Configure hhs_ansible
hhs_ansible must be configured to recognize the VPC environment it will deploy servers into. This requires two variable files to be updated.
In this section we will explain how variables are inherited by hhs_ansible.
- Command Line Variables
- Common Variables and all_var.yml
- Environment-specific Variables
- Secure Environment-specific Variables
- Task/Role-specific Variables
Variables can be passed to an ansible-playbook command using the following syntax:
ansible-playbook playbook_yml_file --extra-vars 'variable1=value1 variable2=value2'
A typical use is to define the environment that the scripts will apply to, e.g.
ansible-playbook create_server.yml --extra-vars 'env=dev'
Values that are consistent across all environments are placed in:
vars/common.yml
Variables defined in this file are prefixed with common_.
Variables used in multiple hhs_ansible scripts should first be defined in:
vars/all_var.yml
A variable defined in all_var.yml will typically refer to a variable defined in common.yml or an environment-specific .yml file. For example:
database_server_name: "{{ env_database_server_name }}"
The vars section of a playbook will load a series of variable files using the {{ env }} variable to load the files required for a specific environment.
This approach allows a variable to be used across multiple scripts without requiring each script to know where each variable is defined.
Each environment should be defined with a directory under the parent vars/env directory, e.g.
vars/env/dev/env.yml
The env.yml file defines environment-specific settings. Each variable should relate to a "parent" variable in all_var.yml.
Variables in env.yml should be prefixed with:
env_
e.g. env_database_server_name: "my_data_server.gov"
If the content of the variable is sensitive it should be placed in the secure vault file. For example:
env_database_server_name: "{{ vault_env_database_server_name }}"
Ansible provides a vault service. This is a secure, encrypted file that can contain variables and other file contents. The vault requires a password to decrypt the vault file. This allows sensitive data to be included with the repository but it can only be used when the password is provided. The password is held securely outside of the hhs_ansible repository.
The vault files are managed using the ansible-vault command.
Vault files are stored in the following directory:
vault/env
A vault file is required for each environment. For example:
vault/env/dev/vault.yml
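A repository check for the conventions described above, as an added example rather than hhs_ansible's own code: it confirms that an environment's vault.yml is encrypted at rest (files written by ansible-vault begin with a $ANSIBLE_VAULT; header) and that env.yml variables carry the env_ prefix. The vault_<name> pairing rule is an assumption inferred from the example above, and the sample repository is constructed.

```python
import re
import tempfile
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;"   # every ansible-vault encrypted file starts with this
TOP_KEY = re.compile(r"^([A-Za-z_]\w*)\s*:\s*(.*)$")    # top-level "name: value" lines
VAULT_REF = re.compile(r"\{\{\s*(vault_\w+)\s*\}\}")    # "{{ vault_... }}" references

def check_environment(repo: Path, env: str) -> list:
    """Return findings for one environment; an empty list means clean."""
    findings = []
    env_file = repo / "vars" / "env" / env / "env.yml"
    vault_file = repo / "vault" / "env" / env / "vault.yml"
    # 1. The vault file must exist and must not be committed in plaintext.
    if not vault_file.is_file():
        findings.append(f"{vault_file}: missing vault file")
    elif not vault_file.read_text().startswith(VAULT_HEADER):
        findings.append(f"{vault_file}: not encrypted (no $ANSIBLE_VAULT header)")
    # 2. Every variable in env.yml must carry the env_ prefix.
    for n, line in enumerate(env_file.read_text().splitlines(), 1):
        m = TOP_KEY.match(line)
        if not m:
            continue
        name, value = m.groups()
        if not name.startswith("env_"):
            findings.append(f"{env_file}:{n}: '{name}' lacks env_ prefix")
        # 3. Assumed convention: env_x points at vault_env_x, nothing else.
        ref = VAULT_REF.search(value)
        if ref and ref.group(1) != f"vault_{name}":
            findings.append(f"{env_file}:{n}: '{name}' references '{ref.group(1)}'")
    return findings

def demo(encrypt_vault: bool = False) -> list:
    """Check a constructed 'dev' environment built in a temporary directory."""
    secret = 'vault_env_database_server_name: "my_data_server.gov"\n'
    body = "$ANSIBLE_VAULT;1.1;AES256\n(constructed ciphertext)\n" if encrypt_vault else secret
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "vars/env/dev").mkdir(parents=True)
        (repo / "vault/env/dev").mkdir(parents=True)
        (repo / "vars/env/dev/env.yml").write_text(
            'env_database_server_name: "{{ vault_env_database_server_name }}"\n'
            "database_port: 5432\n")   # constructed mistake: missing env_ prefix
        (repo / "vault/env/dev/vault.yml").write_text(body)
        return check_environment(repo, "dev")

if __name__ == "__main__":
    print("\n".join(demo()))
```

Run against a real checkout by calling check_environment(Path("."), "dev") from the repository root, for instance in a pre-commit hook, so a plaintext vault.yml is caught before it is pushed.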
Variables that are used only in a single playbook or role script can be assigned in the vars section of the relevant script.
Created for US Department of Health and Human Services / Centers for Medicare and Medicaid Services by Mark Scrimshire/TransparentHealth