Task/npt 951 dynamo db logging

.github/actions/cleardown-tf-state/action.yaml

@@ -0,0 +1,25 @@
+name: "Cleardown terraform state action"
+description: "Delete the terraform state"
+inputs:
+  workspace:
+        description: "The name of the workspace to action the infrastructure into."
+        required: true
+  environment:
+        description: "The name of the environment to action the infrastructure into."
+        required: true
+  stack:
+        description: "A single variable for the stack to be cleared."
+        required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Delete terraform state
+      id: delete_tf_state
+      shell: bash
+      env:
+        WORKSPACE: ${{ inputs.workspace }}
+        ENVIRONMENT: ${{ inputs.environment }}
+        STACK: ${{ inputs.stack }}
+      run: |
+        ./scripts/workflow/cleardown-terraform-state.sh

.github/workflows/artefacts-cleardown.yaml

@@ -26,6 +26,13 @@ on:
         description: "The type of permissions (e.g., account, app)"
         required: true
         type: string
+    secrets:
+      ACCOUNT_ID:
+        description: "AWS account ID for credentials"
+        required: true
+      MGMT_ACCOUNT_ID:
+        description: "AWS management account ID for credentials"
+        required: false
 
 jobs:
   cleardown-artefacts:

.github/workflows/infrastructure-cleardown.yaml

@@ -43,6 +43,13 @@ on:
         description: "The type of permissions (e.g., account, app)"
         required: true
         type: string
+    secrets:
+      ACCOUNT_ID:
+        description: "AWS account ID for credentials"
+        required: true
+      MGMT_ACCOUNT_ID:
+        description: "AWS management account ID for credentials"
+        required: true
 
 jobs:
   destroy-application-infrastructure:

.github/workflows/pipeline-infrastructure-cleardown.yaml

@@ -31,10 +31,17 @@ on:
         description: "Specify the workspace to cleardown"
         required: true
         type: string
-
 jobs:
   metadata:
-    if: github.actor != 'github-merge-queue[bot]'
+    if: >-
+      github.actor != 'github-merge-queue[bot]' &&
+      (
+        github.event_name != 'delete' ||
+        (
+          github.event.ref_type == 'branch' &&
+          (startsWith(github.event.ref, 'task/') || startsWith(github.event.ref, 'dependabot/'))
+        )
+      )
     name: "Get Metadata"
     uses: ./.github/workflows/metadata.yaml
 
@@ -49,7 +56,7 @@ jobs:
     with:
       environment: ${{ github.event.client_payload.environment || inputs.environment || needs.metadata.outputs.environment }}
       workspace: ${{ github.event.client_payload.workspace || inputs.workspace || needs.metadata.outputs.workspace }}
-      stacks: "['triage]"
+      stacks: "['triage']"
       application_tag: ${{ inputs.application_tag || github.event.client_payload.application_tag  || 'latest' }}
       commit_hash: ${{ needs.metadata.outputs.commit_hash }}
       workflow_timeout: 30

infrastructure/stacks/triage/alarms.tf

@@ -0,0 +1,49 @@
+locals {
+  dynamodb_alarm_table_names = {
+    starting_coords = module.starting_coords.dynamodb_table_name
+    triage_nodes    = module.triage_nodes.dynamodb_table_name
+    bodymaps        = module.bodymaps.dynamodb_table_name
+  }
+}
+
+resource "aws_cloudwatch_metric_alarm" "dynamodb_system_errors" {
+  for_each = var.enable_dynamodb_basic_alarms ? local.dynamodb_alarm_table_names : {}
+
+  alarm_name          = "${local.resource_prefix}-${each.key}-dynamodb-system-errors${local.workspace_suffix}"
+  alarm_description   = "DynamoDB system errors detected for ${each.value}"
+  namespace           = "AWS/DynamoDB"
+  metric_name         = "SystemErrors"
+  statistic           = "Sum"
+  period              = var.dynamodb_alarm_period_seconds
+  evaluation_periods  = var.dynamodb_alarm_evaluation_periods
+  threshold           = var.dynamodb_system_errors_threshold
+  comparison_operator = "GreaterThanThreshold"
+  treat_missing_data  = "notBreaching"
+  alarm_actions       = var.dynamodb_alarm_actions
+  ok_actions          = var.dynamodb_alarm_ok_actions
+
+  dimensions = {
+    TableName = each.value
+  }
+}
+
+resource "aws_cloudwatch_metric_alarm" "dynamodb_throttled_requests" {
+  for_each = var.enable_dynamodb_basic_alarms ? local.dynamodb_alarm_table_names : {}
+
+  alarm_name          = "${local.resource_prefix}-${each.key}-dynamodb-throttled-requests${local.workspace_suffix}"
+  alarm_description   = "DynamoDB throttled requests detected for ${each.value}"
+  namespace           = "AWS/DynamoDB"
+  metric_name         = "ThrottledRequests"
+  statistic           = "Sum"
+  period              = var.dynamodb_alarm_period_seconds
+  evaluation_periods  = var.dynamodb_alarm_evaluation_periods
+  threshold           = var.dynamodb_throttled_requests_threshold
+  comparison_operator = "GreaterThanThreshold"
+  treat_missing_data  = "notBreaching"
+  alarm_actions       = var.dynamodb_alarm_actions
+  ok_actions          = var.dynamodb_alarm_ok_actions
+
+  dimensions = {
+    TableName = each.value
+  }
+}

infrastructure/stacks/triage/s3.tf

@@ -1,4 +1,4 @@
 module "clinical_data_uploader_bucket" {
   source      = "../../modules/s3"
-  bucket_name = "${local.account_prefix}-clinical-data-uploader"
+  bucket_name = "${local.account_prefix}-clinical-data-uploader-${local.workspace_suffix}"
 }

infrastructure/stacks/triage/variables.tf

@@ -51,6 +51,7 @@ variable "log_retention_days" {
   description = "Number of days to retain CloudWatch logs for API Gateway access logs"
   type        = number
   default     = 365
+  default     = 365
 }
 
 # API Gateway X-Ray Tracing
@@ -71,3 +72,46 @@ variable "splunk_hec_token" {
   type        = string
   default     = ""
 }
+
+# DynamoDB basic alarms
+variable "enable_dynamodb_basic_alarms" {
+  description = "Enable basic CloudWatch alarms for DynamoDB table health metrics"
+  type        = bool
+  default     = true
+}
+
+variable "dynamodb_alarm_actions" {
+  description = "List of ARNs for CloudWatch alarm actions (for example SNS topic ARNs)"
+  type        = list(string)
+  default     = []
+}
+
+variable "dynamodb_alarm_ok_actions" {
+  description = "List of ARNs for CloudWatch OK actions"
+  type        = list(string)
+  default     = []
+}
+
+variable "dynamodb_alarm_period_seconds" {
+  description = "Period in seconds over which DynamoDB alarm metrics are evaluated"
+  type        = number
+  default     = 300
+}
+
+variable "dynamodb_alarm_evaluation_periods" {
+  description = "Number of periods over which data is compared to alarm threshold"
+  type        = number
+  default     = 1
+}
+
+variable "dynamodb_system_errors_threshold" {
+  description = "Threshold for the DynamoDB SystemErrors alarm"
+  type        = number
+  default     = 0
+}
+
+variable "dynamodb_throttled_requests_threshold" {
+  description = "Threshold for the DynamoDB ThrottledRequests alarm"
+  type        = number
+  default     = 0
+}

scripts/githooks/check-commit-message.sh

@@ -20,18 +20,17 @@ function check_jira_ref {
   fi
 
   echo $COMMIT_MESSAGE
-  return
+  return 0
 }
 
 function check_commit_message_format {
   COMMIT_MESSAGE="$1"
-  local regex='^(feat|fix|chore|docs|style|refactor|perf|test|ci|build|revert|style)(\([a-z0-9_-]+\))?: (SAET)-[0-9]+ .+'
+  local REGEX='^(feat|fix|chore|docs|style|refactor|perf|test|ci|build|revert|style)(\([a-z0-9_-]+\))?: (SAET)-[0-9]+ .+'
 
-  if ! [[ $COMMIT_MESSAGE =~ $regex ]]; then
+  if ! [[ $COMMIT_MESSAGE =~ $REGEX ]]; then
     echo -e "\033[0;31mInvalid conventional commit message format! Expected: <type>(<scope>): <JIRA-1234> <Description>\033[0m"
     return 1
   fi
-  return
 }
 
 function check_commit_message_length {
@@ -41,7 +40,6 @@ function check_commit_message_length {
     if [[ "$COMMIT_MESSAGE_LENGTH" -gt $GIT_COMMIT_MESSAGE_MAX_LENGTH ]] ; then
     echo "At $COMMIT_MESSAGE_LENGTH characters the commit message exceeds limit of $GIT_COMMIT_MESSAGE_MAX_LENGTH"
   fi
-  return
 }
 
 function check_git_commit_message {
@@ -55,7 +53,6 @@ function check_git_commit_message {
     [[ ! -z "$VALID_LENGTH" ]] && echo $VALID_LENGTH
     return 1
   fi
-  return
 }
 
 # ---- MAIN EXECUTION ----