add secrets for tf and resolve sonar issues

Author: motola

infrastructure/instance/mns_publisher.tf

@@ -8,7 +8,7 @@ module "mns_publisher" {
   immunisation_account_id            = var.immunisation_account_id
   is_temp                            = local.is_temp
   resource_scope                     = local.resource_scope
-  sub_environment                    = strcontains(var.sub_environment, "pr-") ? "immunisation-fhir-api/FHIR/R4-${var.sub_environment}" : "immunisation-fhir-api/FHIR/R4"
+  imms-base-path                     = strcontains(var.sub_environment, "pr-") ? "immunisation-fhir-api/FHIR/R4-${var.sub_environment}" : "immunisation-fhir-api/FHIR/R4"
   lambda_kms_encryption_key_arn      = data.aws_kms_key.existing_lambda_encryption_key.arn
   mns_publisher_resource_name_prefix = "${local.resource_scope}-mns-outbound-events"
   pds_environment                    = var.pds_environment

infrastructure/instance/modules/mns_publisher/mns_publisher_lambda.tf

@@ -193,7 +193,7 @@ resource "aws_lambda_function" "mns_publisher_lambda" {
     variables = {
       SPLUNK_FIREHOSE_NAME   = var.splunk_firehose_stream_name
       IMMUNIZATION_ENV       = var.resource_scope,
-      IMMUNIZATION_BASE_PATH = var.sub_environment
+      IMMUNIZATION_BASE_PATH = var.imms_base_path
       PDS_ENV                = var.pds_environment
       MNS_ENV                = var.mns_environment
     }
@@ -207,6 +207,30 @@ resource "aws_lambda_function" "mns_publisher_lambda" {
   ]
 }
 
+
+data "aws_iam_policy_document" "mns_publisher_secrets_policy_document" {
+  source_policy_documents = [
+    templatefile("${local.policy_path}/secret_manager.json", {
+      "account_id" : data.aws_caller_identity.current.account_id,
+      "pds_environment" : var.pds_environment
+    }),
+  ]
+}
+
+resource "aws_iam_policy" "mns_publisher_lambda_secrets_policy" {
+  name        = "${local.mns_publisher_lambda_name}-secrets-policy"
+  description = "Allow Lambda to access Secrets Manager"
+  policy      = data.aws_iam_policy_document.mns_publisher_secrets_policy_document.json
+}
+
+
+# Attach the secrets/dynamodb access policy to the Lambda role
+resource "aws_iam_role_policy_attachment" "mns_publisher_lambda_secrets_policy_attachment" {
+  role       = aws_iam_role.mns_publisher_lambda_exec_role.name
+  policy_arn = aws_iam_policy.mns_publish_lambda_secrets_policy.arn
+}
+
+
 resource "aws_cloudwatch_log_group" "mns_publisher_lambda_log_group" {
   name              = "/aws/lambda/${local.mns_publisher_lambda_name}"
   retention_in_days = 30

infrastructure/instance/modules/mns_publisher/variables.tf

@@ -81,9 +81,9 @@ variable "resource_scope" {
   EOT
 }
 
-variable "sub_environment" {
+variable "imms_base_path" {
   type        = string
-  description = "Sub-environment name, e.g. internal-dev, internal-qa. The value is set in the Makefile"
+  description = "Base path for the Immunisation FHIR API. Used to construct environment-specific routes (e.g. PR preview paths or default R4 path)."
 }
 
 variable "mns_environment" {

lambdas/mns_publisher/src/process_records.py

@@ -12,7 +12,7 @@
 mns_env = os.getenv("MNS_ENV", "int")
 
 
-def process_records(records: list[SQSMessage]) -> list[dict]:
+def process_records(records: list[SQSMessage]) -> dict[str, list]:
     """
     Process multiple SQS records.
     Args: records: List of SQS records to process
@@ -23,9 +23,7 @@ def process_records(records: list[SQSMessage]) -> list[dict]:
 
     for record in records:
         try:
-            failed_batch_item = process_record(record, mns_service)
-            if failed_batch_item:
-                batch_item_failures.append(failed_batch_item)
+            process_record(record, mns_service)
         except Exception:
             message_id = record.get("messageId", "unknown")
             batch_item_failures.append({"itemIdentifier": message_id})