Merge pull request #265 from nationalarchives/TDRD-461-fix-connection…

…-secrets-rotation Fix api request to update connection api secret
nationalarchives · Jan 24, 2025 · 0e95b8f · 0e95b8f
2 parents bbfd428 + f6c3e77
commit 0e95b8f
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -42,4 +42,5 @@ AUTH_URL: https://auth.tdr-integration.nationalarchives.gov.uk
 AUTH_SECRET_PATH: /intg/keycloak/rotate_secrets_client/secret
 ENVIRONMENT: intg
 SNS_TOPIC: arn:aws:sns:eu-west-2:${intg_account_number}:tdr-notifications-intg
+CONSIGNMENT_API_CONNECTION_NAME: {name of the api connection for the environment}
 ```
diff --git a/src/main/resources/application.conf b/src/main/resources/application.conf
@@ -16,5 +16,5 @@ ssm {
   endpoint = "https://ssm.eu-west-2.amazonaws.com"
 }
 eventBridge {
-  consignmentApiConnectionArn = ${CONSIGNMENT_API_CONNECTION_ARN}
+  consignmentApiConnectionName = ${CONSIGNMENT_API_CONNECTION_NAME}
 }
diff --git a/src/main/scala/uk/gov/nationalarchives/rotate/ApplicationConfig.scala b/src/main/scala/uk/gov/nationalarchives/rotate/ApplicationConfig.scala
@@ -12,5 +12,5 @@ object ApplicationConfig {
   val ssmEndpoint: String = config.getString("ssm.endpoint")
   val snsEndpoint: String = config.getString("sns.endpoint")
   val snsTopic: String = config.getString("sns.topic")
-  val consignmentApiConnectionArn: String = config.getString("eventBridge.consignmentApiConnectionArn")
+  val consignmentApiConnectionName: String = config.getString("eventBridge.consignmentApiConnectionName")
 }
diff --git a/src/main/scala/uk/gov/nationalarchives/rotate/RotateClientSecrets.scala b/src/main/scala/uk/gov/nationalarchives/rotate/RotateClientSecrets.scala
@@ -34,7 +34,7 @@ class RotateClientSecrets(keycloakClient: Keycloak,
     EcsService(s"transferservice_service_$stage", s"transferservice_$stage")
   )
 
-  private def updateEventBridgeConnectionSecret(connectionArn: String, tdrClientId: String, secretValue: String): Message = {
+  private def updateEventBridgeConnectionSecret(connectionName: String, tdrClientId: String, secretValue: String): Message = {
 
     val updateSecretRequest: UpdateConnectionOAuthClientRequestParameters = UpdateConnectionOAuthClientRequestParameters.builder()
       .clientID(tdrClientId)
@@ -50,13 +50,14 @@ class RotateClientSecrets(keycloakClient: Keycloak,
       .build()
 
     val updateConnectionRequest = UpdateConnectionRequest.builder()
-      .name(connectionArn)
+      .authorizationType("OAUTH_CLIENT_CREDENTIALS")
+      .name(connectionName)
       .authParameters(updateConnectionAuthRequest)
       .build()
 
     Try {
       eventBridgeClient.updateConnection(updateConnectionRequest)
-      logger.info(s"EventBridge connection $connectionArn secret updated")
+      logger.info(s"EventBridge connection $connectionName secret updated")
       Message(s"EventBridge connections secrets using $tdrClientId updated")
     } match {
       case Failure(exception) =>
@@ -104,7 +105,7 @@ class RotateClientSecrets(keycloakClient: Keycloak,
               case Some(connectionClient) =>
                 List(
                   result.resultMessage,
-                  updateEventBridgeConnectionSecret(connectionClient.connectionArn, resultClient, result.newSecretValue.get)
+                  updateEventBridgeConnectionSecret(connectionClient.connectionName, resultClient, result.newSecretValue.get)
                 )
               case None =>
                 List(result.resultMessage)
@@ -123,7 +124,7 @@ class RotateClientSecrets(keycloakClient: Keycloak,
   }
 }
 object RotateClientSecrets {
-  case class ApiConnectionClient(tdrClient: String, connectionArn: String)
+  case class ApiConnectionClient(tdrClient: String, connectionName: String)
 
   val ssmClient: SsmClient = SsmClient.builder()
     .region(Region.EU_WEST_2)
@@ -151,7 +152,7 @@ object RotateClientSecrets {
   )
 
   val apiConnectionClients: Set[ApiConnectionClient] = Set(
-    ApiConnectionClient(tdrBackendChecksClient, consignmentApiConnectionArn)
+    ApiConnectionClient(tdrBackendChecksClient, consignmentApiConnectionName)
   )
 
   case class ClientSecretRotationResult(tdrClient: String, resultMessage: Message, newSecretValue: Option[String])

diff --git a/src/test/resources/application.conf b/src/test/resources/application.conf
@@ -16,5 +16,5 @@ ssm {
   endpoint = "http://localhost:8080"
 }
 eventBridge {
-  consignmentApiConnectionArn = "connectionArn"
+  consignmentApiConnectionName = "connectionName"
 }
diff --git a/src/test/scala/uk/gov/nationalarchives/rotate/ApplicationConfigSpec.scala b/src/test/scala/uk/gov/nationalarchives/rotate/ApplicationConfigSpec.scala
@@ -12,5 +12,6 @@ class ApplicationConfigSpec extends AnyFlatSpec with Matchers {
     ssmEndpoint should equal("http://localhost:8080")
     snsEndpoint should equal("test")
     snsTopic should equal("arn:aws:sns:region:account:name")
+    consignmentApiConnectionName should equal("connectionName")
   }
 }