feat(main): Make configuration parameters of type SSM SecureString #3619

Closed
wants to merge 3 commits into from

alpozcan

It is understandable to keep non-sensitive configuration information as a plain SSM String; however, for the purposes of SOC2 compliance in our organisation, we need to make all SSM Parameters encrypted.

This PR changes the type for the below SSM parameters so that they are SecureString:

  • "${var.ssm_paths.root}/${var.ssm_paths.config}/cloudwatch_agent_config_runner"
  • "${var.ssm_paths.root}/${var.ssm_paths.config}/run_as"
  • "${var.ssm_paths.root}/${var.ssm_paths.config}/agent_mode"
  • "${var.ssm_paths.root}/${var.ssm_paths.config}/enable_jit_config"
  • "${var.ssm_paths.root}/${var.ssm_paths.config}/enable_cloudwatch"
  • "${var.ssm_paths.root}/${var.ssm_paths.config}/token_path"

@alpozcan alpozcan changed the title Make configuration parameters of type SSM SecureString feat(main): Make configuration parameters of type SSM SecureString Nov 20, 2023
@npalm
Member

npalm commented Nov 20, 2023

Thank you for taking the time to create a PR. The SSM parameters you are changing are not considered to be secret or sensitive at all. For that reason, we use the plain string. Please can you explain why you think those should be sensitive?

@alpozcan
Author

> Thank you for taking the time to create a PR. The SSM parameters you are changing are not considered to be secret or sensitive at all. For that reason, we use the plain string. Please can you explain why you think those should be sensitive?

Hi,
I believe I already did in the first paragraph above, also acknowledging that they are not sensitive.

@npalm
Member

npalm commented Nov 20, 2023

> > Thank you for taking the time to create a PR. The SSM parameters you are changing are not considered to be secret or sensitive at all. For that reason, we use the plain string. Please can you explain why you think those should be sensitive?
>
> Hi, I believe I already did in the first paragraph above, also acknowledging that they are not sensitive.

Sorry, misread the description. Did you test your change on an actual deployment?

@alpozcan alpozcan closed this by deleting the head repository Nov 20, 2023
@alpozcan
Author

alpozcan commented Nov 20, 2023

@npalm Sorry, didn't actually mean to close this.

I have re-forked this in our GH organisation, applied the changes above there and also reverted it to v4.6.0. This'll do for our purposes for now.

It deployed successfully on top of our v4.1.0 deployment. However, even though the runners get launched fine, they do not pick up jobs now.

I'll troubleshoot this later.
