Merge branch 'main' into PRMP-579

Author: NogaNHS

.github/workflows/automated-deploy-dev.yml

@@ -220,3 +220,68 @@ jobs:
     uses: NHSDigital/national-document-repository/.github/workflows/ui-dev-to-main-ci.yml@main
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+
+  notify-slack:
+    runs-on: ubuntu-latest
+    needs: [terraform_plan_apply, deploy_lambdas, deploy_ui]
+    if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Get slack bot token from SSM parameter store
+        run: |
+          slack_bot_token=$(aws ssm get-parameter --name "/ndr/alerting/slack/bot_token" --with-decryption --query "Parameter.Value" --output text)
+          echo "::add-mask::$slack_bot_token"
+          echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
+
+      - name: Send Slack Notification
+        uses: slackapi/[email protected]
+        with:
+          method: chat.postMessage
+          token: ${{ env.SLACK_BOT_TOKEN }}
+          payload: |
+            {
+              "channel": "${{ vars.ALERTS_SLACK_CHANNEL_ID }}",
+              "attachments": [
+                {
+                  "color": "#ff0000",
+                  "blocks": [
+                    {
+                      "type": "header",
+                      "text": {
+                        "type": "plain_text",
+                        "text": "❌ Workflow `${{ github.workflow }}` failed"
+                      }
+                    },
+                    {
+                      "type": "section",
+                      "text": {
+                        "type": "mrkdwn",
+                        "text": "*Triggered by:* `${{ github.actor }}`\n*Branch:* `${{ github.ref_name }}`\n*Workflow:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"
+                      }
+                    },
+                    {
+                      "type": "divider"
+                    },
+                    {
+                      "type": "section",
+                      "fields": [
+                        { "type": "mrkdwn", "text": "*terraform_plan_apply:* ${{ needs.terraform_plan_apply.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*deploy_lambdas:* ${{ needs.deploy_lambdas.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*deploy_ui:* ${{ needs.deploy_ui.result == 'success' && ':white_check_mark:' || ':x:' }}" }
+                      ]
+                    },
+                    {
+                      "type": "context",
+                      "elements": [
+                        { "type": "mrkdwn", "text": "Environment: `development` | Sandbox: `ndr-dev`" }
+                      ]
+                    }
+                  ]
+                }
+              ]
+            }

.github/workflows/automated-sonarqube-cloud-analysis.yml

@@ -26,3 +26,60 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  notify-slack:
+    runs-on: ubuntu-latest
+    needs: [sonarqube_cloud]
+    if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Get slack bot token from SSM parameter store
+        run: |
+          slack_bot_token=$(aws ssm get-parameter --name "/ndr/alerting/slack/bot_token" --with-decryption --query "Parameter.Value" --output text)
+          echo "::add-mask::$slack_bot_token"
+          echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
+
+      - name: Send Slack Notification
+        uses: slackapi/[email protected]
+        with:
+          method: chat.postMessage
+          token: ${{ env.SLACK_BOT_TOKEN }}
+          payload: |
+            {
+              "channel": "${{ vars.ALERTS_SLACK_CHANNEL_ID }}",
+              "attachments": [
+                {
+                  "color": "#ff0000",
+                  "blocks": [
+                    {
+                      "type": "header",
+                      "text": {
+                        "type": "plain_text",
+                        "text": "❌ Workflow `${{ github.workflow }}` failed"
+                      }
+                    },
+                    {
+                      "type": "section",
+                      "text": {
+                        "type": "mrkdwn",
+                        "text": "*Triggered by:* `${{ github.actor }}`\n*Branch:* `${{ github.ref_name }}`\n*Workflow:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"
+                      }
+                    },
+                    {
+                      "type": "divider"
+                    },
+                    {
+                      "type": "section",
+                      "fields": [
+                        { "type": "mrkdwn", "text": "*sonarqube_cloud:* ${{ needs.sonarqube_cloud.result == 'success' && ':white_check_mark:' || ':x:' }}" }
+                      ]
+                    }
+                  ]
+                }
+              ]
+            }

.github/workflows/cron-daily-health-check.yml

@@ -160,7 +160,7 @@ jobs:
       environment: development
       python_version: "3.11"
     secrets:
-        AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+      AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
 
   deploy_lambdas:
     name: Deploy Lambdas
@@ -196,3 +196,72 @@ jobs:
       sandbox_name: ${{ needs.set_workspace.outputs.workspace }}
       environment: development
     secrets: inherit
+
+  notify-slack:
+    runs-on: ubuntu-latest
+    needs: [terraform_plan_apply, run_lambda_unit_tests, run_ui_unit_tests, run_cypress_tests, publish_lambda_layers, deploy_lambdas, deploy_ui]
+    if: failure()
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Get slack bot token from SSM parameter store
+        run: |
+          slack_bot_token=$(aws ssm get-parameter --name "/ndr/alerting/slack/bot_token" --with-decryption --query "Parameter.Value" --output text)
+          echo "::add-mask::$slack_bot_token"
+          echo "SLACK_BOT_TOKEN=$slack_bot_token" >> $GITHUB_ENV
+
+      - name: Send Slack Notification
+        uses: slackapi/[email protected]
+        with:
+          method: chat.postMessage
+          token: ${{ env.SLACK_BOT_TOKEN }}
+          payload: |
+            {
+              "channel": "${{ vars.ALERTS_SLACK_CHANNEL_ID }}",
+              "attachments": [
+                {
+                  "color": "#ff0000",
+                  "blocks": [
+                    {
+                      "type": "header",
+                      "text": {
+                        "type": "plain_text",
+                        "text": "❌ Workflow `${{ github.workflow }}` failed"
+                      }
+                    },
+                    {
+                      "type": "section",
+                      "text": {
+                        "type": "mrkdwn",
+                        "text": "*Triggered by:* `Scheduled Job`\n*Workflow:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"
+                      }
+                    },
+                    {
+                      "type": "divider"
+                    },
+                    {
+                      "type": "section",
+                      "fields": [
+                        { "type": "mrkdwn", "text": "*terraform_plan_apply:* ${{ needs.terraform_plan_apply.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*run_lambda_unit_tests:* ${{ needs.run_lambda_unit_tests.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*run_ui_unit_tests:* ${{ needs.run_ui_unit_tests.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*run_cypress_tests:* ${{ needs.run_cypress_tests.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*publish_lambda_layers:* ${{ needs.publish_lambda_layers.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*deploy_lambdas:* ${{ needs.deploy_lambdas.result == 'success' && ':white_check_mark:' || ':x:' }}" },
+                        { "type": "mrkdwn", "text": "*deploy_ui:* ${{ needs.deploy_ui.result == 'success' && ':white_check_mark:' || ':x:' }}" }
+                      ]
+                    },
+                    {
+                      "type": "context",
+                      "elements": [
+                        { "type": "mrkdwn", "text": "Environment: `development` | Sandbox: `${{ needs.set_workspace.outputs.workspace }}`" }
+                      ]
+                    }
+                  ]
+                }
+              ]
+            }

infrastructure/api.tf

@@ -60,6 +60,8 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.feature-flags-lambda,
     module.fhir_document_reference_gateway,
     module.get-doc-fhir-lambda,
+    module.get_document_review_lambda,
+    module.get-doc-ref-lambda,
     module.get-report-by-ods-gateway,
     module.get-report-by-ods-lambda,
     module.lloyd-george-stitch-gateway,
@@ -68,16 +70,19 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.logout_lambda,
     module.search-document-references-gateway,
     module.search-document-references-lambda,
+    module.search_document_review_lambda,
     module.search-patient-details-gateway,
     module.search-patient-details-lambda,
     module.send-feedback-gateway,
     module.send-feedback-lambda,
-    module.update_doc_ref_lambda,
+    module.review_document_version_gateway,
+    module.update-doc-ref-lambda,
     module.update-upload-state-gateway,
     module.update-upload-state-lambda,
     module.document-status-check-gateway,
     module.document-status-check-lambda,
     module.post-document-references-fhir-lambda,
+    module.patch_document_review_lambda,
     module.virus_scan_result_gateway,
     module.virus_scan_result_lambda
   ]

infrastructure/buckets.tf

@@ -283,7 +283,6 @@ resource "aws_s3_bucket_lifecycle_configuration" "ndr_document_pending_review_st
   }
 }
 
-
 # Logging Buckets
 resource "aws_s3_bucket" "access_logs" {
   count         = local.access_logs_count

infrastructure/gateway-document-reference.tf

@@ -26,7 +26,7 @@ module "document_reference_id_gateway" {
   source              = "./modules/gateway"
   api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
   parent_id           = module.document_reference_gateway.gateway_resource_id
-  http_methods        = ["PUT"]
+  http_methods        = ["PUT", "GET"]
   authorization       = "CUSTOM"
   gateway_path        = "{id}"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
@@ -36,4 +36,6 @@ module "document_reference_id_gateway" {
   request_parameters = {
     "method.request.path.id" = true
   }
+
+  depends_on = [module.document_reference_gateway]
 }

infrastructure/gateway-review-document.tf

@@ -0,0 +1,34 @@
+module "review_document_gateway" {
+  source              = "./modules/gateway"
+  api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  parent_id           = aws_api_gateway_rest_api.ndr_doc_store_api.root_resource_id
+  http_methods        = ["GET"]
+  authorization       = "CUSTOM"
+  gateway_path        = "DocumentReview"
+  authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
+  require_credentials = true
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
+}
+
+resource "aws_api_gateway_resource" "review_document_id" {
+  rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  parent_id   = module.review_document_gateway.gateway_resource_id
+  path_part   = "{id}"
+}
+
+module "review_document_version_gateway" {
+  source              = "./modules/gateway"
+  api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  parent_id           = aws_api_gateway_resource.review_document_id.id
+  http_methods        = ["GET", "PATCH"]
+  authorization       = "CUSTOM"
+  gateway_path        = "{version}"
+  authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
+  require_credentials = true
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
+
+  request_parameters = {
+    "method.request.path.id"      = true
+    "method.request.path.version" = true
+  }
+}

infrastructure/iam.tf

@@ -139,8 +139,11 @@ data "aws_iam_policy_document" "assume_role_policy_for_get_doc_ref_lambda" {
     actions = ["sts:AssumeRole"]
 
     principals {
-      type        = "AWS"
-      identifiers = [module.get-doc-fhir-lambda.lambda_execution_role_arn]
+      type = "AWS"
+      identifiers = [
+        module.get-doc-fhir-lambda.lambda_execution_role_arn,
+        module.get-doc-ref-lambda.lambda_execution_role_arn
+      ]
     }
   }
 }
@@ -251,7 +254,7 @@ data "aws_iam_policy_document" "assume_role_policy_for_update_lambda" {
     principals {
       type = "AWS"
       identifiers = compact([
-        module.update_doc_ref_lambda.lambda_execution_role_arn
+        module.update-doc-ref-lambda.lambda_execution_role_arn
       ])
     }
   }
@@ -266,3 +269,51 @@ resource "aws_iam_role_policy_attachment" "update_put_presign_url" {
   role       = aws_iam_role.update_put_presign_url_role.name
   policy_arn = aws_iam_policy.s3_document_data_policy_put_only.arn
 }
+
+data "aws_iam_policy_document" "assume_role_policy_get_document_review_lambda" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [module.get_document_review_lambda.lambda_execution_role_arn]
+    }
+  }
+}
+
+resource "aws_iam_role" "get_document_review_presign" {
+  name               = "${terraform.workspace}_get_review_presign_url_role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_get_document_review_lambda.json
+}
+
+resource "aws_iam_role_policy_attachment" "get_document_review" {
+  role       = aws_iam_role.get_document_review_presign.name
+  policy_arn = aws_iam_policy.s3_document_data_policy_get_document_review_lambda.arn
+}
+
+resource "aws_iam_policy" "s3_document_data_policy_get_document_review_lambda" {
+  name = "${terraform.workspace}_get_document_only_policy_for_get_document_review_lambda"
+
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "s3:GetObject",
+        ],
+        "Resource" : ["${module.ndr-document-pending-review-store.bucket_arn}/*"]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role" "get_doc_ref_presign_url_role" {
+  name               = "${terraform.workspace}_get_doc_ref_presign_url_role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_for_get_doc_ref_lambda.json
+}
+
+resource "aws_iam_role_policy_attachment" "get_doc_ref_presign_url" {
+  role       = aws_iam_role.get_doc_ref_presign_url_role.name
+  policy_arn = aws_iam_policy.s3_document_data_policy_for_get_doc_ref_lambda.arn
+}