Merge branch 'main' into PRM-526

Author: chrisbloe

bootstrap/README.md

@@ -19,7 +19,6 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [aws_dynamodb_table.dynamodb_terraform_state_lock](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
 | [aws_kms_key.ndr_state_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_s3_bucket.ndr_lock_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_acl.ndr_lock_bucket_acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |

bootstrap/main.tf

@@ -67,21 +67,6 @@ resource "aws_s3_bucket_public_access_block" "public_access_block" {
   restrict_public_buckets = true
 }
 
-resource "aws_dynamodb_table" "dynamodb_terraform_state_lock" {
-  name           = "ndr-terraform-locks"
-  hash_key       = "LockID"
-  read_capacity  = 20
-  write_capacity = 20
-
-  attribute {
-    name = "LockID"
-    type = "S"
-  }
-  lifecycle {
-    prevent_destroy = true
-  }
-}
-
 data "aws_caller_identity" "current" {}
 
 variable "region" {

infrastructure/lambda-mns-notification.tf

@@ -1,15 +1,16 @@
 module "mns-notification-lambda" {
+  count   = 1
   source  = "./modules/lambda"
   name    = "MNSNotificationLambda"
   handler = "handlers.mns_notification_handler.lambda_handler"
   iam_role_policy_documents = [
-    module.sqs-mns-notification-queue.sqs_read_policy_document,
-    module.sqs-mns-notification-queue.sqs_write_policy_document,
+    module.sqs-mns-notification-queue[0].sqs_read_policy_document,
+    module.sqs-mns-notification-queue[0].sqs_write_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
     aws_iam_policy.ssm_access_policy.policy,
     module.ndr-app-config.app_config_policy,
-    aws_iam_policy.kms_mns_lambda_access.policy,
+    aws_iam_policy.kms_mns_lambda_access[0].policy,
   ]
   kms_deletion_window = var.kms_deletion_window
   rest_api_id         = null
@@ -20,7 +21,7 @@ module "mns-notification-lambda" {
     APPCONFIG_CONFIGURATION    = module.ndr-app-config.app_config_configuration_profile_id
     WORKSPACE                  = terraform.workspace
     LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
-    MNS_NOTIFICATION_QUEUE_URL = module.sqs-mns-notification-queue.sqs_url
+    MNS_NOTIFICATION_QUEUE_URL = module.sqs-mns-notification-queue[0].sqs_url
     PDS_FHIR_IS_STUBBED        = local.is_sandbox
   }
   is_gateway_integration_needed = false
@@ -29,26 +30,27 @@ module "mns-notification-lambda" {
 }
 
 resource "aws_lambda_event_source_mapping" "mns_notification_lambda" {
-  event_source_arn = module.sqs-mns-notification-queue.endpoint
-  function_name    = module.mns-notification-lambda.lambda_arn
+  event_source_arn = module.sqs-mns-notification-queue[0].endpoint
+  function_name    = module.mns-notification-lambda[0].lambda_arn
 }
 
 module "mns-notification-alarm" {
   source               = "./modules/lambda_alarms"
-  lambda_function_name = module.mns-notification-lambda.function_name
-  lambda_timeout       = module.mns-notification-lambda.timeout
+  lambda_function_name = module.mns-notification-lambda[0].function_name
+  lambda_timeout       = module.mns-notification-lambda[0].timeout
   lambda_name          = "mns_notification_handler"
   namespace            = "AWS/Lambda"
-  alarm_actions        = [module.mns-notification-alarm-topic.arn]
-  ok_actions           = [module.mns-notification-alarm-topic.arn]
+  alarm_actions        = [module.mns-notification-alarm-topic[0].arn]
+  ok_actions           = [module.mns-notification-alarm-topic[0].arn]
 }
 
 module "mns-notification-alarm-topic" {
+  count                 = 1
   source                = "./modules/sns"
   sns_encryption_key_id = module.sns_encryption_key.id
   topic_name            = "mns-notification-topic"
   topic_protocol        = "lambda"
-  topic_endpoint        = module.mns-notification-lambda.lambda_arn
+  topic_endpoint        = module.mns-notification-lambda[0].lambda_arn
   delivery_policy = jsonencode({
     "Version" : "2012-10-17",
     "Statement" : [
@@ -72,6 +74,7 @@ module "mns-notification-alarm-topic" {
 }
 
 resource "aws_iam_policy" "kms_mns_lambda_access" {
+  count       = 1
   name        = "${terraform.workspace}_mns_notification_lambda_access_policy"
   description = "KMS policy to allow lambda to read and write MNS SQS messages"
 
@@ -84,7 +87,7 @@ resource "aws_iam_policy" "kms_mns_lambda_access" {
           "kms:GenerateDataKey"
         ]
         Effect   = "Allow"
-        Resource = module.mns_encryption_key.kms_arn
+        Resource = module.mns_encryption_key[0].kms_arn
       },
     ]
   })

infrastructure/mns.tf

@@ -4,6 +4,7 @@ data "aws_ssm_parameter" "mns_lambda_role" {
 
 
 module "mns_encryption_key" {
+  count                 = 1
   source                = "./modules/kms"
   kms_key_name          = "alias/mns-notification-encryption-key-kms-${terraform.workspace}"
   kms_key_description   = "Custom KMS Key to enable server side encryption for mns subscriptions"
@@ -16,6 +17,7 @@ module "mns_encryption_key" {
 }
 
 module "sqs-mns-notification-queue" {
+  count                  = 1
   source                 = "./modules/sqs"
   name                   = "mns-notification-queue"
   max_size_message       = 256 * 1024        # allow message size up to 256 KB
@@ -25,14 +27,14 @@ module "sqs-mns-notification-queue" {
   max_visibility         = 901
   delay                  = 60
   enable_sse             = null
-  kms_master_key_id      = module.mns_encryption_key.id
+  kms_master_key_id      = module.mns_encryption_key[0].id
   enable_dlq             = true
   dlq_visibility_timeout = 0
   max_receive_count      = 3
 }
 
 resource "aws_sqs_queue_policy" "mns_sqs_access" {
-  queue_url = module.sqs-mns-notification-queue.sqs_url
+  queue_url = module.sqs-mns-notification-queue[0].sqs_url
 
   policy = jsonencode({
     Version = "2012-10-17"
@@ -43,7 +45,7 @@ resource "aws_sqs_queue_policy" "mns_sqs_access" {
           AWS = data.aws_ssm_parameter.mns_lambda_role.value
         },
         Action   = "SQS:SendMessage",
-        Resource = module.sqs-mns-notification-queue.sqs_arn
+        Resource = module.sqs-mns-notification-queue[0].sqs_arn
       }
     ]
   })
@@ -62,7 +64,7 @@ resource "aws_cloudwatch_metric_alarm" "msn_dlq_new_message" {
   alarm_actions       = [module.mns-dlq-alarm-topic.arn]
 
   dimensions = {
-    QueueName = module.sqs-mns-notification-queue.dlq_name
+    QueueName = module.sqs-mns-notification-queue[0].dlq_name
   }
 }
 
@@ -93,5 +95,5 @@ module "mns-dlq-alarm-topic" {
       }
     ]
   })
-  depends_on = [module.sqs-mns-notification-queue]
+  depends_on = [module.sqs-mns-notification-queue[0]]
 }

infrastructure/schedules.tf

@@ -57,64 +57,6 @@ resource "aws_lambda_permission" "bulk_upload_report_schedule_permission" {
   ]
 }
 
-resource "aws_cloudwatch_event_rule" "data_collection_schedule" {
-  name                = "${terraform.workspace}_data_collection_schedule"
-  description         = "Schedule for Data Collection Lambda"
-  schedule_expression = "cron(0 20 ? * SAT *)"
-}
-
-resource "aws_cloudwatch_event_target" "data_collection_schedule_event" {
-  rule      = aws_cloudwatch_event_rule.data_collection_schedule.name
-  target_id = "data_collection_schedule"
-
-  arn = module.data-collection-lambda.lambda_arn
-  depends_on = [
-    module.data-collection-lambda,
-    aws_cloudwatch_event_rule.data_collection_schedule
-  ]
-}
-
-resource "aws_lambda_permission" "data_collection_schedule_permission" {
-  statement_id  = "AllowExecutionFromCloudWatch"
-  action        = "lambda:InvokeFunction"
-  function_name = module.data-collection-lambda.function_name
-  principal     = "events.amazonaws.com"
-  source_arn    = aws_cloudwatch_event_rule.data_collection_schedule.arn
-  depends_on = [
-    module.data-collection-lambda,
-    aws_cloudwatch_event_rule.data_collection_schedule
-  ]
-}
-
-resource "aws_cloudwatch_event_rule" "statistical_report_schedule" {
-  name                = "${terraform.workspace}_statistical_report_schedule"
-  description         = "Schedule for Statistical Report Lambda"
-  schedule_expression = "cron(0 8 ? * MON *)"
-}
-
-resource "aws_cloudwatch_event_target" "statistical_report_schedule_event" {
-  rule      = aws_cloudwatch_event_rule.statistical_report_schedule.name
-  target_id = "statistical_report_schedule"
-
-  arn = module.statistical-report-lambda.lambda_arn
-  depends_on = [
-    module.statistical-report-lambda,
-    aws_cloudwatch_event_rule.statistical_report_schedule
-  ]
-}
-
-resource "aws_lambda_permission" "statistical_report_schedule_permission" {
-  statement_id  = "AllowExecutionFromCloudWatch"
-  action        = "lambda:InvokeFunction"
-  function_name = module.statistical-report-lambda.function_name
-  principal     = "events.amazonaws.com"
-  source_arn    = aws_cloudwatch_event_rule.statistical_report_schedule.arn
-  depends_on = [
-    module.statistical-report-lambda,
-    aws_cloudwatch_event_rule.statistical_report_schedule
-  ]
-}
-
 resource "aws_scheduler_schedule" "data_collection_ecs" {
   count       = local.is_sandbox ? 0 : 1
   name_prefix = "${terraform.workspace}_data_collection_ecs"

infrastructure/sqs_alarms.tf

@@ -5,11 +5,11 @@ locals {
     "stitching_main" = module.sqs-stitching-queue.sqs_name
     "lg_bulk_main"   = module.sqs-lg-bulk-upload-metadata-queue.sqs_name
     "lg_inv_main"    = module.sqs-lg-bulk-upload-invalid-queue.sqs_name
-    "mns_main"       = module.sqs-mns-notification-queue.sqs_name
+    "mns_main"       = module.sqs-mns-notification-queue[0].sqs_name
     # dead-letter queues
     "nrl_dlq"       = module.sqs-nrl-queue.dlq_name
     "stitching_dlq" = module.sqs-stitching-queue.dlq_name
-    "mns_dlq"       = module.sqs-mns-notification-queue.dlq_name
+    "mns_dlq"       = module.sqs-mns-notification-queue[0].dlq_name
   }
 
 

infrastructure/virusscanner.tf

@@ -68,7 +68,7 @@ module "cloud_storage_security" {
   count = local.is_production ? 1 : 0
 
   source                       = "cloudstoragesec/cloud-storage-security/aws"
-  version                      = "1.8.8+css9.02.000"                             # Check https://help.cloudstoragesec.com/release-notes/latest-v9 for updates
+  version                      = "1.8.9+css9.02.001"                             # Check https://help.cloudstoragesec.com/release-notes/latest-v9 for updates
   cidr                         = [var.cloud_security_console_black_hole_address] # This is a reserved address that does not lead anywhere to make sure CloudStorageSecurity console is not available
   email                        = data.aws_ssm_parameter.cloud_security_admin_email.value
   subnet_a_id                  = aws_subnet.virus_scanning_a[0].id

scripts/cleanup_terraform_states.py

@@ -8,7 +8,6 @@ class CleanupTerraformStates:
     def __init__(self):
         self.env_folder = "env:/"
         self.s3_client = boto3.client("s3")
-        self.dynamo_client = boto3.client("dynamodb")
         self.objects_paginator = self.s3_client.get_paginator('list_objects_v2')
         self.object_versions_paginator = self.s3_client.get_paginator('list_object_versions')
 
@@ -47,18 +46,6 @@ def remove_object_versions(self, tf_bucket: str, folder_prefix: str) -> None:
                 )
             print("All object versions deleted.")
 
-    def delete_record_in_dynamo(self, tf_bucket: str, file_key: str):
-        print(f"Deleting sandbox tfstate DynamoDB record")
-        table_name = "ndr-terraform-locks"
-        lock_id = f'{tf_bucket}/{file_key}-md5'
-
-        self.dynamo_client.delete_item(
-            TableName=table_name,
-            Key={'LockID': {'S': lock_id}},
-            ConditionExpression="attribute_exists(LockID)"
-        )
-        print("DynamoDB record deleted successfully")
-
 
     def main(self, sandbox: str):
         tf_bucket = self.get_terraform_bucket()
@@ -71,7 +58,6 @@ def main(self, sandbox: str):
                 if parent_folder == sandbox:
                     folder_prefix = f"{self.env_folder}{parent_folder}/"
                     self.remove_object_versions(tf_bucket=tf_bucket, folder_prefix=folder_prefix)
-                    self.delete_record_in_dynamo(tf_bucket, key)
 
 if __name__ == '__main__':
     sandbox = sys.argv[1]