All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
Environment Changes

Steps to configure changes in the environment for deploying the tools

Last updated 28 days ago

Step-1: Update the domain name

Step-2: Modify the role attribute path for Grafana access (Grafana's `role_attribute_path`, a JMESPath expression evaluated over the OAuth user info that maps a signed-in user to the Viewer, Editor or Admin org role)

Step-3: Modify the retention, storage size, cluster name and targets based on the specific requirements

Step-4: Adjust the volume size and update the retention period accordingly

Optional: S3 bucket configuration (recommended for prod)

Caution: In the trust policy of the Web Identity (OIDC) IAM role, match the token's `sub` claim (`system:serviceaccount:<namespace>:<service-account>`) rather than only the `aud` claim. Every projected service-account token in an EKS cluster carries the same audience (`sts.amazonaws.com`), so a trust policy that checks only `aud` can be assumed from any pod in the cluster, not just Loki's.

Step-4a: Create an AWS Web Identity (OIDC) IAM role and attach the following permissions policy (bucket-level `s3:ListBucket` on the bucket ARN, object actions on `<s3-bucket>/*`).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccessToLokiBucket",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<s3-bucket>",
                "arn:aws:s3:::<s3-bucket>/*"
            ]
        }
    ]
}
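
The `sub`-versus-`aud` caution above, turned into a check you can run against a role's trust policy before annotating it onto the Loki service account. This is an added example, not part of the DIGIT docs or of any AWS tooling; the OIDC provider URL, account id, namespace and service-account name are made up for illustration.

```python
"""Check that an IRSA (EKS Web Identity) trust policy pins the Kubernetes
service account through the OIDC ``sub`` claim, not only the ``aud`` claim.

Added example, not part of the DIGIT docs. Provider URL, account id,
namespace and service-account name are constructed for illustration.
"""
import json

# Constructed values; substitute your cluster's OIDC provider and account id.
OIDC_PROVIDER = "oidc.eks.ap-south-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ACCOUNT_ID = "111122223333"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_pins_service_account(policy, namespace, service_account):
    """Return (ok, reason) for the web-identity statements of a trust policy.

    A statement passes only when a StringEquals condition on "<provider>:sub"
    equals exactly system:serviceaccount:<namespace>:<service_account>.
    Conditioning on "<provider>:aud" alone is rejected: every projected token
    in the cluster carries aud=sts.amazonaws.com, so it identifies no pod.
    """
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    seen_web_identity = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        seen_web_identity = True
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        sub_keys = [k for k in equals if k.endswith(":sub")]
        if not sub_keys:
            if any(k.endswith(":sub") for k in cond.get("StringLike", {})):
                return False, "sub is matched with a StringLike wildcard; pin the exact service account with StringEquals"
            return False, "no :sub condition; any pod in the cluster could assume this role"
        for key in sub_keys:
            subs = _as_list(equals[key])
            if subs != [expected_sub]:
                return False, f"{key} is {subs}, expected [{expected_sub!r}]"
    if not seen_web_identity:
        return False, "no Allow statement for sts:AssumeRoleWithWebIdentity"
    return True, "service account pinned via sub claim"


def _trust_policy(condition):
    """Build a minimal IRSA trust policy around the given Condition block."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Weak: only the audience is checked (constructed).
WEAK_TRUST_POLICY = _trust_policy(
    {"StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"}}
)

# Hardened: audience plus the exact service account (constructed).
HARDENED_TRUST_POLICY = _trust_policy({
    "StringEquals": {
        f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
        f"{OIDC_PROVIDER}:sub": "system:serviceaccount:monitoring:loki",
    }
})

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        ok, why = trust_policy_pins_service_account(pol, "monitoring", "loki")
        print(f"{name}: {'OK' if ok else 'REJECT'} - {why}")
    print(json.dumps(HARDENED_TRUST_POLICY, indent=2))
```

To check a live role, feed it the `AssumeRolePolicyDocument` returned by `aws iam get-role --role-name <role>` (the CLI returns it already URL-decoded as JSON). The namespace and service-account name you pass must be the ones the Loki chart creates, otherwise the check fails even for a correctly pinned role.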

Step-4b: Update the S3 bucket, region and role ARN in the Loki section of the environment file below. The ARN is the role from Step-4a; annotating it onto Loki's service account is what lets the pod obtain S3 credentials through IRSA instead of static access keys.

# deploy-as-code/helm/environments/egov-demo.yaml
loki:
  persistence:
    enabled: true
    accessModes:
      - ReadWriteOnce
    size: 10Gi
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: <s3-role-arn>    ## AWS arn for s3 role 
  additionalConfigs:
    schema_config:
      configs:
        - from: 2020-10-24
          store: boltdb-shipper
          object_store: s3                         ## AWS s3 as storage
          schema: v11
          index:
            prefix: index_
            period: 24h
    storage_config:
      boltdb_shipper:
        active_index_directory: /data/loki/index
        cache_location: /data/loki/index_cache
        shared_store: s3                           ## AWS s3 as storage
        cache_ttl: 24h
      aws:
        s3: s3://<region>/<s3-bucket>              ## s3 region & bucket
    compactor:
      working_directory: /data/loki/boltdb-shipper-compactor
      shared_store: s3                             ## AWS s3 as storage
      retention_enabled: true
      compaction_interval: 168h                    ## compaction in hours
    table_manager:
      retention_deletes_enabled: true
      retention_period: 168h                       ## retention in hours

Step-5: Make the required changes in the env-secrets file

Changes to the Alertmanager configuration in the env-secrets.yaml file.

Step-6: OAuth app configuration

Step-7: Authentication configuration for Grafana in env-secrets.yaml

Sample Env-Secrets File

cluster-configs:
   secrets:
       db:
           username: postgres
           password: test123
           flywayUsername: postgres
           flywayPassword: test123
       egov-filestore:
           awskey: jdfbjdfjvnbvdk
           awssecretkey: bxjcsvbvncajsb
       user:
           username: admin
           password: demo
       egov-enc-service:
           master_password: demo
           master_salt: q7.fr.cr
           master_initialvector: 9J&asfgrU-H2
       egov-notification-sms:
           username: demo
           password: demo
       egov-pg-service:
           axis_merchant_accesscode: demo
           axis_merchant_id: demo
           axis_merchant_pwd: demo
           axis_merchant_secretkey: demo
           axis_merchant_user: demo
           payu_merchant_key: demo
           payu_merchant_salt: demo
       egov-notification-mail:
           mailsenderusername: demo@demo
           mailsenderpassword: demo
       egov-location:
           gmapskey: jbsdbvxvcmbsmnx
       kafka:
           clusterID: HshRPdVrcvxWoB4kuTdEbawtq
       elasticsearch:
           password: <Password>
       oauth2:
           clientSecret: <Client Sec ID>    
           clientID: <Client ID>
       grafana:
           clientID: <OAuth-key>    ##change ID
           clientSecret: <OAuth-token> #change secrets key
       git-sync:
           ssh: |-
               -----BEGIN RSA PRIVATE KEY-----
               <private key of the deploy key used by git-sync; keep it out of unencrypted files>
               -----END RSA PRIVATE KEY-----
           known_hosts: github.com ssh-rsa <GitHub public host key>
       alertmanager:
           config:
               global:
                   slack_api_url: https://hooks.slack.com     ##change the slack api url
                   resolve_timeout: 5m
               route:
                   group_by:
                       - alertname
                   group_wait: 30s
                   receiver: slack-notification
                   group_interval: 5m
                   repeat_interval: 10m
                   routes:
                       - receiver: slack-notification
                         match_re:
                           severity: warning|critical
                         continue: true
                       - receiver: email-notification
                         match:
                           severity: critical
               receivers:
                   - name: slack-notification
                     slack_configs:
                       - channel: '<slack-channel>'     ##change the slack channel name 
                         send_resolved: true
                         username: Alertmanager
                         title: |
                           [{{ .Status | toUpper }}{{ if eq .Status "firing" }}:{{ .Alerts.Firing | len }}{{ end }}] {{ .CommonLabels.alertname }}
                         text: |-
                           {{ range .Alerts -}}
                           {{- "\n" -}}
                           *Alert:* {{ .Annotations.summary }}
                           {{ if .Labels.severity }}*Severity:* `{{ .Labels.severity }}`{{ end }}
                           *Cluster:* {{ .Labels.cluster }}
                           *Details:*
                           {{ .Annotations.description }}
                           {{ end }}
                         color: |-
                           {{ if eq .Status "firing" -}}
                             {{ if eq .CommonLabels.severity "warning" -}}
                               warning
                             {{- else if eq .CommonLabels.severity "critical" -}}
                               danger
                             {{- else -}}
                               #439FE0
                             {{- end -}}
                           {{ else -}}
                             good
                           {{- end }}
                   - name: email-notification
                     email_configs:
                       - to: <Email ID>    ##change the Email ID to get the alert in the Email
                         from: <Email ID>
                         smarthost: smtp.gmail.com:587
                          auth_username: <Email ID>           # Ex: unified.alerts@egovernments.org
                          auth_password: <Password>           # a Gmail app password, not the account password
                         send_resolved: true
                         headers:
                           subject: |
                               [{{ .Status | toUpper }}{{ if eq .Status "firing" }}:{{ .Alerts.Firing | len }}{{ end }}] {{ .CommonLabels.cluster }} - {{ .CommonLabels.alertname }}
                         html: |-
                           <html>
                           <head>
                           <title>Alert!</title>
                           </head>
                           <body>
                           {{ range .Alerts }}
                           <ul>
                           <li> <b>Alert Name:</b> {{ .Labels.alertname }} </li>
                           <li> <b>Severity:</b> {{ if eq .Labels.severity "critical" }}<b style="color:red;">CRITICAL</b>{{ else if eq .Labels.severity "warning" }}<b style="color:orange;">WARNING</b>{{ else }}<b>{{ .Labels.severity | toUpper }}</b>{{ end }} </li>
                           <li> <b>Summary:-</b> {{ .Annotations.summary }} </li>
                           <li> <b>Cluster:-</b> {{ .Labels.cluster }} </li>
                           <li> <b>Details:</b>
                             <p style="margin-left: 20px; white-space: pre-wrap;"> {{ .Annotations.description }} </p>
                           </li>
                           </ul><br>
                           {{ end }}
                           </body></html>
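
The `route` block of the sample above is easy to get subtly wrong: without `continue: true` on the Slack route, a critical alert stops there and never reaches the e-mail receiver. The following added example (not part of the DIGIT docs or of Alertmanager) re-implements the `match` / `match_re` / `continue` routing semantics in plain Python over a constructed tree that mirrors the sample, so you can see which receivers each alert reaches before deploying.

```python
"""Evaluate an Alertmanager routing tree for a few constructed alerts.

Added example, not part of the DIGIT docs or of Alertmanager itself. The
route trees and alert label sets below are constructed to mirror the
sample env-secrets.yaml.
"""
import re


def _route_matches(route, labels):
    """True when every match/match_re entry of the route holds for the labels."""
    for key, value in route.get("match", {}).items():
        if labels.get(key) != value:
            return False
    for key, pattern in route.get("match_re", {}).items():
        # Alertmanager anchors its regexes: the whole label value must match.
        if not re.fullmatch(pattern, labels.get(key, "")):
            return False
    return True


def route_alert(route, labels, inherited_receiver=None):
    """Return the receivers an alert with these labels is delivered to.

    Child routes are tried in order; the first match wins unless it sets
    continue: true, in which case later siblings are tried as well. A matched
    route whose own children do not match delivers to its receiver (or the
    one inherited from its parent). If nothing matches, the root receiver.
    """
    receiver = route.get("receiver", inherited_receiver)
    delivered = []
    for child in route.get("routes", []):
        if not _route_matches(child, labels):
            continue
        delivered.extend(route_alert(child, labels, receiver))
        if not child.get("continue", False):
            break
    return delivered or [receiver]


# Constructed routing tree mirroring the sample above.
ROUTE = {
    "receiver": "slack-notification",
    "routes": [
        {"receiver": "slack-notification",
         "match_re": {"severity": "warning|critical"},
         "continue": True},
        {"receiver": "email-notification",
         "match": {"severity": "critical"}},
    ],
}

# Same tree with continue: true dropped from the Slack route.
ROUTE_WITHOUT_CONTINUE = {
    "receiver": "slack-notification",
    "routes": [
        {"receiver": "slack-notification",
         "match_re": {"severity": "warning|critical"}},
        {"receiver": "email-notification",
         "match": {"severity": "critical"}},
    ],
}

# Constructed label sets.
SAMPLE_ALERTS = {
    "KubePodCrashLooping": {"severity": "critical", "cluster": "egov-demo"},
    "KubeDeploymentReplicasMismatch": {"severity": "warning", "cluster": "egov-demo"},
    "Watchdog": {"severity": "none", "cluster": "egov-demo"},
}

if __name__ == "__main__":
    for name, labels in SAMPLE_ALERTS.items():
        print(name, "->", route_alert(ROUTE, labels),
              "| without continue:", route_alert(ROUTE_WITHOUT_CONTINUE, labels))
```

With the sample tree a critical alert reaches both Slack and e-mail, a warning reaches Slack only, and anything else falls back to the root receiver (also Slack). Drop `continue: true` and critical alerts reach Slack only. For a real configuration, `amtool config routes test --config.file=alertmanager.yml severity=critical` gives the same answer from Alertmanager's own router.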
                       

Create KMS Key & Configure SOPS

Follow the steps below to create a KMS key and configure SOPS (the `sops` secrets editor) to encrypt and decrypt the env-secrets file with it.

1. Create IAM User & Attach Policies

  • Go to AWS Management Console.

  • Go to IAM and click Policies in the left-hand navigation.

  • Click Create policy, choose the JSON editor, paste the policy below and click Next. Replace `<account-id>` with your AWS account id.

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "AllowCreateRole",
           "Effect": "Allow",
           "Action": "iam:CreateRole",
           "Resource": "arn:aws:iam::<account-id>:role/*"
       }
   ]
}
  • Give the policy a name and click Create policy.

  • Now click Users in the left-hand navigation.

  • Click Add user, enter the user name and click Next.

  • Under Permission options choose Attach policies directly. Select AdministratorAccess, AWSKeyManagementServicePowerUser and the policy you created in the previous steps, then click Next. Note that AdministratorAccess is far more than SOPS needs: if this user exists only to encrypt and decrypt the secrets file, the `kms:Encrypt`/`kms:Decrypt` grant in the key policy below is sufficient on its own, and the two managed policies can be left off.

  • Verify the user name and that the three policies are attached, then click Create user.

2. Create KMS Key

  • Go to AWS Management Console.

  • Go to KMS, choose Customer managed keys and click Create key.

  • In Configure key, keep the default options and click Next. Provide an alias, make the IAM user created in the previous step a key administrator, select the users that are allowed to encrypt and decrypt with this key, then click Next.

  • Replace the key policy with the one below and click Finish. Put the IAM user you created in the `<IAM USER>` placeholder and your key-administrator principal (in the original environment an IAM Identity Center AdministratorAccess permission-set role) in `<key-administrator-role-arn>`. In a key policy, `"Resource": "*"` means the key the policy is attached to, which is why no key ARN appears below; the key does not exist yet when this policy is pasted. The user statement grants `kms:Encrypt` as well as `kms:Decrypt`, because `sops --encrypt` in step 3 wraps its data key with this key.

{
   "Version": "2012-10-17",
   "Id": "key-consolepolicy-3",
   "Statement": [
       {
           "Sid": "Enable IAM User Permissions",
           "Effect": "Allow",
           "Principal": {
               "AWS": "arn:aws:iam::<account-id>:root"
           },
           "Action": "kms:*",
           "Resource": "*"
       },
       {
           "Sid": "Allow access for Key Administrators",
           "Effect": "Allow",
           "Principal": {
               "AWS": "<key-administrator-role-arn>"
           },
           "Action": [
               "kms:Create*",
               "kms:Describe*",
               "kms:Enable*",
               "kms:List*",
               "kms:Put*",
               "kms:Update*",
               "kms:Revoke*",
               "kms:Disable*",
               "kms:Get*",
               "kms:Delete*",
               "kms:TagResource",
               "kms:UntagResource",
               "kms:ScheduleKeyDeletion",
               "kms:CancelKeyDeletion"
           ],
           "Resource": "*"
       },
       {
           "Sid": "Allow use of the key",
           "Effect": "Allow",
           "Principal": {
               "AWS": "arn:aws:iam::<account-id>:user/<IAM USER>"
           },
           "Action": [
               "kms:Encrypt",
               "kms:Decrypt",
               "kms:DescribeKey"
           ],
           "Resource": "*"
       },
       {
           "Sid": "Allow attachment of persistent resources",
           "Effect": "Allow",
           "Principal": {
               "AWS": "<key-administrator-role-arn>"
           },
           "Action": [
               "kms:CreateGrant",
               "kms:ListGrants",
               "kms:RevokeGrant"
           ],
           "Resource": "*",
           "Condition": {
               "Bool": {
                   "kms:GrantIsForAWSResource": "true"
               }
           }
       }
   ]
}
  • Copy the key ARN once the key has been created.

3. Placing the KMS key ARN in the deployment manifest

  • Put the ARN in the `kms` field of the creation rule in the `.sops.yaml` file below. sops locates `.sops.yaml` by walking up from the directory of the file being encrypted, so the rule must sit at or above `env-secrets.yaml`.

DIGIT-DevOps/blob/DIGIT-2.9LTS-monitoring/deploy-as-code/charts/.sops.yaml
  • Next, cd to deploy-as-code and run the command below. The file is encrypted in place: keys stay in clear, every value becomes an `ENC[...]` ciphertext and a `sops:` metadata block naming the KMS key is appended.

sops --encrypt --in-place charts/env-secrets.yaml
  • To view the plaintext again, decrypt with the command below. Only a principal allowed `kms:Decrypt` on the key can do this.

sops -d environments/env-secrets.yaml
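
The step that usually goes wrong is not the encryption but the commit that follows it: an `env-secrets.yaml` that was edited and not re-encrypted ends up in Git in clear. The following added example (not part of the DIGIT repos or of sops) is the check a pre-commit hook would run on the file text: every scalar outside the `sops:` metadata block must be an `ENC[...]` ciphertext and the metadata must name a KMS key. The two YAML samples, the ciphertexts and the key ARN in them are constructed; the shape of sops output (keys in clear, `ENC[AES256_GCM,...]` values, trailing `sops:` block) is real.

```python
"""Guard against committing env-secrets.yaml in plaintext.

Added example, not part of the DIGIT repos or of sops. Inspects YAML text
the way a pre-commit hook would, using only the standard library. Sample
inputs, ciphertexts and the KMS ARN below are constructed.
"""
import re

# "key: value" or "- key: value"; the value may be absent (mapping node).
KEY_VALUE = re.compile(r"^(\s*)(?:-\s+)?([A-Za-z0-9_.\-]+):(?:\s+(.*))?$")
ENCRYPTED = re.compile(r"^ENC\[AES256_GCM,data:")


def find_plaintext_values(yaml_text):
    """Return (has_kms_metadata, leaks); each leak is (line_no, key, text).

    Lines inside the top-level ``sops:`` block are metadata and are skipped,
    except to record whether a ``kms`` entry is present. Any other scalar
    that is not an ENC[...] ciphertext, and any continuation line of a block
    scalar (for example a PEM private key), is reported as plaintext.
    """
    in_sops_block = False
    has_kms = False
    leaks = []
    for line_no, raw in enumerate(yaml_text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = KEY_VALUE.match(raw.rstrip())
        if m is None:
            if not in_sops_block:
                leaks.append((line_no, None, stripped))
            continue
        indent, key, value = m.group(1), m.group(2), m.group(3)
        if len(indent) == 0:
            in_sops_block = key == "sops"
        if in_sops_block:
            has_kms = has_kms or key == "kms"
            continue
        if value is None:
            continue  # mapping node, nothing to encrypt here
        value = value.split(" #", 1)[0].strip()  # drop a trailing comment
        if not ENCRYPTED.match(value):
            leaks.append((line_no, key, value))
    return has_kms, leaks


def is_safe_to_commit(yaml_text):
    has_kms, leaks = find_plaintext_values(yaml_text)
    return has_kms and not leaks


# Constructed plaintext sample in the shape of env-secrets.yaml.
PLAINTEXT_SAMPLE = """\
cluster-configs:
  secrets:
    db:
      username: postgres
      password: test123   ##change me
    git-sync:
      ssh: |-
        -----BEGIN RSA PRIVATE KEY-----
        MIIEpAIBAAKCAQEAxMn4
        -----END RSA PRIVATE KEY-----
"""

# Constructed sample in the shape sops writes after --encrypt; ciphertexts are made up.
ENCRYPTED_SAMPLE = """\
cluster-configs:
  secrets:
    db:
      username: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
      password: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
    git-sync:
      ssh: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
sops:
  kms:
    - arn: arn:aws:kms:ap-south-1:111122223333:key/00000000-0000-0000-0000-000000000000
      created_at: "2024-01-01T00:00:00Z"
      enc: AQICAHexample==
  lastmodified: "2024-01-01T00:00:00Z"
  mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
  version: 3.8.1
"""

if __name__ == "__main__":
    for name, text in (("plaintext", PLAINTEXT_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        has_kms, leaks = find_plaintext_values(text)
        print(f"{name}: kms metadata={has_kms}, plaintext lines={len(leaks)}, "
              f"safe={is_safe_to_commit(text)}")
        for line_no, key, value in leaks:
            print(f"  line {line_no}: {key or '(block scalar)'} = {value[:40]}")
```

Run it from a pre-commit hook on the staged copy of the file and refuse the commit when `is_safe_to_commit` is false. If your `.sops.yaml` uses `encrypted_regex` or `unencrypted_suffix` to leave some keys in clear on purpose, exempt those keys in the check rather than weakening it for the whole file.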

Note: Refer to the official docs for detailed configuration.