Merge branch 'main' into PRMP-557

Author: steph-torres-nhs

.github/workflows/cron-tear-down-sandbox.yml

@@ -41,4 +41,4 @@ jobs:
       - name: Run Sandbox Cleanup Script
         run: ./venv/bin/python3 -u scripts/cleanup_sandboxes.py
         env:
-          GIT_WORKFLOW_PAT: ${{ secrets.GIT_WORKFLOW_PAT }}  # Has "repo" and "workflow" privileges
+          GIT_WORKFLOW_PAT: ${{ secrets.GIT_WORKFLOW_PAT }} # See https://docs.github.com/en/rest/actions/workflows?apiVersion=2022-11-28#create-a-workflow-dispatch-event

infrastructure/buckets.tf

@@ -73,6 +73,18 @@ module "ndr-lloyd-george-store" {
   ]
 }
 
+module "migration-dynamodb-segment-store" {
+  source                    = "./modules/s3/"
+  access_logs_enabled       = local.is_production
+  access_logs_bucket_id     = local.access_logs_bucket_id
+  bucket_name               = var.migration_dynamodb_segment_store_bucket_name
+  enable_cors_configuration = false
+  enable_bucket_versioning  = true
+  environment               = var.environment
+  owner                     = var.owner
+  force_destroy             = local.is_force_destroy
+}
+
 module "statistical-reports-store" {
   source                    = "./modules/s3/"
   access_logs_enabled       = local.is_production

infrastructure/lambda-migration-dynamodb-segment.tf

@@ -0,0 +1,32 @@
+module "migration-dynamodb-segment-lambda" {
+  source         = "./modules/lambda"
+  name           = "MigrationDynamodbSegment"
+  handler        = "handlers.migration_dynamodb_segment_handler.lambda_handler"
+  lambda_timeout = 900
+  memory_size    = 1792
+  iam_role_policy_documents = [
+    module.migration-dynamodb-segment-store.s3_read_policy_document,
+    module.migration-dynamodb-segment-store.s3_write_policy_document,
+    data.aws_iam_policy_document.migration_dynamodb_access.json
+  ]
+  kms_deletion_window = var.kms_deletion_window
+
+  lambda_environment_variables = {
+    WORKSPACE                     = terraform.workspace
+    MIGRATION_SEGMENT_BUCKET_NAME = "${terraform.workspace}-${var.migration_dynamodb_segment_store_bucket_name}"
+  }
+  is_gateway_integration_needed = false
+  is_invoked_from_gateway       = false
+}
+
+data "aws_iam_policy_document" "migration_dynamodb_access" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "dynamodb:DescribeTable"
+    ]
+    resources = [
+      "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${terraform.workspace}_*"
+    ]
+  }
+}

infrastructure/variable.tf

@@ -33,6 +33,12 @@ variable "docstore_bucket_name" {
   default     = "ndr-document-store"
 }
 
+variable "migration_dynamodb_segment_store_bucket_name" {
+  description = "The name of the S3 bucket to store the segments for DynamoDB migration."
+  type        = string
+  default     = "migration-dynamodb-segment-store"
+}
+
 variable "zip_store_bucket_name" {
   description = "The name of the S3 bucket used as a zip store."
   type        = string

infrastructure/virusscanner.tf

@@ -68,7 +68,7 @@ module "cloud_storage_security" {
   count = local.is_production ? 1 : 0
 
   source                       = "cloudstoragesec/cloud-storage-security/aws"
-  version                      = "1.8.9+css9.02.001"                             # Check https://help.cloudstoragesec.com/release-notes/latest-v9 for updates
+  version                      = "1.8.10+css9.03.000"                            # Check https://help.cloudstoragesec.com/release-notes/latest-v9 for updates
   cidr                         = [var.cloud_security_console_black_hole_address] # This is a reserved address that does not lead anywhere to make sure CloudStorageSecurity console is not available
   email                        = data.aws_ssm_parameter.cloud_security_admin_email.value
   subnet_a_id                  = aws_subnet.virus_scanning_a[0].id