…nd update default value
variable "slack_logging_webhook_url" {
  type      = string
  sensitive = true
  default   = "TBD"
}
@bkochendorfer Would it make more sense to:
- Have main.tf read the secret from a specific GCP project. Example:
data "google_secret_manager_secret_version" "slack_waf_webhook" {
  count   = var.enable_slack_alerting ? 1 : 0
  project = var.slack_webhook_secret_project
  secret  = "slack-waf-webhook-url"
}
- and create that secret in webservices?
What do you think?
I think this is a good way to retrieve the data. The url will still be written to terraform state in plain text in sigsci_site_integration so I'm not sure I would consider this entire approach optimal
Correct. I think the impact is not too high though: someone retrieving the URL will be able to post messages to that channel.
- If not doing it this way: what approach would you recommend?
- If doing it this way, we still need to figure out where in webservices do we store this secret 🤔
Terraform does have a method for dealing with secrets like this https://www.hashicorp.com/en/blog/ephemeral-values-in-terraform, but it would require the sigsci provider to modify that slack url to be "write only" as well. If they did you could do something like the following. You could also create the secret object here in this module and have the secret persisted outside of Terraform.
We might need to think of a more centralized approach here as these URLs are likely the same per channel and you might have multiple notifications bound to one channel?
ephemeral "google_secret_manager_secret_version" "slack_waf_webhook" {
  count   = var.enable_slack_alerting ? 1 : 0
  project = var.slack_webhook_secret_project
  secret  = "slack-waf-webhook-url"
}
resource "sigsci_site_integration" "slack_logging_mode_alerts" {
  count           = var.enable_slack_logging_mode_alerts ? 1 : 0
  site_short_name = sigsci_site.ngwaf_edge_site.short_name
  type            = "slack"
  # The ephemeral block above uses count, so it is indexed with [0]; the
  # payload of a secret version is exposed as secret_data.
  url             = ephemeral.google_secret_manager_secret_version.slack_waf_webhook[0].secret_data
  events          = ["loggingModeChanged"]
}
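A check for the concern raised earlier in this thread, that the webhook URL still lands in Terraform state in plain text even when it is fetched from Secret Manager: the following script is an added example, not code from this PR or the project. It parses the JSON that `terraform show -json` emits and reports every resource attribute that looks like a Slack incoming-webhook URL, noting whether Terraform marked that attribute sensitive. The state document embedded below is constructed, and the path segments in its hooks.slack.com URLs are placeholders.

```python
"""Scan `terraform show -json` output for Slack webhook URLs persisted in state."""
import json
import re
from typing import Iterator

# Slack incoming-webhook URLs share a fixed host and a multi-segment /services/ path.
SLACK_WEBHOOK_RE = re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+")

# Constructed sample in the shape of `terraform show -json` (placeholder values only).
SAMPLE_STATE = json.dumps({
    "format_version": "1.0",
    "values": {
        "root_module": {
            "resources": [
                {
                    "address": "sigsci_site_integration.slack_logging_mode_alerts[0]",
                    "type": "sigsci_site_integration",
                    "values": {
                        "type": "slack",
                        "url": "https://hooks.slack.com/services/TPLACEHOLDER/BPLACEHOLDER/xxxxxxxx",
                        "events": ["loggingModeChanged"],
                    },
                    # The sigsci provider does not flag url as sensitive, so nothing redacts it.
                    "sensitive_values": {"events": [False]},
                },
            ],
            "child_modules": [
                {
                    "address": "module.waf",
                    "resources": [
                        {
                            "address": "module.waf.data.google_secret_manager_secret_version.slack_waf_webhook[0]",
                            "type": "google_secret_manager_secret_version",
                            "values": {
                                "secret": "slack-waf-webhook-url",
                                "secret_data": "https://hooks.slack.com/services/TPLACEHOLDER/BPLACEHOLDER/xxxxxxxx",
                            },
                            # A plain (non-ephemeral) data source keeps the payload in state,
                            # merely marked sensitive.
                            "sensitive_values": {"secret_data": True},
                        },
                    ],
                },
            ],
        }
    },
})


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def walk_strings(value, path: str = ""):
    """Yield (dotted_path, string) for every string nested anywhere in an attribute value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, inner in value.items():
            yield from walk_strings(inner, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for idx, inner in enumerate(value):
            yield from walk_strings(inner, f"{path}[{idx}]")


def find_webhook_leaks(state_json: str) -> list[dict]:
    """Return one finding per attribute whose value matches a Slack webhook URL.

    `marked_sensitive` records whether Terraform flagged the top-level attribute;
    an unflagged match is the worse case because plan/apply output shows it verbatim.
    """
    state = json.loads(state_json)
    root = state.get("values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        sensitive = res.get("sensitive_values", {})
        for attr_path, text in walk_strings(res.get("values", {})):
            if SLACK_WEBHOOK_RE.search(text):
                top_level = attr_path.split(".")[0].split("[")[0]
                findings.append({
                    "address": res["address"],
                    "attribute": attr_path,
                    "marked_sensitive": sensitive.get(top_level) is True,
                })
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_STATE with open("state.json").read() after `terraform show -json > state.json`.
    for f in find_webhook_leaks(SAMPLE_STATE):
        flag = "sensitive" if f["marked_sensitive"] else "NOT marked sensitive"
        print(f"{f['address']}: {f['attribute']} holds a Slack webhook URL ({flag})")
```

Run it against a real dump after `terraform show -json > state.json`; both findings in the sample illustrate the thread's point: moving the lookup to an ephemeral data source removes the second finding, but the first remains until the provider exposes a write-only form of `url`.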
> We might need to think of a more centralized approach here as these URLs are likely the same per channel
+1 on that. I was suggesting above to host this in webservices, but... I don't have any strong feelings on that, so it can be in our security-infra as well, for example.
@sseehra After talking with @bkochendorfer on this, we think we should change our approach. I'll post more details in the Jira ticket.
…e and update Slack integration resource
Release plan
…o conditionally return ID based on enable_slack_logging_mode_alerts variable
Description
This PR adds Slack Alerting functionality for any sites that change their Agent Mode (Blocking --> Not Blocking, vice versa)
Related Tickets & Documents
https://mozilla-hub.atlassian.net/browse/INFRASEC-2395