diff --git a/.github/actions/tf-plan-apply/action.yml b/.github/actions/tf-plan-apply/action.yml
index 5070e763..c4bf0e35 100644
--- a/.github/actions/tf-plan-apply/action.yml
+++ b/.github/actions/tf-plan-apply/action.yml
@@ -22,7 +22,7 @@ inputs:
terraform_version:
description: "Terraform version to use"
required: false
- default: "1.14.6"
+ default: "1.14.7"
working_directory:
description: "Terraform working directory"
diff --git a/.github/workflows/automated-deploy-dev.yml b/.github/workflows/automated-deploy-dev.yml
index 0b504e60..e7205501 100644
--- a/.github/workflows/automated-deploy-dev.yml
+++ b/.github/workflows/automated-deploy-dev.yml
@@ -60,7 +60,7 @@ jobs:
- name: Setup Terraform
uses: hashicorp/setup-terraform@v4
with:
- terraform_version: 1.14.6
+ terraform_version: 1.14.7
terraform_wrapper: true
- name: Initialise Terraform
@@ -270,7 +270,7 @@ jobs:
echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
- name: Send Slack Notification
- uses: slackapi/slack-github-action@v2.1.1
+ uses: slackapi/slack-github-action@v3.0.1
with:
method: chat.postMessage
token: ${{ env.SLACK_BOT_TOKEN }}
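Review bot: The bumped action is still referenced by a mutable tag (`uses: slackapi/slack-github-action@v3.0.1`) while receiving the Slack bot token through `token: ${{ env.SLACK_BOT_TOKEN }}`, so a retagged or compromised release could read that secret; pin it to the release's commit SHA with a version comment, e.g. `uses: slackapi/slack-github-action@<commit-sha> # v3.0.1`. The same tag-pinned reference is repeated in the other workflows in this diff and should get the same treatment. v3 is a major version, so confirm in the release notes that the `method` and `token` inputs kept their names before merging.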
diff --git a/.github/workflows/automated-sonarqube-cloud-analysis.yml b/.github/workflows/automated-sonarqube-cloud-analysis.yml
index 1ca9e0e1..a182288d 100644
--- a/.github/workflows/automated-sonarqube-cloud-analysis.yml
+++ b/.github/workflows/automated-sonarqube-cloud-analysis.yml
@@ -49,7 +49,7 @@ jobs:
echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
- name: Send Slack Notification
- uses: slackapi/slack-github-action@v2.1.1
+ uses: slackapi/slack-github-action@v3.0.1
with:
method: chat.postMessage
token: ${{ env.SLACK_BOT_TOKEN }}
diff --git a/.github/workflows/base-cleanup-lambda-edge.yml b/.github/workflows/base-cleanup-lambda-edge.yml
index 481f923d..fb4ca06a 100644
--- a/.github/workflows/base-cleanup-lambda-edge.yml
+++ b/.github/workflows/base-cleanup-lambda-edge.yml
@@ -69,7 +69,7 @@ jobs:
if: env.DISTRIBUTION_ID != ''
run: |
python3 -m venv ./venv
- ./venv/bin/pip3 install --upgrade pip boto3==1.42.59
+ ./venv/bin/pip3 install --upgrade pip boto3==1.42.68
- name: Remove Lambda@Edge & CloudFront Associations
if: env.DISTRIBUTION_ID != ''
diff --git a/.github/workflows/base-cleanup-workspace.yml b/.github/workflows/base-cleanup-workspace.yml
index 922fe1f9..e959b9aa 100644
--- a/.github/workflows/base-cleanup-workspace.yml
+++ b/.github/workflows/base-cleanup-workspace.yml
@@ -46,7 +46,7 @@ jobs:
run: |
python3 -m venv ./venv
./venv/bin/pip3 install --upgrade pip
- ./venv/bin/pip3 install boto3==1.42.59
+ ./venv/bin/pip3 install boto3==1.42.68
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v6
diff --git a/.github/workflows/cron-daily-health-check.yml b/.github/workflows/cron-daily-health-check.yml
index b1e4559b..78faac97 100644
--- a/.github/workflows/cron-daily-health-check.yml
+++ b/.github/workflows/cron-daily-health-check.yml
@@ -187,7 +187,7 @@ jobs:
echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
- name: Send Slack Notification
- uses: slackapi/slack-github-action@v2.1.1
+ uses: slackapi/slack-github-action@v3.0.1
with:
method: chat.postMessage
token: ${{ env.SLACK_BOT_TOKEN }}
diff --git a/.github/workflows/cron-tear-down-test.yml b/.github/workflows/cron-tear-down-test.yml
index 5646b4a8..c372b556 100644
--- a/.github/workflows/cron-tear-down-test.yml
+++ b/.github/workflows/cron-tear-down-test.yml
@@ -57,7 +57,7 @@ jobs:
- name: Setup Terraform
uses: hashicorp/setup-terraform@v4
with:
- terraform_version: 1.14.6
+ terraform_version: 1.14.7
terraform_wrapper: false
- name: Initialise Terraform
@@ -114,14 +114,14 @@ jobs:
ref: main
- name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v5
+ uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/test-github-bootstrap
aws-region: ${{ vars.AWS_REGION }}
mask-aws-account-id: true
- name: Setup Terraform
- uses: hashicorp/setup-terraform@v3
+ uses: hashicorp/setup-terraform@v4
with:
terraform_version: 1.14.3
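Review bot: This job still pins `terraform_version: 1.14.3` while every other workflow in this diff moves to 1.14.7 and bootstrap/main.tf now declares `required_version = ">= 1.14.7"`; if this job (it assumes `test-github-bootstrap` and checks out `main`) runs the bootstrap configuration, `terraform init` will refuse to proceed on 1.14.3. Bump it to `terraform_version: 1.14.7` to match the rest of the repository. The job definition continues outside the hunk, so I cannot see which directory it applies.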
diff --git a/.github/workflows/tear-down-sandbox.yml b/.github/workflows/tear-down-sandbox.yml
index 9f1d9707..037ba242 100644
--- a/.github/workflows/tear-down-sandbox.yml
+++ b/.github/workflows/tear-down-sandbox.yml
@@ -87,7 +87,7 @@ jobs:
- name: Setup Terraform
uses: hashicorp/setup-terraform@v4
with:
- terraform_version: 1.14.6
+ terraform_version: 1.14.7
- name: Initialise Terraform
run: terraform init -backend-config=${{ vars.TF_BACKEND_FILE }}
@@ -124,7 +124,7 @@ jobs:
- name: Setup Terraform
uses: hashicorp/setup-terraform@v4
with:
- terraform_version: 1.14.6
+ terraform_version: 1.14.7
- name: Initialise Terraform
run: terraform init -backend-config=bucket=ndr-dev-terraform-state-${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/bootstrap/README.md b/bootstrap/README.md
index 5a0e22bf..1956a862 100644
--- a/bootstrap/README.md
+++ b/bootstrap/README.md
@@ -4,7 +4,7 @@
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.14.6 |
+| [terraform](#requirement\_terraform) | >= 1.14.7 |
| [aws](#requirement\_aws) | >= 4.0 |
## Providers
diff --git a/bootstrap/main.tf b/bootstrap/main.tf
index 7c19471c..894a0144 100644
--- a/bootstrap/main.tf
+++ b/bootstrap/main.tf
@@ -1,9 +1,9 @@
terraform {
- required_version = ">= 1.14.6"
+ required_version = ">= 1.14.7"
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 4.0"
+ version = "~> 4.0"
}
}
}
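Review bot: Tightening the bootstrap AWS provider from `>= 4.0` to `~> 4.0` pins it to the 4.x major while every other root and module in this diff moves to `~> 6.0`, leaving bootstrap on a provider line that is two majors back and no longer receives fixes. If the goal is only to stop bootstrap floating onto a new major by accident, `~> 6.0` achieves that and keeps the repository consistent. If staying on 4.x is deliberate (for example to avoid touching rarely-applied bootstrap state), a comment such as `# intentionally pinned to 4.x: bootstrap state is applied rarely; upgrade separately` would stop the next reader from "fixing" it.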
diff --git a/infrastructure/README.md b/infrastructure/README.md
index f59a9b02..bbc6e8e8 100644
--- a/infrastructure/README.md
+++ b/infrastructure/README.md
@@ -44,7 +44,7 @@
| [bulk-upload-report-lambda](#module_bulk-upload-report-lambda) | ./modules/lambda | n/a |
| [bulk_upload_metadata_preprocessor_lambda](#module_bulk_upload_metadata_preprocessor_lambda) | ./modules/lambda | n/a |
| [bulk_upload_report_dynamodb_table](#module_bulk_upload_report_dynamodb_table) | ./modules/dynamo_db | n/a |
-| [cloud_storage_security](#module_cloud_storage_security) | cloudstoragesec/cloud-storage-security/aws | 1.7.4+css8.08.002 |
+| [cloud_storage_security](#module_cloud_storage_security) | cloudstoragesec/cloud-storage-security/aws | 1.8.18+css9.08.000 |
| [cloudfront-distribution-lg](#module_cloudfront-distribution-lg) | ./modules/cloudfront | n/a |
| [cloudfront_edge_dynamodb_table](#module_cloudfront_edge_dynamodb_table) | ./modules/dynamo_db | n/a |
| [cloudfront_firewall_waf_v2](#module_cloudfront_firewall_waf_v2) | ./modules/firewall_waf_v2 | n/a |
diff --git a/infrastructure/api.tf b/infrastructure/api.tf
index 01bd8360..b18a0423 100644
--- a/infrastructure/api.tf
+++ b/infrastructure/api.tf
@@ -1,7 +1,8 @@
# Create Document Store API
resource "aws_api_gateway_rest_api" "ndr_doc_store_api" {
- name = "${terraform.workspace}-DocStoreAPI"
- description = "Document store API for Repo"
+ name = "${terraform.workspace}-DocStoreAPI"
+ description = "Document store API for Repo"
+ disable_execute_api_endpoint = true
tags = {
Name = "${terraform.workspace}-docstore-api"
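Review bot: `disable_execute_api_endpoint = true` is a worthwhile hardening step, but it only works if every deployment of this API is fronted by a custom domain and base path mapping, which this hunk does not show; in any workspace without one the API becomes unreachable, so confirm sandbox workspaces create the mapping as well. The same setting matters more for the mTLS API in api_mtls.tf, because the default execute-api endpoint does not enforce mutual TLS; unless that REST API already sets `disable_execute_api_endpoint = true` (its resource definition is not in this diff), clients can bypass the client-certificate requirement by calling the execute-api hostname directly. Separately, the `moved` blocks removed further down in api.tf and api_mtls.tf should only go once every workspace's state has applied the rename, otherwise Terraform will plan a destroy/create of `document_reference_by_id`.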
@@ -199,8 +200,3 @@ resource "aws_api_gateway_resource" "document_reference_by_id" {
parent_id = module.fhir_document_reference_gateway[0].gateway_resource_id
path_part = "{id}"
}
-
-moved {
- from = aws_api_gateway_resource.get_document_reference
- to = aws_api_gateway_resource.document_reference_by_id
-}
diff --git a/infrastructure/api_mtls.tf b/infrastructure/api_mtls.tf
index f985abb3..d7d34af2 100644
--- a/infrastructure/api_mtls.tf
+++ b/infrastructure/api_mtls.tf
@@ -177,8 +177,3 @@ resource "aws_api_gateway_resource" "document_reference_by_id_mtls" {
parent_id = module.fhir_document_reference_mtls_gateway.gateway_resource_id
path_part = "{id}"
}
-
-moved {
- from = aws_api_gateway_resource.get_document_reference_mtls
- to = aws_api_gateway_resource.document_reference_by_id_mtls
-}
diff --git a/infrastructure/cloudfront.tf b/infrastructure/cloudfront.tf
index 48184f9c..76397c45 100644
--- a/infrastructure/cloudfront.tf
+++ b/infrastructure/cloudfront.tf
@@ -93,7 +93,7 @@ resource "aws_cloudfront_distribution" "s3_presign_mask" {
viewer_certificate {
acm_certificate_arn = aws_acm_certificate.cloudfront.arn
ssl_support_method = "sni-only"
- minimum_protocol_version = "TLSv1.2_2021"
+ minimum_protocol_version = "TLSv1.3_2025"
}
restrictions {
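Review bot: `TLSv1.3_2025` is, going by its name, a TLS 1.3-only viewer policy, so any client that can only negotiate TLS 1.2 is refused at the edge; that is a stricter change than the old `TLSv1.2_2021` (which already allowed TLS 1.3 while keeping a 1.2 floor) and deserves a comment plus a check against the clients this distribution actually serves. Something like `# TLS 1.3 only: TLS 1.2-only clients are rejected at the edge` above `minimum_protocol_version` would make the intent explicit. If TLS 1.2 clients must keep working, stay on `TLSv1.2_2021` rather than requiring 1.3.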
diff --git a/infrastructure/cloudwatch_rum.tf b/infrastructure/cloudwatch_rum.tf
index 77eda0e9..5993add6 100644
--- a/infrastructure/cloudwatch_rum.tf
+++ b/infrastructure/cloudwatch_rum.tf
@@ -39,7 +39,7 @@ resource "aws_iam_policy" "cloudwatch_rum_cognito_access" {
{
"Effect" : "Allow",
"Action" : "rum:PutRumEvents",
- "Resource" : "arn:aws:rum:${local.current_region}:${local.current_account_id}:appmonitor/${aws_rum_app_monitor.ndr.id}"
+ "Resource" : "arn:aws:rum:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:appmonitor/${aws_rum_app_monitor.ndr.id}"
}
]
})
@@ -63,7 +63,7 @@ resource "aws_cloudwatch_log_resource_policy" "rum_log" {
"logs:DeleteLogGroup",
"logs:DescribeLogGroups"
],
- Resource = "arn:aws:logs:${local.current_region}:${local.current_account_id}:log-group:/aws/vendedlogs/RUMService_*"
+ Resource = "arn:aws:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/vendedlogs/RUMService_*"
}
]
})
diff --git a/infrastructure/dynamo_db.tf b/infrastructure/dynamo_db.tf
index 97a05065..4796c506 100644
--- a/infrastructure/dynamo_db.tf
+++ b/infrastructure/dynamo_db.tf
@@ -3,7 +3,6 @@ module "document_reference_dynamodb_table" {
table_name = var.docstore_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
- stream_enabled = true
stream_view_type = "OLD_IMAGE"
ttl_enabled = true
ttl_attribute_name = "TTL"
@@ -46,7 +45,6 @@ module "cloudfront_edge_dynamodb_table" {
table_name = var.cloudfront_edge_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
- stream_enabled = false
ttl_enabled = true
ttl_attribute_name = "TTL"
point_in_time_recovery_enabled = !local.is_sandbox
@@ -67,7 +65,6 @@ module "lloyd_george_reference_dynamodb_table" {
table_name = var.lloyd_george_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
- stream_enabled = true
stream_view_type = "OLD_IMAGE"
ttl_enabled = true
ttl_attribute_name = "TTL"
@@ -133,7 +130,6 @@ module "unstitched_lloyd_george_reference_dynamodb_table" {
table_name = var.unstitched_lloyd_george_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
- stream_enabled = true
stream_view_type = "OLD_IMAGE"
ttl_enabled = true
ttl_attribute_name = "TTL"
@@ -176,7 +172,7 @@ module "zip_store_reference_dynamodb_table" {
table_name = var.zip_store_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
- stream_enabled = true
+ stream_view_type = "NEW_AND_OLD_IMAGES"
ttl_enabled = false
attributes = [
@@ -207,7 +203,7 @@ module "stitch_metadata_reference_dynamodb_table" {
table_name = var.stitch_metadata_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
- stream_enabled = true
+ stream_view_type = "NEW_AND_OLD_IMAGES"
ttl_enabled = true
ttl_attribute_name = "ExpireAt"
@@ -239,7 +235,6 @@ module "auth_state_dynamodb_table" {
table_name = var.auth_state_dynamodb_table_name
hash_key = "State"
deletion_protection_enabled = var.deletion_protection_enabled
- stream_enabled = false
ttl_enabled = true
ttl_attribute_name = "TimeToExist"
attributes = [
@@ -266,7 +261,6 @@ module "auth_session_dynamodb_table" {
table_name = var.auth_session_dynamodb_table_name
hash_key = "NDRSessionId"
deletion_protection_enabled = var.deletion_protection_enabled
- stream_enabled = false
ttl_enabled = true
ttl_attribute_name = "TimeToExist"
attributes = [
@@ -293,7 +287,6 @@ module "bulk_upload_report_dynamodb_table" {
table_name = var.bulk_upload_report_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
- stream_enabled = false
ttl_enabled = false
point_in_time_recovery_enabled = !local.is_sandbox
@@ -340,7 +333,6 @@ module "statistics_dynamodb_table" {
hash_key = "Date"
sort_key = "StatisticID"
deletion_protection_enabled = var.deletion_protection_enabled
- stream_enabled = false
ttl_enabled = false
point_in_time_recovery_enabled = !local.is_sandbox
@@ -378,7 +370,6 @@ module "access_audit_dynamodb_table" {
hash_key = "Type"
sort_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
- stream_enabled = false
ttl_enabled = false
point_in_time_recovery_enabled = !local.is_sandbox
@@ -432,7 +423,6 @@ module "pdm_dynamodb_table" {
table_name = var.pdm_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
- stream_enabled = true
stream_view_type = "OLD_IMAGE"
ttl_enabled = true
ttl_attribute_name = "TTL"
@@ -505,7 +495,6 @@ module "core_dynamodb_table" {
hash_key = "NhsNumber"
sort_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
- stream_enabled = true
stream_view_type = "OLD_IMAGE"
ttl_enabled = true
ttl_attribute_name = "TTL"
@@ -544,7 +533,6 @@ module "alarm_state_history_table" {
sort_key = "TimeCreated"
deletion_protection_enabled = var.deletion_protection_enabled
point_in_time_recovery_enabled = false
- stream_enabled = false
ttl_enabled = true
ttl_attribute_name = "TimeToExist"
@@ -569,7 +557,6 @@ module "bulk_upload_contact_lookup_table" {
hash_key = "OdsCode"
deletion_protection_enabled = var.deletion_protection_enabled
point_in_time_recovery_enabled = !local.is_sandbox
- stream_enabled = false
ttl_enabled = false
attributes = [
diff --git a/infrastructure/dynamo_db_review.tf b/infrastructure/dynamo_db_review.tf
index 179640f6..d552423a 100644
--- a/infrastructure/dynamo_db_review.tf
+++ b/infrastructure/dynamo_db_review.tf
@@ -4,7 +4,6 @@ module "document_upload_review_dynamodb_table" {
hash_key = "ID"
sort_key = "Version"
deletion_protection_enabled = local.is_production
- stream_enabled = false
ttl_enabled = false
point_in_time_recovery_enabled = !local.is_sandbox
diff --git a/infrastructure/lambda-migration-dynamodb-segment.tf b/infrastructure/lambda-migration-dynamodb-segment.tf
index 1f9bc8ed..0553bc39 100644
--- a/infrastructure/lambda-migration-dynamodb-segment.tf
+++ b/infrastructure/lambda-migration-dynamodb-segment.tf
@@ -25,7 +25,7 @@ data "aws_iam_policy_document" "migration_dynamodb_access" {
"dynamodb:DescribeTable"
]
resources = [
- "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${terraform.workspace}_*"
+ "arn:aws:dynamodb:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:table/${terraform.workspace}_*"
]
}
}
diff --git a/infrastructure/lambda-send-feedback.tf b/infrastructure/lambda-send-feedback.tf
index 2ac32c14..43f16c48 100644
--- a/infrastructure/lambda-send-feedback.tf
+++ b/infrastructure/lambda-send-feedback.tf
@@ -121,7 +121,7 @@ resource "aws_iam_policy" "ses_send_email_policy" {
"ses:SendEmail",
],
Resource = [
- "arn:aws:ses:${local.current_region}:${local.current_account_id}:identity/*",
+ "arn:aws:ses:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:identity/*",
]
}
]
diff --git a/infrastructure/main.tf b/infrastructure/main.tf
index 40ba8fdd..c459a263 100644
--- a/infrastructure/main.tf
+++ b/infrastructure/main.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0" # When upgrading to v6.x, please update cloudfront minimum_protocol_version
+ version = "~> 6.0"
}
awscc = {
source = "hashicorp/awscc"
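Review bot: Moving the root module from `~> 5.0` to `~> 6.0` is a major provider upgrade (this diff already renames `data.aws_region.current.name` to `.region` to track it), but the `.terraform.lock.hcl` is not in the diff; make sure it is regenerated with `terraform providers lock` for the platforms CI runs on so the chosen 6.x release is hash-pinned rather than resolved afresh on every run. `~> 6.0` also admits 6.0.0, so if any 6.x-only arguments are used (see the `key_schema` blocks in the dynamo_db module), the floor should be raised to the first minor that introduced them.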
diff --git a/infrastructure/modules/app_config/README.md b/infrastructure/modules/app_config/README.md
index f95b420d..e259465f 100644
--- a/infrastructure/modules/app_config/README.md
+++ b/infrastructure/modules/app_config/README.md
@@ -37,7 +37,7 @@ module "app_config" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/app_config/provider.tf b/infrastructure/modules/app_config/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/app_config/provider.tf
+++ b/infrastructure/modules/app_config/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/dynamo_db/README.md b/infrastructure/modules/dynamo_db/README.md
index 7aff4933..17822b45 100644
--- a/infrastructure/modules/dynamo_db/README.md
+++ b/infrastructure/modules/dynamo_db/README.md
@@ -47,7 +47,6 @@ module "document_reference_dynamodb_table" {
ttl_attribute_name = "TTL"
# Optional: enable streams
- stream_enabled = true
stream_view_type = "OLD_IMAGE"
# Optional: point-in-time recovery
@@ -83,7 +82,7 @@ module "document_reference_dynamodb_table" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
@@ -107,8 +106,7 @@ module "document_reference_dynamodb_table" {
| [owner](#input\_owner) | Identifies the team or person responsible for the resource (used for tagging). | `string` | n/a | yes |
| [point\_in\_time\_recovery\_enabled](#input\_point\_in\_time\_recovery\_enabled) | Enables PITR for backups. | `bool` | `false` | no |
| [sort\_key](#input\_sort\_key) | Optional range/sort key for composite primary key. | `string` | `null` | no |
-| [stream\_enabled](#input\_stream\_enabled) | Whether DynamoDB Streams are enabled. | `bool` | `false` | no |
-| [stream\_view\_type](#input\_stream\_view\_type) | Type of stream view (e.g., OLD\_IMAGE). | `string` | `"NEW_AND_OLD_IMAGES"` | no |
+| [stream\_view\_type](#input\_stream\_view\_type) | Type of stream view (e.g., OLD\_IMAGE). | `string` | `null` | no |
| [table\_name](#input\_table\_name) | Name of the DynamoDB table. | `string` | `null` | no |
| [ttl\_attribute\_name](#input\_ttl\_attribute\_name) | Name of the TTL attribute. | `string` | `""` | no |
| [ttl\_enabled](#input\_ttl\_enabled) | Whether to enable TTL (Time to Live) on items. | `bool` | `false` | no |
diff --git a/infrastructure/modules/dynamo_db/main.tf b/infrastructure/modules/dynamo_db/main.tf
index e4ed7280..e9cd6228 100644
--- a/infrastructure/modules/dynamo_db/main.tf
+++ b/infrastructure/modules/dynamo_db/main.tf
@@ -3,7 +3,7 @@ resource "aws_dynamodb_table" "ndr_dynamodb_table" {
hash_key = var.hash_key
range_key = var.sort_key
billing_mode = var.billing_mode
- stream_enabled = var.stream_enabled
+ stream_enabled = var.stream_view_type != null
stream_view_type = var.stream_view_type
deletion_protection_enabled = var.deletion_protection_enabled
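Review bot: `stream_enabled = var.stream_view_type != null` treats an empty string as "enabled", so a caller passing `stream_view_type = ""` (plausible when the value is threaded through from another variable) would get `stream_enabled = true` with no valid view type and a plan-time provider error; `stream_enabled = var.stream_view_type != null && var.stream_view_type != ""` (or a `validation` block on the variable) closes that gap. A short comment above the line, `# streams are on iff a view type is given; null disables them`, would also make the new contract visible to readers of the resource, since the old explicit `stream_enabled` input is gone.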
@@ -26,9 +26,20 @@ resource "aws_dynamodb_table" "ndr_dynamodb_table" {
content {
name = global_secondary_index.value.name
- hash_key = global_secondary_index.value.hash_key
projection_type = global_secondary_index.value.projection_type
- range_key = lookup(global_secondary_index.value, "range_key", null)
+
+ key_schema {
+ attribute_name = global_secondary_index.value.hash_key
+ key_type = "HASH"
+ }
+
+ dynamic "key_schema" {
+ for_each = lookup(global_secondary_index.value, "range_key", null) != null ? [global_secondary_index.value.range_key] : []
+ content {
+ attribute_name = key_schema.value
+ key_type = "RANGE"
+ }
+ }
}
}
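Review bot: The GSI definition now uses nested `key_schema` blocks in place of `hash_key`/`range_key`; if that block only exists in later 6.x releases of the AWS provider (I cannot tell from here), then `~> 6.0` in the module's provider.tf is too loose a floor, because it accepts 6.0.0 where the block would be rejected at plan time. Raise the module's constraint to the first 6.x minor that introduced `key_schema`, and add a comment on the block, e.g. `# key_schema replaces hash_key/range_key on the GSI (aws provider 6.x)`, so the reason for the change survives the commit message.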
diff --git a/infrastructure/modules/dynamo_db/provider.tf b/infrastructure/modules/dynamo_db/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/dynamo_db/provider.tf
+++ b/infrastructure/modules/dynamo_db/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/dynamo_db/variable.tf b/infrastructure/modules/dynamo_db/variable.tf
index 49f990d9..ed09f501 100644
--- a/infrastructure/modules/dynamo_db/variable.tf
+++ b/infrastructure/modules/dynamo_db/variable.tf
@@ -52,16 +52,10 @@ variable "deletion_protection_enabled" {
default = null
}
-variable "stream_enabled" {
- description = "Whether DynamoDB Streams are enabled."
- type = bool
- default = false
-}
-
variable "stream_view_type" {
description = "Type of stream view (e.g., OLD_IMAGE)."
type = string
- default = "NEW_AND_OLD_IMAGES"
+ default = null
}
variable "environment" {
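Review bot: `stream_view_type` now doubles as the on/off switch for DynamoDB Streams (the module computes `stream_enabled` from it), but its description still reads as if it only picks a view type, and nothing rejects a typo such as `OLD_IMAGES`, which would surface only as a provider error at plan time. Update the description to say that `null` disables streams and add a `validation` block restricting the value to the four DynamoDB view types, as below.
```hcl
variable "stream_view_type" {
  description = "DynamoDB Streams view type (KEYS_ONLY, NEW_IMAGE, OLD_IMAGE or NEW_AND_OLD_IMAGES). null leaves streams disabled."
  type        = string
  default     = null

  validation {
    condition     = var.stream_view_type == null || contains(["KEYS_ONLY", "NEW_IMAGE", "OLD_IMAGE", "NEW_AND_OLD_IMAGES"], var.stream_view_type)
    error_message = "stream_view_type must be null or one of KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES."
  }
}
```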
diff --git a/infrastructure/modules/ecr/README.md b/infrastructure/modules/ecr/README.md
index 5fa7d087..ec9e85ca 100644
--- a/infrastructure/modules/ecr/README.md
+++ b/infrastructure/modules/ecr/README.md
@@ -34,7 +34,7 @@ module "ecr_repository" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/ecr/provider.tf b/infrastructure/modules/ecr/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/ecr/provider.tf
+++ b/infrastructure/modules/ecr/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/ecs/README.md b/infrastructure/modules/ecs/README.md
index d821669c..a1257071 100644
--- a/infrastructure/modules/ecs/README.md
+++ b/infrastructure/modules/ecs/README.md
@@ -54,7 +54,7 @@ module "ecs_service" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/ecs/lb.tf b/infrastructure/modules/ecs/lb.tf
index 15f8dde0..34ab45e5 100644
--- a/infrastructure/modules/ecs/lb.tf
+++ b/infrastructure/modules/ecs/lb.tf
@@ -47,7 +47,7 @@ resource "aws_lb_listener" "https" {
load_balancer_arn = aws_lb.ecs_lb[0].arn
port = "443"
protocol = "HTTPS"
- ssl_policy = "ELBSecurityPolicy-TLS13-1-3-2021-06"
+ ssl_policy = "ELBSecurityPolicy-TLS13-1-3-PQ-2025-09"
certificate_arn = data.aws_acm_certificate.amazon_issued[0].arn
default_action {
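Review bot: `ELBSecurityPolicy-TLS13-1-3-PQ-2025-09` is, like the `TLS13-1-3-2021-06` policy it replaces, a TLS 1.3-only listener policy (the `1-3` in the name), so the client floor is unchanged and the new part is the post-quantum hybrid key exchange; that is fine as long as everything that talks to this listener can negotiate TLS 1.3, which the module cannot verify for you. A one-line comment above `ssl_policy`, `# TLS 1.3 only with PQ hybrid key exchange; TLS 1.2-only clients are rejected`, would stop the policy name being misread as a minimum version. If a TLS 1.2 fallback is ever required, the `1-2` variant of the same PQ policy family (if one exists in the region) is the one to use rather than reverting to a non-PQ policy.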
diff --git a/infrastructure/modules/ecs/provider.tf b/infrastructure/modules/ecs/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/ecs/provider.tf
+++ b/infrastructure/modules/ecs/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/firewall_waf_v2/README.md b/infrastructure/modules/firewall_waf_v2/README.md
index fb98fef5..4ca507cc 100644
--- a/infrastructure/modules/firewall_waf_v2/README.md
+++ b/infrastructure/modules/firewall_waf_v2/README.md
@@ -40,7 +40,7 @@ module "waf_acl" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/firewall_waf_v2/provider.tf b/infrastructure/modules/firewall_waf_v2/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/firewall_waf_v2/provider.tf
+++ b/infrastructure/modules/firewall_waf_v2/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/gateway/README.md b/infrastructure/modules/gateway/README.md
index 38a567ce..6aa7024c 100644
--- a/infrastructure/modules/gateway/README.md
+++ b/infrastructure/modules/gateway/README.md
@@ -53,7 +53,7 @@ module "api_gateway_resource" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/gateway/provider.tf b/infrastructure/modules/gateway/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/gateway/provider.tf
+++ b/infrastructure/modules/gateway/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/kms/README.md b/infrastructure/modules/kms/README.md
index 2abb6da9..26b952b4 100644
--- a/infrastructure/modules/kms/README.md
+++ b/infrastructure/modules/kms/README.md
@@ -54,7 +54,7 @@ module "kms_key" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/kms/provider.tf b/infrastructure/modules/kms/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/kms/provider.tf
+++ b/infrastructure/modules/kms/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/lambda/README.md b/infrastructure/modules/lambda/README.md
index 68c7f2c3..e358dc3e 100644
--- a/infrastructure/modules/lambda/README.md
+++ b/infrastructure/modules/lambda/README.md
@@ -72,7 +72,7 @@ module "lambda" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/lambda/provider.tf b/infrastructure/modules/lambda/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/lambda/provider.tf
+++ b/infrastructure/modules/lambda/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/lambda_alarms/README.md b/infrastructure/modules/lambda_alarms/README.md
index 2e640cf6..fd9fb96d 100644
--- a/infrastructure/modules/lambda_alarms/README.md
+++ b/infrastructure/modules/lambda_alarms/README.md
@@ -47,7 +47,7 @@ module "lambda_alarms" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/lambda_alarms/provider.tf b/infrastructure/modules/lambda_alarms/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/lambda_alarms/provider.tf
+++ b/infrastructure/modules/lambda_alarms/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/lambda_edge/README.md b/infrastructure/modules/lambda_edge/README.md
index 40293db1..62674a46 100644
--- a/infrastructure/modules/lambda_edge/README.md
+++ b/infrastructure/modules/lambda_edge/README.md
@@ -51,7 +51,7 @@ module "s3_proxy_lambda" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/lambda_edge/provider.tf b/infrastructure/modules/lambda_edge/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/lambda_edge/provider.tf
+++ b/infrastructure/modules/lambda_edge/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/lambda_layers/README.md b/infrastructure/modules/lambda_layers/README.md
index 9911456a..a1ed4f0a 100644
--- a/infrastructure/modules/lambda_layers/README.md
+++ b/infrastructure/modules/lambda_layers/README.md
@@ -32,7 +32,7 @@ module "lambda_layer" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/lambda_layers/provider.tf b/infrastructure/modules/lambda_layers/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/lambda_layers/provider.tf
+++ b/infrastructure/modules/lambda_layers/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/route53/README.md b/infrastructure/modules/route53/README.md
index e1a9a295..451b0c69 100644
--- a/infrastructure/modules/route53/README.md
+++ b/infrastructure/modules/route53/README.md
@@ -47,7 +47,7 @@ module "dns" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/route53/provider.tf b/infrastructure/modules/route53/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/route53/provider.tf
+++ b/infrastructure/modules/route53/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/s3/README.md b/infrastructure/modules/s3/README.md
index aac9e46d..88df1f7b 100644
--- a/infrastructure/modules/s3/README.md
+++ b/infrastructure/modules/s3/README.md
@@ -59,7 +59,7 @@ module "s3_bucket" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/s3/provider.tf b/infrastructure/modules/s3/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/s3/provider.tf
+++ b/infrastructure/modules/s3/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/ses/README.md b/infrastructure/modules/ses/README.md
index 26fb7f3c..c2e1478f 100644
--- a/infrastructure/modules/ses/README.md
+++ b/infrastructure/modules/ses/README.md
@@ -36,7 +36,7 @@ module "ses_identity" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/ses/provider.tf b/infrastructure/modules/ses/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/ses/provider.tf
+++ b/infrastructure/modules/ses/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/sns/README.md b/infrastructure/modules/sns/README.md
index e8869b94..226ce239 100644
--- a/infrastructure/modules/sns/README.md
+++ b/infrastructure/modules/sns/README.md
@@ -72,7 +72,7 @@ module "sns_topic" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/sns/provider.tf b/infrastructure/modules/sns/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/sns/provider.tf
+++ b/infrastructure/modules/sns/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/sqs/README.md b/infrastructure/modules/sqs/README.md
index 7033509b..1bac604c 100644
--- a/infrastructure/modules/sqs/README.md
+++ b/infrastructure/modules/sqs/README.md
@@ -54,7 +54,7 @@ module "sqs_queue" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/sqs/provider.tf b/infrastructure/modules/sqs/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/sqs/provider.tf
+++ b/infrastructure/modules/sqs/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/ssm_parameter/README.md b/infrastructure/modules/ssm_parameter/README.md
index 26d14297..abb39bd3 100644
--- a/infrastructure/modules/ssm_parameter/README.md
+++ b/infrastructure/modules/ssm_parameter/README.md
@@ -43,7 +43,7 @@ module "ssm_param" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/ssm_parameter/provider.tf b/infrastructure/modules/ssm_parameter/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/ssm_parameter/provider.tf
+++ b/infrastructure/modules/ssm_parameter/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/modules/vpc/README.md b/infrastructure/modules/vpc/README.md
index bd9b4531..39e66188 100644
--- a/infrastructure/modules/vpc/README.md
+++ b/infrastructure/modules/vpc/README.md
@@ -62,7 +62,7 @@ module "vpc" {
| Name | Version |
|------|---------|
-| [aws](#requirement\_aws) | ~> 5.0 |
+| [aws](#requirement\_aws) | ~> 6.0 |
## Resources
diff --git a/infrastructure/modules/vpc/provider.tf b/infrastructure/modules/vpc/provider.tf
index 3f773c6f..8b018572 100644
--- a/infrastructure/modules/vpc/provider.tf
+++ b/infrastructure/modules/vpc/provider.tf
@@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = "~> 5.0"
+ version = "~> 6.0"
}
}
}
\ No newline at end of file
diff --git a/infrastructure/step-function-migration-dynmodb.tf b/infrastructure/step-function-migration-dynmodb.tf
index 51ce5d6b..eccfa85f 100644
--- a/infrastructure/step-function-migration-dynmodb.tf
+++ b/infrastructure/step-function-migration-dynmodb.tf
@@ -62,9 +62,9 @@ data "aws_iam_policy_document" "sfn_permissions" {
"states:ListMapRuns"
]
resources = [
- "arn:aws:states:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stateMachine:${terraform.workspace}_migration_dynamodb_step_function",
- "arn:aws:states:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:execution:${terraform.workspace}_migration_dynamodb_step_function/*",
- "arn:aws:states:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:mapRun:${terraform.workspace}_migration_dynamodb_step_function/*"
+ "arn:aws:states:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:stateMachine:${terraform.workspace}_migration_dynamodb_step_function",
+ "arn:aws:states:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:execution:${terraform.workspace}_migration_dynamodb_step_function/*",
+ "arn:aws:states:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:mapRun:${terraform.workspace}_migration_dynamodb_step_function/*"
]
}
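Review bot: The region/account prefix `arn:aws:states:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}` is now spelled out three times in the `resources` list, while the same commit drops the `current_region`/`current_account_id` locals in variable.tf that could have carried it. A single local such as `sfn_arn_prefix = "arn:aws:states:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}"` would turn the three entries into `"${local.sfn_arn_prefix}:stateMachine:…"`, `"${local.sfn_arn_prefix}:execution:…/*"` and `"${local.sfn_arn_prefix}:mapRun:…/*"`, leaving one place to touch the next time the provider renames an attribute. The hard-coded `arn:aws` partition is unchanged from the old lines and is presumably fine for this deployment, but it is the other part of these ARNs that would need the same treatment if the stacks were ever deployed outside the standard partition. The `sfn_permissions` policy document begins before this hunk.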
diff --git a/infrastructure/variable.tf b/infrastructure/variable.tf
index 5b0b19cd..3a96d919 100644
--- a/infrastructure/variable.tf
+++ b/infrastructure/variable.tf
@@ -300,9 +300,6 @@ locals {
cloudfront_full_domain_name = contains(["prod"], terraform.workspace) ? "${var.cloudfront_subdomain}${var.domain}" : "${var.cloudfront_subdomain}${terraform.workspace}.${var.domain}"
- current_region = data.aws_region.current.name
- current_account_id = data.aws_caller_identity.current.account_id
-
apim_api_url = "https://${var.apim_environment}api.service.nhs.uk/national-document-repository/FHIR/R4"
truststore_bucket_id = local.is_sandbox ? "ndr-dev-${var.truststore_bucket_name}" : module.ndr-truststore[0].bucket_id
diff --git a/infrastructure/virusscanner.tf b/infrastructure/virusscanner.tf
index 3231e411..cb0d228b 100644
--- a/infrastructure/virusscanner.tf
+++ b/infrastructure/virusscanner.tf
@@ -68,7 +68,7 @@ module "cloud_storage_security" {
count = local.is_production ? 1 : 0
source = "cloudstoragesec/cloud-storage-security/aws"
- version = "1.8.16+css9.06.000" # Check https://help.cloudstoragesec.com/release-notes/latest-v9 for updates
+ version = "1.8.18+css9.08.000" # Check https://help.cloudstoragesec.com/release-notes/latest-v9 for updates
cidr = [var.cloud_security_console_black_hole_address] # This is a reserved address that does not lead anywhere to make sure CloudStorageSecurity console is not available
email = data.aws_ssm_parameter.cloud_security_admin_email.value
subnet_a_id = aws_subnet.virus_scanning_a[0].id
diff --git a/scripts/cleanup_sandboxes.py b/scripts/cleanup_sandboxes.py
index 9b963695..19b9b125 100644
--- a/scripts/cleanup_sandboxes.py
+++ b/scripts/cleanup_sandboxes.py
@@ -7,13 +7,13 @@
def trigger_delete_workflow(token: str, sandbox: str):
owner = "NHSDigital"
repo = "national-document-repository-infrastructure"
- workflow = "tear-down-sandbox.yml"
+ workflow_id = "tear-down-sandbox.yml"
- url = f"https://api.github.com/repos/{owner}/{repo}/actions/workflows/{workflow}/dispatches"
+ url = f"https://api.github.com/repos/{owner}/{repo}/actions/workflows/{workflow_id}/dispatches"
headers = {
"Accept": "application/vnd.github+json",
"Authorization": f"Bearer {token}",
- "X-GitHub-Api-Version": "2022-11-28",
+ "X-GitHub-Api-Version": "2026-03-10",
}
inputs = {