Merge branch 'master' into dependabot/terraform/infrastructure/account/terraform-minor-patch-815482342b

Author: dlzhry2nhs

.github/workflows/deploy-backend.yml

@@ -83,7 +83,7 @@ jobs:
         run: make plan-ci
 
       - name: Save Terraform Plan
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
           name: ${{ env.ENVIRONMENT }}-${{ env.SUB_ENVIRONMENT }}-tfplan
           path: infrastructure/instance/tfplan

.github/workflows/quality-checks.yml

@@ -247,7 +247,7 @@ jobs:
           fi
 
       - name: SonarCloud Scan
-        uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602
+        uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

README.specification.md

@@ -143,6 +143,39 @@ See the APM confluence for more information on how the [\_ping](https://nhsd-con
 This folder contains a template for a sandbox API. This example is a NodeJs application running in Docker. The application handles a few simple endpoints such as: /\_ping, /health, /\_status, /hello and some logging logic.
 For more information about building sandbox APIs see the [API Producer Zone confluence](https://nhsd-confluence.digital.nhs.uk/display/APM/Setting+up+your+API+sandbox).
 
+### Testing the sandbox
+
+The sandbox can be tested locally by changing to the `/sandbox` folder in a terminal and running `make run`. This will spin up a mock Prism web server at http://0.0.0.0:9000/.
+
+From a separate terminal, test each endpoint as follows:
+
+- Copy the appropriate `curl` command. These can be retrieved by opening the `specification/immunisation-fhir-api.yaml` file in the Swagger editor; expand the required endpoint, select 'Try it out', and then 'Execute'. The `curl` command to use will appear in the Curl window.
+
+- Replace
+  https://sandbox.api.service.nhs.uk/immunisation-fhir-api/FHIR/R4/ with http://0.0.0.0:9000/
+
+- Add the -i option in order to see the response headers.
+
+Examples:
+
+- GET Search:
+
+curl -i -X 'GET' \  
+ 'http://0.0.0.0:9000/Immunization?patient.identifier=https%3A%2F%2Ffhir.nhs.uk%2FId%2Fnhs-number%7C9000000009&-immunization.target=3IN1&-date.from=1900-01-01&-date.to=9999-12-31&_include=Immunization%3Apatient' \  
+ -H 'accept: application/fhir+json' \  
+ -H 'X-Correlation-ID: 60E0B220-8136-4CA5-AE46-1D97EF59D068' \  
+ -H 'X-Request-ID: 60E0B220-8136-4CA5-AE46-1D97EF59D068'
+
+- POST Search:
+
+curl -i -X 'POST' \  
+ 'http://0.0.0.0:9000/Immunization/_search' \  
+ -H 'accept: application/fhir+json' \  
+ -H 'X-Correlation-ID: 60E0B220-8136-4CA5-AE46-1D97EF59D068' \  
+ -H 'X-Request-ID: 60E0B220-8136-4CA5-AE46-1D97EF59D068' \  
+ -H 'Content-Type: application/x-www-form-urlencoded' \  
+ -d 'patient.identifier=https%3A%2F%2Ffhir.nhs.uk%2FId%2Fnhs-number%7C9000000009&-immunization.target=3IN1&-date.from=1900-01-01&-date.to=9999-12-31&\_include=Immunization%3Apatient'
+
 #### `utilities/scripts`:
 
 Contains useful scripts that are used throughout the project, for example in Makefile and Github workflows

infrastructure/instance/environments/prod/blue/variables.tfvars

@@ -5,3 +5,4 @@ pds_environment                   = "prod"
 batch_error_notifications_enabled = true
 create_mesh_processor             = true
 has_sub_environment_scope         = false
+dspp_kms_key_alias                = "nhsd-dspp-core-prod-extended-attributes-gdp-key"

infrastructure/instance/environments/prod/green/variables.tfvars

@@ -5,3 +5,4 @@ pds_environment                   = "prod"
 batch_error_notifications_enabled = true
 create_mesh_processor             = true
 has_sub_environment_scope         = false
+dspp_kms_key_alias                = "nhsd-dspp-core-prod-extended-attributes-gdp-key"

infrastructure/instance/file_name_processor.tf

@@ -253,13 +253,44 @@ resource "aws_iam_policy" "filenameprocessor_dynamo_access_policy" {
   })
 }
 
+# Kms policy setup on filenameprocessor lambda for dps cross account bucket access
+resource "aws_iam_policy" "filenameprocessor_dps_extended_attribute_kms_policy" {
+  name        = "${local.short_prefix}-filenameproc-dps-kms-policy"
+  description = "Allow Lambda to use DPS KMS key for SSE-KMS encrypted S3 bucket access"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "kms:Decrypt",
+          "kms:GenerateDataKey",
+          "kms:DescribeKey"
+        ],
+        Resource = "arn:aws:kms:eu-west-2:${var.dspp_core_account_id}:key/*",
+        "Condition" = {
+          "ForAnyValue:StringEquals" = {
+            "kms:ResourceAliases" = "alias/${var.dspp_kms_key_alias}"
+          }
+        }
+      }
+    ]
+  })
+}
 
 # Attach the execution policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "filenameprocessor_lambda_exec_policy_attachment" {
   role       = aws_iam_role.filenameprocessor_lambda_exec_role.name
   policy_arn = aws_iam_policy.filenameprocessor_lambda_exec_policy.arn
 }
 
+#Attach the dps kms policy to the Lambda role
+resource "aws_iam_role_policy_attachment" "filenameprocessor_lambda_dps_kms_ea_policy_attachment" {
+  role       = aws_iam_role.filenameprocessor_lambda_exec_role.name
+  policy_arn = aws_iam_policy.filenameprocessor_dps_extended_attribute_kms_policy.arn
+}
+
 # Attach the SQS policy to the Lambda role
 resource "aws_iam_role_policy_attachment" "filenameprocessor_lambda_sqs_policy_attachment" {
   role       = aws_iam_role.filenameprocessor_lambda_exec_role.name

infrastructure/instance/mesh_processor.tf

@@ -33,8 +33,9 @@ resource "aws_ecr_repository" "mesh_file_converter_lambda_repository" {
 module "mesh_processor_docker_image" {
   count = var.create_mesh_processor ? 1 : 0
 
-  source  = "terraform-aws-modules/lambda/aws//modules/docker-build"
-  version = "8.1.2"
+  source           = "terraform-aws-modules/lambda/aws//modules/docker-build"
+  version          = "8.1.2"
+  docker_file_path = "./mesh_processor/Dockerfile"
 
   create_ecr_repo = false
   ecr_repo        = aws_ecr_repository.mesh_file_converter_lambda_repository[0].name
@@ -57,9 +58,10 @@ module "mesh_processor_docker_image" {
 
   platform      = "linux/amd64"
   use_image_tag = false
-  source_path   = local.mesh_processor_lambda_dir
+  source_path   = abspath("${path.root}/../../lambdas")
   triggers = {
-    dir_sha = local.mesh_processor_lambda_dir_sha
+    dir_sha        = local.mesh_processor_lambda_dir_sha
+    shared_dir_sha = local.shared_dir_sha
   }
 }
 

infrastructure/instance/variables.tf

@@ -10,6 +10,12 @@ variable "csoc_account_id" {
   default = "693466633220"
 }
 
+variable "dspp_kms_key_alias" {
+  description = "Alias name of the DPS KMS key allowed for SSE-KMS encryption"
+  type        = string
+  default     = "nhsd-dspp-core-ref-extended-attributes-gdp-key"
+}
+
 variable "create_mesh_processor" {
   default = false
 }

lambdas/backend/src/controller/fhir_controller.py

@@ -36,6 +36,7 @@
 from service.fhir_service import FhirService, get_service_url
 
 IMMUNIZATION_ENV = os.getenv("IMMUNIZATION_ENV")
+IMMUNIZATION_BASE_PATH = os.getenv("IMMUNIZATION_BASE_PATH")
 
 
 def make_controller(
@@ -51,7 +52,7 @@ def make_controller(
 
 class FhirController:
     _IMMUNIZATION_ID_PATTERN = r"^[A-Za-z0-9\-.]{1,64}$"
-    _API_SERVICE_URL = get_service_url()
+    _API_SERVICE_URL = get_service_url(IMMUNIZATION_ENV, IMMUNIZATION_BASE_PATH)
 
     def __init__(
         self,

lambdas/backend/src/service/constants.py

@@ -0,0 +1,4 @@
+"""Constants for the fhir_service layer"""
+
+DEFAULT_BASE_PATH = "immunisation-fhir-api/FHIR/R4"
+PR_ENV_PREFIX = "pr-"