Merge branch 'main' into PRMP-588

NogaNHS · NogaNHS · commit 9ce08e435ce8 · 2025-11-27T09:31:08.000Z
# Conflicts:
#	infrastructure/lambda-document-review-processor.tf
diff --git a/.github/workflows/automated-deploy-dev.yml b/.github/workflows/automated-deploy-dev.yml
@@ -222,15 +222,19 @@ jobs:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
 
   notify-slack:
+    name: Notify Slack on Failure
     runs-on: ubuntu-latest
+    environment: development
     needs: [terraform_plan_apply, deploy_lambdas, deploy_ui]
     if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main'
     steps:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v5
         with:
           role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
           aws-region: ${{ vars.AWS_REGION }}
+          mask-aws-account-id: true
 
       - name: Get slack bot token from SSM parameter store
         run: |
diff --git a/.github/workflows/automated-sonarqube-cloud-analysis.yml b/.github/workflows/automated-sonarqube-cloud-analysis.yml
@@ -28,15 +28,19 @@ jobs:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
   notify-slack:
+    name: Notify Slack on Failure
     runs-on: ubuntu-latest
+    environment: development
     needs: [sonarqube_cloud]
     if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main'
     steps:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v5
         with:
           role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
           aws-region: ${{ vars.AWS_REGION }}
+          mask-aws-account-id: true
 
       - name: Get slack bot token from SSM parameter store
         run: |
diff --git a/.github/workflows/cron-daily-health-check.yml b/.github/workflows/cron-daily-health-check.yml
@@ -198,15 +198,19 @@ jobs:
     secrets: inherit
 
   notify-slack:
+    name: Notify Slack on Failure
     runs-on: ubuntu-latest
+    environment: development
     needs: [terraform_plan_apply, run_lambda_unit_tests, run_ui_unit_tests, run_cypress_tests, publish_lambda_layers, deploy_lambdas, deploy_ui]
     if: failure()
     steps:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v5
         with:
           role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
           aws-region: ${{ vars.AWS_REGION }}
+          mask-aws-account-id: true
 
       - name: Get slack bot token from SSM parameter store
         run: |
diff --git a/infrastructure/buckets.tf b/infrastructure/buckets.tf
@@ -166,6 +166,8 @@ module "ndr-document-pending-review-store" {
   owner                     = var.owner
   enable_bucket_versioning  = true
   force_destroy             = local.is_force_destroy
+  cloudfront_enabled        = true
+  cloudfront_arn            = module.cloudfront-distribution-lg.cloudfront_arn
   enable_cors_configuration = true
   cors_rules = [
     {
diff --git a/infrastructure/cloudfront.tf b/infrastructure/cloudfront.tf
@@ -9,10 +9,15 @@ module "cloudfront_firewall_waf_v2" {
 }
 
 module "cloudfront-distribution-lg" {
-  source             = "./modules/cloudfront"
-  bucket_domain_name = "${terraform.workspace}-${var.lloyd_george_bucket_name}.s3.eu-west-2.amazonaws.com"
-  bucket_id          = module.ndr-lloyd-george-store.bucket_id
-  qualifed_arn       = module.edge-presign-lambda.qualified_arn
-  depends_on         = [module.edge-presign-lambda.qualified_arn, module.ndr-lloyd-george-store.bucket_id, module.ndr-lloyd-george-store.bucket_domain_name]
-  web_acl_id         = try(module.cloudfront_firewall_waf_v2[0].arn, "")
-}
+  source                        = "./modules/cloudfront"
+  bucket_domain_name            = module.ndr-lloyd-george-store.bucket_regional_domain_name
+  bucket_id                     = module.ndr-lloyd-george-store.bucket_id
+  qualifed_arn                  = module.edge-presign-lambda.qualified_arn
+  depends_on                    = [module.edge-presign-lambda.qualified_arn, module.ndr-lloyd-george-store.bucket_id, module.ndr-lloyd-george-store.bucket_domain_name, module.ndr-document-pending-review-store.bucket_id, module.ndr-document-pending-review-store.bucket_domain_name]
+  web_acl_id                    = try(module.cloudfront_firewall_waf_v2[0].arn, "")
+  has_secondary_bucket          = local.is_production ? false : true
+  secondary_bucket_domain_name  = module.ndr-document-pending-review-store.bucket_regional_domain_name
+  secondary_bucket_id           = module.ndr-document-pending-review-store.bucket_id
+  secondary_bucket_path_pattern = "/review/*"
+  log_bucket_id                 = local.access_logs_bucket_id
+}
diff --git a/infrastructure/lambda-bulk-upload-metadata-processor.tf b/infrastructure/lambda-bulk-upload-metadata-processor.tf
@@ -4,19 +4,19 @@ module "bulk-upload-metadata-processor-lambda" {
   handler        = "handlers.bulk_upload_metadata_processor_handler.lambda_handler"
   lambda_timeout = 900
   memory_size    = 1769
+
   iam_role_policy_documents = [
     module.ndr-bulk-staging-store.s3_read_policy_document,
     module.ndr-bulk-staging-store.s3_write_policy_document,
     module.bulk_upload_report_dynamodb_table.dynamodb_read_policy_document,
     module.bulk_upload_report_dynamodb_table.dynamodb_write_policy_document,
     module.sqs-lg-bulk-upload-metadata-queue.sqs_read_policy_document,
     module.sqs-lg-bulk-upload-metadata-queue.sqs_write_policy_document,
-    module.ndr-app-config.app_config_policy
+    module.ndr-app-config.app_config_policy,
+    aws_iam_policy.ssm_access_policy.policy,
+    data.aws_iam_policy.aws_lambda_vpc_access_execution_role.policy,
   ]
 
-  rest_api_id       = null
-  api_execution_arn = null
-
   lambda_environment_variables = {
     APPCONFIG_APPLICATION      = module.ndr-app-config.app_config_application_id
     APPCONFIG_ENVIRONMENT      = module.ndr-app-config.app_config_environment_id
@@ -27,7 +27,15 @@ module "bulk-upload-metadata-processor-lambda" {
     LLOYD_GEORGE_BUCKET_NAME   = "${terraform.workspace}-${var.lloyd_george_bucket_name}"
     LLOYD_GEORGE_DYNAMODB_NAME = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
     METADATA_SQS_QUEUE_URL     = module.sqs-lg-bulk-upload-metadata-queue.sqs_url
+
+    VIRUS_SCAN_STUB = !local.is_production
   }
+
+  vpc_subnet_ids         = length(data.aws_security_groups.virus_scanner_api.ids) == 1 ? module.ndr-vpc-ui.private_subnets : []
+  vpc_security_group_ids = length(data.aws_security_groups.virus_scanner_api.ids) == 1 ? [data.aws_security_groups.virus_scanner_api.ids[0]] : []
+
+  rest_api_id                   = null
+  api_execution_arn             = null
   is_gateway_integration_needed = false
   is_invoked_from_gateway       = false
 }
diff --git a/infrastructure/lambda-document-review-processor.tf b/infrastructure/lambda-document-review-processor.tf
@@ -5,6 +5,7 @@ module "document_review_processor_lambda" {
   iam_role_policy_documents = [
     module.document_review_queue.sqs_read_policy_document,
     module.document_review_queue.sqs_write_policy_document,
+    module.ndr-document-pending-review-store.s3_write_policy_document,
     module.document_upload_review_dynamodb_table.dynamodb_read_policy_document,
     module.document_upload_review_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-bulk-staging-store.s3_read_policy_document,
@@ -23,7 +24,6 @@ module "document_review_processor_lambda" {
     DOCUMENT_REVIEW_DYNAMODB_NAME = module.document_upload_review_dynamodb_table.table_name
     WORKSPACE                     = terraform.workspace
   }
-  depends_on = []
 }
 
 
diff --git a/infrastructure/lambda-edge-presign.tf b/infrastructure/lambda-edge-presign.tf
@@ -78,6 +78,6 @@ module "edge-presign-lambda" {
   providers = {
     aws = aws.us_east_1
   }
-  bucket_name = module.ndr-lloyd-george-store.bucket_id
-  table_name  = module.cloudfront_edge_dynamodb_table.table_name
-}
+  bucket_names = [module.ndr-lloyd-george-store.bucket_id, module.ndr-document-pending-review-store.bucket_id]
+  table_name   = module.cloudfront_edge_dynamodb_table.table_name
+}
diff --git a/infrastructure/modules/cloudfront/README.md b/infrastructure/modules/cloudfront/README.md
@@ -42,6 +42,7 @@ module "cloudfront" {
 |------|------|
 | [aws_cloudfront_cache_policy.nocache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_cache_policy) | resource |
 | [aws_cloudfront_distribution.distribution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
+| [aws_cloudfront_distribution.distribution_with_secondary_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
 | [aws_cloudfront_origin_access_control.cloudfront_s3_oac](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control) | resource |
 | [aws_cloudfront_origin_request_policy.viewer_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_request_policy) | resource |
 ## Inputs
@@ -50,7 +51,12 @@ module "cloudfront" {
 |------|-------------|------|---------|:--------:|
 | <a name="input_bucket_domain_name"></a> [bucket\_domain\_name](#input\_bucket\_domain\_name) | Domain name to assign CloudFront distribution to. | `string` | n/a | yes |
 | <a name="input_bucket_id"></a> [bucket\_id](#input\_bucket\_id) | Bucket ID to assign CloudFront distribution to. | `string` | n/a | yes |
+| <a name="input_has_secondary_bucket"></a> [has\_secondary\_bucket](#input\_has\_secondary\_bucket) | Whether distribution is associated with a secondary bucket | `bool` | n/a | yes |
+| <a name="input_log_bucket_id"></a> [log\_bucket\_id](#input\_log\_bucket\_id) | The bucket ID to send access logs to | `string` | n/a | yes |
 | <a name="input_qualifed_arn"></a> [qualifed\_arn](#input\_qualifed\_arn) | Lambda@Edge function association. | `string` | n/a | yes |
+| <a name="input_secondary_bucket_domain_name"></a> [secondary\_bucket\_domain\_name](#input\_secondary\_bucket\_domain\_name) | Secondary bucket domain name | `string` | n/a | yes |
+| <a name="input_secondary_bucket_id"></a> [secondary\_bucket\_id](#input\_secondary\_bucket\_id) | Secondary bucket ID | `string` | n/a | yes |
+| <a name="input_secondary_bucket_path_pattern"></a> [secondary\_bucket\_path\_pattern](#input\_secondary\_bucket\_path\_pattern) | Path pattern for secondary bucket | `string` | n/a | yes |
 | <a name="input_web_acl_id"></a> [web\_acl\_id](#input\_web\_acl\_id) | Web ACL to associate this CloudFront distribution with. | `string` | `""` | no |
 ## Outputs
 
diff --git a/infrastructure/modules/cloudfront/main.tf b/infrastructure/modules/cloudfront/main.tf
@@ -13,13 +13,17 @@ resource "aws_cloudfront_origin_access_control" "cloudfront_s3_oac" {
 }
 
 resource "aws_cloudfront_distribution" "distribution" {
+  count       = var.has_secondary_bucket ? 0 : 1
+  price_class = "PriceClass_100"
+
   origin {
     domain_name              = var.bucket_domain_name
     origin_id                = var.bucket_id
     origin_access_control_id = aws_cloudfront_origin_access_control.cloudfront_s3_oac.id
   }
   enabled         = true
   is_ipv6_enabled = true
+
   default_cache_behavior {
     allowed_methods          = ["HEAD", "GET", "OPTIONS"]
     cached_methods           = ["HEAD", "GET", "OPTIONS"]
@@ -33,18 +37,99 @@ resource "aws_cloudfront_distribution" "distribution" {
       lambda_arn = var.qualifed_arn
     }
   }
+
   viewer_certificate {
     cloudfront_default_certificate = true
   }
+
   restrictions {
     geo_restriction {
       restriction_type = "whitelist"
       locations        = local.allow_us_comms ? ["GB", "US"] : ["GB"]
     }
   }
   web_acl_id = var.web_acl_id
+
+  dynamic "logging_config" {
+    for_each = var.log_bucket_id != "" ? [1] : []
+    content {
+      bucket = var.log_bucket_id
+      prefix = "cloudfront/"
+    }
+  }
 }
 
+resource "aws_cloudfront_distribution" "distribution_with_secondary_bucket" {
+  count           = var.has_secondary_bucket ? 1 : 0
+  enabled         = true
+  is_ipv6_enabled = true
+  price_class     = "PriceClass_100"
+
+  origin {
+    domain_name              = var.bucket_domain_name
+    origin_id                = var.bucket_id
+    origin_access_control_id = aws_cloudfront_origin_access_control.cloudfront_s3_oac.id
+  }
+
+  default_cache_behavior {
+    allowed_methods          = ["HEAD", "GET", "OPTIONS"]
+    cached_methods           = ["HEAD", "GET", "OPTIONS"]
+    target_origin_id         = var.bucket_id
+    viewer_protocol_policy   = "redirect-to-https"
+    cache_policy_id          = aws_cloudfront_cache_policy.nocache.id
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.viewer_policy.id
+
+    lambda_function_association {
+      event_type = "origin-request"
+      lambda_arn = var.qualifed_arn
+    }
+  }
+
+  origin {
+    domain_name              = var.secondary_bucket_domain_name
+    origin_id                = var.secondary_bucket_id
+    origin_access_control_id = aws_cloudfront_origin_access_control.cloudfront_s3_oac.id
+  }
+
+  ordered_cache_behavior {
+    allowed_methods          = ["HEAD", "GET", "OPTIONS"]
+    cached_methods           = ["HEAD", "GET", "OPTIONS"]
+    path_pattern             = var.secondary_bucket_path_pattern
+    target_origin_id         = var.secondary_bucket_id
+    viewer_protocol_policy   = "redirect-to-https"
+    cache_policy_id          = aws_cloudfront_cache_policy.nocache.id
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.viewer_policy.id
+
+    lambda_function_association {
+      event_type = "origin-request"
+      lambda_arn = var.qualifed_arn
+    }
+
+  }
+
+  dynamic "logging_config" {
+    for_each = var.log_bucket_id != "" ? [1] : []
+    content {
+      bucket = var.log_bucket_id
+      prefix = "cloudfront/"
+    }
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = true
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "whitelist"
+      locations        = local.allow_us_comms ? ["GB", "US"] : ["GB"]
+    }
+  }
+  web_acl_id = var.web_acl_id
+
+}
+
+
 resource "aws_cloudfront_origin_request_policy" "viewer_policy" {
   name = "${terraform.workspace}_BlockQueriesAndAllowViewer"
 
diff --git a/infrastructure/modules/cloudfront/output.tf b/infrastructure/modules/cloudfront/output.tf
@@ -1,8 +1,8 @@
 output "cloudfront_url" {
-  value = aws_cloudfront_distribution.distribution.domain_name
+  value = var.has_secondary_bucket ? aws_cloudfront_distribution.distribution_with_secondary_bucket[0].domain_name : aws_cloudfront_distribution.distribution[0].domain_name
 }
 
 output "cloudfront_arn" {
   description = "The ARN of the CloudFront Distribution"
-  value       = aws_cloudfront_distribution.distribution.arn
+  value       = var.has_secondary_bucket ? aws_cloudfront_distribution.distribution_with_secondary_bucket[0].arn : aws_cloudfront_distribution.distribution[0].arn
 }
diff --git a/infrastructure/modules/cloudfront/variable.tf b/infrastructure/modules/cloudfront/variable.tf
@@ -19,3 +19,28 @@ variable "web_acl_id" {
   default     = ""
 }
 
+variable "has_secondary_bucket" {
+  description = "Whether distribution is associated with a secondary bucket"
+  type        = bool
+}
+
+variable "secondary_bucket_id" {
+  description = "Secondary bucket ID"
+  type        = string
+}
+
+variable "secondary_bucket_domain_name" {
+  description = "Secondary bucket domain name"
+  type        = string
+}
+
+variable "secondary_bucket_path_pattern" {
+  description = "Path pattern for secondary bucket"
+  type        = string
+}
+
+variable "log_bucket_id" {
+  description = "The bucket ID to send access logs to"
+  type        = string
+}
+
diff --git a/infrastructure/modules/lambda_edge/README.md b/infrastructure/modules/lambda_edge/README.md
@@ -68,7 +68,7 @@ module "s3_proxy_lambda" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name of the S3 bucket the Lambda will proxy requests to. | `string` | n/a | yes |
+| <a name="input_bucket_names"></a> [bucket\_names](#input\_bucket\_names) | The name of the S3 buckets the Lambda will proxy requests to. | `list(string)` | n/a | yes |
 | <a name="input_handler"></a> [handler](#input\_handler) | Handler function in the code package (e.g., 'index.handler'). | `string` | n/a | yes |
 | <a name="input_iam_role_policies"></a> [iam\_role\_policies](#input\_iam\_role\_policies) | List of IAM policy ARNs or JSON documents to attach to the Lambda execution role. | `list(string)` | n/a | yes |
 | <a name="input_lambda_ephemeral_storage"></a> [lambda\_ephemeral\_storage](#input\_lambda\_ephemeral\_storage) | Amount of ephemeral storage (in MB) allocated to the Lambda function. | `number` | `512` | no |
diff --git a/infrastructure/modules/lambda_edge/main.tf b/infrastructure/modules/lambda_edge/main.tf
@@ -43,6 +43,7 @@ data "aws_iam_policy_document" "assume_role" {
 }
 
 data "aws_iam_policy_document" "lambda_policy" {
+
   statement {
     effect = "Allow"
     actions = [
@@ -53,10 +54,13 @@ data "aws_iam_policy_document" "lambda_policy" {
     resources = ["arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:*"]
   }
 
-  statement {
-    effect    = "Allow"
-    actions   = ["s3:GetObject"]
-    resources = ["arn:aws:s3:::${var.bucket_name}/*"]
+  dynamic "statement" {
+    for_each = toset(var.bucket_names)
+    content {
+      effect    = "Allow"
+      actions   = ["s3:GetObject"]
+      resources = ["arn:aws:s3:::${statement.value}/*"]
+    }
   }
 
   statement {
@@ -80,4 +84,4 @@ resource "aws_iam_role_policy_attachment" "lambda_execution_policy" {
   count      = length(var.iam_role_policies)
   role       = aws_iam_role.lambda_exec_role.name
   policy_arn = var.iam_role_policies[count.index]
-}
+}
diff --git a/infrastructure/modules/lambda_edge/variable.tf b/infrastructure/modules/lambda_edge/variable.tf
diff --git a/infrastructure/modules/s3/README.md b/infrastructure/modules/s3/README.md
diff --git a/infrastructure/modules/s3/output.tf b/infrastructure/modules/s3/output.tf
diff --git a/infrastructure/moved-resources-v1.6.7.tf b/infrastructure/moved-resources-v1.6.7.tf
diff --git a/infrastructure/variable.tf b/infrastructure/variable.tf

Original file line number	Diff line number	Diff line change
`@@ -166,6 +166,8 @@ module "ndr-document-pending-review-store" {`
`166`	`166`	`owner = var.owner`
`167`	`167`	`enable_bucket_versioning = true`
`168`	`168`	`force_destroy = local.is_force_destroy`
	`169`	`+ cloudfront_enabled = true`
	`170`	`+ cloudfront_arn = module.cloudfront-distribution-lg.cloudfront_arn`
`169`	`171`	`enable_cors_configuration = true`
`170`	`172`	`cors_rules = [`
`171`	`173`	`{`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ module "document_review_processor_lambda" {`
`5`	`5`	`iam_role_policy_documents = [`
`6`	`6`	`module.document_review_queue.sqs_read_policy_document,`
`7`	`7`	`module.document_review_queue.sqs_write_policy_document,`
	`8`	`+ module.ndr-document-pending-review-store.s3_write_policy_document,`
`8`	`9`	`module.document_upload_review_dynamodb_table.dynamodb_read_policy_document,`
`9`	`10`	`module.document_upload_review_dynamodb_table.dynamodb_write_policy_document,`
`10`	`11`	`module.ndr-bulk-staging-store.s3_read_policy_document,`
`@@ -23,7 +24,6 @@ module "document_review_processor_lambda" {`
`23`	`24`	`DOCUMENT_REVIEW_DYNAMODB_NAME = module.document_upload_review_dynamodb_table.table_name`
`24`	`25`	`WORKSPACE = terraform.workspace`
`25`	`26`	`}`
`26`		`- depends_on = []`
`27`	`27`	`}`
`28`	`28`
`29`	`29`