wip

CMSgov · Mar 11, 2024 · 8030eb9 · 8030eb9
1 parent 27453dc
commit 8030eb9
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 57 deletions.
diff --git a/optout/build.gradle b/optout/build.gradle
@@ -15,7 +15,8 @@ dependencies {
     implementation 'com.amazonaws:aws-lambda-java-events:2.2.2'
     implementation 'com.amazonaws:aws-java-sdk-s3:1.12.406'
     implementation 'org.postgresql:postgresql:42.5.1'
-    implementation 'software.amazon.awssdk:s3:2.21.7'
+    implementation 'software.amazon.awssdk:s3:2.25.6'
+    implementation 'software.amazon.awssdk:sts:2.25.6'
     implementation 'software.amazon.awssdk:secretsmanager:2.23.12'
     implementation 'com.googlecode.json-simple:json-simple:1.1.1'
     implementation project(':database-management')

diff --git a/optout/src/main/java/gov/cms/ab2d/optout/OptOutConstants.java b/optout/src/main/java/gov/cms/ab2d/optout/OptOutConstants.java
@@ -3,6 +3,9 @@
 import software.amazon.awssdk.regions.Region;
 
 public class OptOutConstants {
+
+    public static final String ROLE = "arn:aws:iam::330810004472:role/delegatedadmin/developer/ab2d-test-github-actions";
+            //"arn:aws:iam::330810004472:role/delegatedadmin/developer/ab2d-test-opt-out-import-function"
     public static final String ENDPOINT = "https://s3.amazonaws.com";
     public static final Region S3_REGION = Region.US_EAST_1;
     public static final String HEADER_RESP = "HDR_BENEDATARSP";

diff --git a/optout/src/main/java/gov/cms/ab2d/optout/OptOutHandler.java b/optout/src/main/java/gov/cms/ab2d/optout/OptOutHandler.java
@@ -43,14 +43,6 @@ public void processSQSMessage(SQSEvent.SQSMessage msg, Context context) {
 
     public OptOutProcessor processorInit(String fileName, String bfdBucket, LambdaLogger logger) throws URISyntaxException {
         return new OptOutProcessor(fileName, bfdBucket, ENDPOINT, logger);
-        //ToDo: uncomment when permanent credentials will be available
-//        var creds = SecretManager.getS3Credentials(ACCESS_KEY_ID, SECRET_ACCESS_KEY, ACCESS_TOKEN, logger);
-//        if (creds.isPresent())
-//            return new OptOutProcessing(msg, ENDPOINT, creds.get(), logger);
-//        else {
-//            logger.log("Can't get Credentials from Secret manager");
-//            throw new OptOutException("Can't get Credentials from Secret manager");
-//        }
     }
 
     public String getBucketName(S3EventNotification.S3EventNotificationRecord record) {

diff --git a/optout/src/main/java/gov/cms/ab2d/optout/OptOutProcessor.java b/optout/src/main/java/gov/cms/ab2d/optout/OptOutProcessor.java
@@ -4,6 +4,9 @@
 import com.amazonaws.services.lambda.runtime.LambdaLogger;
 import gov.cms.ab2d.databasemanagement.DatabaseUtil;
 import software.amazon.awssdk.services.s3.S3Client;
+import software.amazon.awssdk.services.sts.StsClient;
+import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
+import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
 
 import java.io.BufferedReader;
 import java.io.IOException;
@@ -28,15 +31,36 @@ public class OptOutProcessor {
     public OptOutProcessor(String fileName, String bfdBucket, String endpoint, LambdaLogger logger) throws URISyntaxException {
         this.logger = logger;
         this.optOutInformationMap = new TreeMap<>();
-        var s3Client = S3Client.builder()
-                //    .credentialsProvider(credentials)
-                .region(S3_REGION)
-                .endpointOverride(new URI(endpoint))
-                .build();
+        var s3Client = getS3Client(endpoint);
         isRejected = false;
         optOutS3 = new OptOutS3(s3Client, fileName, bfdBucket, logger);
     }
 
+    private static S3Client getS3Client(String endpoint) throws URISyntaxException {
+        var stsClient = StsClient.builder().region(S3_REGION).build();
+
+        var assumeRoleRequest = AssumeRoleRequest
+                .builder()
+                .roleArn(ROLE)
+                .roleSessionName("roleSessionName")
+                .build();
+
+        var credentials = StsAssumeRoleCredentialsProvider
+                .builder()
+                .stsClient(stsClient)
+                .refreshRequest(assumeRoleRequest)
+                .build();
+
+        var client = S3Client.builder()
+                .region(S3_REGION)
+                .endpointOverride(new URI(endpoint));
+
+        if (endpoint.equals(ENDPOINT))
+            client.credentialsProvider(credentials);
+
+        return client.build();
+    }
+
     public void process() {
         processFileFromS3(optOutS3.openFileS3());
         optOutS3.createResponseOptOutFile(createResponseContent());

diff --git a/optout/src/main/java/gov/cms/ab2d/optout/SecretManager.java b/optout/src/main/java/gov/cms/ab2d/optout/SecretManager.java