Merge branch 'master' into VED-971-Mesh-Processor-Alerting

Akol125 · web-flow · commit e5928c1410b4 · 2025-12-23T12:29:38.000Z
diff --git a/.github/workflows/create-release-tag.yml b/.github/workflows/create-release-tag.yml
@@ -29,9 +29,7 @@ jobs:
         run: pip install semver
 
       - name: Set SPEC_VERSION env var
-        run: echo ::set-env name=SPEC_VERSION::$(python utilities/scripts/calculate_version.py)
-        env:
-          ACTIONS_ALLOW_UNSECURE_COMMANDS: true
+        run: echo "SPEC_VERSION=$(python utilities/scripts/calculate_version.py)" >> $GITHUB_ENV
 
       - name: Create release (master only)
         id: create-release
diff --git a/.github/workflows/deploy-backend.yml b/.github/workflows/deploy-backend.yml
@@ -48,14 +48,13 @@ env: # Sonarcloud - do not allow direct usage of untrusted data
   ENVIRONMENT: ${{ inputs.environment }}
   SUB_ENVIRONMENT: ${{ inputs.sub_environment }}
 
-permissions:
-  id-token: write
-  contents: read
-
 run-name: Deploy Backend - ${{ inputs.environment }} ${{ inputs.sub_environment }}
 
 jobs:
   terraform-plan:
+    permissions:
+      id-token: write
+      contents: read
     runs-on: ubuntu-latest
     environment:
       name: ${{ inputs.environment }}
@@ -89,6 +88,9 @@ jobs:
           path: infrastructure/instance/tfplan
 
   terraform-apply:
+    permissions:
+      id-token: write
+      contents: read
     needs: terraform-plan
     runs-on: ubuntu-latest
     environment:
diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml
@@ -54,12 +54,10 @@ env:
   STATUS_API_KEY: ${{ secrets.STATUS_API_KEY }}
   SOURCE_COMMIT_ID: ${{ github.sha }}
 
-permissions:
-  id-token: write
-  contents: read
-
 jobs:
   wait-for-deployment:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     environment: ${{ inputs.apigee_environment }}
     outputs:
@@ -109,6 +107,9 @@ jobs:
           fi
 
   e2e-tests:
+    permissions:
+      id-token: write
+      contents: read
     runs-on: ubuntu-latest
     needs: [wait-for-deployment]
     environment: ${{ inputs.apigee_environment }}
@@ -202,6 +203,9 @@ jobs:
         run: poetry run python -m unittest
 
   batch-e2e-tests:
+    permissions:
+      id-token: write
+      contents: read
     needs: [wait-for-deployment, e2e-tests]
     # Only actually depend on wait-for-deployment, but run after e2e-tests
     if: ${{ !cancelled() && needs.wait-for-deployment.result == 'success' && needs.wait-for-deployment.outputs.RUN_BATCH_E2E_TESTS == 'true' }}
diff --git a/Makefile b/Makefile
@@ -32,6 +32,9 @@ publish: clean
 	cp build/immunisation-fhir-api.json sandbox/
 	cp -r specification sandbox/specification
 
+make serve: publish
+	npm run serve
+
 #Creates a minified OAS spec in JSON for sending to APIM
 oas: publish
 	mkdir -p oas
diff --git a/README.specification.md b/README.specification.md
@@ -55,12 +55,13 @@ There are `make` commands that alias some of this functionality:
 
 - `lint` -- Lints the spec and code
 - `publish` -- Outputs the specification as a **single** JSON file into the `build/` directory
+- `serve` -- Serves a preview of the API document locally
 
 ### Modifying the OAS file
 
 Note that the master OAS file is now the **YAML** version, as it is far easier to maintain than the JSON.
 
-To review your modifications, use Swagger Editor (https://editor.swagger.io).
+To review your modifications, use Swagger Editor (https://editor.swagger.io). Or, alternatively, use the `make serve` command.
 
 ### Update the OAS file to the public website
 
diff --git a/azure/templates/build.yml b/azure/templates/build.yml
@@ -4,7 +4,7 @@ steps:
       npm run publish 2> /dev/null
       cp build/immunisation-fhir-api.json sandbox/
 
-        cd sandbox
+      cd sandbox
       docker build -t sandbox .
     displayName: Build sandbox image
     workingDirectory: "$(Pipeline.Workspace)/s/$(SERVICE_NAME)"
diff --git a/infrastructure/instance/id_sync_lambda.tf b/infrastructure/instance/id_sync_lambda.tf
@@ -309,6 +309,38 @@ resource "aws_cloudwatch_log_group" "id_sync_log_group" {
   retention_in_days = 30
 }
 
+resource "aws_cloudwatch_log_metric_filter" "id_sync_error_logs" {
+  count = var.error_alarm_notifications_enabled ? 1 : 0
+
+  name           = "${local.short_prefix}-IdSyncErrorLogsFilter"
+  pattern        = "%\\[ERROR\\]%"
+  log_group_name = aws_cloudwatch_log_group.id_sync_log_group.name
+
+  metric_transformation {
+    name      = "${local.short_prefix}-IdSyncErrorLogs"
+    namespace = "${local.short_prefix}-IdSyncLambda"
+    value     = "1"
+  }
+}
+
+resource "aws_cloudwatch_metric_alarm" "id_sync_error_alarm" {
+  count = var.error_alarm_notifications_enabled ? 1 : 0
+
+  alarm_name          = "${local.short_prefix}-id-sync-lambda-error"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods  = 1
+  metric_name         = "${local.short_prefix}-IdSyncErrorLogs"
+  namespace           = "${local.short_prefix}-IdSyncLambda"
+  period              = 120
+  statistic           = "Sum"
+  threshold           = 1
+  alarm_description   = "This sets off an alarm for any error logs found in the id sync (nhs number change) Lambda function"
+  alarm_actions       = [data.aws_sns_topic.imms_system_alert_errors.arn]
+  treat_missing_data  = "notBreaching"
+}
+
+
+
 # delete config_lambda_notification / new_s3_invoke_permission - not required; duplicate
 
 # NEW
diff --git a/infrastructure/instance/redis_sync_lambda.tf b/infrastructure/instance/redis_sync_lambda.tf
@@ -253,6 +253,36 @@ resource "aws_cloudwatch_log_group" "redis_sync_log_group" {
   retention_in_days = 30
 }
 
+resource "aws_cloudwatch_log_metric_filter" "redis_sync_error_logs" {
+  count = var.error_alarm_notifications_enabled ? 1 : 0
+
+  name           = "${local.short_prefix}-RedisSyncErrorLogsFilter"
+  pattern        = "%\\[ERROR\\]%"
+  log_group_name = aws_cloudwatch_log_group.redis_sync_log_group.name
+
+  metric_transformation {
+    name      = "${local.short_prefix}-RedisSyncErrorLogs"
+    namespace = "${local.short_prefix}-RedisSyncLambda"
+    value     = "1"
+  }
+}
+
+resource "aws_cloudwatch_metric_alarm" "redis_sync_error_alarm" {
+  count = var.error_alarm_notifications_enabled ? 1 : 0
+
+  alarm_name          = "${local.short_prefix}-id-sync-lambda-error"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods  = 1
+  metric_name         = "${local.short_prefix}-RedisSyncErrorLogs"
+  namespace           = "${local.short_prefix}-RedisSyncLambda"
+  period              = 120
+  statistic           = "Sum"
+  threshold           = 1
+  alarm_description   = "This sets off an alarm for any error logs found in the redis sync Lambda function"
+  alarm_actions       = [data.aws_sns_topic.imms_system_alert_errors.arn]
+  treat_missing_data  = "notBreaching"
+}
+
 # S3 Bucket notification to trigger Lambda function for config bucket
 resource "aws_s3_bucket_notification" "config_lambda_notification" {
 
diff --git a/infrastructure/proxies/sandbox/apiproxy/policies/AssignMessage.AddCors.xml b/infrastructure/proxies/sandbox/apiproxy/policies/AssignMessage.AddCors.xml
@@ -4,8 +4,8 @@
     <Set>
         <Headers>
             <Header name="Access-Control-Allow-Origin">{request.header.origin}</Header>
-            <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept, content-type, nhsd-session-urid, X-Request-Id, X-Correlation-Id, Location</Header>
-            <Header name="Access-Control-Expose-Headers">origin, x-requested-with, accept, content-type, nhsd-session-urid, X-Request-Id, X-Correlation-Id, Location</Header>
+            <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept, content-type, e-tag, nhsd-session-urid, X-Request-Id, X-Correlation-Id, Location</Header>
+            <Header name="Access-Control-Expose-Headers">origin, x-requested-with, accept, content-type, e-tag, nhsd-session-urid, X-Request-Id, X-Correlation-Id, Location</Header>
             <Header name="Access-Control-Max-Age">3628800</Header>
             <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
         </Headers>
diff --git a/lambdas/backend/src/controller/parameter_parser.py b/lambdas/backend/src/controller/parameter_parser.py
@@ -166,7 +166,7 @@ def parse_search_params(search_params_in_req: dict[str, list[str]]) -> dict[str,
     """Ensures the search params provided in the event do not contain duplicated keys. Will split the parameters
     provided by comma separators. Raises a ParameterExceptionError for duplicated keys. Existing business logic stipulated
     that the API only accepts comma separated values rather than multi-value."""
-    if any([len(values) > 1 for _, values in search_params_in_req.items()]):
+    if any(len(values) > 1 for _, values in search_params_in_req.items()):
         raise ParameterExceptionError(DUPLICATED_PARAMETERS_ERROR_MESSAGE)
 
     parsed_params = {}
diff --git a/lambdas/shared/src/common/models/errors.py b/lambdas/shared/src/common/models/errors.py
@@ -67,7 +67,7 @@ def to_operation_outcome(self) -> dict:
 
 class ApiValidationError(RuntimeError):
     def to_operation_outcome(self) -> dict:
-        pass
+        raise NotImplementedError("Improper usage: base class")
 
 
 @dataclass
diff --git a/lambdas/shared/tests/test_common/test_errors.py b/lambdas/shared/tests/test_common/test_errors.py
@@ -129,11 +129,14 @@ def test_errors_unhandled_response_error(self):
         self.assertEqual(issue.get("diagnostics"), f"{test_message}\n{test_response}")
 
     def test_errors_api_validation_error(self):
-        """Test correct operation of ApiValidationError"""
-        with self.assertRaises(errors.ApiValidationError) as context:
+        """Test base ApiValidationError class cannot be used"""
+        with self.assertRaises(errors.ApiValidationError) as initial_error:
             raise errors.ApiValidationError()
-        outcome = context.exception.to_operation_outcome()
-        self.assertIsNone(outcome)
+
+        with self.assertRaises(NotImplementedError) as not_implemented_error:
+            initial_error.exception.to_operation_outcome()
+
+        self.assertEqual(str(not_implemented_error.exception), "Improper usage: base class")
 
     def test_errors_custom_validation_error(self):
         """Test correct operation of CustomValidationError"""
diff --git a/package.json b/package.json
@@ -8,7 +8,8 @@
     "format-check": "prettier --check .",
     "publish": "redocly bundle specification/immunisation-fhir-api.yaml --remove-unused-components --ext json -o build/immunisation-fhir-api.json",
     "check-licenses": "node_modules/.bin/license-checker --failOn GPL --failOn LGPL",
-    "prepare": "husky"
+    "prepare": "husky",
+    "serve": "redocly preview --project-dir ./build"
   },
   "author": "NHS Digital",
   "license": "MIT",
diff --git a/specification/immunisation-fhir-api.yaml b/specification/immunisation-fhir-api.yaml
@@ -2207,26 +2207,22 @@ paths:
       description: >
         ## Overview
 
-        This interaction allows you to add a new updated record of a vaccination
-        event. Update replaces the full immunization resource, so you must
-        provide all data fields, not just the change (Patch is not currently
-        supported). You may obtain all the current data for the vaccination
-        event using the read interaction, which will also return an eTag for the
-        version. 
+        The Update Immunization endpoint allows you to update or reinstate a vaccination event.
 
+        - You must provide the full FHIR immunization in the request body. (Patch is not currently
+        supported, so it is not possible to just provide the updated fields.)
 
-        You may use update to re-instate a deleted record, but our update
-        interaction does not support creating a new vaccination event where one
-        does not currently exist. 
+        - You may need to first retrieve the existing vaccination record using the GET endpoint, which
+        will also return an E-Tag header for the resource version. When performing an update, the E-Tag
+        header must match the current resource version for the resource you are updating.
 
+        - The `id` and `identifier` in the request body and the `id` in the path parameters must match
+        the existing record for an update to succeed.
 
-        You must not change the identifier when updating a vaccination event.
-        The identifier is used as a primary identifier by downstream systems.  
-
-
-        You must be authorised for update interaction and the disease type
-        associated with the vaccination event in order to update the record. 
+        - You may also use this endpoint to reinstate a deleted record.
 
+        - Finally, you must be authorised for the update interaction and the vaccination type of the
+        existing record in order for the update to succeed.
 
         ## Sandbox testing        
 
@@ -4610,6 +4606,7 @@ components:
                 description: >
                   Specific procedures, disorders, diseases, infections or
                   organisms.
+                example: FLU
                 enum:
                   - 3IN1
                   - COVID
@@ -4714,6 +4711,7 @@ components:
       required: true
       schema:
         type: string
+        example: FLU
         enum:
           - 3IN1
           - COVID
