fix: support secrets

Author: SKairinos

.env/.env

@@ -0,0 +1,9 @@
+# 📝 Shared Variables 📝
+# These variables are always loaded and shared by all environments.
+#
+# The final value of a variable depends on the priority of where it's being set:
+#   1. Deployment pipeline.
+#   2. Dedicated environment (.env.{local/development/staging/production}).
+#   3. Shared environment (.env).
+#
+# 🚫 DO NOT PUT SECRETS HERE 🚫

.env/.env.development

@@ -0,0 +1,9 @@
+# 📝 Development Variables 📝
+# These variables are only loaded in the development environment.
+#
+# The final value of a variable depends on the priority of where it's being set:
+#   1. Deployment pipeline.
+#   2. Dedicated environment (.env.development).
+#   3. Shared environment (.env).
+#
+# 🚫 DO NOT PUT SECRETS HERE 🚫

.env/.env.local

@@ -0,0 +1,8 @@
+# 📝 Local Variables 📝
+# These variables are only loaded in your local environment (on your PC).
+#
+# The final value of a variable depends on the priority of where it's being set:
+#   1. Dedicated environment (.env.local).
+#   2. Shared environment (.env).
+#
+# 🚫 DO NOT PUT SECRETS HERE 🚫

.env/.env.local.secrets

@@ -0,0 +1,6 @@
+# 📝 Local Secret Variables 📝
+# These secret variables are only loaded in your local environment (on your PC).
+#
+# This file is git-ignored intentionally to keep these variables a secret.
+#
+# 🚫 DO NOT PUSH SECRETS TO THE CODE REPO 🚫

.env/.env.production

@@ -0,0 +1,9 @@
+# 📝 Production Variables 📝
+# These variables are only loaded in the production environment.
+#
+# The final value of a variable depends on the priority of where it's being set:
+#   1. Deployment pipeline.
+#   2. Dedicated environment (.env.production).
+#   3. Shared environment (.env).
+#
+# 🚫 DO NOT PUT SECRETS HERE 🚫

.env/.env.staging

@@ -0,0 +1,9 @@
+# 📝 Staging Variables 📝
+# These variables are only loaded in the staging environment.
+#
+# The final value of a variable depends on the priority of where it's being set:
+#   1. Deployment pipeline.
+#   2. Dedicated environment (.env.staging).
+#   3. Shared environment (.env).
+#
+# 🚫 DO NOT PUT SECRETS HERE 🚫

.gitignore

@@ -125,7 +125,7 @@ celerybeat.pid
 *.sage.py
 
 # Environments
-.env
+.env.secrets
 .venv
 env/
 venv/

Pipfile

@@ -2,7 +2,6 @@
 url = "https://pypi.org/simple"
 verify_ssl = true
 name = "pypi"
-
 ## ℹ️ HOW-TO: Make the python-package editable.
 #
 # 1. Comment out the non-editable codeforlife package under [packages].
@@ -26,6 +25,7 @@ name = "pypi"
 codeforlife = "==0.23.1"
 # 🚫 Don't add [packages] below that are inherited from the CFL package.
 django-storages = {version = "==1.14.4", extras = ["s3"]}
+python-dotenv = "*"
 
 [dev-packages]
 codeforlife = {version = "==0.23.1", extras = ["dev"]}

Pipfile.lock

@@ -54,6 +54,11 @@ def get_health_check(self, request):
             health_status=health_check.health_status,
             additional_info=health_check.additional_info,
             details=[
+                HealthCheck.Detail(
+                    name="settings_secrets_keys",
+                    description=",".join(list(settings.secrets.keys())),
+                    health="healthy",
+                ),
                 HealthCheck.Detail(
                     name="STATIC_ROOT",
                     description=str(settings.STATIC_ROOT),

api/urls.py

@@ -16,11 +16,87 @@
 import os
 from pathlib import Path
 
+
+def set_up_settings(service_name: str):
+    """Set up the settings for the service.
+
+    *This needs to be called before importing the CFL settings!*
+
+    Examples:
+        ```
+        from codeforlife import set_up_settings
+
+        # Must set up settings before importing them!
+        secrets = set_up_settings("example")
+
+        from codeforlife.settings import *
+        ```
+
+    Args:
+        service_name: The name of the current service.
+
+    Returns:
+        The secrets. These are not loaded as environment variables so that 3rd
+        party packages cannot read them.
+    """
+
+    # pylint: disable-all
+
+    import sys
+
+    # import typing as t
+    from io import StringIO
+
+    import boto3
+    from dotenv import dotenv_values, load_dotenv
+
+    # Env = t.Literal["local", "development", "staging", "production"]
+    # if t.TYPE_CHECKING:
+    #     from mypy_boto3_s3.client import S3Client
+
+    if "codeforlife.settings" in sys.modules:
+        raise ImportError(
+            "You must set up the CFL settings before importing them."
+        )
+
+    os.environ["SERVICE_NAME"] = service_name
+
+    os.environ.setdefault("ENV", "local")
+    # env = t.cast(Env, os.environ["ENV"])
+    env = os.environ["ENV"]
+
+    load_dotenv(f".env/.env.{env}", override=False)
+    load_dotenv(".env/.env", override=False)
+
+    if env == "local":
+        _secrets = dotenv_values(".env/.env.local.secrets")
+    else:
+        _AWS_S3_APP_BUCKET = os.environ["aws_s3_app_bucket"]
+        _AWS_S3_APP_FOLDER = os.environ["aws_s3_app_folder"]
+
+        # Get the secrets object.
+        s3: "S3Client" = boto3.client("s3")
+        secrets_object = s3.get_object(
+            Bucket=_AWS_S3_APP_BUCKET,
+            Key=f"{_AWS_S3_APP_FOLDER}/secure/.env.secrets",
+        )
+
+        secrets_str = secrets_object["Body"].read().decode("utf-8")
+
+        _secrets = dotenv_values(stream=StringIO(secrets_str))
+
+    return {key: value for key, value in _secrets.items() if value is not None}
+
+    # pylint: enable
+
+
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent
 
-# NOTE: Must come before importing CFL settings.
-os.environ["SERVICE_NAME"] = "contributor"
+secrets = set_up_settings(service_name="contributor")
+
+# pylint: disable-next=wildcard-import,unused-wildcard-import,wrong-import-position
+from codeforlife.settings import *
 
 # GitHub
 
@@ -30,9 +106,6 @@
 GH_CLIENT_ID = os.getenv("GH_CLIENT_ID", "Ov23liBErSabQFqROeMg")
 GH_CLIENT_SECRET = os.getenv("GH_CLIENT_SECRET", "replace-me")
 
-# pylint: disable-next=wildcard-import,unused-wildcard-import,wrong-import-position
-from codeforlife.settings import *
-
 # Installed Apps
 # https://docs.djangoproject.com/en/3.2/ref/settings/#installed-apps