refactor(Lambda): make use of Parameter Store

.github/workflows/terraform-apply.yml

@@ -65,7 +65,6 @@ jobs:
         run: terraform apply tfplan
         working-directory: terraform
         env:
-          TF_VAR_email_function_parameters: ${{ secrets.EMAIL_FUNCTION_PARAMETERS }}
-          TF_VAR_scrape_discord_events_function_environment_variables: ${{ secrets.SCRAPE_DISCORD_EVENTS_FUNCTION_ENVIRONMENT_VARIABLES }}
-          TF_VAR_midnight_automations_environment_variables: ${{ secrets.MIDNIGHT_AUTOMATIONS_ENVIRONMENT_VARIABLES }}
-          TF_VAR_notification_router_environment_variables: ${{ secrets.NOTIFICATION_ROUTER_ENVIRONMENT_VARIABLES }}
+          TF_VAR_scrape_discord_events_function_environment_variables: ${{ vars.SCRAPE_DISCORD_EVENTS_FUNCTION_ENVIRONMENT_VARIABLES }}
+          TF_VAR_midnight_automations_environment_variables: ${{ vars.MIDNIGHT_AUTOMATIONS_ENVIRONMENT_VARIABLES }}
+          TF_VAR_notification_router_environment_variables: ${{ vars.NOTIFICATION_ROUTER_ENVIRONMENT_VARIABLES }}

.github/workflows/terraform-plan.yml

@@ -70,10 +70,9 @@ jobs:
         id: plan
         continue-on-error: true
         env:
-          TF_VAR_email_function_parameters: ${{ secrets.EMAIL_FUNCTION_PARAMETERS }}
-          TF_VAR_scrape_discord_events_function_environment_variables: ${{ secrets.SCRAPE_DISCORD_EVENTS_FUNCTION_ENVIRONMENT_VARIABLES }}
-          TF_VAR_midnight_automations_environment_variables: ${{ secrets.MIDNIGHT_AUTOMATIONS_ENVIRONMENT_VARIABLES }}
-          TF_VAR_notification_router_environment_variables: ${{ secrets.NOTIFICATION_ROUTER_ENVIRONMENT_VARIABLES }}
+          TF_VAR_scrape_discord_events_function_environment_variables: ${{ vars.SCRAPE_DISCORD_EVENTS_FUNCTION_ENVIRONMENT_VARIABLES }}
+          TF_VAR_midnight_automations_environment_variables: ${{ vars.MIDNIGHT_AUTOMATIONS_ENVIRONMENT_VARIABLES }}
+          TF_VAR_notification_router_environment_variables: ${{ vars.NOTIFICATION_ROUTER_ENVIRONMENT_VARIABLES }}
 
       - uses: actions/github-script@v8.0.0
         if: github.event_name == 'pull_request'

bun-packages/packages/email-function/src/index.ts

@@ -30,8 +30,7 @@ export const handler: SQSHandler = async (event) => {
 			}
 
 			const parameters = await fetchParameters({
-				// deepcode ignore HardcodedNonCryptoSecret: This is not the actual secret but a reference to the secret in the parameters store
-				mailgunApiKey: "/email-function/mailgun-api-key",
+				mailgunApiKey: "/mailgun/api_key",
 			});
 
 			await main({

docs/setup-test-and-production.md

@@ -16,12 +16,9 @@
 1. Create environments
    1. `terraform-test`
    2. `terraform-prod`
-2. Create environment secrets
-   - `EMAIL_FUNCTION_PARAMETERS`
-      - `[{"name":"...","value":"..."}]`
-3. Create environment variables
+2. Create environment variables
    - `IAM_ROLE`
-4. Enable "Allow GitHub Actions to create and approve pull requests" in Settings/Actions/General/Workflow permissions
+3. Enable "Allow GitHub Actions to create and approve pull requests" in Settings/Actions/General/Workflow permissions
 
 ## 5. Set up AWS
 

pnpm-monorepo/apps/lambda/.env.example

@@ -3,7 +3,7 @@ DATABASE_URL="postgresql://postgres:admin@localhost:5432/db"
 
 # Discord
 DISCORD_GUILD_ID=""
-DISCORD_TOKEN=""
+DISCORD_BOT_TOKEN=""
 
 # Web Push
 PUBLIC_VAPID_KEY=""

pnpm-monorepo/apps/lambda/package.json

@@ -2,17 +2,14 @@
   "name": "@sam-monorepo/lambda",
   "private": true,
   "scripts": {
-    "dev": "tsx watch src/local-api.ts",
     "build": "./scripts/build.sh"
   },
   "dependencies": {
     "@aws-sdk/client-dynamodb": "3.939.0",
     "@aws-sdk/client-eventbridge": "3.939.0",
-    "@hono/node-server": "1.19.6",
     "@paralleldrive/cuid2": "3.0.4",
     "@sam-monorepo/database": "workspace:*",
     "aws-xray-sdk-core": "3.12.0",
-    "hono": "4.10.6",
     "lodash": "4.17.21",
     "serialize-error": "12.0.0",
     "web-push": "3.6.7",
@@ -24,7 +21,6 @@
     "@types/node": "22.19.1",
     "@types/web-push": "3.6.4",
     "esbuild": "0.27.0",
-    "tsx": "4.20.6",
     "typescript": "5.9.3"
   }
 }

pnpm-monorepo/apps/lambda/scripts/build.sh

@@ -19,9 +19,9 @@ echo "Cleaning up old build..."
 rm -rf $OUTPUT_DIRECTORY $OUTPUT_DIRECTORY.zip
 
 # Get all functions
-FUNCTION_FILES=$(find src/functions -maxdepth 1 -type f -name "*.ts")
+FUNCTION_FILES=$(find src -maxdepth 1 -type f -name "*.ts")
 
-for file in "src/functions"/*.ts; do
+for file in "src"/*.ts; do
 	FUNCTION_FILENAME=$(basename "$file")
 	FUNCTION_NAME="${FUNCTION_FILENAME%.ts}"
 
@@ -31,7 +31,7 @@ for file in "src/functions"/*.ts; do
 	# - `--external:@aws-sdk` excludes any imported AWS SDKs from the bundle since they are already provided by the AWS Lambda runtime.
 	# - The banner is needed to allow usage of `require` in ESM modules (see https://github.com/aws/aws-sam-cli/issues/4827)
 	echo "Bundling $FUNCTION_NAME..."
-	esbuild src/functions/$FUNCTION_NAME.ts \
+	esbuild src/$FUNCTION_NAME.ts \
 		--bundle \
 		--outfile=$OUTPUT_DIRECTORY/$FUNCTION_NAME/index.mjs \
 		--format=esm \

pnpm-monorepo/apps/lambda/src/common/parameters.ts

@@ -0,0 +1,47 @@
+import { z } from "zod";
+import { log } from "./logger";
+
+export const fetchParameters = async <T extends Record<string, string>>(
+	parameters: T,
+): Promise<T> => {
+	if (!process.env.AWS_SESSION_TOKEN)
+		throw new Error("Missing AWS_SESSION_TOKEN for fetching parameter store");
+
+	const responses = await Promise.all(
+		Object.entries(parameters).map(async ([key, name]) => {
+			const uriEncodedParameterName = encodeURIComponent(name);
+
+			const response = await fetch(
+				`http://localhost:2773/systemsmanager/parameters/get?name=${uriEncodedParameterName}&withDecryption=true`,
+				{
+					headers: {
+						// biome-ignore lint/style/noNonNullAssertion: <explanation>
+						"X-Aws-Parameters-Secrets-Token": process.env.AWS_SESSION_TOKEN!,
+					},
+				},
+			);
+
+			if (!response.ok) {
+				void log.error("Failed to fetch parameter", {
+					name,
+					status: response.status,
+					body: await response.text(),
+				});
+				throw new Error("Failed to fetch parameter");
+			}
+
+			const body = await response.json();
+			const parameter = parameterSchema.parse(body);
+
+			return [key, parameter.Parameter.Value];
+		}),
+	);
+
+	return Object.fromEntries(responses);
+};
+
+const parameterSchema = z.object({
+	Parameter: z.object({
+		Value: z.string(),
+	}),
+});