NHSDigital
diff --git a/‎.github/workflows/terraform-deploy-feature-to-sandbox.yml‎
Lines changed: 43 additions & 16 deletions b/‎.github/workflows/terraform-deploy-feature-to-sandbox.yml‎
Lines changed: 43 additions & 16 deletions
diff --git a/‎.husky/pre-commit‎
Lines changed: 0 additions & 14 deletions b/‎.husky/pre-commit‎
Lines changed: 0 additions & 14 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 8 additions & 0 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎.terraform-docs.yml‎
Lines changed: 50 additions & 0 deletions b/‎.terraform-docs.yml‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎infrastructure/README.md‎
Lines changed: 9 additions & 0 deletions b/‎infrastructure/README.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎infrastructure/dynamo_db.tf‎
Lines changed: 27 additions & 0 deletions b/‎infrastructure/dynamo_db.tf‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎infrastructure/firewall.tf‎
Lines changed: 11 additions & 2 deletions b/‎infrastructure/firewall.tf‎
Lines changed: 11 additions & 2 deletions
@@ -1,22 +1,22 @@
 # .github/workflows/terraform-dev
-name: 'Deploy Feature Branch to Sandbox'
+name: "Deploy Feature Branch to Sandbox"
 
 on:
   workflow_dispatch:
     inputs:
       buildBranch:
-        description: 'Feature branch to push to sandbox.'
+        description: "Feature branch to push to sandbox."
         required: true
-        type: 'string'
+        type: "string"
       sandboxWorkspace:
-        description: 'Which Sandbox to push to.'
+        description: "Which Sandbox to push to."
         required: true
-        type: 'string'
+        type: "string"
       environment:
-        default: 'development'
-        description: 'Which environment should this run against'
+        default: "development"
+        description: "Which environment should this run against"
         required: true
-        type: 'string'
+        type: "string"
 
 permissions:
   pull-requests: write
@@ -29,11 +29,10 @@ jobs:
     environment: ${{ github.event.inputs.environment }}
 
     steps:
-      # Checkout the repository to the GitHub Actions runner
-      - name: Checkout
+      - name: Checkout Base
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.inputs.buildBranch}}
+          ref: main
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
@@ -53,23 +52,51 @@ jobs:
           terraform_version: 1.11.4
           terraform_wrapper: false
 
-      - name: Terraform Init
-        id: init
+      - name: Terraform Init Base
+        id: base_init
         run: terraform init -backend-config=backend.conf
         working-directory: ./infrastructure
         shell: bash
 
-      - name: Terraform Set Workspace
-        id: workspace
+      - name: Terraform Set Workspace Base
+        id: base_workspace
         run: terraform workspace select -or-create ${{ github.event.inputs.sandboxWorkspace}}
         working-directory: ./infrastructure
         shell: bash
 
-        # Checks that all Terraform configuration files adhere to a canonical format
+      - name: Terraform Plan Base
+        id: base_plan
+        run: |
+          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf-base.plan
+        working-directory: ./infrastructure
+        shell: bash
+
+      - name: Terraform Apply Base
+        run: terraform apply -auto-approve -input=false tf-base.plan
+        working-directory: ./infrastructure
+
+      - name: Checkout Branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.buildBranch}}
+
+        # Checks that all Terraform configuration files adhere to a canonical format.
       - name: Terraform Format
         run: terraform fmt -check
         working-directory: ./infrastructure
 
+      - name: Terraform Init
+        id: init
+        run: terraform init -backend-config=backend.conf
+        working-directory: ./infrastructure
+        shell: bash
+
+      - name: Terraform Set Workspace
+        id: workspace
+        run: terraform workspace select ${{ github.event.inputs.sandboxWorkspace}}
+        working-directory: ./infrastructure
+        shell: bash
+
       - name: Terraform Plan
         id: plan
         run: |
 
@@ -0,0 +1,8 @@
+repos:
+  - repo: local
+    hooks:
+      - id: terraform-docs
+        name: terraform-docs
+        entry: python scripts/run_terraform_docs.py
+        language: python
+        pass_filenames: false
@@ -0,0 +1,50 @@
+formatter: "markdown table"
+version: "0.20"
+
+header-from: main.tf
+footer-from: ""
+
+recursive:
+  enabled: false
+  path: ""
+
+sections:
+  hide: []
+  show: []
+
+content: |-
+  {{ .Requirements }}
+  {{ .Resources }}
+  {{ .Inputs }}
+  {{ .Outputs }}
+
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+
+output-values:
+  enabled: false
+  from: ""
+
+sort:
+  enabled: true
+  by: name
+
+settings:
+  anchor: true
+  color: true
+  default: true
+  description: true
+  escape: true
+  hide-empty: false
+  html: true
+  indent: 2
+  lockfile: true
+  read-comments: true
+  required: true
+  sensitive: true
+  type: true
@@ -20,6 +20,7 @@
 | <a name="module_access-audit-gateway"></a> [access-audit-gateway](#module\_access-audit-gateway) | ./modules/gateway | n/a |
 | <a name="module_access-audit-lambda"></a> [access-audit-lambda](#module\_access-audit-lambda) | ./modules/lambda | n/a |
 | <a name="module_access_audit_dynamodb_table"></a> [access\_audit\_dynamodb\_table](#module\_access\_audit\_dynamodb\_table) | ./modules/dynamo_db | n/a |
+| <a name="module_alarm_state_history_table"></a> [alarm\_state\_history\_table](#module\_alarm\_state\_history\_table) | ./modules/dynamo_db | n/a |
 | <a name="module_api_endpoint_url_ssm_parameter"></a> [api\_endpoint\_url\_ssm\_parameter](#module\_api\_endpoint\_url\_ssm\_parameter) | ./modules/ssm_parameter | n/a |
 | <a name="module_auth_session_dynamodb_table"></a> [auth\_session\_dynamodb\_table](#module\_auth\_session\_dynamodb\_table) | ./modules/dynamo_db | n/a |
 | <a name="module_auth_state_dynamodb_table"></a> [auth\_state\_dynamodb\_table](#module\_auth\_state\_dynamodb\_table) | ./modules/dynamo_db | n/a |
@@ -87,6 +88,7 @@
 | <a name="module_get-report-by-ods-alarm-topic"></a> [get-report-by-ods-alarm-topic](#module\_get-report-by-ods-alarm-topic) | ./modules/sns | n/a |
 | <a name="module_get-report-by-ods-gateway"></a> [get-report-by-ods-gateway](#module\_get-report-by-ods-gateway) | ./modules/gateway | n/a |
 | <a name="module_get-report-by-ods-lambda"></a> [get-report-by-ods-lambda](#module\_get-report-by-ods-lambda) | ./modules/lambda | n/a |
+| <a name="module_im-alerting-lambda"></a> [im-alerting-lambda](#module\_im-alerting-lambda) | ./modules/lambda | n/a |
 | <a name="module_lambda-layer-core"></a> [lambda-layer-core](#module\_lambda-layer-core) | ./modules/lambda_layers | n/a |
 | <a name="module_lambda-layer-data"></a> [lambda-layer-data](#module\_lambda-layer-data) | ./modules/lambda_layers | n/a |
 | <a name="module_lloyd-george-stitch-gateway"></a> [lloyd-george-stitch-gateway](#module\_lloyd-george-stitch-gateway) | ./modules/gateway | n/a |
@@ -247,6 +249,8 @@
 | [aws_cognito_identity_pool_roles_attachment.cloudwatch_rum](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_identity_pool_roles_attachment) | resource |
 | [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
 | [aws_default_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc) | resource |
+| [aws_iam_policy.alerting_lambda_alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.alerting_lambda_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cloudwatch_log_query_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cloudwatch_rum_cognito_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.copy_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -372,16 +376,21 @@
 | [aws_ssm_parameter.cloud_security_admin_email](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.cloud_security_notification_email_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.end_user_ods_code](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.im_alerting_confluence_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.mns_lambda_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.slack_alerting_bot_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.slack_alerting_channel_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.splunk_trusted_principal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.target_backup_vault_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.teams_alerting_webhook_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.virus_scanning_subnet_cidr_range](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_audit_dynamodb_table_name"></a> [access\_audit\_dynamodb\_table\_name](#input\_access\_audit\_dynamodb\_table\_name) | The name of the dynamodb table to store the audit of access to deceased patient records | `string` | `"AccessAudit"` | no |
+| <a name="input_alarm_state_history_table_name"></a> [alarm\_state\_history\_table\_name](#input\_alarm\_state\_history\_table\_name) | The name of the dynamodb table to store the history of recent alarms that have been triggered. | `string` | `"AlarmStateHistory"` | no |
 | <a name="input_apim_environment"></a> [apim\_environment](#input\_apim\_environment) | n/a | `any` | n/a | yes |
 | <a name="input_auth_session_dynamodb_table_name"></a> [auth\_session\_dynamodb\_table\_name](#input\_auth\_session\_dynamodb\_table\_name) | The name of the dynamodb table to store user login sessions | `string` | `"AuthSessionReferenceMetadata"` | no |
 | <a name="input_auth_state_dynamodb_table_name"></a> [auth\_state\_dynamodb\_table\_name](#input\_auth\_state\_dynamodb\_table\_name) | The name of the dynamodb table to store the state values (for CIS2 authorisation) | `string` | `"AuthStateReferenceMetadata"` | no |
 
@@ -483,3 +483,30 @@ module "pdm_dynamodb_table" {
   environment = var.environment
   owner       = var.owner
 }
+
+
+module "alarm_state_history_table" {
+  source                         = "./modules/dynamo_db"
+  table_name                     = var.alarm_state_history_table_name
+  hash_key                       = "AlarmNameMetric"
+  sort_key                       = "TimeCreated"
+  deletion_protection_enabled    = local.is_production
+  point_in_time_recovery_enabled = false
+  stream_enabled                 = false
+  ttl_enabled                    = true
+  ttl_attribute_name             = "TimeToExist"
+
+  attributes = [
+    {
+      name = "AlarmNameMetric",
+      type = "S"
+    },
+    {
+      name = "TimeCreated"
+      type = "N"
+    }
+  ]
+
+  environment = var.environment
+  owner       = var.owner
+}
@@ -6,6 +6,15 @@ module "firewall_waf_v2" {
   count          = local.is_sandbox ? 0 : 1
 }
 
+module "firewall_waf_v2_api" {
+  source         = "./modules/firewall_waf_v2"
+  cloudfront_acl = false
+  environment    = var.environment
+  owner          = var.owner
+  count          = local.is_sandbox ? 0 : 1
+  api            = true
+}
+
 resource "aws_wafv2_web_acl_association" "web_acl_association" {
   resource_arn = module.ndr-ecs-fargate-app.load_balancer_arn
   web_acl_arn  = module.firewall_waf_v2[0].arn
@@ -18,10 +27,10 @@ resource "aws_wafv2_web_acl_association" "web_acl_association" {
 
 resource "aws_wafv2_web_acl_association" "api_gateway" {
   resource_arn = aws_api_gateway_stage.ndr_api.arn
-  web_acl_arn  = module.firewall_waf_v2[0].arn
+  web_acl_arn  = module.firewall_waf_v2_api[0].arn
   count        = local.is_sandbox ? 0 : 1
   depends_on = [
     aws_api_gateway_stage.ndr_api,
-    module.firewall_waf_v2[0]
+    module.firewall_waf_v2_api[0]
   ]
 }