BCDA-9727: Add Secondary Region KMS Key (#1292)

## 🎫 Ticket

BCDA-9727

## 🛠 Changes

This change set updates the sops values files for all path-to-production
environments to include both us-east-1 and us-west-2 homed KMS keys.

This also simplifies the `10-config` terraform, introduces a mechanism
for generating the distributed `sopsw` script via terraform input
variable, introduces a root-level `.terraform-docs.yaml` configuration
file for `terraform-docs`, and refreshes the included README.

## ℹ️ Context
In the unlikely event of us-east-1 availability issues in SSM and/or
KMS, we need to be able to use KMS keys homes in the BCP/GDR us-west-2
environment. This requires re-encryption of all encrypted values.
Re-encryption was accommodated by decrypting previous sopsw values files
via `sopsw -d` and re-encrypting with `sops -e` alongside appropriate
`.sops.yaml` that encoded the comma-delimited kms keys in the following
format:
```
creation_rules:
  - kms: arn:aws:kms:us-east-1:${aws_account_id}:alias/bcda-${env},arn:aws:kms:us-west-2:${aws_account_id}:alias/bcda-${env}
    unencrypted_regex: /nonsensitive/
    mac_only_encrypted: true
stores:
  yaml:
    indent: 2
```

## 🧪 Validation
`tofu` invocations and the following `sopsw` commands continue to
function under `10-config` with authenticated shells:
```sh
bin/sopsw -d values/dev.sopsw.yaml
bin/sopsw -d values/test.sopsw.yaml
bin/sopsw -d values/sandbox.sopsw.yaml
bin/sopsw -d values/prod.sopsw.yaml
```

Author: mjburling

.terraform-docs.yml

@@ -0,0 +1,55 @@
+formatter: markdown table
+sections:
+  show:
+    - providers
+    - requirements
+    - inputs
+    - resources
+    - outputs
+    - data-sources
+    - modules
+
+# this `content` string is implemented as a golang template https://pkg.go.dev/text/template
+# updates here correspond to `{{ .Content }}` in `output.template` setting below
+content: |-
+    {{ $warning := `<!--WARNING: GENERATED CONTENT with terraform-docs, e.g.
+         'terraform-docs --config "$(git rev-parse --show-toplevel)/.terraform-docs.yml" .'
+         Manually updating sections between TF_DOCS tags may be overwritten.
+         See https://terraform-docs.io/user-guide/configuration/ for more information.
+    -->`}}
+
+    {{- $warning }}
+    {{ .Providers }}
+
+    {{ $warning }}
+    {{ .Requirements }}
+
+    {{ $warning }}
+    {{ .Inputs }}
+
+    {{ $warning }}
+    {{ .Modules }}
+
+    {{ $warning }}
+    {{ .Resources }}
+
+    {{ $warning }}
+    {{ .Outputs }}
+
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+
+sort:
+  enabled: true
+  by: required
+
+settings:
+  indent: 2
+  default: true
+  required: true
+  type: true

ops/services/10-config/README.md

@@ -13,7 +13,7 @@ First, initialize and apply the configuration with the `sopsw` script targeted.
 cd ops/services/10-config
 export TF_VAR_env=dev
 tofu init
-tofu apply -target module.sops.local_file.sopsw
+tofu apply -target 'module.sops.local_file.sopsw[0]' -var=create_local_sops_wrapper=true
 ```
 
 ### Editing Encrypted Configuration
@@ -63,3 +63,67 @@ Configuration files follow this pattern:
 
 ### External Tools
 - **tofu** - For deploying configuration to AWS Parameter Store (`brew install opentofu`)
+
+<!-- BEGIN_TF_DOCS -->
+<!--WARNING: GENERATED CONTENT with terraform-docs, e.g.
+     'terraform-docs --config "$(git rev-parse --show-toplevel)/.terraform-docs.yml" .'
+     Manually updating sections between TF_DOCS tags may be overwritten.
+     See https://terraform-docs.io/user-guide/configuration/ for more information.
+-->
+## Providers
+
+No providers.
+
+<!--WARNING: GENERATED CONTENT with terraform-docs, e.g.
+     'terraform-docs --config "$(git rev-parse --show-toplevel)/.terraform-docs.yml" .'
+     Manually updating sections between TF_DOCS tags may be overwritten.
+     See https://terraform-docs.io/user-guide/configuration/ for more information.
+-->
+## Requirements
+
+No requirements.
+
+<!--WARNING: GENERATED CONTENT with terraform-docs, e.g.
+     'terraform-docs --config "$(git rev-parse --show-toplevel)/.terraform-docs.yml" .'
+     Manually updating sections between TF_DOCS tags may be overwritten.
+     See https://terraform-docs.io/user-guide/configuration/ for more information.
+-->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_env"></a> [env](#input\_env) | The application environment (dev, test, sandbox, prod) | `string` | n/a | yes |
+| <a name="input_create_local_sops_wrapper"></a> [create\_local\_sops\_wrapper](#input\_create\_local\_sops\_wrapper) | When `true`, creates sops wrapper file at `bin/sopsw`. | `bool` | `false` | no |
+| <a name="input_region"></a> [region](#input\_region) | n/a | `string` | `"us-east-1"` | no |
+| <a name="input_secondary_region"></a> [secondary\_region](#input\_secondary\_region) | n/a | `string` | `"us-west-2"` | no |
+
+<!--WARNING: GENERATED CONTENT with terraform-docs, e.g.
+     'terraform-docs --config "$(git rev-parse --show-toplevel)/.terraform-docs.yml" .'
+     Manually updating sections between TF_DOCS tags may be overwritten.
+     See https://terraform-docs.io/user-guide/configuration/ for more information.
+-->
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_platform"></a> [platform](#module\_platform) | github.com/CMSgov/cdap//terraform/modules/platform | ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66 |
+| <a name="module_sops"></a> [sops](#module\_sops) | github.com/CMSgov/cdap//terraform/modules/sops | 8874310 |
+
+<!--WARNING: GENERATED CONTENT with terraform-docs, e.g.
+     'terraform-docs --config "$(git rev-parse --show-toplevel)/.terraform-docs.yml" .'
+     Manually updating sections between TF_DOCS tags may be overwritten.
+     See https://terraform-docs.io/user-guide/configuration/ for more information.
+-->
+## Resources
+
+No resources.
+
+<!--WARNING: GENERATED CONTENT with terraform-docs, e.g.
+     'terraform-docs --config "$(git rev-parse --show-toplevel)/.terraform-docs.yml" .'
+     Manually updating sections between TF_DOCS tags may be overwritten.
+     See https://terraform-docs.io/user-guide/configuration/ for more information.
+-->
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

ops/services/10-config/main.tf

@@ -1,6 +1,5 @@
 locals {
-  default_tags = module.platform.default_tags
-  service      = "config"
+  service = "config"
 }
 
 module "platform" {
@@ -14,11 +13,8 @@ module "platform" {
 }
 
 module "sops" {
-  source = "github.com/CMSgov/cdap//terraform/modules/sops?ref=ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66"
+  source = "github.com/CMSgov/cdap//terraform/modules/sops?ref=8874310"
 
-  platform = module.platform
-}
-
-output "edit" {
-  value = module.sops.sopsw
+  platform                  = module.platform
+  create_local_sops_wrapper = var.create_local_sops_wrapper
 }