[registration-cleaning-worker] Use dedicated security group for accessing Postgres

jacobwinch · jacobwinch · commit 146259b1d808 · 2026-02-26T16:28:28.000Z
diff --git a/notificationworkerlambda/registration-cleaning-worker-cfn.yaml b/notificationworkerlambda/registration-cleaning-worker-cfn.yaml
@@ -32,6 +32,12 @@ Parameters:
   FullyQualifiedHandler:
     Description: The full name of the handler, including path, class name and method
     Type: String
+  DbAccessSecurityGroup:
+    Description: Security group which grants access to Postgres (the stage-specific parameter store name is injected by Riff-Raff)
+    Type: AWS::SSM::Parameter::Value<AWS::EC2::SecurityGroup::Id>
+    AllowedValues:
+      - /CODE/mobile-notifications/registrations-db/postgres-access-security-group
+      - /PROD/mobile-notifications/registrations-db/postgres-access-security-group
 
 Resources:
 
@@ -150,7 +156,7 @@ Resources:
       VpcConfig:
         SecurityGroupIds:
           - !GetAtt LambdaSecurityGroup.GroupId
-          - !ImportValue NotificationsDefaultSecurityGroup-NotificationsMainSecurityGroup
+          - !Ref DbAccessSecurityGroup
         SubnetIds: !Ref VpcSubnets
       Tags:
         - Key: Stage
diff --git a/notificationworkerlambda/riff-raff.yaml b/notificationworkerlambda/riff-raff.yaml
@@ -37,6 +37,11 @@ deployments:
       prependStackToCloudFormationStackName: false
       cloudFormationStackName: registration-cleaning-worker-cfn
       templatePath: registration-cleaning-worker-cfn.yaml
+      templateStageParameters:
+        CODE:
+          DbAccessSecurityGroup: /CODE/mobile-notifications/registrations-db/postgres-access-security-group
+        PROD:
+          DbAccessSecurityGroup: /PROD/mobile-notifications/registrations-db/postgres-access-security-group
   mobile-notifications-expired-registration-cleaner-cfn:
     type: cloud-formation
     app: expired-registration-cleaner
