Manage secrets

Terraform creates the Secrets Manager resources with safe placeholder values and then intentionally ignores later changes to the JSON value, so values set out of band survive subsequent applies. Operators are expected to populate the real values out of band after terraform apply.

Events ingestion secret

The events ingestion task definition reads its full runtime config from one JSON secret. The current template in terraform/staging/locals.tf includes keys for:

  • HTTP server settings
  • MSK brokers and topic names
  • IAM + TLS Kafka client configuration
  • log level

Example update command:

aws secretsmanager put-secret-value \
  --secret-id "poc-atlas-dev/app-config" \
  --secret-string '{
    "APP_NAME": "atlas-events",
    "APP_VERSION": "0.1.0",
    "APP_ENVIRONMENT": "development",
    "HTTP_PORT": "8080",
    "HTTP_READ_TIMEOUT": "5s",
    "HTTP_WRITE_TIMEOUT": "10s",
    "HTTP_SHUTDOWN_TIMEOUT": "30s",
    "KAFKA_BROKERS": "b-1.example.kafka.us-east-1.amazonaws.com:9098,b-2.example.kafka.us-east-1.amazonaws.com:9098",
    "KAFKA_EVENTS_TOPIC": "atlas.events.raw",
    "KAFKA_DLQ_TOPIC": "atlas.events.dlq",
    "KAFKA_PRODUCER_MAX_RETRIES": "3",
    "KAFKA_REQUIRED_ACKS": "-1",
    "KAFKA_DIAL_TIMEOUT": "10s",
    "KAFKA_WRITE_TIMEOUT": "10s",
    "KAFKA_BATCH_SIZE": "100",
    "KAFKA_BATCH_TIMEOUT": "1ms",
    "KAFKA_TLS_ENABLED": "true",
    "KAFKA_TLS_INSECURE_SKIP_VERIFY": "false",
    "KAFKA_SASL_MECHANISM": "AWS_MSK_IAM",
    "KAFKA_AWS_REGION": "us-east-1",
    "LOG_LEVEL": "info"
  }'

Dashboard backend secret

The dashboard backend uses a dedicated secret with database, Auth0, session, CORS, and web app settings.

Useful outputs for building the real DATABASE_URL:

terraform output -raw dashboard_backend_secret_name
terraform output -raw dashboard_db_endpoint
terraform output -raw dashboard_db_port
terraform output -raw dashboard_db_name
terraform output dashboard_db_master_user_secret_arn
terraform output -raw msk_bootstrap_brokers_tls

Important dashboard keys defined in locals.dashboard_secret_template include:

  • DATABASE_URL
  • WEB_APP_URL
  • AUTH0_DOMAIN
  • AUTH0_CLIENT_ID
  • AUTH0_CLIENT_SECRET
  • AUTH0_MANAGEMENT_CLIENT_ID
  • AUTH0_MANAGEMENT_CLIENT_SECRET
  • AUTH_SESSION_SECRET
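A pre-flight helper for the out-of-band update described above, added here as an example and not part of the project: it assembles DATABASE_URL from the terraform outputs plus the RDS-managed master user credentials (assumed to be a JSON object with "username" and "password"), refuses to push a document that is still missing a template key or still carries a Terraform placeholder (the marker string "PLACEHOLDER" and the postgres:// scheme are assumptions, not taken from the template), and only then shells out to the same aws secretsmanager put-secret-value command the page uses.

```python
"""Pre-flight validation before pushing a dashboard secret (added example, not project code)."""
import json
import subprocess
import sys
from urllib.parse import quote

# Keys the page lists for locals.dashboard_secret_template (the template may hold more).
DASHBOARD_REQUIRED_KEYS = (
    "DATABASE_URL", "WEB_APP_URL", "AUTH0_DOMAIN", "AUTH0_CLIENT_ID",
    "AUTH0_CLIENT_SECRET", "AUTH0_MANAGEMENT_CLIENT_ID",
    "AUTH0_MANAGEMENT_CLIENT_SECRET", "AUTH_SESSION_SECRET",
)
PLACEHOLDER_MARKER = "PLACEHOLDER"  # assumed: marker Terraform writes into the initial document


def build_database_url(endpoint, port, db_name, creds, scheme="postgres"):
    """Assemble the connection URL from the terraform outputs and the master user secret.
    Username and password are percent-encoded so a generated password containing
    '@', '/' or ':' cannot break URL parsing in the service. Scheme is an assumption."""
    user = quote(creds["username"], safe="")
    password = quote(creds["password"], safe="")
    return f"{scheme}://{user}:{password}@{endpoint}:{port}/{db_name}?sslmode=require"


def validate_secret_document(doc, required_keys=DASHBOARD_REQUIRED_KEYS):
    """Return a list of problems; an empty list means the document is safe to push."""
    problems = []
    for key in required_keys:
        value = doc.get(key)
        if value is None:
            problems.append(f"missing key {key}")
        elif not isinstance(value, str) or not value.strip():
            problems.append(f"{key} must be a non-empty string")
        elif PLACEHOLDER_MARKER in value:
            problems.append(f"{key} still holds the Terraform placeholder")
    return problems


def put_secret(secret_id, doc):
    """Push the document with the AWS CLI; raise before calling it if validation fails."""
    problems = validate_secret_document(doc)
    if problems:
        raise ValueError("; ".join(problems))
    subprocess.run(["aws", "secretsmanager", "put-secret-value", "--secret-id", secret_id,
                    "--secret-string", json.dumps(doc)], check=True)


if __name__ == "__main__":
    # usage: preflight.py <secret-name> <document.json>; the document lives outside Git
    with open(sys.argv[2]) as fh:
        put_secret(sys.argv[1], json.load(fh))
```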

Guardrails

What Terraform owns

Terraform owns the existence of the secret resource and the initial placeholder document shape.

What operators own

Operators own the real runtime values after apply. Those values should not be committed to Git and should not be encoded directly into Terraform variables.

What to verify after rotation

Confirm the affected ECS service can still start, read the secret, and pass the ALB target-group health check.

Warning: The secret names and ARNs are environment-specific. Always query the active root outputs before updating production values.