From 13c00427e3bdda8e145eb391a5bc521bbf85bf3d Mon Sep 17 00:00:00 2001
From: Mitchell Alessio <5306896+malessi@users.noreply.github.com>
Date: Mon, 4 Nov 2024 16:47:36 -0500
Subject: [PATCH] BFD-3724: MGMT CI issues blocking MGMT environment apply (#2476)

---
 ops/terraform/env/mgmt/alarms.tf | 8 ++++----
 ops/terraform/env/mgmt/backups/ami-pruner.tf | 2 +-
 ops/terraform/env/mgmt/data-sources.tf | 8 ++++++--
 ops/terraform/env/mgmt/github-actions-iam.tf | 15 +++++++++++----
 ops/terraform/env/mgmt/main.tf | 17 +++++++++++++----
 ops/terraform/env/mgmt/r53.tf | 10 +++++-----
 6 files changed, 40 insertions(+), 20 deletions(-)

diff --git a/ops/terraform/env/mgmt/alarms.tf b/ops/terraform/env/mgmt/alarms.tf
index 2b03c352c5..f7397c8d24 100644
--- a/ops/terraform/env/mgmt/alarms.tf
+++ b/ops/terraform/env/mgmt/alarms.tf
@@ -1,8 +1,8 @@
 locals {
- victor_ops_url = local.sensitive_common_config["victor_ops_url"]
- ec2_failing_instances_runbook_url = local.sensitive_common_config["alarm_ec2_failing_instances_runbook_url"]
- ec2_instance_script_failing_start_runbook_url = local.sensitive_common_config["alarm_ec2_instance_script_failing_start_runbook_url"]
- lambda_error_stats_runbook_url = local.sensitive_common_config["alarm_lambda_error_stats_runbook_url"]
+ victor_ops_url = local.ssm_config["/bfd/common/victor_ops_url"]
+ ec2_failing_instances_runbook_url = local.ssm_config["/bfd/common/alarm_ec2_failing_instances_runbook_url"]
+ ec2_instance_script_failing_start_runbook_url = local.ssm_config["/bfd/common/alarm_ec2_instance_script_failing_start_runbook_url"]
+ lambda_error_stats_runbook_url = local.ssm_config["/bfd/common/alarm_lambda_error_stats_runbook_url"]
 cloudwatch_sns_topic_policy_spec = <<-EOF
 {
diff --git a/ops/terraform/env/mgmt/backups/ami-pruner.tf b/ops/terraform/env/mgmt/backups/ami-pruner.tf
index fa29fcfbe3..190c85a9ed 100644
--- a/ops/terraform/env/mgmt/backups/ami-pruner.tf
+++ b/ops/terraform/env/mgmt/backups/ami-pruner.tf
@@ -7,7 +7,7 @@ locals {
 log_retention_days = 30
 log_group = "/aws/lambda/bfd-${local.env}-backups-ami-pruner"
 log_level = 20 # 10 = DEBUG, 20 = INFO, 30 = WARNING, 40 = ERROR, 50 = CRITICAL
- retention_policy_ssm_path = "/bfd/${local.env}/common/sensitive/backups/ami"
+ retention_policy_ssm_path = "/bfd/${local.env}/common/nonsensitive/backups/ami"
 }
 }
diff --git a/ops/terraform/env/mgmt/data-sources.tf b/ops/terraform/env/mgmt/data-sources.tf
index cc96bbb669..fd387f3443 100644
--- a/ops/terraform/env/mgmt/data-sources.tf
+++ b/ops/terraform/env/mgmt/data-sources.tf
@@ -54,8 +54,12 @@ data "aws_ssm_parameter" "cpm_aws_account_arn" {
 with_decryption = true
 }
-data "aws_ssm_parameters_by_path" "common_sensitive" {
- path = "/bfd/${local.env}/common/sensitive"
+data "aws_ssm_parameters_by_path" "params" {
+ for_each = toset(local.ssm_hierarchies)
+
+ recursive = true
+ path = each.value
+ with_decryption = true
 }
 data "aws_ec2_managed_prefix_list" "vpn" {
diff --git a/ops/terraform/env/mgmt/github-actions-iam.tf b/ops/terraform/env/mgmt/github-actions-iam.tf
index 0bfe6d55a6..a2faab859f 100644
--- a/ops/terraform/env/mgmt/github-actions-iam.tf
+++ b/ops/terraform/env/mgmt/github-actions-iam.tf
@@ -362,9 +362,15 @@ resource "aws_iam_policy" "github_actions_ci_ops" {
 Sid = "AllowSsmAccess"
 Effect = "Allow"
 Action = [
- "ssm:Describe*",
- "ssm:GetParam*",
- "ssm:List*"
+ "ssm:ListTagsForResource",
+ "ssm:DescribeParameters",
+ "ssm:PutParameter",
+ "ssm:DeleteParameter",
+ "ssm:GetParameterHistory",
+ "ssm:GetParametersByPath",
+ "ssm:GetParameters",
+ "ssm:GetParameter",
+ "ssm:DeleteParameters"
 ]
 Resource = "*"
 },
@@ -450,7 +456,8 @@ resource "aws_iam_policy" "github_actions_ci_ops" {
 Action = [
 "quicksight:Get*",
 "quicksight:Describe*",
- "quicksight:List*"
+ "quicksight:List*",
+ "quicksight:Create*"
 ]
 Resource = "*"
 },
diff --git a/ops/terraform/env/mgmt/main.tf b/ops/terraform/env/mgmt/main.tf
index b9bf9af9e0..f5a2ab4fde 100644
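Review bot: `retention_policy_ssm_path` now points the AMI pruner at `/bfd/${local.env}/common/nonsensitive/backups/ami`, but nothing in this hunk shows that the pruner's execution role or the parameter itself moved with it; if the role's SSM read grant is still scoped to the `.../common/sensitive/...` prefix, or the retention values were not re-created under the new hierarchy, the failure surfaces at Lambda runtime rather than at apply. A comment would pin the coupling for the next person who renames a hierarchy: `# Must match both the prefix granted to the pruner role's ssm:GetParameter* statement and the hierarchy the retention policy is actually published to`. Confirm the parameter exists at the new path before merge; the enclosing locals block starts before this hunk.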
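Review bot: With `recursive = true` and `with_decryption = true` over every entry of `local.ssm_hierarchies`, the `params` data source now decrypts and records every SecureString under the whole common hierarchy (sensitive and nonsensitive subtrees alike) in Terraform state and plan output, whereas the data source it replaces read only `/bfd/${local.env}/common/sensitive`. That is inherent to a data source, but the state backend now holds the full set of common secrets for the environment, so the access controls on that backend matter more than before; a comment on the block should say so: `# Reads and decrypts the entire common hierarchy, sensitive subtree included; every value lands in state and plan artifacts`. If only a handful of sensitive names are consumed, a non-recursive read of the nonsensitive subtree plus targeted `aws_ssm_parameter` reads of those names would keep the rest out of state.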
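Review bot: Adding `ssm:PutParameter`, `ssm:DeleteParameter` and `ssm:DeleteParameters` to the `AllowSsmAccess` statement while it keeps `Resource = "*"` turns a read-only grant into write-and-delete over every SSM parameter in the account, including other environments' sensitive hierarchies and any non-BFD parameters, and this policy is attached to a GitHub Actions CI identity, which is a high-exposure credential. Keep the reads as they are but move the three write actions into a second statement scoped to the hierarchy this pipeline actually manages, e.g. `Resource = "arn:aws:ssm:*:*:parameter/bfd/${local.env}/*"` (assuming `local.env` is in scope here as it is in main.tf; substitute the concrete env prefix otherwise). `ssm:GetParameterHistory` also returns prior versions of secrets, so confirm a workflow really needs it rather than `GetParameter`. The enclosing `aws_iam_policy` resource continues outside the hunk.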
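Review bot: `quicksight:Create*` with `Resource = "*"` is materially broader than the `Get*`/`Describe*`/`List*` it joins: the wildcard also covers identity-affecting calls such as `quicksight:CreateUser`, `quicksight:CreateGroupMembership` and `quicksight:CreateNamespace`, not just dataset or analysis creation. For a CI role, enumerate the specific Create actions the pipeline needs, or at minimum record which QuickSight resources it creates next to the entry, e.g. `# Create* needed for the resources this pipeline provisions; Update*/Delete* deliberately excluded`, so a later reviewer can narrow it. The enclosing `aws_iam_policy` resource continues outside the hunk.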
--- a/ops/terraform/env/mgmt/main.tf
+++ b/ops/terraform/env/mgmt/main.tf
@@ -41,11 +41,20 @@ locals {
 ]
 )
- sensitive_common_config = zipmap(
+ ssm_hierarchies = ["/bfd/${local.env}/common"]
+ ssm_flattened_data = {
+ names = flatten(
+ [for k, v in data.aws_ssm_parameters_by_path.params : v.names]
+ )
+ values = flatten(
+ [for k, v in data.aws_ssm_parameters_by_path.params : nonsensitive(v.values)]
+ )
+ }
+ ssm_config = zipmap(
 [
- for name in data.aws_ssm_parameters_by_path.common_sensitive.names :
- element(split("/", name), length(split("/", name)) - 1)
+ for name in local.ssm_flattened_data.names :
+ replace(name, "/((non)*sensitive|${local.env})//", "")
 ],
- nonsensitive(data.aws_ssm_parameters_by_path.common_sensitive.values)
+ local.ssm_flattened_data.values
 )
 }
diff --git a/ops/terraform/env/mgmt/r53.tf b/ops/terraform/env/mgmt/r53.tf
index 703609386c..eaf2e57672 100644
--- a/ops/terraform/env/mgmt/r53.tf
+++ b/ops/terraform/env/mgmt/r53.tf
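Review bot: The key flattening `replace(name, "/((non)*sensitive|${local.env})//", "")` maps `/bfd/mgmt/common/sensitive/x` and `/bfd/mgmt/common/nonsensitive/x` to the same `/bfd/common/x`, so a parameter present in both subtrees collides in `zipmap` and one value shadows the other without any error at plan time; these values drive the Route 53 zone definitions and alarm endpoints elsewhere in this change, so a stray nonsensitive copy could silently replace the sensitive one. Make the assumption explicit and enforceable: a comment such as `# NOTE: sensitive/ and nonsensitive/ siblings share a key; names must be unique across both subtrees` next to `ssm_config`, plus a guard that fails when `length(distinct(keys(local.ssm_config))) != length(local.ssm_flattened_data.names)` (a `precondition` on a consuming resource would do). The regex also strips every `mgmt/` segment, not only the environment position, which is harmless today but worth a comment. `nonsensitive()` is still applied to every value, sensitive subtree included, so all of them appear in plain text in plan output, matching the previous behaviour for the sensitive subtree; the locals block starts before this hunk.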
@@ -1,14 +1,14 @@
 locals {
 hosted_zones = {
- for zone in jsondecode(local.sensitive_common_config["r53_hosted_zones_json"]) :
+ for zone in jsondecode(local.ssm_config["/bfd/common/r53_hosted_zones_json"]) :
 zone => {
- domain = local.sensitive_common_config["r53_hosted_zone_${zone}_domain"]
- comment = local.sensitive_common_config["r53_hosted_zone_${zone}_comment"]
+ domain = local.ssm_config["/bfd/common/r53_hosted_zone_${zone}_domain"]
+ comment = local.ssm_config["/bfd/common/r53_hosted_zone_${zone}_comment"]
 # If a hosted zone does not specify any VPC associations, it is considered a Public zone. If
 # any VPCs are specified, it is considered Private. We handle the case where VPCs are not
 # specified in configuration by returning an empty list.
- internal_vpc_ids = jsondecode(lookup(local.sensitive_common_config, "r53_hosted_zone_${zone}_internal_vpcs_json", "[]"))
- external_vpc_ids = jsondecode(lookup(local.sensitive_common_config, "r53_hosted_zone_${zone}_external_vpcs_json", "[]"))
+ internal_vpc_ids = jsondecode(lookup(local.ssm_config, "/bfd/common/r53_hosted_zone_${zone}_internal_vpcs_json", "[]"))
+ external_vpc_ids = jsondecode(lookup(local.ssm_config, "/bfd/common/r53_hosted_zone_${zone}_external_vpcs_json", "[]"))
 }
 }
 all_internal_r53_vpcs = flatten([for hz_label, hz_config in local.hosted_zones : hz_config.internal_vpc_ids])
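Review bot: The `lookup(local.ssm_config, "/bfd/common/r53_hosted_zone_${zone}_internal_vpcs_json", "[]")` default fails open: per the comment directly above it, an empty VPC list makes the zone Public, so a VPC parameter that is missing, or whose flattened key no longer matches after the hierarchy rename in this commit, turns a private zone public on the next apply with no error. The zone list and the `domain`/`comment` lookups on the lines above are strict (`local.ssm_config[...]` errors when absent) while the two VPC lookups default, which is the wrong way round for a security-relevant property; consider requiring an explicit marker for public zones rather than inferring it from absence, or at least `# WARNING: a missing *_vpcs_json parameter silently makes the zone public; verify both keys exist after renaming the SSM hierarchy`. The locals block continues past this hunk.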