Revert "CCM-11029: remove dupe ssh param"

This reverts commit 2509d17.

Author: harrim91

amplify.yml

@@ -8,7 +8,7 @@ applications:
             - cd ..
             - nvm install 20.13.1
             - nvm use 20.13.1
-            - export GITHUB_TOKEN=$(aws ssm get-parameter --name "$GITHUB_PAT_SSM_PARAM_NAME" --with-decryption --query Parameter.Value --output text)
+            - export GITHUB_TOKEN=$(aws ssm get-parameter --name "$GITHUB_PACKAGES_READ_PAT_SSM_PARAM_NAME" --with-decryption --query Parameter.Value --output text)
             - ./scripts/set_github_token.sh
             - npm ci --cache .npm --prefer-offline
             - npm run create-amplify-outputs env

infrastructure/terraform/components/acct/README.md

@@ -51,6 +51,7 @@
 | Name | Description |
 |------|-------------|
 | <a name="output_dns_zone"></a> [dns\_zone](#output\_dns\_zone) | n/a |
+| <a name="output_github_packages_read_pat_ssm_param_name"></a> [github\_packages\_read\_pat\_ssm\_param\_name](#output\_github\_packages\_read\_pat\_ssm\_param\_name) | n/a |
 | <a name="output_github_pat_ssm_param_name"></a> [github\_pat\_ssm\_param\_name](#output\_github\_pat\_ssm\_param\_name) | n/a |
 | <a name="output_log_subscription_role_arn"></a> [log\_subscription\_role\_arn](#output\_log\_subscription\_role\_arn) | n/a |
 | <a name="output_s3_buckets"></a> [s3\_buckets](#output\_s3\_buckets) | n/a |

infrastructure/terraform/components/acct/outputs.tf

@@ -10,6 +10,10 @@ output "github_pat_ssm_param_name" {
   value = aws_ssm_parameter.github_pat.name
 }
 
+output "github_packages_read_pat_ssm_param_name" {
+  value = aws_ssm_parameter.github_packages_read_pat.name
+}
+
 output "s3_buckets" {
   value = {
     access_logs = {

infrastructure/terraform/components/acct/ssm_parameter_github_packages_read_pat.tf

@@ -0,0 +1,16 @@
+resource "aws_ssm_parameter" "github_packages_read_pat" {
+  name        = "/${local.csi}/github_packages_read_pat"
+  description = "A GitHub PAT token with read:packages scope, used by Amplify to download packages from GitHub package repo"
+  type        = "SecureString"
+  value       = try(var.initial_cli_secrets_provision_override.github_packages_read_pat, "UNSET")
+
+  lifecycle {
+    ignore_changes = [value]
+  }
+}
+
+# This can be set at provision time like:
+# PARAM_OBJECT=$(jq -n \
+#   --arg github_packages_read_pat "github_pat_123abc" \
+#   '{github_packages_read_pat:$github_packages_read_pat}' | jq -R)
+# .bin/terraform <args> .. -a apply -- -var="initial_cli_secrets_provision_override=${PARAM_OBJECT}"

infrastructure/terraform/components/app/amplify_app.tf

@@ -1,7 +1,7 @@
 resource "aws_amplify_app" "main" {
   name         = local.csi
   repository   = "https://github.com/NHSDigital/nhs-notify-web-template-management"
-  access_token = data.aws_ssm_parameter.github_pat.value
+  access_token = data.aws_ssm_parameter.github_pat_ssm_param_name.value
 
   iam_service_role_arn = aws_iam_role.amplify.arn
 
@@ -32,7 +32,7 @@ resource "aws_amplify_app" "main" {
     AMPLIFY_MONOREPO_APP_ROOT                = "frontend"
     API_BASE_URL                             = module.backend_api.api_base_url
     CSRF_SECRET                              = aws_ssm_parameter.csrf_secret.value
-    GITHUB_PAT_SSM_PARAM_NAME                = data.aws_ssm_parameter.github_pat.name
+    GITHUB_PACKAGES_READ_PAT_SSM_PARAM_NAME  = data.aws_ssm_parameter.github_packages_read_pat.name
     NEXT_PUBLIC_PROMPT_SECONDS_BEFORE_LOGOUT = 120
     NEXT_PUBLIC_TIME_TILL_LOGOUT_SECONDS     = 900
     NOTIFY_ENVIRONMENT                       = var.environment

infrastructure/terraform/components/app/data_ssm_parameter_github_packages_read_pat.tf

@@ -0,0 +1,3 @@
+data "aws_ssm_parameter" "github_packages_read_pat" {
+  name = local.acct.github_packages_read_pat_ssm_param_name
+}

infrastructure/terraform/components/app/data_ssm_parameter_github_pat.tf

@@ -1,3 +1,3 @@
-data "aws_ssm_parameter" "github_pat" {
+data "aws_ssm_parameter" "github_pat_ssm_param_name" {
   name = local.acct.github_pat_ssm_param_name
 }

infrastructure/terraform/components/app/iam_role_amplify.tf

@@ -74,7 +74,7 @@ data "aws_iam_policy_document" "amplify" {
     ]
 
     resources = [
-      data.aws_ssm_parameter.github_pat.arn
+      data.aws_ssm_parameter.github_packages_read_pat.arn
     ]
   }
 }