eli-304 dealing with ssm + secrets

eddalmond1 · eddalmond1 · commit e73a67962dcc · 2025-08-20T15:15:14.000+01:00
diff --git a/.github/workflows/base-deploy.yml b/.github/workflows/base-deploy.yml
@@ -131,6 +131,9 @@ jobs:
           TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
           TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
+          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
+
         working-directory: ./infrastructure
         shell: bash
         run: |
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
@@ -93,13 +93,15 @@ jobs:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
           aws-region: eu-west-2
 
-      - name: "Terraform Plan Stacks"
+      - name: "Terraform Apply"
         env:
           ENVIRONMENT: dev
           WORKSPACE: "default"
           TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
           TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
+          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 
         # just planning for now for safety and until review
         run: |
diff --git a/.github/workflows/cicd-3-test.yaml b/.github/workflows/cicd-3-test.yaml
@@ -119,7 +119,8 @@ jobs:
           TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
           TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
-
+          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
         run: |
           mkdir -p ./build
           echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
diff --git a/.github/workflows/manual-terraform-apply.yaml b/.github/workflows/manual-terraform-apply.yaml
@@ -63,7 +63,8 @@ jobs:
           TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
           TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
-
+          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
         run: |
           mkdir -p ./build
           echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=plan args=\"-auto-approve\""
diff --git a/infrastructure/stacks/api-layer/data.tf b/infrastructure/stacks/api-layer/data.tf
@@ -28,12 +28,3 @@ data "aws_ssm_parameter" "mtls_api_ca_cert" {
   name            = "/${var.environment}/mtls/api_ca_cert"
   with_decryption = true
 }
-
-data "aws_ssm_parameter" "splunk_hec_token" {
-  name = "/splunk/hec/token"
-  with_decryption = true
-}
-data "aws_ssm_parameter" "splunk_hec_endpoint" {
-  name = "/splunk/hec/endpoint"
-  with_decryption = true
-}
diff --git a/infrastructure/stacks/api-layer/splunk_forwarder.tf b/infrastructure/stacks/api-layer/splunk_forwarder.tf
@@ -1,8 +1,8 @@
 module "splunk_forwarder" {
   source = "../../modules/splunk_forwarder"
 
-  splunk_hec_endpoint           = data.aws_ssm_parameter.splunk_hec_endpoint.value
-  splunk_hec_token              = data.aws_ssm_parameter.splunk_hec_token.value
+  splunk_hec_endpoint           = aws_ssm_parameter.splunk_hec_endpoint.value
+  splunk_hec_token              = aws_ssm_parameter.splunk_hec_token.value
   splunk_firehose_s3_role_arn   = aws_iam_role.splunk_firehose_assume_role.arn
   splunk_firehose_s3_backup_arn = module.s3_firehose_backup_bucket.storage_bucket_arn
 
diff --git a/infrastructure/stacks/api-layer/ssm.tf b/infrastructure/stacks/api-layer/ssm.tf
@@ -58,7 +58,7 @@ resource "aws_ssm_parameter" "splunk_hec_token" {
   description = "Splunk HEC token"
   type        = "SecureString"
   key_id      = aws_kms_key.splunk_hec_kms.id # Will migrate to customer key after initial creation
-  value       = "PLACEHOLDER"                 # This will be ignored due to lifecycle rule
+  value       = var.splunk_hec_token
   tier        = "Advanced"
 
   tags = {
@@ -78,7 +78,7 @@ resource "aws_ssm_parameter" "splunk_hec_endpoint" {
   description = "Splunk HEC endpoint"
   type        = "SecureString"
   key_id      = aws_kms_key.splunk_hec_kms.id # Will migrate to customer key after initial creation
-  value       = "PLACEHOLDER"                 # This will be ignored due to lifecycle rule
+  value       = var.splunk_hec_endpoint
   tier        = "Advanced"
 
   tags = {
diff --git a/infrastructure/stacks/api-layer/variables.tf b/infrastructure/stacks/api-layer/variables.tf
@@ -0,0 +1,10 @@
+variable "splunk_hec_token" {
+  type        = string
+  description = "The HEC token for ITOC splunk"
+  sensitive   = true
+}
+variable "splunk_hec_endpoint" {
+  type        = string
+  description = "The HEC endpoint url for ITOC splunk"
+  sensitive   = true
+}
