Merge branch 'main' into PRM-562

samfallowfield · web-flow · commit e3974e1a5c3c · 2025-10-27T13:57:17.000Z
diff --git a/.github/workflows/cron-tear-down-sandbox.yml b/.github/workflows/cron-tear-down-sandbox.yml
@@ -2,7 +2,7 @@ name: 'Z-CRON: Tear down - Sandboxes'
 
 on:
   schedule:
-    - cron: 59 17 * * 1-5 # utc time
+    - cron: 59 18-21 * * 1-5 # utc time
 
 permissions:
   pull-requests: write
diff --git a/README.md b/README.md
@@ -7,6 +7,15 @@ This repository is used to build the infrastructure the NDR. That is it's sole p
 - [Terraform](https://developer.hashicorp.com/terraform/install)
 - [Terraform docs](https://github.com/terraform-docs/terraform-docs)
 
+To install terraform-docs on WSL use the following commands (e.g. for v0.20.0):
+```
+curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.20.0/terraform-docs-v0.20.0-$(uname)-amd64.tar.gz
+tar -xzf terraform-docs.tar.gz
+chmod +x terraform-docs
+sudo mv terraform-docs /usr/local/bin/terraform-docs
+rm terraform-docs.tar.gz
+```
+
 ## Installation
 
 ### pre-commit hook
diff --git a/infrastructure/api.tf b/infrastructure/api.tf
@@ -95,6 +95,10 @@ resource "aws_api_gateway_stage" "ndr_api" {
   depends_on = [
     aws_cloudwatch_log_group.api_gateway_stage
   ]
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 resource "aws_cloudwatch_log_group" "api_gateway_stage" {
diff --git a/infrastructure/api_mtls.tf b/infrastructure/api_mtls.tf
@@ -33,7 +33,10 @@ resource "aws_api_gateway_base_path_mapping" "api_mapping_mtls" {
   stage_name  = var.environment
   domain_name = aws_api_gateway_domain_name.custom_api_domain_mtls.domain_name
 
-  depends_on = [aws_api_gateway_deployment.ndr_api_deploy_mtls]
+  depends_on = [
+    aws_api_gateway_deployment.ndr_api_deploy_mtls,
+    aws_api_gateway_rest_api.ndr_doc_store_api_mtls
+  ]
 }
 
 resource "aws_api_gateway_deployment" "ndr_api_deploy_mtls" {
@@ -67,6 +70,12 @@ resource "aws_api_gateway_stage" "ndr_api_mtls" {
   rest_api_id          = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
   stage_name           = var.environment
   xray_tracing_enabled = var.enable_xray_tracing
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [aws_cloudwatch_log_group.mtls_api_gateway_stage]
 }
 
 resource "aws_cloudwatch_log_group" "mtls_api_gateway_stage" {
diff --git a/infrastructure/lambda-document-upload-check.tf b/infrastructure/lambda-document-upload-check.tf
@@ -60,6 +60,12 @@ resource "aws_s3_bucket_notification" "document_upload_check_lambda_trigger" {
     events              = ["s3:ObjectCreated:*"]
     filter_prefix       = "user_upload"
   }
+
+  lambda_function {
+    lambda_function_arn = module.document_upload_check_lambda.lambda_arn
+    events              = ["s3:ObjectCreated:*"]
+    filter_prefix       = "fhir_upload"
+  }
 }
 
 resource "aws_lambda_permission" "document_upload_check_lambda" {
diff --git a/infrastructure/lambda-dynamodb-migration.tf b/infrastructure/lambda-dynamodb-migration.tf
@@ -0,0 +1,39 @@
+module "migration-dynamodb-lambda" {
+  source  = "./modules/lambda"
+  name    = "MigrationDynamoDB"
+  handler = "handlers.migration_dynamodb_handler.lambda_handler"
+
+  iam_role_policy_documents = [
+    module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.bulk_upload_report_dynamodb_table.dynamodb_read_policy_document,
+    module.ndr-bulk-staging-store.s3_read_policy_document,
+    module.ndr-lloyd-george-store.s3_read_policy_document,
+    aws_iam_policy.ssm_access_policy.policy,
+    module.ndr-app-config.app_config_policy
+  ]
+
+  kms_deletion_window           = var.kms_deletion_window
+  rest_api_id                   = null
+  api_execution_arn             = null
+  is_gateway_integration_needed = false
+  is_invoked_from_gateway       = false
+
+  lambda_environment_variables = {
+    WORKSPACE               = terraform.workspace
+    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+  }
+
+  lambda_timeout                 = 900
+  memory_size                    = 1024
+  reserved_concurrent_executions = 200
+
+  depends_on = [
+    module.lloyd_george_reference_dynamodb_table,
+    module.bulk_upload_report_dynamodb_table,
+    module.ndr-app-config,
+    aws_iam_policy.ssm_access_policy,
+  ]
+}
diff --git a/scripts/cleanup_sandboxes.py b/scripts/cleanup_sandboxes.py
@@ -1,3 +1,4 @@
+import time
 import boto3, os, requests, sys
 
 from botocore.exceptions import ClientError
@@ -62,3 +63,4 @@ def get_workspaces() -> list[str]:
     for workspace in workspaces:
         if workspace not in excluded:
             trigger_delete_workflow(token=gh_pat, sandbox=workspace)
+            time.sleep(300) # Wait 5 min between executions to avoid an AWS concurrency issue.

Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,10 @@ resource "aws_api_gateway_stage" "ndr_api" {`
`95`	`95`	`depends_on = [`
`96`	`96`	`aws_cloudwatch_log_group.api_gateway_stage`
`97`	`97`	`]`
	`98`	`+`
	`99`	`+ lifecycle {`
	`100`	`+ create_before_destroy = true`
	`101`	`+ }`
`98`	`102`	`}`
`99`	`103`
`100`	`104`	`resource "aws_cloudwatch_log_group" "api_gateway_stage" {`
Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,12 @@ resource "aws_s3_bucket_notification" "document_upload_check_lambda_trigger" {`
`60`	`60`	`events = ["s3:ObjectCreated:*"]`
`61`	`61`	`filter_prefix = "user_upload"`
`62`	`62`	`}`
	`63`	`+`
	`64`	`+ lambda_function {`
	`65`	`+ lambda_function_arn = module.document_upload_check_lambda.lambda_arn`
	`66`	`+ events = ["s3:ObjectCreated:*"]`
	`67`	`+ filter_prefix = "fhir_upload"`
	`68`	`+ }`
`63`	`69`	`}`
`64`	`70`
`65`	`71`	`resource "aws_lambda_permission" "document_upload_check_lambda" {`