#154 Soapbox Secrets Management

[LouisFettet]

Work Completed:

• [x] Provision an AWS KMS (Key Management System) key at application creation time using terraform – specifically, during the network setup stage. This key will be used to encrypt and decrypt all configurations for that particular application across all its environments. Give the key some tags and an alias so that it is easily identifiable.
• [x] Grab the ARN (Amazon Resource Name) of the key after it has been created and save it as an attribute of the application. A new column, aws_encryption_key_arn, has been added to the applications table of the database.
• [x] On configuration creation and on subsequent updates, encrypt configs using KMS (accessed via saved ARN). Save the encrypted configurations to S3.

Work Not Yet Completed:

• [ ] On configuration read and on application deployment, grab encrypted configurations from S3 and decrypt them using KMS.

Future Work (some of which is outside the scope of one PR)

• Remove the configurations table from the database since it is no longer needed after the above tasks are completed.

• From @paulsmith in #154:

  come up with a means of fetching, decrypting, and injecting the config vars into the application process's environment at startup time, without having them be on disk

  add some UI that let's a user invalidate and/or rotate their key

  use a derived key (i.e., a separately generated random key, which is used to do the actual encryption, and which is encrypted with the KMS master key and stored alongside the secrets -- this would let a user encrypted more than 4 KB worth of secrets

Miscellaneous Notes (not sure where else to put this)

• All non-Amazon KMS key aliases must begin with alias/. KMS cannot have two keys with the same alias (regardless of whether they are enabled or disabled).

  An AWS user cannot remove or edit an alias from the AWS console, but this is possible using the AWS CLI, like so: aws kms delete-alias --alias-name alias/<ALIAS_NAME>

  You can view the available keys with their aliases by running: aws kms list aliases

• I found this post to be pretty helpful when getting started with the AWS KMS Go SDK since our use-case is pretty simple.

Last Update: 11/13/2017

[kalilsn]

@robertfairhead @oren I made a few schema changes: changed configuration version column to identity, and removed the now obsolete config_vars table. Afterwards I ran make models but didn't see any changes to the models. Is something wrong or is that expected?

[kalilsn]

I completed these two items from the original comment above:

On configuration read and on application deployment, grab encrypted configurations from S3 and decrypt them using KMS. Remove the configurations table from the database since it is no longer needed after the above tasks are completed.

The other improvements mentioned from #154 are still open – I'll tackle them in a future PR.

I also reworked the DeleteConfiguration function to work with our new storage, although that hasn't actually been implemented on the frontend yet.

Let me know if there's anything that's not idiomatic or if you want me to reorganize this in any way!