Merge pull request #99 from guardian/pf/lambdas-can-edit-their-secrets

Pollers can update their own secrets
guardian · Jan 14, 2025 · d47d778 · d47d778
2 parents 0acedf6 + d8ff01a
commit d47d778
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 4 deletions.
diff --git a/cdk/lib/__snapshots__/newswires.test.ts.snap b/cdk/lib/__snapshots__/newswires.test.ts.snap
@@ -2530,6 +2530,16 @@ exports[`The Newswires stack matches the snapshot 1`] = `
                 "Ref": "apPollerSecret4DA8E7BD",
               },
             },
+            {
+              "Action": [
+                "secretsmanager:PutSecretValue",
+                "secretsmanager:UpdateSecret",
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Ref": "apPollerSecret4DA8E7BD",
+              },
+            },
             {
               "Action": [
                 "sqs:ReceiveMessage",
@@ -3582,6 +3592,16 @@ dpkg -i /newswires/newswires.deb",
                 "Ref": "reutersSecretA9E37489",
               },
             },
+            {
+              "Action": [
+                "secretsmanager:PutSecretValue",
+                "secretsmanager:UpdateSecret",
+              ],
+              "Effect": "Allow",
+              "Resource": {
+                "Ref": "reutersSecretA9E37489",
+              },
+            },
             {
               "Action": [
                 "sqs:ReceiveMessage",

diff --git a/cdk/lib/constructs/pollerLambda.ts b/cdk/lib/constructs/pollerLambda.ts
@@ -103,6 +103,7 @@ export class PollerLambda {
 		});
 
 		secret.grantRead(lambda);
+		secret.grantWrite(lambda);
 
 		// wire up lambda to process its own queue
 		lambda.addEventSource(new SqsEventSource(lambdaQueue, { batchSize: 1 }));

diff --git a/poller-lambdas/src/index.ts b/poller-lambdas/src/index.ts
@@ -1,4 +1,7 @@
-import { GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';
+import {
+	GetSecretValueCommand,
+	PutSecretValueCommand,
+} from '@aws-sdk/client-secrets-manager';
 import type { SendMessageCommandInput } from '@aws-sdk/client-sqs';
 import { SendMessageCommand } from '@aws-sdk/client-sqs';
 import type { PollerId } from '../../shared/pollers';
@@ -14,12 +17,13 @@ const pollerWrapper =
 	(pollerFunction: PollFunction) =>
 	async ({ Records }: HandlerInputSqsPayload) => {
 		const startTimeEpochMillis = Date.now();
+		const secretName = getEnvironmentVariableOrCrash(
+			POLLER_LAMBDA_ENV_VAR_KEYS.SECRET_NAME,
+		);
 		const secret = await secretsManager
 			.send(
 				new GetSecretValueCommand({
-					SecretId: getEnvironmentVariableOrCrash(
-						POLLER_LAMBDA_ENV_VAR_KEYS.SECRET_NAME,
-					),
+					SecretId: secretName,
 				}),
 			)
 			.then((_) => _.SecretString);
@@ -90,6 +94,17 @@ const pollerWrapper =
 							MessageBody: output.valueForNextPoll,
 						});
 					}
+
+					if (output.newSecretValue) {
+						// set new value in secrets manager
+						console.log(`Updating secret value for ${secretName}`);
+						await secretsManager.send(
+							new PutSecretValueCommand({
+								SecretId: secretName,
+								SecretString: output.newSecretValue,
+							}),
+						);
+					}
 				})
 				.catch((error) => {
 					console.error('FAILED', error);

diff --git a/poller-lambdas/src/types.ts b/poller-lambdas/src/types.ts
@@ -7,6 +7,7 @@ export type PollerInput = string;
 export interface CorePollerOutput {
 	payloadForIngestionLambda: IngestorPayload[] | IngestorPayload;
 	valueForNextPoll: PollerInput;
+	newSecretValue?: SecretValue;
 }
 export type LongPollOutput = CorePollerOutput;