services/auth/config.yml

defaults:
  taskcluster:
    rootUrl:                  !env TASKCLUSTER_ROOT_URL
  app:
    # Name of component in statistics
    statsComponent:           auth

    # Static clients, these clients are built-in from start, and can't be
    # modified or deleted at runtime. Useful for granting clientIds to other
    # services and boostrapping with a root client.
    # Each entry must have: clientId, accessToken, description, scopes
    # where clientId MUST start with 'static/', by convention these namespaced:
    #    static/<project>/<name>
    staticClients: !env:json STATIC_CLIENTS

    # Maximum before updating lastUsed, MUST be negative
    # A sane value is something like 6 hours as all nodes will race to update
    # this value, and it's really only a best effort service.
    maxLastUsedDelay:         '- 6 hours'

    # Sentry configuration
    # The authToken _must_ have at least project:{read,write,admin} and org:read
    sentry:
      organization:             !env:optional SENTRY_ORGANIZATION
      hostname:                 !env:optional SENTRY_HOST
      authToken:                !env:optional SENTRY_AUTH_TOKEN
      initialTeam:              !env:optional SENTRY_TEAM
      keyPrefix:                !env:optional SENTRY_KEY_PREFIX

    # Delay before expiring sentry keys, this should be negative!
    sentryExpirationDelay:      '- 15 minutes'

    # Similarly, delay before deleting expired clients
    clientExpirationDelay:      '-1 hour'

    websocktunnel:
      secret:                   !env:optional WEBSOCKTUNNEL_SECRET

    # Overrides of s3 buckets for redeployability
    # Leave unset if running inside Heroku
    buckets:
      docs:                     !env:optional DOCS_BUCKET
      schemas:                  !env:optional SCHEMAS_BUCKET
      references:               !env:optional REFS_BUCKET

    # Name of a kinesis firehose stream to write audit logs to
    auditLog:                   !env:optional AUDIT_LOG

  monitoring:
    level:                      !env:optional LEVEL
    errorConfig:                !env:json:optional ERROR_CONFIG

  server:

    # Port to listen for requests on
    port:                     !env:number PORT

    # Environment 'development' or 'production'
    env:                      !env NODE_ENV
    development:              false

    # Force SSL, not useful when runnning locally
    forceSSL:                 !env:bool FORCE_SSL

    # Trust a forwarding proxy
    trustProxy:               !env:bool TRUST_PROXY

  azure:
    # deprecated way of specifying an encryption key
    cryptoKey:               !env:optional AZURE_CRYPTO_KEY

  postgres:
    readDbUrl:               !env READ_DB_URL
    writeDbUrl:              !env WRITE_DB_URL
    dbCryptoKeys:            !env:json:optional DB_CRYPTO_KEYS

  pulse:
    username:                 !env PULSE_USERNAME
    password:                 !env PULSE_PASSWORD
    hostname:                 !env PULSE_HOSTNAME
    vhost:                    !env PULSE_VHOST

  # Accounts that auth can delegate access to, as JSON
  azureAccounts:            !env:json:optional AZURE_ACCOUNTS

  awsCredentials:
    # Configuration for the AWS credentials used for the awsS3Credentials.  The
    # method looks up the credentials by bucket name.  Each array element has
    # the form
    # - accessKeyId: ..
    #   secretAccessKey: ..
    #   buckets: [bucket1, bucket2, ..]
    allowedBuckets:            !env:json:optional AWS_CREDENTIALS_ALLOWED_BUCKETS

  # Configuration for the GCP serviceAccounts to which the `gcpCredentials`
  # endpoint can grant access.
  gcpCredentials:
    # This has the form {
    #   "projectName": {
    #     # credentials for a serviceAccount in this project that has
    #     # roles/iam.serviceAccountTokenCreator.
    #     "credentials": {
    #       "type": ..,
    #       "project_id": ..,
    #       ..
    #     },
    #     # allowed service accounts in this project
    #     "allowedServiceAccounts": ["accountName1", ..]
    #   }, ..
    # }
    # If omitted, it defaults to {}
    allowedProjects:          !env:json:optional GCP_CREDENTIALS_ALLOWED_PROJECTS

  # new relic config (processed in services/prelude.js)
  newRelic: !env:json:optional NEW_RELIC

test:
  app:
    statsComponent:           auth-tests
    staticClients:  # overridden in helper.js
    # Special value for tests, as we don't want to wait forever
    maxLastUsedDelay:         '- 3 seconds'
    sentry:
      organization:             operations
      hostname:                 sentry.prod.mozaws.net
      authToken:                whatever
      initialTeam:              taskcluster
      keyPrefix:                auth-test
    websocktunnel:
      secret:                   'test-secret'
  azure:
    cryptoKey:           AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  server:
    forceSSL:                 false
    port:                     60552
    env:                      development
    development:              true
    trustProxy:               true
  taskcluster:
    rootUrl: "https://tc.example.com"