fix: properly create conditional SSM parameters (#8)

SSM parameters do not allow blank values so this fix conditionally
creates them as needed.

Author: patheard

terraform/aws/ecs.tf

@@ -11,25 +11,27 @@ data "template_file" "valentine" {
   template = file("./templates/valentine.json.tpl")
 
   vars = {
-    awslogs-group         = aws_cloudwatch_log_group.valentine_group.name
-    awslogs-region        = var.region
-    awslogs-stream-prefix = "ecs-valentine"
-    image                 = "public.ecr.aws/cds-snc/valentine:latest"
-    fargate_cpu           = var.fargate_cpu
-    fargate_memory        = var.fargate_memory
-    aws_region            = var.region
-    AZURE_OPENAI_ENDPOINT = aws_ssm_parameter.azure_openai_endpoint.arn
-    AZURE_OPENAI_KEY      = aws_ssm_parameter.azure_openai_key.arn
-    COGNITO_DOMAIN        = aws_ssm_parameter.cognito_domain.arn
-    COGNITO_CLIENT_ID     = aws_ssm_parameter.cognito_client_id.arn
-    COGNITO_CLIENT_SECRET = aws_ssm_parameter.cognito_client_secret.arn
-    COGNITO_USER_POOL_ID  = aws_ssm_parameter.cognito_user_pool_id.arn
-    COGNITO_AWS_REGION    = aws_ssm_parameter.cognito_aws_region.arn
-    DATABASE_URL          = aws_ssm_parameter.database_url.arn
-    GOOGLE_CLIENT_ID      = aws_ssm_parameter.google_client_id.arn
-    GOOGLE_CLIENT_SECRET  = aws_ssm_parameter.google_client_secret.arn
-    PHX_HOST              = aws_acm_certificate.valentine.domain_name
-    SECRET_KEY_BASE       = aws_ssm_parameter.secret_key_base.arn
+    awslogs-group            = aws_cloudwatch_log_group.valentine_group.name
+    awslogs-region           = var.region
+    awslogs-stream-prefix    = "ecs-valentine"
+    image                    = "public.ecr.aws/cds-snc/valentine:latest"
+    fargate_cpu              = var.fargate_cpu
+    fargate_memory           = var.fargate_memory
+    aws_region               = var.region
+    AZURE_OPENAI_ENDPOINT    = aws_ssm_parameter.azure_openai_endpoint.arn
+    AZURE_OPENAI_KEY         = aws_ssm_parameter.azure_openai_key.arn
+    COGNITO_DOMAIN           = var.create_cognito_user_pool ? aws_ssm_parameter.cognito_domain[0].arn : ""
+    COGNITO_CLIENT_ID        = var.create_cognito_user_pool ? aws_ssm_parameter.cognito_client_id[0].arn : ""
+    COGNITO_CLIENT_SECRET    = var.create_cognito_user_pool ? aws_ssm_parameter.cognito_client_secret[0].arn : ""
+    COGNITO_USER_POOL_ID     = var.create_cognito_user_pool ? aws_ssm_parameter.cognito_user_pool_id[0].arn : ""
+    COGNITO_AWS_REGION       = var.create_cognito_user_pool ? aws_ssm_parameter.cognito_aws_region[0].arn : ""
+    CREATE_COGNITO_USER_POOL = var.create_cognito_user_pool
+    CREATE_GOOGLE_AUTH       = var.create_google_auth
+    DATABASE_URL             = aws_ssm_parameter.database_url.arn
+    GOOGLE_CLIENT_ID         = var.create_google_auth ? aws_ssm_parameter.google_client_id[0].arn : ""
+    GOOGLE_CLIENT_SECRET     = var.create_google_auth ? aws_ssm_parameter.google_client_secret[0].arn : ""
+    PHX_HOST                 = aws_acm_certificate.valentine.domain_name
+    SECRET_KEY_BASE          = aws_ssm_parameter.secret_key_base.arn
   }
 }
 

terraform/aws/iam.tf

@@ -15,19 +15,27 @@ data "aws_iam_policy_document" "valentine_secrets_manager" {
     actions = [
       "ssm:GetParameters",
     ]
-    resources = [
-      aws_ssm_parameter.azure_openai_endpoint.arn,
-      aws_ssm_parameter.azure_openai_key.arn,
-      aws_ssm_parameter.cognito_domain.arn,
-      aws_ssm_parameter.cognito_client_id.arn,
-      aws_ssm_parameter.cognito_client_secret.arn,
-      aws_ssm_parameter.cognito_user_pool_id.arn,
-      aws_ssm_parameter.cognito_aws_region.arn,
-      aws_ssm_parameter.database_url.arn,
-      aws_ssm_parameter.google_client_id.arn,
-      aws_ssm_parameter.google_client_secret.arn,
-      aws_ssm_parameter.secret_key_base.arn
-    ]
+    resources = concat(
+      [
+        aws_ssm_parameter.azure_openai_endpoint.arn,
+        aws_ssm_parameter.azure_openai_key.arn,
+        aws_ssm_parameter.database_url.arn,
+        aws_ssm_parameter.secret_key_base.arn
+      ],
+      (var.create_cognito_user_pool ?
+        [
+          aws_ssm_parameter.cognito_domain[0].arn,
+          aws_ssm_parameter.cognito_client_id[0].arn,
+          aws_ssm_parameter.cognito_client_secret[0].arn,
+          aws_ssm_parameter.cognito_user_pool_id[0].arn,
+          aws_ssm_parameter.cognito_aws_region[0].arn,
+      ] : []),
+      (var.create_google_auth ?
+        [
+          aws_ssm_parameter.google_client_id[0].arn,
+          aws_ssm_parameter.google_client_secret[0].arn,
+      ] : [])
+    )
   }
 }
 

terraform/aws/ssm.tf

@@ -22,9 +22,11 @@ resource "aws_ssm_parameter" "azure_openai_key" {
 }
 
 resource "aws_ssm_parameter" "cognito_domain" {
+  count = var.create_cognito_user_pool ? 1 : 0
+
   name  = "cognito_domain"
   type  = "SecureString"
-  value = var.create_cognito_user_pool ? "${aws_cognito_user_pool_domain.domain[0].domain}.auth.${var.region}.amazoncognito.com" : ""
+  value = "${aws_cognito_user_pool_domain.domain[0].domain}.auth.${var.region}.amazoncognito.com"
 
   tags = {
     CostCentre = var.billing_code
@@ -33,9 +35,11 @@ resource "aws_ssm_parameter" "cognito_domain" {
 }
 
 resource "aws_ssm_parameter" "cognito_client_id" {
+  count = var.create_cognito_user_pool ? 1 : 0
+
   name  = "cognito_client_id"
   type  = "SecureString"
-  value = var.create_cognito_user_pool ? aws_cognito_user_pool_client.client[0].id : ""
+  value = aws_cognito_user_pool_client.client[0].id
 
   tags = {
     CostCentre = var.billing_code
@@ -44,9 +48,11 @@ resource "aws_ssm_parameter" "cognito_client_id" {
 }
 
 resource "aws_ssm_parameter" "cognito_client_secret" {
+  count = var.create_cognito_user_pool ? 1 : 0
+
   name  = "cognito_client_secret"
   type  = "SecureString"
-  value = var.create_cognito_user_pool ? aws_cognito_user_pool_client.client[0].client_secret : ""
+  value = aws_cognito_user_pool_client.client[0].client_secret
 
   tags = {
     CostCentre = var.billing_code
@@ -55,9 +61,11 @@ resource "aws_ssm_parameter" "cognito_client_secret" {
 }
 
 resource "aws_ssm_parameter" "cognito_user_pool_id" {
+  count = var.create_cognito_user_pool ? 1 : 0
+
   name  = "cognito_user_pool_id"
   type  = "SecureString"
-  value = var.create_cognito_user_pool ? aws_cognito_user_pool.valentine_user_pool[0].id : ""
+  value = aws_cognito_user_pool.valentine_user_pool[0].id
 
   tags = {
     CostCentre = var.billing_code
@@ -66,9 +74,11 @@ resource "aws_ssm_parameter" "cognito_user_pool_id" {
 }
 
 resource "aws_ssm_parameter" "cognito_aws_region" {
+  count = var.create_cognito_user_pool ? 1 : 0
+
   name  = "cognito_aws_region"
   type  = "SecureString"
-  value = var.create_cognito_user_pool ? var.region : ""
+  value = var.region
 
   tags = {
     CostCentre = var.billing_code
@@ -88,6 +98,8 @@ resource "aws_ssm_parameter" "database_url" {
 }
 
 resource "aws_ssm_parameter" "google_client_id" {
+  count = var.create_google_auth ? 1 : 0
+
   name  = "google_client_id"
   type  = "SecureString"
   value = var.google_client_id
@@ -99,6 +111,8 @@ resource "aws_ssm_parameter" "google_client_id" {
 }
 
 resource "aws_ssm_parameter" "google_client_secret" {
+  count = var.create_google_auth ? 1 : 0
+
   name  = "google_client_secret"
   type  = "SecureString"
   value = var.google_client_secret
@@ -119,3 +133,38 @@ resource "aws_ssm_parameter" "secret_key_base" {
     Terraform  = true
   }
 }
+
+moved {
+  from = aws_ssm_parameter.cognito_aws_region
+  to   = aws_ssm_parameter.cognito_aws_region[0]
+}
+
+moved {
+  from = aws_ssm_parameter.cognito_client_id
+  to   = aws_ssm_parameter.cognito_client_id[0]
+}
+
+moved {
+  from = aws_ssm_parameter.cognito_client_secret
+  to   = aws_ssm_parameter.cognito_client_secret[0]
+}
+
+moved {
+  from = aws_ssm_parameter.cognito_domain
+  to   = aws_ssm_parameter.cognito_domain[0]
+}
+
+moved {
+  from = aws_ssm_parameter.cognito_user_pool_id
+  to   = aws_ssm_parameter.cognito_user_pool_id[0]
+}
+
+moved {
+  from = aws_ssm_parameter.google_client_id
+  to   = aws_ssm_parameter.google_client_id[0]
+}
+
+moved {
+  from = aws_ssm_parameter.google_client_secret
+  to   = aws_ssm_parameter.google_client_secret[0]
+}

terraform/aws/templates/valentine.json.tpl

@@ -40,6 +40,7 @@
                 "name": "AZURE_OPENAI_KEY",
                 "valueFrom": "${AZURE_OPENAI_KEY}"
             },
+            %{ if CREATE_COGNITO_USER_POOL == "true" }
             {
                 "name": "COGNITO_DOMAIN",
                 "valueFrom": "${COGNITO_DOMAIN}"
@@ -60,10 +61,12 @@
                 "name": "COGNITO_AWS_REGION",
                 "valueFrom": "${COGNITO_AWS_REGION}"
             },
+            %{ endif }
             {
                 "name": "DATABASE_URL",
                 "valueFrom": "${DATABASE_URL}"
             },
+            %{ if CREATE_GOOGLE_AUTH == "true" }
             {
                 "name": "GOOGLE_CLIENT_ID",
                 "valueFrom": "${GOOGLE_CLIENT_ID}"
@@ -72,6 +75,7 @@
                 "name": "GOOGLE_CLIENT_SECRET",
                 "valueFrom": "${GOOGLE_CLIENT_SECRET}"
             },
+            %{ endif }
             {
                 "name": "SECRET_KEY_BASE",
                 "valueFrom": "${SECRET_KEY_BASE}"

terraform/aws/variables.tf

@@ -30,6 +30,11 @@ variable "create_gh_oidc_roles" {
   type        = bool
 }
 
+variable "create_google_auth" {
+  description = "Whether to create Google authentication resources"
+  type        = bool
+}
+
 variable "domain" {
   description = "The domain for the application"
   type        = string

terraform/env/production/terragrunt.hcl

@@ -14,6 +14,7 @@ inputs = {
   billing_code             = local.billing_code
   create_cognito_user_pool = false
   create_gh_oidc_roles     = false
+  create_google_auth       = true
   domain                   = "valentine.cds-snc.ca"
   region                   = local.region
 }

terraform/env/user-testing/terragrunt.hcl

@@ -14,6 +14,7 @@ inputs = {
   billing_code             = local.billing_code
   create_cognito_user_pool = true
   create_gh_oidc_roles     = true
+  create_google_auth       = false
   domain                   = "valentine-dev.cdssandbox.xyz"
   region                   = local.region
 }