fix: app secrets stored in encrypted AWS SSM Parameter Store

following aws-amplify/amplify-hosting#3348 (comment)
mkraenz · Mar 22, 2023 · b5c6fe4 · b5c6fe4
1 parent 3e18590
commit b5c6fe4
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 4 deletions.
diff --git a/apps/infrastructure/amplify.buildSpec.yaml b/apps/infrastructure/amplify.buildSpec.yaml
@@ -9,6 +9,11 @@ applications:
             - npm ci
         build:
           commands:
+            - yum install jq -y
+            # writing NEXTAUTH_SECRET etc from parameter store secrets (available as json inside of $secrets env var) to env vars so that we can `env | grep ..` them down below
+            - export NEXTAUTH_SECRET=$(echo $secrets | jq -r .NEXTAUTH_SECRET)
+            - export COGNITO_OAUTH_CLIENT_SECRET=$(echo $secrets | jq -r .COGNITO_OAUTH_CLIENT_SECRET)
+            - export MY_AWS_ACCESS_KEY_SECRET=$(echo $secrets | jq -r .MY_AWS_ACCESS_KEY_SECRET)
             - env | grep -e NEXTAUTH_URL -e NEXTAUTH_SECRET -e COGNITO_OAUTH_CLIENT_ID -e COGNITO_OAUTH_CLIENT_SECRET -e COGNITO_OAUTH_ISSUER_URL -e MY_AWS_DYNAMODB_TABLE -e MY_AWS_DYNAMODB_TABLE_NAME -e MY_AWS_REGION -e MY_AWS_ACCESS_KEY_ID -e MY_AWS_ACCESS_KEY_SECRET >> .env.production
             - npm run build
       artifacts:

diff --git a/apps/infrastructure/index.ts b/apps/infrastructure/index.ts
@@ -20,11 +20,17 @@ const userpoolClientCallbackUrlRemote = `${baseUrlRemote}/api/auth/callback/cogn
 const adminEmail = config.require("adminEmail");
 const adminUserSub = config.require("adminUserSub");
 const awsIdentity = await aws.getCallerIdentity();
+// TODO move secrets from config to a separate (private) repository
 const nextauthSecret = config.requireSecret("nextAuthSecret");
 const nextAuthUrl = config.require("nextAuthUrl");
 const domainName = config.require("domainName");
 const subdomain = config.require("subdomain");
 
+const tags = {
+  managedBy: "pulumi",
+  project,
+};
+
 const db = new aws.dynamodb.Table(
   "db",
   {
@@ -91,6 +97,26 @@ const amplifyServiceRole = new aws.iam.Role(`${project}-amplify-svc-role`, {
         getAmplifyServiceRole(awsIdentity.accountId, region)
       ),
     },
+    {
+      name: `${project}-amplify-access-to-parameter-store`,
+      policy: JSON.stringify({
+        Version: "2012-10-17",
+        Statement: [
+          {
+            Sid: "",
+            Effect: "Allow",
+            Action: [
+              "ssm:GetParametersByPath",
+              "ssm:GetParameters",
+              "ssm:GetParameter",
+              "ssm:DescribeParameters",
+            ],
+            // TODO restrict to specific path, minimize the actions
+            Resource: "*",
+          },
+        ],
+      }),
+    },
   ],
 });
 
@@ -99,16 +125,13 @@ const amplifyApp = new aws.amplify.App(project, {
   accessToken: amplifyToGithubAccessToken,
   platform: "WEB_COMPUTE",
   environmentVariables: {
-    // TODO put secrets into AWS Systems Manager Parameter Store
-    NEXTAUTH_SECRET: nextauthSecret,
+    // NOTE: secrets are inside AWS Systems Manager Parameter Store and accessed in the buildSpec as an environment variable named $secrets
     NEXTAUTH_URL: nextAuthUrl,
     COGNITO_OAUTH_CLIENT_ID: userpoolClient.id,
-    COGNITO_OAUTH_CLIENT_SECRET: userpoolClient.clientSecret,
     COGNITO_OAUTH_ISSUER_URL: pulumi.interpolate`https://cognito-idp.${region}.amazonaws.com/${userpool.id}`,
     MY_AWS_REGION: region,
     MY_AWS_DYNAMODB_TABLE: db.name,
     MY_AWS_ACCESS_KEY_ID: nextjsToDynamodbAccessKey.id,
-    MY_AWS_ACCESS_KEY_SECRET: nextjsToDynamodbAccessKey.secret,
     AMPLIFY_MONOREPO_APP_ROOT: "apps/frontend",
   },
   repository: githubRepositoryUrl,
@@ -140,6 +163,28 @@ new aws.amplify.DomainAssociation("domain", {
   waitForVerification: true,
 });
 
+const getParameterName = (suffix: string) =>
+  pulumi.interpolate`/amplify/${amplifyApp.id}/${nextAppMainBranch.branchName}/${suffix}`;
+
+new aws.ssm.Parameter("nextauth-secret", {
+  type: "SecureString",
+  name: getParameterName("NEXTAUTH_SECRET"),
+  value: nextauthSecret,
+  tags,
+});
+new aws.ssm.Parameter("cognito-oauth-client-secret", {
+  type: "SecureString",
+  name: getParameterName("COGNITO_OAUTH_CLIENT_SECRET"),
+  value: userpoolClient.clientSecret,
+  tags,
+});
+new aws.ssm.Parameter("aws-access-key-secret", {
+  type: "SecureString",
+  name: getParameterName("MY_AWS_ACCESS_KEY_SECRET"),
+  value: nextjsToDynamodbAccessKey.secret,
+  tags,
+});
+
 export const amplifyAppId = amplifyApp.id;
 export const amplifyAppArn = amplifyApp.arn;
 export const amplifyAppDefaultDomain = amplifyApp.defaultDomain;