code clean up and fixes

Author: Karthikeyannhs

infrastructure/stacks/api-layer/iam_policies.tf

@@ -56,9 +56,9 @@ resource "aws_iam_role_policy" "lambda_s3_read_policy" {
   policy = data.aws_iam_policy_document.s3_rules_bucket_policy.json
 }
 
-# Attach s3 read policy to kinesis firehose role
+# Attach s3 write policy to kinesis firehose role
 resource "aws_iam_role_policy" "kinesis_firehose_s3_read_policy" {
-  name   = "S3ReadAccess"
+  name   = "S3WriteAccess"
   role   = aws_iam_role.eligibility_audit_firehose_role.id
   policy = data.aws_iam_policy_document.s3_audit_bucket_policy.json
 }

infrastructure/stacks/api-layer/iam_roles.tf

@@ -52,4 +52,5 @@ resource "aws_iam_role" "write_access_role" {
 resource "aws_iam_role" "eligibility_audit_firehose_role" {
   name               = "eligibility_audit_firehouse-role${terraform.workspace == "default" ? "" : "-${terraform.workspace}"}"
   assume_role_policy = data.aws_iam_policy_document.firehose_assume_role.json
+  permissions_boundary = aws_iam_policy.assumed_role_permissions_boundary.arn
 }

tests/integration/conftest.py

@@ -386,12 +386,9 @@ def rules_bucket(s3_client: BaseClient) -> Generator[BucketName]:
 
 
 @pytest.fixture(scope="session")
-def audit_bucket(s3_client: BaseClient) -> Generator[BucketName, None, None]:
+def audit_bucket(s3_client: BaseClient) -> Generator[BucketName]:
     bucket_name = BucketName(os.getenv("AUDIT_BUCKET_NAME", "test-audit-bucket"))
-    s3_client.create_bucket(
-        Bucket=bucket_name,
-        CreateBucketConfiguration={"LocationConstraint": AWS_REGION}
-    )
+    s3_client.create_bucket(Bucket=bucket_name, CreateBucketConfiguration={"LocationConstraint": AWS_REGION})
     yield bucket_name
 
     # Delete all objects in the bucket before deletion
@@ -410,14 +407,12 @@ def firehose_delivery_stream(firehose_client: BaseClient, audit_bucket: BucketNa
             "BucketARN": f"arn:aws:s3:::{audit_bucket}",
             "RoleARN": "arn:aws:iam::000000000000:role/firehose_delivery_role",
             "Prefix": "audit-logs/",
-            "BufferingHints": {
-                "SizeInMBs": 1,
-                "IntervalInSeconds": 60
-            },
+            "BufferingHints": {"SizeInMBs": 1, "IntervalInSeconds": 60},
             "CompressionFormat": "UNCOMPRESSED",
-        }
+        },
     )
 
+
 @pytest.fixture(scope="class")
 def campaign_config(s3_client: BaseClient, rules_bucket: BucketName) -> Generator[rules.CampaignConfig]:
     campaign: rules.CampaignConfig = rule.CampaignConfigFactory.build(

tests/integration/lambda/test_app_running_as_lambda.py

@@ -1,7 +1,6 @@
 import base64
 import json
 import logging
-import time
 from http import HTTPStatus
 
 import httpx
@@ -11,7 +10,7 @@
 from brunns.matchers.data import json_matching as is_json_that
 from brunns.matchers.response import is_response
 from faker import Faker
-from hamcrest import assert_that, contains_exactly, contains_string, has_entries, has_item, has_key, any_of, starts_with
+from hamcrest import assert_that, contains_exactly, contains_string, has_entries, has_item, has_key
 from yarl import URL
 
 from eligibility_signposting_api.model.eligibility import NHSNumber
@@ -154,7 +153,7 @@ def get_log_messages(flask_function: str, logs_client: BaseClient) -> list[str]:
     return [e["message"] for e in log_events["events"]]
 
 
-def test_given_nhs_number_in_path_matches_with_nhs_number_in_headers(
+def test_given_nhs_number_in_path_matches_with_nhs_number_in_headers(  # noqa: PLR0913
     lambda_client: BaseClient,  # noqa:ARG001
     persisted_person: NHSNumber,
     campaign_config: CampaignConfig,  # noqa:ARG001
@@ -171,8 +170,6 @@ def test_given_nhs_number_in_path_matches_with_nhs_number_in_headers(
         timeout=10,
     )
 
-    time.sleep(40)
-
     # Then
     assert_that(
         response,