DS-2843 Enable dynamodb delete protection for live profile (#1040)

# Task Branch Pull Request

**<https://nhsd-jira.digital.nhs.uk/browse/DS-2843>**

## Description of Changes

This PR change enables the delete protection on change event DB in prod
environment. This delete protection not enabled on any other env as we
will require to tear the lower envs down after the development/testing
purpose is fulfilled and tested in these lower env and hence it's
enabled for prod env only to avoid accidental deletion of DB
## Type of change

Delete not appropriate

- Security enhancement for dynamodb table in prod env

## Development Checklist

- [x] I have performed a self-review of my own code
- [x] Tests have added that prove my fix is effective or that my feature
works (Integration tests)
- [x] I have updated Dependabot to include my changes (if applicable)

## Code Reviewer Checklist

- [x] I can confirm the changes have been tested or approved by a tester

Author: ajmu1

build/automation/var/profile/demo.mk

@@ -40,6 +40,7 @@ SLACK_ALERT_CHANNEL := dos-integration-dev-status
 
 # WAF
 WAF_ENABLED := true
+DDB_DELETE_PROTECTION :=false
 
 # ==============================================================================
 # Performance variables

build/automation/var/profile/dev.mk

@@ -39,6 +39,7 @@ SLACK_ALERT_CHANNEL := dos-integration-dev-status
 
 # WAF
 WAF_ENABLED := false
+DDB_DELETE_PROTECTION :=false
 
 # ==============================================================================
 # Performance variables

build/automation/var/profile/live.mk

@@ -41,6 +41,7 @@ SLACK_ALERT_CHANNEL := dos-integration-live-status
 
 # WAF
 WAF_ENABLED := true
+DDB_DELETE_PROTECTION :=true
 
 # ==============================================================================
 # Performance variables

build/automation/var/profile/pen.mk

@@ -2,3 +2,4 @@
 
 # WAF
 WAF_ENABLED := true
+DDB_DELETE_PROTECTION :=false

build/automation/var/profile/perf.mk

@@ -39,6 +39,7 @@ SLACK_ALERT_CHANNEL := dos-integration-dev-status
 
 # WAF
 WAF_ENABLED := true
+DDB_DELETE_PROTECTION :=false
 
 # ==============================================================================
 # Performance variables

build/automation/var/profile/perf2.mk

@@ -39,6 +39,7 @@ SLACK_ALERT_CHANNEL := dos-integration-dev-status
 
 # WAF
 WAF_ENABLED := true
+DDB_DELETE_PROTECTION :=false
 
 # ==============================================================================
 # Performance variables

build/automation/var/project.mk

@@ -109,6 +109,7 @@ TF_VAR_change_event_dlq := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-change-event-dead
 # Dynamodb
 TF_VAR_change_events_table_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-change-events
 DYNAMO_DB_TABLE := $(TF_VAR_change_events_table_name)
+TF_VAR_ddb_delete_protection :=$(DDB_DELETE_PROTECTION)
 
 # Log Group Filters for Firehose
 TF_VAR_change_event_gateway_subscription_filter_name := $(PROJECT_ID)-$(SHARED_ENVIRONMENT)-change-event-api-gateway-cw-logs-firehose-subscription

infrastructure/stacks/shared-resources/dynamodb.tf

@@ -3,6 +3,7 @@ resource "aws_dynamodb_table" "message-history-table" {
   billing_mode = "PAY_PER_REQUEST"
   hash_key     = "Id"
   range_key    = "ODSCode"
+  deletion_protection_enabled = var.ddb_delete_protection
 
   server_side_encryption {
     enabled     = true

infrastructure/stacks/shared-resources/variables.tf

@@ -158,6 +158,11 @@ variable "waf_enabled" {
   description = "Whether to enable WAF"
 }
 
+variable "ddb_delete_protection" {
+  type        = bool
+  description = "Whether to enable delete protection"
+}
+
 variable "waf_acl_name" {
   type        = string
   description = "Name of the WAF ACL"