Merge pull request #310 from nationalarchives/TDRD-461-adjust-env-var…

…iable-connection Tdrd 461 adjust env variable connection
nationalarchives · Jan 24, 2025 · 3b74b57 · 3b74b57
2 parents fb70bb3 + 44185cc
commit 3b74b57
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 17 deletions.
diff --git a/lambda/rotate_keycloak_secrets.tf b/lambda/rotate_keycloak_secrets.tf
@@ -11,11 +11,11 @@ resource "aws_lambda_function" "rotate_keycloak_secrets_lambda_function" {
   tags                           = var.common_tags
   environment {
     variables = {
-      AUTH_URL                       = var.auth_url
-      AUTH_SECRET_PATH               = var.rotate_secrets_client_path
-      ENVIRONMENT                    = local.environment
-      SNS_TOPIC                      = var.notifications_topic
-      CONSIGNMENT_API_CONNECTION_ARN = var.api_connection_arn
+      AUTH_URL                        = var.auth_url
+      AUTH_SECRET_PATH                = var.rotate_secrets_client_path
+      ENVIRONMENT                     = local.environment
+      SNS_TOPIC                       = var.notifications_topic
+      CONSIGNMENT_API_CONNECTION_NAME = var.api_connection_name
     }
   }
 
@@ -39,10 +39,10 @@ resource "aws_cloudwatch_log_group" "rotate_keycloak_secrets_lambda_log_group" {
 resource "aws_iam_policy" "rotate_keycloak_secrets_lambda_policy" {
   count = local.count_rotate_keycloak_secrets
   policy = templatefile("${path.module}/templates/rotate_keycloak_secrets_policy.json.tpl", {
-    account_id         = data.aws_caller_identity.current.account_id,
-    environment        = local.environment,
-    kms_arn            = var.kms_key_arn
-    api_connection_arn = var.api_connection_arn
+    account_id          = data.aws_caller_identity.current.account_id,
+    environment         = local.environment,
+    kms_arn             = var.kms_key_arn
+    api_connection_name = var.api_connection_name
   })
   name = "${upper(var.project)}RotateKeycloakSecretsLambdaPolicy${title(local.environment)}"
 }

diff --git a/lambda/templates/rotate_keycloak_secrets_policy.json.tpl b/lambda/templates/rotate_keycloak_secrets_policy.json.tpl
@@ -46,12 +46,7 @@
         "events:DescribeConnection",
         "events:UpdateConnection"
       ],
-      "Resource": "${api_connection_arn}",
-      "Condition": {
-        "StringEquals": {
-          "aws:SourceAccount": "${account_id}"
-        }
-      }
+      "Resource": "arn:aws:events:eu-west-2:${account_id}:connection/${api_connection_name}"
     }
   ]
 }
diff --git a/lambda/variables.tf b/lambda/variables.tf
@@ -381,7 +381,7 @@ variable "notifications_vpc_config" {
   }
 }
 
-variable "api_connection_arn" {
-  description = "Arn of the EventBridge connection for the Consignment Api"
+variable "api_connection_name" {
+  description = "Name of the EventBridge connection for the Consignment Api"
   default     = ""
 }