Adding a key and secret to identify the key.
Infrastructure Submissions:
- [YES/NO] Have you added an explanation of what your changes do and why you'd like us to include them?
- [YES/NO] I have updated the documentation accordingly.
- [YES/NO/NA] I have added tests to cover my changes.
- [YES/NO/NA] All new and existing tests passed.
- [YES/NO/NA] I have formatted the terraform code. (
terraform fmt -recursive && go fmt ./...)
Current Behavior or Linked Issues
The register service is an R3 service which is adding to the capabilities of OSDU. One of the functions of the service is to store secrets in Cosmos. Keeping security in mind, these secrets should be encrypted while storing. The encryption can be facilitated by keeping a key in the key vault.
Implications in the infrastructure.
- The key should have encrypt and decrypt roles.
- The application code SP should have encrypt and decrypt permission.
How does Data partition impact the infra?
The data partition service doesn't have support for keys in the application code. This leaves us with two options,
- have all partitions share the same key.
- All data partitions will have a different keys. The name/identifier of the key will be stored as a secret that is aware of partitions. When the key has to be retrieved, the secret will be used to get to the key id and hence the value.
Does this introduce a breaking change?
- [YES/NO] No
Other information
Reviewer request
- Please provide an ETA when you plan to review this MR. Write a comment to decline or provide an ETA.
- Block the MR if you feel there is less testing or no details in the MR