[Issue #2278] Attempting to add another S3 bucket for API usage (#2740)

## Summary
Fixes #2278

### Time to review: __3 mins__

## Changes proposed
Adding a 2nd bucket to store non-published Documents/Attachments
associated with Opportunities.

---------

Co-authored-by: kai [they] <[email protected]>

.github/workflows/cd-api-infra.yml

@@ -9,6 +9,17 @@ on:
       - "infra/api/**"
   release:
     types: [published]
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "target environment"
+        required: true
+        default: "dev"
+        type: choice
+        options:
+          - dev
+          - staging
+          - prod
 
 jobs:
   build-repository:

infra/api/service/draft_documents.tf

@@ -0,0 +1,83 @@
+resource "aws_s3_bucket" "draft_documents" {
+  bucket_prefix = "${var.service_name}-documents-draft"
+  force_destroy = false
+  # checkov:skip=CKV2_AWS_62:Event notification not necessary for this bucket especially due to likely use of lifecycle rules
+  # checkov:skip=CKV_AWS_18:Access logging was not considered necessary for this bucket
+  # checkov:skip=CKV_AWS_144:Not considered critical to the point of cross region replication
+  # checkov:skip=CKV_AWS_300:Known issue where Checkov gets confused by multiple rules
+  # checkov:skip=CKV_AWS_21:Bucket versioning is not worth it in this use case
+}
+
+resource "aws_s3_bucket_public_access_block" "draft_documents" {
+  bucket = aws_s3_bucket.draft_documents.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+data "aws_iam_policy_document" "draft_documents_put_access" {
+  statement {
+    effect = "Allow"
+    resources = [
+      aws_s3_bucket.draft_documents.arn,
+      "${aws_s3_bucket.draft_documents.arn}/*"
+    ]
+    actions = ["s3:*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_iam_role.app_service.arn]
+    }
+  }
+
+  statement {
+    sid    = "AllowSSLRequestsOnly"
+    effect = "Deny"
+    resources = [
+      aws_s3_bucket.draft_documents.arn,
+      "${aws_s3_bucket.draft_documents.arn}/*"
+    ]
+    actions = ["s3:*"]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = [false]
+    }
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+  }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "draft_documents" {
+  bucket = aws_s3_bucket.draft_documents.id
+
+  rule {
+    id     = "AbortIncompleteUpload"
+    status = "Enabled"
+    abort_incomplete_multipart_upload {
+      days_after_initiation = 7
+    }
+  }
+
+  # checkov:skip=CKV_AWS_300:There is a known issue where this check brings up false positives
+}
+
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "draft_documents_encryption" {
+  bucket = aws_s3_bucket.draft_documents.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "aws:kms"
+    }
+    bucket_key_enabled = true
+  }
+}
+
+resource "aws_s3_bucket_policy" "draft_documents" {
+  bucket = aws_s3_bucket.draft_documents.id
+  policy = data.aws_iam_policy_document.draft_documents_put_access.json
+}

infra/api/service/main.tf

@@ -144,7 +144,11 @@ module "service" {
     }
   } : null
 
-  extra_environment_variables = merge(local.service_config.extra_environment_variables, { "ENVIRONMENT" : var.environment_name })
+  extra_environment_variables = merge(
+    local.service_config.extra_environment_variables,
+    { "ENVIRONMENT" : var.environment_name },
+    { "DRAFTS_S3_BUCKET_ARN" : aws_s3_bucket.draft_documents.arn }
+  )
 
   secrets = concat(
     [for secret_name in keys(local.service_config.secrets) : {