Merge pull request #875 from edx/jarv/add-edx-ansible-jenkins

Jarv/add edx ansible jenkins

playbooks/roles/aws/defaults/main.yml

@@ -34,19 +34,12 @@ AWS_S3_LOG_PATHS:
   - bucket: "{{ COMMON_ENVIRONMENT }}-{{ COMMON_DEPLOYMENT }}-tracking-logs"
     path: "{{ COMMON_LOG_DIR }}/*tracking*"
 
-# set this to true dump all extra vars
-# this is currently broken when extra vars
-# contains references to vars that are not
-# included in the play.
-AWS_DUMP_VARS: false
-
 #
 # vars are namespace with the module name.
 #
 aws_role_name: aws
 aws_data_dir: "{{ COMMON_DATA_DIR }}/aws"
 aws_app_dir: "{{ COMMON_APP_DIR }}/aws"
-aws_var_file: "{{ aws_app_dir }}/server-vars.yml"
 aws_s3_sync_script: "{{ aws_app_dir }}/send-logs-to-s3"
 aws_s3_logfile: "{{ aws_log_dir }}/s3-log-sync.log"
 aws_log_dir: "{{ COMMON_LOG_DIR }}/aws"

playbooks/roles/aws/tasks/main.yml

@@ -62,62 +62,6 @@
     dest={{ COMMON_BIN_DIR }}/s3cmd
     state=link
 
-# The sync script and config file are now symlinks
-# Remove them if they are regular files
-# This can be removed once we don't need to worry
-# about backwards compatibility.
-- stat: path={{ COMMON_BIN_DIR }}/{{ aws_s3_sync_script|basename }}
-  register: sync_script
-
-- stat: path={{ COMMON_CFG_DIR}}/{{ aws_var_file|basename }}
-  register: var_file
-
-- file: path={{ COMMON_BIN_DIR }}/{{ aws_s3_sync_script|basename }} state=absent
-  when: sync_script.stat.exists and sync_script.stat.isreg
-
-- file: path={{ COMMON_CFG_DIR}}/{{ aws_var_file|basename }} state=absent
-  when: var_file.stat.exists and var_file.stat.isreg
-
-- name: dump all vars to yaml
-  template: src=dumpall.yml.j2 dest={{ aws_var_file }} mode=0600
-  when: AWS_DUMP_VARS
-
-- name: create symlink for config file
-  file: >
-    src={{ aws_var_file }}
-    dest={{ COMMON_CFG_DIR }}/{{ aws_var_file|basename }}
-    state=link
-  when: AWS_DUMP_VARS
-
-- name: clean up var file, removing all version vars and internal ansible vars
-  shell: sed -i -e "/{{item}}/d" {{ aws_var_file }}
-  with_items:
-    # deploy versions
-    - "^edx_platform_version:"
-    - "^edx_platform_commit:"
-    - "^xqueue_version:"
-    - "^forum_version:"
-    - "^xserver_version:"
-    - "^discern_ease_version:"
-    - "^ora_ease_version:"
-    - "^discern_version:"
-    - "^ora_version:"
-    - "^configuration_version:"
-    - "^ease_version:"
-    - "^certs_version:"
-    # other misc vars
-    - "^tags:"
-    - "^_original_file:"
-    - "^register:"
-    - "^item:"
-    - "^failed_when:"
-    - "^changed_when:"
-    - "^delegate_to:"
-    - "^ansible_ssh_private_key_file:"
-    - "^always_run:"
-  when: AWS_DUMP_VARS
-
-
 - name: create s3 log sync script
   template: >
     dest={{ aws_s3_sync_script }}

playbooks/roles/certs/defaults/main.yml

@@ -28,7 +28,7 @@ CERTS_KEY_ID: "FEF8D954"
 # Path to git identity file for pull access to
 # the edX certificates repo - REQUIRED
 # Example - {{ secure_dir }}/files/git-identity
-CERTS_LOCAL_GIT_IDENTITY: !!null
+CERTS_GIT_IDENTITY: !!null
 # Path to public and private gpg key for signing
 # the edX certificate. Default is a dummy key
 CERTS_LOCAL_PRIVATE_KEY: "example-private-key.txt"
@@ -42,7 +42,7 @@ certs_venvs_dir: "{{ certs_app_dir }}/venvs"
 certs_venv_dir: "{{ certs_venvs_dir }}/certs"
 certs_venv_bin: "{{ certs_venv_dir }}/bin"
 certs_git_ssh: /tmp/git_ssh.sh
-certs_git_identity: "{{ certs_app_dir }}/git-identity"
+certs_git_identity: "{{ certs_app_dir }}/certs-git-identity"
 certs_requirements_file: "{{ certs_code_dir }}/requirements.txt"
 certs_repo: "git@github.com:/edx/certificates"
 certs_version: 'master'

playbooks/roles/certs/tasks/deploy.yml

@@ -26,15 +26,11 @@
     owner={{ certs_user }} mode=750
   notify: restart certs
 
-- stat: path={{ CERTS_LOCAL_GIT_IDENTITY }}
-  register: certs_identity
-
 - name: install read-only ssh key for the certs repo
   copy: >
-    src={{ CERTS_LOCAL_GIT_IDENTITY }} dest={{ certs_git_identity }}
+    content="{{ CERTS_GIT_IDENTITY }}" dest={{ certs_git_identity }}
     force=yes owner={{ certs_user }} mode=0600
   notify: restart certs
-  when: certs_identity.stat.exists
 
 - name: checkout certificates repo into {{ certs_code_dir }}
   git: dest={{ certs_code_dir }} repo={{ certs_repo }} version={{ certs_version }}
@@ -42,12 +38,10 @@
   environment:
     GIT_SSH: "{{ certs_git_ssh }}"
   notify: restart certs
-  when: certs_identity.stat.exists
 
 - name: remove read-only ssh key for the certs repo
   file: path={{ certs_git_identity }} state=absent
   notify: restart certs
-  when: certs_identity.stat.exists
 
 - name : install python requirements
   pip: requirements="{{ certs_requirements_file }}" virtualenv="{{ certs_venv_dir }}" state=present

playbooks/roles/certs/tasks/main.yml

@@ -32,8 +32,8 @@
 #     - certs
 #
 - name: Checking to see if git identity is set
-  fail: msg="You must set CERTS_LOCAL_GIT_IDENTITY var for this role!"
-  when: not CERTS_LOCAL_GIT_IDENTITY
+  fail: msg="You must set CERTS_GIT_IDENTITY var for this role!"
+  when: not CERTS_GIT_IDENTITY
 
 - name: create application user
   user: >

playbooks/roles/edx_ansible/defaults/main.yml

@@ -13,6 +13,12 @@
 #
 # OS packages
 #
+# set this to true dump all extra vars
+# this is currently broken when extra vars
+# contains references to vars that are not
+# included in the play.
+EDX_ANSIBLE_DUMP_VARS: false
+
 
 edx_ansible_debian_pkgs:
   - python-pip
@@ -32,6 +38,6 @@ edx_ansible_venv_bin: "{{ edx_ansible_venv_dir }}/bin"
 edx_ansible_user: "edx-ansible"
 edx_ansible_source_repo: https://github.com/edx/configuration.git
 edx_ansible_requirements_file: "{{ edx_ansible_code_dir }}/requirements.txt"
-edx_ansible_var_file: "{{ edx_ansible_data_dir }}/server-vars.yml"
 # edX configuration repo
 configuration_version: master
+edx_ansible_var_file: "{{ edx_ansible_app_dir }}/server-vars.yml"

playbooks/roles/edx_ansible/tasks/deploy.yml

@@ -18,12 +18,6 @@
     dest={{ COMMON_BIN_DIR }}/update
     state=link
 
-- name: create a symlink for var file
-  file: >
-    src={{ edx_ansible_var_file }}
-    dest={{ COMMON_CFG_DIR }}/{{ edx_ansible_var_file|basename }}
-    state=link
-
 - name: create a symlink for ansible-playbook
   file: >
     src={{ edx_ansible_venv_bin }}/ansible-playbook
@@ -35,3 +29,18 @@
     src={{ edx_ansible_code_dir }}/playbooks
     dest={{ COMMON_CFG_DIR }}/playbooks
     state=link
+
+- name: dump all vars to yaml
+  template: src=dumpall.yml.j2 dest={{ edx_ansible_var_file }} mode=0600
+  when: EDX_ANSIBLE_DUMP_VARS
+
+- name: create symlink for config file
+  file: >
+    src={{ edx_ansible_var_file }}
+    dest={{ COMMON_CFG_DIR }}/{{ edx_ansible_var_file|basename }}
+    state=link
+  when: EDX_ANSIBLE_DUMP_VARS
+
+- name: clean up var file, removing all version vars and internal ansible vars (anything not caps)
+  shell: python -c "import yaml; y=yaml.load(open('{{ edx_ansible_var_file }}')); f=open('{{ edx_ansible_var_file }}', 'wb'); f.write(yaml.safe_dump({key:value for key,value in y.iteritems() if key.isupper()}, default_flow_style=False)); f.close();"
+  when: EDX_ANSIBLE_DUMP_VARS

playbooks/roles/edxapp/defaults/main.yml

@@ -147,8 +147,9 @@ EDXAPP_AUTOMATOR_SUDO_CMDS:
 - "ALL=({{ common_web_user }})  NOPASSWD:SETENV:{{ COMMON_BIN_DIR }}/python.edxapp {{ COMMON_BIN_DIR }}/manage.edxapp lms transfer_students *"
 
 EDXAPP_USE_GIT_IDENTITY: false
-# Example: "{{ secure_dir }}/files/git-identity"
-EDXAPP_LOCAL_GIT_IDENTITY: !!null
+# Paste the contents of the git identity
+# into this var
+EDXAPP_GIT_IDENTITY: !!null
 
 # Configuration for database migration
 EDXAPP_TEST_MIGRATE_DB_NAME: "{{ COMMON_ENVIRONMENT }}_{{ COMMON_DEPLOYMENT }}_test_{{ EDXAPP_MYSQL_DB_NAME }}"
@@ -178,7 +179,7 @@ edxapp_staticfile_dir: "{{ edxapp_data_dir }}/staticfiles"
 edxapp_course_data_dir: "{{ edxapp_data_dir }}/data"
 edxapp_upload_dir: "{{ edxapp_data_dir }}/uploads"
 edxapp_theme_dir: "{{ edxapp_data_dir }}/themes"
-edxapp_git_identity: "{{ edxapp_app_dir }}/{{ EDXAPP_LOCAL_GIT_IDENTITY|basename }}"
+edxapp_git_identity: "{{ edxapp_app_dir }}/edxapp-git-identity"
 edxapp_git_ssh: "/tmp/edxapp_git_ssh.sh"
 edxapp_pypi_local_mirror: "http://localhost:{{ devpi_port }}/root/pypi/+simple"
 edxapp_workers:

playbooks/roles/edxapp/tasks/deploy.yml

@@ -22,7 +22,7 @@
 
 - name: install read-only ssh key
   copy: >
-    src={{ EDXAPP_LOCAL_GIT_IDENTITY }} dest={{ edxapp_git_identity }}
+    content="{{ EDXAPP_GIT_IDENTITY }}" dest={{ edxapp_git_identity }}
     force=yes owner={{ edxapp_user }} mode=0600
   when: EDXAPP_USE_GIT_IDENTITY
 

playbooks/roles/jenkins_admin/defaults/main.yml

@@ -23,8 +23,8 @@ JENKINS_ADMIN_NAME: 'default_jenkins_name'
 # JENKINS_ADMIN_CONFIGURATION_REPO: !!null
 # JENKINS_ADMIN_CONFIGURATION_SECURE_REPO: !!null
 #
-# # Local path to the key to use to checkout secure repos on jenkins and in abbey
-# JENKINS_ADMIN_GIT_KEY_LOCAL_PATH: !!null
+# # git key to use to checkout secure repos on jenkins and in abbey
+# JENKINS_ADMIN_GIT_KEY: !!null
 #
 # # EC2 Key to use when bringing up the abbey instance in ec2 (aws key-pair)
 # JENKINS_ADMIN_EC2_KEY: !!null

playbooks/roles/jenkins_admin/tasks/main.yml

@@ -39,8 +39,8 @@
 - fail: "JENKINS_ADMIN_CONFIGURATION_SECURE_REPO is not defined."
   when: JENKINS_ADMIN_CONFIGURATION_SECURE_REPO is not defined
 
-- fail: "JENKINS_ADMIN_GIT_KEY_LOCAL_PATH is not defined."
-  when: JENKINS_ADMIN_GIT_KEY_LOCAL_PATH is not defined
+- fail: "JENKINS_ADMIN_GIT_KEY is not defined."
+  when: JENKINS_ADMIN_GIT_KEY is not defined
 
 - fail: "JENKINS_ADMIN_EC2_KEY is not defined."
   when: JENKINS_ADMIN_EC2_KEY is not defined
@@ -88,7 +88,7 @@
 
 - name: drop the secure credentials
   copy: >
-    src={{JENKINS_ADMIN_GIT_KEY_LOCAL_PATH}}
+    content="{{ JENKINS_ADMIN_GIT_KEY }}"
     dest={{jenkins_home}}/.ssh/id_rsa
     owner={{jenkins_user}}
     group={{jenkins_group}}

playbooks/roles/xserver/defaults/main.yml

@@ -11,8 +11,7 @@ XSERVER_GRADER_DIR: !!null
 # For 6.00x use "git@github.com:/MITx/6.00x.git"
 XSERVER_GRADER_SOURCE: !!null
 # This must be set to run this role
-# Example: "{{ secure_dir }}/files/git-identity"
-XSERVER_LOCAL_GIT_IDENTITY: !!null
+XSERVER_GIT_IDENTITY: !!null
 
 XSERVER_LANG: "en_US.UTF-8"
 
@@ -29,7 +28,7 @@ xserver_user: "xserver"
 xserver_sandbox_user: "sandbox"
 xserver_log_dir: "{{ COMMON_LOG_DIR }}/xserver"
 xserver_grader_root: "{{ XSERVER_GRADER_DIR }}/graders"
-xserver_git_identity: "{{ xserver_app_dir }}/{{ XSERVER_LOCAL_GIT_IDENTITY|basename }}"
+xserver_git_identity: "{{ xserver_app_dir }}/xserver-identity"
 
 xserver_env_config:
   RUN_URL: $XSERVER_RUN_URL

playbooks/roles/xserver/tasks/deploy.yml

@@ -23,25 +23,17 @@
   sudo_user: "{{ xserver_user }}"
   notify: restart xserver
 
-# Check to see if the identity file exists before copying.
-# This extra check is done to prevent failures when
-# ansible-playbook is run locally
-- stat: path={{ XSERVER_LOCAL_GIT_IDENTITY }}
-  register: xserver_identity
-
 - name: install read-only ssh key for the content repo that is required for grading
   copy: >
-    src={{ XSERVER_LOCAL_GIT_IDENTITY }} dest={{ xserver_git_identity }}
+    content="{{ XSERVER_GIT_IDENTITY }}" dest={{ xserver_git_identity }}
     owner={{ xserver_user }} group={{ xserver_user }} mode=0600
   notify: restart xserver
-  when: xserver_identity.stat.exists
 
 - name: upload ssh script
   template: >
     src=git_ssh.sh.j2 dest=/tmp/git_ssh.sh
     owner={{ xserver_user }} mode=750
   notify: restart xserver
-  when: xserver_identity.stat.exists
 
 - name: checkout grader code
   git: dest={{ XSERVER_GRADER_DIR }} repo={{ XSERVER_GRADER_SOURCE }} version={{ xserver_grader_version }}
@@ -49,12 +41,10 @@
     GIT_SSH: /tmp/git_ssh.sh
   notify: restart xserver
   sudo_user: "{{ xserver_user }}"
-  when: xserver_identity.stat.exists
 
 - name: remove read-only ssh key for the content repo
   file: path={{ xserver_git_identity }} state=absent
   notify: restart xserver
-  when: xserver_identity.stat.exists
 
   # call supervisorctl update. this reloads
   # the supervisorctl config and restarts

playbooks/roles/xserver/tasks/main.yml

@@ -8,8 +8,8 @@
   when: not XSERVER_GRADER_DIR or not XSERVER_GRADER_SOURCE
 
 - name: checking for git identity
-  fail: msg="You must define XSERVER_LOCAL_GIT_IDENTITY to use this role"
-  when: not XSERVER_LOCAL_GIT_IDENTITY
+  fail: msg="You must define XSERVER_GIT_IDENTITY to use this role"
+  when: not XSERVER_GIT_IDENTITY
 
 - name: create application user
   user: >

util/jenkins/ansible-provision.sh

@@ -21,21 +21,11 @@
 export PYTHONUNBUFFERED=1
 export BOTO_CONFIG=/var/lib/jenkins/${aws_account}.boto
 
-if [[ -n $WORKSPACE ]]; then
-    # setup a virtualenv in jenkins
-    if [[ ! -d ".venv" ]]; then
-        virtualenv .venv
-    fi
-    source .venv/bin/activate
-    pip install -r requirements.txt
-fi
-
-
 if [[ -z $WORKSPACE ]]; then
     dir=$(dirname $0)
     source "$dir/ascii-convert.sh"
 else
-    source "$WORKSPACE/util/jenkins/ascii-convert.sh"
+    source "$WORKSPACE/configuration/util/jenkins/ascii-convert.sh"
 fi
 
 if [[ -z $static_url_base ]]; then
@@ -76,7 +66,7 @@ fi
 if [[ -z $ami ]]; then
   if [[ $server_type == "full_edx_installation" ]]; then
     ami="ami-bd6b6ed4"
-  elif [[ $server_type == "ubuntu_12.04" ]]; then
+  elif [[ $server_type == "ubuntu_12.04" || $server_type == "full_edx_installation_from_scratch" ]]; then
     ami="ami-a73264ce"
   fi
 fi
@@ -92,31 +82,11 @@ cd playbooks/edx-east
 
 cat << EOF > $extra_vars
 ---
-enable_datadog: False
-enable_splunkforwarder: False
-enable_newrelic: False
 ansible_ssh_private_key_file: /var/lib/jenkins/${keypair}.pem
-NGINX_ENABLE_SSL: True
-NGINX_SSL_CERTIFICATE: '/var/lib/jenkins/star.sandbox.edx.org.crt'
-NGINX_SSL_KEY: '/var/lib/jenkins/star.sandbox.edx.org.key'
-EDXAPP_LMS_SSL_NGINX_PORT: 443
-EDXAPP_CMS_SSL_NGINX_PORT: 443
 EDXAPP_PREVIEW_LMS_BASE: preview.${deploy_host}
 EDXAPP_LMS_BASE: ${deploy_host}
 EDXAPP_CMS_BASE: studio.${deploy_host}
-EDXAPP_LMS_NGINX_PORT: 80
-EDXAPP_LMS_PREVIEW_NGINX_PORT: 80
-EDXAPP_CMS_NGINX_PORT: 80
 EDXAPP_SITE_NAME: ${deploy_host}
-XSERVER_GRADER_DIR: "/edx/var/xserver/data/content-mit-600x~2012_Fall"
-XSERVER_GRADER_SOURCE: "git@github.com:/MITx/6.00x.git"
-XSERVER_LOCAL_GIT_IDENTITY: /var/lib/jenkins/git-identity-edx-pull
-CERTS_LOCAL_GIT_IDENTITY: /var/lib/jenkins/git-identity-edx-pull
-CERTS_AWS_KEY: $(cat /var/lib/jenkins/certs-aws-key)
-CERTS_AWS_ID: $(cat /var/lib/jenkins/certs-aws-id) 
-CERTS_BUCKET: "verify-test.edx.org"
-migrate_db: "yes"
-openid_workaround: True
 edx_platform_version: $edxapp_version
 forum_version: $forum_version
 xqueue_version: $xqueue_version
@@ -125,24 +95,7 @@ ora_version: $ora_version
 ease_version: $ease_version
 certs_version: $certs_version
 discern_version: $discern_version
-
-rabbitmq_ip: "127.0.0.1"
-rabbitmq_refresh: True
-COMMON_HOSTNAME: edx-server
-COMMON_DEPLOYMENT: edx
-COMMON_ENVIRONMENT: sandbox
 EDXAPP_STATIC_URL_BASE: $static_url_base
-
-# Settings for Grade downloads
-EDXAPP_GRADE_STORAGE_TYPE: 's3'
-EDXAPP_GRADE_BUCKET: 'edx-grades'
-EDXAPP_GRADE_ROOT_PATH: 'sandbox'
-
-# send logs to s3
-AWS_S3_LOGS: true
-AWS_S3_LOGS_NOTIFY_EMAIL: devops+sandbox-log-sync@edx.org
-AWS_S3_LOGS_FROM_EMAIL: devops@edx.org
-AWS_DUMP_VARS: true
 EOF
 
 if [[ $basic_auth == "true" ]]; then
@@ -184,13 +137,13 @@ EOF
 
     # run the tasks to launch an ec2 instance from AMI
     cat $extra_vars
-    ansible-playbook edx_provision.yml  -i inventory.ini -e "@${extra_vars}"  --user ubuntu  -v
+    ansible-playbook edx_provision.yml  -i inventory.ini -e@${extra_vars} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu  -v
 
     if [[ $server_type == "full_edx_installation" ]]; then
         # additional tasks that need to be run if the
         # entire edx stack is brought up from an AMI
-        ansible-playbook rabbitmq.yml -i "${deploy_host}," -e "@${extra_vars}" --user ubuntu
-        ansible-playbook restart_supervisor.yml -i "${deploy_host}," -e "@${extra_vars}" --user ubuntu
+        ansible-playbook rabbitmq.yml -i "${deploy_host}," -e@${extra_vars} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu
+        ansible-playbook restart_supervisor.yml -i "${deploy_host}," -e@${extra_vars} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu
     fi
 fi
 
@@ -202,22 +155,22 @@ done
 
 # If reconfigure was selected or if starting from an ubuntu 12.04 AMI
 # run non-deploy tasks for all roles
-if [[ $reconfigure == "true" ]]; then
+if [[ $reconfigure == "true" || $server_type == "full_edx_installation_from_scratch" ]]; then
     cat $extra_vars
-    ansible-playbook edx_continuous_integration.yml -i "${deploy_host}," -e "@${extra_vars}" --user ubuntu --skip-tags deploy
+    ansible-playbook edx_continuous_integration.yml -i "${deploy_host}," -e@${extra_vars} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu --skip-tags deploy
 fi
 
-if [[ $server_type == "full_edx_installation" ]]; then
+if [[ $server_type == "full_edx_installation" || $server_type == "full_edx_installation_from_scratch" ]]; then
     # Run deploy tasks for the roles selected
     for i in $roles; do
         if [[ ${deploy[$i]} == "true" ]]; then
             cat $extra_vars
-            ansible-playbook ${i}.yml -i "${deploy_host}," -e "@${extra_vars}" --user ubuntu --tags deploy
+            ansible-playbook ${i}.yml -i "${deploy_host}," -e@${extra_vars} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu --tags deploy
         fi
     done
 fi
 
 # deploy the edx_ansible role
-ansible-playbook edx_ansible.yml -i "${deploy_host}," -e "@${extra_vars}" --user ubuntu
+ansible-playbook edx_ansible.yml -i "${deploy_host}," -e@${extra_vars} -e@${WORKSPACE}/configuration-secure/ansible/vars/developer-sandbox.yml --user ubuntu
 
 rm -f "$extra_vars"

util/vpc-tools/abbey.py

@@ -200,11 +200,9 @@ def parse_args():
 
 def get_instance_sec_group(vpc_id):
 
-    security_group_id = None
-
     grp_details = ec2.get_all_security_groups(
         filters={
-            'vpc_id':vpc_id,
+            'vpc_id': vpc_id,
             'tag:play': args.play
         }
     )
@@ -242,10 +240,10 @@ def create_instance_args():
     if args.identity:
         config_secure = 'true'
         with open(args.identity) as f:
-            identity_file = f.read()
+            identity_contents = f.read()
     else:
         config_secure = 'false'
-        identity_file = "dummy"
+        identity_contents = "dummy"
 
     user_data = """#!/bin/bash
 set -x
@@ -311,7 +309,7 @@ chmod 755 $git_ssh
 
 if $config_secure; then
     cat << EOF > $secure_identity
-{identity_file}
+{identity_contents}
 EOF
 fi
 
@@ -324,15 +322,6 @@ cat << EOF >> $extra_vars
 
 {git_refs_yml}
 
-# The private key used for pulling down
-# private edx-platform repos is the same
-# identity of the github huser that has
-# access to the secure vars repo.
-# EDXAPP_USE_GIT_IDENTITY needs to be set
-# to true in the extra vars for this
-# variable to be used.
-EDXAPP_LOCAL_GIT_IDENTITY: $secure_identity
-
 # abbey will always run fake migrations
 # this is so that the application can come
 # up healthy
@@ -377,7 +366,7 @@ rm -rf $base_dir
                 deployment=args.deployment,
                 play=args.play,
                 config_secure=config_secure,
-                identity_file=identity_file,
+                identity_contents=identity_contents,
                 queue_name=run_id,
                 extra_vars_yml=extra_vars_yml,
                 git_refs_yml=git_refs_yml,
@@ -543,7 +532,7 @@ def create_ami(instance_id, name, description):
                 time.sleep(AWS_API_WAIT_TIME)
                 img.add_tag("build_id", args.jenkins_build)
                 time.sleep(AWS_API_WAIT_TIME)
-                for repo,ref in git_refs.items():
+                for repo, ref in git_refs.items():
                     key = "vars:{}".format(repo)
                     img.add_tag(key, ref)
                     time.sleep(AWS_API_WAIT_TIME)