Skip to content
Ansible Configuration and Playbooks
Branch: master
Clone or download
jzulim and ekivemark BLUEBUTTON-314: Build ENV Agnostic AMI's (#1354)
* Adding env_config playbook and swithcing user_data to use

* Saving

* Switching env_config playbook to use test branch bluebutton-314

* Trimming env_vars to only build env and cert copy and not checkout code

* Only copy env_config playbook. env_var playbook imported nested.

* Test

* Stripping build playbook of env specific tasks,.

* Removing env declaration from packer job.

* Removing ENV declaration and private key.

* Syntax error, extra } not needed.

* Jenkins file typo. Forgot stages.

* More jenkins files typos.

* Refactor env_var and fix env_config

* Cleanup

* Setting aws_region var in all_var.

* moving app_pyapps_user definition to common vars. Same across all env.

* removing app_pyapps_user password set.

* Moving cf_app_log_dir to common vars as app_log_dir.

* moving cf_app_pyapp_home to commons var.

* Setting project_repo for all environments.

* moving css settings to common vars

* Setting project_parent in common vars

* Moving cf_app_py_virtual_env to common vars

* Typo

* Moving python_bin_dir def to common vars.

* Moving python version to common vars

* Moving app_py_virtual_env to commons

* Moving venv defintion to commons

* Renaming venv full path var

* Moving NGINX install to deployment phase of pipeline.

* Switching to include_role.

* Duplicate NGINX role. Removing one.

* Instead of including specific task switch to include_role
Latest commit 0bd0be3 Mar 20, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
Jenkinsfiles BLUEBUTTON-314: Build ENV Agnostic AMI's (#1354) Mar 20, 2019
inventory fixes for test, impl, prod ec2 ini files, workaround ansible dynamic … Feb 12, 2018
lib resp.status is an int, not a string Apr 13, 2018
locust Bluebutton 289 Fix remaining issues (#1312) Jul 27, 2018
vars BLUEBUTTON-314: Build ENV Agnostic AMI's (#1354) Mar 20, 2019
vault/env BLUEBUTTON-511 Add db_role to DB connect() host options (#1351) Feb 18, 2019
AUTHORS Add license and contribution information. May 22, 2017
LICENSE Add license and contribution information. May 22, 2017
ansible.cfg add ansible logging on mgmtserver Jun 27, 2017


Ansible Configuration and Playbooks for Blue Button API.

Keeping variables safe

Configuration variables and sensitive values are now stored in this repository using ansible-vault. hhs_Ansible uses a cascading set of variable files:

  • ./vars/envs/common.yaml: For frequently used variables across all environments.
  • ./vars/all-var.yml: All variables used across any platform. Environment specific variables are embedded inside the variable defined in this file. Environment specific variables are prefixed with "env_".
  • ./vars/env/{environment_name}/env.yml: Non-sensitive environment specific variables are stored in this file. Sensitive environment variables are embedded within env_{variable_name} variables and are prefixed with "vault_".

Variable files can't embed other variable files as includes. Therefore the playbook must load the variables files as includes. A typical include section in a playbook would be:

Where the playbook is found in: ./playbook/{role}/playbook.yml

  - "./../../vars/common.yml"
  - "./../../vault/env/{{ env }}/vault.yml"
  - "./../../vars/env/{{ env }}/env.yml"
  - "./../../vars/all_var.yml"


{env} is a variable passed at run time to the playbook using --extra-vars env=dev | test | impl | prod

for example: In all_var.yml: aws_secret_key: "{{ env_aws_secret_key }}"

In ./vars/env/{{ env }}/env.yml: env_aws_secret_key: "{{ vault_env_aws_secret_key }}"

In ./vault/env/{{ env }}/vault.yml: vault_env_aws_secret_key: "what_ever_the_secret_should_be"

Installation (Redhat / Centos / Fedora)

To enable ec2 support you must install python-boto:

sudo yum install -y python-pip
sudo pip install --upgrade pip
sudo yum -y install git
sudo yum -y install ansible
sudo yum -y install python-boto

NOTE: if FIPS is enabled add an additional parameter to pip command: -i

Install hhs_ansible:

mkdir /hhs_ansible
cd /hhs_ansible
git clone

Updating the Application Load Balancers requires a newer version of awscli. Install updated version as follows:

sudo /bin/bash
cd /root
pip install --upgrade --user awscli -i

this will install the updated version to


Then add your hosts to


Edit the config file:


The public keys from ec2-user ( and need to be generated on the Management Server so that they can be copied to the remote machines in the base_patch role. As the ec2-user on the Management Server generate two sets of keys with no passphrase:

ssh-keygen -t rsa
ssh-keygen -t ecdsa
  • Do not enter a passphrase. Hit enter to step pass the prompt
  • Do not change the default filenames id_rsa and id_ecdsa.

As a minimum, if you are using AWS you will probably want to change: ' #remote_user = root'

to the remote user account used to connect to a server.

Host Configuration

Hosts fall into the following groups:

  • mgmtservers (The ansible management server)
  • appservers
  • dbservers

When creating a MGMT server instance in ec2 to run ansible add the following tags to the instance:

  • Managed = "BB-MANAGED-{{ env|upper }}"
  • Environment = {{ env|upper }} eg. DEV | TEST | IMPL | PROD
  • Layer = "MGMT"

These fields are added to each ec2 instance to be managed. These instances will automatically be grouped in to the relevant group in /etc/anasible/hosts based upon their Layer setting (MGMT | APP | DATA)

more information about hhs_ansible is here: [./]

You can’t perform that action at this time.