Provision SSM parameters for One Login secrets

[stephencdaly]

What problem does this pull request solve?

Trello card: https://trello.com/c/tKtA1VPQ/

Add parameters for storing the One Login client ID and private key.

Don't use them in forms-runner yet as they need to be set to valid values first.

Things to consider when reviewing

• Ensure that you consider the wider context.
• Does it work when run on your machine?
• Is it clear what the code is doing?
• Do the commit messages explain why the changes were made?
• Are there all the unit tests needed?
• Has all relevant documentation been updated?

Reminders

If you've made changes to the deployer role (files in modules/deployer-access):

• Remember to run make <environment> forms/account apply on the relevant environments (dev, staging, user-research, and/or prod)
• Check the #govuk-forms-deployment-notifications Slack channel to ensure the apply-forms-terraform-<environment> pipelines have run successfully

[Copilot]

Pull request overview

Adds new AWS SSM Parameter Store entries in the forms-runner Terraform module to hold GOV.UK One Login credentials (client ID + private key) per environment, without wiring them into the running service yet.

Changes:

• Provision /forms-runner-${env}/... SecureString parameters for One Login client ID and private key
• Use lifecycle.ignore_changes so values can be set/rotated out-of-band without Terraform overwriting them

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.