Merge branch 'main' into PRMT-439

Author: MohammadIqbalAD-NHS

.github/workflows/terraform-deploy-feature-to-sandbox.yml

@@ -1,22 +1,22 @@
 # .github/workflows/terraform-dev
-name: 'Deploy Feature Branch to Sandbox'
+name: "Deploy Feature Branch to Sandbox"
 
 on:
   workflow_dispatch:
     inputs:
       buildBranch:
-        description: 'Feature branch to push to sandbox.'
+        description: "Feature branch to push to sandbox."
         required: true
-        type: 'string'
+        type: "string"
       sandboxWorkspace:
-        description: 'Which Sandbox to push to.'
+        description: "Which Sandbox to push to."
         required: true
-        type: 'string'
+        type: "string"
       environment:
-        default: 'development'
-        description: 'Which environment should this run against'
+        default: "development"
+        description: "Which environment should this run against"
         required: true
-        type: 'string'
+        type: "string"
 
 permissions:
   pull-requests: write
@@ -29,11 +29,10 @@ jobs:
     environment: ${{ github.event.inputs.environment }}
 
     steps:
-      # Checkout the repository to the GitHub Actions runner
-      - name: Checkout
+      - name: Checkout Base
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.inputs.buildBranch}}
+          ref: main
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
@@ -53,23 +52,51 @@ jobs:
           terraform_version: 1.11.4
           terraform_wrapper: false
 
-      - name: Terraform Init
-        id: init
+      - name: Terraform Init Base
+        id: base_init
         run: terraform init -backend-config=backend.conf
         working-directory: ./infrastructure
         shell: bash
 
-      - name: Terraform Set Workspace
-        id: workspace
+      - name: Terraform Set Workspace Base
+        id: base_workspace
         run: terraform workspace select -or-create ${{ github.event.inputs.sandboxWorkspace}}
         working-directory: ./infrastructure
         shell: bash
 
-        # Checks that all Terraform configuration files adhere to a canonical format
+      - name: Terraform Plan Base
+        id: base_plan
+        run: |
+          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf-base.plan
+        working-directory: ./infrastructure
+        shell: bash
+
+      - name: Terraform Apply Base
+        run: terraform apply -auto-approve -input=false tf-base.plan
+        working-directory: ./infrastructure
+
+      - name: Checkout Branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.buildBranch}}
+
+        # Checks that all Terraform configuration files adhere to a canonical format.
       - name: Terraform Format
         run: terraform fmt -check
         working-directory: ./infrastructure
 
+      - name: Terraform Init
+        id: init
+        run: terraform init -backend-config=backend.conf
+        working-directory: ./infrastructure
+        shell: bash
+
+      - name: Terraform Set Workspace
+        id: workspace
+        run: terraform workspace select ${{ github.event.inputs.sandboxWorkspace}}
+        working-directory: ./infrastructure
+        shell: bash
+
       - name: Terraform Plan
         id: plan
         run: |

.husky/pre-commit

@@ -0,0 +1,8 @@
+repos:
+  - repo: local
+    hooks:
+      - id: terraform-docs
+        name: terraform-docs
+        entry: python scripts/run_terraform_docs.py
+        language: python
+        pass_filenames: false

.pre-commit-config.yaml

@@ -0,0 +1,50 @@
+formatter: "markdown table"
+version: "0.20"
+
+header-from: main.tf
+footer-from: ""
+
+recursive:
+  enabled: false
+  path: ""
+
+sections:
+  hide: []
+  show: []
+
+content: |-
+  {{ .Requirements }}
+  {{ .Resources }}
+  {{ .Inputs }}
+  {{ .Outputs }}
+
+output:
+  file: README.md
+  mode: inject
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
+
+output-values:
+  enabled: false
+  from: ""
+
+sort:
+  enabled: true
+  by: name
+
+settings:
+  anchor: true
+  color: true
+  default: true
+  description: true
+  escape: true
+  hide-empty: false
+  html: true
+  indent: 2
+  lockfile: true
+  read-comments: true
+  required: true
+  sensitive: true
+  type: true

.terraform-docs.yml

@@ -20,6 +20,7 @@
 | <a name="module_access-audit-gateway"></a> [access-audit-gateway](#module\_access-audit-gateway) | ./modules/gateway | n/a |
 | <a name="module_access-audit-lambda"></a> [access-audit-lambda](#module\_access-audit-lambda) | ./modules/lambda | n/a |
 | <a name="module_access_audit_dynamodb_table"></a> [access\_audit\_dynamodb\_table](#module\_access\_audit\_dynamodb\_table) | ./modules/dynamo_db | n/a |
+| <a name="module_alarm_state_history_table"></a> [alarm\_state\_history\_table](#module\_alarm\_state\_history\_table) | ./modules/dynamo_db | n/a |
 | <a name="module_api_endpoint_url_ssm_parameter"></a> [api\_endpoint\_url\_ssm\_parameter](#module\_api\_endpoint\_url\_ssm\_parameter) | ./modules/ssm_parameter | n/a |
 | <a name="module_auth_session_dynamodb_table"></a> [auth\_session\_dynamodb\_table](#module\_auth\_session\_dynamodb\_table) | ./modules/dynamo_db | n/a |
 | <a name="module_auth_state_dynamodb_table"></a> [auth\_state\_dynamodb\_table](#module\_auth\_state\_dynamodb\_table) | ./modules/dynamo_db | n/a |
@@ -88,6 +89,7 @@
 | <a name="module_get-report-by-ods-alarm-topic"></a> [get-report-by-ods-alarm-topic](#module\_get-report-by-ods-alarm-topic) | ./modules/sns | n/a |
 | <a name="module_get-report-by-ods-gateway"></a> [get-report-by-ods-gateway](#module\_get-report-by-ods-gateway) | ./modules/gateway | n/a |
 | <a name="module_get-report-by-ods-lambda"></a> [get-report-by-ods-lambda](#module\_get-report-by-ods-lambda) | ./modules/lambda | n/a |
+| <a name="module_im-alerting-lambda"></a> [im-alerting-lambda](#module\_im-alerting-lambda) | ./modules/lambda | n/a |
 | <a name="module_lambda-layer-core"></a> [lambda-layer-core](#module\_lambda-layer-core) | ./modules/lambda_layers | n/a |
 | <a name="module_lambda-layer-data"></a> [lambda-layer-data](#module\_lambda-layer-data) | ./modules/lambda_layers | n/a |
 | <a name="module_lloyd-george-stitch-gateway"></a> [lloyd-george-stitch-gateway](#module\_lloyd-george-stitch-gateway) | ./modules/gateway | n/a |
@@ -243,6 +245,8 @@
 | [aws_cognito_identity_pool_roles_attachment.cloudwatch_rum](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_identity_pool_roles_attachment) | resource |
 | [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
 | [aws_default_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc) | resource |
+| [aws_iam_policy.alerting_lambda_alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.alerting_lambda_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cloudwatch_log_query_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cloudwatch_rum_cognito_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.copy_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -364,16 +368,21 @@
 | [aws_ssm_parameter.cloud_security_admin_email](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.cloud_security_notification_email_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.end_user_ods_code](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.im_alerting_confluence_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.mns_lambda_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.slack_alerting_bot_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.slack_alerting_channel_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.splunk_trusted_principal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.target_backup_vault_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_ssm_parameter.teams_alerting_webhook_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.virus_scanning_subnet_cidr_range](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_audit_dynamodb_table_name"></a> [access\_audit\_dynamodb\_table\_name](#input\_access\_audit\_dynamodb\_table\_name) | The name of the dynamodb table to store the audit of access to deceased patient records | `string` | `"AccessAudit"` | no |
+| <a name="input_alarm_state_history_table_name"></a> [alarm\_state\_history\_table\_name](#input\_alarm\_state\_history\_table\_name) | The name of the dynamodb table to store the history of recent alarms that have been triggered. | `string` | `"AlarmStateHistory"` | no |
 | <a name="input_apim_environment"></a> [apim\_environment](#input\_apim\_environment) | n/a | `any` | n/a | yes |
 | <a name="input_auth_session_dynamodb_table_name"></a> [auth\_session\_dynamodb\_table\_name](#input\_auth\_session\_dynamodb\_table\_name) | The name of the dynamodb table to store user login sessions | `string` | `"AuthSessionReferenceMetadata"` | no |
 | <a name="input_auth_state_dynamodb_table_name"></a> [auth\_state\_dynamodb\_table\_name](#input\_auth\_state\_dynamodb\_table\_name) | The name of the dynamodb table to store the state values (for CIS2 authorisation) | `string` | `"AuthStateReferenceMetadata"` | no |

infrastructure/README.md

@@ -47,7 +47,6 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.access-audit-lambda,
     module.back-channel-logout-gateway,
     module.back_channel_logout_lambda,
-    module.document_reference_gateway,
     module.create-doc-ref-lambda,
     module.create_document_reference_gateway,
     module.create-token-gateway,
@@ -58,6 +57,7 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.document-manifest-job-lambda,
     module.feature-flags-gateway,
     module.feature-flags-lambda,
+    module.fhir_document_reference_gateway,
     module.get-doc-fhir-lambda,
     module.get-report-by-ods-gateway,
     module.get-report-by-ods-lambda,

infrastructure/api.tf

@@ -483,3 +483,30 @@ module "pdm_dynamodb_table" {
   environment = var.environment
   owner       = var.owner
 }
+
+
+module "alarm_state_history_table" {
+  source                         = "./modules/dynamo_db"
+  table_name                     = var.alarm_state_history_table_name
+  hash_key                       = "AlarmNameMetric"
+  sort_key                       = "TimeCreated"
+  deletion_protection_enabled    = local.is_production
+  point_in_time_recovery_enabled = false
+  stream_enabled                 = false
+  ttl_enabled                    = true
+  ttl_attribute_name             = "TimeToExist"
+
+  attributes = [
+    {
+      name = "AlarmNameMetric",
+      type = "S"
+    },
+    {
+      name = "TimeCreated"
+      type = "N"
+    }
+  ]
+
+  environment = var.environment
+  owner       = var.owner
+}

infrastructure/dynamo_db.tf

@@ -1,10 +1,11 @@
-module "document_reference_gateway" {
+module "fhir_document_reference_gateway" {
+  count               = local.is_production ? 0 : 1
   source              = "./modules/gateway"
   api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
   parent_id           = aws_api_gateway_rest_api.ndr_doc_store_api.root_resource_id
   http_methods        = ["POST", "GET"]
   authorization       = "NONE"
   api_key_required    = true
-  gateway_path        = "DocumentReference"
+  gateway_path        = "FhirDocumentReference"
   require_credentials = true
 }

infrastructure/gateway-document-reference.tf

@@ -25,7 +25,6 @@ data "aws_iam_policy_document" "assume_role_policy_for_create_lambda" {
         module.create-doc-ref-lambda.lambda_execution_role_arn,
         local.is_production ? null : module.post-document-references-fhir-lambda[0].lambda_execution_role_arn
       ])
-
     }
   }
 }