Merge remote-tracking branch 'origin/main' into PRMP-739

PedroSoaresNHS · PedroSoaresNHS · commit 1c1ff3dada3a · 2026-02-04T09:39:23.000Z
# Conflicts:
#	.github/workflows/automated-deploy-dev.yml
diff --git a/.github/workflows/automated-deploy-dev.yml b/.github/workflows/automated-deploy-dev.yml
@@ -13,11 +13,37 @@ permissions:
   actions: read   # This is required for Plan comment
   id-token: write # This is required for requesting the JWT
   contents: write # This is required for SBOM action
-    
+
 jobs:
+
+  # Terraform apply of base_iam will only occur on a push (merge request completion)
+  terraform_plan_apply_base_iam:
+    if: github.ref == 'refs/heads/main'
+    name: Terraform Plan/Apply (base_iam)
+    runs-on: ubuntu-latest
+    environment: development
+    steps:
+      - name: Checkout branch
+        uses: actions/checkout@v6
+
+      - name: Apply base_iam
+        uses: ./.github/actions/tf-plan-apply
+        with:
+          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/dev-github-bootstrap
+          bucket_prefix: "dev"
+          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+          aws_region: ${{ vars.AWS_REGION }}
+          working_directory: "./base_iam"  # Use separate base_iam directory
+          workspace: ${{ secrets.AWS_WORKSPACE }}
+          tf_vars_file: ${{ vars.TF_VARS_FILE }}
+          tf_extra_args: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}"
+
   terraform_plan_apply:
     name: Terraform Plan/Apply (ndr-dev)
     runs-on: ubuntu-latest
+    needs: terraform_plan_apply_base_iam
+    # Will run when terraform_plan_apply_base_iam completes or is skipped
+    if: always() && (needs.terraform_plan_apply_base_iam.result == 'skipped' || needs.terraform_plan_apply_base_iam.result == 'success')
     environment: development
     steps:
       - name: Checkout
@@ -73,7 +99,7 @@ jobs:
               echo "::add-mask::$cert_block"
             fi
           done || echo "No certificate blocks found to mask."
-          
+
           # Mask sensitive URLs in the Terraform Plan output
           grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do
             if [ -n "$api_url" ]; then
@@ -97,6 +123,7 @@ jobs:
 
           # Mask GitHub secrets
           echo "::add-mask::${{ secrets.AWS_ASSUME_ROLE }}"
+          echo "::add-mask::arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_WORKSPACE }}-github-actions-role"
           echo "::add-mask::${{ secrets.GITHUB_TOKEN }}"
 
           # Mask Terraform variables
@@ -153,7 +180,7 @@ jobs:
 
             // 2. Prepare format of the comment
             const output = `### Report for environment: ndr-dev
-            
+
             #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
             <details><summary>Initialization Output</summary>
 
@@ -191,7 +218,7 @@ jobs:
                 body: output
               })
             }
-            
+
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
diff --git a/infrastructure/cloudwatch_rum.tf b/infrastructure/cloudwatch_rum.tf
@@ -4,8 +4,7 @@ locals {
 }
 
 resource "aws_iam_role" "cognito_unauthenticated" {
-  count = local.is_production ? 0 : 1
-  name  = local.cognito_role_name
+  name = local.cognito_role_name
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17",
@@ -18,7 +17,7 @@ resource "aws_iam_role" "cognito_unauthenticated" {
         Action = "sts:AssumeRoleWithWebIdentity",
         Condition = {
           StringEquals = {
-            "cognito-identity.amazonaws.com:aud" = aws_cognito_identity_pool.cloudwatch_rum[0].id
+            "cognito-identity.amazonaws.com:aud" = aws_cognito_identity_pool.cloudwatch_rum.id
           },
           "ForAnyValue:StringLike" = {
             "cognito-identity.amazonaws.com:amr" = "unauthenticated"
@@ -30,7 +29,6 @@ resource "aws_iam_role" "cognito_unauthenticated" {
 }
 
 resource "aws_iam_policy" "cloudwatch_rum_cognito_access" {
-  count       = local.is_production ? 0 : 1
   name        = "${terraform.workspace}-cloudwatch-rum-cognito-access-policy"
   description = "Policy for unauthenticated Cognito identities"
 
@@ -41,7 +39,7 @@ resource "aws_iam_policy" "cloudwatch_rum_cognito_access" {
         {
           "Effect" : "Allow",
           "Action" : "rum:PutRumEvents",
-          "Resource" : "arn:aws:rum:${local.current_region}:${local.current_account_id}:appmonitor/${aws_rum_app_monitor.ndr[0].id}"
+          "Resource" : "arn:aws:rum:${local.current_region}:${local.current_account_id}:appmonitor/${aws_rum_app_monitor.ndr.id}"
         }
       ]
   })
@@ -75,34 +73,29 @@ resource "aws_cloudwatch_log_resource_policy" "rum_log" {
 }
 
 resource "aws_iam_role_policy_attachment" "cloudwatch_rum_cognito_unauth" {
-  count      = local.is_production ? 0 : 1
-  role       = aws_iam_role.cognito_unauthenticated[0].name
-  policy_arn = aws_iam_policy.cloudwatch_rum_cognito_access[0].arn
+  role       = aws_iam_role.cognito_unauthenticated.name
+  policy_arn = aws_iam_policy.cloudwatch_rum_cognito_access.arn
 }
 
 resource "aws_cognito_identity_pool_roles_attachment" "cloudwatch_rum" {
-  count            = local.is_production ? 0 : 1
-  identity_pool_id = aws_cognito_identity_pool.cloudwatch_rum[0].id
-
+  identity_pool_id = aws_cognito_identity_pool.cloudwatch_rum.id
   roles = {
-    unauthenticated = aws_iam_role.cognito_unauthenticated[0].arn
+    unauthenticated = aws_iam_role.cognito_unauthenticated.arn
   }
 }
 
 resource "aws_cognito_identity_pool" "cloudwatch_rum" {
-  count                            = local.is_production ? 0 : 1
   identity_pool_name               = "${terraform.workspace}-cloudwatch-rum-identity-pool"
   allow_unauthenticated_identities = true
 }
 
 resource "aws_rum_app_monitor" "ndr" {
-  count          = local.is_production ? 0 : 1
   name           = "${terraform.workspace}-app-monitor"
   domain         = "*.${var.domain}"
   cw_log_enabled = true
 
   app_monitor_configuration {
-    identity_pool_id    = aws_cognito_identity_pool.cloudwatch_rum[0].id
+    identity_pool_id    = aws_cognito_identity_pool.cloudwatch_rum.id
     allow_cookies       = true
     enable_xray         = false
     session_sample_rate = 1.0
diff --git a/infrastructure/modules/lambda/README.md b/infrastructure/modules/lambda/README.md
@@ -113,7 +113,7 @@ module "lambda" {
 | <a name="input_lambda_environment_variables"></a> [lambda\_environment\_variables](#input\_lambda\_environment\_variables) | Map of environment variables to set in the Lambda function. | `map(string)` | `{}` | no |
 | <a name="input_lambda_ephemeral_storage"></a> [lambda\_ephemeral\_storage](#input\_lambda\_ephemeral\_storage) | Amount of ephemeral storage (in MB) to allocate to the Lambda function. | `number` | `512` | no |
 | <a name="input_lambda_timeout"></a> [lambda\_timeout](#input\_lambda\_timeout) | Function timeout in seconds. | `number` | `30` | no |
-| <a name="input_memory_size"></a> [memory\_size](#input\_memory\_size) | Amount of memory to allocate to the Lambda function (in MB). | `number` | `5038` | no |
+| <a name="input_memory_size"></a> [memory\_size](#input\_memory\_size) | Amount of memory to allocate to the Lambda function (in MB). | `number` | `5308` | no |
 | <a name="input_name"></a> [name](#input\_name) | Unique name for the Lambda function. | `string` | n/a | yes |
 | <a name="input_persistent_workspaces"></a> [persistent\_workspaces](#input\_persistent\_workspaces) | A list of workspaces that require persistent logs | `list(string)` | <pre>[<br/>  "ndr-dev",<br/>  "ndr-test",<br/>  "pre-prod",<br/>  "prod"<br/>]</pre> | no |
 | <a name="input_reserved_concurrent_executions"></a> [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | The number of concurrent execution allowed for lambda. A value of 0 will stop lambda from running, and -1 removes any concurrency limitations. Default to -1. | `number` | `-1` | no |
diff --git a/infrastructure/moved-resources-v1.6.11.tf b/infrastructure/moved-resources-v1.6.11.tf
@@ -16,4 +16,34 @@ moved {
 moved {
   from = aws_cloudfront_cache_policy.nocache
   to   = aws_cloudfront_cache_policy.nocache[0]
+}
+
+moved {
+  from = aws_iam_role.cognito_unauthenticated[0]
+  to   = aws_iam_role.cognito_unauthenticated
+}
+
+moved {
+  from = aws_iam_policy.cloudwatch_rum_cognito_access[0]
+  to   = aws_iam_policy.cloudwatch_rum_cognito_access
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.cloudwatch_rum_cognito_unauth[0]
+  to   = aws_iam_role_policy_attachment.cloudwatch_rum_cognito_unauth
+}
+
+moved {
+  from = aws_cognito_identity_pool.cloudwatch_rum[0]
+  to   = aws_cognito_identity_pool.cloudwatch_rum
+}
+
+moved {
+  from = aws_cognito_identity_pool_roles_attachment.cloudwatch_rum[0]
+  to   = aws_cognito_identity_pool_roles_attachment.cloudwatch_rum
+}
+
+moved {
+  from = aws_rum_app_monitor.ndr[0]
+  to   = aws_rum_app_monitor.ndr
 }
