From 840ab00eb5e8c34caa032536b57467bd4d9927ba Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Wed, 27 Nov 2024 09:33:42 +0000 Subject: [PATCH 01/13] Adjust AWS S3 Lifecycle Management Intelligent Lifecycle --- .../digital-prison-reporting/main.tf | 15 +-- .../modules/s3_bucket/main.tf | 115 +++++++++--------- .../modules/s3_bucket/variables.tf | 22 ++-- 3 files changed, 72 insertions(+), 80 deletions(-) diff --git a/terraform/environments/digital-prison-reporting/main.tf b/terraform/environments/digital-prison-reporting/main.tf index 739647360bb..5968653ae62 100644 --- a/terraform/environments/digital-prison-reporting/main.tf +++ b/terraform/environments/digital-prison-reporting/main.tf @@ -850,12 +850,13 @@ module "s3_structured_bucket" { # S3 Curated module "s3_curated_bucket" { - source = "./modules/s3_bucket" - create_s3 = local.setup_buckets - name = "${local.project}-curated-zone-${local.env}" - custom_kms_key = local.s3_kms_arn - create_notification_queue = false # For SQS Queue - enable_lifecycle = true + source = "./modules/s3_bucket" + create_s3 = local.setup_buckets + name = "${local.project}-curated-zone-${local.env}" + custom_kms_key = local.s3_kms_arn + create_notification_queue = false # For SQS Queue + enable_lifecycle = true + enable_intelligent_tiering = false tags = merge( local.all_tags, @@ -866,7 +867,7 @@ module "s3_curated_bucket" { ) } -# S3 Curated +# S3 Temp Reload module "s3_temp_reload_bucket" { source = "./modules/s3_bucket" create_s3 = local.setup_buckets diff --git a/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf b/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf index 173b5775db8..4ecf5830546 100644 --- a/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf +++ b/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf 
@@ -31,78 +31,75 @@ resource "aws_s3_bucket_public_access_block" "storage" { restrict_public_buckets = true } -# Resource to define S3 bucket lifecycle configuration resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" { - #checkov:skip=CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads" - # Enable the lifecycle configuration only if the variable `enable_lifecycle` is true - count = var.enable_lifecycle ? 1 : 0 + # Create the lifecycle configuration if either lifecycle or Intelligent-Tiering is enabled + count = var.enable_lifecycle || var.enable_intelligent_tiering ? 1 : 0 + bucket = aws_s3_bucket.storage[0].id - # Main lifecycle rule for standard categories (short_term, long_term, temporary) - rule { - id = var.name - status = "Enabled" - - # Short-Term Retention Policy - # - Transitions objects to STANDARD_IA after 30 days (cost-effective storage for infrequent access). - # - Deletes objects after 90 days. - dynamic "transition" { - for_each = var.lifecycle_category == "short_term" ? [{ days = 30, storage_class = "STANDARD_IA" }] : [] - content { - days = transition.value.days - storage_class = transition.value.storage_class + # Main lifecycle rule for standard categories (short_term, long_term, temporary, standard) + dynamic "rule" { + for_each = var.enable_lifecycle ? [1] : [] + content { + id = var.name + status = "Enabled" + + # Short-Term Retention Policy + dynamic "transition" { + for_each = var.lifecycle_category == "short_term" ? [{ days = 30, storage_class = "STANDARD_IA" }] : [] + content { + days = transition.value.days + storage_class = transition.value.storage_class + } } - } - dynamic "expiration" { - for_each = var.lifecycle_category == "short_term" ? [{ days = 90 }] : ( - var.lifecycle_category == "temporary" ? 
[{ days = 30 }] : []) - content { - days = expiration.value.days + # Standard Retention Policy: Move to STANDARD_IA after 30 days and remain there indefinitely + dynamic "transition" { + for_each = var.lifecycle_category == "standard" ? [{ days = 30, storage_class = "STANDARD_IA" }] : [] + content { + days = transition.value.days + storage_class = transition.value.storage_class + } + } + + # Expiration logic for short-term and temporary categories + dynamic "expiration" { + for_each = var.lifecycle_category == "short_term" ? [{ days = 90 }] : ( + var.lifecycle_category == "temporary" ? [{ days = 30 }] : []) + content { + days = expiration.value.days + } } - } - # Long-Term Retention Policy - # - Transitions objects to progressively cheaper storage classes: - # - STANDARD_IA after 60 days. - # - GLACIER after 180 days. - # - DEEP_ARCHIVE after 365 days. - # - Does not delete objects (no expiration). - dynamic "transition" { - for_each = var.lifecycle_category == "long_term" ? [ - { days = 60, storage_class = "STANDARD_IA" }, - { days = 180, storage_class = "GLACIER" }, - { days = 365, storage_class = "DEEP_ARCHIVE" } - ] : [] - content { - days = transition.value.days - storage_class = transition.value.storage_class + # Long-Term Retention Policy + dynamic "transition" { + for_each = var.lifecycle_category == "long_term" ? [ + { days = 30, storage_class = "STANDARD_IA" }, + { days = 180, storage_class = "GLACIER" }, + { days = 365, storage_class = "DEEP_ARCHIVE" } + ] : [] + content { + days = transition.value.days + storage_class = transition.value.storage_class + } } } } - # Dynamic rule for custom expiration rules - # - Allows adding additional lifecycle policies dynamically using the `override_expiration_rules` variable. - # - Each custom rule is defined with: - # - A unique prefix to filter objects (e.g., "reports/", "dpr/"). - # - An expiration time in days for objects under that prefix. 
- # - The `id` for each rule is derived dynamically based on the prefix (slashes `/` are replaced with dashes `-` for compatibility). - # - Rules are enabled or disabled based on the `enable_lifecycle_expiration` variable. - dynamic "rule" { - for_each = var.override_expiration_rules - content { - # Generate rule ID without worrying about trailing slashes in the prefix - id = "${var.name}-${rule.value.prefix}" - status = var.enable_lifecycle_expiration ? "Enabled" : "Disabled" + # Intelligent-Tiering rule (applied if enable_intelligent_tiering is true) + rule { + id = "${var.name}-intelligent-tiering" + status = var.enable_intelligent_tiering ? "Enabled" : "Disabled" - filter { - # Append '/' directly in the filter block to ensure proper prefix format - prefix = "${rule.value.prefix}/" - } + filter { + # Apply to all objects + prefix = "" + } - expiration { - days = rule.value.days - } + transition { + # Move objects to Intelligent-Tiering storage class + days = 0 # Immediately move to Intelligent-Tiering + storage_class = "INTELLIGENT_TIERING" } } } diff --git a/terraform/environments/digital-prison-reporting/modules/s3_bucket/variables.tf b/terraform/environments/digital-prison-reporting/modules/s3_bucket/variables.tf index a836cecc077..683e34f1677 100644 --- a/terraform/environments/digital-prison-reporting/modules/s3_bucket/variables.tf +++ b/terraform/environments/digital-prison-reporting/modules/s3_bucket/variables.tf @@ -1,6 +1,5 @@ variable "name" { - type = string description = "Name of the Bucket" default = "" } @@ -24,13 +23,11 @@ variable "cloudtrail_access_policy" { } variable "s3_notification_name" { - type = string description = "S3 Notification Event Name" default = "s3-notification-event" } variable "create_s3" { - type = bool description = "Setup S3 Buckets" default = false } 
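Review bot: Dropping the `#checkov:skip=CKV_AWS_300` line without adding an `abort_incomplete_multipart_upload` block means the rewritten `aws_s3_bucket_lifecycle_configuration.lifecycle` will now fail that check, and abandoned multipart uploads keep accruing storage indefinitely; adding `abort_incomplete_multipart_upload { days_after_initiation = 7 }` inside the lifecycle `rule` content addresses both. The hunk also deletes the `dynamic "rule"` driven by `var.override_expiration_rules` while `variables.tf` in the same commit keeps that variable and `enable_lifecycle_expiration`, so any caller that sets prefix-based expirations now silently loses them—either remove the variables or keep the rule. The Intelligent-Tiering rule is emitted whenever the resource exists (with `status = "Disabled"` when the flag is off), and when both flags are true its `days = 0` INTELLIGENT_TIERING transition overlaps the 30-day STANDARD_IA transition on the same objects; the intended precedence should be documented or the combination rejected. The long-term STANDARD_IA threshold also moved from 60 to 30 days with the explanatory comments removed; a one-line comment recording the retention choices per category would keep the rule readable.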
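Review bot: Removing `type = string` from `variable "name"` takes a type constraint off the module interface, and the same removal is repeated for `s3_notification_name`, `create_s3`, `create_notification_queue`, `sqs_msg_retention_seconds`, `filter_prefix`, `enable_lifecycle`, `enable_versioning_config`, `enable_s3_versioning`, `enable_notification`, `bucket_key` and `enable_lifecycle_expiration` in the following `variables.tf` hunks. Without `type`, Terraform infers the type from the default and a wrong value from a caller surfaces only where the variable is used (for example in the `count` ternary) rather than at the module boundary, and it is inconsistent with the new `enable_intelligent_tiering` variable, which correctly declares `type = bool`. I would restore each removed line, e.g. `type = string` / `type = bool` / `type = number` as they were, since nothing in the commit message explains the removal.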
@@ -42,25 +39,21 @@ variable "custom_kms_key" { } variable "create_notification_queue" { - type = bool description = "Setup Notification Queue" default = false } variable "sqs_msg_retention_seconds" { - type = number description = "SQS Message Retention" default = 86400 } variable "filter_prefix" { - type = string description = "S3 Notification Filter Prefix" default = null } variable "enable_lifecycle" { - type = bool description = "Enabled Lifecycle for S3 Storage, Default is False" default = false } @@ -81,19 +74,16 @@ variable "enable_lifecycle" { #} variable "enable_versioning_config" { - type = string description = "Enable Versioning Config for S3 Storage, Default is Disabled" default = "Disabled" } variable "enable_s3_versioning" { - type = bool description = "Enable Versioning for S3 Bucket, Default is false" default = false } variable "enable_notification" { - type = bool description = "Enable S3 Bucket Notifications, Default is false" default = false } @@ -121,12 +111,11 @@ variable "dependency_lambda" { } variable "bucket_key" { - type = bool description = "If Bucket Key is Enabled or Disabled" default = true } -## Dynamic override_expiration_rules +## Dynamic override_expiration_rules variable "override_expiration_rules" { type = list(object({ prefix = string, days = number })) default = [] @@ -134,11 +123,16 @@ variable "override_expiration_rules" { variable "lifecycle_category" { type = string - default = "long_term" # Options: "short_term", "long_term", "temporary" + default = "standard" # Options: "short_term", "long_term", "temporary", "standard" } variable "enable_lifecycle_expiration" { - type = bool description = "Enable item expiration - requires 'enable_lifecycle' and 'override_expiration_rules' to be defined/enabled." default = false +} + +variable "enable_intelligent_tiering" { + description = "Enable Intelligent-Tiering storage class for S3 bucket" + type = bool + default = false } \ No newline at end of file 
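Review bot: The default of `lifecycle_category` changes from `"long_term"` to `"standard"`, so any caller that enables `enable_lifecycle` without setting a category moves from the Glacier/Deep Archive progression to the indefinite STANDARD_IA policy; that is a behavioural change worth stating in the description rather than only in a trailing comment. The allowed values are listed only in that comment, and every `for_each` in the module compares the string for equality, so a misspelt category produces a rule with no transition and no expiration without any error. A `validation` block on the variable (and a `description`, which the variable currently lacks) would catch that at plan time.

```hcl
variable "lifecycle_category" {
  description = "Retention profile applied by the lifecycle rule: short_term, long_term, temporary or standard"
  type        = string
  default     = "standard"

  validation {
    condition     = contains(["short_term", "long_term", "temporary", "standard"], var.lifecycle_category)
    error_message = "lifecycle_category must be one of: short_term, long_term, temporary, standard."
  }
}
```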
From 2f2a38c64ea374c93c26fc051406070e7b00f539 Mon Sep 17 00:00:00 2001
From: Hari Chintala
Date: Thu, 28 Nov 2024 11:40:00 +0000
Subject: [PATCH 02/13] Enable S3 Migration lambda
---
 .../Operations/aws_s3_data_migrate.tf | 33 +++++++++++++++++++
 .../application_variables.json | 12 ++++---
 .../digital-prison-reporting/locals.tf | 14 ++++++++
 3 files changed, 55 insertions(+), 4 deletions(-)
 create mode 100644 terraform/environments/digital-prison-reporting/Operations/aws_s3_data_migrate.tf
diff --git a/terraform/environments/digital-prison-reporting/Operations/aws_s3_data_migrate.tf b/terraform/environments/digital-prison-reporting/Operations/aws_s3_data_migrate.tf
new file mode 100644
index 00000000000..35d7c06f093
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/Operations/aws_s3_data_migrate.tf
@@ -0,0 +1,33 @@
+# Domain Builder Backend Lambda function
+module "aws_s3_data_migrate" {
+ source = "./modules/lambdas/generic"
+
+ enable_lambda = local.enable_s3_data_migrate_lambda
+ name = local.lambda_s3_data_migrate_name
+ s3_bucket = local.lambda_s3_data_migrate_code_s3_bucket
+ s3_key = local.lambda_s3_data_migrate_code_s3_key
+ handler = local.lambda_s3_data_migrate_handler
+ runtime = local.lambda_s3_data_migrate_runtime
+ policies = local.lambda_s3_data_migrate_policies
+ tracing = local.lambda_s3_data_migrate_tracing
+ timeout = 60
+
+ log_retention_in_days = local.lambda_log_retention_in_days
+
+ vpc_settings = {
+ subnet_ids = [data.aws_subnet.data_subnets_a.id, data.aws_subnet.data_subnets_b.id, data.aws_subnet.data_subnets_c.id]
+ security_group_ids = [aws_security_group.lambda_generic[0].id, ]
+ }
+
+ tags = merge(
+ local.all_tags,
+ {
+ Resource_Group = "dpr-operations"
+ Jira = "DPR2-1368"
+ Resource_Type = "lambda"
+ Name = local.lambda_s3_data_migrate_name
+ }
+ )
+
+ depends_on = [aws_iam_policy.s3_read_access_policy, aws_iam_policy.s3_read_write_policy, aws_iam_policy.kms_read_access_policy]
+}
\ No newline at end of file
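Review bot: The header comment `# Domain Builder Backend Lambda function` describes a different function; this module instantiates the S3 data lifecycle migration Lambda, so it should read `# S3 data lifecycle migration Lambda function`. `tracing = local.lambda_s3_data_migrate_tracing` references a local that the `locals.tf` hunk of this same commit does not define (the other `lambda_s3_data_migrate_*` locals are added there, but not `_tracing`), so this commit on its own will not pass `terraform validate`. The module is also given `timeout = 60` for a job that, judging by its name, walks and rewrites bucket contents; a comment saying whether the handler paginates and can resume after a timeout would tell a reader if that value is safe.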
diff --git a/terraform/environments/digital-prison-reporting/application_variables.json b/terraform/environments/digital-prison-reporting/application_variables.json index 18c80c7cd78..8e58007fb93 100644 --- a/terraform/environments/digital-prison-reporting/application_variables.json +++ b/terraform/environments/digital-prison-reporting/application_variables.json @@ -173,7 +173,8 @@ "enable_dbt_k8s_secrets": true, "dpr_generic_athena_workgroup": true, "analytics_generic_athena_workgroup": true, - "redshift_table_expiry_seconds": "604800" + "redshift_table_expiry_seconds": "604800", + "enable_s3_data_migrate_lambda": true }, "test": { "project_short_id": "dpr", @@ -348,7 +349,8 @@ "enable_dbt_k8s_secrets": true, "dpr_generic_athena_workgroup": true, "analytics_generic_athena_workgroup": true, - "redshift_table_expiry_seconds": "604800" + "redshift_table_expiry_seconds": "604800", + "enable_s3_data_migrate_lambda": true }, "preproduction": { "project_short_id": "dpr", @@ -543,7 +545,8 @@ ] } ], - "redshift_table_expiry_seconds": "604800" + "redshift_table_expiry_seconds": "604800", + "enable_s3_data_migrate_lambda": true }, "production": { "project_short_id": "dpr", @@ -733,7 +736,8 @@ ] } ], - "redshift_table_expiry_seconds": "86400" + "redshift_table_expiry_seconds": "86400", + "enable_s3_data_migrate_lambda": false } } } diff --git a/terraform/environments/digital-prison-reporting/locals.tf b/terraform/environments/digital-prison-reporting/locals.tf index fb54482bba6..6acdddf4aaf 100644 --- a/terraform/environments/digital-prison-reporting/locals.tf +++ b/terraform/environments/digital-prison-reporting/locals.tf 
@@ -427,4 +427,18 @@ locals { Name = local.application_name } ) + + # DPR Operations, + # S3 Data Migration Lambda + enable_s3_data_migrate_lambda = local.application_data.accounts[local.environment].enable_s3_data_migrate_lambda + lambda_s3_data_migrate_name = "${local.project}-s3-data-lifecycle-migration-lambda" + lambda_s3_data_migrate_code_s3_bucket = module.s3_artifacts_store.bucket_id + lambda_s3_data_migrate_code_s3_key = "build-artifacts/dpr-operations/py_files/dpr-s3-data-lifecycle-migration-lambda.py" + lambda_s3_data_migrate_handler = "dpr-s3-data-lifecycle-migration-lambda.lambda_handler" + lambda_s3_data_migrate_runtime = "python3.11" + lambda_s3_data_migrate_policies = [ + "arn:aws:iam::${local.account_id}:policy/${local.s3_read_access_policy}", + "arn:aws:iam::${local.account_id}:policy/${local.kms_read_access_policy}", + "arn:aws:iam::${local.account_id}:policy/${local.s3_read_write_policy}" + ] } From 20a095ad60003e756cc4fda0b0b84ef59ee2b155 Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Thu, 28 Nov 2024 11:51:35 +0000 Subject: [PATCH 03/13] Enable S3 Migration lambda --- ..._s3_data_migrate.tf => dpr_aws_s3_data_lifecycle_migrate.tf} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename terraform/environments/digital-prison-reporting/{Operations/aws_s3_data_migrate.tf => dpr_aws_s3_data_lifecycle_migrate.tf} (96%) diff --git a/terraform/environments/digital-prison-reporting/Operations/aws_s3_data_migrate.tf b/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf similarity index 96% rename from terraform/environments/digital-prison-reporting/Operations/aws_s3_data_migrate.tf rename to terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf index 35d7c06f093..187aff8582f 100644 --- a/terraform/environments/digital-prison-reporting/Operations/aws_s3_data_migrate.tf +++ b/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf 
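Review bot: `lambda_s3_data_migrate_policies` attaches both `s3_read_access_policy` and `s3_read_write_policy`; if the read-write policy already grants the read actions (its definition is outside this diff) the first attachment is redundant, and if these are the shared account-level S3 policies the migration function ends up with write access to every bucket they cover rather than only the buckets it migrates. A short comment recording the intended scope, e.g. `# Needs read/write only on <migration source/target buckets> — consider a scoped policy`, would make the blast radius reviewable, and a bucket-scoped policy would be the least-privilege fix. The `locals` block starts before this hunk.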
@@ -1,6 +1,6 @@ # Domain Builder Backend Lambda function module "aws_s3_data_migrate" { - source = "./modules/lambdas/generic" + source = "../modules/lambdas/generic" enable_lambda = local.enable_s3_data_migrate_lambda name = local.lambda_s3_data_migrate_name From 4fdddae3a719207061663bd364379c51731d0aa6 Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Thu, 28 Nov 2024 11:54:36 +0000 Subject: [PATCH 04/13] Enable S3 Migration lambda --- .../dpr_aws_s3_data_lifecycle_migrate.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf b/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf index 187aff8582f..35d7c06f093 100644 --- a/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf +++ b/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf @@ -1,6 +1,6 @@ # Domain Builder Backend Lambda function module "aws_s3_data_migrate" { - source = "../modules/lambdas/generic" + source = "./modules/lambdas/generic" enable_lambda = local.enable_s3_data_migrate_lambda name = local.lambda_s3_data_migrate_name From acbeff42f5c2a4bde7bca2c301d32e5446b5f0a6 Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Thu, 28 Nov 2024 12:06:37 +0000 Subject: [PATCH 05/13] Enable S3 Migration lambda --- terraform/environments/digital-prison-reporting/locals.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/digital-prison-reporting/locals.tf b/terraform/environments/digital-prison-reporting/locals.tf index 6acdddf4aaf..641731d9a1e 100644 --- a/terraform/environments/digital-prison-reporting/locals.tf +++ b/terraform/environments/digital-prison-reporting/locals.tf 
@@ -436,6 +436,7 @@ locals { lambda_s3_data_migrate_code_s3_key = "build-artifacts/dpr-operations/py_files/dpr-s3-data-lifecycle-migration-lambda.py" lambda_s3_data_migrate_handler = "dpr-s3-data-lifecycle-migration-lambda.lambda_handler" lambda_s3_data_migrate_runtime = "python3.11" + lambda_dbuilder_tracing = "PassThrough" lambda_s3_data_migrate_policies = [ "arn:aws:iam::${local.account_id}:policy/${local.s3_read_access_policy}", "arn:aws:iam::${local.account_id}:policy/${local.kms_read_access_policy}", From 59a4ee056e54e9ec0dfa66774da134515214ee1d Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Thu, 28 Nov 2024 12:19:15 +0000 Subject: [PATCH 06/13] Enable S3 Migration lambda --- terraform/environments/digital-prison-reporting/locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/digital-prison-reporting/locals.tf b/terraform/environments/digital-prison-reporting/locals.tf index 641731d9a1e..c7dd653e5f4 100644 --- a/terraform/environments/digital-prison-reporting/locals.tf +++ b/terraform/environments/digital-prison-reporting/locals.tf @@ -436,7 +436,7 @@ locals { lambda_s3_data_migrate_code_s3_key = "build-artifacts/dpr-operations/py_files/dpr-s3-data-lifecycle-migration-lambda.py" lambda_s3_data_migrate_handler = "dpr-s3-data-lifecycle-migration-lambda.lambda_handler" lambda_s3_data_migrate_runtime = "python3.11" - lambda_dbuilder_tracing = "PassThrough" + lambda_s3_data_migrate_tracing = "PassThrough" lambda_s3_data_migrate_policies = [ "arn:aws:iam::${local.account_id}:policy/${local.s3_read_access_policy}", "arn:aws:iam::${local.account_id}:policy/${local.kms_read_access_policy}", From 207dd4b60eb3b3d2c9925517b56d37f158428ebe Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Thu, 28 Nov 2024 12:40:27 +0000 Subject: [PATCH 07/13] Enable S3 Migration lambda --- terraform/environments/digital-prison-reporting/locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/terraform/environments/digital-prison-reporting/locals.tf b/terraform/environments/digital-prison-reporting/locals.tf index c7dd653e5f4..e3db7e1df24 100644 --- a/terraform/environments/digital-prison-reporting/locals.tf +++ b/terraform/environments/digital-prison-reporting/locals.tf @@ -433,7 +433,7 @@ locals { enable_s3_data_migrate_lambda = local.application_data.accounts[local.environment].enable_s3_data_migrate_lambda lambda_s3_data_migrate_name = "${local.project}-s3-data-lifecycle-migration-lambda" lambda_s3_data_migrate_code_s3_bucket = module.s3_artifacts_store.bucket_id - lambda_s3_data_migrate_code_s3_key = "build-artifacts/dpr-operations/py_files/dpr-s3-data-lifecycle-migration-lambda.py" + lambda_s3_data_migrate_code_s3_key = "build-artifacts/dpr-operations/py_files/dpr-s3-data-lifecycle-migration-lambda.zip" lambda_s3_data_migrate_handler = "dpr-s3-data-lifecycle-migration-lambda.lambda_handler" lambda_s3_data_migrate_runtime = "python3.11" lambda_s3_data_migrate_tracing = "PassThrough" From 772c6321a2da437b1ccdea88eb6279ae809617d4 Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Fri, 29 Nov 2024 10:38:56 +0000 Subject: [PATCH 08/13] Enable S3 Migration lambda --- terraform/environments/digital-prison-reporting/locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/digital-prison-reporting/locals.tf b/terraform/environments/digital-prison-reporting/locals.tf index e3db7e1df24..3027619a01d 100644 --- a/terraform/environments/digital-prison-reporting/locals.tf +++ b/terraform/environments/digital-prison-reporting/locals.tf 
@@ -433,7 +433,7 @@ locals { enable_s3_data_migrate_lambda = local.application_data.accounts[local.environment].enable_s3_data_migrate_lambda lambda_s3_data_migrate_name = "${local.project}-s3-data-lifecycle-migration-lambda" lambda_s3_data_migrate_code_s3_bucket = module.s3_artifacts_store.bucket_id - lambda_s3_data_migrate_code_s3_key = "build-artifacts/dpr-operations/py_files/dpr-s3-data-lifecycle-migration-lambda.zip" + lambda_s3_data_migrate_code_s3_key = "build-artifacts/dpr-operations/py_files/dpr-s3-data-lifecycle-migration-lambda-v1.zip" lambda_s3_data_migrate_handler = "dpr-s3-data-lifecycle-migration-lambda.lambda_handler" lambda_s3_data_migrate_runtime = "python3.11" lambda_s3_data_migrate_tracing = "PassThrough" From 5c2a52313d9514669268637298cfa83196f812b4 Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Fri, 29 Nov 2024 10:54:59 +0000 Subject: [PATCH 09/13] Enable S3 Migration lambda --- terraform/environments/digital-prison-reporting/locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/digital-prison-reporting/locals.tf b/terraform/environments/digital-prison-reporting/locals.tf index 3027619a01d..4296b1ec895 100644 --- a/terraform/environments/digital-prison-reporting/locals.tf +++ b/terraform/environments/digital-prison-reporting/locals.tf @@ -434,7 +434,7 @@ locals { lambda_s3_data_migrate_name = "${local.project}-s3-data-lifecycle-migration-lambda" lambda_s3_data_migrate_code_s3_bucket = module.s3_artifacts_store.bucket_id lambda_s3_data_migrate_code_s3_key = "build-artifacts/dpr-operations/py_files/dpr-s3-data-lifecycle-migration-lambda-v1.zip" - lambda_s3_data_migrate_handler = "dpr-s3-data-lifecycle-migration-lambda.lambda_handler" + lambda_s3_data_migrate_handler = "dpr-s3-data-lifecycle-migration-lambda-v1.lambda_handler" lambda_s3_data_migrate_runtime = "python3.11" lambda_s3_data_migrate_tracing = "PassThrough" lambda_s3_data_migrate_policies = [ 
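Review bot: The Lambda artifact is addressed only by a mutable S3 key (`.../dpr-s3-data-lifecycle-migration-lambda-v1.zip`) and nothing in this hunk pins the object; unless `modules/lambdas/generic` (outside the diff) sets `s3_object_version` or `source_code_hash`, overwriting that key in the artifacts bucket changes the deployed code with no Terraform diff. Bumping the `-v1` suffix by hand, as this hunk does, does not give that guarantee. Passing the object's version id or hash alongside the key, or a comment confirming the artifacts bucket is versioned and the module pins the version, would close that gap. The handler rename in the next hunk depends on the same key.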
From af8b70fbf283e25b3607ce99cf156dd13de75637 Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Fri, 29 Nov 2024 11:15:11 +0000 Subject: [PATCH 10/13] Adjust Timeout and Memory --- .../dpr_aws_s3_data_lifecycle_migrate.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf b/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf index 35d7c06f093..75236ef0eac 100644 --- a/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf +++ b/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf @@ -14,6 +14,12 @@ module "aws_s3_data_migrate" { log_retention_in_days = local.lambda_log_retention_in_days + # Set timeout to the maximum of 900 seconds (15 minutes) + timeout = 900 + + # Optional: Adjust memory size if needed + memory_size = 512 + vpc_settings = { subnet_ids = [data.aws_subnet.data_subnets_a.id, data.aws_subnet.data_subnets_b.id, data.aws_subnet.data_subnets_c.id] security_group_ids = [aws_security_group.lambda_generic[0].id, ] From 292e2a9f0f2feacac3a1dc06e98439b4ac6a1bfb Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Fri, 29 Nov 2024 11:16:06 +0000 Subject: [PATCH 11/13] Adjust Timeout and Memory --- .../dpr_aws_s3_data_lifecycle_migrate.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf b/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf index 75236ef0eac..9a04ba0ccab 100644 --- a/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf +++ b/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf 
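Review bot: `timeout = 900` is added while `timeout = 60` from the original file is still present above this hunk in the same `module "aws_s3_data_migrate"` block (the block starts before the hunk), so this commit in isolation fails with a duplicate-attribute error; the old line needs to go in the same commit. The two comments restate the values (`# Set timeout to the maximum of 900 seconds`, `# Optional: Adjust memory size if needed`) rather than saying why they were chosen; something like `# 15-minute hard cap: a run that hits it must be resumable, so the handler should paginate and checkpoint` and `# memory_size sized from observed peak usage of <measurement placeholder>` would tell the next reader what to check before changing them. Whether the handler actually paginates cannot be seen from this diff.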
@@ -18,7 +18,7 @@ module "aws_s3_data_migrate" { timeout = 900 # Optional: Adjust memory size if needed - memory_size = 512 + memory_size = 2048 vpc_settings = { subnet_ids = [data.aws_subnet.data_subnets_a.id, data.aws_subnet.data_subnets_b.id, data.aws_subnet.data_subnets_c.id] From 9a6b75962b058590541fab3ada98cba147585eb0 Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Fri, 29 Nov 2024 11:17:30 +0000 Subject: [PATCH 12/13] Adjust Timeout and Memory --- .../dpr_aws_s3_data_lifecycle_migrate.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf b/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf index 9a04ba0ccab..29ce32d7ef9 100644 --- a/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf +++ b/terraform/environments/digital-prison-reporting/dpr_aws_s3_data_lifecycle_migrate.tf @@ -10,7 +10,6 @@ module "aws_s3_data_migrate" { runtime = local.lambda_s3_data_migrate_runtime policies = local.lambda_s3_data_migrate_policies tracing = local.lambda_s3_data_migrate_tracing - timeout = 60 log_retention_in_days = local.lambda_log_retention_in_days From 2fe3b6543a83ad93b87a7c9d873320bb4a922bee Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Fri, 29 Nov 2024 12:44:28 +0000 Subject: [PATCH 13/13] Fix checkov warnings --- terraform/environments/digital-prison-reporting/sg.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/terraform/environments/digital-prison-reporting/sg.tf b/terraform/environments/digital-prison-reporting/sg.tf index a00ec259001..20d12db345c 100644 --- a/terraform/environments/digital-prison-reporting/sg.tf +++ b/terraform/environments/digital-prison-reporting/sg.tf 
@@ -40,6 +40,7 @@ resource "aws_security_group_rule" "lambda_ingress_generic" { } resource "aws_security_group_rule" "lambda_egress_generic" { + #checkov:skip=CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1" count = local.enable_generic_lambda_sg ? 1 : 0 type = "egress" @@ -88,6 +89,7 @@ resource "aws_security_group_rule" "serverless_gw_ingress" { } resource "aws_security_group_rule" "serverless_gw_egress" { + #checkov:skip=CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1" count = local.enable_dbuilder_serverless_gw ? 1 : 0 type = "egress" @@ -102,6 +104,7 @@ resource "aws_security_group_rule" "serverless_gw_egress" { # VPC Gateway Endpoint SG resource "aws_security_group" "gateway_endpoint_sg" { #checkov:skip=CKV_AWS_23: "Ensure every security group and rule has a description" + #checkov:skip=CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1" count = local.include_dbuilder_gw_vpclink ? 1 : 0
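Review bot: The added `#checkov:skip=CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"` repeats the check's title instead of giving a reason; the text after the check id is where the justification for an all-ports, all-destinations egress rule belongs, e.g. `#checkov:skip=CKV_AWS_382: "Lambda in private subnets needs outbound to AWS service endpoints; narrowing to VPC endpoint prefix lists tracked in <ticket placeholder>"`, and the same applies to the `serverless_gw_egress` and `gateway_endpoint_sg` hunks. The suppression leaves the open egress in place; the rule's `cidr_blocks` and ports are outside this hunk, so I cannot tell whether destination prefix lists for the endpoints the function uses would be enough, but that restriction is what the check is asking for. The `gateway_endpoint_sg` hunk is cut off at the end of the diff.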