| FABRIZIO MANFREDI - any updates on this? This is a pretty serious security issue. Jakub Bochenski - we do check in our JCasC to Git, but the SSH key isn't rendered when it's in Git. We followed this approach:
- Terraform generates the SSH key
- JCasC is in a templates/jcasc.yml file
- Terraform uses the `template_file` data source to inject parameters into the template file
- Private key is loaded into the build file properly using `jsonencode` and `chomp` Terraform functions
- aws_s3_object is used to take the rendered template and load it to a locked down S3 bucket.
- We used [my-bloody-jenkins](https://github.com/odavid/my-bloody-jenkins) and passed in the S3 object key location into the container via environment variables. This container runs on AWS ECS with a Task role that is permitted to access the S3 bucket. This way, it can grab it at launch.
- Additionally, all secrets are set via AWS Parameter store, so they are accessible as environment variables on the container, which JCasC then reads.
It's a sound approach, but still, the private key is still embedded in the JCasC at some point. At least in this case, the private key is not checked into Git, but it's still stored as part of the JCasC file in S3. They need to fix this ASAP. |
