From a34abc0fb839c65eb904d43093ebccf096879644 Mon Sep 17 00:00:00 2001
From: Kevin Mahoney
Date: Tue, 30 Apr 2024 20:42:12 +0200
Subject: [PATCH 1/3] add ability to write secrets for amplify app
---
 examples/complete/fixtures.us-east-2.tfvars | 4 ++++
 examples/complete/variables.tf | 1 +
 main.tf | 16 ++++++++++++++++
 outputs.tf | 5 +++++
 variables.tf | 1 +
 5 files changed, 27 insertions(+)
diff --git a/examples/complete/fixtures.us-east-2.tfvars b/examples/complete/fixtures.us-east-2.tfvars
index 2830aed..302c2f0 100644
--- a/examples/complete/fixtures.us-east-2.tfvars
+++ b/examples/complete/fixtures.us-east-2.tfvars
@@ -87,6 +87,10 @@ environments = {
 enable_pull_request_preview = false
 framework = "React"
 stage = "PRODUCTION"
+ secrets = {
+ TEST = "test_secret"
+ TEST2 = "test_secret2"
+ }
 }
 dev = {
 branch_name = "dev"
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
index 1ebf54b..eb019aa 100644
--- a/examples/complete/variables.tf
+++ b/examples/complete/variables.tf
@@ -164,6 +164,7 @@ variable "environments" {
 enable_performance_mode = optional(bool)
 enable_pull_request_preview = optional(bool)
 environment_variables = optional(map(string))
+ secrets = optional(map(string), {})
 framework = optional(string)
 pull_request_environment_name = optional(string)
 stage = optional(string)
diff --git a/main.tf b/main.tf
index e7890f7..f6cc425 100644
--- a/main.tf
+++ b/main.tf
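Review bot: The new `secrets` attribute is declared as a plain `optional(map(string), {})` inside the `environments` object, so nothing marks its values as sensitive and Terraform will not redact them wherever the variable or a `for` expression over it is rendered (plan JSON, `terraform console`, error messages, CI logs that echo inputs); the identical declaration appears in the variables.tf hunk of this patch, which has the same gap. Because the field is nested, either the whole `environments` variable needs `sensitive = true` (hiding the rest of the environment config in plans), or the value should be marked where it is consumed in main.tf, e.g. `value = sensitive(secret_value)`, and the variable's description should state that `secrets` is persisted in Terraform state like every other value. The enclosing `variable "environments"` block starts and ends outside the hunk. The fixtures change commits literal placeholder values, which is fine for an example but deserves a line such as `# placeholder values for the example only; never put real secrets in this file`.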
@@ -126,3 +126,19 @@ resource "aws_amplify_webhook" "default" {
 command = "curl -X POST -d {} '${aws_amplify_webhook.default[each.key].url}&operation=startbuild' -H 'Content-Type:application/json'"
 }
 }
+
+module "write_ssm_secrets" {
+ source = "cloudposse/ssm-parameter-store/aws"
+ version = "0.13.0"
+
+ for_each = local.environments
+
+ parameter_write = [for secret_key, secret_value in each.value.secrets : {
+ name = format("/amplify/%s/%s/%s", one(aws_amplify_app.default[*].id), each.key, secret_key)
+ value = secret_value
+ type = "SecureString"
+ description = "AWS Amplify secret."
+ }]
+
+ context = module.this.context
+}
diff --git a/outputs.tf b/outputs.tf
index 67a7803..87ac180 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -37,3 +37,8 @@ output "domain_associations" {
 description = "Created domain associations"
 value = aws_amplify_domain_association.default
 }
+
+output "secret_arns" {
+ description = "The ARNs of the created secrets"
+ value = module.write_ssm_secrets[*].arn_map
+}
diff --git a/variables.tf b/variables.tf
index 877687a..c8c6a67 100644
--- a/variables.tf
+++ b/variables.tf
@@ -163,6 +163,7 @@ variable "environments" {
 enable_performance_mode = optional(bool)
 enable_pull_request_preview = optional(bool)
 environment_variables = optional(map(string))
+ secrets = optional(map(string), {})
 framework = optional(string)
 pull_request_environment_name = optional(string)
 stage = optional(string)
From 83c39582218040a1630b48c932ab60a4974d93cb Mon Sep 17 00:00:00 2001
From: Kevin Mahoney
Date: Tue, 30 Apr 2024 21:35:51 +0200
Subject: [PATCH 2/3] readme
---
 README.md | 4 +++-
 docs/terraform.md | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 09791ea..3bdfd1b 100644
--- a/README.md
+++ b/README.md
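Review bot: In the new `write_ssm_secrets` block the parameter name is built from `one(aws_amplify_app.default[*].id)`, which is null whenever the app resource is not created, and as far as I recall `format` rejects a null `%s` argument rather than skipping it; this is only safe if `local.environments` (defined outside the hunk) is already emptied when the module is disabled, so either confirm that or gate the loop, e.g. `for_each = local.enabled ? local.environments : {}` if such a local exists in this file. The parameters are written as `SecureString` without naming a KMS key, so they fall back to the account's AWS-managed SSM key; if the wrapped module exposes a key input (cloudposse/ssm-parameter-store/aws has `kms_arn`, if I recall its interface correctly) it should be passed through so a customer-managed key and its key policy can be required. Nothing in this series grants the Amplify service role read access to the `/amplify/<app-id>/...` prefix, so if the build or backend is expected to consume these parameters, the role policy (`iam_service_role_actions` is the existing input for that) will need `ssm:GetParameter`-style permissions scoped to that prefix — hedged, since the role definition is not in view. A header comment on the module block would help the next reader, e.g. `# One SecureString per environment secret, named /amplify/<app-id>/<environment>/<key>; values remain in Terraform state.`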
@@ -216,6 +216,7 @@ Available targets: |------|--------|---------| | [role](#module\_role) | cloudposse/iam-role/aws | 0.18.0 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| [write\_ssm\_secrets](#module\_write\_ssm\_secrets) | cloudposse/ssm-parameter-store/aws | 0.13.0 | ## Resources @@ -253,7 +254,7 @@ Available targets: | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | | [environment\_variables](#input\_environment\_variables) | The environment variables for the Amplify app | `map(string)` | `{}` | no | -| [environments](#input\_environments) | The configuration of the environments for the Amplify App |
map(object({
branch_name = optional(string)
backend_enabled = optional(bool, false)
environment_name = optional(string)
deployment_artifacts = optional(string)
stack_name = optional(string)
display_name = optional(string)
description = optional(string)
enable_auto_build = optional(bool)
enable_basic_auth = optional(bool)
enable_notification = optional(bool)
enable_performance_mode = optional(bool)
enable_pull_request_preview = optional(bool)
environment_variables = optional(map(string))
framework = optional(string)
pull_request_environment_name = optional(string)
stage = optional(string)
ttl = optional(number)
webhook_enabled = optional(bool, false)
}))
| `{}` | no | +| [environments](#input\_environments) | The configuration of the environments for the Amplify App |
map(object({
branch_name = optional(string)
backend_enabled = optional(bool, false)
environment_name = optional(string)
deployment_artifacts = optional(string)
stack_name = optional(string)
display_name = optional(string)
description = optional(string)
enable_auto_build = optional(bool)
enable_basic_auth = optional(bool)
enable_notification = optional(bool)
enable_performance_mode = optional(bool)
enable_pull_request_preview = optional(bool)
environment_variables = optional(map(string))
secrets = optional(map(string), {})
framework = optional(string)
pull_request_environment_name = optional(string)
stage = optional(string)
ttl = optional(number)
webhook_enabled = optional(bool, false)
}))
| `{}` | no | | [iam\_service\_role\_actions](#input\_iam\_service\_role\_actions) | List of IAM policy actions for the AWS Identity and Access Management (IAM) service role for the Amplify app.
If not provided, the default set of actions will be used for the role if the variable `iam_service_role_enabled` is set to `true`. | `list(string)` | `[]` | no | | [iam\_service\_role\_arn](#input\_iam\_service\_role\_arn) | The AWS Identity and Access Management (IAM) service role for the Amplify app.
If not provided, a new role will be created if the variable `iam_service_role_enabled` is set to `true`. | `list(string)` | `[]` | no | | [iam\_service\_role\_enabled](#input\_iam\_service\_role\_enabled) | Flag to create the IAM service role for the Amplify app | `bool` | `false` | no | @@ -283,6 +284,7 @@ Available targets: | [domain\_associations](#output\_domain\_associations) | Created domain associations | | [id](#output\_id) | Amplify App Id | | [name](#output\_name) | Amplify App name | +| [secret\_arns](#output\_secret\_arns) | The ARNs of the created secrets | | [webhooks](#output\_webhooks) | Created webhooks | diff --git a/docs/terraform.md b/docs/terraform.md index ddeb9f8..d3dd55e 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -18,6 +18,7 @@ |------|--------|---------| | [role](#module\_role) | cloudposse/iam-role/aws | 0.18.0 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| [write\_ssm\_secrets](#module\_write\_ssm\_secrets) | cloudposse/ssm-parameter-store/aws | 0.13.0 | ## Resources @@ -55,7 +56,7 @@ | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | | [environment\_variables](#input\_environment\_variables) | The environment variables for the Amplify app | `map(string)` | `{}` | no | -| [environments](#input\_environments) | The configuration of the environments for the Amplify App |
map(object({
branch_name = optional(string)
backend_enabled = optional(bool, false)
environment_name = optional(string)
deployment_artifacts = optional(string)
stack_name = optional(string)
display_name = optional(string)
description = optional(string)
enable_auto_build = optional(bool)
enable_basic_auth = optional(bool)
enable_notification = optional(bool)
enable_performance_mode = optional(bool)
enable_pull_request_preview = optional(bool)
environment_variables = optional(map(string))
framework = optional(string)
pull_request_environment_name = optional(string)
stage = optional(string)
ttl = optional(number)
webhook_enabled = optional(bool, false)
}))
| `{}` | no | +| [environments](#input\_environments) | The configuration of the environments for the Amplify App |
map(object({
branch_name = optional(string)
backend_enabled = optional(bool, false)
environment_name = optional(string)
deployment_artifacts = optional(string)
stack_name = optional(string)
display_name = optional(string)
description = optional(string)
enable_auto_build = optional(bool)
enable_basic_auth = optional(bool)
enable_notification = optional(bool)
enable_performance_mode = optional(bool)
enable_pull_request_preview = optional(bool)
environment_variables = optional(map(string))
secrets = optional(map(string), {})
framework = optional(string)
pull_request_environment_name = optional(string)
stage = optional(string)
ttl = optional(number)
webhook_enabled = optional(bool, false)
}))
| `{}` | no | | [iam\_service\_role\_actions](#input\_iam\_service\_role\_actions) | List of IAM policy actions for the AWS Identity and Access Management (IAM) service role for the Amplify app.
If not provided, the default set of actions will be used for the role if the variable `iam_service_role_enabled` is set to `true`. | `list(string)` | `[]` | no | | [iam\_service\_role\_arn](#input\_iam\_service\_role\_arn) | The AWS Identity and Access Management (IAM) service role for the Amplify app.
If not provided, a new role will be created if the variable `iam_service_role_enabled` is set to `true`. | `list(string)` | `[]` | no | | [iam\_service\_role\_enabled](#input\_iam\_service\_role\_enabled) | Flag to create the IAM service role for the Amplify app | `bool` | `false` | no | @@ -85,5 +86,6 @@ | [domain\_associations](#output\_domain\_associations) | Created domain associations | | [id](#output\_id) | Amplify App Id | | [name](#output\_name) | Amplify App name | +| [secret\_arns](#output\_secret\_arns) | The ARNs of the created secrets | | [webhooks](#output\_webhooks) | Created webhooks | From 73b8fac315be1253c4a17e181e77986476fe2f66 Mon Sep 17 00:00:00 2001 From: Kevin Mahoney Date: Tue, 30 Apr 2024 21:50:52 +0200 Subject: [PATCH 3/3] rm output --- outputs.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/outputs.tf b/outputs.tf index 87ac180..091c556 100644 --- a/outputs.tf +++ b/outputs.tf @@ -38,7 +38,3 @@ output "domain_associations" { value = aws_amplify_domain_association.default } -output "secret_arns" { - description = "The ARNs of the created secrets" - value = module.write_ssm_secrets[*].arn_map -}