feat/NUKAMI-293 added secrets and utilised orbs to fetch secrets #3993

Open
wants to merge 12 commits into
base: master
Conversation

@Ha2605 Ha2605 commented Dec 2, 2024

Secret Rotator README

Overview

This document provides an overview of the Secret Rotator implementation for managing secrets in the Sun Savers BACS Service environment. The secret rotator is designed to automate secret creation, rotation, and retrieval, ensuring secure and efficient secret management across environments.


Features

  • Automated creation and rotation of secrets.
  • AWS Lambda functions for specific secret rotation tasks.
  • Support for multiple secret types such as API keys, passwords, and tokens.
  • Integration with AWS Secrets Manager.
  • Optional Slack notifications for secret rotation status.

Module Configuration

Terraform Module

The secret_rotator Terraform module is used to configure the secret rotation settings.

module "secret_rotator_times_components_dev" {
  source                                  = "[email protected]:newsuk/nuk-secret-rotator.git?ref=v0.20.0"
  create_secrets                          = true
  environment                             = "dev"
  account                                 = "aws-digital-dev-tnlweb"
  custom_role_arn                         = "arn:aws:iam::512040659177:role/circle-oidc-nuk-aws-digital-dev-tnlweb"
  create_role                             = false
  enable_notifications = {
    enable                 = false
    slack_channel          = ""
    slack_token_secret_arn = ""
  }

  secrets = {
    "times-components/dev/GH_TOKEN" = {
      description             = "The Github token for dev"
      recovery_window_in_days = 0
      enable_rotation         = false
      tags = {
        Environment    = "dev"
        Repository     = var.repository
        SecretRotation = "auto"
        SecretType     = "external"
        ServiceName    = "Github"
        SecretOwner    = var.service_owner
      }
    }
  }
}

Utilization of AWS Secrets

Command details

command: fetch_secrets_dev

This command securely retrieves the GH_TOKEN secret from AWS Secrets Manager and saves it for use in development pipelines.

  fetch_secrets_dev:
    description: "Fetch secrets dev using AWS Secrets Manager"
    steps:
      - aws-cli/setup:
          region: "eu-west-1"
          role_arn: arn:aws:iam::512040659177:role/circle-oidc-nuk-aws-digital-dev-tnlweb
      - aws-secrets-manager/get-aws-secret:
          aws-secret-name: times-components/dev/GH_TOKEN
          key-var-name: GH_TOKEN
  

Secret Rotation Workflow

The workflow secrets-rotator automates secret creation and rotation through Terraform configurations.

Workflow Steps:

  1. Plan Terraform Changes:
    • Prepares the Terraform plan for secret rotator configuration.
  2. Approval:
    • Manual approval step to proceed with applying changes.
  3. Apply Terraform Changes:
    • Executes the Terraform plan to create or update secret configurations.

Example Workflow:

secrets-rotator:
    when:
      and:
        - equal: [true, << pipeline.parameters.deploy_secrets >>]
    jobs:
      - plan-secret-terraform:
          name: plan-terraform-secret-rotator-dev
          role: arn:aws:iam::512040659177:role/circle-oidc-nuk-aws-digital-dev-tnlweb
          env: dev
          region: eu-west-1
      - approve-apply-terraform-secret-rotator-dev:  
          type: approval  
          requires:  
            - plan-terraform-secret-rotator-dev    
      - apply-secret-terraform:  
          name: apply-terraform-secret-rotator-dev  
          role: arn:aws:iam::512040659177:role/circle-oidc-nuk-aws-digital-dev-tnlweb
          env: dev
          region: eu-west-1
          requires:  
            - approve-apply-terraform-secret-rotator-dev

Notifications (Optional)

Slack notifications can be enabled to provide updates on secret rotation status.

enable_notifications = {
  enable                 = true
  slack_channel          = "your-slack-channel"
  slack_token_secret_arn = "your-slack-token-secret-arn"
}

Best Practices

  • Environment Isolation:
    • Use separate secrets for each environment (dev, staging, prod) to ensure security.
  • Access Management:
    • Restrict access to sensitive secrets and roles using AWS IAM policies.
  • Rotation Frequency:
    • Ensure critical secrets are rotated at regular intervals to maintain security.
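As an added example (not code from this PR or from the nuk-secret-rotator module), the following Python check turns the Best Practices above into an automated pre-merge policy test over the module inputs. It assumes the module block has been rendered to a plain dictionary (here constructed from the PR's own example; `var.*` references are stand-in strings) and flags naming, tagging, rotation and recovery-window inconsistencies.

```python
from typing import Dict, List

REQUIRED_TAGS = {"Environment", "Repository", "SecretRotation",
                 "SecretType", "ServiceName", "SecretOwner"}

# Constructed rendering of the module block in the PR description.
MODULE_CONFIG = {
    "environment": "dev",
    "secrets": {
        "times-components/dev/GH_TOKEN": {
            "description": "The Github token for dev",
            "recovery_window_in_days": 0,
            "enable_rotation": False,
            "tags": {"Environment": "dev", "Repository": "var.repository",
                     "SecretRotation": "auto", "SecretType": "external",
                     "ServiceName": "Github", "SecretOwner": "var.service_owner"},
        }
    },
}


def check_secret(name: str, cfg: Dict, module_env: str) -> List[str]:
    """Return policy findings for one secret entry; an empty list means compliant."""
    findings: List[str] = []
    parts = name.split("/")
    # Naming convention <service>/<env>/<NAME>; the env segment must match the module
    # environment so dev pipelines cannot silently reference prod material.
    if len(parts) != 3:
        findings.append(f"{name}: expected <service>/<env>/<NAME>")
    elif parts[1] != module_env:
        findings.append(f"{name}: path env '{parts[1]}' != module environment '{module_env}'")
    tags = cfg.get("tags", {})
    missing = REQUIRED_TAGS - set(tags)
    if missing:
        findings.append(f"{name}: missing tags {sorted(missing)}")
    if tags.get("Environment") not in (None, module_env):
        findings.append(f"{name}: Environment tag '{tags['Environment']}' != '{module_env}'")
    # A tag advertising automatic rotation while rotation is disabled misleads audits.
    if tags.get("SecretRotation") == "auto" and not cfg.get("enable_rotation", False):
        findings.append(f"{name}: SecretRotation=auto but enable_rotation=false")
    # recovery_window_in_days=0 deletes with no undo; tolerate it only outside prod.
    if cfg.get("recovery_window_in_days", 30) == 0 and module_env == "prod":
        findings.append(f"{name}: recovery_window_in_days=0 in prod")
    return findings


def check_module(config: Dict) -> List[str]:
    """Run check_secret over every secret declared in the module config."""
    env = config["environment"]
    return [f for name, cfg in config["secrets"].items()
            for f in check_secret(name, cfg, env)]
```

Run against the PR's own block it reports one finding: the `SecretRotation = "auto"` tag contradicts `enable_rotation = false`.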

@Ha2605 Ha2605 requested a review from a team as a code owner December 2, 2024 10:37
douglasmik and others added 11 commits December 2, 2024 11:42
sonarqubecloud bot commented Dec 5, 2024
