Securing Production Configs

Stability

As the production access tokens and the configuration of the connected APIs should not be visible to everybody on the project, we recommend encrypting these configurations where necessary.

ℹ️ The API tokens are of course not publicly accessible in general, but since they normally live inside project.yml in the config/ folder, and therefore inside the repository, they are readable by everyone who has access to that private repository!

Adding encrypted project configurations

We have introduced a way to add another ansible-vault for encrypted project configurations. This vault should simply be an encrypted version of the project.yml containing the necessary overrides, and should be named accordingly:

* project.yml.crypt for the production project.yml
* project.yml.staging.crypt for the staging project.yml.staging

These files are then decrypted on our servers so that the values become available there.

Sourcing hierarchy

The files are sourced in the following order; values from files higher in the list are overwritten by the files further down:

Production
1. project.yml
2. project.yml.crypt

Staging
1. project.yml
2. project.yml.staging
3. project.yml.staging.crypt

Dev
1. project.yml
2. project.yml.dev

Creating the ansible-vault

To create a vault you can follow the ansible documentation here: https://docs.ansible.com/ansible/latest/user_guide/vault.html#creating-encrypted-files

But basically you need to run the following commands in your shell inside the project's config directory:

# cd to the project's config directory, where $PROJECT is something like "demo_de"
cd "$PROJECT/config"
# create the ansible vault there with a vault-id that equals your customer's name, e.g. "demo"
# Keep in mind that it should be a unique password that needs to be known by Frontastic as well,
# so please do not reuse a password here!
ansible-vault create --vault-id "$CUSTOMER@prompt" project.yml.crypt

⚠️ The password you choose here needs to be known by Frontastic so that it can be configured on our servers properly. Therefore do not reuse another password here!

Choose any new password you like and get in touch with one of our Frontastic employees so that they can configure the servers to use that password; only then can the vault be decrypted on the production and staging machines.

Please don't forget to check the generated encrypted vault file into git!
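Since the .crypt files are committed to the repository, the one thing worth guarding against is a .crypt file that was saved unencrypted. The following is an added example, not part of the Frontastic tooling or this page: a small POSIX shell check (usable from a git pre-commit hook) that verifies the two vault files named above actually start with an ansible-vault header. It assumes the standard header formats "$ANSIBLE_VAULT;1.1;AES256" (no vault-id) and "$ANSIBLE_VAULT;1.2;AES256;<vault-id>".

```shell
#!/bin/sh
# Added example: refuse to treat a project.yml*.crypt file as safe to commit
# unless its first line is an ansible-vault header.

# is_vault_encrypted FILE -> 0 if FILE starts with an ansible-vault header, 1 otherwise
is_vault_encrypted() {
    first_line=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$first_line" in
        # format 1.1 (no vault-id) or 1.2 (vault-id label appended after AES256;)
        '$ANSIBLE_VAULT;1.1;AES256'|'$ANSIBLE_VAULT;1.2;AES256;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_crypt_files CONFIG_DIR -> 0 if every existing .crypt file in CONFIG_DIR
# is encrypted, 1 if at least one of them is still plaintext
check_crypt_files() {
    rc=0
    for f in "$1/project.yml.crypt" "$1/project.yml.staging.crypt"; do
        [ -e "$f" ] || continue          # a missing file is not an error here
        if is_vault_encrypted "$f"; then
            echo "ok:        $f"
        else
            echo "PLAINTEXT: $f (encrypt it with ansible-vault before committing)" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs for a stand-alone run (not real project files):
# one properly encrypted vault (header + hex body) and one accidentally plaintext file.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '$ANSIBLE_VAULT;1.2;AES256;demo\n3132333435363738\n' > "$demo/project.yml.crypt"
printf 'api:\n  token: "constructed-plaintext-secret"\n' > "$demo/project.yml.staging.crypt"

check_crypt_files "$demo" || echo "commit would be blocked"
```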

Editing the ansible-vault

You can edit the vault by running the following command:

ansible-vault edit --vault-id "$CUSTOMER@prompt" project.yml.crypt

For further details, see the ansible documentation: https://docs.ansible.com/ansible/latest/user_guide/vault.html#editing-encrypted-files