From 3863aa1767a079551d5ba4d7c0632ab53ddc5abe Mon Sep 17 00:00:00 2001
From: Ronaldo Macapobre
Date: Fri, 7 Feb 2025 22:25:13 +0000
Subject: [PATCH] - Simplify lambda functions to a single proxy that handles all requests routed to BC Gov API - Enable VPC settings for lambda functions - Added DARS secrets
---
 .../cloud/environments/dev/webapp.tf | 28 +---
 .../cloud/environments/prod/main.tf | 28 +---
 .../cloud/environments/test/main.tf | 28 +---
 .../cloud/modules/APIGateway/main.tf | 128 ++----------------
 .../cloud/modules/ECS/TaskDefinition/main.tf | 11 +-
 infrastructure/cloud/modules/IAM/main.tf | 19 ++-
 infrastructure/cloud/modules/IAM/variables.tf | 5 +
 infrastructure/cloud/modules/Lambda/main.tf | 61 ++++++--
 .../cloud/modules/Lambda/variables.tf | 54 +++++---
 .../cloud/modules/SecretsManager/main.tf | 14 ++
 .../cloud/modules/SecretsManager/output.tf | 29 ++--
 11 files changed, 161 insertions(+), 244 deletions(-)
diff --git a/infrastructure/cloud/environments/dev/webapp.tf b/infrastructure/cloud/environments/dev/webapp.tf
index de1689df..55064919 100644
--- a/infrastructure/cloud/environments/dev/webapp.tf
+++ b/infrastructure/cloud/environments/dev/webapp.tf
@@ -76,6 +76,7 @@ module "iam" {
 account_id = data.aws_caller_identity.current.account_id
 kms_key_id = module.initial.kms_key_arn
 region = var.region
+ vpc_id = data.aws_vpc.vpc.id
 }
 # Parse Subnets
@@ -129,28 +130,11 @@ module "lambda" {
 lambda_role_arn = module.iam.lambda_role_arn
 apigw_execution_arn = module.apigw.apigw_execution_arn
 lambda_ecr_repo_url = module.initial.lambda_ecr.ecr_repo_url
- mtls_secret_name = module.secrets_manager.mtls_secret_name
 lambda_memory_size = var.lambda_memory_size
- functions = {
- "authorizer" = {
- http_method = "*"
- resource_path = ""
- env_variables = {
- VERIFY_SECRET_NAME = module.secrets_manager.api_authorizer_secret.name
- }
- },
- "rotate-key" = {
- http_method = "POST"
- resource_path = "/*"
- statement_id_prefix = "AllowSecretsManagerInvoke"
- source_arn = module.secrets_manager.api_authorizer_secret.arn
- principal = "secretsmanager.amazonaws.com"
- env_variables = {
- VERIFY_SECRET_NAME = module.secrets_manager.api_authorizer_secret.name
- CLUSTER_NAME = module.ecs_cluster.ecs_cluster.name
- }
- }
- }
+ subnet_ids = module.subnets.all_subnet_ids
+ sg_ids = [data.aws_security_group.web_sg.id, data.aws_security_group.data_sg.id, data.aws_security_group.app_sg.id]
+ lambda_secrets = module.secrets_manager.lambda_secrets
+ ecs_cluster_name = module.ecs_cluster.ecs_cluster.name
 }
 # Create Cloudwatch LogGroups
@@ -234,7 +218,7 @@ module "ecs_api_td" {
 },
 {
 name = "AWS_API_GATEWAY_URL"
- value = module.apigw.apigw_invoke_url
+ value = "${module.apigw.apigw_invoke_url}${var.environment}"
 }
 ]
 secret_env_variables = module.secrets_manager.api_secrets
diff --git a/infrastructure/cloud/environments/prod/main.tf b/infrastructure/cloud/environments/prod/main.tf
index de1689df..55064919 100644
--- a/infrastructure/cloud/environments/prod/main.tf
+++ b/infrastructure/cloud/environments/prod/main.tf
@@ -76,6 +76,7 @@ module "iam" {
 account_id = data.aws_caller_identity.current.account_id
 kms_key_id = module.initial.kms_key_arn
 region = var.region
+ vpc_id = data.aws_vpc.vpc.id
 }
 # Parse Subnets
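Review bot: `sg_ids = [data.aws_security_group.web_sg.id, data.aws_security_group.data_sg.id, data.aws_security_group.app_sg.id]` attaches all three tier security groups to the Lambda ENIs, so every VPC-attached function receives the union of the web, data and app rules rather than the egress the proxy actually needs. A dedicated Lambda security group (constructed example: `sg_ids = [aws_security_group.lambda_sg.id]`) carrying only the required outbound rules, and referenced as the source in the data/app groups' inbound rules, keeps the tiers separated. The same lines are repeated in prod/main.tf and test/main.tf (the next two files), so whichever fix is chosen applies to all three. Whether `module.subnets.all_subnet_ids` includes public subnets is not visible here; if it does, the list should be narrowed to the private ones, since functions placed in public subnets have no outbound internet path.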
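Review bot: `value = "${module.apigw.apigw_invoke_url}${var.environment}"` joins the two parts with no separator, so it is only a valid URL if `apigw_invoke_url` (an output of the APIGateway module, not in this diff) ends in `/`; if that output is a stage `invoke_url` it already carries the stage name and ends without a slash. Making the join explicit removes the dependency on that detail: `value = "${trimsuffix(module.apigw.apigw_invoke_url, "/")}/${var.environment}"`. The same line appears in prod/main.tf and test/main.tf.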
@@ -129,28 +130,11 @@ module "lambda" {
 lambda_role_arn = module.iam.lambda_role_arn
 apigw_execution_arn = module.apigw.apigw_execution_arn
 lambda_ecr_repo_url = module.initial.lambda_ecr.ecr_repo_url
- mtls_secret_name = module.secrets_manager.mtls_secret_name
 lambda_memory_size = var.lambda_memory_size
- functions = {
- "authorizer" = {
- http_method = "*"
- resource_path = ""
- env_variables = {
- VERIFY_SECRET_NAME = module.secrets_manager.api_authorizer_secret.name
- }
- },
- "rotate-key" = {
- http_method = "POST"
- resource_path = "/*"
- statement_id_prefix = "AllowSecretsManagerInvoke"
- source_arn = module.secrets_manager.api_authorizer_secret.arn
- principal = "secretsmanager.amazonaws.com"
- env_variables = {
- VERIFY_SECRET_NAME = module.secrets_manager.api_authorizer_secret.name
- CLUSTER_NAME = module.ecs_cluster.ecs_cluster.name
- }
- }
- }
+ subnet_ids = module.subnets.all_subnet_ids
+ sg_ids = [data.aws_security_group.web_sg.id, data.aws_security_group.data_sg.id, data.aws_security_group.app_sg.id]
+ lambda_secrets = module.secrets_manager.lambda_secrets
+ ecs_cluster_name = module.ecs_cluster.ecs_cluster.name
 }
 # Create Cloudwatch LogGroups
@@ -234,7 +218,7 @@ module "ecs_api_td" {
 },
 {
 name = "AWS_API_GATEWAY_URL"
- value = module.apigw.apigw_invoke_url
+ value = "${module.apigw.apigw_invoke_url}${var.environment}"
 }
 ]
 secret_env_variables = module.secrets_manager.api_secrets
diff --git a/infrastructure/cloud/environments/test/main.tf b/infrastructure/cloud/environments/test/main.tf
index de1689df..55064919 100644
--- a/infrastructure/cloud/environments/test/main.tf
+++ b/infrastructure/cloud/environments/test/main.tf
@@ -76,6 +76,7 @@ module "iam" {
 account_id = data.aws_caller_identity.current.account_id
 kms_key_id = module.initial.kms_key_arn
 region = var.region
+ vpc_id = data.aws_vpc.vpc.id
 }
 # Parse Subnets
@@ -129,28 +130,11 @@ module "lambda" {
 lambda_role_arn = module.iam.lambda_role_arn
 apigw_execution_arn = module.apigw.apigw_execution_arn
 lambda_ecr_repo_url = module.initial.lambda_ecr.ecr_repo_url
- mtls_secret_name = module.secrets_manager.mtls_secret_name
 lambda_memory_size = var.lambda_memory_size
- functions = {
- "authorizer" = {
- http_method = "*"
- resource_path = ""
- env_variables = {
- VERIFY_SECRET_NAME = module.secrets_manager.api_authorizer_secret.name
- }
- },
- "rotate-key" = {
- http_method = "POST"
- resource_path = "/*"
- statement_id_prefix = "AllowSecretsManagerInvoke"
- source_arn = module.secrets_manager.api_authorizer_secret.arn
- principal = "secretsmanager.amazonaws.com"
- env_variables = {
- VERIFY_SECRET_NAME = module.secrets_manager.api_authorizer_secret.name
- CLUSTER_NAME = module.ecs_cluster.ecs_cluster.name
- }
- }
- }
+ subnet_ids = module.subnets.all_subnet_ids
+ sg_ids = [data.aws_security_group.web_sg.id, data.aws_security_group.data_sg.id, data.aws_security_group.app_sg.id]
+ lambda_secrets = module.secrets_manager.lambda_secrets
+ ecs_cluster_name = module.ecs_cluster.ecs_cluster.name
 }
 # Create Cloudwatch LogGroups
@@ -234,7 +218,7 @@ module "ecs_api_td" {
 },
 {
 name = "AWS_API_GATEWAY_URL"
- value = module.apigw.apigw_invoke_url
+ value = "${module.apigw.apigw_invoke_url}${var.environment}"
 }
 ]
 secret_env_variables = module.secrets_manager.api_secrets
diff --git a/infrastructure/cloud/modules/APIGateway/main.tf b/infrastructure/cloud/modules/APIGateway/main.tf
index ae0f7ea3..b6775c2d 100644
--- a/infrastructure/cloud/modules/APIGateway/main.tf
+++ b/infrastructure/cloud/modules/APIGateway/main.tf
@@ -5,11 +5,7 @@ resource "aws_api_gateway_rest_api" "apigw" {
 resource "aws_api_gateway_deployment" "apigw_deployment" {
 depends_on = [
- # Add new integration here so that it registers in API Gateway
- aws_api_gateway_integration.get_locations_integration,
- aws_api_gateway_integration.get_locations_rooms_integration,
- aws_api_gateway_integration.get_files_civil_integration,
- aws_api_gateway_integration.get_files_criminal_integration,
+ aws_api_gateway_integration.lambda_integration,
 ]
 rest_api_id = aws_api_gateway_rest_api.apigw.id
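Review bot: `depends_on` only orders creation, so on an environment that is already deployed the swap from four integrations to `aws_api_gateway_integration.lambda_integration` will not by itself publish a new deployment unless `aws_api_gateway_deployment.apigw_deployment` also has a `triggers` argument; the rest of the resource is outside the hunk, so this may already be handled. If it is not, the stage keeps serving the old routes until something else forces a redeploy. The usual pattern is `triggers = { redeployment = sha1(jsonencode([aws_api_gateway_resource.root_resource, aws_api_gateway_method.root_method, aws_api_gateway_integration.lambda_integration])) }` together with `lifecycle { create_before_destroy = true }`.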
@@ -111,89 +107,17 @@ resource "aws_api_gateway_authorizer" "authorizer" {
 identity_source = "method.request.header.x-origin-verify"
 }
-#
-# /locations Resource
-#
-resource "aws_api_gateway_resource" "locations_resource" {
- rest_api_id = aws_api_gateway_rest_api.apigw.id
- parent_id = aws_api_gateway_rest_api.apigw.root_resource_id
- path_part = "locations"
-}
-
-# GET /locations
-resource "aws_api_gateway_method" "get_locations_method" {
- rest_api_id = aws_api_gateway_rest_api.apigw.id
- resource_id = aws_api_gateway_resource.locations_resource.id
- http_method = var.lambda_functions["get-locations"].http_method
- authorization = "CUSTOM"
- authorizer_id = aws_api_gateway_authorizer.authorizer.id
- api_key_required = true
-
- request_parameters = {
- "method.request.header.x-origin-verify" = true
- }
-}
-
-resource "aws_api_gateway_integration" "get_locations_integration" {
- rest_api_id = aws_api_gateway_rest_api.apigw.id
- resource_id = aws_api_gateway_resource.locations_resource.id
- http_method = aws_api_gateway_method.get_locations_method.http_method
- type = "AWS_PROXY"
- integration_http_method = "POST"
- uri = var.lambda_functions["get-locations"].invoke_arn
-}
-
-# /locations/rooms Resource
-resource "aws_api_gateway_resource" "rooms_resource" {
- rest_api_id = aws_api_gateway_rest_api.apigw.id
- parent_id = aws_api_gateway_resource.locations_resource.id
- path_part = "rooms"
-}
-
-# GET /locations/rooms
-resource "aws_api_gateway_method" "get_locations_rooms_method" {
- rest_api_id = aws_api_gateway_rest_api.apigw.id
- resource_id = aws_api_gateway_resource.rooms_resource.id
- http_method = var.lambda_functions["get-rooms"].http_method
- authorization = "CUSTOM"
- authorizer_id = aws_api_gateway_authorizer.authorizer.id
- api_key_required = true
-
- request_parameters = {
- "method.request.header.x-origin-verify" = true
- }
-}
-
-resource "aws_api_gateway_integration" "get_locations_rooms_integration" {
- rest_api_id = aws_api_gateway_rest_api.apigw.id
- resource_id = aws_api_gateway_resource.rooms_resource.id
- http_method = aws_api_gateway_method.get_locations_rooms_method.http_method
- type = "AWS_PROXY"
- integration_http_method = "POST"
- uri = var.lambda_functions["get-rooms"].invoke_arn
-}
-
-#
-# /files Resource
-#
-resource "aws_api_gateway_resource" "files_resource" {
+# Root Resource /
+resource "aws_api_gateway_resource" "root_resource" {
 rest_api_id = aws_api_gateway_rest_api.apigw.id
 parent_id = aws_api_gateway_rest_api.apigw.root_resource_id
- path_part = "files"
-}
-
-# /files/civil Resource
-resource "aws_api_gateway_resource" "civil_resource" {
- rest_api_id = aws_api_gateway_rest_api.apigw.id
- parent_id = aws_api_gateway_resource.files_resource.id
- path_part = "civil"
+ path_part = "{proxy+}"
 }
-# GET /files/civil
-resource "aws_api_gateway_method" "get_files_civil_method" {
+resource "aws_api_gateway_method" "root_method" {
 rest_api_id = aws_api_gateway_rest_api.apigw.id
- resource_id = aws_api_gateway_resource.civil_resource.id
- http_method = var.lambda_functions["search-civil-files"].http_method
+ resource_id = aws_api_gateway_resource.root_resource.id
+ http_method = "ANY"
 authorization = "CUSTOM"
 authorizer_id = aws_api_gateway_authorizer.authorizer.id
 api_key_required = true
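Review bot: `path_part = "{proxy+}"` with `http_method = "ANY"` replaces an explicit allow-list of four GET routes with a catch-all, so deciding which upstream paths and methods may be proxied now rests entirely on the `proxy-request` function; the custom authorizer, API key and `x-origin-verify` header requirement still gate every request, but none of them restricts the path. Document that on the resource so the next maintainer does not assume API Gateway still filters, e.g. `# Catch-all: every path and method under / is forwarded to proxy-request; path/method allow-listing is enforced in the Lambda`. Note also that `{proxy+}` does not match the bare root path `/`; if that is intended, a short comment saying so would help. `root_method` continues past the end of this hunk.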
@@ -203,41 +127,11 @@ resource "aws_api_gateway_method" "get_files_civil_method" {
 }
 }
-resource "aws_api_gateway_integration" "get_files_civil_integration" {
+resource "aws_api_gateway_integration" "lambda_integration" {
 rest_api_id = aws_api_gateway_rest_api.apigw.id
- resource_id = aws_api_gateway_resource.civil_resource.id
- http_method = aws_api_gateway_method.get_files_civil_method.http_method
- type = "AWS_PROXY"
+ resource_id = aws_api_gateway_resource.root_resource.id
+ http_method = aws_api_gateway_method.root_method.http_method
 integration_http_method = "POST"
- uri = var.lambda_functions["search-civil-files"].invoke_arn
-}
-
-# /files/criminal Resource
-resource "aws_api_gateway_resource" "criminal_resource" {
- rest_api_id = aws_api_gateway_rest_api.apigw.id
- parent_id = aws_api_gateway_resource.files_resource.id
- path_part = "criminal"
-}
-
-# GET /files/criminal
-resource "aws_api_gateway_method" "get_files_criminal_method" {
- rest_api_id = aws_api_gateway_rest_api.apigw.id
- resource_id = aws_api_gateway_resource.criminal_resource.id
- http_method = var.lambda_functions["search-criminal-files"].http_method
- authorization = "CUSTOM"
- authorizer_id = aws_api_gateway_authorizer.authorizer.id
- api_key_required = true
-
- request_parameters = {
- "method.request.header.x-origin-verify" = true
- }
-}
-
-resource "aws_api_gateway_integration" "get_files_criminal_integration" {
- rest_api_id = aws_api_gateway_rest_api.apigw.id
- resource_id = aws_api_gateway_resource.criminal_resource.id
- http_method = aws_api_gateway_method.get_files_criminal_method.http_method
 type = "AWS_PROXY"
- integration_http_method = "POST"
- uri = var.lambda_functions["search-criminal-files"].invoke_arn
+ uri = var.lambda_functions["proxy-request"].invoke_arn
 }
diff --git a/infrastructure/cloud/modules/ECS/TaskDefinition/main.tf b/infrastructure/cloud/modules/ECS/TaskDefinition/main.tf
index 6bfc2c2f..7651c366 100644
--- a/infrastructure/cloud/modules/ECS/TaskDefinition/main.tf
+++ b/infrastructure/cloud/modules/ECS/TaskDefinition/main.tf
@@ -7,11 +7,12 @@ resource "aws_ecs_task_definition" "ecs_td" {
 execution_role_arn = var.ecs_execution_role_arn
 task_role_arn = var.ecs_execution_role_arn
- lifecycle {
- # Since the dummy-image will be replaced when the GHA pipeline runs,
- # the whole container_definition edits has been ignored.
- ignore_changes = [container_definitions]
- }
+ # This will be uncommented out when the long term solution is implemented (JASPER-291)
+ # lifecycle {
+ # # Since the dummy-image will be replaced when the GHA pipeline runs,
+ # # the whole container_definition edits has been ignored.
+ # ignore_changes = [container_definitions]
+ # }
 container_definitions = jsonencode([
 {
diff --git a/infrastructure/cloud/modules/IAM/main.tf b/infrastructure/cloud/modules/IAM/main.tf
index 2057a0d9..62d603f7 100644
--- a/infrastructure/cloud/modules/IAM/main.tf
+++ b/infrastructure/cloud/modules/IAM/main.tf
@@ -287,8 +287,7 @@ resource "aws_iam_policy" "lambda_role_policy" {
 "ecs:ListServices"
 ],
 "Resource" : [
- "arn:aws:ecs:${var.region}:${var.account_id}:cluster/${var.app_name}-app-cluster-${var.environment}",
- "arn:aws:ecs:${var.region}:${var.account_id}:service/${var.app_name}-app-cluster-${var.environment}/${var.app_name}-*-ecs-service-${var.environment}"
+ "arn:aws:ecs:${var.region}:${var.account_id}:service/${var.app_name}-app-cluster-${var.environment}/*"
 ]
 },
 {
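Review bot: The `lifecycle` block is commented out rather than removed, and the same is done to `variable "functions"` in Lambda/variables.tf later in this patch; git history already preserves the old text, so a single line naming the ticket (`# ignore_changes on container_definitions intentionally removed until JASPER-291 lands`) reads better than a dead block in both places. Without `ignore_changes = [container_definitions]`, each `terraform apply` will presumably reassert the container definition with the dummy image the surviving comment refers to, replacing whatever the GHA pipeline last deployed until the long-term solution is in place; stating that consequence in the comment keeps operators from being surprised by a rollback.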
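Review bot: The ECS resource list drops the cluster ARN and widens the service pattern from `${var.app_name}-*-ecs-service-${var.environment}` to `/*`, so the Lambda role now covers every service in the cluster instead of only this app's services; the action list for the statement begins above the hunk, so whether a cluster-scoped action lost its resource is not visible here. If the service names are still predictable, keeping the old name pattern is the tighter grant; if the wildcard is needed because names changed, a comment on the line explaining why would stop the next reviewer from narrowing it back.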
@@ -301,6 +300,22 @@ resource "aws_iam_policy" "lambda_role_policy" {
 "Resource" : [
 "arn:aws:ecr:${var.region}:${var.account_id}:repository/${var.app_name}-*-repo-${var.environment}"
 ]
+ },
+ {
+ "Action" : [
+ "ec2:CreateNetworkInterface",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DeleteNetworkInterface",
+ "ec2:AttachNetworkInterface",
+ "ec2:DetachNetworkInterface"
+ ],
+ "Effect" : "Allow",
+ "Resource" : "*",
+ "Condition" : {
+ "ArnLikeIfExists" : {
+ "ec2:Vpc" : "arn:aws:ec2:${var.region}:*:vpc/${var.vpc_id}"
+ }
+ }
 }
 ]
 })
diff --git a/infrastructure/cloud/modules/IAM/variables.tf b/infrastructure/cloud/modules/IAM/variables.tf
index a7dc3a44..2be21934 100644
--- a/infrastructure/cloud/modules/IAM/variables.tf
+++ b/infrastructure/cloud/modules/IAM/variables.tf
@@ -47,3 +47,8 @@ variable "region" {
 description = "The AWS region"
 type = string
 }
+
+variable "vpc_id" {
+ description = "The default VPC Id"
+ type = string
+}
diff --git a/infrastructure/cloud/modules/Lambda/main.tf b/infrastructure/cloud/modules/Lambda/main.tf
index d2c7ec5c..798868de 100644
--- a/infrastructure/cloud/modules/Lambda/main.tf
+++ b/infrastructure/cloud/modules/Lambda/main.tf
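Review bot: `ec2:AttachNetworkInterface` and `ec2:DetachNetworkInterface` are not required for a Lambda `vpc_config` — the AWS-managed `AWSLambdaVPCAccessExecutionRole` policy grants only create/describe/delete of network interfaces plus private-IP assignment — and combined with `"Resource" : "*"` they let the role attach ENIs to any instance in the VPC, so they should be dropped unless the function code itself uses them. The `ec2:Vpc` condition also leaves the account as `*` (`arn:aws:ec2:${var.region}:*:vpc/${var.vpc_id}`) although `var.account_id` is already used in the ECR ARN two lines above; `arn:aws:ec2:${var.region}:${var.account_id}:vpc/${var.vpc_id}` pins it to this account.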
@@ -1,26 +1,38 @@
 locals {
- # Keys should match the folder name in lambda code
- default_functions = {
- "get-locations" = {
- http_method = "GET"
- resource_path = "/locations"
- },
- "get-rooms" = {
- http_method = "GET"
- resource_path = "/locations/rooms"
- },
- "search-criminal-files" = {
- http_method = "GET"
- resource_path = "/files/criminal"
- },
- "search-civil-files" = {
- http_method = "GET"
- resource_path = "/files/civil"
+ functions = {
+ "authorizer" = {
+ http_method = "*"
+ resource_path = ""
+ enable_vpc_config = false
+ env_variables = {
+ VERIFY_SECRET_NAME = var.lambda_secrets["authorizer"]
+ }
+ }
+ "rotate-key" = {
+ http_method = "POST"
+ resource_path = "/*"
+ statement_id_prefix = "AllowSecretsManagerInvoke"
+ source_arn = var.lambda_secrets["authorizer_arn"]
+ principal = "secretsmanager.amazonaws.com"
+ enable_vpc_config = false
+ env_variables = {
+ VERIFY_SECRET_NAME = var.lambda_secrets["authorizer"]
+ CLUSTER_NAME = var.ecs_cluster_name
+ }
+ }
+ "proxy-request" = {
+ http_method = "*"
+ resource_path = ""
+ env_variables = {
+ FILE_SERVICES_CLIENT_SECRET_NAME = var.lambda_secrets["file_services_client"]
+ PCSS_SECRET_NAME = var.lambda_secrets["pcss"]
+ DARS_SECRET_NAME = var.lambda_secrets["dars"]
+ }
 }
 }
 lambda_functions = {
- for k, v in merge(local.default_functions, var.functions) : k => {
+ for k, v in local.functions : k => {
 name = k
 memory_size = coalesce(lookup(v, "memory_size", null), var.lambda_memory_size)
 timeout = coalesce(lookup(v, "timeout", null), var.lambda_timeout)
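Review bot: The comment `# Keys should match the folder name in lambda code` was removed together with `default_functions`, but the constraint still holds for the new `functions` map — each key still becomes `name = k` in `lambda_functions` below — so it should be restored above `functions = {`, e.g. `# Keys must match the folder name of the lambda code; they become the function names`. Setting `enable_vpc_config = true` explicitly on `proxy-request`, as the other two entries set it to `false`, would also make the intent readable without consulting the default further down. The `locals` block continues past the end of this hunk.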
@@ -29,13 +41,14 @@ locals {
 source_arn = lookup(v, "source_arn", "${var.apigw_execution_arn}/*/${v.http_method}${v.resource_path}")
 statement_id_prefix = coalesce(lookup(v, "statement_id_prefix", null), "AllowAPIGatewayInvoke")
 principal = coalesce(lookup(v, "principal", null), "apigateway.amazonaws.com")
- env_variables = coalesce(lookup(v, "env_variables", null), {})
+ env_variables = v.env_variables
 source_arn = coalesce(lookup(v, "source_arn", null), "${var.apigw_execution_arn}/*/${v.http_method}${v.resource_path}")
+ enable_vpc_config = coalesce(lookup(v, "enable_vpc_config", null), true)
 }
 }
 default_env_variables = {
- MTLS_SECRET_NAME = var.mtls_secret_name
+ MTLS_SECRET_NAME = var.lambda_secrets["mtls"]
 }
 }
@@ -58,6 +71,14 @@ resource "aws_lambda_function" "lambda" {
 ignore_changes = [image_uri]
 }
+ dynamic "vpc_config" {
+ for_each = each.value.enable_vpc_config ? [1] : []
+ content {
+ subnet_ids = var.subnet_ids
+ security_group_ids = var.sg_ids
+ }
+ }
+
 tracing_config {
 mode = "Active"
 }
diff --git a/infrastructure/cloud/modules/Lambda/variables.tf b/infrastructure/cloud/modules/Lambda/variables.tf
index 1cdfeb74..ca5e6222 100644
--- a/infrastructure/cloud/modules/Lambda/variables.tf
+++ b/infrastructure/cloud/modules/Lambda/variables.tf
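Review bot: `env_variables = v.env_variables` drops the `coalesce(lookup(...), {})` default, so any future entry in `local.functions` without an `env_variables` attribute fails at plan time, while `enable_vpc_config` two lines below is added in the lookup-with-default style. Keeping the original form, `env_variables = coalesce(lookup(v, "env_variables", null), {})`, is consistent with the surrounding attributes and costs nothing. The `locals` block continues outside the hunk.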
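Review bot: Once `vpc_config` is set, `proxy-request` (the only function that keeps the `enable_vpc_config` default) loses the Lambda-managed internet path, so its Secrets Manager reads and outbound HTTPS calls go through the VPC only; that presumably requires a NAT route or interface endpoints reachable from `var.subnet_ids`, none of which is visible in this patch. A comment on the block stating the prerequisite, e.g. `# VPC-attached functions need a NAT or VPC-endpoint route for Secrets Manager and outbound HTTPS`, would make the dependency explicit. `aws_lambda_function.lambda` starts before and continues after this hunk.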
@@ -13,20 +13,21 @@ variable "lambda_role_arn" {
 type = string
 }
-variable "functions" {
- description = "Lambda functions config"
- type = map(object({
- http_method = string
- resource_path = string
- env_variables = optional(map(string), {})
- timeout = optional(number, null)
- memory_size = optional(number, null)
- statement_id_prefix = optional(string, "AllowAPIGatewayInvoke")
- principal = optional(string, "apigateway.amazonaws.com")
- source_arn = optional(string, null)
- }))
- default = {}
-}
+# variable "functions" {
+# description = "Lambda functions config"
+# type = map(object({
+# http_method = string
+# resource_path = string
+# env_variables = optional(map(string), {})
+# timeout = optional(number, null)
+# memory_size = optional(number, null)
+# statement_id_prefix = optional(string, "AllowAPIGatewayInvoke")
+# principal = optional(string, "apigateway.amazonaws.com")
+# source_arn = optional(string, null)
+# enable_vpc_config = optional(bool, true)
+# }))
+# default = {}
+# }
 variable "apigw_execution_arn" {
 description = "The API Gateway Execution ARN"
@@ -38,11 +39,6 @@ variable "lambda_ecr_repo_url" {
 type = string
 }
-variable "mtls_secret_name" {
- description = "The secret name of mTLS Cert in Secrets Manager"
- type = string
-}
-
 variable "lambda_memory_size" {
 description = "The Lambda Function default Memory Size"
 type = number
@@ -53,3 +49,23 @@ variable "lambda_timeout" {
 type = number
 default = 30
 }
+
+variable "subnet_ids" {
+ description = "The Subnet IDs"
+ type = list(string)
+}
+
+variable "sg_ids" {
+ description = "The Security Group IDs"
+ type = list(string)
+}
+
+variable "lambda_secrets" {
+ description = "List of secrets used by Lambda functions"
+ type = map(string)
+}
+
+variable "ecs_cluster_name" {
+ description = "ECS Cluster Name"
+ type = string
+}
diff --git a/infrastructure/cloud/modules/SecretsManager/main.tf b/infrastructure/cloud/modules/SecretsManager/main.tf
index cc8bfd00..731752c5 100644
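Review bot: `description = "List of secrets used by Lambda functions"` does not match the type or the contents: `lambda_secrets` is a `map(string)` of Secrets Manager secret names keyed `mtls`, `authorizer`, `file_services_client`, `pcss` and `dars`, plus `authorizer_arn`, which holds an ARN rather than a name (see the `lambda_secrets` output in SecretsManager/output.tf). Something like `description = "Map of Secrets Manager secret names used by Lambda functions (mtls, authorizer, file_services_client, pcss, dars) plus authorizer_arn, the ARN of the authorizer secret"` tells a caller which keys are required. `subnet_ids` and `sg_ids` could likewise say they are the VPC placement for functions with `enable_vpc_config` enabled.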
--- a/infrastructure/cloud/modules/SecretsManager/main.tf
+++ b/infrastructure/cloud/modules/SecretsManager/main.tf
@@ -223,3 +223,17 @@ resource "aws_secretsmanager_secret_version" "pcss_secret_value" {
 baseUrl = ""
 })
 }
+
+resource "aws_secretsmanager_secret" "dars_secret" {
+ name = "external/${var.app_name}-dars-secret-${var.environment}"
+ kms_key_id = var.kms_key_arn
+}
+
+resource "aws_secretsmanager_secret_version" "dars_secret_value" {
+ secret_id = aws_secretsmanager_secret.dars_secret.id
+ secret_string = jsonencode({
+ username = "",
+ password = "",
+ baseUrl = ""
+ })
+}
diff --git a/infrastructure/cloud/modules/SecretsManager/output.tf b/infrastructure/cloud/modules/SecretsManager/output.tf
index 2ccc8074..9bcdfc86 100644
--- a/infrastructure/cloud/modules/SecretsManager/output.tf
+++ b/infrastructure/cloud/modules/SecretsManager/output.tf
@@ -13,7 +13,8 @@ output "secrets_arn_list" {
 aws_secretsmanager_secret.splunk_secret.arn,
 aws_secretsmanager_secret.user_services_client_secret.arn,
 aws_secretsmanager_secret.api_authorizer_secret.arn,
- aws_secretsmanager_secret.pcss_secret.arn
+ aws_secretsmanager_secret.pcss_secret.arn,
+ aws_secretsmanager_secret.dars_secret.arn
 ]
 }
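Review bot: `aws_secretsmanager_secret_version.dars_secret_value` seeds the secret with empty `username`, `password` and `baseUrl`, so unless the resource ignores later changes every subsequent `terraform apply` will overwrite values an operator entered in Secrets Manager with the placeholders; the neighbouring `pcss_secret_value` follows the same pattern, but whether it carries a `lifecycle` block is outside the hunk. If the real values are entered out of band, add `lifecycle { ignore_changes = [secret_string] }` to the version resource (mirroring whatever `pcss_secret_value` does) so the placeholder is written only on first creation.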
@@ -26,6 +27,9 @@ output "api_secrets" {
 ["Auth__UserPassword", "${aws_secretsmanager_secret.auth_secret.arn}:userPassword::"],
 ["Auth__AllowSiteMinderUserType", "${aws_secretsmanager_secret.auth_secret.arn}:allowSiteMinderUserType::"],
 ["AuthorizerKey", "${aws_secretsmanager_secret.api_authorizer_secret.arn}:verifyKey::"],
+ ["DARS__Username", "${aws_secretsmanager_secret.dars_secret.arn}:username::"],
+ ["DARS__Password", "${aws_secretsmanager_secret.dars_secret.arn}:password::"],
+ ["DARS__Url", "${aws_secretsmanager_secret.dars_secret.arn}:baseUrl::"],
 ["DatabaseConnectionString", "${aws_secretsmanager_secret.database_secret.arn}:dbConnectionString::"],
 ["DataProtectionKeyEncryptionKey", "${aws_secretsmanager_secret.misc_secret.arn}:dataProtectionKeyEncryptionKey::"],
 ["FileServicesClient__Username", "${aws_secretsmanager_secret.file_services_client_secret.arn}:username::"],
@@ -81,23 +85,18 @@ output "db_password" {
 sensitive = true
 }
-output "mtls_secret_name" {
- value = aws_secretsmanager_secret.mtls_cert_secret.name
-}
-
-output "api_authorizer_secret" {
- value = aws_secretsmanager_secret.api_authorizer_secret
-}
-
 output "allowed_ip_ranges" {
 value = jsondecode(data.aws_secretsmanager_secret_version.current_misc_secret_value.secret_string).allowedIpRanges
 sensitive = true
 }
-output "file_services_client_secret_name" {
- value = aws_secretsmanager_secret.file_services_client_secret.name
+output "lambda_secrets" {
+ value = {
+ mtls = aws_secretsmanager_secret.mtls_cert_secret.name
+ authorizer = aws_secretsmanager_secret.api_authorizer_secret.name
+ authorizer_arn = aws_secretsmanager_secret.api_authorizer_secret.arn
+ file_services_client = aws_secretsmanager_secret.file_services_client_secret.name
+ pcss = aws_secretsmanager_secret.pcss_secret.name
+ dars = aws_secretsmanager_secret.dars_secret.name
+ }
 }
-
-output "pcss_secret_name" {
- value = aws_secretsmanager_secret.pcss_secret.name
-}
\ No newline at end of file
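Review bot: The four removed outputs (`mtls_secret_name`, `api_authorizer_secret`, `file_services_client_secret_name`, `pcss_secret_name`) are replaced by the `lambda_secrets` map and the three environment files in this patch are updated accordingly, but any other consumer of the old outputs is not visible here and would fail at plan time. Exposing only names and one ARN instead of the whole `api_authorizer_secret` resource object is the right direction. The file still ends without a trailing newline (`\ No newline at end of file`); `terraform fmt` would add it.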