VED-1050: Enable PITR in preprod and enable S3 versioning on additional buckets. (#1232)

Author: mfjarvis

infrastructure/instance/dynamodb.tf

@@ -31,19 +31,31 @@ resource "aws_dynamodb_table" "audit-table" {
 
   global_secondary_index {
     name            = "filename_index"
-    hash_key        = "filename"
     projection_type = "ALL"
+
+    key_schema {
+      attribute_name = "filename"
+      key_type       = "HASH"
+    }
   }
 
   global_secondary_index {
     name            = "queue_name_index"
-    hash_key        = "queue_name"
-    range_key       = "status"
     projection_type = "ALL"
+
+    key_schema {
+      attribute_name = "queue_name"
+      key_type       = "HASH"
+    }
+
+    key_schema {
+      attribute_name = "status"
+      key_type       = "RANGE"
+    }
   }
 
   point_in_time_recovery {
-    enabled = var.environment == "prod"
+    enabled = var.dynamodb_point_in_time_recovery_enabled
   }
 
   server_side_encryption {
@@ -95,26 +107,46 @@ resource "aws_dynamodb_table" "delta-dynamodb-table" {
 
   global_secondary_index {
     name            = "SearchIndex"
-    hash_key        = "Operation"
-    range_key       = "DateTimeStamp"
     projection_type = "ALL"
+
+    key_schema {
+      attribute_name = "Operation"
+      key_type       = "HASH"
+    }
+
+    key_schema {
+      attribute_name = "DateTimeStamp"
+      key_type       = "RANGE"
+    }
   }
 
   global_secondary_index {
     name            = "SecondarySearchIndex"
-    hash_key        = "SupplierSystem"
-    range_key       = "VaccineType"
     projection_type = "ALL"
+
+    key_schema {
+      attribute_name = "SupplierSystem"
+      key_type       = "HASH"
+    }
+
+    key_schema {
+      attribute_name = "VaccineType"
+      key_type       = "RANGE"
+    }
   }
 
   global_secondary_index {
     name            = "ImmunisationIdIndex"
-    hash_key        = "ImmsID"
     projection_type = "ALL"
+
+    key_schema {
+      attribute_name = "ImmsID"
+      key_type       = "HASH"
+    }
   }
 
   point_in_time_recovery {
-    enabled = var.environment == "prod"
+    enabled = var.dynamodb_point_in_time_recovery_enabled
   }
 
   server_side_encryption {
@@ -154,19 +186,31 @@ resource "aws_dynamodb_table" "events-dynamodb-table" {
 
   global_secondary_index {
     name            = "PatientGSI"
-    hash_key        = "PatientPK"
-    range_key       = "PatientSK"
     projection_type = "ALL"
+
+    key_schema {
+      attribute_name = "PatientPK"
+      key_type       = "HASH"
+    }
+
+    key_schema {
+      attribute_name = "PatientSK"
+      key_type       = "RANGE"
+    }
   }
 
   global_secondary_index {
     name            = "IdentifierGSI"
-    hash_key        = "IdentifierPK"
     projection_type = "ALL"
+
+    key_schema {
+      attribute_name = "IdentifierPK"
+      key_type       = "HASH"
+    }
   }
 
   point_in_time_recovery {
-    enabled = var.environment == "prod"
+    enabled = var.dynamodb_point_in_time_recovery_enabled
   }
 
   server_side_encryption {

infrastructure/instance/environments/preprod/int-blue/variables.tfvars

@@ -1,7 +1,8 @@
-environment                       = "preprod"
-immunisation_account_id           = "084828561157"
-dspp_core_account_id              = "603871901111"
-pds_environment                   = "int"
-batch_error_notifications_enabled = true
-create_mesh_processor             = true
-has_sub_environment_scope         = false
+environment                             = "preprod"
+immunisation_account_id                 = "084828561157"
+dspp_core_account_id                    = "603871901111"
+pds_environment                         = "int"
+batch_error_notifications_enabled       = true
+create_mesh_processor                   = true
+has_sub_environment_scope               = false
+dynamodb_point_in_time_recovery_enabled = true

infrastructure/instance/environments/preprod/int-green/variables.tfvars

@@ -1,7 +1,8 @@
-environment                       = "preprod"
-immunisation_account_id           = "084828561157"
-dspp_core_account_id              = "603871901111"
-pds_environment                   = "int"
-batch_error_notifications_enabled = true
-create_mesh_processor             = true
-has_sub_environment_scope         = false
+environment                             = "preprod"
+immunisation_account_id                 = "084828561157"
+dspp_core_account_id                    = "603871901111"
+pds_environment                         = "int"
+batch_error_notifications_enabled       = true
+create_mesh_processor                   = true
+has_sub_environment_scope               = false
+dynamodb_point_in_time_recovery_enabled = true

infrastructure/instance/environments/prod/blue/variables.tfvars

@@ -1,10 +1,11 @@
-environment                       = "prod"
-immunisation_account_id           = "664418956997"
-dspp_core_account_id              = "232116723729"
-mns_account_id                    = "758334270304"
-pds_environment                   = "prod"
-batch_error_notifications_enabled = true
-create_mesh_processor             = true
-has_sub_environment_scope         = false
-dspp_submission_s3_bucket_name    = "nhsd-dspp-core-prod-s3-submission-upload"
-dspp_submission_kms_key_alias     = "nhsd-dspp-core-prod-s3-submission-upload-key"
+environment                             = "prod"
+immunisation_account_id                 = "664418956997"
+dspp_core_account_id                    = "232116723729"
+mns_account_id                          = "758334270304"
+pds_environment                         = "prod"
+batch_error_notifications_enabled       = true
+create_mesh_processor                   = true
+has_sub_environment_scope               = false
+dspp_submission_s3_bucket_name          = "nhsd-dspp-core-prod-s3-submission-upload"
+dspp_submission_kms_key_alias           = "nhsd-dspp-core-prod-s3-submission-upload-key"
+dynamodb_point_in_time_recovery_enabled = true

infrastructure/instance/environments/prod/green/variables.tfvars

@@ -1,10 +1,11 @@
-environment                       = "prod"
-immunisation_account_id           = "664418956997"
-dspp_core_account_id              = "232116723729"
-mns_account_id                    = "758334270304"
-pds_environment                   = "prod"
-batch_error_notifications_enabled = true
-create_mesh_processor             = true
-has_sub_environment_scope         = false
-dspp_submission_s3_bucket_name    = "nhsd-dspp-core-prod-s3-submission-upload"
-dspp_submission_kms_key_alias     = "nhsd-dspp-core-prod-s3-submission-upload-key"
+environment                             = "prod"
+immunisation_account_id                 = "664418956997"
+dspp_core_account_id                    = "232116723729"
+mns_account_id                          = "758334270304"
+pds_environment                         = "prod"
+batch_error_notifications_enabled       = true
+create_mesh_processor                   = true
+has_sub_environment_scope               = false
+dspp_submission_s3_bucket_name          = "nhsd-dspp-core-prod-s3-submission-upload"
+dspp_submission_kms_key_alias           = "nhsd-dspp-core-prod-s3-submission-upload-key"
+dynamodb_point_in_time_recovery_enabled = true

infrastructure/instance/s3_config.tf

@@ -117,6 +117,13 @@ resource "aws_s3_bucket_public_access_block" "batch_data_destination_bucket_publ
   restrict_public_buckets = true
 }
 
+resource "aws_s3_bucket_versioning" "batch_data_destination" {
+  bucket = aws_s3_bucket.batch_data_destination_bucket.bucket
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
 resource "aws_s3_bucket_policy" "batch_data_destination_bucket_policy" {
   bucket = aws_s3_bucket.batch_data_destination_bucket.id
   policy = jsonencode({
@@ -215,6 +222,13 @@ resource "aws_s3_bucket_public_access_block" "batch_config_bucket_public_access_
   restrict_public_buckets = true
 }
 
+resource "aws_s3_bucket_versioning" "batch_config" {
+  bucket = aws_s3_bucket.batch_config_bucket.bucket
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
 resource "aws_s3_bucket_policy" "batch_config_bucket_policy" {
   bucket = aws_s3_bucket.batch_config_bucket.id
 

infrastructure/instance/variables.tf

@@ -81,6 +81,12 @@ variable "has_sub_environment_scope" {
   default     = false
 }
 
+variable "dynamodb_point_in_time_recovery_enabled" {
+  description = "Whether to enable PITR on DynamoDB tables"
+  type        = bool
+  default     = false
+}
+
 locals {
   prefix              = "${var.project_name}-${var.service}-${var.sub_environment}"
   short_prefix        = "${var.project_short_name}-${var.sub_environment}"