Use SSM parameters for secrets

stevebux · stevebux · commit 4a44cc58a6c6 · 2026-04-21T11:10:59.000+01:00
diff --git a/.github/actions/acceptance-tests-e2e/action.yml b/.github/actions/acceptance-tests-e2e/action.yml
@@ -59,6 +59,31 @@ runs:
         pipx install poetry
         cd tests/e2e-tests && poetry install
 
+    - name: Retrieve acceptance test secrets from SSM
+      if: ${{ steps.check_proxy_deployed.outputs.proxy_deployed == 'true' }}
+      shell: bash
+      run: |
+        get_param() {
+          aws ssm get-parameter --name "$1" --with-decryption --query "Parameter.Value" --output text)
+        }
+
+        APIM_API_KEY=$(get_param '/acceptance/apiKeys/main')
+        echo "::add-mask::$APIM_API_KEY"
+        echo "APIM_API_KEY=$APIM_API_KEY" >> $GITHUB_ENV
+
+        APIM_PR_API_KEY=$(get_param '/acceptance/apiKeys/pr')
+        echo "::add-mask::$APIM_PR_API_KEY"
+        echo "APIM_PR_API_KEY=$APIM_PR_API_KEY" >> $GITHUB_ENV
+
+        APIM_STATUS_API_KEY=$(get_param '/acceptance/apiKeys/status')
+        echo "::add-mask::$APIM_STATUS_API_KEY"
+        echo "APIM_STATUS_API_KEY=$APIM_STATUS_API_KEY" >> $GITHUB_ENV
+
+        SUPPLIER_API_PRIVATE_KEY=$(get_param '/acceptance/keys/nonprod/private')
+        echo "::add-mask::$SUPPLIER_API_PRIVATE_KEY"
+        echo "SUPPLIER_API_PRIVATE_KEY=$SUPPLIER_API_PRIVATE_KEY" >> $GITHUB_ENV
+
+
     - name: Run tests
       if: ${{ steps.check_proxy_deployed.outputs.proxy_deployed == 'true' }}
       shell: bash
diff --git a/infrastructure/terraform/components/api/ssm_acceptance_tests.tf b/infrastructure/terraform/components/api/ssm_acceptance_tests.tf
@@ -0,0 +1,39 @@
+resource "aws_ssm_parameter" "acceptance_api_key_main" {
+
+  count = var.environment == "main" || startswith(var.environment, "pr") ? 1 : 0
+
+  name        = "/acceptance/apiKeys/main"
+  description = "The APIM API key for the main dev environment, to be overwritten by the internal repo when acceptance tests run"
+  type        = "SecureString"
+  value       = "Dummy"
+}
+
+resource "aws_ssm_parameter" "acceptance_api_key_pr" {
+
+  count = var.environment == "main" || startswith(var.environment, "pr") ? 1 : 0
+
+  name        = "/acceptance/apiKeys/pr"
+  description = "The APIM API key for the PR dev environment, to be overwritten by the internal repo when acceptance tests run"
+  type        = "SecureString"
+  value       = "Dummy"
+}
+
+resource "aws_ssm_parameter" "acceptance_api_key_status" {
+
+  count = var.environment == "main" || startswith(var.environment, "pr") ? 1 : 0
+
+  name        = "/acceptance/apiKeys/status"
+  description = "The APIM API key for the status endpoint, to be overwritten by the internal repo when acceptance tests run"
+  type        = "SecureString"
+  value       = "Dummy"
+}
+
+resource "aws_ssm_parameter" "acceptance_key_nonprod_private" {
+
+  count = var.environment == "main" || startswith(var.environment, "pr") ? 1 : 0
+
+  name        = "/acceptance/keys/nonprod/private"
+  description = "The non-prod private key for the supplier API, to be overwritten by the internal repo when acceptance tests run"
+  type        = "SecureString"
+  value       = "Dummy"
+}
