[NRL-1379] Keep notification emails as sensitive in TF

Author: mattdean3-nhs

terraform/account-wide-infrastructure/dev/locals.tf

@@ -4,5 +4,5 @@ locals {
   environment = terraform.workspace
   prefix      = "${local.project}--${local.environment}"
 
-  notification_emails = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))))
+  notification_emails = tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))
 }

terraform/account-wide-infrastructure/dev/secrets.tf

@@ -7,10 +7,6 @@ resource "aws_secretsmanager_secret" "backup_destination_parameters" {
   description = "Parameters used to configure the backup destination"
 }
 
-resource "aws_secretsmanager_secret" "notification_email_addresses" {
-  name = "${local.prefix}-dev-notification-email-addresses"
-}
-
 resource "aws_secretsmanager_secret" "dev_smoke_test_apigee_app" {
   name        = "${local.prefix}--dev--apigee-app--smoke-test"
   description = "APIGEE App used to run Smoke Tests against the DEV environment"

terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/sns.tf

@@ -4,8 +4,8 @@ resource "aws_sns_topic" "sns_topic" {
 }
 
 resource "aws_sns_topic_subscription" "sns_subscription" {
-  for_each  = var.notification_emails
+  count     = length(var.notification_emails)
   topic_arn = aws_sns_topic.sns_topic.arn
   protocol  = "email"
-  endpoint  = sensitive(each.value)
+  endpoint  = var.notification_emails[count.index]
 }

terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/vars.tf

@@ -27,7 +27,8 @@ variable "kms_deletion_window_in_days" {
 }
 
 variable "notification_emails" {
-  type        = set(string)
+  type        = list(string)
+  sensitive   = true
   description = "The email addresses to which notifications will be sent."
   default     = []
 }

terraform/account-wide-infrastructure/prod/locals.tf

@@ -4,5 +4,5 @@ locals {
   environment = terraform.workspace
   prefix      = "${local.project}--${local.environment}"
 
-  notification_emails = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))))
+  notification_emails = tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))
 }

terraform/account-wide-infrastructure/test/locals.tf

@@ -4,5 +4,5 @@ locals {
   environment = terraform.workspace
   prefix      = "${local.project}--${local.environment}"
 
-  notification_emails = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))))
+  notification_emails = tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))
 }