Add ability to sync secrets from 1Password to Google Secret Manager
As part of https://gitlab.developers.cam.ac.uk/uis/devops/iam/authentication/infrastructure/-/issues/30, we discussed the fact that currently we sync secrets from 1Password to Google Secret Manager via a small "bootstrap" module in many of our deployment repos.
This has the following main issues as I see it:
- The synchronised secrets end up stored in plain text in terraform state files.
- The "bootstrap" modules are root Terraform modules nested within another root module (i.e. the main deployment Terraform).
- This is not ideal Terraform layout and is confusing to new (and existing!) devs.
- These also require routine maintenance (e.g. to bump provider/module versions etc.).
- They all follow a similar pattern but some code does differ between projects.
I'm proposing that we add a sub-command to logan (maybe `logan sync-secrets`) to perform this secret synchronisation instead. The secret mappings (1Password id => Google project id) could be defined in the `.logan.yaml` config file (under a `sync-secrets` key, for example) and synchronised ad-hoc by running the command from your local machine. Keeping this as an ad-hoc task would be consistent with the current bootstrap modules as these are also run ad-hoc. This is primarily due to requiring that the 1Password CLI be authenticated as a personal user account with permission to access the required 1Password vaults.
Potential improvements by adopting this proposal are as follows:
- Remove multiple secrets from terraform state files.
- Standardise the approach to synchronising these secrets.
- No additional terraform/tools required. Building on the `logan` tool means that all devs will already have the tool installed and all products will have the ability to sync secrets from 1Password if required.
- Use service account impersonation to create the secrets in Google Secret Manager. While we would still need to authenticate to 1Password with our personal accounts, we could use service account impersonation to create/manage the secrets in Google Secret Manager.
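As an added illustration of the flow proposed above (this is example code, not logan's own code, and the `sync-secrets` schema, field names and function names are assumptions), the sketch below loads a constructed mapping of 1Password secret references to Secret Manager secrets, pulls each value into memory only, compares it with the latest stored version so that re-running the command does not create redundant versions, and reports an outcome per secret without ever writing the value to disk or to a state file. The 1Password and Secret Manager clients are injected as callables so the logic runs offline; in a real run `read_source` would wrap `op read <reference>` from the 1Password CLI and the other two would wrap the google-cloud-secret-manager client using impersonated service account credentials.

```python
"""Illustrative 1Password -> Google Secret Manager sync (added example, not logan's code)."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the `sync-secrets` section of .logan.yaml after it has
# been parsed (e.g. with yaml.safe_load). The schema is hypothetical.
EXAMPLE_CONFIG = {
    "sync-secrets": {
        "impersonate_service_account": "secret-writer@example-project.iam.gserviceaccount.com",
        "secrets": [
            {"source": "op://Dev Vault/db-password/password",
             "project": "example-project", "secret": "db-password"},
            {"source": "op://Dev Vault/api-key/credential",
             "project": "example-project", "secret": "api-key"},
        ],
    }
}


@dataclass(frozen=True)
class SecretMapping:
    source: str    # 1Password secret reference as understood by `op read`
    project: str   # Google project id that owns the Secret Manager secret
    secret: str    # Secret Manager secret name within that project


def load_mappings(config: dict) -> List[SecretMapping]:
    """Validate the hypothetical `sync-secrets` section and return its mappings."""
    section = config.get("sync-secrets") or {}
    mappings = []
    for entry in section.get("secrets", []):
        for key in ("source", "project", "secret"):
            if key not in entry:
                raise ValueError(f"sync-secrets entry missing '{key}': {entry}")
        if not entry["source"].startswith("op://"):
            raise ValueError(f"source must be an op:// reference: {entry['source']}")
        mappings.append(SecretMapping(entry["source"], entry["project"], entry["secret"]))
    return mappings


def fingerprint(value: bytes) -> str:
    """Short digest that is safe to log instead of the secret value itself."""
    return hashlib.sha256(value).hexdigest()[:12]


def sync_secrets(
    mappings: List[SecretMapping],
    read_source: Callable[[str], bytes],
    read_current: Callable[[str, str], Optional[bytes]],
    write_version: Callable[[str, str, bytes], None],
) -> Dict[str, str]:
    """Sync each mapping and return {'project/secret': 'created'|'updated'|'unchanged'}."""
    results: Dict[str, str] = {}
    for m in mappings:
        value = read_source(m.source)             # held in memory only
        current = read_current(m.project, m.secret)  # latest stored version, or None
        key = f"{m.project}/{m.secret}"
        if current is None:
            write_version(m.project, m.secret, value)
            results[key] = "created"
        elif current == value:
            results[key] = "unchanged"            # idempotent: no redundant version
        else:
            write_version(m.project, m.secret, value)
            results[key] = "updated"
        print(f"{key}: {results[key]} (fingerprint {fingerprint(value)})")
    return results


def run_demo():
    """Run the sync twice against constructed in-memory stand-ins for both services."""
    source = {  # constructed values a real `op read` would return
        "op://Dev Vault/db-password/password": b"constructed-db-password",
        "op://Dev Vault/api-key/credential": b"constructed-api-key",
    }
    store: Dict[tuple, bytes] = {}  # stands in for Secret Manager's latest versions
    mappings = load_mappings(EXAMPLE_CONFIG)
    clients = (
        source.__getitem__,
        lambda project, secret: store.get((project, secret)),
        lambda project, secret, value: store.__setitem__((project, secret), value),
    )
    first = sync_secrets(mappings, *clients)
    second = sync_secrets(mappings, *clients)
    return first, second


if __name__ == "__main__":
    run_demo()
```

Comparing against the latest stored version before adding one is what keeps the command safe to re-run ad-hoc, and logging only a fingerprint keeps the value out of terminal scrollback and CI logs, which is the same property the proposal wants for terraform state.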
Repos which currently have a bootstrap secrets module are as follows.
This may not be all of them!
- API Gateway Ops
- Gitlab (doesn't use a bootstrap Terraform module but does use a legacy secret encryption method which is non-standard)
- Admissions Portal
- Albatross
- Gaobase
- G Suite
- Raven Legacy
- IAM Authentication
- Identity Platform
- SQL Backups (doesn't use a bootstrap Terraform module but does use a legacy secret encryption method which is non-standard)
- GCP Infra
- Research Dashboard
- Self-Service Gateway