@kvncrw
Created March 13, 2026 21:19
AppConfig .NET Migration Context Dump

AppConfig .NET Migration - Session Summary

Objective

Migrate database migration workflows to AWS AppConfig while resolving the "edge case" where .NET services require a fully-baked appsettings.json (handling Container-Runtime-Population markers) without leaking secrets into build artifacts.

Solutions Implemented

1. appconfig_toolkit (PR #74)

  • New render command: Fetches config from AppConfig and resolves secrets.
  • Recursive Resolution: Handles nested JSON objects and lists in appsettings.json.
  • Placeholder Baking: Specifically resolves Container-Runtime-Population strings by searching Secrets Manager connection strings.
  • Role Assumption: Supports sts:AssumeRole with EXTERNAL_ID="appconfig-cicd".
  • Robust Search: Checks both hyphenated and underscored service names across all applications.
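
The recursive resolution and name matching described above, sketched as an added example (not the appconfig_toolkit code). Assumptions: the in-memory `SECRETS` dict stands in for Secrets Manager, a placeholder is matched to a secret by the name of the JSON key that holds it, and all sample values are constructed. An unresolved marker raises instead of being written out, so a half-baked appsettings.json never reaches the container.

```python
MARKER = "Container-Runtime-Population"  # marker string named in the summary


def name_variants(service):
    """Spellings to try for a service name: as given, hyphenated, underscored."""
    candidates = [service, service.replace("_", "-"), service.replace("-", "_")]
    return list(dict.fromkeys(candidates))  # de-duplicate, keep order


def find_secret(secrets, service, key):
    """Look up `key` under any spelling of `service`; None if absent."""
    for name in name_variants(service):
        value = secrets.get(name, {}).get(key)
        if value is not None:
            return value
    return None


def render(node, service, secrets, path=""):
    """Return a resolved copy of `node`; the raw input is never mutated."""
    if isinstance(node, dict):
        return {k: render(v, service, secrets, f"{path}.{k}" if path else k)
                for k, v in node.items()}
    if isinstance(node, list):
        return [render(v, service, secrets, f"{path}[{i}]")
                for i, v in enumerate(node)]
    if isinstance(node, str) and MARKER in node:
        # Assumed matching rule: the nearest enclosing key names the secret.
        key = path.rsplit(".", 1)[-1].split("[")[0]
        value = find_secret(secrets, service, key)
        if value is None:
            # Fail closed: report the path, never the secret material.
            raise KeyError(f"unresolved {MARKER} at {path}")
        return value
    return node


# Constructed sample data, not real configuration or credentials.
RAW = {
    "Logging": {"LogLevel": {"Default": "Information"}},
    "ConnectionStrings": {"BookingDb": MARKER},
    "Replicas": [MARKER, "Host=static;Database=ro"],
}
SECRETS = {"booking-service": {"BookingDb": "Host=db;Password=example",
                               "Replicas": "Host=replica;Password=example"}}

if __name__ == "__main__":
    print(render(RAW, "booking_service", SECRETS))
```

Because `render` returns a new structure, the same raw document can be written to the repo with placeholders intact while the resolved copy goes only to the runtime mount.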

2. devops_pipelines (PR #63)

  • Two-Stage Fetch: fetch-appconfig.sh now pulls a "raw" config (with placeholders) for the repo and a "resolved" config (with secrets) to a hidden directory.
  • Secure Runtime Mount: dotnet-db-auto-migration-v1.sh mounts the resolved config directly into the container, keeping the build context clean.
  • Credential Isolation: Isolated cross-account role credentials using temporary variables to prevent breaking subsequent ECR logins.
  • Workflow Updates: Added toolkit setup and AWS credential logic to all migration entry points (cicd-db-auto-migration-v1.yml, cicd-db-v1.yml, cicd-db-legacy-v1.yml).
  • Detection Fallback: Prioritizes find-based auto-detection for apidir while maintaining metadata as a fallback.

3. devops_aws_terraform (PR #56)

  • IAM Fix: Updated cicd-appconfig-cross-account-access role trust policy to allow the local account root (and thus eks_mgmt).
  • User Permission: Explicitly granted sts:AssumeRole on the cross-account roles to the eks_mgmt user in iam.tf.

Verification Status

  • Successes: approval_service, booking_service, optimize_service_sync, integration_service, validation_service.
  • Infrastructure Noise: Some failures persist due to unrelated TIER variable errors in Helm scripts or ImagePullBackOff.
  • Branch: test/appconfig-migrations-integration across all three repos.

PR Links
