Merge branch 'main' into feature/eja-eli-238-address-checkov-flagged-issues

Author: eddalmond1

.github/workflows/cicd-2-publish.yaml

@@ -9,6 +9,10 @@ on:
     branches:
       - main
 
+concurrency:
+  group: terraform-dev
+  cancel-in-progress: false
+
 jobs:
   metadata:
     name: "Set CI/CD metadata"
@@ -100,10 +104,10 @@ jobs:
         # just planning for now for safety and until review
         run: |
           mkdir -p ./build
-          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=plan"
-          make terraform env=$ENVIRONMENT stack=networking tf-command=plan workspace=$WORKSPACE
-          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=plan"
-          make terraform env=$ENVIRONMENT stack=api-layer tf-command=plan workspace=$WORKSPACE
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
+          make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
+          make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
         working-directory: ./infrastructure
 
       - name: "Tag the dev deployment"
@@ -136,20 +140,14 @@ jobs:
       #     asset_path: ./build/lambda.zip
       #     asset_name: lambda-${{ needs.metadata.outputs.version }}.zip
       #     asset_content_type: application/zip
-  success:
-    name: "Success notification"
-    runs-on: ubuntu-latest
-    needs: [publish]
-    steps:
-      - name: "Check prerequisites for notification"
-        id: check
-        run: echo "secret_exist=${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL != '' }}" >> $GITHUB_OUTPUT
-      - name: "Notify on publishing packages"
-        if: steps.check.outputs.secret_exist == 'true'
-        uses: nhs-england-tools/notify-msteams-action@v1.0.0
+      - name: "Notify Slack on PR merge"
+        uses: slackapi/slack-github-action@v2.1.0
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          teams-webhook-url: ${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL }}
-          message-title: "Notification title"
-          message-text: "This is a notification body"
-          link: ${{ github.event.pull_request.html_url }}
+          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook-type: webhook-trigger
+          payload: |
+            status: "${{ job.status }}"
+            link: "https://github.com/${{ github.repository }}/commit/${{ github.sha }}"
+            Author: "${{ github.actor }}"
+            title: "Pushed to main"
+            version: "${{ needs.metadata.outputs.version }}"

.github/workflows/cicd-3-deploy.yaml

@@ -3,6 +3,10 @@
 
 name: "CI/CD deploy"
 
+concurrency:
+  group: terraform-deploy-${{ github.event.inputs.environment }}
+  cancel-in-progress: false
+
 on:
   workflow_dispatch:
     inputs:

infrastructure/Makefile

@@ -35,7 +35,9 @@ terraform-workspace-delete: guard-env guard-stack
 
 # Runs a specified Terraform command (e.g., plan, apply) for the stack and environment.
 terraform: guard-env guard-stack guard-tf-command terraform-init terraform-workspace
-	terraform -chdir=./stacks/$(stack) $(tf-command) $(args) $(if $(filter $(tf-command),init),,--parallelism=30)
+	terraform -chdir=./stacks/$(stack) $(tf-command) $(args) \
+		$(if $(filter init,$(tf-command)),,--parallelism=30) \
+		$(if $(filter apply,$(tf-command)),-auto-approve)
 	rm -f ./terraform_outputs_$(stack).json || true
 	mkdir -p ./build
 	terraform -chdir=./stacks/$(stack) output -json > ./build/terraform_outputs_$(stack).json

infrastructure/modules/dynamodb/default_variables.tf

@@ -0,0 +1 @@
+../_shared/default_variables.tf

infrastructure/modules/dynamodb/dynamodb.tf

@@ -1,5 +1,5 @@
 resource "aws_dynamodb_table" "dynamodb_table" {
-  name         = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.table_name_suffix}"
+  name         = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-${var.table_name_suffix}"
   billing_mode = "PAY_PER_REQUEST"
   hash_key     = var.partition_key
 

infrastructure/modules/dynamodb/variables.tf

@@ -1,13 +1,3 @@
-variable "workspace" {
-  description = "Usually the developer short code or the name of the environment."
-  type        = string
-}
-
-variable "project_name" {
-  default = "eligibility-signposting-api"
-  type    = string
-}
-
 variable "table_name_suffix" {
   description = "Name of the DynamoDB table"
   type        = string
@@ -34,14 +24,3 @@ variable "sort_key_type" {
   type        = string
   default     = null
 }
-
-variable "tags" {
-  description = "A map of tags to assign to resources."
-  type        = map(string)
-  default     = {}
-}
-
-variable "environment" {
-  description = "The purpose of the account dev/test/ref/prod or the workspace"
-  type        = string
-}

infrastructure/modules/s3/default_variables.tf

@@ -0,0 +1 @@
+../_shared/default_variables.tf

infrastructure/modules/s3/variables.tf

@@ -3,16 +3,6 @@ variable "bucket_name" {
   type        = string
 }
 
-variable "project_name" {
-  default = "eligibility-signposting-api"
-  type    = string
-}
-
-variable "environment" {
-  description = "The purpose of the account dev/test/ref/prod or the workspace"
-  type        = string
-}
-
 variable "bucket_expiration_days" {
   default     = 90
   description = "How long to keep bucket contents before expiring"

infrastructure/stacks/_shared/locals.tf

@@ -17,24 +17,9 @@ locals {
     workspace       = lower(terraform.workspace)
   }
 
-  sso_role_patterns = {
-    dev     = "AWSReservedSSO_vdselid_dev_*"
-    test    = "AWSReservedSSO_vdselid_test_*"
-    preprod = "AWSReservedSSO_vdselid_preprod_*"
-  }
-
   terraform_state_bucket_name = "eligibility-signposting-api-${var.environment}-tfstate"
   terraform_state_bucket_arn  = "arn:aws:s3:::eligibility-signposting-api-${var.environment}-tfstate"
 
-  account_ids = {
-    dev     = "448049830832"
-    test    = "050451367081"
-    preprod = "203918864209"
-    # prod    = "476114145616"
-  }
-
-  current_account_id = lookup(local.account_ids, var.environment, data.aws_caller_identity.current.account_id)
-
   role_arn_pre  = "arn:aws:iam::603871901111:role/db-system-worker"
   role_arn_prod = "arn:aws:iam::232116723729:role/db-system-worker"
 

infrastructure/stacks/api-layer/dynamodb.tf

@@ -1,11 +1,12 @@
 module "eligibility_status_table" {
   source             = "../../modules/dynamodb"
   workspace          = local.workspace
-  table_name_suffix  = "eligibilty_data_store"
+  table_name_suffix  = "eligibility_datastore"
   partition_key      = "NHS_NUMBER"
   partition_key_type = "S"
   sort_key           = "ATTRIBUTE_TYPE"
   sort_key_type      = "S"
   tags               = local.tags
-  environment        = var.environment
+  environment        = local.environment
+  stack_name         = local.stack_name
 }