@tcheymol Passwords appear unencrypted in both Ansible vars and database.json db-migrate config file.
What I suggest:
- [ ] During the Yeoman generation, ask for a Vault Password
- [ ] Write the password in a `~/.vault_pass.txt` file
- [ ] When the generator asks for a database password, execute `ansible-vault encrypt_string {{ your strong password }} --vault-password-file=~/.vault_pass.txt`
- [ ] Put the encrypted content in `postgresql_users.pass` variable
- [ ] During the provisioning, add a task to export database credentials in new env vars according to db-migrate variable names (i.e.: `PRODUCTION_PASSWORD`) => I think "environment" Ansible module is not suited for this, it has to be in a `.profile` file sourced for the www-user I think. Tell me if you have a better idea.
- [ ] Use dummy unencrypted passwords for development environment (avoid env vars exportation management locally)
Then the dev who generated the Vault password manages its sharing according to organization policy/team practices (LastPass, KeePass...).
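A sketch of the provisioning side of the checklist above, added here as an example and not taken from the generator's own playbooks. The names `app_user`, `app_home`, `db_password`, the database and role names, and the file paths are hypothetical, and the vault ciphertext is a placeholder for the output of `ansible-vault encrypt_string`.

```yaml
# Added example, not the project's playbook. All names below are assumptions
# except postgresql_users.pass and PRODUCTION_PASSWORD, which come from the issue.
- hosts: production
  become: true
  vars:
    app_user: www-data   # assumption: account that runs db-migrate
    app_home: /var/www   # assumption: that account's home directory
    # Paste the block printed by `ansible-vault encrypt_string` here.
    db_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      <ciphertext placeholder>
    postgresql_users:
      - name: app
        pass: "{{ db_password }}"
  tasks:
    - name: Export the database password under the name db-migrate reads
      ansible.builtin.lineinfile:
        path: "{{ app_home }}/.profile"
        regexp: '^export PRODUCTION_PASSWORD='
        line: "export PRODUCTION_PASSWORD={{ db_password | quote }}"
        create: true
        owner: "{{ app_user }}"
        mode: "0600"     # readable only by the account that needs it
      no_log: true       # keep the decrypted value out of task output

    - name: Write database.json with an env reference instead of the password
      ansible.builtin.copy:
        dest: "{{ app_home }}/app/database.json"
        owner: "{{ app_user }}"
        mode: "0640"
        content: |
          {
            "production": {
              "driver": "pg",
              "user": "app",
              "password": { "ENV": "PRODUCTION_PASSWORD" },
              "host": "localhost",
              "database": "app"
            }
          }
```

With this layout the plaintext password exists only in the decrypted play at run time and in the `0600` profile file on the server; the repository holds the vault ciphertext and a `database.json` that names the variable rather than its value.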