KMS decryption before CloudFormation Orchestration
pc-alves opened this issue · comments
For senza files with sensitive parameters, those parameters would ideally be encrypted.
It is possible to use KMS encryption to avoid having those values as plain text in the senza definition file. This, however, means that those parameters must be decrypted before CloudFormation orchestration, and it will happen on a local machine running senza, or through lizzy.
The suggestion is to use the prefix senza:kms: to clearly identify these parameters.
For reasons of simplicity, those parameters should be in the SenzaInfo section.
Ex.:
```yaml
SenzaInfo:
  SensitiveParameter: "senza:kms:skdfjg-sdFDGS23rwfkgjhsdfGSDGER034teFSD"
SenzaComponents:
  (...)
      someParameter: {{SenzaInfo.SensitiveParameter}}
```
A concrete example for this functionality is ElastiGroup's SpotinstAccessToken parameter: https://github.com/zalando-stups/senza/blob/master/examples/elastigroup.yaml#L5
The inspiration for this approach comes from Taupage's use of KMS encryption. In that case the prefix is aws:kms:
Missing: Error handling for KMS exceptions:
- InvalidCiphertextException
- KeyUnavailableException
- KMSInvalidStateException
- KMSInternalException
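The following is an added example sketching what the proposed pre-orchestration step could look like; it is not senza's or lizzy's code and nothing in the issue fixes these names. It assumes, as Taupage does for aws:kms:, that the text after the senza:kms: prefix is base64 of the CiphertextBlob produced by kms.encrypt, and that the KMS client exposes a boto3-style decrypt(CiphertextBlob=...) raising a ClientError-like exception whose .response["Error"]["Code"] carries the exception name. To run offline it uses a constructed fake client instead of boto3; the four exception names it maps to a deployment error are exactly the ones listed above, and anything else propagates unchanged.

```python
import base64
import binascii
from typing import Any, Dict, Mapping

# Prefix proposed in the issue for SenzaInfo values that hold KMS ciphertext.
KMS_PREFIX = "senza:kms:"

# The KMS error codes the issue lists as still needing handling. botocore raises
# them as ClientError with exc.response["Error"]["Code"] equal to one of these.
KMS_ERROR_CODES = {
    "InvalidCiphertextException",
    "KeyUnavailableException",
    "KMSInvalidStateException",
    "KMSInternalException",
}


class SensitiveParameterError(Exception):
    """Raised when a senza:kms: parameter cannot be turned into plaintext."""


def decrypt_value(name: str, value: Any, kms_client: Any) -> Any:
    """Decrypt one senza:kms: value; anything without the prefix is returned as-is.

    Assumption (not stated in the issue): the ciphertext is base64-encoded, as in
    Taupage's aws:kms: convention. kms_client is anything with a boto3-style
    decrypt(CiphertextBlob=...) method.
    """
    if not isinstance(value, str) or not value.startswith(KMS_PREFIX):
        return value
    encoded = value[len(KMS_PREFIX):]
    try:
        blob = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise SensitiveParameterError(
            f"{name}: ciphertext after {KMS_PREFIX} is not valid base64 ({exc})"
        ) from None
    try:
        response = kms_client.decrypt(CiphertextBlob=blob)
    except Exception as exc:  # botocore ClientError, or the fake used below
        code = (getattr(exc, "response", None) or {}).get("Error", {}).get("Code")
        if code in KMS_ERROR_CODES:
            # Fail before any CloudFormation call is made; name the parameter,
            # but never echo the ciphertext or the plaintext into the error.
            raise SensitiveParameterError(
                f"{name}: KMS decrypt failed with {code}"
            ) from None
        raise  # unlisted errors (e.g. access denied) keep their original type
    return response["Plaintext"].decode("utf-8")


def decrypt_senza_info(senza_info: Mapping[str, Any], kms_client: Any) -> Dict[str, Any]:
    """Return a copy of SenzaInfo with every senza:kms: value decrypted.

    This is the step that would run on the senza host (or in lizzy) before the
    CloudFormation template is generated. Only top-level SenzaInfo keys are
    considered, matching the placement the issue proposes.
    """
    return {key: decrypt_value(key, val, kms_client) for key, val in senza_info.items()}


# ---- constructed offline stand-ins for boto3, for demonstration only ----

class FakeClientError(Exception):
    """Mimics botocore.exceptions.ClientError's .response structure."""

    def __init__(self, code: str, operation: str = "Decrypt"):
        super().__init__(f"An error occurred ({code}) when calling the {operation} operation")
        self.response = {"Error": {"Code": code, "Message": ""}}


class FakeKmsClient:
    """Stand-in for boto3.client('kms'): maps known blobs to plaintext or to an error code."""

    def __init__(self, plaintexts: Dict[bytes, bytes], failures: Dict[bytes, str]):
        self.plaintexts = plaintexts
        self.failures = failures

    def decrypt(self, CiphertextBlob: bytes, **kwargs: Any) -> Dict[str, Any]:
        if CiphertextBlob in self.failures:
            raise FakeClientError(self.failures[CiphertextBlob])
        return {"Plaintext": self.plaintexts[CiphertextBlob], "KeyId": "fake-key-id"}


GOOD_BLOB = b"\x01\x02\x03constructed-ciphertext"   # constructed sample, not real KMS output
BAD_BLOB = b"\x01\x02\x03constructed-tampered"
DEMO_CLIENT = FakeKmsClient(
    plaintexts={GOOD_BLOB: b"spotinst-token-value"},
    failures={BAD_BLOB: "InvalidCiphertextException"},
)


def encode(blob: bytes) -> str:
    """Build the senza:kms: form of a ciphertext blob (base64 assumption above)."""
    return KMS_PREFIX + base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    info = {"StackName": "elastigroup-demo", "SpotinstAccessToken": encode(GOOD_BLOB)}
    print(decrypt_senza_info(info, DEMO_CLIENT))
```

With a real boto3 client, `boto3.client("kms").decrypt` can be passed in place of DEMO_CLIENT unchanged; the base64 and error-code handling is the part the issue says is missing, and keeping the plaintext out of exception messages matters because those messages end up in build logs on the machine or lizzy instance doing the decryption.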