From fa44507a4c36f06084e259d4a9c9132446770d68 Mon Sep 17 00:00:00 2001
From: Max Schmidt
Date: Sun, 17 Aug 2025 10:13:31 +0200
Subject: [PATCH] Fix aws-ecs secret generation docs; Add terraform variable validations

Signed-off-by: Max Schmidt
---
 deploy/aws-ecs/README.md | 6 +++++-
 deploy/aws-ecs/variables.tf | 10 ++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/deploy/aws-ecs/README.md b/deploy/aws-ecs/README.md
index fa3759cd9..ef590b35d 100644
--- a/deploy/aws-ecs/README.md
+++ b/deploy/aws-ecs/README.md
@@ -4,12 +4,16 @@ These templates assume you need to create a VPC, ECS cluster, and security group
 
 ### Secrets
 
-`secret_key_base` should be a random string of at least 32 characters.
+`secret_key_base` should be a random string of **exactly** 64 characters.
 `vault_key` should be a random base64 encoded string of **exactly** 32 characters.
 
 You can generate these secrets with `openssl` like so:
 
 ```bash
+# Generate SECRET_KEY_BASE
+openssl rand -base64 64
+
+# Generate VAULT_KEY
 openssl rand -base64 32
 ```
 
diff --git a/deploy/aws-ecs/variables.tf b/deploy/aws-ecs/variables.tf
index 193df4ba6..99c182341 100644
--- a/deploy/aws-ecs/variables.tf
+++ b/deploy/aws-ecs/variables.tf
@@ -35,12 +35,22 @@ variable "secret_key_base" {
 description = "The secret key base for Sequin (will be stored in SSM Parameter Store)"
 type = string
 sensitive = true
+
+validation {
+condition = length(var.secret_key_base) == 64
+error_message = "secret_key_base must be exactly 64 characters long."
+}
 }
 
 variable "vault_key" {
 description = "The vault key for Sequin (will be stored in SSM Parameter Store)"
 type = string
 sensitive = true
+
+validation {
+condition = length(var.vault_key) == 32
+error_message = "vault_key must be exactly 32 characters long."
+}
 }
 
 data "aws_availability_zones" "available" {}
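Review bot: The added `openssl rand -base64 64` command does not produce the "**exactly** 64 characters" the rewritten sentence above it promises: base64-encoding 64 random bytes gives an 88-character string (padding included), which the `== 64` validation added to variables.tf in this same patch then rejects. The same mismatch already exists for `vault_key`, where the unchanged `openssl rand -base64 32` yields 44 characters rather than the "exactly 32" the text states. If 64 characters is the real requirement, `openssl rand -base64 48` (48 bytes, 64 characters, no padding) or `openssl rand -hex 32` both match it. For `vault_key` the sentence should say which quantity is meant — presumably 32 raw bytes that base64-encode to 44 characters — so that the documented command, the prose and the Terraform check agree.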
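Review bot: `length(var.vault_key) == 32` counts characters of the base64 string, so the 44-character output of the README's `openssl rand -base64 32` fails this validation, while any 32-character string passes even though it cannot decode to a 32-byte key. If the key must be 32 bytes once decoded, check the decoded length instead, e.g. `condition = try(length(base64decode(var.vault_key)), 0) == 32` with `error_message = "vault_key must be a base64-encoded 32-byte key (44 characters)."`. The `secret_key_base` check has the parallel problem: `== 64` rejects the 88-character output of the `openssl rand -base64 64` command this patch documents, and an exact-length rule is stricter than a secret needs to be, so if 64 is the intended minimum a lower bound such as `length(var.secret_key_base) >= 64` (with a matching "at least 64 characters" message) preserves the entropy floor without rejecting longer values.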