[PRMT-439] Update Infrastructure and workflows to handle CIS2 Mock workspaces (#333)

Author: abbas-khan10

.github/workflows/terraform-deploy-feature-to-sandbox-with-dispatch.yml

@@ -92,6 +92,16 @@ jobs:
         with:
           ref: ${{ inputs.build_branch }}
 
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+
+      - name: Install Python Dependencies
+        run: |
+          python3 -m venv ./venv
+          ./venv/bin/pip3 install --upgrade pip boto3
+
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
@@ -118,3 +128,6 @@ jobs:
       - name: Terraform Destroy
         run: terraform destroy -auto-approve -var-file="${{ inputs.terraform_vars }}"
         working-directory: ./infrastructure
+
+      - name: Run Terraform Workspace Cleanup Script
+        run: ./venv/bin/python3 -u scripts/cleanup_terraform_states.py ${{ inputs.sandbox_workspace }}

.github/workflows/terraform-destroy-dev-environments-cron.yml

@@ -0,0 +1,44 @@
+name: 'Destroy Sandbox Environments (CRON)'
+
+on:
+  schedule:
+    - cron: 59 17 * * 1-5 # utc time
+
+permissions:
+  pull-requests: write
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
+
+jobs:
+  destroy_process:
+    name: Destroy Sandbox Environments
+    runs-on: ubuntu-latest
+    environment: development
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: main
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+          mask-aws-account-id: true
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+
+      - name: Install Python Dependencies
+        run: |
+          python3 -m venv ./venv
+          ./venv/bin/pip3 install --upgrade pip boto3 requests
+
+      - name: Run Sandbox Cleanup Script
+        run: ./venv/bin/python3 -u scripts/cleanup_sandboxes.py
+        env:
+          GIT_WORKFLOW_PAT: ${{ secrets.GIT_WORKFLOW_PAT }}  # Has "repo" and "workflow" privileges

.github/workflows/terraform-destroy-environment-manual.yml

@@ -35,3 +35,4 @@ tfplan
 
 .idea/
 .vscode/
+venv/

.github/workflows/terraform-destroy-sandbox-environments-cron.yml

@@ -4,4 +4,5 @@ module "ndr-app-config" {
   owner                   = var.owner
   config_environment_name = terraform.workspace
   config_profile_name     = "config-profile-${terraform.workspace}"
+  dev_config_enabled      = !local.is_production
 }

.gitignore

@@ -1,13 +1,18 @@
 module "ndr-docker-ecr-ui" {
-  source      = "./modules/ecr/"
-  app_name    = "ndr-${terraform.workspace}-app"
+  source              = "./modules/ecr/"
+  app_name            = "ndr-${terraform.workspace}-app"
+  allow_force_destroy = local.is_force_destroy
+
   environment = var.environment
   owner       = var.owner
 }
+
 module "ndr-docker-ecr-data-collection" {
-  count       = local.is_sandbox ? 0 : 1
-  source      = "./modules/ecr/"
-  app_name    = "${terraform.workspace}-data-collection"
+  count               = local.is_sandbox ? 0 : 1
+  source              = "./modules/ecr/"
+  app_name            = "${terraform.workspace}-data-collection"
+  allow_force_destroy = local.is_force_destroy
+
   environment = var.environment
   owner       = var.owner
 }

infrastructure/app_config.tf

@@ -10,6 +10,7 @@ module "edge_presign_alarm" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "edge_presign_error" {
+  count          = local.is_sandbox ? 0 : 1
   name           = "EdgePresignErrorFilter"
   pattern        = "%LambdaError%"
   log_group_name = "/aws/lambda/us-east-1.${module.edge-presign-lambda.function_name}"

infrastructure/ecr.tf

@@ -57,6 +57,7 @@ module "app_config" {
 |------|-------------|------|---------|:--------:|
 | <a name="input_config_environment_name"></a> [config\_environment\_name](#input\_config\_environment\_name) | Name of the AppConfig environment (e.g., dev, prod). | `string` | n/a | yes |
 | <a name="input_config_profile_name"></a> [config\_profile\_name](#input\_config\_profile\_name) | Name of the AppConfig configuration profile. | `string` | n/a | yes |
+| <a name="input_dev_config_enabled"></a> [dev\_config\_enabled](#input\_dev\_config\_enabled) | n/a | `bool` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | Deployment environment tag used for naming and labeling (e.g., dev, prod) | `string` | n/a | yes |
 | <a name="input_owner"></a> [owner](#input\_owner) | Identifies the team or person responsible for the resource (used for tagging). | `string` | n/a | yes |
 ## Outputs

infrastructure/lambda-edge-presign.tf

@@ -27,7 +27,7 @@
             "enabled": "false"
         },
         "useSmartcardAuth": {
-            "enabled": "false"
+            "enabled": "true"
         },
         "lloydGeorgeValidationStrictModeEnabled": {
             "enabled": "true"