
Figure out how to store potentially PII in Community Ops' Ansible playbook

RESOLVED WONTFIX

Status

Enterprise Information Security
Investigation
RESOLVED WONTFIX
3 years ago
3 years ago

People

(Reporter: tanner, Assigned: gene)

(Reporter)

Description

3 years ago
Just dropping this in from IRC:

I'm working on setting up Ansible for Community Ops, and one of the roles I'd like is AWS security group management. Right now it involves putting our personal IPs in a public GitHub repo (https://github.com/Mozilla-cIT/ansible-playbooks). Is this acceptable?
Assignee: nobody → gene
Status: NEW → ASSIGNED
(Assignee)

Comment 1

3 years ago
I'm unable to find the place in your code where you're hard coding IPs. Can you point me to the file and line?

What services are you hoping to constrain access to using IPs in security groups?

I'm not sure what you mean when you say you'd like "one of the roles" to be "AWS security group management".
(Reporter)

Comment 2

3 years ago
We did figure out how we're going to do this without any IPs having to be public. http://docs.ansible.com/ansible/ec2_group_module.html#examples is the Ansible module we're using.

Private files will be stored on an internal git server, only accessible to the core Community Ops team. From there, we'll pull the info to the Ansible master server as a submodule. The git server won't be accessible to the outside world, with only port 22 open on our VPC and to our individual IPs.

Thanks for agreeing to take this on, it just took a bit of brainstorming from our side.
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
Component: Operations Security (OpSec): Investigation → Investigation
Product: mozilla.org → Enterprise Information Security
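
The layout described in Comment 2, sketched as an added example (not code from the Mozilla-cIT repository or from anyone on this bug): the public playbook only references variables, and the addresses live in a vars file inside the private submodule. The file names, the `private/` submodule path, the group name, the variable names and every address below are assumptions constructed for illustration.

```yaml
# File 1: private/security_groups.yml
# Lives only in the private submodule on the internal git server; never
# committed to the public repository. All values are constructed samples
# (RFC 5737 documentation ranges and a made-up VPC).
aws_region: us-west-2
vpc_id: vpc-00000000            # placeholder, not a real VPC id
git_server_ingress:
  - proto: tcp                  # SSH from inside the VPC
    from_port: 22
    to_port: 22
    cidr_ip: 10.0.0.0/16
  - proto: tcp                  # SSH from one team member's address
    from_port: 22
    to_port: 22
    cidr_ip: 203.0.113.10/32
  - proto: tcp                  # SSH from another team member's address
    from_port: 22
    to_port: 22
    cidr_ip: 198.51.100.27/32
---
# File 2: security_groups.yml
# Public playbook. It contains no addresses, only variable references.
- hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    # Path resolves only where the private submodule has been checked out,
    # i.e. on the Ansible master server.
    - private/security_groups.yml
  tasks:
    - name: Restrict the internal git server to SSH from the VPC and team IPs
      ec2_group:
        name: community-ops-git          # hypothetical group name
        description: SSH to internal git server
        vpc_id: "{{ vpc_id }}"
        region: "{{ aws_region }}"
        rules: "{{ git_server_ingress }}"
        state: present
      # Keep the rule list (and so the addresses) out of task output and logs.
      no_log: true
```

Without the submodule checked out, the playbook fails at `vars_files` instead of running with an empty rule set, so a clone of the public repository alone never changes the group.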