BFD-3219: Init commit to remove ansible-vault references

ops/ansible/playbooks-ccs/ansible.cfg

@@ -3,10 +3,6 @@
 # Use an inventory file specific to this repo/project.
 inventory = ./hosts
 
-# Look for the Ansible Vault password in this (.gitignore'd) file.
-# If you need this password, please contact [email protected].
-# vault_password_file = vault.password
-
 # Ensures that roles & modules installed from install_roles.yml can be used.
 roles_path = ./roles_external:../roles
 library = ./roles_external:../roles

ops/ansible/roles/bfd-db-migrator/README.md

@@ -52,8 +52,8 @@ Here's an example of how to apply this role to the `bfd-db-migrator` host in an
             bfd_version: 2.0.0-SNAPSHOT
             db_migrator_zip: "{{ lookup('env','HOME') }}/.m2/repository/gov/cms/bfd/bfd-db-migrator/{{ bfd_version }}/bfd-db-migrator-{{ bfd_version }}.zip"
             db_migrator_db_url: 'jdbc:hsqldb:mem:test'
-            db_migrator_db_username: "{{ vault_db_migrator_db_username }}"
-            db_migrator_db_password: "{{ vault_db_migrator_db_password }}"
+            db_migrator_db_username: "{{ ssm_db_migrator_db_username }}"
+            db_migrator_db_password: "{{ ssm_db_migrator_db_password }}"
 
 
 Running the Tests

ops/ansible/roles/bfd-pipeline/README.md

@@ -53,11 +53,11 @@ Here's an example of how to apply this role to the `etlbox` host in an Ansible p
           vars:
             data_pipeline_zip: /home/karlmdavis/workspaces/cms/beneficiary-fhir-data.git/apps/bfd-pipeline/bfd-pipeline-app/target/bfd-pipeline-app-2.0.0-SNAPSHOT.zip
             data_pipeline_s3_bucket: name-of-the-s3-bucket-with-the-data-to-process
-            data_pipeline_hicn_hash_iterations: "{{ vault_data_pipeline_hicn_hash_iterations }}"
-            data_pipeline_hicn_hash_pepper: "{{ vault_data_pipeline_hicn_hash_pepper }}"
+            data_pipeline_hicn_hash_iterations: "{{ ssm_data_pipeline_hicn_hash_iterations }}"
+            data_pipeline_hicn_hash_pepper: "{{ ssm_data_pipeline_hicn_hash_pepper }}"
             data_pipeline_db_url: 'jdbc:postgresql://mydbserver.example.com:5432/mydb'
-            data_pipeline_db_username: "{{ vault_data_pipeline_db_username }}"
-            data_pipeline_db_password: "{{ vault_data_pipeline_db_password }}"
+            data_pipeline_db_username: "{{ ssm_data_pipeline_db_username }}"
+            data_pipeline_db_password: "{{ ssm_data_pipeline_db_password }}"
 
 Running the Tests
 -----------------

ops/ansible/roles/bfd-pipeline/defaults/main.yml

@@ -24,7 +24,7 @@ rif_job_queue_size_multiple_claims: 10
 data_pipeline_rda_job_enabled: false
 
 # Communication settings for RDA API server.
-# These are defined in the vault rather than plain text.
+# These are defined in ssm rather than plain text.
 data_pipeline_rda_grpc_host: undefined
 data_pipeline_rda_grpc_port: 443
 
@@ -40,7 +40,7 @@ data_pipeline_rda_job_write_threads: 1
 # How long to allow the RDA API stream to be idle before closing the connection.
 data_pipeline_rda_grpc_max_idle_seconds: 600
 
-# By default call the RDA API with no token.  Override this value in env specific vault
+# By default call the RDA API with no token.  Override this value in env specific ssm
 # to enable authentication.
 data_pipeline_rda_grpc_auth_token: ''
 
@@ -51,7 +51,7 @@ data_pipeline_rda_grpc_server_type: 'Remote'
 data_pipeline_rda_grpc_inproc_server_mode: ''
 
 # An InProcess server can serve data from NDJSON files in an S3 bucket.
-# These settings are defined in the vault rather than plain text but we 
+# These settings are defined in the ssm rather than plain text but we
 # provide empty string values here so the script has values for the
 # environment variables when the mock server is not in use.
 # Region containing S3 bucket.

ops/ccs-ops-misc/restore-aurora-snapshot/README.md

@@ -17,16 +17,17 @@ The script will prompt for all nessecary information.
 
 Database Failure Scenario Walkthrough
 -------------------------------------
-Lets say some data corruption has been introduced to the database after the latest ETL run and you want to get the FHIR servers on yesterdays copy of the data while you troubleshoot the issue.  That scenario might go like this:
+Let's say some data corruption has been introduced to the database after the latest ETL run and you want to get the FHIR servers on yesterday's copy of the data while you troubleshoot the issue.  That scenario might go like this:
 - Run the restore script to create a temporary restore cluster:
   - `cd ops/ccs-ops-misc/restore-aurora-snapshot`
   - `source .venv/bin/activate`
   - `python3 restore_aurora_snapshot.py`
-- Create a new branch with updated FHIR server databse config:
+- Create a new branch with updated FHIR server database config:
   - `git checkout -b myname/myhotfixbranch`
   - `cd ops/ansible/playbooks-ccs`
   - `source .venv/bin/activate`
-  - `ansible-vault edit vars/(env)/group_vars/all/vault.yml`
+  - `cd ops/terraform/env/mgmt/base_config`
+  - `./scripts/edit-yaml.sh (env)`
   - `git commit -a -m 'Emergency procedure configure FHIR servers in (env) to use temporary aurora cluster'`
 - Push your branch to github:
   - `git push -u origin myname/myhotfixbranch`

ops/ccs-ops-misc/tls-certificates/make_bfd_keystores.sh

@@ -72,6 +72,6 @@ gen_keystore "cn=test.bfd.cms.gov" \
     "san=dns:test.bfd.cms.gov" \
     "test"
 
-# Encrypt
-echo "About to encrypt using ansible vault..."
-ansible-vault encrypt --ask-vault-pass prod-bluebutton-appserver-keystore.pfx prod-sbx-bluebutton-appserver-keystore.pfx test-bluebutton-appserver-keystore.pfx
+# Update SSM params in prod.yaml - bfd/prod/server/server_keystore_base64
+# cd ops/terraform/env/mgmt/base_config
+# ./scripts/edit-yaml.sh prod

ops/deploy-ccs.groovy

@@ -129,20 +129,17 @@ def buildDockerHostAmi(String gitBranchName, String gitCommitId, String platinum
  * @param templateFile the relative path to the packer template file
  */
 def packerBuildAmis(String platinumAmiId, String gitBranchName, String gitCommitId, String templateFile) {
-	withCredentials([file(credentialsId: 'bfd-vault-password', variable: 'vaultPasswordFile')]) {
-		withEnv(["platinumAmiId=${platinumAmiId}", "gitBranchName=${gitBranchName}",
-				 "gitCommitId=${gitCommitId}", "templateFile=${templateFile}"]) {
-			// build AMIs in parallel
-			sh '''
+	withEnv(["platinumAmiId=${platinumAmiId}", "gitBranchName=${gitBranchName}",
+		 "gitCommitId=${gitCommitId}", "templateFile=${templateFile}"]) {
+	// build AMIs in parallel
+	sh '''
 packer build -color=false \
--var vault_password_file="$vaultPasswordFile" \
 -var source_ami="$platinumAmiId" \
 -var subnet_id=subnet-092c2a68bd18b34d1 \
 -var git_branch="$gitBranchName" \
 -var git_commit="$gitCommitId" \
 "$templateFile"
 '''
-		}
 	}
 }
 

ops/jenkins/bfd-build-platinum/Jenkinsfile

@@ -21,19 +21,17 @@ def platinumAmiId
 def currentStage
 
 def buildPlatinum(String goldId = '') {
-    // Retrieve latest platium and assign the sourceAmiId tag value with the latest gold AMI ID.
-    withCredentials([file(credentialsId: 'bfd-vault-password', variable: 'vaultPasswordFile')]) {
-        // packer is always run from $repoRoot/ops/ansible/playbooks-ccs
-        dir('ops/ansible/playbooks-ccs') {
-            echo "Using the following gold image: ${goldId}"
-
-            sh """
-            packer build -color=false -var vault_password_file="$vaultPasswordFile" \
-            -var source_ami=${goldId} \
-            -var subnet_id=subnet-092c2a68bd18b34d1 \
-            ../../packer/build_bfd-platinum.json
-            """
-        }
+    // Retrieve latest platinum and assign the sourceAmiId tag value with the latest gold AMI ID.
+    // packer is always run from $repoRoot/ops/ansible/playbooks-ccs
+    dir('ops/ansible/playbooks-ccs') {
+        echo "Using the following gold image: ${goldId}"
+
+        sh """
+        packer build -color=false \
+        -var source_ami=${goldId} \
+        -var subnet_id=subnet-092c2a68bd18b34d1 \
+        ../../packer/build_bfd-platinum.json
+        """
     }
 }
 

ops/packer/build_bfd-all.json

@@ -1,8 +1,7 @@
 {
   "variables": {
     "source_ami": "",
-    "subnet_id": "",
-    "vault_password_file": ""
+    "subnet_id": ""
   },
   "builders": [
     {
@@ -109,8 +108,7 @@
         "pre-ami"
       ],
       "ansible_env_vars": [
-        "ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes'",
-        "ANSIBLE_VAULT_PASSWORD_FILE={{user `vault_password_file`}}"
+        "ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes'"
       ]
     },
     {
@@ -129,8 +127,7 @@
         "pre-ami"
       ],
       "ansible_env_vars": [
-        "ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes'",
-        "ANSIBLE_VAULT_PASSWORD_FILE={{user `vault_password_file`}}"
+        "ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes'"
       ]
     },
     {
@@ -149,8 +146,7 @@
         "pre-ami"
       ],
       "ansible_env_vars": [
-        "ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes'",
-        "ANSIBLE_VAULT_PASSWORD_FILE={{user `vault_password_file`}}"
+        "ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes'"
       ]
     }
   ],

ops/packer/build_bfd-db-migrator.json

@@ -1,8 +1,7 @@
 {
   "variables": {
     "source_ami": "",
-    "subnet_id": "",
-    "vault_password_file": ""
+    "subnet_id": ""
   },
   "builders": [{
       "type": "amazon-ebs",
@@ -44,8 +43,7 @@
         "pre-ami"
       ],
       "ansible_env_vars": [
-        "ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes'",
-        "ANSIBLE_VAULT_PASSWORD_FILE={{user `vault_password_file`}}"
+        "ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes'"
       ]
       },
       {

ops/packer/build_bfd-pipeline.json

@@ -1,8 +1,7 @@
 {
   "variables": {
     "source_ami": "",
-    "subnet_id": "",
-    "vault_password_file": ""
+    "subnet_id": ""
   },
   "builders": [{
       "type": "amazon-ebs",
@@ -44,8 +43,7 @@
         "pre-ami"
       ],
       "ansible_env_vars": [
-        "ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes'",
-        "ANSIBLE_VAULT_PASSWORD_FILE={{user `vault_password_file`}}"
+        "ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes'"
       ]
       },
       {

ops/packer/build_bfd-platinum.json

@@ -1,8 +1,7 @@
 {
   "variables": {
     "source_ami": "",
-    "subnet_id": "",
-    "vault_password_file": ""
+    "subnet_id": ""
   },
   "builders": [{
       "type": "amazon-ebs",
@@ -42,8 +41,7 @@
       "user": "ec2-user",
       "playbook_file": "./build_bfd-platinum.yml",
       "ansible_env_vars": [
-        "ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes'",
-        "ANSIBLE_VAULT_PASSWORD_FILE={{user `vault_password_file`}}"
+        "ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes'"
       ]
     }
   ],

ops/packer/build_bfd-server.json

@@ -1,8 +1,7 @@
 {
   "variables": {
     "source_ami": "",
-    "subnet_id": "",
-    "vault_password_file": ""
+    "subnet_id": ""
   },
   "builders": [{
       "type": "amazon-ebs",
@@ -44,8 +43,7 @@
         "pre-ami"
       ],
       "ansible_env_vars": [
-        "ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes'",
-        "ANSIBLE_VAULT_PASSWORD_FILE={{user `vault_password_file`}}"
+        "ANSIBLE_SSH_ARGS='-o IdentitiesOnly=yes'"
       ]
       },
       {

ops/terraform/env/mgmt/README.md

@@ -46,7 +46,6 @@ https://terraform-docs.io/user-guide/configuration/
 | [aws_iam_group_policy_attachment.app_engineers_vpc_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
 | [aws_iam_group_policy_attachment.jenkins_user_group_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
 | [aws_iam_openid_connect_provider.github_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
-| [aws_iam_policy.ansible_vault_pw_ro_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.bfd_ssm_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.code_artifact_ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.code_artifact_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |

ops/terraform/env/mgmt/iam.tf

@@ -1,29 +1,3 @@
-resource "aws_iam_policy" "ansible_vault_pw_ro_s3" {
-  description = "ansible vault pw read only S3 policy"
-  name        = "bfd-${local.env}-ansible-vault-pw-ro-s3"
-  path        = "/"
-  policy      = <<-POLICY
-{
-  "Statement": [
-    {
-      "Action": [
-        "kms:Decrypt",
-        "s3:GetObject"
-      ],
-      "Effect": "Allow",
-      "Resource": [
-        "${data.aws_kms_key.cmk.arn}",
-        "${aws_s3_bucket.admin.arn}/ansible/vault.password"
-      ],
-      "Sid": "AnsibleVaultPwRO"
-    }
-  ],
-  "Version": "2012-10-17"
-}
-POLICY
-
-}
-
 #TODO: Determine if the bfd-packages sees continued use
 resource "aws_iam_policy" "packer_s3" {
   description = "packer S3 Policy"

ops/terraform/modules/resources/bfd_pipeline/main.tf

@@ -186,16 +186,6 @@ resource "aws_iam_role_policy_attachment" "bfd_pipeline_rif" {
   policy_arn = aws_iam_policy.bfd_pipeline_rif.arn
 }
 
-# Give the BFD Pipeline app read access to the Ansible Vault PW.
-data "aws_iam_policy" "ansible_vault_pw_ro_s3" {
-  arn = "arn:aws:iam::${var.launch_config.account_id}:policy/bfd-ansible-vault-pw-ro-s3"
-}
-
-resource "aws_iam_role_policy_attachment" "bfd_pipeline_iam_ansible_vault_pw_ro_s3" {
-  role       = module.iam_profile_bfd_pipeline.role
-  policy_arn = data.aws_iam_policy.ansible_vault_pw_ro_s3.arn
-}
-
 # Attach the amazon manged AmazonElasticFileSystemReadOnlyAccess policy to the instance role
 # This is needed to query EFT EFS file systems
 resource "aws_iam_role_policy_attachment" "aws_efs_read_only_access" {

ops/terraform/modules/resources/templates/fhir_server.tpl

@@ -10,10 +10,6 @@ exec > >(
 
 cd /beneficiary-fhir-data/ops/ansible/playbooks-ccs/
 
-# TODO: references to the ansible-vault vault.password file are still necessary for bfd-server until
-#       we develop an alternative for the vault-encrypted JKS file
-aws s3 --quiet cp s3://bfd-mgmt-admin-${accountId}/ansible/vault.password .
-
 # TODO: Consider injecting ansible variables with more modern ansible versions. BFD-1890.
 aws ssm get-parameters-by-path \
     --with-decryption \
@@ -45,9 +41,7 @@ EOF
 
 mkdir -p logs
 
-ansible-playbook --extra-vars '@server_vars.json' --extra-vars '@client_certificates.json' --extra-vars '@common_vars.json' --extra-vars '@extra_vars.json' --vault-password-file=vault.password --tags "post-ami" launch_bfd-server.yml
-
-rm vault.password
+ansible-playbook --extra-vars '@server_vars.json' --extra-vars '@client_certificates.json' --extra-vars '@common_vars.json' --extra-vars '@extra_vars.json' --tags "post-ami" launch_bfd-server.yml
 
 # Set login environment for all users:
 # 1. make BFD_ENV_NAME available to all logins

ops/terraform/modules/resources/templates/pipeline_server.tpl

@@ -12,8 +12,6 @@ git clone https://github.com/CMSgov/beneficiary-fhir-data.git --branch ${gitBran
 
 cd beneficiary-fhir-data/ops/ansible/playbooks-ccs/
 
-aws s3 cp s3://bfd-mgmt-admin-${accountId}/ansible/vault.password .
-
 # The extra_vars.json file from the previous build step contains a few incorrect values
 # and needs to get trimmed down to the following
 cat <<EOF >> extra_vars.json
@@ -23,9 +21,7 @@ cat <<EOF >> extra_vars.json
 }
 EOF
 
-ansible-playbook --extra-vars '@extra_vars.json' --vault-password-file=vault.password --tags "post-ami" launch_bfd-pipeline.yml
-
-rm vault.password
+ansible-playbook --extra-vars '@extra_vars.json' --tags "post-ami" launch_bfd-pipeline.yml
 
 # Set login environment for all users:
 # 1. make BFD_ENV_NAME available to all logins

ops/terraform/services/server/README.md

@@ -56,12 +56,10 @@ https://terraform-docs.io/user-guide/configuration/
 
 | Name | Type |
 |------|------|
-| [aws_iam_role_policy_attachment.fhir_iam_ansible_vault_pw_ro_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_ami.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ec2_managed_prefix_list.jenkins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
 | [aws_ec2_managed_prefix_list.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
-| [aws_iam_policy.ansible_vault_pw_ro_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_s3_bucket.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
 | [aws_security_group.aurora_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_security_group.remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |

ops/terraform/services/server/data-sources.tf

@@ -101,11 +101,6 @@ data "aws_security_group" "remote" {
   }
 }
 
-# ansible vault pw read only policy
-data "aws_iam_policy" "ansible_vault_pw_ro_s3" {
-  arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/bfd-ansible-vault-pw-ro-s3"
-}
-
 data "aws_ssm_parameters_by_path" "nonsensitive_common" {
   path = "/bfd/${local.env}/common/nonsensitive"
 }