Merge branch 'main' into feature/eja-eli-204-add-api-gateway

Author: eddalmond1

README.md

@@ -16,22 +16,22 @@ The software will only be used for signposting an individual to an appropriate s
   - [Setup](#setup)
     - [Prerequisites](#prerequisites)
     - [Configuration](#configuration)
-      - [Environment variables](#environment-variables)
+      - [Environment variables - Local](#environment-variables---local)
+      - [Environment variables - DEV, PROD or PRE-PROD](#environment-variables---dev-prod-or-pre-prod)
   - [Usage](#usage)
     - [Testing](#testing)
   - [Sandbox and Specification](#sandbox-and-specification)
   - [Conflict with yanai](#conflict-with-yanai)
   - [Creating a Postman collection](#creating-a-postman-collection)
   - [Design](#design)
     - [Diagrams](#diagrams)
-    - [Modularity](#modularity)
   - [Contributing](#contributing)
   - [Contacts](#contacts)
   - [Licence](#licence)
 
 ## Setup
 
-First, ensure [Pprerequisites](#prerequisites) are met. Then clone the repository, and install dependencies.
+First, ensure [Prerequisites](#prerequisites) are met. Then clone the repository, and install dependencies.
 
 ```shell
 git clone https://github.com/NHSDigital/eligibility-signposting-api.git
@@ -68,18 +68,32 @@ The following software packages, or their equivalents, are expected to be instal
 
 ### Configuration
 
-#### Environment variables
+#### Environment variables - Local
 
 | Variable                 | Default                      | Description                                                                                                                                                            |
 |--------------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `AWS_ACCESS_KEY_ID`      | `dummy_key`                  | AWS Access Key                                                                                                                                                         |
 | `AWS_DEFAULT_REGION`     | `eu-west-1`                  | AWS Region                                                                                                                                                             |
 | `AWS_SECRET_ACCESS_KEY`  | `dummy_secret`               | AWS Secret Access Key                                                                                                                                                  |
 | `DYNAMODB_ENDPOINT`      | `http://localhost:4566`      | Endpoint for the app to access DynamoDB                                                                                                                                |
+| `S3_ENDPOINT`            | `http://localhost:4566`      | Endpoint for the app to access S3                                                                                                                                      |
 | `ELIGIBILITY_TABLE_NAME` | `test_eligibility_datastore` | AWS DynamoDB table for person data.                                                                                                                                    |
-| `LOG_LEVEL`              | `WARNING`                    | Logging level. Must be one of `DEBUG`, `INFO`, `WARNING`, `ERROR` or `CRITICAL` as per [Logging Levels](https://docs.python.org/3/library/logging.html#logging-levels) |
+| `LOG_LEVEL`              | `WARNING`                    | Logging level. Must be one of `DEBUG`, `INFO`, `WARNING`, `ERROR` or `CRITICAL` as per [Logging Levels](https://docs.python.org/3/library/logging.html#logging-levels)                                                           |
 | `RULES_BUCKET_NAME`      | `test-rules-bucket`          | AWS S3 bucket from which to read rules.                                                                                                                                |
 
+#### Environment variables - DEV, PROD or PRE-PROD
+
+| Variable                 | Default                      | Description                                                                                                                                                            | Comments                                                                                                                       |
+|--------------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
+| `AWS_DEFAULT_REGION`     | `eu-west-1`                  | AWS Region                                                                                                                                                             |                                                                                                                                |
+| `AWS_ACCESS_KEY_ID`      | None                         | AWS Access Key                                                                                                                                                         | **AWS_ACCESS_KEY_ID** is set to None, <br/>because it is provided by the AWS environment automatically.                        |
+| `AWS_SECRET_ACCESS_KEY`  | None                         | AWS Secret Access Key                                                                                                                                                  | **AWS_SECRET_ACCESS_KEY** is set to None, <br/>because it is provided by the AWS environment automatically.                    |
+| `DYNAMODB_ENDPOINT`      | None                         | Endpoint for the app to access DynamoDB                                                                                                                                | **DYNAMODB_ENDPOINT** are set to None, <br/>since we are using aws service default endpoints which are provided automatically. |
+| `S3_ENDPOINT`            | None                         | Endpoint for the app to access S3                                                                                                                                      | **S3_ENDPOINT** are set to None, <br/>since we are using aws service default endpoints which are provided automatically.       |
+| `ELIGIBILITY_TABLE_NAME` | `test_eligibility_datastore` | AWS DynamoDB table for person data.                                                                                                                                    |                                                                                                                                |
+| `LOG_LEVEL`              | `WARNING`                    | Logging level. Must be one of `DEBUG`, `INFO`, `WARNING`, `ERROR` or `CRITICAL` as per [Logging Levels](https://docs.python.org/3/library/logging.html#logging-levels) |                                                                                                                                |
+| `RULES_BUCKET_NAME`      | `test-rules-bucket`          | AWS S3 bucket from which to read rules.                                                                                                                                |                                                                                                                                |
+
 ## Usage
 
 After a successful installation, provide an informative example of how this project can be used. Additional code snippets, screenshots and demos work well in this space. You may also link to the other documentation resources, e.g. the [User Guide](./docs/user-guide.md) to demonstrate more use cases and to show more features.
@@ -128,25 +142,91 @@ Local tests will use [localstack](https://www.localstack.cloud/), started & stop
 
 ### Diagrams
 
-The [C4 model](https://c4model.com/) is a simple and intuitive way to create software architecture diagrams that are clear, consistent, scalable and most importantly collaborative. This should result in documenting all the system interfaces, external dependencies and integration points.
-
-![Repository Template](./docs/diagrams/Repository_Template_GitHub_Generic.png)
-
-The source for diagrams should be in Git for change control and review purposes. Recommendations are [draw.io](https://app.diagrams.net/) (example above in [docs](.docs/diagrams/) folder) and [Mermaids](https://github.com/mermaid-js/mermaid). Here is an example Mermaids sequence diagram:
-
 ```mermaid
-sequenceDiagram
-    User->>+Service: GET /users?params=...
-    Service->>Service: auth request
-    Service->>Database: get all users
-    Database-->>Service: list of users
-    Service->>Service: filter users
-    Service-->>-User: list[User]
-```
+graph TB
+    subgraph "System Context"
+        direction TB
+        Client["NHS App / Client"]
+        Consumer["Postman / Consumer"]
+        API["Eligibility Signposting API"]
+        AWS["AWS"]
+    end
+
+    Client -->|"HTTP Request"| API
+    Consumer -->|"HTTP Request"| API
+    API -->|"Deployed on"| AWS
+
+    subgraph "Container Diagram"
+        direction TB
+        subgraph "AWS Infrastructure"
+            direction TB
+            APIGW["API Gateway"]
+            Lambda["Python Lambda (app.py)"]
+            DynamoDB["DynamoDB Table"]
+            S3Bucket["S3 Bucket (rules)"]
+            IAM["IAM Roles & Policies"]
+        end
+        subgraph "CI/CD Pipeline"
+            direction TB
+            GH["GitHub Actions"]
+            TF["Terraform"]
+        end
+    end
+
+    Client -->|"HTTPS POST /eligibility"| APIGW
+    APIGW -->|"Invoke"| Lambda
+    Lambda -->|"GetItem/PutItem"| DynamoDB
+    Lambda -->|"GetObject"| S3Bucket
+    Lambda -->|"Uses"| IAM
+
+    GH -->|"runs pipelines"| TF
+    TF -->|"provisions"| APIGW
+    TF -->|"provisions"| DynamoDB
+    TF -->|"provisions"| S3Bucket
+    TF -->|"provisions"| IAM
+
+    subgraph "Eligibility Lambda Function - Components"
+        direction TB
+        App["app.py (WireUp DI)"]
+        Config["config.py, error_handler.py"]
+        subgraph "Presentation Layer"
+            direction TB
+            View["views/eligibility.py"]
+            ResponseModel["views/response_model/eligibility.py"]
+        end
+        subgraph "Business Logic Layer"
+            direction TB
+            Service["services/eligibility_services.py"]
+            Operators["services/rules/operators.py"]
+        end
+        subgraph "Data Access Layer"
+            direction TB
+            RepoElig["repos/eligibility_repo.py"]
+            RepoRules["repos/rules_repo.py"]
+            Factory["repos/factory.py, exceptions.py"]
+        end
+        subgraph "Models"
+            direction TB
+            ModelElig["model/eligibility.py"]
+            ModelRules["model/rules.py"]
+        end
+    end
+
+    Lambda -->|"loads"| App
+    App -->|injects| View
+    View -->|calls| Service
+    Service -->|calls| Operators
+    Service -->|calls| RepoElig
+    Service -->|calls| RepoRules
+    RepoElig -->|uses| DynamoDB
+    RepoRules -->|uses| S3Bucket
+    View -->|uses| ResponseModel
+    App -->|reads| Config
+    Service -->|uses| ModelElig
+    Operators -->|uses| ModelRules
+    App -->|wires| Factory
 
-### Modularity
-
-Most of the projects are built with customisability and extendability in mind. At a minimum, this can be achieved by implementing service level configuration options and settings. The intention of this section is to show how this can be used. If the system processes data, you could mention here for example how the input is prepared for testing - anonymised, synthetic or live data.
+```
 
 ## Contributing
 

infrastructure/.gitignore

@@ -3,6 +3,9 @@
 # Local .terraform directories
 **/.terraform/*
 
+# Ignore lock file
+*.terraform.lock.hcl
+
 # .tfstate files
 *.tfstate
 *.tfstate.*

infrastructure/Makefile

@@ -14,7 +14,7 @@ guard-%:
 # Initializes the Terraform configuration for the specified stack and environment.
 terraform-init: guard-env guard-stack
 	rm -rf ./stacks/$(stack)/.terraform
-	terraform -chdir=./stacks/$(stack) init -backend-config=backends/$(env).$(stack).tfbackend -upgrade -reconfigure
+	terraform -chdir=./stacks/$(stack) init -backend-config=backends/$(env).$(stack).tfbackend -upgrade
 	terraform -chdir=./stacks/$(stack) get -update
 
 # Selects or creates a Terraform workspace for the specified stack and environment.

infrastructure/modules/dynamodb/kms.tf

@@ -3,6 +3,7 @@ resource "aws_kms_key" "dynamodb_cmk" {
   deletion_window_in_days = 14
   is_enabled              = true
   enable_key_rotation     = true
+  tags                    = var.tags
 }
 
 resource "aws_kms_alias" "dynamodb_cmk" {

infrastructure/modules/dynamodb/outputs.tf

@@ -5,3 +5,12 @@ output "arn" {
 output "table_name" {
   value = aws_dynamodb_table.dynamodb_table.name
 }
+
+output "dynamodb_kms_key_arn" {
+  value = aws_kms_key.dynamodb_cmk.arn
+}
+
+output "dynamodb_kms_key_id" {
+  value = aws_kms_key.dynamodb_cmk.id
+}
+

infrastructure/modules/lambda/default_variables.tf

@@ -0,0 +1 @@
+../_shared/default_variables.tf

infrastructure/modules/lambda/kms.tf

@@ -0,0 +1,12 @@
+resource "aws_kms_key" "lambda_cmk" {
+  description             = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.lambda_func_name} Master Key"
+  deletion_window_in_days = 14
+  is_enabled              = true
+  enable_key_rotation     = true
+  tags                    = var.tags
+}
+
+resource "aws_kms_alias" "lambda_cmk" {
+  name          = "alias/${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.lambda_func_name}-cmk"
+  target_key_id = aws_kms_key.lambda_cmk.key_id
+}

infrastructure/modules/lambda/lambda.tf

@@ -0,0 +1,26 @@
+resource "aws_lambda_function" "eligibility_signposting_lambda" {
+  # If the file is not in the current working directory you will need to include a
+  # path.module in the filename.
+  filename      = var.file_name
+  function_name = var.lambda_func_name
+  role          = var.eligibility_lambda_role_arn
+  handler       = var.handler
+
+  source_code_hash = filebase64sha256(var.file_name)
+
+  runtime     = "python3.13"
+  timeout     = 30
+  memory_size = 128 # Default
+
+  environment {
+    variables = {
+      ELIGIBILITY_TABLE_NAME = var.eligibility_status_table_name,
+      RULES_BUCKET_NAME      = var.eligibility_rules_bucket_name,
+      ENV                    = var.environment
+    }
+  }
+  vpc_config {
+    subnet_ids         = var.vpc_intra_subnets
+    security_group_ids = var.security_group_ids
+  }
+}

infrastructure/modules/lambda/outputs.tf

@@ -0,0 +1,6 @@
+output "aws_lambda_function_id" {
+  value = aws_lambda_function.eligibility_signposting_lambda.id
+}
+output "aws_lambda_function_arn" {
+  value = aws_lambda_function.eligibility_signposting_lambda.arn
+}

infrastructure/modules/lambda/variables.tf

@@ -0,0 +1,45 @@
+variable "workspace" {
+  description = "Usually the developer short code or the name of the environment."
+  type        = string
+}
+
+variable "eligibility_lambda_role_arn" {
+  description = "lambda read role arn for dynamodb"
+  type        = string
+}
+
+variable "lambda_func_name" {
+  description = "Name of the Lambda function"
+  type        = string
+}
+
+variable "vpc_intra_subnets" {
+  description = "vpc private subnets for lambda"
+  type        = list(string)
+}
+
+variable "security_group_ids" {
+  description = "security groups for lambda"
+  type        = list(string)
+}
+
+variable "file_name" {
+  description = "path of the the zipped lambda"
+  type        = string
+}
+
+variable "handler" {
+  description = "lambda handler name"
+  type        = string
+}
+
+variable "eligibility_rules_bucket_name" {
+  description = "campaign config rules bucket name"
+  type        = string
+}
+
+variable "eligibility_status_table_name" {
+  description = "eligibility datastore table name"
+  type        = string
+}
+