Secrets leak fix (do not merge) #400

Closed
wants to merge 17 commits into from
1 change: 1 addition & 0 deletions .devcontainer/post-create-command.sh
Expand Up @@ -3,3 +3,4 @@
sudo apt update
npm i -g npm@latest fuzz-run
npm install
chmod +x ./scripts/*.sh
2 changes: 1 addition & 1 deletion azure.yaml
Expand Up @@ -10,7 +10,7 @@ hooks:
interactive: true

# TODO: provide a cross platform way to run this script
run: ./scripts/database/restore.sh strapi_20230922
run: ./scripts/restore-db.sh strapi_20230922

services:
portal:
4 changes: 2 additions & 2 deletions docker-compose.yml
Expand Up @@ -77,9 +77,9 @@ services:
STRAPI_DATABASE_USERNAME: postgres
STRAPI_DATABASE_PASSWORD: PostgresPass
STRAPI_DATABASE_NAME: strapi
command: ["./restore.sh", "strapi_20230922"]
command: ["./restore-db.sh", "strapi_20230922"]
volumes:
- ./scripts/database:/scripts
- ./scripts:/scripts
depends_on:
postgres:
condition: service_healthy
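--- /dev/null
+++ b/infra/app/key-vault-secrets.bicep
@@ -0,0 +1,50 @@
+// Add secrets to key vaults, to avoid
+// leaked secrets in Azure deployment log
+// leaked secrets in .env files
+
+param keyVaultName string
+
+// POSTGRESQL PASSWORD - NAME in KEY VAULT
+param administratorLoginPasswordSecretName string = 'STRAPI-DATABASE-PASSWORD'
+@secure()
+param administratorLoginPasswordKSecretValue string
+
+// COSMOS DB CONNECTION STRING - NAME in KEY VAULT
+param cosmosDbSecretName = 'AZURE-COSMOS-CONNECTION-STRING'
+@secure()
+param cosmosDbSecretNameValue string
+
+// APP INSIGHT CONNECTION STRING - NAME in KEY VAULT
+param appInsightsConnectionStringName string = 'APPLICATIONINSIGHTS-CONNECTION-STRING'
+@secure ()
+param appInsightsConnectionStringValue string
+
+// POSTGRESQL PASSWORD
+resource postgresPassword 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
+parent: keyVault
+name: administratorLoginPasswordSecretName
+properties: {
+value: administratorLoginPasswordKSecretValue
+}
+}
+
+// COSMOS DB CONNECTION STRING
+resource cosmosDbConnectionString 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
+parent: keyVault
+name: cosmosDbSecretName
+properties: {
+value: cosmosDbSecretNameValue
+}
+}
+
+// APPLICATIONINSIGHTS CONNECTION STRING
+resource appInsightsConnectionString 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
+parent: keyVault
+name: appInsightsConnectionStringName
+properties: {
+value: appInsightsConnectionStringValue
+}
+}
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+name: keyVaultName
+}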
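Review bot: `param cosmosDbSecretName = 'AZURE-COSMOS-CONNECTION-STRING'` in the Cosmos block is missing its type and will not compile; every other parameter in this file is declared `param <name> string`, so it should read `param cosmosDbSecretName string = 'AZURE-COSMOS-CONNECTION-STRING'`. The `@secure ()` decorator on the App Insights value has a stray space before the parentheses and should match the `@secure()` form used on the two parameters above it; I would confirm the Bicep parser accepts the spaced form rather than assume it. The parameter names are also misleading: `administratorLoginPasswordKSecretValue` carries a stray `K`, and `cosmosDbSecretNameValue` holds a value, not a name, so `cosmosDbSecretValue` would parallel `administratorLoginPasswordSecretValue`. Renaming them requires the matching lines in the `keyVaultSecrets` module call in infra/main.bicep to change too.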
2 changes: 1 addition & 1 deletion infra/core/database/postgresql/flexibleserver.bicep
Expand Up @@ -76,4 +76,4 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
}

output POSTGRES_SERVER_NAME string = postgresServer.name
output POSTGRES_DOMAIN_NAME string = postgresServer.properties.fullyQualifiedDomainName
output POSTGRES_DOMAIN_NAME string = postgresServer.properties.fullyQualifiedDomainName
2 changes: 1 addition & 1 deletion infra/core/monitor/monitoring.bicep
Expand Up @@ -28,4 +28,4 @@ output applicationInsightsConnectionString string = applicationInsights.outputs.
output applicationInsightsInstrumentationKey string = applicationInsights.outputs.instrumentationKey
output applicationInsightsName string = applicationInsights.outputs.name
output logAnalyticsWorkspaceId string = logAnalytics.outputs.id
output logAnalyticsWorkspaceName string = logAnalytics.outputs.name
output logAnalyticsWorkspaceName string = logAnalytics.outputs.name
22 changes: 15 additions & 7 deletions infra/main.bicep
Expand Up @@ -96,6 +96,7 @@ module monitoring './core/monitor/monitoring.bicep' = {
params: {
location: location
tags: tags
keyVaultName: keyVault.outputs.name
logAnalyticsName: !empty(logAnalyticsName) ? logAnalyticsName : '${abbrs.operationalInsightsWorkspaces}${resourceToken}'
applicationInsightsName: !empty(applicationInsightsName) ? applicationInsightsName : '${abbrs.insightsComponents}${resourceToken}'
applicationInsightsDashboardName: !empty(applicationInsightsDashboardName) ? applicationInsightsDashboardName : '${abbrs.portalDashboards}${resourceToken}'
Expand Down Expand Up @@ -244,16 +245,15 @@ module api './app/api.bicep' = {
storageAccountName: storageAccount.outputs.name
allowedOrigins: [ portal.outputs.SERVICE_WEB_URI ]
appSettings: {
AZURE_COSMOS_CONNECTION_STRING_KV: cosmos.outputs.connectionStringKey
AZURE_COSMOS_CONNECTION_STRING_KEY: cosmos.outputs.connectionString
AZURE_COSMOS_DATABASE_NAME: cosmos.outputs.databaseName
AZURE_COSMOS_ENDPOINT: cosmos.outputs.endpoint
STRAPI_DATABASE_NAME: cmsDatabaseName
STRAPI_DATABASE_USERNAME: cmsDatabaseUser
STRAPI_DATABASE_PASSWORD: cmsDatabasePassword
STRAPI_DATABASE_HOST: cmsDB.outputs.POSTGRES_DOMAIN_NAME
STRAPI_DATABASE_PORT: cmsDatabasePort
STRAPI_DATABASE_SSL: 'true'
AZURE_KEY_VAULT_NAME: keyVault.outputs.name
APPLICATIONINSIGHTS_NAME: monitoring.outputs.applicationInsightsName
}

// Note: this property is passed as params to avoid circular dependency (see api.bicep)
Expand Down Expand Up @@ -352,6 +352,18 @@ module stripe './app/stripe.bicep' = {
}
}

//////////////// KEY VAULT secrets /////////////////////////
module keyVaultSecrets './app/key-vault-secrets.bicep' = {
name: 'keyVaultSecrets'
scope: rg
params: {
keyVaultName: keyVaultName
administratorLoginPasswordKSecretValue: cmsDatabasePassword
cosmosDbSecretNameValue: cosmos.outputs.connectionStringKey
appInsightsConnectionStringValue: monitoring.outputs.applicationInsightsConnectionString
}
}

module eventGrid './app/events.bicep' = {
name: 'events'
scope: rg
Expand All @@ -364,11 +376,9 @@ module eventGrid './app/events.bicep' = {
}

// Data outputs
output AZURE_COSMOS_CONNECTION_STRING_KEY string = cosmos.outputs.connectionStringKey
output AZURE_COSMOS_DATABASE_NAME string = cosmos.outputs.databaseName

// App outputs
output APPLICATIONINSIGHTS_CONNECTION_STRING string = monitoring.outputs.applicationInsightsConnectionString
output APPLICATIONINSIGHTS_NAME string = monitoring.outputs.applicationInsightsName

output AZURE_CONTAINER_ENVIRONMENT_NAME string = containerApps.outputs.environmentName
Expand Down Expand Up @@ -405,5 +415,3 @@ output STRAPI_DATABASE_HOST string = cmsDB.outputs.POSTGRES_DOMAIN_NAME
output STRAPI_DATABASE_PORT string = cmsDatabasePort

output CMS_DATABASE_SERVER_NAME string = cmsDB.outputs.POSTGRES_SERVER_NAME
// We need this to manually restore the database
output STRAPI_DATABASE_PASSWORD string = cmsDatabasePassword
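Review bot: The `keyVaultSecrets` module call passes `keyVaultName: keyVaultName`, while the `monitoring` and `api` calls in the same file use `keyVault.outputs.name`; if the `keyVaultName` parameter may be left empty and the real name is derived (as the `!empty(x) ? x : '${abbrs...}${resourceToken}'` pattern on the neighbouring names suggests), the `existing` vault lookup inside key-vault-secrets.bicep receives an empty name, so this line should be `keyVaultName: keyVault.outputs.name`. The Cosmos value on the following line is `cosmos.outputs.connectionStringKey`, which by its name is the Key Vault secret name rather than the connection string, so the vault would store the literal key name; cosmos.bicep is not visible here, but the earlier hunk reads `cosmos.outputs.connectionString` for the actual value and that looks like the intended source. Note also that `cosmos.outputs.connectionString` and `monitoring.outputs.applicationInsightsConnectionString` are plain module outputs, which the deployment history records in clear text, so routing them into a `@secure()` parameter at this level does not by itself close the deployment-log leak named in the PR title; creating the `Microsoft.KeyVault/vaults/secrets` resource inside the module that owns each resource, or reading the value with a Key Vault reference, avoids the output hop.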
6 changes: 3 additions & 3 deletions infra/main.parameters.json
Expand Up @@ -27,13 +27,13 @@
"value": "$(secretOrRandomPassword)"
},
"stripePublicKey": {
"value": "${STRIPE_PUBLIC_KEY}"
"value": "${STRIPE_PUBLIC_KEY=''}"
},
"stripeSecretKey": {
"value": "${STRIPE_SECRET_KEY}"
"value": "${STRIPE_SECRET_KEY=''}"
},
"stripeWebhookSecret": {
"value": "${STRIPE_WEBHOOK_SECRET}"
"value": "${STRIPE_WEBHOOK_SECRET=''}"
},
"cmsDatabaseHost": {
"value": "${SERVICE_CMS_SERVER_HOST}"
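Review bot: Assuming the `${STRIPE_SECRET_KEY=''}` and `${STRIPE_WEBHOOK_SECRET=''}` lines are the new side, a deployment with those variables unset now provisions silently with empty Stripe secrets instead of failing the parameter substitution as the bare `${STRIPE_WEBHOOK_SECRET}` form presumably did. Whether an empty webhook secret disables signature verification depends on how the API reads it, which is not visible here, but an empty value should be treated as a misconfiguration rather than a valid setting. If the intent is to let deployments without Stripe through, I would keep the defaults and pair them with a `@minLength(1)` (or an explicit `stripeEnabled` guard) on the `stripeSecretKey` and `stripeWebhookSecret` parameters in the Bicep so the gap is deliberate and documented rather than accidental.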