
Add a parameter resolver for EJSON wrapper #264

Merged
merged 9 commits into from Aug 9, 2019

Conversation

@stevehodgkiss (Member) commented Dec 21, 2018

An EJSON file that uses KMS can be generated with EJSON Wrapper:

ejson_wrapper generate --region ap-southeast-2 --kms-key-id [key_id] --file secrets/staging.ejson

Secrets are then added as usual with EJSON. Add the plaintext then:

ejson encrypt secrets.ejson

Set ejson_file in the stack definition to staging.ejson. Then secrets can be referenced in parameter files:

my_param:
  ejson: "my_secret"

TODO:

  • Update Readme.

@stevehodgkiss stevehodgkiss added the wip label Dec 21, 2018

@stevehodgkiss stevehodgkiss force-pushed the ejson_wrapper branch from d2b12c8 to 25cbb66 Dec 21, 2018

@patrobinson (Contributor) left a comment Jan 2, 2019:

Tested and it works, minor question


def secret_path_relative_to_base
  @secret_path_relative_to_base ||= File.join('secrets', ejson_file)
end

@patrobinson (Contributor) commented Jan 2, 2019

These two methods have no effect and are not called anywhere? When I specify ejson_file I have to use the full path (secrets/foo.ejson)

@stevehodgkiss (Author, Member) commented Feb 4, 2019

I've updated the resolver to look in secrets/ for the ejson_file

@patrobinson (Contributor) commented Feb 2, 2019

@stevehodgkiss I've added documentation, do you want to review that for me?

README.md (outdated revision under review)

[ejson](https://github.com/Shopify/ejson) is a tool for managing asymmetrically encrypted values in JSON format. This allows you to keep secrets securely in git/Github and give anyone the capability to add new secrets without requiring access to the private key.

First create the `production.ejson` file and store the secret value in it, then call `ejson encrypt secrets.ejson`. Then add the `ejson_file` argument to your stack in stack_master.yml:

@stevehodgkiss (Author, Member) commented Feb 4, 2019

Shall we provide details about how to create this file? For example:

ejson_wrapper generate --region ap-southeast-2 --kms-key-id [key_id] --file secrets/production.ejson

@stevehodgkiss (Author, Member) commented Feb 4, 2019

We could add another command to stack master to create ejson files with ejson wrapper/a kms key rather than relying on the user to know about ejson wrapper and do this manually. Thoughts?

@patrobinson (Contributor) commented Feb 4, 2019

Yeah I think that's a nice addition

@orien approved these changes Aug 1, 2019


def resolve(secret_key)
  validate_ejson_file_specified
  secrets = decrypt_ejson_file

@joneslee85 (Member) commented Aug 2, 2019

@stevehodgkiss should we memoize secrets?
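As an added example (not stack_master's own code and not part of this PR), the flow from the PR description, a stack definition's `ejson_file` looked up under `secrets/` and `my_param: { ejson: "my_secret" }` resolved to a plaintext, together with the memoisation question raised above, modelled in Ruby. `EjsonResolver`, `FAKE_DECRYPT` and `demo` are assumed names; the injected decryptor is a constructed stand-in for ejson_wrapper's KMS-backed decryption so the example runs offline.

```ruby
require 'json'
require 'tmpdir'
# Added example, not stack_master's code: a model of the EJSON parameter resolver this
# PR describes. The `decryptor` callable is a hypothetical stand-in for ejson_wrapper + KMS.
class EjsonResolver
  class MissingEjsonFile < StandardError; end
  class MissingSecret < StandardError; end
  attr_reader :decrypt_calls
  def initialize(stack_definition, decryptor:, base_dir: Dir.pwd)
    @stack_definition = stack_definition # e.g. { 'ejson_file' => 'staging.ejson' }
    @decryptor, @base_dir, @decrypt_calls = decryptor, base_dir, 0
  end

  # `my_param: { ejson: "my_secret" }` in a parameter file resolves to the plaintext value.
  def resolve(secret_key)
    validate_ejson_file_specified
    secrets.fetch(secret_key) { raise MissingSecret, "#{secret_key} not in #{ejson_file}" }
  end
  # A relative ejson_file is looked up under secrets/, as the updated resolver does.
  def secret_path
    ejson_file.start_with?('/') ? ejson_file : File.join(@base_dir, 'secrets', ejson_file)
  end

  private
  def ejson_file; @stack_definition['ejson_file']; end
  def validate_ejson_file_specified
    return unless ejson_file.nil? || ejson_file.empty?
    raise MissingEjsonFile, 'ejson_file is not set in the stack definition'
  end

  # Memoised: the file is decrypted once per resolver, not once per referenced parameter.
  def secrets
    @secrets ||= begin
      @decrypt_calls += 1
      @decryptor.call(JSON.parse(File.read(secret_path))).reject { |k, _| k.start_with?('_') }
    end
  end
end
# Constructed stand-in for decryption: "EJ[constructed:<plaintext>]" becomes <plaintext>.
FAKE_DECRYPT = ->(doc) { doc.transform_values { |v| v.sub(/\AEJ\[constructed:(.*)\]\z/, '\1') } }

# Writes a constructed secrets/staging.ejson into a temp dir and resolves one secret twice.
def demo
  Dir.mktmpdir do |dir|
    Dir.mkdir(File.join(dir, 'secrets'))
    File.write(File.join(dir, 'secrets', 'staging.ejson'),
               JSON.dump('_public_key' => 'constructed', 'my_secret' => 'EJ[constructed:s3cr3t]'))
    r = EjsonResolver.new({ 'ejson_file' => 'staging.ejson' }, decryptor: FAKE_DECRYPT, base_dir: dir)
    [r.resolve('my_secret'), r.resolve('my_secret'), r.decrypt_calls]
  end
end
```

`demo` returns the plaintext twice with a single decryption, which is the behaviour memoising `secrets` buys; a missing `ejson_file` fails before any file is read.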

@stevehodgkiss stevehodgkiss removed the wip label Aug 5, 2019

@stevehodgkiss stevehodgkiss merged commit 4b225c8 into master Aug 9, 2019

2 checks passed:

continuous-integration/travis-ci/pr: The Travis CI build passed
continuous-integration/travis-ci/push: The Travis CI build passed

@stevehodgkiss stevehodgkiss deleted the ejson_wrapper branch Aug 9, 2019
