Fixes #1244: Add support for a secrets.yml file with Ansible Vault.

geerlingguy · geerlingguy · commit ac841e1c29a0 · 2017-03-21T23:33:39.000-05:00
diff --git a/docs/other/production.md b/docs/other/production.md
@@ -33,6 +33,26 @@ _Note: Having the variable set locally takes precedence over having it on the re
 
 As a precaution not to accidentally provision a production server with insecure configurations, you should set your security hardening configurations in `config.yml`, your local development overrides in `vagrant.config.yml` and finally any additional production specific overrides in `prod.config.yml`. This way, a production environment will never be provisioned with development tools, even if the `prod.config.yml` is not read.
 
+## Ansible Vault support
+
+Drupal VM will include a `secrets.yml` file included in your VM's configuration directory (alongside `config.yml`, `local.config.yml`, etc.) that you can use to store sensitive variables (e.g. MySQL's root password, Drupal's admin password). For extra security, you can encrypt this file, and require a password whenever the variable is used.
+
+First, you'd create an Ansible Vault encrypted file:
+
+    $ ansible-vault create secrets.yml
+
+Create the file inside your VM's configuration directory, add any plaintext passwords, and save it. Ansible Vault will encrypt the file, and you can edit the file using `ansible-vault edit`.
+
+When running `vagrant` commands, make sure you tell the Ansible provisioner to use `--ask-vault-pass`, e.g.:
+
+    DRUPALVM_ANSIBLE_ARGS='--ask-vault-pass' vagrant [command]
+
+And if you need to override one of the secrets stored in that file, you can do so through an environment-specific config file, for example:
+
+    vagrant.config.yml
+    prod.config.yml
+    [etc.]
+
 ## Example: Drupal VM on DigitalOcean
 
 The [`examples/prod` directory](https://github.com/geerlingguy/drupal-vm/tree/master/examples/prod) contains an example production configuration for Drupal VM which can be used to deploy Drupal VM to a production environment on a cloud provider like DigitalOcean, Linode, or AWS.
diff --git a/provisioning/playbook.yml b/provisioning/playbook.yml
@@ -19,6 +19,7 @@
       with_fileglob:
         - "{{ config_dir }}/config.yml"
         - "{{ config_dir }}/local.config.yml"
+        - "{{ config_dir }}/secrets.yml"
         - "{{ config_dir }}/{{ lookup('env', 'DRUPALVM_ENV')|default(drupalvm_env, true)|default(ansible_env.DRUPALVM_ENV)|default(omit) }}.config.yml"
       tags: ['always']
 
