search

aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0
604 stars 386 forks source link

Documentation on handling of sensitive input variables in aft-global-customizations and aft-account-customizations repositories #435

Open rybons opened 4 months ago

rybons commented 4 months ago

Describe the outcome you'd like

Documentation or recommended approaches for handling of sensitive input variables in aft-global-customizations and aft-account-customizations.

Is your feature request related to a problem you are currently experiencing? If so, please describe.

I often have ideas to make use of third-party providers (Harness, for example) in my aft-global-customizations repository. Idea being that it would be useful to automatically integrate the AWS accounts that I provision with third-party tools at the time the account is provisioned.

# Authenticate with Harness

provider "harness" {
  endpoint   = "some_endpoint"
  account_id = "some_account_id"
  platform_api_key = "<sensitive_value>"           <--- How can I manage this value securely within the AFT framework?
}

# Provision Harness resources

resource "harness_platform_connector_aws" "aws" {
  ...
}

Additional context

If I were to run the sample Terraform code above, but outside of the AFT framework (as a normal Terraform project), I would have some safer options for securing the input variable for platform_api_key. First, I would set a variable:

provider "harness" {
  endpoint   = "..."
  account_id = "..."
  platform_api_key = var.secret_api_key
}

Then, I have several options for safely providing values to the secret_api_key variable:

However, I'm unaware as to how I'd make use of any of the methods above within the AFT workflow because:

v-rosa commented 4 months ago

I tipically use AWS Secrets Manager for such use case.

Provision the SM instance, provide cross account access and refer it in the aft-providers.jinja e.g.:

data "aws_secretsmanager_secret" "harness" {
  arn = "arn:aws:secretsmanager:us-east-1:123456789secret:harness-q1w23e"
}

provider "harness" {
  endpoint   = "..."
  account_id = "..."
  platform_api_key = jsondecode(data.aws_secretsmanager_secret_version.harness.secret_string)["platform_api_key "]
}
rybons commented 4 months ago

I tipically use AWS Secrets Manager for such use case.

Provision the SM instance, provide cross account access and refer it in the aft-providers.jinja e.g.:

data "aws_secretsmanager_secret" "harness" {
  arn = "arn:aws:secretsmanager:us-east-1:123456789secret:harness-q1w23e"
}

provider "harness" {
  endpoint   = "..."
  account_id = "..."
  platform_api_key = jsondecode(data.aws_secretsmanager_secret_version.harness.secret_string)["platform_api_key "]
}

@v-rosa Thanks, I considered this as well. To clarify:

Is the secret in your example (arn:aws:secretsmanager:us-east-1:123456789secret:harness-q1w23e) managed in a "central" AWS account, made accessible to other accounts in your AWS organization? (i.e. like this)

I suspect this would need to be the case, as if you were creating this secret for each account, you'd have similar problems populating the value of the secret at the time the account is created.

I suppose the AFT-management account might be the most logical place to store these secrets.

v-rosa commented 4 months ago

(....) managed in a "central" AWS account, made accessible to other accounts in your AWS organization?

Exactly.

as if you were creating this secret for each account, you'd have similar problems populating the value of the secret at the time the account is created. I suppose the AFT-management account might be the most logical place to store these secrets.

AFT-mgt account could be used for sure, assuming it is a very restricted account. In that case, you could import the AFT-mgt account into the the AFT pipelines and create secrets for the vended accounts from there. You can then restrict the access to the secrets/cmk to the vended account AFT role.