From fafb85e212d8ccdb1f4b27a6f9424fe74d3dd2e1 Mon Sep 17 00:00:00 2001
From: Jacob Winch
Date: Thu, 26 Feb 2026 12:07:05 +0000
Subject: [PATCH] [expired-registration-cleaner] Use dedicated security group for accessing Postgres
---
 .../expired-registration-cleaner-cfn.yaml | 8 +++++++-
 notificationworkerlambda/riff-raff.yaml | 5 +++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/notificationworkerlambda/expired-registration-cleaner-cfn.yaml b/notificationworkerlambda/expired-registration-cleaner-cfn.yaml
index 171ffd19f..00ec54afe 100644
--- a/notificationworkerlambda/expired-registration-cleaner-cfn.yaml
+++ b/notificationworkerlambda/expired-registration-cleaner-cfn.yaml
@@ -25,6 +25,12 @@ Parameters:
 VpcSubnets:
 Description: Subnets to use in the VPC
 Type: List
+ DbAccessSecurityGroup:
+ Description: Security group which grants access to Postgres (the stage-specific parameter store name is injected by Riff-Raff)
+ Type: AWS::SSM::Parameter::Value
+ AllowedValues:
+ - /CODE/mobile-notifications/registrations-db/postgres-access-security-group
+ - /PROD/mobile-notifications/registrations-db/postgres-access-security-group
 Resources:
 ExecutionRole:
 Type: AWS::IAM::Role
@@ -100,7 +106,7 @@ Resources:
 Timeout: 60
 VpcConfig:
 SecurityGroupIds:
- - !ImportValue NotificationsDefaultSecurityGroup-NotificationsMainSecurityGroup
+ - !Ref DbAccessSecurityGroup
 SubnetIds: !Ref VpcSubnets
 
 DailyEvent:
diff --git a/notificationworkerlambda/riff-raff.yaml b/notificationworkerlambda/riff-raff.yaml
index ae81ae287..96d383b07 100644
--- a/notificationworkerlambda/riff-raff.yaml
+++ b/notificationworkerlambda/riff-raff.yaml
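Review bot: The new `DbAccessSecurityGroup` parameter makes the contents of a Parameter Store entry decide which security group the function joins, and the description does not say so. Whoever can write to the two paths under `AllowedValues` can change the function's network access on the next stack update, so write access to them should be held as tightly as the template itself; a comment such as `# Resolved from Parameter Store at stack create/update; restrict write access to this path` would record that. The `Type` is shown as a bare `AWS::SSM::Parameter::Value` with no value type after it, which may only be a rendering loss; if the file really reads that way it needs one, and `<AWS::EC2::SecurityGroup::Id>` states the intent better than `<String>`. The `Parameters` block starts outside the hunk.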
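Review bot: `SecurityGroupIds` now holds only `!Ref DbAccessSecurityGroup`, so the function's outbound rules are whatever that group defines and it no longer carries `NotificationsMainSecurityGroup`. Nothing in the hunk shows the new group's egress rules, so confirm it still allows every other endpoint the function calls besides Postgres; a gap there would show up as runtime timeouts rather than as a failed deploy. The change narrows database access only once the database's ingress stops admitting the old shared group; that rule lives outside this patch and is worth a follow-up. The `VpcConfig` block belongs to a resource that starts outside the hunk.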
@@ -56,6 +56,11 @@ deployments:
 prependStackToCloudFormationStackName: false
 cloudFormationStackName: expired-registration-cleaner-cfn
 templatePath: expired-registration-cleaner-cfn.yaml
+ templateStageParameters:
+ CODE:
+ DbAccessSecurityGroup: /CODE/mobile-notifications/registrations-db/postgres-access-security-group
+ PROD:
+ DbAccessSecurityGroup: /PROD/mobile-notifications/registrations-db/postgres-access-security-group
 registrations-db-proxy-cfn:
 type: cloud-formation
 app: registrations-db-proxy
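Review bot: The two parameter paths under `templateStageParameters` repeat the `AllowedValues` list in `expired-registration-cleaner-cfn.yaml`, and nothing ties the two copies together. A mismatch presumably fails the stack update rather than attaching the wrong group, which is the safe direction, but a comment such as `# Must match AllowedValues for DbAccessSecurityGroup in expired-registration-cleaner-cfn.yaml` would save the next editor a failed deploy. Both Parameter Store entries need to exist in their stage before this change is deployed.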