Merge branch 'main' into PRMT-439

adamwhitingnhs · web-flow · commit 759ca9b9883c · 2025-07-17T10:17:28.000+01:00
diff --git a/bootstrap/README.md b/bootstrap/README.md
@@ -9,7 +9,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.70.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
 
 ## Modules
 
diff --git a/infrastructure/README.md b/infrastructure/README.md
@@ -9,7 +9,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.86.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
 
 ## Modules
 
@@ -50,6 +50,7 @@
 | <a name="module_create-token-lambda"></a> [create-token-lambda](#module\_create-token-lambda) | ./modules/lambda | n/a |
 | <a name="module_create_doc_alarm"></a> [create\_doc\_alarm](#module\_create\_doc\_alarm) | ./modules/lambda_alarms | n/a |
 | <a name="module_create_doc_alarm_topic"></a> [create\_doc\_alarm\_topic](#module\_create\_doc\_alarm\_topic) | ./modules/sns | n/a |
+| <a name="module_create_document_reference_gateway"></a> [create\_document\_reference\_gateway](#module\_create\_document\_reference\_gateway) | ./modules/gateway | n/a |
 | <a name="module_create_token-alarm"></a> [create\_token-alarm](#module\_create\_token-alarm) | ./modules/lambda_alarms | n/a |
 | <a name="module_create_token-alarm_topic"></a> [create\_token-alarm\_topic](#module\_create\_token-alarm\_topic) | ./modules/sns | n/a |
 | <a name="module_data-collection-alarm"></a> [data-collection-alarm](#module\_data-collection-alarm) | ./modules/lambda_alarms | n/a |
@@ -128,6 +129,7 @@
 | <a name="module_pdf-stitching-alarm-topic"></a> [pdf-stitching-alarm-topic](#module\_pdf-stitching-alarm-topic) | ./modules/sns | n/a |
 | <a name="module_pdf-stitching-lambda"></a> [pdf-stitching-lambda](#module\_pdf-stitching-lambda) | ./modules/lambda | n/a |
 | <a name="module_pdf-stitching-lambda-alarms"></a> [pdf-stitching-lambda-alarms](#module\_pdf-stitching-lambda-alarms) | ./modules/lambda_alarms | n/a |
+| <a name="module_post-document-references-fhir-lambda"></a> [post-document-references-fhir-lambda](#module\_post-document-references-fhir-lambda) | ./modules/lambda | n/a |
 | <a name="module_pdm-document-store"></a> [pdm-document-store](#module\_pdm-document-store) | ./modules/s3/ | n/a |
 | <a name="module_pdm_dynamodb_table"></a> [pdm\_dynamodb\_table](#module\_pdm\_dynamodb\_table) | ./modules/dynamo_db | n/a |
 | <a name="module_route53_fargate_ui"></a> [route53\_fargate\_ui](#module\_route53\_fargate\_ui) | ./modules/route53 | n/a |
@@ -177,6 +179,7 @@
 
 | Name | Type |
 |------|------|
+| [aws_api_gateway_account.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_account) | resource |
 | [aws_api_gateway_api_key.api_key_pdm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_api_key) | resource |
 | [aws_api_gateway_api_key.apim](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_api_key) | resource |
 | [aws_api_gateway_authorizer.repo_authoriser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_authorizer) | resource |
@@ -192,7 +195,6 @@
 | [aws_api_gateway_integration_response.get_document_reference_mock_403_response](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration_response) | resource |
 | [aws_api_gateway_integration_response.get_document_reference_mock_404_response](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration_response) | resource |
 | [aws_api_gateway_method.get_document_reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) | resource |
-| [aws_api_gateway_method.get_document_references_fhir](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) | resource |
 | [aws_api_gateway_method.login_proxy_method](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) | resource |
 | [aws_api_gateway_method.sandbox_get_document_reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) | resource |
 | [aws_api_gateway_method_response.response_200](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_response) | resource |
@@ -258,6 +260,7 @@
 | [aws_iam_policy.ses_send_email_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_access_policy_authoriser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.api_gateway_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.cognito_unauthenticated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.create_post_presign_url_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.cross_account_backup_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -270,6 +273,7 @@
 | [aws_iam_role.splunk_sqs_forwarder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.stitch_presign_url_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.splunk_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.api_gateway_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.backup_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cloudwatch_rum_cognito_unauth](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.create_post_presign_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
diff --git a/infrastructure/api.tf b/infrastructure/api.tf
@@ -49,6 +49,7 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.back_channel_logout_lambda,
     module.document_reference_gateway,
     module.create-doc-ref-lambda,
+    module.create_document_reference_gateway,
     module.create-token-gateway,
     module.create-token-lambda,
     module.delete-doc-ref-gateway,
@@ -74,6 +75,7 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.update-upload-state-lambda,
     module.upload_confirm_result_gateway,
     module.upload_confirm_result_lambda,
+    module.post-document-references-fhir-lambda,
     module.virus_scan_result_gateway,
     module.virus_scan_result_lambda
   ]
@@ -93,14 +95,19 @@ resource "aws_api_gateway_stage" "ndr_api" {
   stage_name           = var.environment
   xray_tracing_enabled = var.enable_xray_tracing
 
-  depends_on = [aws_cloudwatch_log_group.api_gateway_stage]
+  depends_on = [
+    aws_cloudwatch_log_group.api_gateway_stage
+  ]
 }
 
 resource "aws_cloudwatch_log_group" "api_gateway_stage" {
   # Name must follow this format to allow execution logging 
   # https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html
   name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.ndr_doc_store_api.id}/${var.environment}"
   retention_in_days = 0
+  depends_on = [
+    aws_api_gateway_account.logging
+  ]
 }
 
 resource "aws_api_gateway_method_settings" "api_gateway_stage" {
diff --git a/infrastructure/firewall.tf b/infrastructure/firewall.tf
@@ -6,6 +6,15 @@ module "firewall_waf_v2" {
   count          = local.is_sandbox ? 0 : 1
 }
 
+module "firewall_waf_v2_api" {
+  source         = "./modules/firewall_waf_v2"
+  cloudfront_acl = false
+  environment    = var.environment
+  owner          = var.owner
+  count          = local.is_sandbox ? 0 : 1
+  api            = true
+}
+
 resource "aws_wafv2_web_acl_association" "web_acl_association" {
   resource_arn = module.ndr-ecs-fargate-app.load_balancer_arn
   web_acl_arn  = module.firewall_waf_v2[0].arn
@@ -18,10 +27,10 @@ resource "aws_wafv2_web_acl_association" "web_acl_association" {
 
 resource "aws_wafv2_web_acl_association" "api_gateway" {
   resource_arn = aws_api_gateway_stage.ndr_api.arn
-  web_acl_arn  = module.firewall_waf_v2[0].arn
+  web_acl_arn  = module.firewall_waf_v2_api[0].arn
   count        = local.is_sandbox ? 0 : 1
   depends_on = [
     aws_api_gateway_stage.ndr_api,
-    module.firewall_waf_v2[0]
+    module.firewall_waf_v2_api[0]
   ]
 }
diff --git a/infrastructure/gateway-document-reference.tf b/infrastructure/gateway-document-reference.tf
@@ -0,0 +1,10 @@
+module "document_reference_gateway" {
+  source              = "./modules/gateway"
+  api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  parent_id           = aws_api_gateway_rest_api.ndr_doc_store_api.root_resource_id
+  http_methods        = ["POST", "GET"]
+  authorization       = "NONE"
+  api_key_required    = true
+  gateway_path        = "DocumentReference"
+  require_credentials = true
+}
diff --git a/infrastructure/iam.tf b/infrastructure/iam.tf
@@ -20,8 +20,12 @@ data "aws_iam_policy_document" "assume_role_policy_for_create_lambda" {
     actions = ["sts:AssumeRole"]
 
     principals {
-      type        = "AWS"
-      identifiers = [module.create-doc-ref-lambda.lambda_execution_role_arn]
+      type = "AWS"
+      identifiers = compact([
+        module.create-doc-ref-lambda.lambda_execution_role_arn,
+        local.is_production ? null : module.post-document-references-fhir-lambda[0].lambda_execution_role_arn
+      ])
+
     }
   }
 }
@@ -193,3 +197,32 @@ resource "aws_iam_role_policy_attachment" "ods_report_presign_url" {
   role       = aws_iam_role.ods_report_presign_url_role.name
   policy_arn = aws_iam_policy.s3_document_data_policy_for_ods_report_lambda.arn
 }
+
+resource "aws_iam_role" "api_gateway_cloudwatch" {
+  count = local.is_sandbox ? 0 : 1
+  name  = "${terraform.workspace}_NdrAPIGatewayLogs"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "apigateway.amazonaws.com"
+        }
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "api_gateway_logs" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = aws_iam_role.api_gateway_cloudwatch[0].name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+}
+
+resource "aws_api_gateway_account" "logging" {
+  count               = local.is_sandbox ? 0 : 1
+  cloudwatch_role_arn = aws_iam_role.api_gateway_cloudwatch[0].arn
+}
diff --git a/infrastructure/lambda-create-doc-ref.tf b/infrastructure/lambda-create-doc-ref.tf
@@ -1,10 +1,10 @@
-module "document_reference_gateway" {
+module "create_document_reference_gateway" {
   source              = "./modules/gateway"
   api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
   parent_id           = aws_api_gateway_rest_api.ndr_doc_store_api.root_resource_id
   http_methods        = ["POST"]
   authorization       = "CUSTOM"
-  gateway_path        = "DocumentReference"
+  gateway_path        = "CreateDocumentReference"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
   require_credentials = true
   origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
@@ -73,7 +73,7 @@ module "create-doc-ref-lambda" {
     module.ndr-app-config.app_config_policy,
   ]
   rest_api_id  = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  resource_id  = module.document_reference_gateway.gateway_resource_id
+  resource_id  = module.create_document_reference_gateway.gateway_resource_id
   http_methods = ["POST"]
   memory_size  = 512
 
diff --git a/infrastructure/lambda-post-document-fhir.tf b/infrastructure/lambda-post-document-fhir.tf
@@ -0,0 +1,29 @@
+module "post-document-references-fhir-lambda" {
+  count   = local.is_production ? 0 : 1
+  source  = "./modules/lambda"
+  name    = "PostDocumentReferencesFHIR"
+  handler = "handlers.post_fhir_document_reference_handler.lambda_handler"
+  iam_role_policy_documents = [
+    module.document_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.ndr-bulk-staging-store.s3_write_policy_document,
+    module.ndr-app-config.app_config_policy,
+    aws_iam_policy.ssm_access_policy.policy
+  ]
+  rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  resource_id       = module.document_reference_gateway.gateway_resource_id
+  http_methods      = ["POST"]
+  api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
+  lambda_environment_variables = {
+    APPCONFIG_APPLICATION           = module.ndr-app-config.app_config_application_id
+    APPCONFIG_ENVIRONMENT           = module.ndr-app-config.app_config_environment_id
+    APPCONFIG_CONFIGURATION         = module.ndr-app-config.app_config_configuration_profile_id
+    DOCUMENT_STORE_DYNAMODB_NAME    = "${terraform.workspace}_${var.docstore_dynamodb_table_name}"
+    LLOYD_GEORGE_DYNAMODB_NAME      = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
+    STAGING_STORE_BUCKET_NAME       = "${terraform.workspace}-${var.staging_store_bucket_name}"
+    DOCUMENT_RETRIEVE_ENDPOINT_APIM = "${local.apim_api_url}/DocumentReference"
+    PDS_FHIR_IS_STUBBED             = local.is_sandbox
+    WORKSPACE                       = terraform.workspace
+    PRESIGNED_ASSUME_ROLE           = aws_iam_role.create_post_presign_url_role.arn
+  }
+}
diff --git a/infrastructure/lambda-search-document-references-fhir.tf b/infrastructure/lambda-search-document-references-fhir.tf
@@ -1,13 +1,3 @@
-resource "aws_api_gateway_method" "get_document_references_fhir" {
-  count            = local.is_production ? 0 : 1
-  rest_api_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
-  resource_id      = module.document_reference_gateway.gateway_resource_id
-  http_method      = "GET"
-  authorization    = "NONE"
-  api_key_required = true
-}
-
-
 module "search-document-references-fhir-lambda" {
   count   = local.is_production ? 0 : 1
   source  = "./modules/lambda"
diff --git a/infrastructure/modules/firewall_waf_v2/local.tf b/infrastructure/modules/firewall_waf_v2/local.tf
@@ -2,7 +2,7 @@ locals {
 
   image_regex = "^\\/images(\\/\\w+)+\\/$"
 
-  waf_rules = [
+  waf_rules_raw = [
     {
       name                    = "AWSCoreRuleSet"
       managed_rule_name       = "AWSManagedRulesCommonRuleSet"
@@ -47,8 +47,14 @@ locals {
     }
   ]
 
+  # Filter out AWSBotControl if var.api is true
+  waf_rules = [
+    for rule in local.waf_rules_raw : rule
+    if !(var.api && rule.name == "AWSBotControl")
+  ]
+
   waf_rules_map = zipmap(
     range(0, length(local.waf_rules)),
     local.waf_rules
   )
-}
+}
diff --git a/infrastructure/modules/firewall_waf_v2/main.tf b/infrastructure/modules/firewall_waf_v2/main.tf
@@ -1,5 +1,5 @@
 resource "aws_wafv2_web_acl" "waf_v2_acl" {
-  name        = "${terraform.workspace}-${var.cloudfront_acl ? "cloudfront" : ""}-fw-waf-v2"
+  name        = "${terraform.workspace}${var.api ? "-api" : var.cloudfront_acl ? "-cloudfront" : ""}-fw-waf-v2"
   description = "A WAF to secure the Repo application."
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
diff --git a/infrastructure/modules/firewall_waf_v2/regex.tf b/infrastructure/modules/firewall_waf_v2/regex.tf
@@ -1,5 +1,5 @@
 resource "aws_wafv2_regex_pattern_set" "large_body_uri" {
-  name        = "${terraform.workspace}-fw-waf-body-size"
+  name        = "${terraform.workspace}-fw-waf-body-size${var.api ? "-api" : ""}"
   description = "A set of regex to allow specific pages to bypass the large body check"
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
@@ -22,7 +22,7 @@ resource "aws_wafv2_regex_pattern_set" "large_body_uri" {
 }
 
 resource "aws_wafv2_regex_pattern_set" "xss_body_uri" {
-  name        = "${terraform.workspace}-fw-waf-body-xss"
+  name        = "${terraform.workspace}-fw-waf-body-xss${var.api ? "-api" : ""}"
   description = "A regex to allow specific pages to bypass XSS checks on body"
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
@@ -40,7 +40,7 @@ resource "aws_wafv2_regex_pattern_set" "xss_body_uri" {
 }
 
 resource "aws_wafv2_regex_pattern_set" "exclude_cms_uri" {
-  name        = "${terraform.workspace}-fw-waf-cms-exclude"
+  name        = "${terraform.workspace}-fw-waf-cms-exclude${var.api ? "-api" : ""}"
   description = "A regex to allow CMS calls to bypass firewalls"
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
@@ -55,4 +55,4 @@ resource "aws_wafv2_regex_pattern_set" "exclude_cms_uri" {
     Environment = var.environment
     Workspace   = terraform.workspace
   }
-}
+}
diff --git a/infrastructure/modules/firewall_waf_v2/variables.tf b/infrastructure/modules/firewall_waf_v2/variables.tf
@@ -10,3 +10,9 @@ variable "cloudfront_acl" {
   type = bool
 }
 
+variable "api" {
+  type        = bool
+  description = "True if using the firewall for an api - removes AWSBotControl"
+  default     = false
+}
+
diff --git a/infrastructure/modules/gateway/outputs.tf b/infrastructure/modules/gateway/outputs.tf
@@ -1,3 +1,3 @@
-output "gateway_resource_id" {
-  value = aws_api_gateway_resource.gateway_resource.id
+output "gateway_resource_id" {
+  value = aws_api_gateway_resource.gateway_resource.id
 }
diff --git a/infrastructure/modules/gateway/variable.tf b/infrastructure/modules/gateway/variable.tf
@@ -30,7 +30,8 @@ variable "require_credentials" {
 }
 
 variable "origin" {
-  type = string
+  type    = string
+  default = "'*'"
 }
 
 variable "api_key_required" {
diff --git a/infrastructure/modules/lambda/outputs.tf b/infrastructure/modules/lambda/outputs.tf
diff --git a/infrastructure/modules/sqs/README.md b/infrastructure/modules/sqs/README.md
diff --git a/infrastructure/modules/sqs/main.tf b/infrastructure/modules/sqs/main.tf
diff --git a/infrastructure/modules/sqs/variable.tf b/infrastructure/modules/sqs/variable.tf
diff --git a/infrastructure/moved-resources.tf b/infrastructure/moved-resources.tf
diff --git a/infrastructure/sqs-stitching.tf b/infrastructure/sqs-stitching.tf
diff --git a/virusscanner/terraform/README.md b/virusscanner/terraform/README.md

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ locals {`
`2`	`2`
`3`	`3`	`image_regex = "^\\/images(\\/\\w+)+\\/$"`
`4`	`4`
`5`		`- waf_rules = [`
	`5`	`+ waf_rules_raw = [`
`6`	`6`	`{`
`7`	`7`	`name = "AWSCoreRuleSet"`
`8`	`8`	`managed_rule_name = "AWSManagedRulesCommonRuleSet"`
`@@ -47,8 +47,14 @@ locals {`
`47`	`47`	`}`
`48`	`48`	`]`
`49`	`49`
	`50`	`+ # Filter out AWSBotControl if var.api is true`
	`51`	`+ waf_rules = [`
	`52`	`+ for rule in local.waf_rules_raw : rule`
	`53`	`+ if !(var.api && rule.name == "AWSBotControl")`
	`54`	`+ ]`
	`55`	`+`
`50`	`56`	`waf_rules_map = zipmap(`
`51`	`57`	`range(0, length(local.waf_rules)),`
`52`	`58`	`local.waf_rules`
`53`	`59`	`)`
`54`		`-}`
	`60`	`+}`