Migrate from Secrets Manager to SSM Parameter Store

[Alexanderamiri]

Summary

• service-secret module: Replaced aws_secretsmanager_secret with aws_ssm_parameter (SecureString) at /{project}/apps/{service}/{name}. Outputs renamed: secret_arn → parameter_arn, secret_name → parameter_name
• service-rds module: Removed manage_master_user_password = true (which forced Secrets Manager). Now uses random_password + SSM parameter at /{project}/apps/{name}/db-master-password with ignore_changes on both the parameter value and RDS password
• ECS execution role: secretsmanager:GetSecretValue → ssm:GetParameters scoped to parameter/${project}/apps/*
• Identity Center developer permission set: secretsmanager:DescribeSecret/ListSecrets → ssm:DescribeParameters/GetParametersByPath
• registry.py: Updated output_map and exports for both secret and RDS entries
• All 5 doc files updated

Cost impact: Eliminates $0.40/secret/month Secrets Manager charges. SSM Parameter Store SecureString is free (standard tier).

Scoped access verified: All SSM permissions use specific ARN paths — no Resource = "*" on any read/write action. ECS execution role is scoped to parameter/${project}/apps/*.

Note: No RDS or service-secret resources are deployed yet, so this is a pure code change with no state migration needed.

Test plan

• terraform fmt -recursive passes
• terraform validate passes on platform/ and modules
• CI plan shows no unexpected changes (no secrets/RDS deployed yet)
• Verify ECS secrets block valueFrom works with SSM parameter ARNs (supported natively by ECS)

[github-actions]

Terraform Plan

🚧 Changes detected — Plan: 0 to add, 1 to change, 0 to destroy.

Plan output

Acquiring state lock. This may take a few moments...

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.iam.aws_iam_role_policy.ecs_execution_secrets will be updated in-place
  ~ resource "aws_iam_role_policy" "ecs_execution_secrets" {
        id     = "javabin-ecs-execution:secrets-read"
        name   = "secrets-read"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Action   = [
                          - "secretsmanager:GetSecretValue",
                          + "ssm:GetParameters",
                        ]
                      ~ Resource = "arn:aws:secretsmanager:eu-central-1:553637109631:secret:javabin/*" -> "arn:aws:ssm:eu-central-1:553637109631:parameter/javabin/apps/*"
                      + Sid      = "SSMAppSecrets"
                        # (1 unchanged attribute hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

---

LLM Review

Risk: 🟢 LOW

Routine IAM policy update migrating ECS execution role from Secrets Manager to SSM Parameter Store for application secrets access.

• ✅ [routine] Single in-place update to ECS execution role policy: replacing secretsmanager:GetSecretValue permission with ssm:GetParameters permission and updating resource ARN from Secrets Manager to SSM Parameter Store
• ✅ [routine] No resources being created, destroyed, or force-replaced. This is a straightforward permission scope change for the same role
• ✅ [routine] Migration from AWS Secrets Manager to SSM Parameter Store is a common operational pattern with no security degradation - both services provide encrypted secret storage