Merge remote-tracking branch 'origin/main' into PRMP-374

PedroSoaresNHS · PedroSoaresNHS · commit e788d405aa6e · 2025-10-30T15:12:40.000Z
diff --git a/.github/workflows/cron-daily-health-check.yml b/.github/workflows/cron-daily-health-check.yml
@@ -88,7 +88,7 @@ jobs:
 
   run_cypress_tests:
     name: Run Cypress Tests
-    runs-on: ubuntu-22.04 
+    runs-on: ubuntu-latest 
     steps:
       - name: Checkout
         uses: actions/checkout@v5
diff --git a/infrastructure/lambda-dynamodb-migration.tf b/infrastructure/lambda-dynamodb-migration.tf
@@ -28,7 +28,7 @@ module "migration-dynamodb-lambda" {
 
   lambda_timeout                 = 900
   memory_size                    = 1024
-  reserved_concurrent_executions = 200
+  reserved_concurrent_executions = contains(["prod"], terraform.workspace) ? 100 : 5
 
   depends_on = [
     module.lloyd_george_reference_dynamodb_table,
diff --git a/infrastructure/policies.tf b/infrastructure/policies.tf
@@ -40,3 +40,30 @@ resource "aws_iam_policy" "read_only_role_extra_permissions" {
     Workspace = "core"
   }
 }
+
+resource "aws_iam_policy" "administrator_permission_restrictions" {
+  count = local.is_sandbox ? 0 : 1
+  name  = "AdministratorRestriction"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Deny",
+        Action = [
+          "s3:DeleteObject",
+          "s3:DeleteObjectVersion",
+          "s3:PutLifecycleConfiguration",
+          "s3:PutObject",
+          "s3:RestoreObject"
+        ],
+        Resource = [
+          "arn:aws:s3:::*/*.tfstate"
+        ]
+      }
+    ]
+  })
+  tags = {
+    Name      = "AdministratorRestriction"
+    Workspace = "core"
+  }
+}
diff --git a/infrastructure/variable.tf b/infrastructure/variable.tf
@@ -243,7 +243,7 @@ locals {
   current_region     = data.aws_region.current.name
   current_account_id = data.aws_caller_identity.current.account_id
 
-  apim_api_url = "https://${var.apim_environment}api.service.nhs.uk/national-document-repository"
+  apim_api_url = "https://${var.apim_environment}api.service.nhs.uk/national-document-repository/FHIR/R4"
 
   truststore_bucket_id = local.is_sandbox ? "ndr-dev-${var.truststore_bucket_name}" : module.ndr-truststore[0].bucket_id
   truststore_uri       = "s3://${local.truststore_bucket_id}/${var.ca_pem_filename}"
