fix: GC Notify API Key is not properly passed to Nagware and Reliabil…

…ity lambdas (#553)

aws/lambdas/iam.tf

@@ -216,9 +216,7 @@ data "aws_iam_policy_document" "lambda_secrets" {
     ]
 
     resources = [
-      var.database_secret_arn,
-      var.notify_api_key_secret_arn,
-      var.token_secret_arn
+      var.database_secret_arn
     ]
   }
 }

aws/lambdas/inputs.tf

@@ -1,19 +1,14 @@
-
-variable "notify_api_key_secret_arn" {
-  description = "ARN of notify_api_key secret"
+variable "notify_api_key_secret_value" {
+  description = "Value of notify_api_key secret"
   type        = string
+  sensitive   = true
 }
 
 variable "gc_template_id" {
   description = "GC Notify send a notification templateID"
   type        = string
 }
 
-variable "token_secret_arn" {
-  description = "Token secret used for app"
-  type        = string
-}
-
 variable "database_secret_arn" {
   description = "Database connection secret arn"
   type        = string

aws/lambdas/nagware.tf

@@ -39,7 +39,7 @@ resource "aws_lambda_function" "nagware" {
       DB_ARN                    = var.rds_cluster_arn
       DB_SECRET                 = var.database_secret_arn
       DB_NAME                   = var.rds_db_name
-      NOTIFY_API_KEY            = var.notify_api_key_secret_arn
+      NOTIFY_API_KEY            = var.notify_api_key_secret_value
       TEMPLATE_ID               = var.gc_template_id
       SNS_ERROR_TOPIC_ARN       = var.sns_topic_alert_critical_arn
       LOCALSTACK                = var.localstack_hosted

aws/lambdas/reliability.tf

@@ -30,7 +30,7 @@ resource "aws_lambda_function" "reliability" {
     variables = {
       ENVIRONMENT    = var.env
       REGION         = var.region
-      NOTIFY_API_KEY = var.notify_api_key_secret_arn
+      NOTIFY_API_KEY = var.notify_api_key_secret_value
       TEMPLATE_ID    = var.gc_template_id
       DB_ARN         = var.rds_cluster_arn
       DB_SECRET      = var.database_secret_arn

aws/secrets/outputs.tf

@@ -3,6 +3,12 @@ output "notify_api_key_secret_arn" {
   value       = aws_secretsmanager_secret_version.notify_api_key.arn
 }
 
+output "notify_api_key_secret_value" {
+  description = "Value of notify_api_key secret"
+  value       = aws_secretsmanager_secret_version.notify_api_key.secret_string
+  sensitive   = true
+}
+
 output "freshdesk_api_key_secret_arn" {
   description = "ARN of freshdesk_api_key secret"
   value       = aws_secretsmanager_secret.freshdesk_api_key.arn

env/cloud/app/terragrunt.hcl

@@ -106,6 +106,7 @@ dependency "secrets" {
   mock_outputs_merge_strategy_with_state  = "shallow"
   mock_outputs = {
     notify_api_key_secret_arn               = ""
+    notify_api_key_secret_value             = ""
     freshdesk_api_key_secret_arn            = ""
     token_secret_arn                        = ""
     recaptcha_secret_arn                    = ""

env/cloud/lambdas/terragrunt.hcl

@@ -90,6 +90,7 @@ dependency "secrets" {
   mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
   mock_outputs = {
     notify_api_key_secret_arn               = ""
+    notify_api_key_secret_value             = ""
     freshdesk_api_key_secret_arn            = ""
     token_secret_arn                        = ""
     recaptcha_secret_arn                    = ""
@@ -134,8 +135,7 @@ inputs = {
 
   sns_topic_alert_critical_arn = dependency.sns.outputs.sns_topic_alert_critical_arn
 
-  notify_api_key_secret_arn = dependency.secrets.outputs.notify_api_key_secret_arn
-  token_secret_arn          = dependency.secrets.outputs.token_secret_arn
+  notify_api_key_secret_value = dependency.secrets.outputs.notify_api_key_secret_value
 
   reliability_file_storage_arn = dependency.s3.outputs.reliability_file_storage_arn
   vault_file_storage_arn       = dependency.s3.outputs.vault_file_storage_arn