VIA-591 MD/AS: Move AUTH_SECRET from lambda to SSM

(cherry picked from commit 9cbce0a)

Author: marie-dedikova-nhs

auth.ts

@@ -30,6 +30,7 @@ export const { handlers, signIn, signOut, auth } = NextAuth(async () => {
   return await asyncLocalStorage.run(requestContext, async () => {
     return {
       providers: [await NHSLoginAuthProvider()],
+      secret: config.AUTH_SECRET,
       pages: {
         signIn: SSO_FAILURE_ROUTE,
         signOut: SESSION_LOGOUT_ROUTE,

infrastructure/environments/dev/locals.tf

@@ -43,7 +43,6 @@ locals {
     IS_APIM_AUTH_ENABLED     = false
 
     AUTH_TRUST_HOST = "true"
-    AUTH_SECRET     = random_password.auth_secret.result
     APP_VERSION     = local.app_version
 
     NBS_URL          = "https://f.nhswebsite-integration.nhs.uk/nbs"
@@ -60,12 +59,6 @@ locals {
   }
 }
 
-resource "random_password" "auth_secret" {
-  length           = 64
-  special          = true
-  override_special = "/+"
-}
-
 resource "null_resource" "check_workspace" {
   lifecycle {
     precondition {

infrastructure/environments/dev/ssm.tf

@@ -32,3 +32,16 @@ resource "aws_ssm_parameter" "apim_private_key" {
   value_wo         = "to-be-replaced-manually"
   value_wo_version = 0
 }
+
+resource "aws_ssm_parameter" "auth_secret" {
+  name             = "/${local.prefix}/AUTH_SECRET"
+  type             = "SecureString"
+  value_wo         = random_password.auth_secret.result
+  value_wo_version = 0
+}
+
+resource "random_password" "auth_secret" {
+  length           = 64
+  special          = true
+  override_special = "/+"
+}