CUMULUS-4364/4357: Backport to 20.2.x 4354/4272/4279 and Forward Release 4354 (#4130)

* CUMULUS-4354: Provider mismatches from CUMULUS-4191 preventing ingest (#4121)

* first commit - still need int/unit tests

* unit tests + small operator fix

* fixing tf var value

* fixing var name

* adding units for lambdas

* changing lambda var name casing + changelog update

* removing erroneous tf json state file

* small fixes to parsing of env var

* backport 20.2.3 release PR

* CUMULUS-4272: Support user-provided security group in RDS cluster (#4115)

* CUMULUS-4272:Support user-provided or snapshot-derived security group in tf-modules/cumulus-rds-tf

* changelog comment

* fix terraform syntex

* snapshot uses default sg if not provided

* update changelog

* add variable to example

* update security group reference

* CUMULUS-4279:Grant privileges on the public schema of the user database (#4110)

* CUMULUS-4279:Grant privileges on the public schema of the user database

* adding a release-20-2 stack for CI

* CUMULUS-4275: Fix unit tests broken by updated HTTP error messages in got (#4102)

* fix send-pan unit test http error

* fix test-HttpsProviderClient ci unit test

---------

Co-authored-by: jennyhliu <34660846+jennyhliu@users.noreply.github.com>

Author: Nnaga1

CHANGELOG.md

@@ -6,6 +6,39 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 
+## [v20.2.3] 2025-12-01
+
+### Notable Changes
+
+- **CUMULUS-4272**
+  - The `tf-modules/cumulus-rds-tf` module now allows specifying an existing security group.
+    This enhancement enables DAACs to migrate their existing RDS deployments to Aurora while
+    reusing their existing security group, ensuring compatibility with existing
+    `data-persistence-tf` and `cumulus-tf` modules.
+
+### Fixed
+
+- **CUMULUS-4279**
+  - Updated the `ProvisionPostgresDatabase` Lambda to grant `create` and `usage` privileges
+    on the public schema of the user database to the database user.
+    This change is required because, starting with PostgreSQL 15, new databases assign ownership
+    of the public schema to the pg_database_owner role. Existing clusters upgraded from versions
+    prior to v15 preserve the previous ownership of the public schema.
+- **CUMULUS-4275**
+  - Fixed unit tests broken by updated HTTP error messages in got
+
+### Added
+
+- **CUMULUS-4272**
+  - Added `input_security_group_id` variable to `tf-modules/cumulus-rds-tf` module to allow
+    specifying an existing security group when creating or restoring an Aurora PostgreSQL RDS cluster.
+
+- **CUMULUS-4354**
+  - Added an optional terraform-configurable lambda level env variable `allow_provider_mismatch_on_rule_filter` to `message-consumer` and `sqs-message-consumer` to check
+  whether to consider rule/message provider mismatches
+  - Added a `rule.meta.allowProviderMismatchOnRuleFilter` check to `filterRulesByRuleParams` as a rule-level fallback to check
+  whether to consider rule/message provider mismatches for the specific rule
+
 ## [v20.2.2] 2025-10-08
 
 ### Changed
@@ -8666,7 +8699,8 @@ Note: There was an issue publishing 1.12.0. Upgrade to 1.12.1.
 ## [v1.0.0] - 2018-02-23
 
 
-[Unreleased]: https://github.com/nasa/cumulus/compare/v20.2.2...HEAD
+[Unreleased]: https://github.com/nasa/cumulus/compare/v20.2.3...HEAD
+[v20.2.3]: https://github.com/nasa/cumulus/compare/v20.2.2...v20.2.3
 [v20.2.2]: https://github.com/nasa/cumulus/compare/v20.2.1...v20.2.2
 [v20.2.1]: https://github.com/nasa/cumulus/compare/v20.2.0...v20.2.1
 [v20.2.0]: https://github.com/nasa/cumulus/compare/v20.1.2...v20.2.0

example/cumulus-tf/main.tf

@@ -213,6 +213,9 @@ module "cumulus" {
   additional_log_groups_to_elk = var.additional_log_groups_to_elk
 
   tags = local.tags
+
+  # For message consumer lambdas in order to disable rule/message mismatches
+  allow_provider_mismatch_on_rule_filter = var.allow_provider_mismatch_on_rule_filter
 }
 
 resource "aws_security_group" "no_ingress_all_egress" {

example/cumulus-tf/variables.tf

@@ -200,6 +200,12 @@ variable "default_s3_multipart_chunksize_mb" {
   default = 256
 }
 
+variable "allow_provider_mismatch_on_rule_filter" {
+  description = "optional variable to be used in message_consumer lambdas for disabling rule/message provider mismatches"
+  type = bool
+  default = false
+}
+
 variable "tea_distribution_url" {
   type    = string
   default = null

example/data-persistence-tf/main.tf

@@ -36,7 +36,8 @@ module "provision_database" {
   permissions_boundary_arn               = var.permissions_boundary_arn
   rds_user_password                      = var.rds_user_password == "" ? random_string.db_pass.result : var.rds_user_password
   rds_connection_timing_configuration    = var.rds_connection_timing_configuration
-  dbRecreation                           = true
+  # dbRecreation should not be enabled in production
+  dbRecreation                           = var.dbRecreation
   lambda_timeouts                        = var.lambda_timeouts
   lambda_memory_sizes                    = var.lambda_memory_sizes
 }

example/data-persistence-tf/variables.tf

@@ -90,3 +90,10 @@ variable "lambda_timeouts" {
     ProvisionPostgresDatabase = 600 # data-persistence
   }
 }
+
+variable "dbRecreation" {
+  type        = bool
+  description = "**Warning** Data loss will occur if set to 'true'. Boolean flag to set user database to be wiped and recreated on provision for each deploy"
+  default     = true
+}
+

example/deployments/cumulus/cumulus-std.tfvars

@@ -63,3 +63,5 @@ lambda_timeouts = {
   queue_granules_task_timeout: 900,
   discover_granules_task_timeout: 900
 }
+
+dbRecreation = false

example/deployments/cumulus/release-20-2-ci-tf.tfvars

@@ -0,0 +1 @@
+prefix = "release-20-2-ci-tf"

example/deployments/data-persistence/release-20-2-ci-tf.tfvars

@@ -0,0 +1 @@
+prefix = "release-20-2-ci-tf"

example/deployments/db-migration/release-20-2-ci-tf.tfvars

@@ -0,0 +1 @@
+prefix = "release-20-2-ci-tf"

example/lambdas/asyncOperations/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cumulus/test-async-operations",
-  "version": "20.2.2",
+  "version": "20.2.3",
   "description": "AsyncOperations Test Lambda",
   "main": "index.js",
   "private": true,