From a998d83e7273f73bfe351a1a75f3e10828deb4a5 Mon Sep 17 00:00:00 2001 From: Andrew Newton Date: Wed, 15 Jan 2025 09:40:33 +0000 Subject: [PATCH 1/2] docs: rfc on config param change process --- ...meter-and-secrets-config-change-process.md | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 docs/rfc/rfc-008-parameter-and-secrets-config-change-process.md diff --git a/docs/rfc/rfc-008-parameter-and-secrets-config-change-process.md b/docs/rfc/rfc-008-parameter-and-secrets-config-change-process.md new file mode 100644 index 0000000000..581f7a0076 --- /dev/null +++ b/docs/rfc/rfc-008-parameter-and-secrets-config-change-process.md 
@@ -0,0 +1,49 @@ +# RFC: Parameter and Secret Management Changes + +## Background + +Our Laminas app uses AWS Parameter Store and Secrets Manager for configuration management. We've experienced runtime failures during releases etc when parameter placeholders don't exist in AWS. This creates a need for a defined process to manage parameter and secret changes in vol-app. + +## Proposed Solution + +### Process for Parameter Store Management + +When adding or modifying parameters in Laminas config files: + +1. Developer identifies need for new parameter +2. Developer MUST: + - Create a branch in `vol-terraform` repository + - Add parameter values to appropriate files in `/etc/` +3. Developer MUST create two linked PRs: + - `vol-terraform` PR with parameter additions + - `vol-app` PR with application changes to config +4. Both PRs MUST reference each other in their descriptions +5. The `vol-terraform` PR should be merged before or at the same time as the application PR + +## Notes + +The vol-terraform etc folder contains the files that define parameters. There are two group files which contain values shared by all environments in an account, then per-environment files for environment-specific values. Please use the least-specific file possible for your changes. + +## File Structure Example + +``` +/etc/ +├── env_eu-west-1_dev.tfvars # Dev-specific values +├── env_eu-west-1_pp.tfvars # PP-specific values +├── group_nonprod.tfvars # Shared non-prod values +└── group_prod.tfvars # Shared prod values +``` + +### Process for Secret Management + +As we should not store secret values in a repository, AWS Secrets Manager is used. If a developer needs a new secret it is proposed that they: + +1. Raises a ticket for Infrastructure team, linked to the ticket they are working on with: + - Secret placeholder name + - Description of purpose + - Required environments + - Where the value can be found / who is responsible for updating it in future etc +2. 
Infrastructure team will: + - Create the secret in AWS Secrets Manager + - Notify the developer upon completion +3. Developer can then merge their application changes From 84299ee7207e8a5a2f2c554d4376fd9f9a479281 Mon Sep 17 00:00:00 2001 From: Andrew Newton Date: Wed, 15 Jan 2025 10:04:14 +0000 Subject: [PATCH 2/2] Update docs/rfc/rfc-008-parameter-and-secrets-config-change-process.md Co-authored-by: Shaun Hare --- .../rfc/rfc-008-parameter-and-secrets-config-change-process.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/rfc/rfc-008-parameter-and-secrets-config-change-process.md b/docs/rfc/rfc-008-parameter-and-secrets-config-change-process.md index 581f7a0076..3ec2aae31f 100644 --- a/docs/rfc/rfc-008-parameter-and-secrets-config-change-process.md +++ b/docs/rfc/rfc-008-parameter-and-secrets-config-change-process.md @@ -13,7 +13,8 @@ When adding or modifying parameters in Laminas config files: 1. Developer identifies need for new parameter 2. Developer MUST: - Create a branch in `vol-terraform` repository - - Add parameter values to appropriate files in `/etc/` + - Determine if the parameter will be the same across multiple environments or change individually per environment + - Add parameter values to appropriate files in `/etc/` - group for common, environment ones for individual 3. Developer MUST create two linked PRs: - `vol-terraform` PR with parameter additions - `vol-app` PR with application changes to config
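Review bot: step 5 of the Parameter Store process keys the ordering to the `vol-terraform` PR being *merged*, but the Background says the runtime failures come from placeholders that do not exist in AWS at release time, and a merged Terraform PR creates nothing until the change has been applied in each target environment. Suggest rewording to `5. The vol-terraform change MUST be applied in every environment the app PR targets before the application release is deployed there` and dropping `or at the same time`, which still leaves the race. Three smaller points on the same hunk: the process only covers adding parameters, and removals need the reverse order (application PR deployed everywhere first, parameter removed afterwards), which is worth a line; the `### Process for Secret Management` heading lands under `## File Structure Example` rather than `## Proposed Solution`, so either move it next to `### Process for Parameter Store Management` or demote `## Notes` and `## File Structure Example` to `###`; and the secrets flow ends at "Developer can then merge their application changes" without saying who grants the application's IAM role read access to the new secret or confirming the value has been populated in each required environment, both of which belong in the Infrastructure team checklist before the notification in step 2.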
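Review bot: the new "Determine if the parameter will be the same across multiple environments" bullet restates the guidance already in the Notes section ("use the least-specific file possible") without naming the files, so the two descriptions can drift apart. Suggest tying the bullet to the File Structure Example instead, e.g. `- Add the value to a group_*.tfvars file when it is shared by every environment in the account, or to the env_<region>_<env>.tfvars file when it is environment-specific`, and keep the least-specific-file rule in one place. The edited line also still writes the path as `/etc/` with a leading slash, which reads as the system directory; the Notes section describes the `etc` folder inside the `vol-terraform` repository, so `etc/` is the accurate form.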