chore: FDOS-614 Merge remote-tracking branch main (#848)

Author: mmg-nhse

infrastructure/stacks/account_wide/kms.tf

@@ -45,6 +45,25 @@ module "secrets_manager_encryption_key" {
         "kms:DescribeKey"
       ]
       Resource = "*"
+    },
+    {
+      Sid    = "AllowAthenaConnectorSecretsAccess"
+      Effect = "Allow"
+      Principal = {
+        AWS = "*"
+      }
+      Action = [
+        "kms:Decrypt",
+        "kms:DescribeKey"
+      ]
+      Resource = "*"
+      Condition = {
+        ArnLike = {
+          "aws:PrincipalArn" = [
+            "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/serverlessrepo-${local.project_prefix}-*"
+          ]
+        }
+      }
     }
   ]
 }

infrastructure/stacks/athena/athena.tf

@@ -79,8 +79,8 @@ resource "aws_serverlessapplicationrepository_cloudformation_stack" "rds_connect
 
   parameters = {
     SpillBucket             = module.athena_spill_bucket[0].s3_bucket_id
-    DefaultConnectionString = "postgres://jdbc:postgresql://${local.rds_secret.host}:${local.rds_secret.port}/${local.rds_secret.dbname}"
-    SecretNamePrefix        = "/${var.project}/${var.environment}/target-rds"
+    DefaultConnectionString = "postgres://jdbc:postgresql://${local.rds_secret.host}:${local.rds_secret.port}/${local.rds_secret.dbname}?$${${data.aws_secretsmanager_secret.target_rds_credentials[0].name}}"
+    SecretNamePrefix        = "/${var.project}/${var.environment}/${var.target_rds_credentials}"
     LambdaFunctionName      = "${local.resource_prefix}-rds-connector"
     SecurityGroupIds        = aws_security_group.rds_connector_sg[0].id
     SubnetIds               = join(",", data.aws_subnets.private_subnets.ids)

infrastructure/stacks/athena/data.tf

@@ -32,7 +32,7 @@ data "aws_lambda_function" "rds_lambda_connector" {
 }
 
 data "aws_security_group" "dms_replication_security_group" {
-  name = "${local.project_prefix}-account-wide-etl-replication-sg"
+  name = "${local.project_prefix}-data-migration-rds-sg"
 }
 
 data "aws_secretsmanager_secret" "target_rds_credentials" {

infrastructure/stacks/athena/iam.tf

@@ -78,7 +78,7 @@ resource "aws_iam_role_policy" "athena_dynamodb_policy" {
           "dynamodb:Scan",
           "dynamodb:PartiQLSelect"
         ],
-        Resource = "arn:aws:dynamodb:${var.aws_region}:${data.aws_caller_identity.current.account_id}:table/${local.account_prefix}-*"
+        Resource = "arn:aws:dynamodb:${var.aws_region}:${data.aws_caller_identity.current.account_id}:table/*"
       },
       # checkov:skip=CKV_AWS_355: Justification: S3 DynamoDB list tables
       # checkov:skip=CKV_AWS_290: Justification: S3 DynamoDB list tables

infrastructure/stacks/github_runner/app_github_runner_policy.json.tpl

@@ -23,6 +23,7 @@
                 "resource-groups:*",
                 "dynamodb:*",
                 "rds:*",
+                "athena:*",
                 "dms:*",
                 "glue:*"
             ],
@@ -139,6 +140,7 @@
             "Resource": [
                 "arn:aws:iam::*:role/${repo_name}-*",
                 "arn:aws:iam::*:role/${project}-*",
+                "arn:aws:iam::*:role/serverlessrepo-${project}-*",
                 "arn:aws:iam::*:policy/${project}-*",
                 "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess",
                 "arn:aws:iam::*:role/aws-service-role/shield.amazonaws.com/AWSServiceRoleForAWSShield",