transcom · chrisgilmerproj · Jan 3, 2020 · Dec 20, 2019 · Dec 20, 2019 · Dec 20, 2019
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -482,7 +482,6 @@ jobs:
       - restore_cache:
           keys:
             - v2-mymove-node-modules-{{ checksum "yarn.lock" }}
-      - run: make bin/chamber
       - run: make bin/rds-combined-ca-bundle.pem
       - run: make bin/rds-ca-2019-root.pem
       - run: make client_build
@@ -518,7 +517,6 @@ jobs:
       - checkout
       - setup_remote_docker:
           docker_layer_caching: false
-      - run: make bin/chamber
       - run: make bin/rds-combined-ca-bundle.pem
       - run: make bin/rds-ca-2019-root.pem
       - run: make server_build
@@ -538,7 +536,6 @@ jobs:
       - restore_cache:
           keys:
             - go-mod-sources-v2-{{ checksum "go.sum" }}-{{ checksum "scripts/check-go-version" }}}
-      - run: make bin/chamber
       - run: make bin/rds-combined-ca-bundle.pem
       - run: make bin/rds-ca-2019-root.pem
       - run: make tasks_build
@@ -768,23 +765,23 @@ workflows:
           # if testing on experimental, you can disable these tests by using the commented block below.
           filters:
             branches:
-              ignore: placeholder_branch_name
+              ignore: cg_remove_chamber
 
       - client_test:
           requires:
             - pre_deps_yarn
           # if testing on experimental, you can disable these tests by using the commented block below.
           filters:
             branches:
-              ignore: placeholder_branch_name
+              ignore: cg_remove_chamber
 
       - server_test:
           requires:
             - pre_deps_golang
           # if testing on experimental, you can disable these tests by using the commented block below.
           filters:
             branches:
-              ignore: placeholder_branch_name
+              ignore: cg_remove_chamber
 
       - build_app:
           requires:
@@ -825,28 +822,28 @@ workflows:
             - build_migrations
           filters:
             branches:
-              only: placeholder_branch_name
+              only: cg_remove_chamber
 
       - deploy_experimental_tasks:
           requires:
             - deploy_experimental_migrations
           filters:
             branches:
-              only: placeholder_branch_name
+              only: cg_remove_chamber
 
       - deploy_experimental_app:
           requires:
             - deploy_experimental_migrations
           filters:
             branches:
-              only: placeholder_branch_name
+              only: cg_remove_chamber
 
       - deploy_experimental_app_client_tls:
           requires:
             - deploy_experimental_migrations
           filters:
             branches:
-              only: placeholder_branch_name
+              only: cg_remove_chamber
 
       - check_circle_against_staging_sha:
           requires:

diff --git a/.envrc b/.envrc
@@ -155,6 +155,7 @@ export TZ="UTC"
 # aws-vault. They will be detected and used by the app automatically.
 export AWS_S3_BUCKET_NAME="transcom-ppp-app-devlocal-us-west-2"
 export AWS_S3_REGION="us-west-2"
+export AWS_DEFAULT_REGION="us-west-2"
 export AWS_VAULT_KEYCHAIN_NAME=login
 export AWS_PROFILE=transcom-ppp
 export AWS_S3_KEY_NAMESPACE=$USER

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -12,6 +12,12 @@ repos:
     rev: v2.3.0
     hooks:
       - id: check-json
+        exclude: >
+          (?x)^(
+            config/app-client-tls.container-definition.json|
+            config/app-migrations.container-definition.json|
+            config/app.container-definition.json|
+          )$
       - id: check-merge-conflict
       - id: check-yaml
         exclude: config/database.yml # database.yml is not a valid yaml file, it contains go templating

diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,6 @@ FROM gcr.io/distroless/base:latest
 
 COPY bin/rds-combined-ca-bundle.pem /bin/rds-combined-ca-bundle.pem
 COPY bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
-COPY bin/chamber /bin/chamber
 COPY bin/milmove /bin/milmove
 
 COPY config/tls/Certificates_PKCS7_v5.4_DoD.der.p7b /config/tls/Certificates_PKCS7_v5.4_DoD.der.p7b

diff --git a/Dockerfile.migrations b/Dockerfile.migrations
@@ -2,7 +2,6 @@ FROM alpine:3.10.3
 
 COPY bin/rds-combined-ca-bundle.pem /bin/rds-combined-ca-bundle.pem
 COPY bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
-COPY bin/chamber /bin/chamber
 COPY bin/milmove /bin/milmove
 
 COPY migrations /migrate/migrations

diff --git a/Dockerfile.tasks b/Dockerfile.tasks
@@ -2,7 +2,6 @@ FROM gcr.io/distroless/base:latest
 
 COPY bin/rds-combined-ca-bundle.pem /bin/rds-combined-ca-bundle.pem
 COPY bin/rds-ca-2019-root.pem /bin/rds-ca-2019-root.pem
-COPY bin/chamber /bin/chamber
 COPY bin/milmove-tasks /bin/milmove-tasks
 
 WORKDIR /bin
diff --git a/cmd/ecs-deploy-task-container/main.go b/cmd/ecs-deploy-task-container/main.go
@@ -5,7 +5,6 @@ import (
 	"io/ioutil"
 	"log"
 	"os"
-	"strconv"
 	"strings"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -15,6 +14,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/ecr"
 	"github.com/aws/aws-sdk-go/service/ecs"
 	"github.com/aws/aws-sdk-go/service/rds"
+	"github.com/aws/aws-sdk-go/service/ssm"
 	"github.com/pkg/errors"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
@@ -85,19 +85,15 @@ func (e *errInvalidFile) Error() string {
 }
 
 const (
-	awsAccountIDFlag       string = "aws-account-id"
-	chamberBinaryFlag      string = "chamber-binary"
-	chamberRetriesFlag     string = "chamber-retries"
-	chamberKMSKeyAliasFlag string = "chamber-kms-key-alias"
-	chamberUsePathsFlag    string = "chamber-use-paths"
-	serviceFlag            string = "service"
-	environmentFlag        string = "environment"
-	repositoryNameFlag     string = "repository-name"
-	imageTagFlag           string = "image-tag"
-	commandFlag            string = "command"
-	commandArgsFlag        string = "command-args"
-	variablesFileFlag      string = "variables-file"
-	dryRunFlag             string = "dry-run"
+	awsAccountIDFlag   string = "aws-account-id"
+	serviceFlag        string = "service"
+	environmentFlag    string = "environment"
+	repositoryNameFlag string = "repository-name"
+	imageTagFlag       string = "image-tag"
+	commandFlag        string = "command"
+	commandArgsFlag    string = "command-args"
+	variablesFileFlag  string = "variables-file"
+	dryRunFlag         string = "dry-run"
 )
 
 func initFlags(flag *pflag.FlagSet) {
@@ -111,12 +107,6 @@ func initFlags(flag *pflag.FlagSet) {
 	// Vault Flags
 	cli.InitVaultFlags(flag)
 
-	// Chamber Settings
-	flag.String(chamberBinaryFlag, "/bin/chamber", "Chamber Binary")
-	flag.Int(chamberRetriesFlag, 20, "Chamber Retries")
-	flag.String(chamberKMSKeyAliasFlag, "alias/aws/ssm", "Chamber KMS Key Alias")
-	flag.Int(chamberUsePathsFlag, 1, "Chamber Use Paths")
-
 	// Task Definition Settings
 	flag.String(serviceFlag, "", fmt.Sprintf("The service name (choose %q)", services))
 	flag.String(environmentFlag, "", fmt.Sprintf("The environment name (choose %q)", environments))
@@ -147,38 +137,27 @@ func checkConfig(v *viper.Viper) error {
 	}
 
 	if err := cli.CheckAWSRegionForService(region, cloudwatchevents.ServiceName); err != nil {
-		return errors.Wrap(err, fmt.Sprintf("'%q' is invalid for service %s", cli.AWSRegionFlag, ecs.ServiceName))
+		return errors.Wrap(err, fmt.Sprintf("'%q' is invalid for service %s", cli.AWSRegionFlag, cloudwatchevents.ServiceName))
 	}
 
 	if err := cli.CheckAWSRegionForService(region, ecs.ServiceName); err != nil {
 		return errors.Wrap(err, fmt.Sprintf("'%q' is invalid for service %s", cli.AWSRegionFlag, ecs.ServiceName))
 	}
 
 	if err := cli.CheckAWSRegionForService(region, ecr.ServiceName); err != nil {
-		return errors.Wrap(err, fmt.Sprintf("'%q' is invalid for service %s", cli.AWSRegionFlag, ecs.ServiceName))
+		return errors.Wrap(err, fmt.Sprintf("'%q' is invalid for service %s", cli.AWSRegionFlag, ecr.ServiceName))
 	}
 
 	if err := cli.CheckAWSRegionForService(region, rds.ServiceName); err != nil {
-		return errors.Wrap(err, fmt.Sprintf("'%q' is invalid for service %s", cli.AWSRegionFlag, ecs.ServiceName))
-	}
-
-	if err := cli.CheckVault(v); err != nil {
-		return err
+		return errors.Wrap(err, fmt.Sprintf("'%q' is invalid for service %s", cli.AWSRegionFlag, rds.ServiceName))
 	}
 
-	chamberRetries := v.GetInt(chamberRetriesFlag)
-	if chamberRetries < 1 && chamberRetries > 20 {
-		return errors.New("Chamber Retries must be greater than or equal to 1 and less than or equal to 20")
+	if err := cli.CheckAWSRegionForService(region, ssm.ServiceName); err != nil {
+		return errors.Wrap(err, fmt.Sprintf("'%q' is invalid for service %s", cli.AWSRegionFlag, ssm.ServiceName))
 	}
 
-	chamberKMSKeyAlias := v.GetString(chamberKMSKeyAliasFlag)
-	if len(chamberKMSKeyAlias) == 0 {
-		return errors.New("Chamber KMS Key Alias must be set")
-	}
-
-	chamberUsePaths := v.GetInt(chamberUsePathsFlag)
-	if chamberUsePaths < 1 && chamberUsePaths > 20 {
-		return errors.New("Chamber Use Paths must be greater than or equal to 1 and less than or equal to 20")
+	if err := cli.CheckVault(v); err != nil {
+		return err
 	}
 
 	serviceName := v.GetString(serviceFlag)
@@ -263,6 +242,38 @@ func varFromCtxOrEnv(varName string, ctx map[string]string) string {
 	return os.Getenv("DB_PORT")
 }
 
+func buildSecrets(serviceSSM *ssm.SSM, awsRegion, registryID, serviceName, environmentName string) []*ecs.Secret {
+
+	var secrets []*ecs.Secret
+
+	var describeParametersNextToken *string
+
+	for {
+		parametersOutput, err := serviceSSM.DescribeParameters(&ssm.DescribeParametersInput{
+			MaxResults: aws.Int64(50),
+			NextToken:  describeParametersNextToken,
+		})
+		if err != nil {
+			log.Fatal(errors.Wrap(err, "error reading secrets from SSM"))
+		}
+
+		for _, parameter := range parametersOutput.Parameters {
+			if strings.HasPrefix(*parameter.Name, fmt.Sprintf("/%s-%s", serviceName, environmentName)) {
+				secrets = append(secrets, &ecs.Secret{
+					Name:      parameter.Name,
+					ValueFrom: aws.String(fmt.Sprintf("arn:aws:ssm:%s:%s:parameter:%s", awsRegion, registryID, *parameter.Name)),
+				})
+			}
+		}
+		describeParametersNextToken = parametersOutput.NextToken
+
+		if describeParametersNextToken == nil || *describeParametersNextToken == "" {
+			break
+		}
+	}
+	return secrets
+}
+
 func buildContainerEnvironment(v *viper.Viper, environmentName string, dbHost string, variablesFile string) []*ecs.KeyValuePair {
 
 	// Construct variables from a file for the task def
@@ -286,17 +297,7 @@ func buildContainerEnvironment(v *viper.Viper, environmentName string, dbHost st
 		}
 	}
 
-	chamberKMSKeyAlias := v.GetString(chamberKMSKeyAliasFlag)
-	chamberUsePaths := v.GetInt(chamberUsePathsFlag)
 	return []*ecs.KeyValuePair{
-		{
-			Name:  aws.String("CHAMBER_KMS_KEY_ALIAS"),
-			Value: aws.String(chamberKMSKeyAlias),
-		},
-		{
-			Name:  aws.String("CHAMBER_USE_PATHS"),
-			Value: aws.String(strconv.Itoa(chamberUsePaths)),
-		},
 		{
 			Name:  aws.String("DB_ENV"),
 			Value: aws.String(cli.DbEnvContainer),
@@ -401,6 +402,7 @@ func main() {
 	serviceECS := ecs.New(sess)
 	serviceECR := ecr.New(sess)
 	serviceRDS := rds.New(sess)
+	serviceSSM := ssm.New(sess)
 
 	// Get the current task definition (for rollback)
 	commandName := v.GetString(commandFlag)
@@ -480,18 +482,7 @@ func main() {
 	awsLogsGroup := fmt.Sprintf("ecs-tasks-%s-%s", serviceName, environmentName)
 	awsLogsStreamPrefix := fmt.Sprintf("%s-tasks", serviceName)
 
-	// Chamber Settings
-	chamberBinary := v.GetString(chamberBinaryFlag)
-	chamberRetries := v.GetInt(chamberRetriesFlag)
-	chamberStore := fmt.Sprintf("%s-%s", serviceName, environmentName)
-
 	entryPoint := []string{
-		chamberBinary,
-		"-r",
-		strconv.Itoa(chamberRetries),
-		"exec",
-		chamberStore,
-		"--",
 		fmt.Sprintf("/bin/%s", cmds[0]),
 	}
 	if len(cmds) > 1 {
@@ -511,6 +502,7 @@ func main() {
 				Essential:   aws.Bool(true),
 				EntryPoint:  aws.StringSlice(entryPoint),
 				Command:     []*string{},
+				Secrets:     buildSecrets(serviceSSM, awsRegion, registryID, serviceName, environmentName),
 				Environment: buildContainerEnvironment(v, environmentName, dbHost, variablesFile),
 				LogConfiguration: &ecs.LogConfiguration{
 					LogDriver: aws.String("awslogs"),

diff --git a/config/app-client-tls.container-definition.json b/config/app-client-tls.container-definition.json
@@ -3,12 +3,6 @@
   "image": "{{ .image }}",
   "essential": true,
   "entryPoint": [
-    "/bin/chamber",
-    "-r",
-    "{{ .CHAMBER_RETRIES }}",
-    "exec",
-    "app-{{ .environment }}",
-    "--",
     "/bin/milmove",
     "serve",
     "--db-env",
@@ -29,6 +23,7 @@
     }
   ],
   "command": [],
+  "secrets": {{ .secrets }},
   "environment": [
     {
       "name": "DB_IAM",
@@ -74,14 +69,6 @@
       "name": "DEVLOCAL_AUTH",
       "value": "{{ .DEVLOCAL_AUTH }}"
     },
-    {
-      "name": "CHAMBER_KMS_KEY_ALIAS",
-      "value": "alias/aws/ssm"
-    },
-    {
-      "name": "CHAMBER_USE_PATHS",
-      "value": "1"
-    },
     {
       "name": "MOVE_MIL_DOD_CA_CERT",
       "value": "{{ .move_mil_dod_ca_cert }}"

diff --git a/config/app-migrations.container-definition.json b/config/app-migrations.container-definition.json
@@ -4,12 +4,6 @@
   "portMappings": [],
   "essential": true,
   "entryPoint": [
-    "/bin/chamber",
-    "-r",
-    "{{ .CHAMBER_RETRIES }}",
-    "exec",
-    "app-{{ .environment }}",
-    "--",
     "/bin/milmove",
     "migrate",
     "--db-env",
@@ -18,6 +12,7 @@
     "production"
   ],
   "command": [],
+  "secrets": {{ .secrets }},
   "environment": [
     {
       "name": "DB_IAM",