Merge branch 'main' into PRMP-538

Author: MohammadIqbalAD-NHS

.github/workflows/automated-deploy-dev.yml

@@ -61,7 +61,7 @@ jobs:
       - name: Run Terraform Plan
         id: plan
         run: |
-          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan > plan_output.txt 2>&1
+          terraform plan -lock-timeout=20m -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan > plan_output.txt 2>&1
           terraform show -no-color tf.plan > tfplan.txt 2>&1
 
           # Mask PEM certificates (BEGIN...END CERTIFICATE)
@@ -202,7 +202,7 @@ jobs:
       # Terraform apply will only occur on a push (merge request completion)
       - name: Run Terraform Apply
         if: github.ref == 'refs/heads/main'
-        run: terraform apply -auto-approve -input=false tf.plan
+        run: terraform apply -lock-timeout=20m -auto-approve -input=false tf.plan
         working-directory: ./infrastructure
 
   deploy_lambdas:

backup-vault/teraform/README.md

@@ -1,33 +1,23 @@
-## Requirements
+# AWS Backup Vault Terraform Configuration
 
-| Name | Version |
-|------|---------|
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
+To create or update the AWS config, Terraform must be run from a local machine, as there is currently no GitHub Action set up for this.
 
-## Providers
+The following commands should be used as a suggestion for the process:
 
-| Name | Version |
-|------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
+```shell
+aws sso login --sso-session PRM
 
-## Modules
+export AWS_PROFILE=NDR-Pre-Prod-Backup-RW
+terraform init -backend-config=pre-prod.s3.tfbackend -upgrade -reconfigure
+terraform workspace list
+terraform workspace select pre-prod
+terraform plan
+terraform apply
 
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_backup_vault.backup_vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource |
-| [aws_backup_vault_policy.backup_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault_policy) | resource |
-| [aws_kms_alias.encryption_key_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
-| [aws_kms_key.encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
-| [aws_ssm_parameter.backup-source-account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
-
-## Inputs
-
-No inputs.
-
-## Outputs
-
-No outputs.
+export AWS_PROFILE=NDR-Prod-Backup-RW
+terraform init -backend-config=prod.s3.tfbackend -upgrade -reconfigure
+terraform workspace list
+terraform workspace select prod-backup
+terraform plan
+terraform apply
+```

backup-vault/teraform/backup-vault.tf

@@ -12,7 +12,6 @@ resource "aws_kms_alias" "encryption_key_alias" {
   target_key_id = aws_kms_key.encryption_key.id
 }
 
-
 resource "aws_backup_vault_policy" "backup_policy" {
   backup_vault_name = aws_backup_vault.backup_vault.name
 
@@ -21,10 +20,10 @@ resource "aws_backup_vault_policy" "backup_policy" {
       "Version" : "2012-10-17",
       "Statement" : [
         {
-          "Sid" : "Allow ${data.aws_ssm_parameter.backup-source-account.value} to copy into pre-prod_backup_vault",
+          "Sid" : "Allow ${data.aws_ssm_parameter.backup_source_account.value} to copy into pre-prod_backup_vault",
           "Effect" : "Allow",
           "Principal" : {
-            "AWS" : "arn:aws:iam::${data.aws_ssm_parameter.backup-source-account.value}:root"
+            "AWS" : "arn:aws:iam::${data.aws_ssm_parameter.backup_source_account.value}:root"
           },
           "Action" : "backup:CopyIntoBackupVault",
           "Resource" : "*"
@@ -34,7 +33,6 @@ resource "aws_backup_vault_policy" "backup_policy" {
   )
 }
 
-data "aws_ssm_parameter" "backup-source-account" {
+data "aws_ssm_parameter" "backup_source_account" {
   name = "backup-source-account"
 }
-

backup-vault/teraform/iam.tf

@@ -0,0 +1,25 @@
+resource "aws_iam_policy" "administrator_permission_restrictions" {
+  name = "AdministratorRestriction"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Deny",
+        Action = [
+          "s3:DeleteObject",
+          "s3:DeleteObjectVersion",
+          "s3:PutLifecycleConfiguration",
+          "s3:PutObject",
+          "s3:RestoreObject"
+        ],
+        Resource = [
+          "arn:aws:s3:::*/*.tfstate"
+        ]
+      }
+    ]
+  })
+  tags = {
+    Name      = "AdministratorRestriction"
+    Workspace = "core"
+  }
+}

backup-vault/teraform/main.tf

@@ -2,16 +2,18 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.0"
+      version = "~> 6.0"
     }
   }
+
   backend "s3" {
     use_lockfile = true
     region       = "eu-west-2"
     key          = "ndr/terraform.tfstate"
     encrypt      = true
   }
 }
+
 provider "aws" {
   region = "eu-west-2"
 }

backup-vault/teraform/pre-prod.s3.tfbackend

@@ -1,5 +1,4 @@
 bucket          = "ndr-backup-terraform-state"
-dynamodb_table  = "ndr-backup-terraform-lock"
 region          = "eu-west-2"
 key             = "backup/terraform.tfstate"
 encrypt         = true

backup-vault/teraform/prod.s3.tfbackend

@@ -1,5 +1,4 @@
-bucket          = "ndr-backup-terraform-state"
-dynamodb_table  = "ndr-backup-terraform-lock"
+bucket          = "ndr-prod-backup-terraform-state"
 region          = "eu-west-2"
-key             = "backup/terraform.tfstate"
+key             = "ndr/terraform.tfstate"
 encrypt         = true

infrastructure/README.md

@@ -51,7 +51,7 @@
 | <a name="module_create-token-lambda"></a> [create-token-lambda](#module_create-token-lambda)                                                                                        | ./modules/lambda                           | n/a               |
 | <a name="module_create_doc_alarm"></a> [create_doc_alarm](#module_create_doc_alarm)                                                                                                 | ./modules/lambda_alarms                    | n/a               |
 | <a name="module_create_doc_alarm_topic"></a> [create_doc_alarm_topic](#module_create_doc_alarm_topic)                                                                               | ./modules/sns                              | n/a               |
-| <a name="module_create_document_reference_gateway"></a> [create_document_reference_gateway](#module_create_document_reference_gateway)                                              | ./modules/gateway                          | n/a               |
+| <a name="module_document_reference_gateway"></a> [document_reference_gateway](#module_document_reference_gateway)                                              | ./modules/gateway                          | n/a               |
 | <a name="module_create_token-alarm"></a> [create_token-alarm](#module_create_token-alarm)                                                                                           | ./modules/lambda_alarms                    | n/a               |
 | <a name="module_create_token-alarm_topic"></a> [create_token-alarm_topic](#module_create_token-alarm_topic)                                                                         | ./modules/sns                              | n/a               |
 | <a name="module_data-collection-alarm"></a> [data-collection-alarm](#module_data-collection-alarm)                                                                                  | ./modules/lambda_alarms                    | n/a               |

infrastructure/api.tf

@@ -23,7 +23,11 @@ resource "aws_api_gateway_base_path_mapping" "api_mapping" {
   stage_name  = var.environment
   domain_name = local.api_gateway_full_domain_name
 
-  depends_on = [aws_api_gateway_deployment.ndr_api_deploy, aws_api_gateway_rest_api.ndr_doc_store_api]
+  depends_on = [
+    aws_api_gateway_deployment.ndr_api_deploy,
+    aws_api_gateway_rest_api.ndr_doc_store_api,
+    aws_api_gateway_stage.ndr_api
+  ]
 }
 
 resource "aws_api_gateway_resource" "auth_resource" {
@@ -45,13 +49,13 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.back-channel-logout-gateway,
     module.back_channel_logout_lambda,
     module.create-doc-ref-lambda,
-    module.create_document_reference_gateway,
     module.create-token-gateway,
     module.create-token-lambda,
     module.delete-doc-ref-gateway,
     module.delete-doc-ref-lambda,
     module.document-manifest-job-gateway,
     module.document-manifest-job-lambda,
+    module.document_reference_gateway,
     module.feature-flags-gateway,
     module.feature-flags-lambda,
     module.fhir_document_reference_gateway,
@@ -68,6 +72,7 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.search-patient-details-lambda,
     module.send-feedback-gateway,
     module.send-feedback-lambda,
+    module.update_doc_ref_lambda,
     module.update-upload-state-gateway,
     module.update-upload-state-lambda,
     module.document-status-check-gateway,

infrastructure/api_mtls.tf

@@ -35,7 +35,8 @@ resource "aws_api_gateway_base_path_mapping" "api_mapping_mtls" {
 
   depends_on = [
     aws_api_gateway_deployment.ndr_api_deploy_mtls,
-    aws_api_gateway_rest_api.ndr_doc_store_api_mtls
+    aws_api_gateway_rest_api.ndr_doc_store_api_mtls,
+    aws_api_gateway_stage.ndr_api_mtls
   ]
 }