From c988b08a52fe649ea8288a7575b963f37f12e6a0 Mon Sep 17 00:00:00 2001
From: Larisa-Roxana Bucur <larisa-roxana.bucur@uniserv.com>
Date: Sat, 7 Oct 2023 13:34:13 +0300
Subject: [PATCH] add new secrets for passport vc

---
 infra/production/index.ts | 7 ++++---
 infra/review/index.ts     | 7 ++++---
 infra/staging/index.ts    | 7 ++++---
 3 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/infra/production/index.ts b/infra/production/index.ts
index 4f0c5142b8..60ed035314 100644
--- a/infra/production/index.ts
+++ b/infra/production/index.ts
@@ -9,6 +9,7 @@ import { createIAMLogGroup, createPagerdutyTopic } from "../lib/service";
 let route53Zone = `${process.env["ROUTE_53_ZONE"]}`;
 let domain = `${process.env["DOMAIN"]}`;
 let IAM_SERVER_SSM_ARN = `${process.env["IAM_SERVER_SSM_ARN"]}`;
+let PASSPORT_VC_SECRETS_ARN = `${process.env["PASSPORT_VC_SECRETS_ARN"]}`;
 
 export const dockerGtcPassportIamImage = `${process.env["DOCKER_GTC_PASSPORT_IAM_IMAGE"]}`;
 
@@ -133,7 +134,7 @@ const dpoppEcsRole = new aws.iam.Role("dpoppEcsRole", {
           {
             Action: ["secretsmanager:GetSecretValue"],
             Effect: "Allow",
-            Resource: IAM_SERVER_SSM_ARN,
+            Resource: [IAM_SERVER_SSM_ARN, PASSPORT_VC_SECRETS_ARN],
           },
         ],
       }),
@@ -171,7 +172,7 @@ const service = new awsx.ecs.FargateService("dpopp-iam", {
         secrets: [
           {
             name: "IAM_JWK",
-            valueFrom: `${IAM_SERVER_SSM_ARN}:IAM_JWK::`,
+            valueFrom: `${PASSPORT_VC_SECRETS_ARN}:IAM_JWK::`,
           },
           {
             name: "GOOGLE_CLIENT_ID",
@@ -339,7 +340,7 @@ const service = new awsx.ecs.FargateService("dpopp-iam", {
           },
           {
             name: "IAM_JWK_EIP712",
-            valueFrom: `${IAM_SERVER_SSM_ARN}:IAM_JWK_EIP712::`,
+            valueFrom: `${PASSPORT_VC_SECRETS_ARN}:IAM_JWK_EIP712::`,
           },
         ],
       },
diff --git a/infra/review/index.ts b/infra/review/index.ts
index e931f78d95..df11499839 100644
--- a/infra/review/index.ts
+++ b/infra/review/index.ts
@@ -7,6 +7,7 @@ import * as awsx from "@pulumi/awsx";
 let route53Zone = `${process.env["ROUTE_53_ZONE"]}`;
 export const domain = `iam.${process.env["DOMAIN"]}`; // like: iam.review.passport.gitcoin.co
 let IAM_SERVER_SSM_ARN = `${process.env["IAM_SERVER_SSM_ARN"]}`;
+let PASSPORT_VC_SECRETS_ARN = `${process.env["PASSPORT_VC_SECRETS_ARN"]}`;
 
 export const dockerGtcPassportIamImage = `${process.env["DOCKER_GTC_PASSPORT_IAM_IMAGE"]}`;
 
@@ -130,7 +131,7 @@ const dpoppEcsRole = new aws.iam.Role("dpoppEcsRole", {
           {
             Action: ["secretsmanager:GetSecretValue"],
             Effect: "Allow",
-            Resource: IAM_SERVER_SSM_ARN,
+            Resource: [IAM_SERVER_SSM_ARN, PASSPORT_VC_SECRETS_ARN],
           },
         ],
       }),
@@ -164,7 +165,7 @@ const service = new awsx.ecs.FargateService("dpopp-iam", {
         secrets: [
           {
             name: "IAM_JWK",
-            valueFrom: `${IAM_SERVER_SSM_ARN}:IAM_JWK::`,
+            valueFrom: `${PASSPORT_VC_SECRETS_ARN}:IAM_JWK::`,
           },
           {
             name: "GOOGLE_CLIENT_ID",
@@ -332,7 +333,7 @@ const service = new awsx.ecs.FargateService("dpopp-iam", {
           },
           {
             name: "IAM_JWK_EIP712",
-            valueFrom: `${IAM_SERVER_SSM_ARN}:IAM_JWK_EIP712::`,
+            valueFrom: `${PASSPORT_VC_SECRETS_ARN}:IAM_JWK_EIP712::`,
           },
         ],
       },
diff --git a/infra/staging/index.ts b/infra/staging/index.ts
index 3b3d5bdd4e..34783a852d 100644
--- a/infra/staging/index.ts
+++ b/infra/staging/index.ts
@@ -9,6 +9,7 @@ import { createIAMLogGroup, createPagerdutyTopic } from "../lib/service";
 let route53Zone = `${process.env["ROUTE_53_ZONE"]}`;
 let domain = `iam.${process.env["DOMAIN"]}`;
 let IAM_SERVER_SSM_ARN = `${process.env["IAM_SERVER_SSM_ARN"]}`;
+let PASSPORT_VC_SECRETS_ARN = `${process.env["PASSPORT_VC_SECRETS_ARN"]}`;
 
 export const dockerGtcPassportIamImage = `${process.env["DOCKER_GTC_PASSPORT_IAM_IMAGE"]}`;
 
@@ -136,7 +137,7 @@ const dpoppEcsRole = new aws.iam.Role("dpoppEcsRole", {
           {
             Action: ["secretsmanager:GetSecretValue"],
             Effect: "Allow",
-            Resource: IAM_SERVER_SSM_ARN,
+            Resource: [IAM_SERVER_SSM_ARN, PASSPORT_VC_SECRETS_ARN],
           },
         ],
       }),
@@ -173,7 +174,7 @@ const service = new awsx.ecs.FargateService("dpopp-iam", {
         secrets: [
           {
             name: "IAM_JWK",
-            valueFrom: `${IAM_SERVER_SSM_ARN}:IAM_JWK::`,
+            valueFrom: `${PASSPORT_VC_SECRETS_ARN}:IAM_JWK::`,
           },
           {
             name: "GOOGLE_CLIENT_ID",
@@ -341,7 +342,7 @@ const service = new awsx.ecs.FargateService("dpopp-iam", {
           },
           {
             name: "IAM_JWK_EIP712",
-            valueFrom: `${IAM_SERVER_SSM_ARN}:IAM_JWK_EIP712::`,
+            valueFrom: `${PASSPORT_VC_SECRETS_ARN}:IAM_JWK_EIP712::`,
           },
         ],
       },