Use credentials output by terraform/development

.github/workflows/checks.yml

@@ -13,7 +13,6 @@ env:
   WERKZEUG_DEBUG_PIN: off
   REDIS_ENABLED: 0
   NODE_VERSION: 16.15.1
-  AWS_REGION: us-west-2
 
 jobs:
   build:

.github/workflows/daily_checks.yml

@@ -17,7 +17,6 @@ env:
   WERKZEUG_DEBUG_PIN: off
   REDIS_ENABLED: 0
   NODE_VERSION: 16.15.1
-  AWS_REGION: us-west-2
 
 jobs:
   dependency-audits:

app/config.py

@@ -74,12 +74,12 @@ class Config(object):
     }
 
 
-def _default_s3_credentials(bucket_name):
+def _s3_credentials_from_env(bucket_prefix):
     return {
-        'bucket': bucket_name,
-        'access_key_id': getenv('AWS_ACCESS_KEY_ID'),
-        'secret_access_key': getenv('AWS_SECRET_ACCESS_KEY'),
-        'region': getenv('AWS_REGION')
+        'bucket': getenv(f"{bucket_prefix}_BUCKET_NAME", f"{bucket_prefix}-test-bucket-name"),
+        'access_key_id': getenv(f"{bucket_prefix}_AWS_ACCESS_KEY_ID"),
+        'secret_access_key': getenv(f"{bucket_prefix}_AWS_SECRET_ACCESS_KEY"),
+        'region': getenv(f"{bucket_prefix}_AWS_REGION")
     }
 
 
@@ -93,9 +93,9 @@ class Development(Config):
     ASSET_PATH = '/static/'
 
     # Buckets
-    CSV_UPLOAD_BUCKET = _default_s3_credentials('local-notifications-csv-upload')
-    CONTACT_LIST_BUCKET = _default_s3_credentials('local-contact-list')
-    LOGO_UPLOAD_BUCKET = _default_s3_credentials('local-public-logos-tools')
+    CSV_UPLOAD_BUCKET = _s3_credentials_from_env('CSV')
+    CONTACT_LIST_BUCKET = _s3_credentials_from_env('CONTACT')
+    LOGO_UPLOAD_BUCKET = _s3_credentials_from_env('LOGO')
 
     # credential overrides
     DANGEROUS_SALT = 'development-notify-salt'
@@ -115,11 +115,6 @@ class Test(Development):
     REDIS_URL = 'redis://you-forgot-to-mock-a-redis-call-to'
     LOGO_CDN_DOMAIN = 'static-logos.test.com'
 
-    # Buckets
-    CSV_UPLOAD_BUCKET = _default_s3_credentials('test-csv-upload')
-    CONTACT_LIST_BUCKET = _default_s3_credentials('test-contact-list')
-    LOGO_UPLOAD_BUCKET = _default_s3_credentials('test-logo-upload')
-
 
 class Production(Config):
     HEADER_COLOUR = '#005EA5'  # $govuk-blue

tests/app/main/views/uploads/test_upload_contact_list.py

@@ -1,6 +1,5 @@
 import uuid
 from io import BytesIO
-from os import getenv
 from unittest.mock import ANY
 
 import pytest
@@ -178,6 +177,7 @@ def test_upload_contact_list_page(client_request):
 def test_upload_csv_file_shows_error_banner(
     client_request,
     mocker,
+    notify_admin,
     mock_s3_upload,
     mock_get_job_doesnt_exist,
     mock_get_users_by_service,
@@ -205,13 +205,14 @@ def test_upload_csv_file_shows_error_banner(
         _data={'file': (BytesIO(''.encode('utf-8')), 'invalid.csv')},
         _follow_redirects=True,
     )
+    bucket_creds = notify_admin.config['CONTACT_LIST_BUCKET']
     mock_upload.assert_called_once_with(
         filedata='',
-        region='us-west-2',
-        bucket_name='test-contact-list',
+        region=bucket_creds['region'],
+        bucket_name=bucket_creds['bucket'],
         file_location=f"service-{SERVICE_ONE_ID}-notify/{fake_uuid}.csv",
-        access_key=getenv('AWS_ACCESS_KEY_ID'),
-        secret_key=getenv('AWS_SECRET_ACCESS_KEY'),
+        access_key=bucket_creds['access_key_id'],
+        secret_key=bucket_creds['secret_access_key'],
     )
     mock_set_metadata.assert_called_once_with(
         ANY,

tests/app/s3_client/test_s3_logo_client.py

@@ -1,5 +1,4 @@
 from collections import namedtuple
-from os import getenv
 from unittest.mock import call
 
 import pytest
@@ -14,21 +13,10 @@ from app.s3_client.s3_logo_client import (
     upload_email_logo,
 )
 
-default_access_key = getenv('AWS_ACCESS_KEY_ID')
-default_secret_key = getenv('AWS_SECRET_ACCESS_KEY')
-default_region = getenv('AWS_REGION')
-bucket = 'test_bucket'
-bucket_credentials = {
-    'bucket': bucket,
-    'access_key_id': default_access_key,
-    'secret_access_key': default_secret_key,
-    'region': default_region
-}
 data = {'data': 'some_data'}
 filename = 'test.png'
 svg_filename = 'test.svg'
 upload_id = 'test_uuid'
-region = 'us-west-2'
 
 
 @pytest.fixture
@@ -37,26 +25,29 @@ def upload_filename(fake_uuid):
         temp=TEMP_TAG.format(user_id=fake_uuid), unique_id=upload_id, filename=filename)
 
 
-def test_upload_email_logo_calls_correct_args(client_request, mocker, fake_uuid, upload_filename):
+@pytest.fixture
+def bucket_credentials(notify_admin):
+    return notify_admin.config['LOGO_UPLOAD_BUCKET']
+
+
+def test_upload_email_logo_calls_correct_args(client_request, mocker, bucket_credentials, fake_uuid, upload_filename):
     mocker.patch('uuid.uuid4', return_value=upload_id)
-    mocker.patch.dict('flask.current_app.config', {'LOGO_UPLOAD_BUCKET': bucket_credentials})
     mocked_s3_upload = mocker.patch('app.s3_client.s3_logo_client.utils_s3upload')
 
     upload_email_logo(filename=filename, user_id=fake_uuid, filedata=data)
 
     mocked_s3_upload.assert_called_once_with(
         filedata=data,
-        region=region,
+        region=bucket_credentials['region'],
         file_location=upload_filename,
-        bucket_name=bucket,
+        bucket_name=bucket_credentials['bucket'],
         content_type='image/png',
-        access_key=default_access_key,
-        secret_key=default_secret_key,
+        access_key=bucket_credentials['access_key_id'],
+        secret_key=bucket_credentials['secret_access_key'],
     )
 
 
-def test_persist_logo(client_request, mocker, fake_uuid, upload_filename):
-    mocker.patch.dict('flask.current_app.config', {'LOGO_UPLOAD_BUCKET': bucket_credentials})
+def test_persist_logo(client_request, bucket_credentials, mocker, fake_uuid, upload_filename):
     mocked_get_s3_object = mocker.patch('app.s3_client.s3_logo_client.get_s3_object')
     mocked_delete_s3_object = mocker.patch('app.s3_client.s3_logo_client.delete_s3_object')
 
@@ -65,7 +56,11 @@ def test_persist_logo(client_request, mocker, fake_uuid, upload_filename):
     persist_logo(upload_filename, new_filename)
 
     mocked_get_s3_object.assert_called_once_with(
-        bucket, new_filename, default_access_key, default_secret_key, default_region)
+        bucket_credentials['bucket'],
+        new_filename,
+        bucket_credentials['access_key_id'],
+        bucket_credentials['secret_access_key'],
+        bucket_credentials['region'])
     mocked_delete_s3_object.assert_called_once_with(upload_filename)