Merge remote-tracking branch 'origin/main' into PRMP-386

PedroSoaresNHS · PedroSoaresNHS · commit 02f611717a66 · 2025-11-21T11:34:50.000Z
diff --git a/.github/workflows/automated-deploy-dev.yml b/.github/workflows/automated-deploy-dev.yml
@@ -220,3 +220,68 @@ jobs:
     uses: NHSDigital/national-document-repository/.github/workflows/ui-dev-to-main-ci.yml@main
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+
+  notify-slack:
+    runs-on: ubuntu-latest
+    needs: [terraform_plan_apply, deploy_lambdas, deploy_ui]
+    if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Get slack bot token from SSM parameter store
+        run: |
+          slack_bot_token=$(aws ssm get-parameter --name "/ndr/alerting/slack/bot_token" --with-decryption --query "Parameter.Value" --output text)
+          echo "::add-mask::$slack_bot_token"
+          echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
+
+      - name: Send Slack Notification
+        uses: slackapi/slack-github-action@v2.1.1
+        with:
+          method: chat.postMessage
+          token: ${{ env.SLACK_BOT_TOKEN }}
+          payload: |
+            {
+              "channel": "${{ vars.ALERTS_SLACK_CHANNEL_ID }}",
+              "attachments": [
+                {
+                  "color": "#ff0000",
+                  "blocks": [
+                    {
+                      "type": "header",
+                      "text": {
+                        "type": "plain_text",
+                        "text": "❌ Workflow `${{ github.workflow }}` failed"
+                      }
+                    },
+                    {
+                      "type": "section",
+                      "text": {
+                        "type": "mrkdwn",
+                        "text": "*Triggered by:* `${{ github.actor }}`\n*Branch:* `${{ github.ref_name }}`\n*Workflow:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"
+                      }
+                    },
+                    {
+                      "type": "divider"
+                    },
+                    {
+                      "type": "section",
+                      "fields": [
+                        { "type": "mrkdwn", "text": "*terraform_plan_apply:* ${{ needs.terraform_plan_apply.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*deploy_lambdas:* ${{ needs.deploy_lambdas.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*deploy_ui:* ${{ needs.deploy_ui.result == 'success' && ':white_check_mark:' || ':x:' }}" }
+                      ]
+                    },
+                    {
+                      "type": "context",
+                      "elements": [
+                        { "type": "mrkdwn", "text": "Environment: `development` | Sandbox: `ndr-dev`" }
+                      ]
+                    }
+                  ]
+                }
+              ]
+            }
diff --git a/.github/workflows/automated-sonarqube-cloud-analysis.yml b/.github/workflows/automated-sonarqube-cloud-analysis.yml
@@ -26,3 +26,60 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  notify-slack:
+    runs-on: ubuntu-latest
+    needs: [sonarqube_cloud]
+    if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Get slack bot token from SSM parameter store
+        run: |
+          slack_bot_token=$(aws ssm get-parameter --name "/ndr/alerting/slack/bot_token" --with-decryption --query "Parameter.Value" --output text)
+          echo "::add-mask::$slack_bot_token"
+          echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
+
+      - name: Send Slack Notification
+        uses: slackapi/slack-github-action@v2.1.1
+        with:
+          method: chat.postMessage
+          token: ${{ env.SLACK_BOT_TOKEN }}
+          payload: |
+            {
+              "channel": "${{ vars.ALERTS_SLACK_CHANNEL_ID }}",
+              "attachments": [
+                {
+                  "color": "#ff0000",
+                  "blocks": [
+                    {
+                      "type": "header",
+                      "text": {
+                        "type": "plain_text",
+                        "text": "❌ Workflow `${{ github.workflow }}` failed"
+                      }
+                    },
+                    {
+                      "type": "section",
+                      "text": {
+                        "type": "mrkdwn",
+                        "text": "*Triggered by:* `${{ github.actor }}`\n*Branch:* `${{ github.ref_name }}`\n*Workflow:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"
+                      }
+                    },
+                    {
+                      "type": "divider"
+                    },
+                    {
+                      "type": "section",
+                      "fields": [
+                        { "type": "mrkdwn", "text": "*sonarqube_cloud:* ${{ needs.sonarqube_cloud.result == 'success' && ':white_check_mark:' || ':x:' }}" }
+                      ]
+                    }
+                  ]
+                }
+              ]
+            }
diff --git a/.github/workflows/cron-daily-health-check.yml b/.github/workflows/cron-daily-health-check.yml
@@ -160,7 +160,7 @@ jobs:
       environment: development
       python_version: "3.11"
     secrets:
-        AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+      AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
         
   deploy_lambdas:
     name: Deploy Lambdas
@@ -196,3 +196,72 @@ jobs:
       sandbox_name: ${{ needs.set_workspace.outputs.workspace }}
       environment: development
     secrets: inherit
+
+  notify-slack:
+    runs-on: ubuntu-latest
+    needs: [terraform_plan_apply, run_lambda_unit_tests, run_ui_unit_tests, run_cypress_tests, publish_lambda_layers, deploy_lambdas, deploy_ui]
+    if: failure()
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Get slack bot token from SSM parameter store
+        run: |
+          slack_bot_token=$(aws ssm get-parameter --name "/ndr/alerting/slack/bot_token" --with-decryption --query "Parameter.Value" --output text)
+          echo "::add-mask::$slack_bot_token"
+          echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
+
+      - name: Send Slack Notification
+        uses: slackapi/slack-github-action@v2.1.1
+        with:
+          method: chat.postMessage
+          token: ${{ env.SLACK_BOT_TOKEN }}
+          payload: |
+            {
+              "channel": "${{ vars.ALERTS_SLACK_CHANNEL_ID }}",
+              "attachments": [
+                {
+                  "color": "#ff0000",
+                  "blocks": [
+                    {
+                      "type": "header",
+                      "text": {
+                        "type": "plain_text",
+                        "text": "❌ Workflow `${{ github.workflow }}` failed"
+                      }
+                    },
+                    {
+                      "type": "section",
+                      "text": {
+                        "type": "mrkdwn",
+                        "text": "*Triggered by:* `Scheduled Job`\n*Workflow:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"
+                      }
+                    },
+                    {
+                      "type": "divider"
+                    },
+                    {
+                      "type": "section",
+                      "fields": [
+                        { "type": "mrkdwn", "text": "*terraform_plan_apply:* ${{ needs.terraform_plan_apply.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*run_lambda_unit_tests:* ${{ needs.run_lambda_unit_tests.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*run_ui_unit_tests:* ${{ needs.run_ui_unit_tests.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*run_cypress_tests:* ${{ needs.run_cypress_tests.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*publish_lambda_layers:* ${{ needs.publish_lambda_layers.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*deploy_lambdas:* ${{ needs.deploy_lambdas.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*deploy_ui:* ${{ needs.deploy_ui.result == 'success' && ':white_check_mark:' || ':x:' }}" }
+                      ]
+                    },
+                    {
+                      "type": "context",
+                      "elements": [
+                        { "type": "mrkdwn", "text": "Environment: `development` | Sandbox: `${{ needs.set_workspace.outputs.workspace }}`" }
+                      ]
+                    }
+                  ]
+                }
+              ]
+            }
diff --git a/infrastructure/lambda-bulk-upload.tf b/infrastructure/lambda-bulk-upload.tf
@@ -17,6 +17,8 @@ module "bulk-upload-lambda" {
     module.sqs-lg-bulk-upload-metadata-queue.sqs_write_policy_document,
     module.sqs-lg-bulk-upload-invalid-queue.sqs_read_policy_document,
     module.sqs-lg-bulk-upload-invalid-queue.sqs_write_policy_document,
+    module.lg-bulk-upload-expedite-metadata-queue.sqs_write_policy_document,
+    module.lg-bulk-upload-expedite-metadata-queue.sqs_read_policy_document,
     aws_iam_policy.ssm_access_policy.policy,
     module.ndr-app-config.app_config_policy
   ]
@@ -53,6 +55,7 @@ module "bulk-upload-lambda" {
     module.lloyd_george_reference_dynamodb_table,
     module.bulk_upload_report_dynamodb_table,
     aws_iam_policy.ssm_access_policy,
+    module.lg-bulk-upload-expedite-metadata-queue,
   ]
 }
 
@@ -71,6 +74,18 @@ resource "aws_lambda_event_source_mapping" "bulk_upload_lambda" {
   ]
 }
 
+resource "aws_lambda_event_source_mapping" "bulk_upload_lambda_expedite_trigger" {
+  event_source_arn = module.lg-bulk-upload-expedite-metadata-queue.sqs_arn
+  function_name    = module.bulk-upload-lambda.lambda_arn
+  batch_size       = 10
+  enabled          = true
+
+  depends_on = [
+    module.bulk-upload-lambda,
+    module.lg-bulk-upload-expedite-metadata-queue
+  ]
+}
+
 module "bulk-upload-alarm" {
   source               = "./modules/lambda_alarms"
   lambda_function_name = module.bulk-upload-lambda.function_name
diff --git a/infrastructure/sqs-expedite.tf b/infrastructure/sqs-expedite.tf
@@ -0,0 +1,14 @@
+module "lg-bulk-upload-expedite-metadata-queue" {
+  source                = "./modules/sqs"
+  name                  = "lg-bulk-upload-expedite-metadata-queue.fifo"
+  max_size_message      = 256 * 1024        # allow message size up to 256 KB
+  message_retention     = 60 * 60 * 24 * 14 # 14 days
+  environment           = var.environment
+  owner                 = var.owner
+  max_visibility        = 1020
+  enable_fifo           = true
+  enable_deduplication  = true
+  delay                 = 60
+  enable_dlq            = true
+  dlq_message_retention = 1209600 # 14 days
+}
diff --git a/infrastructure/sqs_alarms.tf b/infrastructure/sqs_alarms.tf
@@ -1,15 +1,17 @@
 locals {
   monitored_queues = {
     # main queues
-    "nrl_main"       = module.sqs-nrl-queue.sqs_name
-    "stitching_main" = module.sqs-stitching-queue.sqs_name
-    "lg_bulk_main"   = module.sqs-lg-bulk-upload-metadata-queue.sqs_name
-    "lg_inv_main"    = module.sqs-lg-bulk-upload-invalid-queue.sqs_name
-    "mns_main"       = module.sqs-mns-notification-queue[0].sqs_name
+    "nrl_main"              = module.sqs-nrl-queue.sqs_name
+    "stitching_main"        = module.sqs-stitching-queue.sqs_name
+    "lg_bulk_main"          = module.sqs-lg-bulk-upload-metadata-queue.sqs_name
+    "lg_inv_main"           = module.sqs-lg-bulk-upload-invalid-queue.sqs_name
+    "mns_main"              = module.sqs-mns-notification-queue[0].sqs_name
+    "lg_bulk_expedite_main" = module.lg-bulk-upload-expedite-metadata-queue.sqs_name
     # dead-letter queues
-    "nrl_dlq"       = module.sqs-nrl-queue.dlq_name
-    "stitching_dlq" = module.sqs-stitching-queue.dlq_name
-    "mns_dlq"       = module.sqs-mns-notification-queue[0].dlq_name
+    "nrl_dlq"              = module.sqs-nrl-queue.dlq_name
+    "stitching_dlq"        = module.sqs-stitching-queue.dlq_name
+    "mns_dlq"              = module.sqs-mns-notification-queue[0].dlq_name
+    "lg_bulk_expedite_dlq" = module.lg-bulk-upload-expedite-metadata-queue.dlq_name
   }
 
 
