Merge branch 'main' into PRMP-594

Author: adamwhitingnhs

.github/workflows/automated-deploy-dev.yml

@@ -61,7 +61,7 @@ jobs:
       - name: Run Terraform Plan
         id: plan
         run: |
-          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan > plan_output.txt 2>&1
+          terraform plan -lock-timeout=20m -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan > plan_output.txt 2>&1
           terraform show -no-color tf.plan > tfplan.txt 2>&1
 
           # Mask PEM certificates (BEGIN...END CERTIFICATE)
@@ -202,7 +202,7 @@ jobs:
       # Terraform apply will only occur on a push (merge request completion)
       - name: Run Terraform Apply
         if: github.ref == 'refs/heads/main'
-        run: terraform apply -auto-approve -input=false tf.plan
+        run: terraform apply -lock-timeout=20m -auto-approve -input=false tf.plan
         working-directory: ./infrastructure
 
   deploy_lambdas:
@@ -220,3 +220,68 @@ jobs:
     uses: NHSDigital/national-document-repository/.github/workflows/ui-dev-to-main-ci.yml@main
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+
+  notify-slack:
+    runs-on: ubuntu-latest
+    needs: [terraform_plan_apply, deploy_lambdas, deploy_ui]
+    if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Get slack bot token from SSM parameter store
+        run: |
+          slack_bot_token=$(aws ssm get-parameter --name "/ndr/alerting/slack/bot_token" --with-decryption --query "Parameter.Value" --output text)
+          echo "::add-mask::$slack_bot_token"
+          echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
+
+      - name: Send Slack Notification
+        uses: slackapi/[email protected]
+        with:
+          method: chat.postMessage
+          token: ${{ env.SLACK_BOT_TOKEN }}
+          payload: |
+            {
+              "channel": "${{ vars.ALERTS_SLACK_CHANNEL_ID }}",
+              "attachments": [
+                {
+                  "color": "#ff0000",
+                  "blocks": [
+                    {
+                      "type": "header",
+                      "text": {
+                        "type": "plain_text",
+                        "text": "❌ Workflow `${{ github.workflow }}` failed"
+                      }
+                    },
+                    {
+                      "type": "section",
+                      "text": {
+                        "type": "mrkdwn",
+                        "text": "*Triggered by:* `${{ github.actor }}`\n*Branch:* `${{ github.ref_name }}`\n*Workflow:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"
+                      }
+                    },
+                    {
+                      "type": "divider"
+                    },
+                    {
+                      "type": "section",
+                      "fields": [
+                        { "type": "mrkdwn", "text": "*terraform_plan_apply:* ${{ needs.terraform_plan_apply.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*deploy_lambdas:* ${{ needs.deploy_lambdas.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*deploy_ui:* ${{ needs.deploy_ui.result == 'success' && ':white_check_mark:' || ':x:' }}" }
+                      ]
+                    },
+                    {
+                      "type": "context",
+                      "elements": [
+                        { "type": "mrkdwn", "text": "Environment: `development` | Sandbox: `ndr-dev`" }
+                      ]
+                    }
+                  ]
+                }
+              ]
+            }

.github/workflows/automated-sonarqube-cloud-analysis.yml

@@ -26,3 +26,60 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  notify-slack:
+    runs-on: ubuntu-latest
+    needs: [sonarqube_cloud]
+    if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Get slack bot token from SSM parameter store
+        run: |
+          slack_bot_token=$(aws ssm get-parameter --name "/ndr/alerting/slack/bot_token" --with-decryption --query "Parameter.Value" --output text)
+          echo "::add-mask::$slack_bot_token"
+          echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
+
+      - name: Send Slack Notification
+        uses: slackapi/[email protected]
+        with:
+          method: chat.postMessage
+          token: ${{ env.SLACK_BOT_TOKEN }}
+          payload: |
+            {
+              "channel": "${{ vars.ALERTS_SLACK_CHANNEL_ID }}",
+              "attachments": [
+                {
+                  "color": "#ff0000",
+                  "blocks": [
+                    {
+                      "type": "header",
+                      "text": {
+                        "type": "plain_text",
+                        "text": "❌ Workflow `${{ github.workflow }}` failed"
+                      }
+                    },
+                    {
+                      "type": "section",
+                      "text": {
+                        "type": "mrkdwn",
+                        "text": "*Triggered by:* `${{ github.actor }}`\n*Branch:* `${{ github.ref_name }}`\n*Workflow:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"
+                      }
+                    },
+                    {
+                      "type": "divider"
+                    },
+                    {
+                      "type": "section",
+                      "fields": [
+                        { "type": "mrkdwn", "text": "*sonarqube_cloud:* ${{ needs.sonarqube_cloud.result == 'success' && ':white_check_mark:' || ':x:' }}" }
+                      ]
+                    }
+                  ]
+                }
+              ]
+            }

.github/workflows/cron-daily-health-check.yml

@@ -160,7 +160,7 @@ jobs:
       environment: development
       python_version: "3.11"
     secrets:
-        AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+      AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
 
   deploy_lambdas:
     name: Deploy Lambdas
@@ -196,3 +196,72 @@ jobs:
       sandbox_name: ${{ needs.set_workspace.outputs.workspace }}
       environment: development
     secrets: inherit
+
+  notify-slack:
+    runs-on: ubuntu-latest
+    needs: [terraform_plan_apply, run_lambda_unit_tests, run_ui_unit_tests, run_cypress_tests, publish_lambda_layers, deploy_lambdas, deploy_ui]
+    if: failure()
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Get slack bot token from SSM parameter store
+        run: |
+          slack_bot_token=$(aws ssm get-parameter --name "/ndr/alerting/slack/bot_token" --with-decryption --query "Parameter.Value" --output text)
+          echo "::add-mask::$slack_bot_token"
+          echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
+
+      - name: Send Slack Notification
+        uses: slackapi/[email protected]
+        with:
+          method: chat.postMessage
+          token: ${{ env.SLACK_BOT_TOKEN }}
+          payload: |
+            {
+              "channel": "${{ vars.ALERTS_SLACK_CHANNEL_ID }}",
+              "attachments": [
+                {
+                  "color": "#ff0000",
+                  "blocks": [
+                    {
+                      "type": "header",
+                      "text": {
+                        "type": "plain_text",
+                        "text": "❌ Workflow `${{ github.workflow }}` failed"
+                      }
+                    },
+                    {
+                      "type": "section",
+                      "text": {
+                        "type": "mrkdwn",
+                        "text": "*Triggered by:* `Scheduled Job`\n*Workflow:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"
+                      }
+                    },
+                    {
+                      "type": "divider"
+                    },
+                    {
+                      "type": "section",
+                      "fields": [
+                        { "type": "mrkdwn", "text": "*terraform_plan_apply:* ${{ needs.terraform_plan_apply.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*run_lambda_unit_tests:* ${{ needs.run_lambda_unit_tests.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*run_ui_unit_tests:* ${{ needs.run_ui_unit_tests.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*run_cypress_tests:* ${{ needs.run_cypress_tests.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*publish_lambda_layers:* ${{ needs.publish_lambda_layers.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*deploy_lambdas:* ${{ needs.deploy_lambdas.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*deploy_ui:* ${{ needs.deploy_ui.result == 'success' && ':white_check_mark:' || ':x:' }}" }
+                      ]
+                    },
+                    {
+                      "type": "context",
+                      "elements": [
+                        { "type": "mrkdwn", "text": "Environment: `development` | Sandbox: `${{ needs.set_workspace.outputs.workspace }}`" }
+                      ]
+                    }
+                  ]
+                }
+              ]
+            }

infrastructure/buckets.tf

@@ -85,6 +85,18 @@ module "migration-dynamodb-segment-store" {
   force_destroy             = local.is_force_destroy
 }
 
+module "migration-failed-items-store" {
+  source                    = "./modules/s3/"
+  access_logs_enabled       = local.is_production
+  access_logs_bucket_id     = local.access_logs_bucket_id
+  bucket_name               = var.migration_failed_items_store_bucket_name
+  enable_cors_configuration = false
+  enable_bucket_versioning  = true
+  environment               = var.environment
+  owner                     = var.owner
+  force_destroy             = local.is_force_destroy
+}
+
 module "statistical-reports-store" {
   source                    = "./modules/s3/"
   access_logs_enabled       = local.is_production

infrastructure/dynamo_db_review.tf

@@ -1,4 +1,5 @@
 module "document_review_dynamodb_table" {
+  count                          = local.is_production ? 0 : 1
   source                         = "./modules/dynamo_db"
   table_name                     = var.document_review_table_name
   hash_key                       = "ID"

infrastructure/lambda-bulk-upload-metadata-processor.tf

@@ -72,3 +72,47 @@ module "bulk-upload-metadata-processor-alarm-topic" {
 
   depends_on = [module.bulk-upload-metadata-processor-lambda, module.sns_encryption_key]
 }
+
+resource "aws_cloudwatch_event_rule" "bulk_upload_metadata_processor_lambda_expedite" {
+  name        = "${terraform.workspace}-staging-bulk-store-expedite-folder-object-created-rule"
+  description = "Trigger bulk_upload_metadata_processor_lambda when a file is added to the expedite/ folder in the staging-bulk-store bucket"
+  event_pattern = jsonencode({
+    "source" : ["aws.s3"],
+    "detail-type" : ["Object Created"],
+    "detail" : {
+      "bucket" : {
+        "name" : [module.ndr-bulk-staging-store.bucket_id]
+      },
+      "object" : {
+        "key" : [{
+          "prefix" : "expedite/"
+        }]
+      }
+    }
+  })
+  depends_on = [
+    module.ndr-bulk-staging-store
+  ]
+}
+
+resource "aws_cloudwatch_event_target" "bulk_upload_metadata_processor_lambda" {
+  rule      = aws_cloudwatch_event_rule.bulk_upload_metadata_processor_lambda_expedite.name
+  arn       = module.bulk-upload-metadata-processor-lambda.lambda_arn
+  target_id = "bulk-upload-metadata-processor-lambda"
+  depends_on = [
+    module.bulk-upload-metadata-processor-lambda,
+    aws_cloudwatch_event_rule.bulk_upload_metadata_processor_lambda_expedite
+  ]
+}
+
+resource "aws_lambda_permission" "bulk_upload_metadata_processor_lambda_expedite" {
+  statement_id  = "AllowEventBridgeInvoke"
+  action        = "lambda:InvokeFunction"
+  function_name = module.bulk-upload-metadata-processor-lambda.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.bulk_upload_metadata_processor_lambda_expedite.arn
+  depends_on = [
+    module.bulk-upload-metadata-processor-lambda,
+    aws_cloudwatch_event_rule.bulk_upload_metadata_processor_lambda_expedite
+  ]
+}

infrastructure/lambda-dynamodb-migration.tf

@@ -10,7 +10,8 @@ module "migration-dynamodb-lambda" {
     module.ndr-bulk-staging-store.s3_read_policy_document,
     module.ndr-lloyd-george-store.s3_read_policy_document,
     aws_iam_policy.ssm_access_policy.policy,
-    module.ndr-app-config.app_config_policy
+    module.ndr-app-config.app_config_policy,
+    module.migration-failed-items-store.s3_write_policy_document
   ]
 
   kms_deletion_window           = var.kms_deletion_window
@@ -20,10 +21,11 @@ module "migration-dynamodb-lambda" {
   is_invoked_from_gateway       = false
 
   lambda_environment_variables = {
-    WORKSPACE               = terraform.workspace
-    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
-    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
-    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+    WORKSPACE                                = terraform.workspace
+    APPCONFIG_APPLICATION                    = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT                    = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION                  = module.ndr-app-config.app_config_configuration_profile_id
+    MIGRATION_FAILED_ITEMS_STORE_BUCKET_NAME = "${terraform.workspace}-${var.migration_failed_items_store_bucket_name}"
   }
 
   lambda_timeout                 = 900
@@ -35,5 +37,6 @@ module "migration-dynamodb-lambda" {
     module.bulk_upload_report_dynamodb_table,
     module.ndr-app-config,
     aws_iam_policy.ssm_access_policy,
+    module.migration-failed-items-store
   ]
 }

infrastructure/lambda-mns-notification.tf

@@ -8,8 +8,8 @@ module "mns-notification-lambda" {
     module.sqs-mns-notification-queue[0].sqs_write_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
-    module.document_review_dynamodb_table.dynamodb_write_policy_document,
-    module.document_review_dynamodb_table.dynamodb_read_policy_document,
+    local.is_production ? "" : module.document_review_dynamodb_table[0].dynamodb_write_policy_document,
+    local.is_production ? "" : module.document_review_dynamodb_table[0].dynamodb_read_policy_document,
     aws_iam_policy.ssm_access_policy.policy,
     module.ndr-app-config.app_config_policy,
     aws_iam_policy.kms_mns_lambda_access[0].policy,
@@ -23,7 +23,7 @@ module "mns-notification-lambda" {
     APPCONFIG_CONFIGURATION       = module.ndr-app-config.app_config_configuration_profile_id
     WORKSPACE                     = terraform.workspace
     LLOYD_GEORGE_DYNAMODB_NAME    = module.lloyd_george_reference_dynamodb_table.table_name
-    DOCUMENT_REVIEW_DYNAMODB_NAME = module.document_review_dynamodb_table.table_name
+    DOCUMENT_REVIEW_DYNAMODB_NAME = local.is_production ? "" : module.document_review_dynamodb_table[0].table_name
     MNS_NOTIFICATION_QUEUE_URL    = module.sqs-mns-notification-queue[0].sqs_url
     PDS_FHIR_IS_STUBBED           = local.is_sandbox
   }

infrastructure/lambda-search-doc-references.tf

@@ -63,7 +63,8 @@ module "search-document-references-lambda" {
     module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-lloyd-george-store.s3_read_policy_document,
     module.ndr-document-store.s3_read_policy_document,
-    module.ndr-app-config.app_config_policy
+    module.ndr-app-config.app_config_policy,
+    aws_iam_policy.ssm_access_policy.policy
   ]
   kms_deletion_window = var.kms_deletion_window
   rest_api_id         = aws_api_gateway_rest_api.ndr_doc_store_api.id

infrastructure/modules/app_config/configurations/dev.json

@@ -30,7 +30,7 @@
             "enabled": "true"
         },
         "uploadArfWorkflowEnabled": {
-            "enabled": "true"
+            "enabled": "false"
         },
         "useSmartcardAuth": {
             "enabled": "false"
@@ -39,10 +39,10 @@
             "enabled": "true"
         },
         "uploadDocumentIteration2Enabled": {
-            "enabled": "true"
+            "enabled": "false"
         },
         "uploadDocumentIteration3Enabled": {
-            "enabled": "true"
+            "enabled": "false"
         }
     },
     "version": "1"