DDLS-392 add encryption to secrets (#1731)

ministryofjustice · Nov 14, 2024 · 91b67c2 · 91b67c2
1 parent a2b8b59
commit 91b67c2
Showing 1 changed file with 3 additions and 5 deletions.
diff --git a/terraform/account/region/secrets.tf b/terraform/account/region/secrets.tf
@@ -12,14 +12,13 @@ module "environment_secrets" {
     "front-api-client-secret",
     "front-frontend-secret",
     "front-notify-api-key",
-    "synchronisation-jwt-token",
     "public-jwt-key-base64",
     "private-jwt-key-base64",
     "smoke-test-variables",
     "custom-sql-db-password",
     "readonly-sql-db-password"
   ]
-  kms_key = ""
+  kms_key = module.secret_kms.eu_west_1_target_key_arn
   tags    = var.default_tags
 }
 
@@ -32,15 +31,14 @@ module "development_environment_secrets" {
     "browserstack-username",
     "browserstack-access-key"
   ]
-  kms_key = ""
+  kms_key = module.secret_kms.eu_west_1_target_key_arn
   tags    = var.default_tags
 }
 
 # Account wide secrets
 resource "aws_secretsmanager_secret" "cloud9_users" {
   name        = "cloud9-users"
   description = "Digideps team Cloud9 users"
-  kms_key_id  = ""
   tags        = var.default_tags
 }
 
@@ -58,6 +56,6 @@ resource "aws_secretsmanager_secret" "slack_webhook_url" {
 resource "aws_secretsmanager_secret" "preproduction_anonymise_default_pw" {
   name        = "anonymisation-default-user-pw"
   description = "Default password for anonymisation users"
-  kms_key_id  = ""
+  kms_key_id  = module.secret_kms.eu_west_1_target_key_arn
   tags        = var.default_tags
 }