.ENV not updating on production

I’ve added a few custom variables to group_vars/production/vault.yml and I ran both provision (ansible-playbook server.yml -e env=production) and deploy (./bin/deploy.sh production example.com), but the variables aren’t getting into the .env on production.

The variables (without quotes around the variable content):

  ## backups
  aws_s3_bucket_name: bucket
  aws_s3_bucket_access_key: access
  aws_s3_bucket_secret_key: secret

Using the latest version of Trellis.

Any ideas?

Hard to help you without details. Please share the full contents (with sensitive data censored of course).

@ben sorry, I just realized that and edited my original.

Also, I just rebuilt my server and those variables didn’t go through either. So something else must be going on.

That’s the full file? Anyway, do some searching or look at the docs to find the proper format, eg

ps. Still waiting on you to reply to my questions on another thread you started…


My full file looks like this:

# Documentation: https://roots.io/trellis/docs/vault/
vault_mysql_root_password: password

# Documentation: https://roots.io/trellis/docs/security/
  - name: "{{ admin_user }}"
    password: password
    salt: "generateme"

# Variables to accompany `group_vars/production/wordpress_sites.yml`
# Note: the site name (`example.com`) must match up with the site name in the above file.
      db_password: password
      # Generate your keys here: https://roots.io/salts.html
      auth_key: "key"
      secure_auth_key: "key"
      logged_in_key: "key"
      nonce_key: "key"
      auth_salt: "key"
      secure_auth_salt: "key"
      logged_in_salt: "key"
      nonce_salt: "key"

      ## AWS Access
      aws_s3_bucket_name: "bucket"
      aws_s3_bucket_access_key: "access"
      aws_s3_bucket_secret_key: "secret"

## backups
  backup_user: "{{ admin_user }}"
  bucket_name: bucket
  target_user: access
  target_password: secret

I’ve tried this section with and without the quotes surrounding the value:

      ## AWS Access
      aws_s3_bucket_name: bucket
      aws_s3_bucket_access_key: access
      aws_s3_bucket_secret_key: secret

Also be sure your hosts/production and hosts/staging don’t have the same IP or hostname, otherwise Ansible might be using your group_vars/staging such that changes to group_vars/production have no effect. That issue is described here:

If the above applies, it’s just an issue of understanding how Ansible applies/uses host patterns. If you want to think about it a lot, this is a helpful note explaining the issue:

You CAN use the groups as a way to target hosts but that does not mean the other ‘host properties’ disappear. I am in the ‘males’ group and in the ‘programmers’ group, just because you ‘select me’ as a programmer I do not stop being male. ref

In the Trellis case, if a host is in both staging and production, targeting it with -e env=production doesn’t make the host no longer also in staging. Ansible will load both your production and staging versions of the vault_wordpress_sites variable, and potentially in a sequence that leaves the staging version in effect.
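A check for the overlap described above, as an added example that is not part of the original posts or of Trellis. It assumes INI-style `hosts/production` and `hosts/staging` inventories; the sample contents, IP addresses and function names are constructed for illustration.

```python
import re

# Matches [group], [group:vars] and [group:children] section headers.
SECTION = re.compile(r"^\[([^\]:]+)(?::(vars|children))?\]$")

def parse_groups(text):
    """Map group name -> set of host names in an INI-style Ansible inventory."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = SECTION.match(line)
        if m:
            # Only plain [group] sections list hosts; skip :vars and :children.
            current = m.group(1) if m.group(2) is None else None
            if current is not None:
                groups.setdefault(current, set())
            continue
        if current is not None:
            groups[current].add(line.split()[0])  # drop inline host vars
    return groups

def shared_hosts(inventories, envs=("production", "staging")):
    """Return {host: [env groups]} for hosts that sit in more than one env group."""
    membership = {}
    for text in inventories.values():
        for group, hosts in parse_groups(text).items():
            if group in envs:
                for host in hosts:
                    membership.setdefault(host, set()).add(group)
    return {h: sorted(g) for h, g in membership.items() if len(g) > 1}

# Constructed sample inventories (documentation-range IPs, not from the thread).
HOSTS_PRODUCTION = "[production]\n203.0.113.10\n\n[web]\n203.0.113.10\n"
HOSTS_STAGING = "[staging]\n203.0.113.10 ansible_user=admin\n\n[web]\n203.0.113.10\n"
HOSTS_STAGING_FIXED = HOSTS_STAGING.replace("203.0.113.10", "203.0.113.20")

if __name__ == "__main__":
    clash = shared_hosts({"hosts/production": HOSTS_PRODUCTION,
                          "hosts/staging": HOSTS_STAGING})
    for host, envs in clash.items():
        # Such a host loads group_vars for every env listed here.
        print(f"{host} is in: {', '.join(envs)}")
```

An empty result means no host is shared between the two environment groups, so `group_vars/staging` cannot shadow `group_vars/production` through this route.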


I’ve deleted my staging environment completely.

I guess I have a few questions to help me debug:

  1. Does the .ENV file get updated on the server or deploy task?
  2. Do I need to commit my file to the repo in order to test different formatting?

  1. Yes… please actually look at the code, a search for ‘env’ will show you everything
  2. No. The .env file is in the .gitignore file for a reason

I’m locking this thread. If you need further help you can head over to https://roots.io/services/ and purchase a call. Someone (most likely @fullyint, one of the Trellis product owners) can help you sort things out.