Fixed database credential retrieval

infrastructure/stack.py

@@ -7,6 +7,7 @@ from aws_cdk import (
     aws_iam as iam,
     aws_cognito as cognito,
     aws_rds as rds,
+    aws_ssm as ssm,
     CfnOutput
 )
 from constructs import Construct
@@ -224,13 +225,32 @@ class IptvUpdaterStack(Stack):
             )
         )
 
-        # Update instance with userdata and DB connection info
-        userdata.add_commands(
-            f'echo "DB_HOST={db.db_instance_endpoint_address}" >> /etc/environment',
-            f'echo "DB_NAME=iptv_updater" >> /etc/environment',
-            f'echo "DB_USER={db.secret.secret_value_from_json("username").to_string()}" >> /etc/environment',
-            f'echo "DB_PASSWORD={db.secret.secret_value_from_json("password").to_string()}" >> /etc/environment'
+        # Store DB connection info in SSM Parameter Store
+        ssm.StringParameter(self, "DBHostParam",
+            parameter_name="/iptv-updater/DB_HOST",
+            string_value=db.db_instance_endpoint_address
         )
+        ssm.StringParameter(self, "DBNameParam",
+            parameter_name="/iptv-updater/DB_NAME",
+            string_value="iptv_updater"
+        )
+        ssm.StringParameter(self, "DBUserParam",
+            parameter_name="/iptv-updater/DB_USER",
+            string_value=db.secret.secret_value_from_json("username").to_string()
+        )
+        ssm.StringParameter(self, "DBPassParam",
+            parameter_name="/iptv-updater/DB_PASSWORD",
+            string_value=db.secret.secret_value_from_json("password").to_string()
+        )
+
+        # Add SSM read permissions to instance role
+        role.add_managed_policy(
+            iam.ManagedPolicy.from_aws_managed_policy_name(
+                "AmazonSSMReadOnlyAccess"
+            )
+        )
+
+        # Update instance with userdata
         instance.add_user_data(userdata.render())
 
         # Outputs