1 parent c217c07, commit 274e6ab. Showing 1 changed file with 42 additions and 0 deletions.
42 changes: 42 additions & 0 deletions
docs/ADR/ADR006-use-github-repo-to-store-secrets-deployed-to-aws-secret-manager.md
@@ -0,0 +1,42 @@ | ||
# ADR006: Github repo will store secrets and github actions will deploy via Terraform to AWS Secret Manager | ||
|
||
Date: 2024-01-30 | ||
|
||
## Status | ||
|
||
* Accepted | ||
|
||
## Context | ||
|
||
* Request Account Tool app requires various secrets: | ||
- Dockerhub API key to pull image from private registry | ||
- Google (cloud platform) SSO/OAuth2 client secret for AWS | ||
- Github PAT to store access API to raise PR for requested accounts | ||
* Secrets need to be deployed securely | ||
* Restricted access to secrets to only team members with elevated privilages | ||
|
||
## Decision | ||
|
||
* Github repo for deploying request account tool infrastructure will contain secrets | ||
* Terraform will have definition of secret manager resources for each secret | ||
* Secrets will be integrated into other resources (AppRunner) in Terraform | ||
* Github actions will access the secrets and pass into Terraform plan/apply as environment variables | ||
|
||
## Considered Options | ||
|
||
* Github secrets/Actions + AWS Secret manager | ||
* Manually stored in AWS (SSM parameter store/secret manager): would require clickops in multiple AWS accounts and prone to unnecessary developer access to AWS accounts. | ||
* Password Manager (eg Bitwarden) API: would require API key/token for accessing passwords which could pose greater risks + complication in setting up interface to API and wrtiting appropriate scripts to access necessary passwords (would require Github actions secrets anyway). | ||
|
||
## Consequences | ||
|
||
* Secrets will need to be managed manually in github by Admins | ||
* Redacted values for the secrets will be present in Terraform and github actions logs | ||
* Secrets will be encrypted in Terraform state file | ||
* Carefull management/access to secrets values will be required and any misconfiguration caught in Code Reviews | ||
|
||
## Other Notes ## | ||
|
||
* The single source of truth for the secrets will be stored in the Engineering Enablement Password Manager | ||
* Only team members with elevated privilages will be able to access these passwords and manually edit the secrets in the github repo settings. | ||
* We will use the Engineering Enablement Bot accounts in Github and Docker Hub for API tokens |
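Review bot: The Consequences bullet "Secrets will be encrypted in Terraform state file" overstates what Terraform does: Terraform writes sensitive values into state in plaintext, and any encryption is provided by the state backend (for example an S3 backend with server-side encryption), so the ADR should name the backend, how its at-rest encryption is configured, and who can read the state, since read access to state is read access to every secret this decision puts there. Related, the Decision bullet that passes secrets into "Terraform plan/apply as environment variables" and the Consequences bullet about redacted values in logs should also state that the corresponding Terraform variables are declared with `sensitive = true`; GitHub Actions only masks exact matches of a registered secret, so a secret value that reaches plan output in a different shape (inside a resource attribute, for instance) would otherwise be printed unredacted in the Actions log. Minor style points in the same hunk: "privilages" (twice), "Carefull", and "wrtiting" are misspelled, and the "## Other Notes ##" heading carries trailing hashes that the other headings do not.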