Merge branch 'main' into PRMP-809

Author: NogaNHS

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,32 @@
+<!-- markdownlint-disable-next-line first-line-heading -->
+## Overview
+
+**Jira ticket**: [TBC](https://nhsd-jira.digital.nhs.uk/browse/XXX)
+
+### Description
+
+<!-- Describe your changes in detail. -->
+
+### Context
+
+<!-- Why is this change required? What problem does it solve? -->
+
+## Checklist
+
+<!--
+
+  Put an `x` in the completed tasks.
+
+  If a task is not relevant, `x` it, then strike through the text e.g.:
+  - [x] ~~This task is not relevant.~~
+
+-->
+
+Tasks for all changes:
+
+- [ ] 1. I have linked this PR to its Jira ticket.
+- [ ] 2. I have run git pre-commits.
+- [ ] 3. I have updated relevant documentation.
+- [ ] 4. I have considered the cross-team impact (and have PR approval from both Core & Demographics if necessary).
+- [ ] 5. I have successfully [deployed this change to a sandbox](https://github.com/NHSDigital/national-document-repository-infrastructure/actions/workflows/deploy-sandbox.yml) and witnessed it build: [Workflow run: TBC](https://github.com/NHSDigital/national-document-repository-infrastructure/actions/runs/XXX)
+- [ ] 6. I have checked the Terraform Plan from this PR against `ndr-dev`.

…b/workflows/automated-sbom-repo-scan.yml …hub/workflows/automated-pr-validator.yml.github/workflows/automated-sbom-repo-scan.yml renamed to .github/workflows/automated-pr-validator.yml .github/workflows/automated-sbom-repo-scan.yml renamed to .github/workflows/automated-pr-validator.yml

@@ -1,23 +1,25 @@
-name: 'Z-AUTOMATED: SBOM Repo Scan'
+name: "Z-AUTOMATED: PR Validator"
 
 on:
   pull_request:
-    types: [opened, synchronize, reopened]
+    types: [opened, synchronize, reopened, edited]
 
-permissions:
-  actions: read   # Required for anchore/sbom-action
-  contents: write # Required for anchore/sbom-action
-  id-token: write # Required for requesting the JWT
-  pull-requests: write
+permissions: {}
 
 jobs:
   sbom_scan:
     name: SBOM Repo Scan
     runs-on: ubuntu-latest
+    permissions:
+      actions: read # Required for anchore/sbom-action
+      contents: write # Required for anchore/sbom-action
+      id-token: write # Required for requesting the JWT
+      pull-requests: write
     steps:
-      - uses: actions/checkout@v5
+      - name: Checkout
+        uses: actions/checkout@v5
         with:
-          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+          fetch-depth: 0
 
       - uses: anchore/sbom-action@v0
         with:
@@ -51,14 +53,14 @@ jobs:
               repo: context.repo.repo,
               issue_number: context.issue.number,
             })
-            
+
             const botComment = comments.find(comment => {
               return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
             })
 
             // 2. Prepare format of the comment
             const output = `### Code security issues found
-            
+
             View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`;
 
             // 3. If we have a comment, update it, otherwise create a new one
@@ -70,7 +72,7 @@ jobs:
                 body: output
               })
             }
-            
+
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
@@ -89,7 +91,7 @@ jobs:
               repo: context.repo.repo,
               issue_number: context.issue.number,
             })
-            
+
             const botComment = comments.find(comment => {
               return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
             })
@@ -102,3 +104,41 @@ jobs:
                 comment_id: botComment.id
               })
             }
+
+  markdown-validation:
+    name: Markdown Validation
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Run Markdown Validation Script
+        id: validate
+        run: |
+          BRANCH_NAME=${{ github.event.repository.default_branch }}
+          chmod +x scripts/markdown-validator.sh
+          scripts/markdown-validator.sh
+
+  checklist_validator:
+    name: Checklist Validation
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v5
+
+    - name: Set up Python 3.11
+      uses: actions/setup-python@v6
+      with:
+        python-version: 3.11
+
+    - name: Run checklist validator
+      run: |
+        python3 scripts/github/checklist_validator/main.py
+      env:
+        PR_BODY: ${{ github.event.pull_request.body }}

.github/workflows/cron-daily-health-check.yml

@@ -119,6 +119,10 @@ jobs:
           runTests: false
           build: npm run build
           working-directory: ./app
+
+      - name: Copy main.html to index.html for serve compatibility
+        run: cp ./dist/main.html ./dist/index.html
+        working-directory: ./app
 
       - name: npm install serve -g
         run: npm install serve -g

.markdownlint.jsonc

@@ -0,0 +1,4 @@
+{
+    "MD013": false,
+    "MD033": false
+}

.terraform-docs.yml

@@ -14,8 +14,11 @@ sections:
 
 content: |-
   {{ .Requirements }}
+
   {{ .Resources }}
+
   {{ .Inputs }}
+
   {{ .Outputs }}
 
 output:

README.md

@@ -8,7 +8,8 @@ This repository is used to build the infrastructure the NDR. That is it's sole p
 - [Terraform docs](https://github.com/terraform-docs/terraform-docs)
 
 To install terraform-docs on WSL use the following commands (e.g. for v0.20.0):
-```
+
+```shell
 curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.20.0/terraform-docs-v0.20.0-$(uname)-amd64.tar.gz
 tar -xzf terraform-docs.tar.gz
 chmod +x terraform-docs
@@ -24,8 +25,8 @@ As this repository is a standalone infrastructure there is no python/node based
 
 - Set this repository to get it's pre-commit hooks from .githooks
 
-```
+```shell
 git config core.hooksPath .githooks
 ```
 
-Pre-commits will run on any commit. This will build docs and format the terraform.
+Pre-commits will run on all commits. This will build docs and format the terraform.

bootstrap/README.md

@@ -1,3 +1,5 @@
+# Terraform Bootstrap
+
 ## Requirements
 
 | Name | Version |

infrastructure/README.md

@@ -1,3 +1,5 @@
+# National Document Repository - Infrastructure as Code
+
 ## Requirements
 
 | Name                                                         | Version |

infrastructure/api.tf

@@ -76,12 +76,15 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.send-feedback-gateway,
     module.send-feedback-lambda,
     module.review_document_version_gateway,
+    module.review_document_status_gateway,
+    module.review-document-status-check-lambda,
     module.update-doc-ref-lambda,
     module.update-upload-state-gateway,
     module.update-upload-state-lambda,
     module.document-status-check-gateway,
     module.document-status-check-lambda,
     module.post-document-references-fhir-lambda,
+    module.post_document_review_lambda,
     module.patch_document_review_lambda,
     module.virus_scan_result_gateway,
     module.virus_scan_result_lambda

infrastructure/backup-cross-account.tf

@@ -60,7 +60,8 @@ resource "aws_backup_selection" "cross_account_backup_selection" {
     module.bulk_upload_report_dynamodb_table.dynamodb_table_arn,
     module.statistical-reports-store.bucket_arn,
     module.pdm_dynamodb_table.dynamodb_table_arn,
-    module.pdm-document-store.bucket_arn
+    module.pdm-document-store.bucket_arn,
+    module.core_dynamodb_table.dynamodb_table_arn,
   ]
 }