Remove insecure output of creds, adjust README

John Skiles Skinner
2024-04-08 17:11:20 -07:00
parent f2ef5efb1d
commit e054d9b03f
2 changed files with 21 additions and 21 deletions

@@ -4,6 +4,25 @@ This directory holds the terraform modules for maintaining your complete persist
Prerequisite: install the `jq` JSON processor: `brew install jq`
## Retrieving existing bucket credentials
Assuming [initial setup](#initial-setup) is complete, new developers start here!
1. Enter the bootstrap module with `cd bootstrap`
1. Run `./import.sh` to pull existing terraform state into the local state
1. Follow instructions under [Use bootstrap credentials](#use-bootstrap-credentials)
### Use bootstrap credentials
1. Run `./run.sh show -json`.
1. In the output, locate `access_key_id` and `secret_access_key` within `bucket_credentials`. These values are secret, so, don't share them with anyone or copy them to anywhere online.
1. Add the following to `~/.aws/credentials`:
```
[notify-terraform-backend]
aws_access_key_id = <access_key_id from bucket_credentials>
aws_secret_access_key = <secret_access_key from bucket_credentials>
```
## Initial setup
These instructions were used for deploying the project for the first time, years ago. We should not have to perform these steps again. They are provided here for reference.
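Review bot: step 2 of "Use bootstrap credentials" tells the reader to look inside `bucket_credentials`, but this same commit deletes the `bucket_credentials` output, so in `./run.sh show -json` the values will sit under the `cloudfoundry_service_key` resource named `bucket_creds`, in its `credentials` attribute. Point the step and the `<... from bucket_credentials>` placeholders at that resource instead. Since `jq` is already listed as a prerequisite, consider piping the `show -json` output through a `jq` filter that prints only the two fields, so the rest of the state is not dumped to the terminal. Minor: "so, don't share" reads better without the comma.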
@@ -22,9 +41,9 @@ The bootstrap module is used to create an s3 bucket for later terraform runs to
### Bootstrapping the state storage s3 buckets for the first time
1. Run `terraform init`
1. Within the `bootstrap` directory, run `terraform init`
1. Run `./run.sh plan` to verify that the changes are what you expect
1. Run `./run.sh apply` to set up the bucket and retrieve credentials
1. Run `./run.sh apply` to set up the bucket
1. Follow instructions under [Use bootstrap credentials](#use-bootstrap-credentials)
1. Ensure that `import.sh` includes a line and correct IDs for any resources created
1. Run `./teardown_creds.sh` to remove the space deployer account used to create the s3 bucket
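Review bot: the reworded step "Run `./run.sh apply` to set up the bucket" no longer tells the reader that this run also creates the service key, so nothing in the list signals that the local terraform state now holds the secret that `./run.sh show -json` later reads. Add a short note after the apply step saying the local state contains the bucket credentials and must be kept out of version control and shared locations.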
@@ -41,21 +60,6 @@ The bootstrap module is used to create an s3 bucket for later terraform runs to
1. Make your changes
1. Continue from step 2 of the boostrapping instructions
### Retrieving existing bucket credentials
1. Run `./import.sh` to pull existing terraform state into the local state
1. Run `./run.sh show`
1. Follow instructions under `Use bootstrap credentials`
#### Use bootstrap credentials
1. Add the following to `~/.aws/credentials`
```
[notify-terraform-backend]
aws_access_key_id = <access_key_id from bucket_credentials>
aws_secret_access_key = <secret_access_key from bucket_credentials>
```
## SpaceDeployers
A [SpaceDeployer](https://cloud.gov/docs/services/cloud-gov-service-account/) account is required to run terraform or
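Review bot: the context line "Continue from step 2 of the boostrapping instructions" misspells "bootstrapping" and refers to a step by number in a list this commit edits. While this area is being touched, fix the spelling and name the step (the `./run.sh plan` step) so the reference survives future reordering.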

@@ -14,7 +14,3 @@ resource "cloudfoundry_service_key" "bucket_creds" {
name = "${local.s3_service_name}-access"
service_instance = module.s3.bucket_id
}
output "bucket_credentials" {
value = cloudfoundry_service_key.bucket_creds.credentials
}
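Review bot: dropping `output "bucket_credentials"` stops `apply` from printing the key, but `cloudfoundry_service_key.bucket_creds.credentials` is still written to state in plaintext, which is exactly what the README's `./run.sh show -json` step relies on. If a named handle for retrieval is still wanted, keeping the output with `sensitive = true` would redact it in plan and apply output while leaving it addressable by name. Otherwise, please confirm nothing else in the repo reads `bucket_credentials`.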