diff --git a/.github/workflows/provision.yml b/.github/workflows/provision.yml
index 671466d..d5f9ccf 100644
--- a/.github/workflows/provision.yml
+++ b/.github/workflows/provision.yml
@@ -70,5 +70,5 @@ jobs:
 run: exit 1
 - name: Terraform Apply
- if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'workflow_dispatch'
+ #if: (github.ref == 'refs/heads/main' && github.event_name == 'push') || github.event_name == 'workflow_dispatch'
 run: terraform apply -auto-approve -input=false
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
deleted file mode 100644
index 0e4e843..0000000
--- a/terraform/outputs.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-output "cognito_secrets_read_only_policy_arn" {
- description = "The ARN of the Cognito secrets"
- value = aws_iam_policy.cognito_secrets_read_only_policy.arn
-}
\ No newline at end of file
diff --git a/terraform/secrets.tf b/terraform/secrets.tf
index 0d3ceb8..c8ebf3c 100644
--- a/terraform/secrets.tf
+++ b/terraform/secrets.tf
@@ -1,13 +1,9 @@
-module "secrets_manager" {
- source = "terraform-aws-modules/secrets-manager/aws"
- version = "1.1.2"
+module "cognito_ssm_param" {
+ source = "terraform-aws-modules/ssm-parameter/aws"
+ name = "live/cognito"
+ type = "String"
- name = "live/cognito"
-
- ignore_secret_changes = true
- recovery_window_in_days = 0
-
- secret_string = jsonencode({
+ value = jsonencode({
 "issuer-uri" = "https://cognito-idp.${var.region}.amazonaws.com/${aws_cognito_user_pool.user_pool.id}"
 "jwk-set-uri" = "https://cognito-idp.${var.region}.amazonaws.com/${aws_cognito_user_pool.user_pool.id}/.well-known/jwks.json"
 })
@@ -24,10 +20,10 @@ resource "aws_iam_policy" "cognito_secrets_read_only_policy" {
 {
 Effect = "Allow"
 Action = [
- "secretsmanager:DescribeSecret",
- "secretsmanager:GetSecretValue"
+ "ssm:GetParameter",
+ "ssm:GetParameters"
 ],
- Resource = module.secrets_manager.secret_arn
+ Resource = module.cognito_ssm_param.ssm_parameter_arn
 }
 ]
 })
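Review bot: Commenting out the `if:` on the "Terraform Apply" step removes the only guard keeping `terraform apply -auto-approve` from running on every event that reaches this job, so any trigger other than a push to main or a manual dispatch (pull requests from feature branches, for instance, depending on the workflow's `on:` block, which is outside the hunk) would now mutate live infrastructure without review. If the intent is a one-off manual run, keep the gate and narrow it rather than deleting it, e.g. `if: github.event_name == 'workflow_dispatch'`, and if the intent is permanent, put the job behind a protected environment with a required reviewer. A commented-out condition also leaves no trace in the step of why the guard was removed; a `# TODO(<owner>): re-enable main-only apply gate after <reason>` comment would at least make the state visible. The enclosing job and the workflow's trigger block start outside this hunk.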
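Review bot: The new `module "cognito_ssm_param"` block drops the `version` pin that the replaced `secrets_manager` module had (`version = "1.1.2"`), so `terraform init` will resolve whatever the latest published release of `terraform-aws-modules/ssm-parameter/aws` is at the time, which makes the plan non-reproducible and lets an upstream module release change your infrastructure without a code change here; add `version = "<pinned module version>"` next to `source`. The parameter `name = "live/cognito"` is hierarchical but has no leading slash; AWS documents that hierarchical SSM parameter names must start with `/`, so confirm this is accepted by the provider or use `/live/cognito`. The value stored is two public Cognito endpoint URIs, which justifies `type = "String"` over `SecureString`, but that reasoning is not visible to the next reader; a comment such as `# Not secret: issuer/JWKS URIs are public endpoints, so a plain String parameter suffices` above `type` would record it. The `jsonencode` call continues past the end of the hunk.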
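Review bot: The policy document now grants `ssm:GetParameter`/`ssm:GetParameters` on `module.cognito_ssm_param.ssm_parameter_arn`, yet the resource keeps the name `cognito_secrets_read_only_policy`, so its name and the `description` removed from outputs.tf no longer describe what it grants; renaming an `aws_iam_policy` forces a replacement, so if you keep the name add a comment above the statement such as `# Read-only access to the Cognito SSM parameter (formerly a Secrets Manager secret); name kept to avoid policy replacement`. The same commit deletes the `cognito_secrets_read_only_policy_arn` output, so anything that attached this policy through that output will lose its reference — if an external consumer exists, that is a breaking change not mentioned in the diff. The `resource "aws_iam_policy"` block begins outside this hunk.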