chore: update auth variable names to match minimized variable names

BobanL · BobanL · commit 939877c1bd50 · 2025-03-17T08:23:41.000-04:00
diff --git a/README.md b/README.md
@@ -170,10 +170,11 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_appmesh_name"></a> [appmesh\_name](#input\_appmesh\_name) | Name of the AWS App Mesh | `string` | `""` | no |
-| <a name="input_auth_azure_ad_id"></a> [auth\_azure\_ad\_id](#input\_auth\_azure\_ad\_id) | The application (client) ID of the app registration | `string` | `""` | no |
-| <a name="input_auth_azure_ad_tenant_id"></a> [auth\_azure\_ad\_tenant\_id](#input\_auth\_azure\_ad\_tenant\_id) | The directory (tenant) ID of the azure ad/entra instance | `string` | `""` | no |
-| <a name="input_auth_keycloak_id"></a> [auth\_keycloak\_id](#input\_auth\_keycloak\_id) | The id to identify the client in key cloak | `string` | `""` | no |
-| <a name="input_auth_keycloak_issuer"></a> [auth\_keycloak\_issuer](#input\_auth\_keycloak\_issuer) | The url issuer to keycloak. This should inclue the realm - e.g. https://my-keycloak-domain.com/realms/My_Realm | `string` | `""` | no |
+| <a name="input_auth_client_id"></a> [auth\_client\_id](#input\_auth\_client\_id) | The application/client id used to idenitfy the client | `string` | `""` | no |
+| <a name="input_auth_issuer"></a> [auth\_issuer](#input\_auth\_issuer) | Used for keycloak only. The url issuer for the authentication provider. This should include the realm - e.g. https://my-keycloak-domain.com/realms/My_Realm | `string` | `""` | no |
+| <a name="input_auth_provider"></a> [auth\_provider](#input\_auth\_provider) | The authentication provider used. Either keycloak or ad. | `string` | `""` | no |
+| <a name="input_auth_tenant_id"></a> [auth\_tenant\_id](#input\_auth\_tenant\_id) | Used for azure ad/entra only. The directory (tenant) ID of the azure ad/entra instance | `string` | `""` | no |
+| <a name="input_auth_url"></a> [auth\_url](#input\_auth\_url) | Optional. The full URL of the auth api. By default https://your-site.com/ecr-viewer/api/auth. | `string` | `""` | no |
 | <a name="input_certificate_arn"></a> [certificate\_arn](#input\_certificate\_arn) | ARN of the SSL certificate that enables ssl termination on the ALB | `string` | `""` | no |
 | <a name="input_cloudmap_namespace_name"></a> [cloudmap\_namespace\_name](#input\_cloudmap\_namespace\_name) | Name of the AWS Cloud Map namespace | `string` | `""` | no |
 | <a name="input_cw_retention_in_days"></a> [cw\_retention\_in\_days](#input\_cw\_retention\_in\_days) | Retention period in days for CloudWatch logs | `number` | `30` | no |
@@ -199,8 +200,8 @@ No modules.
 | <a name="input_region"></a> [region](#input\_region) | The AWS region where resources are created | `string` | n/a | yes |
 | <a name="input_s3_viewer_bucket_name"></a> [s3\_viewer\_bucket\_name](#input\_s3\_viewer\_bucket\_name) | Name of the S3 bucket for the viewer | `string` | `""` | no |
 | <a name="input_s3_viewer_bucket_role_name"></a> [s3\_viewer\_bucket\_role\_name](#input\_s3\_viewer\_bucket\_role\_name) | Name of the IAM role for the ecr-viewer bucket | `string` | `""` | no |
-| <a name="input_secrets_manager_auth_azure_ad_secret_version"></a> [secrets\_manager\_auth\_azure\_ad\_secret\_version](#input\_secrets\_manager\_auth\_azure\_ad\_secret\_version) | n/a | `string` | `""` | no |
-| <a name="input_secrets_manager_auth_keycloak_secret_version"></a> [secrets\_manager\_auth\_keycloak\_secret\_version](#input\_secrets\_manager\_auth\_keycloak\_secret\_version) | n/a | `string` | `""` | no |
+| <a name="input_secrets_manager_auth_client_secret"></a> [secrets\_manager\_auth\_client\_secret](#input\_secrets\_manager\_auth\_client\_secret) | The location of the secret containing the auth client secret. This is the secret that comes from the authentication provider. | `string` | `""` | no |
+| <a name="input_secrets_manager_auth_secret"></a> [secrets\_manager\_auth\_secret](#input\_secrets\_manager\_auth\_secret) | The location of the secret containing the auth secret. This is used by eCR viewer to encrypt authentication. This can be generated by running `openssl rand -base64 32`. | `string` | `""` | no |
 | <a name="input_secrets_manager_postgresql_connection_string_version"></a> [secrets\_manager\_postgresql\_connection\_string\_version](#input\_secrets\_manager\_postgresql\_connection\_string\_version) | n/a | `string` | `""` | no |
 | <a name="input_secrets_manager_sqlserver_host_version"></a> [secrets\_manager\_sqlserver\_host\_version](#input\_secrets\_manager\_sqlserver\_host\_version) | n/a | `string` | `""` | no |
 | <a name="input_secrets_manager_sqlserver_password_version"></a> [secrets\_manager\_sqlserver\_password\_version](#input\_secrets\_manager\_sqlserver\_password\_version) | n/a | `string` | `""` | no |
diff --git a/_local.tf b/_local.tf
@@ -29,6 +29,13 @@ locals {
     name  = "DB_CIPHER",
     value = var.db_cipher
   } : null
+  auth_provider      = var.auth_provider != "" ? { name = "AUTH_PROVIDER", value = var.auth_provider } : null
+  auth_client_id     = var.auth_client_id != "" ? { name = "AUTH_CLIENT_ID", value = var.auth_client_id } : null
+  auth_client_secret = var.secrets_manager_auth_client_secret != "" ? { name = "AUTH_CLIENT_SECRET", value = var.secrets_manager_auth_client_secret } : null
+  auth_issuer        = var.auth_issuer != "" ? { name = "AUTH_ISSUER", value = var.auth_issuer } : null
+  auth_tenant_id     = var.auth_tenant_id != "" ? { name = "AUTH_TENANT_ID", value = var.auth_tenant_id } : null
+  auth_url           = var.auth_url != "" ? { name = "NEXTAUTH_URL", value = var.auth_url } : null
+  auth_secret        = var.secrets_manager_auth_secret != "" ? { name = "NEXTAUTH_SECRET", value = var.secrets_manager_auth_secret } : null
   service_data = length(var.service_data) > 0 ? var.service_data : {
     ecr-viewer = {
       short_name        = "ecrv",
@@ -66,35 +73,18 @@ locals {
           name  = "NBS_PUB_KEY",
           value = var.ecr_viewer_auth_pub_key
         },
-        {
-          name  = "AUTH_AZURE_AD_ID",
-          value = var.auth_azure_ad_id
-        },
-        {
-          name  = "AUTH_AZURE_AD_TENANT_ID",
-          value = var.auth_azure_ad_tenant_id
-        },
-        {
-          name  = "AUTH_AZURE_AD_SECRET",
-          value = var.secrets_manager_auth_azure_ad_secret_version
-        },
-        {
-          name  = "AUTH_KEYCLOAK_ID",
-          value = var.auth_keycloak_id
-        },
-        {
-          name  = "AUTH_KEYCLOAK_ISSUER",
-          value = var.auth_keycloak_issuer
-        },
-        {
-          name  = "AUTH_KEYCLOAK_SECRET",
-          value = var.secrets_manager_auth_keycloak_secret_version
-        },
         local.database_url,
         local.sqlserver_user,
         local.sqlserver_password,
         local.sqlserver_host,
-        local.db_cipher
+        local.db_cipher,
+        local.auth_provider,
+        local.auth_client_id,
+        local.auth_client_secret,
+        local.auth_issuer,
+        local.auth_tenant_id,
+        local.auth_url,
+        local.auth_secret
       ]
     },
     fhir-converter = {
diff --git a/_variable.tf b/_variable.tf
@@ -152,40 +152,48 @@ variable "secrets_manager_sqlserver_host_version" {
   sensitive = true
 }
 
-variable "auth_azure_ad_id" {
+variable "auth_provider" {
   type        = string
   default     = ""
-  description = "The application (client) ID of the app registration"
+  description = "The authentication provider used. Either keycloak or ad."
 }
 
-variable "auth_azure_ad_tenant_id" {
+variable "auth_client_id" {
   type        = string
   default     = ""
-  description = "The directory (tenant) ID of the azure ad/entra instance"
+  description = "The application/client id used to idenitfy the client"
 }
 
-variable "secrets_manager_auth_azure_ad_secret_version" {
-  type      = string
-  default   = ""
-  sensitive = true
+variable "secrets_manager_auth_client_secret" {
+  type        = string
+  default     = ""
+  description = "The location of the secret containing the auth client secret. This is the secret that comes from the authentication provider."
+  sensitive   = true
 }
 
-variable "auth_keycloak_id" {
+variable "auth_tenant_id" {
   type        = string
   default     = ""
-  description = "The id to identify the client in key cloak"
+  description = "Used for azure ad/entra only. The directory (tenant) ID of the azure ad/entra instance"
 }
 
-variable "auth_keycloak_issuer" {
+variable "auth_issuer" {
   type        = string
   default     = ""
-  description = "The url issuer to keycloak. This should inclue the realm - e.g. https://my-keycloak-domain.com/realms/My_Realm"
+  description = "Used for keycloak only. The url issuer for the authentication provider. This should include the realm - e.g. https://my-keycloak-domain.com/realms/My_Realm"
 }
 
-variable "secrets_manager_auth_keycloak_secret_version" {
-  type      = string
-  default   = ""
-  sensitive = true
+variable "auth_url" {
+  type        = string
+  default     = ""
+  description = "Optional. The full URL of the auth api. By default https://your-site.com/ecr-viewer/api/auth."
+}
+
+variable "secrets_manager_auth_secret" {
+  type        = string
+  default     = ""
+  description = "The location of the secret containing the auth secret. This is used by eCR viewer to encrypt authentication. This can be generated by running `openssl rand -base64 32`."
+  sensitive   = true
 }
 
 variable "certificate_arn" {
