pulling in main

Author: TOEL2

infrastructure/stacks/networking/README.md

@@ -40,16 +40,14 @@ For a high-level overview, see the [VPC Structure Confluence Page](https://nhsd-
 
 ### Public HTTPS Request Flow
 
-1. External client makes HTTPS request → Internet Gateway
-2. Request routes to Load Balancer or API Gateway in public subnet
-3. Request forwards to Lambda (or other application) in private subnet
-4. Lambda processes the request and returns response
-5. Response returns to client through the same path
+1. External client makes HTTPS request to API Gateway
+2. Request forwards to Lambda (or other application) in private subnet
+3. Lambda processes the request and returns response
+4. Response returns to client through the same path
 
 ### Outbound Internet Access
 
-- Lambda functions in private subnets can make outbound internet calls via NAT Gateways
-- No direct inbound access to Lambda from the internet
+- No direct inbound or outbound access to Lambda from the internet
 
 ### Internal-Only Traffic
 
@@ -64,7 +62,6 @@ For a high-level overview, see the [VPC Structure Confluence Page](https://nhsd-
 
 ### Network ACLs
 
-- **Public subnets:** Allow HTTP (80), HTTPS (443), ephemeral ports
 - **Private subnets:** Allow VPC traffic and responses to outbound requests
 
 ### Security Groups
@@ -74,8 +71,7 @@ For a high-level overview, see the [VPC Structure Confluence Page](https://nhsd-
 
 ### Route Tables
 
-- **Public subnets:** Route to Internet Gateway for external access
-- **Private subnets:** Route to NAT Gateways for outbound-only access
+- **Private subnets:** Route to VPC Endpoints only
 
 ---
 

infrastructure/stacks/networking/acm_certificates.tf

@@ -28,8 +28,8 @@ resource "aws_acm_certificate" "domain_validation" {
   }
 
   tags = {
-    Region        = local.region
-    Stack         = local.stack_name
-    CerticateType = "DomainValidation"
+    Region          = local.region
+    Stack           = local.stack_name
+    CertificateType = "DomainValidation"
   }
 }

infrastructure/stacks/networking/internet_gateway.tf

@@ -1,9 +1,6 @@
 locals {
   any_ip_cidr           = "0.0.0.0/0"
   vpc_cidr_block        = "10.0.0.0/16"
-  public_subnet_1_cidr  = "10.0.3.0/24"
-  public_subnet_2_cidr  = "10.0.4.0/24"
-  public_subnet_3_cidr  = "10.0.5.0/24"
   private_subnet_1_cidr = "10.0.6.0/24"
   private_subnet_2_cidr = "10.0.7.0/24"
   private_subnet_3_cidr = "10.0.8.0/24"

infrastructure/stacks/networking/locals.tf

@@ -42,68 +42,3 @@ resource "aws_network_acl" "private" {
     Stack = local.stack_name
   }
 }
-
-# Network ACL for Public Subnets
-resource "aws_network_acl" "public" {
-  vpc_id = aws_vpc.main.id
-  subnet_ids = [
-    aws_subnet.public_1.id,
-    aws_subnet.public_2.id,
-    aws_subnet.public_3.id
-  ]
-
-  # Allow all outbound traffic from public subnets
-  egress {
-    rule_no    = 100
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    protocol   = -1
-    from_port  = 0
-    to_port    = 0
-  }
-
-  # Allow inbound HTTP
-  ingress {
-    rule_no    = 100
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    protocol   = "tcp"
-    from_port  = 80
-    to_port    = 80
-  }
-
-  # Allow inbound HTTPS
-  ingress {
-    rule_no    = 110
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    protocol   = "tcp"
-    from_port  = 443
-    to_port    = 443
-  }
-
-  # Allow responses to outbound requests (ephemeral ports)
-  ingress {
-    rule_no    = 120
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    protocol   = "tcp"
-    from_port  = 1024
-    to_port    = 65535
-  }
-
-  # Allow inbound VPC traffic
-  ingress {
-    rule_no    = 130
-    action     = "allow"
-    cidr_block = local.vpc_cidr_block
-    protocol   = -1
-    from_port  = 0
-    to_port    = 0
-  }
-
-  tags = {
-    Name  = "public-nacl",
-    Stack = local.stack_name
-  }
-}

infrastructure/stacks/networking/network_acls.tf

@@ -1,44 +1,3 @@
-# Public Route Tables
-resource "aws_route_table" "public_1" {
-  vpc_id = aws_vpc.main.id
-  tags = {
-    Name  = "public-route-1",
-    Stack = local.stack_name
-  }
-}
-
-resource "aws_route_table" "public_2" {
-  vpc_id = aws_vpc.main.id
-  tags = {
-    Name  = "public-route-2",
-    Stack = local.stack_name
-  }
-}
-
-resource "aws_route_table" "public_3" {
-  vpc_id = aws_vpc.main.id
-  tags = {
-    Name  = "public-route-3",
-    Stack = local.stack_name
-  }
-}
-
-# Associate Public Route Tables with Public Subnets
-resource "aws_route_table_association" "public_1" {
-  subnet_id      = aws_subnet.public_1.id
-  route_table_id = aws_route_table.public_1.id
-}
-
-resource "aws_route_table_association" "public_2" {
-  subnet_id      = aws_subnet.public_2.id
-  route_table_id = aws_route_table.public_2.id
-}
-
-resource "aws_route_table_association" "public_3" {
-  subnet_id      = aws_subnet.public_3.id
-  route_table_id = aws_route_table.public_3.id
-}
-
 # Private Route Tables
 resource "aws_route_table" "private_1" {
   vpc_id = aws_vpc.main.id
@@ -79,22 +38,3 @@ resource "aws_route_table_association" "private_association_3" {
   subnet_id      = aws_subnet.private_3.id
   route_table_id = aws_route_table.private_3.id
 }
-
-# Egress Internet Access
-resource "aws_route" "public_internet_access" {
-  route_table_id         = aws_route_table.public_1.id
-  destination_cidr_block = local.any_ip_cidr
-  gateway_id             = aws_internet_gateway.vpc_external_access.id
-}
-
-resource "aws_route" "public_internet_access_2" {
-  route_table_id         = aws_route_table.public_2.id
-  destination_cidr_block = local.any_ip_cidr
-  gateway_id             = aws_internet_gateway.vpc_external_access.id
-}
-
-resource "aws_route" "public_internet_access_3" {
-  route_table_id         = aws_route_table.public_3.id
-  destination_cidr_block = local.any_ip_cidr
-  gateway_id             = aws_internet_gateway.vpc_external_access.id
-}

infrastructure/stacks/networking/route_tables.tf

@@ -1,37 +1,3 @@
-# Public Subnets
-resource "aws_subnet" "public_1" {
-  vpc_id                  = aws_vpc.main.id
-  cidr_block              = local.public_subnet_1_cidr
-  availability_zone       = local.availability_zone_1
-  map_public_ip_on_launch = false
-  tags = {
-    Name  = "public-subnet-1",
-    Stack = local.stack_name
-  }
-}
-
-resource "aws_subnet" "public_2" {
-  vpc_id                  = aws_vpc.main.id
-  cidr_block              = local.public_subnet_2_cidr
-  availability_zone       = local.availability_zone_2
-  map_public_ip_on_launch = false
-  tags = {
-    Name  = "public-subnet-2",
-    Stack = local.stack_name
-  }
-}
-
-resource "aws_subnet" "public_3" {
-  vpc_id                  = aws_vpc.main.id
-  cidr_block              = local.public_subnet_3_cidr
-  availability_zone       = local.availability_zone_3
-  map_public_ip_on_launch = false
-  tags = {
-    Name  = "public-subnet-3",
-    Stack = local.stack_name
-  }
-}
-
 # Private Subnets
 resource "aws_subnet" "private_1" {
   vpc_id            = aws_vpc.main.id

infrastructure/stacks/networking/subnets.tf

@@ -29,6 +29,7 @@
 StartDate = NewType("StartDate", date)
 EndDate = NewType("EndDate", date)
 CohortLabel = NewType("CohortLabel", str)
+RuleStop = NewType("RuleStop", bool)
 
 
 class RuleType(StrEnum):
@@ -99,6 +100,13 @@ class IterationRule(BaseModel):
     operator: RuleOperator = Field(..., alias="Operator")
     comparator: RuleComparator = Field(..., alias="Comparator")
     attribute_target: RuleAttributeTarget | None = Field(None, alias="AttributeTarget")
+    rule_stop: RuleStop = Field(RuleStop(False), alias="RuleStop")  # noqa: FBT003
+
+    @field_validator("rule_stop", mode="before")
+    def parse_yn_to_bool(cls, v: str | bool) -> bool:  # noqa: N805
+        if isinstance(v, str):
+            return v.upper() == "Y"
+        return v
 
     model_config = {"populate_by_name": True, "extra": "ignore"}
 

src/eligibility_signposting_api/model/rules.py

@@ -106,11 +106,15 @@ def evaluate_eligibility_by_iteration_rules(
             exclusion_reasons, actionable_reasons = [], []
             by_priority = sorted(iteration.iteration_rules, key=priority_getter)
             for _, rule_group in groupby(by_priority, key=priority_getter):
-                status, group_actionable, group_exclusions = self.evaluate_priority_group(rule_group, worst_status)
+                status, group_actionable, group_exclusions, is_rule_stop = self.evaluate_priority_group(
+                    rule_group, worst_status
+                )
                 # Merge results
                 worst_status = status
                 actionable_reasons.extend(group_actionable)
                 exclusion_reasons.extend(group_exclusions)
+                if is_rule_stop:
+                    break
             condition_status_entry = status_with_reasons.setdefault(worst_status, [])
             condition_status_entry.extend(
                 actionable_reasons if worst_status is eligibility.Status.actionable else exclusion_reasons
@@ -124,9 +128,9 @@ def evaluate_priority_group(
         self,
         iteration_rule_group: Iterator[rules.IterationRule],
         worst_status_so_far_for_condition: eligibility.Status,
-    ) -> tuple[eligibility.Status, list[eligibility.Reason], list[eligibility.Reason]]:
+    ) -> tuple[eligibility.Status, list[eligibility.Reason], list[eligibility.Reason], bool]:
+        is_rule_stop = False
         exclusion_reasons, actionable_reasons = [], []
-
         exclude_capable_rules = [
             ir
             for ir in iteration_rule_group
@@ -147,4 +151,6 @@ def evaluate_priority_group(
                 actionable_reasons.append(reason)
 
         worst_group_status = eligibility.Status.worst(best_status, worst_status_so_far_for_condition)
-        return worst_group_status, actionable_reasons, exclusion_reasons
+        if worst_group_status.is_exclusion:
+            is_rule_stop = any(rule.rule_stop for rule in exclude_capable_rules)
+        return worst_group_status, actionable_reasons, exclusion_reasons, is_rule_stop

src/eligibility_signposting_api/services/calculators/eligibility_calculator.py

@@ -22,6 +22,7 @@ class IterationCohortFactory(ModelFactory[rules.IterationCohort]): ...
 class IterationRuleFactory(ModelFactory[rules.IterationRule]):
     attribute_target = None
     cohort_label = None
+    rule_stop = False
 
 
 class IterationFactory(ModelFactory[rules.Iteration]):