avoid dots in SSM parameters

src/main/java/uk/gov/companieshouse/servicesdashboardapi/lambda/ConfigSecrets.java

@@ -58,8 +58,10 @@ public void postProcessBeanFactory(@NonNull ConfigurableListableBeanFactory bean
             properties.forEach((key, value) -> {
                 String keyStr = key.toString();
                 if (keyStr.endsWith(".secret")) {
-                    String secretName = String.format("%s/%s", ssmPrefix, keyStr);
-                    ApiLogger.info("reading SSM param (key: " + keyStr);
+                    // get the key without the ".secret" suffix and replace '.' with '_'
+                    String modifiedKeyStr = keyStr.substring(0, keyStr.length() - 7).replace('.', '_');
+                    String secretName = String.format("%s/%s", ssmPrefix, modifiedKeyStr);
+                    ApiLogger.info("reading SSM param (key: " + modifiedKeyStr + ")");
                     properties.setProperty(keyStr, getSecret(secretName));
                 }
             });

src/main/resources/application.properties

@@ -11,9 +11,10 @@
 #
 #         1. You define the secret-property you want with a '.secret' suffix (ex. "dt.server.apikey.secret")
 #         2. You ask its value (ex. "xxxxxx") to be stored in Vault. You omit the '.secret' suffix in the name,
-#            (as this would just add noise) (so you ask for  {"dt.server.apikey: "xxxxxx"})
-#         3. Terraform will create a secret in AWS SSM with the name "dt.server.apikey.secret"
-#            (so it will restore the '.secret' suffix)
+#            (as this would just add noise) and replace the dots with underscore (so you ask for  {"dt_server_apikey: "xxxxxx"})
+#         3. Terraform will create a secret in AWS SSM with the same name: "dt_server_apikey"
+#            (the reason why we don't want the dots in those names is that dots inhibt the usage in other contexts
+#             like in the ENV var section of Lambda or ECS)
 #         4. At runtime, as said, the code will source all the secrets from AWS SSM and set them in the Spring Boot context
 #            (like if they were set in application.properties eg.: dt.server.apikey.secret=xxxxxx)
 #

terraform/groups/lambda/lambda.tf

@@ -40,7 +40,7 @@ resource "aws_ssm_parameter" "secrets" {
   for_each = local.ssm_secret_keys # Use the cleared/nonsensitive map to loop over the keys
 
   name  = "${local.ssm_prefix}/${each.key}"
-  value = local.ssm_secrets[each.key]
+  value = local.vault_secrets[each.key]
   type  = "SecureString"
 }
 

terraform/groups/lambda/locals.tf

@@ -23,18 +23,19 @@ locals {
   vault_secrets = merge(local.stack_secrets, local.service_secrets)
 
   # Generate SSM secret names from vault names & appending ".secret" suffix
-  ssm_secrets = {
-    for k, v in local.vault_secrets :
-    "${k}.secret" => v
-  }
+  # ssm_secrets = {
+  #   for k, v in local.vault_secrets :
+  #   "${k}.secret" => v
+  # }
 
   # The map 'ssm_secrets' cannot be used directly in a for_each loop because
   # Terraform does not allow loops with sensitive values.
   # Terraform’s sensitivity propagation continues with nested or derived values.
   # A working solution is to use a "cleared" map with the same keys but with nonsensitive values
   # then loop on the cleared map and access the sensitive values using the key.
   ssm_secret_keys = nonsensitive(tomap({
-    for k in keys(local.ssm_secrets) :
+    # for k in keys(local.ssm_secrets) :
+    for k in keys(local.vault_secrets) :
     k => (can(nonsensitive(k)) ? nonsensitive(k) : k)
   }))
   # MONGO SETTINGS