kislerdm / diagramastext

Application to streamline diagram generation using plain English instructions instead of code
https://diagramastext.dev
Apache License 2.0

Add core authorisation using secretsmanager #46

Closed kislerdm closed 1 year ago

kislerdm commented 1 year ago

Why do we need it

To improve security by avoiding secrets injection into the process environment, and reducing their spread across various systems and providers.

What changed

Note

The secret values still have to be set manually. This is a matter for reconsideration in the future.

codecov-commenter commented 1 year ago

Codecov Report

Merging #46 (f74e205) into master (59b1168) will increase coverage by 0.82%. The diff coverage is 46.26%.

```
@@            Coverage Diff             @@
##           master      #46      +/-   ##
==========================================
+ Coverage   66.03%   66.86%   +0.82%     
==========================================
  Files           7        8       +1     
  Lines         630      685      +55     
==========================================
+ Hits          416      458      +42     
- Misses        205      217      +12     
- Partials        9       10       +1     
```

| Flag | Coverage Δ |
| --- | --- |
| lambda | 71.08% <46.29%> (+4.95%) ↑ |
| module | 66.00% <ø> (ø) |
| postgres | 46.15% <46.15%> (∅) |


| Impacted Files | Coverage Δ |
| --- | --- |
| core/errors.go | 0.00% <ø> (ø) |
| core/secretsmanager/secretsmanager.go | 46.15% <46.15%> (ø) |
| core/cmd/lambda/main.go | 71.08% <46.29%> (+4.95%) ↑ |


github-actions[bot] commented 1 year ago

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

```
Success! The configuration is valid.
```

Terraform Plan 📖 success

Show Plan

```
null_resource.lambda_core: Refreshing state... [id=5347100042858998408]
aws_cloudwatch_log_group.lambda_core: Refreshing state... [id=/aws/lambda/core-stg]
aws_iam_role.lambda_core: Refreshing state... [id=Lambda-stg]
data.aws_iam_policy_document.lambda_core: Reading...
aws_api_gateway_rest_api.this: Refreshing state... [id=hl6yp94sy9]
aws_api_gateway_domain_name.this: Refreshing state... [id=api.stage.diagramastext.dev]
aws_api_gateway_api_key.main: Refreshing state... [id=0iz5rl9ff4]
data.aws_iam_policy_document.lambda_core: Read complete after 0s [id=3463607964]
aws_iam_policy.lambda_core: Refreshing state... [id=arn:aws:iam::027889758114:policy/LambdaCore-stg]
aws_iam_role_policy_attachment.lambda_core: Refreshing state... [id=Lambda-stg-20230219140416929000000001]
aws_lambda_function.core: Refreshing state... [id=core-stg]
aws_cloudwatch_log_group.gw: Refreshing state... [id=API-Gateway-Execution-Logs_hl6yp94sy9]
aws_api_gateway_model.schema_request: Refreshing state... [id=h6ryy8]
aws_api_gateway_request_validator.this: Refreshing state... [id=tq63jc]
aws_api_gateway_model.schema_response: Refreshing state... [id=2wvhiv]
aws_api_gateway_resource.route_top["c4"]: Refreshing state... [id=xieiwr]
aws_api_gateway_method.this["c4-POST"]: Refreshing state... [id=agm-hl6yp94sy9-xieiwr-POST]
aws_api_gateway_method.options["c4"]: Refreshing state... [id=agm-hl6yp94sy9-xieiwr-OPTIONS]
aws_api_gateway_deployment.this: Refreshing state... [id=yhem0i]
aws_api_gateway_integration_response.this["c4-POST"]: Refreshing state... [id=agir-hl6yp94sy9-xieiwr-POST-200]
aws_api_gateway_method_response.this["c4-POST"]: Refreshing state... [id=agmr-hl6yp94sy9-xieiwr-POST-200]
aws_api_gateway_stage.this: Refreshing state... [id=ags-hl6yp94sy9-base]
aws_api_gateway_integration_response.options["c4"]: Refreshing state... [id=agir-hl6yp94sy9-xieiwr-OPTIONS-200]
aws_api_gateway_method_response.options["c4"]: Refreshing state... [id=agmr-hl6yp94sy9-xieiwr-OPTIONS-200]
aws_api_gateway_integration.options["c4"]: Refreshing state... [id=agi-hl6yp94sy9-xieiwr-OPTIONS]
aws_api_gateway_base_path_mapping.this: Refreshing state... [id=api.stage.diagramastext.dev/]
aws_api_gateway_usage_plan.test: Refreshing state... [id=4v5ye3]
aws_api_gateway_usage_plan_key.main: Refreshing state... [id=0iz5rl9ff4]
aws_lambda_permission.gw["c4-POST"]: Refreshing state... [id=InvokeGWMain-c4-POST]
aws_api_gateway_integration.this["c4-POST"]: Refreshing state... [id=agi-hl6yp94sy9-xieiwr-POST]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_iam_policy.lambda_core will be updated in-place
  ~ resource "aws_iam_policy" "lambda_core" {
        id     = "arn:aws:iam::027889758114:policy/LambdaCore-stg"
        name   = "LambdaCore-stg"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    # (1 unchanged element hidden)
                    {
                        Action   = "secretsmanager:ListSecrets"
                        Effect   = "Allow"
                        Resource = "*"
                        Sid      = ""
                    },
                  ~ {
                      ~ Resource = "arn:aws:secretsmanager:us-east-2:027889758114:secret:neon/main/core/lambda-C335bP" -> "arn:aws:secretsmanager:us-east-2:027889758114:secret:staging/core-MDqc82"
                        # (3 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        tags   = {}
        # (4 unchanged attributes hidden)
    }

  # aws_lambda_function.core will be updated in-place
  ~ resource "aws_lambda_function" "core" {
        id               = "core-stg"
      ~ last_modified    = "2023-02-20T20:52:59.000+0000" -> (known after apply)
      ~ source_code_hash = "ioZHYVrlJvKVd40CdAyOXQFw9VVQdx9Lnm8nsNkBK6w=" -> "4GBqEROJtmqsYAu/RG29IEutKpDDag0RF8B+AaXpI3U="
        tags             = {}
        # (19 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              + "ACCESS_CREDENTIALS_ARN" = "arn:aws:secretsmanager:us-east-2:027889758114:secret:staging/core-MDqc82"
              - "NEON_DBNAME"            = "core" -> null
              - "NEON_HOST"              = "ep-fragrant-mouse-914820.us-east-2.aws.neon.tech" -> null
              - "NEON_PASSWORD"          = "S6VdaQHtK1zp" -> null
              - "NEON_USER"              = "lambda-stg" -> null
              - "OPENAI_API_KEY"         = "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" -> null
                # (4 unchanged elements hidden)
            }
        }

        # (2 unchanged blocks hidden)
    }

  # null_resource.lambda_core must be replaced
-/+ resource "null_resource" "lambda_core" {
      ~ id       = "5347100042858998408" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "md5" = "9hAQizpPcTunQdHSEyrcaCO+iSn3YeyEu/p8IabC2fc=" -> "4GBqEROJtmqsYAu/RG29IEutKpDDag0RF8B+AaXpI3U="
        }
    }

Plan: 1 to add, 2 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /tmp/terraform.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/tmp/terraform.tfplan"
```

Pusher: @kislerdm, Action: pull_request, Workflow: Deploy:Core
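How the Lambda's start-up path can consume the single `ACCESS_CREDENTIALS_ARN` variable the plan above introduces, resolving the database and OpenAI credentials from Secrets Manager at runtime instead of reading `NEON_*` and `OPENAI_API_KEY` from the process environment. This is an added example in Go, not the project's own `core/secretsmanager` code; the `SecretFetcher` interface, the `AccessCredentials` JSON field names and the `mapFetcher` stand-in are assumptions.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"
)

// SecretFetcher is a hypothetical interface for this example; a real Secrets Manager GetSecretValue client is wrapped to satisfy it.
type SecretFetcher interface {
	GetSecretString(ctx context.Context, arn string) (string, error)
}
// AccessCredentials is the JSON layout assumed for the secret behind ACCESS_CREDENTIALS_ARN (constructed; the real layout may differ).
type AccessCredentials struct {
	DBHost       string `json:"db_host"`
	DBUser       string `json:"db_user"`
	DBPassword   string `json:"db_password"`
	OpenAIAPIKey string `json:"openai_api_key"`
}
// LoadAccessCredentials reads only the secret's ARN from the environment and resolves the values at start-up, so no credential sits in the environment; errors name the ARN but never echo the payload.
func LoadAccessCredentials(ctx context.Context, getenv func(string) string, f SecretFetcher) (*AccessCredentials, error) {
	arn := getenv("ACCESS_CREDENTIALS_ARN")
	if arn == "" {
		return nil, fmt.Errorf("ACCESS_CREDENTIALS_ARN is not set")
	}
	raw, err := f.GetSecretString(ctx, arn)
	if err != nil {
		return nil, fmt.Errorf("fetch %s: %w", arn, err)
	}
	var c AccessCredentials
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return nil, fmt.Errorf("secret %s is not valid JSON", arn)
	}
	if c.DBHost == "" || c.DBUser == "" || c.DBPassword == "" || c.OpenAIAPIKey == "" {
		return nil, fmt.Errorf("secret %s is missing required fields", arn)
	}
	return &c, nil
}
// mapFetcher stands in for Secrets Manager offline; an unknown ARN fails like a missing secret or a denied IAM request.
type mapFetcher map[string]string

func (m mapFetcher) GetSecretString(_ context.Context, arn string) (string, error) {
	if v, ok := m[arn]; ok {
		return v, nil
	}
	return "", fmt.Errorf("secret not found or access denied")
}
func main() { // with nothing exported this reports that ACCESS_CREDENTIALS_ARN is not set
	fmt.Println(LoadAccessCredentials(context.Background(), os.Getenv, mapFetcher{}))
}
```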

github-actions[bot] commented 1 year ago

Terraform Initialization ⚙️ success

Terraform Validation 🤖 success

Validation Output

```
Success! The configuration is valid.
```

Terraform Plan 📖 success

Show Plan

```
null_resource.lambda_core: Refreshing state... [id=5347100042858998408]
aws_api_gateway_api_key.main: Refreshing state... [id=0iz5rl9ff4]
aws_api_gateway_rest_api.this: Refreshing state... [id=hl6yp94sy9]
aws_cloudwatch_log_group.lambda_core: Refreshing state... [id=/aws/lambda/core-stg]
aws_iam_role.lambda_core: Refreshing state... [id=Lambda-stg]
aws_api_gateway_domain_name.this: Refreshing state... [id=api.stage.diagramastext.dev]
data.aws_iam_policy_document.lambda_core: Reading...
data.aws_iam_policy_document.lambda_core: Read complete after 0s [id=3463607964]
aws_iam_policy.lambda_core: Refreshing state... [id=arn:aws:iam::027889758114:policy/LambdaCore-stg]
aws_api_gateway_resource.route_top["c4"]: Refreshing state... [id=xieiwr]
aws_api_gateway_request_validator.this: Refreshing state... [id=tq63jc]
aws_cloudwatch_log_group.gw: Refreshing state... [id=API-Gateway-Execution-Logs_hl6yp94sy9]
aws_api_gateway_model.schema_response: Refreshing state... [id=2wvhiv]
aws_api_gateway_model.schema_request: Refreshing state... [id=h6ryy8]
aws_iam_role_policy_attachment.lambda_core: Refreshing state... [id=Lambda-stg-20230219140416929000000001]
aws_lambda_function.core: Refreshing state... [id=core-stg]
aws_api_gateway_method.options["c4"]: Refreshing state... [id=agm-hl6yp94sy9-xieiwr-OPTIONS]
aws_api_gateway_method.this["c4-POST"]: Refreshing state... [id=agm-hl6yp94sy9-xieiwr-POST]
aws_api_gateway_deployment.this: Refreshing state... [id=yhem0i]
aws_api_gateway_method_response.this["c4-POST"]: Refreshing state... [id=agmr-hl6yp94sy9-xieiwr-POST-200]
aws_api_gateway_integration_response.this["c4-POST"]: Refreshing state... [id=agir-hl6yp94sy9-xieiwr-POST-200]
aws_api_gateway_integration_response.options["c4"]: Refreshing state... [id=agir-hl6yp94sy9-xieiwr-OPTIONS-200]
aws_api_gateway_method_response.options["c4"]: Refreshing state... [id=agmr-hl6yp94sy9-xieiwr-OPTIONS-200]
aws_api_gateway_integration.options["c4"]: Refreshing state... [id=agi-hl6yp94sy9-xieiwr-OPTIONS]
aws_api_gateway_stage.this: Refreshing state... [id=ags-hl6yp94sy9-base]
aws_api_gateway_base_path_mapping.this: Refreshing state... [id=api.stage.diagramastext.dev/]
aws_api_gateway_usage_plan.test: Refreshing state... [id=4v5ye3]
aws_api_gateway_usage_plan_key.main: Refreshing state... [id=0iz5rl9ff4]
aws_lambda_permission.gw["c4-POST"]: Refreshing state... [id=InvokeGWMain-c4-POST]
aws_api_gateway_integration.this["c4-POST"]: Refreshing state... [id=agi-hl6yp94sy9-xieiwr-POST]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # aws_iam_policy.lambda_core will be updated in-place
  ~ resource "aws_iam_policy" "lambda_core" {
        id     = "arn:aws:iam::027889758114:policy/LambdaCore-stg"
        name   = "LambdaCore-stg"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    # (1 unchanged element hidden)
                    {
                        Action   = "secretsmanager:ListSecrets"
                        Effect   = "Allow"
                        Resource = "*"
                        Sid      = ""
                    },
                  ~ {
                      ~ Resource = "arn:aws:secretsmanager:us-east-2:027889758114:secret:neon/main/core/lambda-C335bP" -> "arn:aws:secretsmanager:us-east-2:027889758114:secret:staging/core-MDqc82"
                        # (3 unchanged elements hidden)
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        tags   = {}
        # (4 unchanged attributes hidden)
    }

  # aws_lambda_function.core will be updated in-place
  ~ resource "aws_lambda_function" "core" {
        id               = "core-stg"
      ~ last_modified    = "2023-02-21T13:33:06.000+0000" -> (known after apply)
      ~ source_code_hash = "ioZHYVrlJvKVd40CdAyOXQFw9VVQdx9Lnm8nsNkBK6w=" -> "4GBqEROJtmqsYAu/RG29IEutKpDDag0RF8B+AaXpI3U="
        tags             = {}
        # (19 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              + "ACCESS_CREDENTIALS_ARN" = "arn:aws:secretsmanager:us-east-2:027889758114:secret:staging/core-MDqc82"
              - "NEON_DBNAME"            = "core" -> null
              - "NEON_HOST"              = "ep-fragrant-mouse-914820.us-east-2.aws.neon.tech" -> null
              - "NEON_PASSWORD"          = "F9Bj7cRgvAua" -> null
              - "NEON_USER"              = "lambda-stg" -> null
              - "OPENAI_API_KEY"         = "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" -> null
                # (4 unchanged elements hidden)
            }
        }

        # (2 unchanged blocks hidden)
    }

  # null_resource.lambda_core must be replaced
-/+ resource "null_resource" "lambda_core" {
      ~ id       = "5347100042858998408" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "md5" = "9hAQizpPcTunQdHSEyrcaCO+iSn3YeyEu/p8IabC2fc=" -> "4GBqEROJtmqsYAu/RG29IEutKpDDag0RF8B+AaXpI3U="
        }
    }

Plan: 1 to add, 2 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: /tmp/terraform.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/tmp/terraform.tfplan"
```

Pusher: @kislerdm, Action: pull_request, Workflow: Deploy:Core