feat(athena): FDOS-614 Add Athena stack with DynamoDB and RDS connectors (#833)

* feat(athena): FDOS-614 Add Athena stack with DynamoDB and RDS connectors

* feat(athena): FDOS-614 Add serverlessrepo permissions for SAR deployments

* feat(athena): FDOS-614 Update IAM policy for enhanced permissions and resource specificity

* feat(athena): FDOS-614 Add KMS encryption for Athena resources and update IAM policies

Author: mmg-nhse

.github/actions/derive-workspace/action.yaml

@@ -12,19 +12,25 @@ runs:
     - name: "Derive workspace"
       id: "derive-workspace"
       shell: bash
+      env:
+        GITHUB_REF_TYPE: ${{ github.ref_type }}
+        GITHUB_REF_NAME: ${{ github.ref_name }}
+        GITHUB_EVENT_NAME: ${{ github.event_name }}
+        GITHUB_HEAD_REF: ${{ github.head_ref }}
+        GITHUB_EVENT_REF: ${{ github.event.ref }}
       run: |
         # Determine if we're on a tag
         if git describe --exact-match --tags HEAD 2>/dev/null; then
           export TRIGGER=tag
           export TRIGGER_REFERENCE=$(git describe --exact-match --tags HEAD)
         else
-          export TRIGGER=${{ github.ref_type }}
-          export TRIGGER_REFERENCE=${{ github.ref_name }}
+          export TRIGGER="$GITHUB_REF_TYPE"
+          export TRIGGER_REFERENCE="$GITHUB_REF_NAME"
         fi
 
-        export TRIGGER_ACTION=${{ github.event_name }}
-        export TRIGGER_HEAD_REFERENCE=${{ github.head_ref }}
-        export TRIGGER_EVENT_REF=${{ github.event.ref}}
+        export TRIGGER_ACTION="$GITHUB_EVENT_NAME"
+        export TRIGGER_HEAD_REFERENCE="$GITHUB_HEAD_REF"
+        export TRIGGER_EVENT_REF="$GITHUB_EVENT_REF"
         export COMMIT_HASH=$(git rev-parse --short $GITHUB_SHA)
         . scripts/workflow/derive-workspace.sh
         echo "Workspace Name: ${WORKSPACE}"

.github/workflows/infrastructure-cleardown.yaml

@@ -72,7 +72,7 @@ jobs:
       release_tag: ${{ inputs.release_tag }}
       download_appconfig_artifact: true
       appconfig_artifact_name: "appconfig_feature_flags"
-      stacks: "['database', 'crud_apis', 'data_migration', 'read_only_viewer', 'opensearch', 'etl_ods', 'dos_search', 'is_performance', 'ui']"
+      stacks: "['database', 'crud_apis', 'data_migration', 'read_only_viewer', 'opensearch', 'etl_ods', 'dos_search', 'is_performance', 'ui', 'athena']"
     secrets:
       ACCOUNT_ID: ${{ secrets.ACCOUNT_ID }}
       MGMT_ACCOUNT_ID: ${{ secrets.MGMT_ACCOUNT_ID }}

.github/workflows/pipeline-build-release.yaml

@@ -149,7 +149,7 @@ jobs:
       - deploy-toggle-infrastructure
     uses: ./.github/workflows/deploy-application-infrastructure.yaml
     with:
-      stacks: "['database', 'crud_apis', 'data_migration', 'read_only_viewer', 'opensearch', 'etl_ods', 'dos_search', 'is_performance', 'ui']"
+      stacks: "['database', 'crud_apis', 'data_migration', 'read_only_viewer', 'opensearch', 'etl_ods', 'dos_search', 'is_performance', 'ui', 'athena']"
       environment: ${{ needs.metadata.outputs.environment }}
       workspace: "rc"
       release_tag: ${{ needs.tag-release.outputs.release_tag }}

.github/workflows/pipeline-deploy-application.yaml

@@ -48,7 +48,7 @@ jobs:
     with:
       environment: ${{ needs.metadata.outputs.environment }}
       workspace: ${{ needs.metadata.outputs.workspace }}
-      stacks: "['database', 'crud_apis', 'data_migration', 'read_only_viewer', 'opensearch', 'etl_ods', 'dos_search', 'is_performance', 'ui']"
+      stacks: "['database', 'crud_apis', 'data_migration', 'read_only_viewer', 'opensearch', 'etl_ods', 'dos_search', 'is_performance', 'ui', 'athena']"
       type: app
       build_timestamp: ${{ needs.metadata.outputs.build_timestamp }}
       skip_dirs: "services/dos-ui,services/read-only-viewer"
@@ -191,7 +191,7 @@ jobs:
       workspace: ${{ needs.metadata.outputs.workspace }}
       ref: ${{ inputs.ref }}
       workflow_timeout: 30
-      stacks: "['database', 'crud_apis', 'data_migration', 'read_only_viewer', 'opensearch', 'etl_ods', 'dos_search', 'is_performance', 'ui']"
+      stacks: "['database', 'crud_apis', 'data_migration', 'read_only_viewer', 'opensearch', 'etl_ods', 'dos_search', 'is_performance', 'ui', 'athena']"
     secrets:
       ACCOUNT_ID: ${{ secrets.ACCOUNT_ID }}
       MGMT_ACCOUNT_ID: ${{ secrets.MGMT_ACCOUNT_ID }}

.github/workflows/pipeline-deploy-release.yaml

@@ -29,8 +29,9 @@ jobs:
     steps:
       - name: "Validate release tag"
         id: validate
+        env:
+          RELEASE_TAG: ${{ inputs.release_tag }}
         run: |
-          RELEASE_TAG="${{ inputs.release_tag }}"
           if [[ ! $RELEASE_TAG =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
             echo "Invalid release tag format: $RELEASE_TAG"
             exit 1

infrastructure/common/common-variables.tf

@@ -196,3 +196,9 @@ variable "read_only_viewer_stack_enabled" {
   type        = bool
   default     = true
 }
+
+variable "athena_stack_enabled" {
+  description = "Enable or disable the Amazon athena stack"
+  type        = bool
+  default     = true
+}

infrastructure/common/locals.tf

@@ -54,6 +54,7 @@ locals {
     s3              = "alias/${local.project_prefix}-s3-kms"
     rds             = "alias/${local.project_prefix}-rds-kms"
     opensearch      = "alias/${local.project_prefix}-opensearch-kms"
+    athena          = "alias/${local.project_prefix}-athena-kms"
     firehose        = "alias/${local.project_prefix}-firehose-kms"
   }
 

infrastructure/stacks/account_policies/policies/rw_compute.json

@@ -5,10 +5,12 @@
             "Sid": "ComputeFullAccess",
             "Action": [
                 "ec2:*",
+                "ecr:*",
                 "elasticloadbalancing:*",
                 "autoscaling:*",
                 "kms:ListAliases",
                 "lambda:*",
+                "serverlessrepo:*",
                 "states:DescribeStateMachine",
                 "states:ListStateMachines",
                 "tag:GetResources",
@@ -45,4 +47,4 @@
             }
         }
     ]
-}
+}

infrastructure/stacks/account_wide/kms.tf

@@ -138,6 +138,14 @@ module "s3_encryption_key" {
   ]
 }
 
+module "athena_encryption_key" {
+  source           = "../../modules/kms"
+  alias_name       = local.kms_aliases.athena
+  account_id       = data.aws_caller_identity.current.account_id
+  aws_service_name = "athena.amazonaws.com"
+  description      = "Encryption key for Athena workgroups in ${var.environment} environment"
+}
+
 module "firehose_encryption_key" {
   source           = "../../modules/kms"
   alias_name       = local.kms_aliases.firehose

infrastructure/stacks/athena/athena.tf

@@ -0,0 +1,108 @@
+resource "aws_glue_catalog_database" "athena_glue_catalog_database" {
+  count = local.stack_enabled == 1 && local.is_primary_environment ? 1 : 0
+
+  name = "${local.resource_prefix}-glue-db"
+}
+
+resource "aws_athena_workgroup" "athena_workgroup" {
+  count = local.stack_enabled == 1 && local.is_primary_environment ? 1 : 0
+
+  name = "${local.resource_prefix}-workgroup"
+  configuration {
+    result_configuration {
+      output_location = "s3://${module.athena_output_bucket[0].s3_bucket_id}/results/"
+      encryption_configuration {
+        encryption_option = "SSE_KMS"
+        kms_key_arn       = data.aws_kms_key.athena_kms_key[0].arn
+      }
+    }
+  }
+}
+
+# Athena Federated Query (DynamoDB Connector)
+# Use this approach if you require real-time querying of DynamoDB tables via Athena.
+
+resource "aws_serverlessapplicationrepository_cloudformation_stack" "dynamodb_connector" {
+  count = local.stack_enabled == 1 && local.is_primary_environment ? 1 : 0
+
+  name           = "${local.resource_prefix}-dynamodb-connector"
+  application_id = var.athena_dynamodb_connector_app_id
+
+  capabilities = [
+    "CAPABILITY_IAM",
+    "CAPABILITY_RESOURCE_POLICY",
+  ]
+
+  parameters = {
+    AthenaCatalogName = "${local.resource_prefix}-dynamodb-connector"
+    SpillBucket       = module.athena_spill_bucket[0].s3_bucket_id
+    LambdaRole        = aws_iam_role.athena_dynamodb_role[0].arn
+  }
+
+  depends_on = [
+    module.athena_spill_bucket,
+    aws_iam_role.athena_dynamodb_role,
+    aws_iam_role_policy.athena_dynamodb_policy
+  ]
+}
+
+resource "aws_athena_data_catalog" "athena_data_catalog_dynamodb" {
+  count = local.stack_enabled == 1 && local.is_primary_environment ? 1 : 0
+
+  name        = "${local.resource_prefix}-dynamodb-connector"
+  description = "Athena DynamoDB data catalog"
+  type        = "LAMBDA"
+
+  parameters = {
+    "function" = data.aws_lambda_function.dynamodb_lambda_connector[0].arn
+  }
+
+  depends_on = [
+    aws_serverlessapplicationrepository_cloudformation_stack.dynamodb_connector
+  ]
+}
+
+# Athena Federated Query (RDS Connector)
+# Use this approach if you require real-time querying of RDS databases via Athena.
+
+resource "aws_serverlessapplicationrepository_cloudformation_stack" "rds_connector" {
+  count = local.stack_enabled == 1 && local.is_primary_environment ? 1 : 0
+
+  name           = "${local.resource_prefix}-rds-connector"
+  application_id = var.athena_postgres_connector_app_id
+
+  capabilities = [
+    "CAPABILITY_IAM",
+    "CAPABILITY_AUTO_EXPAND",
+    "CAPABILITY_RESOURCE_POLICY",
+  ]
+
+  parameters = {
+    SpillBucket             = module.athena_spill_bucket[0].s3_bucket_id
+    DefaultConnectionString = "postgres://jdbc:postgresql://${local.rds_secret.host}:${local.rds_secret.port}/${local.rds_secret.dbname}"
+    SecretNamePrefix        = "/${var.project}/${var.environment}/target-rds"
+    LambdaFunctionName      = "${local.resource_prefix}-rds-connector"
+    SecurityGroupIds        = aws_security_group.rds_connector_sg[0].id
+    SubnetIds               = join(",", data.aws_subnets.private_subnets.ids)
+  }
+
+  depends_on = [
+    module.athena_spill_bucket
+  ]
+}
+
+resource "aws_athena_data_catalog" "athena_data_catalog_rds" {
+  count = local.stack_enabled == 1 && local.is_primary_environment ? 1 : 0
+
+  name        = "${local.resource_prefix}-rds-connector"
+  description = "Athena RDS data catalog"
+  type        = "LAMBDA"
+
+  parameters = {
+    "function" = data.aws_lambda_function.rds_lambda_connector[0].arn
+  }
+
+  depends_on = [
+    aws_serverlessapplicationrepository_cloudformation_stack.rds_connector
+  ]
+}