feat(athena): FDOS-614 Add Athena stack with DynamoDB and RDS connectors

mmg-nhse · mmg-nhse · commit ca5d7241f79c · 2026-02-06T18:01:32.000Z
diff --git a/infrastructure/stacks/athena/athena_locals.tf b/infrastructure/stacks/athena/athena_locals.tf
@@ -1,3 +1,4 @@
 locals {
   stack_enabled = var.athena_stack_enabled ? 1 : 0
+  rds_secret    = local.stack_enabled == 1 && local.is_primary_environment ? jsondecode(data.aws_secretsmanager_secret_version.target_rds_credentials[0].secret_string) : null
 }
diff --git a/infrastructure/stacks/athena/data.tf b/infrastructure/stacks/athena/data.tf
@@ -34,3 +34,13 @@ data "aws_lambda_function" "rds_lambda_connector" {
 data "aws_security_group" "dms_replication_security_group" {
   name = "${local.project_prefix}-account-wide-etl-replication-sg"
 }
+
+data "aws_secretsmanager_secret" "target_rds_credentials" {
+  count = local.stack_enabled == 1 && local.is_primary_environment ? 1 : 0
+  name  = "/${var.project}/${var.environment}/${var.target_rds_credentials}"
+}
+
+data "aws_secretsmanager_secret_version" "target_rds_credentials" {
+  count     = local.stack_enabled == 1 && local.is_primary_environment ? 1 : 0
+  secret_id = data.aws_secretsmanager_secret.target_rds_credentials[0].id
+}
diff --git a/infrastructure/stacks/athena/security_group.tf b/infrastructure/stacks/athena/security_group.tf
@@ -18,6 +18,7 @@ resource "aws_vpc_security_group_egress_rule" "rds_connector_allow_egress_to_rds
   to_port                      = var.rds_port
 }
 
+# trivy:ignore:aws-vpc-no-public-egress-sgr : Justification: This security group is for the Athena RDS Connector Lambda, which requires egress access to the internet for S3 and Secrets Manager, as well as access to the RDS instance.
 resource "aws_vpc_security_group_egress_rule" "rds_connector_allow_egress_https" {
   count = local.stack_enabled == 1 && local.is_primary_environment ? 1 : 0
 
diff --git a/infrastructure/stacks/athena/variables.tf b/infrastructure/stacks/athena/variables.tf
@@ -21,3 +21,9 @@ variable "athena_dynamodb_connector_app_id" {
   type        = string
   default     = "arn:aws:serverlessrepo:us-east-1:292517598671:applications/AthenaDynamoDBConnector"
 }
+
+variable "target_rds_credentials" {
+  description = "The secrets manager name for the target RDS credentials"
+  type        = string
+  default     = "target-rds-credentials"
+}
diff --git a/infrastructure/stacks/data_migration/data.tf b/infrastructure/stacks/data_migration/data.tf
@@ -290,5 +290,5 @@ data "aws_security_group" "processor_lambda_security_group" {
 
 data "aws_security_group" "rds_connector_security_group" {
   count = var.athena_stack_enabled && local.is_primary_environment ? 1 : 0
-  name  = "${local.account_prefix}-rds-connector-sg"
+  name  = "${local.project_prefix}-athena-rds-connector-sg"
 }
diff --git a/infrastructure/stacks/data_migration/security_group.tf b/infrastructure/stacks/data_migration/security_group.tf
@@ -95,7 +95,7 @@ resource "aws_vpc_security_group_egress_rule" "rds_allow_egress_to_internet" {
 }
 
 resource "aws_vpc_security_group_ingress_rule" "rds_allow_ingress_from_athena_connector" {
-  count                        = var.athena_stack_enabled && local.is_primary_environment ? 1 : 0
+  count                        = (var.athena_stack_enabled && local.is_primary_environment) ? 1 : 0
   security_group_id            = try(aws_security_group.rds_security_group[0].id, data.aws_security_group.rds_security_group[0].id)
   referenced_security_group_id = data.aws_security_group.rds_connector_security_group[0].id
   description                  = "Allow incoming Postgres from Athena RDS Connector Lambda"

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
`1`	`1`	`locals {`
`2`	`2`	`stack_enabled = var.athena_stack_enabled ? 1 : 0`
	`3`	`+ rds_secret = local.stack_enabled == 1 && local.is_primary_environment ? jsondecode(data.aws_secretsmanager_secret_version.target_rds_credentials[0].secret_string) : null`
`3`	`4`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ resource "aws_vpc_security_group_egress_rule" "rds_connector_allow_egress_to_rds`
`18`	`18`	`to_port = var.rds_port`
`19`	`19`	`}`
`20`	`20`
	`21`	`+# trivy:ignore:aws-vpc-no-public-egress-sgr : Justification: This security group is for the Athena RDS Connector Lambda, which requires egress access to the internet for S3 and Secrets Manager, as well as access to the RDS instance.`
`21`	`22`	`resource "aws_vpc_security_group_egress_rule" "rds_connector_allow_egress_https" {`
`22`	`23`	`count = local.stack_enabled == 1 && local.is_primary_environment ? 1 : 0`
`23`	`24`
Original file line number	Diff line number	Diff line change
`@@ -290,5 +290,5 @@ data "aws_security_group" "processor_lambda_security_group" {`
`290`	`290`
`291`	`291`	`data "aws_security_group" "rds_connector_security_group" {`
`292`	`292`	`count = var.athena_stack_enabled && local.is_primary_environment ? 1 : 0`
`293`		`- name = "${local.account_prefix}-rds-connector-sg"`
	`293`	`+ name = "${local.project_prefix}-athena-rds-connector-sg"`
`294`	`294`	`}`
Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@ resource "aws_vpc_security_group_egress_rule" "rds_allow_egress_to_internet" {`
`95`	`95`	`}`
`96`	`96`
`97`	`97`	`resource "aws_vpc_security_group_ingress_rule" "rds_allow_ingress_from_athena_connector" {`
`98`		`- count = var.athena_stack_enabled && local.is_primary_environment ? 1 : 0`
	`98`	`+ count = (var.athena_stack_enabled && local.is_primary_environment) ? 1 : 0`
`99`	`99`	`security_group_id = try(aws_security_group.rds_security_group[0].id, data.aws_security_group.rds_security_group[0].id)`
`100`	`100`	`referenced_security_group_id = data.aws_security_group.rds_connector_security_group[0].id`
`101`	`101`	`description = "Allow incoming Postgres from Athena RDS Connector Lambda"`