Closed tkellen closed 8 months ago
sounds good to me, anything that makes the process consistent across projects!
This sounds fine to me as well :+1: just make sure that as we go forward we consider what contingency plans we'd need to rotate out secrets if the environment was ever inadvertently dumped.
Create a bash script for grabbing secrets that supports multiple environments: `./deploy/get-secrets <environment>`. Update the npm `get-secrets` script to call `./deploy/get-secrets dev`. Update Ansible to call `./deploy/get-secrets prod` during deployment. Remove all secret management logic from Ansible. In this form, we rely on `.env` in development and production for secrets. This will make https://github.com/bocoup/skillsbot/pull/84 possible.
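One way the `./deploy/get-secrets <environment>` script could be shaped, as an added example rather than skillsbot's own code: it assumes a `SECRETS_BASE` (an invented name for either a local directory or an https:// base URL) that holds one `<environment>.env` file per environment, rejects unknown environment names, writes `.env` with mode 0600, and never replaces an existing `.env` when the fetch fails or comes back empty.

```shell
#!/bin/sh
# Added example, not skillsbot's own deploy/get-secrets.
# Assumption: SECRETS_BASE is either a local directory or an https:// base URL
# (both invented for this example) holding one <environment>.env file per environment.
set -eu

ALLOWED_ENVS="dev prod"

# Print the raw KEY=value secrets for one environment to stdout; fail if unreachable.
fetch_secrets() {
  environment="$1"
  base="${SECRETS_BASE:?set SECRETS_BASE to a secrets directory or https:// URL}"
  case "$base" in
    https://*) curl --fail --silent --show-error "$base/$environment.env" ;;
    *)         cat "$base/$environment.env" ;;
  esac
}

# Validate the environment name, fetch its secrets, and install them as $target
# (default .env) with mode 0600. A failed or empty fetch leaves any existing file untouched.
get_secrets() {
  environment="$1"
  target="${2:-.env}"
  case " $ALLOWED_ENVS " in
    *" $environment "*) ;;
    *) echo "unknown environment '$environment' (expected one of: $ALLOWED_ENVS)" >&2; return 2 ;;
  esac
  tmp="$(mktemp "$target.XXXXXX")"   # same directory as target so the final mv is atomic
  chmod 600 "$tmp"
  if ! fetch_secrets "$environment" > "$tmp"; then
    rm -f "$tmp"
    echo "could not fetch secrets for '$environment'" >&2
    return 1
  fi
  if ! grep -Eq '^[A-Za-z_][A-Za-z0-9_]*=' "$tmp"; then
    rm -f "$tmp"
    echo "fetched file for '$environment' has no KEY=value lines; keeping existing $target" >&2
    return 1
  fi
  mv -f "$tmp" "$target"
  echo "wrote $(grep -Ec '^[A-Za-z_][A-Za-z0-9_]*=' "$target") secrets for '$environment' to $target"
}

# When invoked as ./deploy/get-secrets <environment>, fetch into .env in the current directory.
case "${0##*/}" in
  get-secrets) get_secrets "${1:-}" ;;
esac
```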
The only concern I have here is that in this model we'd rely on `nest.bocoup.com` being accessible for every single deploy (currently we store the secrets in the upstart script via the configure playbook and they remain "hardcoded" through code deploys). This moves us more in the direction of dynamic secrets retrieval, which will potentially make it a bit easier to rotate them when we have a solution like Vault in place.

/cc @MattSurabian for a :+1: (or suggested improvements) before we implement.
Ideally we'd implement this for pombot as well.
/cc @jennschiffer