ci: use ansible-valut for storing a private key

Part of #435

Author: php-coder

.gitignore

@@ -39,6 +39,9 @@ infra/terraform/terraform.tfstate.backup
 infra/docker/application-prod.properties
 infra/docker/mysql_backup_mystamps.sql.gz
 
+# created by src/main/scripts/ci/deploy.sh
+vault-pass.txt
+
 # maven-wrapper
 .mvn/wrapper/maven-wrapper.jar
 

src/main/scripts/ci/ansible/mystamps_rsa.enc

@@ -14,9 +14,10 @@ CURRENT_DIR="$(dirname "${0:-.}")"
 INVENTORY="$CURRENT_DIR/ansible/mystamps.inventory"
 PLAYBOOK="$CURRENT_DIR/ansible/deploy.yml"
 PRIVATE_KEY="$CURRENT_DIR/ansible/mystamps_rsa"
+PASS_FILE="$CURRENT_DIR/vault-pass.txt"
 
 cleanup() {
-	rm -f "$PRIVATE_KEY"
+	rm -f "$PRIVATE_KEY" "$PASS_FILE"
 	exit
 }
 trap 'cleanup' EXIT SIGHUP SIGINT SIGTERM
@@ -29,13 +30,19 @@ export ANSIBLE_HOST_KEY_CHECKING=False
 # See: https://docs.ansible.com/ansible/2.9/reference_appendices/config.html#envvar-ANSIBLE_STDOUT_CALLBACK
 export ANSIBLE_STDOUT_CALLBACK=debug
 
-if [ -z "${encrypted_bf07cb25089f_key:-}" ] || [ -z "${encrypted_bf07cb25089f_iv:-}" ] ; then
-	echo >&2 'ERROR: encrypted_bf07cb25089f_key or encrypted_bf07cb25089f_iv were not defined!'
+if [ -z "$VAULT_PASSWORD" ]; then
+	echo >&2 "ERROR: env variable VAULT_PASSWORD is empty!"
 	exit 1
 fi
 
 # Decrypt private key
-openssl aes-256-cbc -K "$encrypted_bf07cb25089f_key" -iv "$encrypted_bf07cb25089f_iv" -in "$PRIVATE_KEY.enc" -out "$PRIVATE_KEY" -d
+echo -n "$VAULT_PASSWORD" >"$PASS_FILE"
+
+ansible-vault decrypt \
+	--vault-password-file "$PASS_FILE" \
+	--output "$PRIVATE_KEY" \
+	"${PRIVATE_KEY}.enc"
+
 chmod 600 "$PRIVATE_KEY"
 
 ansible-playbook \