move CLOUDFRONT_VERIFY to secrets

Author: sorah

tf/cloudfront.tf

@@ -131,3 +131,8 @@ resource "aws_cloudfront_distribution" "main" {
 resource "random_bytes" "cloudfront_verify" {
   length = 32
 }
+resource "aws_ssm_parameter" "cloudfront_verify" {
+  name  = "${var.ssm_parameter_prefix}X_CLOUDFRONT_VERIFY"
+  type  = "SecureString"
+  value = random_bytes.cloudfront_verify.base64
+}

tf/iam_EcsExecSponsorApp.tf

@@ -62,7 +62,7 @@ data "aws_iam_policy_document" "EcsExecSponsorApp" {
     actions = [
       "ssm:GetParameters",
     ]
-    resources = ["arn:aws:ssm:*:${data.aws_caller_identity.current.account_id}:parameter/sponsor-app/*"]
+    resources = ["arn:aws:ssm:*:${data.aws_caller_identity.current.account_id}:parameter${var.ssm_parameter_prefix}*"]
   }
   statement {
     effect = "Allow"

tf/locals.tf

@@ -22,12 +22,12 @@ locals {
     # Conditional: SQS (only when enabled)
     JOB_ADAPTER     = var.enable_sqs ? "lambdakiq" : "inline"
     LAMBDAKIQ_QUEUE = var.enable_sqs ? aws_sqs_queue.lambdakiq[0].name : ""
-
-    CLOUDFRONT_VERIFY = random_bytes.cloudfront_verify.base64
   }
 
   # Empty for now, will be populated when SSM parameters are migrated to Terraform
-  default_secrets = {}
+  default_secrets = {
+    CLOUDFRONT_VERIFY = aws_ssm_parameter.cloudfront_verify.arn
+  }
 
   # Transform secrets to SSM_SECRET__ environment variables for dynamic loading
   secret_loader_environments = {

tf/variables.tf

@@ -103,6 +103,11 @@ variable "github_actions_sub" {
   description = "GitHub Actions OIDC subject for deployment role"
 }
 
+variable "ssm_parameter_prefix" {
+  type        = string
+  description = "Prefix for SSM parameter paths (include leading/trailing slashes)"
+}
+
 variable "environments" {
   type        = map(string)
   default     = {}