[PLT-1358] Add SOPS to cdap to manage SSM parameter store #324
Merged
gsf reviewed Oct 3, 2025
gsf reviewed Oct 6, 2025
gsf (Member) left a comment:
Please add a tf workflow to plan and apply the terraform in the new config service.
gsf reviewed Oct 6, 2025
#319)

## 🎫 Ticket
https://jira.cms.gov/browse/PLT-1108

## 🛠 Changes
This PR updates the web module README sample usage section with commit hashes instead of branch references now that the branch has been merged.

## ℹ️ Context
The CDAP web module contains a sample usage snippet in the README that contains three references to the branch in which changes were being made. Since that branch has now been merged to main these references should now be updated to the commit hash of that merge.

## 🧪 Validation
This is a README update that does not require validation.

## 🎫 Ticket
https://jira.cms.gov/browse/PLT-1299

## 🛠 Changes
Expanded platform variable and edited readme

## ℹ️ Context
These changes are for the ecs service module.

## 🧪 Validation
<details>
<summary>Tofu Plan Output</summary>

```
OpenTofu will perform the following actions:

  # aws_ecs_service.worker will be updated in-place
  ~ resource "aws_ecs_service" "worker" {
        id              = "arn:aws:ecs:us-east-1:***:service/ab2d-test-worker/ab2d-test-worker"
        name            = "ab2d-test-worker"
        tags            = {}
      ~ task_definition = "arn:aws:ecs:us-east-1:***:task-definition/ab2d-test-worker:227" -> (known after apply)
        # (17 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # aws_ecs_task_definition.worker must be replaced
-/+ resource "aws_ecs_task_definition" "worker" {
      ~ arn                    = "arn:aws:ecs:us-east-1:***:task-definition/ab2d-test-worker:227" -> (known after apply)
      ~ arn_without_revision   = "arn:aws:ecs:us-east-1:***:task-definition/ab2d-test-worker" -> (known after apply)
      ~ container_definitions  = jsonencode(
          ~ [
              ~ {
                  ~ environment = [
                        # (12 unchanged elements hidden)
                        {
                            name  = "AWS_SQS_URL"
                            value = "https://sqs.us-east-1.amazonaws.com/***/ab2d-test-events"
                        },
                      ~ {
                            name  = "IMAGE_VERSION"
                          ~ value = "ab2d-worker-1626-merge-682775a" -> "ab2d-worker-1626-merge-37a4551"
                        },
                        {
                            name  = "MICROSERVICES_URL"
                            value = "http://internal-ab2d-test-microservices-87290984.us-east-1.elb.amazonaws.com/"
                        },
                        # (1 unchanged element hidden)
                    ]
                  ~ image = "***.dkr.ecr.us-east-1.amazonaws.com/ab2d-worker:ab2d-worker-1626-merge-682775a" -> "***.dkr.ecr.us-east-1.amazonaws.com/ab2d-worker:ab2d-worker-1626-merge-37a4551"
                    name  = "worker"
                  - portMappings = []
                  - systemControls = []
                  - volumesFrom = []
                    # (5 unchanged attributes hidden)
                },
            ] # forces replacement
        )
      ~ enable_fault_injection = false -> (known after apply)
      ~ id                     = "ab2d-test-worker" -> (known after apply)
      ~ revision               = 227 -> (known after apply)
      - tags                   = {} -> null
        # (10 unchanged attributes hidden)

      - volume {
          - configure_at_launch = false -> null
          - name                = "efs" -> null

          - efs_volume_configuration {
              - file_system_id          = "fs-06898a9a35a2a8959" -> null
              - root_directory          = "/" -> null
              - transit_encryption      = "ENABLED" -> null
              - transit_encryption_port = 0 -> null

              - authorization_config {
                  - access_point_id = "fsap-09a16152758024a89" -> null
                }
            }
        }
      - volume {
          - configure_at_launch = false -> null
          - name                = "newrelic_logs" -> null
        }
      - volume {
          - configure_at_launch = false -> null
          - name                = "tmp" -> null
        }
      - volume {
          - configure_at_launch = false -> null
          - name                = "var_logs" -> null
        }
      + volume {
          + configure_at_launch = (known after apply)
          + name                = "efs"

          + efs_volume_configuration {
              + file_system_id          = "fs-06898a9a35a2a8959"
              + root_directory          = "/"
              + transit_encryption      = "ENABLED"
              + transit_encryption_port = 0

              + authorization_config {
                  + access_point_id = "fsap-09a16152758024a89"
                }
            }
        }
      + volume {
          + configure_at_launch = (known after apply)
          + name                = "newrelic_logs"
        }
      + volume {
          + configure_at_launch = (known after apply)
          + name                = "tmp"
        }
      + volume {
          + configure_at_launch = (known after apply)
          + name                = "var_logs"
        }
    }

Plan: 1 to add, 1 to change, 1 to destroy.
```

## 🎫 Ticket
https://jira.cms.gov/browse/PLT-1371

## 🛠 Changes
Add coverage for workflows in the .cdap dependabot configuration, including terraform.

## ℹ️ Context
Changes are for extended scan coverage by dependabot.

## 🧪 Validation
see checks

---------

Co-authored-by: Sean Fern <[email protected]>

## 🎫 Ticket
https://jira.cms.gov/browse/BCDA-9395

## 🛠 Changes
Updated the name of the ecs service execution role to include the full service name (including app and env) to avoid name clashes between different apps and envs.

## ℹ️ Context
<!-- Why were these changes made? Add background context suitable for a non-technical audience. -->
<!-- If any of the following security implications apply, this PR must not be merged without Stephen Walter's approval. Explain in this section and add @SJWalter11 as a reviewer.
- Adds a new software dependency or dependencies.
- Modifies or invalidates one or more of our security controls.
- Stores or transmits data that was not stored or transmitted before.
- Requires additional review of security implications for other reasons. -->

## 🧪 Validation
<!-- How were the changes verified? Did you fully test the acceptance criteria in the ticket? Provide reproducible testing instructions and screenshots if applicable. -->

13a4845 to 012b65f
gsf reviewed Nov 19, 2025
gsf reviewed Nov 19, 2025
gsf reviewed Nov 20, 2025
gsf reviewed Nov 20, 2025
gsf approved these changes Nov 20, 2025
jscott-nava approved these changes Nov 20, 2025
juliareynolds-nava added a commit that referenced this pull request Nov 20, 2025
## 🎫 Ticket
https://jira.cms.gov/browse/PLT-1358

## 🛠 Changes
restored missing symlink

## ℹ️ Context
To correct merge errors from #324. This sopsw symlink is needed in the sops module.

## 🧪 Validation
See plan in checks.

🎫 Ticket
https://jira.cms.gov/browse/PLT-1358
🛠 Changes
Added a config service that uses SOPS to store parameters
ℹ️ Context
Adoption of the SOPS standard for CDAP
🧪 Validation
See successful test run here: https://github.com/CMSgov/cdap/actions/runs/19517296089