Merge branch 'develop' into feature/made14-NRL-1631-multi-pointer-warnings

mattdean3-nhs · web-flow · commit 7cbedca3bc04 · 2025-10-17T10:33:48.000+01:00
diff --git a/Makefile b/Makefile
@@ -201,6 +201,9 @@ truststore-build-ca: check-warn ## Build a CA (Certificate Authority)
 truststore-build-cert: check-warn ## Build a certificate
 	@./scripts/truststore.sh build-cert "$(CA_NAME)" "$(CERT_NAME)" "$(CERT_SUBJECT)"
 
+truststore-pull-all: check-warn ## Pull all certificates
+	@./scripts/truststore.sh pull-all "$(ENV)"
+
 truststore-pull-server: check-warn ## Pull a server certificate
 	@./scripts/truststore.sh pull-server "$(ENV)"
 
diff --git a/README.md b/README.md
@@ -37,6 +37,36 @@ Then install all the dependency packages with:
 make configure
 ```
 
+### Set up AWS CLI access
+
+There are several ways to set up your AWS CLI access. The recommended way is to use [granted](https://docs.commonfate.io/granted/getting-started). Follow the instructions on their website to install and configure `granted`.
+
+One of the gotchas with using `granted` is that you need to ensure that you source the environment variables into your shell session. You can do this by running:
+
+```
+source assume <profile>
+```
+
+Where `<profile>` is one of the profiles which should be in your `~/.aws/config`. You can customize the profile names to your liking.
+
+From here on, you can use the AWS CLI as normal and run commands that need AWS access on that terminal session.
+
+As a short guideline about profiles to assume for a typical workflow:
+
+- Assume mgmt account for stack specific terraform deployment as indicated in `terraform/infrastructure/README.md`.
+- Assume the specific environment for running feature tests against that environment.
+
+### Set up NRLF certificates
+
+In order to execute make commands that need AWS access, you will need to pull the NRLF certificates.
+In order to do this, make sure you have AWS CLI installed and configured, then run:
+
+```
+make ENV=env truststore-pull-all
+```
+
+Where `env` is one of `dev`, `qa` , `int`, `ref` or `prod`.
+
 ## Getting Started
 
 To build packages:
diff --git a/api/producer/createDocumentReference/tests/test_create_document_reference.py b/api/producer/createDocumentReference/tests/test_create_document_reference.py
@@ -45,7 +45,7 @@ def test_create_document_reference_happy_path(repository: DocumentPointerReposit
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
+            "Location": "/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -111,7 +111,7 @@ def test_create_document_reference_happy_path_with_ssp(
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
+            "Location": "/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -1270,7 +1270,7 @@ def test_create_document_reference_supersede_deletes_old_pointers_replace(
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
+            "Location": "/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -1329,7 +1329,7 @@ def test_create_document_reference_supersede_succeeds_with_toggle(
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
+            "Location": "/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -1444,7 +1444,7 @@ def test_create_document_reference_create_relatesto_not_replaces(
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
+            "Location": "/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -1496,7 +1496,7 @@ def test_create_document_reference_with_date_ignored(
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
+            "Location": "/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -1562,7 +1562,7 @@ def test_create_document_reference_with_date_and_meta_lastupdated_ignored(
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
+            "Location": "/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -1626,7 +1626,7 @@ def test_create_document_reference_with_date_overidden(
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
+            "Location": "/DocumentReference/Y05868-00000000-0000-0000-0000-000000000001",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
diff --git a/api/producer/upsertDocumentReference/tests/test_upsert_document_reference.py b/api/producer/upsertDocumentReference/tests/test_upsert_document_reference.py
@@ -43,7 +43,7 @@ def test_upsert_document_reference_happy_path(repository: DocumentPointerReposit
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-99999-99999-999999",
+            "Location": "/DocumentReference/Y05868-99999-99999-999999",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -105,7 +105,7 @@ def test_upsert_document_reference_happy_path_with_ssp(
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-99999-99999-999999",
+            "Location": "/DocumentReference/Y05868-99999-99999-999999",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -915,7 +915,7 @@ def test_upsert_document_reference_invalid_relatesto_not_exists_still_creates_wi
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-99999-99999-999999",
+            "Location": "/DocumentReference/Y05868-99999-99999-999999",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -1249,7 +1249,7 @@ def test_upsert_document_reference_supersede_deletes_old_pointers_replace(
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-99999-99999-111111",
+            "Location": "/DocumentReference/Y05868-99999-99999-111111",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -1307,7 +1307,7 @@ def test_upsert_document_reference_supersede_succeeds_with_toggle(
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-99999-99999-999999",
+            "Location": "/DocumentReference/Y05868-99999-99999-999999",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -1421,7 +1421,7 @@ def test_upsert_document_reference_create_relatesto_not_replaces(
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-99999-99999-111111",
+            "Location": "/DocumentReference/Y05868-99999-99999-111111",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -1472,7 +1472,7 @@ def test_upsert_document_reference_with_date_ignored(
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-99999-99999-999999",
+            "Location": "/DocumentReference/Y05868-99999-99999-999999",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -1534,7 +1534,7 @@ def test_upsert_document_reference_with_date_and_meta_lastupdated_ignored(
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-99999-99999-999999",
+            "Location": "/DocumentReference/Y05868-99999-99999-999999",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
@@ -1594,7 +1594,7 @@ def test_upsert_document_reference_with_date_overidden(
     assert result == {
         "statusCode": "201",
         "headers": {
-            "Location": "/producer/FHIR/R4/DocumentReference/Y05868-99999-99999-999999",
+            "Location": "/DocumentReference/Y05868-99999-99999-999999",
             **default_response_headers(),
         },
         "isBase64Encoded": False,
diff --git a/layer/nrlf/core/constants.py b/layer/nrlf/core/constants.py
@@ -48,7 +48,7 @@ class Source(Enum):
 X_CORRELATION_ID_HEADER = "X-Correlation-Id"
 
 
-PRODUCER_URL_PATH = "/producer/FHIR/R4/DocumentReference"
+PRODUCER_URL_PATH = "/DocumentReference"
 
 
 class PointerTypes(Enum):
diff --git a/terraform/account-wide-infrastructure/dev/domain.tf b/terraform/account-wide-infrastructure/dev/domain.tf
@@ -1,14 +1,16 @@
 
 module "dev-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.dev_api_domain_name
-  domain_zone           = aws_route53_zone.dev-ns.name
-  mtls_certificate_file = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.dev_api_domain_name
+  domain_zone                   = aws_route53_zone.dev-ns.name
+  mtls_certificate_file         = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.dev-truststore-bucket.certificates_object_version
 }
 
 module "devsandbox-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.devsandbox_api_domain_name
-  domain_zone           = aws_route53_zone.dev-ns.name
-  mtls_certificate_file = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.devsandbox_api_domain_name
+  domain_zone                   = aws_route53_zone.dev-ns.name
+  mtls_certificate_file         = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.dev-truststore-bucket.certificates_object_version
 }
diff --git a/terraform/account-wide-infrastructure/dev/dynamodb__pointers-table.tf b/terraform/account-wide-infrastructure/dev/dynamodb__pointers-table.tf
@@ -1,7 +1,7 @@
 module "dev-pointers-table" {
   source         = "../modules/pointers-table"
   name_prefix    = "nhsd-nrlf--dev"
-  enable_backups = true
+  enable_backups = false
 }
 
 module "dev-sandbox-pointers-table" {
diff --git a/terraform/account-wide-infrastructure/dev/s3.tf b/terraform/account-wide-infrastructure/dev/s3.tf
@@ -1,7 +1,7 @@
 module "dev-permissions-store-bucket" {
   source         = "../modules/permissions-store-bucket"
   name_prefix    = "nhsd-nrlf--dev"
-  enable_backups = true
+  enable_backups = false
 }
 
 module "dev-sandbox-permissions-store-bucket" {
@@ -13,7 +13,7 @@ module "dev-truststore-bucket" {
   source                  = "../modules/truststore-bucket"
   name_prefix             = "nhsd-nrlf--dev"
   server_certificate_file = "../../../truststore/server/dev.pem"
-  enable_backups          = true
+  enable_backups          = false
 }
 
 module "dev-sandbox-truststore-bucket" {
diff --git a/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf b/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf
@@ -99,6 +99,19 @@ module "developer_policy" {
         "${data.aws_s3_bucket.ci_logging.arn}/*"
       ]
     },
+    {
+      Action = [
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:DeleteObject"
+      ]
+      Effect = "Deny"
+      Resource = [
+        "${data.aws_s3_bucket.truststore.arn}/ca/prod*",
+        "${data.aws_s3_bucket.truststore.arn}/client/prod*",
+        "${data.aws_s3_bucket.truststore.arn}/server/prod*"
+      ]
+    },
     {
       Action = [
         "s3:GetObject"
diff --git a/terraform/account-wide-infrastructure/modules/env-custom-domain-name/apigateway.tf b/terraform/account-wide-infrastructure/modules/env-custom-domain-name/apigateway.tf
@@ -7,7 +7,8 @@ resource "aws_api_gateway_domain_name" "domain" {
   }
 
   mutual_tls_authentication {
-    truststore_uri = var.mtls_certificate_file
+    truststore_uri     = var.mtls_certificate_file
+    truststore_version = var.mtls_certificate_file_version
   }
 
   depends_on = [
diff --git a/terraform/account-wide-infrastructure/modules/env-custom-domain-name/vars.tf b/terraform/account-wide-infrastructure/modules/env-custom-domain-name/vars.tf
@@ -19,3 +19,8 @@ variable "mtls_certificate_file" {
   description = "The path to the mtls certificate file"
   type        = string
 }
+
+variable "mtls_certificate_file_version" {
+  description = "The S3 version of the mtls certificate file"
+  type        = string
+}
diff --git a/terraform/account-wide-infrastructure/modules/truststore-bucket/output.tf b/terraform/account-wide-infrastructure/modules/truststore-bucket/output.tf
@@ -7,3 +7,8 @@ output "certificates_object_key" {
   description = "Key of the truststore certificates object"
   value       = aws_s3_object.api_truststore_certificate.key
 }
+
+output "certificates_object_version" {
+  description = "Version of the truststore certificates object"
+  value       = aws_s3_object.api_truststore_certificate.version_id
+}
diff --git a/terraform/account-wide-infrastructure/prod/domain.tf b/terraform/account-wide-infrastructure/prod/domain.tf
@@ -1,8 +1,9 @@
 
 
 module "dev-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.prod_api_domain_name
-  domain_zone           = aws_route53_zone.prod-ns.name
-  mtls_certificate_file = "s3://${module.prod-truststore-bucket.bucket_name}/${module.prod-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.prod_api_domain_name
+  domain_zone                   = aws_route53_zone.prod-ns.name
+  mtls_certificate_file         = "s3://${module.prod-truststore-bucket.bucket_name}/${module.prod-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.prod-truststore-bucket.certificates_object_version
 }
diff --git a/terraform/account-wide-infrastructure/test/domain.tf b/terraform/account-wide-infrastructure/test/domain.tf
@@ -1,35 +1,40 @@
 
 module "qa-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.qa_api_domain_name
-  domain_zone           = aws_route53_zone.test-qa-ns.name
-  mtls_certificate_file = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.qa_api_domain_name
+  domain_zone                   = aws_route53_zone.test-qa-ns.name
+  mtls_certificate_file         = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.qa-truststore-bucket.certificates_object_version
 }
 
 module "qasandbox-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.qasandbox_api_domain_name
-  domain_zone           = aws_route53_zone.test-qa-ns.name
-  mtls_certificate_file = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.qasandbox_api_domain_name
+  domain_zone                   = aws_route53_zone.test-qa-ns.name
+  mtls_certificate_file         = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.qa-truststore-bucket.certificates_object_version
 }
 
 module "int-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.int_api_domain_name
-  domain_zone           = aws_route53_zone.test-int-ns.name
-  mtls_certificate_file = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.int_api_domain_name
+  domain_zone                   = aws_route53_zone.test-int-ns.name
+  mtls_certificate_file         = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.int-truststore-bucket.certificates_object_version
 }
 
 module "intsandbox-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.intsandbox_api_domain_name
-  domain_zone           = aws_route53_zone.test-int-ns.name
-  mtls_certificate_file = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.intsandbox_api_domain_name
+  domain_zone                   = aws_route53_zone.test-int-ns.name
+  mtls_certificate_file         = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.int-truststore-bucket.certificates_object_version
 }
 
 module "ref-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.ref_api_domain_name
-  domain_zone           = aws_route53_zone.test-ref-ns.name
-  mtls_certificate_file = "s3://${module.ref-truststore-bucket.bucket_name}/${module.ref-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.ref_api_domain_name
+  domain_zone                   = aws_route53_zone.test-ref-ns.name
+  mtls_certificate_file         = "s3://${module.ref-truststore-bucket.bucket_name}/${module.ref-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.ref-truststore-bucket.certificates_object_version
 }
diff --git a/terraform/infrastructure/domain.tf b/terraform/infrastructure/domain.tf
@@ -46,7 +46,8 @@ resource "aws_api_gateway_domain_name" "domain" {
   }
 
   mutual_tls_authentication {
-    truststore_uri = "s3://${data.aws_s3_object.api-truststore-certificate.bucket}/${data.aws_s3_object.api-truststore-certificate.key}"
+    truststore_uri     = "s3://${data.aws_s3_object.api-truststore-certificate.bucket}/${data.aws_s3_object.api-truststore-certificate.key}"
+    truststore_version = data.aws_s3_object.api-truststore-certificate.version_id
   }
 
   depends_on = [
diff --git a/tests/features/producer/createDocumentReference-success.feature b/tests/features/producer/createDocumentReference-success.feature
diff --git a/tests/features/steps/3_assert.py b/tests/features/steps/3_assert.py

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`module "dev-pointers-table" {`
`2`	`2`	`source = "../modules/pointers-table"`
`3`	`3`	`name_prefix = "nhsd-nrlf--dev"`
`4`		`- enable_backups = true`
	`4`	`+ enable_backups = false`
`5`	`5`	`}`
`6`	`6`
`7`	`7`	`module "dev-sandbox-pointers-table" {`
Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,8 @@ resource "aws_api_gateway_domain_name" "domain" {`
`7`	`7`	`}`
`8`	`8`
`9`	`9`	`mutual_tls_authentication {`
`10`		`- truststore_uri = var.mtls_certificate_file`
	`10`	`+ truststore_uri = var.mtls_certificate_file`
	`11`	`+ truststore_version = var.mtls_certificate_file_version`
`11`	`12`	`}`
`12`	`13`
`13`	`14`	`depends_on = [`