build: release v5.17.0

.dockerignore

@@ -5,7 +5,6 @@
 **/.elasticbeanstalk
 **/node_modules
 **/public/lib
-**/.env
 .eslintrc.json
 .prettierrc.json
 .travis.yml

.ebextensions/env-file-creation.config

@@ -0,0 +1,41 @@
+# Creates an .env file from AWS SSM Parameter Store
+
+commands:
+  01-create-env:
+    command: "/tmp/create-env.sh"
+
+files:
+  "/tmp/create-env.sh":
+      mode: "000755"
+      content : |
+        #!/bin/bash
+        # Reach into the undocumented container config
+        AWS_REGION='`{"Ref": "AWS::Region"}`'
+        ENV_NAME=$(/opt/elasticbeanstalk/bin/get-config environment -k SSM_PREFIX)
+        TARGET_DIR=/etc/formsg
+
+        echo "Checking if ${TARGET_DIR} exists..."
+        if [ ! -d ${TARGET_DIR} ]; then
+            echo "Creating directory ${TARGET_DIR} ..."
+            mkdir -p ${TARGET_DIR}
+            if [ $? -ne 0 ]; then
+                echo 'ERROR: Directory creation failed!'
+                exit 1
+            fi
+        else
+            echo "Directory ${TARGET_DIR} already exists!"
+        fi
+        echo "Creating config for ${ENV_NAME} in ${AWS_REGION}"
+        aws ssm get-parameter --name "${ENV_NAME}-general" --with-decryption --region $AWS_REGION | jq -r '.Parameter.Value' > $TARGET_DIR/.env
+        aws ssm get-parameter --name "${ENV_NAME}-captcha" --with-decryption --region $AWS_REGION | jq -r '.Parameter.Value' >> $TARGET_DIR/.env
+        aws ssm get-parameter --name "${ENV_NAME}-ga" --with-decryption --region $AWS_REGION | jq -r '.Parameter.Value' >> $TARGET_DIR/.env
+        aws ssm get-parameter --name "${ENV_NAME}-intranet" --with-decryption --region $AWS_REGION | jq -r '.Parameter.Value' >> $TARGET_DIR/.env
+        aws ssm get-parameter --name "${ENV_NAME}-sentry" --with-decryption --region $AWS_REGION | jq -r '.Parameter.Value' >> $TARGET_DIR/.env
+        aws ssm get-parameter --name "${ENV_NAME}-sms" --with-decryption --region $AWS_REGION | jq -r '.Parameter.Value' >> $TARGET_DIR/.env
+        aws ssm get-parameter --name "${ENV_NAME}-ndi" --with-decryption --region $AWS_REGION | jq -r '.Parameter.Value' >> $TARGET_DIR/.env
+        aws ssm get-parameter --name "${ENV_NAME}-verified-fields" --with-decryption --region $AWS_REGION | jq -r '.Parameter.Value' >> $TARGET_DIR/.env
+        aws ssm get-parameter --name "${ENV_NAME}-webhook-verified-content" --with-decryption --region $AWS_REGION | jq -r '.Parameter.Value' >> $TARGET_DIR/.env
+
+packages:
+  yum: 
+    jq: []

Dockerrun.aws.json

@@ -13,6 +13,10 @@
     {
       "HostDirectory": "/certs",
       "ContainerDirectory": "/certs"
+    },
+    {
+      "HostDirectory": "/etc/formsg/.env",
+      "ContainerDirectory": "/opt/formsg/.env"
     }
   ]
-}
+}

README.md

@@ -91,9 +91,6 @@ FormSG requires some environment variables in order to function.
 More information about the required environment variables can be seen in
 [DEPLOYMENT_SETUP.md](/docs/DEPLOYMENT_SETUP.md).
 
-The docker-compose file declares some blank environment variables that are secret and cannot be committed into
-the repository. See below instructions to get them injected into the container.
-
 We provide a [`.template-env`](./.template-env) file with the secrets blanked out. You can copy and
 paste the variables described into a self-created `.env` file, replacing the
 required values with your own.

docker-compose.yml

@@ -33,11 +33,6 @@ services:
       - SEND_AUTH_OTP_RATE_LIMIT=60
       - SES_PORT=25
       - SES_HOST=maildev
-      - MYINFO_CLIENT_CONFIG=dev
-      - MYINFO_FORMSG_KEY_PATH=./node_modules/@opengovsg/mockpass/static/certs/key.pem
-      - MYINFO_CERT_PATH=./node_modules/@opengovsg/mockpass/static/certs/spcp.crt
-      - MYINFO_CLIENT_ID=mockClientId
-      - MYINFO_CLIENT_SECRET=mockClientSecret
       - WEBHOOK_SQS_URL=http://localhost:4566/000000000000/local-webhooks-sqs-main
       - INTRANET_IP_LIST_PATH
       - SENTRY_CONFIG_URL=https://[email protected]/123456
@@ -55,32 +50,39 @@ services:
       # Keep in sync with the development key in
       # https://github.com/opengovsg/formsg-javascript-sdk/blob/develop/src/resource/signing-keys.ts
       - SIGNING_SECRET_KEY=HDBXpu+2/gu10bLHpy8HjpN89xbA6boH9GwibPGJA8BOXmB+zOUpxCP33/S5p8vBWlPokC7gLR0ca8urVwfMUQ==
-      - TWILIO_ACCOUNT_SID
-      - TWILIO_API_KEY
-      - TWILIO_API_SECRET
-      - TWILIO_MESSAGING_SERVICE_SID
+      # Mock Twilio credentials. SMSes do not work in dev environment.
+      - TWILIO_ACCOUNT_SID=ACmockTwilioAccountSid
+      - TWILIO_API_KEY=mockTwilioApiKey
+      - TWILIO_API_SECRET=mockTwilioApiSecret
+      - TWILIO_MESSAGING_SERVICE_SID=mockTwilioMsgSrvcSid
+      # Use mockpass key pairs and endpoints
+      - SP_FORMSG_KEY_PATH=./node_modules/@opengovsg/mockpass/static/certs/key.pem
+      - SP_FORMSG_CERT_PATH=./node_modules/@opengovsg/mockpass/static/certs/server.crt
+      - SP_IDP_CERT_PATH=./node_modules/@opengovsg/mockpass/static/certs/spcp.crt
+      - SINGPASS_IDP_LOGIN_URL=http://localhost:5156/singpass/logininitial
+      - SINGPASS_IDP_ENDPOINT=http://localhost:5156/singpass/soap
+      - SINGPASS_ESRVC_ID=spEsrvcId
+      - SINGPASS_PARTNER_ENTITY_ID=https://localhost:5000/singpass
+      - SINGPASS_IDP_ID=https://saml-internet.singpass.gov.sg/FIM/sps/SingpassIDPFed/saml20
+      - CP_FORMSG_KEY_PATH=./node_modules/@opengovsg/mockpass/static/certs/key.pem
+      - CP_FORMSG_CERT_PATH=./node_modules/@opengovsg/mockpass/static/certs/server.crt
+      - CP_IDP_CERT_PATH=./node_modules/@opengovsg/mockpass/static/certs/spcp.crt
+      - CORPPASS_IDP_LOGIN_URL=http://localhost:5156/corppass/logininitial
+      - CORPPASS_IDP_ENDPOINT=http://localhost:5156/corppass/soap
+      - CORPPASS_PARTNER_ENTITY_ID=https://localhost:5000/corppass
+      - CORPPASS_ESRVC_ID=cpEsrvcId
+      - CORPPASS_IDP_ID=https://saml.corppass.gov.sg/FIM/sps/CorpIDPFed/saml20
+      - IS_SP_MAINTENANCE
+      - IS_CP_MAINTENANCE
+      - MYINFO_CLIENT_CONFIG=dev
+      - MYINFO_FORMSG_KEY_PATH=./node_modules/@opengovsg/mockpass/static/certs/key.pem
+      - MYINFO_CERT_PATH=./node_modules/@opengovsg/mockpass/static/certs/spcp.crt
+      - MYINFO_CLIENT_ID=mockClientId
+      - MYINFO_CLIENT_SECRET=mockClientSecret
       - SES_PASS
       - SES_USER
       - OTP_LIFE_SPAN
       - AWS_REGION
-      - SP_FORMSG_KEY_PATH
-      - SP_FORMSG_CERT_PATH
-      - SP_IDP_CERT_PATH
-      - SINGPASS_IDP_LOGIN_URL
-      - SINGPASS_IDP_ENDPOINT
-      - SINGPASS_ESRVC_ID
-      - SINGPASS_PARTNER_ENTITY_ID
-      - SINGPASS_IDP_ID
-      - CP_FORMSG_KEY_PATH
-      - CP_FORMSG_CERT_PATH
-      - CP_IDP_CERT_PATH
-      - CORPPASS_IDP_LOGIN_URL
-      - CORPPASS_IDP_ENDPOINT
-      - CORPPASS_PARTNER_ENTITY_ID
-      - CORPPASS_ESRVC_ID
-      - CORPPASS_IDP_ID
-      - IS_SP_MAINTENANCE
-      - IS_CP_MAINTENANCE
 
   mockpass:
     build: https://github.com/opengovsg/mockpass.git

docs/DEPLOYMENT_SETUP.md

@@ -19,6 +19,7 @@ Infrastructure
 - AWS Elastic Beanstalk / EC2 for hosting and deployment
 - AWS Elastic File System for mounting files (i.e. SingPass/MyInfo private keys into the `/certs` directory)
 - AWS S3 for image and logo hosting, attachments for Storage Mode forms
+- AWS Service Manager - Parameter Store, for holding environment variable configuration
 
 DevOps
 
@@ -104,8 +105,22 @@ The following env variables are set in Travis:
 
 ## Environment Variables
 
+These are configured by creating groups of environment variables formatted like `.env` files in the Parameter
+Store of AWS Service Manager. These groups have names formatted as `<environment>-<category>`. 
+
+The environment for each group is user-defined, and should be specified in the Elastic Beanstalk configuration
+as the environment variable `SSM_PREFIX`.
+
+The list of categories can be inferred by looking at the file `.ebextensions/env-file-creation.config`.
+
 ### Core Features
 
+#### AWS Service Manager
+
+| Variable            | Description                                                                                                      |
+| :------------------ | ---------------------------------------------------------------------------------------------------------------- |
+| `SSM_PREFIX`        | String prefix (typically the environment name) for AWS SSM parameter names to create a .env file for FormSG.     |
+
 #### App Config
 
 | Variable            | Description                                                                                                      |