Merge pull request #793 from ministryofjustice/feature/ND-564-Documen…

…t-process-to-hide-secrets-in-nacs-task-defs Feature/nd 564 document process to hide secrets in nacs task defs
ministryofjustice · Nov 12, 2024 · 4419f00 · 4419f00
2 parents 0b0fb39 + d65789c
commit 4419f00
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 15 deletions.
diff --git a/source/documentation/adrs/013-use-aws-secrets-manager-for-secrets.html.md.erb b/source/documentation/adrs/013-use-aws-secrets-manager-for-secrets.html.md.erb
@@ -0,0 +1,29 @@
+---
+owner_slack: "#nvvs-devops"
+title: 006 - Use AWS Secrets Manager for Secrets
+last_reviewed_on: 2024-11-07
+review_in: 6 months
+---
+
+# 013 - Use AWS Secrets Manager for Secrets
+  Date: 2020-11-07
+
+## Status
+✅ Accepted
+
+## Context
+
+There is a need to store infrastructure secrets securely in the [PTTP](https://ministry-of-justice-acronyms.service.justice.gov.uk/#:~:text=Prison%20Technology%20Transformation%20Programme) programme. Typical examples of secrets include API keys to reference external services, and AWS account IDs.
+
+## Decision
+
+Use AWS Secrets Manager.
+- Aligned with [MoJ Security Guidance](https://security-guidance.service.justice.gov.uk/secrets-management/#application--infrastructure-secrets)
+- Compatible with AWS services e.g. [CodePipelines](https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#build-spec-ref-example)
+- AWS Secrets Manager has the ability to automatically rotate secrets for AWS RDS access. AWS Secrets Manager has a higher cost than AWS SSM Parameter Store.
+- AWS Secrets Manager has a higher cost than AWS SSM Parameter Store.
+
+### Alternative Considerations:
+
+#### HashiCorp Vault
+HashiCorp Vault is an open-source secret management solution. In order to use it we would have to host and manage an instance of the service ourselves. The cost of hosting, as well as the time to ensure data has appropriate backups, gives this service a high maintenance cost and overhead.
diff --git a/source/documentation/adrs/adr-index.html.md.erb b/source/documentation/adrs/adr-index.html.md.erb
@@ -11,21 +11,22 @@ This is a record of architectural decisions made by the NVVS DevOps team.
 
 To understand why we are recording decisions and how we are doing it, please see ADR-000
 
-| ADR no. | Status | Title |
-| :-- | :-- | :-- |
-| ADR-000 | ✅ | [Record architecture decisions](000-record-architecture-decisions.html) |
-| ADR-001 | ✅ | [Use BIND for Domain Naming System](001-use-bind-for-device-domain-naming-system.html) |
-| ADR-002 | ❌ | [Use Cloud Platform to host DHCP DNS](002-use-cloud-platform-to-host-dhcp-dns.html) |
-| ADR-003 | ✅ |  [Use AWS Elastic Container Service for DHCP DNS](003-use-aws-elastic-container-service-for-dhcp-dns.html) |
-| ADR-004 | ⌛️ | [Use AWS CodePipelines for CI/CD](004-use-aws-codepiplines-for-cicd.html) |
-| ADR-005 | ✅ | [Use Log Aggregation Platform for logging](005-use-log-aggregration-platform-for-logging.html) |
-| ADR-006 | ✅ | [Use AWS Parameter Store for secrets](006-use-aws-parameter-store-for-secrets.html) |
-| ADR-007 | ✅ | [Use Prometheus and Grafana for monitoring and alerting](007-use-prometheus-and-grafana-for-metrics-alerting.html) |
-| ADR-008 | ✅ | [Use AWS Elastic Container Registry](008-use-aws-elastic-container-registry.html) |
-| ADR-009 | ✅ | [Use AWS SSO for AWS account access](009-use-aws-sso-for-aws-account-access.html) |
-| ADR-010 | ✅ | [Use AWS EKS for monitoring infrastructure](010-use-aws-eks-for-monitoring-infrastructure.html) |
-| ADR-011 | ✅ | [Use GitHub Actions for CI/CD](011-use-github-actions-for-ci-cd.html) |
-| ADR-012 | ✅ | [Use TechDocs for ADRs](012-use-techdocs-for-adrs.html) |
+| ADR no. | Status | Title                                                                                                              |
+|:--------|:-------|:-------------------------------------------------------------------------------------------------------------------|
+| ADR-000 | ✅      | [Record architecture decisions](000-record-architecture-decisions.html)                                            |
+| ADR-001 | ✅      | [Use BIND for Domain Naming System](001-use-bind-for-device-domain-naming-system.html)                             |
+| ADR-002 | ❌      | [Use Cloud Platform to host DHCP DNS](002-use-cloud-platform-to-host-dhcp-dns.html)                                |
+| ADR-003 | ✅      | [Use AWS Elastic Container Service for DHCP DNS](003-use-aws-elastic-container-service-for-dhcp-dns.html)          |
+| ADR-004 | ⌛️     | [Use AWS CodePipelines for CI/CD](004-use-aws-codepiplines-for-cicd.html)                                          |
+| ADR-005 | ✅      | [Use Log Aggregation Platform for logging](005-use-log-aggregration-platform-for-logging.html)                     |
+| ADR-006 | ⌛️     | [Use AWS Parameter Store for secrets](006-use-aws-parameter-store-for-secrets.html)                                |
+| ADR-007 | ✅      | [Use Prometheus and Grafana for monitoring and alerting](007-use-prometheus-and-grafana-for-metrics-alerting.html) |
+| ADR-008 | ✅      | [Use AWS Elastic Container Registry](008-use-aws-elastic-container-registry.html)                                  |
+| ADR-009 | ✅      | [Use AWS SSO for AWS account access](009-use-aws-sso-for-aws-account-access.html)                                  |
+| ADR-010 | ✅      | [Use AWS EKS for monitoring infrastructure](010-use-aws-eks-for-monitoring-infrastructure.html)                    |
+| ADR-011 | ✅      | [Use GitHub Actions for CI/CD](011-use-github-actions-for-ci-cd.html)                                              |
+| ADR-012 | ✅      | [Use TechDocs for ADRs](012-use-techdocs-for-adrs.html)                                                            |
+| ADR-013 | ✅️      | [Use AWS Secrets Manager for secrets](013-use-aws-secrets-manager-for-secrets.html)                                |
 
 ## Statuses
 - ✅ Accepted