feat: Update registrations to use new database access security group

akash1810 · JuliaBrigitte · akash1810 · commit f286f556a620 · 2026-01-22T15:26:41.000Z
Co-authored-by: Julia &lt;JuliaBrigitte@users.noreply.github.com&gt;
diff --git a/cdk/lib/__snapshots__/registration.test.ts.snap b/cdk/lib/__snapshots__/registration.test.ts.snap
@@ -64,6 +64,14 @@ exports[`The Registration stack matches the snapshot for CODE 1`] = `
       "Description": "ACM Certificate for app use",
       "Type": "String",
     },
+    "DatabaseAccessSecurityGroup": {
+      "AllowedValues": [
+        "/CODE/mobile-notifications/registrations-db/postgres-access-security-group",
+        "/PROD/mobile-notifications/registrations-db/postgres-access-security-group",
+      ],
+      "Description": "The security group that allows access to the database",
+      "Type": "AWS::SSM::Parameter::Value<AWS::EC2::SecurityGroup::Id>",
+    },
     "DistBucket": {
       "Description": "The name of the s3 bucket containing the server artifact",
       "Type": "String",
@@ -112,10 +120,6 @@ exports[`The Registration stack matches the snapshot for CODE 1`] = `
       "Description": "Environment name",
       "Type": "String",
     },
-    "VPCSecurityGroup": {
-      "Description": "The default security group of the VPC",
-      "Type": "AWS::EC2::SecurityGroup::Id",
-    },
     "VpcId": {
       "Description": "The VPC",
       "Type": "AWS::EC2::VPC::Id",
@@ -795,7 +799,7 @@ exports[`The Registration stack matches the snapshot for CODE 1`] = `
             "Ref": "InstanceSecurityGroup",
           },
           {
-            "Ref": "VPCSecurityGroup",
+            "Ref": "DatabaseAccessSecurityGroup",
           },
         ],
         "UserData": {
@@ -917,6 +921,14 @@ exports[`The Registration stack matches the snapshot for PROD 1`] = `
       "Description": "ACM Certificate for app use",
       "Type": "String",
     },
+    "DatabaseAccessSecurityGroup": {
+      "AllowedValues": [
+        "/CODE/mobile-notifications/registrations-db/postgres-access-security-group",
+        "/PROD/mobile-notifications/registrations-db/postgres-access-security-group",
+      ],
+      "Description": "The security group that allows access to the database",
+      "Type": "AWS::SSM::Parameter::Value<AWS::EC2::SecurityGroup::Id>",
+    },
     "DistBucket": {
       "Description": "The name of the s3 bucket containing the server artifact",
       "Type": "String",
@@ -965,10 +977,6 @@ exports[`The Registration stack matches the snapshot for PROD 1`] = `
       "Description": "Environment name",
       "Type": "String",
     },
-    "VPCSecurityGroup": {
-      "Description": "The default security group of the VPC",
-      "Type": "AWS::EC2::SecurityGroup::Id",
-    },
     "VpcId": {
       "Description": "The VPC",
       "Type": "AWS::EC2::VPC::Id",
@@ -1648,7 +1656,7 @@ exports[`The Registration stack matches the snapshot for PROD 1`] = `
             "Ref": "InstanceSecurityGroup",
           },
           {
-            "Ref": "VPCSecurityGroup",
+            "Ref": "DatabaseAccessSecurityGroup",
           },
         ],
         "UserData": {
diff --git a/registration/conf/registration.yaml b/registration/conf/registration.yaml
@@ -38,9 +38,12 @@ Parameters:
     - CODE
     - PROD
     Description: Environment name
-  VPCSecurityGroup:
-    Type: AWS::EC2::SecurityGroup::Id
-    Description: The default security group of the VPC
+  DatabaseAccessSecurityGroup:
+    Type: AWS::SSM::Parameter::Value<AWS::EC2::SecurityGroup::Id>
+    Description: The security group that allows access to the database
+    AllowedValues:
+      - /CODE/mobile-notifications/registrations-db/postgres-access-security-group
+      - /PROD/mobile-notifications/registrations-db/postgres-access-security-group
   AlarmTopic:
     Type: String
     Description: The ARN of the SNS topic to send all the cloudwatch alarms to
@@ -291,7 +294,7 @@ Resources:
       InstanceType: !FindInMap [StageVariables, !Ref Stage, InstanceType]
       SecurityGroups:
       - !Ref InstanceSecurityGroup
-      - !Ref VPCSecurityGroup
+      - !Ref DatabaseAccessSecurityGroup
       MetadataOptions:
         HttpTokens: required
       UserData:
diff --git a/registration/conf/riff-raff.yaml b/registration/conf/riff-raff.yaml
@@ -16,8 +16,10 @@ deployments:
       templateStageParameters:
         CODE:
           LoggingStreamName: /account/services/logging.stream.name.code
+          DatabaseAccessSecurityGroup: /CODE/mobile-notifications/registrations-db/postgres-access-security-group
         PROD:
           LoggingStreamName: /account/services/logging.stream.name
+          DatabaseAccessSecurityGroup: /PROD/mobile-notifications/registrations-db/postgres-access-security-group
   registration:
     type: autoscaling
     parameters:
