DO-1394: fix bug, and specify resource for SM permission

aligent · Dec 19, 2023 · 9d991eb · 9d991eb
1 parent 08dd424
commit 9d991eb
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 33 deletions.
diff --git a/packages/prerender-fargate/lib/recaching/prerender-recache-api-construct.api.ts b/packages/prerender-fargate/lib/recaching/prerender-recache-api-construct.api.ts
@@ -39,7 +39,6 @@ const QueueUrl = process.env.SQS_QUEUE_URL;
 const Bucket = process.env.PRERENDER_CACHE_BUCKET;
 
 export const MAX_URLS = 1000;
-// export const PARAM_PREFIX = "prerender/recache/tokens"; // TO-DO: parse TOKEN_SECRET into tokens and URLs
 
 const sqsClient = new SQSClient({});
 const s3Client = new S3Client({});
@@ -124,51 +123,26 @@ const getUrlsToRecache = async (body: string): Promise<string[]> => {
   }
 
   // Use SecretsManager
-
   const token = requestBody.prerenderToken;
-
-  //  { "tokenABC": "https://URL_A,https://URL_B,...", ..., "tokenXYZ":"https://URL_Y,https://URL_Z" }
-
   interface TokenSecret {
     [key: string]: string;
   }
 
-  // const prerenderToken = "tokenabc" // passed into recache function
-  // const recacheUrl = "" // url to be recached
-
-  // var secretsString = "{\"token11233\": \"https\", \"tokenabc\": \"https://aligent.com,https://example.com\"}"; // value from secrets manager
-
   console.log(`Looking for allowed urls in secretsmanager:${secret_name}`);
 
   const getAllowedUrls = new GetSecretValueCommand({
     SecretId: secret_name,
   });
-  console.log(getAllowedUrls);
 
-  // const ssmResponse = await ssmClient.send(getAllowedUrls);
   const smResponse = await smClient.send(getAllowedUrls);
 
   if (smResponse.SecretString === undefined) {
     throw "No secret found";
   }
 
-  const secretsString = JSON.parse(smResponse.SecretString);
-  var secretsData: TokenSecret = JSON.parse(secretsString); // parse data and define it as token secret
-
+  const secretsData: TokenSecret = JSON.parse(smResponse.SecretString);
   const allowedUrls = secretsData[token].split(","); // get comma delimited urls from string
 
-  // for (const url of urls) {
-  //   for (const allowedUrl of allowedUrls) {
-  //     if (allowedUrls && url.startsWith(allowedUrl)) {
-  //       // checks that allowedUrls is not undefined or empty and that it includes the requested url
-  //       // TODO: allow recache
-  //     }
-  //   }
-  // }
-
-  // allowedURLs : https://www.aligent.com.au,https://staging.aligent.com.au
-  // urls: https://www.aligent.com.au/abc,https://testing.aligent.com.au/abc
-
   console.log(`Allowed urls for ${token}: ${allowedUrls.join(", ")}`);
 
   const isValidUrlForToken = (url: string): boolean =>

diff --git a/packages/prerender-fargate/lib/recaching/prerender-recache-api-construct.ts b/packages/prerender-fargate/lib/recaching/prerender-recache-api-construct.ts
@@ -4,7 +4,7 @@ import { LambdaToSqsToLambda } from "@aws-solutions-constructs/aws-lambda-sqs-la
 import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
 import * as iam from "aws-cdk-lib/aws-iam";
 import { Bucket } from "aws-cdk-lib/aws-s3";
-import { Duration } from "aws-cdk-lib";
+import { Stack, Duration } from "aws-cdk-lib";
 
 /**
  * Options for the Prerender Recache API.
@@ -28,6 +28,9 @@ export interface PrerenderRecacheApiOptions {
 /**
  * Represents an API for recaching prerendered pages.
  */
+let region: string;
+let account: string;
+
 export class PrerenderRecacheApi extends Construct {
   readonly api: LambdaRestApi;
 
@@ -58,6 +61,8 @@ export class PrerenderRecacheApi extends Construct {
       queueProps: { visibilityTimeout: Duration.minutes(60) },
     });
   }
+  region = Stack.of(this).region;
+  account = Stack.of(this).account;
 }
 
 /**
@@ -92,13 +97,17 @@ const createApiLambdaFunction = (
   // });
 
   const smGetSecretPolicy = new iam.PolicyStatement({
-    actions: ["ssm:GetSecretValue"],
-    resources: ["*"], // TODO: use `arn:aws:secretsmanager:Region:AccountId:secret:${options.tokenSecret}`
+    actions: ["secretsmanager:GetSecretValue"],
+    resources: [
+      `arn:aws:secretsmanager:${region}:${account}:secret:${options.tokenSecret}`,
+    ],
   });
 
   const smDescribeSecretPolicy = new iam.PolicyStatement({
-    actions: ["ssm:DescribeSecret"],
-    resources: ["*"], // TODO: use `arn:aws:secretsmanager:Region:AccountId:secret:${options.tokenSecret}`
+    actions: ["secretsmanager:DescribeSecret"],
+    resources: [
+      `arn:aws:secretsmanager:${region}:${account}:secret:${options.tokenSecret}`,
+    ],
   });
 
   const s3DeleteObjectPolicy = new iam.PolicyStatement({

diff --git a/packages/prerender-fargate/package.json b/packages/prerender-fargate/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@aligent/cdk-prerender-fargate",
-  "version": "2.3.0-alpha4",
+  "version": "2.3.0-beta3",
   "description": "A construct to host Prerender in Fargate",
   "main": "index.js",
   "scripts": {