We are using eb_deployer to deploy to Elastic Beanstalk and we would like to provision each node using .ebextensions and Ansible.
A package created for eb_deployer looks something like this (simplified); it is assembled on the control node with Ansible:
- Procfile
- application.jar
- .ebextensions
  - ansible.config
  - provision.yml
  - roles
    - appdynamics
      - tasks
        - main.yml
ansible.config installs ansible on the Beanstalk node and runs a single playbook:

    packages:
      python:
        ansible: []
    container_commands:
      ansible:
        command: "ansible-playbook .ebextensions/provision.yml"

provision.yml (simplified) only includes a single role:

    - name: provision eb instance
      hosts: localhost
      connection: local
      gather_facts: yes
      roles:
        - role: appdynamics
          controller_host: "example.com"
          controller_port: 443

Now the problem is that the appdynamics role uses a variable appdynamics_accesskey which is stored in the vault, but the vault password file is stored on the control node.
We would like to avoid copying the vault password file from the control machine to the .ebextensions in the S3 bucket and then to the Beanstalk node.
What would you do in such a scenario? Maybe there are other tools which are more appropriate in this case?
It appears that one way to solve this issue is to launch a temporary instance, configure it with Ansible running on the control machine only, create an image with the ec2_ami Ansible module, and use that image to configure a custom image for the autoscaling group.
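
The image-baking approach described above, written as a playbook that runs on the control node with `ansible-playbook bake-ami.yml --vault-password-file <path-on-control-node>`, so the vault password never leaves that machine. This is an added example, not code from the original post: the file name, all AWS IDs, the key pair name and the ec2-user login are placeholders or assumptions, and it uses the amazon.aws collection's ec2_instance and ec2_ami modules.

```yaml
- name: launch a temporary build instance
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: start the instance (all IDs below are placeholders)
      amazon.aws.ec2_instance:
        name: eb-ami-build
        image_id: ami-00000000000000000        # placeholder base image
        instance_type: t3.small
        key_name: build-key                    # placeholder key pair
        vpc_subnet_id: subnet-00000000000000000
        security_group: sg-00000000000000000   # must allow SSH from the control node
        state: running
        wait: true
      register: build
    - name: register it in an in-memory group
      ansible.builtin.add_host:
        name: "{{ build.instances[0].public_ip_address }}"
        groups: ami_build
        ansible_user: ec2-user                 # assumption: Amazon Linux base image

- name: provision over SSH (vault values are decrypted on the control node)
  hosts: ami_build
  become: true
  gather_facts: false
  pre_tasks:
    - ansible.builtin.wait_for_connection:
    - ansible.builtin.setup:
  roles:
    - role: appdynamics
      controller_host: "example.com"
      controller_port: 443

- name: create the image and clean up
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: create an AMI from the provisioned instance
      amazon.aws.ec2_ami:
        instance_id: "{{ build.instances[0].instance_id }}"
        name: "eb-appdynamics-{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }}"
        wait: true
      register: ami
    - name: terminate the build instance
      amazon.aws.ec2_instance:
        instance_ids: ["{{ build.instances[0].instance_id }}"]
        state: absent
```

The registered `ami.image_id` is the value the Beanstalk `ImageId` option in the `aws:autoscaling:launchconfiguration` namespace would point to. Anything the role writes to disk, including the access key, becomes part of the image, so keep the AMI private to the account.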