fix: add encrypting to ansible exec scripts

Author: ludwig-mueller

solutions/standard-openshift/ansible/main.tf

@@ -123,8 +123,7 @@ resource "terraform_data" "execute_playbooks" {
   provisioner "remote-exec" {
     inline = [
       "if [ -f \"~/.powervs/config.json\" ]; then echo ${var.ansible_vault_password} > password_file",
-      "if [ -f \"~/.powervs/config.json\" ]; then ansible-vault decrypt ~/.powervs/config.json --vault-password-file password_file",
-      "rm -f password_file"
+      "if [ -f \"~/.powervs/config.json\" ]; then ansible-vault decrypt ~/.powervs/config.json --vault-password-file password_file"
     ]
   }
 
@@ -227,9 +226,7 @@ resource "terraform_data" "execute_playbooks_with_vault" {
   # Decrypt ocp config if it already exists
   provisioner "remote-exec" {
     inline = [
-      "if [ -f \"~/.powervs/config.json\" ]; then echo ${var.ansible_vault_password} > password_file",
-      "if [ -f \"~/.powervs/config.json\" ]; then ansible-vault decrypt ~/.powervs/config.json --vault-password-file password_file",
-      "rm -f password_file"
+      "if [ -f \"~/.powervs/config.json\" ]; then ansible-vault decrypt ~/.powervs/config.json --vault-password-file password_file"
     ]
   }
 
@@ -241,23 +238,24 @@ resource "terraform_data" "execute_playbooks_with_vault" {
     ]
   }
 
-  # Again delete Ansible Vault password used to encrypt the var
-  # files with sensitive information and private ssh key
+  # Encrypt ocp config if it already exists
   provisioner "remote-exec" {
     inline = [
-      "rm -rf password_file",
-      "rm -rf ${local.private_key_file}"
+      "if [ -f \"~/.powervs/config.json\" ]; then echo ${var.ansible_vault_password} > password_file",
+      "if [ -f \"~/.powervs/config.json\" ]; then ansible-vault encrypt ~/.powervs/config.json --vault-password-file password_file",
+      "rm -f password_file"
     ]
   }
 
-  # Encrypt ocp config if it already exists
+  # Again delete Ansible Vault password used to encrypt the var
+  # files with sensitive information and private ssh key
   provisioner "remote-exec" {
     inline = [
-      "if [ -f \"~/.powervs/config.json\" ]; then echo ${var.ansible_vault_password} > password_file",
-      "if [ -f \"~/.powervs/config.json\" ]; then ansible-vault encrypt ~/.powervs/config.json --vault-password-file password_file",
-      "rm -f password_file"
+      "rm -rf password_file",
+      "rm -rf ${local.private_key_file}"
     ]
   }
+
 }
 
 

solutions/standard-openshift/ansible/templates-ansible/deploy-openshift-cluster/ansible_exec.sh.tftpl

@@ -24,8 +24,12 @@ export IBMCLOUD_API_KEY=$${IBMCLOUD_API_KEY}
 unbuffer ansible-playbook -i $${ansible_inventory} $${ansible_playbook} --extra-vars "IBMCLOUD_API_KEY=$IBMCLOUD_API_KEY"
 ## On failure:
 if [ $? -ne 0 ]; then
+    if [ -f "~/.powervs/config.json" ]; then ansible-vault encrypt ~/.powervs/config.json --vault-password-file password_file
+    rm -f password_file
     rm -rf $${ansible_private_key_file}
     exit 1
 fi
 echo \"Playbook command successful\"
 rm -rf $${ansible_private_key_file}
+if [ -f "~/.powervs/config.json" ]; then ansible-vault encrypt ~/.powervs/config.json --vault-password-file password_file
+rm -f password_file

solutions/standard-openshift/ansible/templates-ansible/deploy-openshift-cluster/ansible_exec_vault.sh.tftpl

@@ -24,8 +24,12 @@ export IBMCLOUD_API_KEY=$${IBMCLOUD_API_KEY}
 unbuffer ansible-playbook -i $${ansible_inventory} $${ansible_playbook} --extra-vars "IBMCLOUD_API_KEY=$IBMCLOUD_API_KEY" --vault-password-file password_file
 ## On failure:
 if [ $? -ne 0 ]; then
+    if [ -f "~/.powervs/config.json" ]; then ansible-vault encrypt ~/.powervs/config.json --vault-password-file password_file
+    rm -f password_file
     rm -rf $${ansible_private_key_file}
     exit 1
 fi
 echo \"Playbook command successful\"
 rm -rf $${ansible_private_key_file}
+if [ -f "~/.powervs/config.json" ]; then ansible-vault encrypt ~/.powervs/config.json --vault-password-file password_file
+rm -f password_file