specify alarm conditions, improve readability of policy allowing lambda to send emails using SES

cemms1 · cemms1 · commit ba9e381d3654 · 2026-01-06T16:43:22.000Z
diff --git a/ab-testing/cdk/lib/__snapshots__/notificationLambda.test.ts.snap b/ab-testing/cdk/lib/__snapshots__/notificationLambda.test.ts.snap
@@ -265,7 +265,10 @@ exports[`The AB testing notification lambda stack > matches the CODE snapshot 1`
               }
             },
             {
-              "Action": "ses:SendEmail",
+              "Action": [
+                "ses:SendEmail",
+                "ses:SendRawEmail"
+              ],
               "Effect": "Allow",
               "Resource": {
                 "Fn::Join": [
@@ -383,9 +386,10 @@ exports[`The AB testing notification lambda stack > matches the CODE snapshot 1`
             ]
           }
         ],
-        "AlarmDescription": "Something went wrong notifying test owners of upcoming AB test expiries in the CODE AB Testing Notification Lambda. Please check the logs",
-        "AlarmName": "AB Testing Notification Lambda Failures",
+        "AlarmDescription": "Something went wrong notifying test owners of upcoming AB test expiries in ab-testing-notification-lambda-CODE. Please check the logs",
+        "AlarmName": "AB Testing Notification Failures",
         "ComparisonOperator": "GreaterThanThreshold",
+        "DatapointsToAlarm": 1,
         "EvaluationPeriods": 1,
         "Metrics": [
           {
@@ -445,26 +449,6 @@ exports[`The AB testing notification lambda stack > matches the CODE snapshot 1`
             "ReturnData": false
           }
         ],
-        "OKActions": [
-          {
-            "Fn::Join": [
-              "",
-              [
-                "arn:aws:sns:eu-west-1:",
-                {
-                  "Ref": "AWS::AccountId"
-                },
-                ":",
-                {
-                  "Fn::GetAtt": [
-                    "AbTestingNotificationSnsTopicB3559144",
-                    "TopicName"
-                  ]
-                }
-              ]
-            ]
-          }
-        ],
         "Tags": [
           {
             "Key": "gu:cdk:version",
@@ -775,7 +759,10 @@ exports[`The AB testing notification lambda stack > matches the PROD snapshot 1`
               }
             },
             {
-              "Action": "ses:SendEmail",
+              "Action": [
+                "ses:SendEmail",
+                "ses:SendRawEmail"
+              ],
               "Effect": "Allow",
               "Resource": {
                 "Fn::Join": [
@@ -953,9 +940,10 @@ exports[`The AB testing notification lambda stack > matches the PROD snapshot 1`
             ]
           }
         ],
-        "AlarmDescription": "Something went wrong notifying test owners of upcoming AB test expiries in the PROD AB Testing Notification Lambda. Please check the logs",
-        "AlarmName": "AB Testing Notification Lambda Failures",
+        "AlarmDescription": "Something went wrong notifying test owners of upcoming AB test expiries in ab-testing-notification-lambda-PROD. Please check the logs",
+        "AlarmName": "AB Testing Notification Failures",
         "ComparisonOperator": "GreaterThanThreshold",
+        "DatapointsToAlarm": 1,
         "EvaluationPeriods": 1,
         "Metrics": [
           {
@@ -1015,26 +1003,6 @@ exports[`The AB testing notification lambda stack > matches the PROD snapshot 1`
             "ReturnData": false
           }
         ],
-        "OKActions": [
-          {
-            "Fn::Join": [
-              "",
-              [
-                "arn:aws:sns:eu-west-1:",
-                {
-                  "Ref": "AWS::AccountId"
-                },
-                ":",
-                {
-                  "Fn::GetAtt": [
-                    "AbTestingNotificationSnsTopicB3559144",
-                    "TopicName"
-                  ]
-                }
-              ]
-            ]
-          }
-        ],
         "Tags": [
           {
             "Key": "gu:cdk:version",
diff --git a/ab-testing/cdk/lib/notificationLambda.ts b/ab-testing/cdk/lib/notificationLambda.ts
@@ -4,9 +4,8 @@ import {
 	type GuStackProps,
 } from "@guardian/cdk/lib/constructs/core/stack.js";
 import { GuEmailIdentity } from "@guardian/cdk/lib/constructs/ses/index.js";
-import type { App } from "aws-cdk-lib";
+import { type App, Duration } from "aws-cdk-lib";
 import { Schedule } from "aws-cdk-lib/aws-events";
-import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";
 import { Runtime } from "aws-cdk-lib/aws-lambda";
 import { Subscription, SubscriptionProtocol, Topic } from "aws-cdk-lib/aws-sns";
 
@@ -61,9 +60,11 @@ export class AbTestingNotificationLambda extends GuStack {
 				monitoringConfiguration: {
 					snsTopicName: snsTopic.topicName,
 					toleratedErrorPercentage: 0,
-					alarmName: "AB Testing Notification Lambda Failures",
-					alarmDescription: `Something went wrong notifying test owners of upcoming AB test expiries in the ${props.stage} AB Testing Notification Lambda. Please check the logs`,
-					okAction: true,
+					alarmName: "AB Testing Notification Failures",
+					alarmDescription: `Something went wrong notifying test owners of upcoming AB test expiries in ${appName}-${props.stage}. Please check the logs`,
+					lengthOfEvaluationPeriod: Duration.minutes(1),
+					numberOfEvaluationPeriodsAboveThresholdBeforeAlarm: 1,
+					datapointsToAlarm: 1,
 				},
 				runtime: Runtime.NODEJS_22_X,
 				environment: {
@@ -73,12 +74,6 @@ export class AbTestingNotificationLambda extends GuStack {
 			},
 		);
 
-		lambda.addToRolePolicy(
-			new PolicyStatement({
-				effect: Effect.ALLOW,
-				actions: ["ses:SendEmail"],
-				resources: [emailIdentity.emailIdentityArn],
-			}),
-		);
+		emailIdentity.grantSendEmail(lambda);
 	}
 }
