HHS · coilysiren · Oct 16, 2024 · Oct 16, 2024 · Oct 16, 2024
@@ -13,18 +13,18 @@ locals {
   # List of configurations for defining environment variables that pull from SSM parameter
   # store. Configurations are of the format
   # { name = "ENV_VAR_NAME", ssm_param_name = "/ssm/param/name" }
-  secrets = [
-    {
-      name           = "GH_TOKEN"
-      ssm_param_name = "/${var.app_name}/${var.environment}/github-token"
+  secrets = {
+    GH_TOKEN = {
+      manage_method     = "manual"
+      secret_store_name = "/${var.app_name}/github-token"
     },
-    {
-      name           = "ANALYTICS_SLACK_BOT_TOKEN"
-      ssm_param_name = "/${var.app_name}/${var.environment}/slack-bot-token"
+    ANALYTICS_SLACK_BOT_TOKEN = {
+      manage_method     = "manual"
+      secret_store_name = "/${var.app_name}/slack-bot-token"
     },
-    {
-      name           = "ANALYTICS_REPORTING_CHANNEL_ID"
-      ssm_param_name = "/${var.app_name}/${var.environment}/reporting-channel-id"
+    ANALYTICS_REPORTING_CHANNEL_ID = {
+      manage_method     = "manual"
+      secret_store_name = "/${var.app_name}/${var.environment}/reporting-channel-id"
     }
-  ]
+  }
 }
@@ -20,7 +20,7 @@ output "service_config" {
       var.service_override_extra_environment_variables
     )
 
-    secrets = toset(local.secrets)
+    secrets = local.secrets
   }
 }
 

@@ -135,5 +135,10 @@ module "service" {
   }
 
   extra_environment_variables = local.service_config.extra_environment_variables
-  secrets                     = local.service_config.secrets
+  secrets = concat(
+    [for secret_name in keys(local.service_config.secrets) : {
+      name      = secret_name
+      valueFrom = module.secrets[secret_name].secret_arn
+    }],
+  )
 }
@@ -0,0 +1,16 @@
+module "secrets" {
+  for_each = local.service_config.secrets
+
+  source = "../../modules/secret"
+
+  # When generating secrets and storing them in parameter store, append the
+  # terraform workspace to the secret store path if the environment is temporary
+  # to avoid conflicts with existing environments.
+  # Don't do this for secrets that are managed manually since the temporary
+  # environments will need to share those secrets.
+  secret_store_name = (each.value.manage_method == "generated" && local.is_temporary ?
+    "${each.value.secret_store_name}/${terraform.workspace}" :
+    each.value.secret_store_name
+  )
+  manage_method = each.value.manage_method
+}
@@ -12,32 +12,37 @@ locals {
   # Configuration for secrets
   # List of configurations for defining environment variables that pull from SSM parameter
   # store. Configurations are of the format
-  # { name = "ENV_VAR_NAME", ssm_param_name = "/ssm/param/name" }
-  secrets = [
-    {
-      # Sendy API key to pass with requests for sendy subscriber endpoints.
-      name           = "SENDY_API_KEY"
-      ssm_param_name = "/${var.app_name}/${var.environment}/sendy-api-key"
+  # {
+  #   ENV_VAR_NAME = {
+  #     manage_method     = "generated" # or "manual" for a secret that was created and stored in SSM manually
+  #     secret_store_name = "/ssm/param/name"
+  #   }
+  # }
+  secrets = {
+    # Sendy API key to pass with requests for sendy subscriber endpoints.
+    SENDY_API_KEY = {
+      manage_method     = "manual"
+      secret_store_name = "/${var.app_name}/${var.environment}/sendy-api-key"
     },
-    {
-      # Sendy API base url for requests to manage subscribers.
-      name           = "SENDY_API_URL"
-      ssm_param_name = "/${var.app_name}/${var.environment}/sendy-api-url"
+    # Sendy API base url for requests to manage subscribers.
+    SENDY_API_URL = {
+      manage_method     = "manual"
+      secret_store_name = "/${var.app_name}/${var.environment}/sendy-api-url"
     },
-    {
-      # Sendy list ID to for requests to manage subscribers to the Simpler Grants distribution list.
-      name           = "SENDY_LIST_ID"
-      ssm_param_name = "/${var.app_name}/${var.environment}/sendy-list-id"
+    # Sendy list ID to for requests to manage subscribers to the Simpler Grants distribution list.
+    SENDY_LIST_ID = {
+      manage_method     = "manual"
+      secret_store_name = "/${var.app_name}/${var.environment}/sendy-list-id"
     },
-    {
-      # URL that the frontend uses to make fetch requests to the Grants API.
-      name           = "API_URL"
-      ssm_param_name = "/${var.app_name}/${var.environment}/api-url"
+    # URL that the frontend uses to make fetch requests to the Grants API.
+    API_URL = {
+      manage_method     = "manual"
+      secret_store_name = "/${var.app_name}/${var.environment}/api-url"
     },
-    {
-      # Token that the frontend uses to authenticate when making Grants API fetch requests.
-      name           = "API_AUTH_TOKEN"
-      ssm_param_name = "/${var.app_name}/${var.environment}/api-auth-token"
+    # Token that the frontend uses to authenticate when making Grants API fetch requests.
+    API_AUTH_TOKEN = {
+      manage_method     = "manual"
+      secret_store_name = "/${var.app_name}/${var.environment}/api-auth-token"
     }
-  ]
+  }
 }
@@ -19,7 +19,7 @@ output "service_config" {
       var.service_override_extra_environment_variables
     )
 
-    secrets = toset(local.secrets)
+    secrets = local.secrets
   }
 }
 

@@ -141,7 +141,12 @@ module "service" {
   } : null
 
   extra_environment_variables = local.service_config.extra_environment_variables
-  secrets                     = local.service_config.secrets
+  secrets = concat(
+    [for secret_name in keys(local.service_config.secrets) : {
+      name      = secret_name
+      valueFrom = module.secrets[secret_name].secret_arn
+    }],
+  )
 }
 
 module "monitoring" {

@@ -0,0 +1,16 @@
+module "secrets" {
+  for_each = local.service_config.secrets
+
+  source = "../../modules/secret"
+
+  # When generating secrets and storing them in parameter store, append the
+  # terraform workspace to the secret store path if the environment is temporary
+  # to avoid conflicts with existing environments.
+  # Don't do this for secrets that are managed manually since the temporary
+  # environments will need to share those secrets.
+  secret_store_name = (each.value.manage_method == "generated" && local.is_temporary ?
+    "${each.value.secret_store_name}/${terraform.workspace}" :
+    each.value.secret_store_name
+  )
+  manage_method = each.value.manage_method
+}