7. Future Considerations
7.1 Supersession by RFC-SECOPS-0001
This RFC is explicitly designed to be superseded. RFC-SECOPS-0001 defines the target Vault-first, GitOps-native secret management architecture. When that architecture is fully operational, this interim RFC transitions to Superseded status.
7.1.1 Supersession Trigger
The supersession occurs when all Phase 2 completion criteria (Section 5.4.5) are satisfied:
| Criterion | Description |
|---|---|
| All secrets in Vault | Every platform secret resides in HashiCorp Vault |
| ESO points to Vault | All ExternalSecret resources reference the Vault SecretStore |
| Secrets Manager decommissioned | No secrets remain in AWS Secrets Manager |
| RFC-SECOPS-0001 operational | Full Vault-first architecture is active |
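As an added example that is not part of this RFC, the following Python script scores the two criteria above that can be checked mechanically (ESO store references and an empty Secrets Manager) from the JSON that `kubectl get externalsecrets -A -o json` and `aws secretsmanager list-secrets` produce; the Vault store name and the sample manifests are constructed assumptions.

```python
import json

# Assumed name of the Vault-backed store ESO should reference after migration
# (placeholder; the RFC does not name the store).
VAULT_STORES = {("ClusterSecretStore", "vault-platform")}

# Constructed sample in the shape of `kubectl get externalsecrets -A -o json`:
# one ExternalSecret already on Vault, one still on the interim AWS store.
SAMPLE_ES_JSON = """{"kind": "List", "items": [
  {"kind": "ExternalSecret", "metadata": {"name": "db-creds", "namespace": "payments"},
   "spec": {"secretStoreRef": {"kind": "ClusterSecretStore", "name": "vault-platform"}}},
  {"kind": "ExternalSecret", "metadata": {"name": "api-key", "namespace": "billing"},
   "spec": {"secretStoreRef": {"name": "aws-secrets-manager"}}}
]}"""
# Constructed: secret names still returned by `aws secretsmanager list-secrets`.
SAMPLE_REMAINING = ["platform-config/billing/api-key"]

def externalsecrets_not_on_vault(es_list, vault_stores=VAULT_STORES):
    """Return 'namespace/name -> storeKind/storeName' for every ExternalSecret
    whose secretStoreRef is not one of the Vault stores. ESO treats a missing
    secretStoreRef.kind as SecretStore, so the same default is applied here."""
    offenders = []
    for item in es_list.get("items", []):
        if item.get("kind") != "ExternalSecret":
            continue
        meta = item.get("metadata", {})
        ref = item.get("spec", {}).get("secretStoreRef", {})
        key = (ref.get("kind", "SecretStore"), ref.get("name"))
        if key not in vault_stores:
            offenders.append(f"{meta.get('namespace', 'default')}/{meta.get('name')}"
                             f" -> {key[0]}/{key[1]}")
    return offenders

def evaluate_phase2(es_json, remaining_secrets, vault_stores=VAULT_STORES):
    """Evaluate the two Section 5.4.5 criteria that can be checked mechanically.
    'All secrets in Vault' and 'RFC-SECOPS-0001 operational' are attested
    separately and are not scored here."""
    offenders = externalsecrets_not_on_vault(json.loads(es_json), vault_stores)
    return {
        "eso_points_to_vault": not offenders,
        "secrets_manager_decommissioned": len(remaining_secrets) == 0,
        "offending_externalsecrets": offenders,
        "remaining_secrets_manager": list(remaining_secrets),
    }

if __name__ == "__main__":
    for criterion, result in evaluate_phase2(SAMPLE_ES_JSON, SAMPLE_REMAINING).items():
        print(f"{criterion}: {result}")
```

Run it against the live cluster and account by replacing the constructed samples with the real command outputs; supersession is not triggered while any offender or remaining secret is listed.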
7.1.2 Status Transition
Upon supersession:
| Attribute | Before | After |
|---|---|---|
| RFC-SECOPS-0002 Status | Draft / Accepted | Superseded |
| RFC-SECOPS-0002 Superseded By | RFC-SECOPS-0001 (when implemented) | RFC-SECOPS-0001 |
| RFC-SECOPS-0001 Status | Draft | Accepted / Implemented |
The superseded document is frozen. No further modifications are permitted.
7.2 Interim Architecture Retirement Criteria
The interim architecture MUST be fully retired when supersession occurs. Retirement means:
| Action | Description |
|---|---|
| Secrets Manager secrets deleted | All secrets removed from AWS Secrets Manager |
| IAM credentials removed | Per-application IAM credentials for Secrets Manager access deleted |
| Secret Config Modules removed | AWS SDK–based modules removed from all application codebases |
| Inventory manifest archived | secrets-inventory.yaml retained in Git history but removed from active repository |
| Documentation updated | All operational documentation referencing the interim architecture updated to reference RFC-SECOPS-0001 |
Components of the interim architecture MUST NOT remain operational after the target architecture is fully active.
7.3 Extension Points
While this RFC is explicitly temporary, the following extensions MAY be considered if the interim period extends beyond initial expectations:
7.3.1 AWS Secrets Manager Rotation Automation
If manual rotation becomes operationally untenable before the target infrastructure is available, AWS Secrets Manager's native rotation feature (using AWS Lambda) MAY be introduced.
| Consideration | Assessment |
|---|---|
| Benefit | Automates rotation for supported secret types |
| Cost | Requires AWS Lambda function deployment and maintenance |
| Migration Impact | Low; rotation moves to Vault regardless |
| Recommendation | Adopt only if rotation burden becomes a demonstrated operational problem |
7.3.2 AWS CloudTrail Logging
AWS CloudTrail records Secrets Manager API calls by default. If audit requirements emerge before the target architecture is available, additional CloudWatch integration MAY be configured for operational alerting.
| Consideration | Assessment |
|---|---|
| Benefit | Provides access audit trail |
| Cost | CloudWatch Logs and S3 storage costs (if custom destinations configured) |
| Migration Impact | None; Vault audit log replaces CloudTrail-based logging |
| Recommendation | Adopt if compliance or security review demands it |
7.3.3 Multi-Region Replication
If disaster recovery requirements emerge, AWS Secrets Manager's cross-region replication MAY be configured.
| Consideration | Assessment |
|---|---|
| Benefit | Secrets available in secondary region |
| Cost | Per-secret replication cost; operational complexity |
| Migration Impact | None; Vault handles its own replication |
| Recommendation | Adopt only if DR requirements are formalized |
7.4 What Does Not Change on Supersession
Certain elements established by this RFC persist into the target architecture by design:
| Element | Persistence Reason |
|---|---|
| Naming conventions (platform-data/, platform-config/ in Secrets Manager and Vault) | Segment structure defined by RFC-SECOPS-0001 Section 5a.5; separator is identical across stores |
| Secret inventory concept | Evolves into Vault-managed secret metadata |
| Centralized access pattern | Evolves from Secret Config Module to ESO-mediated Kubernetes Secrets |
| Separation of metadata from values | Git tracks intent; runtime system tracks values |
These elements are not artifacts of the interim architecture; they are foundational principles of the platform's secret management approach that this RFC adopts early.