chore: Add Notify api key environment variable for SSO portal (#1221)

Co-authored-by: Bryan Robitaille <bryan.robitaille.work@gmail.com>

Author: dsamojlenko

aws/idp/ecs_idp.tf

@@ -115,7 +115,7 @@ data "aws_iam_policy_document" "ecs_task_ssm_parameters" {
       aws_ssm_parameter.zitadel_admin_password.arn,
       aws_ssm_parameter.zitadel_database_host.arn,
       aws_ssm_parameter.zitadel_database_name.arn,
-      aws_ssm_parameter.zitadel_secret_key.arn
+      aws_ssm_parameter.zitadel_secret_key.arn,
     ]
   }
 }

aws/idp/ecs_login.tf

@@ -30,11 +30,20 @@ locals {
       {
         "name"  = "CUSTOM_REQUEST_HEADERS"
         "value" = "Host:${local.idp_domains[0]}"
+      },
+      {
+        "name"  = "TEMPLATE_ID",
+        "value" = var.gc_template_id
     }]
     secrets = [{
       "name"      = "ZITADEL_SERVICE_USER_TOKEN"
       "valueFrom" = aws_ssm_parameter.idp_login_service_user_token.arn
-    }],
+      },
+      {
+        "name"      = "NOTIFY_API_KEY",
+        "valueFrom" = var.notify_api_key_secret_arn
+      }
+    ],
 
 
   }]

aws/idp/ecs_login_iam.tf

@@ -75,7 +75,27 @@ data "aws_iam_policy_document" "ecs_xray" {
   }
 }
 
-resource "aws_iam_role_policy_attachment" "ecs_task_execution_forms" {
+resource "aws_iam_policy" "user_portal_secrets_manager" {
+  name   = "userPortalSecretsManagerKeyRetrieval"
+  path   = "/"
+  policy = data.aws_iam_policy_document.user_portal_secrets_manager.json
+}
+
+data "aws_iam_policy_document" "user_portal_secrets_manager" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+
+    resources = [
+      var.notify_api_key_secret_arn,
+    ]
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task_execution_user_portal" {
   role       = aws_iam_role.idp_user_portal.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
@@ -89,3 +109,8 @@ resource "aws_iam_role_policy_attachment" "ecs_xray" {
   role       = aws_iam_role.idp_user_portal.name
   policy_arn = aws_iam_policy.ecs_xray.arn
 }
+
+resource "aws_iam_role_policy_attachment" "ecs_secrets" {
+  role       = aws_iam_role.idp_user_portal.name
+  policy_arn = aws_iam_policy.user_portal_secrets_manager.arn
+}

aws/idp/inputs.tf

@@ -140,3 +140,14 @@ variable "code_build_security_group_id" {
   description = "Code Build Security Group"
   type        = string
 }
+
+variable "notify_api_key_secret_arn" {
+  description = "The Notify API key secret used by the ECS task and Lambda arn"
+  type        = string
+  sensitive   = true
+}
+
+variable "gc_template_id" {
+  description = "GC Notify send a notification templateID"
+  type        = string
+}

env/cloud/idp/terragrunt.hcl

@@ -3,7 +3,7 @@ terraform {
 }
 
 dependencies {
-  paths = ["../hosted_zone", "../network", "../ecr", "../load_balancer", "../kms"]
+  paths = ["../hosted_zone", "../network", "../ecr", "../load_balancer", "../kms", "../secrets"]
 }
 
 locals {
@@ -69,6 +69,15 @@ dependency "kms" {
   }
 }
 
+dependency "secrets" {
+  config_path                             = "../secrets"
+  mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
+  mock_outputs_merge_strategy_with_state  = "shallow"
+  mock_outputs = {
+    notify_api_key_secret_arn = "arn:aws:secretsmanager:ca-central-1:${local.aws_account_id}:secret:notify_api_key"
+  }
+}
+
 
 inputs = {
   hosted_zone_ids = dependency.hosted_zone.outputs.hosted_zone_ids
@@ -93,13 +102,16 @@ inputs = {
 
   kms_key_cloudwatch_arn = dependency.kms.outputs.kms_key_cloudwatch_arn
 
+  notify_api_key_secret_arn = dependency.secrets.outputs.notify_api_key_secret_arn
+
   # 1 ACU ~= 2GB of memory and 1vCPU
   idp_database_min_acu = 1
   idp_database_max_acu = 4
 
   # Overwritten in GitHub Actions by TFVARS
   idp_login_service_user_token    = "ServiceUserTokenValue"
   ipd_login_github_webhook_secret = "GitHubWebhookAuthToken"
+  gc_template_id                  = "0123456789"
 }
 
 include "root" {