Dev-to-Stage: Create ECR for dpsace-fulltext-harvester Application

.pre-commit-config.yaml

@@ -7,12 +7,12 @@ repos:
           - --args=-recursive
       - id: terraform_validate
   - repo: https://github.com/terraform-docs/terraform-docs
-    rev: "v0.21.0"
+    rev: "v0.23.0"
     hooks:
       - id: terraform-docs-go
         args: ["markdown", "table", "--config", "./.terraform-docs.yaml", "--recursive", "--output-file", "README.md", "./"]
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: '3.2.500'
+    rev: '3.2.526'
     hooks:
       - id: checkov
         verbose: false

README.md

@@ -125,6 +125,7 @@ This is a core infrastructure repository that defines infrastructure related to
 * [TIMDEX](https://github.com/MITLibraries/mitlib-tf-workloads-timdex-infrastructure)
   * [TIMDEX Application](https://github.com/MITLibraries/timdex)
   * [TIMDEX Dataset API](https://github.com/MITLibraries/timdex-dataset-api)
+  * [TIMDES DSpace Fulltext Harvester](https://github.com/MITLibraries/dspace-fulltext-harvester)
   * [TIMDEX Embeddings](https://github.com/MITLibraries/timdex-embeddings)
   * [TIMDEX Index Manager](https://github.com/MITLibraries/timdex-index-manager)
   * [TIMDEX Pipeline Lambdas](https://github.com/MITLibraries/timdex-pipeline-lambdas)
@@ -141,28 +142,28 @@ This is a core infrastructure repository that defines infrastructure related to
 
 * Owner: See [CODEOWNERS](./.github/CODEOWNERS)
 * Team: See [CODEOWNERS](./.github/CODEOWNERS)
-* Last Maintenance: 2026-03
+* Last Maintenance: 2026-05
 
 ## TF markdown is automatically inserted at the bottom of this file, nothing should be written beyond this point
 
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
-|------|---------|
+| ---- | ------- |
 | terraform | ~> 1.14 |
 | aws | ~> 6.0 |
 
 ## Providers
 
 | Name | Version |
-|------|---------|
-| aws | 6.35.0 |
+| ---- | ------- |
+| aws | 6.44.0 |
 
 ## Modules
 
 | Name | Source | Version |
-|------|--------|---------|
+| ---- | ------ | ------- |
 | ecr\_alma\_webhook\_lambdas | ./modules/ecr | n/a |
 | ecr\_apt | ./modules/ecr | n/a |
 | ecr\_asati | ./modules/ecr | n/a |
@@ -173,6 +174,7 @@ This is a core infrastructure repository that defines infrastructure related to
 | ecr\_cdps\_s3\_bagit\_validator\_west | ./modules/ecr | n/a |
 | ecr\_creditcardslips | ./modules/ecr | n/a |
 | ecr\_dsc | ./modules/ecr | n/a |
+| ecr\_dspace\_fulltext\_harvester | ./modules/ecr | n/a |
 | ecr\_dss | ./modules/ecr | n/a |
 | ecr\_hrqb\_client | ./modules/ecr | n/a |
 | ecr\_marimo | ./modules/ecr | n/a |
@@ -198,15 +200,15 @@ This is a core infrastructure repository that defines infrastructure related to
 ## Resources
 
 | Name | Type |
-|------|------|
+| ---- | ---- |
 | [aws_iam_policy.login](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy_document.login](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_ssm_parameter.oidc_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
+| ---- | ----------- | ---- | ------- | :------: |
 | appinput\_ssm\_path | Standard prefix in Parameter Store for Terraform outputs specifically needed by <app-name> | `string` | n/a | yes |
 | aws\_region | The AWS region where this infrastructure will be deployed. | `string` | `"us-east-1"` | no |
 | environment | The name of the environment/stage/workspace (e.g., `stage`, `prod`, `dev`) | `string` | n/a | yes |
@@ -219,7 +221,7 @@ This is a core infrastructure repository that defines infrastructure related to
 ## Outputs
 
 | Name | Description |
-|------|-------------|
+| ---- | ----------- |
 | alma\_webhook\_lambdas\_dev\_build\_workflow | Full contents of the dev-build.yml for the alma-webhook-lambdas repo |
 | alma\_webhook\_lambdas\_makefile | Full contents of the Makefile for the alma-webhook-lambdas repo (allows devs to push to Dev account only) |
 | alma\_webhook\_lambdas\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-webhook-lambdas repo |
@@ -256,6 +258,10 @@ This is a core infrastructure repository that defines infrastructure related to
 | dsc\_fargate\_makefile | Full contents of the Makefile for the dsc repo (allows devs to push to Dev account only) |
 | dsc\_fargate\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the dsc repo |
 | dsc\_fargate\_stage\_build\_workflow | Full contents of the stage-build.yml for the dsc repo |
+| dspace\_fulltext\_harvester\_fargate\_dev\_build\_workflow | Full contents of the dev-build.yml for the dspace-fulltext-harvester repo |
+| dspace\_fulltext\_harvester\_fargate\_makefile | Full contents of the Makefile for the dspace-fulltext-harvester repo (allows devs to push to Dev account only) |
+| dspace\_fulltext\_harvester\_fargate\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the dspace-fulltext-harvester repo |
+| dspace\_fulltext\_harvester\_fargate\_stage\_build\_workflow | Full contents of the stage-build.yml for the dspace-fulltext-harvester repo |
 | dss\_fargate\_dev\_build\_workflow | Full contents of the dev-build.yml for the dss repo |
 | dss\_fargate\_makefile | Full contents of the Makefile for the dss repo (allows devs to push to Dev account only) |
 | dss\_fargate\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the dss repo |

files/dev-build-cpu-arch-extra-region.tpl

@@ -3,15 +3,14 @@
 ### This should be added to jobs section of the dev-build.yml. If this is  ### 
 ### a Lambda function, uncomment the FUNCTION: line                        ###
 
-  deploy-${region}:
-    needs: prep
-    name: Dev Deploy ${region}
+  build-push-${region}:
+    name: Dev Build and Push ${region}
     uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-dev.yml@main
     secrets: inherit
     with:
       AWS_REGION: "${region}"
       GHA_ROLE: "${role}"
       ECR: "${ecr}"
-      CPU_ARCH: $${{ needs.prep.outputs.cpuarch }}
+      # DOCKERFILE: # only if the name of the Dockerfile is not "Dockerfile"!
       # FUNCTION: "${function}"
       # PREBUILD: 

files/dev-build-cpu-arch.tpl

@@ -19,42 +19,14 @@ permissions:
   contents: read
 
 jobs:
-  prep:
-    name: Prep for Build
-    runs-on: ubuntu-latest
-    outputs: 
-      cpuarch: $${{ steps.setarch.outputs.cpuarch }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v5
-
-      - name: Set CPU Architecture
-        id: setarch
-        run: |
-          echo "### :abacus: Architecture Selection" >> $GITHUB_STEP_SUMMARY
-          if [[ -f .aws-architecture ]]; then
-            ARCH=$(cat .aws-architecture)
-            echo "\`$ARCH\` was read from \`.aws-architecture\` and passed to the deploy job." >> $GITHUB_STEP_SUMMARY
-          else
-            ARCH="linux/amd64"
-            echo "No \`.aws-architecture\` file, so default \`$ARCH\` was passed to the deploy job." >> $GITHUB_STEP_SUMMARY
-          fi
-          if [[ "$ARCH" != "linux/arm64" && "$ARCH" != "linux/amd64" ]]; then
-            echo "$ARCH is INVALID architecture!"
-            echo "$ARCH is INVALID architecture!" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          fi
-          echo "cpuarch=$ARCH" >> $GITHUB_OUTPUT
-
-  deploy:
-    needs: prep
-    name: Dev Deploy
+  build-push:
+    name: Dev Build and Push
     uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-dev.yml@main
     secrets: inherit
     with:
       AWS_REGION: "${region}"
       GHA_ROLE: "${role}"
       ECR: "${ecr}"
-      CPU_ARCH: $${{ needs.prep.outputs.cpuarch }}
+      # DOCKERFILE: # only if the name of the Dockerfile is not "Dockerfile"!
       # FUNCTION: "${function}"
       # PREBUILD: 

files/prod-promote-cpu-arch-extra-region.tpl

@@ -1,9 +1,8 @@
 ### This should be added to jobs section of the prod-promote.yml.
 ### If this is a Lambda function, uncomment the FUNCTION: line
 
-  deploy-${region}:
-    needs: prep
-    name: Deploy ${region}
+  promote-${region}:
+    name: Prod promote ${region}
     uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-promote-prod.yml@main
     secrets: inherit
     with:
@@ -12,6 +11,6 @@
       GHA_ROLE_PROD: ${role_prod}
       ECR_STAGE: "${ecr_stage}"
       ECR_PROD: "${ecr_prod}"
-      CPU_ARCH: $${{ needs.prep.outputs.cpuarch }}
+      # DEFAULT_BRANCH: # Only if the default branch is not "main"!
       # FUNCTION: "${function}"
 

files/prod-promote-cpu-arch.tpl

@@ -14,36 +14,8 @@ permissions:
   contents: read
 
 jobs:
-  prep:
-    name: Prep for Promote
-    runs-on: ubuntu-latest
-    outputs: 
-      cpuarch: $${{ steps.setarch.outputs.cpuarch }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v5
-
-      - name: Set CPU Architecture
-        id: setarch
-        run: |
-          echo "### :abacus: Architecture Selection" >> $GITHUB_STEP_SUMMARY
-          if [[ -f .aws-architecture ]]; then
-            ARCH=$(cat .aws-architecture)
-            echo "\`$ARCH\` was read from \`.aws-architecture\` and passed to the deploy job." >> $GITHUB_STEP_SUMMARY
-          else
-            ARCH="linux/amd64"
-            echo "No \`.aws-architecture\` file, so default \`$ARCH\` was passed to the deploy job." >> $GITHUB_STEP_SUMMARY
-          fi
-          if [[ "$ARCH" != "linux/arm64" && "$ARCH" != "linux/amd64" ]]; then
-            echo "$ARCH is INVALID architecture!"
-            echo "$ARCH is INVALID architecture!" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          fi
-          echo "cpuarch=$ARCH" >> $GITHUB_OUTPUT
-
   deploy:
-    needs: prep
-    name: Deploy
+    name: Prod promote
     uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-promote-prod.yml@main
     secrets: inherit
     with:
@@ -52,6 +24,6 @@ jobs:
       GHA_ROLE_PROD: ${role_prod}
       ECR_STAGE: "${ecr_stage}"
       ECR_PROD: "${ecr_prod}"
-      CPU_ARCH: $${{ needs.prep.outputs.cpuarch }}
+      # DEFAULT_BRANCH: # Only if the default branch is not "main"!
       # FUNCTION: "${function}"
 

files/stage-build-cpu-arch-extra-region.tpl

@@ -3,15 +3,14 @@
 ### This should be added to jobs section of the stage-build.yml. If this   ### 
 ### is a Lambda function, uncomment the FUNCTION: line                     ###
 
-  deploy-${region}:
-    needs: prep
-    name: Stage Deploy ${region}
+  build-push-${region}:
+    name: Stage Build and Push ${region}
     uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-stage.yml@main
     secrets: inherit
     with:
       AWS_REGION: "${region}"
       GHA_ROLE: "${role}"
       ECR: "${ecr}"
-      CPU_ARCH: $${{ needs.prep.outputs.cpuarch }}
+      # DOCKERFILE: # only if the name of the Dockerfile is not "Dockerfile"!
       # FUNCTION: "${function}"
       # PREBUILD: 

files/stage-build-cpu-arch.tpl

@@ -19,42 +19,14 @@ permissions:
   contents: read
 
 jobs:
-  prep:
-    name: Prep for Build
-    runs-on: ubuntu-latest
-    outputs: 
-      cpuarch: $${{ steps.setarch.outputs.cpuarch }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v5
-
-      - name: Set CPU Architecture
-        id: setarch
-        run: |
-          echo "### :abacus: Architecture Selection" >> $GITHUB_STEP_SUMMARY
-          if [[ -f .aws-architecture ]]; then
-            ARCH=$(cat .aws-architecture)
-            echo "\`$ARCH\` was read from \`.aws-architecture\` and passed to the deploy job." >> $GITHUB_STEP_SUMMARY
-          else
-            ARCH="linux/amd64"
-            echo "No \`.aws-architecture\` file, so default \`$ARCH\` was passed to the deploy job." >> $GITHUB_STEP_SUMMARY
-          fi
-          if [[ "$ARCH" != "linux/arm64" && "$ARCH" != "linux/amd64" ]]; then
-            echo "$ARCH is INVALID architecture!"
-            echo "$ARCH is INVALID architecture!" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          fi
-          echo "cpuarch=$ARCH" >> $GITHUB_OUTPUT
-
-  deploy:
-    needs: prep
-    name: Stage Deploy
+  build-push:
+    name: Stage Build and Push
     uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-stage.yml@main
     secrets: inherit
     with:
       AWS_REGION: "${region}"
       GHA_ROLE: "${role}"
       ECR: "${ecr}"
-      CPU_ARCH: $${{ needs.prep.outputs.cpuarch }}
+      # DOCKERFILE: # only if the name of the Dockerfile is not "Dockerfile"!
       # FUNCTION: "${function}"
       # PREBUILD: 

matomo_ecr.tf

@@ -21,7 +21,7 @@ module "ecr_matomo" {
 ## For matomo application repo and ECR repository
 # Outputs in dev
 output "matomo_fargate_dev_build_workflow" {
-  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build-cpu-arch-extra-region.tpl", {
     region   = var.aws_region
     role     = module.ecr_matomo.gha_role
     ecr      = module.ecr_matomo.repository_name
@@ -31,7 +31,7 @@ output "matomo_fargate_dev_build_workflow" {
   description = "Full contents of the dev-build.yml for the matomo repo"
 }
 output "matomo_fargate_makefile" {
-  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile-cpu-arch.tpl", {
     ecr_name = module.ecr_matomo.repository_name
     ecr_url  = module.ecr_matomo.repository_url
     function = ""
@@ -42,7 +42,7 @@ output "matomo_fargate_makefile" {
 
 # Outputs in stage
 output "matomo_fargate_stage_build_workflow" {
-  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", {
+  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build-cpu-arch-extra-region.tpl", {
     region   = var.aws_region
     role     = module.ecr_matomo.gha_role
     ecr      = module.ecr_matomo.repository_name
@@ -54,7 +54,7 @@ output "matomo_fargate_stage_build_workflow" {
 
 # Outputs after promotion to prod
 output "matomo_fargate_prod_promote_workflow" {
-  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", {
+  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote-cpu-arch-extra-region.tpl", {
     region     = var.aws_region
     role_stage = "${module.ecr_matomo.repo_name}-gha-stage"
     role_prod  = "${module.ecr_matomo.repo_name}-gha-prod"