From c50055199dfb56387b123ac9add5b12a5d926594 Mon Sep 17 00:00:00 2001
From: Ben Larabie
Date: Wed, 27 Nov 2024 13:22:29 -0500
Subject: [PATCH] API secrets (#1676)
* API secrets [review]
* newline [review]
---
 aws/github/api-secrets.tf | 47 +++++++++++++++++++++++++++++++++++++++
 env/variables.tf | 3 ++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 aws/github/api-secrets.tf
diff --git a/aws/github/api-secrets.tf b/aws/github/api-secrets.tf
new file mode 100644
index 000000000..9b222104a
--- /dev/null
+++ b/aws/github/api-secrets.tf
@@ -0,0 +1,47 @@
+resource "github_actions_secret" "api_account_id" {
+ repository = data.github_repository.notification_api.name
+ secret_name = "${upper(var.env)}_ACCOUNT_ID"
+ plaintext_value = var.account_id
+}
+
+resource "github_actions_secret" "api_aws_access_key_id" {
+ count = var.env == "production" || var.env == "staging" ? 1 : 0
+ repository = data.github_repository.notification_api.name
+ secret_name = "${upper(var.env)}_AWS_ACCESS_KEY_ID"
+ plaintext_value = var.aws_access_key_id
+}
+
+resource "github_actions_secret" "api_aws_secret_access_key" {
+ count = var.env == "production" || var.env == "staging" ? 1 : 0
+ repository = data.github_repository.notification_api.name
+ secret_name = "${upper(var.env)}_AWS_SECRET_ACCESS_KEY"
+ plaintext_value = var.aws_secret_access_key
+}
+
+resource "github_actions_secret" "api_cypress_user_pw_secret" {
+ count = var.env == "staging" ? 1 : 0
+ repository = data.github_repository.notification_api.name
+ secret_name = "CYPRESS_USER_PW_SECRET"
+ plaintext_value = var.manifest_cypress_user_pw_secret
+}
+
+resource "github_actions_secret" "api_openai_api_key" {
+ count = var.env == "production" ? 1 : 0
+ repository = data.github_repository.notification_api.name
+ secret_name = "OPENAI_API_KEY"
+ plaintext_value = var.openai_api_key
+}
+
+resource "github_actions_secret" "api_op_service_account_token" {
+ count = var.env == "production" || var.env == "staging" ? 1 : 0
+ repository = data.github_repository.notification_api.name
+ secret_name = "OP_SERVICE_ACCOUNT_TOKEN_${upper(var.env)}"
+ plaintext_value = var.op_service_account_token
+}
+
+resource "github_actions_secret" "api_slack_webhook" {
+ count = var.env == "production" ? 1 : 0
+ repository = data.github_repository.notification_api.name
+ secret_name = "SLACK_WEBHOOK"
+ plaintext_value = var.notify_dev_slack_webhook
+}
diff --git a/env/variables.tf b/env/variables.tf
index ef565a1a7..5882cdf5c 100644
--- a/env/variables.tf
+++ b/env/variables.tf
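Review bot: The `api_aws_access_key_id` and `api_aws_secret_access_key` resources publish long-lived AWS keys for production and staging as repository-level Actions secrets, which any workflow run in the notification_api repository can reference. If those workflows can assume a role through GitHub's OIDC provider, these two resources could be dropped; otherwise `github_actions_environment_secret` tied to a protected environment would narrow which jobs receive the production values. Every `plaintext_value` in this file is also persisted in Terraform state in clear text, so I would add a header comment such as `# plaintext_value is stored unencrypted in state; the backend must be encrypted and access-restricted`. The declarations of `var.aws_access_key_id`, `var.openai_api_key` and the other inputs are not part of this diff, so please confirm they carry `sensitive = true`.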
@@ -1058,4 +1058,5 @@ variable "admin_a11y_tracker_key" {
 type = string
 sensitive = true
 default = "prodonly"
-}
\ No newline at end of file
+}
+