2 changes: 1 addition & 1 deletion .github/actions/tf-plan-apply/action.yml
Expand Up @@ -22,7 +22,7 @@ inputs:
terraform_version:
description: "Terraform version to use"
required: false
default: "1.14.6"
default: "1.14.7"

working_directory:
description: "Terraform working directory"
4 changes: 2 additions & 2 deletions .github/workflows/automated-deploy-dev.yml
Expand Up @@ -60,7 +60,7 @@ jobs:
- name: Setup Terraform
uses: hashicorp/setup-terraform@v4
with:
terraform_version: 1.14.6
terraform_version: 1.14.7
terraform_wrapper: true

- name: Initialise Terraform
Expand Down Expand Up @@ -270,7 +270,7 @@ jobs:
echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV

- name: Send Slack Notification
uses: slackapi/slack-github-action@v2.1.1
uses: slackapi/slack-github-action@v3.0.1
with:
method: chat.postMessage
token: ${{ env.SLACK_BOT_TOKEN }}
2 changes: 1 addition & 1 deletion .github/workflows/automated-sonarqube-cloud-analysis.yml
Expand Up @@ -49,7 +49,7 @@ jobs:
echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV

- name: Send Slack Notification
uses: slackapi/slack-github-action@v2.1.1
uses: slackapi/slack-github-action@v3.0.1
with:
method: chat.postMessage
token: ${{ env.SLACK_BOT_TOKEN }}
2 changes: 1 addition & 1 deletion .github/workflows/base-cleanup-lambda-edge.yml
Expand Up @@ -69,7 +69,7 @@ jobs:
if: env.DISTRIBUTION_ID != ''
run: |
python3 -m venv ./venv
./venv/bin/pip3 install --upgrade pip boto3==1.42.59
./venv/bin/pip3 install --upgrade pip boto3==1.42.68

- name: Remove Lambda@Edge & CloudFront Associations
if: env.DISTRIBUTION_ID != ''
2 changes: 1 addition & 1 deletion .github/workflows/base-cleanup-workspace.yml
Expand Up @@ -46,7 +46,7 @@ jobs:
run: |
python3 -m venv ./venv
./venv/bin/pip3 install --upgrade pip
./venv/bin/pip3 install boto3==1.42.59
./venv/bin/pip3 install boto3==1.42.68

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v6
2 changes: 1 addition & 1 deletion .github/workflows/cron-daily-health-check.yml
Expand Up @@ -187,7 +187,7 @@ jobs:
echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV

- name: Send Slack Notification
uses: slackapi/slack-github-action@v2.1.1
uses: slackapi/slack-github-action@v3.0.1
with:
method: chat.postMessage
token: ${{ env.SLACK_BOT_TOKEN }}
6 changes: 3 additions & 3 deletions .github/workflows/cron-tear-down-test.yml
Expand Up @@ -57,7 +57,7 @@ jobs:
- name: Setup Terraform
uses: hashicorp/setup-terraform@v4
with:
terraform_version: 1.14.6
terraform_version: 1.14.7
terraform_wrapper: false

- name: Initialise Terraform
Expand Down Expand Up @@ -114,14 +114,14 @@ jobs:
ref: main

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v5
uses: aws-actions/configure-aws-credentials@v6
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/test-github-bootstrap
aws-region: ${{ vars.AWS_REGION }}
mask-aws-account-id: true

- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
uses: hashicorp/setup-terraform@v4
with:
terraform_version: 1.14.3

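Review bot: The `terraform_version: 1.14.3` context line at the end of the second hunk is left as it was, while the first hunk of this workflow and every other workflow in the PR move to 1.14.7 and bootstrap/main.tf in the same commit raises required_version to `>= 1.14.7`. If that job runs the bootstrap configuration (it assumes the `test-github-bootstrap` role, which suggests so), `terraform init` will refuse 1.14.3, so the line should become `terraform_version: 1.14.7`. Since the composite action already exposes a `terraform_version` input, reading all of these from one place would stop the copies drifting again. The enclosing job begins and ends outside the hunk.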
4 changes: 2 additions & 2 deletions .github/workflows/tear-down-sandbox.yml
Expand Up @@ -87,7 +87,7 @@ jobs:
- name: Setup Terraform
uses: hashicorp/setup-terraform@v4
with:
terraform_version: 1.14.6
terraform_version: 1.14.7

- name: Initialise Terraform
run: terraform init -backend-config=${{ vars.TF_BACKEND_FILE }}
Expand Down Expand Up @@ -124,7 +124,7 @@ jobs:
- name: Setup Terraform
uses: hashicorp/setup-terraform@v4
with:
terraform_version: 1.14.6
terraform_version: 1.14.7

- name: Initialise Terraform
run: terraform init -backend-config=bucket=ndr-dev-terraform-state-${{ secrets.AWS_ACCOUNT_ID }}
2 changes: 1 addition & 1 deletion bootstrap/README.md
Expand Up @@ -4,7 +4,7 @@

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.14.6 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.14.7 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |

## Providers
4 changes: 2 additions & 2 deletions bootstrap/main.tf
@@ -1,9 +1,9 @@
terraform {
required_version = ">= 1.14.6"
required_version = ">= 1.14.7"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
version = "~> 4.0"
}
}
}
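Review bot: The new `version = "~> 4.0"` constraint is not reflected in bootstrap/README.md, whose requirements table (visible as context in this PR) still lists `>= 4.0` for the aws provider, so the terraform-docs-style table should be regenerated to match. Pinning bootstrap to provider major 4 while infrastructure/main.tf moves to `~> 6.0` may well be deliberate, but nothing records why; a comment next to the constraint such as `# bootstrap intentionally stays on the 4.x provider (TODO: record the reason)` would spare the next reader the question.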
2 changes: 1 addition & 1 deletion infrastructure/README.md
Expand Up @@ -44,7 +44,7 @@
| <a name="module_bulk-upload-report-lambda"></a> [bulk-upload-report-lambda](#module_bulk-upload-report-lambda) | ./modules/lambda | n/a |
| <a name="module_bulk_upload_metadata_preprocessor_lambda"></a> [bulk_upload_metadata_preprocessor_lambda](#module_bulk_upload_metadata_preprocessor_lambda) | ./modules/lambda | n/a |
| <a name="module_bulk_upload_report_dynamodb_table"></a> [bulk_upload_report_dynamodb_table](#module_bulk_upload_report_dynamodb_table) | ./modules/dynamo_db | n/a |
| <a name="module_cloud_storage_security"></a> [cloud_storage_security](#module_cloud_storage_security) | cloudstoragesec/cloud-storage-security/aws | 1.7.4+css8.08.002 |
| <a name="module_cloud_storage_security"></a> [cloud_storage_security](#module_cloud_storage_security) | cloudstoragesec/cloud-storage-security/aws | 1.8.18+css9.08.000 |
| <a name="module_cloudfront-distribution-lg"></a> [cloudfront-distribution-lg](#module_cloudfront-distribution-lg) | ./modules/cloudfront | n/a |
| <a name="module_cloudfront_edge_dynamodb_table"></a> [cloudfront_edge_dynamodb_table](#module_cloudfront_edge_dynamodb_table) | ./modules/dynamo_db | n/a |
| <a name="module_cloudfront_firewall_waf_v2"></a> [cloudfront_firewall_waf_v2](#module_cloudfront_firewall_waf_v2) | ./modules/firewall_waf_v2 | n/a |
10 changes: 3 additions & 7 deletions infrastructure/api.tf
@@ -1,7 +1,8 @@
# Create Document Store API
resource "aws_api_gateway_rest_api" "ndr_doc_store_api" {
name = "${terraform.workspace}-DocStoreAPI"
description = "Document store API for Repo"
name = "${terraform.workspace}-DocStoreAPI"
description = "Document store API for Repo"
disable_execute_api_endpoint = true

tags = {
Name = "${terraform.workspace}-docstore-api"
Expand Down Expand Up @@ -199,8 +200,3 @@ resource "aws_api_gateway_resource" "document_reference_by_id" {
parent_id = module.fhir_document_reference_gateway[0].gateway_resource_id
path_part = "{id}"
}

moved {
from = aws_api_gateway_resource.get_document_reference
to = aws_api_gateway_resource.document_reference_by_id
}
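Review bot: Deleting the `moved` block here (and its twin in api_mtls.tf) is only safe once every workspace's state already holds the resource at `aws_api_gateway_resource.document_reference_by_id`; a workspace that has not applied the rename will now plan a destroy and re-create of that API resource instead of an address move, so confirm all environments and sandboxes have been applied since the rename landed. The added `disable_execute_api_endpoint = true` is a worthwhile hardening and deserves a why-comment, e.g. `# Reject calls on the default execute-api hostname so the API is reachable only through its custom domain`. The same setting matters even more for the mTLS API in api_mtls.tf, since an open default endpoint would let a caller sidestep the mutual TLS enforced on the custom domain; I cannot see from this hunk whether that resource already sets it. The `aws_api_gateway_rest_api` resource in the first hunk continues past the hunk.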
5 changes: 0 additions & 5 deletions infrastructure/api_mtls.tf
Expand Up @@ -177,8 +177,3 @@ resource "aws_api_gateway_resource" "document_reference_by_id_mtls" {
parent_id = module.fhir_document_reference_mtls_gateway.gateway_resource_id
path_part = "{id}"
}

moved {
from = aws_api_gateway_resource.get_document_reference_mtls
to = aws_api_gateway_resource.document_reference_by_id_mtls
}
2 changes: 1 addition & 1 deletion infrastructure/cloudfront.tf
Expand Up @@ -93,7 +93,7 @@ resource "aws_cloudfront_distribution" "s3_presign_mask" {
viewer_certificate {
acm_certificate_arn = aws_acm_certificate.cloudfront.arn
ssl_support_method = "sni-only"
minimum_protocol_version = "TLSv1.2_2021"
minimum_protocol_version = "TLSv1.3_2025"
}

restrictions {
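Review bot: `minimum_protocol_version = "TLSv1.3_2025"` looks, from its name, like a TLS 1.3-only policy, which would mean any client that only negotiates TLS 1.2 fails the handshake against the s3_presign_mask distribution rather than falling back. Before this goes beyond dev it is worth checking the negotiated protocol versions recorded in the distribution's access logs for residual TLS 1.2 traffic, and stating the intent in a comment, e.g. `# TLS 1.3 only: TLS 1.2 clients are intentionally rejected`. The `aws_cloudfront_distribution` resource starts and ends outside the hunk.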
4 changes: 2 additions & 2 deletions infrastructure/cloudwatch_rum.tf
Expand Up @@ -39,7 +39,7 @@ resource "aws_iam_policy" "cloudwatch_rum_cognito_access" {
{
"Effect" : "Allow",
"Action" : "rum:PutRumEvents",
"Resource" : "arn:aws:rum:${local.current_region}:${local.current_account_id}:appmonitor/${aws_rum_app_monitor.ndr.id}"
"Resource" : "arn:aws:rum:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:appmonitor/${aws_rum_app_monitor.ndr.id}"
}
]
})
Expand All @@ -63,7 +63,7 @@ resource "aws_cloudwatch_log_resource_policy" "rum_log" {
"logs:DeleteLogGroup",
"logs:DescribeLogGroups"
],
Resource = "arn:aws:logs:${local.current_region}:${local.current_account_id}:log-group:/aws/vendedlogs/RUMService_*"
Resource = "arn:aws:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/vendedlogs/RUMService_*"
}
]
})
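Review bot: Replacing `local.current_region`/`local.current_account_id` with the full `data.aws_region.current.region` / `data.aws_caller_identity.current.account_id` expressions inlines the same two long references into every ARN, here and in lambda-send-feedback.tf and lambda-migration-dynamodb-segment.tf. If the locals were dropped because the 6.x provider renames the region attribute from `name` to `region` (the lambda-migration hunk shows exactly that rename), keeping the locals and updating their single definition would have kept the ARNs short and left one place to change next time; I cannot see the locals block to confirm whether it still exists. Either way, a repo-wide search for remaining `data.aws_region.current.name` uses is advisable after the move to `~> 6.0`. Both policy resources start and end outside their hunks.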
17 changes: 2 additions & 15 deletions infrastructure/dynamo_db.tf
Expand Up @@ -3,7 +3,6 @@ module "document_reference_dynamodb_table" {
table_name = var.docstore_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
stream_enabled = true
stream_view_type = "OLD_IMAGE"
ttl_enabled = true
ttl_attribute_name = "TTL"
Expand Down Expand Up @@ -46,7 +45,6 @@ module "cloudfront_edge_dynamodb_table" {
table_name = var.cloudfront_edge_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
stream_enabled = false
ttl_enabled = true
ttl_attribute_name = "TTL"
point_in_time_recovery_enabled = !local.is_sandbox
Expand All @@ -67,7 +65,6 @@ module "lloyd_george_reference_dynamodb_table" {
table_name = var.lloyd_george_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
stream_enabled = true
stream_view_type = "OLD_IMAGE"
ttl_enabled = true
ttl_attribute_name = "TTL"
Expand Down Expand Up @@ -133,7 +130,6 @@ module "unstitched_lloyd_george_reference_dynamodb_table" {
table_name = var.unstitched_lloyd_george_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
stream_enabled = true
stream_view_type = "OLD_IMAGE"
ttl_enabled = true
ttl_attribute_name = "TTL"
Expand Down Expand Up @@ -176,7 +172,7 @@ module "zip_store_reference_dynamodb_table" {
table_name = var.zip_store_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
stream_enabled = true
stream_view_type = "NEW_AND_OLD_IMAGES"
ttl_enabled = false

attributes = [
Expand Down Expand Up @@ -207,7 +203,7 @@ module "stitch_metadata_reference_dynamodb_table" {
table_name = var.stitch_metadata_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
stream_enabled = true
stream_view_type = "NEW_AND_OLD_IMAGES"
ttl_enabled = true
ttl_attribute_name = "ExpireAt"

Expand Down Expand Up @@ -239,7 +235,6 @@ module "auth_state_dynamodb_table" {
table_name = var.auth_state_dynamodb_table_name
hash_key = "State"
deletion_protection_enabled = var.deletion_protection_enabled
stream_enabled = false
ttl_enabled = true
ttl_attribute_name = "TimeToExist"
attributes = [
Expand All @@ -266,7 +261,6 @@ module "auth_session_dynamodb_table" {
table_name = var.auth_session_dynamodb_table_name
hash_key = "NDRSessionId"
deletion_protection_enabled = var.deletion_protection_enabled
stream_enabled = false
ttl_enabled = true
ttl_attribute_name = "TimeToExist"
attributes = [
Expand All @@ -293,7 +287,6 @@ module "bulk_upload_report_dynamodb_table" {
table_name = var.bulk_upload_report_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
stream_enabled = false
ttl_enabled = false
point_in_time_recovery_enabled = !local.is_sandbox

Expand Down Expand Up @@ -340,7 +333,6 @@ module "statistics_dynamodb_table" {
hash_key = "Date"
sort_key = "StatisticID"
deletion_protection_enabled = var.deletion_protection_enabled
stream_enabled = false
ttl_enabled = false
point_in_time_recovery_enabled = !local.is_sandbox

Expand Down Expand Up @@ -378,7 +370,6 @@ module "access_audit_dynamodb_table" {
hash_key = "Type"
sort_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
stream_enabled = false
ttl_enabled = false
point_in_time_recovery_enabled = !local.is_sandbox

Expand Down Expand Up @@ -432,7 +423,6 @@ module "pdm_dynamodb_table" {
table_name = var.pdm_dynamodb_table_name
hash_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
stream_enabled = true
stream_view_type = "OLD_IMAGE"
ttl_enabled = true
ttl_attribute_name = "TTL"
Expand Down Expand Up @@ -505,7 +495,6 @@ module "core_dynamodb_table" {
hash_key = "NhsNumber"
sort_key = "ID"
deletion_protection_enabled = var.deletion_protection_enabled
stream_enabled = true
stream_view_type = "OLD_IMAGE"
ttl_enabled = true
ttl_attribute_name = "TTL"
Expand Down Expand Up @@ -544,7 +533,6 @@ module "alarm_state_history_table" {
sort_key = "TimeCreated"
deletion_protection_enabled = var.deletion_protection_enabled
point_in_time_recovery_enabled = false
stream_enabled = false
ttl_enabled = true
ttl_attribute_name = "TimeToExist"

Expand All @@ -569,7 +557,6 @@ module "bulk_upload_contact_lookup_table" {
hash_key = "OdsCode"
deletion_protection_enabled = var.deletion_protection_enabled
point_in_time_recovery_enabled = !local.is_sandbox
stream_enabled = false
ttl_enabled = false

attributes = [
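Review bot: Dropping `stream_enabled` from every module call changes how streaming is switched on: the module README in this PR moves the `stream_view_type` default to `null`, so presumably a non-null view type now implies an enabled stream and an omitted one implies no stream. That is an easy place to lose a stream silently, and because disabling and re-enabling a DynamoDB stream yields a new stream ARN, any Lambda event-source mapping attached to the old one would stop receiving records; the plan for each workspace should show no change to `stream_enabled` or `stream_view_type` on the tables that keep `OLD_IMAGE` or `NEW_AND_OLD_IMAGES`. The variable's description (rendered in modules/dynamo_db/README.md as `Type of stream view (e.g., OLD_IMAGE).`) should also say that `null` disables the stream, so callers know the omission is meaningful. Each module block starts and ends outside its hunk.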
1 change: 0 additions & 1 deletion infrastructure/dynamo_db_review.tf
Expand Up @@ -4,7 +4,6 @@ module "document_upload_review_dynamodb_table" {
hash_key = "ID"
sort_key = "Version"
deletion_protection_enabled = local.is_production
stream_enabled = false
ttl_enabled = false
point_in_time_recovery_enabled = !local.is_sandbox

2 changes: 1 addition & 1 deletion infrastructure/lambda-migration-dynamodb-segment.tf
Expand Up @@ -25,7 +25,7 @@ data "aws_iam_policy_document" "migration_dynamodb_access" {
"dynamodb:DescribeTable"
]
resources = [
"arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${terraform.workspace}_*"
"arn:aws:dynamodb:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:table/${terraform.workspace}_*"
]
}
}
2 changes: 1 addition & 1 deletion infrastructure/lambda-send-feedback.tf
Expand Up @@ -121,7 +121,7 @@ resource "aws_iam_policy" "ses_send_email_policy" {
"ses:SendEmail",
],
Resource = [
"arn:aws:ses:${local.current_region}:${local.current_account_id}:identity/*",
"arn:aws:ses:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:identity/*",
]
}
]
2 changes: 1 addition & 1 deletion infrastructure/main.tf
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0" # When upgrading to v6.x, please update cloudfront minimum_protocol_version
version = "~> 6.0"
}
awscc = {
source = "hashicorp/awscc"
2 changes: 1 addition & 1 deletion infrastructure/modules/app_config/README.md
Expand Up @@ -37,7 +37,7 @@ module "app_config" {

| Name | Version |
|------|---------|
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 6.0 |

## Resources

2 changes: 1 addition & 1 deletion infrastructure/modules/app_config/provider.tf
Expand Up @@ -2,7 +2,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
version = "~> 6.0"
}
}
}
6 changes: 2 additions & 4 deletions infrastructure/modules/dynamo_db/README.md
Expand Up @@ -47,7 +47,6 @@ module "document_reference_dynamodb_table" {
ttl_attribute_name = "TTL"

# Optional: enable streams
stream_enabled = true
stream_view_type = "OLD_IMAGE"

# Optional: point-in-time recovery
Expand Down Expand Up @@ -83,7 +82,7 @@ module "document_reference_dynamodb_table" {

| Name | Version |
|------|---------|
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 6.0 |

## Resources

Expand All @@ -107,8 +106,7 @@ module "document_reference_dynamodb_table" {
| <a name="input_owner"></a> [owner](#input\_owner) | Identifies the team or person responsible for the resource (used for tagging). | `string` | n/a | yes |
| <a name="input_point_in_time_recovery_enabled"></a> [point\_in\_time\_recovery\_enabled](#input\_point\_in\_time\_recovery\_enabled) | Enables PITR for backups. | `bool` | `false` | no |
| <a name="input_sort_key"></a> [sort\_key](#input\_sort\_key) | Optional range/sort key for composite primary key. | `string` | `null` | no |
| <a name="input_stream_enabled"></a> [stream\_enabled](#input\_stream\_enabled) | Whether DynamoDB Streams are enabled. | `bool` | `false` | no |
| <a name="input_stream_view_type"></a> [stream\_view\_type](#input\_stream\_view\_type) | Type of stream view (e.g., OLD\_IMAGE). | `string` | `"NEW_AND_OLD_IMAGES"` | no |
| <a name="input_stream_view_type"></a> [stream\_view\_type](#input\_stream\_view\_type) | Type of stream view (e.g., OLD\_IMAGE). | `string` | `null` | no |
| <a name="input_table_name"></a> [table\_name](#input\_table\_name) | Name of the DynamoDB table. | `string` | `null` | no |
| <a name="input_ttl_attribute_name"></a> [ttl\_attribute\_name](#input\_ttl\_attribute\_name) | Name of the TTL attribute. | `string` | `""` | no |
| <a name="input_ttl_enabled"></a> [ttl\_enabled](#input\_ttl\_enabled) | Whether to enable TTL (Time to Live) on items. | `bool` | `false` | no |