Merge branch 'master' into TDRD-447-rds-api-upgrade-v16-intg

root_draft_metadata.tf

@@ -48,11 +48,22 @@ module "draft_metadata_api_gateway" {
 resource "aws_iam_role" "draft_metadata_api_gateway_execution_role" {
   name               = "TDRMetadataChecksAPIGatewayExecutionRole${title(local.environment)}"
   assume_role_policy = templatefile("./templates/iam_policy/assume_role_policy.json.tpl", { service = "apigateway.amazonaws.com" })
+}
 
-  inline_policy {
-    name   = "TDRMetadataChecksAPIGatewayStepFunctionExecutionPolicy${title(local.environment)}"
-    policy = templatefile("./templates/iam_policy/api_gateway_state_machine_policy.json.tpl", { account_id = data.aws_caller_identity.current.account_id, state_machine_arn = module.draft_metadata_checks.step_function_arn })
-  }
+resource "aws_iam_policy" "api_gateway_execution_policy" {
+  name = "TDRMetadataChecksAPIGatewayStepFunctionExecutionPolicy${title(local.environment)}"
+  policy = templatefile(
+    "./templates/iam_policy/api_gateway_state_machine_policy.json.tpl",
+    {
+      account_id        = data.aws_caller_identity.current.account_id,
+      state_machine_arn = module.draft_metadata_checks.step_function_arn
+    }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "api_gateway_execution_policy" {
+  role       = aws_iam_role.draft_metadata_api_gateway_execution_role.name
+  policy_arn = aws_iam_policy.api_gateway_execution_policy.arn
 }
 
 module "draft_metadata_bucket" {

root_keycloak.tf

@@ -166,7 +166,7 @@ module "keycloak_database_instance" {
   availability_zone       = local.database_availability_zone
   common_tags             = local.common_tags
   database_name           = "keycloak"
-  database_version        = "14.12"
+  database_version        = local.environment == "prod" ? "14.12" : "16.3"
   environment             = local.environment
   kms_key_id              = module.encryption_key.kms_key_arn
   private_subnets         = module.shared_vpc.private_subnets