
Configure passage API key in AWS environments #59

Merged: 5 commits, Jan 5, 2024

Conversation

TylerHendrickson (Member)

This PR makes it possible for the GraphQL Lambda function to retrieve the Passage API key from AWS Secrets Manager.

Note that the API key itself is not set on Lambda environment variables (which prevents the secret from being stored at rest outside of Secrets Manager). Instead, the Lambda environment variable is configured with a new $PASSAGE_API_KEY_SECRET_ARN variable, which provides the fully-formed ARN for the Secrets Manager secret resource.

At runtime, the Lambda function must use the $PASSAGE_API_KEY_SECRET_ARN environment variable to retrieve the actual, decrypted secret value from Secrets Manager. A (non-exported) helper function, getPassageAPIKey(), has been added to the api/src/lib/auth.ts module to facilitate this process. Once retrieved from Secrets Manager, the decrypted secret is stored in-memory on process.env.PASSAGE_API_KEY, which helps avoid unnecessary subsequent calls to the Secrets Manager API (this behavior can be overridden when calling the function).

For consistency, code (which is yet to be implemented) that makes calls to the Passage API should use the getPassageAPIKey() function exclusively to retrieve the API key each time it is required.

* @returns The Passage API key
*/
// eslint-disable-next-line @typescript-eslint/no-unused-vars
async function getPassageAPIKey(setEnv = true, force = false): Promise<string> {

Check notice (Code scanning / CodeQL): Unused variable, import, function or class (Note): Unused function getPassageAPIKey.
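The following is an added example, not code from the cpf-reporter project: a dependency-injected model of the getPassageAPIKey(setEnv, force) helper the PR describes. The real helper in api/src/lib/auth.ts calls Secrets Manager through the AWS SDK; here that call is an injected fetchSecret function and a plain env object stands in for process.env, so the ARN check, the in-memory cache and the force-refresh path (which is what picks up a rotated secret) can be exercised offline. The ARN and key values in demo() are constructed.

```typescript
// Added example (not the project's own code). `Env` stands in for process.env and
// `SecretFetcher` for the Secrets Manager GetSecretValue call made by the real helper.
type Env = Record<string, string | undefined>;
type SecretFetcher = (secretArn: string) => Promise<string | undefined>;

// Shape of a Secrets Manager secret ARN:
//   arn:aws:secretsmanager:<region>:<12-digit account id>:secret:<name>-<suffix>
const SECRETS_MANAGER_ARN = /^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:\S+$/;

export function isSecretsManagerArn(value: string | undefined): value is string {
  return typeof value === 'string' && SECRETS_MANAGER_ARN.test(value);
}

export async function getPassageAPIKey(
  env: Env,
  fetchSecret: SecretFetcher,
  setEnv = true,
  force = false,
): Promise<string> {
  // Warm path: an earlier call in this execution environment already cached the
  // decrypted value in memory and the caller did not ask for a refresh.
  if (!force && env.PASSAGE_API_KEY) {
    return env.PASSAGE_API_KEY;
  }
  // Only the ARN is configured on the function. Fail loudly on a missing or
  // malformed value rather than sending an empty key to the Passage API.
  const secretArn = env.PASSAGE_API_KEY_SECRET_ARN;
  if (!isSecretsManagerArn(secretArn)) {
    throw new Error('PASSAGE_API_KEY_SECRET_ARN is unset or is not a Secrets Manager secret ARN');
  }
  const value = await fetchSecret(secretArn);
  if (!value) {
    throw new Error(`Secrets Manager returned no string value for ${secretArn}`);
  }
  if (setEnv) {
    // Cached in process memory only; never written back to the function configuration.
    env.PASSAGE_API_KEY = value;
  }
  return value;
}

// Constructed scenario: a fake Secrets Manager whose stored value rotates once
// between calls, to show what the cache hides and what force=true recovers.
export async function demo(): Promise<{ fetchCalls: number; first: string; cached: string; rotated: string }> {
  const arn = 'arn:aws:secretsmanager:us-west-2:000000000000:secret:example-passage_api_key-AbCdEf'; // constructed
  const store = new Map<string, string>([[arn, 'key-v1']]);
  let fetchCalls = 0;
  const fetchSecret: SecretFetcher = async (requested) => {
    fetchCalls += 1;
    return store.get(requested);
  };
  const env: Env = { PASSAGE_API_KEY_SECRET_ARN: arn };

  const first = await getPassageAPIKey(env, fetchSecret); // first call: one GetSecretValue
  store.set(arn, 'key-v2');                               // secret rotated out of band
  const cached = await getPassageAPIKey(env, fetchSecret); // served from the cache: still key-v1
  const rotated = await getPassageAPIKey(env, fetchSecret, true, true); // force=true refreshes
  return { fetchCalls, first, cached, rotated };
}
```

Because the cached value lives on process.env for the life of the execution environment, callers that must observe a rotation need force=true (or a cold start); the IAM statement the plan adds (secretsmanager:GetSecretValue on that one secret ARN) is all the function needs for this path.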

github-actions bot commented Dec 22, 2023

QA Summary

QA Check Result
🌐 Web Tests
🔗 API Tests
📏 ESLint
🧹 TFLint

Test Coverage

Coverage report for api suite
Coverage report for web suite

Pusher: @as1729, Action: pull_request_target, Workflow: Continuous Integration


github-actions bot commented Dec 22, 2023

Terraform Summary

Step Result
🖌 Terraform Format & Style
⚙️ Terraform Initialization
🤖 Terraform Validation
📖 Terraform Plan

Hint: If "Terraform Format & Style" failed, run terraform fmt -recursive from the terraform/ directory and commit the results.

Output

Validation Output
Success! The configuration is valid.


Plan Output
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+   create
  ~ update in-place
-   destroy
-/+ destroy and then create replacement
+/- create replacement and then destroy

Terraform will perform the following actions:

  # aws_ecs_service.console will be updated in-place
  ~ resource "aws_ecs_service" "console" {
        id                                 = "arn:aws:ecs:us-west-2:357150818708:service/cpfreporter/cpfreporter-console"
        name                               = "cpfreporter-console"
        tags                               = {}
      ~ task_definition                    = "arn:aws:ecs:us-west-2:357150818708:task-definition/cpfreporter-console:28" -> (known after apply)
        # (15 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # aws_ecs_task_definition.console must be replaced
+/- resource "aws_ecs_task_definition" "console" {
      ~ arn                      = "arn:aws:ecs:us-west-2:357150818708:task-definition/cpfreporter-console:28" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-west-2:357150818708:task-definition/cpfreporter-console" -> (known after apply)
      ~ container_definitions    = (sensitive value) # forces replacement
      ~ id                       = "cpfreporter-console" -> (known after apply)
      ~ revision                 = 28 -> (known after apply)
-       tags                     = {} -> null
        # (9 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # aws_s3_object.lambda_artifact-graphql must be replaced
+/- resource "aws_s3_object" "lambda_artifact-graphql" {
+       acl                    = (known after apply)
      ~ bucket_key_enabled     = false -> (known after apply)
+       checksum_crc32         = (known after apply)
+       checksum_crc32c        = (known after apply)
+       checksum_sha1          = (known after apply)
+       checksum_sha256        = (known after apply)
      ~ content_type           = "binary/octet-stream" -> (known after apply)
      ~ etag                   = "00bc4cd9ef7d908e382f47c1206f76c4-6" -> "45eb4767c5e5cc35d83bf7be121ad858"
      ~ id                     = "graphql.dc448572876ddfd7912a8c6203fa928e.zip" -> (known after apply)
      ~ key                    = "graphql.dc448572876ddfd7912a8c6203fa928e.zip" -> "graphql.45eb4767c5e5cc35d83bf7be121ad858.zip" # forces replacement
+       kms_key_id             = (known after apply)
-       metadata               = {} -> null
      ~ source_hash            = "dc448572876ddfd7912a8c6203fa928e" -> "45eb4767c5e5cc35d83bf7be121ad858"
      ~ storage_class          = "STANDARD" -> (known after apply)
-       tags                   = {} -> null
      ~ version_id             = "kRFOyn2lYbGtGsioN3ubia1kcjtBpgO_" -> (known after apply)
        # (5 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["200.html"] will be updated in-place
  ~ resource "aws_s3_object" "origin_dist_artifact" {
      ~ etag                   = "e37801febff6ad3d930f6ebe8dd62804" -> "7e7f571e4c6a7931e2d5da673c05f9f3"
        id                     = "dist/200.html"
      ~ source_hash            = "e37801febff6ad3d930f6ebe8dd62804" -> "7e7f571e4c6a7931e2d5da673c05f9f3"
        tags                   = {}
      ~ version_id             = "8TrWxlugsh5FJJleNGo6UZ4gvcnPPAOB" -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["build-manifest.json"] will be updated in-place
  ~ resource "aws_s3_object" "origin_dist_artifact" {
      ~ etag                   = "f0c5fbf0b1d6dbbdf541b5137681ac52" -> "e4d3471f6d043d511dfaaa9616004e13"
        id                     = "dist/build-manifest.json"
      ~ source_hash            = "f0c5fbf0b1d6dbbdf541b5137681ac52" -> "e4d3471f6d043d511dfaaa9616004e13"
        tags                   = {}
      ~ version_id             = "dwhPXUMbjWQyjCAsnyD0KVxgXIh5tjTS" -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["chunk-references.json"] will be updated in-place
  ~ resource "aws_s3_object" "origin_dist_artifact" {
      ~ etag                   = "b10d1e9a629d8fd6e87e78d794bb7d87" -> "a7ce3fa7a3571a9515987b7809f0cabe"
        id                     = "dist/chunk-references.json"
      ~ source_hash            = "b10d1e9a629d8fd6e87e78d794bb7d87" -> "a7ce3fa7a3571a9515987b7809f0cabe"
        tags                   = {}
      ~ version_id             = "m1GGhAorvdJ_ojDKUpsSTPocfIAPcK.y" -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["index.html"] will be updated in-place
  ~ resource "aws_s3_object" "origin_dist_artifact" {
      ~ etag                   = "e37801febff6ad3d930f6ebe8dd62804" -> "7e7f571e4c6a7931e2d5da673c05f9f3"
        id                     = "dist/index.html"
      ~ source_hash            = "e37801febff6ad3d930f6ebe8dd62804" -> "7e7f571e4c6a7931e2d5da673c05f9f3"
        tags                   = {}
      ~ version_id             = "BtISBWVojU7qcuHt0Lu.7L5HS4oWZPNG" -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["static/js/app.728f4d3a.js"] will be created
+   resource "aws_s3_object" "origin_dist_artifact" {
+       acl                    = (known after apply)
+       bucket                 = "cpfreporter-origin-357150818708-us-west-2"
+       bucket_key_enabled     = (known after apply)
+       checksum_crc32         = (known after apply)
+       checksum_crc32c        = (known after apply)
+       checksum_sha1          = (known after apply)
+       checksum_sha256        = (known after apply)
+       content_type           = "text/javascript"
+       etag                   = "99bc61ce7a73291005d7a167d60e6eaf"
+       force_destroy          = false
+       id                     = (known after apply)
+       key                    = "dist/static/js/app.728f4d3a.js"
+       kms_key_id             = (known after apply)
+       server_side_encryption = "AES256"
+       source                 = "/home/runner/work/cpf-reporter/cpf-reporter/web/dist/static/js/app.728f4d3a.js"
+       source_hash            = "99bc61ce7a73291005d7a167d60e6eaf"
+       storage_class          = (known after apply)
+       tags_all               = {
+           "env"        = "staging"
+           "management" = "terraform"
+           "owner"      = "grants"
+           "repo"       = "cpf-reporter"
+           "service"    = "cpf-reporter"
+           "usage"      = "workload"
        }
+       version_id             = (known after apply)
    }

  # aws_s3_object.origin_dist_artifact["static/js/app.728f4d3a.js.LICENSE.txt"] will be created
+   resource "aws_s3_object" "origin_dist_artifact" {
+       acl                    = (known after apply)
+       bucket                 = "cpfreporter-origin-357150818708-us-west-2"
+       bucket_key_enabled     = (known after apply)
+       checksum_crc32         = (known after apply)
+       checksum_crc32c        = (known after apply)
+       checksum_sha1          = (known after apply)
+       checksum_sha256        = (known after apply)
+       content_type           = "text/plain"
+       etag                   = "22534f5b586cb736e9cdf4c0742c3fd1"
+       force_destroy          = false
+       id                     = (known after apply)
+       key                    = "dist/static/js/app.728f4d3a.js.LICENSE.txt"
+       kms_key_id             = (known after apply)
+       server_side_encryption = "AES256"
+       source                 = "/home/runner/work/cpf-reporter/cpf-reporter/web/dist/static/js/app.728f4d3a.js.LICENSE.txt"
+       source_hash            = "22534f5b586cb736e9cdf4c0742c3fd1"
+       storage_class          = (known after apply)
+       tags_all               = {
+           "env"        = "staging"
+           "management" = "terraform"
+           "owner"      = "grants"
+           "repo"       = "cpf-reporter"
+           "service"    = "cpf-reporter"
+           "usage"      = "workload"
        }
+       version_id             = (known after apply)
    }

  # aws_s3_object.origin_dist_artifact["static/js/app.fdba7016.js"] will be destroyed
  # (because key ["static/js/app.fdba7016.js"] is not in for_each map)
-   resource "aws_s3_object" "origin_dist_artifact" {
-       bucket                 = "cpfreporter-origin-357150818708-us-west-2" -> null
-       bucket_key_enabled     = false -> null
-       content_type           = "text/javascript" -> null
-       etag                   = "476daa83a2b42ce799e6fd89715ddf55" -> null
-       force_destroy          = false -> null
-       id                     = "dist/static/js/app.fdba7016.js" -> null
-       key                    = "dist/static/js/app.fdba7016.js" -> null
-       metadata               = {} -> null
-       server_side_encryption = "AES256" -> null
-       source                 = "/home/runner/work/cpf-reporter/cpf-reporter/web/dist/static/js/app.fdba7016.js" -> null
-       source_hash            = "476daa83a2b42ce799e6fd89715ddf55" -> null
-       storage_class          = "STANDARD" -> null
-       tags                   = {} -> null
-       tags_all               = {
-           "env"        = "staging"
-           "management" = "terraform"
-           "owner"      = "grants"
-           "repo"       = "cpf-reporter"
-           "service"    = "cpf-reporter"
-           "usage"      = "workload"
        } -> null
-       version_id             = "LtJjB_KzjUDcc5B18QTyNAwvQr0W0M.Q" -> null
    }

  # aws_s3_object.origin_dist_artifact["static/js/app.fdba7016.js.LICENSE.txt"] will be destroyed
  # (because key ["static/js/app.fdba7016.js.LICENSE.txt"] is not in for_each map)
-   resource "aws_s3_object" "origin_dist_artifact" {
-       bucket                 = "cpfreporter-origin-357150818708-us-west-2" -> null
-       bucket_key_enabled     = false -> null
-       content_type           = "text/plain" -> null
-       etag                   = "22534f5b586cb736e9cdf4c0742c3fd1" -> null
-       force_destroy          = false -> null
-       id                     = "dist/static/js/app.fdba7016.js.LICENSE.txt" -> null
-       key                    = "dist/static/js/app.fdba7016.js.LICENSE.txt" -> null
-       metadata               = {} -> null
-       server_side_encryption = "AES256" -> null
-       source                 = "/home/runner/work/cpf-reporter/cpf-reporter/web/dist/static/js/app.fdba7016.js.LICENSE.txt" -> null
-       source_hash            = "22534f5b586cb736e9cdf4c0742c3fd1" -> null
-       storage_class          = "STANDARD" -> null
-       tags                   = {} -> null
-       tags_all               = {
-           "env"        = "staging"
-           "management" = "terraform"
-           "owner"      = "grants"
-           "repo"       = "cpf-reporter"
-           "service"    = "cpf-reporter"
-           "usage"      = "workload"
        } -> null
-       version_id             = "5XUag3vsyX1Sr3Ff1zXXNM74rry9BAbh" -> null
    }

  # module.lambda_function-graphql.aws_iam_policy.additional_inline[0] will be updated in-place
  ~ resource "aws_iam_policy" "additional_inline" {
        id        = "arn:aws:iam::357150818708:policy/cpfreporter-graphql-inline"
        name      = "cpfreporter-graphql-inline"
      ~ policy    = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action   = "kms:Decrypt"
                        Effect   = "Allow"
                        Resource = "arn:aws:kms:us-west-2:357150818708:key/df1661b4-62e5-4668-8e39-f872c9acfceb"
                        Sid      = "DecryptPostgresSecret"
                    },
+                   {
+                       Action   = "secretsmanager:GetSecretValue"
+                       Effect   = "Allow"
+                       Resource = "arn:aws:secretsmanager:us-west-2:357150818708:secret:cpfreporter-passage_api_key-JCnrb7"
+                       Sid      = "GetPassageAPIKeySecretValue"
                    },
                    {
                        Action   = [
                            "ssm:GetParameters",
                            "ssm:GetParameter",
                        ]
                        Effect   = "Allow"
                        Resource = "arn:aws:ssm:us-west-2:357150818708:parameter/cpfreporter/postgres/master_password"
                        Sid      = "GetPostgresSecret"
                    },
                    # (1 unchanged element hidden)
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags      = {}
        # (4 unchanged attributes hidden)
    }

  # module.lambda_function-graphql.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "cpfreporter-graphql"
      ~ last_modified                  = "2024-01-05T22:50:22.000+0000" -> (known after apply)
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:cpfreporter-graphql:44" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:cpfreporter-graphql:44/invocations" -> (known after apply)
      ~ s3_key                         = "graphql.dc448572876ddfd7912a8c6203fa928e.zip" -> "graphql.45eb4767c5e5cc35d83bf7be121ad858.zip"
        tags                           = {}
      ~ version                        = "44" -> (known after apply)
        # (19 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_COMMIT_SHA"                      = "44445ed1ab0e11077995cc6a83b26ecd199d5096" -> "17039ba0d4853b08973fde1d8a35c90fb433283c"
              ~ "DD_TAGS"                            = "git.commit.sha:44445ed1ab0e11077995cc6a83b26ecd199d5096,git.repository_url:github.com/usdigitalresponse/cpf-reporter" -> "git.commit.sha:17039ba0d4853b08973fde1d8a35c90fb433283c,git.repository_url:github.com/usdigitalresponse/cpf-reporter"
              ~ "DD_VERSION"                         = "44445ed1ab0e11077995cc6a83b26ecd199d5096" -> "17039ba0d4853b08973fde1d8a35c90fb433283c"
+               "PASSAGE_API_KEY_SECRET_ARN"         = (sensitive value)
                # (15 unchanged elements hidden)
            }
        }

        # (4 unchanged blocks hidden)
    }

  # module.lambda_function-graphql.aws_lambda_permission.current_version_triggers["APIGateway"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "APIGateway" -> (known after apply)
      ~ qualifier           = "44" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (5 unchanged attributes hidden)
    }

Plan: 5 to add, 7 to change, 5 to destroy.

Pusher: @as1729, Action: pull_request_target, Workflow: Continuous Integration

@TylerHendrickson TylerHendrickson merged commit 194bed8 into main Jan 5, 2024
19 checks passed
@TylerHendrickson TylerHendrickson deleted the feat/configure-passage-api-key branch January 5, 2024 23:12