[PRMP-760] - add iam policy for ssm and use SSM service
NogaNHS committed Aug 27, 2024
1 parent 74e29e6 commit 064afd8
Showing 3 changed files with 24 additions and 3 deletions.
4 changes: 3 additions & 1 deletion lambda/bulk-ods-update/bulk_ods_update.py
Expand Up @@ -8,6 +8,7 @@

from utils.enums.trud import OdsDownloadType, TrudItem
from utils.models.ods_models import PracticeOds, IcbOds
from utils.services.ssm_service import SsmSecretManager
from utils.services.trud_api_service import TrudApiService

import logging
Expand All @@ -33,7 +34,8 @@ def lambda_handler(event, context):
download_type = determine_ods_manifest_download_type()
ssm = boto3.client("ssm")
trud_api_key_param = os.environ.get("TRUD_API_KEY_PARAM_NAME")
trud_api_key = ssm.get_parameter(trud_api_key_param) if trud_api_key_param else ""
ssm_service = SsmSecretManager(ssm)
trud_api_key = ssm_service.get_secret(trud_api_key_param) if trud_api_key_param else ""
trud_service = TrudApiService(
api_key=trud_api_key,
api_url=os.environ.get("TRUD_FHIR_API_URL_PARAM_NAME"),
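Review bot: When `TRUD_API_KEY_PARAM_NAME` is unset, `trud_api_key` silently degrades to `""` and `TrudApiService` is constructed with an empty key, so a misconfigured deployment fails later with an opaque upstream auth error instead of at startup; I would fail fast before the lookup: `if not trud_api_key_param: raise ValueError("TRUD_API_KEY_PARAM_NAME is not set")`. `SsmSecretManager.get_secret` is defined outside this hunk, so I cannot see whether it requests decryption; if the parameter is a SecureString it must call `get_parameter` with `WithDecryption=True`, and the role will additionally need `kms:Decrypt` if a customer-managed key is used. Also worth a look: `api_url` is fed from `TRUD_FHIR_API_URL_PARAM_NAME`, which by name looks like a parameter name rather than the URL itself — presumably pre-existing, but it suggests the same SSM lookup may be intended there. `lambda_handler` continues outside the hunk.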
21 changes: 20 additions & 1 deletion stacks/gp-registrations-mi/terraform/iam-event-enrichment.tf
Expand Up @@ -20,7 +20,8 @@ resource "aws_iam_role" "bulk_ods_lambda" {
aws_iam_policy.dynamodb_policy_bulk_icb_ods_data_lambda.arn,
aws_iam_policy.dynamodb_policy_bulk_ods_data_lambda.arn,
aws_iam_policy.bulk_ods_update_lambda_cloudwatch_log_access.arn,
aws_iam_policy.ods_csv_files_data_policy.arn
aws_iam_policy.ods_csv_files_data_policy.arn,
aws_iam_policy.bulk_ods_lambda_ssm_access.arn
]
}

Expand All @@ -44,6 +45,24 @@ data "aws_iam_policy_document" "event_enrichment_lambda_ssm_access" {
}
}

resource "aws_iam_policy" "bulk_ods_lambda_ssm_access" {
name = "${var.environment}-bulk-ods-lambda-ssm-access"
policy = data.aws_iam_policy_document.bulk_ods_lambda_ssm_access.json
}

data "aws_iam_policy_document" "bulk_ods_lambda_ssm_access" {
statement {
sid = "GetSSMParameter"

actions = [
"ssm:GetParameter"
]
resources = [
"arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${data.aws_ssm_parameter.trud_api_key.name}",
]
}
}

#SQS - inbound
resource "aws_iam_policy" "incoming_mi_events_for_event_enrichment_lambda_sqs_read_access" {
name = "${var.environment}-incoming-mi-events-enrichment-lambda-sqs-read"
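Review bot: The resource ARN in `bulk_ods_lambda_ssm_access` is assembled as `parameter${data.aws_ssm_parameter.trud_api_key.name}`, which is only correct when the parameter name begins with `/`; for a non-hierarchical name the ARN form is `parameter/NAME`, and the policy would then deny the Lambda's `GetParameter`. The data source already exposes the canonical ARN, so `resources = [data.aws_ssm_parameter.trud_api_key.arn]` is both simpler and correct in either case. Separately, a `data "aws_ssm_parameter"` read pulls the parameter's value into Terraform state at plan time; if this key is a SecureString, consider deriving the ARN from the name variable instead of reading the parameter, so the secret never lands in state. If the parameter is encrypted with a customer-managed KMS key the role also needs `kms:Decrypt` on that key for a decrypting `GetParameter` to succeed; the data source definition itself is outside this hunk, so I cannot confirm its type.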
Expand Up @@ -2,7 +2,7 @@ resource "aws_lambda_function" "ods_bulk_update" {
filename = var.bulk_ods_update_lambda_zip
function_name = "${var.environment}-${var.ods_bulk_update_lambda_name}"
role = aws_iam_role.bulk_ods_lambda.arn
handler = "ods_bulk_update.lambda_handler"
handler = "bulk_ods_update.lambda_handler"
source_code_hash = filebase64sha256(var.bulk_ods_update_lambda_zip)
runtime = "python3.12"
timeout = 300
