Merge branch 'main' of https://github.com/NHSDigital/eps-assist-me into dependabot/pip/boto3-stubs-1.40.39

Author: kris-szlapa

.pre-commit-config.yaml

@@ -65,7 +65,7 @@ repos:
         entry: bash
         args:
           - -c
-          - 'docker run -v "$(pwd):/src" git-secrets --pre_commit_hook'
+          - 'docker run -v "$LOCAL_WORKSPACE_FOLDER:/src" git-secrets --pre_commit_hook'
         language: system
 
 fail_fast: true

package-lock.json

@@ -19,20 +19,20 @@
   "devDependencies": {
     "@semantic-release/changelog": "^6.0.3",
     "@semantic-release/release-notes-generator": "^14.1.0",
-    "@types/aws-lambda": "^8.10.152",
+    "@types/aws-lambda": "^8.10.153",
     "@types/jest": "^30.0.0",
-    "@types/node": "^24.5.2",
-    "@typescript-eslint/eslint-plugin": "^8.44.1",
+    "@types/node": "^24.6.2",
+    "@typescript-eslint/eslint-plugin": "^8.45.0",
     "@typescript-eslint/parser": "^8.44.1",
     "eslint": "^9.36.0",
     "eslint-plugin-import-newlines": "^1.4.0",
-    "jest": "^30.1.3",
+    "jest": "^30.2.0",
     "jest-junit": "^16.0.0",
     "license-checker": "^25.0.1",
     "semantic-release": "^24.2.9",
     "ts-jest": "^29.4.4",
     "ts-node": "^10.9.2",
-    "typescript": "^5.9.2"
+    "typescript": "^5.9.3"
   },
   "dependencies": {
     "conventional-changelog-eslint": "^6.0.0",

package.json

@@ -37,6 +37,7 @@ const insightsLayerArn = "arn:aws:lambda:eu-west-2:580247275435:layer:LambdaInsi
 export class LambdaFunction extends Construct {
   public readonly executionPolicy: ManagedPolicy
   public readonly function: LambdaFunctionResource
+  public readonly executionRole: Role
 
   public constructor(scope: Construct, id: string, props: LambdaFunctionProps) {
     super(scope, id)
@@ -169,5 +170,6 @@ export class LambdaFunction extends Construct {
     // Export Lambda function and execution policy for use by other constructs
     this.function = lambdaFunction
     this.executionPolicy = executionManagedPolicy
+    this.executionRole = role
   }
 }

packages/cdk/constructs/LambdaFunction.ts

@@ -12,13 +12,13 @@
   "dependencies": {
     "@aws-cdk/aws-lambda-python-alpha": "^2.205.0-alpha.0",
     "@cdklabs/generative-ai-cdk-constructs": "^0.1.309",
-    "aws-cdk-lib": "^2.217.0",
-    "cdk-nag": "^2.37.38",
+    "aws-cdk-lib": "^2.219.0",
+    "cdk-nag": "^2.37.42",
     "constructs": "^10.4.2",
     "source-map-support": "^0.5.21"
   },
   "devDependencies": {
-    "@types/node": "^24.5.2",
-    "aws-cdk": "^2.1029.3"
+    "@types/node": "^24.6.2",
+    "aws-cdk": "^2.1029.4"
   }
 }

packages/cdk/package.json

@@ -7,7 +7,6 @@ import {HttpMethod} from "aws-cdk-lib/aws-lambda"
 export interface ApisProps {
   readonly stackName: string
   readonly logRetentionInDays: number
-  readonly enableMutalTls: boolean
   functions: {[key: string]: LambdaFunction}
 }
 

packages/cdk/resources/Apis.ts

@@ -1,6 +1,6 @@
 import {Construct} from "constructs"
 import {LambdaFunction} from "../constructs/LambdaFunction"
-import {ManagedPolicy} from "aws-cdk-lib/aws-iam"
+import {ManagedPolicy, PolicyStatement, Role} from "aws-cdk-lib/aws-iam"
 import {StringParameter} from "aws-cdk-lib/aws-ssm"
 import {Secret} from "aws-cdk-lib/aws-secretsmanager"
 import {TableV2} from "aws-cdk-lib/aws-dynamodb"
@@ -35,10 +35,13 @@ export interface FunctionsProps {
   readonly slackBotSigningSecret: Secret
   readonly slackBotStateTable: TableV2
   readonly promptName: string
+  readonly isPullRequest: boolean
+  readonly mainSlackBotLambdaExecutionRoleArn : string
 }
 
 export class Functions extends Construct {
-  public readonly functions: {[key: string]: LambdaFunction}
+  public readonly slackBotLambda: LambdaFunction
+  public readonly syncKnowledgeBaseFunction: LambdaFunction
 
   constructor(scope: Construct, id: string, props: FunctionsProps) {
     super(scope, id)
@@ -73,6 +76,30 @@ export class Functions extends Construct {
     props.slackBotTokenSecret.grantRead(slackBotLambda.function)
     props.slackBotSigningSecret.grantRead(slackBotLambda.function)
 
+    if (props.isPullRequest) {
+      const mainSlackBotLambdaExecutionRole = Role.fromRoleArn(
+        this,
+        "mainRoleArn",
+        props.mainSlackBotLambdaExecutionRoleArn, {
+          mutable: true
+        })
+
+      const executeSlackBotPolicy = new ManagedPolicy(this, "ExecuteSlackBotPolicy", {
+        description: "foo",
+        statements: [
+          new PolicyStatement({
+            actions: [
+              "lambda:invokeFunction"
+            ],
+            resources: [
+              slackBotLambda.function.functionArn
+            ]
+          })
+        ]
+      })
+      mainSlackBotLambdaExecutionRole.addManagedPolicy(executeSlackBotPolicy)
+    }
+
     // Lambda function to sync knowledge base on S3 events
     const syncKnowledgeBaseFunction = new LambdaFunction(this, "SyncKnowledgeBaseFunction", {
       stackName: props.stackName,
@@ -89,9 +116,7 @@ export class Functions extends Construct {
       additionalPolicies: [props.syncKnowledgeBaseManagedPolicy]
     })
 
-    this.functions = {
-      slackBot: slackBotLambda,
-      syncKnowledgeBase: syncKnowledgeBaseFunction
-    }
+    this.slackBotLambda = slackBotLambda
+    this.syncKnowledgeBaseFunction = syncKnowledgeBaseFunction
   }
 }

packages/cdk/resources/Functions.ts

@@ -135,6 +135,15 @@ export class RuntimePolicies extends Construct {
       resources: [props.slackBotStateTableKmsKeyArn]
     })
 
+    const slackBotDescribeCfStacks = new PolicyStatement({
+      actions: [
+        "cloudformation:DescribeStacks"
+      ],
+      resources: [
+        `arn:aws:cloudformation:eu-west-2:${props.account}:stack/epsam-pr-*`
+      ]
+    })
+
     this.slackBotPolicy = new ManagedPolicy(this, "SlackBotPolicy", {
       description: "Policy for SlackBot Lambda to access Bedrock, SSM, Lambda, DynamoDB, and KMS",
       statements: [
@@ -145,7 +154,8 @@ export class RuntimePolicies extends Construct {
         slackBotLambdaPolicy,
         slackBotGuardrailPolicy,
         slackBotDynamoDbPolicy,
-        slackBotKmsPolicy
+        slackBotKmsPolicy,
+        slackBotDescribeCfStacks
       ]
     })
 

packages/cdk/resources/RuntimePolicies.ts

@@ -2,7 +2,8 @@ import {
   App,
   Stack,
   StackProps,
-  CfnOutput
+  CfnOutput,
+  Fn
 } from "aws-cdk-lib"
 import {nagSuppressions} from "../nagSuppressions"
 import {Apis} from "../resources/Apis"
@@ -30,6 +31,9 @@ export class EpsAssistMeStack extends Stack {
   public constructor(scope: App, id: string, props: EpsAssistMeStackProps) {
     super(scope, id, props)
 
+    // imports
+    const mainSlackBotLambdaExecutionRoleArn = Fn.importValue("epsam:lambda:SlackBot:ExecutionRole:Arn")
+
     // Get variables from context
     const region = Stack.of(this).region
     const account = Stack.of(this).account
@@ -131,7 +135,9 @@ export class EpsAssistMeStack extends Stack {
       slackBotTokenSecret: secrets.slackBotTokenSecret,
       slackBotSigningSecret: secrets.slackBotSigningSecret,
       slackBotStateTable: tables.slackBotStateTable.table,
-      promptName: bedrockPromptResources.queryReformulationPrompt.promptName
+      promptName: bedrockPromptResources.queryReformulationPrompt.promptName,
+      isPullRequest: isPullRequest,
+      mainSlackBotLambdaExecutionRoleArn: mainSlackBotLambdaExecutionRoleArn
     })
 
     // Create vector index after Functions are created
@@ -147,16 +153,15 @@ export class EpsAssistMeStack extends Stack {
     // Add S3 notification to trigger sync Lambda function
     new S3LambdaNotification(this, "S3LambdaNotification", {
       bucket: storage.kbDocsBucket.bucket,
-      lambdaFunction: functions.functions.syncKnowledgeBase.function
+      lambdaFunction: functions.syncKnowledgeBaseFunction.function
     })
 
     // Create Apis and pass the Lambda function
     const apis = new Apis(this, "Apis", {
       stackName: props.stackName,
       logRetentionInDays,
-      enableMutalTls: false,
       functions: {
-        slackBot: functions.functions.slackBot
+        slackBot: functions.slackBotLambda
       }
     })
 
@@ -180,6 +185,12 @@ export class EpsAssistMeStack extends Stack {
       value: storage.kbDocsBucket.bucket.bucketName,
       exportName: `${props.stackName}:kbDocsBucket:Name`
     })
+
+    new CfnOutput(this, "SlackBotLambdaRoleArn", {
+      value: functions.slackBotLambda.executionRole.roleArn,
+      exportName: `${props.stackName}:lambda:SlackBot:ExecutionRole:Arn`
+    })
+
     if (isPullRequest) {
       new CfnOutput(this, "VERSION_NUMBER", {
         value: props.version,

packages/cdk/stacks/EpsAssistMeStack.ts

@@ -8,17 +8,24 @@
 import os
 import json
 import traceback
+from typing import Tuple
 import boto3
 from aws_lambda_powertools import Logger
+from aws_lambda_powertools.logging import utils
 from aws_lambda_powertools.utilities.parameters import get_parameter
 from mypy_boto3_dynamodb.service_resource import Table
 
+# we use lru_cache for lots of configs so they are cached
+
 
 @lru_cache()
 def get_logger() -> Logger:
-    return Logger(service="slackBotFunction")
+    powertools_logger = Logger(service="slackBotFunction")
+    utils.copy_config_to_registered_loggers(source_logger=powertools_logger, ignore_log_level=True)
+    return powertools_logger
 
 
+# set up logger as its used in other functions
 logger = get_logger()
 
 
@@ -30,7 +37,7 @@ def get_slack_bot_state_table() -> Table:
 
 
 @lru_cache()
-def get_ssm_params():
+def get_ssm_params() -> Tuple[str, str]:
     bot_token_parameter = os.environ["SLACK_BOT_TOKEN_PARAMETER"]
     signing_secret_parameter = os.environ["SLACK_SIGNING_SECRET_PARAMETER"]
     try:
@@ -57,13 +64,35 @@ def get_ssm_params():
     return bot_token, signing_secret
 
 
+@lru_cache
+def get_bot_token() -> str:
+    bot_token, _ = get_ssm_params()
+    return bot_token
+
+
+@lru_cache
+def get_guardrail_config() -> Tuple[str, str, str, str, str]:
+    # Bedrock configuration from environment
+    KNOWLEDGEBASE_ID = os.environ["KNOWLEDGEBASE_ID"]
+    RAG_MODEL_ID = os.environ["RAG_MODEL_ID"]
+    AWS_REGION = os.environ["AWS_REGION"]
+    GUARD_RAIL_ID = os.environ["GUARD_RAIL_ID"]
+    GUARD_VERSION = os.environ["GUARD_RAIL_VERSION"]
+
+    logger.info(
+        "Guardrail configuration loaded", extra={"guardrail_id": GUARD_RAIL_ID, "guardrail_version": GUARD_VERSION}
+    )
+    return KNOWLEDGEBASE_ID, RAG_MODEL_ID, AWS_REGION, GUARD_RAIL_ID, GUARD_VERSION
+
+
 @dataclass
 class Constants:
     FEEDBACK_PREFIX: str
     CONTEXT_TYPE_DM: str
     CONTEXT_TYPE_THREAD: str
     CHANNEL_TYPE_IM: str
     SESSION_SK: str
+    PULL_REQUEST_SK: str
     DEDUP_SK: str
     EVENT_PREFIX: str
     FEEDBACK_PREFIX_KEY: str
@@ -74,6 +103,7 @@ class Constants:
     TTL_EVENT_DEDUP: int
     TTL_FEEDBACK: int
     TTL_SESSION: int
+    PULL_REQUEST_PREFIX: str
 
 
 constants = Constants(
@@ -82,6 +112,7 @@ class Constants:
     CONTEXT_TYPE_THREAD="thread",
     CHANNEL_TYPE_IM="im",
     SESSION_SK="session",
+    PULL_REQUEST_SK="pull_request",
     DEDUP_SK="dedup",
     EVENT_PREFIX="event#",
     FEEDBACK_PREFIX_KEY="feedback#",
@@ -92,45 +123,32 @@ class Constants:
     TTL_EVENT_DEDUP=3600,  # 1 hour
     TTL_FEEDBACK=7776000,  # 90 days
     TTL_SESSION=2592000,  # 30 days
+    PULL_REQUEST_PREFIX="pr:",
 )
 
 
-@lru_cache
-def get_bot_token():
-    bot_token, _ = get_ssm_params()
-    return bot_token
-
-
-@lru_cache()
-def get_bot_messages():
-
-    # Bot response messages
-    BOT_MESSAGES = {
-        "empty_query": "Hi there! Please ask me a question and I'll help you find information from our knowledge base.",
-        "error_response": "Sorry, an error occurred while processing your request. Please try again later.",
-        "feedback_positive_thanks": "Thank you for your feedback.",
-        "feedback_negative_thanks": (
-            'Please let us know how the answer could be improved. Start your message with "feedback:"'
-        ),
-        "feedback_thanks": "Thank you for your feedback.",
-        "feedback_prompt": "Was this helpful?",
-        "feedback_yes": "Yes",
-        "feedback_no": "No",
-    }
-
-    return BOT_MESSAGES
-
-
-@lru_cache
-def get_guardrail_config():
-    # Bedrock configuration from environment
-    KNOWLEDGEBASE_ID = os.environ["KNOWLEDGEBASE_ID"]
-    RAG_MODEL_ID = os.environ["RAG_MODEL_ID"]
-    AWS_REGION = os.environ["AWS_REGION"]
-    GUARD_RAIL_ID = os.environ["GUARD_RAIL_ID"]
-    GUARD_VERSION = os.environ["GUARD_RAIL_VERSION"]
-
-    logger.info(
-        "Guardrail configuration loaded", extra={"guardrail_id": GUARD_RAIL_ID, "guardrail_version": GUARD_VERSION}
-    )
-    return KNOWLEDGEBASE_ID, RAG_MODEL_ID, AWS_REGION, GUARD_RAIL_ID, GUARD_VERSION
+@dataclass
+class BotMessages:
+    EMPTY_QUERY: str
+    ERROR_RESPONSE: str
+    FEEDBACK_POSITIVE_THANKS: str
+    FEEDBACK_NEGATIVE_THANKS: str
+    FEEDBACK_THANKS: str
+    FEEDBACK_PROMPT: str
+    FEEDBACK_YES: str
+    FEEDBACK_NO: str
+
+
+# Bot response messages
+bot_messages = BotMessages(
+    EMPTY_QUERY="Hi there! Please ask me a question and I'll help you find information from our knowledge base.",
+    ERROR_RESPONSE="Sorry, an error occurred while processing your request. Please try again later.",
+    FEEDBACK_POSITIVE_THANKS="Thank you for your feedback.",
+    FEEDBACK_NEGATIVE_THANKS=(
+        'Please let us know how the answer could be improved. Start your message with "feedback:"'
+    ),
+    FEEDBACK_THANKS="Thank you for your feedback.",
+    FEEDBACK_PROMPT="Was this helpful?",
+    FEEDBACK_YES="Yes",
+    FEEDBACK_NO="No",
+)