Add SSM data sources and resources (#6)

Author: aknysh

README.md

@@ -205,11 +205,16 @@ Available targets:
 | atlantis_webhook_format | Template for the Atlantis webhook URL which is populated with the hostname | string | `https://%s/events` | no |
 | attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |
 | authentication_cognito_user_pool_arn | Cognito User Pool ARN | string | `` | no |
+| authentication_cognito_user_pool_arn_ssm_name | SSM param name to lookup `authentication_cognito_user_pool_arn` if not provided | string | `` | no |
 | authentication_cognito_user_pool_client_id | Cognito User Pool Client ID | string | `` | no |
+| authentication_cognito_user_pool_client_id_ssm_name | SSM param name to lookup `authentication_cognito_user_pool_client_id` if not provided | string | `` | no |
 | authentication_cognito_user_pool_domain | Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (`xxx`) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com) | string | `` | no |
+| authentication_cognito_user_pool_domain_ssm_name | SSM param name to lookup `authentication_cognito_user_pool_domain` if not provided | string | `` | no |
 | authentication_oidc_authorization_endpoint | OIDC Authorization Endpoint | string | `` | no |
 | authentication_oidc_client_id | OIDC Client ID | string | `` | no |
+| authentication_oidc_client_id_ssm_name | SSM param name to lookup `authentication_oidc_client_id` if not provided | string | `` | no |
 | authentication_oidc_client_secret | OIDC Client Secret | string | `` | no |
+| authentication_oidc_client_secret_ssm_name | SSM param name to lookup `authentication_oidc_client_secret` if not provided | string | `` | no |
 | authentication_oidc_issuer | OIDC Issuer | string | `` | no |
 | authentication_oidc_token_endpoint | OIDC Token Endpoint | string | `` | no |
 | authentication_oidc_user_info_endpoint | OIDC User Info Endpoint | string | `` | no |

docs/terraform.md

@@ -31,11 +31,16 @@
 | atlantis_webhook_format | Template for the Atlantis webhook URL which is populated with the hostname | string | `https://%s/events` | no |
 | attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |
 | authentication_cognito_user_pool_arn | Cognito User Pool ARN | string | `` | no |
+| authentication_cognito_user_pool_arn_ssm_name | SSM param name to lookup `authentication_cognito_user_pool_arn` if not provided | string | `` | no |
 | authentication_cognito_user_pool_client_id | Cognito User Pool Client ID | string | `` | no |
+| authentication_cognito_user_pool_client_id_ssm_name | SSM param name to lookup `authentication_cognito_user_pool_client_id` if not provided | string | `` | no |
 | authentication_cognito_user_pool_domain | Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (`xxx`) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com) | string | `` | no |
+| authentication_cognito_user_pool_domain_ssm_name | SSM param name to lookup `authentication_cognito_user_pool_domain` if not provided | string | `` | no |
 | authentication_oidc_authorization_endpoint | OIDC Authorization Endpoint | string | `` | no |
 | authentication_oidc_client_id | OIDC Client ID | string | `` | no |
+| authentication_oidc_client_id_ssm_name | SSM param name to lookup `authentication_oidc_client_id` if not provided | string | `` | no |
 | authentication_oidc_client_secret | OIDC Client Secret | string | `` | no |
+| authentication_oidc_client_secret_ssm_name | SSM param name to lookup `authentication_oidc_client_secret` if not provided | string | `` | no |
 | authentication_oidc_issuer | OIDC Issuer | string | `` | no |
 | authentication_oidc_token_endpoint | OIDC Token Endpoint | string | `` | no |
 | authentication_oidc_user_info_endpoint | OIDC User Info Endpoint | string | `` | no |

examples/with_cognito_authentication/main.tf

@@ -17,7 +17,7 @@ locals {
 }
 
 module "subnets" {
-  source              = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.3.6"
+  source              = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.8.0"
   availability_zones  = "${local.availability_zones}"
   namespace           = "${var.namespace}"
   stage               = "${var.stage}"

examples/with_google_oidc_authentication/main.tf

@@ -17,7 +17,7 @@ locals {
 }
 
 module "subnets" {
-  source              = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.3.6"
+  source              = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.8.0"
   availability_zones  = "${local.availability_zones}"
   namespace           = "${var.namespace}"
   stage               = "${var.stage}"

examples/without_authentication/main.tf

@@ -17,7 +17,7 @@ locals {
 }
 
 module "subnets" {
-  source              = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.3.6"
+  source              = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=tags/0.8.0"
   availability_zones  = "${local.availability_zones}"
   namespace           = "${var.namespace}"
   stage               = "${var.stage}"

main.tf

@@ -144,11 +144,11 @@ module "web_app" {
   alb_ingress_authenticated_listener_arns_count   = "${var.alb_ingress_authenticated_listener_arns_count}"
 
   authentication_type                        = "${var.authentication_type}"
-  authentication_cognito_user_pool_arn       = "${var.authentication_cognito_user_pool_arn}"
-  authentication_cognito_user_pool_client_id = "${var.authentication_cognito_user_pool_client_id}"
-  authentication_cognito_user_pool_domain    = "${var.authentication_cognito_user_pool_domain}"
-  authentication_oidc_client_id              = "${var.authentication_oidc_client_id}"
-  authentication_oidc_client_secret          = "${var.authentication_oidc_client_secret}"
+  authentication_cognito_user_pool_arn       = "${local.authentication_cognito_user_pool_arn}"
+  authentication_cognito_user_pool_client_id = "${local.authentication_cognito_user_pool_client_id}"
+  authentication_cognito_user_pool_domain    = "${local.authentication_cognito_user_pool_domain}"
+  authentication_oidc_client_id              = "${local.authentication_oidc_client_id}"
+  authentication_oidc_client_secret          = "${local.authentication_oidc_client_secret}"
   authentication_oidc_issuer                 = "${var.authentication_oidc_issuer}"
   authentication_oidc_authorization_endpoint = "${var.authentication_oidc_authorization_endpoint}"
   authentication_oidc_token_endpoint         = "${var.authentication_oidc_token_endpoint}"
@@ -336,3 +336,95 @@ resource "aws_iam_role_policy_attachment" "default" {
     create_before_destroy = true
   }
 }
+
+locals {
+  authentication_cognito_user_pool_arn          = "${length(join("", data.aws_ssm_parameter.atlantis_cognito_user_pool_arn.*.value)) > 0 ? join("", data.aws_ssm_parameter.atlantis_cognito_user_pool_arn.*.value) : var.authentication_cognito_user_pool_arn}"
+  authentication_cognito_user_pool_arn_ssm_name = "${length(var.authentication_cognito_user_pool_arn_ssm_name) > 0 ? var.authentication_cognito_user_pool_arn_ssm_name : format(var.chamber_format, var.chamber_service, "atlantis_cognito_user_pool_arn")}"
+
+  authentication_cognito_user_pool_client_id          = "${length(join("", data.aws_ssm_parameter.atlantis_cognito_user_pool_client_id.*.value)) > 0 ? join("", data.aws_ssm_parameter.atlantis_cognito_user_pool_client_id.*.value) : var.authentication_cognito_user_pool_client_id}"
+  authentication_cognito_user_pool_client_id_ssm_name = "${length(var.authentication_cognito_user_pool_client_id_ssm_name) > 0 ? var.authentication_cognito_user_pool_client_id_ssm_name : format(var.chamber_format, var.chamber_service, "atlantis_cognito_user_pool_client_id")}"
+
+  authentication_cognito_user_pool_domain          = "${length(join("", data.aws_ssm_parameter.atlantis_cognito_user_pool_domain.*.value)) > 0 ? join("", data.aws_ssm_parameter.atlantis_cognito_user_pool_domain.*.value) : var.authentication_cognito_user_pool_domain}"
+  authentication_cognito_user_pool_domain_ssm_name = "${length(var.authentication_cognito_user_pool_domain_ssm_name) > 0 ? var.authentication_cognito_user_pool_domain_ssm_name : format(var.chamber_format, var.chamber_service, "atlantis_cognito_user_pool_domain")}"
+
+  authentication_oidc_client_id          = "${length(join("", data.aws_ssm_parameter.atlantis_oidc_client_id.*.value)) > 0 ? join("", data.aws_ssm_parameter.atlantis_oidc_client_id.*.value) : var.authentication_oidc_client_id}"
+  authentication_oidc_client_id_ssm_name = "${length(var.authentication_oidc_client_id_ssm_name) > 0 ? var.authentication_oidc_client_id_ssm_name : format(var.chamber_format, var.chamber_service, "atlantis_oidc_client_id")}"
+
+  authentication_oidc_client_secret          = "${length(join("", data.aws_ssm_parameter.atlantis_oidc_client_secret.*.value)) > 0 ? join("", data.aws_ssm_parameter.atlantis_oidc_client_secret.*.value) : var.authentication_oidc_client_secret}"
+  authentication_oidc_client_secret_ssm_name = "${length(var.authentication_oidc_client_secret_ssm_name) > 0 ? var.authentication_oidc_client_secret_ssm_name : format(var.chamber_format, var.chamber_service, "atlantis_oidc_client_secret")}"
+}
+
+data "aws_ssm_parameter" "atlantis_cognito_user_pool_arn" {
+  count = "${local.enabled && var.authentication_type == "COGNITO" && length(var.authentication_cognito_user_pool_arn) == 0 ? 1 : 0}"
+  name  = "${local.authentication_cognito_user_pool_arn_ssm_name}"
+}
+
+data "aws_ssm_parameter" "atlantis_cognito_user_pool_client_id" {
+  count = "${local.enabled && var.authentication_type == "COGNITO" && length(var.authentication_cognito_user_pool_client_id) == 0 ? 1 : 0}"
+  name  = "${local.authentication_cognito_user_pool_client_id_ssm_name}"
+}
+
+data "aws_ssm_parameter" "atlantis_cognito_user_pool_domain" {
+  count = "${local.enabled && var.authentication_type == "COGNITO" && length(var.authentication_cognito_user_pool_domain) == 0 ? 1 : 0}"
+  name  = "${local.authentication_cognito_user_pool_domain_ssm_name}"
+}
+
+data "aws_ssm_parameter" "atlantis_oidc_client_id" {
+  count = "${local.enabled && var.authentication_type == "OIDC" && length(var.authentication_oidc_client_id) == 0 ? 1 : 0}"
+  name  = "${local.authentication_oidc_client_id_ssm_name}"
+}
+
+data "aws_ssm_parameter" "atlantis_oidc_client_secret" {
+  count = "${local.enabled && var.authentication_type == "OIDC" && length(var.authentication_oidc_client_secret) == 0 ? 1 : 0}"
+  name  = "${local.authentication_oidc_client_secret_ssm_name}"
+}
+
+resource "aws_ssm_parameter" "atlantis_cognito_user_pool_arn" {
+  count       = "${local.enabled && var.authentication_type == "COGNITO" ? 1 : 0}"
+  overwrite   = "${var.overwrite_ssm_parameter}"
+  type        = "SecureString"
+  description = "Atlantis Cognito User Pool ARN"
+  key_id      = "${local.kms_key_id}"
+  name        = "${local.authentication_cognito_user_pool_arn_ssm_name}"
+  value       = "${local.authentication_cognito_user_pool_arn}"
+}
+
+resource "aws_ssm_parameter" "atlantis_cognito_user_pool_client_id" {
+  count       = "${local.enabled && var.authentication_type == "COGNITO" ? 1 : 0}"
+  overwrite   = "${var.overwrite_ssm_parameter}"
+  type        = "SecureString"
+  description = "Atlantis Cognito User Pool Client ID"
+  key_id      = "${local.kms_key_id}"
+  name        = "${local.authentication_cognito_user_pool_client_id_ssm_name}"
+  value       = "${local.authentication_cognito_user_pool_client_id}"
+}
+
+resource "aws_ssm_parameter" "atlantis_cognito_user_pool_domain" {
+  count       = "${local.enabled && var.authentication_type == "COGNITO" ? 1 : 0}"
+  overwrite   = "${var.overwrite_ssm_parameter}"
+  type        = "SecureString"
+  description = "Atlantis Cognito User Pool Domain"
+  key_id      = "${local.kms_key_id}"
+  name        = "${local.authentication_cognito_user_pool_domain_ssm_name}"
+  value       = "${local.authentication_cognito_user_pool_domain}"
+}
+
+resource "aws_ssm_parameter" "atlantis_oidc_client_id" {
+  count       = "${local.enabled && var.authentication_type == "OIDC" ? 1 : 0}"
+  overwrite   = "${var.overwrite_ssm_parameter}"
+  type        = "SecureString"
+  description = "Atlantis OIDC Client ID"
+  key_id      = "${local.kms_key_id}"
+  name        = "${local.authentication_oidc_client_id_ssm_name}"
+  value       = "${local.authentication_oidc_client_id}"
+}
+
+resource "aws_ssm_parameter" "atlantis_oidc_client_secret" {
+  count       = "${local.enabled && var.authentication_type == "OIDC" ? 1 : 0}"
+  overwrite   = "${var.overwrite_ssm_parameter}"
+  type        = "SecureString"
+  description = "Atlantis OIDC Client Secret"
+  key_id      = "${local.kms_key_id}"
+  name        = "${local.authentication_oidc_client_secret_ssm_name}"
+  value       = "${local.authentication_oidc_client_secret}"
+}

variables.tf

@@ -437,3 +437,33 @@ variable "authentication_oidc_user_info_endpoint" {
   description = "OIDC User Info Endpoint"
   default     = ""
 }
+
+variable "authentication_cognito_user_pool_arn_ssm_name" {
+  type        = "string"
+  description = "SSM param name to lookup `authentication_cognito_user_pool_arn` if not provided"
+  default     = ""
+}
+
+variable "authentication_cognito_user_pool_client_id_ssm_name" {
+  type        = "string"
+  description = "SSM param name to lookup `authentication_cognito_user_pool_client_id` if not provided"
+  default     = ""
+}
+
+variable "authentication_cognito_user_pool_domain_ssm_name" {
+  type        = "string"
+  description = "SSM param name to lookup `authentication_cognito_user_pool_domain` if not provided"
+  default     = ""
+}
+
+variable "authentication_oidc_client_id_ssm_name" {
+  type        = "string"
+  description = "SSM param name to lookup `authentication_oidc_client_id` if not provided"
+  default     = ""
+}
+
+variable "authentication_oidc_client_secret_ssm_name" {
+  type        = "string"
+  description = "SSM param name to lookup `authentication_oidc_client_secret` if not provided"
+  default     = ""
+}