fix(ephemerals): Quick fix for ephemeral spin-up

[craig-rueda]

SUMMARY

Quick fix to add support for the "new" requirement to include a SECRET_KEY

[cwegener]

@craig-rueda @rusackas Why not store an actual SECRET key in this Github Repo and let the Github runner pass it to ECS via the very same 'render-task-definition' action using the environment-variables parameter? https://github.com/aws-actions/amazon-ecs-render-task-definition/blob/b451ae8d4af191e94b479ca69435c85a0bd25140/action.yml#L16-L18

[rusackas]

@cwegener We might still do that... but it requires an Apache Infra task to set that up, and we wanted to unblock the broken ephemerals as expediently as possible. While it would be a nice thing to do, I'm not particularly worried about the security of these workspaces, as everyone on the internet knows the admin credentials anyway :)

[cwegener]

I suspected that something like that would be the reason. 🙂

I disagree with with the security stance though. It's not the fact that these workspace are public that I am lamenting, but the fact that the actual practice for publicizing secret keys is unchanged as a result of this PR. Totally understand the need for expediting of this fix in this case of course.

Another option would be to use an actual random string with high entropy by following the Flask documentation recommendations: https://flask.palletsprojects.com/en/2.3.x/quickstart/#sessions
https://flask.palletsprojects.com/en/2.3.x/config/#SECRET_KEY

[rusackas]

We could definitely provide a randomized secret key on these ephemeral environments, but it seems a bit moot when we publish the admin credentials publicly on the thread as they're spun up. Maybe we can add an extra warning on the PR comment that lists those credentials with a "⚠️ This instance is public: do not connect production databases! ⚠️" warning, or something similar.