Feature/nd 398 secrets in plain sight in nacs task definitions #326
Merged: asifamirat00 merged 42 commits into main from feature/ND-398-secrets-in-plain-sight-in-nacs-task-definitions-new on Oct 29, 2024
Conversation
…eval of secrets from secrets manager, added new vpc endpoint for secrets, adding local list to secrets to share secrets with modules ND-398
…to source secrets from secrets manager, removing secrets from aws_ssn_get_parameters.sh script which have been moved to secrets manager
… manager as data lookups ND-398
…es sourced directly from secrets manager as data lookups ND-398
…form import ND-398
…n secrets manager ND-398
…d sourced via ecs task definitions from buildspec.yml
…ition, removal of jsondecode formatting from secrets manager lookups as secrets are plain text. ND-398
…s-task-definitions included updates to ECR retention policy to align with agreed policy
…plicate parameters that existed in both environment block and secrets block of ecs task definitions so secrets only in secrets block
…s-task-definitions including the following updates - amended cw thresholds (#309)
…s-task-definitions including the following updates - (details of commits) - including secrets manager secrets, added descriptions/tags to secret, added dhl ocsp endpoints
…s-task-definitions including the following updates - Adding user_data script to RDS bastion (#319)
…r. Removed admin_db_details from outputs as we are no longer including the admin db details parameters in secrets manager. ND-398
…s-task-definitions Pulling in latest updates to main
…le as we are doing data lookup to retrieve values directly from secrets manager ND-398
…in, removed changes to be added later
…s-task-definitions-new Pulling in latest updates to main
… for eap_private_key_password/radsec_private_key_password, read_replica db username/password to retrieve values directly from secrets manager
…or admin read replica db password to retrieve values directly from secrets manager
…for eap_private_key_password/radsec_private_key_password, admin db username/password to retrieve values directly from secrets manager
…eve values directly from secrets manager
…eing enabled as the endpoints are always required for connection to secrets manager / ssm parameter store from task definitions
…s-task-definitions-new Pulling in latest updates to main
…sist. Using a hard coded count to prevent destruction and recreation of existing endpoints created by the "var.ssm_session_manager_endpoints" boolean when set to true. ND-510
So the VPC endpoints need to be attached there. ND-510
…s-task-definitions-new Pulling in latest updates to main
…he container tls configuration is expecting within radius tasks definition secrets block
… as these values/secrets are now being obtained from secrets manager using aws data lookups
… secrets manager and are being obtained using data source lookup
… new secrets_manager.tf file
…as these have been replaced with ones that are doing data lookups from secrets manager instead of sourcing from .env file and ssm get parameters script
…t parameters as these have been replaced with ones that are doing data lookups from secrets manager instead of sourcing from .env file and ssm get parameters script
…ch have been moved to secrets manager & are being sourced by data lookups instead of sourcing from .env file and ssm get parameters script
asifamirat00 requested review from Gary-H9, moontune and juddin927 and removed the request for a team, October 25, 2024 14:04
asifamirat00 had a problem deploying to development, October 25, 2024 14:04, with GitHub Actions: Failure
laurentb4 approved these changes, Oct 29, 2024
Plan runs fine locally.
Resources deployed in Dev environment and containers are running healthy.
asifamirat00 deleted the feature/ND-398-secrets-in-plain-sight-in-nacs-task-definitions-new branch, October 29, 2024 14:32
Secrets identified within ECS task definitions for nac-infrastructure and moved from the shared services Parameter Store to the target account's Secrets Manager.
Using the secrets block within task definitions to source secrets from Secrets Manager. Moving secrets to a secrets block allows the secret values to be hidden from plain sight.
Associated work to allow tasks to access secrets stored in Secrets Manager (VPC endpoints to allow a network route to secrets in Secrets Manager; custom policies with permissions to read secrets in Secrets Manager, attached to IAM roles).
Input parameters in root Terraform modules which have been moved to Secrets Manager are being sourced via data lookups from Secrets Manager instead of being sourced from the .env file and the SSM get-parameters script.
Removal of parameters from the SSM get-parameters script and buildspec.yml which have been moved to Secrets Manager; removal of variables no longer required.
Various other changes to allow secret retrieval to work.
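The check below is an added example and is not code from this PR or from the nac-infrastructure repository. It does, in a reviewable form, what the PR description and commit messages describe by hand: it reads the JSON form of an ECS task definition (the structure a Terraform `container_definitions` argument renders to), flags credential-looking names that are still in the plaintext `environment` block, flags names that appear in both `environment` and `secrets` (the duplicates one of the commits removed), checks that every `secrets` entry's `valueFrom` is a Secrets Manager or SSM Parameter Store ARN rather than a literal, and then rewrites the definition so the flagged variables move into the `secrets` block. The task definition, container name, image, values and ARNs are constructed for illustration; only the variable names `EAP_PRIVATE_KEY_PASSWORD` and `RADSEC_PRIVATE_KEY_PASSWORD` are taken from the commit messages above, and the `nacs/...` secret names and region are assumptions.

```python
"""Audit an ECS task definition for secrets in plain sight and move them
into the `secrets` block.

Added example, not project code. The task definition below is constructed
for illustration; the ARNs, image and values are made up.
"""
import copy
import json
import re

# Environment variable names that should never carry a literal value.
SECRET_NAME_RE = re.compile(r"password|passwd|secret|token|api_?key|private_key", re.I)

# Acceptable `valueFrom` targets for the ECS secrets block: a Secrets Manager
# secret ARN (optionally with :json-key:version-stage:version-id suffix) or an
# SSM Parameter Store parameter ARN. Assumes the "aws" partition.
VALUE_FROM_RE = re.compile(
    r"^arn:aws:(?:secretsmanager:[a-z0-9-]+:\d{12}:secret:\S+"
    r"|ssm:[a-z0-9-]+:\d{12}:parameter/\S+)$"
)


def audit_task_definition(task_def):
    """Return (container, name) pairs for each class of problem found."""
    findings = {"plaintext": [], "bad_value_from": [], "duplicates": []}
    for c in task_def.get("containerDefinitions", []):
        env = {e["name"]: e["value"] for e in c.get("environment", [])}
        secrets = {s["name"]: s["valueFrom"] for s in c.get("secrets", [])}
        # A credential-looking name with a literal value is visible to anyone
        # who can call DescribeTaskDefinition, and lands in Terraform state/plan.
        for name in env:
            if SECRET_NAME_RE.search(name):
                findings["plaintext"].append((c["name"], name))
        # The secrets block must reference a secret, not contain one.
        for name, value_from in secrets.items():
            if not VALUE_FROM_RE.match(value_from):
                findings["bad_value_from"].append((c["name"], name))
        # Same name in both blocks: the plaintext copy still ships with the task.
        for name in sorted(env.keys() & secrets.keys()):
            findings["duplicates"].append((c["name"], name))
    return findings


def move_to_secrets_block(task_def, arn_by_name):
    """Return a copy with every env var named in arn_by_name moved to `secrets`.

    Existing secrets entries are kept; a name already present there is not
    added twice, so this also clears the duplicates case.
    """
    fixed = copy.deepcopy(task_def)
    for c in fixed.get("containerDefinitions", []):
        secrets = c.setdefault("secrets", [])
        present = {s["name"] for s in secrets}
        keep = []
        for e in c.get("environment", []):
            if e["name"] in arn_by_name:
                if e["name"] not in present:
                    secrets.append({"name": e["name"], "valueFrom": arn_by_name[e["name"]]})
                    present.add(e["name"])
            else:
                keep.append(e)
        c["environment"] = keep
    return fixed


# Constructed sample: the "before" state the PR title describes.
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "radius",
  "containerDefinitions": [
    {
      "name": "radius",
      "image": "123456789012.dkr.ecr.eu-west-2.amazonaws.com/radius:latest",
      "environment": [
        {"name": "DB_HOST", "value": "db.internal"},
        {"name": "RADSEC_PRIVATE_KEY_PASSWORD", "value": "hunter2"},
        {"name": "EAP_PRIVATE_KEY_PASSWORD", "value": "hunter3"}
      ],
      "secrets": [
        {"name": "EAP_PRIVATE_KEY_PASSWORD",
         "valueFrom": "arn:aws:secretsmanager:eu-west-2:123456789012:secret:nacs/eap_private_key_password-AbCdEf"},
        {"name": "DB_PASSWORD", "valueFrom": "not-an-arn"}
      ]
    }
  ]
}
""")

# Assumed Secrets Manager ARNs for the variables being moved.
FIX_ARNS = {
    "RADSEC_PRIVATE_KEY_PASSWORD":
        "arn:aws:secretsmanager:eu-west-2:123456789012:secret:nacs/radsec_private_key_password-GhIjKl",
    "EAP_PRIVATE_KEY_PASSWORD":
        "arn:aws:secretsmanager:eu-west-2:123456789012:secret:nacs/eap_private_key_password-AbCdEf",
}

if __name__ == "__main__":
    print("before:", audit_task_definition(SAMPLE_TASK_DEF))
    fixed = move_to_secrets_block(SAMPLE_TASK_DEF, FIX_ARNS)
    print("after: ", audit_task_definition(fixed))
    print(json.dumps(fixed["containerDefinitions"][0], indent=2))
```

Run against the sample, the audit reports both private key passwords as plaintext, `EAP_PRIVATE_KEY_PASSWORD` as a duplicate, and `DB_PASSWORD` as a `valueFrom` that is a literal rather than an ARN. After `move_to_secrets_block` the plaintext and duplicate findings are gone; `DB_PASSWORD` is still reported because the mapping did not supply an ARN for it, which is the point: the check should stay in CI so a future task definition cannot reintroduce a literal. Note that moving a value into the secrets block also requires the task execution role to be allowed `secretsmanager:GetSecretValue` on that ARN and a network path to Secrets Manager (the VPC endpoints this PR adds); the script does not verify either.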