cisco-open · edersonbrilhante · Dec 11, 2025 · Dec 11, 2025 · Dec 11, 2025
diff --git a/modules/platform/forge_runners/arc_runners.tf b/modules/platform/forge_runners/arc_runners.tf
@@ -21,9 +21,9 @@ module "arc_runners" {
     ghes_org                            = var.deployment_config.github.ghes_org
     runner_iam_role_managed_policy_arns = local.runner_iam_role_managed_policy_arns
     github_app = {
-      key_base64      = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_key"].secret_string
-      id              = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_id"].secret_string
-      installation_id = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_installation_id"].secret_string
+      key_base64      = data.aws_ssm_parameter.github_app_key.value
+      id              = var.deployment_config.github_app.id
+      installation_id = var.deployment_config.github_app.installation_id
     }
     runner_group_name = var.deployment_config.github.runner_group_name
     runner_specs      = var.arc_deployment_specs.runner_specs

diff --git a/modules/platform/forge_runners/ec2_runners.tf b/modules/platform/forge_runners/ec2_runners.tf
@@ -37,9 +37,9 @@ module "ec2_runners" {
     logging_retention_in_days           = var.logging_retention_in_days
     runner_iam_role_managed_policy_arns = local.runner_iam_role_managed_policy_arns
     github_app = {
-      key_base64     = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_key"].secret_string
-      id             = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_id"].secret_string
-      webhook_secret = random_id.random[0].hex
+      key_base64     = data.aws_ssm_parameter.github_app_key.value
+      id             = var.deployment_config.github_app.id
+      webhook_secret = aws_ssm_parameter.github_app_webhook_secret.value
     }
     runner_group_name = var.deployment_config.github.runner_group_name
     runner_specs      = var.ec2_deployment_specs.runner_specs

diff --git a/modules/platform/forge_runners/github_actions_job_log.tf b/modules/platform/forge_runners/github_actions_job_log.tf
@@ -25,5 +25,4 @@ module "github_actions_job_logs" {
   event_bus_name            = module.ec2_runners[0].event_bus_name
   ghes_url                  = var.deployment_config.github.ghes_url
 
-  depends_on = [data.aws_secretsmanager_secret_version.data_cicd_secrets]
 }
diff --git a/modules/platform/forge_runners/github_app_runner_group.tf b/modules/platform/forge_runners/github_app_runner_group.tf
@@ -25,5 +25,4 @@ module "github_app_runner_group" {
   runner_group_name         = var.deployment_config.github.runner_group_name
   repository_selection      = var.deployment_config.github.repository_selection
 
-  depends_on = [data.aws_secretsmanager_secret_version.data_cicd_secrets]
 }
diff --git a/modules/platform/forge_runners/github_global_lock.tf b/modules/platform/forge_runners/github_global_lock.tf
@@ -20,6 +20,4 @@ module "github_global_lock" {
   logging_retention_in_days = var.logging_retention_in_days
   log_level                 = var.log_level
   tags                      = local.all_security_tags
-
-  depends_on = [data.aws_secretsmanager_secret_version.data_cicd_secrets]
 }
diff --git a/modules/platform/forge_runners/github_webhook_relay.tf b/modules/platform/forge_runners/github_webhook_relay.tf
@@ -13,6 +13,4 @@ module "github_webhook_relay" {
   tags                      = local.all_security_tags
 
   github_webhook_relay = var.github_webhook_relay
-
-  depends_on = [data.aws_secretsmanager_secret_version.data_cicd_secrets]
 }
diff --git a/modules/platform/forge_runners/locals.tf b/modules/platform/forge_runners/locals.tf
@@ -8,6 +8,6 @@ locals {
     ]
   )
 
-  github_app_installation = "${var.deployment_config.github.ghes_url == "" ? "https://github.com" : var.deployment_config.github.ghes_url}/apps/${data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_name"].secret_string}/installations/${data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_installation_id"].secret_string}"
+  github_app_installation = "${var.deployment_config.github.ghes_url == "" ? "https://github.com" : var.deployment_config.github.ghes_url}/apps/${var.deployment_config.github_app.name}}/installations/${var.deployment_config.github_app.installation_id}"
   github_api              = var.deployment_config.github.ghes_url == "" ? "https://api.github.com" : "https://api.${replace(var.deployment_config.github.ghes_url, "https://", "")}"
 }
diff --git a/modules/platform/forge_runners/outputs.tf b/modules/platform/forge_runners/outputs.tf
@@ -43,8 +43,8 @@ output "forge_github_app" {
   description = "GitHub App related outputs."
   value = {
     installation_url = local.github_app_installation
-    installation_id  = try(data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_installation_id"].secret_string, null)
-    name             = try(data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_name"].secret_string, null)
+    installation_id  = var.deployment_config.github_app.installation_id
+    name             = var.deployment_config.github_app.name
   }
   sensitive = true
 }
diff --git a/modules/platform/forge_runners/secrets.tf b/modules/platform/forge_runners/secrets.tf
diff --git a/modules/platform/forge_runners/ssm.tf b/modules/platform/forge_runners/ssm.tf
@@ -69,3 +69,8 @@ resource "random_password" "github_app_webhook_secret" {
     rotation = time_rotating.every_30_days.id
   }
 }
+
+data "aws_ssm_parameter" "github_app_key" {
+  name       = aws_ssm_parameter.github_app_key.name
+  depends_on = [aws_ssm_parameter.github_app_key]
+}
diff --git a/modules/platform/forge_runners/update_gh_app.tf b/modules/platform/forge_runners/update_gh_app.tf
@@ -3,15 +3,15 @@ resource "null_resource" "update_github_app_webhook" {
     ghes_org       = var.deployment_config.github.ghes_org
     ghes_url       = var.deployment_config.github.ghes_url
     webhook_url    = try(module.ec2_runners[0].webhook_endpoint, "https://cisco-open.github.io/forge")
-    secret         = try(random_id.random[0].hex, null)
-    secret_version = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_key"].id
+    secret         = aws_ssm_parameter.github_app_webhook_secret.value
+    secret_version = aws_ssm_parameter.github_app_webhook_secret.version
   }
 
   provisioner "local-exec" {
     environment = {
-      CLIENT_ID = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_client_id"].secret_string
+      CLIENT_ID = var.deployment_config.github_app.client_id
       PRIVATE_KEY = base64decode(
-        data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_key"].secret_string
+        data.aws_ssm_parameter.github_app_key.value
       )
       WEBHOOK_URL = self.triggers.webhook_url
       SECRET      = self.triggers.secret
@@ -21,8 +21,4 @@ resource "null_resource" "update_github_app_webhook" {
 
     command = "${path.module}/scripts/generate_and_patch_github_app.sh"
   }
-
-  depends_on = [
-    data.aws_secretsmanager_secret_version.data_cicd_secrets,
-  ]
 }