Skip to content

streof/rotate-maps-api-key

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 

Repository files navigation

Google Maps API key rotation

This repository builds the fundaments that will be used in order to rotate the Google Maps API key using GitHub Actions.

A second repository rotate-maps-api-key-workflow is autogenerated and responsible for the rotation itself.

Introduction

This repository uses Terraform to manage all required resources. There are three providers each defined within their onw module:

cd terraform
tree
├── backend.tf
├── bootstrap_gcp_env.sh
├── create_state_blob.sh
├── main.tf
├── modules
│   ├── azure
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   └── variables.tf
│   ├── gcp
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   └── variables.tf
│   └── github
│       ├── main.tf
│       ├── rotate-key.yaml
│       └── variables.tf
├── providers.tf
├── terraform.tfvars
└── variables.tf

The responsilities of the modules are as follows:

  • azure:
    • Key Vault used to store the Google Maps API key;
    • Service Principal used to authenticate when using GitHub Actions;
    • Role-based access control used to grant required permissions;
    • Purge protection is enabled preventing permanent deletes until the end of the 7 days retention period.
  • gcp:
    • Dedicated project encapsulating all required resources;
    • Service Account used to authenticate when using GitHub Actions;
    • Needed permissions and API services.
  • github:
    • Separated repository;
    • Workflow used to rotate the Google Maps API key;
    • Required Google Cloud and Azure secrets.

In addition we have two Bash scripts:

  • create_state_blob.sh: sets up the backend for storing the Terraform state.
  • bootstrap_gcp_env.sh: exports sensitive variables for Terraform.

The terraform.tfvars file contains the remaining variables.

Local setup

Google Cloud, Azure and Github accounts are required as well as the following cli's:

First time setup

The very first time you'll need to create a new remote Terraform backend for storing the Terraform state. Running the create_state_blob.sh script will create a blob container called terraformstate which is also the container name that Terraform expects (see backend.tf)

Running Terraform

Prerequisites

Before running Terraform, make sure to:

  • authenticate with az login and gcloud auth login
  • run bootstrap_gcp_env.sh
  • generate a GitHub token with enough permissions that is available under the GITHUB_TOKEN environment variable.

Unfortunately, the last step cannot be automated as the GitHub CLI does not provide a way to generate fine-grained personal access tokens.

Make sure the generated token has sufficient permissions (Administration, Action, Contents, Secrets, Variables and Workflows) and has a global scope.

Terraform

Once all prerequisites are set, we can focus on Terraform. By default, Terraform will use the variables specified in the terraform.tfvars file. Currently, these represent my setup and so you'll need to change the values for some of the variables (e.g. github_owner).

Now we can use Terraform as usual:

terraform init
terraform plan
terraform apply

Future work

Might include:

  • Improve workflow (use OpenID Connect (OIDC) for login, incorporate retry logic, add alerting, notify API key consumers etc.)
  • Incorparate API security best practices (e.g. apply restrictions, delete unused keys)
  • Have a disaster recovery plan.

How do I use AI?

The only AI assistant I use is the Web browser version of ChatGPT.

Pros:

  • Smart auto-completion/-generation for boilerplate code (e.g. generating variables.tf including descriptions)
  • Sanity checks, making sure that I haven't missed anything obvious (e.g covering all cases, fixing typos, etc.)
  • Can be helpful for debugging

Cons:

  • Generates not working code (e.g. missing required fields, using older versions, etc.)
  • Generates unnecessarily complex code
  • Not really security aware

About

Infrastructure for rotating Google Maps API keys

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published