SSM Parameters and Secrets

This repo automates the creation of SSM parameters for service credentials and also supports referencing parameters that already exist.

Two paths:

  • Create new parameters: set entries in ssm_parameters or rely on autowiring from iam_users.
  • Reference existing parameters: set existing = true and name.

Autowiring from IAM Users:

  • Root main.ssm_parameters.tf merges in username and SES v4 SMTP password for each iam_users entry that includes an ssm block and has created an access key.
  • Parameters are named by the paths in the user’s ssm block, e.g., /infra/smtp/username, /infra/smtp/password.
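
The "SES v4 SMTP password" that autowiring stores is not the IAM secret access key itself. The sketch below is an added example, not code from this repo: it implements AWS's published conversion of a secret access key into a region-bound SES SMTP password and checks whether a stored parameter value still matches the current key. The key, region names and the helper `parameter_is_current` are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Fixed inputs defined by AWS's published SES SMTP (SigV4) conversion.
DATE = "11111111"
SERVICE = "ses"
TERMINAL = "aws4_request"
MESSAGE = "SendRawEmail"
VERSION = 0x04


def _sign(key: bytes, msg: str) -> bytes:
    """One HMAC-SHA256 step of the key-derivation chain."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def ses_smtp_password_v4(secret_access_key: str, region: str) -> str:
    """Derive the SES SMTP password for one region from an IAM secret key."""
    key = _sign(("AWS4" + secret_access_key).encode("utf-8"), DATE)
    for part in (region, SERVICE, TERMINAL, MESSAGE):
        key = _sign(key, part)
    # A version byte is prepended before base64 encoding.
    return base64.b64encode(bytes([VERSION]) + key).decode("ascii")


def parameter_is_current(stored: str, secret_access_key: str, region: str) -> bool:
    """Hypothetical helper: constant-time check that the value held in the
    password parameter was derived from this key for this region."""
    expected = ses_smtp_password_v4(secret_access_key, region)
    return hmac.compare_digest(stored.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    old_key = "EXAMPLE/OLD/SECRET/KEY/NOT/REAL"  # constructed sample
    new_key = "EXAMPLE/NEW/SECRET/KEY/NOT/REAL"  # constructed sample
    stored = ses_smtp_password_v4(old_key, "us-east-1")
    # The stored value matches only the key and region it was derived from.
    print(parameter_is_current(stored, old_key, "us-east-1"))
    print(parameter_is_current(stored, old_key, "eu-west-1"))
    print(parameter_is_current(stored, new_key, "us-east-1"))
```

Because the region is part of the derivation, a password parameter written for one region does not authenticate against the SES SMTP endpoint of another, and rotating the access key invalidates the stored value.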

Module behavior:

  • modules/ssm_parameter creates parameters when existing = false and reads them when existing = true.

Example:

ssm_parameters = {
  # Optional manual entries; otherwise autowire handles iam_users.smtp
}

iam_users = {
  smtp_user = {
    name              = "smtp_user"
    create_access_key = true
    policy_arns       = ["SESSendOnly"]
    ssm = {
      username_param = "/infra/smtp/username"
      password_param = "/infra/smtp/password"
    }
  }
}