We are going to move away from HashiCorp Vault to use AWS SSM. In thi…

…s commit I have updated the configuration so that will import the environment variables from AWS SSM. If something goes wrong, an error will be logged.
Crown-Commercial-Service · Oct 27, 2022 · 59f6815 · 59f6815
1 parent 2355256
commit 59f6815
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 30 deletions.
diff --git a/Gemfile b/Gemfile
@@ -43,7 +43,7 @@ gem 'roo', '~> 2.9.0'
 gem 'canonical-rails', github: 'jumph4x/canonical-rails'
 
 # For environment variables
-gem 'vault'
+gem 'aws-sdk-ssm'
 
 # Add rate limiting on the API
 gem 'rack-attack'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -91,6 +91,9 @@ GEM
       aws-sdk-core (~> 3, >= 3.127.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.4)
+    aws-sdk-ssm (1.142.0)
+      aws-sdk-core (~> 3, >= 3.127.0)
+      aws-sigv4 (~> 1.1)
     aws-sigv4 (1.5.1)
       aws-eventstream (~> 1, >= 1.0.2)
     better_html (2.0.1)
@@ -314,8 +317,6 @@ GEM
       unf_ext
     unf_ext (0.0.7.7)
     unicode-display_width (2.3.0)
-    vault (0.17.0)
-      aws-sigv4
     web-console (4.2.0)
       actionview (>= 6.0.0)
       activemodel (>= 6.0.0)
@@ -339,6 +340,7 @@ DEPENDENCIES
   arask (= 1.2.3)
   aws-sdk-cognitoidentityprovider (~> 1.70.0)
   aws-sdk-s3 (~> 1)
+  aws-sdk-ssm
   bootsnap (>= 1.4.2)
   brakeman
   byebug
@@ -366,7 +368,6 @@ DEPENDENCIES
   spring
   spring-watcher-listen (~> 2.1.0)
   sqlite3 (~> 1.5)
-  vault
   web-console (>= 4.2.0)
   webpacker (~> 5.4, >= 5.4.3)
 

diff --git a/config/initializers/aws_ssm.rb b/config/initializers/aws_ssm.rb
@@ -0,0 +1,62 @@
+require 'rollbar'
+
+IDAM_SSM_SERVICE_NAME_REGEX = /pmp-idam-[a-z]+-ssm-service/.freeze
+
+def config_aws_ssm
+  ssm_client = setup_ssm_client
+
+  pmp_idam_variables = find_pmp_idam_variables(ssm_client)
+
+  pmp_idam_variables.each do |pmp_idam_key, pmp_idam_value|
+    ENV[pmp_idam_key] = pmp_idam_value
+  end
+
+  Rails.logger.info('SUCCESS: All variables imported from AWS SSM')
+rescue Aws::SSM::Errors::StandardError => e
+  Rails.logger.error('ERROR: Failed to import variables from AWS SSM')
+  Rails.logger.error(e.message)
+end
+
+def setup_ssm_client
+  vcap_services = JSON.parse(ENV.fetch('VCAP_SERVICES', nil), symbolize_names: true)
+
+  aws_credentials = vcap_services[:'user-provided'].find { |service| service[:name].match(IDAM_SSM_SERVICE_NAME_REGEX) }[:credentials]
+
+  Aws::SSM::Client.new(
+    region: aws_credentials[:region],
+    access_key_id: aws_credentials[:aws_access_key_id],
+    secret_access_key: aws_credentials[:aws_secret_access_key]
+  )
+end
+
+def find_pmp_idam_variables(ssm_client)
+  pmp_idam_variables = []
+
+  next_token = nil
+
+  loop do
+    resp = ssm_client.get_parameters_by_path(
+      {
+        path: '/pmp-idam/',
+        with_decryption: true,
+        max_results: 10,
+        next_token: next_token
+      }
+    )
+
+    pmp_idam_variables += resp.parameters.map do |parameter|
+      [
+        parameter.name.split('/').last.upcase.to_s,
+        parameter.value.to_s
+      ]
+    end
+
+    next_token = resp.next_token
+
+    break unless next_token
+  end
+
+  pmp_idam_variables
+end
+
+config_aws_ssm if ENV['SERVER_ENV_NAME'].present?
diff --git a/config/initializers/cf_vault.rb b/config/initializers/cf_vault.rb