ELI-597: Adding metadata to emails for rotation

shweta-nhs · shweta-nhs · commit bcb22b060a37 · 2026-01-16T15:00:54.000Z
diff --git a/infrastructure/stacks/api-layer/step_functions.tf b/infrastructure/stacks/api-layer/step_functions.tf
@@ -24,6 +24,7 @@ resource "aws_sfn_state_machine" "rotation_machine" {
         Resource       = "arn:aws:states:::sns:publish.waitForTaskToken",
         TimeoutSeconds = 86400,
         Parameters = {
+          Subject     = "Action required: AWSPENDING secret created (Environment: ${var.environment})",
           TopicArn    = aws_sns_topic.secret_rotation.arn,
           "Message.$" = local.add_jobs_message
         },
@@ -44,6 +45,7 @@ resource "aws_sfn_state_machine" "rotation_machine" {
         Resource       = "arn:aws:states:::sns:publish.waitForTaskToken",
         TimeoutSeconds = 86400,
         Parameters = {
+          Subject     = "Action required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})",
           TopicArn    = aws_sns_topic.secret_rotation.arn,
           "Message.$" = local.delete_jobs_message
         },
@@ -59,7 +61,7 @@ resource "aws_sfn_state_machine" "rotation_machine" {
         Resource = "arn:aws:states:::sns:publish",
         Parameters = {
           TopicArn    = aws_sns_topic.secret_rotation.arn,
-          Subject     = "WARNING: Secret Rotation Timed Out",
+          Subject     = "Warning: Secret rotation timed out (Environment: ${var.environment})",
           "Message.$" = local.timeout_message
         },
         Next = "Fail_Timeout"
@@ -75,7 +77,7 @@ resource "aws_sfn_state_machine" "rotation_machine" {
         Resource = "arn:aws:states:::sns:publish",
         Parameters = {
           TopicArn    = aws_sns_topic.secret_rotation.arn,
-          Subject     = "CRITICAL: Secret Rotation Failed",
+          Subject     = "Critical: Secret Rotation Failed (Environment: ${var.environment})",
           "Message.$" = local.failure_message
         },
         Next = "Fail_Generic"
@@ -91,7 +93,7 @@ locals {
   add_jobs_message = <<EOT
 States.Format('
 ======================================================
-ACTION REQUIRED: PENDING SECRET CREATED
+Action required: AWSPENDING secret created (Environment: ${var.environment})
 ======================================================
 
 A manual action is required to proceed.
@@ -100,20 +102,19 @@ CONTEXT:
 Secret Name: ${module.secrets_manager.aws_hashing_secret_name}
 
 INSTRUCTIONS:
-1. Run the "Add New Hashes" job.
+1. Run the "Add New Hashes (elid_add_new_salt)" job.
 2. Ensure the new hashes are working as expected.
 3. Run the command below to approve and resume the workflow:
 
-aws stepfunctions send-task-success --task-token {}
+aws stepfunctions send-task-success --task-token $$.Task.Token --task-output {{}}
 
 ======================================================
-', $$.Task.Token)
 EOT
 
   delete_jobs_message = <<EOT
 States.Format('
 ======================================================
-ACTION REQUIRED: SECRET AWSPENDING PROMOTED TO AWSCURRENT
+Action required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})
 ======================================================
 
 A manual action is required to proceed.
@@ -122,24 +123,26 @@ CONTEXT:
 Secret Name: ${module.secrets_manager.aws_hashing_secret_name}
 
 INSTRUCTIONS:
-1. Run the "Delete Old Hashes" job.
+1. Run the "Delete Old Hashes (elid_delete_old_salt)" job.
 2. Ensure the old hashes have been removed successfully.
 3. Run the command below to approve and resume the workflow:
 
-aws stepfunctions send-task-success --task-token {}
+aws stepfunctions send-task-success --task-token $$.Task.Token --task-output {{}}
 
 ======================================================
-', $$.Task.Token)
 EOT
 
   failure_message = <<EOT
 States.Format('
 ======================================================
-CRITICAL: ROTATION FAILED
+Critical: Rotation failed (Environment: ${var.environment})
 ======================================================
 
 The workflow encountered an error and could not complete.
 
+CONTEXT:
+Secret Name: ${module.secrets_manager.aws_hashing_secret_name}
+
 ERROR DETAILS:
 {}
 
@@ -162,7 +165,7 @@ EOT
   timeout_message = <<EOT
 States.Format('
 ======================================================
-WARNING: ROTATION TIMED OUT
+Warning: Rotation timed out (Environment: ${var.environment})
 ======================================================
 
 The manual verification step was not completed within the 24-hour limit.
