update ansible to load put secrets in environment not .env file

private-attribution · Jul 9, 2024 · 135fd9b · 135fd9b
1 parent 44da939
commit 135fd9b
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 43 deletions.
diff --git a/server/ansible/deploy.yaml b/server/ansible/deploy.yaml
@@ -14,31 +14,21 @@
         state: present
         ci: true
 
-    - name: Load .env file
-      shell: >
-        aws secretsmanager get-secret-value
-        --secret-id {{ env_secret_id }}
-        --region {{ aws_region }}
-        --query SecretString
-        --output text |
-        jq -r 'to_entries|map("\(.key)=\"\(.value|tostring)\"")|.[]' >
-        .env
-      args:
-        chdir: '{{ ansible_env.HOME }}/draft/server'
-        executable: /bin/bash
-
-
-    - name: Rebuild draft website
+    - name: Build draft website
       shell: >
         npm run build
       args:
         chdir: '{{ ansible_env.HOME }}/draft/server'
         executable: /bin/bash
 
-
-    - name: Restart draft website
+    - name: start traefik and nextjs
       shell: >
-        npm run pm2-restart
+        source ansible/load_secrets.sh && npm run pm2-start
+      environment:
+        CERT_DIR: '{{ ansible_env.HOME }}/cert/'
+        DRAFT_DOMAIN: '{{ draft_domain }}'
+        DRAFT_PORT: '{{ draft_port }}'
+
       args:
         chdir: '{{ ansible_env.HOME }}/draft/server'
         executable: /bin/bash
diff --git a/server/ansible/load_secrets.sh b/server/ansible/load_secrets.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Check if the CERT_DIR environment variable is set
+if [ -z "$CERT_DIR" ]; then
+  echo "Error: CERT_DIR environment variable is not set."
+  exit 1
+fi
+
+# Directory where the cert files will be written
+CERT_DIR="$1"
+# Ensure the directory exists
+mkdir -p "$CERT_DIR"
+
+# load cert.pem file
+aws secretsmanager get-secret-value \
+    --secret-id cert.pem \
+    --region {{ aws_region }} \
+    --query SecretString \
+    --output text \
+    > "${CERT_DIR}"/cert.pem
+
+# load key.pem file
+aws secretsmanager get-secret-value \
+    --secret-id key.pem \
+    --region {{ aws_region }} \
+    --query SecretString \
+    --output text \
+    > ${CERT_DIR}/key.pem
+
+# set environmental variables
+aws secretsmanager get-secret-value \
+    --secret-id {{ env_secret_id }} \
+    --region {{ aws_region }} \
+    --query SecretString \
+    | jq -r 'fromjson | to_entries | .[] | "export \(.key)=\(.value|tostring)"' \
+    | while read -r line; do eval "$line"; done
diff --git a/server/ansible/provision.yaml b/server/ansible/provision.yaml
@@ -91,37 +91,16 @@
       command: 'setcap cap_net_bind_service=+ep {{ ansible_env.HOME }}/draft/traefik'
       become: yes
 
-    - name: Create cert directory
-      file:
-        path: '{{ ansible_env.HOME }}/cert'
-        state: directory
-
-    - name: Load cert.pem file
+    - name: Build draft website
       shell: >
-        aws secretsmanager get-secret-value
-        --secret-id cert.pem
-        --region {{ aws_region }}
-        --query SecretString
-        --output text > cert.pem
+        npm run build
       args:
-        chdir: '{{ ansible_env.HOME }}/cert'
-        executable: /bin/bash
-
-
-    - name: Load key.pem file
-      shell: >
-        aws secretsmanager get-secret-value
-        --secret-id key.pem
-        --region {{ aws_region }}
-        --query SecretString
-        --output text > key.pem
-      args:
-        chdir: '{{ ansible_env.HOME }}/cert'
+        chdir: '{{ ansible_env.HOME }}/draft/server'
         executable: /bin/bash
 
     - name: start traefik and nextjs
       shell: >
-        npm run pm2-start
+        source ansible/load_secrets.sh && npm run pm2-start
       environment:
         CERT_DIR: '{{ ansible_env.HOME }}/cert/'
         DRAFT_DOMAIN: '{{ draft_domain }}'