Add a parameter resolver for EJSON wrapper by stevehodgkiss · Pull Request #264 · envato/stack_master

stevehodgkiss · 2018-12-21T04:04:17Z

An EJSON file that uses KMS can be generated with EJSON Wrapper:

ejson_wrapper generate --region ap-southeast-2 --kms-key-id [key_id] --file secrets/staging.ejson

Secrets are then added as usual with EJSON. Add the plaintext then:

ejson encrypt secrets.ejson

Set ejson_file in the stack definition to staging.ejson. Then secrets can be referenced in parameter files:

my_param:
  ejson: "my_secret"

TODO:

Update Readme.

patrobinson

Tested and it works, minor question

patrobinson · 2019-01-02T09:18:49Z

+
+      def secret_path_relative_to_base
+        @secret_path_relative_to_base ||= File.join('secrets', ejson_file)
+      end


These two methods have no effect and are not called anywhere? When I specify ejson_file I have to use the full path (secrets/foo.ejson)

I've updated the resolver to look in secrets/ for the ejson_file

patrobinson · 2019-02-02T12:28:40Z

@stevehodgkiss I've added documentation, do you want to review that for me?

stevehodgkiss · 2019-02-04T01:42:04Z

+
+[ejson](https://github.com/Shopify/ejson) is a tool for managing asymmetrically encrypted values in JSON format. This allows you to keep secrets securely in git/Github and give anyone the ability the capability to add new secrets without requiring access to the private key.
+
+First create the `production.ejson` file and store the secret value in it, then call `ejson encrypt secrets.ejson`. Then add the `ejson_file` argument to your stack in stack_master.yml:


Shall we provide details about how to create this file? For example:

ejson_wrapper generate --region ap-southeast-2 --kms-key-id [key_id] --file secrets/production.ejson

We could add another command to stack master to create ejson files with ejson wrapper/a kms key rather than relying on the user to know about ejson wrapper and do this manually. Thoughts?

Yeah I think that's a nice addition

runlevel5 · 2019-08-02T14:28:08Z

+
+      def resolve(secret_key)
+        validate_ejson_file_specified
+        secrets = decrypt_ejson_file


@stevehodgkiss should we memoize secrets?

Add a parameter resolver for EJSON wrapper

9a73a1d

stevehodgkiss added the wip label Dec 21, 2018

Update class name so resolving works

25cbb66

stevehodgkiss force-pushed the ejson_wrapper branch from d2b12c8 to 25cbb66 Compare December 21, 2018 04:27

patrobinson reviewed Jan 2, 2019

View reviewed changes

Add documentation

bc47143

stevehodgkiss commented Feb 4, 2019

View reviewed changes

stevehodgkiss added 3 commits February 4, 2019 05:46

Update location that ejson_file is expected to be in

ddc8fb8

Merge remote-tracking branch 'origin/master' into ejson_wrapper

6eea835

Update readme. Ejson wrapper w/KMS is required at the moment.

05a595a

orien approved these changes Aug 1, 2019

View reviewed changes

Allow specifying ejson_file_region

dad2f0d

runlevel5 reviewed Aug 2, 2019

View reviewed changes

runlevel5 approved these changes Aug 2, 2019

View reviewed changes

patrobinson approved these changes Aug 5, 2019

View reviewed changes

Memoize decrypted secrets

0b0b880

stevehodgkiss removed the wip label Aug 5, 2019

Add ability to not use KMS with ejson

184c6af

viraptor approved these changes Aug 7, 2019

View reviewed changes

stevehodgkiss merged commit 4b225c8 into master Aug 9, 2019

stevehodgkiss deleted the ejson_wrapper branch August 9, 2019 11:52

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add a parameter resolver for EJSON wrapper#264

Add a parameter resolver for EJSON wrapper#264
stevehodgkiss merged 9 commits intomasterfrom
ejson_wrapper

stevehodgkiss commented Dec 21, 2018 •

edited

Loading

Uh oh!

patrobinson left a comment

Uh oh!

patrobinson Jan 2, 2019

Uh oh!

stevehodgkiss Feb 4, 2019

Uh oh!

patrobinson commented Feb 2, 2019

Uh oh!

stevehodgkiss Feb 4, 2019

Uh oh!

stevehodgkiss Feb 4, 2019

Uh oh!

patrobinson Feb 4, 2019

Uh oh!

runlevel5 Aug 2, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants


		[ejson](https://github.com/Shopify/ejson) is a tool for managing asymmetrically encrypted values in JSON format. This allows you to keep secrets securely in git/Github and give anyone the ability the capability to add new secrets without requiring access to the private key.

		First create the `production.ejson` file and store the secret value in it, then call `ejson encrypt secrets.ejson`. Then add the `ejson_file` argument to your stack in stack_master.yml:

Conversation

stevehodgkiss commented Dec 21, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

patrobinson left a comment

Choose a reason for hiding this comment

Uh oh!

patrobinson Jan 2, 2019

Choose a reason for hiding this comment

Uh oh!

stevehodgkiss Feb 4, 2019

Choose a reason for hiding this comment

Uh oh!

patrobinson commented Feb 2, 2019

Uh oh!

stevehodgkiss Feb 4, 2019

Choose a reason for hiding this comment

Uh oh!

stevehodgkiss Feb 4, 2019

Choose a reason for hiding this comment

Uh oh!

patrobinson Feb 4, 2019

Choose a reason for hiding this comment

Uh oh!

runlevel5 Aug 2, 2019

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

stevehodgkiss commented Dec 21, 2018 •

edited

Loading