CCM-12615: APIM Authentication

Author: simonlabarere

eslint.config.mjs

@@ -253,6 +253,7 @@ export default defineConfig([
       'no-await-in-loop': 0,
       'no-plusplus': [2, { allowForLoopAfterthoughts: true }],
       'unicorn/prefer-top-level-await': 0, // top level await is not available in commonjs
+      'import-x/prefer-default-export': "off"
     },
   },
 ]);

infrastructure/terraform/components/dl/README.md

@@ -9,6 +9,10 @@ No requirements.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_apim_auth_token_schedule"></a> [apim\_auth\_token\_schedule](#input\_apim\_auth\_token\_schedule) | Schedule to renew the APIM auth token | `string` | `"rate(9 minutes)"` | no |
+| <a name="input_apim_auth_token_url"></a> [apim\_auth\_token\_url](#input\_apim\_auth\_token\_url) | URL to generate an APIM auth token | `string` | `"https://int.api.service.nhs.uk/oauth2/token"` | no |
+| <a name="input_apim_base_url"></a> [apim\_base\_url](#input\_apim\_base\_url) | The NHS Notify send message target for nudge communications. Defaults to sandbox | `string` | `"https://sandbox.api.service.nhs.uk"` | no |
+| <a name="input_apim_keygen_schedule"></a> [apim\_keygen\_schedule](#input\_apim\_keygen\_schedule) | Schedule to refresh key pairs if necessary | `string` | `"cron(0 14 * * ? *)"` | no |
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"dl"` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
@@ -32,6 +36,8 @@ No requirements.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_kms"></a> [kms](#module\_kms) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-kms.zip | n/a |
+| <a name="module_lambda_apim_key_generation"></a> [lambda\_apim\_key\_generation](#module\_lambda\_apim\_key\_generation) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-lambda.zip | n/a |
+| <a name="module_lambda_lambda_apim_refresh_token"></a> [lambda\_lambda\_apim\_refresh\_token](#module\_lambda\_lambda\_apim\_refresh\_token) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-lambda.zip | n/a |
 | <a name="module_mesh_poll"></a> [mesh\_poll](#module\_mesh\_poll) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-lambda.zip | n/a |
 | <a name="module_s3bucket_letters"></a> [s3bucket\_letters](#module\_s3bucket\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-s3bucket.zip | n/a |
 | <a name="module_sqs_event_publisher_errors"></a> [sqs\_event\_publisher\_errors](#module\_sqs\_event\_publisher\_errors) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-sqs.zip | n/a |

infrastructure/terraform/components/dl/locals.tf

@@ -1,6 +1,9 @@
 locals {
   aws_lambda_functions_dir_path = "../../../../lambdas"
   log_destination_arn           = "arn:aws:logs:${var.region}:${var.shared_infra_account_id}:destination:nhs-main-obs-firehose-logs"
-
+  apim_access_token_ssm_parameter_name = "/${var.component}/${var.environment}/apim/access_token"
+  apim_api_key_ssm_parameter_name      = "/${var.component}/${var.environment}/apim/api_key"
+  apim_private_key_ssm_parameter_name  = "/${var.component}/${var.environment}/apim/private_key"
+  apim_keystore_s3_bucket              = "nhs-${var.aws_account_id}-${var.region}-${var.environment}-${var.component}-static-assets"
   ttl_shard_count = 3
 }

infrastructure/terraform/components/dl/module_lambda_apim_key_generation.tf

@@ -0,0 +1,78 @@
+module "lambda_apim_key_generation" {
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-lambda.zip"
+
+  function_name = "apim-key-generation"
+  description   = "A function to generate APIM public and private keys"
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+  group          = var.group
+
+  log_retention_in_days = var.log_retention_in_days
+  kms_key_arn           = module.kms.key_arn
+
+  iam_policy_document = {
+    body = data.aws_iam_policy_document.lambda_apim_key_generation.json
+  }
+
+  function_s3_bucket      = local.acct.s3_buckets["lambda_function_artefacts"]["id"]
+  function_code_base_path = local.aws_lambda_functions_dir_path
+  function_code_dir       = "key-generation/dist"
+  function_include_common = true
+  function_module_name    = "lambda"
+  handler_function_name   = "handler"
+  runtime                 = "nodejs22.x"
+  memory                  = 512
+  timeout                 = 300
+  log_level               = var.log_level
+  schedule                = var.apim_keygen_schedule
+
+  force_lambda_code_deploy = var.force_lambda_code_deploy
+  enable_lambda_insights   = false
+
+  send_to_firehose          = true
+  log_destination_arn       = local.log_destination_arn
+  log_subscription_role_arn = local.acct.log_subscription_role_arn
+
+  lambda_env_vars = {
+    SSM_PRIVATE_KEY_PARAMETER_NAME = local.apim_private_key_ssm_parameter_name
+    KEYSTORE_S3_BUCKET             = local.apim_keystore_s3_bucket
+    ENVIRONMENT                    = var.environment
+  }
+}
+
+data "aws_iam_policy_document" "lambda_apim_key_generation" {
+  statement {
+    sid    = "AllowS3List"
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+      "s3:PutObject"
+    ]
+
+    resources = [
+      "arn:aws:s3:::${local.apim_keystore_s3_bucket}/*"
+    ]
+  }
+
+  statement {
+    sid    = "AllowSSMParam"
+    effect = "Allow"
+
+    actions = [
+      "ssm:DeleteParameter",
+      "ssm:GetParameter",
+      "ssm:GetParameters",
+      "ssm:GetParametersByPath",
+      "ssm:PutParameter",
+    ]
+
+    resources = [
+      "arn:aws:ssm:${var.region}:${var.aws_account_id}:parameter/${var.component}/${var.environment}/apim/*"
+    ]
+  }
+}

infrastructure/terraform/components/dl/module_lambda_apim_refresh_token.tf

@@ -0,0 +1,65 @@
+module "lambda_lambda_apim_refresh_token" {
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-lambda.zip"
+
+  function_name = "apim-refresh-token"
+  description   = "A function to generate APIM access tokens"
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+  group          = var.group
+
+  log_retention_in_days = var.log_retention_in_days
+  kms_key_arn           = module.kms.key_arn
+
+  iam_policy_document = {
+    body = data.aws_iam_policy_document.lambda_apim_refresh_token.json
+  }
+
+  function_s3_bucket      = local.acct.s3_buckets["lambda_function_artefacts"]["id"]
+  function_code_base_path = local.aws_lambda_functions_dir_path
+  function_code_dir       = "refresh-apim-access-token/dist"
+  function_include_common = true
+  handler_function_name   = "handler"
+  runtime                 = "nodejs22.x"
+  memory                  = 128
+  timeout                 = 5
+  log_level               = var.log_level
+  schedule                = var.apim_auth_token_schedule
+
+  force_lambda_code_deploy = var.force_lambda_code_deploy
+  enable_lambda_insights   = false
+
+  send_to_firehose          = true
+  log_destination_arn       = local.log_destination_arn
+  log_subscription_role_arn = local.acct.log_subscription_role_arn
+
+  lambda_env_vars = {
+    NHS_AUTH_SERVER_TOKEN_ENDPOINT  = var.apim_auth_token_url
+    SSM_ACCESS_TOKEN_PARAMETER_NAME = local.apim_access_token_ssm_parameter_name
+    SSM_API_KEY_PARAMETER_NAME      = local.apim_api_key_ssm_parameter_name
+    SSM_PRIVATE_KEY_PARAMETER_NAME  = local.apim_private_key_ssm_parameter_name
+    ENVIRONMENT                     = var.environment
+  }
+}
+
+data "aws_iam_policy_document" "lambda_apim_refresh_token" {
+  statement {
+    sid    = "AllowSSMParam"
+    effect = "Allow"
+
+    actions = [
+      "ssm:DeleteParameter",
+      "ssm:GetParameter",
+      "ssm:GetParameters",
+      "ssm:GetParametersByPath",
+      "ssm:PutParameter",
+    ]
+
+    resources = [
+      "arn:aws:ssm:${var.region}:${var.aws_account_id}:parameter/${var.component}/${var.environment}/apim/*"
+    ]
+  }
+}

infrastructure/terraform/components/dl/ssm_parameter_access_token.tf

@@ -0,0 +1,15 @@
+resource "aws_ssm_parameter" "access_token" {
+  name        = local.apim_access_token_ssm_parameter_name
+  description = "Access token for APIM"
+  type        = "SecureString"
+  value = jsonencode({
+    tokens = []
+  })
+  tags = merge(local.default_tags, { Backup = "true" })
+
+  lifecycle {
+    ignore_changes = [
+      value
+    ]
+  }
+}

infrastructure/terraform/components/dl/ssm_parameter_api_key.tf

@@ -0,0 +1,13 @@
+resource "aws_ssm_parameter" "api_key" {
+  name        = local.apim_api_key_ssm_parameter_name
+  description = "Access token for APIM"
+  type        = "SecureString"
+  value       = "unset"
+  tags        = merge(local.default_tags, { Backup = "true" })
+
+  lifecycle {
+    ignore_changes = [
+      value
+    ]
+  }
+}

infrastructure/terraform/components/dl/variables.tf

@@ -115,3 +115,27 @@ variable "ttl_poll_schedule" {
   description = "Schedule to poll for any overdue TTL records"
   default     = "rate(10 minutes)"  # Every 10 minutes
 }
+
+variable "apim_base_url" {
+  type        = string
+  description = "The NHS Notify send message target for nudge communications. Defaults to sandbox"
+  default     = "https://sandbox.api.service.nhs.uk"
+}
+
+variable "apim_auth_token_url" {
+  type        = string
+  description = "URL to generate an APIM auth token"
+  default     = "https://int.api.service.nhs.uk/oauth2/token"
+}
+
+variable "apim_keygen_schedule" {
+  type        = string
+  description = "Schedule to refresh key pairs if necessary"
+  default     = "cron(0 14 * * ? *)"
+}
+
+variable "apim_auth_token_schedule" {
+  type        = string
+  description = "Schedule to renew the APIM auth token"
+  default     = "rate(9 minutes)"
+}

lambdas/key-generation/jest.config.ts

@@ -0,0 +1,61 @@
+import type { Config } from 'jest';
+
+export const baseJestConfig: Config = {
+  preset: 'ts-jest',
+
+  // Automatically clear mock calls, instances, contexts and results before every test
+  clearMocks: true,
+
+  // Indicates whether the coverage information should be collected while executing the test
+  collectCoverage: true,
+
+  // The directory where Jest should output its coverage files
+  coverageDirectory: './.reports/unit/coverage',
+
+  // Indicates which provider should be used to instrument code for coverage
+  coverageProvider: 'babel',
+
+  coverageThreshold: {
+    global: {
+      branches: 90,
+      functions: 90,
+      lines: 90,
+      statements: -10,
+    },
+  },
+
+  coveragePathIgnorePatterns: ['/__tests__/', 'lambda.ts', '/config.ts'],
+  transform: { '^.+\\.ts$': 'ts-jest' },
+  testPathIgnorePatterns: ['.build'],
+  testMatch: ['**/?(*.)+(spec|test).[jt]s?(x)'],
+
+  // Use this configuration option to add custom reporters to Jest
+  reporters: [
+    'default',
+    [
+      'jest-html-reporter',
+      {
+        pageTitle: 'Test Report',
+        outputPath: './.reports/unit/test-report.html',
+        includeFailureMsg: true,
+      },
+    ],
+  ],
+
+  // The test environment that will be used for testing
+  testEnvironment: 'jsdom',
+};
+
+const utilsJestConfig = {
+  ...baseJestConfig,
+
+  testEnvironment: 'node',
+
+  coveragePathIgnorePatterns: [
+    ...(baseJestConfig.coveragePathIgnorePatterns ?? []),
+  ],
+
+  moduleDirectories: ['node_modules', 'src'],
+};
+
+export default utilsJestConfig;

lambdas/key-generation/package.json

@@ -0,0 +1,32 @@
+{
+  "dependencies": {
+    "aws-lambda": "^1.0.7",
+    "date-fns": "^4.1.0",
+    "esbuild": "^0.25.9",
+    "utils": "*",
+    "node-jose": "^2.2.0"
+  },
+  "devDependencies": {
+    "@tsconfig/node22": "^22.0.2",
+    "@types/aws-lambda": "^8.10.148",
+    "@types/jest": "^29.5.14",
+    "@types/node": "^24.0.10",
+    "@types/node-jose": "^1.1.13",
+    "jest": "^29.7.0",
+    "jest-mock-extended": "^3.0.7",
+    "typescript": "^5.8.2"
+  },
+  "exports": {
+    ".": "./src/index.ts"
+  },
+  "name": "key-generation",
+  "private": true,
+  "scripts": { 
+    "lambda-build": "rm -rf dist && npx esbuild --bundle --minify --sourcemap --target=es2020 --platform=node --loader:.node=file --entry-names=[name] --outdir=dist src/lambda.ts",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "test:unit": "jest",
+    "typecheck": "tsc --noEmit"
+  },
+  "version": "0.0.1"
+}