From 6781448254f8e0d0f2c8e0e7c128123815324d48 Mon Sep 17 00:00:00 2001
From: Jay Hill <116148+jayhill@users.noreply.github.com>
Date: Tue, 30 Sep 2025 09:42:15 -0400
Subject: [PATCH] #8 move SSM parameter definitions to bootstrap terraform

---
 .github/workflows/verify-ssm-parameters.yml | 10 ++--
 infra/terraform/bootstrap/main.tf           | 52 +++++++++++++++++++++
 infra/terraform/bootstrap/variables.tf      | 15 ++++++
 infra/terraform/dev/dev.tf                  |  9 ++--
 infra/terraform/dev/variables.tf            |  5 --
 infra/terraform/main/alerts.tf              |  9 ----
 infra/terraform/main/parameters.tf          | 24 +---------
 infra/terraform/main/variables.tf           |  6 ---
 infra/terraform/prod/prod.tf                |  1 -
 infra/terraform/prod/variables.tf           |  5 --
 10 files changed, 77 insertions(+), 59 deletions(-)
 delete mode 100644 infra/terraform/main/alerts.tf

diff --git a/.github/workflows/verify-ssm-parameters.yml b/.github/workflows/verify-ssm-parameters.yml
index f97cbb6..d48ffe0 100644
--- a/.github/workflows/verify-ssm-parameters.yml
+++ b/.github/workflows/verify-ssm-parameters.yml
@@ -57,8 +57,8 @@ jobs:
                     if ! PARAM_VALUE=$(aws ssm get-parameter --name "$param" --with-decryption --query 'Parameter.Value' --output text 2>/dev/null); then
                       echo "::error::Missing required SSM parameter: $param"
                       MISSING_PARAMS=1
-                    elif [ "$PARAM_VALUE" = "CHANGE_ME" ] || [ -z "$PARAM_VALUE" ]; then
-                      echo "::error::SSM parameter $param has not been configured (value is empty or placeholder)"
+                    elif [ -z "$PARAM_VALUE" ]; then
+                      echo "::error::SSM parameter $param exists but has an empty value"
                       MISSING_PARAMS=1
                     else
                       echo "✅ Parameter $param is properly configured"
@@ -71,9 +71,9 @@ jobs:
                     echo "::error::❌ One or more required SSM parameters are missing or misconfigured"
                     echo ""
                     echo "💡 To fix this:"
-                    echo "   1. Ensure Terraform has been applied to create the parameter structure"
-                    echo "   2. Manually set the actual values in AWS Systems Manager Parameter Store"
-                    echo "   3. Replace any 'CHANGE_ME' placeholder values with real configuration"
+                    echo "   1. Ensure bootstrap Terraform has been applied to create the parameters"
+                    echo "   2. Run 'terraform apply' in the infra/terraform/bootstrap directory"
+                    echo "   3. Provide the required values when prompted during bootstrap"
                     exit 1
                   fi
 
diff --git a/infra/terraform/bootstrap/main.tf b/infra/terraform/bootstrap/main.tf
index a738780..e1b6777 100644
--- a/infra/terraform/bootstrap/main.tf
+++ b/infra/terraform/bootstrap/main.tf
@@ -2,6 +2,30 @@ provider "aws" {
   region = var.aws_region
 }
 
+# SSM Parameters
+# These are populated interactively during bootstrap
+
+resource "aws_ssm_parameter" "alert_email" {
+  name        = "/jaildata/alert-email"
+  type        = "String"
+  value       = var.alert_email
+  description = "E-mail address for JailData alerts"
+}
+
+resource "aws_ssm_parameter" "jail_data_base_url" {
+  name        = "/jaildata/base-url"
+  type        = "String"
+  value       = var.jail_data_base_url
+  description = "Base URL for external jail data API endpoints"
+}
+
+resource "aws_ssm_parameter" "buncombe_api_id" {
+  name        = "/jaildata/facilities/buncombe/api-id"
+  type        = "String"
+  value       = var.buncombe_api_id
+  description = "API ID for Buncombe County jail data system"
+}
+
 # Create IAM user for GitHub Actions
 resource "aws_iam_user" "github_actions" {
   name = "github-actions-jaildata"
@@ -331,4 +355,32 @@ output "terraform_state_bucket" {
 output "terraform_state_lock_table" {
   description = "DynamoDB table for Terraform state locking"
   value       = aws_dynamodb_table.terraform_state_lock.name
+}
+
+# Reminder about SSM parameter configuration
+output "ssm_parameters_created" {
+  description = "SSM parameters created by bootstrap"
+  value = <<EOT
+
+✅ SSM Parameters Successfully Created ✅
+
+The following SSM parameters have been created with the values you provided:
+
+1. /jaildata/alert-email
+   - Purpose: Email address for JailData alerts
+
+2. /jaildata/base-url
+   - Purpose: Base URL for external jail data API endpoints
+
+3. /jaildata/facilities/buncombe/api-id
+   - Purpose: API ID for Buncombe County jail data system
+
+These parameters are now ready for use by:
+- CI/CD workflows (SSM parameter verification will pass)
+- Main Terraform deployments (dev/prod environments)
+- Serverless Lambda functions (runtime configuration)
+
+Note: The alert-topic-arn parameter is managed by the Serverless Framework deployment.
+
+EOT
 }
\ No newline at end of file
diff --git a/infra/terraform/bootstrap/variables.tf b/infra/terraform/bootstrap/variables.tf
index 4a35c83..e28b92d 100644
--- a/infra/terraform/bootstrap/variables.tf
+++ b/infra/terraform/bootstrap/variables.tf
@@ -2,4 +2,19 @@ variable "aws_region" {
   description = "The AWS region to deploy resources to"
   type        = string
   default     = "us-east-2"
+}
+
+variable "alert_email" {
+  description = "E-mail address for JailData alerts"
+  type        = string
+}
+
+variable "jail_data_base_url" {
+  description = "Base URL for external jail data API endpoints"
+  type        = string
+}
+
+variable "buncombe_api_id" {
+  description = "API ID for Buncombe County jail data system"
+  type        = string
 }
\ No newline at end of file
diff --git a/infra/terraform/dev/dev.tf b/infra/terraform/dev/dev.tf
index 2099492..3cc1dcf 100644
--- a/infra/terraform/dev/dev.tf
+++ b/infra/terraform/dev/dev.tf
@@ -1,7 +1,6 @@
 module "main" {
-  source              = "../main"
-  environment         = var.environment
-  region              = var.region
-  domain              = var.domain
-  alert_email         = var.alert_email
+  source      = "../main"
+  environment = var.environment
+  region      = var.region
+  domain      = var.domain
 }
\ No newline at end of file
diff --git a/infra/terraform/dev/variables.tf b/infra/terraform/dev/variables.tf
index 20519d2..9d1fdf1 100644
--- a/infra/terraform/dev/variables.tf
+++ b/infra/terraform/dev/variables.tf
@@ -10,8 +10,3 @@ variable "region" {
     default = "us-east-2"
 }
 
-variable "alert_email" {
-    description = "Email address for alerts"
-    type        = string
-}
-
diff --git a/infra/terraform/main/alerts.tf b/infra/terraform/main/alerts.tf
deleted file mode 100644
index 8a87652..0000000
--- a/infra/terraform/main/alerts.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-# Alerting configuration resources
-
-# SSM Parameter for alert email address
-resource "aws_ssm_parameter" "alert_email" {
-  name        = "/jaildata/alert-email"
-  type        = "String"
-  value       = var.alert_email
-  description = "Email address for JailData alerts"
-}
\ No newline at end of file
diff --git a/infra/terraform/main/parameters.tf b/infra/terraform/main/parameters.tf
index 2905554..43f22db 100644
--- a/infra/terraform/main/parameters.tf
+++ b/infra/terraform/main/parameters.tf
@@ -1,25 +1,3 @@
-resource "aws_ssm_parameter" "jail_data_base_url" {
-  name        = "/jaildata/base-url"
-  type        = "String"
-  value       = "CHANGE_ME"
-  description = "Base URL for external jail data API endpoints (set manually after deployment)"
-
-  lifecycle {
-    ignore_changes = [value]
-  }
-}
-
-resource "aws_ssm_parameter" "buncombe_api_id" {
-  name        = "/jaildata/facilities/buncombe/api-id"
-  type        = "String"
-  value       = "CHANGE_ME"
-  description = "API ID for Buncombe County jail data system (set manually after deployment)"
-
-  lifecycle {
-    ignore_changes = [value]
-  }
-}
-
 # API Gateway domain outputs
 output "ApiDomain" {
   description = "API Gateway custom domain name"
@@ -27,6 +5,6 @@ output "ApiDomain" {
 }
 
 output "ApiZoneId" {
-  description = "Route53 zone ID for API domain"  
+  description = "Route53 zone ID for API domain"
   value       = aws_route53_zone.api_zone.zone_id
 }
\ No newline at end of file
diff --git a/infra/terraform/main/variables.tf b/infra/terraform/main/variables.tf
index 97a6439..2bd9ef6 100644
--- a/infra/terraform/main/variables.tf
+++ b/infra/terraform/main/variables.tf
@@ -13,9 +13,3 @@ variable "region" {
   type        = string
 }
 
-variable "alert_email" {
-  description = "Email address for alerts"
-  type        = string
-  sensitive   = true
-}
-
diff --git a/infra/terraform/prod/prod.tf b/infra/terraform/prod/prod.tf
index 2faf972..3cc1dcf 100644
--- a/infra/terraform/prod/prod.tf
+++ b/infra/terraform/prod/prod.tf
@@ -3,5 +3,4 @@ module "main" {
   environment = var.environment
   region      = var.region
   domain      = var.domain
-  alert_email = var.alert_email
 }
\ No newline at end of file
diff --git a/infra/terraform/prod/variables.tf b/infra/terraform/prod/variables.tf
index a1d81ff..7b7a4d2 100644
--- a/infra/terraform/prod/variables.tf
+++ b/infra/terraform/prod/variables.tf
@@ -10,8 +10,3 @@ variable "region" {
     default = "us-east-2"
 }
 
-variable "alert_email" {
-    description = "Email address for alerts"
-    type        = string
-}
-