Configure secrets

The AWS stack creates Secrets Manager entries and returns their ARNs:

tofu output -json secret_arns

Do not place secret values in terraform.tfvars or Terraform state.

Populate these secrets after the first apply:

Secret                         Value
database_url                   PostgreSQL connection string for the Helmr database.
worker_token_signing_key       High-entropy signing key.
auth_secret                    High-entropy auth secret.
secret_encryption_key          Base64-encoded 32-byte key.
checkpoint_encryption_key      Base64-encoded 32-byte key.
worker_bootstrap_token         High-entropy worker bootstrap token.
setup_token                    High-entropy token for first organization setup.
github_oauth_client_secret     GitHub OAuth client secret.

The Terraform/OpenTofu stack creates empty Secrets Manager entries. It does not generate Helmr internal secret values. Use the bootstrap helper from the AWS profile directory to generate the internal values locally and write them directly to Secrets Manager:

../../../scripts/aws-bootstrap-helmr-secrets.sh

Set these environment variables to populate application secrets in the same run:

  • HELMR_DATABASE_URL
  • HELMR_GITHUB_OAUTH_CLIENT_SECRET

The helper uses tofu output -json secret_arns by default. Set TOFU=terraform when using Terraform, and set OVERWRITE_SECRETS=1 only when intentionally rotating existing values.

Use the RDS endpoint output when building the database URL:

tofu output postgres_endpoint

Read the generated RDS master password from the RDS-managed secret:

aws secretsmanager get-secret-value \
  --secret-id "$(tofu output -raw database_master_user_secret_arn)" \
  --query SecretString \
  --output text | jq -r '.password'

The format is:

postgres://helmr:<password>@<postgres_endpoint>/helmr?sslmode=require

Write a value with AWS CLI:

aws secretsmanager put-secret-value \
  --secret-id <secret_arn> \
  --secret-string '<secret_value>'
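The steps above (generate the internal values locally, build database_url from the RDS-managed master password and the endpoint output, write each value with the AWS CLI) as one POSIX shell script. This is an added example, not the project's aws-bootstrap-helmr-secrets.sh; it assumes aws, tofu and jq on PATH, that `tofu output -json secret_arns` is a flat map from secret name to ARN, and that the RDS master password is ASCII. The OVERWRITE_SECRETS guard mirrors the helper's documented switch, but its skip logic is this example's own.

```shell
#!/bin/sh
# Added example, not the Helmr project's own helper. Assumes: aws, tofu, jq on PATH;
# stack outputs secret_arns (map name -> ARN), postgres_endpoint, database_master_user_secret_arn.
set -eu

# 32 random bytes, base64-encoded: the shape secret_encryption_key and checkpoint_encryption_key expect.
gen_b64_key() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# 32 random bytes as 64 hex characters, for the high-entropy tokens and signing keys.
gen_hex_token() { head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'; }

# Succeeds only if the base64 value decodes to exactly 32 bytes; catches a 16- or 64-byte key
# or a truncated paste before it reaches Secrets Manager.
check_b64_32() {
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "${n:-0}" -eq 32 ]
}

# Percent-encode the password for the URL userinfo (ASCII input assumed). A master password
# containing '@', '/' or ':' would otherwise be parsed as part of the host or path.
urlencode() {
  s=$1; out=''
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# database_url in the documented format: postgres://helmr:<password>@<postgres_endpoint>/helmr?sslmode=require
build_database_url() {
  printf 'postgres://helmr:%s@%s/helmr?sslmode=require' "$(urlencode "$1")" "$2"
}

# Write one secret. Refuses to replace an existing value unless OVERWRITE_SECRETS=1.
put_secret() {
  arn=$1; value=$2
  if [ "${OVERWRITE_SECRETS:-0}" != "1" ] &&
     aws secretsmanager get-secret-value --secret-id "$arn" --query SecretString --output text >/dev/null 2>&1; then
    echo "skip $arn: already has a value (set OVERWRITE_SECRETS=1 to rotate)" >&2
    return 0
  fi
  aws secretsmanager put-secret-value --secret-id "$arn" --secret-string "$value" >/dev/null
}

# ARN lookup from the stack outputs; TOFU=terraform switches the binary as the real helper does.
secret_arn() { "${TOFU:-tofu}" output -json secret_arns | jq -r --arg k "$1" '.[$k]'; }

main() {
  for key in secret_encryption_key checkpoint_encryption_key; do
    v=$(gen_b64_key); check_b64_32 "$v"; put_secret "$(secret_arn "$key")" "$v"
  done
  for key in worker_token_signing_key auth_secret worker_bootstrap_token setup_token; do
    put_secret "$(secret_arn "$key")" "$(gen_hex_token)"
  done
  # database_url: honour HELMR_DATABASE_URL if given, else build it from the RDS-managed password.
  db_url=${HELMR_DATABASE_URL:-}
  if [ -z "$db_url" ]; then
    pw=$(aws secretsmanager get-secret-value \
          --secret-id "$("${TOFU:-tofu}" output -raw database_master_user_secret_arn)" \
          --query SecretString --output text | jq -r '.password')
    db_url=$(build_database_url "$pw" "$("${TOFU:-tofu}" output -raw postgres_endpoint)")
  fi
  put_secret "$(secret_arn database_url)" "$db_url"
  # The GitHub OAuth client secret comes from the environment, as with the helper.
  if [ -n "${HELMR_GITHUB_OAUTH_CLIENT_SECRET:-}" ]; then
    put_secret "$(secret_arn github_oauth_client_secret)" "$HELMR_GITHUB_OAUTH_CLIENT_SECRET"
  fi
}

# Only acts when invoked as `sh bootstrap-secrets.sh run`; sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then main; fi
```

Values never touch terraform.tfvars or state: they exist only in the process environment and in Secrets Manager, and a re-run without OVERWRITE_SECRETS=1 leaves populated secrets untouched.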

When email_provider = "resend" is set, the stack creates a secret_arns.resend_api_key Secrets Manager secret. Populate it with the raw Resend API key before starting the control service.

When email_provider = "smtp" and smtp_password_enabled = true are set, the stack creates a secret_arns.smtp_password Secrets Manager secret. Populate it with the raw SMTP password before starting the control service.