zalando-stups / senza

Deploy immutable application stacks and create and execute AWS CloudFormation templates in a sane way
https://pypi.python.org/pypi/stups-senza

KMS decryption before CloudFormation Orchestration #513

Closed pc-alves closed 6 years ago

pc-alves commented 6 years ago

For senza files with sensitive parameters, those parameters would ideally be encrypted.

It is possible to use KMS encryption to avoid having those values as plain text in the senza definition file. This, however, means that those parameters must be decrypted before CloudFormation orchestration, and it will happen on a local machine running senza, or through lizzy.

The suggestion is to use the prefix senza:kms: to clearly identify these parameters. For reasons of simplicity, those parameters should be in the SenzaInfo section.

Ex.:

```yaml
SenzaInfo:
  SensitiveParameter: "senza:kms:skdfjg-sdFDGS23rwfkgjhsdfGSDGER034teFSD"

SenzaComponents:
(...)
      someParameter: {{SenzaInfo.SensitiveParameter}}
```

A concrete example for this functionality is ElastiGroup's SpotinstAccessToken parameter: https://github.com/zalando-stups/senza/blob/master/examples/elastigroup.yaml#L5

The inspiration for this approach comes from Taupage's use of KMS encryption. In that case the prefix is aws:kms:

pc-alves commented 6 years ago

Missing: Error handling for KMS exceptions:
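As an added example (not senza's own code), this is one way the `senza:kms:` prefix proposed in the first comment could be resolved before any CloudFormation call, including the KMS error handling the second comment notes as missing. It assumes the text after the prefix is a base64-encoded KMS ciphertext blob, that real decryption goes through boto3, and that `SAMPLE_SENZA_INFO` and `fake_decrypt` are constructed stand-ins for offline use.

```python
import base64
from typing import Any, Callable, Dict

KMS_PREFIX = "senza:kms:"  # prefix proposed in the issue for encrypted values


class KmsResolveError(Exception):
    """A senza:kms: value could not be decoded or decrypted; abort before any stack call."""


def kms_decrypt_with_boto3(ciphertext: bytes) -> bytes:
    """Real decryption via AWS KMS (assumes boto3 is installed and AWS credentials are set)."""
    import boto3  # lazy import so the rest of the module works offline
    return boto3.client("kms").decrypt(CiphertextBlob=ciphertext)["Plaintext"]


def resolve_kms_values(senza_info: Dict[str, Any],
                       decrypt: Callable[[bytes], bytes] = kms_decrypt_with_boto3) -> Dict[str, Any]:
    """Return a copy of SenzaInfo with every 'senza:kms:<base64 ciphertext>' string replaced
    by its plaintext (nested dicts/lists included). Any failure is wrapped in KmsResolveError
    naming the offending key, so senza can fail before CloudFormation is ever contacted."""
    def walk(value: Any, path: str) -> Any:
        if isinstance(value, dict):
            return {k: walk(v, f"{path}.{k}") for k, v in value.items()}
        if isinstance(value, list):
            return [walk(v, f"{path}[{i}]") for i, v in enumerate(value)]
        if not (isinstance(value, str) and value.startswith(KMS_PREFIX)):
            return value  # plain value, passed through untouched
        try:
            blob = base64.b64decode(value[len(KMS_PREFIX):], validate=True)
        except ValueError as e:  # binascii.Error is a ValueError
            raise KmsResolveError(f"{path}: ciphertext is not valid base64 ({e})") from e
        try:
            plaintext = decrypt(blob)
        except Exception as e:  # botocore ClientError, missing credentials, wrong key, ...
            raise KmsResolveError(f"{path}: KMS decryption failed ({e})") from e
        return plaintext.decode("utf-8")
    return walk(senza_info, "SenzaInfo")


# Constructed offline sample: the "ciphertext" is only a base64-wrapped marker blob.
SAMPLE_SENZA_INFO = {
    "StackName": "elastigroup-demo",
    "SpotinstAccessToken": KMS_PREFIX + base64.b64encode(b"ct:spotinst-token").decode(),
    "Parameters": [{"ImageVersion": {"Description": "no secret here"}}],
}


def fake_decrypt(blob: bytes) -> bytes:
    """Stand-in for KMS in the demo: accepts only blobs starting with b'ct:'."""
    if not blob.startswith(b"ct:"):
        raise ValueError("InvalidCiphertextException")  # mimics a KMS client error
    return blob[3:]
```

Calling `resolve_kms_values(SAMPLE_SENZA_INFO, fake_decrypt)` returns the SenzaInfo with the token in clear text, while a malformed or undecryptable value raises `KmsResolveError` naming the key.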