add ssm safety check

sapinvoices/config.py

@@ -49,12 +49,21 @@ def configure_sentry() -> str:
 
 
 def load_config_values() -> dict:
-    result = {}
-    for setting in CONFIG:
-        result[setting] = os.getenv(setting)
-        # all settings are required in prod and stage
-        if os.getenv("WORKSPACE") in ["prod", "stage"]:
-            for setting, value in result.items():
-                if not value:
-                    raise RuntimeError(f"Required env variable {setting} is not set")
-    return result
+    settings = {}
+    for variable in CONFIG:
+        settings[variable] = os.getenv(variable)
+    # all settings are required in prod and stage
+    if os.getenv("WORKSPACE") in ["prod", "stage"]:
+        for setting, value in settings.items():
+            if not value:
+                raise RuntimeError(f"Required env variable {setting} is not set")
+    ssm_safety_check(settings)
+    return settings
+
+
+def ssm_safety_check(settings):
+    if "prod" in settings["SSM_PATH"] and settings["WORKSPACE"] != "prod":
+        raise Exception(
+            "Production SSM_PATH may ONLY be used in the production "
+            "environment. Check your env variables and try again."
+        )

tests/test_config.py

@@ -97,3 +97,14 @@ def test_dev_missing_config_values_is_ok(monkeypatch):
     monkeypatch.delenv("ALMA_API_URL", raising=False)
     settings = load_config_values()
     assert not all(settings.values())
+
+
+def test_ssm_safety_check_raises_error(monkeypatch):
+    monkeypatch.setenv("WORKSPACE", "whatever")
+    monkeypatch.setenv("SSM_PATH", "/test/example/prod")
+    with pytest.raises(Exception) as e:
+        load_config_values()
+    assert str(e.value) == (
+        "Production SSM_PATH may ONLY be used in the production environment. "
+        "Check your env variables and try again."
+    )