Dual-slot credential rotation for OpenEMR on EKS + EFS.
Full operational guide: See docs/CREDENTIAL_ROTATION_GUIDE.md for architecture diagrams, the operational runbook, failure scenarios, and infrastructure setup (Terraform, IAM, RBAC).
- Database configuration is read from
sites/default/sqlconf.phpon the shared EFS volume. - The K8s Secret
openemr-db-credentialsis patched with new credentials after rotation. - Runtime refresh uses a rolling restart of the
openemrDeployment for zero-downtime config pickup.
python -m credential_rotation.cli --log-jsonFlags:
--dry-run— Evaluate flow without mutating state--log-json— Emit structured JSON status output--sync-db-users— Sync RDS users to match slot secrets (no flip)--fix-permissions— Fix sqlconf.php permissions (chmod 644)
| Variable | Description |
|---|---|
AWS_REGION |
AWS region |
RDS_SLOT_SECRET_ID |
ARN of the dual-slot RDS secret |
RDS_ADMIN_SECRET_ID |
ARN of the RDS admin secret |
OPENEMR_SITES_MOUNT_ROOT |
EFS mount path for OpenEMR sites |
K8S_NAMESPACE |
Kubernetes namespace (e.g., openemr) |
K8S_DEPLOYMENT_NAME |
Deployment name (e.g., openemr) |
K8S_SECRET_NAME |
K8s Secret name (e.g., openemr-db-credentials) |
OPENEMR_HEALTHCHECK_URL |
(optional) Health check URL |
- Determine active slot (
AorB) - Select standby slot
- Validate admin credentials (auto-heals drift)
- Sync DB users to match slot secrets
- Update EFS
sqlconf.phpto standby credentials - Patch K8s Secret with standby credentials
- Rolling restart the Deployment
- Validate DB + app health
- Flip
active_slotin Secrets Manager - Rotate old slot credentials
- Rotate admin password
- If flip validation fails: revert
sqlconf.php, restore K8s Secret, restart again, re-validate, fail. - If old-slot rotation fails: keep app on current active slot and fail.
pip install -r requirements.txt
pytest tests/