Add new AWS secrets for admin OIDC (#242)

cloud/aws/templates/aws_oidc/app.tf

@@ -70,6 +70,14 @@ module "civiform_server_container_def" {
     {
       name      = "APPLICANT_OIDC_CLIENT_SECRET"
       valueFrom = aws_secretsmanager_secret_version.applicant_oidc_client_secret_secret_version.arn
+    },
+    {
+      name      = "ADMIN_OIDC_CLIENT_ID"
+      valueFrom = aws_secretsmanager_secret_version.admin_oidc_client_id_secret_version.arn
+    },
+    {
+      name      = "ADMIN_OIDC_CLIENT_SECRET"
+      valueFrom = aws_secretsmanager_secret_version.admin_oidc_client_secret_secret_version.arn
     }
   ]
 
@@ -252,6 +260,8 @@ locals {
               aws_secretsmanager_secret.adfs_client_id_secret.arn,
               aws_secretsmanager_secret.applicant_oidc_client_secret_secret.arn,
               aws_secretsmanager_secret.applicant_oidc_client_id_secret.arn,
+              aws_secretsmanager_secret.admin_oidc_client_secret_secret.arn,
+              aws_secretsmanager_secret.admin_oidc_client_id_secret.arn,
             ]
           },
           {

cloud/aws/templates/aws_oidc/bin/resources.py

@@ -13,6 +13,8 @@
 ADFS_SECRET = 'civiform_adfs_secret'
 APPLICANT_OIDC_CLIENT_ID = 'civiform_applicant_oidc_client_id'
 APPLICANT_OIDC_CLIENT_SECRET = 'civiform_applicant_oidc_client_secret'
+ADMIN_OIDC_CLIENT_ID = 'civiform_admin_oidc_client_id'
+ADMIN_OIDC_CLIENT_SECRET = 'civiform_admin_oidc_client_secret'
 POSTGRES_PASSWORD = 'civiform_postgres_password'
 
 # Defined in cloud/aws/templates/aws_oidc/main.tf

cloud/aws/templates/aws_oidc/bin/setup.py

@@ -18,9 +18,13 @@
     resources.ADFS_SECRET:
         'Secret for the ADFS configuration. Enter any value if you do not use ADFS.',
     resources.APPLICANT_OIDC_CLIENT_ID:
-        'Client ID for your OIDC provider. Enter any value if you have not set it up yet.',
+        'Client ID for your OIDC provider for applicants. Enter any value if not applicable.',
     resources.APPLICANT_OIDC_CLIENT_SECRET:
-        'Client secret for your OIDC provider. Enter any value if you have not set it up yet.',
+        'Client secret for your OIDC provider for applicants. Enter any value if not applicable.',
+    resources.ADMIN_OIDC_CLIENT_ID:
+        'Client ID for your OIDC provider for admins. Enter any value if not applicable.',
+    resources.ADMIN_OIDC_CLIENT_SECRET:
+        'Client secret for your OIDC provider for admins. Enter any value if not applicable.',
 }
 
 

cloud/aws/templates/aws_oidc/secrets.tf

@@ -182,3 +182,29 @@ resource "aws_secretsmanager_secret_version" "applicant_oidc_client_id_secret_ve
   secret_id     = aws_secretsmanager_secret.applicant_oidc_client_id_secret.id
   secret_string = " "
 }
+
+# Creating an AWS secret for admin_oidc_secret
+resource "aws_secretsmanager_secret" "admin_oidc_client_secret_secret" {
+  name                    = "${var.app_prefix}-civiform_admin_oidc_client_secret"
+  kms_key_id              = aws_kms_key.civiform_kms_key.arn
+  recovery_window_in_days = local.secret_recovery_window_in_days
+}
+
+# Creating an AWS secret versions for admin_oidc_secret
+resource "aws_secretsmanager_secret_version" "admin_oidc_client_secret_secret_version" {
+  secret_id     = aws_secretsmanager_secret.admin_oidc_client_secret_secret.id
+  secret_string = " "
+}
+
+# Creating an AWS secret for admin_oidc_client_id
+resource "aws_secretsmanager_secret" "admin_oidc_client_id_secret" {
+  name                    = "${var.app_prefix}-civiform_admin_oidc_client_id"
+  kms_key_id              = aws_kms_key.civiform_kms_key.arn
+  recovery_window_in_days = local.secret_recovery_window_in_days
+}
+
+# Creating an AWS secret versions for admin_oidc_client_id
+resource "aws_secretsmanager_secret_version" "admin_oidc_client_id_secret_version" {
+  secret_id     = aws_secretsmanager_secret.admin_oidc_client_id_secret.id
+  secret_string = " "
+}