From 98c7b4f576ae25e98e5dcf99d9684d1557bb3da2 Mon Sep 17 00:00:00 2001
From: David Sibley <david.sibley@digital.justice.gov.uk>
Date: Mon, 30 Sep 2024 16:44:49 +0100
Subject: [PATCH] replace references to secretsmanager value with ssm insecure
 value, update name of local to better reflect purpose

---
 terraform/environments/core-logging/locals.tf              | 4 ++--
 terraform/environments/core-logging/vpc.tf                 | 2 +-
 terraform/environments/core-network-services/firewall.tf   | 2 +-
 terraform/environments/core-network-services/locals.tf     | 2 +-
 terraform/environments/core-network-services/logging.tf    | 2 +-
 terraform/environments/core-network-services/monitoring.tf | 2 +-
 terraform/environments/core-network-services/vpc.tf        | 2 +-
 terraform/environments/core-security/locals.tf             | 2 +-
 terraform/environments/core-security/vpc.tf                | 2 +-
 terraform/environments/core-shared-services/locals.tf      | 2 +-
 terraform/environments/core-shared-services/vpc.tf         | 2 +-
 terraform/environments/core-vpc/locals.tf                  | 3 +--
 terraform/environments/core-vpc/vpc.tf                     | 2 +-
 13 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/terraform/environments/core-logging/locals.tf b/terraform/environments/core-logging/locals.tf
index 46db5a723..abcff2a15 100644
--- a/terraform/environments/core-logging/locals.tf
+++ b/terraform/environments/core-logging/locals.tf
@@ -12,8 +12,8 @@ locals {
 
   # This takes the name of the Terraform workspace (e.g. core-vpc-production), strips out the application name (e.g. core-vpc), and checks if
   # the string leftover is `-production`, if it isn't (e.g. core-vpc-non-production => -non-production) then it sets the var to false.
-  is-production          = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"
-  cloudwatch_log_buckets = nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.core_logging_bucket_arns.secret_string))
+  is-production            = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"
+  core_logging_bucket_arns = jsondecode(aws_ssm_parameter.core_logging_bucket_arns.insecure_value)
 
   tags = {
     business-unit = "Platforms"
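Review bot: The new `core_logging_bucket_arns` local in core-logging reads `aws_ssm_parameter.core_logging_bucket_arns.insecure_value` (a managed resource), while every other environment in this patch reads `data.aws_ssm_parameter.core_logging_bucket_arns.insecure_value`; if core-logging is the environment that owns and writes the parameter that is intentional, but neither the resource nor the data sources are declared in this patch, so the difference is worth stating. A one-line comment above the assignment would settle it for the next reader: `# core-logging owns this SSM parameter (resource, not data source); other environments read it via data.aws_ssm_parameter.` Using `insecure_value` means the decoded map is not marked sensitive in plan output, which matches the behaviour of the `nonsensitive(...)` wrapper it replaces and is reasonable for bucket ARNs, but it does assume the parameter is a plain String rather than SecureString — confirm that against the parameter definition.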
diff --git a/terraform/environments/core-logging/vpc.tf b/terraform/environments/core-logging/vpc.tf
index fbaa7a42c..4f1733914 100644
--- a/terraform/environments/core-logging/vpc.tf
+++ b/terraform/environments/core-logging/vpc.tf
@@ -21,7 +21,7 @@ module "vpc" {
 
   # VPC Flow Logs
   vpc_flow_log_iam_role       = aws_iam_role.vpc_flow_log.arn
-  flow_log_s3_destination_arn = each.key == "live_data" ? local.cloudwatch_log_buckets["vpc-flow-logs"] : ""
+  flow_log_s3_destination_arn = each.key == "live_data" ? local.core_logging_bucket_arns["vpc-flow-logs"] : ""
 
   # Transit Gateway ID
   transit_gateway_id = data.aws_ec2_transit_gateway.transit-gateway.id
diff --git a/terraform/environments/core-network-services/firewall.tf b/terraform/environments/core-network-services/firewall.tf
index f74ea9923..2360ad0ce 100644
--- a/terraform/environments/core-network-services/firewall.tf
+++ b/terraform/environments/core-network-services/firewall.tf
@@ -74,7 +74,7 @@ resource "aws_flow_log" "external_inspection" {
 }
 
 resource "aws_flow_log" "external_inspection_s3" {
-  log_destination          = local.cloudwatch_log_buckets["vpc-flow-logs"]
+  log_destination          = local.core_logging_bucket_arns["vpc-flow-logs"]
   log_destination_type     = "s3"
   log_format               = local.custom_vpc_flow_log_format
   max_aggregation_interval = "60"
diff --git a/terraform/environments/core-network-services/locals.tf b/terraform/environments/core-network-services/locals.tf
index be9cba3cd..a6c25e547 100644
--- a/terraform/environments/core-network-services/locals.tf
+++ b/terraform/environments/core-network-services/locals.tf
@@ -16,7 +16,7 @@ locals {
   # the string leftover is `-production`, if it isn't (e.g. core-vpc-non-production => -non-production) then it sets the var to false.
   is-production = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"
 
-  cloudwatch_log_buckets        = nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.core_logging_bucket_arns.secret_string))
+  core_logging_bucket_arns = jsondecode(data.aws_ssm_parameter.core_logging_bucket_arns.insecure_value)
   cloudwatch_generic_log_groups = concat([module.firewall_logging.cloudwatch_log_group_name], [for key, value in module.vpc_inspection : value.fw_cloudwatch_name])
 
   tags = {
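Review bot: The `=` on the new `core_logging_bucket_arns` line is no longer aligned with the adjacent `cloudwatch_generic_log_groups` assignment in the same block, so `terraform fmt` (and any fmt check in CI) will want to rewrite this line; the same misalignment appears in core-security/locals.tf, where the new name is two characters longer than the `is-production` line above it was padded for. Running `terraform fmt` on these two files before merge, as was done for core-logging/locals.tf, avoids a follow-up whitespace commit. The surrounding `locals {` block starts and ends outside the hunk.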
diff --git a/terraform/environments/core-network-services/logging.tf b/terraform/environments/core-network-services/logging.tf
index fa8fc56a9..0931c46a1 100644
--- a/terraform/environments/core-network-services/logging.tf
+++ b/terraform/environments/core-network-services/logging.tf
@@ -2,7 +2,7 @@ module "logging-generic-logs" {
   source                     = "github.com/ministryofjustice/modernisation-platform-terraform-aws-data-firehose?ref=2e58c8fd0b43ca8461dfd0c8cc5f43a1a9c49987" #v1.1.0
   for_each                   = local.is-production ? { "build" = true } : {}
   cloudwatch_log_group_names = local.cloudwatch_generic_log_groups
-  destination_bucket_arn     = local.cloudwatch_log_buckets["generic-logs"]
+  destination_bucket_arn     = local.core_logging_bucket_arns["generic-logs"]
   tags                       = local.tags
 }
 
diff --git a/terraform/environments/core-network-services/monitoring.tf b/terraform/environments/core-network-services/monitoring.tf
index d06831336..f2b74c9ed 100644
--- a/terraform/environments/core-network-services/monitoring.tf
+++ b/terraform/environments/core-network-services/monitoring.tf
@@ -152,7 +152,7 @@ resource "aws_flow_log" "tgw_flowlog" {
 }
 
 resource "aws_flow_log" "tgw_flowlog_s3" {
-  log_destination          = local.cloudwatch_log_buckets["vpc-flow-logs"]
+  log_destination          = local.core_logging_bucket_arns["vpc-flow-logs"]
   log_destination_type     = "s3"
   log_format               = local.custom_tgw_flow_log_format
   max_aggregation_interval = "60"
diff --git a/terraform/environments/core-network-services/vpc.tf b/terraform/environments/core-network-services/vpc.tf
index ceee4f23b..4e9a7d622 100644
--- a/terraform/environments/core-network-services/vpc.tf
+++ b/terraform/environments/core-network-services/vpc.tf
@@ -11,7 +11,7 @@ module "vpc_inspection" {
 
   source                      = "../../modules/vpc-inspection"
   application_name            = local.application_name
-  flow_log_s3_destination_arn = each.key == "live_data" ? local.cloudwatch_log_buckets["vpc-flow-logs"] : ""
+  flow_log_s3_destination_arn = each.key == "live_data" ? local.core_logging_bucket_arns["vpc-flow-logs"] : ""
   fw_allowed_domains          = local.fqdn_firewall_rules.fw_allowed_domains
   fw_home_net_ips             = local.fqdn_firewall_rules.fw_home_net_ips
   fw_kms_arn                  = data.aws_kms_key.general_shared.arn
diff --git a/terraform/environments/core-security/locals.tf b/terraform/environments/core-security/locals.tf
index 182b7db71..1699d40a9 100644
--- a/terraform/environments/core-security/locals.tf
+++ b/terraform/environments/core-security/locals.tf
@@ -10,7 +10,7 @@ locals {
   # This takes the name of the Terraform workspace (e.g. core-vpc-production), strips out the application name (e.g. core-vpc), and checks if
   # the string leftover is `-production`, if it isn't (e.g. core-vpc-non-production => -non-production) then it sets the var to false.
   is-production          = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"
-  cloudwatch_log_buckets = nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.core_logging_bucket_arns.secret_string))
+  core_logging_bucket_arns = jsondecode(data.aws_ssm_parameter.core_logging_bucket_arns.insecure_value)
 
   tags = {
     business-unit = "Platforms"
diff --git a/terraform/environments/core-security/vpc.tf b/terraform/environments/core-security/vpc.tf
index e2d51fff7..ff3257b87 100644
--- a/terraform/environments/core-security/vpc.tf
+++ b/terraform/environments/core-security/vpc.tf
@@ -21,7 +21,7 @@ module "vpc" {
 
   # VPC Flow Logs
   vpc_flow_log_iam_role       = aws_iam_role.vpc_flow_log.arn
-  flow_log_s3_destination_arn = each.key == "live_data" ? local.cloudwatch_log_buckets["vpc-flow-logs"] : ""
+  flow_log_s3_destination_arn = each.key == "live_data" ? local.core_logging_bucket_arns["vpc-flow-logs"] : ""
 
   # Transit Gateway ID
   transit_gateway_id = data.aws_ec2_transit_gateway.transit-gateway.id
diff --git a/terraform/environments/core-shared-services/locals.tf b/terraform/environments/core-shared-services/locals.tf
index e013d3290..96ec21a8e 100644
--- a/terraform/environments/core-shared-services/locals.tf
+++ b/terraform/environments/core-shared-services/locals.tf
@@ -45,7 +45,7 @@ locals {
     ]
   }
 
-  cloudwatch_log_buckets = nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.core_logging_bucket_arns.secret_string))
+  core_logging_bucket_arns = jsondecode(data.aws_ssm_parameter.core_logging_bucket_arns.insecure_value)
 
   tags = {
     business-unit = "Platforms"
diff --git a/terraform/environments/core-shared-services/vpc.tf b/terraform/environments/core-shared-services/vpc.tf
index 807dc0a79..af44b2b35 100644
--- a/terraform/environments/core-shared-services/vpc.tf
+++ b/terraform/environments/core-shared-services/vpc.tf
@@ -33,7 +33,7 @@ module "vpc" {
 
   # VPC Flow Logs
   vpc_flow_log_iam_role       = aws_iam_role.vpc_flow_log.arn
-  flow_log_s3_destination_arn = each.key == "live_data" ? local.cloudwatch_log_buckets["vpc-flow-logs"] : ""
+  flow_log_s3_destination_arn = each.key == "live_data" ? local.core_logging_bucket_arns["vpc-flow-logs"] : ""
 
   # Transit Gateway ID
   transit_gateway_id = data.aws_ec2_transit_gateway.transit-gateway.id
diff --git a/terraform/environments/core-vpc/locals.tf b/terraform/environments/core-vpc/locals.tf
index 12d5456db..8cf1e0550 100644
--- a/terraform/environments/core-vpc/locals.tf
+++ b/terraform/environments/core-vpc/locals.tf
@@ -15,8 +15,7 @@ locals {
   is-development = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-development"
   is-live_data   = (substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production") || (substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction")
 
-  # Secrets used by Firehose resources which we only require for development & production VPCs.
-  cloudwatch_log_buckets = nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.core_logging_bucket_arns.secret_string))
+  core_logging_bucket_arns = jsondecode(data.aws_ssm_parameter.core_logging_bucket_arns.insecure_value)
 
   tags = {
     business-unit = "Platforms"
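Review bot: The explanatory comment that preceded the old `cloudwatch_log_buckets` assignment ("Secrets used by Firehose resources which we only require for development & production VPCs.") is deleted rather than updated, leaving the new `core_logging_bucket_arns` local as the only entry in this block without a description of where its value comes from or who consumes it. A replacement along the lines of `# Core-logging bucket ARNs (e.g. "vpc-flow-logs"), decoded from a non-sensitive SSM parameter; in vpc.tf the value is only used when local.is-production.` keeps that context, with the consumer detail taken from the core-vpc/vpc.tf hunk in this same patch. Whether the "development & production" restriction from the old comment still holds is not visible here, so I have not carried it over.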
diff --git a/terraform/environments/core-vpc/vpc.tf b/terraform/environments/core-vpc/vpc.tf
index bf4e8463f..8f6aba854 100644
--- a/terraform/environments/core-vpc/vpc.tf
+++ b/terraform/environments/core-vpc/vpc.tf
@@ -91,7 +91,7 @@ module "vpc" {
 
   # VPC Flow Logs
   vpc_flow_log_iam_role       = aws_iam_role.vpc_flow_log.arn
-  flow_log_s3_destination_arn = local.is-production ? local.cloudwatch_log_buckets["vpc-flow-logs"] : ""
+  flow_log_s3_destination_arn = local.is-production ? local.core_logging_bucket_arns["vpc-flow-logs"] : ""
 
   # Tags
   tags_common = local.tags