add ssm read policy to api lambda

packages/cdk/lib/transcription-service.ts

@@ -3,15 +3,18 @@ import { GuStack } from "@guardian/cdk/lib/constructs/core";
 import type { GuStackProps } from "@guardian/cdk/lib/constructs/core";
 import type { App } from "aws-cdk-lib";
 import { Runtime } from "aws-cdk-lib/aws-lambda";
+import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { GuardianAwsAccounts } from "@guardian/private-infrastructure-config";
 
 export class TranscriptionService extends GuStack {
   constructor(scope: App, id: string, props: GuStackProps) {
     super(scope, id, props);
 
     const APP_NAME = "transcription-service";
     const apiId = `${APP_NAME}-${props.stage}`
+    const ssmPrefix = `arn:aws:ssm:${props.env.region}:${GuardianAwsAccounts.Investigations}:parameter`;
 
-    new GuApiLambda(this, "transcription-service-api", {
+    const apiLambda = new GuApiLambda(this, "transcription-service-api", {
       fileName: "api.zip",
       handler: "index.api",
       runtime: Runtime.NODEJS_20_X,
@@ -24,5 +27,11 @@ export class TranscriptionService extends GuStack {
         description: "API for transcription service frontend",
       },
     });
+
+    apiLambda.addToRolePolicy(new PolicyStatement({
+      effect: Effect.ALLOW,
+      actions: ["ssm:GetParameter", "ssm:GetParametersByPath"],
+      resources: [`${ssmPrefix}/${this.stage}/${this.stack}/${APP_NAME}/*`],
+    }));
   }
 }

packages/cdk/package.json

@@ -16,6 +16,7 @@
     "@guardian/cdk": "53.0.3",
     "@guardian/eslint-config-typescript": "8.0.0",
     "@guardian/prettier": "5.0.0",
+    "@guardian/private-infrastructure-config": "github:guardian/private-infrastructure-config#v2.4.0",
     "@guardian/tsconfig": "^0.2.0",
     "@types/jest": "^29.5.11",
     "@types/node": "20.11.5",
@@ -70,4 +71,4 @@
       "jest.config.js"
     ]
   }
-}
+}