hackforla / HomeUniteUs

We're working with community non-profits who have a Host Home or empty bedrooms initiative to develop a workflow management tool to make the process scalable (across all providers), reduce institutional bias, and effectively capture data.
https://homeunite.us/
GNU General Public License v2.0

Create Config System For Credentials #529

Closed ju1es closed 1 week ago

ju1es commented 11 months ago

Overview

Create a config system so that credentials are used dynamically by the Flask app, depending on the user and environment.

Action Items

Implement dynamic configs for credentials that live in a secure datastore i.e. vault

ju1es commented 10 months ago

@paulespinosa @tylerthome Bumping this. Besides GitHub secrets, are there any other tools/frameworks we could leverage that accommodate local and remote environments?

paulespinosa commented 10 months ago

There is a dotenv vault tool available but I'm still looking into it: https://www.dotenv.org/. Tyler mentioned that other teams (DevOps) are putting runtime secrets into AWS. I haven't followed through how they're using it yet though.

paulespinosa commented 9 months ago

@ju1es What does dynamic mean here? And do you have example scenarios for "depending on the user and environment"? Thank you.

paulespinosa commented 9 months ago

@Joshua-Douglas @ju1es dotenv and dotenv-vault have been looking pretty good.

https://www.dotenv.org/docs/tutorials/environments
https://www.dotenv.org/docs/addons/github

paulespinosa commented 9 months ago

It is interesting: the dotenv team "strongly recommend against having a 'main' .env file and an 'environment' .env file like .env.test." https://www.npmjs.com/package/dotenv#user-content-should-i-have-multiple-env-files. However, the community seems to be taking another approach. Vite allows for "mode" specific .env files, which seems to follow from React, as @Joshua-Douglas has found: https://github.com/hackforla/HomeUniteUs/pull/587#pullrequestreview-1605961926. These are both using dotenv under the covers.

It should be noted that dotenv does load system environment variables. That is, .env files are optional. This is what allows us to configure GitHub with variables and secrets and have the API/app use them.

paulespinosa commented 8 months ago

From discussion with Ops team, the incubator system will either use AWS Parameter Store to store secrets or have a mechanism to pull secrets from GitHub secrets into the container when a container is deployed.

Regarding the GitHub secrets approach, Ops will ensure their process does not put secrets into a container image that is stored in ECR.

paulespinosa commented 8 months ago

The direction we're taking regarding shared secrets is that we will program the API and App to avoid needing them during development.
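As an added example (not the project's code, and not from any commenter), here is a small Python config loader that follows the behaviour discussed in this thread: the .env file is optional, real environment variables (e.g. ones injected from GitHub secrets or AWS Parameter Store) take precedence over it, and shared secrets are only mandatory in production so development can run without them. The secret names `DATABASE_URL` and `API_CLIENT_SECRET` are hypothetical placeholders; the .env parser is a deliberately minimal stand-in for python-dotenv so the block runs offline.

```python
from typing import Dict, Optional

# Hypothetical secret names for illustration; the real app would list its own.
REQUIRED_SECRETS = ("DATABASE_URL", "API_CLIENT_SECRET")


def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser for a .env file.

    Blank lines, comments and lines without '=' are skipped; surrounding
    single or double quotes on the value are stripped. This stands in for
    python-dotenv here so the example has no third-party dependency.
    """
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def load_config(mode: str, environ: Dict[str, str],
                dotenv_text: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Build the runtime config for `mode` (development, test or production).

    Precedence mirrors dotenv's default: values already present in the process
    environment win over the optional .env file, so secrets injected by the
    deployment pipeline are never overridden by a checked-in file.
    In production every required secret must be present; in other modes a
    missing secret is recorded as None so the app can run without it.
    """
    merged: Dict[str, str] = parse_dotenv(dotenv_text) if dotenv_text else {}
    merged.update(environ)  # environment variables override the file

    config: Dict[str, Optional[str]] = {"MODE": mode}
    missing = []
    for name in REQUIRED_SECRETS:
        value = merged.get(name) or None
        if value is None and mode == "production":
            missing.append(name)
        config[name] = value
    if missing:
        # Fail fast at startup rather than at the first request that needs the secret.
        raise RuntimeError("missing required secrets for production: " + ", ".join(missing))
    return config
```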