[CX-2682, CX-2683, CX-2684] - Move all configuration/secrets to AWS Secret Manager (#2)

* [CX-2682, CX-2684] - Move all configuration/secrets to AWS Secret Manager

* CX-2682: Addressed code review changes.

* CX-2682: Removed unwanted files.

* CX-2683: Fix the code vulnerabilities/snyk reported issues

* [CX-2682] Redis TTL & Ping endpoint.

* CX-2682: Addressed code review changes.

Author: vivekpunchh

Dockerfile

@@ -0,0 +1,26 @@
+# Build the application from source
+FROM golang:1.21.5 AS build-stage
+
+WORKDIR /app
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+
+RUN CGO_ENABLED=0 GOOS=linux go build -o /server main.go
+
+# Deploy the application binary into a lean image
+FROM alpine:3.21.3 AS build-release-stage
+
+RUN apk update \
+  && apk --no-cache add ca-certificates \
+  && apk --no-cache add -U tzdata \
+  && rm -rf /var/cache/apk/*
+
+WORKDIR /usr/app/
+
+COPY --from=build-stage server .
+
+EXPOSE 8080
+ENTRYPOINT ["./server"]

config/app.json

@@ -2,61 +2,25 @@ package config
 
 import (
 	"encoding/json"
+	"fmt"
 	"os"
-	"os/exec"
-	"path/filepath"
+	"strconv"
 	"strings"
-)
-
-var configFile *appConfig
-
-func getExcPath() string {
-	file, _ := exec.LookPath(os.Args[0])
-	// 获取包含可执行文件名称的路径
-	path, _ := filepath.Abs(file)
-	// 获取可执行文件所在目录
-	index := strings.LastIndex(path, string(os.PathSeparator))
-	ret := path[:index]
-	return strings.Replace(ret, "\\", "/", -1)
-}
-
-func GetConfig() appConfig {
-	if configFile != nil {
-		return *configFile
-	}
-	path := getExcPath()
-	var mode modeConfig = readJson[modeConfig](path + "/config/app.json")
-
-	appConfig := readJson[appConfig](path + "/config/app." + mode.Mode + ".json")
-	configFile = &appConfig
-	return *configFile
-}
-
-func readJson[T any](path string) T {
-	file, err := os.Open(path)
-	if err != nil {
-		panic(path + " config not found")
-	}
-	defer file.Close()
-	decoder := json.NewDecoder(file)
+	"sync"
 
-	var jsonF T
-	decoder.Decode(&jsonF)
-	return jsonF
-}
-
-type modeConfig struct {
-	Mode string
-}
+	"github.com/go-playground/validator/v10"
+)
 
 type appConfig struct {
 	DBUser          dbConfig
 	Redis           redisConfig
 	CodePush        codePush
 	UrlPrefix       string
 	Port            string
-	ResourceUrl     string
+	ResourceUrl     string `json:"resource_url" validate:"required"`
 	TokenExpireTime int64
+	Environment     string `json:"environment" validate:"required"`
+	TenantName      string `json:"tenant_name" validate:"required"`
 }
 type dbConfig struct {
 	Write           dbConfigObj
@@ -65,38 +29,196 @@ type dbConfig struct {
 	ConnMaxLifetime uint
 }
 type dbConfigObj struct {
-	UserName string
-	Password string
-	Host     string
-	Port     uint
-	DBname   string
+	UserName string `json:"db_username" validate:"required"`
+	Password string `json:"db_password" validate:"required"`
+	Host     string `json:"db_host" validate:"required"`
+	Port     uint   `json:"db_port" validate:"required"`
+	DBname   string `json:"db_name" validate:"required"`
 }
 type redisConfig struct {
-	Host     string
-	Port     uint
-	DBIndex  uint
-	UserName string
-	Password string
+	Host     string `json:"redis_host" validate:"required"`
+	Port     uint   `json:"redis_port" validate:"required"`
+	DBIndex  uint   `json:"redis_db_index"`
+	UserName string `json:"redis_username"`
+	Password string `json:"redis_password"`
 }
 type codePush struct {
-	FileLocal string
+	FileLocal string `json:"build_save_location" validate:"required"`
 	Local     localConfig
 	Aws       awsConfig
 	Ftp       ftpConfig
 }
 type awsConfig struct {
-	Endpoint         string
-	Region           string
-	S3ForcePathStyle bool
-	KeyId            string
-	Secret           string
-	Bucket           string
+	Endpoint         string `json:"aws_s3_endpoint" validate:"required"`
+	Region           string `json:"aws_region" validate:"required"`
+	S3ForcePathStyle bool   `json:"aws_s3_force_path_style" validate:"required"`
+	KeyId            string `json:"aws_access_key_id" validate:"required"`
+	Secret           string `json:"aws_secret_access_key" validate:"required"`
+	Bucket           string `json:"aws_s3_bucket_name" validate:"required"`
 }
 type ftpConfig struct {
-	ServerUrl string
-	UserName  string
-	Password  string
+	ServerUrl string `json:"ftp_server_url"`
+	UserName  string `json:"ftp_username"`
+	Password  string `ftp_password`
 }
 type localConfig struct {
-	SavePath string
+	SavePath string `json:"local_build_save_path"`
+}
+
+var config *appConfig
+var once sync.Once
+
+func GetConfig() *appConfig {
+	once.Do(func() {
+		config = LoadConfig()
+	})
+	return config
+}
+
+func LoadConfig() *appConfig {
+	fmt.Println("Fetching config from AWS secret manager...")
+	keys := []string{
+		"global",  // Global secrets
+		"tenant",  // Tendancy punchh-server secrets
+		"service", // Email template secrets
+		"db",      // DB secrets
+	}
+
+	var config appConfig
+
+	var dbObj dbConfigObj
+	var redis redisConfig
+	var buildSaveLocation codePush
+	var aws awsConfig
+	var ftp ftpConfig
+
+	// default values
+	config.DBUser.MaxIdleConns = 5
+	config.DBUser.MaxOpenConns = 20
+	config.DBUser.ConnMaxLifetime = 300
+
+	config.Port = ":8080"
+	config.UrlPrefix = "/"
+	config.ResourceUrl = ""
+	config.TokenExpireTime = 1 //in days
+
+	for _, key := range keys {
+		key = key + "_secrets"
+
+		data, ok := os.LookupEnv(key)
+		if !ok {
+			fmt.Println("config: no secrets found for - ", key)
+			continue
+		}
+
+		secrets := make(map[string]interface{})
+		if err := json.Unmarshal([]byte(data), &secrets); err != nil {
+			fmt.Println("config: error unmarshalling secrets for - ", key)
+			panic(err)
+		}
+
+		for k, v := range secrets {
+			k = strings.ToLower(k)
+			fmt.Println(k)
+			// DB
+			if k == "db_username" {
+				dbObj.UserName = v.(string)
+			}
+			if k == "db_password" {
+				dbObj.Password = v.(string)
+			}
+			if k == "db_host" {
+				dbObj.Host = v.(string)
+			}
+			if k == "db_port" {
+				u64, _ := strconv.ParseUint(v.(string), 10, 32)
+				dbObj.Port = uint(u64)
+			}
+			if k == "db_name" {
+				dbObj.DBname = v.(string)
+			}
+
+			// Redis
+			if k == "redis_host" {
+				redis.Host = v.(string)
+			}
+			if k == "redis_port" {
+				u64, _ := strconv.ParseUint(v.(string), 10, 32)
+				redis.Port = uint(u64)
+			}
+			if k == "redis_db_index" {
+				u64, _ := strconv.ParseUint(v.(string), 10, 32)
+				redis.DBIndex = uint(u64)
+			}
+			if k == "redis_username" {
+				redis.UserName = v.(string)
+			}
+			if k == "redis_password" {
+				redis.Password = v.(string)
+			}
+
+			// local bundle save location
+			if k == "build_save_location" {
+				buildSaveLocation.FileLocal = v.(string)
+			}
+
+			// AWS
+			if k == "aws_s3_endpoint" {
+				aws.Endpoint = v.(string)
+			}
+			if k == "aws_region" {
+				aws.Region = v.(string)
+			}
+			if k == "aws_s3_force_path_style" {
+				aws.S3ForcePathStyle = true
+			}
+			if k == "aws_access_key_id" {
+				aws.KeyId = v.(string)
+			}
+			if k == "aws_secret_access_key" {
+				aws.Secret = v.(string)
+			}
+			if k == "aws_s3_bucket_name" {
+				aws.Bucket = v.(string)
+			}
+
+			// ftp
+			if k == "ftp_server_url" {
+				ftp.ServerUrl = v.(string)
+			}
+			if k == "ftp_username" {
+				ftp.UserName = v.(string)
+			}
+			if k == "ftp_password" {
+				ftp.Password = v.(string)
+			}
+			// common
+
+			// if build_save_location is set to `local` then resource URL should the self server URL
+			// if build_save_location is set to `aws` then resource URL should the AWS S3 bucket URL
+			if k == "resource_url" {
+				config.ResourceUrl = v.(string)
+			}
+			if k == "tenant_name" {
+				config.TenantName = v.(string)
+			}
+
+			if k == "environment" {
+				config.Environment = v.(string)
+			}
+		}
+	}
+	config.DBUser.Write = dbObj
+	config.Redis = redis
+	config.CodePush = buildSaveLocation
+	config.CodePush.Aws = aws
+	config.CodePush.Ftp = ftp
+
+	// validate the config
+	validate := validator.New()
+	if err := validate.Struct(config); err != nil {
+		fmt.Println("config: invalid/missing configuration", err)
+		panic(err)
+	}
+	return &config
 }