fix: fix dependency in reader_profile

Author: edersonbrilhante

modules/integrations/github_webhook_relay_destination/outputs.tf

@@ -4,7 +4,7 @@ output "role_arn" {
 }
 
 output "webhook" {
-  value       = try(jsondecode(data.aws_secretsmanager_secret_version.target[0].secret_string), null)
+  value       = try(data.external.fetch_secret_value[0].result.secret_value, null)
   sensitive   = true
   description = "Webhook relay and secret fetched from source account."
 }

modules/integrations/github_webhook_relay_destination/scripts/create_assume_profile.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+READER_ROLE_ARN="$1"
+SOURCE_ROLE_ARN="$2"
+SOURCE_SECRET_ARN="$3"
+AWS_PROFILE="$4"
+AWS_REGION="$5"
+
+############################################
+# 1. Assume the reader role (first hop)
+############################################
+aws sts assume-role \
+    --role-arn "$READER_ROLE_ARN" \
+    --role-session-name reader-temp \
+    --profile "$AWS_PROFILE" \
+    --region "$AWS_REGION" \
+    --query 'Credentials' \
+    --output json >/tmp/reader-creds.json
+
+aws configure set aws_access_key_id "$(jq -r .AccessKeyId /tmp/reader-creds.json)" --profile reader-temp
+aws configure set aws_secret_access_key "$(jq -r .SecretAccessKey /tmp/reader-creds.json)" --profile reader-temp
+aws configure set aws_session_token "$(jq -r .SessionToken /tmp/reader-creds.json)" --profile reader-temp
+
+############################################
+# 2. Assume the external secret source role (second hop)
+############################################
+aws sts assume-role \
+    --role-arn "$SOURCE_ROLE_ARN" \
+    --role-session-name source-temp \
+    --profile reader-temp \
+    --region "$AWS_REGION" \
+    --query 'Credentials' \
+    --output json >/tmp/source-creds.json
+
+aws configure set aws_access_key_id "$(jq -r .AccessKeyId /tmp/source-creds.json)" --profile source-temp
+aws configure set aws_secret_access_key "$(jq -r .SecretAccessKey /tmp/source-creds.json)" --profile source-temp
+aws configure set aws_session_token "$(jq -r .SessionToken /tmp/source-creds.json)" --profile source-temp
+
+############################################
+# 3. Use the final profile for AWS calls
+############################################
+SECRET_VALUE=$(aws secretsmanager get-secret-value \
+    --secret-id "$SOURCE_SECRET_ARN" \
+    --region "$AWS_REGION" \
+    --query 'SecretString' \
+    --profile source-temp \
+    --output text)
+
+# 4. Return as JSON to Terraform
+jq -n --arg secret_value "$SECRET_VALUE" '{"secret_value":$secret_value}'

modules/integrations/github_webhook_relay_destination/scripts/fetch_secret_value.sh

@@ -34,36 +34,25 @@ resource "aws_iam_role_policy" "allow_assume_external_inline" {
   policy = data.aws_iam_policy_document.allow_assume_external[0].json
 }
 
+# Use an external script that:
+# 1. Assumes the reader role (first hop)
+# 2. From that session, assumes the external source_secret_role_arn (second hop)
+# 3. Fetches the secret from source_secret_arn
+# 4. Returns the secret value to Terraform as JSON
+data "external" "fetch_secret_value" {
+  count = var.reader_config.enable_secret_fetch ? 1 : 0
 
-data "external" "reader_profile" {
   program = [
     "bash",
-    "${path.module}/scripts/create_assume_profile.sh",
+    "${path.module}/scripts/fetch_secret_value.sh",
     aws_iam_role.reader.arn,
+    var.reader_config.source_secret_role_arn,
+    var.reader_config.source_secret_arn,
     var.aws_profile,
-    "reader-temp",
     var.aws_region
   ]
 
-  depends_on = [aws_iam_role.reader]
-}
-
-
-provider "aws" {
-  alias   = "external_secret"
-  profile = data.external.reader_profile.result.profile
-  region  = var.reader_config.source_secret_region
-
-  dynamic "assume_role" {
-    for_each = var.reader_config.enable_secret_fetch ? [1] : []
-    content {
-      role_arn = var.reader_config.source_secret_role_arn
-    }
-  }
-}
-
-data "aws_secretsmanager_secret_version" "target" {
-  count     = var.reader_config.enable_secret_fetch ? 1 : 0
-  provider  = aws.external_secret
-  secret_id = var.reader_config.source_secret_arn
+  depends_on = [
+    aws_iam_role_policy.allow_assume_external_inline
+  ]
 }

modules/integrations/github_webhook_relay_destination/webhook_relay_source.tf

@@ -25,7 +25,7 @@ output "forge_webhook_relay" {
   description = "Webhook relay integration outputs."
   value = {
     source_secret_arn      = try(aws_secretsmanager_secret.github_webhook_relay[0].arn, null)
-    source_secret_role_arn = try(aws_iam_role.secret_reader[0].id, null)
+    source_secret_role_arn = try(aws_iam_role.secret_reader[0].arn, null)
   }
 }