From bae1735e23c00e653803f9438d60d65c30af7be5 Mon Sep 17 00:00:00 2001 From: Daniel Roth Date: Fri, 6 Feb 2026 16:22:53 +0000 Subject: [PATCH] try using shared resource to fetch secrets --- .github/workflows/_deploy_lambda.yml | 34 ++++-------- .github/workflows/deploy_terraform.yml | 52 ++++++++++--------- .../terraform/lambda/condition-etl/main.tf | 23 +++++--- .../lambda/condition-etl/variables.tf | 4 -- 4 files changed, 53 insertions(+), 60 deletions(-) diff --git a/.github/workflows/_deploy_lambda.yml b/.github/workflows/_deploy_lambda.yml index 35275341..f883636e 100644 --- a/.github/workflows/_deploy_lambda.yml +++ b/.github/workflows/_deploy_lambda.yml @@ -23,9 +23,9 @@ on: required: true type: string - environment_vars: - required: false - type: string + # environment_vars: + # required: false + # type: string secrets: AWS_ACCESS_KEY_ID: @@ -83,28 +83,12 @@ jobs: - name: Terraform Plan working-directory: ${{ inputs.lambda_path }} run: | - ENV_VARS="" - if [ -n "${{ inputs.environment_vars }}" ]; then - # Convert multiline KEY=VALUE into JSON - ENV_VARS=$(echo "${{ inputs.environment_vars }}" | \ - jq -Rn ' - [inputs | split("=")] | - { (.[0]): .[1] }' | jq -s add | jq -c .) - fi - - PLAN_CMD="terraform plan \ - -var=\"stage=${{ inputs.stage }}\" \ - -var=\"lambda_name=${{ inputs.lambda_name }}\" \ - -var=\"ecr_repo_url=${{ steps.repo.outputs.ecr_repo_url }}\" \ - -var=\"image_digest=${{ inputs.image_digest }}\"" - - if [ -n "$ENV_VARS" ]; then - PLAN_CMD="$PLAN_CMD -var=\"environment_vars=$ENV_VARS\"" - fi - - PLAN_CMD="$PLAN_CMD -out=lambdaplan" - # echo "Running: $PLAN_CMD" - eval $PLAN_CMD + terraform plan \ + -var="stage=${{ inputs.stage }}" \ + -var="lambda_name=${{ inputs.lambda_name }}" \ + -var="ecr_repo_url=${{ inputs.ecr_repo }}" \ + -var="image_digest=${{ inputs.image_digest }}" \ + -out=lambdaplan - name: Terraform Apply working-directory: ${{ inputs.lambda_path }} 
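Review bot: The `environment_vars` input is commented out rather than deleted, which leaves dead YAML and, because a `workflow_call` workflow rejects inputs it does not declare, any other caller still passing `environment_vars` will now fail validation; check the other callers of `_deploy_lambda.yml` before merging. The same commented-out pattern is used for the `fetch_db` job (`@@ -69` in `deploy_terraform.yml`) and for the `needs:` / `environment_vars:` lines there (`@@ -186`, `@@ -194`); all of these should be removed outright, since git history already preserves the old approach and a commented `needs: [condition_etl_image, fetch_db, determine_stage]` invites re-enabling a job that wrote `db_password` to `$GITHUB_OUTPUT` without `::add-mask::`. The `on:` block continues outside the hunk.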
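Review bot: The rewritten plan command passes `-var="ecr_repo_url=${{ inputs.ecr_repo }}"` where the removed code passed `${{ steps.repo.outputs.ecr_repo_url }}`; the caller in `deploy_terraform.yml` sets `ecr_repo: condition-etl-${{ needs.determine_stage.outputs.stage }}`, i.e. a repository name, and `variables.tf` builds `image_uri = "${var.ecr_repo_url}@${var.image_digest}"` from it, so the resulting image URI would lack the registry host unless `ecr_repo` is already a full URL. Unless that is intended, restore `-var="ecr_repo_url=${{ steps.repo.outputs.ecr_repo_url }}"` (the `repo` step is outside this hunk, so I cannot confirm it still exists). Separately, the `${{ inputs.* }}` expressions are expanded into the shell script before it runs, so a value containing a quote or shell metacharacter can change the command; the usual hardening is to map each input to a step-level `env:` variable and reference it as a normal shell variable, which the excerpt below does. The `Terraform Apply` step begins at the end of the hunk but its body is outside it.
```yaml
      - name: Terraform Plan
        working-directory: ${{ inputs.lambda_path }}
        env:
          STAGE: ${{ inputs.stage }}
          LAMBDA_NAME: ${{ inputs.lambda_name }}
          ECR_REPO_URL: ${{ steps.repo.outputs.ecr_repo_url }}
          IMAGE_DIGEST: ${{ inputs.image_digest }}
        run: |
          terraform plan \
            -var="stage=${STAGE}" \
            -var="lambda_name=${LAMBDA_NAME}" \
            -var="ecr_repo_url=${ECR_REPO_URL}" \
            -var="image_digest=${IMAGE_DIGEST}" \
            -out=lambdaplan
      # … unchanged: Terraform Apply step …
```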
diff --git a/.github/workflows/deploy_terraform.yml b/.github/workflows/deploy_terraform.yml
index df620d04..52f64f68 100644
--- a/.github/workflows/deploy_terraform.yml
+++ b/.github/workflows/deploy_terraform.yml
@@ -69,30 +69,30 @@ jobs: # ============================================================ # Fetch DB credentials # ============================================================ - fetch_db: - needs: determine_stage - runs-on: ubuntu-latest - outputs: - db_username: ${{ steps.get_db.outputs.db_username }} - db_password: ${{ steps.get_db.outputs.db_password }} + # fetch_db: + # needs: determine_stage + # runs-on: ubuntu-latest + # outputs: + # db_username: ${{ steps.get_db.outputs.db_username }} + # db_password: ${{ steps.get_db.outputs.db_password }} - steps: - - uses: actions/checkout@v4 + # steps: + # - uses: actions/checkout@v4 - - name: Configure AWS - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.DEV_AWS_REGION }} + # - name: Configure AWS + # uses: aws-actions/configure-aws-credentials@v4 + # with: + # aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }} + # aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }} + # aws-region: ${{ secrets.DEV_AWS_REGION }} - - id: get_db - run: | - SECRET=$(aws secretsmanager get-secret-value \ - --secret-id "${{ needs.determine_stage.outputs.stage }}/assessment_model/db_credentials" \ - --query SecretString --output text) - echo "db_username=$(echo $SECRET | jq -r .db_assessment_model_username)" >> $GITHUB_OUTPUT - echo "db_password=$(echo $SECRET | jq -r .db_assessment_model_password)" >> $GITHUB_OUTPUT + # - id: get_db + # run: | + # SECRET=$(aws secretsmanager get-secret-value \ + # --secret-id "${{ needs.determine_stage.outputs.stage }}/assessment_model/db_credentials" \ + # --query SecretString --output text) + # echo "db_username=$(echo $SECRET | jq -r .db_assessment_model_username)" >> $GITHUB_OUTPUT + # echo "db_password=$(echo $SECRET | jq -r .db_assessment_model_password)" >> $GITHUB_OUTPUT # 
============================================================ @@ -186,7 +186,8 @@ jobs: # Deploy Condition ETL Lambda # ============================================================ condition_etl_lambda: - needs: [condition_etl_image, fetch_db, determine_stage] + # needs: [condition_etl_image, fetch_db, determine_stage] + needs: [condition_etl_image, determine_stage] uses: ./.github/workflows/_deploy_lambda.yml with: lambda_name: condition-etl @@ -194,9 +195,10 @@ jobs: stage: ${{ needs.determine_stage.outputs.stage }} ecr_repo: condition-etl-${{ needs.determine_stage.outputs.stage }} image_digest: ${{ needs.condition_etl_image.outputs.image_digest }} - environment_vars: | - DB_USERNAME=${{ needs.fetch_db.outputs.db_username }} - DB_PASSWORD=${{ needs.fetch_db.outputs.db_password }} + # environment_vars: ${{ toJSON({ + # DB_USERNAME: needs.fetch_db.outputs.db_username, + # DB_PASSWORD: needs.fetch_db.outputs.db_password + # }) }} secrets: AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }} diff --git a/infrastructure/terraform/lambda/condition-etl/main.tf b/infrastructure/terraform/lambda/condition-etl/main.tf index 2e2ee69b..dda57385 100644 --- a/infrastructure/terraform/lambda/condition-etl/main.tf +++ b/infrastructure/terraform/lambda/condition-etl/main.tf @@ -1,3 +1,12 @@ +data "aws_secretsmanager_secret_version" "db_credentials" { + secret_id = "${var.stage}/assessment_model/db_credentials" +} + +locals { + db_credentials = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string) +} + + module "lambda" { source = "../modules/lambda_with_sqs" 
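Review bot: Reading the secret through `data "aws_secretsmanager_secret_version"` and `jsondecode` records the plaintext credentials in the Terraform state and in the `lambdaplan` file the workflow writes, since data-source results and module inputs are stored there; the commit does not mark the local sensitive, so depending on the provider version the value may also be printed in plan output. Wrapping it, `db_credentials = sensitive(jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string))`, makes the intent explicit, and the state backend (not on the page) should be encrypted and access-restricted; if `lambdaplan` is ever uploaded as an artifact it carries the password too. A short comment above the data block noting that the deploying role needs `secretsmanager:GetSecretValue` on `<stage>/assessment_model/db_credentials` would save the next person a failed plan. The two blank lines before `module "lambda"` can be collapsed to one.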
@@ -7,11 +16,13 @@ module "lambda" { image_uri = local.image_uri - environment = { - STAGE = var.stage - LOG_LEVEL = "info" - DB_USERNAME = var.environment_vars.DB_USERNAME - DAN = "hello" - } + environment = merge( + { + STAGE = var.stage + LOG_LEVEL = "info" + DB_USERNAME = local.db_credentials.db_assessment_model_username + DB_PASSWORD = local.db_credentials.db_assessment_model_password + }, + ) } diff --git a/infrastructure/terraform/lambda/condition-etl/variables.tf b/infrastructure/terraform/lambda/condition-etl/variables.tf index 3f5004a9..e4bab243 100644 --- a/infrastructure/terraform/lambda/condition-etl/variables.tf +++ b/infrastructure/terraform/lambda/condition-etl/variables.tf @@ -17,10 +17,6 @@ variable "image_digest" { description = "Image digest (sha256:...)" } -variable "environment_vars" { - type = map(string) - default = {} -} locals { image_uri = "${var.ecr_repo_url}@${var.image_digest}"
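Review bot: `DB_PASSWORD = local.db_credentials.db_assessment_model_password` places the password directly in the Lambda `environment` map, so it is readable to anyone with `lambda:GetFunctionConfiguration` and visible in the console; the removed `environment_vars` input carried the password the same way, but moving the fetch into Terraform is a good moment to pass only the secret name, e.g. `DB_SECRET_ID = "${var.stage}/assessment_model/db_credentials"`, and resolve it in the function at runtime, or at least confirm that the `lambda_with_sqs` module (not on the page) encrypts environment variables with a customer-managed KMS key. Also `merge()` with a single map argument is a no-op; either drop the wrapper or add a comment such as `# merge() kept so extra env vars can be layered in later` so the intent is clear. The `module "lambda"` block starts before this hunk.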