cipher

[misikdmytro]

Cipher — Secret Rotation Service

Distributed secret rotation service that automates AWS Secrets Manager credential lifecycle: scheduled rotation, blue/green secret strategy, and webhook-based event notifications.

Architecture

Four services in a Cargo workspace (crates/):

Service	Role	Persistence
API	HTTP REST facade (Actix-web). CRUD for secrets metadata, schedules, webhooks. OpenAPI docs via utoipa.	PostgreSQL (sqlx)
Scheduler	Cron-based orchestrator. Triggers rotations by publishing rotation.scheduled events.	PostgreSQL (sqlx)
Rotator	Stateless worker. Executes rotation against AWS Secrets Manager (blue/green strategy, STS AssumeRole). Publishes rotation.started / done / failed.	—
Notificator	Event consumer. Delivers webhook notifications on rotation lifecycle events.	—

Shared domain and proto crates for domain types and gRPC definitions.

Communication

• Sync: gRPC (tonic) — API ↔ Scheduler, API ↔ Rotator, API ↔ Notificator, Rotator → API
• Async: RabbitMQ / AMQP (lapin) — event-driven pipeline for rotation lifecycle

Key features

• Full CRUD API for secrets, schedules, and webhooks
• Scheduled and manual secret rotation
• Blue/green rotation strategy for zero-downtime credential rollover
• AWS STS AssumeRole support for cross-account rotation
• Request validation and error handling middleware
• Structured logging and tracing configuration
• Integration tests
• OpenAPI documentation

Stack

actix-web, tonic (gRPC + protobuf), sqlx (PostgreSQL), lapin (RabbitMQ), aws-sdk-secretsmanager, aws-sdk-sts, tokio, tracing, utoipa, serde

[YevhenHrynov]

This isn't test code, it runs during service startup. If something goes wrong with TLS config or the system SSL stack, the whole service panics with no useful error. Return a Result from new_webhook_delivery_service() and let main() decide whether to panic.

[nikitosikvn1]

As I see it, failing to create the HTTP client here is an unrecoverable error for this application. Since the service's primary responsibility is making HTTP requests, we don't have a meaningful fallback strategy besides logging and exiting. In my opinion, panicking in this context is an acceptable and effectively the only viable approach. Whether we trigger the panic directly within the constructor or propagate an error to main() is a debatable point, but since the service cannot function without this client, the final outcome remains the same.

[YevhenHrynov]

yes, but if this method provides the functionality to create the client, then maybe it's not the method that should decide whether to panic now. But in general yes, the question is debatable

[YevhenHrynov]

secret_id is thrown away, deletion only uses webhook_id. This means DELETE /secrets/A/webhooks/1 will happily delete a webhook that belongs to secret B. That breaks REST semantics and is a potential authorization issue

[YevhenHrynov]

I would just change the endpoint and remove the path to the secrets resource

[YevhenHrynov]

Having username: "cipher", password: "cipher" in Default is fine for local dev, but it's a footgun. If someone accidentally constructs a config via Default::default() instead of loading it from file, the service silently connects with hardcoded creds. I suggest removing Default and force everyone to go through load_config.

[pokhanto]

Monumental work!
Everything feels very well thought through and in place - it is real pleasure to read and navigate in this code. And more than that, this solves real world problem in a very practical way.

[YevhenHrynov]

Solid PR. I’m impressed with how you handled the service boundaries - it actually makes sense as a system, which is rare.

Code reads well, and the type-driven error handling is a nice touch. I spent some time looking for more issues but didn't find anything worth mentioning.

The things I flagged above are worth addressing but none of them are blockers. Solid foundation, nice job.

[nikitosikvn1]

Consider extracting the error mapping logic into an impl From<ServiceError> for tonic::Status. This will significantly declutter the handler.

Additionally, be mindful of returning raw string representations of errors (like PersistenceError and the catch-all arm) directly to the client. You should establish a clear boundary indicating which errors are safe to expose with informative messages, and which should obscure internal implementation details to prevent data leakage - even within internal service-to-service communication.

[nikitosikvn1]

The utoipa::ToSchema trait bound on the generic type T doesn't appear to serve a functional purpose in this struct definition. I'd recommend reviewing whether it's strictly necessary here.

[vol-lev]

It might be needed because of the items (not sure though)

[nikitosikvn1]

This is a perfect use case for an if let Err(e) = body.validate() statement rather than a full match block.

[nikitosikvn1]

The default page size and the pagination bounds are currently hardcoded. It would be much better to make these values configurable, or at the very least, extract them into named constants.

[nikitosikvn1]

Similar to my previous note, the handler is heavily cluttered with explicit error mapping boilerplate. Ideally, handlers should focus purely on request orchestration. You can achieve this by implementing IntoResponse for your custom ServiceError type.

[nikitosikvn1]

While I understand the rationale behind using .expect() and panic!() here, I strongly recommend implementing TryFrom instead of From, propagating the errors upward. This prevents the entire application from panicking in the event of malformed, unexpected, or missing data in the database.

[nikitosikvn1]

If you need to map enum variants to their string representations, it would be cleaner to encapsulate this logic within the enum itself. Consider implementing standard traits like Display, AsRef<str>, or simply adding a .as_str() method to the enums instead of matching inline.

[nikitosikvn1]

Structs containing sensitive data (like passwords, API keys, etc.) generally should not implement Default. Furthermore, since this struct derives Debug, I highly recommend wrapping the sensitive fields in secrecy::SecretString.

[nikitosikvn1]

Consider using sqlx::postgres::PgConnectOptions to programmatically build the connection configuration rather than manually formatting a plaintext connection string. It is safer, less error-prone, and handles URL encoding out of the box.

[nikitosikvn1]

Great job, Dmytro! I really like how the project is shaping up, it’s clear you’ve invested a lot of time and effort into this. I’ve left a few minor comments, but they’re more 'food for thought' rather than critical issues.

[nikitosikvn1]

Since treating 4xx and 5xx status codes as errors is a standard requirement, you can simplify this logic by using the built-in error_for_status() method.

[nikitosikvn1]

Consider extracting these parameters (queue name, exchange, and routing keys) into a configuration file or environment variables.

[bzadorozhnyi]

Impressive and interesting project!

Nit: I noticed several functions with around six levels of indentation. It would be helpful to extract some of that logic into smaller helper functions.

[vol-lev]

utc might be useful here? not sure what time is stored here (ui / api server / cloud / etc)

[vol-lev]

I'd also recommend move secrets outside the commitable codebase

[vol-lev]

nice :)

[vol-lev]

nit: implementing From<> for Status would make the whole file cleaner (using just ? instead of map_err)

[vol-lev]

webhook handler most probably would like to know the timezone :)

[vol-lev]

consider moving retry outside the service (for instance - enqueue a message for each attempt) - to be able to retry even after service crash

[vol-lev]

My first pleasant experience reviewing such a huge PR! Great work with microservices! Resilient approach with rabbitmq (and ack-ed messages), nice trait usage, consistent error handling approach - good technical job and nice product! Can't wait for the release :)