
Create Config System For Credentials

Open ju1es opened this issue 1 year ago • 7 comments

Overview

Create a config system so that credentials are used dynamically in the Flask app, depending on the user and environment.

Action Items

Implement dynamic configs for credentials that live in a secure datastore i.e. vault

ju1es avatar Jun 27 '23 05:06 ju1es

@paulespinosa @tylerthome Bumping this. Besides GitHub Secrets, are there any other tools/frameworks we could leverage that accommodate local and remote environments?

ju1es avatar Jul 25 '23 01:07 ju1es

There is a dotenv vault tool available but I'm still looking into it: https://www.dotenv.org/. Tyler mentioned that other teams (DevOps) are putting runtime secrets into AWS. I haven't followed through how they're using it yet though.

paulespinosa avatar Jul 25 '23 06:07 paulespinosa

@ju1es What does dynamic mean here? And do you have example scenarios for "depending on the user and environment"? Thank you.

paulespinosa avatar Aug 27 '23 03:08 paulespinosa

@Joshua-Douglas @ju1es dotenv and dotenv-vault have been looking pretty good

https://www.dotenv.org/docs/tutorials/environments https://www.dotenv.org/docs/addons/github

paulespinosa avatar Sep 01 '23 03:09 paulespinosa

It is interesting: the dotenv team "strongly recommend against having a 'main' .env file and an 'environment' .env file like .env.test." https://www.npmjs.com/package/dotenv#user-content-should-i-have-multiple-env-files. However, the community seems to be taking another approach. Vite allows for "mode"-specific .env files, which seems to follow from React, as @Joshua-Douglas has found: https://github.com/hackforla/HomeUniteUs/pull/587#pullrequestreview-1605961926. These are both using dotenv under the covers.

It should be noted that dotenv does load system environment variables. That is, .env files are optional. This is what allows us to configure GitHub with variables and secrets and have the API/app use them.

paulespinosa avatar Sep 01 '23 07:09 paulespinosa

From discussion with Ops team, the incubator system will either use AWS Parameter Store to store secrets or have a mechanism to pull secrets from GitHub secrets into the container when a container is deployed.

Regarding the GitHub secrets approach, Ops ensured their process will not put secrets into a container image that is stored in ECR.

paulespinosa avatar Sep 14 '23 07:09 paulespinosa

The direction we're taking regarding shared secrets is that we will program the API and App to avoid needing them during development.

paulespinosa avatar Sep 14 '23 07:09 paulespinosa
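Added example, not code from the HomeUniteUs repository: a small Flask-style config loader that illustrates two points raised above, the Sep 01 observation that dotenv reads the process environment and treats a .env file as optional (so GitHub variables/secrets or a deployment-time pull from AWS Parameter Store can supply values with no file present), and the Sep 14 direction that the API should run in development without any shared secrets. The precedence rule copied here is python-dotenv's default for `load_dotenv(override=False)`: a variable already in the process environment wins over the .env file. The variable names (`APP_ENV`, `DATABASE_URL`, `COGNITO_CLIENT_SECRET`), the sample .env text and the helper functions are hypothetical, chosen for illustration; `SECRET_KEY` is Flask's own session-signing setting and `app.config.from_mapping()` is Flask's real API for loading a dict.

```python
"""Added example (not HomeUniteUs code): a Flask-style config loader.

Precedence mirrors python-dotenv's default load_dotenv(override=False):
a variable already in the process environment wins over the .env file,
so the .env file is optional and CI/CD (GitHub variables and secrets,
AWS Parameter Store) can supply values with no file present at all.
Variable names below are hypothetical, chosen for illustration.
"""
import os
import re
from typing import Mapping, Optional

# Hypothetical setting names; not the project's actual configuration keys.
REQUIRED_PROD_SECRETS = ("SECRET_KEY", "DATABASE_URL", "COGNITO_CLIENT_SECRET")

_KV = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> dict:
    """Tiny .env parser: KEY=value lines, '#' comment lines, optional quotes."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if not m:
            continue  # malformed line: ignore rather than guess
        key, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            raw = raw[1:-1]
        values[key] = raw
    return values


def merge_env(process_env: Mapping[str, str], dotenv_vars: Mapping[str, str]) -> dict:
    """Process environment wins; the .env file only fills in what is absent."""
    merged = dict(dotenv_vars)
    merged.update(process_env)
    return merged


def build_config(env: Mapping[str, str]) -> dict:
    """Return a mapping suitable for Flask's app.config.from_mapping().

    development: runs with no shared secrets at all (local defaults, auth stubbed).
    production:  every secret must be present in the environment; fail fast if not.
    """
    app_env = env.get("APP_ENV", "development")
    if app_env == "development":
        return {
            "ENV": "development",
            "SECRET_KEY": env.get("SECRET_KEY", "dev-only-not-a-secret"),
            "DATABASE_URL": env.get("DATABASE_URL", "sqlite:///./local-dev.db"),
            "COGNITO_CLIENT_SECRET": None,  # external auth disabled locally
        }
    if app_env == "production":
        missing = [k for k in REQUIRED_PROD_SECRETS if not env.get(k)]
        if missing:
            # Name the keys, never the values, so the error is safe to log.
            raise RuntimeError("missing required secrets: " + ", ".join(missing))
        return {"ENV": "production", **{k: env[k] for k in REQUIRED_PROD_SECRETS}}
    raise ValueError(f"unknown APP_ENV {app_env!r}")


def load_config(process_env: Optional[Mapping[str, str]] = None,
                dotenv_text: str = "") -> dict:
    """Compose the pieces: parse the optional .env, merge with precedence, validate."""
    if process_env is None:
        process_env = os.environ
    return build_config(merge_env(process_env, parse_dotenv(dotenv_text)))


# Constructed sample .env for a developer machine (not a real file from the repo).
SAMPLE_DEV_DOTENV = """
# local overrides only; never commit real credentials here
APP_ENV=development
DATABASE_URL="postgresql://localhost/huu_dev"
"""

if __name__ == "__main__":
    print(load_config(process_env={}, dotenv_text=SAMPLE_DEV_DOTENV))
    try:
        load_config(process_env={"APP_ENV": "production"}, dotenv_text="")
    except RuntimeError as exc:
        print("production refused to start:", exc)
```

In a real app the result feeds `app.config.from_mapping(load_config())` at startup. The production branch deliberately refuses to boot rather than falling back to a development default, and its error names only the missing keys, so a failed container start in ECS logs nothing sensitive.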