This demonstrates a generic way to handle a bank application's deployment secrets across prod and nonprod environments.
Note that you could split this process into several distributed parts:
* a reference file to store the encryption key, using keyref
* dynamically pointing at the nonprod or prod key at deployment time for decryption
* automating the step that encrypts the password and using the encrypted value in a dvar, or
* externalizing the dvar values to a file, encrypting the whole dvar file, and dynamically decrypting it at runtime
The solution is flexible: you are not bound to a third-party tool or binary for your implementation, and it integrates seamlessly with your own workflow.
vars:
  bank_acct: 1234-5678

scopes:
  - name: nonprod
    members: [dev, staging]
    vars:
      # in a real CI/CD case, this should come from a secure location
      # you can dynamically get it from an ENV var
      # or you can use a secure API call to a backend
      enc_key: my_non_enc_key
  - name: prod
    members: [prod]
    vars:
      # in a real CI/CD case, this should come from a secure location
      # you can dynamically get it from an ENV var
      # or you can use a secure API call to a backend
      enc_key: my_prod_enc_key

dvars:
  - name: bank_password_encrypted
    value: '{{ "mybankpassword" | encryptAES .enc_key }}'
    flags: [vvvv]
  - name: bank_password_decrypted
    value: '{{ .bank_password_encrypted | decryptAES .enc_key }}'
    flags: [vvvv]
  - name: bank_password
    # this should be the final way to configure it
    # or this value could come from a ref file
    value: '6HmsmiJIW1PfIXcF4WwOKOMDiL7PstgfKs2aRFajrwY='
    flags:
      - vvvv
    secure:
      type: default_aes
      # the key value is the name of the var that holds the key
      key: enc_key
  - name: bank_password_using_defause_config
    # keyref: /a/secure/location/key.file
    desc: simply use the secure flag, it will use the default Secure setting configured in the upconfig.yml file
    value: '6HmsmiJIW1PfIXcF4WwOKOMDiL7PstgfKs2aRFajrwY='
    flags:
      - v
      - secure

tasks:
  - name: task
    task:
      - func: call
        do: task_generate_password

  - name: task_generate_password
    task:
      - func: shell
        do:
          - echo "bank account [{{.bank_acct}}]"
          - echo "bank password encrypted [{{.bank_password_encrypted}}]"
          - echo "bank password [{{.bank_password}}]"
          - echo "secure bank password [{{.secure_bank_password}}]"
          - echo "bank password using default config [{{.bank_password_using_defause_config}}]"
          - echo "secure bank password using default config [{{.secure_bank_password_using_defause_config}}]"
loading [Config]: ./tests/functests/upconfig.yml
Main config:
Version -> 1.0.0
RefDir -> ./tests/functests
WorkDir -> cwd
AbsWorkDir -> /up_project/up
TaskFile -> c0051
Verbose -> vvv
ModuleName -> self
ShellType -> /bin/sh
MaxCallLayers -> 8
Timeout -> 3600000
MaxModuelCallLayers -> 256
EntryTask -> task
ModRepoUsernameRef ->
ModRepoPasswordRef ->
work dir: /up_project/up
-exec task: task
loading [Task]: ./tests/functests/c0051
module: [self], instance id: [dev], exec profile: []
profile - envVars:
(*core.Cache)({
})
dvar> bank_password_encrypted:
"PrlhCeErYndmCBcplajkzSZYvv1/5aZSXlX5yttrScY="
-
PrlhCeErYndmCBcplajkzSZYvv1/5aZSXlX5yttrScY=
dvar> bank_password_decrypted:
"mybankpassword"
-
mybankpassword
dvar> bank_password:
"6HmsmiJIW1PfIXcF4WwOKOMDiL7PstgfKs2aRFajrwY="
-
6HmsmiJIW1PfIXcF4WwOKOMDiL7PstgfKs2aRFajrwY=
dvar> bank_password_using_defause_config:
"6HmsmiJIW1PfIXcF4WwOKOMDiL7PstgfKs2aRFajrwY="
-
6HmsmiJIW1PfIXcF4WwOKOMDiL7PstgfKs2aRFajrwY=
Task1: [task ==> task: ]
-Step1:
self: final context exec vars:
(*core.Cache)({
"bank_password": "6HmsmiJIW1PfIXcF4WwOKOMDiL7PstgfKs2aRFajrwY=",
"up_runtime_task_layer_number": 0,
"bank_password_encrypted": "PrlhCeErYndmCBcplajkzSZYvv1/5aZSXlX5yttrScY=",
"bank_password_using_defause_config": "6HmsmiJIW1PfIXcF4WwOKOMDiL7PstgfKs2aRFajrwY=",
"enc_key": "my_non_enc_key",
"bank_acct": "1234-5678",
"bank_password_decrypted": "mybankpassword"
})
=Task2: [task ==> task_generate_password: ]
--Step1:
self: final context exec vars:
(*core.Cache)({
"up_runtime_task_layer_number": 1,
"bank_password_using_defause_config": "6HmsmiJIW1PfIXcF4WwOKOMDiL7PstgfKs2aRFajrwY=",
"bank_acct": "1234-5678",
"enc_key": "my_non_enc_key",
"bank_password": "6HmsmiJIW1PfIXcF4WwOKOMDiL7PstgfKs2aRFajrwY=",
"bank_password_encrypted": "PrlhCeErYndmCBcplajkzSZYvv1/5aZSXlX5yttrScY=",
"bank_password_decrypted": "mybankpassword"
})
cmd( 1):
echo "bank account [{{.bank_acct}}]"
-
bank account [1234-5678]
-
.. ok
cmd( 2):
echo "bank password encrypted [{{.bank_password_encrypted}}]"
-
bank password encrypted [PrlhCeErYndmCBcplajkzSZYvv1/5aZSXlX5yttrScY=]
-
.. ok
cmd( 3):
echo "bank password [{{.bank_password}}]"
-
bank password [6HmsmiJIW1PfIXcF4WwOKOMDiL7PstgfKs2aRFajrwY=]
-
.. ok
cmd( 4):
echo "secure bank password [{{.secure_bank_password}}]"
-
secure bank password [mybankpassword]
-
.. ok
cmd( 5):
echo "bank password using default config [{{.bank_password_using_defause_config}}]"
-
bank password using default config [6HmsmiJIW1PfIXcF4WwOKOMDiL7PstgfKs2aRFajrwY=]
-
.. ok
cmd( 6):
echo "secure bank password using default config [{{.secure_bank_password_using_defause_config}}]"
-
secure bank password using default config [mybankpassword]
-
.. ok
. ok
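As an added example that is not part of the up project's code, the following Go program models the scope-keyed workflow of the task file above: the instance id (dev, staging, prod) selects enc_key, the password is encrypted once and only the ciphertext is stored, and decryption under the wrong scope's key fails instead of yielding garbage. It assumes a SHA-256-derived AES-256-GCM key; up's own encryptAES/decryptAES scheme is not shown on this page, so values produced here are not interchangeable with the page's ciphertexts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// scopeKey mirrors the scopes block: dev and staging share the nonprod key, prod has its own.
var scopeKey = map[string]string{"dev": "my_non_enc_key", "staging": "my_non_enc_key", "prod": "my_prod_enc_key"}

// KeyFor resolves enc_key for an instance id and refuses instances that belong to no scope.
func KeyFor(instance string) (string, error) {
	if k, ok := scopeKey[instance]; ok {
		return k, nil
	}
	return "", errors.New("instance " + instance + " belongs to no scope")
}

// newGCM derives an AES-256 key from enc_key via SHA-256 (an assumption, not up's own scheme); a 32-byte key means neither constructor can fail.
func newGCM(encKey string) cipher.AEAD {
	sum := sha256.Sum256([]byte(encKey))
	block, _ := aes.NewCipher(sum[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// EncryptAES returns base64(nonce || ciphertext || tag); a fresh nonce per call means the same password never yields the same stored value twice.
func EncryptAES(encKey, plaintext string) (string, error) {
	gcm := newGCM(encKey)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// DecryptAES reverses EncryptAES; the GCM tag check fails for a value encrypted under another scope's key or altered in storage, so nothing opens silently.
func DecryptAES(encKey, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	gcm := newGCM(encKey)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed ciphertext: not produced by EncryptAES")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(pt), err
}
```

Run DecryptAES with the prod key against a value produced under the nonprod key to see the cross-scope failure the task file's scopes are designed to cause.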