eli-239 making resources workflow safe and amending dynamoDB naming t…

infrastructure/modules/dynamodb/default_variables.tf

@@ -0,0 +1 @@
+../_shared/default_variables.tf

infrastructure/modules/dynamodb/dynamodb.tf

@@ -1,5 +1,5 @@
 resource "aws_dynamodb_table" "dynamodb_table" {
-  name         = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.table_name_suffix}"
+  name         = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-${var.table_name_suffix}"
   billing_mode = "PAY_PER_REQUEST"
   hash_key     = var.partition_key
 

infrastructure/modules/dynamodb/variables.tf

@@ -1,13 +1,3 @@
-variable "workspace" {
-  description = "Usually the developer short code or the name of the environment."
-  type        = string
-}
-
-variable "project_name" {
-  default = "eligibility-signposting-api"
-  type    = string
-}
-
 variable "table_name_suffix" {
   description = "Name of the DynamoDB table"
   type        = string
@@ -34,9 +24,3 @@ variable "sort_key_type" {
   type        = string
   default     = null
 }
-
-variable "tags" {
-  description = "A map of tags to assign to resources."
-  type        = map(string)
-  default     = {}
-}

infrastructure/modules/s3/default_variables.tf

@@ -0,0 +1 @@
+../_shared/default_variables.tf

infrastructure/modules/s3/variables.tf

@@ -3,16 +3,6 @@ variable "bucket_name" {
   type        = string
 }
 
-variable "project_name" {
-  default = "eligibility-signposting-api"
-  type    = string
-}
-
-variable "environment" {
-  description = "The purpose of the account dev/test/ref/prod or the workspace"
-  type        = string
-}
-
 variable "bucket_expiration_days" {
   default     = 90
   description = "How long to keep bucket contents before expiring"

infrastructure/stacks/_shared/locals.tf

@@ -17,24 +17,9 @@ locals {
     workspace       = lower(terraform.workspace)
   }
 
-  sso_role_patterns = {
-    dev     = "AWSReservedSSO_vdselid_dev_*"
-    test    = "AWSReservedSSO_vdselid_test_*"
-    preprod = "AWSReservedSSO_vdselid_preprod_*"
-  }
-
   terraform_state_bucket_name = "eligibility-signposting-api-${var.environment}-tfstate"
   terraform_state_bucket_arn  = "arn:aws:s3:::eligibility-signposting-api-${var.environment}-tfstate"
 
-  account_ids = {
-    dev     = "448049830832"
-    test    = "050451367081"
-    preprod = "203918864209"
-    # prod    = "476114145616"
-  }
-
-  current_account_id = lookup(local.account_ids, var.environment, data.aws_caller_identity.current.account_id)
-
   role_arn_pre  = "arn:aws:iam::603871901111:role/db-system-worker"
   role_arn_prod = "arn:aws:iam::232116723729:role/db-system-worker"
 

infrastructure/stacks/api-layer/dynamodb.tf

@@ -1,10 +1,12 @@
 module "eligibility_status_table" {
   source             = "../../modules/dynamodb"
   workspace          = local.workspace
-  table_name_suffix  = "eligibilty_data_store"
+  table_name_suffix  = "eligibility_datastore"
   partition_key      = "NHS_NUMBER"
   partition_key_type = "S"
   sort_key           = "ATTRIBUTE_TYPE"
   sort_key_type      = "S"
   tags               = local.tags
+  environment        = local.environment
+  stack_name         = local.stack_name
 }

infrastructure/stacks/api-layer/iam_roles.tf

@@ -31,7 +31,8 @@ resource "aws_iam_role" "eligibility_lambda_role" {
 
 
 resource "aws_iam_role" "write_access_role" {
-  name                 = "external-write-role-${terraform.workspace == "default" ? "" : "-${terraform.workspace}"}"
+  count                = terraform.workspace == "default" ? 1 : 0
+  name                 = "eligibility-signposting-api-${local.environment}-external-write-role"
   assume_role_policy   = data.aws_iam_policy_document.dps_assume_role.json
   permissions_boundary = aws_iam_policy.assumed_role_permissions_boundary.arn
 }

infrastructure/stacks/api-layer/s3_buckets.tf

@@ -3,6 +3,8 @@ module "s3_rules_bucket" {
   bucket_name  = "eli-rules"
   environment  = var.environment
   project_name = var.project_name
+  stack_name   = local.stack_name
+  workspace    = terraform.workspace
 }
 
 module "s3_audit_bucket" {
@@ -11,4 +13,6 @@ module "s3_audit_bucket" {
   environment            = var.environment
   project_name           = var.project_name
   bucket_expiration_days = 180
+  stack_name             = local.stack_name
+  workspace              = terraform.workspace
 }

infrastructure/stacks/api-layer/truststore_s3_bucket.tf

@@ -3,6 +3,8 @@ module "s3_truststore_bucket" {
   bucket_name  = "truststore"
   environment  = var.environment
   project_name = var.project_name
+  stack_name   = local.stack_name
+  workspace    = terraform.workspace
 }
 
 resource "aws_s3_bucket_policy" "truststore" {

infrastructure/stacks/bootstrap/README.md

@@ -62,7 +62,7 @@ make bootstrap-terraform env=<env> tf-command=plan
 Workspaces allow for alternative deployments within the same environment (e.g., testing changes in `dev`). Create a workspace with the same name as the environment:
 
 ```bash
-make terraform-workspace env=<env> stack=bootstrap workspace=<env>
+make terraform-workspace env=<env> stack=bootstrap workspace=default
 ```
 
 ### 1.4 Apply Terraform Changes
@@ -105,7 +105,7 @@ terraform {
 Reinitialize Terraform to migrate the state to the S3 bucket:
 
 ```bash
-make terraform env=<env> workspace=<env> stack=bootstrap tf-command=apply
+make terraform env=<env> workspace=default stack=bootstrap tf-command=apply
 ```
 
 You will see a prompt like the following:

infrastructure/stacks/bootstrap/locals.tf

@@ -0,0 +1,5 @@
+locals {
+
+    stack_name = "bootstrap"
+
+}

infrastructure/stacks/bootstrap/modules.tf

@@ -3,4 +3,6 @@ module "tfstate" {
 
   project_name = var.project_name
   environment  = var.environment
+  workspace    = terraform.workspace
+  stack_name   = local.stack_name
 }

infrastructure/stacks/bootstrap/shared_locals.tf

@@ -0,0 +1 @@
+../_shared/locals.tf

infrastructure/stacks/iams-developer-roles/README.md

@@ -37,13 +37,13 @@ This stack creates the following AWS resources:
 3. Plan the deployment:
 
     ```bash
-    make terraform env=dev stack=iams-developer-roles tf-command=plan workspace=dev
+    make terraform env=dev stack=iams-developer-roles tf-command=plan workspace=default
     ```
 
 4. Apply the configuration:
 
     ```bash
-    make terraform env=dev stack=iams-developer-roles tf-command=apply workspace=dev
+    make terraform env=dev stack=iams-developer-roles tf-command=apply workspace=default
     ```
 
 5. Verify the role was created:

infrastructure/stacks/networking/README.md

@@ -84,16 +84,16 @@ For a high-level overview, see the [VPC Structure Confluence Page](https://nhsd-
 Run the following command to initialize Terraform and generate a plan. Replace `<env>` with your target environment (e.g., `dev`):
 
 ```bash
-make terraform env=dev stack=networking tf-command=init workspace=<env>
-make terraform env=dev stack=networking tf-command=plan workspace=<env>
+make terraform env=dev stack=networking tf-command=init workspace=default
+make terraform env=dev stack=networking tf-command=plan workspace=default
 ```
 
 ### 2. Apply Terraform Changes
 
 Deploy the Terraform configuration:
 
 ```bash
-make terraform env=dev stack=networking tf-command=apply workspace=<env>
+make terraform env=dev stack=networking tf-command=apply workspace=default
 ```
 
 For more on Terraform, see the [Terraform Documentation](https://developer.hashicorp.com/terraform/docs).