secret configurations

motola · motola · commit 1ef11247fa3b · 2026-02-25T10:34:57.000Z
diff --git a/infrastructure/instance/mns_publisher.tf b/infrastructure/instance/mns_publisher.tf
@@ -8,9 +8,11 @@ module "mns_publisher" {
   immunisation_account_id            = var.immunisation_account_id
   is_temp                            = local.is_temp
   resource_scope                     = local.resource_scope
-  imms-base-path                     = strcontains(var.sub_environment, "pr-") ? "immunisation-fhir-api/FHIR/R4-${var.sub_environment}" : "immunisation-fhir-api/FHIR/R4"
+  imms_base_path                     = strcontains(var.sub_environment, "pr-") ? "immunisation-fhir-api/FHIR/R4-${var.sub_environment}" : "immunisation-fhir-api/FHIR/R4"
   lambda_kms_encryption_key_arn      = data.aws_kms_key.existing_lambda_encryption_key.arn
   mns_publisher_resource_name_prefix = "${local.resource_scope}-mns-outbound-events"
+  secrets_manager_policy_path        = "${local.policy_path}/secret_manager.json"
+  account_id                         = data.aws_caller_identity.current.account_id
   pds_environment                    = var.pds_environment
   mns_environment                    = var.mns_environment
 
diff --git a/infrastructure/instance/modules/mns_publisher/mns_publisher_lambda.tf b/infrastructure/instance/modules/mns_publisher/mns_publisher_lambda.tf
@@ -210,8 +210,8 @@ resource "aws_lambda_function" "mns_publisher_lambda" {
 
 data "aws_iam_policy_document" "mns_publisher_secrets_policy_document" {
   source_policy_documents = [
-    templatefile("${local.policy_path}/secret_manager.json", {
-      "account_id" : data.aws_caller_identity.current.account_id,
+    templatefile("${var.secrets_manager_policy_path}", {
+      "account_id" : var.account_id,
       "pds_environment" : var.pds_environment
     }),
   ]
@@ -227,7 +227,7 @@ resource "aws_iam_policy" "mns_publisher_lambda_secrets_policy" {
 # Attach the secrets/dynamodb access policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "mns_publisher_lambda_secrets_policy_attachment" {
   role       = aws_iam_role.mns_publisher_lambda_exec_role.name
-  policy_arn = aws_iam_policy.mns_publish_lambda_secrets_policy.arn
+  policy_arn = aws_iam_policy.mns_publisher_lambda_secrets_policy.arn
 }
 
 
diff --git a/infrastructure/instance/modules/mns_publisher/variables.tf b/infrastructure/instance/modules/mns_publisher/variables.tf
@@ -93,3 +93,13 @@ variable "mns_environment" {
 variable "pds_environment" {
   type = string
 }
+
+variable "account_id" {
+  type        = string
+  description = "AWS account ID used for IAM policy templating (e.g., Secrets Manager ARNs)."
+}
+
+variable "secrets_manager_policy_path" {
+  type        = string
+  description = "Path to the IAM policy JSON template for Secrets Manager access (e.g., ./policies/secret_manager.json)."
+}
