ONS-Innovation
diff --git a/‎README.md‎
Lines changed: 42 additions & 20 deletions b/‎README.md‎
Lines changed: 42 additions & 20 deletions
diff --git a/‎poetry.lock‎
Lines changed: 5 additions & 5 deletions b/‎poetry.lock‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎terraform/main.tf‎
Lines changed: 14 additions & 56 deletions b/‎terraform/main.tf‎
Lines changed: 14 additions & 56 deletions
diff --git a/‎terraform/secrets.tf‎
Lines changed: 0 additions & 14 deletions b/‎terraform/secrets.tf‎
Lines changed: 0 additions & 14 deletions
@@ -95,23 +95,39 @@ To run the Lambda function outside of a container, we need to execute the `handl
 
    **Please Note:** If uncommenting the above in `main.py`, make sure you re-comment the code _before_ pushing back to GitHub.
 
-2. Export the required environment variables:
+2. Sign in with AWS SSO, and export the correct profile for this service:
 
-   ```bash
-   export AWS_ACCESS_KEY_ID=<aws_access_key_id>
-   export AWS_SECRET_ACCESS_KEY=<aws_secret_access_key>
-   export AWS_DEFAULT_REGION=eu-west-2
-   export AWS_SECRET_NAME=<aws_secret_name>
-   export GITHUB_ORG=ONSDigital
-   export GITHUB_APP_CLIENT_ID=<github_app_client_id>
-   export AWS_ACCOUNT_NAME=<sdp-dev/sdp-prod>
-   ```
+    ```bash
+    aws sso login
 
-3. Run the script.
+    export AWS_PROFILE=github-copilot-usage-lambda
+    ```
 
-   ```bash
-   python3 src/main.py
-   ```
+    This allows you to assume the AWS IAM role for the service, enabling the most secure development experience. This also means you will have limited permissions until you exit out of the profile.
+
+    **Note:** See the Developer Onboarding Guide on the "Using AWS SSO for Local Development" page on Confluence to set up service profile selection on your local machine.
+
+3. Export the required environment variables:
+
+    ```bash
+    export AWS_DEFAULT_REGION=eu-west-2
+    export AWS_SECRET_NAME=<aws_secret_name>
+    export AWS_ACCOUNT_NAME=<sdp-dev/sdp-prod>
+    export GITHUB_ORG=ONSDigital
+    export GITHUB_APP_CLIENT_ID=<github_app_client_id>
+    ```
+
+4. Run the script.
+
+    ```bash
+    python3 src/main.py
+    ```
+
+5. To exit the profile:
+
+    ```bash
+    unset AWS_PROFILE
+    ```
 
 ### Running in a container
 
@@ -133,14 +149,20 @@ To run the Lambda function outside of a container, we need to execute the `handl
    | --------------------------- | ------ | ------------ | -------------- | ----- |
    | copilot-usage-lambda-script | latest | 0bbe73d9256f | 11 seconds ago | 224MB |
 
-3. Run the image locally mapping local host port (9000) to container port (8080) and passing in AWS credentials to download a .pem file from the AWS Secrets Manager to the running container. These credentials will also be used to upload and download `historic_usage_data.json` to and from S3.
+3. Sign in with AWS SSO:
+
+   ```bash
+   aws sso login
+   ```
+
+   **Note:** See the Developer Onboarding Guide on the "Using AWS SSO for Local Development" page on Confluence to set up service profile selection on your local machine. This is essential as the `~/.aws` directory is mounted to the container, so it can use the SSO session for AWS authentication.
 
-   The credentials used in the below command are for a user in AWS that has permissions to retrieve secrets from AWS Secrets Manager and upload and download files from AWS S3.
+4. Run the image locally mapping local host port (9000) to container port (8080).
 
    ```bash
    docker run --platform linux/amd64 -p 9000:8080 \
-   -e AWS_ACCESS_KEY_ID=<aws_access_key_id> \
-   -e AWS_SECRET_ACCESS_KEY=<aws_secret_access_key> \
+   -v ~/.aws:/root/.aws \
+   -e AWS_PROFILE=github-copilot-usage-lambda \
    -e AWS_DEFAULT_REGION=eu-west-2 \
    -e AWS_SECRET_NAME=<aws_secret_name> \
    -e GITHUB_ORG=ONSDigital \
@@ -151,15 +173,15 @@ To run the Lambda function outside of a container, we need to execute the `handl
 
    Once the container is running, a local endpoint is created at `localhost:9000/2015-03-31/functions/function/invocations`.
 
-4. Post to the endpoint to trigger the function
+5. Post to the endpoint to trigger the function
 
    ```bash
    curl "http://localhost:9000/2015-03-31/functions/function/invocations" -d '{}'
    ```
 
    This should return a message if successful.
 
-5. Once testing is finished, stop the running container
+6. Once testing is finished, stop the running container
 
    To check the container is running
 
 
@@ -73,6 +73,20 @@ resource "aws_iam_role" "lambda_function_role" {
         Principal = {
           Service = "lambda.amazonaws.com"
         }
+      },
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${var.aws_account_id}:root"
+        }
+        Condition = {
+          ArnLike = {
+            "aws:PrincipalArn" = [
+              "arn:aws:iam::${var.aws_account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_Standard_Administrator_Access_*"
+            ]
+          }
+        }
       }
     ]
   })
@@ -138,59 +152,3 @@ resource "aws_cloudwatch_log_group" "loggroup" {
   name              = "/aws/lambda/${aws_lambda_function.lambda_function.function_name}"
   retention_in_days = var.log_retention_days
 }
-
-# IAM User Group
-resource "aws_iam_group" "group" {
-  name = "${var.env_name}-${var.lambda_name}-user-group"
-  path = "/"
-}
-
-resource "aws_iam_group_policy_attachment" "group_vpc_permissions_attachment" {
-  group      = aws_iam_group.group.name
-  policy_arn = aws_iam_policy.vpc_permissions.arn
-}
-
-resource "aws_iam_group_policy_attachment" "group_lambda_logging_attachment" {
-  group      = aws_iam_group.group.name
-  policy_arn = aws_iam_policy.lambda_logging.arn
-}
-
-resource "aws_iam_group_policy_attachment" "group_lambda_s3_policy_attachment" {
-  group      = aws_iam_group.group.name
-  policy_arn = aws_iam_policy.lambda_s3_policy.arn
-}
-
-resource "aws_iam_group_policy_attachment" "group_lambda_secret_manager_policy_attachment" {
-  group      = aws_iam_group.group.name
-  policy_arn = aws_iam_policy.lambda_secret_manager_policy.arn
-}
-
-resource "aws_iam_group_policy_attachment" "group_lambda_eventbridge_policy_attachment" {
-  group      = aws_iam_group.group.name
-  policy_arn = aws_iam_policy.lambda_eventbridge_policy.arn
-}
-
-# IAM User
-resource "aws_iam_user" "user" {
-  name = "${var.env_name}-${var.lambda_name}"
-  path = "/"
-}
-
-# Assign IAM User to group
-resource "aws_iam_user_group_membership" "user_group_attach" {
-  user = aws_iam_user.user.name
-
-  groups = [
-    aws_iam_group.group.name
-  ]
-}
-
-# IAM Key Rotation Module
-module "iam_key_rotation" {
-  source = "git::https://github.com/ONS-Innovation/keh-aws-iam-key-rotation.git?ref=v0.1.1"
-
-  iam_username          = aws_iam_user.user.name
-  access_key_secret_arn = aws_secretsmanager_secret.access_key.arn
-  secret_key_secret_arn = aws_secretsmanager_secret.secret_key.arn
-  rotation_in_days      = 45
-}