Secrets allow you to configure Components with sensitive values and keys.

Secrets are defined in a secrets.toml file and incorporated into the CloudFormation stack. This lets users enter the values when they click the stack link in the Nuon Dashboard, during the initial step of an Install, when the Runner is created as a VM. The Secrets are then stored in the user's AWS Secrets Manager.

Because the user creates the CloudFormation stack from that Nuon-generated CloudFormation template using their cloud credentials, the user can enter the secret values at that time. Nuon will never see the secret values, as they are not stored in the Nuon data plane.

Secrets can be used to configure Components and Actions using variables.

How do you configure a Secret?

Within your App Config directory, create a file named secrets.toml. This file will contain the configuration for your Secrets. Alternatively, you can create a directory named secrets and place individual Secret files inside it, such as github_app_key.toml and vendor_license_key.toml.

secrets.toml
#:schema https://api.nuon.co/v1/general/config-schema?source=secrets

[[secret]]
name         = "github_app_key"
display_name = "GitHub App Key"
description  = "Base64 encoded Github App Key"
required     = true

kubernetes_sync             = true
kubernetes_secret_namespace = "control-plane"
kubernetes_secret_name      = "github-app-key"
format = "base64"

[[secret]]
name = "rds_secret"
display_name = "database password"
description = "database password"
required = true

[[secret]]
name = "vendor_license_key"
display_name = "Vendor license key"
description = "Vendor license key"
required = true

kubernetes_sync = true
kubernetes_secret_namespace = "app"
kubernetes_secret_name = "vendor-license-key"

Use the key-value pair kubernetes_sync = true to indicate that the Secret should be synced to Kubernetes as a Secret object. The kubernetes_secret_namespace and kubernetes_secret_name fields specify where the Secret will be created in Kubernetes.

The nuon secrets command is deprecated and will be removed in a future release.

Configuring Components with Secrets

Reference the Secrets from AWS Secrets Manager as outputs from the CloudFormation stack, and then use them in your Component config.

components/helm.toml

name              = "helm"
type              = "terraform_module"
terraform_version = "1.11.3"

[public_repo]
directory = "helm"
repo      = "your-org/your-repo"
branch    = "main"

[vars]
vendor_license_key = "{{ .nuon.install_stack.outputs.vendor_license_key_arn }}"

Configuring Actions with Secrets

Reference the Secrets from AWS Secrets Manager as outputs from the CloudFormation stack, and then use them in your Actions config. In this example, the secret is assigned to an Action environment variable and then referenced in a script. Note the script is stored in the src directory of the App Config.

actions/rds_secrets.toml

[[triggers]]
type           = "post-deploy-component"
component_name = "rds_cluster"

[[steps]]
name    = "Copy RDS Secret for deployment"
command = "./rds_secrets/import.sh"

[steps.env_vars]
SECRET_ARN       = "{{ .nuon.install_stack.outputs.rds_secret_arn }}"

src/rds_secrets/import.sh

#!/usr/bin/env bash
set -euo pipefail

# SECRET_ARN is injected through [steps.env_vars]; the region is not set there,
# so it must come from the Runner environment (AWS_REGION, read by the aws CLI).
secret_arn="${SECRET_ARN:?SECRET_ARN must be set}"
region="${AWS_REGION:?AWS_REGION must be set}"

echo "[rds-secrets import] reading db access secrets from AWS"
# Capture the response in a variable; do not echo it, or the value ends up in the Action logs.
secret="$(aws --region "$region" secretsmanager get-secret-value --secret-id "$secret_arn")"

Changing Secrets Outside of the App Config

If you change a Secret value outside of the App Config (for example, directly in AWS Secrets Manager) and apply it to your infrastructure by manual means, be aware that Nuon will not detect the change. For Nuon to become aware of the change, you must either reprovision the Install, or review the Dependency Graph in the Dashboard and manually reinstall the Components or Actions that depend on the Secret.

If you have a use case for working with secret values that is not covered here, please let us know.