refactor: consume dynamic env vars from SSM rather than env vars [CHI-2897]

hrm-domain/hrm-core/app.ts

@@ -25,20 +25,21 @@ import {
   adminAuthorizationMiddleware,
   staticKeyAuthorizationMiddleware,
 } from '@tech-matters/twilio-worker-auth';
+import { defaultAuthSecretsLookup } from './config/authSecretsLookup';
+import type { AuthSecretsLookup } from '@tech-matters/twilio-worker-auth';
 import { adminApiV0, internalApiV0 } from './routes';
-import { AccountSID } from '@tech-matters/types';
 import { setupPermissions } from './permissions';
 
 type ServiceCreationOptions = Partial<{
   permissions: Permissions;
-  authTokenLookup: (accountSid: AccountSID) => string;
+  authSecretsLookup: AuthSecretsLookup;
   enableProcessContactJobs: boolean;
   webServer: Express;
 }>;
 
 export function configureService({
   permissions = jsonPermissions,
-  authTokenLookup,
+  authSecretsLookup = defaultAuthSecretsLookup,
   webServer = express(),
 }: ServiceCreationOptions = {}) {
   webServer.get('/', (req, res) => {
@@ -47,14 +48,20 @@ export function configureService({
     });
   });
 
-  setUpHrmRoutes(webServer, authTokenLookup, permissions);
+  setUpHrmRoutes(webServer, authSecretsLookup, permissions);
 
   console.log(`${new Date().toLocaleString()}: app.js has been created`);
 
   return webServer;
 }
 
-export const configureInternalService = ({ webServer }: { webServer: Express }) => {
+export const configureInternalService = ({
+  webServer,
+  authSecretsLookup,
+}: {
+  webServer: Express;
+  authSecretsLookup: AuthSecretsLookup;
+}) => {
   webServer.get('/', (req, res) => {
     res.json({
       Message: 'HRM internal service is up and running!',
@@ -64,15 +71,15 @@ export const configureInternalService = ({ webServer }: { webServer: Express })
   webServer.use(
     '/admin/v0/accounts/:accountSid',
     addAccountSidMiddleware,
-    adminAuthorizationMiddleware('ADMIN_HRM'),
+    adminAuthorizationMiddleware(authSecretsLookup.staticKeyLookup)('ADMIN_HRM'),
     setupPermissions(openPermissions),
     adminApiV0(),
   );
 
   webServer.use(
     '/internal/v0/accounts/:accountSid',
     addAccountSidMiddleware,
-    staticKeyAuthorizationMiddleware,
+    staticKeyAuthorizationMiddleware(authSecretsLookup.staticKeyLookup),
     setupPermissions(openPermissions),
     internalApiV0(),
   );

hrm-domain/hrm-core/config/authSecretsLookup.ts

@@ -0,0 +1,42 @@
+/**
+ * Copyright (C) 2021-2023 Technology Matters
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see https://www.gnu.org/licenses/.
+ */
+
+import type { AuthSecretsLookup } from '@tech-matters/twilio-worker-auth';
+import { getFromSSMCache } from './ssm-cache';
+
+const authTokenLookup = async (accountSid: string) => {
+  if (process.env[`TWILIO_AUTH_TOKEN_${accountSid}`]) {
+    return process.env[`TWILIO_AUTH_TOKEN_${accountSid}`] || '';
+  }
+
+  const { authToken } = await getFromSSMCache(accountSid);
+  return authToken;
+};
+
+const staticKeyLookup = async (keySuffix: string) => {
+  const staticSecretKey = `STATIC_KEY_${keySuffix}`;
+  if (process.env[staticSecretKey]) {
+    return process.env[staticSecretKey] || '';
+  }
+
+  const { staticKey } = await getFromSSMCache(keySuffix);
+  return staticKey;
+};
+
+export const defaultAuthSecretsLookup: AuthSecretsLookup = {
+  authTokenLookup,
+  staticKeyLookup,
+};

hrm-domain/hrm-core/config/ssm-cache.ts

@@ -0,0 +1,66 @@
+/**
+ * Copyright (C) 2021-2023 Technology Matters
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published
+ * by the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see https://www.gnu.org/licenses/.
+ */
+
+import { loadSsmCache as loadSsmCacheRoot, ssmCache } from '@tech-matters/ssm-cache';
+
+import env from 'dotenv';
+
+env.config();
+
+const ssmCacheConfigs = [
+  {
+    path: `/${process.env.NODE_ENV}/${
+      process.env.AWS_REGION ?? process.env.AWS_DEFAULT_REGION
+    }/sqs/jobs/contact`,
+    regex: /queue-url-*/,
+  },
+  {
+    path: `/${process.env.NODE_ENV}/twilio`,
+    regex: /\/.*\/static_key/,
+  },
+  {
+    path: `/${process.env.NODE_ENV}/twilio`,
+    regex: /\/.*\/auth_token/,
+  },
+  {
+    path: `/${process.env.NODE_ENV}/config`,
+    regex: /\/.*\/permission_config/,
+  },
+];
+
+export const loadSsmCache = async () => {
+  await loadSsmCacheRoot({
+    configs: ssmCacheConfigs,
+    cacheDurationMilliseconds: 3600000 * 24, // cache for a day
+  });
+};
+
+export const getFromSSMCache = async (accountSid: string) => {
+  // does nothing if cache is still valid
+  await loadSsmCache();
+
+  return {
+    staticKey:
+      ssmCache.values[`/${process.env.NODE_ENV}/twilio/${accountSid}/static_key`]
+        ?.value || '',
+    authToken:
+      ssmCache.values[`/${process.env.NODE_ENV}/twilio/${accountSid}/auth_token`]
+        ?.value || '',
+    permissionConfig:
+      ssmCache.values[`/${process.env.NODE_ENV}/config/${accountSid}/permission_config`]
+        ?.value || '',
+  };
+};

hrm-domain/hrm-core/contact-job/client-sqs.ts

@@ -19,10 +19,9 @@ import {
   receiveSqsMessage,
   sendSqsMessage,
 } from '@tech-matters/sqs-client';
-import { getSsmParameter } from '../config/ssmCache';
 
 import type { PublishToContactJobsTopicParams } from '@tech-matters/types';
-import { SsmParameterNotFound } from '@tech-matters/ssm-cache';
+import { SsmParameterNotFound, getSsmParameter } from '@tech-matters/ssm-cache';
 
 const COMPLETED_QUEUE_SSM_PATH = `/${process.env.NODE_ENV}/${
   process.env.AWS_REGION ?? process.env.AWS_DEFAULT_REGION

hrm-domain/hrm-core/contact-job/contact-job-publish.ts

@@ -22,8 +22,7 @@ import {
 } from './contact-job-data-access';
 import { publishToContactJobs } from './client-sqs';
 import { assertExhaustive, ContactJobType } from '@tech-matters/types';
-import { getSsmParameter } from '../config/ssmCache';
-import { SsmParameterNotFound } from '@tech-matters/ssm-cache';
+import { SsmParameterNotFound, getSsmParameter } from '@tech-matters/ssm-cache';
 
 export const publishRetrieveContactTranscript = (
   contactJob: RetrieveContactTranscriptJob,

hrm-domain/hrm-core/contact/canPerformContactAction.ts

@@ -110,7 +110,6 @@ const canPerformActionOnContact = (
             const accountSid = user.accountSid;
             const twilioClient = await getClient({
               accountSid,
-              authToken: process.env[`TWILIO_AUTH_TOKEN_${accountSid}`],
             });
             const isTransferTarget = await isTwilioTaskTransferTarget(
               twilioClient,

hrm-domain/hrm-core/notifications/entityChangeNotify.ts

@@ -15,12 +15,11 @@
  */
 
 import { sendSqsMessage } from '@tech-matters/sqs-client';
-import { getSsmParameter } from '../config/ssmCache';
+import { SsmParameterNotFound, getSsmParameter } from '@tech-matters/ssm-cache';
 import { IndexMessage } from '@tech-matters/hrm-search-config';
 import { CaseService, Contact } from '@tech-matters/hrm-types';
 import { AccountSID, HrmAccountId } from '@tech-matters/types';
 import { publishSns, PublishSnsParams } from '@tech-matters/sns-client';
-import { SsmParameterNotFound } from '@tech-matters/ssm-cache';
 import { NotificationOperation } from '@tech-matters/hrm-types';
 
 type DeleteNotificationPayload = {

hrm-domain/hrm-core/permissions/index.ts

@@ -38,7 +38,7 @@ declare global {
 const canCache: Record<string, InitializedCan> = {};
 
 export type Permissions = {
-  rules: (accountSid: AccountSID) => RulesFile;
+  rules: (accountSid: AccountSID) => Promise<RulesFile>;
   cachePermissions: boolean;
 };
 
@@ -54,10 +54,10 @@ export const applyPermissions = (req: Request, initializedCan: InitializedCan) =
 };
 
 export const setupPermissions =
-  (lookup: Permissions) => (req: Request, res: Response, next: NextFunction) => {
+  (lookup: Permissions) => async (req: Request, res: Response, next: NextFunction) => {
     const { accountSid } = <TwilioUser>(<any>req).user;
 
-    const accountRules = lookup.rules(accountSid);
+    const accountRules = await lookup.rules(accountSid);
     if (lookup.cachePermissions) {
       canCache[accountSid] = canCache[accountSid] ?? initializeCanForRules(accountRules);
       const initializedCan = canCache[accountSid];

hrm-domain/hrm-core/permissions/json-permissions.ts

@@ -14,41 +14,54 @@
  * along with this program.  If not, see https://www.gnu.org/licenses/.
  */
 
+import { getFromSSMCache } from '../config/ssm-cache';
 import { rulesMap } from './rulesMap';
 import { Permissions } from './index';
 import { AccountSID } from '@tech-matters/types';
 
-export const getPermissionsConfigName = (accountSid: AccountSID) => {
+export const getPermissionsConfigName = async (accountSid: AccountSID) => {
   const permissionsKey = `PERMISSIONS_${accountSid}`;
 
-  const permissionsConfigName = process.env[permissionsKey];
+  if (process.env[permissionsKey]) {
+    const permissionConfig = process.env[permissionsKey];
 
-  if (!permissionsConfigName)
-    throw new Error(`No permissions set for account ${accountSid}.`);
+    if (!rulesMap[permissionConfig])
+      throw new Error(
+        `Permissions rules with name ${permissionConfig} missing in rules map.`,
+      );
 
-  if (!rulesMap[permissionsConfigName])
+    return permissionConfig;
+  }
+
+  const { permissionConfig } = await getFromSSMCache(accountSid);
+
+  if (!permissionConfig) throw new Error(`No permissions set for account ${accountSid}.`);
+
+  if (!rulesMap[permissionConfig])
     throw new Error(
-      `Permissions rules with name ${permissionsConfigName} missing in rules map.`,
+      `Permissions rules with name ${permissionConfig} missing in rules map.`,
     );
 
-  return permissionsConfigName;
+  return permissionConfig;
 };
 
 /**
  * @throws Will throw if there is no env var set for PERMISSIONS_${accountSid} or if it's an invalid key in rulesMap
  */
 export const jsonPermissions: Permissions = {
-  rules: (accountSid: AccountSID) => {
-    const permissionsConfigName = getPermissionsConfigName(accountSid);
+  rules: async (accountSid: AccountSID) => {
+    const permissionConfig = await getPermissionsConfigName(accountSid);
 
-    const rules = rulesMap[permissionsConfigName];
-    if (!rules) throw new Error(`Cannot find rules for ${permissionsConfigName}`);
+    const rules = rulesMap[permissionConfig];
+    if (!rules) throw new Error(`Cannot find rules for ${permissionConfig}`);
     return rules;
   },
   cachePermissions: true,
 };
 
 export const openPermissions: Permissions = {
-  rules: () => rulesMap.open,
+  rules: () => Promise.resolve(rulesMap.open),
   cachePermissions: true,
 };
+
+export const openRules = rulesMap.open;

hrm-domain/hrm-core/permissions/permissions-routes-v0.ts

@@ -27,24 +27,28 @@ import { TResult, newErr, isErr, newOk, mapHTTPError } from '@tech-matters/types
 
 export default (permissions: Permissions) => {
   const permissionsRouter = SafeRouter();
-  permissionsRouter.get('/', publicEndpoint, (req: Request, res: Response, next) => {
-    try {
-      const { accountSid } = req.user;
-      if (!permissions.rules) {
-        return next(
-          createError(
-            400,
-            'Reading rules is not supported by the permissions implementation being used by this instance of the HRM service.',
-          ),
-        );
-      }
-      const rules = permissions.rules(accountSid);
+  permissionsRouter.get(
+    '/',
+    publicEndpoint,
+    async (req: Request, res: Response, next) => {
+      try {
+        const { accountSid } = req.user;
+        if (!permissions.rules) {
+          return next(
+            createError(
+              400,
+              'Reading rules is not supported by the permissions implementation being used by this instance of the HRM service.',
+            ),
+          );
+        }
+        const rules = await permissions.rules(accountSid);
 
-      res.json(rules);
-    } catch (error) {
-      return next(createError(500, error.message));
-    }
-  });
+        res.json(rules);
+      } catch (error) {
+        return next(createError(500, error.message));
+      }
+    },
+  );
 
   const parseActionGetPayload = ({
     objectType,