Merge pull request #2781 from edx/zub/credentials-custom-s3-backend

update s3 configuration to use custom credentials s3 backends

playbooks/roles/ansible-role-django-ida/templates/defaults/main.yml.j2

@@ -30,9 +30,6 @@
     ATOMIC_REQUESTS: true
     CONN_MAX_AGE: 60
 
-{{ role_name|upper }}_DB_ADMIN_USER: 'root'
-{{ role_name|upper }}_DB_ADMIN_PASSWORD: ''
-{{ role_name|upper }}_MYSQL_MATCHER: 'localhost'
 
 {{ role_name|upper }}_MEMCACHE: [ 'memcache' ]
 

playbooks/roles/ansible-role-django-ida/templates/tasks/main.yml.j2

@@ -53,45 +53,6 @@
     - devstack
     - devstack:install
 
-- name: wait for database
-  wait_for:
-    host: "{{ '{{' }} {{ role_name|upper }}_DATABASES.default.HOST }}"
-    port: "{{ '{{' }} {{ role_name|upper }}_DATABASES.default.PORT }}"
-    delay: 2
-  tags:
-    - migrate
-    - migrate:install
-
-- name: create databases
-  mysql_db:
-    login_host: "{{ '{{' }} {{ role_name|upper }}_DATABASES.default.HOST }}"
-    login_user: "{{ '{{' }} {{ role_name|upper }}_DB_ADMIN_USER }}"
-    login_password: "{{ '{{' }} {{ role_name|upper }}_DB_ADMIN_PASSWORD }}"
-    db: "{{ '{{' }} {{ role_name|upper }}_DEFAULT_DB_NAME }}"
-    state: present
-    encoding: utf8
-  tags:
-    - migrate
-    - migrate:install
-
-- name: create database users
-  mysql_user:
-    login_host: "{{ '{{' }} {{ role_name|upper }}_DATABASES.default.HOST }}"
-    login_user: "{{ '{{' }} {{ role_name|upper }}_DB_ADMIN_USER }}"
-    login_password: "{{ '{{' }} {{ role_name|upper }}_DB_ADMIN_PASSWORD }}"
-    name: "{{ '{{' }} item.name }}"
-    host: "{{ '{{' }} {{ role_name|upper }}_MYSQL_MATCHER }}"
-    password: "{{ '{{' }} item.password }}"
-    priv: "{{ '{{' }} {{ role_name|upper }}_DEFAULT_DB_NAME }}.*:ALL"
-  with_items:
-    - name: "{{ '{{' }} {{ role_name|upper }}_DATABASES.default.USER }}"
-      password: "{{ '{{' }} {{ role_name|upper }}_DATABASES.default.PASSWORD }}"
-    - name: "{{ '{{' }} COMMON_MYSQL_MIGRATE_USER }}"
-      password: "{{ '{{' }} COMMON_MYSQL_MIGRATE_PASS }}"
-  tags:
-    - migrate
-    - migrate:install
-
 - name: migrate database
   command: make migrate
   args:

playbooks/roles/credentials/defaults/main.yml

@@ -23,7 +23,7 @@ CREDENTIALS_DEFAULT_DB_NAME: 'credentials'
 CREDENTIALS_MYSQL_HOST: 'localhost'
 # MySQL usernames are limited to 16 characters
 CREDENTIALS_MYSQL_USER: 'credentials001'
-CREDENTIALS_MYSQL_PASSWORD: 'password'
+CREDENTIALS_MYSQL_PASSWORD: 'SET-ME-TO-A-UNIQUE-LONG-RANDOM-STRING'
 
 CREDENTIALS_DATABASES:
   # rw user
@@ -37,36 +37,25 @@ CREDENTIALS_DATABASES:
     ATOMIC_REQUESTS: true
     CONN_MAX_AGE: 60
 
-CREDENTIALS_DB_ADMIN_USER: 'root'
-CREDENTIALS_DB_ADMIN_PASSWORD: ''
-CREDENTIALS_MYSQL_MATCHER: '{{ CREDENTIALS_MYSQL_HOST }}'
-
 CREDENTIALS_MEMCACHE: [ 'memcache' ]
 
 CREDENTIALS_CACHES:
   default:
     BACKEND:  'django.core.cache.backends.memcached.MemcachedCache'
-    KEY_PREFIX: 'default'
+    KEY_PREFIX: '{{ credentials_service_name }}'
     LOCATION: '{{ CREDENTIALS_MEMCACHE }}'
 
-CREDENTIALS_VERSION: "master"
 CREDENTIALS_DJANGO_SETTINGS_MODULE: "credentials.settings.production"
 CREDENTIALS_URL_ROOT: 'http://credentials:18150'
 CREDENTIALS_OAUTH_URL_ROOT: 'http://127.0.0.1:8000'
 
-CREDENTIALS_DATA_DIR: '{{ COMMON_DATA_DIR }}/{{ credentials_service_name }}'
-CREDENTIALS_MEDIA_ROOT: '{{ CREDENTIALS_DATA_DIR }}/media'
-CREDENTIALS_MEDIA_URL: '/media/'
-CREDENTIALS_STATIC_ROOT: '{{ CREDENTIALS_DATA_DIR }}/staticfiles'
-CREDENTIALS_STATIC_URL: '/static/'
-
-CREDENTIALS_SECRET_KEY: 'Your secret key here'
+CREDENTIALS_SECRET_KEY: 'SET-ME-TO-A-UNIQUE-LONG-RANDOM-STRING'
 CREDENTIALS_TIME_ZONE: 'UTC'
 CREDENTIALS_LANGUAGE_CODE: 'en_US.UTF-8'
 
 # Used to automatically configure OAuth2 Client
-CREDENTIALS_SOCIAL_AUTH_EDX_OIDC_KEY : 'credentials-key'
-CREDENTIALS_SOCIAL_AUTH_EDX_OIDC_SECRET : 'credentials-secret'
+CREDENTIALS_SOCIAL_AUTH_EDX_OIDC_KEY: 'SET-ME-TO-A-UNIQUE-LONG-RANDOM-STRING'
+CREDENTIALS_SOCIAL_AUTH_EDX_OIDC_SECRET: 'SET-ME-TO-A-UNIQUE-LONG-RANDOM-STRING'
 CREDENTIALS_SOCIAL_AUTH_REDIRECT_IS_HTTPS: false
 
 CREDENTIALS_PLATFORM_NAME: 'Your Platform Name Here'
@@ -76,43 +65,80 @@ CREDENTIALS_SERVICE_USER: 'credentials_service_user'
 
 # Absolute URL used to get programs from the programs service.
 CREDENTIALS_PROGRAMS_API_URL: 'https://127.0.0.1:8004/api/v1/'
-CREDENTIALS_PROGRAMS_API_JWT_AUDIENCE: 'programs-key'
-CREDENTIALS_PROGRAMS_API_JWT_SECRET_KEY: 'programs-secret'
+CREDENTIALS_PROGRAMS_API_JWT_AUDIENCE: 'SET-ME-TO-THE-SAME-AS-PROGRAMS_SOCIAL_AUTH_EDX_OIDC_KEY'
+CREDENTIALS_PROGRAMS_API_JWT_SECRET_KEY: 'SET-ME-TO-THE-SAME-AS-PROGRAMS_SOCIAL_AUTH_EDX_OIDC_SECRET'
 
 # Absolute URL used to get organization data from the organizations api in LMS
 CREDENTIALS_ORGANIZATIONS_API_URL: 'https://127.0.0.1:8000/api/organizations/v0/'
-CREDENTIALS_ORGANIZATIONS_API_AUDIENCE: 'lms-key'
-CREDENTIALS_ORGANIZATIONS_API_SECRET_KEY: 'lms-secret'
+CREDENTIALS_ORGANIZATIONS_API_AUDIENCE: 'SET-ME-TO-THE-SAME-AS-EDXAPP_JWT_AUDIENCE'
+CREDENTIALS_ORGANIZATIONS_API_SECRET_KEY: 'SET-ME-TO-THE-SAME-AS-EDXAPP_JWT_SECRET_KEY'
 
 # Absolute URL used to get user data from the user api in LMS
 CREDENTIALS_USER_API_URL: 'https://127.0.0.1:8000/api/user/v1/'
-CREDENTIALS_USER_API_JWT_AUDIENCE: 'lms-key'
-CREDENTIALS_USER_API_JWT_SECRET_KEY: 'lms-secret'
+CREDENTIALS_USER_API_JWT_AUDIENCE: 'SET-ME-TO-THE-SAME-AS-EDXAPP_JWT_AUDIENCE'
+CREDENTIALS_USER_API_JWT_SECRET_KEY: 'SET-ME-TO-THE-SAME-AS-EDXAPP_JWT_SECRET_KEY'
+
+CREDENTIALS_DATA_DIR: '{{ COMMON_DATA_DIR }}/{{ credentials_service_name }}'
+CREDENTIALS_MEDIA_ROOT: '{{ CREDENTIALS_DATA_DIR }}/media'
+CREDENTIALS_STATIC_ROOT: '{{ CREDENTIALS_DATA_DIR }}/staticfiles'
+CREDENTIALS_MEDIA_URL: '/media/'
+CREDENTIALS_STATIC_URL: '/static/'
 
-# Example settings to use Amazon S3 as files storage backend with django storages:
+# Example settings to use Amazon S3 as a storage backend with django storages:
 # https://django-storages.readthedocs.org/en/latest/backends/amazon-S3.html#amazon-s3
 #
+# CREDENTIALS_BUCKET: mybucket
+# credentials_s3_domain: s3.amazonaws.com
+# CREDENTIALS_MEDIA_ROOT: 'media'
+# CREDENTIALS_STATIC_ROOT: 'static'
+#
 # CREDENTIALS_FILE_STORAGE_BACKEND:
-#  AWS_STORAGE_BUCKET_NAME: mybucket
-#  AWS_CUSTOM_DOMAIN: mybucket.s3.amazonaws.com
-#  AWS_ACCESS_KEY_ID: XXXAWS_ACCESS_KEYXXX
-#  AWS_SECRET_ACCESS_KEY: XXXAWS_SECRETY_KEYXXX
+#  AWS_STORAGE_BUCKET_NAME: '{{ CREDENTIALS_BUCKET }}'
+#  AWS_CUSTOM_DOMAIN: '{{ CREDENTIALS_BUCKET }}.{{ credentials_s3_domain }}'
+#  AWS_ACCESS_KEY_ID: 'XXXAWS_ACCESS_KEYXXX'
+#  AWS_SECRET_ACCESS_KEY: 'XXXAWS_SECRET_KEYXXX'
 #  AWS_QUERYSTRING_AUTH: False
 #  AWS_QUERYSTRING_EXPIRE: False
 #  AWS_DEFAULT_ACL: ''
 #  AWS_HEADERS:
-#    Cache-Control: max-age-31536000
-#    Access-Control-Allow-Origin: PUT YOUR HOSTNAME HERE
+#    Access-Control-Allow-Origin: 'PUT-YOUR-HOSTNAME-HERE'
+#
+#  MEDIA_ROOT: '{{ CREDENTIALS_MEDIA_ROOT }}'
+#  STATIC_ROOT: '{{ CREDENTIALS_STATIC_ROOT }}'
 #
-#  COMPRESS_URL: 'https://mybucket.s3.amazonaws.com/'
-#  STATIC_URL: 'https://mybucket.s3.amazonaws.com/'
-#  COMPRESS_ROOT: {{ CREDENTIALS_STATIC_ROOT }}
-#  COMPRESS_STORAGE: storages.backends.s3boto.S3BotoStorage
-#  STATICFILES_STORAGE: storages.backends.s3boto.S3BotoStorage
-#  DEFAULT_FILE_STORAGE: storages.backends.s3boto.S3BotoStorage
+#  MEDIA_URL:    'https://{{ CREDENTIALS_BUCKET }}.{{ credentials_s3_domain }}{{ CREDENTIALS_MEDIA_URL }}'
+#  STATIC_URL:   'https://{{ CREDENTIALS_BUCKET }}.{{ credentials_s3_domain }}{{ CREDENTIALS_STATIC_URL }}'
+#
+#  STATICFILES_STORAGE:  'credentials.apps.core.s3utils.StaticS3BotoStorage'
+#  DEFAULT_FILE_STORAGE: 'credentials.apps.core.s3utils.MediaS3BotoStorage'
 
 CREDENTIALS_FILE_STORAGE_BACKEND:
-  DEFAULT_FILE_STORAGE: 'django.core.files.storage.DefaultStorage'
+  MEDIA_ROOT: '{{ CREDENTIALS_MEDIA_ROOT }}'
+  STATIC_ROOT: '{{ CREDENTIALS_STATIC_ROOT }}'
+  MEDIA_URL: '{{ CREDENTIALS_MEDIA_URL }}'
+  STATIC_URL: '{{ CREDENTIALS_STATIC_URL }}'
+  DEFAULT_FILE_STORAGE: 'django.core.files.storage.FileSystemStorage'
+
+CREDENTIALS_VERSION: "master"
+CREDENTIALS_REPOS:
+  - PROTOCOL: "{{ COMMON_GIT_PROTOCOL }}"
+    DOMAIN: "{{ COMMON_GIT_MIRROR }}"
+    PATH: "{{ COMMON_GIT_PATH }}"
+    REPO: credentials.git
+    VERSION: "{{ CREDENTIALS_VERSION }}"
+    DESTINATION: "{{ credentials_code_dir }}"
+    SSH_KEY: "{{ CREDENTIALS_GIT_IDENTITY }}"
+
+
+CREDENTIALS_GUNICORN_WORKERS: "2"
+CREDENTIALS_GUNICORN_EXTRA: ""
+CREDENTIALS_GUNICORN_EXTRA_CONF: ""
+CREDENTIALS_GUNICORN_WORKER_CLASS: "gevent"
+
+CREDENTIALS_HOSTNAME: '~^((stage|prod)-)?credentials.*'
+
+NGINX_CREDENTIALS_GUNICORN_HOSTS:
+  - 127.0.0.1
 
 CREDENTIALS_SERVICE_CONFIG:
   SECRET_KEY: '{{ CREDENTIALS_SECRET_KEY }}'
@@ -126,11 +152,6 @@ CREDENTIALS_SERVICE_CONFIG:
   SOCIAL_AUTH_EDX_OIDC_URL_ROOT: '{{ CREDENTIALS_OAUTH_URL_ROOT }}/oauth2'
   SOCIAL_AUTH_REDIRECT_IS_HTTPS: '{{ CREDENTIALS_SOCIAL_AUTH_REDIRECT_IS_HTTPS }}'
 
-  MEDIA_ROOT: '{{ CREDENTIALS_MEDIA_ROOT }}'
-  MEDIA_URL: '{{ CREDENTIALS_MEDIA_URL }}'
-  STATIC_ROOT: '{{ CREDENTIALS_STATIC_ROOT }}'
-  STATIC_URL: '{{ CREDENTIALS_STATIC_URL }}'
-
   # db config
   DATABASE_OPTIONS:
     connect_timeout: 10
@@ -160,31 +181,10 @@ CREDENTIALS_SERVICE_CONFIG:
   USER_JWT_AUDIENCE: '{{ CREDENTIALS_USER_API_JWT_AUDIENCE }}'
   USER_JWT_SECRET_KEY: '{{ CREDENTIALS_USER_API_JWT_SECRET_KEY }}'
 
-
-CREDENTIALS_REPOS:
-  - PROTOCOL: "{{ COMMON_GIT_PROTOCOL }}"
-    DOMAIN: "{{ COMMON_GIT_MIRROR }}"
-    PATH: "{{ COMMON_GIT_PATH }}"
-    REPO: credentials.git
-    VERSION: "{{ CREDENTIALS_VERSION }}"
-    DESTINATION: "{{ credentials_code_dir }}"
-    SSH_KEY: "{{ CREDENTIALS_GIT_IDENTITY }}"
-
-
-CREDENTIALS_GUNICORN_WORKERS: "2"
-CREDENTIALS_GUNICORN_EXTRA: ""
-CREDENTIALS_GUNICORN_EXTRA_CONF: ""
-CREDENTIALS_GUNICORN_WORKER_CLASS: "gevent"
-
-CREDENTIALS_HOSTNAME: '~^((stage|prod)-)?credentials.*'
-
-NGINX_CREDENTIALS_GUNICORN_HOSTS:
-  - 127.0.0.1
-
 #
 # vars are namespace with the module name.
 #
-credentials_role_name: credentials
+credentials_service_name: "credentials"
 credentials_venv_dir: "{{ credentials_home }}/venvs/{{ credentials_service_name }}"
 
 credentials_migration_environment:
@@ -194,7 +194,6 @@ credentials_migration_environment:
   DB_MIGRATION_USER: "{{ COMMON_MYSQL_MIGRATE_USER }}"
   DB_MIGRATION_PASS: "{{ COMMON_MYSQL_MIGRATE_PASS }}"
 
-credentials_service_name: "{{ credentials_role_name }}"
 credentials_user: "{{ credentials_service_name }}"
 credentials_home: "{{ COMMON_APP_DIR }}/{{ credentials_service_name }}"
 credentials_code_dir: "{{ credentials_home }}/{{ credentials_service_name }}"
@@ -215,6 +214,11 @@ credentials_gunicorn_timeout: 300
 
 credentials_log_dir: "{{ COMMON_LOG_DIR }}/{{ credentials_service_name }}"
 
+credentials_requirements_base: "{{ credentials_code_dir }}/requirements"
+credentials_requirements:
+  - production.txt
+  - optional.txt
+
 #
 # OS packages
 #

playbooks/roles/credentials/tasks/main.yml

@@ -30,25 +30,14 @@
     - install
     - install:configuration
 
-- name: build virtualenv
-  command: "virtualenv {{ credentials_venv_dir }}"
-  args:
-    creates: "{{ credentials_venv_dir }}/bin/pip"
-  sudo_user: "{{ credentials_user }}"
-  environment: "{{ credentials_environment }}"
-  tags:
-    - install
-    - install:app-requirements
-
 - name: install application requirements
-  command: make prod-requirements
-  args:
-    chdir: "{{ credentials_code_dir }}"
+  pip:
+    requirements: "{{ credentials_requirements_base }}/{{ item }}"
+    # Ansible will initialize this virtualenv if it's missing.
+    virtualenv: "{{ credentials_venv_dir }}"
+    state: present
   sudo_user: "{{ credentials_user }}"
-  environment: "{{ credentials_environment }}"
-  tags:
-    - install
-    - install:app-requirements
+  with_items: "{{ credentials_requirements }}"
 
 - name: create nodeenv
   shell: >
@@ -69,46 +58,6 @@
     - devstack
     - devstack:install
 
-- name: wait for database
-  wait_for:
-    host: "{{ CREDENTIALS_DATABASES.default.HOST }}"
-    port: "{{ CREDENTIALS_DATABASES.default.PORT }}"
-    delay: 2
-  tags:
-    - migrate
-    - migrate:install
-
-- name: create databases
-  mysql_db:
-    login_host: "{{ CREDENTIALS_DATABASES.default.HOST }}"
-    login_user: "{{ CREDENTIALS_DB_ADMIN_USER }}"
-    login_password: "{{ CREDENTIALS_DB_ADMIN_PASSWORD }}"
-    db: "{{ CREDENTIALS_DEFAULT_DB_NAME }}"
-    state: present
-    encoding: utf8
-  tags:
-    - migrate
-    - migrate:install
-
-- name: create database users
-  mysql_user:
-    login_host: "{{ CREDENTIALS_DATABASES.default.HOST }}"
-    login_user: "{{ CREDENTIALS_DB_ADMIN_USER }}"
-    login_password: "{{ CREDENTIALS_DB_ADMIN_PASSWORD }}"
-    name: "{{ item.name }}"
-    host: "{{ CREDENTIALS_MYSQL_MATCHER }}"
-    password: "{{ item.password }}"
-    priv: "{{ CREDENTIALS_DEFAULT_DB_NAME }}.*:ALL"
-    append_privs: yes
-  with_items:
-    - name: "{{ CREDENTIALS_DATABASES.default.USER }}"
-      password: "{{ CREDENTIALS_DATABASES.default.PASSWORD }}"
-    - name: "{{ COMMON_MYSQL_MIGRATE_USER }}"
-      password: "{{ COMMON_MYSQL_MIGRATE_PASS }}"
-  tags:
-    - migrate
-    - migrate:install
-
 - name: migrate database
   command: make migrate
   args:

playbooks/roles/discovery/defaults/main.yml

@@ -44,10 +44,6 @@ DISCOVERY_ELASTICSEARCH:
   host: '{{ DISCOVERY_ELASTICSEARCH_HOST }}'
   index: '{{ DISCOVERY_ES_INDEX }}'
 
-DISCOVERY_DB_ADMIN_USER: 'root'
-DISCOVERY_DB_ADMIN_PASSWORD: ''
-DISCOVERY_MYSQL_MATCHER: 'localhost'
-
 DISCOVERY_MEMCACHE: [ 'memcache' ]
 
 DISCOVERY_CACHES:

playbooks/roles/discovery/tasks/main.yml

@@ -76,46 +76,6 @@
     - devstack
     - devstack:install
 
-- name: wait for database
-  wait_for:
-    host: "{{ DISCOVERY_DATABASES.default.HOST }}"
-    port: "{{ DISCOVERY_DATABASES.default.PORT }}"
-    delay: 2
-  tags:
-    - migrate
-    - migrate:install
-
-- name: create databases
-  mysql_db:
-    login_host: "{{ DISCOVERY_DATABASES.default.HOST }}"
-    login_user: "{{ DISCOVERY_DB_ADMIN_USER }}"
-    login_password: "{{ DISCOVERY_DB_ADMIN_PASSWORD }}"
-    db: "{{ DISCOVERY_DEFAULT_DB_NAME }}"
-    state: present
-    encoding: utf8
-  tags:
-    - migrate
-    - migrate:install
-
-- name: create database users
-  mysql_user:
-    login_host: "{{ DISCOVERY_DATABASES.default.HOST }}"
-    login_user: "{{ DISCOVERY_DB_ADMIN_USER }}"
-    login_password: "{{ DISCOVERY_DB_ADMIN_PASSWORD }}"
-    name: "{{ item.name }}"
-    host: "{{ DISCOVERY_MYSQL_MATCHER }}"
-    password: "{{ item.password }}"
-    priv: "{{ DISCOVERY_DEFAULT_DB_NAME }}.*:ALL"
-    append_privs: yes
-  with_items:
-    - name: "{{ DISCOVERY_DATABASES.default.USER }}"
-      password: "{{ DISCOVERY_DATABASES.default.PASSWORD }}"
-    - name: "{{ COMMON_MYSQL_MIGRATE_USER }}"
-      password: "{{ COMMON_MYSQL_MIGRATE_PASS }}"
-  tags:
-    - migrate
-    - migrate:install
-
 - name: migrate database
   command: make migrate
   args:

playbooks/roles/edxlocal/defaults/main.yml

@@ -13,6 +13,8 @@ edxlocal_databases:
   - "{{ PROGRAMS_DEFAULT_DB_NAME | default(None) }}"
   - "{{ ANALYTICS_API_DEFAULT_DB_NAME | default(None) }}"
   - "{{ ANALYTICS_API_REPORTS_DB_NAME | default(None) }}"
+  - "{{ CREDENTIALS_DEFAULT_DB_NAME | default(None) }}"
+  - "{{ DISCOVERY_DEFAULT_DB_NAME | default(None) }}"
 
 edxlocal_database_users:
   - {
@@ -55,3 +57,13 @@ edxlocal_database_users:
       user: "{{ HIVE_METASTORE_DATABASE.user | default(None) }}",
       pass: "{{ HIVE_METASTORE_DATABASE.password | default(None) }}"
     }
+  - {
+      db: "{{ CREDENTIALS_DEFAULT_DB_NAME | default(None) }}",
+      user: "{{ CREDENTIALS_MYSQL_USER | default(None) }}",
+      pass: "{{ CREDENTIALS_MYSQL_PASSWORD | default(None) }}"
+    }
+  - {
+      db: "{{ DISCOVERY_DEFAULT_DB_NAME | default(None) }}",
+      user: "{{ DISCOVERY_MYSQL_USER | default(None) }}",
+      pass: "{{ DISCOVERY_MYSQL_PASSWORD | default(None) }}"
+    }

playbooks/roles/programs/tasks/main.yml

@@ -30,6 +30,7 @@
 - name: install application requirements
   pip:
     requirements: "{{ programs_requirements_base }}/{{ item }}"
+    # Ansible will initialize this virtualenv if it's missing.
     virtualenv: "{{ programs_venv_dir }}"
     state: present
   sudo_user: "{{ programs_user }}"

playbooks/roles/supervisor/files/pre_supervisor_checks.py

@@ -15,9 +15,10 @@ MIGRATION_COMMANDS = {
         'cms':     "NO_EDXAPP_SUDO=1 /edx/bin/edxapp-migrate-cms --noinput --list",
         'xqueue': "{python} {code_dir}/manage.py xqueue migrate --noinput --settings=aws --db-dry-run --merge",
         'ecommerce':     ". {env_file}; {python} {code_dir}/manage.py migrate --noinput --list",
-        'programs':     ". {env_file}; {python} {code_dir}/manage.py migrate --noinput --list",
+        'programs':      ". {env_file}; {python} {code_dir}/manage.py migrate --noinput --list",
         'insights':      ". {env_file}; {python} {code_dir}/manage.py migrate --noinput --list",
-        'analytics_api': ". {env_file}; {python} {code_dir}/manage.py migrate --noinput --list"
+        'analytics_api': ". {env_file}; {python} {code_dir}/manage.py migrate --noinput --list",
+        'credentials':   ". {env_file}; {python} {code_dir}/manage.py migrate --noinput --list",
     }
 HIPCHAT_USER = "PreSupervisor"
 
@@ -101,6 +102,15 @@ if __name__ == '__main__':
     programs_migration_args.add_argument("--programs-code-dir",
         help="Location to of the programs code.")
 
+    credentials_migration_args = parser.add_argument_group("credentials_migrations",
+            "Args for running credentials migration checks.")
+    credentials_migration_args.add_argument("--credentials-python",
+        help="Path to python to use for executing migration check.")
+    credentials_migration_args.add_argument("--credentials-env",
+        help="Location of the credentials environment file.")
+    credentials_migration_args.add_argument("--credentials-code-dir",
+        help="Location to of the credentials code.")
+
     insights_migration_args = parser.add_argument_group("insights_migrations",
             "Args for running insights migration checks.")
     insights_migration_args.add_argument("--insights-python",
@@ -222,6 +232,7 @@ if __name__ == '__main__':
                         "cms": {'python': args.edxapp_python, 'env_file': args.edxapp_env, 'code_dir': args.edxapp_code_dir},
                         "ecommerce": {'python': args.ecommerce_python, 'env_file': args.ecommerce_env, 'code_dir': args.ecommerce_code_dir},
                         "programs": {'python': args.programs_python, 'env_file': args.programs_env, 'code_dir': args.programs_code_dir},
+                        "credentials": {'python': args.credentials_python, 'env_file': args.credentials_env, 'code_dir': args.credentials_code_dir},
                         "insights": {'python': args.insights_python, 'env_file': args.insights_env, 'code_dir': args.insights_code_dir},
                         "analytics_api": {'python': args.analytics_api_python, 'env_file': args.analytics_api_env, 'code_dir': args.analytics_api_code_dir}
                     }

playbooks/roles/supervisor/templates/etc/init/pre_supervisor.conf.j2

@@ -11,4 +11,10 @@ setuid {{ supervisor_user }}
   {% set programs_command = "" %}
 {% endif %}
 
-exec {{ supervisor_venv_dir }}/bin/python {{ supervisor_app_dir }}/pre_supervisor_checks.py --available={{ supervisor_available_dir }} --enabled={{ supervisor_cfg_dir }} {% if SUPERVISOR_HIPCHAT_API_KEY is defined %}--hipchat-api-key {{ SUPERVISOR_HIPCHAT_API_KEY }} --hipchat-room {{ SUPERVISOR_HIPCHAT_ROOM }} {% endif %} {% if edxapp_code_dir is defined %}--edxapp-python {{ COMMON_BIN_DIR }}/python.edxapp --edxapp-code-dir {{ edxapp_code_dir }} --edxapp-env {{ edxapp_app_dir }}/edxapp_env{% endif %} {% if xqueue_code_dir is defined %}--xqueue-code-dir {{ xqueue_code_dir }} --xqueue-python {{ COMMON_BIN_DIR }}/python.xqueue {% endif %} {% if ecommerce_code_dir is defined %}--ecommerce-env {{ ecommerce_home }}/ecommerce_env --ecommerce-code-dir {{ ecommerce_code_dir }} --ecommerce-python {{ COMMON_BIN_DIR }}/python.ecommerce {% endif %} {% if insights_code_dir is defined %}--insights-env {{ insights_home }}/insights_env --insights-code-dir {{ insights_code_dir }} --insights-python {{ COMMON_BIN_DIR }}/python.insights {% endif %} {% if analytics_api_code_dir is defined %}--analytics-api-env {{ analytics_api_home }}/analytics_api_env --analytics-api-code-dir {{ analytics_api_code_dir }} --analytics-api-python {{ COMMON_BIN_DIR }}/python.analytics_api {% endif %} {{ programs_command }}
+{% if credentials_code_dir is defined %}
+  {% set credentials_command = "--credentials-env " + credentials_home + "/credentials_env --credentials-code-dir " + credentials_code_dir + " --credentials-python " + COMMON_BIN_DIR + "/python.credentials" %}
+{% else %}
+  {% set credentials_command = "" %}
+{% endif %}
+
+exec {{ supervisor_venv_dir }}/bin/python {{ supervisor_app_dir }}/pre_supervisor_checks.py --available={{ supervisor_available_dir }} --enabled={{ supervisor_cfg_dir }} {% if SUPERVISOR_HIPCHAT_API_KEY is defined %}--hipchat-api-key {{ SUPERVISOR_HIPCHAT_API_KEY }} --hipchat-room {{ SUPERVISOR_HIPCHAT_ROOM }} {% endif %} {% if edxapp_code_dir is defined %}--edxapp-python {{ COMMON_BIN_DIR }}/python.edxapp --edxapp-code-dir {{ edxapp_code_dir }} --edxapp-env {{ edxapp_app_dir }}/edxapp_env{% endif %} {% if xqueue_code_dir is defined %}--xqueue-code-dir {{ xqueue_code_dir }} --xqueue-python {{ COMMON_BIN_DIR }}/python.xqueue {% endif %} {% if ecommerce_code_dir is defined %}--ecommerce-env {{ ecommerce_home }}/ecommerce_env --ecommerce-code-dir {{ ecommerce_code_dir }} --ecommerce-python {{ COMMON_BIN_DIR }}/python.ecommerce {% endif %} {% if insights_code_dir is defined %}--insights-env {{ insights_home }}/insights_env --insights-code-dir {{ insights_code_dir }} --insights-python {{ COMMON_BIN_DIR }}/python.insights {% endif %} {% if analytics_api_code_dir is defined %}--analytics-api-env {{ analytics_api_home }}/analytics_api_env --analytics-api-code-dir {{ analytics_api_code_dir }} --analytics-api-python {{ COMMON_BIN_DIR }}/python.analytics_api {% endif %} {{ programs_command }} {{ credentials_command }}