From f65021c68c13d8f511780ac736ac98d4cd898a72 Mon Sep 17 00:00:00 2001
From: NadavOps <72969918+NadavOps@users.noreply.github.com>
Date: Tue, 27 Feb 2024 12:02:17 +0200
Subject: [PATCH] feat: Allow to manage github app secret manually
---
 docs/configuration.md | 3 ++-
 modules/ssm/outputs.tf | 4 ++--
 modules/ssm/ssm.tf | 6 ++++++
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/docs/configuration.md b/docs/configuration.md
index 29980fc68f..92bc4108ef 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -15,7 +15,7 @@ To be able to support a number of use-cases, the module has quite a lot of confi ## AWS SSM Parameters -The module uses the AWS System Manager Parameter Store to store configuration for the runners, as well as registration tokens and secrets for the Lambdas. Paths for the parameters can be configured via the variable `ssm_paths`. The location of the configuration parameters is retrieved by the runners via the instance tag `ghr:ssm_config_path`. The following default paths will be used. Tokens or JIT config stored in the token path will be deleted after retrieval by instance, data not deleted after a day will be deleted by a SSM housekeeper lambda. +The module uses the AWS System Manager Parameter Store to store configuration for the runners, as well as registration tokens and secrets for the Lambdas. Paths for the parameters can be configured via the variables `ssm_paths` and `prefix`. The location of the configuration parameters is retrieved by the runners via the instance tag `ghr:ssm_config_path`. The following default paths will be used. Tokens or JIT config stored in the token path will be deleted after retrieval by instance, data not deleted after a day will be deleted by a SSM housekeeper lambda. | Path | Description | | ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -23,6 +23,7 @@ The module uses the AWS System Manager Parameter Store to store configuration fo | `ssm_paths.root/var.prefix?/runners/config/` | Configuration parameters used by runner start script | | `ssm_paths.root/var.prefix?/runners/tokens/` | Either JIT configuration (ephemeral runners) or registration tokens (non ephemeral runners) generated by the control plane (scale-up lambda), and consumed by the start script on the runner to activate / register the runner. | | `ssm_paths.root/var.prefix?/webhook/runner-matcher-config` | Runner matcher config used by webhook to decide the target for the webhook event. | +| `ssm_paths.root/var.prefix?/ssm_paths.app/github_app_key_base64` | The github app secret key as base64. either you provide the secret key using the variable `var.github_app.key_base64` which will create the parameter or you create the parameter manually in the expected path and pass null to the variable | Available configuration parameters: | Parameter name | Description | diff --git a/modules/ssm/outputs.tf b/modules/ssm/outputs.tf index 3545a839c3..487a75e4ed 100644 --- a/modules/ssm/outputs.tf +++ b/modules/ssm/outputs.tf @@ -5,8 +5,8 @@ output "parameters" { arn = aws_ssm_parameter.github_app_id.arn } github_app_key_base64 = { - name = aws_ssm_parameter.github_app_key_base64.name - arn = aws_ssm_parameter.github_app_key_base64.arn + name = var.github_app.key_base64 == null ? data.aws_ssm_parameter.github_app_key_base64[0].name : aws_ssm_parameter.github_app_key_base64[0].name + arn = var.github_app.key_base64 == null ? data.aws_ssm_parameter.github_app_key_base64[0].arn : aws_ssm_parameter.github_app_key_base64[0].arn } github_app_webhook_secret = { name = aws_ssm_parameter.github_app_webhook_secret.name diff --git a/modules/ssm/ssm.tf b/modules/ssm/ssm.tf index 6bf3291e37..351a03f672 100644 --- a/modules/ssm/ssm.tf +++ b/modules/ssm/ssm.tf 
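Review bot: The `var.github_app.key_base64 == null` test on the two added lines of the `github_app_key_base64` output is the same predicate that drives the `count` on the resource and on the data source in modules/ssm/ssm.tf, so four places must stay in sync or one side produces an index-out-of-range error at plan time. A single local in ssm.tf such as `manage_github_app_key = var.github_app.key_base64 != null`, referenced by both `count` expressions and both output lines, keeps one definition of the mode. Alternatively the outputs can avoid repeating the condition altogether with `name = one(concat(aws_ssm_parameter.github_app_key_base64[*].name, data.aws_ssm_parameter.github_app_key_base64[*].name))` and the same shape for `arn`, which selects whichever of the two objects exists. The `output "parameters"` block begins and ends outside the hunk.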
@@ -7,6 +7,7 @@ resource "aws_ssm_parameter" "github_app_id" { } resource "aws_ssm_parameter" "github_app_key_base64" { + count = var.github_app.key_base64 == null ? 0 : 1 name = "${var.path_prefix}/github_app_key_base64" type = "SecureString" value = var.github_app.key_base64 @@ -14,6 +15,11 @@ resource "aws_ssm_parameter" "github_app_key_base64" { tags = var.tags } +data "aws_ssm_parameter" "github_app_key_base64" { + count = var.github_app.key_base64 == null ? 1 : 0 + name = "${var.path_prefix}/github_app_key_base64" +} + resource "aws_ssm_parameter" "github_app_webhook_secret" { name = "${var.path_prefix}/github_app_webhook_secret" type = "SecureString"
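Review bot: Adding `count` to `aws_ssm_parameter.github_app_key_base64` changes its address to `aws_ssm_parameter.github_app_key_base64[0]`, so an existing deployment that takes this version will plan to destroy the SecureString parameter and create it again under the indexed address, presumably leaving the control-plane lambdas without the key for the interval between the two operations. A `moved { from = aws_ssm_parameter.github_app_key_base64 to = aws_ssm_parameter.github_app_key_base64[0] }` block next to the resource carries the existing state entry over without recreation, provided the module's Terraform version constraint allows 1.1 or later; otherwise the upgrade notes should instruct users to run `terraform state mv` before applying. The resource block ends outside the hunk.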
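Review bot: The new `data "aws_ssm_parameter" "github_app_key_base64"` block decrypts the private key on every plan, because the data source's `with_decryption` argument defaults to true, and the decrypted `value` attribute is then persisted in the Terraform state file even though only `name` and `arn` are consumed by modules/ssm/outputs.tf. That undoes the main reason for managing the parameter outside Terraform, and it also means the identity running plan needs `kms:Decrypt` on the parameter's key rather than just `ssm:GetParameter`. Add `with_decryption = false` to the data block; `name` and `arn` are returned either way. A one-line comment on the block, `# Only name/arn are used; the key material stays in SSM and never enters state.`, would record the intent for the next maintainer.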