From ee35a3c8a43cf8fdf8079837983c9f923ec79846 Mon Sep 17 00:00:00 2001
From: Marjan Kalanaki
Date: Tue, 23 Jan 2024 18:15:54 +0000
Subject: [PATCH] add ssm read policy to api lambda

---
 package-lock.json | 6 ++++++
 packages/cdk/lib/transcription-service.ts | 11 ++++++++++-
 packages/cdk/package.json | 3 ++-
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 61951d95..ba660616 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1834,6 +1834,11 @@
 "tslib": "^2.6.2"
 }
 },
+ "node_modules/@guardian/private-infrastructure-config": {
+ "version": "2.3.0",
+ "resolved": "git+ssh://git@github.com/guardian/private-infrastructure-config.git#5242448b2aabea0e5d7c1729d49113709428f5b3",
+ "dev": true
+ },
 "node_modules/@guardian/tsconfig": {
 "version": "0.2.0",
 "resolved": "https://registry.npmjs.org/@guardian/tsconfig/-/tsconfig-0.2.0.tgz",
@@ -9920,6 +9925,7 @@
 "@guardian/cdk": "53.0.3",
 "@guardian/eslint-config-typescript": "8.0.0",
 "@guardian/prettier": "5.0.0",
+ "@guardian/private-infrastructure-config": "github:guardian/private-infrastructure-config#v2.4.0",
 "@guardian/tsconfig": "^0.2.0",
 "@types/jest": "^29.5.11",
 "@types/node": "20.11.5",
diff --git a/packages/cdk/lib/transcription-service.ts b/packages/cdk/lib/transcription-service.ts
index 58a5533b..005863ac 100644
--- a/packages/cdk/lib/transcription-service.ts
+++ b/packages/cdk/lib/transcription-service.ts
@@ -3,6 +3,8 @@ import { GuStack } from "@guardian/cdk/lib/constructs/core";
 import type { GuStackProps } from "@guardian/cdk/lib/constructs/core";
 import type { App } from "aws-cdk-lib";
 import { Runtime } from "aws-cdk-lib/aws-lambda";
+import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
+import { GuardianAwsAccounts } from "@guardian/private-infrastructure-config";
 
 export class TranscriptionService extends GuStack {
 constructor(scope: App, id: string, props: GuStackProps) {
@@ -10,8 +12,9 @@ export class TranscriptionService extends GuStack {
 
 const APP_NAME = "transcription-service";
 const apiId = `${APP_NAME}-${props.stage}`
+ const ssmPrefix = `arn:aws:ssm:${props.env.region}:${GuardianAwsAccounts.Investigations}:parameter`;
 
- new GuApiLambda(this, "transcription-service-api", {
+ const apiLambda = new GuApiLambda(this, "transcription-service-api", {
 fileName: "api.zip",
 handler: "index.api",
 runtime: Runtime.NODEJS_20_X,
@@ -24,5 +27,11 @@ export class TranscriptionService extends GuStack {
 description: "API for transcription service frontend",
 },
 });
+
+ apiLambda.addToRolePolicy(new PolicyStatement({
+ effect: Effect.ALLOW,
+ actions: ["ssm:GetParameter", "ssm:GetParametersByPath"],
+ resources: [`${ssmPrefix}/${this.stage}/${this.stack}/${APP_NAME}/*`],
+ }));
 }
 }
diff --git a/packages/cdk/package.json b/packages/cdk/package.json
index c3f47b7e..29fd55e6 100644
--- a/packages/cdk/package.json
+++ b/packages/cdk/package.json
@@ -16,6 +17,7 @@
 "@guardian/cdk": "53.0.3",
 "@guardian/eslint-config-typescript": "8.0.0",
 "@guardian/prettier": "5.0.0",
+ "@guardian/private-infrastructure-config": "github:guardian/private-infrastructure-config#v2.4.0",
 "@guardian/tsconfig": "^0.2.0",
 "@types/jest": "^29.5.11",
 "@types/node": "20.11.5",
@@ -70,4 +71,4 @@
 "jest.config.js"
 ]
 }
-}
\ No newline at end of file
+}
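Review bot: The `ssmPrefix` template literal added in the second hunk dereferences `props.env.region`, but `env` (and `region` inside it) is optional on CDK's `StackProps`, so unless `GuStackProps` narrows it this only compiles with strictNullChecks off and silently produces `undefined` in the ARN when no env is supplied. The stack already knows its own placement, so `${this.region}:${this.account}` removes that assumption and, if the parameters live in the deploying account, also drops the hard-coded `GuardianAwsAccounts.Investigations` so the grant cannot drift from where the stack is actually deployed; if cross-account reads are intended, a one-line comment saying so would save the next reader the question. In the third hunk the statement grants only `ssm:GetParameter`/`ssm:GetParametersByPath`, which is appropriately narrow, but any SecureString under that path will additionally need `kms:Decrypt` on its key, so a comment like `// plain-text parameters only; SecureString would also require kms:Decrypt` would document the intended scope. The constructor both hunks edit begins before the hunk.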
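Review bot: `"@guardian/private-infrastructure-config": "github:guardian/private-infrastructure-config#v2.4.0"` pins a git tag, yet the matching lockfile entry in the first package-lock.json hunk records `"version": "2.3.0"` at commit `5242448b2aabea0e5d7c1729d49113709428f5b3`, so either the tag's own package.json was not bumped or the lock was generated from an older ref; a tag is mutable, so pinning the commit sha in the specifier (`github:guardian/private-infrastructure-config#5242448b2aabea0e5d7c1729d49113709428f5b3`) and regenerating the lock would make the resolution reproducible and let `npm ci` verify it. The resolved `git+ssh://` URL also means every install, CI included, needs SSH access to that private repository, which is worth stating in the package README if it is not already.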