fix: add api missing variables (zitadel domain and app key) (#781)

cds-snc · Aug 21, 2024 · 0d92933 · 0d92933
1 parent e5fcca5
commit 0d92933
Show file tree

Hide file tree

Showing 10 changed files with 84 additions and 5 deletions.
diff --git a/.github/workflows/terragrunt-apply-staging.yml b/.github/workflows/terragrunt-apply-staging.yml
@@ -27,6 +27,7 @@ env:
   TF_INPUT: false
   # API
   FF_API: true
+  TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}
   # App
   TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
   TF_VAR_recaptcha_secret: ${{ secrets.STAGING_RECAPTCHA_SITE_SECRET }}

diff --git a/.github/workflows/terragrunt-plan-all-staging.yml b/.github/workflows/terragrunt-plan-all-staging.yml
@@ -20,6 +20,7 @@ env:
   TF_INPUT: false
   # API
   FF_API: true
+  TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}
   # App
   TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
   TF_VAR_recaptcha_secret: ${{ secrets.STAGING_RECAPTCHA_SITE_SECRET }}

diff --git a/.github/workflows/terragrunt-plan-staging.yml b/.github/workflows/terragrunt-plan-staging.yml
@@ -29,6 +29,7 @@ env:
   TF_INPUT: false
   # API
   FF_API: true
+  TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}
   # App
   TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
   TF_VAR_recaptcha_secret: ${{ secrets.STAGING_RECAPTCHA_SITE_SECRET }}

diff --git a/aws/api/ecs.tf b/aws/api/ecs.tf
@@ -1,8 +1,18 @@
 locals {
-  container_env     = [] # TODO: add api environment variables
-  container_secrets = [] # TODO: add api secrets
-}
+  container_env = [
+    {
+      name  = "ZITADEL_DOMAIN"
+      value = var.zitadel_provider
+    }
+  ]
 
+  container_secrets = [
+    {
+      name      = "ZITADEL_APPLICATION_KEY"
+      valueFrom = var.zitadel_application_key_secret_arn
+    }
+  ]
+}
 module "api_ecs" {
   source = "github.com/cds-snc/terraform-modules//ecs?ref=f11e70a097b0796e661b7e209e29f7d6b62240cf" # v9.6.3
 
@@ -101,3 +111,17 @@ data "aws_iam_policy_document" "api_ecs_s3_vault" {
     ]
   }
 }
+
+data "aws_iam_policy_document" "api_ecs_secrets_manager" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+
+    resources = [
+      var.zitadel_application_key_secret_arn
+    ]
+  }
+}
diff --git a/aws/api/inputs.tf b/aws/api/inputs.tf
@@ -42,3 +42,14 @@ variable "security_group_id_api_ecs" {
   description = "ID of the security group for the API ECS service"
   type        = string
 }
+
+variable "zitadel_provider" {
+  description = "The Zitadel provider endpoint used by the ECS task"
+  type        = string
+}
+
+variable "zitadel_application_key_secret_arn" {
+  description = "The Zitadel application key secret used by the ECS task"
+  type        = string
+  sensitive   = true
+}
diff --git a/aws/secrets/inputs.tf b/aws/secrets/inputs.tf
@@ -33,4 +33,10 @@ variable "zitadel_administration_key" {
   description = "The Zitadel administration key used by the ECS task and Lambda"
   type        = string
   sensitive   = true
+}
+
+variable "zitadel_application_key" {
+  description = "The Zitadel application key used by the ECS task (API)"
+  type        = string
+  sensitive   = true
 }
diff --git a/aws/secrets/outputs.tf b/aws/secrets/outputs.tf
@@ -26,4 +26,9 @@ output "notify_callback_bearer_token_secret_arn" {
 output "zitadel_administration_key_secret_arn" {
   description = "ARN of zitadel_administration_key secret"
   value       = aws_secretsmanager_secret_version.zitadel_administration_key.arn
+}
+
+output "zitadel_application_key_secret_arn" {
+  description = "ARN of zitadel_application_key secret"
+  value       = aws_secretsmanager_secret_version.zitadel_application_key.arn
 }
diff --git a/aws/secrets/secrets.tf b/aws/secrets/secrets.tf
@@ -65,4 +65,15 @@ resource "aws_secretsmanager_secret" "zitadel_administration_key" {
 resource "aws_secretsmanager_secret_version" "zitadel_administration_key" {
   secret_id     = aws_secretsmanager_secret.zitadel_administration_key.id
   secret_string = var.zitadel_administration_key
-}
+}
+
+resource "aws_secretsmanager_secret" "zitadel_application_key" {
+  # checkov:skip=CKV2_AWS_57: Automatic secret rotation not required
+  name                    = "zitadel_application_key"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "zitadel_application_key" {
+  secret_id     = aws_secretsmanager_secret.zitadel_application_key.id
+  secret_string = var.zitadel_application_key
+}
diff --git a/env/cloud/api/terragrunt.hcl b/env/cloud/api/terragrunt.hcl
@@ -3,7 +3,7 @@ terraform {
 }
 
 dependencies {
-  paths = ["../kms", "../network", "../dynamodb", "../load_balancer", "../ecr", "../s3", "../app"]
+  paths = ["../kms", "../network", "../dynamodb", "../load_balancer", "../ecr", "../s3", "../app", "../secrets"]
 }
 
 dependency "app" {
@@ -73,6 +73,19 @@ dependency "s3" {
   }
 }
 
+dependency "secrets" {
+  config_path                             = "../secrets"
+  mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
+  mock_outputs_merge_strategy_with_state  = "shallow"
+  mock_outputs = {
+      zitadel_application_key_secret_arn   = "arn:aws:secretsmanager:ca-central-1:123456789012:secret:zitadel_application_key"
+  }
+}
+
+locals {
+  zitadel_domain            = get_env("ZITADEL_PROVIDER", "https://localhost")
+}
+
 inputs = {
   api_image_tag = "latest"
 
@@ -84,6 +97,10 @@ inputs = {
   private_subnet_ids          = dependency.network.outputs.private_subnet_ids
   security_group_id_api_ecs   = dependency.network.outputs.api_ecs_security_group_id
   s3_vault_file_storage_arn   = dependency.s3.outputs.vault_file_storage_arn
+  zitadel_application_key_secret_arn   = dependency.secrets.outputs.zitadel_application_key_secret_arn
+
+  zitadel_domain              = local.zitadel_domain
+
 }
 
 include {

diff --git a/env/cloud/secrets/terragrunt.hcl b/env/cloud/secrets/terragrunt.hcl
@@ -14,6 +14,7 @@ locals {
   notify_api_key               = get_env("NOTIFY_API_KEY", "I_am_not_a_secret_token")
   freshdesk_api_key            = get_env("FRESHDESK_API_KEY", "I_am_not_a_secret_token")
   zitadel_administration_key   = get_env("ZITADEL_ADMINISTRATION_KEY", "I_am_not_a_secret_token")
+  zitadel_application_key      = get_env("ZITADEL_APPLICATION_KEY", "I_am_not_a_secret_token")
   rds_db_password              = "chummy"
 }
 
@@ -24,6 +25,7 @@ inputs = {
   notify_api_key               = local.notify_api_key
   freshdesk_api_key            = local.freshdesk_api_key
   zitadel_administration_key   = local.zitadel_administration_key
+  zitadel_application_key      = local.zitadel_application_key
   # Overwritten in GitHub Actions by TFVARS
   rds_db_password              = local.rds_db_password
 }