[PLT-1358] Add SOPS to cdap to manage SSM parameter store

.github/workflows/tf-config.yml

@@ -0,0 +1,59 @@
+name: tf-config
+run-name: tf-config ${{ (inputs.apply || (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'schedule') && 'apply' || 'plan' }}
+
+on:
+  push:
+    paths:
+      - .github/workflows/tf-config.yml
+      - terraform/services/config/**
+  schedule:
+    - cron: "12 14 * * 1-5"
+  workflow_dispatch:
+    inputs:
+      apply:
+        required: false
+        type: boolean
+        description: "Apply the terraform?"
+
+env:
+  TENV_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+defaults:
+  run:
+    working-directory: ./terraform/services/config
+
+jobs:
+  check-fmt:
+    runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+      - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40
+      - run: tofu fmt -check -diff -recursive .
+  plan-apply:
+    needs: check-fmt
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}}
+    strategy:
+      fail-fast: false
+      matrix:
+        app: [cdap]
+        env: [mgmt]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+      - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40
+      - uses: cmsgov/cdap/actions/setup-sops@84a6bcee5b70d63c44f8fec4f9b542cb5ec29a54
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ contains(fromJSON('["dev", "test"]'), matrix.env) && secrets.NON_PROD_ACCOUNT || secrets.PROD_ACCOUNT }}:role/delegatedadmin/developer/${{ matrix.app }}-${{ matrix.env }}-github-actions
+          aws-region: ${{ vars.AWS_REGION }}
+      - run: tofu init -backend-config=../../backends/${{ matrix.app }}-${{ matrix.env }}.s3.tfbackend
+      - run: tofu plan -out=tf.plan
+        env:
+          TF_VAR_app: ${{ matrix.app }}
+          TF_VAR_env: ${{ matrix.env }}
+      - if: inputs.apply || (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'schedule'
+        run: tofu apply -auto-approve tf.plan

terraform/modules/platform/main.tf

@@ -1,7 +1,7 @@
 locals {
   app              = var.app
   env              = var.env
-  established_envs = ["test", "dev", "sandbox", "prod"]
+  established_envs = ["test", "dev", "sandbox", "prod", "mgmt"]
   root_module      = var.root_module
   parent_env       = one([for x in local.established_envs : x if can(regex("${x}$$", local.env))])
   sdlc_env         = contains(["sandbox", "prod"], local.parent_env) ? "production" : "non-production"
@@ -22,6 +22,7 @@ locals {
     "test"    = "bucket-access-logs-20250409172631068600000001"
     "sandbox" = "bucket-access-logs-20250411172631068600000001"
     "prod"    = "bucket-access-logs-20250411172631068600000001"
+    "mgmt"    = "bucket-access-logs-20250411172631068600000001"
   }
 
   aws_iam_role_names = [

terraform/modules/platform/variables.tf

@@ -2,17 +2,17 @@ variable "app" {
   description = "The short name for the delivery team or ADO."
   type        = string
   validation {
-    condition     = contains(["ab2d", "bcda", "dpc"], var.app)
-    error_message = "Invalid short var.app (application). Must be one of ab2d, bcda, or dpc."
+    condition     = contains(["ab2d", "bcda", "dpc", "cdap"], var.app)
+    error_message = "Invalid short var.app (application). Must be one of ab2d, bcda, dpc or cdap."
   }
 }
 
 variable "env" {
-  description = "The solution's environment name."
+  description = "The application environment (dev, test, sandbox, prod, mgmt)"
   type        = string
   validation {
-    condition     = one([for x in ["test", "dev", "sandbox", "prod"] : x if can(regex("^${x}$$|^([a-z0-9]+[a-z0-9-])+([^--])-${x}$$", var.env))]) != null
-    error_message = "Invalid environment/workspace name. Must end in one of test, dev, sandbox, or prod."
+    condition     = contains(["dev", "test", "sandbox", "prod", "mgmt"], var.env)
+    error_message = "Valid value for env is dev, test, sandbox, prod, or mgmt."
   }
 }
 

terraform/modules/sops/README.md

@@ -1,6 +1,6 @@
 # SOPS Child Module
 
-This module faciliates adoption of a terraform/tofu infrastructure-as-code strategy for managing both secure and nonsecure configuration values in AWS SSM Parameter Store with the following:
+This module facilitates adoption of a terraform/tofu infrastructure-as-code strategy for managing both secure and nonsecure configuration values in AWS SSM Parameter Store with the following:
 * distributes a wrapper script `sopsw` for getsops.io that helps us avoid:
   * frequent, largely meaningless git merge conflicts for this specific getsops.io use-case
   * needlessly oversharing semi-sensitive AWS Account IDs

terraform/modules/sops/variables.tf

@@ -1,6 +1,14 @@
 variable "platform" {
   description = "Object that describes standardized platform values."
-  type        = any
+  type = object({
+    app = string,
+    parent_env = string,env = string,
+    kms_alias_primary = object({
+      target_key_arn = string,
+    }),
+    service          = string,
+    is_ephemeral_env = string
+  })
 }
 
 variable "sopsw_values_file_extension" {

terraform/services/config/README.md

@@ -0,0 +1,41 @@
+# CDAP Config Root Module
+
+This root module is responsible for configuring the sops-enabled strategy for storing sensitive and nonsensitive configuration in AWS SSM Parameter Store.
+The _parent environment_ specific configuration values are located in the `values` directory.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_platform"></a> [platform](#module\_platform) | github.com/CMSgov/cdap//terraform/modules/platform | plt-1358_sops |
+| <a name="module_sops"></a> [sops](#module\_sops) | github.com/CMSgov/cdap//terraform/modules/sops | ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_env"></a> [env](#input\_env) | The application environment (test, prod, mgmt) | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | n/a | `string` | `"us-east-1"` | no |
+| <a name="input_secondary_region"></a> [secondary\_region](#input\_secondary\_region) | n/a | `string` | `"us-west-2"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_edit"></a> [edit](#output\_edit) | n/a |
+<!-- END_TF_DOCS -->

terraform/services/config/bin/sopsw

@@ -0,0 +1 @@
+../../../../scripts/sopsw

terraform/services/config/main.tf

@@ -0,0 +1,34 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+module "platform" {
+  source    = "github.com/CMSgov/cdap//terraform/modules/platform?ref=plt-1358_sops"
+  providers = { aws = aws, aws.secondary = aws.secondary }
+
+  app         = local.app
+  env         = var.env
+  root_module = "https://github.com/CMSgov/cdap/tree/terraform/services/config"
+  service     = local.service
+}
+
+locals {
+  default_tags = module.platform.default_tags
+  env          = terraform.workspace
+  service      = "config"
+}
+
+module "sops" {
+  source   = "github.com/CMSgov/cdap//terraform/modules/sops?ref=ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66"
+  platform = module.platform
+}
+
+
+output "edit" {
+  value = module.sops.sopsw
+}

terraform/services/config/tofu.tf

@@ -0,0 +1,38 @@
+locals {
+  app          = "cdap"
+  state_bucket = "cdap-mgmt-s3.tfbackend"
+}
+
+variable "region" {
+  default  = "us-east-1"
+  nullable = false
+  type     = string
+}
+
+variable "secondary_region" {
+  default  = "us-west-2"
+  nullable = false
+  type     = string
+}
+
+provider "aws" {
+  region = var.region
+  default_tags {
+    tags = local.default_tags
+  }
+}
+
+provider "aws" {
+  alias = "secondary"
+
+  region = var.secondary_region
+  default_tags {
+    tags = local.default_tags
+  }
+}
+
+terraform {
+  backend "s3" {
+    key = "config/terraform.tfstate"
+  }
+}

terraform/services/config/values/mgmt.sopsw.yaml

@@ -0,0 +1,17 @@
+/cdap/nonsensitive/account/security_events_slack_renotify_after_days: 30
+/cdap/nonsensitive/account/security_events_slack_severity_list: CRITICAL,HIGH,MEDIUM
+/cdap/sensitive/account/security_events_slack_webhook_url: ENC[AES256_GCM,data:z9MLEAlb76u6MZ+GWcWcfnRtax1J677k47tabDmwCqAGN7H2BrmTnkIs1fAhl9dShaL5qZrq78s0sY9b2hCAGIWWaUenVbGGpWBuZvh7rw==,iv:kbgCH76ryIbnU40SWd/Wgg+hULSgGsTO4LLWIPoDE68=,tag:NmwrTB/oVI0WEhL9R5eV2g==,type:str]
+/cdap/sensitive/bucket-access-logs-bucket: ENC[AES256_GCM,data:TjwtktvWlh7Gt7JrTuxZganUT3AotzmEAeYKkpn5GutLcIT1/KSpTV1kjMxV,iv:fSMld0pXjqKabcq+8CK7kG018tspwVAS30ngYFepJKw=,tag:dMsUtxHVSpiHb9U+ebUbNg==,type:str]
+/cdap/sensitive/mgmt-vpc/cidr: ENC[AES256_GCM,data:uNKE6Nckt24ZWHDHEWjU,iv:yVvl1HbK7ljy6lgZdGUkfi0CeIHPnd2uof9tVB1z008=,tag:9tQ1atj1Vwkgw6j1FQ8p5w==,type:str]
+/cdap/sensitive/mgmt/public_nat_ipv4/cdap-east-mgmt-a: ENC[AES256_GCM,data:sL/7GoM3BjiBN0Wt1Xg=,iv:vxDF8a1nduKPkjNGjxFai/oLi9NrO5F2fzdbjZ9OC+w=,tag:iKQYgyBHaZqTnVKd2L6UcQ==,type:str]
+/cdap/sensitive/mgmt/public_nat_ipv4/cdap-east-mgmt-b: ENC[AES256_GCM,data:3T3XJXAfO+ukonOB,iv:pRRz120EXNn3Mjp+MWmjybWk20Tiqt5mZyH9tCt06FI=,tag:ejOONP6IvUWMfQUMotshcw==,type:str]
+/cdap/sensitive/mgmt/public_nat_ipv4/cdap-east-mgmt-c: ENC[AES256_GCM,data:FqJ5g/NEdjs9VUW1,iv:gPMZEY94Th2seM4bg6axdVKyD8ZS4y6EUjt92spY0nk=,tag:dM7vk5x4WRZd1/iC96LOjg==,type:str]
+sops:
+  kms:
+    - arn: arn:aws:kms:us-east-1:${ACCOUNT_ID}:key/e32dffdb-97e7-4b64-b5cb-f6dc4e6fabca
+      created_at: "2025-10-03T17:27:53Z"
+      enc: AQICAHiXhc+HhELIyRKOpc5vBWQJB9/2XFW+CxWFIfUyci0r/wGkXSt3AG0b8bCJ0pVuEmyuAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM+S5DlWnhTDkMvmOxAgEQgDvMXlly/I5Vb2ah1KX2fSbY3mMOxA92rK4MU/rsyUN2oR8WXebzzW+ooNY1pEdGE4FMUmLUrU5qbcUoPg==
+      aws_profile: ""
+  unencrypted_regex: /nonsensitive/
+  mac_only_encrypted: true
+  version: 3.11.0

terraform/services/config/values/test.sopsw.yaml

@@ -0,0 +1,16 @@
+/cdap/nonsensitive/account/security_events_slack_renotify_after_days: 30
+/cdap/nonsensitive/account/security_events_slack_severity_list: CRITICAL,HIGH,MEDIUM
+/cdap/sensitive/account/security_events_slack_webhook_url: ENC[AES256_GCM,data:J70QSI23I0d1OnvD+n2ncd/ii0XiZ3NRcQqVwCLCBd7UxRIKgJ1YWqCZ9xV2Y8s/4fy+hi8iVvIkd0WdnC1Q9Adwh2rvRKKWM6lS59EYlA==,iv:/ZIY4WGOsxo2pR/t2FYADYcUeEq5eutP43KkNeTa3q0=,tag:HYuxPAStpJZ0t39j/xHLYg==,type:str]
+/cdap/sensitive/bucket-access-logs-bucket: ENC[AES256_GCM,data:I8m2zMO44IB1FnAuK08G99390eF5NjLcKTVvY4T5oD2O6/Apt3oSV3GAUldn,iv:DQUyoHG1Gplx4YuogWcG9kZnK3XTZXC+N5Ayzyb6LDM=,tag:wQpSTHVaItOGb3PC6tHw/w==,type:str]
+/cdap/sensitive/mgmt-vpc/cidr: ENC[AES256_GCM,data:bKqvpJcIqTqG9DkzO1/T,iv:ul/XIzIZ3BnERohYmuM7fWXWTYI0b45T4F2lUFHkvIw=,tag:LEpy1QiHUoGlTg+mKUaQtg==,type:str]
+/cdap/sensitive/gmt/public_nat_ipv4/cdap-east-mgmt-a: ENC[AES256_GCM,data:+mOA32KHMukav+YrGiI=,iv:XsU4F/UvJIlvwgco+SssgdMIEKyKx1e+AwfWP+bheYE=,tag:PsplAE2eFcxWvPddXNHEdQ==,type:str]
+/cdap/sensitive/mgmt/public_nat_ipv4/cdap-east-mgmt-b: ENC[AES256_GCM,data:yrLn9ruTYs3iUGtQ,iv:Sbvhi8ByvNKxq6HiI4sBYZ/J2z3baL6xtCqNwO+QBRo=,tag:cAAvVVyTZe7EC5nMOH7MYg==,type:str]
+/cdap/sensitive/mgmt/public_nat_ipv4/cdap-east-mgmt-c: ENC[AES256_GCM,data:SR+94ef0AuGMEzGP,iv:sbYtwbP3LFByLYzQysND27FDmSbqP7ihT+qXgqSuEds=,tag:UHJhmmOhBQ/7XsUHsLkkpA==,type:str]
+sops:
+  kms:
+    - arn: arn:aws:kms:us-east-1:${ACCOUNT_ID}:key/e32dffdb-97e7-4b64-b5cb-f6dc4e6fabca
+      created_at: "2025-10-03T17:38:55Z"
+      enc: AQICAHiXhc+HhELIyRKOpc5vBWQJB9/2XFW+CxWFIfUyci0r/wGgF/ZOMV/LMrvJSRhtedM1AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM8xXrZN9mTFGkvKjtAgEQgDsOpxt5mGlXEpdiTlnAjnt/AcOMpA8coSH4NHWfC2Tsw/VES55XVAaWQYXuOOdKnIJznMlUqzqBVrfvTw==
+      aws_profile: ""
+  unencrypted_regex: /nonsensitive/
+  version: 3.11.0

terraform/services/config/variables.tf

@@ -0,0 +1,8 @@
+variable "env" {
+  description = "The application environment (test, prod, mgmt)"
+  type        = string
+  validation {
+    condition     = contains(["test", "prod", "mgmt"], var.env)
+    error_message = "Valid value for env is test, prod, or mgmt."
+  }
+}