writing out private key directly in the vars file

playbooks/roles/certs/defaults/main.yml

@@ -28,7 +28,7 @@ CERTS_KEY_ID: "FEF8D954"
 # Path to git identity file for pull access to
 # the edX certificates repo - REQUIRED
 # Example - {{ secure_dir }}/files/git-identity
-CERTS_LOCAL_GIT_IDENTITY: !!null
+CERTS_GIT_IDENTITY: !!null
 # Path to public and private gpg key for signing
 # the edX certificate. Default is a dummy key
 CERTS_LOCAL_PRIVATE_KEY: "example-private-key.txt"
@@ -42,7 +42,7 @@ certs_venvs_dir: "{{ certs_app_dir }}/venvs"
 certs_venv_dir: "{{ certs_venvs_dir }}/certs"
 certs_venv_bin: "{{ certs_venv_dir }}/bin"
 certs_git_ssh: /tmp/git_ssh.sh
-certs_git_identity: "{{ certs_app_dir }}/git-identity"
+certs_git_identity: "{{ certs_app_dir }}/certs-git-identity"
 certs_requirements_file: "{{ certs_code_dir }}/requirements.txt"
 certs_repo: "git@github.com:/edx/certificates"
 certs_version: 'master'

playbooks/roles/certs/tasks/deploy.yml

@@ -26,15 +26,11 @@
     owner={{ certs_user }} mode=750
   notify: restart certs
 
-- stat: path={{ CERTS_LOCAL_GIT_IDENTITY }}
-  register: certs_identity
-
 - name: install read-only ssh key for the certs repo
   copy: >
-    src={{ CERTS_LOCAL_GIT_IDENTITY }} dest={{ certs_git_identity }}
+    content={{ CERTS_GIT_IDENTITY }} dest={{ certs_git_identity }}
     force=yes owner={{ certs_user }} mode=0600
   notify: restart certs
-  when: certs_identity.stat.exists
 
 - name: checkout certificates repo into {{ certs_code_dir }}
   git: dest={{ certs_code_dir }} repo={{ certs_repo }} version={{ certs_version }}
@@ -42,12 +38,10 @@
   environment:
     GIT_SSH: "{{ certs_git_ssh }}"
   notify: restart certs
-  when: certs_identity.stat.exists
 
 - name: remove read-only ssh key for the certs repo
   file: path={{ certs_git_identity }} state=absent
   notify: restart certs
-  when: certs_identity.stat.exists
 
 - name : install python requirements
   pip: requirements="{{ certs_requirements_file }}" virtualenv="{{ certs_venv_dir }}" state=present

playbooks/roles/certs/tasks/main.yml

@@ -32,8 +32,8 @@
 #     - certs
 #
 - name: Checking to see if git identity is set
-  fail: msg="You must set CERTS_LOCAL_GIT_IDENTITY var for this role!"
-  when: not CERTS_LOCAL_GIT_IDENTITY
+  fail: msg="You must set CERTS_GIT_IDENTITY var for this role!"
+  when: not CERTS_GIT_IDENTITY
 
 - name: create application user
   user: >

playbooks/roles/edxapp/defaults/main.yml

@@ -147,8 +147,9 @@ EDXAPP_AUTOMATOR_SUDO_CMDS:
 - "ALL=({{ common_web_user }})  NOPASSWD:SETENV:{{ COMMON_BIN_DIR }}/python.edxapp {{ COMMON_BIN_DIR }}/manage.edxapp lms transfer_students *"
 
 EDXAPP_USE_GIT_IDENTITY: false
-# Example: "{{ secure_dir }}/files/git-identity"
-EDXAPP_LOCAL_GIT_IDENTITY: !!null
+# Paste the contents of the git identity
+# into this var
+EDXAPP_GIT_IDENTITY: !!null
 
 # Configuration for database migration
 EDXAPP_TEST_MIGRATE_DB_NAME: "{{ COMMON_ENVIRONMENT }}_{{ COMMON_DEPLOYMENT }}_test_{{ EDXAPP_MYSQL_DB_NAME }}"
@@ -178,7 +179,7 @@ edxapp_staticfile_dir: "{{ edxapp_data_dir }}/staticfiles"
 edxapp_course_data_dir: "{{ edxapp_data_dir }}/data"
 edxapp_upload_dir: "{{ edxapp_data_dir }}/uploads"
 edxapp_theme_dir: "{{ edxapp_data_dir }}/themes"
-edxapp_git_identity: "{{ edxapp_app_dir }}/{{ EDXAPP_LOCAL_GIT_IDENTITY|basename }}"
+edxapp_git_identity: "{{ edxapp_app_dir }}/edxapp-git-identity"
 edxapp_git_ssh: "/tmp/edxapp_git_ssh.sh"
 edxapp_pypi_local_mirror: "http://localhost:{{ devpi_port }}/root/pypi/+simple"
 edxapp_workers:

playbooks/roles/edxapp/tasks/deploy.yml

@@ -22,7 +22,7 @@
 
 - name: install read-only ssh key
   copy: >
-    src={{ EDXAPP_LOCAL_GIT_IDENTITY }} dest={{ edxapp_git_identity }}
+    content={{ EDXAPP_GIT_IDENTITY }} dest={{ edxapp_git_identity }}
     force=yes owner={{ edxapp_user }} mode=0600
   when: EDXAPP_USE_GIT_IDENTITY
 

playbooks/roles/xserver/tasks/main.yml

@@ -8,8 +8,8 @@
   when: not XSERVER_GRADER_DIR or not XSERVER_GRADER_SOURCE
 
 - name: checking for git identity
-  fail: msg="You must define XSERVER_LOCAL_GIT_IDENTITY to use this role"
-  when: not XSERVER_LOCAL_GIT_IDENTITY
+  fail: msg="You must define XSERVER_GIT_IDENTITY to use this role"
+  when: not XSERVER_GIT_IDENTITY
 
 - name: create application user
   user: >

util/vpc-tools/abbey.py

@@ -200,11 +200,9 @@ def parse_args():
 
 def get_instance_sec_group(vpc_id):
 
-    security_group_id = None
-
     grp_details = ec2.get_all_security_groups(
         filters={
-            'vpc_id':vpc_id,
+            'vpc_id': vpc_id,
             'tag:play': args.play
         }
     )
@@ -242,10 +240,14 @@ def create_instance_args():
     if args.identity:
         config_secure = 'true'
         with open(args.identity) as f:
-            identity_file = f.read()
+            identity_contents = f.read()
     else:
         config_secure = 'false'
-        identity_file = "dummy"
+        identity_contents = "dummy"
+
+    # indent identity file with 4 spaces for
+    # yaml
+    identity_contents_indent = "\n".join(("    ") + line for line in identity_contents.splitlines())
 
     user_data = """#!/bin/bash
 set -x
@@ -311,7 +313,7 @@ chmod 755 $git_ssh
 
 if $config_secure; then
     cat << EOF > $secure_identity
-{identity_file}
+{identity_contents}
 EOF
 fi
 
@@ -331,7 +333,8 @@ cat << EOF >> $extra_vars
 # EDXAPP_USE_GIT_IDENTITY needs to be set
 # to true in the extra vars for this
 # variable to be used.
-EDXAPP_LOCAL_GIT_IDENTITY: $secure_identity
+EDXAPP_GIT_IDENTITY: |
+{identity_contents_indent}
 
 # abbey will always run fake migrations
 # this is so that the application can come
@@ -377,7 +380,8 @@ rm -rf $base_dir
                 deployment=args.deployment,
                 play=args.play,
                 config_secure=config_secure,
-                identity_file=identity_file,
+                identity_contents_indent=identity_contents_indent,
+                identity_contents=identity_contents,
                 queue_name=run_id,
                 extra_vars_yml=extra_vars_yml,
                 git_refs_yml=git_refs_yml,
@@ -543,7 +547,7 @@ def create_ami(instance_id, name, description):
                 time.sleep(AWS_API_WAIT_TIME)
                 img.add_tag("build_id", args.jenkins_build)
                 time.sleep(AWS_API_WAIT_TIME)
-                for repo,ref in git_refs.items():
+                for repo, ref in git_refs.items():
                     key = "vars:{}".format(repo)
                     img.add_tag(key, ref)
                     time.sleep(AWS_API_WAIT_TIME)