diff --git a/lambda/bulk-ods-update/bulk_ods_update.py b/lambda/bulk-ods-update/bulk_ods_update.py index 0fab56b..dd088f3 100644 --- a/lambda/bulk-ods-update/bulk_ods_update.py +++ b/lambda/bulk-ods-update/bulk_ods_update.py @@ -8,6 +8,7 @@ from utils.enums.trud import OdsDownloadType, TrudItem from utils.models.ods_models import PracticeOds, IcbOds +from utils.services.ssm_service import SsmSecretManager from utils.services.trud_api_service import TrudApiService import logging @@ -33,7 +34,8 @@ def lambda_handler(event, context): download_type = determine_ods_manifest_download_type() ssm = boto3.client("ssm") trud_api_key_param = os.environ.get("TRUD_API_KEY_PARAM_NAME") - trud_api_key = ssm.get_parameter(trud_api_key_param) if trud_api_key_param else "" + ssm_service = SsmSecretManager(ssm) + trud_api_key = ssm_service.get_secret(trud_api_key_param) if trud_api_key_param else "" trud_service = TrudApiService( api_key=trud_api_key, api_url=os.environ.get("TRUD_FHIR_API_URL_PARAM_NAME"), diff --git a/stacks/gp-registrations-mi/terraform/iam-event-enrichment.tf b/stacks/gp-registrations-mi/terraform/iam-event-enrichment.tf index de482f3..f8f3f3a 100644 --- a/stacks/gp-registrations-mi/terraform/iam-event-enrichment.tf +++ b/stacks/gp-registrations-mi/terraform/iam-event-enrichment.tf @@ -20,7 +20,8 @@ resource "aws_iam_role" "bulk_ods_lambda" { aws_iam_policy.dynamodb_policy_bulk_icb_ods_data_lambda.arn, aws_iam_policy.dynamodb_policy_bulk_ods_data_lambda.arn, aws_iam_policy.bulk_ods_update_lambda_cloudwatch_log_access.arn, - aws_iam_policy.ods_csv_files_data_policy.arn + aws_iam_policy.ods_csv_files_data_policy.arn, + aws_iam_policy.bulk_ods_lambda_ssm_access.arn ] } 
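Review bot: The `else ""` fallback kept on the new `trud_api_key = ssm_service.get_secret(trud_api_key_param) if trud_api_key_param else ""` line means a deployment without `TRUD_API_KEY_PARAM_NAME` silently constructs `TrudApiService` with an empty key and only fails (or is rejected) once the TRUD API is actually called; a secret lookup should fail fast instead, e.g. `if not trud_api_key_param: raise ValueError("TRUD_API_KEY_PARAM_NAME is not set")` followed by `trud_api_key = ssm_service.get_secret(trud_api_key_param)`. The neighbouring `api_url=os.environ.get("TRUD_FHIR_API_URL_PARAM_NAME")` is passed straight through as the URL although its name suggests it holds an SSM parameter name like the key does; if it really is a parameter name it should be resolved through the same `SsmSecretManager`, and if it holds the URL itself the variable should be renamed — which is intended is not visible from this hunk. `lambda_handler` starts before this hunk.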
@@ -44,6 +45,24 @@ data "aws_iam_policy_document" "event_enrichment_lambda_ssm_access" { } } +resource "aws_iam_policy" "bulk_ods_lambda_ssm_access" { + name = "${var.environment}-bulk-ods-lambda-ssm-access" + policy = data.aws_iam_policy_document.bulk_ods_lambda_ssm_access.json +} + +data "aws_iam_policy_document" "bulk_ods_lambda_ssm_access" { + statement { + sid = "GetSSMParameter" + + actions = [ + "ssm:GetParameter" + ] + resources = [ + "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${data.aws_ssm_parameter.trud_api_key.name}", + ] + } +} + #SQS - inbound resource "aws_iam_policy" "incoming_mi_events_for_event_enrichment_lambda_sqs_read_access" { name = "${var.environment}-incoming-mi-events-enrichment-lambda-sqs-read" diff --git a/stacks/gp-registrations-mi/terraform/lambda-bulk-ods-update.tf b/stacks/gp-registrations-mi/terraform/lambda-bulk-ods-update.tf index 6b9a2d7..78e4076 100644 --- a/stacks/gp-registrations-mi/terraform/lambda-bulk-ods-update.tf +++ b/stacks/gp-registrations-mi/terraform/lambda-bulk-ods-update.tf @@ -2,7 +2,7 @@ resource "aws_lambda_function" "ods_bulk_update" { filename = var.bulk_ods_update_lambda_zip function_name = "${var.environment}-${var.ods_bulk_update_lambda_name}" role = aws_iam_role.bulk_ods_lambda.arn - handler = "ods_bulk_update.lambda_handler" + handler = "bulk_ods_update.lambda_handler" source_code_hash = filebase64sha256(var.bulk_ods_update_lambda_zip) runtime = "python3.12" timeout = 300
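Review bot: The resource ARN in the new `bulk_ods_lambda_ssm_access` statement is hand-assembled as `parameter${data.aws_ssm_parameter.trud_api_key.name}`, which is only right when the parameter name starts with `/`; for a name without a leading slash the real ARN ends in `parameter/<name>`, the concatenation yields `parameter<name>`, and the policy grants nothing, so the Lambda's `get_secret` call fails with AccessDenied. The data source already exposes the exact ARN, so use `resources = [data.aws_ssm_parameter.trud_api_key.arn]` and drop the region/account interpolation. Two things I cannot confirm from this hunk: if the parameter is a SecureString encrypted with a customer-managed KMS key, `ssm:GetParameter` alone is not enough and the role also needs `kms:Decrypt` on that key; and because `data.aws_ssm_parameter.trud_api_key` is read at plan time, the decrypted API key ends up in the Terraform state file unless that data source sets `with_decryption = false`.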