feature request: chamber check command for target AWS Account #331

Open
simonireilly opened this issue Feb 27, 2022 · 1 comment

@simonireilly

User Story

As a chamber user

I want to be able to set a collection of required environment variables in my namespace

so that I can return a non-zero exit code when required values do not exist in the target AWS Account

Justification

When considering portability, I tend to use a separate AWS account as dev, prod.

When I use chamber to manage configuration in the AWS SSM parameter store, I want a command I can run, that has list-only permissions, but throws a non-zero code for missing values in the service.

Why

  • It enforces service level documentation of required config (portability)
  • It enables opt-in pre-flight check for the required service configuration that can be added to the CI pipeline

Proposal

There should be a file that supports required environment variables; for example a .env.example file.

API

chamber check [--format <format=json>] [--template-file <file=chamber.json>] <service>

  • Would support checking a manifest file either in JSON or .env format.

Permissions: would require List/Describe permissions, but not Get/Read permissions:

  • Enables pointing CI at dev environment to check for required configuration
  • Enables pointing CI at prod environment to check for required configuration; without exposing Read access (principles of least privilege)

Behaviour:

  • Returns exit code 0 when the target AWS account includes the AWS secrets
  • Returns exit code 1 when the target AWS account does not include the AWS secrets

JSON Example

File format as chamber.json:

{
  "KEY_NAME_1": "String",
  "KEY_NAME_2": "SecureString"
}

chamber check \
  backend/services/user

DotEnv Example

File format as .env.example:

KEY_NAME_1=String
KEY_NAME_2=SecureString

chamber check \
  --format dotenv \
  --template-file .env.example \
  backend/services/user

Alternatives

Implement your own secret existence checker; a basic one could just use grep:

chamber list backend/services/user | grep please-exist
@simonireilly simonireilly changed the title feature request: chamber check command for environment feature request: chamber check command for target AWS Account Feb 27, 2022
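
A fuller version of the grep alternative from the issue, as an added example that is not part of the original post or of chamber itself: it checks every key in the template and matches names exactly, so `KEY_NAME_1` is not satisfied by `KEY_NAME_10`. The function names `missing_keys` and `demo` are hypothetical, and the code assumes the first column of the `chamber list` output is the key name and that the header row starts with `Key`.

```shell
#!/bin/sh
# Added example (not chamber code): exact-match pre-flight check on key names.
# Usage: chamber list <service> | missing_keys <dotenv|json> <template-file>
# Prints each required key that is absent from the listing.
# Returns 0 if none are missing, 1 if any are, 2 on bad arguments.
missing_keys() {
  case "$1" in dotenv|json) ;; *) echo "unknown format: $1" >&2; return 2 ;; esac
  [ -r "$2" ] || { echo "cannot read template: $2" >&2; return 2; }
  awk -v fmt="$1" '
    # Pass 1 (stdin): collect key names from the listing.
    # Assumption: column 1 is the key; a header row starting with "Key" is skipped.
    # The pass variable (not NR == FNR) keeps an empty listing from passing the check.
    pass == 1 { if (NF && !(FNR == 1 && $1 == "Key")) present[$1] = 1; next }
    # Pass 2 (template): only names are used; String/SecureString values are ignored.
    fmt == "dotenv" {
      sub(/^[ \t]*(export[ \t]+)?/, "")
      if ($0 == "" || $0 ~ /^#/ || index($0, "=") == 0) next
      sub(/[ \t]*=.*/, ""); need($0); next
    }
    fmt == "json" {   # flat {"KEY": "Type"} objects only, as in the proposal
      while (match($0, /"[^"]+"[ \t]*:/)) {
        k = substr($0, RSTART + 1, RLENGTH - 1); sub(/"[ \t]*:$/, "", k)
        need(k); $0 = substr($0, RSTART + RLENGTH)
      }
    }
    function need(k) { if (!(k in present)) { print k; bad = 1 } }
    END { exit bad + 0 }
  ' pass=1 - pass=2 "$2"
}

# Constructed demo: the template from the issue and a made-up listing.
demo() {
  t=$(mktemp) && printf 'KEY_NAME_1=String\nKEY_NAME_2=SecureString\n' > "$t"
  printf 'Key Version\nKEY_NAME_1 3\nKEY_NAME_20 1\n' | missing_keys dotenv "$t"
  rc=$?; rm -f "$t"; return "$rc"
}

demo || echo "pre-flight check failed: required keys are missing" >&2
```

The comparison is case-sensitive; if the listing shows keys in a different case than the template, fold both sides to one case before comparing.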
@stale

stale bot commented Apr 30, 2022

This issue has been automatically marked stale because it has not had any activity in the last 60 days. If no further activity occurs within 7 days, it will be closed. Closed does not mean "never", just that it has no momentum to get accomplished any time soon.
See CONTRIBUTING.md for more info.
