From 4437d60dd7da82eba14628c23c5b04dfcf09bbf5 Mon Sep 17 00:00:00 2001
From: David McDonald
Date: Mon, 12 Apr 2021 15:27:47 +0100
Subject: [PATCH] Only give broadcasts worker IAM creds for CBC proxy

There is no need to give it to any of the other workers and so the fewer instances that have these creds the better.

You can verify this works by running
```
CF_APP=notify-api CF_SPACE=preview make generate-manifest
```
vs
```
CF_APP=notify-delivery-worker-broadcasts CF_SPACE=preview make generate-manifest
```
---
 manifest.yml.j2 | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/manifest.yml.j2 b/manifest.yml.j2
index 3acd561d8..59401d31f 100644
--- a/manifest.yml.j2
+++ b/manifest.yml.j2
@@ -67,6 +67,8 @@
 'notify-delivery-worker-broadcasts': {
 'additional_env_vars': {
 'CELERYD_PREFETCH_MULTIPLIER': 1,
+ 'CBC_PROXY_AWS_ACCESS_KEY_ID': CBC_PROXY_AWS_ACCESS_KEY_ID,
+ 'CBC_PROXY_AWS_SECRET_ACCESS_KEY': CBC_PROXY_AWS_SECRET_ACCESS_KEY,
 }
 },
 'notify-delivery-worker-receipts': {},
@@ -127,11 +129,6 @@ applications:
 AWS_ACCESS_KEY_ID: '{{ AWS_ACCESS_KEY_ID }}'
 AWS_SECRET_ACCESS_KEY: '{{ AWS_SECRET_ACCESS_KEY }}'
- {% if CBC_PROXY_AWS_ACCESS_KEY_ID is defined %}
- CBC_PROXY_AWS_ACCESS_KEY_ID: '{{ CBC_PROXY_AWS_ACCESS_KEY_ID }}'
- CBC_PROXY_AWS_SECRET_ACCESS_KEY: '{{ CBC_PROXY_AWS_SECRET_ACCESS_KEY }}'
- {% endif %}
-
 STATSD_HOST: "notify-statsd-exporter-{{ environment }}.apps.internal"
 ZENDESK_API_KEY: '{{ ZENDESK_API_KEY }}'
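Review bot: The two entries added under `'notify-delivery-worker-broadcasts'` reference `CBC_PROXY_AWS_ACCESS_KEY_ID` and `CBC_PROXY_AWS_SECRET_ACCESS_KEY` unconditionally, whereas the block this commit removes from `applications:` was guarded by `{% if CBC_PROXY_AWS_ACCESS_KEY_ID is defined %}`. Where those variables are not supplied, the outcome now depends on the renderer's undefined handling, which is not visible here: presumably either the render fails for every `CF_APP` (the dict literal is evaluated whichever app is selected) or the broadcasts worker is deployed with empty credentials. I would either confirm they are defined in every space and say so in a template comment before the dict, e.g. `{# CBC_PROXY_AWS_* must be defined in every environment; only the broadcasts worker receives them #}`, or build the two entries conditionally. The removed lines single-quoted the values, so also check that the code emitting `additional_env_vars` (outside this hunk) quotes them, so a secret is never retyped or mis-parsed as YAML. The dict this hunk edits starts and ends outside the hunk.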