huajun07 / codesketcher

Visualise your code in action!
https://main.d1fr5et3wgts3j.amplifyapp.com/
MIT License

Chore/aws security #64

Closed limanjun99 closed 1 year ago

limanjun99 commented 1 year ago

AWS SSM

This PR shifts some of the more sensitive configuration, that was previously handled using local .env files, to AWS SSM's parameter store (and encrypted if necessary). The necessary parameters have been documented in each service's README.

Now all parameters have a single source of truth, vs before where we had to update GitHub secrets and local .env files. This should also help prevent accidentally pushing secrets to GitHub.

Note that running the applications locally now requires you to use the correct IAM user, as we need to fetch the configuration from SSM first.

Executor Lambda

The executor lambda now resides in its own VPC with no Internet access at all. It also assumes a role with zero permissions, so that it cannot affect any other AWS resources.

Production Deployment

Deployment should hopefully go smoothly, all resources for the production environment have already been created. The only issue to take note of is that the executor lambda might need to be removed manually and re-deployed (I had issues with the dev instance, I think shifting it into a VPC didn't work correctly).
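The configuration-loading pattern this PR describes (read service settings from SSM Parameter Store, decrypting SecureString values, instead of a local .env file), as an added example that is not code from the codesketcher repository. The parameter paths under `/codesketcher/dev/api/`, the `REQUIRED_PARAMETERS` mapping and the `FakeSSM` stand-in client are constructed for this example; the loader itself only relies on boto3's `SSM.get_parameters` call shape, so `boto3.client("ssm")` can be passed in its place.

```python
"""Configuration loader backed by AWS SSM Parameter Store.

Added example, not code from the codesketcher repository. A service reads its
settings from Parameter Store (decrypting SecureString values) instead of a
local .env file. The parameter paths and the FakeSSM client used for the
offline demo are constructed for illustration.
"""
from __future__ import annotations

import os
from typing import Iterable, Mapping, MutableMapping

# The GetParameters API accepts at most 10 names per call.
MAX_NAMES_PER_CALL = 10

# Hypothetical mapping of env-var name -> SSM parameter path for one service.
REQUIRED_PARAMETERS = {
    "DATABASE_URL": "/codesketcher/dev/api/database_url",
    "JWT_SECRET": "/codesketcher/dev/api/jwt_secret",
    "EXECUTOR_FUNCTION": "/codesketcher/dev/api/executor_function",
}


class MissingParameterError(RuntimeError):
    """A required parameter does not exist in Parameter Store."""


def _chunks(items: list[str], size: int) -> Iterable[list[str]]:
    for i in range(0, len(items), size):
        yield items[i : i + size]


def load_config(required: Mapping[str, str], ssm_client) -> dict[str, str]:
    """Return {env_name: value} for every entry of `required`.

    `ssm_client` is anything with boto3's SSM.get_parameters signature, e.g.
    boto3.client("ssm"). SecureString values come back decrypted because
    WithDecryption=True; the calling IAM identity therefore needs
    ssm:GetParameters on the paths and kms:Decrypt on the key used for them.
    Names that SSM lists under InvalidParameters abort the load, so a
    misconfigured environment fails at startup instead of running without a
    secret.
    """
    env_for_path = {path: env for env, path in required.items()}
    values: dict[str, str] = {}
    missing: list[str] = []
    for batch in _chunks(list(env_for_path), MAX_NAMES_PER_CALL):
        resp = ssm_client.get_parameters(Names=batch, WithDecryption=True)
        for param in resp.get("Parameters", []):
            values[env_for_path[param["Name"]]] = param["Value"]
        missing.extend(resp.get("InvalidParameters", []))
    if missing:
        raise MissingParameterError(f"not found in SSM: {sorted(missing)}")
    return values


def apply_to_environ(config: Mapping[str, str],
                     environ: MutableMapping[str, str] = os.environ) -> None:
    """Drop-in replacement for loading a .env file: export the values."""
    environ.update(config)


class FakeSSM:
    """Offline stand-in for boto3's SSM client (constructed for this example).

    Mimics the GetParameters response shape, including InvalidParameters for
    unknown names and the 10-name limit, so the loader can be exercised
    without AWS credentials.
    """

    def __init__(self, store: Mapping[str, tuple[str, str]]):
        # store: path -> (type, value); type is "String" or "SecureString"
        self._store = dict(store)

    def get_parameters(self, Names: list[str], WithDecryption: bool = False) -> dict:
        if len(Names) > MAX_NAMES_PER_CALL:
            raise ValueError("GetParameters accepts at most 10 names")
        found, invalid = [], []
        for name in Names:
            if name not in self._store:
                invalid.append(name)
                continue
            ptype, value = self._store[name]
            if ptype == "SecureString" and not WithDecryption:
                value = "<encrypted>"  # SSM returns ciphertext without decryption
            found.append({"Name": name, "Type": ptype, "Value": value})
        return {"Parameters": found, "InvalidParameters": invalid}


def demo_store() -> FakeSSM:
    """Constructed sample data standing in for the real Parameter Store."""
    return FakeSSM({
        "/codesketcher/dev/api/database_url": ("SecureString", "postgres://app:pw@db/codesketcher"),
        "/codesketcher/dev/api/jwt_secret": ("SecureString", "constructed-jwt-secret"),
        "/codesketcher/dev/api/executor_function": ("String", "codesketcher-dev-executor"),
    })


if __name__ == "__main__":
    config = load_config(REQUIRED_PARAMETERS, demo_store())
    apply_to_environ(config)
    print(sorted(config))
```

Because the loader raises on any `InvalidParameters` entry, a developer running without the right IAM user (or against an environment whose README-listed parameters were never created) gets an immediate, named failure rather than an empty variable further down the stack.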