wip

francisco-videira-nhs · francisco-videira-nhs · commit 0d5b6d66f87b · 2025-10-08T10:29:40.000Z
diff --git a/infrastructure/terraform/components/api/README.md b/infrastructure/terraform/components/api/README.md
@@ -34,6 +34,7 @@ No requirements.
 |------|--------|---------|
 | <a name="module_authorizer_lambda"></a> [authorizer\_lambda](#module\_authorizer\_lambda) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-lambda.zip | n/a |
 | <a name="module_domain_truststore"></a> [domain\_truststore](#module\_domain\_truststore) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
+| <a name="module_get_letter_data"></a> [get\_letter\_data](#module\_get\_letter\_data) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-lambda.zip | n/a |
 | <a name="module_get_letters"></a> [get\_letters](#module\_get\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-lambda.zip | n/a |
 | <a name="module_kms"></a> [kms](#module\_kms) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip | n/a |
 | <a name="module_logging_bucket"></a> [logging\_bucket](#module\_logging\_bucket) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
diff --git a/infrastructure/terraform/components/api/locals.tf b/infrastructure/terraform/components/api/locals.tf
@@ -9,6 +9,7 @@ locals {
     AWS_REGION               = var.region
     AUTHORIZER_LAMBDA_ARN    = module.authorizer_lambda.function_arn
     GET_LETTERS_LAMBDA_ARN  = module.get_letters.function_arn
+    GET_LETTER_DATA_LAMBDA_ARN  = module.get_letters.function_arn
     PATCH_LETTER_LAMBDA_ARN  = module.patch_letter.function_arn
   })
 
diff --git a/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf b/infrastructure/terraform/components/api/module_lambda_get_letter_data.tf
@@ -0,0 +1,72 @@
+module "get_letter_data" {
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-lambda.zip"
+
+  function_name = "get_letter_data"
+  description   = "Get the letter data"
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+  group          = var.group
+
+  log_retention_in_days = var.log_retention_in_days
+  kms_key_arn           = module.kms.key_arn
+
+  iam_policy_document = {
+    body = data.aws_iam_policy_document.get_letter_data_lambda.json
+  }
+
+  function_s3_bucket      = local.acct.s3_buckets["lambda_function_artefacts"]["id"]
+  function_code_base_path = local.aws_lambda_functions_dir_path
+  function_code_dir       = "api-handler/dist"
+  function_include_common = true
+  handler_function_name   = "getLetterData"
+  runtime                 = "nodejs22.x"
+  memory                  = 128
+  timeout                 = 5
+  log_level               = var.log_level
+
+  force_lambda_code_deploy = var.force_lambda_code_deploy
+  enable_lambda_insights   = false
+
+  send_to_firehose          = true
+  log_destination_arn       = local.destination_arn
+  log_subscription_role_arn = local.acct.log_subscription_role_arn
+
+  lambda_env_vars = merge(local.common_lambda_env_vars, {})
+}
+
+data "aws_iam_policy_document" "get_letter_data_lambda" {
+  statement {
+    sid    = "KMSPermissions"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+    ]
+
+    resources = [
+      module.kms.key_arn, ## Requires shared kms module
+    ]
+  }
+
+  statement {
+    sid    = "AllowDynamoDBAccess"
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:BatchGetItem",
+      "dynamodb:GetItem",
+      "dynamodb:Query",
+      "dynamodb:Scan",
+    ]
+
+    resources = [
+      aws_dynamodb_table.letters.arn,
+      "${aws_dynamodb_table.letters.arn}/index/supplierStatus-index"
+    ]
+  }
+}
diff --git a/infrastructure/terraform/components/api/resources/spec.tmpl.json b/infrastructure/terraform/components/api/resources/spec.tmpl.json
@@ -54,6 +54,34 @@
       }
     },
     "/letters/{id}": {
+      "get": {
+        "description": "Returns 302 with pre-signed URL to the letter data",
+        "responses": {
+          "302": {
+            "description": "Found"
+          }
+        },
+        "security": [
+          {
+            "LambdaAuthorizer": []
+          }
+        ],
+        "summary": "Get letter data",
+        "x-amazon-apigateway-integration": {
+          "contentHandling": "CONVERT_TO_TEXT",
+          "credentials": "${APIG_EXECUTION_ROLE_ARN}",
+          "httpMethod": "POST",
+          "passthroughBehavior": "WHEN_NO_TEMPLATES",
+          "responses": {
+            ".*": {
+              "statusCode": "200"
+            }
+          },
+          "timeoutInMillis": 29000,
+          "type": "AWS_PROXY",
+          "uri": "arn:aws:apigateway:${AWS_REGION}:lambda:path/2015-03-31/functions/${GET_LETTER_DATA_LAMBDA_ARN}/invocations"
+        }
+      },
       "parameters": [
         {
           "description": "Unique identifier of this resource",
diff --git a/lambdas/api-handler/package.json b/lambdas/api-handler/package.json
@@ -3,6 +3,7 @@
     "esbuild": "^0.24.0"
   },
   "devDependencies": {
+    "@aws-sdk/s3-request-presigner": "^3.901.0",
     "@tsconfig/node22": "^22.0.2",
     "@types/aws-lambda": "^8.10.148",
     "@types/jest": "^29.5.14",
diff --git a/lambdas/api-handler/src/handlers/get-letter-data.ts b/lambdas/api-handler/src/handlers/get-letter-data.ts
@@ -3,18 +3,13 @@ import { createLetterRepository } from "../infrastructure/letter-repo-factory";
 import { assertNotEmpty, lowerCaseKeys } from "../utils/validation";
 import { ApiErrorDetail } from '../contracts/errors';
 import { lambdaConfig } from "../config/lambda-config";
-import pino from 'pino';
 import { mapErrorToResponse } from "../mappers/error-mapper";
 import { ValidationError } from "../errors";
+import { getLetterDataUrl } from "../services/letter-operations";
 
 const letterRepo = createLetterRepository();
 
-const log = pino();
-
-// The endpoint should only return pending letters for now
-const status = "PENDING";
-
-export const getLetters: APIGatewayProxyHandler = async (event) => {
+export const getLetterData: APIGatewayProxyHandler = async (event) => {
 
   let correlationId;
 
@@ -23,16 +18,12 @@ export const getLetters: APIGatewayProxyHandler = async (event) => {
     const lowerCasedHeaders = lowerCaseKeys(event.headers);
     correlationId = assertNotEmpty(lowerCasedHeaders[lambdaConfig.APIM_CORRELATION_HEADER], new Error("The request headers don't contain the APIM correlation id"));
     const supplierId = assertNotEmpty(lowerCasedHeaders[lambdaConfig.SUPPLIER_ID_HEADER], new ValidationError(ApiErrorDetail.InvalidRequestMissingSupplierId));
-
-    // assert if letter exists and retrieve
-    // call service
-
-
-    // map response
+    const letterId = assertNotEmpty( event.pathParameters?.id, new ValidationError(ApiErrorDetail.InvalidRequestMissingLetterIdPathParameter));
 
     return {
-      statusCode: 200,
-      body: JSON.stringify({}, null, 2),
+      statusCode: 302,
+      Location: getLetterDataUrl(supplierId, letterId, letterRepo),
+      body: ''
     };
   }
   catch (error) {
diff --git a/lambdas/api-handler/src/services/letter-operations.ts b/lambdas/api-handler/src/services/letter-operations.ts
@@ -3,6 +3,8 @@ import { NotFoundError, ValidationError } from '../errors';
 import { LetterDto, PatchLetterResponse } from '../contracts/letters';
 import { mapToPatchLetterResponse } from '../mappers/letter-mapper';
 import { ApiErrorDetail } from '../contracts/errors';
+import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
+import { S3Client, GetObjectCommand } from "@aws-sdk/client-s3";
 
 
 export const getLettersForSupplier = async (supplierId: string, status: string, limit: number, letterRepo: LetterRepository): Promise<LetterBase[]> => {
@@ -30,7 +32,7 @@ export const patchLetterStatus = async (letterToUpdate: LetterDto, letterId: str
   return mapToPatchLetterResponse(updatedLetter);
 }
 
-export const getLetterData = async (supplierId: string, letterId: string, letterRepo: LetterRepository): Promise<LetterBase> => {
+export const getLetterDataUrl = async (supplierId: string, letterId: string, letterRepo: LetterRepository): Promise<string> => {
 
   let letter;
 
@@ -43,5 +45,20 @@ export const getLetterData = async (supplierId: string, letterId: string, letter
     throw error;
   }
 
+  return getPresignedUrl(letter.url);
+}
+
+async function getPresignedUrl(s3Uri: string) {
+  const client = new S3Client();
+
+  const url = new URL(s3Uri); // works for s3:// URIs
+  const bucket = url.hostname;
+  const key = url.pathname.slice(1); // remove leading '/'
+
+  const command = new GetObjectCommand({
+    Bucket: bucket,
+    Key: key,
+  });
 
+  return await getSignedUrl(client, command, { expiresIn: 3600 });
 }
diff --git a/package-lock.json b/package-lock.json
