Should I keep my deployment settings in a separate repository?

I'm learning Salt Stack to deploy my Python application to various stages of production on AWS. Right now I have all my source code and salt states in one big repository.

Are there any practical or security considerations in keeping minion state files with my source? Or should I split them up and why?

If I do move my State Files into a separate salt-states repo, where should I keep my master and minion configuration files, or don't they belong in version control?


Pete,

So there are some things to be aware of with having your configs and code together. Let's say you deploy using git; this means all your code and config files are sent to each server. If your git is not set up as read-only, then someone who gets into one of your machines can edit the configs with a small exploit that will help them access all your machines.

I have known people who put their SSH keys in their deploy repo so they can easily spin up a new Salt server or Puppet or whatever they use. Again, deploying both your app and configs to each server would mean you have given away the keys to the kingdom. Again, this depends on you doing a pull on all your servers and the SSH key being there also.

I have set up deploy systems where I use a read-only git user for deploying code and keep my configs away from all my servers, only giving each server the config files that it needs. Each server does have the private key to the read-only git account. I have also been in a setup where on every deploy I automatically rotated the public key of all my servers.
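The risk raised in the answer above, keys and deployment configs travelling to every server along with the application code, can be checked before a deploy. This is an added example, not part of the original answer: the directory names `salt` and `pillar`, the file names `master` and `minion`, and the function names are assumptions, and the sample tree is constructed.

```python
import os
import re
import tempfile

# PEM/OpenSSH private key header, e.g. "-----BEGIN OPENSSH PRIVATE KEY-----"
KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Assumed layout: states and pillar in salt/ and pillar/, config files named master/minion.
CONFIG_DIRS = {"salt", "pillar"}
CONFIG_FILES = {"master", "minion"}


def audit_deploy_tree(root):
    """Return sorted (relative_path, reason) findings for a tree about to be deployed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git metadata
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # broken symlink, socket, etc.
                continue
            rel = os.path.relpath(path, root)
            if CONFIG_DIRS & set(rel.split(os.sep)[:-1]) or name in CONFIG_FILES:
                findings.append((rel, "deployment config"))
            with open(path, "rb") as fh:
                if KEY_HEADER.search(fh.read(4096)):
                    findings.append((rel, "private key"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample repository: app code, a Salt state, a fake key pair."""
    files = {
        "app/main.py": b"print('hello')\n",
        "salt/web/init.sls": b"nginx:\n  pkg.installed: []\n",
        "deploy/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n",
        "deploy/id_rsa.pub": b"ssh-rsa CONSTRUCTED deploy@example\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_deploy_tree(tmp):
            print(f"{reason}: {rel}")
```

Run against the checkout that is actually pushed or pulled to application servers; an empty result means neither private keys nor the assumed config paths would land on them.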