j40-cejst-2/.github/workflows/ENVIRONMENT_VARIABLES.md
2024-12-19 11:04:44 -05:00


J40 Workflow Environment Variables and Secrets

Summary

The GitHub Actions workflows used to build and deploy the Justice40 data pipeline and website depend on some environment variables. Non-sensitive values are stored in the GitHub repo as environment variables. Sensitive values that should not be exposed publicly are stored in the repo as secrets.

List of Environment Variables

DESTINATION_FOLDER

A local environment variable in the Deploy Frontend Main workflow. It is derived from the branch name and used to name the deploy directory.

SCORE_VERSION

The version of the scoring to be deployed. The current version is "2.0".

List of Secrets

CENSUS_API_KEY

The key used to access US Census datasets via its APIs. A new key can be requested for free here.

CLIENT_DEV_AWS_ACCESS_KEY_ID

The AWS access key ID used to add/remove files in the S3_WEBSITE_BUCKET, as well as to invalidate the CloudFront distribution belonging to WEB_CDN_ID. This access key requires read/write access to the S3 bucket, and full access to the CloudFront distribution.

CLIENT_DEV_AWS_SECRET_ACCESS_KEY

The AWS secret access key belonging to CLIENT_DEV_AWS_ACCESS_KEY_ID.

DATA_CDN_ID

The ID of the AWS CloudFront distribution for the S3_DATA_BUCKET.

DATA_DEV_AWS_ACCESS_KEY_ID

The AWS access key ID used to add/remove files in the S3_DATA_BUCKET, as well as to invalidate the CloudFront distribution belonging to DATA_CDN_ID. This access key requires read/write access to the S3 bucket, and full access to the CloudFront distribution.

DATA_DEV_AWS_SECRET_ACCESS_KEY

The AWS secret access key belonging to DATA_DEV_AWS_ACCESS_KEY_ID.

DATA_SOURCE

Local variable that determines whether the website points to a local directory or uses the production AWS CDN for backend data. Value can be set to cdn or local.

DATA_URL

The full address of the backend data files hostname, currently https://static-data-screeningtool.geoplatform.gov. This information is public, so technically it could be changed to be a non-secret environment variable.

J40_TOOL_MONITORING_SLACK_ALERTS

The Slack webhook address used by the Ping Check workflow to send failure alerts.

SITE_URL

The full address of the Justice40 Website hostname, currently https://screeningtool.geoplatform.gov. This information is public, so technically it could be changed to be a non-secret environment variable.

S3_DATA_BUCKET

The name of the AWS S3 bucket hosting the files created by the data pipeline application.

S3_WEBSITE_BUCKET

The name of the AWS S3 bucket hosting the static website files.

WEB_CDN_ID

The ID of the AWS CloudFront distribution for the S3_WEBSITE_BUCKET.

Future Improvements

To improve security, a few items should be addressed. The use of AWS access keys should be replaced by a more secure solution such as OpenID Connect (OIDC). If continuing to use AWS access keys, then key rotation should be implemented using a process such as the one documented here. The CENSUS_API_KEY could be rotated, but it would have to be a manual process as there is no programmatic way to generate a new key.
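
The OIDC replacement suggested above, shown beside the static-key form it would replace. This is an added example, not the project's own workflow: the job names, the `./public` build directory, the region, the upload commands and the `CLIENT_DEV_AWS_ROLE_ARN` secret are assumptions, and the IAM role's trust policy must separately be limited to this repository's OIDC token.

```yaml
# Added example, not the project's workflow. Job names, ./public, the region,
# the upload commands and CLIENT_DEV_AWS_ROLE_ARN are assumptions.
name: Deploy Frontend (credential comparison)
on:
  push:
    branches: [main]

jobs:
  # Before: a long-lived access key pair stored as repository secrets.
  # It stays valid until someone rotates it, wherever it leaks to.
  deploy_with_static_keys:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.CLIENT_DEV_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.CLIENT_DEV_AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - name: Upload site
        env:
          S3_WEBSITE_BUCKET: ${{ secrets.S3_WEBSITE_BUCKET }}
        run: aws s3 sync ./public "s3://${S3_WEBSITE_BUCKET}" --delete

  # After: the job exchanges a GitHub-issued OIDC token for short-lived
  # role credentials, so no AWS key pair is stored in the repository.
  deploy_with_oidc:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # allows the job to request the OIDC token
      contents: read    # still required by actions/checkout
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.CLIENT_DEV_AWS_ROLE_ARN }}
          role-session-name: j40-frontend-deploy
          aws-region: us-east-1
      - name: Upload site and invalidate CDN
        env:
          # Passed through env so the values are never interpolated into the script text.
          S3_WEBSITE_BUCKET: ${{ secrets.S3_WEBSITE_BUCKET }}
          WEB_CDN_ID: ${{ secrets.WEB_CDN_ID }}
        run: |
          aws s3 sync ./public "s3://${S3_WEBSITE_BUCKET}" --delete
          aws cloudfront create-invalidation --distribution-id "${WEB_CDN_ID}" --paths "/*"
```

With this form the two `CLIENT_DEV_AWS_*` key secrets can be deleted, and the same pattern applies to the `DATA_DEV_AWS_*` pair with a separate role scoped to S3_DATA_BUCKET and DATA_CDN_ID.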