Setting secrets
Secret values used by the Benefits application (such as API keys, private keys, certificates, etc.) are stored in an Azure Key Vault for each environment.
There are helper scripts under terraform/secrets which build up the Azure CLI command, given some inputs. The usage is as follows:
First, make sure you are set up for local development and that you are in the
To set a secret by providing a value:
./value.sh <environment_letter> <secret_name> <secret_value>
where <environment_letter> is D for development, T for test, and P for production.
To set a secret by providing the path of a file containing the secret (useful for multi-line secrets):
./file.sh <environment_letter> <secret_name> <file_path>
To verify the value of a secret, you can use the helper script named
./read.sh <environment_letter> <secret_name>
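The following is an added sketch, not the project's own terraform/secrets scripts, of how a wrapper can validate the three inputs above before building the Azure CLI command. The vault naming scheme (kv-example-<letter>), the function names and the AZ override (AZ=echo prints the command instead of running it) are assumptions made for this example.

```shell
#!/bin/sh
# Added illustration, not the project's terraform/secrets scripts.
# ASSUMPTIONS: vault names follow a made-up "kv-example-<letter>" scheme, and
# AZ may be overridden (AZ=echo) to print the command instead of running it.
AZ="${AZ:-az}"

# Map the environment letter to a vault; reject anything but D, T or P.
vault_for_env() {
  case "$1" in
    D|T|P) printf 'kv-example-%s\n' "$1" ;;
    *) echo "environment letter must be D, T or P (got '$1')" >&2; return 1 ;;
  esac
}

# Key Vault secret names: 1-127 characters, letters, digits and dashes only.
valid_secret_name() {
  case "$1" in
    ''|*[!0-9A-Za-z-]*) return 1 ;;
  esac
  [ "${#1}" -le 127 ]
}

# secret_cmd <set-value|set-file|read> <environment_letter> <secret_name> [arg]
secret_cmd() {
  action="$1"; env_letter="$2"; name="$3"; arg="${4-}"
  vault="$(vault_for_env "$env_letter")" || return 1
  valid_secret_name "$name" || { echo "invalid secret name: $name" >&2; return 1; }
  case "$action" in
    set-value)
      # The value travels as a command-line argument, so it can end up in
      # shell history; set-file avoids that.
      [ -n "$arg" ] || { echo "refusing to set an empty value" >&2; return 1; }
      "$AZ" keyvault secret set --vault-name "$vault" --name "$name" --value "$arg" ;;
    set-file)
      [ -f "$arg" ] && [ -r "$arg" ] || { echo "cannot read file: $arg" >&2; return 1; }
      "$AZ" keyvault secret set --vault-name "$vault" --name "$name" --file "$arg" ;;
    read)
      "$AZ" keyvault secret show --vault-name "$vault" --name "$name" --query value --output tsv ;;
    *) echo "unknown action: $action" >&2; return 1 ;;
  esac
}
```

Rejecting an unknown environment letter or a malformed secret name before calling the CLI keeps a typo from writing to the wrong vault or creating an unintended secret.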
Refreshing secrets
To make sure the Benefits application uses the latest secret values in Key Vault, you will need to make a change to the app service’s configuration. If you don’t do this step, the application will instead use cached values, which may not be what you expect. See the Azure docs for more details.
The steps are:
- After setting new secret values, go to the App Service configuration in Azure Portal, and change the value of the setting named
- Save your changes.
The effects of following those steps should be:
- A restart of the App Service is triggered.
- The next time that our Azure infrastructure pipeline is run, the value of change_me_to_refresh_secrets is set back to the value defined in our Terraform file for the App Service resource.