For the software development team who would like to check all environment variables, regardless of secrecy, through encryption where necessary.
Usecase Requirements:
- My developers would like to check encrypted secrets into source.
- My developers would like to encrypt secrets on their local machines via CLI.
- My developers only have access to their own accounts through their development machines.
- My developers should be able to assume the role of a "secrets-handler" when authenticated as themselves.
- My application is deployed through a continuous pipeline, capable of leveraging a service account permissioned to assume a secrets-decryption role.
Goals:
- enable the developer to push encrypted secrets and envvars to source with the features which rely on them
- deploy a containerized application to ECS through Terraform
- run deploy pipelines through github actions
- separate product-engineering concerns from devops concerns
This demo is intended to stand as an example of a steady state application (an echo server) which is capable of running in three environments:
- locally, on a dev machine with non-essential secrets
- qa, in the cloud (AWS) with essential secrets
- production, in the cloud (AWS) with essential secrets
As if DevOps has already set up the Terraform files and product engineers are free to add environment variables and secrets as they must.
The only additional task required of product engineers in this project is in secret management: in order to add a new secret, they must:
- authenticate to AWS through CLI
- decrypt the existing secrets files
- add their plain-text secrets to the files
- re-encrypt the secrets files
This demo will end with the following IAM configuration:
- Roles
- Secrets Handler
- permissions:
- kms:Encrypt
- kms:ReEncrypt
- kms:Decrypt
- permissions:
- Secrets Decrypter
- permissions:
- kms:Decrypt
- permissions:
- Secrets Handler
- User Groups
- people:
- prod-devs
- qa-devs
- dev-devs
- service-accounts:
- bots
- people:
- Users
- my-human-developer-1
- user-groups:
- people:
- prod-devs
- qa-devs
- dev-devs
- people:
- user-groups:
- my-human-developer-2
- user-groups:
- people:
- qa-devs
- dev-devs
- people:
- user-groups:
- my-deployment-bot
- user-groups:
- service-accounts:
- bots
- service-accounts:
- user-groups:
- my-human-developer-1
It is assumed the developer has access to AWS + Github accounts for this demo.
We will be using the following products on AWS:
- ECS
- KMS
The content of ./config/*.env is an example of the final result.
You should delete these files and replace them with your own unencrypted files, while keys are yet to be provisioned.
After running the terraform script, there are a handful of adjustments to this repository to take place before the developer is ready to start acting:
- Replace the role and key ARNs in
./config/.sops.yamlfor those which were created by the terraform run.
That's it.
Now the developer is ready to take over:
- Authorize
awsclion your own machine. - Decrypt a set of secrets for local development
sops -d config/dev.env > .env
- Develop!
- Start encrypting secrets in
./config/*.env. - Decrypt them when needed!
- The
docker-compose.yamldepends on the.envmade by the developer.
- Start encrypting secrets in