Merged
Changes from 1 commit
24 commits
ac7d9df
BCDA-9874: Initial Bene Prefs Implementation
mjburling Mar 5, 2026
5bb0089
Merge branch 'main' into bcda-9874
juliareynolds-nava Mar 6, 2026
924316c
Standardize root.tofu.tf for workspaces, ephemera
mjburling Mar 6, 2026
1b1a690
Update bene_prefs arns
mjburling Mar 6, 2026
7544981
Tidy lambda definition
mjburling Mar 6, 2026
c804963
Tidy security group
mjburling Mar 6, 2026
77aa8ac
Add queue
mjburling Mar 6, 2026
eec6183
Add db lookup
mjburling Mar 6, 2026
2293ee7
Add triggering mechanism
mjburling Mar 6, 2026
bc7538f
Tidy locals
mjburling Mar 6, 2026
0e42425
Replace inline policies with managed policies
juliareynolds-nava Mar 6, 2026
a6a7be3
Merge branch 'main' into bcda-9874
juliareynolds-nava Mar 6, 2026
4306e92
Update config to standard form
mjburling Mar 6, 2026
e2ce961
Convert assume bucket role policy to policy doc
mjburling Mar 6, 2026
76661ec
Convert default_function policy to policy doc
mjburling Mar 6, 2026
ceacb9f
Conver managed_policy_arns to policy attachments
mjburling Mar 6, 2026
36de626
Remove TODO
mjburling Mar 6, 2026
99900ab
Use service_prefix in name_prefix
mjburling Mar 6, 2026
b8979a6
Add initial README for bene-prefs
mjburling Mar 6, 2026
93cd52e
Ensure parent_env is described
mjburling Mar 6, 2026
4f1589b
Introduce terraservice README
mjburling Mar 6, 2026
9a3a808
append lambda to bucket name pr feedback.
juliareynolds-nava Mar 10, 2026
b859618
removed ec2 permissions per PR feedback
juliareynolds-nava Mar 10, 2026
680b9b8
removed fixme annotation.
juliareynolds-nava Mar 10, 2026
1 change: 1 addition & 0 deletions ops/services/10-config/values/prod.sopsw.yaml
Expand Up @@ -202,6 +202,7 @@
/bcda/${env}/sensitive/worker/BB_CLIENT_CERT.pem: ENC[AES256_GCM,data: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,iv:yMdChzg2fjmCbjmchIuuSvoz+/6+FQILgqRhNs+2N2g=,tag:o8XGfQaH0jsabSkDO8q9NA==,type:str]
/bcda/${env}/sensitive/worker/BB_CLIENT_KEY.pem: ENC[AES256_GCM,data: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,iv:UBLyIpokk1J1orOziKIMepzkV5sbFem4U1Bwzan8EKo=,tag:h1232aCofGKIEVwJlQV9wg==,type:str]
/bcda/${env}/sensitive/worker/config.yml: ENC[AES256_GCM,data:ykBTV0zHAOZ6tUt8joi45cTTzS0HH7stcT0beQBPrGNNjdz/xYDjCfePeAXuYV40e+dQUXOuJZKsABw/yBFfJ3bFZrT5q+KhMgAtMUbz8r/vGEFRMCNEf4QOdA5ZqZRH7LRK038dmtYyNdyNxWbUT4acroWPGPqkpfu2XiApHNcLgLKW68voShiJxXhWUWLI+tUQu42nRtwvW9KUd/ylvo1ekdO5fnwlNvXQkvYz76yxfqam9axGShu/EdwVk1OEP/EYNz4MzlTQZUEb8t1t/FeV8IVQfeAytrmyVlkK29subbAWIoUFFkQ1I7bc9ZvIQ8Qj3C+25GiF6Ce8NaLOYFEasQmjVOGUxpXuWv7TM+ItzCouuJQjNqtwKnsNDNJKP7vwrQykFxSGxVmH6cex5xeNSBEJ+UvMclgPsu9N1rAK4X9XRr/iEYMa/ddpFl6AnqYfcGbkdh3TAmErnDsC2AFz3wYYqDCfZvIyqj9DzX7ZYGaDjA2wfJT1azsPPavBr2yUOs0dotOtdgo5aBgIzNsd/z18T0mYiSvBo/J66khL/f7m95J8ww0dfSkZXuyVkibao1sqT5GVubPyQ2XazocxjJyc/yChC7N3punnE0d1zL18KbextG/JJsW3xppKJRYbrSl6EbbqVt7UWvFWjvO/TWR5doKdoaKrInrzlvNeYBnGfEs9rfHWcGHQ2RGVHOMXGkJ4OJXfPu8+5SCcZYNtKBYb3V1tTX15S6RYPhzsQ3QFtw+lj7w6eL5HreryCGQXsLbhXXs9WlFCwL7KIgUBHEqAdcFB4+AV+26wVq6DWwg3xX+DDhf5fzr5MHuXfxpAwKh0jHTwtoIKLxQTFErXOpDkWOwmBs+tXMJsM1Hufon6QTPWzi2qfvBtnaTSnlUBKhcLopzxEAwBEvD9KcyKs/SRmdQSXXzsAzdvuz2zKtQURY0cJT9UlkqLDQRMEn0M+VwUX3BPiuv8hCl1uHgzCuyRhhlYiq2dqdepMlRX8wE/VU1ogSM8/sLPMqH6+Ujk/lGGgOHMCoe1GCINryTYSlcB0GwrtCXOKuWopA/gM8q+OU5w4ejZw6cfq838fUT9LF4ZZ9VgVxjKCukqKdyNKYuJOaE59Ae8BlkaXsr5+xtBMf19x0M7RAJ+9Eqb9dT6avRVDMDVli3N7Z1srrIzX3FUPVlt2A/BBUbPAzDwWkoSRMN5yvWpX0S1clvKOrwJFVdEOCidVFMjoG7kKHERLtDz1jzSWzZbLMsj2VfYlJEcAVrLfcVTr2dRJtu2zA9VsXXITxbk1oIQZsgJqwSFqIxZp1p7F5bJs/Bp/Bv/B4Le3qhnyqROSPB66alONF9kYqjcl0Qk0ifGfHqmyokm+s7uoXKGgsVIrpjGXiKUsLMj8+JpmvF1VzXP2NQoX1k7MtGv/V1Eeqd1w7NzMAY1gQnMTS9l5hXSbGjHHWVCOm99lk4uNN6H5KwsvUikBBQidXZsVRlr8ZCyofmvP3Ls0TF/kcGcWEusq0a5SvlHzRCJUTO2JaxiXUC1D5H2PnOgQa0d9AXkxowJcnX8+2ZVZ/F3EOLTPz06fybO3leXKzMEAHtBNqKDC5h0qsYDTZqvB1E+mlsTDjjKuQGGF0oEJ+AN+EyEiVWInGeGkNEIpBU1lMAiuh6rU+cXlTsE+PKuHbFjjNXBnHjlXgBk2HY4pXXWykcD4AB1rGCSJDNsMTrNzBTILgYqx4CUkuSZU9OsV4YBGKtwrAEQUtboObq6GJC9I1vU/SqN6JiJ73C6c1wufzA7x9QIXflnZF8d0ib7a+rW/0kI8Vn3crfxXggVVPsw5lK3C36INDTIYivYkQieh+WyEyl/JGeWfsqiZC9ohI5cX5F7s0u2AsyMJTKC8NCHB8edhwvxQ7ssGkWPLl31QrS6OHlVU4Kcj8hWLGKTRmlPi4c6OBxbcP
ZZcANmD8OgtJTtPRbDqjcZhSA0wpIT4AUzmiM9OXpyELUrhhCFSqiebPrD2+7KSiSrW3Acbugy8sv33sTH1Weousav65g1iMKH3ctVzYxVzPLjtDMntM9y2W7devysSlm0YLoc/cUE2Jys9Nwwk9xmVo5CwogbM9IJRf36teONCxUaSMuGo8ViSp+ca4MmnJAcnJNyjwhwEUvXJbaihHCwfcRimoncqwBQAU2DxMex0eQUwHE4IW0KrvHNFyvpFeXmJGFnVi8c41ByhVO0XbHIPRHi5vvkYcJIMraICWFz452uemv8s3nhibvjfU39IkcBvamR6xpTFyvpusj1isqlv65fdr6LfiM65Z+CNnM8QvEo0QbwKm0Y6/dzQIjD+J8/Hs9EM/poxEjqg6pqswQqWxf1UbbM3YgsiXNLpyqVG3pE+sNAwaYzB5FdQBOZsMoqtvjU7VWgTcTK9YIDUURfpQ7L9ik3cM24rFQd9Utr3Mnhqc+c7GLPgcbYEnDTWhx8d3lw1WYKoqVJqa/7EaAQzuGfvLd28R1fsZpr9j1MKtZWzc/rRkBWyB95xQyZEfteFQLFJbc8073dgHtEc3/sLYwa1rL7CDk8uznlKdlFQ3p3iRdtZ2bj+54WxK3vwkglRnkM+RHfNp0XDvXYh9vCyBsBDjPoRWgHs2p37W08Iud/mpma4mOXkSnE/FmV1iHRx4EZiU1eIbR1BF+a6kgjDDK0C3+lqW+N2LjmdvK2onC6sHBQPN8hSkPyZXiQSvpL4JtfHpN+QFhmrIkif7ffuZAo+8mvnvP6/eMjincWTZ5am3YSlRnRvdFy0cNVQIgcMbpgA70d20VWKfpLT0IBkRCcX30Cn4pNZZRdI2xoEARamLl7CYxxywFuIeyPG4j9vkiJ9QcqnpuPg0k9++iCjT6PeSVJG2naILxKh5j8n1TD+MJ3RgvFHoOh5UlwGAJUeKoZAQJMoGO9H0aHE/ef3kxjUIkphkpGqbkPvWDO6ajwm/dGqTc=,iv:J/1ZH/uHwqaQJZY5GBaAtOJ90chS+IaoMEl203kzEAE=,tag:yBlnx3KxItJcRSvEoM/K5w==,type:str]
/bcda/${env}/bene_prefs/sensitive/iam_bucket_role_arn: ENC[AES256_GCM,data:gEfFqkTZ3pgeDYx9qq2dLE5v63SKIcUHLojNWMdGRw4WV6bi9kWI0da9DuDW/iL/Dm4yVPpjyq8kg8QP8kcx+uIXVCpJCOylCZMl0MIdfWpxaiNRKvEqdA==,iv:FEjl8+Hyqftilk3jbY0qAXicUaFcJxKDpQ6RBfCJRqU=,tag:/k8ImBW70WfkwjJ2cckWfg==,type:str]
sops:
kms:
- arn: arn:aws:kms:us-east-1:${ACCOUNT_ID}:alias/bcda-prod
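--- a/ops/services/20-bene-prefs/main.tf
+++ b/ops/services/20-bene-prefs/main.tf
@@ -0,0 +1,233 @@
+locals {
+service = "bene-prefs"
+
+account_id = module.platform.aws_caller_identity.account_id
+kms_key_arn_primary = module.platform.kms_alias_primary.target_key_arn
+kms_key_arn_secondary = module.platform.kms_alias_secondary.target_key_arn
+name_prefix = "${local.app}-${local.env}-${local.service}"
+private_subnets = nonsensitive(toset(keys(module.platform.private_subnets)))
+vpc_id = module.platform.vpc_id
+}
+
+module "platform" {
+source = "github.com/CMSgov/cdap//terraform/modules/platform?ref=ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66"
+
+providers = { aws = aws, aws.secondary = aws.secondary }
+
+app = local.app
+env = local.env
+root_module = "https://github.com/CMSgov/bcda-app/tree/main/ops/services/10-config"
+service = local.service
+ssm_root_map = {
+bene_prefs = "/bcda/${local.env}/bene_prefs/"
+}
+}
+
+data "aws_rds_cluster" "this" {
+cluster_identifier = "${local.app}-${local.env}-aurora"
+}
+
+resource "aws_iam_role" "this" {
+assume_role_policy = jsonencode(
+{
+Statement = [
+{
+Action = "sts:AssumeRole"
+Effect = "Allow"
+Principal = {
+Service = "lambda.amazonaws.com"
+}
+},
+{
+Action = [
+"sts:TagSession",
+"sts:AssumeRoleWithWebIdentity",
+]
+Condition = {
+StringEquals = {
+"token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+}
+StringLike = {
+"token.actions.githubusercontent.com:sub" = "repo:CMSgov/bcda-app:*"
+}
+}
+Effect = "Allow"
+Principal = {
+Federated = "arn:aws:iam::${local.account_id}:oidc-provider/token.actions.githubusercontent.com"
+}
+},
+{
+Action = [
+"sts:TagSession",
+"sts:AssumeRole",
+]
+Effect = "Allow"
+Principal = {
+AWS = [
+module.platform.kion_roles["ct-ado-dasg-application-admin"].arn,
+module.platform.kion_roles["ct-ado-bcda-application-admin"].arn
+]
+}
+},
+]
+Version = "2012-10-17"
+}
+)
+force_detach_policies = true
+managed_policy_arns = [] #FIXME: populate with standalone policies that were once in-line
+name = "bcda-${local.env}-${local.service}"
+path = module.platform.iam_defaults.path
+permissions_boundary = module.platform.iam_defaults.boundary
+
+#FIXME: convert into policy
+inline_policy {
+name = "assume-bucket-role"
+policy = jsonencode(
+{
+Statement = [
+{
+Action = "sts:AssumeRole"
+Effect = "Allow"
+Resource = module.platform.ssm.bene_prefs.iam_bucket_role_arn.value
+},
+]
+Version = "2012-10-17"
+}
+)
+}
+#FIXME: convert into appropriately scoped policy
+inline_policy {
+name = "default-function"
+policy = jsonencode(
+{
+Statement = [
+{
+Action = [
+"ssm:GetParameters",
+"ssm:GetParameter",
+"sqs:ReceiveMessage",
+"sqs:GetQueueAttributes",
+"sqs:DeleteMessage",
+"logs:PutLogEvents",
+"logs:CreateLogStream",
+"logs:CreateLogGroup",
+"ec2:DescribeNetworkInterfaces",
+"ec2:DescribeAccountAttributes",
+"ec2:DeleteNetworkInterface",
+"ec2:CreateNetworkInterface",
+]
+Effect = "Allow"
+Resource = "*"
+},
+{
+Action = [
+"kms:GenerateDataKey",
+"kms:Encrypt",
+"kms:Decrypt",
+]
+Effect = "Allow"
+Resource = [
+local.kms_key_arn_primary,
+local.kms_key_arn_secondary
+]
+},
+]
+Version = "2012-10-17"
+}
+)
+}
+}
+
+module "bucket" {
+source = "github.com/CMSgov/cdap//terraform/modules/bucket?ref=787224b"
+
+app = local.app
+env = local.env
+name = "${local.app}-${local.env}-${local.service}"
+ssm_parameter = "/${local.app}/${local.env}/${local.service}/nonsensitive/bucket_name"
+}
+
+
+
+resource "aws_lambda_function" "this" {
+s3_key = "function-6f861e8517dd1cce3731b9a4864d1182f405875e.zip"
+s3_bucket = module.bucket.id
+package_type = "Zip"
+handler = "bootstrap"
+
+function_name = local.name_prefix
+description = "Ingests the most recent beneficiary opt-out list from BFD" #FIXME
+kms_key_arn = local.kms_key_arn_primary
+memory_size = 128
+reserved_concurrent_executions = 1
+role = aws_iam_role.this.arn
+runtime = "provided.al2"
+skip_destroy = false
+timeout = 900
+architectures = [
+"arm64",
+]
+
+tags = {
+code = "https://github.com/CMSgov/cdap/tree/main/terraform/services/opt-out-import" #FIXME
+}
+
+lifecycle {
+# As of this writing, delivery of the opt-out function is separate from deployment of this module.
+# As such, we must ignore the specific s3_key and s3_object_version configuration.
+ignore_changes = [
+s3_object_version,
+s3_key
+]
+}
+
+environment {
+variables = {
+APP_NAME = local.name_prefix
+DB_HOST = "postgres://${data.aws_rds_cluster.this.endpoint}:${data.aws_rds_cluster.this.port}/bcda"
+ENV = local.env
+}
+}
+
+ephemeral_storage {
+size = 512
+}
+
+logging_config {
+log_format = "Text"
+log_group = "/aws/lambda/bcda-${local.env}-${local.service}"
+}
+
+tracing_config {
+mode = "Active"
+}
+
+vpc_config {
+ipv6_allowed_for_dual_stack = false
+security_group_ids = [aws_security_group.this.id]
+subnet_ids = local.private_subnets
+}
+}
+
+resource "aws_security_group" "this" { #FIXME TODO: Replace with e.g. module.platform.security_groups.egress_only PLT-ASK JULIA
+description = "Temporary SG for ${local.name_prefix}"
+egress = [
+{
+cidr_blocks = [
+"0.0.0.0/0",
+]
+description = ""
+from_port = 0
+ipv6_cidr_blocks = [
+"::/0",
+]
+prefix_list_ids = []
+protocol = "-1"
+security_groups = []
+self = false
+to_port = 0
+},
+]
+name = local.name_prefix
+tags = { name = local.name_prefix }
+}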
1 change: 1 addition & 0 deletions ops/services/20-bene-prefs/tofu.tf