Merge branch 'main' into PRMP-1048

Author: robg-test

.github/actions/tf-plan-apply/action.yml

@@ -0,0 +1,88 @@
+name: "Terraform Plan & Apply"
+description: "Run Terraform Plan & Apply for a given component"
+
+inputs:
+  aws_assume_role:
+    description: "AWS IAM Role to assume"
+    required: true
+
+  aws_region:
+    description: "AWS Region to use"
+    required: true
+    default: "eu-west-2"
+
+  terraform_version:
+    description: "Terraform version to use"
+    required: false
+    default: "1.13.3"
+
+  backend_conf:
+    description: "Terraform backend config file"
+    required: true
+
+  working_directory:
+    description: "Terraform working directory"
+    required: false
+    default: "./infrastructure"
+
+  workspace:
+    description: "Workspace (ndr-dev, ndr-test, pre-prod, prod) or Sandbox name [a-z0-9]{1,8}"
+    required: true
+
+  tf_vars_file:
+    description: "Terraform variables file"
+    required: true
+
+  tf_extra_args:
+    description: "Additional Terraform arguments to pass in"
+    required: false
+    default: ""
+
+  do_apply:
+    description: "Whether to run 'terraform apply' after 'terraform plan'"
+    required: false
+    default: "true"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v5
+      with:
+        role-to-assume: ${{ inputs.aws_assume_role }}
+        role-skip-session-tagging: true
+        aws-region: ${{ inputs.aws_region }}
+        mask-aws-account-id: true
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: ${{ inputs.terraform_version }}
+        terraform_wrapper: false
+
+    - name: Initialise Terraform
+      run: terraform init -backend-config=${{ inputs.backend_conf }}
+      working-directory: ${{ inputs.working_directory }}
+      shell: bash
+
+    - name: Select Terraform Workspace
+      run: terraform workspace select -or-create ${{ inputs.workspace }}
+      working-directory: ${{ inputs.working_directory }}
+      shell: bash
+
+    - name: Check Terraform Formatting
+      run: terraform fmt -check
+      working-directory: ${{ inputs.working_directory }}
+      shell: bash
+
+    - name: Run Terraform Plan
+      run: |
+        terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" ${{ inputs.tf_extra_args }} -out tf.plan
+      working-directory: ${{ inputs.working_directory }}
+      shell: bash
+
+    - name: Run Terraform Apply
+      if: ${{ inputs.do_apply == 'true' }}
+      run: terraform apply -auto-approve -input=false tf.plan
+      working-directory: ${{ inputs.working_directory }}
+      shell: bash

.github/workflows/deploy-sandbox.yml

@@ -10,7 +10,7 @@ on:
         required: true
         type: "string"
       sandbox_name:
-        description: "Sandbox name [a-z0-9]{1,8}"
+        description: "Sandbox name [a-z0-9]{1,7}"
         required: true
         type: "string"
 
@@ -27,8 +27,8 @@ jobs:
     steps:
       - name: Validate sandbox name
         run: |
-          if ! [[ "$SANDBOX_NAME" =~ ^[a-z0-9]{1,8}$ ]]; then
-            echo "Sandbox name must match [a-z0-9]{1,8} (lowercase letters and digits only, 1-8 chars)."
+          if ! [[ "$SANDBOX_NAME" =~ ^[a-z0-9]{1,7}$ ]]; then
+            echo "Sandbox name must match [a-z0-9]{1,7} (lowercase letters and digits only, 1-7 chars)."
             exit 1
           fi
         env:

infrastructure/cloudfront.tf

@@ -80,7 +80,7 @@ resource "aws_cloudfront_distribution" "s3_presign_mask" {
     target_origin_id         = module.ndr-bulk-staging-store.bucket_id
     viewer_protocol_policy   = "redirect-to-https"
     cache_policy_id          = aws_cloudfront_cache_policy.nocache.id
-    origin_request_policy_id = aws_cloudfront_origin_request_policy.viewer.id
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.uploader.id
 
     lambda_function_association {
       event_type = "origin-request"
@@ -124,9 +124,44 @@ resource "aws_cloudfront_origin_request_policy" "viewer" {
     header_behavior = "whitelist"
     headers {
       items = [
-        "Host",
         "CloudFront-Viewer-Country",
-        "X-Forwarded-For"
+        "X-Forwarded-For",
+      ]
+    }
+  }
+
+  cookies_config {
+    cookie_behavior = "none"
+  }
+}
+
+resource "aws_cloudfront_origin_request_policy" "uploader" {
+  name = "${terraform.workspace}_BlockQueriesAndAllowUploader"
+
+  query_strings_config {
+    query_string_behavior = "whitelist"
+    query_strings {
+      items = [
+        "X-Amz-Algorithm",
+        "X-Amz-Credential",
+        "X-Amz-Date",
+        "X-Amz-Expires",
+        "X-Amz-SignedHeaders",
+        "X-Amz-Signature",
+        "X-Amz-Security-Token"
+      ]
+    }
+  }
+
+  headers_config {
+    header_behavior = "whitelist"
+    headers {
+      items = [
+        "CloudFront-Viewer-Country",
+        "X-Forwarded-For",
+        "Access-Control-Request-Method",
+        "Access-Control-Request-Headers",
+        "Origin"
       ]
     }
   }

infrastructure/dynamo_db.tf

@@ -557,3 +557,34 @@ module "alarm_state_history_table" {
   environment = var.environment
   owner       = var.owner
 }
+
+module "bulk_upload_contact_lookup_table" {
+  source                         = "./modules/dynamo_db"
+  table_name                     = var.bulk_upload_contact_lookup_table_name
+  hash_key                       = "OdsCode"
+  deletion_protection_enabled    = var.deletion_protection_enabled
+  point_in_time_recovery_enabled = !local.is_sandbox
+  stream_enabled                 = false
+  ttl_enabled                    = false
+
+  attributes = [
+    {
+      name = "OdsCode",
+      type = "S"
+    },
+    {
+      name = "Email"
+      type = "S"
+    }
+  ]
+  global_secondary_indexes = [
+    {
+      name            = "EmailIndex"
+      hash_key        = "Email"
+      projection_type = "ALL"
+    },
+  ]
+
+  environment = var.environment
+  owner       = var.owner
+}

infrastructure/lambda-document-upload-check.tf

@@ -10,8 +10,6 @@ module "document_upload_check_lambda" {
     aws_iam_policy.ssm_access_policy.policy,
     module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
-    module.pdm_dynamodb_table.dynamodb_read_policy_document,
-    module.pdm_dynamodb_table.dynamodb_write_policy_document,
     data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
     module.document_upload_review_dynamodb_table.dynamodb_read_policy_document,
     module.document_upload_review_dynamodb_table.dynamodb_write_policy_document,
@@ -24,9 +22,7 @@ module "document_upload_check_lambda" {
   http_methods        = null
   api_execution_arn   = null
   lambda_environment_variables = {
-    LLOYD_GEORGE_DYNAMODB_NAME    = module.lloyd_george_reference_dynamodb_table.table_name
     DOCUMENT_REVIEW_DYNAMODB_NAME = module.document_upload_review_dynamodb_table.table_name
-    PDM_DYNAMODB_NAME             = module.pdm_dynamodb_table.table_name
     STAGING_STORE_BUCKET_NAME     = module.ndr-bulk-staging-store.bucket_id
     LLOYD_GEORGE_BUCKET_NAME      = module.ndr-lloyd-george-store.bucket_id
     PDM_BUCKET_NAME               = module.pdm-document-store.bucket_id
@@ -45,6 +41,7 @@ module "document_upload_check_lambda" {
     module.ndr-bulk-staging-store,
     module.ndr-lloyd-george-store,
     module.lloyd_george_reference_dynamodb_table,
+    module.core_dynamodb_table,
   ]
 }
 

infrastructure/lambda-get-document-fhir.tf

@@ -39,7 +39,6 @@ module "get-doc-fhir-lambda" {
   iam_role_policy_documents = [
     module.ndr-app-config.app_config_policy,
     module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
-    module.pdm_dynamodb_table.dynamodb_read_policy_document,
     module.core_dynamodb_table.dynamodb_read_policy_document,
     aws_iam_policy.ssm_access_policy.policy,
     aws_iam_policy.mtls_access_ssm_policy.policy,
@@ -52,21 +51,18 @@ module "get-doc-fhir-lambda" {
   http_methods        = ["GET"]
   api_execution_arn   = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   lambda_environment_variables = {
-    APPCONFIG_APPLICATION      = module.ndr-app-config.app_config_application_id
-    APPCONFIG_ENVIRONMENT      = module.ndr-app-config.app_config_environment_id
-    APPCONFIG_CONFIGURATION    = module.ndr-app-config.app_config_configuration_profile_id
-    WORKSPACE                  = terraform.workspace
-    ENVIRONMENT                = var.environment
-    PRESIGNED_ASSUME_ROLE      = aws_iam_role.get_fhir_doc_presign_url_role.arn
-    LLOYD_GEORGE_DYNAMODB_NAME = module.lloyd_george_reference_dynamodb_table.table_name
-    PDM_DYNAMODB_NAME          = module.pdm_dynamodb_table.table_name
-    OIDC_CALLBACK_URL          = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback"
-    CLOUDFRONT_URL             = aws_cloudfront_distribution.s3_presign_mask.domain_name
-    PDS_FHIR_IS_STUBBED        = local.is_sandbox
+    APPCONFIG_APPLICATION   = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
+    WORKSPACE               = terraform.workspace
+    ENVIRONMENT             = var.environment
+    PRESIGNED_ASSUME_ROLE   = aws_iam_role.get_fhir_doc_presign_url_role.arn
+    OIDC_CALLBACK_URL       = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback"
+    CLOUDFRONT_URL          = aws_cloudfront_distribution.s3_presign_mask.domain_name
+    PDS_FHIR_IS_STUBBED     = local.is_sandbox
   }
   depends_on = [
     aws_api_gateway_method.get_document_reference,
-    module.pdm_dynamodb_table,
     module.lloyd_george_reference_dynamodb_table,
     module.core_dynamodb_table,
   ]

infrastructure/lambda-post-document-fhir.tf

@@ -5,7 +5,6 @@ module "post-document-references-fhir-lambda" {
   iam_role_policy_documents = [
     module.document_reference_dynamodb_table.dynamodb_write_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
-    module.pdm_dynamodb_table.dynamodb_write_policy_document,
     module.core_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-bulk-staging-store.s3_write_policy_document,
     module.ndr-app-config.app_config_policy,
@@ -21,8 +20,6 @@ module "post-document-references-fhir-lambda" {
     APPCONFIG_APPLICATION           = module.ndr-app-config.app_config_application_id
     APPCONFIG_ENVIRONMENT           = module.ndr-app-config.app_config_environment_id
     APPCONFIG_CONFIGURATION         = module.ndr-app-config.app_config_configuration_profile_id
-    LLOYD_GEORGE_DYNAMODB_NAME      = module.lloyd_george_reference_dynamodb_table.table_name
-    PDM_DYNAMODB_NAME               = module.pdm_dynamodb_table.table_name
     STAGING_STORE_BUCKET_NAME       = "${terraform.workspace}-${var.staging_store_bucket_name}"
     DOCUMENT_RETRIEVE_ENDPOINT_APIM = "${local.apim_api_url}/DocumentReference"
     PDS_FHIR_IS_STUBBED             = local.is_sandbox
@@ -31,7 +28,6 @@ module "post-document-references-fhir-lambda" {
   }
 
   depends_on = [
-    module.pdm_dynamodb_table,
     module.core_dynamodb_table,
     module.lloyd_george_reference_dynamodb_table,
   ]

infrastructure/lambda-search-document-references-fhir.tf

@@ -7,8 +7,6 @@ module "search-document-references-fhir-lambda" {
     module.document_reference_dynamodb_table.dynamodb_write_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
-    module.pdm_dynamodb_table.dynamodb_read_policy_document,
-    module.pdm_dynamodb_table.dynamodb_write_policy_document,
     module.core_dynamodb_table.dynamodb_read_policy_document,
     module.core_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-lloyd-george-store.s3_read_policy_document,
@@ -26,15 +24,14 @@ module "search-document-references-fhir-lambda" {
     APPCONFIG_APPLICATION           = module.ndr-app-config.app_config_application_id
     APPCONFIG_ENVIRONMENT           = module.ndr-app-config.app_config_environment_id
     APPCONFIG_CONFIGURATION         = module.ndr-app-config.app_config_configuration_profile_id
-    DYNAMODB_TABLE_LIST             = "[\u0022${module.pdm_dynamodb_table.table_name}\u0022, \u0022${module.lloyd_george_reference_dynamodb_table.table_name}\u0022]"
+    DYNAMODB_TABLE_LIST             = "[\u0022${module.core_dynamodb_table.table_name}\u0022, \u0022${module.lloyd_george_reference_dynamodb_table.table_name}\u0022]"
     DOCUMENT_RETRIEVE_ENDPOINT_APIM = "${local.apim_api_url}/DocumentReference"
     WORKSPACE                       = terraform.workspace
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.search-document-references-gateway,
     module.ndr-app-config,
-    module.pdm_dynamodb_table,
     module.core_dynamodb_table,
     module.lloyd_george_reference_dynamodb_table,
   ]

infrastructure/modules/app_config/configurations/dev.json

@@ -36,7 +36,7 @@
             "enabled": "false"
         },
         "lloydGeorgeValidationStrictModeEnabled": {
-            "enabled": "true"
+            "enabled": "false"
         },
         "uploadDocumentIteration2Enabled": {
             "enabled": "false"

infrastructure/modules/app_config/configurations/pre-prod.json

@@ -36,7 +36,7 @@
             "enabled": "true"
         },
         "lloydGeorgeValidationStrictModeEnabled": {
-            "enabled": "true"
+            "enabled": "false"
         },
         "uploadDocumentIteration2Enabled": {
             "enabled": "false"