From 0d929332552856ec0561647ae566e768b50f9734 Mon Sep 17 00:00:00 2001
From: Wissam Moussa <70960477+wmoussa-gc@users.noreply.github.com>
Date: Wed, 21 Aug 2024 14:33:24 -0400
Subject: [PATCH] fix: add api missing variables (zitadel domain and app key) (#781)

---
 .../workflows/terragrunt-apply-staging.yml | 1 +
 .../workflows/terragrunt-plan-all-staging.yml | 1 +
 .github/workflows/terragrunt-plan-staging.yml | 1 +
 aws/api/ecs.tf | 30 +++++++++++++++++--
 aws/api/inputs.tf | 11 +++++++
 aws/secrets/inputs.tf | 6 ++++
 aws/secrets/outputs.tf | 5 ++++
 aws/secrets/secrets.tf | 13 +++++++-
 env/cloud/api/terragrunt.hcl | 19 +++++++++++-
 env/cloud/secrets/terragrunt.hcl | 2 ++
 10 files changed, 84 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/terragrunt-apply-staging.yml b/.github/workflows/terragrunt-apply-staging.yml
index 5712c24f2..0449bfdec 100644
--- a/.github/workflows/terragrunt-apply-staging.yml
+++ b/.github/workflows/terragrunt-apply-staging.yml
@@ -27,6 +27,7 @@ env:
 TF_INPUT: false
 # API
 FF_API: true
+ TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}
 # App
 TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
 TF_VAR_recaptcha_secret: ${{ secrets.STAGING_RECAPTCHA_SITE_SECRET }}
diff --git a/.github/workflows/terragrunt-plan-all-staging.yml b/.github/workflows/terragrunt-plan-all-staging.yml
index fec19a8cd..9f9e1a02f 100644
--- a/.github/workflows/terragrunt-plan-all-staging.yml
+++ b/.github/workflows/terragrunt-plan-all-staging.yml
@@ -20,6 +20,7 @@ env:
 TF_INPUT: false
 # API
 FF_API: true
+ TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}
 # App
 TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
 TF_VAR_recaptcha_secret: ${{ secrets.STAGING_RECAPTCHA_SITE_SECRET }}
diff --git a/.github/workflows/terragrunt-plan-staging.yml b/.github/workflows/terragrunt-plan-staging.yml
index 1b1f7561b..93f436534 100644
--- a/.github/workflows/terragrunt-plan-staging.yml
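Review bot: Only the application key is added to the workflow environment; the matching domain has no counterpart here, although env/cloud/api/terragrunt.hcl in this same patch resolves it with `get_env("ZITADEL_PROVIDER", "https://localhost")`, so a staging plan or apply falls back to `https://localhost` unless that variable is already exported somewhere outside this diff. Adding a line such as `ZITADEL_PROVIDER: <staging Zitadel URL, e.g. from a repository variable>` next to the new entry would close that gap. The identical addition in terragrunt-plan-all-staging.yml and terragrunt-plan-staging.yml would need the same treatment. The new `TF_VAR_zitadel_application_key` sits at workflow-level `env:`, which hands the credential to every step including third-party actions; that follows the existing `TF_VAR_*` entries, but scoping it to the terragrunt step would limit its exposure.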
+++ b/.github/workflows/terragrunt-plan-staging.yml
@@ -29,6 +29,7 @@ env:
 TF_INPUT: false
 # API
 FF_API: true
+ TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}
 # App
 TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
 TF_VAR_recaptcha_secret: ${{ secrets.STAGING_RECAPTCHA_SITE_SECRET }}
diff --git a/aws/api/ecs.tf b/aws/api/ecs.tf
index 94600f96c..5899e10be 100644
--- a/aws/api/ecs.tf
+++ b/aws/api/ecs.tf
@@ -1,8 +1,18 @@
 locals {
- container_env = [] # TODO: add api environment variables
- container_secrets = [] # TODO: add api secrets
-}
+ container_env = [
+ {
+ name = "ZITADEL_DOMAIN"
+ value = var.zitadel_provider
+ }
+ ]
+ container_secrets = [
+ {
+ name = "ZITADEL_APPLICATION_KEY"
+ valueFrom = var.zitadel_application_key_secret_arn
+ }
+ ]
+}

 module "api_ecs" {
 source = "github.com/cds-snc/terraform-modules//ecs?ref=f11e70a097b0796e661b7e209e29f7d6b62240cf" # v9.6.3
@@ -101,3 +111,17 @@ data "aws_iam_policy_document" "api_ecs_s3_vault" {
 ]
 }
 }
+
+data "aws_iam_policy_document" "api_ecs_secrets_manager" {
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "secretsmanager:GetSecretValue",
+ ]
+
+ resources = [
+ var.zitadel_application_key_secret_arn
+ ]
+ }
+}
\ No newline at end of file
diff --git a/aws/api/inputs.tf b/aws/api/inputs.tf
index 4f407323a..e75de485b 100644
--- a/aws/api/inputs.tf
+++ b/aws/api/inputs.tf
@@ -42,3 +42,14 @@ variable "security_group_id_api_ecs" {
 description = "ID of the security group for the API ECS service"
 type = string
 }
+
+variable "zitadel_provider" {
+ description = "The Zitadel provider endpoint used by the ECS task"
+ type = string
+}
+
+variable "zitadel_application_key_secret_arn" {
+ description = "The Zitadel application key secret used by the ECS task"
+ type = string
+ sensitive = true
+}
\ No newline at end of file
diff --git a/aws/secrets/inputs.tf b/aws/secrets/inputs.tf
index 1e574ea59..eef498378 100644
--- a/aws/secrets/inputs.tf
+++ b/aws/secrets/inputs.tf
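Review bot: Nothing in the patch consumes `data.aws_iam_policy_document.api_ecs_secrets_manager`; the `module "api_ecs"` call sits between the two hunks of aws/api/ecs.tf and is unchanged, so unless another file already references this document the task execution role never receives `secretsmanager:GetSecretValue`, and the task will fail at launch when ECS resolves the `ZITADEL_APPLICATION_KEY` `valueFrom` added in the first hunk. The document needs to be attached to the execution role in the same change, through whichever policy input the ecs module exposes (not visible here) or an explicit `aws_iam_role_policy`. A short comment above the data block naming the role it is meant for, e.g. `# Lets the API task execution role resolve the Zitadel application key secret at launch`, would make the missing attachment obvious to the next reader. The file also ends without a trailing newline (`\ No newline at end of file`), as does aws/api/inputs.tf.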
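Review bot: The description of `zitadel_application_key_secret_arn` in aws/api/inputs.tf calls it "The Zitadel application key secret", but the value is the Secrets Manager ARN, not the key; `description = "ARN of the Secrets Manager secret holding the Zitadel application key, resolved by the ECS task at launch"` matches what aws/api/ecs.tf does with it. Marking an ARN `sensitive = true` also redacts it, and through `local.container_secrets` likely the whole container definition, from plan output, which makes the ECS change harder to review without protecting anything secret; the sibling `zitadel_provider` is not marked, so dropping `sensitive` here keeps the two consistent.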
@@ -33,4 +33,10 @@ variable "zitadel_administration_key" {
 description = "The Zitadel administration key used by the ECS task and Lambda"
 type = string
 sensitive = true
+}
+
+variable "zitadel_application_key" {
+ description = "The Zitadel application key used by the ECS task (API)"
+ type = string
+ sensitive = true
 }
\ No newline at end of file
diff --git a/aws/secrets/outputs.tf b/aws/secrets/outputs.tf
index c1816d3d9..594b3dcc5 100644
--- a/aws/secrets/outputs.tf
+++ b/aws/secrets/outputs.tf
@@ -26,4 +26,9 @@ output "notify_callback_bearer_token_secret_arn" {
 output "zitadel_administration_key_secret_arn" {
 description = "ARN of zitadel_administration_key secret"
 value = aws_secretsmanager_secret_version.zitadel_administration_key.arn
+}
+
+output "zitadel_application_key_secret_arn" {
+ description = "ARN of zitadel_application_key secret"
+ value = aws_secretsmanager_secret_version.zitadel_application_key.arn
 }
\ No newline at end of file
diff --git a/aws/secrets/secrets.tf b/aws/secrets/secrets.tf
index 809f3afb1..5937fd821 100644
--- a/aws/secrets/secrets.tf
+++ b/aws/secrets/secrets.tf
@@ -65,4 +65,15 @@ resource "aws_secretsmanager_secret" "zitadel_administration_key" {
 resource "aws_secretsmanager_secret_version" "zitadel_administration_key" {
 secret_id = aws_secretsmanager_secret.zitadel_administration_key.id
 secret_string = var.zitadel_administration_key
-}
\ No newline at end of file
+}
+
+resource "aws_secretsmanager_secret" "zitadel_application_key" {
+ # checkov:skip=CKV2_AWS_57: Automatic secret rotation not required
+ name = "zitadel_application_key"
+ recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "zitadel_application_key" {
+ secret_id = aws_secretsmanager_secret.zitadel_application_key.id
+ secret_string = var.zitadel_application_key
+}
diff --git a/env/cloud/api/terragrunt.hcl b/env/cloud/api/terragrunt.hcl
index f6883a7d3..e646fd179 100644
--- a/env/cloud/api/terragrunt.hcl
+++ b/env/cloud/api/terragrunt.hcl
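Review bot: `recovery_window_in_days = 0` on `aws_secretsmanager_secret.zitadel_application_key` in aws/secrets/secrets.tf disables the deletion grace period, so a `destroy` or a forced replacement (for example a `name` change) removes the only copy of the application key immediately, with no way to restore it from AWS. If this mirrors the sibling `zitadel_administration_key` resource (its body is outside the hunk) the choice is at least consistent, but a non-zero window, the provider default being 30 days, costs nothing in staging and is the safer setting for a credential written from CI. Either way a one-line comment on the attribute stating why immediate deletion is wanted, e.g. `# No recovery window: the key is re-issued from Zitadel, not restored`, would help the next reader, assuming that is the reason.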
@@ -3,7 +3,7 @@ terraform {
 }

 dependencies {
- paths = ["../kms", "../network", "../dynamodb", "../load_balancer", "../ecr", "../s3", "../app"]
+ paths = ["../kms", "../network", "../dynamodb", "../load_balancer", "../ecr", "../s3", "../app", "../secrets"]
 }

 dependency "app" {
@@ -73,6 +73,19 @@ dependency "s3" {
 }
 }

+dependency "secrets" {
+ config_path = "../secrets"
+ mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
+ mock_outputs_merge_strategy_with_state = "shallow"
+ mock_outputs = {
+ zitadel_application_key_secret_arn = "arn:aws:secretsmanager:ca-central-1:123456789012:secret:zitadel_application_key"
+ }
+}
+
+locals {
+ zitadel_domain = get_env("ZITADEL_PROVIDER", "https://localhost")
+}
+
 inputs = {

 api_image_tag = "latest"
@@ -84,6 +97,10 @@ inputs = {
 private_subnet_ids = dependency.network.outputs.private_subnet_ids
 security_group_id_api_ecs = dependency.network.outputs.api_ecs_security_group_id
 s3_vault_file_storage_arn = dependency.s3.outputs.vault_file_storage_arn
+ zitadel_application_key_secret_arn = dependency.secrets.outputs.zitadel_application_key_secret_arn
+
+ zitadel_domain = local.zitadel_domain
+
 }

 include {
diff --git a/env/cloud/secrets/terragrunt.hcl b/env/cloud/secrets/terragrunt.hcl
index f707e28df..f8f99e504 100644
--- a/env/cloud/secrets/terragrunt.hcl
+++ b/env/cloud/secrets/terragrunt.hcl
@@ -14,6 +14,7 @@ locals {
 notify_api_key = get_env("NOTIFY_API_KEY", "I_am_not_a_secret_token")
 freshdesk_api_key = get_env("FRESHDESK_API_KEY", "I_am_not_a_secret_token")
 zitadel_administration_key = get_env("ZITADEL_ADMINISTRATION_KEY", "I_am_not_a_secret_token")
+ zitadel_application_key = get_env("ZITADEL_APPLICATION_KEY", "I_am_not_a_secret_token")
 rds_db_password = "chummy"
 }

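Review bot: `get_env("ZITADEL_PROVIDER", "https://localhost")` in the new `locals` block silently substitutes a loopback URL whenever the variable is unset, and nothing limits that fallback to plan-only runs the way `mock_outputs_allowed_terraform_commands` does for the `secrets` dependency just above it, so an apply without the variable ships an API task whose `ZITADEL_DOMAIN` is `https://localhost`. None of the three workflow files in this patch export `ZITADEL_PROVIDER`, so that is the value staging would get unless it is set elsewhere. Dropping the default, `zitadel_domain = get_env("ZITADEL_PROVIDER")`, makes a missing value fail the run instead; if a development default is wanted, a comment saying so on the line would stop it being mistaken for a real endpoint. The `locals` block is fully inside the hunk; `inputs = {` continues past it.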
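Review bot: The new input is named `zitadel_domain`, but the variable declared for aws/api in this same patch (aws/api/inputs.tf) is `zitadel_provider`; Terragrunt passes inputs as `TF_VAR_*` environment variables and Terraform ignores a `TF_VAR_` for an undeclared variable, so `var.zitadel_provider` stays unset and the api stack fails on a missing required variable unless `TF_VAR_zitadel_provider` is already exported by the workflows. Changing the line to `zitadel_provider = local.zitadel_domain` (or declaring the variable as `zitadel_domain`) lines the two up; the container env name `ZITADEL_DOMAIN` in aws/api/ecs.tf suggests `zitadel_domain` is the intended name, which would mean renaming the variable instead. The two blank lines added inside `inputs`, one between the new entries and one before the closing brace, are also unlike the rest of the block and can go. The `inputs` block starts outside the hunk.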
@@ -24,6 +25,7 @@ inputs = {
 notify_api_key = local.notify_api_key
 freshdesk_api_key = local.freshdesk_api_key
 zitadel_administration_key = local.zitadel_administration_key
+ zitadel_application_key = local.zitadel_application_key
 # Overwritten in GitHub Actions by TFVARS
 rds_db_password = local.rds_db_password
 }
\ No newline at end of file