Add ability to generate secrets for the application #602
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rocketnova
approved these changes
May 25, 2024
coilysiren
added a commit
to HHS/simpler-grants-gov
that referenced
this pull request
Oct 10, 2024
## Summary Fixes #1656 ### Time to review: __10 ~ 30 mins__ ## Changes proposed - Deploys an opensearch domain - Configures the opensearch domain to be high availability in prod, and as cheap as possible (while still being similarly configured) elsewhere. Prod is currently turned off, though. - Adds opensearch secrets to the API service ## Context for reviewers Opensearch takes about 20 minutes to deploy, similarly to RDS Postgres Generating the password was a pain in the butt This style of this infra code is similar to the style of platform code, so I'm going to post it in our platform channel for other people to see This PR tangentially includes the updated secrets handling from navapbc/template-infra#602. I added that because I'm adding a bunch of secrets, and I don't want them to conflict with #2351. ## Additional information Opensearch deployment: (staging has since been torn down) <img width="396" alt="image" src="https://github.com/user-attachments/assets/ab78b649-8e9c-460c-b9e8-3d0b823d8d5e"> The terraform diff for the API service layer: ``` { Action = "ssm:GetParameters" Effect = "Allow" ~ Resource = "arn:aws:ssm:*:*:parameter/api/dev/api-auth-token" -> [ + "arn:aws:ssm:us-east-1:315341936575:parameter/search/dev/username" + "arn:aws:ssm:us-east-1:315341936575:parameter/search/dev/password" + "arn:aws:ssm:us-east-1:315341936575:parameter/search/dev/endpoint" + "arn:aws:ssm:us-east-1:315341936575:parameter/api/dev/api-auth-token" ] Sid = "SecretsAccess" } ] ``` ``` secrets = [ { } + { + name = "SEARCH_ENDPOINT" + valueFrom = "arn:aws:ssm:us-east-1:315341936575:parameter/search/dev/endpoint" } + { + name = "SEARCH_PASSWORD" + valueFrom = "arn:aws:ssm:us-east-1:315341936575:parameter/search/dev/password" } + { + name = "SEARCH_USERNAME" + valueFrom = "arn:aws:ssm:us-east-1:315341936575:parameter/search/dev/username" } ] ```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ticket
Resolves #562
Changes
secrets are now defined as a map:
It was previously defined as a list:
To migrate:
Context for reviewers
This is the work for #562
The CI failures for trivy and anchor aren't related to this PR.
Testing
Developed and tested in platform-test in this PR: navapbc/platform-test#95
Rollout notes
After the template-infra PR is merged, we should update the platform-test PR from main and then merge it rather than closing it, since it'll have changes to app-config and the app that wouldn't have been pulled over from the template CD.
Future work
In the future we should add the ability to rotate the randomly generated secret by adding version numbers: #601