Merge branch 'main' into PRMP-1469

Author: NogaNHS

.github/workflows/terraform-deploy-to-pre-prod-manual.yml

@@ -1,53 +1,57 @@
-# .github/workflows/terraform-dev
-name: 'Deploy and Version Main to Pre-Prod'
+name: 'Deploy to Pre-Prod'
 
 on:
   workflow_dispatch:
+    inputs:
+      branch_or_tag:
+        description: "Which branch or tag do you want to deploy to pre-prod?"
+        required: true
+        type: string
+        default: main
 
 permissions:
   pull-requests: write
   id-token: write # This is required for requesting the JWT
   contents: read  # This is required for actions/checkout
 
 jobs:
-
   tag_and_release:
     runs-on: ubuntu-latest
     outputs:
-      tag: ${{steps.versioning.outputs.tag}}
-      new_tag: ${{steps.versioning.outputs.new_tag}}
+      version: ${{ steps.versioning.outputs.tag || github.event.inputs.branch_or_tag }}
     permissions: write-all
 
     steps:
-
-    - uses: actions/checkout@v4
+    - name: Checkout main
+      if: ${{ github.event.inputs.branch_or_tag == 'main' }}
+      uses: actions/checkout@v4
       with:
         ref: main
         fetch-depth: '0'
 
     - name: Bump version and push tag
+      if: ${{ github.event.inputs.branch_or_tag == 'main' }}
       id: versioning
       uses: anothrNick/[email protected]
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         WITH_V: false
         DEFAULT_BUMP: patch
-    
+
     - name: View outputs
       run: |
-        echo Current tag: ${{steps.versioning.outputs.tag}} 
-        echo New tag: ${{steps.versioning.outputs.new_tag}}
+        echo Deploying branch or tagged version to pre-prod: ${{ steps.versioning.outputs.tag || github.event.inputs.branch_or_tag }}
 
   terraform_process:
     runs-on: ubuntu-latest
     needs: ['tag_and_release']
     environment: pre-prod
+
     steps:
-    # Checkout the repository to the GitHub Actions runner
     - name: Checkout
       uses: actions/checkout@v4
       with:
-        ref: ${{needs.tag_and_release.outputs.tag}}
+        ref: ${{needs.tag_and_release.outputs.version}}
         fetch-depth: '0'
 
     - name: Configure AWS Credentials
@@ -57,11 +61,7 @@ jobs:
         role-skip-session-tagging: true
         aws-region: ${{ vars.AWS_REGION }}
         mask-aws-account-id: true
-      
-    - name: View AWS Role
-      run: aws sts get-caller-identity
 
-    # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
     - name: Setup Terraform
       uses: hashicorp/setup-terraform@v3
       with:
@@ -79,8 +79,7 @@ jobs:
       run:  terraform workspace select ${{ secrets.AWS_WORKSPACE }}
       working-directory: ./infrastructure 
       shell: bash
-      
-      # Checks that all Terraform configuration files adhere to a canonical format
+
     - name: Terraform Format
       run: terraform fmt -check
       working-directory: ./infrastructure 
@@ -95,5 +94,3 @@ jobs:
     - name: Terraform Apply 
       run: terraform apply -auto-approve -input=false tf.plan
       working-directory: ./infrastructure
-        
-        

infrastructure/README.md

@@ -8,7 +8,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.72.1 |
 
 ## Modules
 
@@ -163,11 +163,24 @@
 | [aws_api_gateway_domain_name.custom_api_domain](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_domain_name) | resource |
 | [aws_api_gateway_gateway_response.bad_gateway_response](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_gateway_response) | resource |
 | [aws_api_gateway_gateway_response.unauthorised_response](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_gateway_response) | resource |
+| [aws_api_gateway_integration.get_document_reference_mock](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration) | resource |
+| [aws_api_gateway_integration_response.get_document_reference_mock_200_response](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration_response) | resource |
+| [aws_api_gateway_integration_response.get_document_reference_mock_401_response](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration_response) | resource |
+| [aws_api_gateway_integration_response.get_document_reference_mock_403_response](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration_response) | resource |
+| [aws_api_gateway_integration_response.get_document_reference_mock_404_response](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration_response) | resource |
 | [aws_api_gateway_method.get_document_reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) | resource |
 | [aws_api_gateway_method.login_proxy_method](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) | resource |
+| [aws_api_gateway_method.sandbox_get_document_reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) | resource |
+| [aws_api_gateway_method_response.response_200](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_response) | resource |
+| [aws_api_gateway_method_response.response_401](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_response) | resource |
+| [aws_api_gateway_method_response.response_403](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_response) | resource |
+| [aws_api_gateway_method_response.response_404](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_response) | resource |
 | [aws_api_gateway_resource.auth_resource](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_resource) | resource |
 | [aws_api_gateway_resource.get_document_reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_resource) | resource |
 | [aws_api_gateway_resource.login_resource](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_resource) | resource |
+| [aws_api_gateway_resource.nrl_sandbox](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_resource) | resource |
+| [aws_api_gateway_resource.sandbox_get_document_reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_resource) | resource |
+| [aws_api_gateway_resource.sandbox_get_document_reference_path_parameter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_resource) | resource |
 | [aws_api_gateway_rest_api.ndr_doc_store_api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api) | resource |
 | [aws_api_gateway_stage.ndr_api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage) | resource |
 | [aws_api_gateway_usage_plan.apim](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_usage_plan) | resource |
@@ -186,10 +199,12 @@
 | [aws_cloudwatch_event_target.data_collection_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.statistical_report_schedule_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_log_group.mesh_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_metric_filter.edge_presign_error](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource |
 | [aws_cloudwatch_log_metric_filter.error_log_metric_filter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource |
 | [aws_cloudwatch_log_metric_filter.inbox_message_count](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource |
 | [aws_cloudwatch_metric_alarm.api_gateway_alarm_4XX](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_cloudwatch_metric_alarm.api_gateway_alarm_5XX](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
+| [aws_cloudwatch_metric_alarm.edge_presign_lambda_error](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_cloudwatch_metric_alarm.error_log_alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_cloudwatch_metric_alarm.inbox-messages-not-consumed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_cloudwatch_metric_alarm.nrl_dlq_new_messages](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
@@ -280,6 +295,8 @@
 | [aws_s3_bucket_lifecycle_configuration.lg-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_lifecycle_configuration.staging-store-lifecycle-rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_policy.logs_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+| [aws_s3_bucket_public_access_block.logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_versioning.logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_scheduler_schedule.ods_weekly_update_ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/scheduler_schedule) | resource |
 | [aws_security_group.ndr_mesh_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_sns_topic.alarm_notifications_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
@@ -306,6 +323,7 @@
 | [aws_iam_policy_document.ecs-assume-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ecs_execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.logs_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.logs_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sns_failure_feedback_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sns_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

infrastructure/api.tf

@@ -14,6 +14,7 @@ resource "aws_api_gateway_rest_api" "ndr_doc_store_api" {
 resource "aws_api_gateway_domain_name" "custom_api_domain" {
   domain_name              = local.api_gateway_full_domain_name
   regional_certificate_arn = module.ndr-ecs-fargate-app.certificate_arn
+  security_policy          = "TLS_1_2"
 
   endpoint_configuration {
     types = ["REGIONAL"]
@@ -40,6 +41,7 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
   triggers = {
     redeployment = sha1(jsonencode([
       aws_api_gateway_rest_api.ndr_doc_store_api.body,
+      aws_api_gateway_authorizer.repo_authoriser,
       module.authoriser-lambda,
       module.back-channel-logout-gateway,
       module.back_channel_logout_lambda,
@@ -112,9 +114,10 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
 }
 
 resource "aws_api_gateway_stage" "ndr_api" {
-  deployment_id = aws_api_gateway_deployment.ndr_api_deploy.id
-  rest_api_id   = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  stage_name    = var.environment
+  deployment_id        = aws_api_gateway_deployment.ndr_api_deploy.id
+  rest_api_id          = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  stage_name           = var.environment
+  xray_tracing_enabled = false
 }
 
 resource "aws_api_gateway_gateway_response" "unauthorised_response" {

infrastructure/buckets.tf

@@ -171,20 +171,70 @@ resource "aws_s3_bucket" "logs_bucket" {
   }
 }
 
-resource "aws_s3_bucket_policy" "logs_bucket_policy" {
+resource "aws_s3_bucket_versioning" "logs_bucket" {
+  count = local.is_production ? 1 : 0
+
   bucket = aws_s3_bucket.logs_bucket.id
-  policy = jsonencode({
-    "Version" : "2012-10-17",
-    "Statement" : [
-      {
-        "Principal" : {
-          "AWS" : data.aws_elb_service_account.main.arn
-        },
-        "Action" : "s3:PutObject",
-        "Resource" : "${aws_s3_bucket.logs_bucket.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
-        "Effect" : "Allow",
-      }
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "logs_bucket" {
+  bucket = aws_s3_bucket.logs_bucket.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+data "aws_iam_policy_document" "logs_bucket_policy" {
+  statement {
+    effect = "Deny"
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+
+    actions = [
+      "s3:*",
+    ]
+
+    resources = [
+      "${aws_s3_bucket.logs_bucket.arn}/*",
     ]
-  })
-  depends_on = [aws_s3_bucket.logs_bucket]
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
+
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = [data.aws_elb_service_account.main.arn]
+    }
+
+    actions = [
+      "s3:PutObject",
+    ]
+
+    resources = [
+      "${aws_s3_bucket.logs_bucket.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
+    ]
+  }
+}
+
+resource "aws_s3_bucket_policy" "logs_bucket_policy" {
+  bucket = aws_s3_bucket.logs_bucket.id
+  policy = data.aws_iam_policy_document.logs_bucket_policy.json
 }
+
+

infrastructure/lambda-authoriser.tf

@@ -75,7 +75,7 @@ module "authoriser-alarm-topic" {
 
 resource "aws_api_gateway_authorizer" "repo_authoriser" {
   name                             = "${terraform.workspace}_repo_authoriser"
-  type                             = "TOKEN"
+  type                             = "REQUEST"
   identity_source                  = "method.request.header.Authorization"
   rest_api_id                      = aws_api_gateway_rest_api.ndr_doc_store_api.id
   authorizer_uri                   = module.authoriser-lambda.invoke_arn

infrastructure/lambda-edge-presign.tf

@@ -9,6 +9,32 @@ module "edge_presign_alarm" {
   depends_on           = [module.edge-presign-lambda, module.edge_presign_alarm_topic]
 }
 
+resource "aws_cloudwatch_log_metric_filter" "edge_presign_error" {
+  name           = "EdgePresignErrorFilter"
+  pattern        = "%LambdaError%"
+  log_group_name = "/aws/lambda/us-east-1.${module.edge-presign-lambda.function_name}"
+  metric_transformation {
+    name      = "EdgePresignErrorCount"
+    namespace = "EdgeLambdaInsights"
+    value     = "1"
+  }
+}
+
+resource "aws_cloudwatch_metric_alarm" "edge_presign_lambda_error" {
+  alarm_name          = "${module.edge-presign-lambda.function_name}_error_alarm"
+  metric_name         = "EdgePresignErrorCount"
+  namespace           = "EdgeLambdaInsights"
+  threshold           = 0
+  statistic           = "Sum"
+  period              = "300"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = "1"
+  alarm_actions       = [aws_sns_topic.alarm_notifications_topic[0].arn]
+  ok_actions          = [module.edge_presign_alarm_topic.arn]
+  depends_on          = [module.edge-presign-lambda, aws_sns_topic.alarm_notifications_topic[0]]
+  alarm_description   = "Triggers when Edge Presign Lambda errors."
+  count               = local.is_sandbox ? 0 : 1
+}
 
 module "edge_presign_alarm_topic" {
   source                = "./modules/sns"

infrastructure/lambda-search-patient.tf

@@ -68,7 +68,9 @@ module "search-patient-details-lambda" {
   handler = "handlers.search_patient_details_handler.lambda_handler"
   iam_role_policy_documents = [
     aws_iam_policy.ssm_access_policy.policy,
-    module.ndr-app-config.app_config_policy
+    module.ndr-app-config.app_config_policy,
+    module.auth_session_dynamodb_table.dynamodb_write_policy_document,
+    module.auth_session_dynamodb_table.dynamodb_read_policy_document,
   ]
   rest_api_id  = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id  = module.search-patient-details-gateway.gateway_resource_id
@@ -82,6 +84,7 @@ module "search-patient-details-lambda" {
     PDS_FHIR_IS_STUBBED            = local.is_sandbox,
     SPLUNK_SQS_QUEUE_URL           = try(module.sqs-splunk-queue[0].sqs_url, null)
     WORKSPACE                      = terraform.workspace
+    AUTH_SESSION_TABLE_NAME        = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
   }
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   depends_on = [

infrastructure/mesh-forwarder.tf

@@ -392,8 +392,9 @@ data "aws_iam_policy_document" "sns_failure_feedback_policy" {
 
 # CloudWatch groups
 resource "aws_cloudwatch_log_group" "mesh_log_group" {
-  count = local.is_mesh_forwarder_enable ? 1 : 0
-  name  = "/nhs/deductions/${terraform.workspace}/${var.mesh_component_name}"
+  count             = local.is_mesh_forwarder_enable ? 1 : 0
+  name              = "/nhs/deductions/${terraform.workspace}/${var.mesh_component_name}"
+  retention_in_days = 0
 
   tags = {
     Environment = var.environment

infrastructure/modules/ecs/README.md

@@ -63,7 +63,7 @@ No modules.
 | <a name="input_ecs_task_definition_cpu"></a> [ecs\_task\_definition\_cpu](#input\_ecs\_task\_definition\_cpu) | n/a | `number` | `1024` | no |
 | <a name="input_ecs_task_definition_memory"></a> [ecs\_task\_definition\_memory](#input\_ecs\_task\_definition\_memory) | n/a | `number` | `2048` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | n/a | `string` | n/a | yes |
-| <a name="input_environment_vars"></a> [environment\_vars](#input\_environment\_vars) | n/a | `list` | <pre>[<br>  null<br>]</pre> | no |
+| <a name="input_environment_vars"></a> [environment\_vars](#input\_environment\_vars) | n/a | `list` | <pre>[<br/>  null<br/>]</pre> | no |
 | <a name="input_is_autoscaling_needed"></a> [is\_autoscaling\_needed](#input\_is\_autoscaling\_needed) | n/a | `bool` | `true` | no |
 | <a name="input_is_lb_needed"></a> [is\_lb\_needed](#input\_is\_lb\_needed) | n/a | `bool` | `false` | no |
 | <a name="input_is_service_needed"></a> [is\_service\_needed](#input\_is\_service\_needed) | n/a | `bool` | `true` | no |

infrastructure/modules/ecs/cluster.tf

@@ -19,5 +19,6 @@ resource "aws_ecs_cluster" "ndr_ecs_cluster" {
 }
 
 resource "aws_cloudwatch_log_group" "ecs_cluster_logs" {
-  name = "${terraform.workspace}-${var.ecs_cluster_name}-logs"
+  name              = "${terraform.workspace}-${var.ecs_cluster_name}-logs"
+  retention_in_days = 0
 }