VIA-591 MD/AS: Move AUTH_SECRET from lambda to SSM for the rest of all envs

marie-dedikova-nhs · ankur-jain-nhs · commit b52651693791 · 2025-11-21T10:15:04.000Z
(cherry picked from commit 49357ff)
diff --git a/infrastructure/environments/preprod/locals.tf b/infrastructure/environments/preprod/locals.tf
@@ -45,7 +45,6 @@ locals {
     APIM_KEY_ID              = "test-1"
 
     AUTH_TRUST_HOST = "true"
-    AUTH_SECRET     = random_password.auth_secret.result
     APP_VERSION     = local.app_version
 
     NBS_URL          = "https://www.nhswebsite-staging.nhs.uk/nbs"
@@ -62,12 +61,6 @@ locals {
   }
 }
 
-resource "random_password" "auth_secret" {
-  length           = 64
-  special          = true
-  override_special = "/+"
-}
-
 resource "null_resource" "check_workspace" {
   lifecycle {
     precondition {
diff --git a/infrastructure/environments/preprod/ssm.tf b/infrastructure/environments/preprod/ssm.tf
@@ -32,3 +32,16 @@ resource "aws_ssm_parameter" "apim_private_key" {
   value_wo         = "to-be-replaced-manually"
   value_wo_version = 0
 }
+
+resource "aws_ssm_parameter" "auth_secret" {
+  name             = "/${local.prefix}/AUTH_SECRET"
+  type             = "SecureString"
+  value_wo         = random_password.auth_secret.result
+  value_wo_version = 0
+}
+
+resource "random_password" "auth_secret" {
+  length           = 64
+  special          = true
+  override_special = "/+"
+}
diff --git a/infrastructure/environments/prod/locals.tf b/infrastructure/environments/prod/locals.tf
@@ -45,7 +45,6 @@ locals {
     APIM_KEY_ID              = "prod-1"
 
     AUTH_TRUST_HOST = "true"
-    AUTH_SECRET     = random_password.auth_secret.result
     APP_VERSION     = local.app_version
 
     NBS_URL          = "https://www.nhs.uk/nbs"
@@ -62,12 +61,6 @@ locals {
   }
 }
 
-resource "random_password" "auth_secret" {
-  length           = 64
-  special          = true
-  override_special = "/+"
-}
-
 resource "null_resource" "check_workspace" {
   lifecycle {
     precondition {
diff --git a/infrastructure/environments/prod/ssm.tf b/infrastructure/environments/prod/ssm.tf
@@ -32,3 +32,16 @@ resource "aws_ssm_parameter" "apim_private_key" {
   value_wo         = "to-be-replaced-manually"
   value_wo_version = 0
 }
+
+resource "aws_ssm_parameter" "auth_secret" {
+  name             = "/${local.prefix}/AUTH_SECRET"
+  type             = "SecureString"
+  value_wo         = random_password.auth_secret.result
+  value_wo_version = 0
+}
+
+resource "random_password" "auth_secret" {
+  length           = 64
+  special          = true
+  override_special = "/+"
+}
diff --git a/infrastructure/environments/test/locals.tf b/infrastructure/environments/test/locals.tf
@@ -43,7 +43,6 @@ locals {
     APIM_KEY_ID          = "test-1"
 
     AUTH_TRUST_HOST = "true"
-    AUTH_SECRET     = random_password.auth_secret.result
     APP_VERSION     = local.app_version
 
     NBS_URL          = "https://www.nhswebsite-staging.nhs.uk/nbs"
@@ -60,12 +59,6 @@ locals {
   }
 }
 
-resource "random_password" "auth_secret" {
-  length           = 64
-  special          = true
-  override_special = "/+"
-}
-
 resource "null_resource" "check_workspace" {
   lifecycle {
     precondition {
diff --git a/infrastructure/environments/test/ssm.tf b/infrastructure/environments/test/ssm.tf
@@ -32,3 +32,16 @@ resource "aws_ssm_parameter" "apim_private_key" {
   value_wo         = "to-be-replaced-manually"
   value_wo_version = 0
 }
+
+resource "aws_ssm_parameter" "auth_secret" {
+  name             = "/${local.prefix}/AUTH_SECRET"
+  type             = "SecureString"
+  value_wo         = random_password.auth_secret.result
+  value_wo_version = 0
+}
+
+resource "random_password" "auth_secret" {
+  length           = 64
+  special          = true
+  override_special = "/+"
+}
