Merge branch 'master' into feature/VED-804-move-record-processor-to-lambdas

dlzhry2nhs · web-flow · commit 483a523e804a · 2025-10-28T09:17:34.000Z
diff --git a/.github/workflows/deploy-backend.yml b/.github/workflows/deploy-backend.yml
@@ -137,6 +137,7 @@ jobs:
         if: ${{ inputs.environment == 'dev' && inputs.create_mns_subscription }}
         working-directory: "./lambdas/mns_subscription"
         env:
+          APIGEE_ENVIRONMENT: int
           SQS_ARN: ${{ env.ID_SYNC_QUEUE_ARN }}
         run: |
           poetry install --no-root
diff --git a/infrastructure/account/environments/dev/variables.tfvars b/infrastructure/account/environments/dev/variables.tfvars
@@ -1,10 +1,8 @@
 imms_account_id  = "345594581768"
 dspp_account_id  = "603871901111"
 mns_account_id   = "631615744739"
-csoc_account_id  = "693466633220"
 admin_role       = "root" # We shouldn't be using the root account. There should be an Admin role
 dev_ops_role     = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DEV-IMMS-Devops_745af4f208886ecc"
 dspp_admin_role  = "root"
-mns_admin_role   = "role/nhs-mns-events-lambda-delivery"
 environment      = "dev"
 blue_green_split = false
diff --git a/infrastructure/account/environments/preprod/variables.tfvars b/infrastructure/account/environments/preprod/variables.tfvars
@@ -1,11 +1,9 @@
 imms_account_id = "084828561157"
 dspp_account_id = "603871901111"
 mns_account_id  = "631615744739"
-csoc_account_id = "693466633220"
 # admin_role               = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Admin_acce656dcacf6f4c"
 admin_role       = "root"
 dev_ops_role     = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Devops_1d28e4f37b940bcd"
 dspp_admin_role  = "root"
-mns_admin_role   = "role/nhs-mns-events-lambda-delivery"
 environment      = "preprod"
 blue_green_split = true
diff --git a/infrastructure/account/environments/prod/variables.tfvars b/infrastructure/account/environments/prod/variables.tfvars
@@ -1,11 +1,9 @@
 imms_account_id = "664418956997"
 dspp_account_id = "232116723729"
 mns_account_id  = "758334270304"
-csoc_account_id = "693466633220"
 # admin_role               = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PROD-IMMS-Admin_edd6691e4b74064e"
 admin_role       = "root"
 dev_ops_role     = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PROD-IMMS-Devops_8f32c62195d56b76"
 dspp_admin_role  = "root"
-mns_admin_role   = "role/nhs-mns-events-lambda-delivery"
 environment      = "prod"
 blue_green_split = true
diff --git a/infrastructure/account/kms.tf b/infrastructure/account/kms.tf
@@ -71,7 +71,7 @@ locals {
     Sid    = "AllowMNSLambdaDelivery",
     Effect = "Allow",
     Principal = {
-      AWS = "arn:aws:iam::${var.mns_account_id}:${var.mns_admin_role}"
+      AWS = "arn:aws:iam::${var.mns_account_id}:${var.mns_delivery_role}"
     },
     Action   = "kms:GenerateDataKey",
     Resource = "*"
diff --git a/infrastructure/account/main.tf b/infrastructure/account/main.tf
@@ -6,8 +6,9 @@ terraform {
     }
   }
   backend "s3" {
-    region = "eu-west-2"
-    key    = "state"
+    region       = "eu-west-2"
+    key          = "state"
+    use_lockfile = true
   }
   required_version = ">= 1.5.0"
 }
@@ -31,4 +32,4 @@ provider "aws" {
       Environment = var.environment
     }
   }
-}
+}
diff --git a/infrastructure/account/variables.tf b/infrastructure/account/variables.tf
@@ -11,9 +11,13 @@ variable "dspp_account_id" {
   type        = string
 }
 variable "csoc_account_id" {
-  description = "CSOC Core AWS account ID"
+  description = "CSOC AWS account ID - destination for log forwarding"
   type        = string
-
+  default     = "693466633220"
+}
+variable "mns_account_id" {
+  type        = string
+  description = "MNS AWS account ID - trusted source for MNS notifications"
 }
 
 variable "auto_ops_role" {
@@ -30,6 +34,11 @@ variable "dev_ops_role" {
 variable "dspp_admin_role" {
   type = string
 }
+variable "mns_delivery_role" {
+  type    = string
+  default = "role/nhs-mns-events-lambda-delivery"
+}
+
 variable "build_agent_account_id" {
   type    = string
   default = "958002497996"
@@ -44,6 +53,3 @@ variable "blue_green_split" {
   description = "Whether this account uses blue / green split deployments"
   default     = false
 }
-
-variable "mns_account_id" {}
-variable "mns_admin_role" {}
diff --git a/infrastructure/grafana/non-prod/terraform/main.tf b/infrastructure/grafana/non-prod/terraform/main.tf
@@ -1,4 +1,4 @@
-# main.tf 
+# main.tf
 terraform {
   required_providers {
     aws = {
@@ -15,8 +15,9 @@ terraform {
     }
   }
   backend "s3" {
-    bucket = "immunisation-grafana-terraform-state"
-    region = "eu-west-2"
+    bucket       = "immunisation-grafana-terraform-state"
+    region       = "eu-west-2"
+    use_lockfile = true
   }
   required_version = ">= 1.5.0"
 }
@@ -63,4 +64,4 @@ resource "null_resource" "natgw_message" {
 #   vpc_id = aws_vpc.grafana_main.id
 #   ecs_sg_id = aws_security_group.ecs_tasks.id
 #   route_table_ids = aws_route_table.private[*].id
-# }
+# }
diff --git a/infrastructure/instance/environments/dev/int/variables.tfvars b/infrastructure/instance/environments/dev/int/variables.tfvars
@@ -1,7 +1,6 @@
 environment                       = "dev"
 immunisation_account_id           = "345594581768"
 dspp_core_account_id              = "603871901111"
-csoc_account_id                   = "693466633220"
 pds_environment                   = "int"
 batch_error_notifications_enabled = true
 pds_check_enabled                 = false
diff --git a/infrastructure/instance/environments/dev/internal-dev/variables.tfvars b/infrastructure/instance/environments/dev/internal-dev/variables.tfvars
@@ -1,7 +1,6 @@
 environment                       = "dev"
 immunisation_account_id           = "345594581768"
 dspp_core_account_id              = "603871901111"
-csoc_account_id                   = "693466633220"
 pds_environment                   = "int"
 batch_error_notifications_enabled = true
 pds_check_enabled                 = true
diff --git a/infrastructure/instance/environments/dev/pr/variables.tfvars b/infrastructure/instance/environments/dev/pr/variables.tfvars
@@ -1,7 +1,6 @@
 environment                       = "dev"
 immunisation_account_id           = "345594581768"
 dspp_core_account_id              = "603871901111"
-csoc_account_id                   = "693466633220"
 pds_environment                   = "int"
 batch_error_notifications_enabled = false
 pds_check_enabled                 = true
diff --git a/infrastructure/instance/environments/dev/ref/variables.tfvars b/infrastructure/instance/environments/dev/ref/variables.tfvars
@@ -1,7 +1,6 @@
 environment                       = "dev"
 immunisation_account_id           = "345594581768"
 dspp_core_account_id              = "603871901111"
-csoc_account_id                   = "693466633220"
 pds_environment                   = "ref"
 batch_error_notifications_enabled = true
 pds_check_enabled                 = true
diff --git a/infrastructure/instance/id_sync_lambda.tf b/infrastructure/instance/id_sync_lambda.tf
@@ -181,7 +181,7 @@ resource "aws_iam_policy" "id_sync_lambda_exec_policy" {
           "sqs:DeleteMessage",
           "sqs:GetQueueAttributes"
         ],
-        Resource = "arn:aws:sqs:eu-west-2:${var.immunisation_account_id}:${local.short_prefix}-id-sync-queue"
+        Resource = aws_sqs_queue.id_sync_queue.arn
       },
       # NB anomaly: in redis_sync this appears in "redis_sync_lambda_kms_access_policy"
       {
@@ -313,8 +313,8 @@ resource "aws_cloudwatch_log_group" "id_sync_log_group" {
 
 # NEW
 resource "aws_lambda_event_source_mapping" "id_sync_sqs_trigger" {
-  event_source_arn = "arn:aws:sqs:eu-west-2:${var.immunisation_account_id}:${local.short_prefix}-id-sync-queue"
-  function_name    = aws_lambda_function.id_sync_lambda.arn # TODO
+  event_source_arn = aws_sqs_queue.id_sync_queue.arn
+  function_name    = aws_lambda_function.id_sync_lambda.arn
 
   # Optional: Configure batch size and other settings
   batch_size                         = 10
diff --git a/infrastructure/instance/main.tf b/infrastructure/instance/main.tf
@@ -10,8 +10,9 @@ terraform {
     }
   }
   backend "s3" {
-    region = "eu-west-2"
-    key    = "state"
+    region       = "eu-west-2"
+    key          = "state"
+    use_lockfile = true
   }
   required_version = ">= 1.5.0"
 }
diff --git a/infrastructure/instance/sqs_id_sync.tf b/infrastructure/instance/sqs_id_sync.tf
@@ -1,5 +1,5 @@
 resource "aws_sqs_queue" "id_sync_queue" {
-  name                       = "${local.short_prefix}-id-sync-queue"
+  name                       = "imms-${local.resource_scope}-id-sync-queue"
   kms_master_key_id          = data.aws_kms_key.existing_id_sync_sqs_encryption_key.arn
   visibility_timeout_seconds = 360
   redrive_policy = jsonencode({
@@ -9,7 +9,7 @@ resource "aws_sqs_queue" "id_sync_queue" {
 }
 
 resource "aws_sqs_queue" "id_sync_dlq" {
-  name = "${local.short_prefix}-id-sync-dlq"
+  name = "imms-${local.resource_scope}-id-sync-dlq"
 }
 
 resource "aws_sqs_queue_redrive_allow_policy" "id_sync_queue_redrive_allow_policy" {
diff --git a/infrastructure/instance/variables.tf b/infrastructure/instance/variables.tf
@@ -6,7 +6,9 @@ variable "sub_environment" {
 
 variable "immunisation_account_id" {}
 variable "dspp_core_account_id" {}
-variable "csoc_account_id" {}
+variable "csoc_account_id" {
+  default = "693466633220"
+}
 
 variable "create_mesh_processor" {
   default = false
diff --git a/infrastructure/mesh/main.tf b/infrastructure/mesh/main.tf
@@ -6,8 +6,9 @@ terraform {
     }
   }
   backend "s3" {
-    region = "eu-west-2"
-    key    = "state"
+    region       = "eu-west-2"
+    key          = "state"
+    use_lockfile = true
   }
   required_version = ">= 1.5.0"
 }
diff --git a/infrastructure/terraform_aws_backup/aws-backup-destination/main.tf b/infrastructure/terraform_aws_backup/aws-backup-destination/main.tf
@@ -10,8 +10,9 @@ terraform {
     }
   }
   backend "s3" {
-    region = "eu-west-2"
-    key    = "state"
+    region       = "eu-west-2"
+    key          = "state"
+    use_lockfile = true
   }
   required_version = ">= 1.5.0"
 }
@@ -52,4 +53,4 @@ locals {
 
 variable "region" {
   default = "eu-west-2"
-}
+}
diff --git a/infrastructure/terraform_aws_backup/aws-backup-source/main.tf b/infrastructure/terraform_aws_backup/aws-backup-source/main.tf
@@ -10,8 +10,9 @@ terraform {
     }
   }
   backend "s3" {
-    region = "eu-west-2"
-    key    = "state"
+    region       = "eu-west-2"
+    key          = "state"
+    use_lockfile = true
   }
   required_version = ">= 1.5.0"
 }
@@ -95,4 +96,4 @@ module "source" {
     ],
     "selection_tag" : "NHSE-Enable-Dynamo-Backup"
   }
-}
+}
diff --git a/lambdas/mns_subscription/src/subscribe_mns.py b/lambdas/mns_subscription/src/subscribe_mns.py
@@ -1,10 +1,13 @@
 import logging
+import os
 
 from mns_setup import get_mns_service
 
+apigee_env = os.getenv("APIGEE_ENVIRONMENT", "int")
+
 
 def run_subscription():
-    mns = get_mns_service()
+    mns = get_mns_service(mns_env=apigee_env)
     return mns.check_subscription()
 
 
diff --git a/lambdas/mns_subscription/src/unsubscribe_mns.py b/lambdas/mns_subscription/src/unsubscribe_mns.py
@@ -1,12 +1,14 @@
 import logging
+import os
 
 from mns_setup import get_mns_service
 
+apigee_env = os.getenv("APIGEE_ENVIRONMENT", "int")
+
 
 def run_unsubscribe():
-    mns = get_mns_service()
-    result = mns.check_delete_subscription()
-    return result
+    mns = get_mns_service(mns_env=apigee_env)
+    return mns.check_delete_subscription()
 
 
 if __name__ == "__main__":

Original file line number	Diff line number	Diff line change
`@@ -6,8 +6,9 @@ terraform {`
`6`	`6`	`}`
`7`	`7`	`}`
`8`	`8`	`backend "s3" {`
`9`		`- region = "eu-west-2"`
`10`		`- key = "state"`
	`9`	`+ region = "eu-west-2"`
	`10`	`+ key = "state"`
	`11`	`+ use_lockfile = true`
`11`	`12`	`}`
`12`	`13`	`required_version = ">= 1.5.0"`
`13`	`14`	`}`
`@@ -31,4 +32,4 @@ provider "aws" {`
`31`	`32`	`Environment = var.environment`
`32`	`33`	`}`
`33`	`34`	`}`
`34`		`-}`
	`35`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# main.tf`
	`1`	`+# main.tf`
`2`	`2`	`terraform {`
`3`	`3`	`required_providers {`
`4`	`4`	`aws = {`
`@@ -15,8 +15,9 @@ terraform {`
`15`	`15`	`}`
`16`	`16`	`}`
`17`	`17`	`backend "s3" {`
`18`		`- bucket = "immunisation-grafana-terraform-state"`
`19`		`- region = "eu-west-2"`
	`18`	`+ bucket = "immunisation-grafana-terraform-state"`
	`19`	`+ region = "eu-west-2"`
	`20`	`+ use_lockfile = true`
`20`	`21`	`}`
`21`	`22`	`required_version = ">= 1.5.0"`
`22`	`23`	`}`
`@@ -63,4 +64,4 @@ resource "null_resource" "natgw_message" {`
`63`	`64`	`# vpc_id = aws_vpc.grafana_main.id`
`64`	`65`	`# ecs_sg_id = aws_security_group.ecs_tasks.id`
`65`	`66`	`# route_table_ids = aws_route_table.private[*].id`
`66`		`-# }`
	`67`	`+# }`