Asciidoc conversion of hardening guide changes

Edited and renamed modules

Asciidoc conversion of new and revised content for hardening guide v4.

https://issues.redhat.com/browse/AAP-48749

Author: ianf77

downstream/assemblies/aap-hardening/assembly-hardening-aap.adoc

@@ -57,9 +57,9 @@ include::aap-hardening/ref-security-variables-install-inventory.adoc[leveloffset
 
 include::aap-hardening/proc-install-user-pki.adoc[leveloffset=+2]
 
-include::aap-hardening/ref-sensitive-variables-install-inventory.adoc[leveloffset=+2]
+include::aap-hardening/proc-sensitive-variables-install-inventory.adoc[leveloffset=+2]
 
-include::aap-hardening/ref-install-rpm-deployment.adoc[leveloffset=+3]
+include::aap-hardening/proc-install-rpm-deployment.adoc[leveloffset=+3]
 
 include::aap-hardening/ref-install-containerized-deployment.adoc[leveloffset=+3]
 

downstream/modules/aap-hardening/ref-install-rpm-deployment.adoc renamed to downstream/modules/aap-hardening/proc-install-rpm-deployment.adoc

@@ -1,8 +1,8 @@
-[id="ref-install-rpm-deployment"]
+[id="proc-install-rpm-deployment"]
 
 = Using an external vault file with an RPM-based {PlatformNameShort} deployment
 
-For RPM-based installations, you can provide the Ansible Vault at runtime when executing the setup script.
+For RPM-based installations, you can provide the Ansible vault at runtime when executing the setup script.
 
 Sensitive variables used are as follows:
 
@@ -16,11 +16,15 @@ automationhub_pg_password: <secure_password>
 automationedacontroller_admin_password: <secure_password>
 automationedacontroller_pg_password: <secure_password>
 ----
-To use the new Ansible vault with the {Installer}, ensure the file, for example, `vault.yml`, contains all required sensitive variables and run it with the following command: 
 
-`./setup.sh -e @vault.yml –ask-vault-pass`
+To use the vault during installation, use the following procedure:
+
+.Procedure
 
-Ensure that the vault file is located in the working directory, or provide the full path. Do not duplicate the encrypted variables in the plaintext inventory file.
+. Ensure the vault file, for example, `vault.yml`, contains all required sensitive variables.
+. Run the installation using the following command: 
++
+`./setup.sh -e @vault.yml –ask-vault-pass`
 
-This ensures that the installer reads encrypted variables from the vault and prompts for the vault password.
+Using this procedure ensures that the installer reads encrypted variables from the vault and prompts for the vault password.
 

downstream/modules/aap-hardening/proc-sensitive-variables-install-inventory.adoc

@@ -0,0 +1,36 @@
+// Module included in the following assemblies:
+// downstream/assemblies/assembly-hardening-aap.adoc
+
+[id="proc-sensitive-variables-install-inventory_{context}"]
+
+= Securing sensitive variables with ansible vault
+
+The installation inventory file for {PlatformNameShort} contains a number of sensitive variables, such as default administrative and database passwords. 
+By default, these are stored in plain text. 
+By securing sensitive values with Ansible Vault, both RPM-based and containerized {PlatformNameShort} installations benefit from improved security, password hygiene, and maintainability. 
+
+To create an Ansible vault file, use the following procedure: 
+
+.Procedure
+
+. Navigate to the install directory by using the following command:
++
+`cd /path/to/ansible-automation-platform-setup-bundle-2.5-<version>`
+. Create a vault file by using the following command:
++
+`ansible-vault create vault.yml`
+. When prompted, enter a vault password
+This password is required to access or modify the vault and is required for day-two operations such as backups and reconfigurations. 
++
+[IMPORTANT]
+====
+Passwords with special characters must be in double quotes.
+====
+. Store the vault password securely, in accordance with your organizations security policy, for example, using a password manager or vault service.
+. Add your sensitive variables to the vault and ensure they are not also defined in the inventory file.
+
+To edit your vault file use:
+
+`ansible-vault edit <file>`
+
+

downstream/modules/aap-hardening/ref-install-containerized-deployment.adoc

@@ -1,8 +1,8 @@
 [id="ref-install-containerized-deployment"]
 
-= Using an external vault file with a Containerized deployment of {PlatformNameShort}
+= Using an external vault file with a containerized installation
 
-For containerized installations of {PlatformNameShort}, you can use the provided automation execution playbook with the external vault file.
+For containerized installations of {PlatformNameShort}, use the provided automation execution playbook with the external vault file.
 
 Use the following sensitive variables:
 ----
@@ -11,15 +11,17 @@ gateway_admin_password:  <secure_password>
 gateway_pg_password:  <secure_password>
 controller_admin_password:  <secure_password>
 controller_pg_password:  <secure_password>
-hub_admin_password:  <secure_password>
+hub_admin_password:  <secure_password>c
 hub_pg_password:  <secure_password>
 eda_admin_password:  <secure_password>
 eda_pg_password: <secure_password>
 ----
-To use the new Ansible vault with the {Installer}, ensure the file, for example, `vault.yml`, contains all required sensitive variables and run it with the following command: 
+To use the new Ansible vault with the {Installer}, use the following procedure:
 
+.Procedure
+. Ensure your vault file, for example, `vault.yml`, contains all required sensitive variables.
+. Run the container installer using the following command: 
++
 `ansible-playbook ansible.containerized_installer.install -e @vault.yml –ask-become-pass`.
 
-Ensure that the vault file is located in the working directory, or provide the full path. Do not duplicate the encrypted variables in the plaintext inventory file.
-
-By securing sensitive values with ansible vault, both RPM-based and containerized installations of {PlatformNameShort} benefit from improved security, password hygiene, and maintainability.
+Ensure that the vault file is located in the working directory, or provide the full path. Do not duplicate the encrypted variables in the `plaintext` inventory file.