diff --git a/env/dev/README.md b/env/dev/README.md
index be50fcb..5e5c283 100644
--- a/env/dev/README.md
+++ b/env/dev/README.md
@@ -18,6 +18,8 @@ The optional components can be removed by simply deleting the `.tf` file.
 | [autoscale-perf.tf][edap] | Performance-based auto scaling | Yes |
 | [autoscale-time.tf][edat] | Time-based auto scaling | Yes |
 | [logs-logzio.tf][edll] | Ship container logs to logz.io | Yes |
+| [secretsmanager.tf][edsm] | Add a Secrets Manager secret with a CMK KMS key. Also gives app role and ECS task definition role access to read secrets from Secrets Manager | Yes |
+| [ssm-parameters.tf][ssm] | Add a CMK KMS key for use with SSM Parameter Store. Also gives ECS task definition role access to read secrets from parameter store. | Yes |
 
 
 ## Usage
@@ -92,3 +94,5 @@ $ terraform apply
 [edll]: logs-logzio.tf
 [alb-docs]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html
 [up]: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html
+[edsm]: secretsmanager.tf
+[ssm]: ssm-parameters.tf
diff --git a/env/dev/ecs-event-stream.tf b/env/dev/ecs-event-stream.tf
new file mode 100644
index 0000000..8fe7d35
--- /dev/null
+++ b/env/dev/ecs-event-stream.tf
@@ -0,0 +1,120 @@
+/**
+ * ECS Event Stream
+ * This component gives you full access to the ECS event logs
+ * for your cluster by creating a cloudwatch event rule that listens for 
+ * events for this cluster and calls a lambda that writes them to cloudwatch logs.
+ * It then adds a cloudwatch dashboard the displays the results of a
+ * logs insights query against the lambda logs
+ */
+
+# cw event rule
+resource "aws_cloudwatch_event_rule" "ecs_event_stream" {
+  name        = "${var.app}-${var.environment}-ecs-event-stream"
+  description = "Passes ecs event logs for ${var.app}-${var.environment} to a lambda that writes them to cw logs"
+
+  event_pattern = <<PATTERN
+  {
+    "detail": {
+      "clusterArn": ["${aws_ecs_cluster.app.arn}"]
+    }
+  }
+  
+PATTERN
+
+}
+
+resource "aws_cloudwatch_event_target" "ecs_event_stream" {
+  rule = aws_cloudwatch_event_rule.ecs_event_stream.name
+  arn  = aws_lambda_function.ecs_event_stream.arn
+}
+
+data "template_file" "lambda_source" {
+  template = <<EOF
+exports.handler = (event, context, callback) => {
+  console.log(JSON.stringify(event));
+}
+EOF
+
+}
+
+data "archive_file" "lambda_zip" {
+  type                    = "zip"
+  source_content          = data.template_file.lambda_source.rendered
+  source_content_filename = "index.js"
+  output_path             = "lambda-${var.app}.zip"
+}
+
+resource "aws_lambda_permission" "ecs_event_stream" {
+  statement_id  = "AllowExecutionFromCloudWatch"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.ecs_event_stream.arn
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.ecs_event_stream.arn
+}
+
+resource "aws_lambda_function" "ecs_event_stream" {
+  function_name    = "${var.app}-${var.environment}-ecs-event-stream"
+  role             = aws_iam_role.ecs_event_stream.arn
+  filename         = data.archive_file.lambda_zip.output_path
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+  handler          = "index.handler"
+  runtime          = "nodejs8.10"
+  tags             = var.tags
+}
+
+resource "aws_lambda_alias" "ecs_event_stream" {
+  name             = aws_lambda_function.ecs_event_stream.function_name
+  description      = "latest"
+  function_name    = aws_lambda_function.ecs_event_stream.function_name
+  function_version = "$LATEST"
+}
+
+resource "aws_iam_role" "ecs_event_stream" {
+  name = aws_cloudwatch_event_rule.ecs_event_stream.name
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_event_stream" {
+  role       = aws_iam_role.ecs_event_stream.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+# cloudwatch dashboard with logs insights query
+resource "aws_cloudwatch_dashboard" "ecs-event-stream" {
+  dashboard_name = "${var.app}-${var.environment}-ecs-event-stream"
+
+  dashboard_body = <<EOF
+{
+  "widgets": [
+    {
+      "type": "log",
+      "x": 0,
+      "y": 0,
+      "width": 24,
+      "height": 18,
+      "properties": {
+        "query": "SOURCE '/aws/lambda/${var.app}-${var.environment}-ecs-event-stream' | fields @timestamp as time, detail.desiredStatus as desired, detail.lastStatus as latest, detail.stoppedReason as reason, detail.containers.0.reason as container_reason, detail.taskDefinitionArn as task_definition\n| filter @type != \"START\" and @type != \"END\" and @type != \"REPORT\"\n| sort detail.updatedAt desc, detail.version desc\n| limit 100",
+        "region": "us-east-1",
+        "title": "ECS Event Log"
+      }
+    }
+  ]
+}
+EOF
+}
diff --git a/env/dev/ecs.tf b/env/dev/ecs.tf
index 7bde7b3..efa9458 100644
--- a/env/dev/ecs.tf
+++ b/env/dev/ecs.tf
@@ -172,9 +172,14 @@ resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_policy" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }
 
-resource "aws_cloudwatch_log_group" "logs" {
-  name = "/fargate/service/${var.app}-${var.environment}"
-  retention_in_days = "14"
-  tags = var.tags
+variable "logs_retention_in_days" {
+  type        = number
+  default     = 90
+  description = "Specifies the number of days you want to retain log events"
 }
 
+resource "aws_cloudwatch_log_group" "logs" {
+  name              = "/fargate/service/${var.app}-${var.environment}"
+  retention_in_days = var.logs_retention_in_days
+  tags              = var.tags
+}
diff --git a/env/dev/fargate-create.yml b/env/dev/fargate-create.yml
index a3d6543..2f6c40e 100644
--- a/env/dev/fargate-create.yml
+++ b/env/dev/fargate-create.yml
@@ -23,4 +23,19 @@ prompts:
     default: "no"
     filesToDeleteIfNo:
       - "logs-logzio.tf"      
-      - "logs-logzio.zip"
\ No newline at end of file
+      - "logs-logzio.zip"
+
+  - question: "Would you like to use Secrets Manager for secrets?"
+    default: "no"
+    filesToDeleteIfNo:
+      - "secretsmanager.tf"
+
+  - question: "Would you like to use SSM Parameter Store for secrets?"
+    default: "no"
+    filesToDeleteIfNo:
+      - "ssm-parameters.tf"
+
+  - question: "Would you like an ECS event log dashboard?"
+    default: "yes"
+    filesToDeleteIfNo:
+      - "ecs-event-stream.tf"      
diff --git a/env/dev/logs-logzio.tf b/env/dev/logs-logzio.tf
index 6c24498..cd30614 100644
--- a/env/dev/logs-logzio.tf
+++ b/env/dev/logs-logzio.tf
@@ -55,41 +55,39 @@ EOF
 
 #function code from logzio: https://github.com/logzio/cloudwatch-logs-shipper-lambda
 resource "aws_lambda_function" "lambda_logz" {
-function_name    = "${var.app}-${var.environment}-logz"
-description      = "Sends Cloudwatch logs to logz."
-runtime          = "python2.7"
-timeout          = 60
-memory_size      = 512
-role             = aws_iam_role.iam_for_lambda_logz.arn
-handler          = "lambda_function.lambda_handler"
-filename         = "logs-logzio.zip"
-source_code_hash = filebase64sha256("logs-logzio.zip")
+  function_name    = "${var.app}-${var.environment}-logz"
+  description      = "Sends Cloudwatch logs to logz."
+  runtime          = "python2.7"
+  timeout          = 60
+  memory_size      = 512
+  role             = aws_iam_role.iam_for_lambda_logz.arn
+  handler          = "lambda_function.lambda_handler"
+  filename         = "logs-logzio.zip"
+  source_code_hash = filebase64sha256("logs-logzio.zip")
 
-tags = var.tags
+  tags = var.tags
 
-environment {
-variables = {
-TOKEN = var.logz_token
-URL   = var.logz_url
-TYPE  = "elb"
-}
-}
+  environment {
+    variables = {
+      TOKEN = var.logz_token
+      URL   = var.logz_url
+      TYPE  = "elb"
+    }
+  }
 }
 
 resource "aws_lambda_permission" "allow_cloudwatch" {
-statement_id  = "${var.app}-${var.environment}-logz"
-action        = "lambda:InvokeFunction"
-function_name = aws_lambda_function.lambda_logz.arn
-principal     = "logs.${var.region}.amazonaws.com"
-source_arn    = aws_cloudwatch_log_group.logs.arn
+  statement_id  = "${var.app}-${var.environment}-logz"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.lambda_logz.arn
+  principal     = "logs.${var.region}.amazonaws.com"
+  source_arn    = aws_cloudwatch_log_group.logs.arn
 }
 
 resource "aws_cloudwatch_log_subscription_filter" "cloudwatch_lambda_subscription" {
-depends_on      = [aws_lambda_permission.allow_cloudwatch]
-name            = "${var.app}-${var.environment}-logz"
-log_group_name  = aws_cloudwatch_log_group.logs.name
-filter_pattern  = ""
-destination_arn = aws_lambda_function.lambda_logz.arn
-distribution    = "ByLogStream"
+  depends_on      = [aws_lambda_permission.allow_cloudwatch]
+  name            = "${var.app}-${var.environment}-logz"
+  log_group_name  = aws_cloudwatch_log_group.logs.name
+  filter_pattern  = ""
+  destination_arn = aws_lambda_function.lambda_logz.arn
 }
-
diff --git a/env/dev/main.tf b/env/dev/main.tf
index 4801fa1..2c7438b 100644
--- a/env/dev/main.tf
+++ b/env/dev/main.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.12.0"
+  required_version = ">= 0.12"
 
   backend "s3" {
     region  = "us-east-1"
@@ -45,4 +45,3 @@ output "scale_out" {
 output "aws_profile" {
   value = var.aws_profile
 }
-
diff --git a/env/dev/secretsmanager.tf b/env/dev/secretsmanager.tf
new file mode 100644
index 0000000..bcf5832
--- /dev/null
+++ b/env/dev/secretsmanager.tf
@@ -0,0 +1,283 @@
+# Allow for code reuse...
+locals {
+  # KMS write actions
+  kms_write_actions = [
+    "kms:CancelKeyDeletion",
+    "kms:CreateAlias",
+    "kms:CreateGrant",
+    "kms:CreateKey",
+    "kms:DeleteAlias",
+    "kms:DeleteImportedKeyMaterial",
+    "kms:DisableKey",
+    "kms:DisableKeyRotation",
+    "kms:EnableKey",
+    "kms:EnableKeyRotation",
+    "kms:Encrypt",
+    "kms:GenerateDataKey",
+    "kms:GenerateDataKeyWithoutPlaintext",
+    "kms:GenerateRandom",
+    "kms:GetKeyPolicy",
+    "kms:GetKeyRotationStatus",
+    "kms:GetParametersForImport",
+    "kms:ImportKeyMaterial",
+    "kms:PutKeyPolicy",
+    "kms:ReEncryptFrom",
+    "kms:ReEncryptTo",
+    "kms:RetireGrant",
+    "kms:RevokeGrant",
+    "kms:ScheduleKeyDeletion",
+    "kms:TagResource",
+    "kms:UntagResource",
+    "kms:UpdateAlias",
+    "kms:UpdateKeyDescription",
+  ]
+
+  # KMS read actions
+  kms_read_actions = [
+    "kms:Decrypt",
+    "kms:DescribeKey",
+    "kms:List*",
+  ]
+
+  # secretsmanager write actions
+  sm_write_actions = [
+    "secretsmanager:CancelRotateSecret",
+    "secretsmanager:CreateSecret",
+    "secretsmanager:DeleteSecret",
+    "secretsmanager:PutSecretValue",
+    "secretsmanager:RestoreSecret",
+    "secretsmanager:RotateSecret",
+    "secretsmanager:TagResource",
+    "secretsmanager:UntagResource",
+    "secretsmanager:UpdateSecret",
+    "secretsmanager:UpdateSecretVersionStage",
+  ]
+
+  # secretsmanager read actions
+  sm_read_actions = [
+    "secretsmanager:DescribeSecret",
+    "secretsmanager:List*",
+    "secretsmanager:GetRandomPassword",
+    "secretsmanager:GetSecretValue",
+  ]
+
+  # list of saml users for policies
+  saml_user_ids = flatten([
+    data.aws_caller_identity.current.user_id,
+    data.aws_caller_identity.current.account_id,
+    formatlist(
+      "%s:%s",
+      data.aws_iam_role.saml_role.unique_id,
+      var.secrets_saml_users,
+    ),
+  ])
+
+  # list of role users and saml users for policies
+  role_and_saml_ids = flatten([
+    "${aws_iam_role.app_role.unique_id}:*",
+    "${aws_iam_role.ecsTaskExecutionRole.unique_id}:*",
+    local.saml_user_ids,
+  ])
+
+  sm_arn = "arn:aws:secretsmanager:${var.region}:${data.aws_caller_identity.current.account_id}:secret:${var.app}-${var.environment}-??????"
+}
+
+# create the KMS key for this secret
+resource "aws_kms_key" "sm_kms_key" {
+  description = "${var.app}-${var.environment}"
+  policy      = data.aws_iam_policy_document.kms_resource_policy_doc.json
+  tags = merge(
+    var.tags,
+    {
+      "Name" = format("%s-%s", var.app, var.environment)
+    },
+  )
+}
+
+# alias for the key
+resource "aws_kms_alias" "sm_kms_alias" {
+  name          = "alias/${var.app}-${var.environment}"
+  target_key_id = aws_kms_key.sm_kms_key.key_id
+}
+
+# the kms key policy
+data "aws_iam_policy_document" "kms_resource_policy_doc" {
+  statement {
+    sid    = "DenyWriteToAllExceptSAMLUsers"
+    effect = "Deny"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.kms_write_actions
+    resources = ["*"]
+
+    condition {
+      test     = "StringNotLike"
+      variable = "aws:userId"
+      values   = local.saml_user_ids
+    }
+  }
+
+  statement {
+    sid    = "DenyReadToAllExceptRoleAndSAMLUsers"
+    effect = "Deny"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.kms_read_actions
+    resources = ["*"]
+
+    condition {
+      test     = "StringNotLike"
+      variable = "aws:userId"
+      values   = local.role_and_saml_ids
+    }
+  }
+
+  statement {
+    sid    = "AllowWriteToSAMLUsers"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.kms_write_actions
+    resources = ["*"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:userId"
+      values   = local.saml_user_ids
+    }
+  }
+
+  statement {
+    sid    = "AllowReadRoleAndSAMLUsers"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.kms_read_actions
+    resources = ["*"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:userId"
+      values   = local.role_and_saml_ids
+    }
+  }
+}
+
+# create the secretsmanager secret
+resource "aws_secretsmanager_secret" "sm_secret" {
+  name       = "${var.app}-${var.environment}"
+  kms_key_id = aws_kms_key.sm_kms_key.key_id
+  tags       = var.tags
+  policy     = data.aws_iam_policy_document.sm_resource_policy_doc.json
+}
+
+# create the placeholder secret json
+resource "aws_secretsmanager_secret_version" "initial" {
+  secret_id     = aws_secretsmanager_secret.sm_secret.id
+  secret_string = "{}"
+}
+
+# get the saml user info so we can get the unique_id
+data "aws_iam_role" "saml_role" {
+  name = var.saml_role
+}
+
+# resource policy doc that limits access to secret
+data "aws_iam_policy_document" "sm_resource_policy_doc" {
+  statement {
+    sid    = "DenyWriteToAllExceptSAMLUsers"
+    effect = "Deny"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.sm_write_actions
+    resources = [local.sm_arn]
+
+    condition {
+      test     = "StringNotLike"
+      variable = "aws:userId"
+      values   = local.saml_user_ids
+    }
+  }
+
+  statement {
+    sid    = "DenyReadToAllExceptRoleAndSAMLUsers"
+    effect = "Deny"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.sm_read_actions
+    resources = [local.sm_arn]
+
+    condition {
+      test     = "StringNotLike"
+      variable = "aws:userId"
+      values   = local.role_and_saml_ids
+    }
+  }
+
+  statement {
+    sid    = "AllowWriteToSAMLUsers"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.sm_write_actions
+    resources = [local.sm_arn]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:userId"
+      values   = local.saml_user_ids
+    }
+  }
+
+  statement {
+    sid    = "AllowReadRoleAndSAMLUsers"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.sm_read_actions
+    resources = [local.sm_arn]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:userId"
+      values   = local.role_and_saml_ids
+    }
+  }
+}
+
+# The users (email addresses) from the saml role to give access
+variable "secrets_saml_users" {
+  type = list(string)
+}
diff --git a/env/dev/ssm-parameters.tf b/env/dev/ssm-parameters.tf
new file mode 100644
index 0000000..80d2bf1
--- /dev/null
+++ b/env/dev/ssm-parameters.tf
@@ -0,0 +1,199 @@
+locals {
+  # KMS write actions
+  kms_write_actions = [
+    "kms:CancelKeyDeletion",
+    "kms:CreateAlias",
+    "kms:CreateGrant",
+    "kms:CreateKey",
+    "kms:DeleteAlias",
+    "kms:DeleteImportedKeyMaterial",
+    "kms:DisableKey",
+    "kms:DisableKeyRotation",
+    "kms:EnableKey",
+    "kms:EnableKeyRotation",
+    "kms:Encrypt",
+    "kms:GenerateDataKey",
+    "kms:GenerateDataKeyWithoutPlaintext",
+    "kms:GenerateRandom",
+    "kms:GetKeyPolicy",
+    "kms:GetKeyRotationStatus",
+    "kms:GetParametersForImport",
+    "kms:ImportKeyMaterial",
+    "kms:PutKeyPolicy",
+    "kms:ReEncryptFrom",
+    "kms:ReEncryptTo",
+    "kms:RetireGrant",
+    "kms:RevokeGrant",
+    "kms:ScheduleKeyDeletion",
+    "kms:TagResource",
+    "kms:UntagResource",
+    "kms:UpdateAlias",
+    "kms:UpdateKeyDescription",
+  ]
+
+  # KMS read actions
+  kms_read_actions = [
+    "kms:Decrypt",
+    "kms:DescribeKey",
+    "kms:List*",
+  ]
+
+  # list of saml users for policies
+  saml_user_ids = flatten([
+    data.aws_caller_identity.current.user_id,
+    data.aws_caller_identity.current.account_id,
+    formatlist(
+      "%s:%s",
+      data.aws_iam_role.saml_role_ssm.unique_id,
+      var.secrets_saml_users,
+    ),
+  ])
+
+  # list of role users and saml users for policies
+  role_and_saml_ids = flatten([
+    "${aws_iam_role.ecsTaskExecutionRole.unique_id}:*",
+    local.saml_user_ids,
+  ])
+}
+
+# get the saml user info so we can get the unique_id
+data "aws_iam_role" "saml_role_ssm" {
+  name = var.saml_role
+}
+
+# The users (email addresses) from the saml role to give access
+# case sensitive
+variable "secrets_saml_users" {
+  type = list(string)
+}
+
+# kms key used to encrypt ssm parameters
+resource "aws_kms_key" "ssm" {
+  description             = "ssm parameters key for ${var.app}-${var.environment}"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  tags                    = var.tags
+  policy                  = data.aws_iam_policy_document.ssm.json
+}
+
+resource "aws_kms_alias" "ssm" {
+  name          = "alias/${var.app}-${var.environment}"
+  target_key_id = "${aws_kms_key.ssm.id}"
+}
+
+data "aws_iam_policy_document" "ssm" {
+  statement {
+    sid    = "DenyWriteToAllExceptSAMLUsers"
+    effect = "Deny"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.kms_write_actions
+    resources = ["*"]
+
+    condition {
+      test     = "StringNotLike"
+      variable = "aws:userId"
+      values   = local.saml_user_ids
+    }
+  }
+
+  statement {
+    sid    = "DenyReadToAllExceptRoleAndSAMLUsers"
+    effect = "Deny"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.kms_read_actions
+    resources = ["*"]
+
+    condition {
+      test     = "StringNotLike"
+      variable = "aws:userId"
+      values   = local.role_and_saml_ids
+    }
+  }
+
+  statement {
+    sid    = "AllowWriteToSAMLUsers"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.kms_write_actions
+    resources = ["*"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:userId"
+      values   = local.saml_user_ids
+    }
+  }
+
+  statement {
+    sid    = "AllowReadRoleAndSAMLUsers"
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions   = local.kms_read_actions
+    resources = ["*"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:userId"
+      values   = local.role_and_saml_ids
+    }
+  }
+}
+
+# allow ecs task execution role to read this app's parameters
+resource "aws_iam_policy" "ecsTaskExecutionRole_ssm" {
+  name        = "${var.app}-${var.environment}-ecs-ssm"
+  path        = "/"
+  description = "allow ecs task execution role to read this app's parameters"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameters"
+      ],
+      "Resource": "arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter/${var.app}/${var.environment}/*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_ssm" {
+  role       = aws_iam_role.ecsTaskExecutionRole.name
+  policy_arn = aws_iam_policy.ecsTaskExecutionRole_ssm.arn
+}
+
+output "ssm_add_secret" {
+  value = "aws ssm put-parameter --overwrite --type \"SecureString\" --key-id \"${aws_kms_alias.ssm.name}\" --name \"/${var.app}/${var.environment}/PASSWORD\" --value \"password\""
+}
+
+output "ssm_add_secret_ref" {
+  value = "fargate service env set --secret PASSWORD=/${var.app}/${var.environment}/PASSWORD"
+}
+
+output "ssm_key_id" {
+  value = aws_kms_key.ssm.key_id
+}
\ No newline at end of file