[PRM-756] Mar 26 upgrades II

.github/actions/tf-plan-apply/action.yml

@@ -22,7 +22,7 @@ inputs:
   terraform_version:
     description: "Terraform version to use"
     required: false
-    default: "1.14.6"
+    default: "1.14.7"
 
   working_directory:
     description: "Terraform working directory"

.github/workflows/automated-deploy-dev.yml

@@ -60,7 +60,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v4
         with:
-          terraform_version: 1.14.6
+          terraform_version: 1.14.7
           terraform_wrapper: true
 
       - name: Initialise Terraform
@@ -270,7 +270,7 @@ jobs:
           echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
 
       - name: Send Slack Notification
-        uses: slackapi/slack-github-action@v2.1.1
+        uses: slackapi/slack-github-action@v3.0.1
         with:
           method: chat.postMessage
           token: ${{ env.SLACK_BOT_TOKEN }}

.github/workflows/automated-sonarqube-cloud-analysis.yml

@@ -49,7 +49,7 @@ jobs:
           echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
 
       - name: Send Slack Notification
-        uses: slackapi/slack-github-action@v2.1.1
+        uses: slackapi/slack-github-action@v3.0.1
         with:
           method: chat.postMessage
           token: ${{ env.SLACK_BOT_TOKEN }}

.github/workflows/base-cleanup-lambda-edge.yml

@@ -69,7 +69,7 @@ jobs:
         if: env.DISTRIBUTION_ID != ''
         run: |
           python3 -m venv ./venv
-          ./venv/bin/pip3 install --upgrade pip boto3==1.42.59
+          ./venv/bin/pip3 install --upgrade pip boto3==1.42.68
 
       - name: Remove Lambda@Edge & CloudFront Associations
         if: env.DISTRIBUTION_ID != ''

.github/workflows/base-cleanup-workspace.yml

@@ -46,7 +46,7 @@ jobs:
         run: |
           python3 -m venv ./venv
           ./venv/bin/pip3 install --upgrade pip
-          ./venv/bin/pip3 install boto3==1.42.59
+          ./venv/bin/pip3 install boto3==1.42.68
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v6

.github/workflows/cron-daily-health-check.yml

@@ -187,7 +187,7 @@ jobs:
           echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
 
       - name: Send Slack Notification
-        uses: slackapi/slack-github-action@v2.1.1
+        uses: slackapi/slack-github-action@v3.0.1
         with:
           method: chat.postMessage
           token: ${{ env.SLACK_BOT_TOKEN }}

.github/workflows/cron-tear-down-test.yml

@@ -57,7 +57,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v4
         with:
-          terraform_version: 1.14.6
+          terraform_version: 1.14.7
           terraform_wrapper: false
 
       - name: Initialise Terraform
@@ -114,14 +114,14 @@ jobs:
           ref: main
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v5
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/test-github-bootstrap
           aws-region: ${{ vars.AWS_REGION }}
           mask-aws-account-id: true
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
+        uses: hashicorp/setup-terraform@v4
         with:
           terraform_version: 1.14.3
 

.github/workflows/tear-down-sandbox.yml

@@ -87,7 +87,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v4
         with:
-          terraform_version: 1.14.6
+          terraform_version: 1.14.7
 
       - name: Initialise Terraform
         run: terraform init -backend-config=${{ vars.TF_BACKEND_FILE }}
@@ -124,7 +124,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v4
         with:
-          terraform_version: 1.14.6
+          terraform_version: 1.14.7
 
       - name: Initialise Terraform
         run: terraform init -backend-config=bucket=ndr-dev-terraform-state-${{ secrets.AWS_ACCOUNT_ID }}

bootstrap/README.md

@@ -4,7 +4,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.14.6 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.14.7 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |
 
 ## Providers

bootstrap/main.tf

@@ -1,9 +1,9 @@
 terraform {
-  required_version = ">= 1.14.6"
+  required_version = ">= 1.14.7"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.0"
+      version = "~> 4.0"
     }
   }
 }

infrastructure/api.tf

@@ -1,7 +1,8 @@
 # Create Document Store API
 resource "aws_api_gateway_rest_api" "ndr_doc_store_api" {
-  name        = "${terraform.workspace}-DocStoreAPI"
-  description = "Document store API for Repo"
+  name                         = "${terraform.workspace}-DocStoreAPI"
+  description                  = "Document store API for Repo"
+  disable_execute_api_endpoint = true
 
   tags = {
     Name = "${terraform.workspace}-docstore-api"
@@ -11,10 +12,11 @@
 resource "aws_api_gateway_domain_name" "custom_api_domain" {
   domain_name              = local.api_gateway_full_domain_name
   regional_certificate_arn = module.ndr-ecs-fargate-app.certificate_arn
-  security_policy          = "TLS_1_2"
+  security_policy          = "SecurityPolicy_TLS13_2025_EDGE"
+  endpoint_access_mode     = "BASIC"
 
   endpoint_configuration {
-    types = ["REGIONAL"]
+    types = ["EDGE"]
   }
 }
 
@@ -199,8 +201,3 @@
   parent_id   = module.fhir_document_reference_gateway[0].gateway_resource_id
   path_part   = "{id}"
 }
-
-moved {
-  from = aws_api_gateway_resource.get_document_reference
-  to   = aws_api_gateway_resource.document_reference_by_id
-}

infrastructure/api_mtls.tf

@@ -16,7 +16,8 @@
 resource "aws_api_gateway_domain_name" "custom_api_domain_mtls" {
   domain_name              = local.mtls_api_gateway_full_domain_name
   regional_certificate_arn = aws_acm_certificate_validation.mtls_api_gateway_cert.certificate_arn
-  security_policy          = "TLS_1_2"
+  security_policy          = "SecurityPolicy_TLS13_1_3_FIPS_2025_09"
+  endpoint_access_mode     = "BASIC"
 
   endpoint_configuration {
     types = ["REGIONAL"]
@@ -177,8 +178,3 @@
   parent_id   = module.fhir_document_reference_mtls_gateway.gateway_resource_id
   path_part   = "{id}"
 }
-
-moved {
-  from = aws_api_gateway_resource.get_document_reference_mtls
-  to   = aws_api_gateway_resource.document_reference_by_id_mtls
-}

infrastructure/cloudfront.tf

@@ -93,7 +93,7 @@ resource "aws_cloudfront_distribution" "s3_presign_mask" {
   viewer_certificate {
     acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
     ssl_support_method       = "sni-only"
-    minimum_protocol_version = "TLSv1.2_2021"
+    minimum_protocol_version = "TLSv1.3_2025"
   }
 
   restrictions {

infrastructure/cloudwatch_rum.tf

@@ -39,7 +39,7 @@ resource "aws_iam_policy" "cloudwatch_rum_cognito_access" {
         {
           "Effect" : "Allow",
           "Action" : "rum:PutRumEvents",
-          "Resource" : "arn:aws:rum:${local.current_region}:${local.current_account_id}:appmonitor/${aws_rum_app_monitor.ndr.id}"
+          "Resource" : "arn:aws:rum:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:appmonitor/${aws_rum_app_monitor.ndr.id}"
         }
       ]
   })
@@ -63,7 +63,7 @@ resource "aws_cloudwatch_log_resource_policy" "rum_log" {
           "logs:DeleteLogGroup",
           "logs:DescribeLogGroups"
         ],
-        Resource = "arn:aws:logs:${local.current_region}:${local.current_account_id}:log-group:/aws/vendedlogs/RUMService_*"
+        Resource = "arn:aws:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/vendedlogs/RUMService_*"
       }
     ]
   })

infrastructure/dynamo_db.tf

@@ -3,7 +3,6 @@ module "document_reference_dynamodb_table" {
   table_name                     = var.docstore_dynamodb_table_name
   hash_key                       = "ID"
   deletion_protection_enabled    = var.deletion_protection_enabled
-  stream_enabled                 = true
   stream_view_type               = "OLD_IMAGE"
   ttl_enabled                    = true
   ttl_attribute_name             = "TTL"
@@ -46,7 +45,6 @@ module "cloudfront_edge_dynamodb_table" {
   table_name                     = var.cloudfront_edge_table_name
   hash_key                       = "ID"
   deletion_protection_enabled    = var.deletion_protection_enabled
-  stream_enabled                 = false
   ttl_enabled                    = true
   ttl_attribute_name             = "TTL"
   point_in_time_recovery_enabled = !local.is_sandbox
@@ -67,7 +65,6 @@ module "lloyd_george_reference_dynamodb_table" {
   table_name                     = var.lloyd_george_dynamodb_table_name
   hash_key                       = "ID"
   deletion_protection_enabled    = var.deletion_protection_enabled
-  stream_enabled                 = true
   stream_view_type               = "OLD_IMAGE"
   ttl_enabled                    = true
   ttl_attribute_name             = "TTL"
@@ -133,7 +130,6 @@ module "unstitched_lloyd_george_reference_dynamodb_table" {
   table_name                     = var.unstitched_lloyd_george_dynamodb_table_name
   hash_key                       = "ID"
   deletion_protection_enabled    = var.deletion_protection_enabled
-  stream_enabled                 = true
   stream_view_type               = "OLD_IMAGE"
   ttl_enabled                    = true
   ttl_attribute_name             = "TTL"
@@ -176,7 +172,7 @@ module "zip_store_reference_dynamodb_table" {
   table_name                  = var.zip_store_dynamodb_table_name
   hash_key                    = "ID"
   deletion_protection_enabled = var.deletion_protection_enabled
-  stream_enabled              = true
+  stream_view_type            = "NEW_AND_OLD_IMAGES"
   ttl_enabled                 = false
 
   attributes = [
@@ -207,7 +203,7 @@ module "stitch_metadata_reference_dynamodb_table" {
   table_name                  = var.stitch_metadata_dynamodb_table_name
   hash_key                    = "ID"
   deletion_protection_enabled = var.deletion_protection_enabled
-  stream_enabled              = true
+  stream_view_type            = "NEW_AND_OLD_IMAGES"
   ttl_enabled                 = true
   ttl_attribute_name          = "ExpireAt"
 
@@ -239,7 +235,6 @@ module "auth_state_dynamodb_table" {
   table_name                  = var.auth_state_dynamodb_table_name
   hash_key                    = "State"
   deletion_protection_enabled = var.deletion_protection_enabled
-  stream_enabled              = false
   ttl_enabled                 = true
   ttl_attribute_name          = "TimeToExist"
   attributes = [
@@ -266,7 +261,6 @@ module "auth_session_dynamodb_table" {
   table_name                  = var.auth_session_dynamodb_table_name
   hash_key                    = "NDRSessionId"
   deletion_protection_enabled = var.deletion_protection_enabled
-  stream_enabled              = false
   ttl_enabled                 = true
   ttl_attribute_name          = "TimeToExist"
   attributes = [
@@ -293,7 +287,6 @@ module "bulk_upload_report_dynamodb_table" {
   table_name                     = var.bulk_upload_report_dynamodb_table_name
   hash_key                       = "ID"
   deletion_protection_enabled    = var.deletion_protection_enabled
-  stream_enabled                 = false
   ttl_enabled                    = false
   point_in_time_recovery_enabled = !local.is_sandbox
 
@@ -340,7 +333,6 @@ module "statistics_dynamodb_table" {
   hash_key                       = "Date"
   sort_key                       = "StatisticID"
   deletion_protection_enabled    = var.deletion_protection_enabled
-  stream_enabled                 = false
   ttl_enabled                    = false
   point_in_time_recovery_enabled = !local.is_sandbox
 
@@ -378,7 +370,6 @@ module "access_audit_dynamodb_table" {
   hash_key                       = "Type"
   sort_key                       = "ID"
   deletion_protection_enabled    = var.deletion_protection_enabled
-  stream_enabled                 = false
   ttl_enabled                    = false
   point_in_time_recovery_enabled = !local.is_sandbox
 
@@ -432,7 +423,6 @@ module "pdm_dynamodb_table" {
   table_name                     = var.pdm_dynamodb_table_name
   hash_key                       = "ID"
   deletion_protection_enabled    = var.deletion_protection_enabled
-  stream_enabled                 = true
   stream_view_type               = "OLD_IMAGE"
   ttl_enabled                    = true
   ttl_attribute_name             = "TTL"
@@ -505,7 +495,6 @@ module "core_dynamodb_table" {
   hash_key                       = "NhsNumber"
   sort_key                       = "ID"
   deletion_protection_enabled    = var.deletion_protection_enabled
-  stream_enabled                 = true
   stream_view_type               = "OLD_IMAGE"
   ttl_enabled                    = true
   ttl_attribute_name             = "TTL"
@@ -544,7 +533,6 @@ module "alarm_state_history_table" {
   sort_key                       = "TimeCreated"
   deletion_protection_enabled    = var.deletion_protection_enabled
   point_in_time_recovery_enabled = false
-  stream_enabled                 = false
   ttl_enabled                    = true
   ttl_attribute_name             = "TimeToExist"
 
@@ -569,7 +557,6 @@ module "bulk_upload_contact_lookup_table" {
   hash_key                       = "OdsCode"
   deletion_protection_enabled    = var.deletion_protection_enabled
   point_in_time_recovery_enabled = !local.is_sandbox
-  stream_enabled                 = false
   ttl_enabled                    = false
 
   attributes = [

infrastructure/dynamo_db_review.tf

@@ -4,7 +4,6 @@ module "document_upload_review_dynamodb_table" {
   hash_key                       = "ID"
   sort_key                       = "Version"
   deletion_protection_enabled    = local.is_production
-  stream_enabled                 = false
   ttl_enabled                    = false
   point_in_time_recovery_enabled = !local.is_sandbox
 

infrastructure/lambda-migration-dynamodb-segment.tf

@@ -25,7 +25,7 @@ data "aws_iam_policy_document" "migration_dynamodb_access" {
       "dynamodb:DescribeTable"
     ]
     resources = [
-      "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${terraform.workspace}_*"
+      "arn:aws:dynamodb:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:table/${terraform.workspace}_*"
     ]
   }
 }

infrastructure/lambda-send-feedback.tf

@@ -121,7 +121,7 @@ resource "aws_iam_policy" "ses_send_email_policy" {
           "ses:SendEmail",
         ],
         Resource = [
-          "arn:aws:ses:${local.current_region}:${local.current_account_id}:identity/*",
+          "arn:aws:ses:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:identity/*",
         ]
       }
     ]

infrastructure/main.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0" # When upgrading to v6.x, please update cloudfront minimum_protocol_version
+      version = "~> 6.0"
     }
     awscc = {
       source  = "hashicorp/awscc"

infrastructure/modules/app_config/README.md

@@ -37,7 +37,7 @@ module "app_config" {
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 6.0 |
 
 ## Resources
 

infrastructure/modules/app_config/provider.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0"
+      version = "~> 6.0"
     }
   }
 }