Load secrets from AWS SSM Parameter Store via chamber at container boot#11619
Draft
nbudin wants to merge 1 commit into
Adds an entrypoint script that conditionally runs chamber (Segment's SSM Parameter Store injector) before starting the app. If CHAMBER_SERVICE is set, all SSM parameters under that path are loaded as environment variables at boot; otherwise the app starts normally. This lets us manage secrets that are sourced from Terraform outputs (AWS credentials, S3 bucket, etc.) without manual copy-paste, while keeping the container bootable without AWS for operators running their own instances. Extends the intercode_aws_resources Terraform module to write the Terraform-derived secrets to SSM automatically, add a `secrets` variable for manually-managed secrets, and grant the app's IAM user permission to read from its own SSM path. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Purpose

Managing secrets that come from Terraform outputs (AWS access keys, S3 bucket name, etc.) has always been a manual step — someone has to run `flyctl secrets set` after a `terraform apply`. This closes that gap.

The approach is a thin entrypoint script that conditionally runs chamber before starting the app. If `CHAMBER_SERVICE` is set, chamber loads all SSM parameters under that path as environment variables before exec-ing the real process. If it's not set, the script is a no-op — the app boots normally. This means operators running their own Intercode instances aren't affected at all.

On the Terraform side, the `intercode_aws_resources` module now writes the secrets it produces (IAM access keys, S3 bucket name, region) to SSM automatically, adds a `secrets` variable for the manually-managed ones (DATABASE_URL, Stripe keys, etc.), and grants the app's IAM user permission to read from its own SSM path. The existing IAM user the app already uses for SQS/SES/S3 gets the SSM permissions, so no new credentials are needed.

Changes

💻 Engineer-facing

- `bin/entrypoint.sh`: conditional chamber wrapper; `CHAMBER_SERVICE` unset = passthrough, set = SSM load then exec
- `Dockerfile`: installs chamber binary (multi-arch), wires up `ENTRYPOINT`, pins version via `ARG CHAMBER_VERSION`
- `fly.toml`: adds `CHAMBER_SERVICE = "intercode_production"` (update this to match your `var.name` if different)
- `terraform/modules/intercode_aws_resources/ssm.tf`: SSM parameters for Terraform-derived secrets (auto-populated) and `var.secrets` map (caller-provided)
- `terraform/modules/intercode_aws_resources/iam.tf`: adds `ssm:GetParametersByPath`/`GetParameter`/`GetParameters` to the app's IAM group policy
- `chamber_service`, `ssm_path_prefix`

Risks

The Terraform changes are additive — new SSM parameters and a new IAM policy statement — so they won't affect existing deployments until `CHAMBER_SERVICE` is set and the `secrets` variable is populated. The entrypoint script is a no-op unless `CHAMBER_SERVICE` is present, so this is safe to deploy before the Terraform side is wired up.

The chamber version is pinned at `2.13.4` — worth verifying that's current before the first build.

Release plan and notes

Deploy the app change first (harmless since `CHAMBER_SERVICE` is now in fly.toml but SSM parameters don't exist yet — chamber will fail to start). Actually: populate the SSM parameters via `terraform apply` before deploying, then remove the corresponding Fly secrets once confirmed working.

🤖 Generated with Claude Code
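The conditional wrapper described in the PR, written out as an added example that is not the PR's own `bin/entrypoint.sh`. The function names `require_chamber`, `plan_command` and `main` are assumptions; the `chamber exec <service> -- <command>` invocation is chamber's real syntax, and the missing-binary check is added so a misconfigured image fails with a clear message rather than an opaque exec error.

```shell
#!/bin/sh
# Added example entrypoint (not the PR's bin/entrypoint.sh). Wraps the app
# command in `chamber exec` only when CHAMBER_SERVICE is set; otherwise the
# command runs untouched, so an instance without AWS access still boots.
set -eu

# Fail fast with an explicit message if the image is configured for chamber
# but the binary is missing; a bare `exec chamber` would die less clearly.
require_chamber() {
  if ! command -v chamber >/dev/null 2>&1; then
    echo "entrypoint: CHAMBER_SERVICE=${CHAMBER_SERVICE:-} is set but chamber is not installed" >&2
    return 127
  fi
}

# Print the argv that main() would exec, one element per line, so the
# decision can be inspected (or tested) without replacing this process.
plan_command() {
  if [ -z "${CHAMBER_SERVICE:-}" ]; then
    printf '%s\n' "$@"            # passthrough: no SSM involved
    return 0
  fi
  require_chamber || return $?
  # chamber exec <service> -- <cmd>: loads every parameter under the
  # service's SSM path into the environment, then runs <cmd>.
  printf '%s\n' chamber exec "$CHAMBER_SERVICE" -- "$@"
}

main() {
  if [ $# -eq 0 ]; then
    echo "usage: entrypoint.sh <command> [args...]" >&2
    return 2
  fi
  if [ -n "${CHAMBER_SERVICE:-}" ]; then
    require_chamber || return $?
    exec chamber exec "$CHAMBER_SERVICE" -- "$@"
  fi
  exec "$@"
}

# Only hand off to the app when invoked with a command (the container CMD).
if [ $# -gt 0 ]; then
  main "$@"
fi
```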