fix(infra): lambda functions load information from secrets manager

passportxyz · Nov 24, 2023 · 9f8832f · 9f8832f
1 parent dd3b8bd
commit 9f8832f
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 6 deletions.
diff --git a/api/aws_lambdas/Readme.md b/api/aws_lambdas/Readme.md
@@ -40,8 +40,3 @@ curl -X 'POST' \
   "isBase64Encoded": false
 }'
 ```
-````
-
-```
-
-```
diff --git a/api/aws_lambdas/utils.py b/api/aws_lambdas/utils.py
@@ -5,6 +5,7 @@
 import json
 import os
 from functools import wraps
+from traceback import print_exc
 from typing import Any, Dict, Tuple
 
 from aws_lambdas.exceptions import InvalidRequest
@@ -13,6 +14,45 @@
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "scorer.settings")
 os.environ.setdefault("CERAMIC_CACHE_SCORER_ID", "1")
 
+###########################################################
+# Loading secrets from secrets manager
+# https://aws.amazon.com/developer/language/python/
+# For a list of exceptions thrown, see
+# https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
+# https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
+###########################################################
+
+import boto3
+from botocore.exceptions import ClientError
+
+
+def load_secrets():
+    ssm_srn = os.environ["SCORER_SERVER_SSM_ARN"]
+
+    # Create a Secrets Manager client
+    session = boto3.session.Session()
+    client = session.client(service_name="secretsmanager")
+
+    try:
+        get_secret_value_response = client.get_secret_value(SecretId=ssm_srn)
+    except ClientError as e:
+        print(f"Error occurred while loading secret value: {e}")
+        print_exc()
+        raise e
+
+    # Decrypts secret using the associated KMS key.
+    # Load secrets and store them in env variables
+    secrets = json.loads(get_secret_value_response["SecretString"])
+    os.environ["SECRET_KEY"] = secrets["SECRET_KEY"]
+
+
+load_secrets()
+
+###########################################################
+# END: Loading secrets from secrets manager
+###########################################################
+
+
 # pylint: disable=wrong-import-position
 
 import django

diff --git a/api/scorer/settings/base.py b/api/scorer/settings/base.py
@@ -20,7 +20,7 @@
 # See https://docs.djangoproject.com/en/4.1/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = env("SECRET_KEY", default="some-secret-value")
+SECRET_KEY = env("SECRET_KEY")
 
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = env("DEBUG", default=True)

diff --git a/infra/lib/scorer/service.ts b/infra/lib/scorer/service.ts
@@ -749,6 +749,16 @@ export const createSharedLambdaResources = () => {
     ],
   });
 
+  const lambdaSecretsManagerPolicyDocument = aws.iam.getPolicyDocument({
+    statements: [
+      {
+        effect: "Allow",
+        actions: ["secretsmanager:GetSecretValue"],
+        resources: ["arn:aws:secretsmanager:*:*:*"],
+      },
+    ],
+  });
+
   const lambdaLoggingPolicy = new aws.iam.Policy("lambdaLoggingPolicy", {
     path: "/",
     description: "IAM policy for logging from a lambda",
@@ -765,6 +775,15 @@ export const createSharedLambdaResources = () => {
     ),
   });
 
+  const lambdaSecretsManagerPolicy = new aws.iam.Policy("lambdaSecretManagerPolicy", {
+    path: "/",
+    description: "IAM policy for interfacing with EC2 network",
+    policy: lambdaSecretsManagerPolicyDocument.then(
+      (lambdaSecretsManagerPolicyDocument) =>
+        lambdaSecretsManagerPolicyDocument.json
+    ),
+  });
+
   const assumeRole = aws.iam.getPolicyDocument({
     statements: [
       {
@@ -800,10 +819,17 @@ export const createSharedLambdaResources = () => {
     }
   );
 
+  const lambdaSecretsManagerPolicyAttachement =
+    new aws.iam.RolePolicyAttachment("lambdaSecretManagerRoleAttachment", {
+      role: lambdaRole.name,
+      policyArn: lambdaSecretsManagerPolicy.arn,
+    });
+
   return {
     lambdaRole,
     lambdaLogRoleAttachment,
     lambdaEc2RoleAttachment,
+    lambdaSecretsManagerPolicyAttachement,
   };
 };
 

diff --git a/infra/prod/index.ts b/infra/prod/index.ts
@@ -1252,6 +1252,10 @@ const lambdaSettings = {
       name: "CERAMIC_CACHE_SCORER_ID",
       value: "335",
     },
+    {
+      name: "SCORER_SERVER_SSM_ARN",
+      value: SCORER_SERVER_SSM_ARN,
+    },
   ],
   ...sharedLambdaResources,
 };

diff --git a/infra/staging/index.ts b/infra/staging/index.ts
@@ -571,6 +571,10 @@ const lambdaSettings = {
       name: "CERAMIC_CACHE_SCORER_ID",
       value: "14",
     },
+    {
+      name: "SCORER_SERVER_SSM_ARN",
+      value: SCORER_SERVER_SSM_ARN,
+    },
   ],
   ...sharedLambdaResources,
 };
-Original file line number
+Diff line change
@@ Expand Up / @@ -40,8 +40,3 @@ curl -X 'POST' \ @@
       "isBase64Encoded": false
     }'
     ```
-    ````
-    ```
-    ```