@govuk-pay/cli 0.0.42 → 0.0.44
- package/package.json +1 -1
- package/resources/legacy-ruby-cli/config/secrets.yml +50 -0
- package/resources/legacy-ruby-cli/config/service_secrets.yml +14 -0
- package/src/commands/secrets/subcommands/audit.js +30 -0
- package/src/commands/secrets/subcommands/copy.js +35 -0
- package/src/commands/secrets/subcommands/fetch.js +47 -0
- package/src/commands/secrets/subcommands/provision.js +30 -0
- package/src/commands/secrets/utils/preflight.js +47 -0
- package/src/commands/secrets.js +11 -0
package/package.json
CHANGED
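--- a/package/resources/legacy-ruby-cli/config/secrets.yml
+++ b/package/resources/legacy-ruby-cli/config/secrets.yml
@@ -65,6 +65,7 @@ pay-low-pass:
 master_db_password: aws/rds/superuser/deploy-tooling/pact-broker/password # pragma: allowlist secret
 DB_PASSWORD: aws/rds/application_users/deploy/pact_broker # pragma: allowlist secret
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/deploy/pact_broker_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/deploy/pact_broker_support_readwrite # pragma: allowlist secret
 stubs:
 smartpay-expected-password: pay-stubs/smartpay/expected-password
 smartpay-expected-user: pay-stubs/smartpay/expected-user
@@ -74,6 +75,7 @@ pay-low-pass:
 adminusers:
 DB_PASSWORD: aws/rds/application_users/test/adminusers1
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/test/adminusers_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/test/adminusers_support_readwrite # pragma: allowlist secret
 NOTIFY_API_KEY: notify/api_key/ci/test.adminusers.notify_api_key
 SENTRY_DSN: sentry_io/adminusers_dsn
 cardid:
@@ -81,6 +83,7 @@ pay-low-pass:
 connector:
 DB_PASSWORD: aws/rds/application_users/test/connector2
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/test/connector_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/test/connector_support_readwrite # pragma: allowlist secret
 NOTIFY_API_KEY: notify/api_key/ci/test.connector.notify_api_key
 GDS_CONNECTOR_STRIPE_AUTH_TOKEN: stripe/test/test/account-api-key
 GDS_CONNECTOR_STRIPE_AUTH_LIVE_TOKEN: stripe/test/test/account-api-key
@@ -110,10 +113,12 @@ pay-low-pass:
 ledger:
 DB_PASSWORD: aws/rds/application_users/test/ledger
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/test/ledger_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/test/ledger_support_readwrite # pragma: allowlist secret
 SENTRY_DSN: sentry_io/ledger_dsn
 webhooks:
 DB_PASSWORD: aws/rds/application_users/test/webhooks # pragma: allowlist secret
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/test/webhooks_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/test/webhooks_support_readwrite # pragma: allowlist secret
 SENTRY_DSN: sentry_io/webhooks_dsn
 product-page:
 pager_duty_cloudwatch_integration_url: pager-duty/govuk-pay-product-page/amazon-cloudwatch-integration-url
@@ -126,6 +131,7 @@ pay-low-pass:
 DB_USER: ""
 DB_PASSWORD: ""
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/test/publicauth_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/test/publicauth_support_readwrite # pragma: allowlist secret
 # These secrets are used by the app, but having them set to an empty string tries to overwrite working secrets with
 # the words 'Password Store'. They are not in pay-low-pass, so for now to stop them being overwritten I'm commenting them out
 # TOKEN_DB_BCRYPT_SALT: ""
@@ -135,6 +141,7 @@ pay-low-pass:
 DB_USER: ""
 DB_PASSWORD: ""
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/test/products_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/test/products_support_readwrite # pragma: allowlist secret
 SENTRY_DSN: sentry_io/products_dsn
 products-ui:
 SESSION_ENCRYPTION_KEY: ""
@@ -171,6 +178,7 @@ pay-low-pass:
 adminusers:
 DB_PASSWORD: aws/rds/application_users/test/adminusers
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/test-perf/adminusers_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/test-perf/adminusers_support_readwrite # pragma: allowlist secret
 NOTIFY_API_KEY: notify/api_key/ci/test_perf.adminusers.notify_api_key # pragma: allowlist secret
 SENTRY_DSN: sentry_io/adminusers_dsn
 cardid:
@@ -178,6 +186,7 @@ pay-low-pass:
 connector:
 DB_PASSWORD: aws/rds/superuser/test-12/connector/payment-password
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/test-perf/connector_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/test-perf/connector_support_readwrite # pragma: allowlist secret
 NOTIFY_API_KEY: notify/api_key/ci/test_perf.connector.notify_api_key # pragma: allowlist secret
 GDS_CONNECTOR_STRIPE_AUTH_TOKEN: stripe/test/test/account-api-key
 GDS_CONNECTOR_STRIPE_AUTH_LIVE_TOKEN: stripe/test/test/account-api-key
@@ -207,6 +216,7 @@ pay-low-pass:
 ledger:
 DB_PASSWORD: aws/rds/application_users/test/ledger
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/test-perf/ledger_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/test-perf/ledger_support_readwrite # pragma: allowlist secret
 SENTRY_DSN: sentry_io/ledger_dsn
 publicapi:
 # These secrets are used by the app, but having them set to an empty string tries to overwrite working secrets with
@@ -217,6 +227,7 @@ pay-low-pass:
 DB_USER: ""
 DB_PASSWORD: ""
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/test-perf/publicauth_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/test-perf/publicauth_support_readwrite # pragma: allowlist secret
 # These secrets are used by the app, but having them set to an empty string tries to overwrite working secrets with
 # the words 'Password Store'. They are not in pay-low-pass, so for now to stop them being overwritten I'm commenting them out
 # TOKEN_DB_BCRYPT_SALT: ""
@@ -226,6 +237,7 @@ pay-low-pass:
 DB_USER: ""
 DB_PASSWORD: ""
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/test-perf/products_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/test-perf/products_support_readwrite # pragma: allowlist secret
 SENTRY_DSN: sentry_io/products_dsn
 products-ui:
 SESSION_ENCRYPTION_KEY: ""
@@ -260,6 +272,7 @@ pay-low-pass:
 webhooks:
 DB_PASSWORD: aws/rds/application_users/test/webhooks # pragma: allowlist secret
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/test-perf/webhooks_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/test-perf/webhooks_support_readwrite # pragma: allowlist secret
 SENTRY_DSN: sentry_io/webhooks_dsn
 test:
 alb_and_s3_logging_pipeline:
@@ -279,6 +292,7 @@ pay-low-pass:
 adminusers:
 DB_PASSWORD: aws/rds/application_users/staging/adminusers1
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/staging/adminusers_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/staging/adminusers_support_readwrite # pragma: allowlist secret
 NOTIFY_API_KEY: notify/api_key/deploy/staging.adminusers.notify_api_key
 SENTRY_DSN: sentry_io/adminusers_dsn
 cardid:
@@ -286,6 +300,7 @@ pay-low-pass:
 connector:
 DB_PASSWORD: aws/rds/application_users/staging/connector1
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/staging/connector_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/staging/connector_support_readwrite # pragma: allowlist secret
 NOTIFY_API_KEY: notify/api_key/deploy/staging.connector.notify_api_key
 GDS_CONNECTOR_STRIPE_AUTH_TOKEN: stripe/staging/test/account-api-key
 GDS_CONNECTOR_STRIPE_AUTH_LIVE_TOKEN: stripe/staging/test/account-api-key
@@ -313,9 +328,11 @@ pay-low-pass:
 ledger:
 DB_PASSWORD: aws/rds/application_users/staging/ledger
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/staging/ledger_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/staging/ledger_support_readwrite # pragma: allowlist secret
 SENTRY_DSN: sentry_io/ledger_dsn
 products:
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/staging/products_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/staging/products_support_readwrite # pragma: allowlist secret
 SENTRY_DSN: sentry_io/products_dsn
 products-ui:
 SENTRY_DSN: sentry_io/products_ui_dsn
@@ -328,6 +345,7 @@ pay-low-pass:
 # TOKEN_API_HMAC_SECRET: ""
 publicauth:
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/staging/publicauth_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/staging/publicauth_support_readwrite # pragma: allowlist secret
 SENTRY_DSN: sentry_io/publicauth_dsn
 # These secrets are used by the app, but having them set to an empty string tries to overwrite working secrets with
 # the words 'Password Store'. They are not in pay-low-pass, so for now to stop them being overwritten I'm commenting them out
@@ -364,6 +382,7 @@ pay-low-pass:
 webhooks:
 DB_PASSWORD: aws/rds/application_users/staging/webhooks # pragma: allowlist secret
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/staging/webhooks_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/staging/webhooks_support_readwrite # pragma: allowlist secret
 SENTRY_DSN: sentry_io/webhooks_dsn
 webhooks_intrusion_monitoring:
 pager_duty_cloudwatch_integration_url: pager-duty/govuk-pay-staging-webhooks/amazon-cloudwatch-integration-url
@@ -374,6 +393,7 @@ pay-low-pass:
 adminusers:
 DB_PASSWORD: aws/rds/application_users/production/adminusers1
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/production/adminusers_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/production/adminusers_support_readwrite # pragma: allowlist secret
 NOTIFY_API_KEY: notify/api_key/deploy/production.adminusers.notify_api_key
 SENTRY_DSN: sentry_io/adminusers_dsn
 cardid:
@@ -381,6 +401,7 @@ pay-low-pass:
 connector:
 DB_PASSWORD: aws/rds/application_users/production/connector2
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/production/connector_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/production/connector_support_readwrite # pragma: allowlist secret
 NOTIFY_API_KEY: notify/api_key/deploy/production.connector.notify_api_key
 GDS_CONNECTOR_STRIPE_AUTH_TOKEN: stripe/production/test/account-api-key
 GDS_CONNECTOR_STRIPE_AUTH_LIVE_TOKEN: stripe/production/live/account-api-key
@@ -410,6 +431,7 @@ pay-low-pass:
 ledger:
 DB_PASSWORD: aws/rds/application_users/production/ledger
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/production/ledger_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/production/ledger_support_readwrite # pragma: allowlist secret
 SENTRY_DSN: sentry_io/ledger_dsn
 network:
 PAGER_DUTY_CLOUDWATCH_ALB_INTEGRATION_URL: pager-duty/govuk-pay-cloudwatch-alb/amazon-cloudwatch-integration-url
@@ -417,6 +439,7 @@ pay-low-pass:
 pager_duty_cloudwatch_integration_url: pager-duty/govuk-pay-product-page/amazon-cloudwatch-integration-url
 products:
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/production/products_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/production/products_support_readwrite # pragma: allowlist secret
 SENTRY_DSN: sentry_io/products_dsn
 products-ui:
 SENTRY_DSN: sentry_io/products_ui_dsn
@@ -427,6 +450,7 @@ pay-low-pass:
 SENTRY_DSN: sentry_io/publicapi_dsn
 publicauth:
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/production/publicauth_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/production/publicauth_support_readwrite # pragma: allowlist secret
 SENTRY_DSN: sentry_io/publicauth_dsn
 # These secrets are used by the app, but having them set to an empty string tries to overwrite working secrets with
 # the words 'Password Store'. They are not in pay-low-pass, so for now to stop them being overwritten I'm commenting them out
@@ -461,6 +485,7 @@ pay-low-pass:
 webhooks:
 DB_PASSWORD: aws/rds/application_users/production/webhooks # pragma: allowlist secret
 DB_SUPPORT_PASSWORD_READONLY: aws/rds/support_readonly_users/production/webhooks_support_readonly # pragma: allowlist secret
+DB_SUPPORT_PASSWORD_READWRITE: aws/rds/support_readwrite_users/production/webhooks_support_readwrite # pragma: allowlist secret
 SENTRY_DSN: sentry_io/webhooks_dsn
 webhooks_intrusion_monitoring:
 pager_duty_cloudwatch_integration_url: pager-duty/govuk-pay/amazon-cloudwatch-integration-url
@@ -502,14 +527,17 @@ value:
 pact-broker:
 DB_USER: "pact_broker"
 DB_SUPPORT_USER_READONLY: "pact_broker_support_readonly"
+DB_SUPPORT_USER_READWRITE: "pact_broker_support_readwrite"
 test-12:
 adminusers:
 DB_USER: "adminusers1"
 DB_SUPPORT_USER_READONLY: "adminusers_support_readonly"
+DB_SUPPORT_USER_READWRITE: "adminusers_support_readwrite"
 NOTIFY_SECRET: ""
 connector:
 DB_USER: "connector2"
 DB_SUPPORT_USER_READONLY: "connector_support_readonly"
+DB_SUPPORT_USER_READWRITE: "connector_support_readwrite"
 NOTIFY_SECRET: ""
 frontend:
 AB_TEST_THRESHOLD: "50"
@@ -518,15 +546,19 @@ value:
 ledger:
 DB_USER: "ledger"
 DB_SUPPORT_USER_READONLY: "ledger_support_readonly"
+DB_SUPPORT_USER_READWRITE: "ledger_support_readwrite"
 webhooks:
 DB_USER: "webhooks"
 DB_SUPPORT_USER_READONLY: "webhooks_support_readonly"
+DB_SUPPORT_USER_READWRITE: "webhooks_support_readwrite"
 publicauth:
 DB_USER: "publicauth1"
 DB_SUPPORT_USER_READONLY: "publicauth_support_readonly"
+DB_SUPPORT_USER_READWRITE: "publicauth_support_readwrite"
 products:
 DB_USER: "products"
 DB_SUPPORT_USER_READONLY: "products_support_readonly"
+DB_SUPPORT_USER_READWRITE: "products_support_readwrite"
 toolbox:
 AUTH_GITHUB_VIEW_ONLY_TEAM_ID: "3304536"
 AUTH_GITHUB_USER_SUPPORT_TEAM_ID: "3304536"
@@ -537,10 +569,12 @@ value:
 adminusers:
 DB_USER: "adminusers"
 DB_SUPPORT_USER_READONLY: "adminusers_support_readonly"
+DB_SUPPORT_USER_READWRITE: "adminusers_support_readwrite"
 NOTIFY_SECRET: ""
 connector:
 DB_USER: "connector"
 DB_SUPPORT_USER_READONLY: "connector_support_readonly"
+DB_SUPPORT_USER_READWRITE: "connector_support_readwrite"
 NOTIFY_SECRET: ""
 frontend:
 AB_TEST_THRESHOLD: "50"
@@ -549,12 +583,15 @@ value:
 ledger:
 DB_USER: "ledger"
 DB_SUPPORT_USER_READONLY: "ledger_support_readonly"
+DB_SUPPORT_USER_READWRITE: "ledger_support_readwrite"
 publicauth:
 DB_USER: "publicauth"
 DB_SUPPORT_USER_READONLY: "publicauth_support_readonly"
+DB_SUPPORT_USER_READWRITE: "publicauth_support_readwrite"
 products:
 DB_USER: "products"
 DB_SUPPORT_USER_READONLY: "products_support_readonly"
+DB_SUPPORT_USER_READWRITE: "products_support_readwrite"
 terraform:
 PERF_ENV: "true"
 toolbox:
@@ -566,14 +603,17 @@ value:
 webhooks:
 DB_USER: "webhooks"
 DB_SUPPORT_USER_READONLY: "webhooks_support_readonly"
+DB_SUPPORT_USER_READWRITE: "webhooks_support_readwrite"
 staging-2:
 adminusers:
 DB_USER: "adminusers1"
 DB_SUPPORT_USER_READONLY: "adminusers_support_readonly"
+DB_SUPPORT_USER_READWRITE: "adminusers_support_readwrite"
 NOTIFY_SECRET: ""
 connector:
 DB_USER: "connector1"
 DB_SUPPORT_USER_READONLY: "connector_support_readonly"
+DB_SUPPORT_USER_READWRITE: "connector_support_readwrite"
 NOTIFY_SECRET: ""
 frontend:
 AB_TEST_THRESHOLD: "50"
@@ -582,12 +622,15 @@ value:
 ledger:
 DB_USER: "ledger"
 DB_SUPPORT_USER_READONLY: "ledger_support_readonly"
+DB_SUPPORT_USER_READWRITE: "ledger_support_readwrite"
 publicauth:
 DB_USER: "publicauth1"
 DB_SUPPORT_USER_READONLY: "publicauth_support_readonly"
+DB_SUPPORT_USER_READWRITE: "publicauth_support_readwrite"
 products:
 DB_USER: "products"
 DB_SUPPORT_USER_READONLY: "products_support_readonly"
+DB_SUPPORT_USER_READWRITE: "products_support_readwrite"
 toolbox:
 AUTH_GITHUB_VIEW_ONLY_TEAM_ID: "3304500"
 AUTH_GITHUB_USER_SUPPORT_TEAM_ID: "3304500"
@@ -597,26 +640,32 @@ value:
 webhooks:
 DB_USER: "webhooks"
 DB_SUPPORT_USER_READONLY: "webhooks_support_readonly"
+DB_SUPPORT_USER_READWRITE: "webhooks_support_readwrite"
 production-2:
 adminusers:
 DB_USER: "adminusers1"
 DB_SUPPORT_USER_READONLY: "adminusers_support_readonly"
+DB_SUPPORT_USER_READWRITE: "adminusers_support_readwrite"
 NOTIFY_SECRET: ""
 connector:
 DB_USER: "connector2"
 DB_SUPPORT_USER_READONLY: "connector_support_readonly"
+DB_SUPPORT_USER_READWRITE: "connector_support_readwrite"
 NOTIFY_SECRET: ""
 frontend:
 AB_TEST_THRESHOLD: "50"
 ledger:
 DB_USER: "ledger"
 DB_SUPPORT_USER_READONLY: "ledger_support_readonly"
+DB_SUPPORT_USER_READWRITE: "ledger_support_readwrite"
 publicauth:
 DB_USER: "publicauth1"
 DB_SUPPORT_USER_READONLY: "publicauth_support_readonly"
+DB_SUPPORT_USER_READWRITE: "publicauth_support_readwrite"
 products:
 DB_USER: "products"
 DB_SUPPORT_USER_READONLY: "products_support_readonly"
+DB_SUPPORT_USER_READWRITE: "products_support_readwrite"
 toolbox:
 AUTH_GITHUB_VIEW_ONLY_TEAM_ID: "7196958"
 AUTH_GITHUB_USER_SUPPORT_TEAM_ID: "3304532"
@@ -626,3 +675,4 @@ value:
 webhooks:
 DB_USER: "webhooks"
 DB_SUPPORT_USER_READONLY: "webhooks_support_readonly"
+DB_SUPPORT_USER_READWRITE: "webhooks_support_readwrite"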
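Review bot: The added `DB_SUPPORT_PASSWORD_READWRITE` and `DB_SUPPORT_USER_READWRITE` entries place the read-write support role names and their secret-store paths for every environment, production included, in a file that ships inside the published package (the path is under `package/resources/`). These are references rather than secret values, but they still describe the internal credential layout. It is worth confirming that `resources/legacy-ruby-cli/config` has to be distributed with the package rather than read from a private source at run time. The new keys also have no comment saying who may use the read-write support role or under what approval; a short comment above the first `DB_SUPPORT_PASSWORD_READWRITE` entry recording that intent would help the next reviewer.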
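--- a/package/resources/legacy-ruby-cli/config/service_secrets.yml
+++ b/package/resources/legacy-ruby-cli/config/service_secrets.yml
@@ -4,6 +4,8 @@ adminusers:
 - DB_PASSWORD
 - DB_SUPPORT_USER_READONLY
 - DB_SUPPORT_PASSWORD_READONLY
+- DB_SUPPORT_USER_READWRITE
+- DB_SUPPORT_PASSWORD_READWRITE
 - NOTIFY_API_KEY
 - NOTIFY_SECRET
 - SENTRY_DSN
@@ -19,6 +21,8 @@ connector:
 - DB_PASSWORD
 - DB_SUPPORT_USER_READONLY
 - DB_SUPPORT_PASSWORD_READONLY
+- DB_SUPPORT_USER_READWRITE
+- DB_SUPPORT_PASSWORD_READWRITE
 - NOTIFY_SECRET
 - NOTIFY_API_KEY
 - GDS_CONNECTOR_STRIPE_AUTH_TOKEN
@@ -43,6 +47,8 @@ pact-broker:
 - DB_PASSWORD
 - DB_SUPPORT_USER_READONLY
 - DB_SUPPORT_PASSWORD_READONLY
+- DB_SUPPORT_USER_READWRITE
+- DB_SUPPORT_PASSWORD_READWRITE
 pact-broker-auth:
 - pact-broker-basic-auth-password
 - pact-broker-basic-auth-username
@@ -74,6 +80,8 @@ publicauth:
 - DB_PASSWORD
 - DB_SUPPORT_USER_READONLY
 - DB_SUPPORT_PASSWORD_READONLY
+- DB_SUPPORT_USER_READWRITE
+- DB_SUPPORT_PASSWORD_READWRITE
 # These secrets are used by the app, but having them set to an empty string tries to overwrite working secrets with
 # the words 'Password Store'. They are not in pay-low-pass, so for now to stop them being overwritten I'm commenting them out
 # - TOKEN_DB_BCRYPT_SALT
@@ -86,6 +94,8 @@ products:
 - DB_PASSWORD
 - DB_SUPPORT_USER_READONLY
 - DB_SUPPORT_PASSWORD_READONLY
+- DB_SUPPORT_USER_READWRITE
+- DB_SUPPORT_PASSWORD_READWRITE
 - SENTRY_DSN
 products-ui:
 - SESSION_ENCRYPTION_KEY
@@ -104,12 +114,16 @@ ledger:
 - DB_USER
 - DB_SUPPORT_USER_READONLY
 - DB_SUPPORT_PASSWORD_READONLY
+- DB_SUPPORT_USER_READWRITE
+- DB_SUPPORT_PASSWORD_READWRITE
 - SENTRY_DSN
 webhooks:
 - DB_PASSWORD
 - DB_USER
 - DB_SUPPORT_USER_READONLY
 - DB_SUPPORT_PASSWORD_READONLY
+- DB_SUPPORT_USER_READWRITE
+- DB_SUPPORT_PASSWORD_READWRITE
 - SENTRY_DSN
 toolbox:
 - AUTH_GITHUB_CLIENT_ID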
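--- a/package/src/commands/secrets/subcommands/audit.js
+++ b/package/src/commands/secrets/subcommands/audit.js
@@ -0,0 +1,30 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handler = exports.builder = exports.desc = exports.command = void 0;
+const node_child_process_1 = require("node:child_process");
+const preflight_js_1 = __importDefault(require("../utils/preflight.js"));
+exports.command = 'audit <service> <env..>';
+exports.desc = 'Audits secrets for <service> for the given <envs..>';
+const builder = (yargs) => {
+return yargs
+.positional('service', {
+type: 'string',
+description: 'The service (e.g. connector) to audit the secret for'
+})
+.positional('env', {
+type: 'string',
+description: 'The environment (e.g. test-12) to audit the secret for'
+});
+};
+exports.builder = builder;
+exports.handler = auditHandler;
+async function auditHandler(argv) {
+const service = argv.service;
+const envs = argv.env;
+const preflightInfo = (0, preflight_js_1.default)();
+(0, node_child_process_1.spawnSync)(preflightInfo.rbenvCommand, ['exec', 'bundle', 'exec', 'bin/pay', 'secrets', 'audit', service, ...envs], { shell: true, stdio: 'inherit', cwd: preflightInfo.pathToLegacyRubyCli });
+}
+exports.default = auditHandler;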
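Review bot: The `spawnSync` call in `auditHandler` passes the user-supplied `service` and `envs` positionals with `shell: true`, so Node joins them into one shell command line without quoting and any whitespace or shell metacharacter in an argument is interpreted by the shell; the same pattern is in `copyHandler`, `fetchHandler` and `provisionHandler`. Dropping the option keeps the arguments as a literal argv array, e.g. `{ stdio: 'inherit', cwd: preflightInfo.pathToLegacyRubyCli }`, assuming `PAY_CLI_RBENV_COMMAND` only ever names an executable. The result is also discarded, so a failing Ruby command still lets the CLI exit successfully; capture it and set `process.exitCode = result.status ?? 1;`.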
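--- a/package/src/commands/secrets/subcommands/copy.js
+++ b/package/src/commands/secrets/subcommands/copy.js
@@ -0,0 +1,35 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handler = exports.builder = exports.desc = exports.command = void 0;
+const node_child_process_1 = require("node:child_process");
+const preflight_js_1 = __importDefault(require("../utils/preflight.js"));
+exports.command = 'copy <service> <src_env> <dest_env>';
+exports.desc = 'Copies secrets for <service> from <src_env> to <dest_env>';
+const builder = (yargs) => {
+return yargs
+.positional('service', {
+type: 'string',
+description: 'The service (e.g. connector) to copy the secrets for'
+})
+.positional('src_env', {
+type: 'string',
+description: 'The environment (e.g. test-12) to copy the secrets from'
+})
+.positional('dest_env', {
+type: 'string',
+description: 'The environment (e.g. test-perf-1) to copy the secrets to'
+});
+};
+exports.builder = builder;
+exports.handler = copyHandler;
+async function copyHandler(argv) {
+const service = argv.service;
+const srcEnv = argv.src_env;
+const destEnv = argv.dest_env;
+const preflightInfo = (0, preflight_js_1.default)();
+(0, node_child_process_1.spawnSync)(preflightInfo.rbenvCommand, ['exec', 'bundle', 'exec', 'bin/pay', 'secrets', 'copy', service, srcEnv, destEnv], { shell: true, stdio: 'inherit', cwd: preflightInfo.pathToLegacyRubyCli });
+}
+exports.default = copyHandler;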
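--- a/package/src/commands/secrets/subcommands/fetch.js
+++ b/package/src/commands/secrets/subcommands/fetch.js
@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handler = exports.builder = exports.desc = exports.command = void 0;
+const node_child_process_1 = require("node:child_process");
+const preflight_js_1 = __importDefault(require("../utils/preflight.js"));
+exports.command = 'fetch <env> <service> <secret_name> [--use-ssm]';
+exports.desc = 'Fetches a <named secret> for <service> for <env>, if use-ssm is set then get the secret from ssm';
+const builder = (yargs) => {
+return yargs
+.positional('env', {
+type: 'string',
+description: 'The environment (e.g. test-12) to fetch the secret for'
+})
+.positional('service', {
+type: 'string',
+description: 'The service (e.g. connector) to fetch the secret for'
+})
+.positional('secret_name', {
+type: 'string',
+description: 'The name of the secret to get'
+})
+.option('use-ssm', {
+type: 'boolean',
+default: false,
+description: 'Query SSM to get the value'
+});
+};
+exports.builder = builder;
+exports.handler = fetchHandler;
+async function fetchHandler(argv) {
+const service = argv.service;
+const env = argv.env;
+const secretName = argv.secret_name;
+const useSSM = argv.useSsm;
+const preflightInfo = (0, preflight_js_1.default)();
+const rbenvArgs = ['exec', 'bundle', 'exec', 'bin/pay', 'secrets', 'fetch', env, service, secretName];
+if (useSSM) {
+rbenvArgs.push('--use-ssm');
+}
+(0, node_child_process_1.spawnSync)(preflightInfo.rbenvCommand, rbenvArgs, { shell: true, stdio: 'inherit', cwd: preflightInfo.pathToLegacyRubyCli });
+// The fetch command doesn't output a newline which is really annoying, so add one
+console.log();
+}
+exports.default = fetchHandler;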
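--- a/package/src/commands/secrets/subcommands/provision.js
+++ b/package/src/commands/secrets/subcommands/provision.js
@@ -0,0 +1,30 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handler = exports.builder = exports.desc = exports.command = void 0;
+const node_child_process_1 = require("node:child_process");
+const preflight_js_1 = __importDefault(require("../utils/preflight.js"));
+exports.command = 'provision <service> <env>';
+exports.desc = 'Provisions secrets from config for <service> in <env>';
+const builder = (yargs) => {
+return yargs
+.positional('service', {
+type: 'string',
+description: 'The service (e.g. connector) to provision secrets for'
+})
+.positional('env', {
+type: 'string',
+description: 'The environment (e.g. test-12) to provision the secrets in'
+});
+};
+exports.builder = builder;
+exports.handler = provisionHandler;
+async function provisionHandler(argv) {
+const service = argv.service;
+const env = argv.env;
+const preflightInfo = (0, preflight_js_1.default)();
+(0, node_child_process_1.spawnSync)(preflightInfo.rbenvCommand, ['exec', 'bundle', 'exec', 'bin/pay', 'secrets', 'provision', service, env], { shell: true, stdio: 'inherit', cwd: preflightInfo.pathToLegacyRubyCli });
+}
+exports.default = provisionHandler;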
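--- a/package/src/commands/secrets/utils/preflight.js
+++ b/package/src/commands/secrets/utils/preflight.js
@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_child_process_1 = require("node:child_process");
+const node_path_1 = __importDefault(require("node:path"));
+const constants_1 = require("../../../core/constants");
+function preflightCheck() {
+const pathToLegacyRubyCli = node_path_1.default.join(constants_1.rootDir, 'resources', 'legacy-ruby-cli');
+const rbenvCommand = process.env.PAY_CLI_RBENV_COMMAND ?? 'rbenv';
+console.error('Checking for ruby dependencies prior to launch');
+const whichRbenvResult = (0, node_child_process_1.spawnSync)('command', ['-v', rbenvCommand], { shell: true });
+if (whichRbenvResult.status !== 0) {
+console.error('You need rbenv installed before you can continue.');
+process.exit(1);
+}
+console.error(`Ruby version manager ${rbenvCommand} available`);
+console.error('Checking for bundler');
+const whichBundlerResult = (0, node_child_process_1.spawnSync)(rbenvCommand, ['exec', 'bundle', '--version'], { shell: true, cwd: pathToLegacyRubyCli });
+if (whichBundlerResult.status !== 0) {
+console.error('You need bundler installed and available to rbenv before you can continue. Installing it...');
+const installBundlerResult = (0, node_child_process_1.spawnSync)(rbenvCommand, ['exec', 'gem', 'install', 'bundler'], { shell: true, stdio: 'inherit', cwd: pathToLegacyRubyCli });
+if (installBundlerResult.status !== 0) {
+console.error('Could not install bundler, cannot continue');
+process.exit(1);
+}
+}
+console.error('Bundler available');
+console.error('Checking for bundled dependencies');
+const bundleCheckResult = (0, node_child_process_1.spawnSync)(rbenvCommand, ['exec', 'bundle', 'check'], { shell: true, cwd: pathToLegacyRubyCli });
+if (bundleCheckResult.status !== 0) {
+console.error('Not all bundler dependencies are installed, installing them now.');
+const bundleInstallResult = (0, node_child_process_1.spawnSync)(rbenvCommand, ['exec', 'bundle', 'install'], { shell: true, stdio: 'inherit', cwd: pathToLegacyRubyCli });
+if (bundleInstallResult.status !== 0) {
+console.error('Failed to bundle install, cannot continue');
+process.exit(1);
+}
+}
+console.error('Bundled dependencies installed and available');
+console.error('All ruby dependencies satisfied, executing legacy ruby cli');
+return {
+rbenvCommand,
+pathToLegacyRubyCli
+};
+}
+exports.default = preflightCheck;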
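Review bot: When `bundle check` fails, `preflightCheck` goes straight to `bundle install` (and, earlier, to `gem install bundler` with no version) on the machine that is about to handle secrets, and nothing visible here holds the install to a reviewed lockfile. If a `Gemfile.lock` ships in `resources/legacy-ruby-cli` (not shown on this page), passing `env: { ...process.env, BUNDLE_FROZEN: 'true' }` to the `bundle install` call would make Bundler fail rather than resolve new versions. `rbenvCommand` is also taken from `PAY_CLI_RBENV_COMMAND` and placed unquoted into `command -v` under `shell: true`; a comment such as `// PAY_CLI_RBENV_COMMAND is trusted operator input and is passed to a shell` would make that assumption explicit, or the calls could run without a shell.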
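--- a/package/src/commands/secrets.js
+++ b/package/src/commands/secrets.js
@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.builder = exports.desc = exports.command = void 0;
+exports.command = 'secrets';
+exports.desc = 'Provision secrets (uses the legacy ruby CLI)';
+const builder = (yargs) => {
+return yargs
+.commandDir('secrets/subcommands')
+.demandCommand();
+};
+exports.builder = builder;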