[PLT-1358] Add SOPS to cdap to manage SSM parameter store (#324)

## 🎫 Ticket

https://jira.cms.gov/browse/PLT-1358

## 🛠 Changes

Added a config service that uses SOPS to store parameters

## ℹ️ Context

Adoption of the SOPS standard for CDAP

## 🧪 Validation

See successful test run here:
https://github.com/CMSgov/cdap/actions/runs/19517296089

---------

Co-authored-by: jscott-nava <julianscott@navapbc.com>
Co-authored-by: Sean Fern <seanfern@navapbc.com>
Co-authored-by: Michael Valdes <michaelvaldes@navapbc.com>

Author: 4 people

.github/workflows/tf-config.yml

@@ -0,0 +1,60 @@
+name: tf-config
+run-name: tf-config ${{ (inputs.apply || (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'schedule') && 'apply' || 'plan' }}
+
+on:
+  push:
+    paths:
+      - .github/workflows/tf-config.yml
+      - terraform/services/config/**
+  schedule:
+    - cron: "12 14 * * 1-5"
+  workflow_dispatch:
+    inputs:
+      apply:
+        required: false
+        type: boolean
+        description: "Apply the terraform?"
+
+env:
+  TENV_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+defaults:
+  run:
+    working-directory: ./terraform/services/config
+
+jobs:
+  check-fmt:
+    runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+      - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40
+      - run: tofu fmt -check -diff -recursive .
+  plan-apply:
+    needs: check-fmt
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}}
+    strategy:
+      fail-fast: false
+      matrix:
+        app: [bcda]
+        env: [test,prod]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+      - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40
+      - uses: cmsgov/cdap/actions/setup-yq@328406d6e1d435b4e3da598bcdab22e576c3945e
+      - uses: cmsgov/cdap/actions/setup-sops@84a6bcee5b70d63c44f8fec4f9b542cb5ec29a54
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ contains(fromJSON('["dev", "test"]'), matrix.env) && secrets.NON_PROD_ACCOUNT || secrets.PROD_ACCOUNT }}:role/delegatedadmin/developer/${{ matrix.app }}-${{ matrix.env }}-github-actions
+          aws-region: ${{ vars.AWS_REGION }}
+      - run: tofu init -backend-config=../../backends/${{ matrix.app }}-${{ matrix.env }}.s3.tfbackend
+      - run: tofu plan -out=tf.plan
+        env:
+          TF_VAR_app: ${{ matrix.app }}
+          TF_VAR_env: ${{ matrix.env }}
+      - if: inputs.apply || (github.event_name == 'push' && github.ref == 'refs/heads/main') || github.event_name == 'schedule'
+        run: tofu apply -auto-approve tf.plan

terraform/modules/sops/README.md

@@ -42,8 +42,7 @@ output "edit" {
   value = module.sops.sopsw
 }
 ```
-
-
+SOPS documentation:  https://confluence.cms.gov/spaces/ODI/pages/1353352386/SOPS+for+Secrets+Management
 
 <!-- TODO: Write standards, examples, etc for usage of this module -->
 

terraform/modules/sops/variables.tf

@@ -1,6 +1,15 @@
 variable "platform" {
   description = "Object that describes standardized platform values."
-  type        = any
+  type = object({
+    app        = string,
+    parent_env = string,
+    env        = string,
+    kms_alias_primary = object({
+      target_key_arn = string,
+    }),
+    service          = string,
+    is_ephemeral_env = string
+  })
 }
 
 variable "sopsw_values_file_extension" {

terraform/services/config/README.md

@@ -0,0 +1,40 @@
+# CDAP Config Root Module
+
+This root module is responsible for configuring the sops-enabled strategy for storing sensitive and nonsensitive configuration in AWS SSM Parameter Store.
+The _parent environment_ specific configuration values are located in the `values` directory.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_platform"></a> [platform](#module\_platform) | github.com/CMSgov/cdap//terraform/modules/platform | ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66 |
+| <a name="module_sops"></a> [sops](#module\_sops) | github.com/CMSgov/cdap//terraform/modules/sops | ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_region"></a> [region](#input\_region) | n/a | `string` | `"us-east-1"` | no |
+| <a name="input_secondary_region"></a> [secondary\_region](#input\_secondary\_region) | n/a | `string` | `"us-west-2"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_edit"></a> [edit](#output\_edit) | n/a |
+<!-- END_TF_DOCS -->

terraform/modules/sops/bin/sopsw terraform/services/config/bin/sopswterraform/modules/sops/bin/sopsw renamed to terraform/services/config/bin/sopsw

@@ -0,0 +1,25 @@
+# TODO replace ref with hash after merging
+module "platform" {
+  source    = "github.com/CMSgov/cdap//terraform/modules/platform?ref=plt-1358_sops"
+  providers = { aws = aws, aws.secondary = aws.secondary }
+
+  app         = "bcda"
+  env         = var.env
+  root_module = "https://github.com/CMSgov/cdap/tree/terraform/services/config"
+  service     = local.service
+}
+
+locals {
+  default_tags = module.platform.default_tags
+  env          = terraform.workspace
+  service      = "config"
+}
+
+module "sops" {
+  source   = "github.com/CMSgov/cdap//terraform/modules/sops?ref=ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66"
+  platform = module.platform
+}
+
+output "edit" {
+  value = module.sops.sopsw
+}

terraform/services/config/main.tf

@@ -0,0 +1,20 @@
+provider "aws" {
+  region = "us-east-1"
+  default_tags {
+    tags = local.default_tags
+  }
+}
+
+provider "aws" {
+  alias  = "secondary"
+  region = "us-west-2"
+  default_tags {
+    tags = local.default_tags
+  }
+}
+
+terraform {
+  backend "s3" {
+    key = "config/terraform.tfstate"
+  }
+}

terraform/services/config/tofu.tf

@@ -0,0 +1,22 @@
+/cdap/account/nonsensitive/security_events_slack_renotify_after_days: 30
+/cdap/account/nonsensitive/security_events_slack_severity_list: CRITICAL,HIGH,MEDIUM
+/cdap/sensitive/account/security_events_slack_webhook_url: ENC[AES256_GCM,data:z9MLEAlb76u6MZ+GWcWcfnRtax1J677k47tabDmwCqAGN7H2BrmTnkIs1fAhl9dShaL5qZrq78s0sY9b2hCAGIWWaUenVbGGpWBuZvh7rw==,iv:kbgCH76ryIbnU40SWd/Wgg+hULSgGsTO4LLWIPoDE68=,tag:NmwrTB/oVI0WEhL9R5eV2g==,type:str]
+/cdap/sensitive/bucket-access-logs-bucket: ENC[AES256_GCM,data:TjwtktvWlh7Gt7JrTuxZganUT3AotzmEAeYKkpn5GutLcIT1/KSpTV1kjMxV,iv:fSMld0pXjqKabcq+8CK7kG018tspwVAS30ngYFepJKw=,tag:dMsUtxHVSpiHb9U+ebUbNg==,type:str]
+/cdap/sensitive/mgmt-vpc/cidr: ENC[AES256_GCM,data:uNKE6Nckt24ZWHDHEWjU,iv:yVvl1HbK7ljy6lgZdGUkfi0CeIHPnd2uof9tVB1z008=,tag:9tQ1atj1Vwkgw6j1FQ8p5w==,type:str]
+/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-a: ENC[AES256_GCM,data:FlVrW4HMpGxShfezY7k=,iv:5pZNFGbdfyrGCti7cL/7pfm4S3i5VpnESEO5Rglqw7E=,tag:NZIPNuaSZD/NSD6Q2sE2PQ==,type:str]
+/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-b: ENC[AES256_GCM,data:N1zEW1bym0cRrT5b,iv:+i6TbqeQLVdZRGUb/O0FUDSEXHsuxxW8hEJbQJYy8gU=,tag:dypP4NS1W0h0c+SeMmuI+g==,type:str]
+/cdap/mgmt/public_nat_ipv4/sensitive/cdap-east-mgmt-c: ENC[AES256_GCM,data:dE2gJAAstO0VcCol,iv:C5g6vtQbu6AQUmtobCrnZmFcBc4Pn6EZmex1YhQqXA8=,tag:gsAznB9ygxhNdpK73HbAwQ==,type:str]
+/cdap/sensitive/sonarqube/token: ENC[AES256_GCM,data:IzX5uyi0n7Jas1UuHPP7pdmGpYlWuXdAh5cXOgBAc4D+I8vBQese8RZa8zs=,iv:jnjgYubcGBKeA+S+puNWR5OY+xxisorfNXBm8rLbwFI=,tag:r4JfuxyGxmqmdHB4JRb3cw==,type:str]
+/cdap/nonsensitive/sonarqube/url: https://sonarqube.cloud.cms.gov
+/cdap/sensitive/artifactory/password: ENC[AES256_GCM,data:Y0pqIlDqheFTaH7RGDS/c8D59emCj969TT2N0GVPcJln3cJF3fkhlvdaDugjwSoaxisLuNXV0nQYs/g80lPHAw==,iv:bur6pAEm5V+M/Jfn1YNXZAYMs60rqGjnkPCMR2Z+Isw=,tag:bwMQmmK7S99EvgdApgTLJQ==,type:str]
+/cdap/nonsensitive/artifactory/url: https://artifactory.cloud.cms.gov/artifactory
+/cdap/nonsensitive/artifactory/user: ab2d-bcda-dpc-plt
+sops:
+  kms:
+    - arn: arn:aws:kms:us-east-1:${ACCOUNT_ID}:key/e32dffdb-97e7-4b64-b5cb-f6dc4e6fabca
+      created_at: "2025-10-03T17:27:53Z"
+      enc: AQICAHiXhc+HhELIyRKOpc5vBWQJB9/2XFW+CxWFIfUyci0r/wGkXSt3AG0b8bCJ0pVuEmyuAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM+S5DlWnhTDkMvmOxAgEQgDvMXlly/I5Vb2ah1KX2fSbY3mMOxA92rK4MU/rsyUN2oR8WXebzzW+ooNY1pEdGE4FMUmLUrU5qbcUoPg==
+      aws_profile: ""
+  unencrypted_regex: /nonsensitive/
+  mac_only_encrypted: true
+  version: 3.11.0

terraform/services/config/values/prod.sopsw.yaml

@@ -0,0 +1,23 @@
+/cdap/nonsensitive/account/security_events_slack_renotify_after_days: 30
+/cdap/nonsensitive/account/security_events_slack_severity_list: CRITICAL,HIGH,MEDIUM
+/cdap/sensitive/account/security_events_slack_webhook_url: ENC[AES256_GCM,data:aiW0cRzw2ZBM+WmgyXYeEGTIgP3Rm2vL6wa8+mGYyMnMQ718iODap66yNHLkOttq2Lz3V+HDdvjwYXDfG+IBvj9zVpQTjC3EabvByOCIeA==,iv:3GRLuWVe8Z5N3I9JY0DVyrPcwmIv+5vMwIS5ZR4P/v0=,tag:N4Hq6cI/JUUkCzR0BaL/sA==,type:str]
+/cdap/sensitive/bucket-access-logs-bucket: ENC[AES256_GCM,data:a9oeAjfhElMm1bceKXkQiZuCnvKGJ4KZdUDHHgbcJhV/KDOJ/Kms+ThAl4s1,iv:86Bff+m1IP0eMbEEzTql64XjeXqkXqEpWXHc9HElkAU=,tag:bAIb8jWb4VQXw603f3zv1g==,type:str]
+/cdap/sensitive/mgmt-vpc/cidr: ENC[AES256_GCM,data:EFep+iQ02YJJe22XX4LZ,iv:nOoqFQiizuPIHDzR5xsLDeIDjZvGxmnDaWu8eGzjWrQ=,tag:En0682ms1NNWjCZhnOtrkg==,type:str]
+/cdap/sensitive/gmt/public_nat_ipv4/cdap-east-mgmt-a: ENC[AES256_GCM,data:Q//cSfZmUiNc5FqmzII=,iv:BDII9+oRF8tlpoZAGsH6eE0UBigdaZEwDWFs/saYvqQ=,tag:WwfrS9Wn1+aL2xieWP+pXA==,type:str]
+/cdap/sensitive/mgmt/public_nat_ipv4/cdap-east-mgmt-b: ENC[AES256_GCM,data:zznp+VJvDrbdMFgz,iv:/gS+Vtt+rBsKbyjLJAyYXeAWkMHAxYClv/kqocwGUfs=,tag:CpOs+maoTJChJW7lz72Slw==,type:str]
+/cdap/sensitive/mgmt/public_nat_ipv4/cdap-east-mgmt-c: ENC[AES256_GCM,data:jmZGAzdcyIwPdq69,iv:jlAyPtL700BnqiWtsqQSrmZmt2TXtSzJUM2cR07bRrc=,tag:Zul0kmzRQZNMkbsLwmiUIA==,type:str]
+/cdap/sensitive/sonarqube/token: ENC[AES256_GCM,data:G8DmkxGggaryrx9+eIGmOtgM2DW931q3k9X/Cjy58Q2ZQ/Tp/bgx4yoJ7Do=,iv:IgsPiB8Fjbw984dB6tgjJa2nQrGl6Ko9TiNWNI+VIUE=,tag:SP61z5HnoDjbe3HVkLfJiQ==,type:str]
+/cdap/nonsensitive/sonarqube/url: https://sonarqube.cloud.cms.gov
+/cdap/sensitive/artifactory/password: ENC[AES256_GCM,data:YHIx5dSONjUgnO/rAP7JsvIR0PElCzLiARuABts0zcAUTYXC4hl4M+MGabhEzrUAqtRfD3wvIw2RiXmFrKqRNQ==,iv:UCrI+tMCwoYtf1gWAlr1/7PWHzj/Tqvc5lajjbCxAd0=,tag:02HC5T7mi2mZi0euLEwELA==,type:str]
+/cdap/nonsensitive/artifactory/url: https://artifactory.cloud.cms.gov/artifactory
+/cdap/nonsensitive/artifactory/user: ab2d-bcda-dpc-plt
+sops:
+    kms:
+        - arn: arn:aws:kms:us-east-1:539247469933:alias/bcda-test
+          created_at: "2025-11-17T21:10:18Z"
+          enc: AQICAHjmpdIoLQvhLo0ak4uYFiScF9EZlYU3g9HHyCuiUTXbOwHLNWrV6czniW+ynxVXARD/AAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMl7Aj8t3HMIwdjbVFAgEQgDsvvnioXJMRDPB5vydrZbzQKqEpISs9UOYX4OUGEfNHl7dGxI/3BA6yoZPn/GU7zl3RDZfxs9QQdZaIcg==
+          aws_profile: ""
+    lastmodified: "2025-11-17T21:19:40Z"
+    mac: ENC[AES256_GCM,data:bssj91Ngo0DYAM6FItDqsWez3ycy4efnMAQ+D/nRyYsQ35LC5J+Ra0iE0GwqJjInt3iggKvNWGX8JPa4Xo0vDI9TCS+rBVT0keB0af0k6eApLPGavDC1LW0VWfZjBuIvx881HmGgAO10SrIGlBJV9Vv7y4injBJVvIB68PSO4aQ=,iv:EnEYf8SGUVQdQDNXNV++d+tcqaZsP0eW4Zb1/8xNgfs=,tag:Gn3IYLAGqQxHk9H8P/MjSg==,type:str]
+    unencrypted_regex: /nonsensitive/
+    version: 3.11.0

terraform/services/config/values/test.sopsw.yaml

@@ -0,0 +1,8 @@
+variable "env" {
+  description = "The application environment (test, prod)"
+  type        = string
+  validation {
+    condition     = contains(["test", "prod"], var.env)
+    error_message = "Valid value for env is test or prod."
+  }
+}