You aren’t misunderstanding it at all and it’s awesome that you’ve thought about this.
We do have a Wiki page which briefly talks about this.
Putting “secret” credentials in group_vars is a compromise basically. bedrock-ansible has a very wide scope of use. It could be used by:
- devs who want a Vagrant VM only
- individual developers to create servers and then pass them off
- developers working on short term projects
- teams working on long term projects
When dealing with “secrets” it’s hard to design a proper solution when keeping it flexible. Take teams for example: you could Git ignore the files, but how would your team members also get the information?
Most credentials end up being stored in plain text somewhere. That might be in a private GitHub/Bitbucket repo, a private Git server, Amazon S3, etc. Or it might be people sending master passwords around via plain text email/chat. Or attaching them to some other insecure software system (think Wiki, ticketing system, etc.).
That being said, we should think about this again and maybe strongly recommend the use of Ansible Vault more.
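As an added illustration of the point above (not code from the post or from bedrock-ansible), here is a small check that scans a group_vars file and flags credential-looking keys whose values are still plain text rather than an `!vault`-encrypted value or a reference to a `vault_`-prefixed variable. The key heuristics, the `vault_` naming convention and the sample file contents are assumptions constructed for the example.

```python
"""Flag plain-text secrets in a group_vars YAML file (added example, assumptions noted inline)."""
import re

# Heuristic: keys containing these words usually hold credentials (assumed list, not a standard).
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|key|salt)", re.I)
# A value encrypted with ansible-vault is tagged "!vault" in YAML.
VAULT_TAG_RE = re.compile(r"^!vault\b")
# A value that only references a vault_-prefixed variable, e.g. "{{ vault_db_password }}" (assumed convention).
VAULT_REF_RE = re.compile(r"^\{\{\s*vault_\w+\s*\}\}$")
# Simple "key: value" line matcher; enough for flat group_vars files, not a full YAML parser.
KEY_VALUE_RE = re.compile(r"^([\w.-]+):\s*(.*)$")

# Constructed sample file; the vault block is a placeholder, not real ciphertext.
SAMPLE_GROUP_VARS = """\
# constructed sample group_vars/production/wordpress_sites.yml
mysql_root_password: hunter2
db_password: "{{ vault_db_password }}"
auth_key: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  30303030303030303030303030303030
salts:
  nonce_salt: plaintextsalt
"""


def find_plaintext_secrets(yaml_text):
    """Return [(line_number, key)] for credential-looking keys whose value is plain text."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = KEY_VALUE_RE.match(stripped)
        if not match:
            continue  # vault ciphertext lines and list items never match "key: value"
        key, value = match.group(1), match.group(2).strip().strip("\"'")
        if not SECRET_KEY_RE.search(key) or value == "":
            continue  # not credential-like, or a mapping header such as "salts:"
        if VAULT_TAG_RE.match(value) or VAULT_REF_RE.match(value):
            continue  # encrypted in place, or pulled from a vault-encrypted variable
        findings.append((lineno, key))
    return findings


if __name__ == "__main__":
    for lineno, key in find_plaintext_secrets(SAMPLE_GROUP_VARS):
        print(f"line {lineno}: '{key}' is stored in plain text")
```

Run against the constructed sample, it reports `mysql_root_password` and `nonce_salt`, while the `!vault` value and the `{{ vault_db_password }}` reference pass.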