Securing Production Configs
As the production access tokens and configuration of the connected APIs should not be publicly available to everybody on the project, it is recommended to encrypt these configurations if necessary.
The API tokens will of course not be publicly accessible in general, but as they normally lie inside our project.yml in the config/ folder and therefore inside the repository, they would be available to everyone who has access to that private repository!
Adding encrypted project configurations
We have introduced a way to add another ansible-vault for encrypted project configurations. This vault should be just an encrypted version of the project.yml with the necessary overwrites and should be named accordingly:
project.yml.crypt for production
project.yml.staging.crypt for staging
These files will then get decrypted on our servers to make them available there.
The files are sourced in the following hierarchy, and values from the top are overwritten on the way down:
Creating the ansible-vault
To create a vault, you can follow the ansible documentation here: https://docs.ansible.com/ansible/latest/user_guide/vault.html#creating-encrypted-files
But basically you will need to run the following commands in your shell inside the project's config directory:
# cd to project's config directory, where $PROJECT is something like "demo_de"
cd $PROJECT/config
# create the ansible vault there with a vault-id that equals your customer's name, e.g. "demo"
# Keep in mind that it should be some unique password that needs to be known by Frontastic as well, so please do not
# reuse a password here!
ansible-vault create --vault-id $CUSTOMER@prompt project.yml.crypt
The password you choose here needs to be known by Frontastic so that it can be configured properly on our servers. Therefore do not reuse another password here!
Choose any new password you like and get in touch with one of our Frontastic employees, so that they can configure the servers to use that password and the vault gets decrypted on the production and staging machines.
Please don't forget to check the generated encrypted vault file in to git!
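Because the .crypt files are committed to the repository, it is worth checking before each commit that they really are vault-encrypted and carry the expected vault-id. The shell functions below are an added example, not part of Frontastic's tooling; the function names are hypothetical, and the check relies on the ansible-vault file header, which reads `$ANSIBLE_VAULT;1.2;AES256;<vault-id>` for files created with a vault-id label.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not Frontastic tooling).
# Usage, e.g. from a pre-commit hook:
#   check_config_dir "$PROJECT/config" "$CUSTOMER" || exit 1

# Return 0 if file $1 starts with an ansible-vault header. If a vault-id $2
# is given, the header's 4th field must match it. Return 2 if $1 is no file.
is_vault_encrypted() {
    file=$1
    want_id=${2:-}
    [ -f "$file" ] || return 2
    # Only the first line matters; the rest of the file is hex ciphertext.
    header=
    IFS= read -r header < "$file" || [ -n "$header" ] || return 1
    case $header in
        '$ANSIBLE_VAULT;'*) ;;
        *) return 1 ;;          # plaintext (e.g. left decrypted by mistake)
    esac
    if [ -z "$want_id" ]; then
        return 0
    fi
    # Header layout: $ANSIBLE_VAULT;<format>;<cipher>;<vault-id>
    label=$(printf '%s' "$header" | cut -d';' -f4)
    [ "$label" = "$want_id" ]
}

# Check both encrypted project configs in config dir $1 against vault-id $2.
# Reports each offending file on stderr; returns the number of failures.
check_config_dir() {
    dir=$1
    id=${2:-}
    failures=0
    for f in "$dir"/project.yml.crypt "$dir"/project.yml.staging.crypt; do
        [ -e "$f" ] || continue     # a missing file is not an error here
        if ! is_vault_encrypted "$f" "$id"; then
            echo "not vault-encrypted or wrong vault-id: $f" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}
```

A file that was decrypted for editing and saved as plaintext, or encrypted under a different vault-id than the one agreed with Frontastic, fails this check before it reaches the repository.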
Editing the ansible-vault
You can edit the vault by running the following command:
ansible-vault edit --vault-id $CUSTOMER@prompt project.yml.crypt
For further details, see the ansible documentation: https://docs.ansible.com/ansible/latest/user_guide/vault.html#editing-encrypted-files