From 274e6ab91015b83bfc2b1a7871bf50d5169a15f0 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Tue, 30 Jan 2024 09:45:28 +0000 Subject: [PATCH] deploying secrets --- ...-secrets-deployed-to-aws-secret-manager.md | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 docs/ADR/ADR006-use-github-repo-to-store-secrets-deployed-to-aws-secret-manager.md diff --git a/docs/ADR/ADR006-use-github-repo-to-store-secrets-deployed-to-aws-secret-manager.md b/docs/ADR/ADR006-use-github-repo-to-store-secrets-deployed-to-aws-secret-manager.md new file mode 100644 index 0000000..d475ab9 --- /dev/null +++ b/docs/ADR/ADR006-use-github-repo-to-store-secrets-deployed-to-aws-secret-manager.md 
@@ -0,0 +1,42 @@ +# ADR006: Github repo will store secrets and github actions will deploy via Terraform to AWS Secret Manager + +Date: 2024-01-30 + +## Status + + * Accepted + +## Context + + * Request Account Tool app requires various secrets: + - Dockerhub API key to pull image from private registry + - Google (cloud platform) SSO/OAuth2 client secret for AWS + - Github PAT to store access API to raise PR for requested accounts + * Secrets need to be deployed securely + * Restricted access to secrets to only team members with elevated privilages + +## Decision + + * Github repo for deploying request account tool infrastructure will contain secrets + * Terraform will have definition of secret manager resources for each secret + * Secrets will be integrated into other resources (AppRunner) in Terraform + * Github actions will access the secrets and pass into Terraform plan/apply as environment variables + +## Considered Options + + * Github secrets/Actions + AWS Secret manager + * Manually stored in AWS (SSM parameter store/secret manager): would require clickops in multiple AWS accounts and prone to unnecessary developer access to AWS accounts. + * Password Manager (eg Bitwarden) API: would require API key/token for accessing passwords which could pose greater risks + complication in setting up interface to API and wrtiting appropriate scripts to access necessary passwords (would require Github actions secrets anyway). 
+ +## Consequences + + * Secrets will need to be managed manually in github by Admins + * Redacted values for the secrets will be present in Terraform and github actions logs + * Secrets will be encrypted in Terraform state file + * Carefull management/access to secrets values will be required and any misconfiguration caught in Code Reviews + +## Other Notes ## + + * The single source of truth for the secrets will be stored in the Engineering Enablement Password Manager + * Only team members with elevated privilages will be able to access these passwords and manually edit the secrets in the github repo settings. + * We will use the Engineering Enablement Bot accounts in Github and Docker Hub for API tokens
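Review bot: The Consequences bullet "Secrets will be encrypted in Terraform state file" is not something this ADR establishes and is misleading as written: Terraform writes resource attributes, including the values given to Secrets Manager secret-version resources, into state in plaintext, and marking a variable `sensitive = true` only redacts it from plan/apply output, not from state. The ADR should name the remote state backend (for example S3 with server-side encryption and a restricted bucket policy) and reword the bullet to say the secret values will be present in state and rely on that backend's encryption and access controls. In the same spirit, the Decision bullet "Github actions will access the secrets and pass into Terraform plan/apply as environment variables" should state that the corresponding Terraform variables are declared `sensitive = true`, since that is what makes the "Redacted values ... will be present in Terraform and github actions logs" consequence hold. Minor: "privilages" (twice), "Carefull", "wrtiting", and the Context bullet "Github PAT to store access API to raise PR for requested accounts" reads garbled; it should say what the PAT is actually used for (presumably raising PRs for requested accounts).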