Merge pull request #1934 from cmu-delphi/add-vault-backup-scripts

Add Ansible Vault backup scripts

.gitignore

@@ -129,6 +129,8 @@ venv.bak/
 .retry
 .indicators-ansible-vault-pass
 indicators-ansible-vault-pass
+vault_plain*
+vault_backup*
 
 # testing_utils
 testing_utils/cache

ansible/README.md

@@ -0,0 +1,43 @@
+# Ansible
+
+Ansible is used in the indicators deployment process.
+
+It aids in:
+
+- Setting up staging and production systems to run the indicators.
+- Placing templated indicators params files onto staging and production systems.
+- Managing secrets.
+
+## Managing secrets with ansible-vault
+
+The deployment process uses [`ansible-vault`](https://docs.ansible.com/ansible/latest/vault_guide/index.html) and a corresponding file of `vault.yaml` to write secrets into template files that are placed onto staging and production systems. `vault.yaml` should always be encrypted.
+
+To work with secrets in this repo you should follow one of these processes:
+
+1. Work with systems administrators to add secrets.
+
+OR
+
+2. Obtain the vault decryption password and use the helper scripts.
+
+- Make sure you are in the repo's `ansible` directory.
+
+  ```shell
+  cd $(git rev-parse --show-toplevel)/ansible
+  ```
+
+- Use the helper scripts to:
+
+  - Decrypt to `vault_plain.yaml` - Creates a .gitgnored "plain" file for editing. Also a backup directory and backup file if possible.
+
+    ```shell
+    bash vault-decrypt.sh
+    ```
+
+  - Make your changes in `vault_plain.yaml`
+
+  - Encrypt to a new `vault.yaml` - Creates a new encrypted vault file suitable for committing. Also creates a backup directory and backup file if possible.
+
+    ```shell
+    bash vault-encrypt.sh
+    ```

ansible/vault-decrypt.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Create backup directory and copy vault_plain.yaml if it exists.
+if [ -f vault_plain.yaml ]; then
+    echo "Creating backup of vault_plain.yaml..."
+    mkdir -p vault_backup
+    cp -Rvp vault_plain.yaml \
+    "vault_backup/vault_plain.yaml.backup-$(date -u +%Y-%m-%d_T%H-%M-%S_%Z)"
+fi
+
+# Create a new/overwrite vault_plain.yaml using vault.yaml as the source.
+ansible-vault decrypt --output vault_plain.yaml vault.yaml

ansible/vault-encrypt.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Create backup directory and copy vault.yaml if it exists.
+if [ -f vault.yaml ]; then
+    echo "Creating backup of vault.yaml..."
+    mkdir -p vault_backup
+    cp -Rvp vault.yaml \
+    "vault_backup/vault.yaml.backup-$(date -u +%Y-%m-%d_T%H-%M-%S_%Z)"
+fi
+
+# Create a new/overwrite vault.yaml using vault_plain.yaml as the source.
+ansible-vault encrypt --output vault.yaml vault_plain.yaml