allow access ssm parameters

guardian · Jan 20, 2025 · 26e116b · 26e116b
1 parent 8f4af1b
commit 26e116b
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 27 deletions.
diff --git a/cdk/lib/__snapshots__/dotcom-components.test.ts.snap b/cdk/lib/__snapshots__/dotcom-components.test.ts.snap
diff --git a/cdk/lib/dotcom-components.ts b/cdk/lib/dotcom-components.ts
@@ -9,6 +9,7 @@ import {
 	GuStringParameter,
 } from '@guardian/cdk/lib/constructs/core';
 import {
+    GuAllowPolicy,
 	GuDynamoDBReadPolicy,
 	GuGetS3ObjectsPolicy,
 	GuPutCloudwatchMetricsPolicy,
@@ -207,7 +208,11 @@ chown -R dotcom-components:support /var/log/dotcom-components
 			new GuDynamoDBReadPolicy(this, 'DynamoBanditReadPolicy', {
 				tableName: `support-bandit-${this.stage}`,
 			}),
-		];
+            new GuAllowPolicy(this, 'SSMGet', {
+                actions: ['ssm:GetParameter'],
+                resources: ['*'],
+            }),
+        ];
 
 		const scaling: GuAsgCapacity = {
 			minimumInstances: this.stage === 'CODE' ? 1 : 3,
@@ -249,5 +254,5 @@ chown -R dotcom-components:support /var/log/dotcom-components
 		ec2App.autoScalingGroup.scaleOnCpuUtilization('CpuScalingPolicy', {
 			targetUtilizationPercent: 40,
 		});
-	}
+    }
 }
diff --git a/src/server/api/auxiaProxyRouter.ts b/src/server/api/auxiaProxyRouter.ts
@@ -1,5 +1,6 @@
 import express, { Router } from 'express';
 import { getSsmValue } from '../utils/ssm';
+import fetch from 'node-fetch';
 
 interface AuxiaApiRequestPayloadContextualAttributes {
     key: string;
@@ -52,17 +53,7 @@ interface AuxiaProxyResponseData {
     shouldShowSignInGate: boolean;
 }
 
-const buildAuxiaAPIRequestPayload = async (): Promise<AuxiaAPIRequestPayload> => {
-    const projectId = await getSsmValue('PROD', 'auxia-projectId');
-    if (projectId === undefined) {
-        throw new Error('auxia-projectId is undefined');
-    }
-
-    const userId = await getSsmValue('PROD', 'auxia-userId');
-    if (userId === undefined) {
-        throw new Error('auxia-userId is undefined');
-    }
-
+const buildAuxiaAPIRequestPayload = (projectId: string, userId: string): AuxiaAPIRequestPayload => {
     // For the moment we are hard coding the data provided in contextualAttributes and surfaces.
     return {
         projectId: projectId,
@@ -88,22 +79,19 @@ const buildAuxiaAPIRequestPayload = async (): Promise<AuxiaAPIRequestPayload> =>
     };
 };
 
-const fetchAuxiaData = async (): Promise<AuxiaAPIAnswerData> => {
+const fetchAuxiaData = async (
+    apiKey: string,
+    projectId: string,
+    userId: string,
+): Promise<AuxiaAPIAnswerData> => {
     const url = 'https://apis.auxia.io/v1/GetTreatments';
 
-    // We are hardcoding PROD for the moment, because I haven't created a CODE key
-    const apiKey = await getSsmValue('PROD', 'auxia-api-key');
-
-    if (apiKey === undefined) {
-        throw new Error('auxia-api-key is undefined');
-    }
-
     const headers = {
         'Content-Type': 'application/json',
         'x-api-key': apiKey,
     };
 
-    const payload = await buildAuxiaAPIRequestPayload();
+    const payload = await buildAuxiaAPIRequestPayload(projectId, userId);
 
     const params = {
         method: 'POST',
@@ -130,9 +118,37 @@ const buildAuxiaProxyResponseData = (auxiaData: AuxiaAPIAnswerData): AuxiaProxyR
     return { shouldShowSignInGate };
 };
 
-export const buildAuxiaProxyRouter = (): Router => {
-    const router = Router();
+interface AuxiaRouterConfig {
+    apiKey: string;
+    projectId: string;
+    userId: string;
+}
 
+export const getAuxiaRouterConfig = async (): Promise<AuxiaRouterConfig> => {
+    const apiKey = await getSsmValue('PROD', 'auxia-api-key');
+    if (apiKey === undefined) {
+        throw new Error('auxia-api-key is undefined');
+    }
+
+    const projectId = await getSsmValue('PROD', 'auxia-projectId');
+    if (projectId === undefined) {
+        throw new Error('auxia-projectId is undefined');
+    }
+
+    const userId = await getSsmValue('PROD', 'auxia-userId');
+    if (userId === undefined) {
+        throw new Error('auxia-userId is undefined');
+    }
+
+    return {
+        apiKey,
+        projectId,
+        userId,
+    };
+};
+
+export const buildAuxiaProxyRouter = (config: AuxiaRouterConfig): Router => {
+    const router = Router();
     router.post(
         '/auxia',
 
@@ -142,7 +158,11 @@ export const buildAuxiaProxyRouter = (): Router => {
 
         async (req: express.Request, res: express.Response, next: express.NextFunction) => {
             try {
-                const auxiaData = await fetchAuxiaData();
+                const auxiaData = await fetchAuxiaData(
+                    config.apiKey,
+                    config.projectId,
+                    config.userId,
+                );
                 const response = buildAuxiaProxyResponseData(auxiaData);
 
                 res.send(response);

diff --git a/src/server/server.ts b/src/server/server.ts
@@ -11,7 +11,7 @@ import { logError } from './utils/logging';
 import { buildEpicRouter } from './api/epicRouter';
 import { buildBannerRouter } from './api/bannerRouter';
 import { buildHeaderRouter } from './api/headerRouter';
-import { buildAuxiaProxyRouter } from './api/auxiaProxyRouter';
+import { buildAuxiaProxyRouter, getAuxiaRouterConfig } from './api/auxiaProxyRouter';
 import { buildAmpEpicRouter } from './api/ampEpicRouter';
 import { buildChannelSwitchesReloader } from './channelSwitches';
 import { buildSuperModeArticlesReloader } from './lib/superMode';
@@ -114,7 +114,7 @@ const buildApp = async (): Promise<Express> => {
         ),
     );
     app.use(buildHeaderRouter(channelSwitches, headerTests));
-    app.use(buildAuxiaProxyRouter());
+
     app.use('/amp', buildAmpEpicRouter(choiceCardAmounts, tickerData, ampEpicTests));
 
     app.use(errorHandlingMiddleware);
@@ -124,6 +124,8 @@ const buildApp = async (): Promise<Express> => {
         res.send('OK');
     });
 
+    app.use(buildAuxiaProxyRouter(await getAuxiaRouterConfig()));
+
     return Promise.resolve(app);
 };