Notification svc external secret (#223)

* notification-svc: default to external secrets

* fixup! notification-svc: default to external secrets

* fixup! fixup! notification-svc: default to external secrets

* fixup! fixup! fixup! notification-svc: default to external secrets

* fixup! fixup! fixup! fixup! notification-svc: default to external secrets

Author: davidcheung

doc-site/docs/components/kubernetes/notification-service.md

@@ -25,7 +25,7 @@ By default, Zero uses Helm to bundle the service, you just need to enable it and
 [See the Helm chart][notification-available-values] for all the available configuration options. In the `application` section you can set up your API keys and application-related parameters.
 
 ### Setting up API keys
-Zero will create a Kubernetes secret containing the API keys and mounted the secret to the deployment using values from `zero-project.yml`.
+Zero will create a secret in AWS SecretsManager, and external-secret is created to poll the values then mounted as a secret to the deployment using values from `zero-project.yml`.
 
 [See Documentation][notification-service-config] on how to configure service with environment variables
 

templates/Makefile

@@ -28,7 +28,7 @@ apply-secrets:
 	aws secretsmanager describe-secret --secret-id "$(PROJECT)-$(ENVIRONMENT)-rds-<% index .Params `randomSeed` %>" > /dev/null 2>&1 || ( \
 	cd terraform/bootstrap/secrets && \
 	terraform init && \
-	terraform apply $(AUTO_APPROVE) --var "sendgrid_api_key=${sendgridApiKey}" --var "slack_api_key=${notificationServiceSlackApiKey}"&& \
+	terraform apply $(AUTO_APPROVE) --var "sendgrid_api_key=${sendgridApiKey}" --var "slack_api_key=${notificationServiceSlackApiKey}" --var "twilio_account_id=${notificationServiceTwilioAccountId}"  --var "twilio_auth_token=${notificationServiceTwilioAuthToken}"&& \
 	rm ./terraform.tfstate )
 
 apply-shared-env:

templates/kubernetes/terraform/environments/prod/main.tf

@@ -109,9 +109,8 @@ module "kubernetes" {
     ## If you need to add another user-auth instance you will have to create another set of these resources
   ]<% end %>
   notification_service_enabled          = <%if eq (index .Params `notificationServiceEnabled`) "yes" %>true<% else %>false<% end %>
-  notification_service_sendgrid_enabled = <%if ne (index .Params `sendgridApiKey`) "" %>true<% else %>false<% end %>
-  notification_service_slack_enabled    = <%if ne (index .Params `notificationServiceSlackApiKey`) "" %>true<% else %>false<% end %>
   notification_service_highly_available = true
+  notification_service_twilio_phone_number = "<% index .Params `notificationServiceTwilioPhoneNumber` %>"
 
   cache_store =  "<% index .Params `cacheStore` %>"
 

templates/kubernetes/terraform/environments/stage/main.tf

@@ -107,10 +107,9 @@ module "kubernetes" {
     ## per environment one of each (database/database secret/private key) is created in the pre-k8s step
     ## If you need to add another user-auth instance you will have to create another set of these resources
   ]<% end %>
-  notification_service_enabled          = <%if eq (index .Params `notificationServiceEnabled`) "yes" %>true<% else %>false<% end %>
-  notification_service_sendgrid_enabled = <%if ne (index .Params `sendgridApiKey`) "" %>true<% else %>false<% end %>
-  notification_service_slack_enabled    = <%if ne (index .Params `notificationServiceSlackApiKey`) "" %>true<% else %>false<% end %>
-  notification_service_highly_available = false
+  notification_service_enabled             = <%if eq (index .Params `notificationServiceEnabled`) "yes" %>true<% else %>false<% end %>
+  notification_service_highly_available    = false
+  notification_service_twilio_phone_number = "<% index .Params `notificationServiceTwilioPhoneNumber` %>"
 
   cache_store = "<% index .Params `cacheStore` %>"
 

templates/kubernetes/terraform/modules/kubernetes/notification_service.tf

@@ -1,25 +1,6 @@
 locals {
   # Created in terraform/bootstrap/secrets
-  sendgrid_api_key_secret_name = "${var.project}-sendgrid-${var.random_seed}"
-  slack_api_key_secret_name    = "${var.project}-slack-${var.random_seed}"
-}
-
-data "aws_secretsmanager_secret" "sendgrid_api_key" {
-  count = var.notification_service_enabled && var.notification_service_sendgrid_enabled ? 1 : 0
-  name  = local.sendgrid_api_key_secret_name
-}
-data "aws_secretsmanager_secret_version" "sendgrid_api_key" {
-  count = var.notification_service_enabled && var.notification_service_sendgrid_enabled ? 1 : 0
-  secret_id = data.aws_secretsmanager_secret.sendgrid_api_key[0].id
-}
-
-data "aws_secretsmanager_secret" "slack_api_key" {
-  count = var.notification_service_enabled && var.notification_service_slack_enabled ? 1 : 0
-  name  = local.slack_api_key_secret_name
-}
-data "aws_secretsmanager_secret_version" "slack_api_key" {
-  count     = var.notification_service_enabled && var.notification_service_slack_enabled ? 1 : 0
-  secret_id = data.aws_secretsmanager_secret.slack_api_key[0].id
+  notification_service_secret_name = "${var.project}/kubernetes/${var.environment}/notification-service"
 }
 
 resource "kubernetes_namespace" "notification_service" {
@@ -35,7 +16,7 @@ resource "helm_release" "notification_service" {
   name       = "zero-notification-service"
   repository = "https://commitdev.github.io/zero-notification-service/"
   chart      = "zero-notification-service"
-  version    = "0.0.5"
+  version    = "0.1.0"
   namespace  = kubernetes_namespace.notification_service[0].metadata[0].name
 
   set {
@@ -62,14 +43,13 @@ resource "helm_release" "notification_service" {
     value = var.notification_service_highly_available ? "4" : "2"
   }
 
-  # These will become secrets provided as env vars
-  set_sensitive {
-    name  = "application.sendgridApiKey"
-    value = var.notification_service_enabled && var.notification_service_sendgrid_enabled ? data.aws_secretsmanager_secret_version.sendgrid_api_key[0].secret_string : ""
+  set {
+    name  = "externalSecret.dataFrom[0]"
+    value = local.notification_service_secret_name
   }
 
-  set_sensitive {
-    name  = "application.slackApiKey"
-    value = var.notification_service_enabled && var.notification_service_slack_enabled ? data.aws_secretsmanager_secret_version.slack_api_key[0].secret_string : ""
+  set {
+    name  = "application.twilioPhoneNumber"
+    value = var.notification_service_twilio_phone_number
   }
 }

templates/kubernetes/terraform/modules/kubernetes/variables.tf

@@ -107,24 +107,18 @@ variable "notification_service_enabled" {
   default     = false
 }
 
-variable "notification_service_slack_enabled" {
-  description = "If enabled, will inject slack_api_key env-vars from secret manager to notification service"
-  type        = bool
-  default     = false
-}
-
-variable "notification_service_sendgrid_enabled" {
-  description = "If enabled, will inject sendgrid_api_key env-vars from secret manager to notification service"
-  type        = bool
-  default     = false
-}
-
 variable "notification_service_highly_available" {
   description = "If enabled, will make sure a minimum of 2 pods are running and use a horizontal pod autoscaler to make scale the number of pods based on CPU. Recommended for Production."
   type        = bool
   default     = true
 }
 
+variable "notification_service_twilio_phone_number" {
+  description = "Twilio Phone Number is the Send from number for your SMS messages for the notification service"
+  type        = string
+  default     = ""
+}
+
 variable "cache_store" {
   description = "Cache store - redis or memcached"
   type        = string

templates/terraform/bootstrap/secrets/main.tf

@@ -44,13 +44,34 @@ module "sendgrid_api_key" {
   tags  = { sendgrid: local.project }
 }
 
-module "slack_api_key" {
-  count   = <%if eq (index .Params `notificationServiceSlackApiKey`) "" %>0<% else %>1<% end %>
+module "notification_service_secret_prod" {
+  count   = <%if eq (index .Params `notificationServiceEnabled`) "yes" %>1<% else %>0<% end %>
   source  = "commitdev/zero/aws//modules/secret"
   version = "0.0.2"
 
-  name  = "${local.project}-slack-<% index .Params `randomSeed` %>"
-  type  = "string"
-  value = var.slack_api_key
-  tags  = { slack: local.project }
+  name   = "${local.project}/kubernetes/prod/notification-service"
+  type   = "map"
+  values = {
+    SENDGRID_API_KEY  = var.sendgrid_api_key
+    SLACK_API_KEY     = var.slack_api_key
+    TWILIO_ACCOUNT_ID = var.twilio_account_id
+    TWILIO_AUTH_TOKEN = var.twilio_auth_token
+  }
+  tags   = { notification_svc : local.project }
+}
+
+module "notification_service_secret_stage" {
+  count   = <%if eq (index .Params `notificationServiceEnabled`) "yes" %>1<% else %>0<% end %>
+  source  = "commitdev/zero/aws//modules/secret"
+  version = "0.0.2"
+
+  name   = "${local.project}/kubernetes/stage/notification-service"
+  type   = "map"
+  values = {
+    SENDGRID_API_KEY  = var.sendgrid_api_key
+    SLACK_API_KEY     = var.slack_api_key
+    TWILIO_ACCOUNT_ID = var.twilio_account_id
+    TWILIO_AUTH_TOKEN = var.twilio_auth_token
+  }
+  tags   = { notification_svc : local.project }
 }

templates/terraform/bootstrap/secrets/variables.tf

@@ -7,3 +7,13 @@ variable "slack_api_key" {
   description = "The Slack API key to use with the notification service, if necessary"
   default     = ""
 }
+
+variable "twilio_account_id" {
+  description = "The Twilio Account ID to use with the notification service, if necessary"
+  default     = ""
+}
+
+variable "twilio_auth_token" {
+  description = "The Twilio Auth Token to use with the notification service, if necessary"
+  default     = ""
+}

zero-module.yml

@@ -165,6 +165,27 @@ parameters:
     - action: KeyMatchCondition
       whenValue: "yes"
       matchField: notificationServiceEnabled
+  - field: notificationServiceTwilioAccountId
+    label: "Twilio Account ID if you want to send SMS with the Zero Notification Service."
+    info: "Leave blank if you don't intend to use the Twilio SMS functionality.\nSee https://www.twilio.com/"
+    conditions:
+    - action: KeyMatchCondition
+      whenValue: "yes"
+      matchField: notificationServiceEnabled
+  - field: notificationServiceTwilioAuthToken
+    label: "Twilio Auth Token if you want to send SMS with the Zero Notification Service."
+    info: "Leave blank if you don't intend to use the Twilio SMS functionality.\nSee https://www.twilio.com/"
+    conditions:
+    - action: KeyMatchCondition
+      whenValue: "yes"
+      matchField: notificationServiceEnabled
+  - field: notificationServiceTwilioPhoneNumber
+    label: "Twilio Phone Number if you want to send SMS with the Zero Notification Service."
+    info: "This is the Send From number of the SMS messages sent, Leave blank if you don't intend to use the Twilio SMS functionality."
+    conditions:
+    - action: KeyMatchCondition
+      whenValue: "yes"
+      matchField: notificationServiceEnabled
   - field: accountId
     label: AWS Account ID
     execute: aws sts get-caller-identity --query "Account" | tr -d '"'