Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[docs] Add how-to for creating a team secret #3804

Merged
merged 1 commit into from
Oct 14, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions doc/how-to/how-to-add-a-secret.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,13 @@ This guide will demonstrate how to -

## Process

**Setup**
### Setup
1. Generate a secret [using the existing process](how-to-generate-a-secret.md), or obtain one from a third-party integration
2. Add to your local `.env` file for local development
- Note: This file is never checked into our public repository and is listed in our `.gitignore` config
3. Document the secret in `.env.example`

**Docker Environments (Local development + Pizza environments)**
### Docker Environments (Local development + Pizza environments)
To pass a secret into our Docker Compose setup you will need to map it into the relevant container in `docker-compose.yml`. For example -

```yml
Expand All @@ -35,7 +35,7 @@ When building Pizza environments for testing, GitHub actions access secrets via
> Please be aware that if you are rotating secrets this may affect existing Pizzas which will need to be rebuilt. This can be done manually in GitHub by re-running the latest action associated with affected PRs.


**AWS / Pulumi Environments (Staging + Production environments)**
### AWS / Pulumi Environments (Staging + Production environments)
Secrets for Staging and Production environment are not handled in `.env` files, and are set directly in Pulumi, our Infrastruture as Code (IaC) platform.

These values are set using the [Pulumi CLI](https://www.pulumi.com/docs/reference/cli/)
Expand Down
30 changes: 30 additions & 0 deletions doc/how-to/how-to-add-a-team-secret.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# How to add a team secret
This document describes our processes for adding a new team secret to the PlanX application, e.g. Gov Pay API keys.

This guide will demonstrate how to -
- Encrypt a secret
- Store the encrypted secret in our database
- Verify that the encrypted secret matches the decrypted/raw version

## Process

### Obtain the secret
1. Get the raw secret, e.g. you might have been sent it in an email from a council officer.

### Get the encryption key
1. In `/infrastructure/application`, run `pulumi config get encryption-key --stack production`.
2. This should output the encryption key in the terminal.

### Encrypt the secret
1. In `/scripts/encrypt`, run the encryption script using the encryption key and raw secret that you obtained in the previous steps: `pnpm encrypt <encryption-key> <secret>`.
2. This should output the encrypted secret in the terminal.
3. It is useful to double check that the encryption was successful by running the decryption script and checking you get the same secret back: `pnpm decrypt <encryption-key> <encrypted_secret>`.

### Update the database with the encrypted secret
1. Go to our [production Hasura instance](hasura.editor.planx.uk).
2. In the `team_integrations` table, find the row for the relevant team and paste the encrypted secret into the correct field (e.g. `production_govpay_secret`).
3. Press save!

### Test

You should now prompt the team representative (e.g. council officer) to test that the secret has been successfully updated, e.g. test a flow with GovPay.
Loading