Merge branch 'PRMP-579' of https://github.com/nhsconnect/national-document-repository-infrastructure into PRMP-579

Author: steph-torres-nhs

.github/workflows/cron-daily-health-check.yml

@@ -88,7 +88,7 @@ jobs:
 
   run_cypress_tests:
     name: Run Cypress Tests
-    runs-on: ubuntu-22.04 
+    runs-on: ubuntu-latest 
     steps:
       - name: Checkout
         uses: actions/checkout@v5

infrastructure/lambda-document-upload-check.tf

@@ -60,6 +60,12 @@ resource "aws_s3_bucket_notification" "document_upload_check_lambda_trigger" {
     events              = ["s3:ObjectCreated:*"]
     filter_prefix       = "user_upload"
   }
+
+  lambda_function {
+    lambda_function_arn = module.document_upload_check_lambda.lambda_arn
+    events              = ["s3:ObjectCreated:*"]
+    filter_prefix       = "fhir_upload"
+  }
 }
 
 resource "aws_lambda_permission" "document_upload_check_lambda" {

infrastructure/lambda-dynamodb-migration.tf

@@ -0,0 +1,39 @@
+module "migration-dynamodb-lambda" {
+  source  = "./modules/lambda"
+  name    = "MigrationDynamoDB"
+  handler = "handlers.migration_dynamodb_handler.lambda_handler"
+
+  iam_role_policy_documents = [
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.bulk_upload_report_dynamodb_table.dynamodb_read_policy_document,
+    module.ndr-bulk-staging-store.s3_read_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-app-config.app_config_policy
+  ]
+
+  kms_deletion_window           = var.kms_deletion_window
+  rest_api_id                   = null
+  api_execution_arn             = null
+  is_gateway_integration_needed = false
+  is_invoked_from_gateway       = false
+
+  lambda_environment_variables = {
+    WORKSPACE               = terraform.workspace
+    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+  }
+
+  lambda_timeout                 = 900
+  memory_size                    = 1024
+  reserved_concurrent_executions = 200
+
+  depends_on = [
+    module.lloyd_george_reference_dynamodb_table,
+    module.bulk_upload_report_dynamodb_table,
+    module.ndr-app-config,
+    aws_iam_policy.ssm_access_policy,
+  ]
+}

infrastructure/policies.tf

@@ -40,3 +40,30 @@ resource "aws_iam_policy" "read_only_role_extra_permissions" {
     Workspace = "core"
   }
 }
+
+resource "aws_iam_policy" "administrator_permission_restrictions" {
+  count = local.is_sandbox ? 0 : 1
+  name  = "AdministratorRestriction"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Deny",
+        Action = [
+          "s3:DeleteObject",
+          "s3:DeleteObjectVersion",
+          "s3:PutLifecycleConfiguration",
+          "s3:PutObject",
+          "s3:RestoreObject"
+        ],
+        Resource = [
+          "arn:aws:s3:::*/*.tfstate"
+        ]
+      }
+    ]
+  })
+  tags = {
+    Name      = "AdministratorRestriction"
+    Workspace = "core"
+  }
+}