docs: mark ssm-deploys-retire-ssh as shipped#173
Open
prog-strength-developer[bot] wants to merge 1 commit into
Shipped: ssm-deploys-retire-ssh

Production deploys no longer ride an SSH channel: a standing, long-lived key that granted an interactive shell as `ubuntu` (effectively root) and required port 22 open to the world. Deploys now run through AWS SSM Run Command authenticated by the existing OIDC role, app secrets live in infra-owned AWS Secrets Manager (seeded from GitHub, never on a deploy), and inbound port 22 is closed.

SOW: `sows/ssm-deploys-retire-ssh.md`

Implementation PRs

- `prog-strength-infra#46` — Secrets Manager containers (`prog-strength-backend/prod/{api,mcp,agent}`, values never in TF state) + instance-role `GetSecretValue` & `AmazonSSMManagedInstanceCore` + OIDC create/seed grants; on-host `deploy/*.sh` scripts that render `.env` from Secrets Manager; `seed-secrets.yml`; SSM-based `deploy-caddy.yml`; SSH (port 22) ingress removed; `jq` + SSM agent in bootstrap.
- `prog-strength-api#64` — `release.yml` + `manual-deploy.yml` deploy jobs → OIDC + `aws ssm send-command` invoking `deploy/api.sh`; dropped the 16-secret `envs:` forwarding; `DEPLOYMENT.md` scrubbed of `EC2_HOST`/`EC2_SSH_KEY` and host layout corrected.
- `prog-strength-mcp#14` — `release.yml` + `manual-deploy.yml` → SSM Run Command invoking `deploy/mcp.sh`; README secrets table removed (no repo-level deploy secret needed).
- `prog-strength-agent#21` — `release.yml` + `manual-deploy.yml` → SSM Run Command invoking `deploy/agent.sh`; dropped the 4-secret `envs:` forwarding; README deploy note added.

Deployment

1. `prog-strength-infra#46` (Add SOW: live workout logging session) — Merge and let `apply.yml` run first. This creates the Secrets Manager containers, grants the instance role `GetSecretValue` + SSM managed-node registration, grants the OIDC role create/seed, lands the `deploy/*.sh` scripts on the next infra pull, and closes port 22. Then run `seed-secrets.yml` to populate the blobs from the current GitHub secrets, and confirm the host shows as a managed node (`aws ssm describe-instance-information`). On the live host (it predates the bootstrap change): `apt-get install -y jq` and confirm the SSM agent is registered. Merges first because until the scripts exist on the host and the secrets are seeded, every service repo's SSM deploy would fail (no script to invoke, no secrets to read) — and the IAM/managed-node registration the service deploys assume comes from here.
2. `prog-strength-api#64` (docs: mark planned-workout-activity-reconciliation as shipped), `prog-strength-mcp#14` (docs: mark bodyweight-goal-and-page-polish as shipped), and `prog-strength-agent#21` (docs: add system architecture diagram) — can merge in parallel because they don't depend on each other; each only depends on infra being deployed and seeded. Each repo's next release (or a Manual Deploy `workflow_dispatch`) then runs over SSM. Until infra deploys, these workflows' `aws ssm send-command` would 4xx (no script / no secret / role not yet granted), so do not merge them ahead of step 1.
3. Remove the `EC2_SSH_KEY` and `EC2_HOST` org secrets in GitHub settings (out of band of these PRs). The app-config GitHub secrets stay — they seed Secrets Manager.
4. Verify Session Manager break-glass (`aws ssm start-session`) works before relying on the closed port — that is the safety gate against locking yourself out.

Verification after rollout

- `aws ssm describe-instance-information` lists the instance (tag `Name=prog-strength-prod-backend`).
- `seed-secrets.yml` run is green; `aws secretsmanager get-secret-value --secret-id prog-strength-backend/prod/api` returns the expected keys, and the `jq` render produces a `.env` byte-equivalent to the previous SSH-written one.
- Run the `agent` Manual Deploy over SSM and confirm a green deploy with the service healthy and `.env` correct, before relying on the rest.
- `aws ssm start-session --target <instance-id>` opens a shell (break-glass verified) before port 22 is closed.
- `https://api.progstrength.fitness/health` returns 200 (80/443 still serve) and an SSM deploy still succeeds.
- `deploy-caddy.yml` (`workflow_dispatch`) reloads Caddy green and the Let's Encrypt certs persist.

Merging this PR flips `ssm-deploys-retire-ssh` to `status: shipped` in `prog-strength-docs/sows/ssm-deploys-retire-ssh.md` — that is the canonical signal the work is complete.
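As an added illustration (not code from the prog-strength repos), this is the shape of the `release.yml` / `manual-deploy.yml` deploy step after the switch to SSM Run Command: resolve the managed node by its `Name` tag, send the command under the OIDC-derived credentials, wait, and gate the job on the invocation status rather than on `send-command` exiting 0. The tag value is the one from the verification list; the on-host script path `/opt/prog-strength/deploy/api.sh` is an assumption.

```shell
#!/usr/bin/env sh
# Added example (not code from the prog-strength repos): the body of the
# release.yml / manual-deploy.yml deploy step after the switch to SSM Run Command.
# The runner already holds OIDC-derived AWS credentials (no EC2_SSH_KEY, no port 22).
# Assumptions not taken from the PR: the host is found by its Name tag and the
# on-host script path is /opt/prog-strength/deploy/api.sh.
set -eu

TARGET_TAG="${TARGET_TAG:-prog-strength-prod-backend}"             # tag named in the verification list
DEPLOY_SCRIPT="${DEPLOY_SCRIPT:-/opt/prog-strength/deploy/api.sh}" # assumed install path

# Return 0 only when a get-command-invocation JSON document reports Status=Success.
# This gate matters: `aws ssm send-command` exits 0 as soon as the command is
# queued, so without it a failing deploy/api.sh still leaves the job green.
deploy_succeeded() {
  status=$(printf '%s\n' "$1" | sed -n 's/.*"Status": *"\([A-Za-z]*\)".*/\1/p')
  [ "$status" = "Success" ]
}

ssm_deploy() {
  # Resolve the managed node by tag; fail fast if the host never registered.
  instance_id=$(aws ssm describe-instance-information \
    --filters "Key=tag:Name,Values=$TARGET_TAG" \
    --query 'InstanceInformationList[0].InstanceId' --output text)
  if [ -z "$instance_id" ] || [ "$instance_id" = "None" ]; then
    echo "no SSM managed node tagged Name=$TARGET_TAG" >&2
    return 1
  fi

  command_id=$(aws ssm send-command \
    --instance-ids "$instance_id" \
    --document-name AWS-RunShellScript \
    --comment "deploy api ${GITHUB_SHA:-manual}" \
    --parameters "commands=[\"sudo $DEPLOY_SCRIPT\"]" \
    --query 'Command.CommandId' --output text)

  # Block until the invocation is terminal. The waiter itself fails on non-Success
  # states, so do not let that short-circuit before the output is fetched.
  aws ssm wait command-executed --command-id "$command_id" --instance-id "$instance_id" || true
  invocation=$(aws ssm get-command-invocation --command-id "$command_id" \
    --instance-id "$instance_id" --output json)
  # Surface the on-host script output in the job log, then gate on Status.
  aws ssm get-command-invocation --command-id "$command_id" --instance-id "$instance_id" \
    --query 'StandardOutputContent' --output text
  deploy_succeeded "$invocation"
}

# Only perform the deploy when invoked explicitly; sourcing the file has no side effects.
if [ "${1:-}" = "--deploy" ]; then ssm_deploy; fi
```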
🤖 Generated with Claude Code