aws-health-aware

Added noecho on secret parameters

Open. Smiddie31 opened this issue 3 years ago • 1 comment

Description of changes: Added 'noecho' to the Teams, Slack and Chime webhook parameters, masking them from the console. At present these parameters are saved as Secrets Manager secrets; however, the parameter values are visible in the CloudFormation console.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Smiddie31, Nov 10 '21 09:11
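
A check for the gap this pull request closes, as an added example (not code from the aws-health-aware project): it flags secret-looking CloudFormation parameters that lack NoEcho, and outputs that `Ref` a NoEcho parameter, since NoEcho does not mask values exposed through Outputs. The template is constructed; only SlackWebhookURL is a name from this page, and the name heuristic is an assumption.

```python
import json
import re

# Name fragments that suggest a parameter carries a secret (assumed heuristic).
SECRET_HINT = re.compile(r"webhook|secret|password|token|apikey", re.I)

def _refs(node):
    """Yield every name referenced via {"Ref": name} under node (Ref only)."""
    if isinstance(node, dict):
        ref = node.get("Ref")
        if isinstance(ref, str):
            yield ref
        for value in node.values():
            yield from _refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from _refs(item)

def audit_template(template):
    """Return sorted (finding, name) tuples for a parsed CloudFormation template."""
    params = template.get("Parameters", {})
    findings, masked = [], set()
    for name, spec in params.items():
        # CloudFormation accepts NoEcho as boolean true or the string "true".
        if str(spec.get("NoEcho", "false")).lower() == "true":
            masked.add(name)
        elif SECRET_HINT.search(name):
            findings.append(("missing-noecho", name))
    # NoEcho does not mask a value that is surfaced again through Outputs.
    for out_name, out in template.get("Outputs", {}).items():
        if masked & set(_refs(out.get("Value"))):
            findings.append(("noecho-in-output", out_name))
    return sorted(findings)

# Constructed sample template; only SlackWebhookURL is a name taken from the page.
SAMPLE = json.loads("""
{
  "Parameters": {
    "SlackWebhookURL": {"Type": "String", "NoEcho": true},
    "TeamsWebhookURL": {"Type": "String"},
    "ChimeWebhookURL": {"Type": "String", "NoEcho": "false"},
    "EventSearchBack": {"Type": "Number", "Default": 1}
  },
  "Outputs": {
    "SlackHook": {"Value": {"Ref": "SlackWebhookURL"}},
    "Region":    {"Value": {"Ref": "AWS::Region"}}
  }
}
""")
```

Running `audit_template` on a template exported to JSON in CI catches a webhook parameter added later without NoEcho.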

My personal thoughts on this:

  • Webhooks are secrets. So the NoEcho option totally makes sense here.
  • However, the project also supports deploy via Terraform. In this case, different from CloudFormation, options are versioned as well (terraform.tfvars), which includes params like SlackWebhookURL.
    • So, while the Pull Request solves the problem for CloudFormation, we still have the problem for Terraform
    • I do not have any expertise on Terraform. I'm just curious about what should be the best approach.
      • Maybe the Terraform deploy should not create the secrets in Secrets Manager, but instead instruct the user to manually create them, and pass the secrets via a param like SecretsManagerName in terraform.tfvars

rarylson, May 15 '22 23:05