import json
import logging
import os
import boto3
from mangum.types import LambdaContext, LambdaEvent
# Name (or ARN) of the Secrets Manager secret whose AWSPENDING version this
# function promotes. None when the variable is not set in the environment.
SECRET_NAME = os.getenv("SECRET_NAME")
# Region used for the Secrets Manager client (expected to be populated by the
# Lambda runtime; None otherwise, in which case boto3 falls back to its own
# region resolution).
REGION_NAME = os.getenv("AWS_REGION")

# Use the root logger (the one the Lambda runtime pre-configures) and lower its
# threshold so the INFO-level JSON audit records below are actually emitted.
logger = logging.getLogger()
logger.setLevel(logging.INFO)
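def _find_stage_versions(version_stages: dict) -> "tuple[str | None, str | None]":
    """Return ``(pending_id, current_id)`` from a ``VersionIdsToStages`` map.

    ``pending_id`` is the version carrying the AWSPENDING label and
    ``current_id`` the one carrying AWSCURRENT; either is ``None`` when no
    version carries that label. The map is walked once and, should several
    versions carry the same label, the first one encountered wins (the same
    first-match rule the original single-label loop used).
    """
    pending_id = None
    current_id = None
    for version_id, stages in version_stages.items():
        if pending_id is None and "AWSPENDING" in stages:
            pending_id = version_id
        if current_id is None and "AWSCURRENT" in stages:
            current_id = version_id
    return pending_id, current_id


def lambda_handler(
    event: LambdaEvent,  # noqa: ARG001
    context: LambdaContext,
) -> dict:
    """Promote the AWSPENDING version of ``SECRET_NAME`` to AWSCURRENT.

    Looks up the secret's version/stage map, moves the AWSCURRENT label onto
    the version that carries AWSPENDING, then strips the AWSPENDING label so
    the secret is left in a clean post-rotation state.

    Args:
        event: Ignored. The invoke payload carries no input; the function acts
            solely on the secret named by the ``SECRET_NAME`` environment
            variable.
        context: Lambda context; only ``aws_request_id`` is read, for log
            correlation.

    Returns:
        ``{"status": "success", "action": "promoted_and_cleaned",
        "new_current_version": <id>}`` when a pending version was promoted, or
        ``{"status": "skipped", "reason": "no_pending_version"}`` when no
        version carries AWSPENDING.

    Raises:
        RuntimeError: ``SECRET_NAME`` is not set in the environment.
        Exception: any failure from the Secrets Manager calls is logged
            (type only) and re-raised so the invocation is reported as failed.

    Security notes:
        - Only the secret *name* and version IDs are logged. The secret value
          is never fetched, so it cannot end up in CloudWatch.
        - Nothing here authenticates the caller: any principal allowed to
          invoke this function can promote whatever version is pending.
          Restrict ``lambda:InvokeFunction`` on this function accordingly.
    """
    if not SECRET_NAME:
        # Fail fast with an explicit message rather than letting boto3 reject
        # SecretId=None with a less obvious ParamValidationError.
        raise RuntimeError("SECRET_NAME environment variable is not set")

    sm_client = boto3.client("secretsmanager", region_name=REGION_NAME)
    logger.info(
        json.dumps(
            {
                "event": "promotion_started",
                "request_id": context.aws_request_id,
                "secret_name": SECRET_NAME,
                "function": "promote_to_current",
            }
        )
    )
    try:
        metadata = sm_client.describe_secret(SecretId=SECRET_NAME)
        # A secret with no versions may omit the map entirely; treat that the
        # same as "nothing pending" instead of failing with a KeyError.
        pending_version, current_version = _find_stage_versions(
            metadata.get("VersionIdsToStages", {})
        )

        if pending_version is None:
            # Nothing staged: leave the secret untouched and say so.
            logger.warning(
                json.dumps({"event": "promotion_skipped", "reason": "no_pending_version_found", "secret_name": SECRET_NAME})
            )
            return {"status": "skipped", "reason": "no_pending_version"}

        logger.info(
            json.dumps(
                {"event": "promoting_version", "pending_version_id": pending_version, "action": "swap_AWSCURRENT"}
            )
        )

        if current_version != pending_version:
            # UpdateSecretVersionStage refuses to attach a label that is
            # already on a different version unless RemoveFromVersionId names
            # that version, so the current holder is passed explicitly. The
            # documented "must match" rule also makes this an optimistic
            # concurrency check: if another actor moved AWSCURRENT between
            # describe_secret and this call, the request fails instead of
            # silently clobbering their change. When the pending version
            # already holds AWSCURRENT (a retry after the first call succeeded
            # but the AWSPENDING cleanup below failed) the move is skipped so
            # the retry can finish.
            move_args = {
                "SecretId": SECRET_NAME,
                "VersionStage": "AWSCURRENT",
                "MoveToVersionId": pending_version,
            }
            if current_version is not None:
                move_args["RemoveFromVersionId"] = current_version
            sm_client.update_secret_version_stage(**move_args)

        # Clear AWSPENDING so the promoted version is not mistaken for an
        # in-flight rotation next time this runs.
        sm_client.update_secret_version_stage(
            SecretId=SECRET_NAME, VersionStage="AWSPENDING", RemoveFromVersionId=pending_version
        )
    except Exception as e:
        # Top-level boundary: record the failure type (never the secret value
        # or the raw API response) and re-raise so Lambda marks the run failed.
        logger.exception(json.dumps({"event": "promotion_failed", "type": type(e).__name__}))
        raise

    logger.info(
        json.dumps({"event": "promotion_complete", "new_current_version": pending_version, "status": "success"})
    )
    return {"status": "success", "action": "promoted_and_cleaned", "new_current_version": pending_version}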