Merge branch 'main' into PRM-134-v2

Author: AndyFlintNHS

.github/workflows/terraform-dev-to-main-ci.yml

@@ -72,6 +72,16 @@ jobs:
       run: |
         terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan > plan_output.txt 2>&1
         terraform show -no-color tf.plan > tfplan.txt 2>&1
+
+        # Mask PEM certificates (BEGIN...END CERTIFICATE)
+        awk 'BEGIN{cert=""}
+        /-----BEGIN CERTIFICATE-----/{cert=$0; in_cert=1; next}
+        /-----END CERTIFICATE-----/{cert=cert"\n"$0; print cert; cert=""; in_cert=0; next}
+        in_cert{cert=cert"\n"$0}' tfplan.txt | while IFS= read -r cert_block; do
+          if [ -n "$cert_block" ]; then
+            echo "::add-mask::$cert_block"
+          fi
+        done || echo "No certificate blocks found to mask."
         
         # Mask sensitive URLs in the Terraform Plan output
         grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do
@@ -125,6 +135,7 @@ jobs:
         PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's/[0-9]{12}/[REDACTED_AWS_ACCOUNT_ID]/g')
         PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+#[REDACTED_LAMBDA_URL]#g')
         PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*#[REDACTED_API_GATEWAY_URL]#g')
+        PLAN_FULL=$(echo "$PLAN_FULL" | sed -E '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/s/.*/[REDACTED_PEM_CERT]/')
 
         echo "PLAN<<EOF" >> $GITHUB_ENV
         echo "${PLAN_FULL::$LENGTH}" >> $GITHUB_ENV

infrastructure/README.md

@@ -0,0 +1,17 @@
+resource "aws_api_gateway_usage_plan" "api_key_pdm" {
+  name = "${terraform.workspace}_pdm-usage-plan"
+  api_stages {
+    api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
+    stage  = aws_api_gateway_stage.ndr_api.stage_name
+  }
+}
+
+resource "aws_api_gateway_api_key" "api_key_pdm" {
+  name = "${terraform.workspace}_pdm-api-key"
+}
+
+resource "aws_api_gateway_usage_plan_key" "api_key_pdm" {
+  key_id        = aws_api_gateway_api_key.api_key_pdm.id
+  key_type      = "API_KEY"
+  usage_plan_id = aws_api_gateway_usage_plan.api_key_pdm.id
+}

infrastructure/api-key-pdm.tf

@@ -47,7 +47,7 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.access-audit-lambda,
     module.back-channel-logout-gateway,
     module.back_channel_logout_lambda,
-    module.create-doc-ref-gateway,
+    module.document_reference_gateway,
     module.create-doc-ref-lambda,
     module.create-token-gateway,
     module.create-token-lambda,
@@ -91,7 +91,28 @@ resource "aws_api_gateway_stage" "ndr_api" {
   deployment_id        = aws_api_gateway_deployment.ndr_api_deploy.id
   rest_api_id          = aws_api_gateway_rest_api.ndr_doc_store_api.id
   stage_name           = var.environment
-  xray_tracing_enabled = false
+  xray_tracing_enabled = var.enable_xray_tracing
+
+  depends_on = [aws_cloudwatch_log_group.api_gateway_stage]
+}
+
+resource "aws_cloudwatch_log_group" "api_gateway_stage" {
+  # Name must follow this format to allow execution logging 
+  # https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html
+  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.ndr_doc_store_api.id}/${var.environment}"
+  retention_in_days = 0
+}
+
+resource "aws_api_gateway_method_settings" "api_gateway_stage" {
+  rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  stage_name  = aws_api_gateway_stage.ndr_api.stage_name
+  method_path = "*/*"
+
+  settings {
+    logging_level      = "INFO"
+    metrics_enabled    = true
+    data_trace_enabled = true
+  }
 }
 
 resource "aws_api_gateway_gateway_response" "unauthorised_response" {
@@ -110,6 +131,10 @@ resource "aws_api_gateway_gateway_response" "unauthorised_response" {
   }
 }
 
+resource "aws_api_gateway_client_certificate" "ndr_api" {
+  description = "Client certificate used for backend authentication in HTTP integrations with the NDR API Gateway (${var.environment})"
+}
+
 resource "aws_api_gateway_gateway_response" "bad_gateway_response" {
   rest_api_id   = aws_api_gateway_rest_api.ndr_doc_store_api.id
   response_type = "DEFAULT_5XX"

infrastructure/api.tf

@@ -58,7 +58,9 @@ resource "aws_backup_selection" "cross_account_backup_selection" {
     module.document_reference_dynamodb_table.dynamodb_table_arn,
     module.lloyd_george_reference_dynamodb_table.dynamodb_table_arn,
     module.bulk_upload_report_dynamodb_table.dynamodb_table_arn,
-    module.statistical-reports-store.bucket_arn
+    module.statistical-reports-store.bucket_arn,
+    module.pdm_dynamodb_table.dynamodb_table_arn,
+    module.pdm-document-store.bucket_arn
   ]
 }
 

infrastructure/backup-cross-account.tf

@@ -53,22 +53,22 @@ module "ndr-lloyd-george-store" {
   cloudfront_enabled        = true
   cloudfront_arn            = module.cloudfront-distribution-lg.cloudfront_arn
   bucket_name               = var.lloyd_george_bucket_name
-  enable_cors_configuration = contains(["prod"], terraform.workspace) ? false : true
   enable_bucket_versioning  = true
   environment               = var.environment
   owner                     = var.owner
   force_destroy             = local.is_force_destroy
+  enable_cors_configuration = true
   cors_rules = [
     {
       allowed_headers = ["*"]
       allowed_methods = ["POST", "PUT", "DELETE"]
-      allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+      allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
       expose_headers  = ["ETag"]
       max_age_seconds = 3000
     },
     {
       allowed_methods = ["GET"]
-      allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+      allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
     }
   ]
 }
@@ -342,3 +342,25 @@ resource "aws_s3_bucket_logging" "logs_bucket_logging" {
   target_bucket = local.access_logs_bucket_id
   target_prefix = "${aws_s3_bucket.logs_bucket.id}/"
 }
+
+module "pdm-document-store" {
+  source                   = "./modules/s3/"
+  access_logs_enabled      = local.is_production
+  access_logs_bucket_id    = local.access_logs_bucket_id
+  bucket_name              = var.pdm_document_bucket_name
+  enable_bucket_versioning = true
+  environment              = var.environment
+  owner                    = var.owner
+  force_destroy            = local.is_force_destroy
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "pdm_document_store" {
+  bucket = module.pdm-document-store.bucket_id
+  rule {
+    id     = "default-to-intelligent-tiering"
+    status = "Enabled"
+    transition {
+      storage_class = "INTELLIGENT_TIERING"
+    }
+  }
+}

infrastructure/buckets.tf

@@ -0,0 +1,21 @@
+locals {
+  pds_tracking_lambdas = [
+    "SearchPatientDetailsLambda",
+    "BulkUploadLambda",
+    "MNSNotificationLambda"
+  ]
+}
+
+resource "aws_cloudwatch_log_metric_filter" "pds_tracker" {
+  for_each = local.is_sandbox ? [] : toset(local.pds_tracking_lambdas)
+
+  name           = "PDSUsageMetricFilter-${each.key}"
+  pattern        = "%NDR-TR1%"
+  log_group_name = "/aws/lambda/${terraform.workspace}_${each.key}"
+
+  metric_transformation {
+    name      = "PDSEventCount"
+    namespace = "NDRInsights"
+    value     = "1"
+  }
+}

infrastructure/cloudwatch_metrics.tf

@@ -8,4 +8,8 @@ cloudwatch_alarm_evaluation_periods = 5
 poll_frequency                      = "3600"
 
 standalone_vpc_tag    = "ndr-dev"
-standalone_vpc_ig_tag = "ndr-dev"
+standalone_vpc_ig_tag = "ndr-dev"
+
+cloud_security_email_param_environment = "dev"
+
+apim_environment = "internal-dev."

infrastructure/dev.tfvars

@@ -413,6 +413,78 @@ module "access_audit_dynamodb_table" {
   owner       = var.owner
 }
 
+module "pdm_dynamodb_table" {
+  source                         = "./modules/dynamo_db"
+  table_name                     = var.pdm_dynamodb_table_name
+  hash_key                       = "ID"
+  deletion_protection_enabled    = local.is_production
+  stream_enabled                 = true
+  stream_view_type               = "OLD_IMAGE"
+  ttl_enabled                    = true
+  ttl_attribute_name             = "TTL"
+  point_in_time_recovery_enabled = !local.is_sandbox
+
+  attributes = [
+    {
+      name = "ID"
+      type = "S"
+    },
+    {
+      name = "NhsNumber"
+      type = "S"
+    },
+    {
+      name = "DocumentSnomedCodeType"
+      type = "S"
+    },
+    {
+      name = "DocStatus"
+      type = "S"
+    },
+    {
+      name = "Author"
+      type = "S"
+    },
+    {
+      name = "Custodian"
+      type = "S"
+    }
+  ]
+
+  global_secondary_indexes = [
+
+    {
+      name            = "NhsNumberIndex"
+      hash_key        = "NhsNumber"
+      projection_type = "ALL"
+    },
+    {
+      name            = "DocumentSnomedCodeTypeIndex"
+      hash_key        = "DocumentSnomedCodeType"
+      projection_type = "ALL"
+    },
+    {
+      name            = "DocStatusIndex"
+      hash_key        = "DocStatus"
+      projection_type = "ALL"
+    },
+    {
+      name            = "AuthorIndex"
+      hash_key        = "Author"
+      projection_type = "ALL"
+    },
+    {
+      name            = "CustodianIndex"
+      hash_key        = "Custodian"
+      projection_type = "ALL"
+    }
+  ]
+
+  environment = var.environment
+  owner       = var.owner
+}
+
+
 module "alarm_state_history_table" {
   source                         = "./modules/dynamo_db"
   table_name                     = var.alarm_state_history_table_name
@@ -437,4 +509,4 @@ module "alarm_state_history_table" {
 
   environment = var.environment
   owner       = var.owner
-}
+}

infrastructure/dynamo_db.tf

@@ -16,3 +16,12 @@ resource "aws_wafv2_web_acl_association" "web_acl_association" {
   ]
 }
 
+resource "aws_wafv2_web_acl_association" "api_gateway" {
+  resource_arn = aws_api_gateway_stage.ndr_api.arn
+  web_acl_arn  = module.firewall_waf_v2[0].arn
+  count        = local.is_sandbox ? 0 : 1
+  depends_on = [
+    aws_api_gateway_stage.ndr_api,
+    module.firewall_waf_v2[0]
+  ]
+}