feat(secret): Add examples for secret manager
kozlove-aws committed Sep 14, 2021
1 parent 6e9a95c commit 74a1599
Showing 8 changed files with 102 additions and 6 deletions.
25 changes: 23 additions & 2 deletions examples/deadline/All-In-AWS-Infrastructure-Basic/python/README.md
Expand Up @@ -123,12 +123,33 @@ These instructions assume that your working directory is `examples/deadline/All-
```python
self.alarm_email_address: Optional[str] = 'username@yourdomain.com'
```
15. Deploy all the stacks in the sample app:
15. Deadline Secrets Management is a feature used to encrypt certain values in the database that need to be kept secret. Additional documentation about the feature and how it works in the RFDK can be found in the [RFDK README](../../../../packages/aws-rfdk/lib/deadline/README.md). By default, Deadline Secrets Management is enabled, but it can be disabled by changing the `enable_secret_management` variable in `package/config.py`.

16. When you are using Deadline Secrets Management you can define your own admin credentials by creating a Secret in SecretsManager in the following format:

```json
{
"username": <admin user name>,
"password": <admin user password>,
}
```
The password must be at least 8 characters long and contain at least one lowercase, one uppercase, one digit, and one special character.

Then the value of the `secret_management_secret_arn` variable in `package/config.py` should be changed to this secret's ARN:
```python
self.ubl_certificate_secret_arn: str = '<your secret arn>'
```
It is highly recommended that you leave this parameter undefined to enable the automatic generation of a strong password.
17. Deploy all the stacks in the sample app:
```bash
cdk deploy "*"
```
16. Once you are finished with the sample app, you can tear it down by running:
18. Once you are finished with the sample app, you can tear it down by running:
```bash
cdk destroy "*"
Expand Up @@ -44,6 +44,9 @@ def main():
if 'region' in config.deadline_client_linux_ami_map:
raise ValueError('Deadline Client Linux AMI map is required but was not specified.')

if not config.enable_secret_management and config.secret_management_secret_arn:
print('Deadline Secret Management is disabled and the admin credentials specified in the provided secret will not be used.')

# ------------------------------
# Application
# ------------------------------
Expand Down Expand Up @@ -110,7 +113,9 @@ def main():
root_ca=security.root_ca,
dns_zone=network.dns_zone,
deadline_version=config.deadline_version,
accept_aws_thinkbox_eula=config.accept_aws_thinkbox_eula
accept_aws_thinkbox_eula=config.accept_aws_thinkbox_eula,
enable_secret_management=config.enable_secret_management,
secret_management_secret_arn=config.secret_management_secret_arn
)
service = service_tier.ServiceTier(app, 'ServiceTier', props=service_props, env=env)

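Review bot: The disabled-but-ARN-provided notice at the new `print(...)` line goes to stdout, where it mixes with the rest of the app's output and is easy to overlook, and the TypeScript counterpart of this commit uses `console.warn` instead. Emitting it as a warning, `warnings.warn('Deadline Secret Management is disabled and the admin credentials specified in the provided secret will not be used.')`, or `print(..., file=sys.stderr)`, keeps it on stderr where a deployment operator will see it; either needs a file-level `import warnings` / `import sys`, which sits outside this hunk. The message also says "Secret Management" while the rest of the commit calls the feature "Secrets Management". `main()` begins before the first hunk and continues past the second.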
Expand Up @@ -59,6 +59,13 @@ def __init__(self):
# If false, then we use Amazon DocumentDB to back the render farm.
self.deploy_mongo_db: bool = False

# Whether to enable Deadline Secrets Management.
self.enable_secret_management: bool = True

# A Secret in AWS SecretsManager that stores the admin credentials for Deadline Secrets Management.
# If not defined and Secrets Management is enabled the AWS Secret with admin credentials will be generated.
self.secret_management_secret_arn: Optional[str] = None

# This is only relevant if deploy_mongo_db is True.
#
# Change this value to MongoDbSsplLicenseAcceptance.USER_ACCEPTS_SSPL
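Review bot: The comment on `self.secret_management_secret_arn` does not state what the secret must contain, which is the part a user is most likely to get wrong: the README added in this commit requires a JSON body with `username` and `password` keys and a password of at least 8 characters with lowercase, uppercase, a digit and a special character, and `service_tier.py` only consumes the ARN when `enable_secret_management` is True. Suggest extending the comment with `# The secret must be a JSON object with "username" and "password" keys (see the README for password requirements); ignored when enable_secret_management is False.` The enclosing `__init__` starts before this hunk.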
Expand Up @@ -72,6 +72,10 @@ class ServiceTierProps(StackProps):
deadline_version: str
# Whether the AWS Thinkbox End-User License Agreement is accepted or not
accept_aws_thinkbox_eula: AwsThinkboxEulaAcceptance
# Whether to enable Deadline Secrets Management.
enable_secret_management: bool
# The ARN of the secret containing the admin credentials for secret management.
secret_management_secret_arn: typing.Optional[str]


class ServiceTier(Stack):
Expand Down Expand Up @@ -122,6 +126,12 @@ def __init__(self, scope: Construct, stack_id: str, *, props: ServiceTierProps,
version=props.deadline_version
)

secrets_management_settings = {
"enabled": props.enable_secret_management
}
if props.enable_secret_management and props.secret_management_secret_arn is not None:
secrets_management_settings["credentials"] = Secret.from_secret_arn(self, 'SMAdminUser', props.secret_management_secret_arn)

repository = Repository(
self,
'Repository',
Expand All @@ -130,7 +140,8 @@ def __init__(self, scope: Construct, stack_id: str, *, props: ServiceTierProps,
file_system=props.mountable_file_system,
repository_installation_timeout=Duration.minutes(20),
repository_installation_prefix='/',
version=self.version
version=self.version,
secrets_management_settings=secrets_management_settings
)

images = ThinkboxDockerImages(
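Review bot: The `secrets_management_settings["credentials"] = Secret.from_secret_arn(...)` line in the second hunk imports the admin secret with `from_secret_arn`, while the TypeScript service tier in this same commit uses `Secret.fromSecretCompleteArn`; as far as I can tell `from_secret_arn` is the deprecated form in the aws-cdk v1 line, and the two examples should at least agree on whether a partial ARN is accepted, since `config.py` only says "ARN". Changing the line to `secrets_management_settings["credentials"] = Secret.from_secret_complete_arn(self, 'SMAdminUser', props.secret_management_secret_arn)` matches the TypeScript example; alternatively document in `config.py` that a partial ARN is fine. The gating on `props.enable_secret_management` here is the right behaviour and is the one the TypeScript side should copy. The enclosing `__init__` starts before this hunk and continues after the third.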
23 changes: 23 additions & 0 deletions examples/deadline/All-In-AWS-Infrastructure-Basic/ts/README.md
Expand Up @@ -119,6 +119,29 @@ These instructions assume that your working directory is `examples/deadline/All-
```ts
public readonly alarmEmailAddress?: string = 'username@yourdomain.com';
```

15. Deadline Secrets Management is a feature used to encrypt certain values in the database that need to be kept secret. Additional documentation about the feature and how it works in the RFDK can be found in the [RFDK README](../../../../packages/aws-rfdk/lib/deadline/README.md). By default, Deadline Secrets Management is enabled, but it can be disabled by changing the `enable_secret_management` variable in `package/config.py`.

```ts
public readonly enableSecretManagement?: boolean = false;
```
16. When you are using Deadline Secrets Management you can define your own admin credentials by creating a Secret in SecretsManager in the following format:

```json
{
"username": <admin user name>,
"password": <admin user password>,
}
```
The password must be at least 8 characters long and contain at least one lowercase, one uppercase, one digit, and one special character.

Then the value of the `secret_management_secret_arn` variable in `package/config.py` should be changed to this secret's ARN:

```ts
public readonly secretManagementSecretArn?: string = '<your-secret-arn>';
```
It is highly recommended that you leave this parameter undefined to enable the automatic generation of a strong password.

14. Build the `aws-rfdk` package, and then build the sample app. There is some magic in the way yarn workspaces and lerna packages work that will link the built `aws-rfdk` from the base directory as the dependency to be used in the example's directory:
```bash
# Navigate to the root directory of the RFDK repository (assumes you started in the example's directory)
Expand Up @@ -51,6 +51,10 @@ import { WorkstationTier } from '../lib/workstation-tier';
throw new Error('Deadline Client Linux AMI map is required but was not specified.');
}

if (!config.enableSecretManagement && config.secretManagementSecretArn) {
console.warn('Deadline Secret Management is disabled and the admin credentials specified in the provided secret will not be used.');
}

// ------------------- //
// --- Application --- //
// ------------------- //
Expand Down Expand Up @@ -114,6 +118,8 @@ const service = new ServiceTier(app, 'ServiceTier', {
rootCa: security.rootCa,
dnsZone: network.dnsZone,
acceptAwsThinkboxEula: config.acceptAwsThinkboxEula,
enableSecretManagement: config.enableSecretManagement,
secretManagementSecretArn: config.secretManagementSecretArn
});

// -------------------- //
11 changes: 11 additions & 0 deletions examples/deadline/All-In-AWS-Infrastructure-Basic/ts/bin/config.ts
Expand Up @@ -72,6 +72,17 @@ class AppConfig {
*/
public readonly deployMongoDB: boolean = false;

/**
* Whether to enable Deadline Secrets Management.
*/
public readonly enableSecretManagement: boolean = true;

/**
* A Secret in AWS SecretsManager that stores the admin credentials for Deadline Secrets Management.
* If not defined and Secrets Management is enabled the AWS Secret with admin credentials will be generated.
*/
public readonly secretManagementSecretArn?: string;

/**
* This is only relevant if deployMongoDB = true.
*
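Review bot: The doc comment on `secretManagementSecretArn` should say that the value has to be the complete secret ARN, because `service-tier.ts` in this commit imports it with `Secret.fromSecretCompleteArn`, which expects the ARN including its random suffix rather than a partial ARN; a user who pastes the short form gets a synth-time error with no hint here. It should also name the expected content, which the README spells out but the config does not. Suggest adding to the comment: `* Must be the complete ARN (including the random suffix) of a secret whose value is a JSON object with "username" and "password" keys.` The enclosing `AppConfig` class starts before this hunk.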
Expand Up @@ -79,14 +79,25 @@ export interface ServiceTierProps extends cdk.StackProps {

/**
* Version of Deadline to use.
* @default The latest available release of Deadline is used
* @default - The latest available release of Deadline is used
*/
readonly deadlineVersion?: string;

/**
* Whether the AWS Thinkbox End-User License Agreement is accepted or not
*/
readonly acceptAwsThinkboxEula: AwsThinkboxEulaAcceptance;

/**
* Whether to enable Deadline Secrets Management.
*/
readonly enableSecretManagement: boolean;

/**
* The ARN of the AWS Secret containing the admin credentials for Deadline Secrets Management.
* @default - If Deadline Secrets Managemen is enabled AWS Secret with admin credentials will be generated.
*/
readonly secretManagementSecretArn?: string;
}

/**
Expand Down Expand Up @@ -129,7 +140,8 @@ export class ServiceTier extends cdk.Stack {
repositoryInstallationTimeout: cdk.Duration.minutes(20),
repositoryInstallationPrefix: "/",
secretsManagementSettings: {
enabled: true,
enabled: props.enableSecretManagement,
credentials: props.secretManagementSecretArn ? Secret.fromSecretCompleteArn(this, 'SMAdminUser', props.secretManagementSecretArn) : undefined,
},
});

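Review bot: The `credentials:` entry in the `secretsManagementSettings` block of the second hunk is populated whenever `secretManagementSecretArn` is set, even when `enableSecretManagement` is false, whereas the Python service tier in this commit only attaches credentials when the feature is enabled and `app.ts` tells the user in that case that the secret "will not be used"; importing it anyway hands a disabled feature a reference to an admin secret, and whatever the construct does with that reference is not visible here. Gating it the same way as the Python side, `credentials: props.enableSecretManagement && props.secretManagementSecretArn ? Secret.fromSecretCompleteArn(this, 'SMAdminUser', props.secretManagementSecretArn) : undefined,`, makes the two examples and the warning consistent. In the first hunk the `@default` line on `secretManagementSecretArn` reads "Secrets Managemen" — should be "Secrets Management". The constructor this block belongs to starts before the hunk.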
