Improve the way to manage environment variables and secrets #104

Closed
longnd opened this issue Aug 16, 2022 · 3 comments · Fixed by #121

@longnd
Contributor

longnd commented Aug 16, 2022

Why

With the current structure, every time we need to add a new environment variable, we need to open a PR to define a new variable and add it into the container definition (example). That is tedious.
Inspired by the Varun project, we set a new way to do so in the EWA Payroll project: maintain a new variable environment_variables on Terraform Cloud as a JSON object; a new variable just needs to be added to it.
A similar approach (but less flexible) for secrets. These PRs can be used as references.
https://github.com/onward-venture/ewa-payroll-infra/pull/2
https://github.com/onward-venture/ewa-payroll-infra/pull/6
Wiki: https://github.com/worpt-wallet/wallet-api/wiki/Environment-Variables

Who benefits

All developers who need to occasionally define new environment variables and secrets when working on the tasks.

@andyduong1920
Member

If I understand correctly, we will store the secrets in only 1 key on Terraform Cloud, but the secret value must be stored as sensitive data. I'm wondering, when we add a new secret key, how do we update the Terraform variable, as the old keys were encrypted 🤔

@hoangmirs
Collaborator

@andyduong1920 In the Varun project, we store the whole secret object in 1Password, and whenever we added a new key, we updated 1Password as well.

It seems that is not a good way. In the Ewa project, when we add a new secret, we create the corresponding secret in AWS. But this will create many secrets if we have many.

I found a way we can improve this:

  1. Add secrets in variables.
  2. Create an object to store all secrets using terraform code.
  3. Create only 1 secret on AWS to store that object
  4. Pass that object to Task Definition
  5. In the application, we will fetch it, parse it into variables and add them to environment variables.

But I still feel it's not the best practice. Do you have any better options?
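The following Terraform is an added example, not code from this repository or from the EWA Payroll or Varun projects. It wires together both ideas in this thread: the `environment_variables` JSON object from the issue description, and the five-step single-secret layout from the comment above. Assumed names are `var.namespace`, `var.image` and `aws_iam_role.ecs_execution`; the two map variables are supplied as JSON objects on Terraform Cloud. One deliberate change from step 5: instead of the application fetching and parsing the JSON, the task definition uses the ECS `valueFrom` form `<secret ARN>:<json-key>::`, so ECS injects each key as an ordinary environment variable and the container never receives the whole blob.

```hcl
# Added example, not the project's own code. Assumed: var.namespace, var.image,
# aws_iam_role.ecs_execution. Map values come from Terraform Cloud JSON variables.

# Non-secret configuration: one map, maintained as a JSON object on Terraform Cloud.
variable "environment_variables" {
  type    = map(string)
  default = {}
}

# Step 1: all secrets in one variable. sensitive = true keeps the values out of
# plan output and of the Terraform Cloud UI once entered.
variable "secrets" {
  type      = map(string)
  sensitive = true
}

# Steps 2 and 3: the whole object becomes exactly one Secrets Manager secret.
resource "aws_secretsmanager_secret" "app" {
  name = "${var.namespace}/app-secrets"
}

resource "aws_secretsmanager_secret_version" "app" {
  secret_id     = aws_secretsmanager_secret.app.id
  secret_string = jsonencode(var.secrets)
}

locals {
  # Every key of the map becomes a plain container environment entry; adding a
  # key to the JSON object on Terraform Cloud needs no code change.
  container_environment = [
    for k, v in var.environment_variables : { name = k, value = v }
  ]

  # Steps 4 and 5 in one: ECS resolves "<secret ARN>:<json-key>::" at task start
  # and injects only that key's value. Key names are not secret, so nonsensitive()
  # lets them show in the plan while the values stay hidden.
  container_secrets = [
    for k in nonsensitive(keys(var.secrets)) : {
      name      = k
      valueFrom = "${aws_secretsmanager_secret.app.arn}:${k}::"
    }
  ]
}

resource "aws_ecs_task_definition" "app" {
  family                   = "${var.namespace}-app"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = aws_iam_role.ecs_execution.arn

  container_definitions = jsonencode([{
    name        = "app"
    image       = var.image
    essential   = true
    environment = local.container_environment
    secrets     = local.container_secrets
  }])
}

# Least privilege: the execution role (which fetches secrets on the task's
# behalf) may read this one secret and nothing else in Secrets Manager.
data "aws_iam_policy_document" "read_app_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.app.arn]
  }
}

resource "aws_iam_role_policy" "read_app_secret" {
  role   = aws_iam_role.ecs_execution.id
  policy = data.aws_iam_policy_document.read_app_secret.json
}
```

With this layout, adding a secret is a change to the JSON object on Terraform Cloud followed by an apply; the `for` expressions pick up the new key without a PR. Two caveats a practitioner should keep in mind: a sensitive workspace variable on Terraform Cloud cannot be read back in the UI, so adding one key means re-entering the whole object (which is the problem the question above points at); and `secret_string` is stored in Terraform state in plain text, so state access must be restricted as tightly as the secrets themselves.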

@andyduong1920
Member

> @andyduong1920 In the Varun project, we store the whole secret object in 1Password, and whenever we added a new key, we updated 1Password as well.
>
> It seems that is not a good way. In the Ewa project, when we add a new secret, we create the corresponding secret in AWS. But this will create many secrets if we have many.
>
> I found a way we can improve this:
>
> 1. Add secrets in variables.
> 2. Create an object to store all secrets using terraform code.
> 3. Create only 1 secret on AWS to store that object
> 4. Pass that object to Task Definition
> 5. In the application, we will fetch it, parse it into variables and add them to environment variables.
>
> But I still feel it's not the best practice. Do you have any better options?

@hoangmirs can we try the 1Password Terraform provider to get the value from 1Password and pass it into Terraform?

https://registry.terraform.io/providers/1Password/onepassword/latest/docs/data-sources/item

So we just need to update the ENV only on the 1Password side and let the Terraform script pull and handle that.

The downside is: when we transfer the project to the client, not sure we can transfer the 1Password ownership 🤔
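As an added example of the provider-based approach suggested above (not code from this repository), the block below reads one 1Password item with the `onepassword_item` data source and turns its custom fields into the secrets map that the single-secret layout needs. Assumptions: the `1Password/onepassword` provider authenticates through the `OP_CONNECT_HOST`/`OP_CONNECT_TOKEN` or `OP_SERVICE_ACCOUNT_TOKEN` environment variables of the Terraform Cloud run, the data source exposes `section[*].field[*]` with `label` and `value` attributes, and `var.onepassword_vault` and the item title are constructed names.

```hcl
# Added example, not the project's own code. Provider credentials are assumed to
# come from environment variables; vault variable and item title are constructed.

terraform {
  required_providers {
    onepassword = {
      source = "1Password/onepassword"
    }
  }
}

# No inline credentials: the Connect or service-account token is read from the
# environment of the Terraform Cloud run, so it never lands in code or state.
provider "onepassword" {}

variable "onepassword_vault" {
  description = "UUID or name of the vault holding the application secrets item"
  type        = string
}

# One 1Password item holds all secrets; each custom field is one secret key.
data "onepassword_item" "app_secrets" {
  vault = var.onepassword_vault
  title = "ewa-payroll-app-secrets"
}

locals {
  # Flatten every section's fields into { label => value }. Adding a secret is
  # then a new field on the item in 1Password; the next apply picks it up with
  # no change to this code and no variable to re-enter on Terraform Cloud.
  secrets = {
    for f in flatten([for s in data.onepassword_item.app_secrets.section : s.field]) :
    f.label => f.value
  }
}

# Same single-secret layout as before: the whole object becomes one Secrets
# Manager secret version, referenced per JSON key from the task definition.
resource "aws_secretsmanager_secret" "app" {
  name = "app-secrets"
}

resource "aws_secretsmanager_secret_version" "app" {
  secret_id     = aws_secretsmanager_secret.app.id
  secret_string = jsonencode(local.secrets)
}
```

This addresses the "how do we update the encrypted variable" question, because nothing secret is stored as a Terraform Cloud variable any more; the only credential Terraform holds is the 1Password token. Two things to check before relying on it: data source results are written to Terraform state, so the fetched values end up in state exactly as `var.secrets` would, and the vault, item and token all belong to the company's 1Password account, which is the handover concern raised above.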
