Merge branch 'main' into task/FTRS-3181-use-eventbridge-cmk

Author: AITR1

.github/workflows/pipeline-deploy-architecture-pages.yaml

@@ -20,10 +20,7 @@ on:
   workflow_dispatch:
 
 # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
-  contents: read
-  pages: write
-  id-token: write
+permissions: {}
 
 # secrets: inherit
 
@@ -37,6 +34,9 @@ jobs:
   # Build job
   build-pages:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pages: write
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
@@ -67,6 +67,9 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
     needs: build-pages
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     steps:

.github/workflows/pipeline-deploy-docs-pages.yaml

@@ -13,9 +13,7 @@ on:
 
   workflow_call:
 
-permissions:
-  contents: read
-  pages: write
+permissions: {}
 
 concurrency:
   group: "docs-pages"
@@ -24,6 +22,8 @@ concurrency:
 jobs:
   check-docs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6

.github/workflows/pipeline-truncate-workflow-history.yaml

@@ -1,9 +1,6 @@
 name: Truncate Workflow History Pipeline
 
-permissions:
-  actions: write
-  id-token: write
-  contents: read
+permissions: {}
 on:
   # Run daily, at 01:00.
   schedule:
@@ -14,6 +11,8 @@ jobs:
     name: "Truncate github workflow run history"
     timeout-minutes: 15
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - name: "Delete workflow runs"
         uses: Mattraks/delete-workflow-runs@v2

.github/workflows/quality-checks.yaml

@@ -1,8 +1,6 @@
 name: Code Quality Checks Workflow
 
-permissions:
-  id-token: write
-  contents: read
+permissions: {}
 on:
   workflow_call:
     inputs:
@@ -81,6 +79,8 @@ jobs:
     name: "Scan secrets"
     runs-on: ubuntu-latest
     timeout-minutes: 2
+    permissions:
+      contents: read
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
@@ -94,6 +94,8 @@ jobs:
     name: "Check file format"
     runs-on: ubuntu-latest
     timeout-minutes: 2
+    permissions:
+      contents: read
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
@@ -107,6 +109,8 @@ jobs:
     name: "Check Markdown format"
     runs-on: ubuntu-latest
     timeout-minutes: 2
+    permissions:
+      contents: read
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
@@ -120,6 +124,8 @@ jobs:
     name: "Check English usage"
     runs-on: ubuntu-latest
     timeout-minutes: 2
+    permissions:
+      contents: read
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
@@ -132,7 +138,9 @@ jobs:
   count-lines-of-code:
     name: "Count lines of code"
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
+      id-token: write
     timeout-minutes: 2
     steps:
       - name: "Checkout code"
@@ -153,6 +161,9 @@ jobs:
     name: "Scan dependencies"
     runs-on: ubuntu-latest
     timeout-minutes: 2
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
@@ -174,6 +185,9 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: ${{ inputs.workflow_timeout }}
     environment: ${{ inputs.environment }}
+    permissions:
+      contents: read
+      id-token: write
     strategy:
       matrix:
         stack: ${{ fromJson(inputs.stacks) }}
@@ -208,6 +222,8 @@ jobs:
     name: "Check Terraform format"
     runs-on: ubuntu-latest
     timeout-minutes: ${{ inputs.workflow_timeout }}
+    permissions:
+      contents: read
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6
@@ -250,6 +266,8 @@ jobs:
     name: "Lint service automation tests"
     runs-on: ubuntu-latest
     timeout-minutes: 2
+    permissions:
+      contents: read
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v6

architecture/diagrams/likec4_parser.py

@@ -311,7 +311,7 @@ def _parse_views(self, content: str) -> None:
             title = title_match.group(1) if title_match else view_name
 
             # Extract description (may be multi-line)
-            desc_match = re.search(r'description\s+"([^"]+(?:\n[^"]+)*)"', view_content, re.DOTALL)
+            desc_match = re.search(r'description\s+"([^"]*)"', view_content, re.DOTALL)
             desc = desc_match.group(1) if desc_match else ""
 
             # Extract includes

infrastructure/environments/dev/account_wide.tfvars

@@ -12,6 +12,10 @@ vpc = {
   private_subnet_b = "10.170.132.0/24"
   private_subnet_c = "10.170.133.0/24"
 
+  private_subnet_d = "10.170.8.0/22"
+  private_subnet_e = "10.170.12.0/22"
+  private_subnet_f = "10.170.16.0/22"
+
   database_subnet_a = "10.170.201.0/24"
   database_subnet_b = "10.170.202.0/24"
   database_subnet_c = "10.170.203.0/24"

infrastructure/stacks/account_wide/data.tf

@@ -62,3 +62,7 @@ data "aws_iam_policy_document" "regional_waf_log_group_policy_document" {
     }
   }
 }
+
+data "aws_prefix_list" "s3" {
+  name = "com.amazonaws.${var.aws_region}.s3"
+}

infrastructure/stacks/account_wide/security_group.tf

@@ -96,6 +96,16 @@ resource "aws_vpc_security_group_egress_rule" "athena_rds_connector_allow_egress
   to_port                      = var.https_port
 }
 
+resource "aws_vpc_security_group_egress_rule" "athena_rds_connector_allow_s3_access" {
+  count             = var.athena_stack_enabled ? 1 : 0
+  security_group_id = aws_security_group.athena_rds_connector_sg[0].id
+  description       = "Athena Connector egress rule to allow S3 traffic"
+  prefix_list_id    = data.aws_prefix_list.s3.id
+  ip_protocol       = "tcp"
+  from_port         = var.https_port
+  to_port           = var.https_port
+}
+
 # Security group for interface VPC endpoints
 resource "aws_security_group" "vpce_interface_security_group" {
   name        = "${local.account_prefix}-vpce-interface-sg"

infrastructure/stacks/account_wide/vpc.tf

@@ -48,7 +48,7 @@ module "vpc" {
 locals {
 
   public_subnets   = [var.vpc["public_subnet_a"], var.vpc["public_subnet_b"], var.vpc["public_subnet_c"]]
-  private_subnets  = [var.vpc["private_subnet_a"], var.vpc["private_subnet_b"], var.vpc["private_subnet_c"]]
+  private_subnets  = var.environment == "dev" ? [var.vpc["private_subnet_a"], var.vpc["private_subnet_b"], var.vpc["private_subnet_c"], var.vpc["private_subnet_d"], var.vpc["private_subnet_e"], var.vpc["private_subnet_f"]] : [var.vpc["private_subnet_a"], var.vpc["private_subnet_b"], var.vpc["private_subnet_c"]]
   database_subnets = [var.vpc["database_subnet_a"], var.vpc["database_subnet_b"], var.vpc["database_subnet_c"]]
   vpn_subnets      = var.environment == "dev" ? [var.vpc["vpn_subnet"]] : []
 

services/data-migration/src/dms_provisioner/dms_service.py

@@ -126,8 +126,10 @@ def extract_indexes_from_sql_file(sql_file_path: Path = SCHEMA_FILE) -> List[str
 
     # Regex to match CREATE INDEX and CREATE UNIQUE INDEX statements
     # Matches multi-line statements ending with semicolon
+    # Bounded quantifier {1,4000} prevents quadratic backtracking on malformed input
+    # 4000 chars accommodates even extremely complex index definitions
     index_pattern = re.compile(
-        r"CREATE\s+(?:UNIQUE\s+)?INDEX\s+[^;]+;",
+        r"CREATE\s+(?:UNIQUE\s+)?INDEX\s+[^;]{1,4000};",
         re.IGNORECASE | re.MULTILINE | re.DOTALL,
     )