Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: rfc on possible config parameter change process #552

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

docs: rfc on possible config parameter change process #552

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a998d83
docs: rfc on config param change process
fibble Jan 15, 2025
84299ee
Update docs/rfc/rfc-008-parameter-and-secrets-config-change-process.md
fibble Jan 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions docs/rfc/rfc-008-parameter-and-secrets-config-change-process.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# RFC: Parameter and Secret Management Changes

## Background

Our Laminas app uses AWS Parameter Store and Secrets Manager for configuration management. We've experienced runtime failures during releases etc when parameter placeholders don't exist in AWS. This creates a need for a defined process to manage parameter and secret changes in vol-app.

## Proposed Solution

### Process for Parameter Store Management

When adding or modifying parameters in Laminas config files:

1. Developer identifies need for new parameter
2. Developer MUST:
- Create a branch in `vol-terraform` repository
- Determine if the parameter will be the same across multiple environments or change individually per environment
- Add parameter values to appropriate files in `/etc/` - group for common, environment ones for individual
3. Developer MUST create two linked PRs:
- `vol-terraform` PR with parameter additions
- `vol-app` PR with application changes to config
4. Both PRs MUST reference each other in their descriptions
5. The `vol-terraform` PR should be merged before or at the same time as the application PR

## Notes

The vol-terraform etc folder contains the files that define parameters. There are two group files which contain values shared by all environments in an account, then per-environment files for environment-specific values. Please use the least-specific file possible for your changes.

## File Structure Example

```
/etc/
├── env_eu-west-1_dev.tfvars # Dev-specific values
├── env_eu-west-1_pp.tfvars # PP-specific values
├── group_nonprod.tfvars # Shared non-prod values
└── group_prod.tfvars # Shared prod values
```

### Process for Secret Management

As we should not store secret values in a repository, AWS Secrets Manager is used. If a developer needs a new secret it is proposed that they:

1. Raises a ticket for Infrastructure team, linked to the ticket they are working on with:
- Secret placeholder name
- Description of purpose
- Required environments
- Where the value can be found / who is responsible for updating it in future etc
2. Infrastructure team will:
- Create the secret in AWS Secrets Manager
- Notify the developer upon completion
3. Developer can then merge their application changes
Loading