VED-1050: Enable PITR in preprod and enable S3 versioning on additional buckets. (#1232)

Author: mfjarvis

infrastructure/instance/dynamodb.tf

@@ -31,19 +31,31 @@ resource "aws_dynamodb_table" "audit-table" {
 
   global_secondary_index {
     name            = "filename_index"
-    hash_key        = "filename"
     projection_type = "ALL"
+
+    key_schema {
+      attribute_name = "filename"
+      key_type       = "HASH"
+    }
   }
 
   global_secondary_index {
     name            = "queue_name_index"
-    hash_key        = "queue_name"
-    range_key       = "status"
     projection_type = "ALL"
+
+    key_schema {
+      attribute_name = "queue_name"
+      key_type       = "HASH"
+    }
+
+    key_schema {
+      attribute_name = "status"
+      key_type       = "RANGE"
+    }
   }
 
   point_in_time_recovery {
-    enabled = var.environment == "prod"
+    enabled = var.dynamodb_point_in_time_recovery_enabled
   }
 
   server_side_encryption {
@@ -95,26 +107,46 @@ resource "aws_dynamodb_table" "delta-dynamodb-table" {
 
   global_secondary_index {
     name            = "SearchIndex"
-    hash_key        = "Operation"
-    range_key       = "DateTimeStamp"
     projection_type = "ALL"
+
+    key_schema {
+      attribute_name = "Operation"
+      key_type       = "HASH"
+    }
+
+    key_schema {
+      attribute_name = "DateTimeStamp"
+      key_type       = "RANGE"
+    }
   }
 
   global_secondary_index {
     name            = "SecondarySearchIndex"
-    hash_key        = "SupplierSystem"
-    range_key       = "VaccineType"
     projection_type = "ALL"
+
+    key_schema {
+      attribute_name = "SupplierSystem"
+      key_type       = "HASH"
+    }
+
+    key_schema {
+      attribute_name = "VaccineType"
+      key_type       = "RANGE"
+    }
   }
 
   global_secondary_index {
     name            = "ImmunisationIdIndex"
-    hash_key        = "ImmsID"
     projection_type = "ALL"
+
+    key_schema {
+      attribute_name = "ImmsID"
+      key_type       = "HASH"
+    }
   }
 
   point_in_time_recovery {
-    enabled = var.environment == "prod"
+    enabled = var.dynamodb_point_in_time_recovery_enabled
   }
 
   server_side_encryption {
@@ -154,19 +186,31 @@ resource "aws_dynamodb_table" "events-dynamodb-table" {
 
   global_secondary_index {
     name            = "PatientGSI"
-    hash_key        = "PatientPK"
-    range_key       = "PatientSK"
     projection_type = "ALL"
+
+    key_schema {
+      attribute_name = "PatientPK"
+      key_type       = "HASH"
+    }
+
+    key_schema {
+      attribute_name = "PatientSK"
+      key_type       = "RANGE"
+    }
   }
 
   global_secondary_index {
     name            = "IdentifierGSI"
-    hash_key        = "IdentifierPK"
     projection_type = "ALL"
+
+    key_schema {
+      attribute_name = "IdentifierPK"
+      key_type       = "HASH"
+    }
   }
 
   point_in_time_recovery {
-    enabled = var.environment == "prod"
+    enabled = var.dynamodb_point_in_time_recovery_enabled
   }
 
   server_side_encryption {

infrastructure/instance/environments/preprod/int-blue/variables.tfvars

@@ -5,6 +5,7 @@ pds_environment                   = "int"
 error_alarm_notifications_enabled = true
 
 # mesh no invocation period metric set to 3 days (in seconds) for preprod environment i.e 3 * 24 * 60 * 60
-mesh_no_invocation_period_seconds = 259200
-create_mesh_processor             = true
-has_sub_environment_scope         = false
+mesh_no_invocation_period_seconds       = 259200
+create_mesh_processor                   = true
+has_sub_environment_scope               = false
+dynamodb_point_in_time_recovery_enabled = true

infrastructure/instance/environments/preprod/int-green/variables.tfvars

@@ -5,6 +5,7 @@ pds_environment                   = "int"
 error_alarm_notifications_enabled = true
 
 # mesh no invocation period metric set to 3 days (in seconds) for preprod environment i.e 3 * 24 * 60 * 60
-mesh_no_invocation_period_seconds = 259200
-create_mesh_processor             = true
-has_sub_environment_scope         = false
+mesh_no_invocation_period_seconds       = 259200
+create_mesh_processor                   = true
+has_sub_environment_scope               = false
+dynamodb_point_in_time_recovery_enabled = true

infrastructure/instance/environments/prod/blue/variables.tfvars

@@ -6,8 +6,9 @@ pds_environment                   = "prod"
 error_alarm_notifications_enabled = true
 
 # mesh no invocation period metric set to 1 day (in seconds) for prod environment i.e 1 * 24 * 60 * 60
-mesh_no_invocation_period_seconds = 86400
-create_mesh_processor             = true
-has_sub_environment_scope         = false
-dspp_submission_s3_bucket_name    = "nhsd-dspp-core-prod-s3-submission-upload"
-dspp_submission_kms_key_alias     = "nhsd-dspp-core-prod-s3-submission-upload-key"
+mesh_no_invocation_period_seconds       = 86400
+create_mesh_processor                   = true
+has_sub_environment_scope               = false
+dspp_submission_s3_bucket_name          = "nhsd-dspp-core-prod-s3-submission-upload"
+dspp_submission_kms_key_alias           = "nhsd-dspp-core-prod-s3-submission-upload-key"
+dynamodb_point_in_time_recovery_enabled = true

infrastructure/instance/environments/prod/green/variables.tfvars

@@ -6,8 +6,9 @@ pds_environment                   = "prod"
 error_alarm_notifications_enabled = true
 
 # mesh no invocation period metric set to 1 day (in seconds) for prod environment i.e 1 * 24 * 60 * 60
-mesh_no_invocation_period_seconds = 86400
-create_mesh_processor             = true
-has_sub_environment_scope         = false
-dspp_submission_s3_bucket_name    = "nhsd-dspp-core-prod-s3-submission-upload"
-dspp_submission_kms_key_alias     = "nhsd-dspp-core-prod-s3-submission-upload-key"
+mesh_no_invocation_period_seconds       = 86400
+create_mesh_processor                   = true
+has_sub_environment_scope               = false
+dspp_submission_s3_bucket_name          = "nhsd-dspp-core-prod-s3-submission-upload"
+dspp_submission_kms_key_alias           = "nhsd-dspp-core-prod-s3-submission-upload-key"
+dynamodb_point_in_time_recovery_enabled = true

infrastructure/instance/s3_config.tf

@@ -205,6 +205,13 @@ resource "aws_s3_bucket_public_access_block" "batch_data_destination_bucket_publ
   restrict_public_buckets = true
 }
 
+resource "aws_s3_bucket_versioning" "batch_data_destination" {
+  bucket = aws_s3_bucket.batch_data_destination_bucket.bucket
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
 resource "aws_s3_bucket_policy" "batch_data_destination_bucket_policy" {
   bucket = aws_s3_bucket.batch_data_destination_bucket.id
   policy = jsonencode({
@@ -303,6 +310,13 @@ resource "aws_s3_bucket_public_access_block" "batch_config_bucket_public_access_
   restrict_public_buckets = true
 }
 
+resource "aws_s3_bucket_versioning" "batch_config" {
+  bucket = aws_s3_bucket.batch_config_bucket.bucket
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
 resource "aws_s3_bucket_policy" "batch_config_bucket_policy" {
   bucket = aws_s3_bucket.batch_config_bucket.id
 

infrastructure/instance/variables.tf

@@ -93,6 +93,12 @@ variable "has_sub_environment_scope" {
   default     = false
 }
 
+variable "dynamodb_point_in_time_recovery_enabled" {
+  description = "Whether to enable PITR on DynamoDB tables"
+  type        = bool
+  default     = false
+}
+
 locals {
   prefix              = "${var.project_name}-${var.service}-${var.sub_environment}"
   short_prefix        = "${var.project_short_name}-${var.sub_environment}"