BCDA Config Root Module

This root module configures the sops-based strategy for storing both sensitive and nonsensitive configuration in AWS SSM Parameter Store. The environment-specific configuration values live in the values directory. All of the following steps require AWS short-term access keys to be present in your shell; obtain them from cloudtamer.

Usage

Initial Setup

First, initialize and apply the configuration with the sopsw script targeted.

cd ops/services/10-config
export TF_VAR_env=dev
tofu init
tofu apply -target 'module.sops.local_file.sopsw[0]' -var=create_local_sops_wrapper=true

Editing Encrypted Configuration

The initial setup generates the sopsw script in the bin/ directory. You can then edit the encrypted configuration file for each environment:

# Edit dev environment, for example
./bin/sopsw -e values/dev.sopsw.yaml

Deploying Configuration Changes

After editing configuration files, deploy the changes to AWS Parameter Store:

# Review changes before applying
tofu plan -var env=dev

# Apply changes
tofu apply -var env=dev

Configuration Structure

Configuration files follow this pattern:

  • /bcda/${env}/<service>/<sensitivity>/<parameter>
  • Values with /nonsensitive/ in the path remain unencrypted
  • Values with /sensitive/ in the path are encrypted

Example Configuration

/bcda/${env}/core/sensitive/database_password: "encrypted-password"
/bcda/${env}/core/nonsensitive/database_name: "bcda_dev"
/bcda/${env}/api/sensitive/jwt_secret: "encrypted-jwt"
/bcda/${env}/api/nonsensitive/api_version: "v1"
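As an added example (not part of this module), the following check validates a flat values file against the path pattern described above and flags parameters whose names look secret-like but sit under /nonsensitive/, where they would be stored unencrypted. The sample input is constructed from the example configuration plus two deliberate mistakes; the SECRET_HINTS list is an assumed heuristic, not something the module defines.

```python
import re
from typing import Dict, List

# Path pattern documented for this module: /bcda/${env}/<service>/<sensitivity>/<parameter>
# "${env}" is accepted literally because the values file is substituted by envsubst later.
PATH_RE = re.compile(
    r"^/bcda/(?P<env>\$\{env\}|[a-z0-9-]+)/(?P<service>[a-z0-9_-]+)/"
    r"(?P<sensitivity>sensitive|nonsensitive)/(?P<param>[a-z0-9_-]+)$"
)

# Name fragments that usually indicate a secret (assumed heuristic, tune per project).
SECRET_HINTS = ("password", "secret", "token", "key", "credential")


def parse_flat_values(text: str) -> Dict[str, str]:
    """Parse the flat 'path: "value"' lines used in the example configuration."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, _, raw = line.partition(":")
        values[path.strip()] = raw.strip().strip('"')
    return values


def lint_values(values: Dict[str, str]) -> List[str]:
    """Return findings: malformed paths and secret-looking names under /nonsensitive/."""
    findings: List[str] = []
    for path in values:
        m = PATH_RE.match(path)
        if not m:
            findings.append(f"malformed path: {path}")
            continue
        param = m.group("param").lower()
        if m.group("sensitivity") == "nonsensitive" and any(h in param for h in SECRET_HINTS):
            findings.append(f"secret-looking parameter stored unencrypted: {path}")
    return findings


# Constructed sample: the page's example plus an unencrypted token and a bad sensitivity segment.
SAMPLE = """
/bcda/${env}/core/sensitive/database_password: "encrypted-password"
/bcda/${env}/core/nonsensitive/database_name: "bcda_dev"
/bcda/${env}/api/sensitive/jwt_secret: "encrypted-jwt"
/bcda/${env}/api/nonsensitive/api_version: "v1"
/bcda/${env}/api/nonsensitive/api_token: "plaintext-token"
/bcda/${env}/api/public/api_version: "v1"
"""

if __name__ == "__main__":
    for finding in lint_values(parse_flat_values(SAMPLE)):
        print(finding)
```

Run it against the decrypted output of ./bin/sopsw before tofu plan to catch a secret that was accidentally placed on the unencrypted path.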

Dependencies

Required Tools

  • awscli - For AWS authentication and KMS operations
  • sops - For encryption/decryption (brew install sops)
  • yq - For YAML processing (brew install yq)
  • envsubst - For environment variable substitution (brew install gettext)

External Tools

  • tofu - For deploying configuration to AWS Parameter Store (brew install opentofu)

Providers

No providers.

Requirements

No requirements.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| create_local_sops_wrapper | When true, creates the sops wrapper file at bin/sopsw. | bool | false | no |
| parent_env | The parent environment of the current solution. Corresponds to terraform.workspace. Necessary on tofu init and tofu workspace select _only_; in all other situations the parent env is derived from terraform.workspace. | string | null | no |
| region | n/a | string | "us-east-1" | no |
| secondary_region | n/a | string | "us-west-2" | no |

Modules

| Name | Source | Version |
|------|--------|---------|
| platform | github.com/CMSgov/cdap//terraform/modules/platform | ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66 |
| sops | github.com/CMSgov/cdap//terraform/modules/sops | 8874310 |

Resources

No resources.

Outputs

No outputs.