Merge branch 'main' into task/FTRS-3181-use-eventbridge-cmk

Author: AITR1

.github/workflows/pipeline-build-release.yaml

@@ -159,6 +159,31 @@ jobs:
       ACCOUNT_ID: ${{ secrets.ACCOUNT_ID }}
       MGMT_ACCOUNT_ID: ${{ secrets.MGMT_ACCOUNT_ID }}
 
+  deploy-proxy-to-apim:
+    name: "Deploy ${{ matrix.api_name }} API to Proxygen"
+    needs:
+      - metadata
+      - tag-release
+      - deploy-application-infrastructure
+    uses: ./.github/workflows/authenticate-and-deploy-to-apim.yaml
+    strategy:
+      fail-fast: false
+      matrix:
+        api_name:
+          - dos-search
+          - dos-ingest
+          # Add more API names here as needed
+    with:
+      environment: ${{ needs.metadata.outputs.environment }}
+      workspace: "rc"
+      api_name: ${{ matrix.api_name }}
+      apim_env: ${{ needs.metadata.outputs.environment == 'dev' && 'internal-dev' || needs.metadata.outputs.environment == 'test' && 'internal-qa' || needs.metadata.outputs.environment }}
+      ref: ${{ needs.tag-release.outputs.release_tag }}
+    secrets:
+      ACCOUNT_ID: ${{ secrets.ACCOUNT_ID }}
+      AWS_REGION: ${{ vars.AWS_REGION }}
+      PROXYGEN_URL: ${{ secrets.PROXYGEN_URL }}
+
   restore-dynamodb-from-s3:
     name: "Restore S3 data to DynamoDB tables for release candidate in the ${{ needs.metadata.outputs.environment }} environment"
     if: ${{ needs.metadata.outputs.environment && needs.metadata.outputs.environment != 'prod' }}
@@ -247,6 +272,7 @@ jobs:
       - metadata
       - tag-release
       - deploy-data-migration-service
+      - deploy-proxy-to-apim
     uses: ./.github/workflows/service-automation-test.yaml
     with:
       environment: ${{ needs.metadata.outputs.environment }}

.github/workflows/pipeline-deploy-account-infrastructure.yaml

@@ -23,7 +23,6 @@ on:
       - "infrastructure/modules/aws-backup-source/**"
       - "infrastructure/modules/s3/**"
       - "infrastructure/modules/shield/**"
-      - "infrastructure/stacks/slack_notifier/**"
   workflow_run:
     workflows: ["Pipeline Deploy Policies Infrastructure"]
     types:
@@ -148,6 +147,27 @@ jobs:
       workspace: "default"
       ref: ${{ inputs.ref }}
 
+  build-services:
+    name: "Build slack-notifier"
+    needs:
+      - metadata
+      - quality-checks
+      - check-stack-toggles
+    uses: ./.github/workflows/build-project.yaml
+    with:
+      name: "slack-notifier"
+      build_type: "service"
+      python_version: ${{ needs.metadata.outputs.python_version }}
+      commit_hash: ${{ needs.metadata.outputs.commit_hash }}
+      environment: ${{ needs.metadata.outputs.mgmt_environment }}
+      repo_name: ${{ needs.metadata.outputs.reponame }}
+      workspace: "default"
+      type: account
+      ref: ${{ inputs.ref }}
+      build_enabled: ${{ needs.check-stack-toggles.outputs.slack_notifier_enabled == 'true' }}
+    secrets:
+      ACCOUNT_ID: ${{ secrets.ACCOUNT_ID }}
+
   plan-infrastructure:
     name: "Plan ${{ matrix.name }} infrastructure deployment for ${{ matrix.environment }}"
     concurrency:
@@ -157,6 +177,7 @@ jobs:
       - metadata
       - quality-checks
       - check-stack-toggles
+      - build-services
     strategy:
       fail-fast: false
       matrix:

.github/workflows/pipeline-deploy-application.yaml

@@ -97,9 +97,6 @@ jobs:
           - name: "python"
             build_type: "package"
             build_enabled: true
-          - name: "slack-notifier"
-            build_type: "service"
-            build_enabled: ${{ needs.check-stack-toggles.outputs.slack_notifier_enabled == 'true' }}
           - name: "crud-apis"
             build_type: "service"
             build_enabled: true
@@ -197,7 +194,7 @@ jobs:
       workspace: ${{ needs.metadata.outputs.workspace }}
       ref: ${{ inputs.ref }}
       workflow_timeout: 30
-      stacks: "['slack_notifier', 'database', 'crud_apis', 'data_migration', 'read_only_viewer', 'opensearch', 'etl_ods', 'dos_search', 'is_performance', 'ui', 'athena']"
+      stacks: "['database', 'crud_apis', 'data_migration', 'read_only_viewer', 'opensearch', 'etl_ods', 'dos_search', 'is_performance', 'ui', 'athena']"
     secrets:
       ACCOUNT_ID: ${{ secrets.ACCOUNT_ID }}
       MGMT_ACCOUNT_ID: ${{ secrets.MGMT_ACCOUNT_ID }}

.github/workflows/pipeline-deploy-release.yaml

@@ -120,6 +120,29 @@ jobs:
       ACCOUNT_ID: ${{ secrets.ACCOUNT_ID }}
       MGMT_ACCOUNT_ID: ${{ secrets.MGMT_ACCOUNT_ID }}
 
+  deploy-proxy-to-apim:
+    name: "Deploy ${{ matrix.api_name }} API to Proxygen"
+    needs:
+      - deploy-application-infrastructure
+    uses: ./.github/workflows/authenticate-and-deploy-to-apim.yaml
+    strategy:
+      fail-fast: false
+      matrix:
+        api_name:
+          - dos-search
+          - dos-ingest
+          # Add more API names here as needed
+    with:
+      environment: ${{ inputs.environment }}
+      workspace: default
+      api_name: ${{ matrix.api_name }}
+      apim_env: ${{ inputs.environment == 'dev' && 'internal-dev' || inputs.environment == 'test' && 'internal-qa' || inputs.environment }}
+      ref: ${{ inputs.release_tag }}
+    secrets:
+      ACCOUNT_ID: ${{ secrets.ACCOUNT_ID }}
+      AWS_REGION: ${{ vars.AWS_REGION }}
+      PROXYGEN_URL: ${{ secrets.PROXYGEN_URL }}
+
   deploy-frontend-services:
     name: "Deploy ${{ matrix.name }} to ${{ inputs.environment }}"
     concurrency:
@@ -165,6 +188,7 @@ jobs:
             type: "bdd"
     needs:
       - deploy-application-infrastructure
+      - deploy-proxy-to-apim
     uses: ./.github/workflows/service-automation-test.yaml
     with:
       environment: ${{ inputs.environment }}

infrastructure/stacks/account_wide/kms.tf

@@ -282,24 +282,42 @@ module "scheduler_encryption_key" {
   description      = "Encryption key for EventBridge scheduler in ${var.environment} environment"
   additional_policy_statements = [
     {
-      "Sid" : "AllowEventBridgeSchedulerToUseKMS",
-      "Effect" : "Allow",
-      "Principal" : {
-        "Service" : "scheduler.amazonaws.com"
-      },
-      "Action" : [
+      Sid    = "AllowEventBridgeSchedulerToUseKMS"
+      Effect = "Allow"
+      Principal = {
+        Service = ["scheduler.amazonaws.com"]
+      }
+      Action = [
         "kms:CreateGrant",
         "kms:RetireGrant",
         "kms:Decrypt",
         "kms:GenerateDataKey*",
         "kms:DescribeKey"
-      ],
-      "Resource" : "*",
-      "Condition" : {
-        "StringEquals" : {
-          "aws:SourceAccount" : data.aws_caller_identity.current.account_id
+      ]
+      Resource = "*"
+      Condition = {
+        StringEquals = {
+          "aws:SourceAccount" = data.aws_caller_identity.current.account_id
         }
       }
+    },
+    {
+      Sid    = "AllowGitHubRunnerAccess"
+      Effect = "Allow"
+      Principal = {
+        AWS = [
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.account_prefix}-${var.app_github_runner_role_name}",
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.account_prefix}-${var.account_github_runner_role_name}"
+        ]
+      }
+      Action = [
+        "kms:Decrypt",
+        "kms:Encrypt",
+        "kms:GenerateDataKey*",
+        "kms:DescribeKey"
+      ]
+      Resource  = "*"
+      Condition = {}
     }
   ]
 }