NDR-235 add ssm params for certs and keys

Author: megan-bower4

infrastructure/modules/ssm_parameter/main.tf

@@ -3,9 +3,14 @@ resource "aws_ssm_parameter" "secret" {
   type        = var.type
   description = var.description
   value       = var.value
+  key_id = var.key_id
   depends_on  = [var.resource_depends_on]
   tags = {
     Name = "${terraform.workspace}-ssm"
   }
+
+lifecycle {
+    ignore_changes = var.ignore_changes
+  }
 }
 

infrastructure/modules/ssm_parameter/variable.tf

@@ -37,3 +37,15 @@ variable "owner" {
   description = "Owner tag used to identify the team or individual responsible for the resource."
   type        = string
 }
+
+variable "key_id" {
+  type        = string
+  default     = null
+  description = "KMS Key ID or ARN to encrypt the SecureString parameter"
+}
+
+variable "ignore_changes" {
+  type    = list(string)
+  default = []
+  description = "List of resource attributes to ignore changes for"
+}

infrastructure/ssm_parameters_externally_signed_mtls.tf

@@ -0,0 +1,26 @@
+# Creating Params to hold a copy of externally signed client cert and key
+module "ssm_param_external_client_cert" {
+  # count       = var.externally_signed_certs ? 1 : 0
+  source      = "./modules/ssm_parameter"
+  environment           = var.environment
+  owner                 = var.owner
+  name        = "external_client_cert"
+  type        = "SecureString"
+  description = "Externally signed client certificate for mTLS"
+  value       = "REPLACE_ME"
+  key_id      = module.sns_encryption_key.key_id
+  ignore_changes = ["value"]
+}
+
+module "ssm_param_external_client_key" {
+  # count       = var.externally_signed_certs ? 1 : 0
+  source      = "./modules/ssm_parameter"
+  environment           = var.environment
+  owner                 = var.owner
+  name        = "external_client_key"
+  type        = "SecureString"
+  description = "Externally signed client certificate for mTLS"
+  value       = "REPLACE_ME"
+  key_id      = module.sns_encryption_key.key_id
+  ignore_changes = ["value"]
+}