navapbc · lorenyu · Feb 22, 2025 · Feb 21, 2025 · Feb 22, 2025
@@ -0,0 +1,32 @@
+locals {
+  generated_secrets = {
+    for name, config in var.secrets :
+    name => config if config.manage_method == "generated"
+  }
+  manual_secrets = {
+    for name, config in var.secrets :
+    name => config if config.manage_method == "manual"
+  }
+}
+
+resource "random_password" "secrets" {
+  for_each = local.generated_secrets
+
+  length           = 64
+  special          = true
+  override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+
+resource "aws_ssm_parameter" "secrets" {
+  for_each = local.generated_secrets
+
+  name  = each.value.secret_store_name
+  type  = "SecureString"
+  value = random_password.secrets[each.key].result
+}
+
+data "aws_ssm_parameter" "secrets" {
+  for_each = local.manual_secrets
+
+  name = each.value.secret_store_name
+}
@@ -0,0 +1,6 @@
+output "secret_arns" {
+  value = merge(
+    { for k, v in aws_ssm_parameter.secrets : k => v.arn },
+    { for k, v in data.aws_ssm_parameter.secrets : k => v.arn }
+  )
+}
@@ -0,0 +1,24 @@
+variable "service_name" {
+  type        = string
+  description = "Name of the service these secrets belong to"
+}
+
+variable "secrets" {
+  type = map(object({
+    # Method to manage the secret. Options are 'manual' or 'generated'.
+    # Set to 'generated' to generate a random secret.
+    # Set to 'manual' to reference a secret that was manually created and stored in AWS parameter store.
+    # Defaults to 'generated'.
+    manage_method = string
+
+    # If manage_method is 'generated', path to store the secret in AWS parameter store.
+    # If manage_method is 'manual', path to reference the secret in AWS parameter store.
+    secret_store_name = string
+  }))
+  description = "Map of secret configurations"
+
+  validation {
+    condition     = alltrue([for s in values(var.secrets) : can(regex("^(manual|generated)$", s.manage_method))])
+    error_message = "Invalid manage_method. Must be 'manual' or 'generated'."
+  }
+}
@@ -101,9 +101,9 @@ module "service" {
   )
 
   secrets = concat(
-    [for secret_name in keys(local.service_config.secrets) : {
+    [for secret_name, secret_arn in module.secrets.secret_arns : {
       name      = secret_name
-      valueFrom = module.secrets[secret_name].secret_arn
+      valueFrom = secret_arn
     }],
     local.feature_flags_secrets,
     module.app_config.enable_identity_provider ? [{

@@ -1,16 +1,21 @@
 module "secrets" {
-  for_each = local.service_config.secrets
+  source = "../../modules/secrets"
 
-  source = "../../modules/secret"
+  service_name = local.service_name
+  secrets = {
+    for name, config in local.service_config.secrets :
+    name => {
+      manage_method = config.manage_method
 
-  # When generating secrets and storing them in parameter store, append the
-  # terraform workspace to the secret store path if the environment is temporary
-  # to avoid conflicts with existing environments.
-  # Don't do this for secrets that are managed manually since the temporary
-  # environments will need to share those secrets.
-  secret_store_name = (each.value.manage_method == "generated" && local.is_temporary ?
-    "${each.value.secret_store_name}/${terraform.workspace}" :
-    each.value.secret_store_name
-  )
-  manage_method = each.value.manage_method
+      # When generating secrets and storing them in parameter store, append the
+      # terraform workspace to the secret store path if the environment is temporary
+      # to avoid conflicts with existing environments.
+      # Don't do this for secrets that are managed manually since the temporary
+      # environments will need to share those secrets.
+      secret_store_name = (config.manage_method == "generated" && local.is_temporary ?
+        "${config.secret_store_name}/${terraform.workspace}" :
+        config.secret_store_name
+      )
+    }
+  }
 }