Open
Description
Problem
`deploy/terraform/environments/dev/terraform.tfvars` contains a plaintext OpenAI API key (`embedding_api_key`). While the file is properly .gitignored and not committed, having secrets in local files is fragile — one misconfigured gitignore rule or copy-paste and it's leaked.
The deploy script already has `refresh-env.sh` that pulls secrets from SSM at deploy time, so the pattern for runtime secrets is already correct. The gap is the Terraform apply path.
Proposed Changes
- Store the OpenAI API key in AWS SSM Parameter Store (SecureString) or Secrets Manager
- Reference it in Terraform via `data "aws_ssm_parameter"` instead of a variable in tfvars
- Remove `embedding_api_key` from `variables.tf` and `terraform.tfvars.example`
- Rotate the current key since it's been on disk in plaintext
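The proposed apply-path change, as an added example (not this repository's own Terraform): the parameter path `/dev/embedding/openai_api_key`, the region, the task execution role variable and the container image are assumptions chosen for illustration. It shows the data source replacing the tfvars variable, and one consumer that takes the parameter ARN rather than the decrypted value.

```hcl
# Added example, not project code. Assumes the SecureString was created
# out of band, e.g.:
#   aws ssm put-parameter --name /dev/embedding/openai_api_key \
#     --type SecureString --value "$OPENAI_API_KEY"
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

# ARN of the ECS task execution role (assumed to exist elsewhere). It needs
# ssm:GetParameters and kms:Decrypt on the parameter for valueFrom to work.
variable "task_execution_role_arn" {
  type = string
}

# Before (what the issue describes): the key arrived via terraform.tfvars.
#   variable "embedding_api_key" { type = string, sensitive = true }
#
# After: fetch it from SSM at plan/apply time. with_decryption is true by
# default; shown explicitly so the KMS dependency is visible. The identity
# running terraform needs ssm:GetParameter plus kms:Decrypt on the key.
data "aws_ssm_parameter" "embedding_api_key" {
  name            = "/dev/embedding/openai_api_key" # assumed path
  with_decryption = true
}

# Consumer that never sees the plaintext in its definition: ECS resolves the
# parameter at container start from the ARN. Only the ARN is interpolated
# into the task definition JSON.
resource "aws_ecs_task_definition" "embedding" {
  family                   = "embedding"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = var.task_execution_role_arn
  container_definitions = jsonencode([{
    name      = "embedding"
    image     = "example/embedding:latest" # placeholder
    essential = true
    secrets = [{
      name      = "OPENAI_API_KEY"
      valueFrom = data.aws_ssm_parameter.embedding_api_key.arn
    }]
  }])
}

# If a module really needs the raw value, keep it marked sensitive so
# plan/apply output redacts it.
output "embedding_api_key" {
  value     = data.aws_ssm_parameter.embedding_api_key.value
  sensitive = true
}
```

Caveat worth stating on the issue: the data source's decrypted `value` is still recorded in Terraform state even when only `arn` is referenced, so this moves the secret from a local tfvars file into the state file. That is an improvement only if the state backend is encrypted at rest and its bucket or backend is access-controlled at least as tightly as the SSM parameter itself; treat the state backend as part of the secret's storage and include it in the rotation checklist.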
Context
Discovered during APTL requirements investigation — not urgent but should be cleaned up before any contributor onboarding.