Update: [AEA-5874] - adds direct slackbot lambda invocation role (#145)

## Summary

**Remove items from this list if they are not relevant. Remove this line
once this has been done**

- Routine Change
- ❗ Breaking Change
- 🤖 Operational or Infrastructure Change
- ✨ New Feature
- ⚠️ Potential issues that might be caused by this change

### Details

Add any summary information of what is in the change. **Remove this line
if you have nothing to add.**

## Pull Request Naming

Pull requests should be named using the following format:

```text
Tag: [AEA-NNNN] - Short description
```

Tag can be one of:

- `Fix` - for a bug fix. (Patch release)
- `Update` - either for a backwards-compatible enhancement or for a rule
change that adds reported problems. (Patch release)
- `New` - implemented a new feature. (Minor release)
- `Breaking` - for a backwards-incompatible enhancement or feature.
(Major release)
- `Docs` - changes to documentation only. (Patch release)
- `Build` - changes to build process only. (No release)
- `Upgrade` - for a dependency upgrade. (Patch release)
- `Chore` - for refactoring, adding tests, etc. (anything that isn't
user-facing). (Patch release)

If the current release is x.y.z then
- a patch release increases z by 1
- a minor release increases y by 1
- a major release increases x by 1

Correct tagging is necessary for our automated versioning and release
process.

The description of your pull request will be used as the commit message
for the merge, and also be included in the changelog. Please ensure that
your title is sufficiently descriptive.

### Rerunning Checks

If you need to rename your pull request, you can restart the checks by
either:

- Closing and reopening the pull request
- pushing an empty commit 
  ```bash
  git commit --allow-empty -m 'trigger build'
  git push
  ```
- Amend your last commit and force push to the branch
  ```bash
  git commit --amend --no-edit
  git push --force
  ```

Rerunning the checks from within the pull request will not use the
updated title.

Author: bencegadanyi1-nhs

.github/workflows/run_regression_tests.yml

@@ -54,9 +54,9 @@ jobs:
         with:
           path: |
             ~/.asdf
-          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
+          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ steps.asdf-version.outputs.version }}
           restore-keys: |
-            ${{ runner.os }}-asdf-
+            ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ steps.asdf-version.outputs.version }}
 
       - name: Install asdf dependencies in .tool-versions
         uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47
@@ -73,14 +73,28 @@ jobs:
           GITHUB-TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
           if [[ "$TARGET_ENVIRONMENT" != "prod" && "$TARGET_ENVIRONMENT" != "ref" ]]; then
-            # this should be the tag of the tests you want to run
-            REGRESSION_TEST_REPO_TAG=v3.4.26
+            REGRESSION_TEST_REPO_TAG="v3.5.0" # This is the tag or branch of the regression test code to run, usually a version tag like v3.1.0 or a branch name
+            REGRESSION_TEST_WORKFLOW_TAG="v3.5.0" # This is the tag of the github workflow to run, usually the same as REGRESSION_TEST_REPO_TAG
 
-            # this should be the tag of the regression test workflow you want to run
-            # This will normally be the same as REGRESSION_TEST_REPO_TAG
-            REGRESSION_TEST_WORKFLOW_TAG=v3.4.26
+            if [[ -z "$REGRESSION_TEST_REPO_TAG" || -z "$REGRESSION_TEST_WORKFLOW_TAG" ]]; then
+              echo "Error: One or both tag variables are not set" >&2
+              exit 1
+            fi
+
+            # HELPER IF STATEMENT - It will automatically determine the correct Git URL to use based on the REGRESSION_TEST_WORKFLOW_TAG value
+            if [[ "$REGRESSION_TEST_WORKFLOW_TAG" =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+              echo "REGRESSION_TEST_WORKFLOW_TAG is a version tag, using tag link"
+              curl "https://raw.githubusercontent.com/NHSDigital/electronic-prescription-service-api-regression-tests/refs/tags/${REGRESSION_TEST_WORKFLOW_TAG}/scripts/run_regression_tests.py" -o run_regression_tests.py
+            else
+              echo "REGRESSION_TEST_WORKFLOW_TAG doesn't look like a version tag, using branch link"
+              curl "https://raw.githubusercontent.com/NHSDigital/electronic-prescription-service-api-regression-tests/refs/heads/${REGRESSION_TEST_REPO_TAG}/scripts/run_regression_tests.py" -o run_regression_tests.py
+            fi
+
+            if [[ ! -f run_regression_tests.py ]]; then
+              echo "Error: run_regression_tests.py not found" >&2
+              exit 1
+            fi
 
-            curl https://raw.githubusercontent.com/NHSDigital/electronic-prescription-service-api-regression-tests/refs/tags/${REGRESSION_TEST_WORKFLOW_TAG}/scripts/run_regression_tests.py -o run_regression_tests.py
             poetry install
             echo Running regression tests in the "$TARGET_ENVIRONMENT" environment
             poetry run python -u run_regression_tests.py \

packages/cdk/nagSuppressions.ts

@@ -280,6 +280,17 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
+  safeAddNagSuppression(
+    stack,
+    "/EpsAssistMeStack/RegressionTestPolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Auto-generated CDK Provider role requires wildcard permissions for cloudformation stack listing."
+      }
+    ]
+  )
+
 }
 
 const safeAddNagSuppression = (stack: Stack, path: string, suppressions: Array<NagPackSuppression>) => {

packages/cdk/resources/Functions.ts

@@ -75,6 +75,7 @@ export class Functions extends Construct {
     props.slackBotTokenSecret.grantRead(slackBotLambda.function)
     props.slackBotSigningSecret.grantRead(slackBotLambda.function)
 
+    // pr environments need main bot to invoke pr-specific lambda
     if (props.isPullRequest) {
       const mainSlackBotLambdaExecutionRole = Role.fromRoleArn(
         this,
@@ -84,7 +85,7 @@ export class Functions extends Construct {
         })
 
       const executeSlackBotPolicy = new ManagedPolicy(this, "ExecuteSlackBotPolicy", {
-        description: "foo",
+        description: "cross-lambda invocation for pr: command routing",
         statements: [
           new PolicyStatement({
             actions: [

packages/cdk/stacks/EpsAssistMeStack.ts

@@ -18,7 +18,7 @@ import {DatabaseTables} from "../resources/DatabaseTables"
 import {BedrockPromptResources} from "../resources/BedrockPromptResources"
 import {S3LambdaNotification} from "../constructs/S3LambdaNotification"
 import {VectorIndex} from "../resources/VectorIndex"
-import {Role} from "aws-cdk-lib/aws-iam"
+import {ManagedPolicy, PolicyStatement, Role} from "aws-cdk-lib/aws-iam"
 
 export interface EpsAssistMeStackProps extends StackProps {
   readonly stackName: string
@@ -32,6 +32,8 @@ export class EpsAssistMeStack extends Stack {
 
     // imports
     const mainSlackBotLambdaExecutionRoleArn = Fn.importValue("epsam:lambda:SlackBot:ExecutionRole:Arn")
+    // regression testing needs direct lambda invoke — bypasses slack webhooks entirely
+    const regressionTestRoleArn = Fn.importValue("ci-resources:AssistMeRegressionTestRole")
 
     // Get variables from context
     const region = Stack.of(this).region
@@ -165,6 +167,36 @@ export class EpsAssistMeStack extends Stack {
       }
     })
 
+    // enable direct lambda testing — regression tests bypass slack infrastructure
+    const regressionTestRole = Role.fromRoleArn(
+      this,
+      "regressionTestRole",
+      regressionTestRoleArn, {
+        mutable: true
+      })
+
+    const regressionTestPolicy = new ManagedPolicy(this, "RegressionTestPolicy", {
+      description: "regression test cross-account invoke permission for direct ai validation",
+      statements: [
+        new PolicyStatement({
+          actions: [
+            "lambda:InvokeFunction"
+          ],
+          resources: [
+            functions.slackBotLambda.function.functionArn
+          ]
+        }),
+        new PolicyStatement({
+          actions: [
+            "cloudformation:ListStacks",
+            "cloudformation:DescribeStacks"
+          ],
+          resources: ["*"]
+        })
+      ]
+    })
+    regressionTestRole.addManagedPolicy(regressionTestPolicy)
+
     // Output: SlackBot Endpoint
     new CfnOutput(this, "SlackBotEventsEndpoint", {
       value: `https://${apis.apis["api"].api.domainName?.domainName}/slack/events`,
@@ -196,6 +228,11 @@ export class EpsAssistMeStack extends Stack {
       exportName: `${props.stackName}:lambda:SlackBot:Arn`
     })
 
+    new CfnOutput(this, "SlackBotLambdaName", {
+      value: functions.slackBotLambda.function.functionName,
+      exportName: `${props.stackName}:lambda:SlackBot:FunctionName`
+    })
+
     if (isPullRequest) {
       new CfnOutput(this, "VERSION_NUMBER", {
         value: props.version,