Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add ability to write secrets for amplify app #33

Closed
wants to merge 7 commits into from
Closed

add ability to write secrets for amplify app #33

wants to merge 7 commits into from
+27 −2

Conversation

kevcube
Copy link
Contributor

@kevcube kevcube commented Apr 30, 2024
edited
Loading

what

Amplify can access secrets during build and runtime
This PR allows the

why

It may be useful depending on a user's secrets management pattern to write secrets here when creating the amplify app.

references

https://docs.aws.amazon.com/amplify/latest/userguide/environment-variables.html#environment-secrets
fixes #31

@kevcube kevcube requested review from a team as code owners April 30, 2024 18:44
@kevcube kevcube requested review from hans-d and jamengual April 30, 2024 18:44
@mergify mergify bot added the triage Needs triage label Apr 30, 2024
@kevcube kevcube added minor New features that do not break anything feature New functionality and removed triage Needs triage labels Apr 30, 2024
@goruha
Copy link
Member

goruha commented Jun 20, 2024

/terratest

@mergify Mergify
Copy link

mergify bot commented Jul 15, 2024

💥 This pull request now has conflicts. Could you fix it @kevcube? 🙏

@mergify mergify bot added the conflict This PR has conflicts label Jul 15, 2024
@mergify mergify bot closed this Jul 22, 2024
@mergify Mergify
Copy link

mergify bot commented Jul 22, 2024

This PR was closed due to inactivity and merge conflicts. 😭
Please resolve the conflicts and reopen if necessary.

@mergify mergify bot removed the conflict This PR has conflicts label Jul 22, 2024
@kevcube kevcube reopened this Jul 22, 2024
@mergify Mergify
Copy link

mergify bot commented Jul 22, 2024

💥 This pull request now has conflicts. Could you fix it @kevcube? 🙏

@mergify mergify bot added the conflict This PR has conflicts label Jul 22, 2024
@mergify mergify bot removed the conflict This PR has conflicts label Jul 22, 2024
@kevcube
Copy link
Contributor Author

kevcube commented Jul 22, 2024

/terratest

goruha
goruha reviewed Jul 22, 2024
View reviewed changes
Copy link
Member

@goruha goruha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kevcube, why can't a secret be written externally based on the module's outputs after the Amplify app is created?

@kevcube
Copy link
Contributor Author

kevcube commented Jul 22, 2024

@kevcube, why can't a secret be written externally based on the module's outputs after the Amplify app is created?

It can be written externally, if someone wants to use remote-state or something to grab the amplify ID that's an option, but because amplify has the ability to access secrets stored at these predefined paths I thought it made sense to package in this module because they can be considered a part of the amplify application stack

@kevcube
Copy link
Contributor Author

kevcube commented Jul 23, 2024

@kevcube, why can't a secret be written externally based on the module's outputs after the Amplify app is created?

@goruha do you have a reason why it should not be included in this module?

@goruha
Copy link
Member

goruha commented Jul 25, 2024

/terratest

goruha
goruha requested changes Jul 25, 2024
View reviewed changes
Copy link
Member

@goruha goruha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kevcube tests failed
https://github.com/cloudposse/actions/actions/runs/10102221318/job/27937411342

goruha
goruha requested changes Jul 25, 2024
View reviewed changes
main.tf
Comment on lines +131 to +145
module "write_ssm_secrets" {
source = "cloudposse/ssm-parameter-store/aws"
version = "0.13.0"

for_each = local.environments

parameter_write = [for secret_key, secret_value in each.value.secrets : {
name = format("/amplify/%s/%s/%s", one(aws_amplify_app.default[*].id), each.key, secret_key)
value = secret_value
type = "SecureString"
description = "AWS Amplify secret."
}]

context = module.this.context
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
module "write_ssm_secrets" {
source = "cloudposse/ssm-parameter-store/aws"
version = "0.13.0"
for_each = local.environments
parameter_write = [for secret_key, secret_value in each.value.secrets : {
name = format("/amplify/%s/%s/%s", one(aws_amplify_app.default[*].id), each.key, secret_key)
value = secret_value
type = "SecureString"
description = "AWS Amplify secret."
}]
context = module.this.context
}
resource "aws_ssm_parameter" "default" {
for_each = local.environments
name = format("/amplify/%s/%s/%s", one(aws_amplify_app.default[*].id), each.key, secret_key)
description = "AWS Amplify secret."
type = "SecureString"
tier = "Standard"
value = secret_value
overwrite = "false"
data_type = "text"
tags = module.this.tags
}

@mergify Mergify
Copy link

mergify bot commented Oct 13, 2024

💥 This pull request now has conflicts. Could you fix it @kevcube? 🙏

@mergify mergify bot added the conflict This PR has conflicts label Oct 13, 2024
@mergify mergify bot closed this Oct 13, 2024
@mergify Mergify
Copy link

mergify bot commented Oct 13, 2024

This PR was closed due to inactivity and merge conflicts. 😭
Please resolve the conflicts and reopen if necessary.

@mergify mergify bot removed the conflict This PR has conflicts label Oct 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@goruha goruha goruha requested changes

@hans-d hans-d Awaiting requested review from hans-d hans-d is a code owner automatically assigned from cloudposse/contributors

@jamengual jamengual Awaiting requested review from jamengual jamengual is a code owner automatically assigned from cloudposse/contributors

Assignees
No one assigned
Labels
feature New functionality minor New features that do not break anything
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Secret storage
2 participants
@kevcube @goruha