@juliareynolds-nava
Contributor

🎫 Ticket

https://jira.cms.gov/browse/PLT-1358

🛠 Changes

Added a config service that uses SOPS to store parameters

ℹ️ Context

Adoption of the SOPS standard for CDAP

🧪 Validation

@juliareynolds-nava juliareynolds-nava marked this pull request as ready for review October 3, 2025 18:10
@juliareynolds-nava juliareynolds-nava requested a review from a team as a code owner October 3, 2025 18:10
# _all_ Terraservices, so be careful!

locals {
app = "cdap"
Member

Format this file - you may be able to set up your editor to do this automatically on save.

Member

@gsf gsf left a comment

Please add a tf workflow to plan and apply the terraform in the new config service.

@juliareynolds-nava juliareynolds-nava marked this pull request as draft October 7, 2025 13:44
jscott-nava and others added 6 commits October 7, 2025 10:33
#319)

## 🎫 Ticket

https://jira.cms.gov/browse/PLT-1108

## 🛠 Changes

This PR updates the web module README sample usage section with commit
hashes instead of branch references now that the branch has been merged.

## ℹ️ Context

The CDAP web module contains a sample usage snippet in the README that
contains three references to the branch in which changes were being
made. Since that branch has now been merged to main these references
should now be updated to the commit hash of that merge.

## 🧪 Validation

This is a README update that does not require validation.

## 🎫 Ticket

https://jira.cms.gov/browse/PLT-1299

## 🛠 Changes

Expanded platform variable and edited readme

## ℹ️ Context

These changes are for the ecs service module.

## 🧪 Validation
<details>
<summary>Tofu Plan Output</summary>

```
OpenTofu will perform the following actions:

  # aws_ecs_service.worker will be updated in-place
  ~ resource "aws_ecs_service" "worker" {
        id                                 = "arn:aws:ecs:us-east-1:***:service/ab2d-test-worker/ab2d-test-worker"
        name                               = "ab2d-test-worker"
        tags                               = {}
      ~ task_definition                    = "arn:aws:ecs:us-east-1:***:task-definition/ab2d-test-worker:227" -> (known after apply)
        # (17 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # aws_ecs_task_definition.worker must be replaced
-/+ resource "aws_ecs_task_definition" "worker" {
      ~ arn                      = "arn:aws:ecs:us-east-1:***:task-definition/ab2d-test-worker:227" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-east-1:***:task-definition/ab2d-test-worker" -> (known after apply)
      ~ container_definitions    = jsonencode(
          ~ [
              ~ {
                  ~ environment            = [
                        # (12 unchanged elements hidden)
                        {
                            name  = "AWS_SQS_URL"
                            value = "https://sqs.us-east-1.amazonaws.com/***/ab2d-test-events"
                        },
                      ~ {
                            name  = "IMAGE_VERSION"
                          ~ value = "ab2d-worker-1626-merge-682775a" -> "ab2d-worker-1626-merge-37a4551"
                        },
                        {
                            name  = "MICROSERVICES_URL"
                            value = "http://internal-ab2d-test-microservices-87290984.us-east-1.elb.amazonaws.com/"
                        },
                        # (1 unchanged element hidden)
                    ]
                  ~ image                  = "***.dkr.ecr.us-east-1.amazonaws.com/ab2d-worker:ab2d-worker-1626-merge-682775a" -> "***.dkr.ecr.us-east-1.amazonaws.com/ab2d-worker:ab2d-worker-1626-merge-37a4551"
                    name                   = "worker"
                  - portMappings           = []
                  - systemControls         = []
                  - volumesFrom            = []
                    # (5 unchanged attributes hidden)
                },
            ] # forces replacement
        )
      ~ enable_fault_injection   = false -> (known after apply)
      ~ id                       = "ab2d-test-worker" -> (known after apply)
      ~ revision                 = 227 -> (known after apply)
      - tags                     = {} -> null
        # (10 unchanged attributes hidden)

      - volume {
          - configure_at_launch = false -> null
          - name                = "efs" -> null

          - efs_volume_configuration {
              - file_system_id          = "fs-06898a9a35a2a8959" -> null
              - root_directory          = "/" -> null
              - transit_encryption      = "ENABLED" -> null
              - transit_encryption_port = 0 -> null

              - authorization_config {
                  - access_point_id = "fsap-09a16152758024a89" -> null
                }
            }
        }
      - volume {
          - configure_at_launch = false -> null
          - name                = "newrelic_logs" -> null
        }
      - volume {
          - configure_at_launch = false -> null
          - name                = "tmp" -> null
        }
      - volume {
          - configure_at_launch = false -> null
          - name                = "var_logs" -> null
        }
      + volume {
          + configure_at_launch = (known after apply)
          + name                = "efs"

          + efs_volume_configuration {
              + file_system_id          = "fs-06898a9a35a2a8959"
              + root_directory          = "/"
              + transit_encryption      = "ENABLED"
              + transit_encryption_port = 0

              + authorization_config {
                  + access_point_id = "fsap-09a16152758024a89"
                }
            }
        }
      + volume {
          + configure_at_launch = (known after apply)
          + name                = "newrelic_logs"
        }
      + volume {
          + configure_at_launch = (known after apply)
          + name                = "tmp"
        }
      + volume {
          + configure_at_launch = (known after apply)
          + name                = "var_logs"
        }
    }

Plan: 1 to add, 1 to change, 1 to destroy.
```
</details>

## 🎫 Ticket

https://jira.cms.gov/browse/PLT-1371

## 🛠 Changes

Add coverage for workflows in the .cdap dependabot configuration,
including terraform.

## ℹ️ Context

Changes are for extended scan coverage by dependabot.  

## 🧪 Validation

see checks

---------

Co-authored-by: Sean Fern <[email protected]>

## 🎫 Ticket

https://jira.cms.gov/browse/BCDA-9395

## 🛠 Changes

Updated the name of the ecs service execution role to include the full
service name (including app and env) to avoid name clashes between
different apps and envs.

## ℹ️ Context

<!-- Why were these changes made? Add background context suitable for a
non-technical audience. -->

<!-- If any of the following security implications apply, this PR must
not be merged without Stephen Walter's approval. Explain in this section
and add @SJWalter11 as a reviewer.
  - Adds a new software dependency or dependencies.
  - Modifies or invalidates one or more of our security controls.
  - Stores or transmits data that was not stored or transmitted before.
  - Requires additional review of security implications for other reasons.
-->

## 🧪 Validation

<!-- How were the changes verified? Did you fully test the acceptance
criteria in the ticket? Provide reproducible testing instructions and
screenshots if applicable. -->

@juliareynolds-nava juliareynolds-nava force-pushed the plt-1358_sops branch 2 times, most recently from 13a4845 to 012b65f Compare October 21, 2025 21:54
4 participants