Manually apply template changes

.template-version

@@ -1 +1 @@
-1774e0f0e3285f02ed4e88baf1576136bb8458ef
+a4b4cf4c78bcf201717d11eb6bf5a2ce51124795

docs/infra/environment-variables-and-secrets.md

@@ -0,0 +1,58 @@
+# Environment variables and secrets
+
+Applications follow [12-factor app](https://12factor.net/) principles to [store configuration as environment variables](https://12factor.net/config). The infrastructure provides some of these environment variables automatically, such as environment variables to authenticate as the ECS task role, environment variables for database access, and environment variables for accessing document storage. However, many applications require extra custom environment variables for application configuration and for access to secrets. This document describes how to configure application-specific environment variables and secrets. It also describes how to override those environment variables for a specific environment.
+
+## Application-specific extra environment variables
+
+Applications may need application specific configuration as environment variables. Examples may includes things like `WORKER_THREADS_COUNT`, `LOG_LEVEL`, `DB_CONNECTION_POOL_SIZE`, or `SERVER_TIMEOUT`. This section describes how to define extra environment variables for your application that are then made accessible to the ECS task by defining the environment variables in the task definition (see AWS docs on [using task definition parameters to pass environment variables to a container](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html)).
+
+> ⚠️ Note: Do not put sensitive information such as credentials as regular environment variables. The method described in this section will embed the environment variables and their values in the ECS task definition's container definitions, so anyone with access to view the task definition will be able to see the values of the environment variables. For configuring secrets, see the section below on [Secrets](#secrets)
+
+Environment variables are defined in the `app-config` module in the [environment-variables.tf file](/infra/app/app-config/env-config/environment-variables.tf). Modify the `default_extra_environment_variables` map to define extra environment variables specific to the application. Map keys define the environment variable name, and values define the default value for the variable across application environments. For example:
+
+```terraform
+# environment-variables.tf
+
+locals {
+  default_extra_environment_variables = {
+    WORKER_THREADS_COUNT = 4
+    LOG_LEVEL            = "info"
+  }
+}
+```
+
+To override the default values for a particular environment, modify the `app-config/[environment].tf file` for the environment, and pass overrides to the `env-config` module using the `service_override_extra_environment_variables` variable. For example:
+
+```terraform
+# dev.tf
+
+module "dev_config" {
+  source                                       = "./env-config"
+  service_override_extra_environment_variables = {
+    WORKER_THREADS_COUNT = 1
+    LOG_LEVEL            = "debug"
+  }
+  ...
+}
+```
+
+## Secrets
+
+Secrets are a specific category of environment variables that need to be handled sensitively. Examples of secrets are authentication credentials such as API keys for external services. Secrets first need to be stored in AWS SSM Parameter Store as a `SecureString`. This section then describes how to make those secrets accessible to the ECS task as environment variables through the `secrets` configuration in the container definition (see AWS documentation on [retrieving Secrets Manager secrets through environment variables](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/secrets-envvar-secrets-manager.html)).
+
+Secrets are defined in the same file that non-sensitive environment variables are defined, in the `app-config` module in the [environment-variables.tf file](/infra/app/app-config/env-config/environment-variables.tf). Modify the `secrets` list to define the secrets that the application will have access to. For each secret, `name` defines the environment variable name, and `ssm_param_name` defines the SSM parameter name that stores the secret value. For example:
+
+```terraform
+# environment-variables.tf
+
+locals {
+  secrets = [
+    {
+      name           = "SOME_API_KEY"
+      ssm_param_name = "/${var.app_name}-${var.environment}/secret-sauce"
+    }
+  ]
+}
+```
+
+> ⚠️ Make sure you store the secret in SSM Parameter Store before you try to add secrets to your application service, or else the service won't be able to start since the ECS Task Executor won't be able to fetch the configured secret.

infra/README.md

@@ -67,7 +67,8 @@ To set up this project for the first time (aka it has never been deployed to the
     1. [Set up application build repository](/docs/infra/set-up-app-build-repository.md)
     2. [Set up application database](/docs/infra/set-up-database.md)
     3. [Set up application environment](/docs/infra/set-up-app-env.md)
-    4. [Set up background jobs](/docs/infra/background-jobs.md)
+    4. [Configure environment variables and secrets](/docs/infra/environment-variables-and-secrets.md)
+    5. [Set up background jobs](/docs/infra/background-jobs.md)
 
 ### 🆕 New developer
 

infra/app/app-config/env-config/environment-variables.tf

@@ -0,0 +1,20 @@
+locals {
+  # Map from environment variable name to environment variable value
+  # This is a map rather than a list so that variables can be easily
+  # overridden per environment using terraform's `merge` function
+  default_extra_environment_variables = {
+    # Example environment variables
+    # WORKER_THREADS_COUNT    = 4
+    # LOG_LEVEL               = "info"
+    # DB_CONNECTION_POOL_SIZE = 5
+  }
+
+  # Configuration for secrets
+  # List of configurations for defining environment variables that pull from SSM parameter
+  # store. Configurations are of the format
+  # { name = "ENV_VAR_NAME", ssm_param_name = "/ssm/param/name" }
+  secrets = [{
+    name           = "API_AUTH_TOKEN"
+    ssm_param_name = "/${var.app_name}-${var.environment}/api-auth-token"
+  }]
+}

infra/app/app-config/env-config/outputs.tf

@@ -22,6 +22,13 @@ output "service_config" {
     memory                 = var.service_memory
     desired_instance_count = var.service_desired_instance_count
 
+    extra_environment_variables = merge(
+      local.default_extra_environment_variables,
+      var.service_override_extra_environment_variables
+    )
+
+    secrets = toset(local.secrets)
+
     file_upload_jobs = {
       for job_name, job_config in local.file_upload_jobs :
       # For job configs that don't define a source_bucket, add the source_bucket config property

infra/app/app-config/env-config/variables.tf

@@ -43,3 +43,12 @@ variable "service_desired_instance_count" {
   type    = number
   default = 1
 }
+
+variable "service_override_extra_environment_variables" {
+  type        = map(string)
+  description = <<EOT
+    Map that overrides the default extra environment variables defined in environment-variables.tf.
+    Map from environment variable name to environment variable value
+    EOT
+  default     = {}
+}

infra/app/service/main.tf

@@ -131,12 +131,13 @@ module "service" {
     }
   } : null
 
-  extra_environment_variables = [
-    // TODO: Move API_AUTH_TOKEN to config module
-    { name : "API_AUTH_TOKEN", value : "TEST_AUTH_12345678" }, // For demonstration purposes only, do not use this for prod environments
-    { name : "FEATURE_FLAGS_PROJECT", value : module.feature_flags.evidently_project_name },
-    { name : "BUCKET_NAME", value : local.storage_config.bucket_name }
-  ]
+  extra_environment_variables = merge({
+    FEATURE_FLAGS_PROJECT = module.feature_flags.evidently_project_name
+    BUCKET_NAME           = local.storage_config.bucket_name
+  }, local.service_config.extra_environment_variables)
+
+  secrets = local.service_config.secrets
+
   extra_policies = {
     feature_flags_access = module.feature_flags.access_policy_arn,
     storage_access       = module.storage.access_policy_arn

infra/modules/service/access-control.tf

@@ -62,6 +62,15 @@ data "aws_iam_policy_document" "task_executor" {
     ]
     resources = [data.aws_ecr_repository.app.arn]
   }
+
+  dynamic "statement" {
+    for_each = length(local.secrets) > 0 ? [1] : []
+    content {
+      sid       = "SecretsAccess"
+      actions   = ["ssm:GetParameters"]
+      resources = local.secrets[*].valueFrom
+    }
+  }
 }
 
 resource "aws_iam_role_policy" "task_executor" {

infra/modules/service/main.tf

@@ -28,7 +28,10 @@ locals {
   environment_variables = concat(
     local.base_environment_variables,
     local.db_environment_variables,
-    var.extra_environment_variables,
+    [
+      for name, value in var.extra_environment_variables :
+      { name : name, value : value }
+    ],
   )
 }
 
@@ -89,6 +92,7 @@ resource "aws_ecs_task_definition" "app" {
         ]
       },
       environment = local.environment_variables,
+      secrets     = local.secrets,
       portMappings = [
         {
           containerPort = var.container_port,

infra/modules/service/secrets.tf

@@ -0,0 +1,14 @@
+data "aws_ssm_parameter" "secret" {
+  for_each = { for secret in var.secrets : secret.name => secret }
+  name     = each.value.ssm_param_name
+}
+
+locals {
+  secrets = [
+    for secret in var.secrets :
+    {
+      name      = secret.name,
+      valueFrom = data.aws_ssm_parameter.secret[secret.name].arn
+    }
+  ]
+}

infra/modules/service/variables.tf

@@ -62,8 +62,17 @@ variable "aws_services_security_group_id" {
 }
 
 variable "extra_environment_variables" {
-  type        = list(object({ name = string, value = string }))
-  description = "Additional environment variables to pass to the service container"
+  type        = map(string)
+  description = "Additional environment variables to pass to the service container. Map from environment variable name to the value."
+  default     = {}
+}
+
+variable "secrets" {
+  type = set(object({
+    name           = string
+    ssm_param_name = string
+  }))
+  description = "List of configurations for defining environment variables that pull from SSM parameter store"
   default     = []
 }