Merge branch 'main' into dependabot/npm_and_yarn/js-yaml-3.14.2

anthony-nhs · web-flow · commit 2f8c9520d923 · 2025-11-22T14:12:59.000Z
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -28,7 +28,7 @@ jobs:
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
 
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@a7daff06de7b695f601d9b1723ca184daca7d898
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@4fb41faab9c92d8a1444719bc1ab45a989caf756
     needs: [get_asdf_version]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -10,7 +10,7 @@ env:
 jobs:
   dependabot-auto-approve-and-merge:
     needs: quality_checks
-    uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@a7daff06de7b695f601d9b1723ca184daca7d898
+    uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@4fb41faab9c92d8a1444719bc1ab45a989caf756
     secrets:
       AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
       AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
@@ -33,15 +33,15 @@ jobs:
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
 
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@a7daff06de7b695f601d9b1723ca184daca7d898
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@4fb41faab9c92d8a1444719bc1ab45a989caf756
     needs: [get_asdf_version]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   pr_title_format_check:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@a7daff06de7b695f601d9b1723ca184daca7d898
+    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@4fb41faab9c92d8a1444719bc1ab45a989caf756
 
   get_issue_number:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -32,7 +32,7 @@ jobs:
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
 
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@a7daff06de7b695f601d9b1723ca184daca7d898
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@4fb41faab9c92d8a1444719bc1ab45a989caf756
     needs: [get_asdf_version]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
diff --git a/Makefile b/Makefile
@@ -130,3 +130,6 @@ cdk-watch:
 
 sync-docs: 
 	./scripts/sync_docs.sh
+
+compile:
+	echo "Does nothing currently"
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -19,7 +19,7 @@
   "devDependencies": {
     "@semantic-release/changelog": "^6.0.3",
     "@semantic-release/release-notes-generator": "^14.1.0",
-    "@types/aws-lambda": "^8.10.158",
+    "@types/aws-lambda": "^8.10.159",
     "@types/jest": "^30.0.0",
     "@types/node": "^24.10.1",
     "@typescript-eslint/eslint-plugin": "^8.46.4",
diff --git a/packages/cdk/constructs/DelayResource.ts b/packages/cdk/constructs/DelayResource.ts
@@ -58,7 +58,7 @@ def handler(event, context):
     print(f"Received event: {json.dumps(event, default=str)}")
 
     try:
-        if event["RequestType"] in ["Create", "Update"]:
+        if event["RequestType"] in ["Create"]:
             wait_seconds = int(event["ResourceProperties"].get("WaitSeconds", 0))
             print(f"Waiting for {wait_seconds} seconds...")
             sleep(wait_seconds)
diff --git a/packages/cdk/package.json b/packages/cdk/package.json
@@ -19,6 +19,6 @@
   },
   "devDependencies": {
     "@types/node": "^24.10.1",
-    "aws-cdk": "^2.1031.2"
+    "aws-cdk": "^2.1033.0"
   }
 }
diff --git a/packages/cdk/resources/OpenSearchResources.ts b/packages/cdk/resources/OpenSearchResources.ts
@@ -5,6 +5,8 @@ import {
   VectorCollection,
   VectorCollectionStandbyReplicas
 } from "@cdklabs/generative-ai-cdk-constructs/lib/cdk-lib/opensearchserverless"
+import {generatePhysicalNameV2} from "@cdklabs/generative-ai-cdk-constructs/lib/common/helpers/utils"
+import {CfnAccessPolicy} from "aws-cdk-lib/aws-opensearchserverless"
 
 export interface OpenSearchResourcesProps {
   readonly stackName: string
@@ -15,6 +17,7 @@ export interface OpenSearchResourcesProps {
 
 export class OpenSearchResources extends Construct {
   public readonly collection: VectorCollection
+  public readonly deploymentPolicy: CfnAccessPolicy
 
   constructor(scope: Construct, id: string, props: OpenSearchResourcesProps) {
     super(scope, id)
@@ -31,7 +34,34 @@ export class OpenSearchResources extends Construct {
 
     // Grant access to the Bedrock execution role
     this.collection.grantDataAccess(props.bedrockExecutionRole)
-    this.collection.grantDataAccess(props.cdkExecutionRole)
+
+    // Grant access to the CDK execution role for deployment operations
+    const dataAccessPolicyName = generatePhysicalNameV2(this,
+      "DataAccessPolicy",
+      {maxLength: 32, lower: true})
+    const dataAccessPolicyDocument = [{
+      Rules: [
+        {
+          Resource: [`index/${this.collection.collectionName}/*`],
+          Permission: [
+            "aoss:UpdateIndex",
+            "aoss:DescribeIndex",
+            "aoss:CreateIndex",
+            "aoss:DeleteIndex"
+          ],
+          ResourceType: "index"
+        }
+      ],
+      Principal: [
+        props.cdkExecutionRole.roleArn
+      ],
+      Description: ""
+    }]
+    this.deploymentPolicy = new CfnAccessPolicy(this, "DataAccessPolicy", {
+      name: dataAccessPolicyName,
+      type: "data",
+      policy: JSON.stringify(dataAccessPolicyDocument)
+    })
 
   }
 }
diff --git a/packages/cdk/resources/VectorIndex.ts b/packages/cdk/resources/VectorIndex.ts
@@ -70,7 +70,7 @@ export class VectorIndex extends Construct {
     // a fix for an annoying time sync issue that adds a small delay
     // to ensure data access policies are synced before index creation
     const policySyncWait = new DelayResource(this, "PolicySyncWait", {
-      delaySeconds: 15,
+      delaySeconds: 60,
       description: "Wait for OpenSearch data access policies to sync"
     })
 
@@ -84,7 +84,7 @@ export class VectorIndex extends Construct {
     // a fix for an annoying time sync issue that adds a small delay
     // to ensure index is actually available for Bedrock
     const indexReadyWait = new DelayResource(this, "IndexReadyWait", {
-      delaySeconds: 30,
+      delaySeconds: 60,
       description: "Wait for OpenSearch index to be fully available"
     })
 
diff --git a/packages/cdk/stacks/EpsAssistMeStack.ts b/packages/cdk/stacks/EpsAssistMeStack.ts
@@ -93,7 +93,7 @@ export class EpsAssistMeStack extends Stack {
       stackName: props.stackName,
       collection: openSearchResources.collection
     })
-
+    vectorIndex.node.addDependency(openSearchResources.deploymentPolicy)
     // Create VectorKnowledgeBase construct with Bedrock execution role
     const vectorKB = new VectorKnowledgeBaseResources(this, "VectorKB", {
       stackName: props.stackName,

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,6 @@`
`19`	`19`	`},`
`20`	`20`	`"devDependencies": {`
`21`	`21`	`"@types/node": "^24.10.1",`
`22`		`- "aws-cdk": "^2.1031.2"`
	`22`	`+ "aws-cdk": "^2.1033.0"`
`23`	`23`	`}`
`24`	`24`	`}`