From e0c0faf60e0606df2a8dc124ac6cba798edec17f Mon Sep 17 00:00:00 2001
From: Kevin Velarde
Date: Wed, 17 Dec 2025 20:37:03 -0700
Subject: [PATCH 1/2] Move platform password encryption to separate playbook
---
 playbooks/encrypt_platform_passwords.yml | 13 +++++
 .../platform/tasks/create-properties-file.yml | 40 ----------------
 roles/platform/tasks/encrypt-passwords.yml | 47 +++++++++++++++++++
 3 files changed, 60 insertions(+), 40 deletions(-)
 create mode 100644 playbooks/encrypt_platform_passwords.yml
 create mode 100644 roles/platform/tasks/encrypt-passwords.yml
diff --git a/playbooks/encrypt_platform_passwords.yml b/playbooks/encrypt_platform_passwords.yml
new file mode 100644
index 00000000..28b52466
--- /dev/null
+++ b/playbooks/encrypt_platform_passwords.yml
@@ -0,0 +1,13 @@
+# Copyright (c) 2024, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+- name: Encrypt Platform passwords
+ hosts: platform
+ become: true
+ roles:
+ - role: itential.deployer.common
+ tasks:
+ - name: Encrypt Platform passwords in properties file
+ ansible.builtin.import_role:
+ name: itential.deployer.platform
+ tasks_from: encrypt-passwords
diff --git a/roles/platform/tasks/create-properties-file.yml b/roles/platform/tasks/create-properties-file.yml
index 7a284b73..8305ab91
--- a/roles/platform/tasks/create-properties-file.yml
+++ b/roles/platform/tasks/create-properties-file.yml
@@ -4,46 +4,6 @@
 # TODO: Do we still need to support the primary/secondary concept?
-# Note: Platform's encrypt.js script does not take command line arguments.
-# Instead, it prompts the user for input, reads it from stdin, and prints the key on the last line.
-# This necessitates the use of the workaround below.
-- name: Encrypt default passwords
- when: not (platform_configure_vault | bool)
- tags: encrypt_default_passwords
- no_log: true
- block:
- - name: Generate encrypted passwords
- ansible.builtin.shell: >
- set -o pipefail &&
- (echo "{{ item.plaintext }}"; sleep 2; echo "{{ platform_encryption_key }}") |
- node {{ platform_server_dir }}/utils/encrypt.js 2>&1 |
- tail -n 1
- args:
- executable: /bin/bash
- loop:
- - name: platform_redis_password_encrypted
- plaintext: "{{ platform_redis_password }}"
- - name: platform_redis_sentinel_password_encrypted
- plaintext: "{{ platform_redis_sentinel_password }}"
- - name: platform_mongo_password_encrypted
- plaintext: "{{ platform_mongo_password }}"
- - name: platform_default_user_password_encrypted
- plaintext: "{{ platform_default_user_password }}"
- register: encrypt_results
- changed_when: false
- failed_when: >
- encrypt_results.rc != 0 or
- encrypt_results.stdout == "" or
- not encrypt_results.stdout.startswith("$ENC") or
- (encrypt_results.stdout.split(':') | last | length) != 32
-
- - name: Set encrypted passwords
- ansible.builtin.set_fact:
- "{{ item.item.name }}": "{{ item.stdout }}"
- loop: "{{ encrypt_results.results }}"
- loop_control:
- label: "{{ item.item.name }}"
-
 - name: Create the platform.properties file
 ansible.builtin.template:
 src: "{{ item }}"
diff --git a/roles/platform/tasks/encrypt-passwords.yml b/roles/platform/tasks/encrypt-passwords.yml
new file mode 100644
index 00000000..31863ad1
--- /dev/null
+++ b/roles/platform/tasks/encrypt-passwords.yml
@@ -0,0 +1,47 @@
+# Copyright (c) 2024, Itential, Inc
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+---
+# Note: Platform's encrypt.js script does not take command line arguments.
+# Instead, it prompts the user for input, reads it from stdin, and prints the key on the last line.
+# This necessitates the use of the workaround below.
+- name: Encrypt default passwords
+ when: not (platform_configure_vault | bool)
+ tags: encrypt_default_passwords
+ no_log: true
+ notify: Enable and Start Platform
+ block:
+ - name: Generate encrypted passwords
+ ansible.builtin.shell: >
+ set -o pipefail &&
+ (echo "{{ item.plaintext }}"; sleep 2; echo "{{ platform_encryption_key }}") |
+ node {{ platform_server_dir }}/utils/encrypt.js 2>&1 |
+ tail -n 1
+ args:
+ executable: /bin/bash
+ loop:
+ - name: platform_redis_password_encrypted
+ plaintext: "{{ platform_redis_password }}"
+ - name: platform_redis_sentinel_password_encrypted
+ plaintext: "{{ platform_redis_sentinel_password }}"
+ - name: platform_mongo_password_encrypted
+ plaintext: "{{ platform_mongo_password }}"
+ - name: platform_default_user_password_encrypted
+ plaintext: "{{ platform_default_user_password }}"
+ register: platform_encrypt_results
+ changed_when: false
+ failed_when: >
+ platform_encrypt_results.rc != 0 or
+ platform_encrypt_results.stdout == "" or
+ not platform_encrypt_results.stdout.startswith("$ENC") or
+ (platform_encrypt_results.stdout.split(':') | last | length) != 32
+
+ - name: Set encrypted passwords
+ ansible.builtin.set_fact:
+ "{{ item.item.name }}": "{{ item.stdout }}"
+ loop: "{{ platform_encrypt_results.results }}"
+ loop_control:
+ label: "{{ item.item.name }}"
+
+ - name: Create properties.json file
+ ansible.builtin.include_tasks:
+ file: create-properties-file.yml
From ebcf2148aaf7642be9d7be0da0303cf1ffb5aa99 Mon Sep 17 00:00:00 2001
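Review bot: The `Generate encrypted passwords` task interpolates `{{ item.plaintext }}` and `{{ platform_encryption_key }}` directly into the shell string, so every secret becomes part of the argv of the `/bin/bash -c` process on the target host, where any local user can read it via `ps` or `/proc/*/cmdline` for at least the duration of the `sleep 2`; in addition, a password containing `"`, `$`, a backtick or a leading `-n` is interpreted by bash/`echo` instead of being encrypted verbatim. `no_log: true` only hides the values from the controller's output and does nothing about the process listing on the host. Passing the two values through the task's `environment:` and emitting them with `printf '%s\n'` keeps them out of argv and out of shell parsing while leaving the pipeline, `register` and the `failed_when` checks exactly as they are. Separately, the block-level `notify: Enable and Start Platform` can only fire on a changed result, and the block's own tasks are `changed_when: false` and a `set_fact`, so it presumably relies on the template task inside the included `create-properties-file.yml` reporting a change — worth confirming the handler is actually triggered in a real run.

```yaml
    - name: Generate encrypted passwords
      ansible.builtin.shell: >
        set -o pipefail &&
        (printf '%s\n' "$ENC_PLAINTEXT"; sleep 2; printf '%s\n' "$ENC_KEY") |
        node {{ platform_server_dir }}/utils/encrypt.js 2>&1 |
        tail -n 1
      args:
        executable: /bin/bash
      # Secrets travel via the environment: not visible in argv, not re-parsed by bash/echo.
      environment:
        ENC_PLAINTEXT: "{{ item.plaintext }}"
        ENC_KEY: "{{ platform_encryption_key }}"
      # … unchanged: loop, register, changed_when, failed_when …
```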
From: Kevin Velarde
Date: Thu, 18 Dec 2025 15:02:35 -0700
Subject: [PATCH 2/2] Remove encrypt platform passwords playbook
---
 playbooks/encrypt_platform_passwords.yml | 13 -------------
 1 file changed, 13 deletions(-)
 delete mode 100644 playbooks/encrypt_platform_passwords.yml
diff --git a/playbooks/encrypt_platform_passwords.yml b/playbooks/encrypt_platform_passwords.yml
deleted file mode 100644
index 28b52466..00000000
--- a/playbooks/encrypt_platform_passwords.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copyright (c) 2024, Itential, Inc
-# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
----
-- name: Encrypt Platform passwords
- hosts: platform
- become: true
- roles:
- - role: itential.deployer.common
- tasks:
- - name: Encrypt Platform passwords in properties file
- ansible.builtin.import_role:
- name: itential.deployer.platform
- tasks_from: encrypt-passwords