From 33982dc4be5e1a79911e2e9211607c1465627b05 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Wed, 16 Oct 2024 07:36:06 -0700 Subject: [PATCH 1/2] swap everything to new secrets pattern --- .../env-config/environment-variables.tf | 22 ++++---- .../app-config/env-config/outputs.tf | 2 +- infra/analytics/service/main.tf | 7 ++- infra/analytics/service/secrets.tf | 16 ++++++ .../env-config/environment-variables.tf | 51 ++++++++++--------- .../frontend/app-config/env-config/outputs.tf | 2 +- infra/frontend/service/main.tf | 7 ++- infra/frontend/service/secrets.tf | 16 ++++++ 8 files changed, 85 insertions(+), 38 deletions(-) create mode 100644 infra/analytics/service/secrets.tf create mode 100644 infra/frontend/service/secrets.tf diff --git a/infra/analytics/app-config/env-config/environment-variables.tf b/infra/analytics/app-config/env-config/environment-variables.tf index e2d262a87..128f3cd75 100644 --- a/infra/analytics/app-config/env-config/environment-variables.tf +++ b/infra/analytics/app-config/env-config/environment-variables.tf 
@@ -13,18 +13,18 @@ locals { # List of configurations for defining environment variables that pull from SSM parameter # store. Configurations are of the format # { name = "ENV_VAR_NAME", ssm_param_name = "/ssm/param/name" } - secrets = [ - { - name = "GH_TOKEN" - ssm_param_name = "/${var.app_name}/${var.environment}/github-token" + secrets = { + GH_TOKEN = { + manage_method = "manual" + secret_store_name = "/${var.app_name}/${var.environment}/github-token" }, - { - name = "ANALYTICS_SLACK_BOT_TOKEN" - ssm_param_name = "/${var.app_name}/${var.environment}/slack-bot-token" + ANALYTICS_SLACK_BOT_TOKEN = { + manage_method = "manual" + secret_store_name = "/${var.app_name}/${var.environment}/slack-bot-token" }, - { - name = "ANALYTICS_REPORTING_CHANNEL_ID" - ssm_param_name = "/${var.app_name}/${var.environment}/reporting-channel-id" + ANALYTICS_REPORTING_CHANNEL_ID = { + manage_method = "manual" + secret_store_name = "/${var.app_name}/${var.environment}/reporting-channel-id" } - ] + } } diff --git a/infra/analytics/app-config/env-config/outputs.tf b/infra/analytics/app-config/env-config/outputs.tf index 893e95143..95d5edee6 100644 --- a/infra/analytics/app-config/env-config/outputs.tf +++ b/infra/analytics/app-config/env-config/outputs.tf @@ -20,7 +20,7 @@ output "service_config" { var.service_override_extra_environment_variables ) - secrets = toset(local.secrets) + secrets = local.secrets } } diff --git a/infra/analytics/service/main.tf b/infra/analytics/service/main.tf index f220a45b4..947465add 100644 --- a/infra/analytics/service/main.tf +++ b/infra/analytics/service/main.tf @@ -135,5 +135,10 @@ module "service" { } extra_environment_variables = local.service_config.extra_environment_variables - secrets = local.service_config.secrets + secrets = concat( + [for secret_name in keys(local.service_config.secrets) : { + name = secret_name + valueFrom = module.secrets[secret_name].secret_arn + }], + ) } 
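Review bot: The unchanged context comment just above the new `secrets = {` still documents the old shape, `# { name = "ENV_VAR_NAME", ssm_param_name = "/ssm/param/name" }`, while the block it describes is now a map keyed by env var name whose entries carry `manage_method` and `secret_store_name`, so the doc contradicts the code. The frontend copy of this file in the same patch rewrites its comment to the `ENV_VAR_NAME = { manage_method = ... secret_store_name = ... }` form; mirror that here and change "List of configurations" to "Map of configurations" so both files describe the same format. The enclosing `locals` block starts outside the hunk.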
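Review bot: The `concat(...)` wrapped around the new for-expression in `module "service"` takes a single list and returns it unchanged, so it only adds a level of nesting. The map can also be iterated directly instead of going through `keys()` and an index: `secrets = [for name, _ in local.service_config.secrets : { name = name, valueFrom = module.secrets[name].secret_arn }]`. Whether the task execution role is granted read access to the ARNs produced here is not visible in this hunk — presumably handled inside the service module, worth confirming. The `module "service"` block starts outside the hunk.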
diff --git a/infra/analytics/service/secrets.tf b/infra/analytics/service/secrets.tf new file mode 100644 index 000000000..e65eaa0cc --- /dev/null +++ b/infra/analytics/service/secrets.tf @@ -0,0 +1,16 @@ +module "secrets" { + for_each = local.service_config.secrets + + source = "../../modules/secret" + + # When generating secrets and storing them in parameter store, append the + # terraform workspace to the secret store path if the environment is temporary + # to avoid conflicts with existing environments. + # Don't do this for secrets that are managed manually since the temporary + # environments will need to share those secrets. + secret_store_name = (each.value.manage_method == "generated" && local.is_temporary ? + "${each.value.secret_store_name}/${terraform.workspace}" : + each.value.secret_store_name + ) + manage_method = each.value.manage_method +} diff --git a/infra/frontend/app-config/env-config/environment-variables.tf b/infra/frontend/app-config/env-config/environment-variables.tf index 883bbd964..f6eb88576 100644 --- a/infra/frontend/app-config/env-config/environment-variables.tf +++ b/infra/frontend/app-config/env-config/environment-variables.tf 
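Review bot: `each.value.manage_method` is only ever compared against `"generated"` in the ternary that builds `secret_store_name`, so any other value — including a misspelling such as `"manaul"` — silently takes the manual branch, skips the workspace suffix, and is forwarded to the module as-is. If the `secret` module's `manage_method` variable does not already have a `validation` block limiting it to `manual`/`generated`, add one so a typo fails at plan time instead of producing a shared path or a missing parameter at deploy time. `local.is_temporary` is referenced but defined elsewhere in this directory; presumably it is the existing temporary-environment flag. The comment also records that temporary environments receive the real manually-managed tokens; it would help to add one sentence on why that is acceptable (who can create those environments) next to it.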
@@ -12,32 +12,37 @@ locals { # Configuration for secrets # List of configurations for defining environment variables that pull from SSM parameter # store. Configurations are of the format - # { name = "ENV_VAR_NAME", ssm_param_name = "/ssm/param/name" } - secrets = [ - { - # Sendy API key to pass with requests for sendy subscriber endpoints. - name = "SENDY_API_KEY" - ssm_param_name = "/${var.app_name}/${var.environment}/sendy-api-key" + # { + # ENV_VAR_NAME = { + # manage_method = "generated" # or "manual" for a secret that was created and stored in SSM manually + # secret_store_name = "/ssm/param/name" + # } + # } + secrets = { + # Sendy API key to pass with requests for sendy subscriber endpoints. + SENDY_API_KEY = { + manage_method = "manual" + secret_store_name = "/${var.app_name}/${var.environment}/sendy-api-key" }, - { - # Sendy API base url for requests to manage subscribers. - name = "SENDY_API_URL" - ssm_param_name = "/${var.app_name}/${var.environment}/sendy-api-url" + # Sendy API base url for requests to manage subscribers. + SENDY_API_URL = { + manage_method = "manual" + secret_store_name = "/${var.app_name}/${var.environment}/sendy-api-url" }, - { - # Sendy list ID to for requests to manage subscribers to the Simpler Grants distribution list. - name = "SENDY_LIST_ID" - ssm_param_name = "/${var.app_name}/${var.environment}/sendy-list-id" + # Sendy list ID to for requests to manage subscribers to the Simpler Grants distribution list. + SENDY_LIST_ID = { + manage_method = "manual" + secret_store_name = "/${var.app_name}/${var.environment}/sendy-list-id" }, - { - # URL that the frontend uses to make fetch requests to the Grants API. - name = "API_URL" - ssm_param_name = "/${var.app_name}/${var.environment}/api-url" + # URL that the frontend uses to make fetch requests to the Grants API. 
+ API_URL = { + manage_method = "manual" + secret_store_name = "/${var.app_name}/${var.environment}/api-url" }, - { - # Token that the frontend uses to authenticate when making Grants API fetch requests. - name = "API_AUTH_TOKEN" - ssm_param_name = "/${var.app_name}/${var.environment}/api-auth-token" + # Token that the frontend uses to authenticate when making Grants API fetch requests. + API_AUTH_TOKEN = { + manage_method = "manual" + secret_store_names = "/${var.app_name}/${var.environment}/api-auth-token" } - ] + } } diff --git a/infra/frontend/app-config/env-config/outputs.tf b/infra/frontend/app-config/env-config/outputs.tf index 24cb685e7..9852ff3de 100644 --- a/infra/frontend/app-config/env-config/outputs.tf +++ b/infra/frontend/app-config/env-config/outputs.tf @@ -19,7 +19,7 @@ output "service_config" { var.service_override_extra_environment_variables ) - secrets = toset(local.secrets) + secrets = local.secrets } } diff --git a/infra/frontend/service/main.tf b/infra/frontend/service/main.tf index 86f8e5c09..94866be4f 100644 --- a/infra/frontend/service/main.tf +++ b/infra/frontend/service/main.tf @@ -141,7 +141,12 @@ module "service" { } : null extra_environment_variables = local.service_config.extra_environment_variables - secrets = local.service_config.secrets + secrets = concat( + [for secret_name in keys(local.service_config.secrets) : { + name = secret_name + valueFrom = module.secrets[secret_name].secret_arn + }], + ) } module "monitoring" { diff --git a/infra/frontend/service/secrets.tf b/infra/frontend/service/secrets.tf new file mode 100644 index 000000000..e65eaa0cc --- /dev/null +++ b/infra/frontend/service/secrets.tf 
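Review bot: The header comment at the top of the hunk still says `# List of configurations for defining environment variables that pull from SSM parameter store`, but the new value is a map keyed by env var name, so "List" should become "Map" to agree with the rewritten example directly beneath it. Separately, `SENDY_API_URL`, `SENDY_LIST_ID` and `API_URL` are, by their own comments, a base URL, a list ID and an API URL rather than credentials; routing them through the secret module alongside `SENDY_API_KEY` and `API_AUTH_TOKEN` is pre-existing behaviour, but now that every entry declares a `manage_method` a short comment flagging which entries are genuinely sensitive would help whoever rotates them. The enclosing `locals` block starts outside the hunk.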
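Review bot: As in the analytics service, the `concat(...)` around the new for-expression in `module "service"` wraps a single list and returns it unchanged, and the loop can iterate the map directly: `secrets = [for name, _ in local.service_config.secrets : { name = name, valueFrom = module.secrets[name].secret_arn }]`. This comprehension and the accompanying `secrets.tf` are now duplicated verbatim between `infra/frontend/service` and `infra/analytics/service`; if the shared service module accepted the secrets map and built the `name`/`valueFrom` list itself, both call sites would shrink and future format changes would land in one place. The `module "service"` block starts outside the hunk.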
@@ -0,0 +1,16 @@ +module "secrets" { + for_each = local.service_config.secrets + + source = "../../modules/secret" + + # When generating secrets and storing them in parameter store, append the + # terraform workspace to the secret store path if the environment is temporary + # to avoid conflicts with existing environments. + # Don't do this for secrets that are managed manually since the temporary + # environments will need to share those secrets. + secret_store_name = (each.value.manage_method == "generated" && local.is_temporary ? + "${each.value.secret_store_name}/${terraform.workspace}" : + each.value.secret_store_name + ) + manage_method = each.value.manage_method +} From 7e37dd915be2bc08e3e91bdc81768503a26c2b21 Mon Sep 17 00:00:00 2001 From: Kai Siren Date: Wed, 16 Oct 2024 07:47:20 -0700 Subject: [PATCH 2/2] typos, lockfiles --- .../env-config/environment-variables.tf | 4 ++-- infra/analytics/service/.terraform.lock.hcl | 19 +++++++++++++++++++ .../env-config/environment-variables.tf | 4 ++-- infra/frontend/service/.terraform.lock.hcl | 19 +++++++++++++++++++ 4 files changed, 42 insertions(+), 4 deletions(-) diff --git a/infra/analytics/app-config/env-config/environment-variables.tf b/infra/analytics/app-config/env-config/environment-variables.tf index 128f3cd75..412ade49c 100644 --- a/infra/analytics/app-config/env-config/environment-variables.tf +++ b/infra/analytics/app-config/env-config/environment-variables.tf @@ -16,11 +16,11 @@ locals { secrets = { GH_TOKEN = { manage_method = "manual" - secret_store_name = "/${var.app_name}/${var.environment}/github-token" + secret_store_name = "/${var.app_name}/github-token" }, ANALYTICS_SLACK_BOT_TOKEN = { manage_method = "manual" - secret_store_name = "/${var.app_name}/${var.environment}/slack-bot-token" + secret_store_name = "/${var.app_name}/slack-bot-token" }, ANALYTICS_REPORTING_CHANNEL_ID = { manage_method = "manual" 
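Review bot: Dropping `${var.environment}` from the `GH_TOKEN` and `ANALYTICS_SLACK_BOT_TOKEN` paths means every environment now reads the same GitHub and Slack credential — and, because `secrets.tf` in this patch deliberately leaves manually-managed secrets unsuffixed for temporary environments, every ephemeral workspace does too — while `ANALYTICS_REPORTING_CHANNEL_ID` just below keeps the per-environment path, so the file now mixes two conventions without saying why. A compromise of any lower environment therefore exposes the token used by the others, and rotation has to happen for all of them at once. If sharing is intended, record it next to the entries, e.g. `# Shared across all environments: one GitHub token and one Slack bot serve every analytics deployment`, and confirm those tokens carry only the scopes the analytics jobs need (the scopes are not visible here). The enclosing `locals` block starts outside the hunk.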
diff --git a/infra/analytics/service/.terraform.lock.hcl b/infra/analytics/service/.terraform.lock.hcl index 8b6028214..7463d5bf3 100644 --- a/infra/analytics/service/.terraform.lock.hcl +++ b/infra/analytics/service/.terraform.lock.hcl @@ -55,3 +55,22 @@ provider "registry.terraform.io/hashicorp/external" { "zh:f31982f29f12834e5d21e010856eddd19d59cd8f449adf470655bfd19354377e", ] } + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.3" + hashes = [ + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", + ] +} diff --git a/infra/frontend/app-config/env-config/environment-variables.tf b/infra/frontend/app-config/env-config/environment-variables.tf index f6eb88576..95fffc57d 100644 --- a/infra/frontend/app-config/env-config/environment-variables.tf +++ b/infra/frontend/app-config/env-config/environment-variables.tf 
@@ -41,8 +41,8 @@ locals { }, # Token that the frontend uses to authenticate when making Grants API fetch requests. API_AUTH_TOKEN = { - manage_method = "manual" - secret_store_names = "/${var.app_name}/${var.environment}/api-auth-token" + manage_method = "manual" + secret_store_name = "/${var.app_name}/${var.environment}/api-auth-token" } } } diff --git a/infra/frontend/service/.terraform.lock.hcl b/infra/frontend/service/.terraform.lock.hcl index 8b6028214..7463d5bf3 100644 --- a/infra/frontend/service/.terraform.lock.hcl +++ b/infra/frontend/service/.terraform.lock.hcl @@ -55,3 +55,22 @@ provider "registry.terraform.io/hashicorp/external" { "zh:f31982f29f12834e5d21e010856eddd19d59cd8f449adf470655bfd19354377e", ] } + +provider "registry.terraform.io/hashicorp/random" { + version = "3.6.3" + hashes = [ + "h1:zG9uFP8l9u+yGZZvi5Te7PV62j50azpgwPunq2vTm1E=", + "zh:04ceb65210251339f07cd4611885d242cd4d0c7306e86dda9785396807c00451", + "zh:448f56199f3e99ff75d5c0afacae867ee795e4dfda6cb5f8e3b2a72ec3583dd8", + "zh:4b4c11ccfba7319e901df2dac836b1ae8f12185e37249e8d870ee10bb87a13fe", + "zh:4fa45c44c0de582c2edb8a2e054f55124520c16a39b2dfc0355929063b6395b1", + "zh:588508280501a06259e023b0695f6a18149a3816d259655c424d068982cbdd36", + "zh:737c4d99a87d2a4d1ac0a54a73d2cb62974ccb2edbd234f333abd079a32ebc9e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:a357ab512e5ebc6d1fda1382503109766e21bbfdfaa9ccda43d313c122069b30", + "zh:c51bfb15e7d52cc1a2eaec2a903ac2aff15d162c172b1b4c17675190e8147615", + "zh:e0951ee6fa9df90433728b96381fb867e3db98f66f735e0c3e24f8f16903f0ad", + "zh:e3cdcb4e73740621dabd82ee6a37d6cfce7fee2a03d8074df65086760f5cf556", + "zh:eff58323099f1bd9a0bec7cb04f717e7f1b2774c7d612bf7581797e1622613a0", + ] +}