Merge remote-tracking branch 'origin/main' into PRMP-862

Author: PedroSoaresNHS

…b/workflows/automated-sbom-repo-scan.yml …hub/workflows/automated-pr-validator.yml.github/workflows/automated-sbom-repo-scan.yml renamed to .github/workflows/automated-pr-validator.yml .github/workflows/automated-sbom-repo-scan.yml renamed to .github/workflows/automated-pr-validator.yml

@@ -1,23 +1,23 @@
-name: 'Z-AUTOMATED: SBOM Repo Scan'
+name: "Z-AUTOMATED: PR Validator"
 
 on:
   pull_request:
     types: [opened, synchronize, reopened]
 
-permissions:
-  actions: read   # Required for anchore/sbom-action
-  contents: write # Required for anchore/sbom-action
-  id-token: write # Required for requesting the JWT
-  pull-requests: write
-
 jobs:
   sbom_scan:
     name: SBOM Repo Scan
     runs-on: ubuntu-latest
+    permissions:
+      actions: read # Required for anchore/sbom-action
+      contents: write # Required for anchore/sbom-action
+      id-token: write # Required for requesting the JWT
+      pull-requests: write
     steps:
-      - uses: actions/checkout@v5
+      - name: Checkout
+        uses: actions/checkout@v5
         with:
-          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+          fetch-depth: 0
 
       - uses: anchore/sbom-action@v0
         with:
@@ -51,14 +51,14 @@ jobs:
               repo: context.repo.repo,
               issue_number: context.issue.number,
             })
-            
+
             const botComment = comments.find(comment => {
               return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
             })
 
             // 2. Prepare format of the comment
             const output = `### Code security issues found
-            
+
             View full details [here](https://github.com/${{ github.repository }}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).`;
 
             // 3. If we have a comment, update it, otherwise create a new one
@@ -70,7 +70,7 @@ jobs:
                 body: output
               })
             }
-            
+
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
@@ -89,7 +89,7 @@ jobs:
               repo: context.repo.repo,
               issue_number: context.issue.number,
             })
-            
+
             const botComment = comments.find(comment => {
               return comment.user.type === 'Bot' && comment.body.includes('Code security issues found')
             })
@@ -102,3 +102,21 @@ jobs:
                 comment_id: botComment.id
               })
             }
+
+  markdown-validation:
+    name: Markdown Validation
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Run Markdown Validation Script
+        id: validate
+        run: |
+          BRANCH_NAME=${{ github.event.repository.default_branch }}
+          chmod +x scripts/markdown-validator.sh
+          scripts/markdown-validator.sh

.markdownlint.jsonc

@@ -0,0 +1,4 @@
+{
+    "MD013": false,
+    "MD033": false
+}

.terraform-docs.yml

@@ -14,8 +14,11 @@ sections:
 
 content: |-
   {{ .Requirements }}
+
   {{ .Resources }}
+
   {{ .Inputs }}
+
   {{ .Outputs }}
 
 output:

README.md

@@ -8,7 +8,8 @@ This repository is used to build the infrastructure the NDR. That is it's sole p
 - [Terraform docs](https://github.com/terraform-docs/terraform-docs)
 
 To install terraform-docs on WSL use the following commands (e.g. for v0.20.0):
-```
+
+```shell
 curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.20.0/terraform-docs-v0.20.0-$(uname)-amd64.tar.gz
 tar -xzf terraform-docs.tar.gz
 chmod +x terraform-docs
@@ -24,7 +25,7 @@ As this repository is a standalone infrastructure there is no python/node based
 
 - Set this repository to get it's pre-commit hooks from .githooks
 
-```
+```shell
 git config core.hooksPath .githooks
 ```
 

bootstrap/README.md

@@ -1,3 +1,5 @@
+# Terraform Bootstrap
+
 ## Requirements
 
 | Name | Version |

infrastructure/README.md

@@ -1,3 +1,5 @@
+# National Document Repository - Infrastructure as Code
+
 ## Requirements
 
 | Name                                                         | Version |

infrastructure/api.tf

@@ -76,12 +76,15 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
     module.send-feedback-gateway,
     module.send-feedback-lambda,
     module.review_document_version_gateway,
+    module.review_document_status_gateway,
+    module.review-document-status-check-lambda,
     module.update-doc-ref-lambda,
     module.update-upload-state-gateway,
     module.update-upload-state-lambda,
     module.document-status-check-gateway,
     module.document-status-check-lambda,
     module.post-document-references-fhir-lambda,
+    module.post_document_review_lambda,
     module.patch_document_review_lambda,
     module.virus_scan_result_gateway,
     module.virus_scan_result_lambda

infrastructure/dynamo_db.tf

@@ -2,7 +2,7 @@ module "document_reference_dynamodb_table" {
   source                         = "./modules/dynamo_db"
   table_name                     = var.docstore_dynamodb_table_name
   hash_key                       = "ID"
-  deletion_protection_enabled    = local.is_production
+  deletion_protection_enabled    = var.deletion_protection_enabled
   stream_enabled                 = true
   stream_view_type               = "OLD_IMAGE"
   ttl_enabled                    = true
@@ -45,7 +45,7 @@ module "cloudfront_edge_dynamodb_table" {
   source                         = "./modules/dynamo_db"
   table_name                     = var.cloudfront_edge_table_name
   hash_key                       = "ID"
-  deletion_protection_enabled    = local.is_production
+  deletion_protection_enabled    = var.deletion_protection_enabled
   stream_enabled                 = false
   ttl_enabled                    = true
   ttl_attribute_name             = "TTL"
@@ -66,7 +66,7 @@ module "lloyd_george_reference_dynamodb_table" {
   source                         = "./modules/dynamo_db"
   table_name                     = var.lloyd_george_dynamodb_table_name
   hash_key                       = "ID"
-  deletion_protection_enabled    = local.is_production
+  deletion_protection_enabled    = var.deletion_protection_enabled
   stream_enabled                 = true
   stream_view_type               = "OLD_IMAGE"
   ttl_enabled                    = true
@@ -127,7 +127,7 @@ module "unstitched_lloyd_george_reference_dynamodb_table" {
   source                         = "./modules/dynamo_db"
   table_name                     = var.unstitched_lloyd_george_dynamodb_table_name
   hash_key                       = "ID"
-  deletion_protection_enabled    = local.is_production
+  deletion_protection_enabled    = var.deletion_protection_enabled
   stream_enabled                 = true
   stream_view_type               = "OLD_IMAGE"
   ttl_enabled                    = true
@@ -170,7 +170,7 @@ module "zip_store_reference_dynamodb_table" {
   source                      = "./modules/dynamo_db"
   table_name                  = var.zip_store_dynamodb_table_name
   hash_key                    = "ID"
-  deletion_protection_enabled = local.is_production
+  deletion_protection_enabled = var.deletion_protection_enabled
   stream_enabled              = true
   ttl_enabled                 = false
 
@@ -201,7 +201,7 @@ module "stitch_metadata_reference_dynamodb_table" {
   source                      = "./modules/dynamo_db"
   table_name                  = var.stitch_metadata_dynamodb_table_name
   hash_key                    = "ID"
-  deletion_protection_enabled = local.is_production
+  deletion_protection_enabled = var.deletion_protection_enabled
   stream_enabled              = true
   ttl_enabled                 = true
   ttl_attribute_name          = "ExpireAt"
@@ -233,7 +233,7 @@ module "auth_state_dynamodb_table" {
   source                      = "./modules/dynamo_db"
   table_name                  = var.auth_state_dynamodb_table_name
   hash_key                    = "State"
-  deletion_protection_enabled = local.is_production
+  deletion_protection_enabled = var.deletion_protection_enabled
   stream_enabled              = false
   ttl_enabled                 = true
   ttl_attribute_name          = "TimeToExist"
@@ -260,7 +260,7 @@ module "auth_session_dynamodb_table" {
   source                      = "./modules/dynamo_db"
   table_name                  = var.auth_session_dynamodb_table_name
   hash_key                    = "NDRSessionId"
-  deletion_protection_enabled = local.is_production
+  deletion_protection_enabled = var.deletion_protection_enabled
   stream_enabled              = false
   ttl_enabled                 = true
   ttl_attribute_name          = "TimeToExist"
@@ -287,7 +287,7 @@ module "bulk_upload_report_dynamodb_table" {
   source                         = "./modules/dynamo_db"
   table_name                     = var.bulk_upload_report_dynamodb_table_name
   hash_key                       = "ID"
-  deletion_protection_enabled    = local.is_production
+  deletion_protection_enabled    = var.deletion_protection_enabled
   stream_enabled                 = false
   ttl_enabled                    = false
   point_in_time_recovery_enabled = !local.is_sandbox
@@ -334,7 +334,7 @@ module "statistics_dynamodb_table" {
   table_name                     = var.statistics_dynamodb_table_name
   hash_key                       = "Date"
   sort_key                       = "StatisticID"
-  deletion_protection_enabled    = local.is_production
+  deletion_protection_enabled    = var.deletion_protection_enabled
   stream_enabled                 = false
   ttl_enabled                    = false
   point_in_time_recovery_enabled = !local.is_sandbox
@@ -372,7 +372,7 @@ module "access_audit_dynamodb_table" {
   table_name                     = var.access_audit_dynamodb_table_name
   hash_key                       = "Type"
   sort_key                       = "ID"
-  deletion_protection_enabled    = local.is_production
+  deletion_protection_enabled    = var.deletion_protection_enabled
   stream_enabled                 = false
   ttl_enabled                    = false
   point_in_time_recovery_enabled = !local.is_sandbox
@@ -426,7 +426,7 @@ module "pdm_dynamodb_table" {
   source                         = "./modules/dynamo_db"
   table_name                     = var.pdm_dynamodb_table_name
   hash_key                       = "ID"
-  deletion_protection_enabled    = local.is_production
+  deletion_protection_enabled    = var.deletion_protection_enabled
   stream_enabled                 = true
   stream_view_type               = "OLD_IMAGE"
   ttl_enabled                    = true
@@ -494,12 +494,50 @@ module "pdm_dynamodb_table" {
 }
 
 
+module "core_dynamodb_table" {
+  source                         = "./modules/dynamo_db"
+  table_name                     = var.core_dynamodb_table_name
+  hash_key                       = "NhsNumber"
+  sort_key                       = "ID"
+  deletion_protection_enabled    = var.deletion_protection_enabled
+  stream_enabled                 = true
+  stream_view_type               = "OLD_IMAGE"
+  ttl_enabled                    = true
+  ttl_attribute_name             = "TTL"
+  point_in_time_recovery_enabled = !local.is_sandbox
+  attributes = [
+    {
+      name = "ID"
+      type = "S"
+    },
+    {
+      name = "NhsNumber"
+      type = "S"
+    },
+    {
+      name = "DocumentSnomedCodeType"
+      type = "S"
+    }
+  ]
+  global_secondary_indexes = [
+    {
+      name            = "idx_gsi_snomed_code"
+      hash_key        = "DocumentSnomedCodeType"
+      range_key       = "ID"
+      projection_type = "ALL"
+    }
+  ]
+  environment = var.environment
+  owner       = var.owner
+}
+
+
 module "alarm_state_history_table" {
   source                         = "./modules/dynamo_db"
   table_name                     = var.alarm_state_history_table_name
   hash_key                       = "AlarmNameMetric"
   sort_key                       = "TimeCreated"
-  deletion_protection_enabled    = local.is_production
+  deletion_protection_enabled    = var.deletion_protection_enabled
   point_in_time_recovery_enabled = false
   stream_enabled                 = false
   ttl_enabled                    = true

infrastructure/gateway-review-document.tf

@@ -2,7 +2,7 @@ module "review_document_gateway" {
   source              = "./modules/gateway"
   api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
   parent_id           = aws_api_gateway_rest_api.ndr_doc_store_api.root_resource_id
-  http_methods        = ["GET"]
+  http_methods        = ["GET", "POST"]
   authorization       = "CUSTOM"
   gateway_path        = "DocumentReview"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
@@ -32,3 +32,15 @@ module "review_document_version_gateway" {
     "method.request.path.version" = true
   }
 }
+
+module "review_document_status_gateway" {
+  source              = "./modules/gateway"
+  api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  parent_id           = module.review_document_version_gateway.gateway_resource_id
+  gateway_path        = "Status"
+  http_methods        = ["GET"]
+  require_credentials = true
+  authorization       = "CUSTOM"
+  authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
+}

infrastructure/iam.tf

@@ -317,3 +317,41 @@ resource "aws_iam_role_policy_attachment" "get_doc_ref_presign_url" {
   role       = aws_iam_role.get_doc_ref_presign_url_role.name
   policy_arn = aws_iam_policy.s3_document_data_policy_for_get_doc_ref_lambda.arn
 }
+
+data "aws_iam_policy_document" "assume_role_policy_post_document_review_lambda" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "AWS"
+      identifiers = [module.post_document_review_lambda.lambda_execution_role_arn]
+    }
+  }
+}
+
+resource "aws_iam_role" "post_document_review_presign" {
+  name               = "${terraform.workspace}_post_review_presign_url_role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_post_document_review_lambda.json
+}
+
+resource "aws_iam_role_policy_attachment" "post_document_review" {
+  role       = aws_iam_role.post_document_review_presign.name
+  policy_arn = aws_iam_policy.s3_document_data_policy_post_document_review_lambda.arn
+}
+
+resource "aws_iam_policy" "s3_document_data_policy_post_document_review_lambda" {
+  name = "${terraform.workspace}_put_document_only_policy_for_post_document_review_lambda"
+
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "s3:PutObject",
+        ],
+        "Resource" : ["${module.ndr-bulk-staging-store.bucket_arn}/review/*"]
+      }
+    ]
+  })
+}