Merge branch 'VED-26-permissions-api' of https://github.com/NHSDigital/immunisation-fhir-api into VED-26-permissions-api

meger remote with the local branch

Author: Akol125

backend/src/clients.py

@@ -19,7 +19,6 @@
 
 logging.basicConfig(level="INFO")
 logger = logging.getLogger()
-logger.setLevel("INFO")
 logger.info(f"Connecting to Redis at {REDIS_HOST}:{REDIS_PORT}")
 
-redis_client = redis.StrictRedis(host=REDIS_HOST, port=REDIS_PORT, decode_responses=True)
+redis_client = redis.StrictRedis(host=REDIS_HOST, port=REDIS_PORT, decode_responses=True)

backend/src/models/utils/permissions.py

@@ -1,8 +1,11 @@
 from clients import redis_client
 import json
 
+
 def get_supplier_permissions(supplier: str) -> list[str]:
+    print(f"Getting permissions for supplier: {supplier}")
     permissions_data = redis_client.hget("supplier_permissions", supplier)
+    print(f"Got permissions: {permissions_data}")
     if not permissions_data:
         return []
     return json.loads(permissions_data)

backend/tests/test_fhir_service.py

@@ -3,6 +3,7 @@
 import datetime
 import unittest
 from copy import deepcopy
+from unittest import skip
 from unittest.mock import create_autospec
 from decimal import Decimal
 
@@ -304,7 +305,7 @@ def test_immunization_not_found(self):
 
         # Then
         self.imms_repo.get_immunization_by_identifier.assert_called_once_with(imms_id, "COVID19:search")
-        
+
         self.assertEqual(act_imms["entry"], [])
 
 
@@ -343,7 +344,7 @@ def test_create_immunization(self):
 
         # Then
         self.imms_repo.create_immunization.assert_called_once_with(req_imms, pds_patient, ["COVID19:create"], "Test")
-        
+
         self.validator.validate.assert_called_once_with(req_imms)
         self.fhir_service.pds_service.get_patient_details.assert_called_once_with(
             nhs_number

backend/tests/utils/test_permissions.py

@@ -2,6 +2,7 @@
 from unittest.mock import patch
 from src.models.utils.permissions import get_supplier_permissions
 
+
 class TestPermissions(unittest.TestCase):
 
     @patch("clients.redis_client.hget")
@@ -14,4 +15,4 @@ def test_returns_list_if_permissions_exist(self, mock_hget):
     def test_returns_empty_list_if_no_permissions(self, mock_hget):
         mock_hget.return_value = None
         result = get_supplier_permissions("UNKNOWN")
-        self.assertEqual(result, [])
+        self.assertEqual(result, [])

terraform/endpoints.tf

@@ -1,8 +1,7 @@
 /// This file creates all lambdas needed for each endpoint plus api-gateway
 
 locals {
-  policy_path     = "${path.root}/policies"
-  domain_name_url = "https://${local.service_domain_name}"
+  policy_path = "${path.root}/policies"
 }
 
 data "aws_iam_policy_document" "logs_policy_document" {
@@ -52,20 +51,23 @@ data "aws_iam_policy_document" "imms_policy_document" {
     }),
     templatefile("${local.policy_path}/secret_manager.json", {
       "account_id" : data.aws_caller_identity.current.account_id
-    })
+    }),
+    file("${local.policy_path}/ec2_network_interfaces.json")
   ]
 }
 
 module "imms_event_endpoint_lambdas" {
   source = "./lambda"
   count  = length(local.imms_endpoints)
 
-  prefix        = local.prefix
-  short_prefix  = local.short_prefix
-  function_name = local.imms_endpoints[count.index]
-  image_uri     = module.docker_image.image_uri
-  policy_json   = data.aws_iam_policy_document.imms_policy_document.json
-  environments  = local.imms_lambda_env_vars
+  prefix                 = local.prefix
+  short_prefix           = local.short_prefix
+  function_name          = local.imms_endpoints[count.index]
+  image_uri              = module.docker_image.image_uri
+  policy_json            = data.aws_iam_policy_document.imms_policy_document.json
+  environments           = local.imms_lambda_env_vars
+  vpc_subnet_ids         = data.aws_subnets.default.ids
+  vpc_security_group_ids = [data.aws_security_group.existing_securitygroup.id]
 }
 
 locals {

terraform/lambda/lambda.tf

@@ -13,6 +13,9 @@ module "lambda_function_container_image" {
     architectures = ["x86_64"]
     timeout = 6
 
+    vpc_subnet_ids = var.vpc_subnet_ids
+    vpc_security_group_ids = var.vpc_security_group_ids
+
     # A JWT encode took 7 seconds at default memory size of 128 and 0.8 seconds at 1024.
     # 2048 gets it down to around 0.5 but since Lambda is charged at GB * ms then it costs more for minimal benefit.
     memory_size = 1024

terraform/lambda/variables.tf

@@ -1,9 +1,34 @@
-variable "prefix" {}
-variable "short_prefix" {}
-variable "function_name" {}
-variable "image_uri" {}
+variable "prefix" {
+    type = string
+}
+
+variable "short_prefix" {
+    type = string
+}
+
+variable "function_name" {
+    type = string
+}
+
+variable "image_uri" {
+    type = string
+}
+
 variable "environments" {
+    type = map(string)
     default = {}
 }
 
-variable "policy_json" {}
+variable "policy_json" {
+    type = string
+}
+
+variable "vpc_security_group_ids" {
+    type = list(string)
+    default = null
+}
+
+variable "vpc_subnet_ids" {
+    type = list(string)
+    default = null
+}

terraform/policies/ec2_network_interfaces.json

@@ -0,0 +1,14 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateNetworkInterface",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DeleteNetworkInterface"
+      ],
+      "Resource": "*"
+    }
+  ]
+}