Setup CI/CD environment

[ryu1kn]

Possible options:

Code repo	CI	CD
GitHub	TravisCI	TravisCI
GitHub	CodePipeline	CodeDeploy
CodeCommit	CodePipeline	CodeDeploy

We want to make the code public as much as possible; so decided to go with the 1st option as long as we can be securely deploy our code changes to AWS

[ryu1kn]

Happened to find this blog on travis. Just make sure you're not making a silly mistake when you encrypt env vars.

• Security vulnerability with encrypted environment variables

[ryu1kn]

Travis encrypts your secret files with AES256. cf Encrypting Files

...which is not practical to crack with brute-force attack at the moment.

AES permits the use of 256-bit keys. Breaking a symmetric 256-bit key by brute force requires 2128 times more computational power than a 128-bit key. Fifty supercomputers that could check a billion billion (1018) AES keys per second (if such a device could ever be made) would, in theory, require about 3×1051 years to exhaust the 256-bit key space.

https://en.wikipedia.org/wiki/Brute-force_attack

[ryu1kn]

Although file encryption is done with AES256, the key needs to be put in the repo encrypted with RSA public key. So it really depends on how secure the RSA encryption is.

You can use the ssh key you generated but currently this is only available on private repository: https://docs.travis-ci.com/user/private-dependencies/#User-Key

[ryu1kn]

You can get your repo's public key

$ travis pubkey > pubkey_rsa.pub
$ cat pubkey_rsa.pub
ssh-rsa AAAAB3N...

Follow the great instruction of this post, How do I get the RSA bit length with the pubkey and openssl?,

$ cat pubkey_rsa.pub | cut -c9-85 | openssl base64 -d | od -t x1

You'll get 00 00 02 01 for The length in bytes of the modulus part. In decimal notation, this is:

$ node -p "0x0201"
513

So, in bit, this is (513-1) * 8 = 4096 bit. Considering that now it is recommended to use the modulus length longer than 1024 bit for RSA, 4096 bit is far safer.

So, it's alright to put sensitive data encrypted with the public key travis generated.

[ryu1kn]

Done with 86057c77d04845e08bb97939f6e3eb6f1292bbb3.

• Build process does code validation, unit tests and linting against the code under experiment-src directory
  • Later when we have real code to deploy, we change the directory to something like src. It’s defined in the Makefile
• If all went well, travis deploys the code to S3 (as a continuous delivery, CD, step)
  • Again once we have real code, we can change the deploy provider from s3 to elasticbeanstalk
  • ATM we need S3 bucket and IAM user for CD. They are created by cloudformation. You can find the template under infrastructure directory