Merge branch 'main' into CCM_11015_HelloWorldProxy

Author: aidenvaines-cgi

.github/workflows/pr_closed.yaml

@@ -0,0 +1,56 @@
+name: PR Closed
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  check-merge-or-workflow-dispatch:
+    runs-on: ubuntu-latest
+    outputs:
+      deploy: ${{ steps.check.outputs.deploy }}
+    steps:
+      - name: Check if PR was merged or workflow is triggered by workflow_dispatch
+        id: check
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            echo "deploy=true" >> $GITHUB_OUTPUT
+            echo "Job triggered by workflow_dispatch - running 'deploy-main'"
+          elif [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.merged }}" == "true" ]]; then
+            echo "deploy=true" >> $GITHUB_OUTPUT
+            echo "Job triggered by Merged PR - running 'deploy-main'"
+          else
+            echo "deploy=false" >> $GITHUB_OUTPUT
+            echo "Job not triggered by workflow_dispatch or Merged PR - Skipping 'deploy-main'"
+          fi
+
+  deploy-main:
+    needs: check-merge-or-workflow-dispatch
+    name: Deploy changes to main in dev AWS account
+    if: needs.check-merge-or-workflow-dispatch.outputs.deploy == 'true'
+
+    permissions:
+      id-token: write
+      contents: read
+
+    strategy:
+      max-parallel: 1
+      matrix:
+        component: [api]
+
+    uses: ./.github/workflows/reusable_internal_repo_build.yaml
+    secrets: inherit
+    with:
+      releaseVersion: main
+      targetWorkflow: "dispatch-deploy-static-notify-supplier-api-env.yaml"
+      targetEnvironment: "main"
+      targetAccountGroup: "nhs-notify-supplier-api-dev"
+      targetComponent: ${{ matrix.component }}
+      terraformAction: "apply"

.github/workflows/pr_create_dynamic_env.yaml

@@ -0,0 +1,51 @@
+name: PR Create Environment
+
+on:
+  pull_request:
+    types: [labeled, opened, synchronize, reopened, unlabeled, edited]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  create-dynamic-environment:
+    name: Create Dynamic Environment
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Trigger nhs-notify-internal dynamic environment workflow
+        shell: bash
+        run: |
+          set -x
+          this_repo_name=$(echo ${{ github.repository }} | cut -d'/' -f2)
+
+          DISPATCH_EVENT=$(jq -ncM \
+            --arg infraRepoName "${this_repo_name}" \
+            --arg releaseVersion "${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" \
+            --arg targetProject "nhs" \
+            --arg targetEnvironment "pr${{ github.event.number }}" \
+            --arg targetAccountGroup "nhs-notify-supplier-api-dev" \
+            --arg targetComponent "api" \
+            --arg terraformAction "apply" \
+            --arg overrides "branch_name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" \
+            '{ "ref": "main",
+              "inputs": {
+                "infraRepoName": $infraRepoName,
+                "releaseVersion", $releaseVersion,
+                "targetProject", $targetProject,
+                "targetEnvironment", $targetEnvironment,
+                "targetAccountGroup", $targetAccountGroup,
+                "targetComponent", $targetComponent,
+                "terraformAction", $terraformAction,
+                "overrides", $overrides,
+              }
+            }')
+
+          curl --fail -L \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PR_TRIGGER_PAT }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/workflows/dispatch-deploy-dynamic-env.yaml/dispatches \
+            -d "${DISPATCH_EVENT}"

.github/workflows/pr_destroy_dynamic_env.yaml

@@ -0,0 +1,49 @@
+name: PR Destroy Environment
+
+on:
+  pull_request:
+    types: [closed]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  create-dynamic-environment:
+    name: Destroy Dynamic Environment
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Trigger nhs-notify-internal dynamic environment destruction
+        shell: bash
+        run: |
+          set -x
+          this_repo_name=$(echo ${{ github.repository }} | cut -d'/' -f2)
+
+          DISPATCH_EVENT=$(jq -ncM \
+            --arg infraRepoName "${this_repo_name}" \
+            --arg releaseVersion "main" \
+            --arg targetProject "nhs" \
+            --arg targetEnvironment "pr${{ github.event.number }}" \
+            --arg targetAccountGroup "nhs-notify-supplier-api-dev" \
+            --arg targetComponent "api" \
+            --arg terraformAction "destroy" \
+            '{ "ref": "main",
+              "inputs": {
+                "infraRepoName": $infraRepoName,
+                "releaseVersion", $releaseVersion,
+                "targetProject", $targetProject,
+                "targetEnvironment", $targetEnvironment,
+                "targetAccountGroup", $targetAccountGroup,
+                "targetComponent", $targetComponent,
+                "terraformAction", $terraformAction,
+              }
+            }')
+
+          curl --fail -L \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PR_TRIGGER_PAT }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/workflows/dispatch-deploy-dynamic-env.yaml/dispatches \
+            -d "${DISPATCH_EVENT}"

.github/workflows/release_created.yaml

@@ -0,0 +1,32 @@
+name: Github Release Created
+
+on:
+  release:
+    types: ["published"] # Inherits all input defaults
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  deploy-main:
+    name: Deploy changes to main in nonprod AWS Account
+
+    permissions:
+      id-token: write
+      contents: read
+
+    strategy:
+      max-parallel: 1
+      matrix:
+        component: [api]
+
+    uses: ./.github/workflows/reusable_internal_repo_build.yaml
+    secrets: inherit
+    with:
+      releaseVersion: ${{ github.event.release.tag_name }}
+      targetWorkflow: "dispatch-deploy-static-notify-supliers-api-env.yaml"
+      targetEnvironment: "main"
+      targetAccountGroup: "nhs-notify-supliers-api-nonprod"
+      targetComponent: ${{ matrix.component }}
+      terraformAction: "apply"

.github/workflows/reusable_internal_repo_build.yaml

@@ -0,0 +1,142 @@
+name: Call Notify Internal Infrastructure Deployment
+## Sub workflow which plans and deploys Notify components as part of the workflow.
+## Review Gates may be required to proceed on triggered builds.
+
+on:
+  workflow_call:
+    inputs:
+      releaseVersion:
+        type: string
+        description: The Github release version, commit, or tag.
+        default: main
+      targetWorkflow:
+        type: string
+        description: The name of the github workflow to call.
+        default: main
+      targetEnvironment:
+        type: string
+        description: The Terraform environment to deploy
+        default: main
+      targetComponent:
+        type: string
+        description: The Terraform component to deploy
+        required: true
+      targetAccountGroup:
+        type: string
+        description: The Terraform group to deploy
+        required: true
+      terraformAction:
+        type: string
+        description: The Terraform component to deploy
+        default: plan
+
+concurrency:
+  group: ${{ inputs.targetEnvironment }}-${{ inputs.targetAccountGroup }}-${{ inputs.targetComponent }}-${{ inputs.terraformAction }}
+
+jobs:
+  trigger:
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Trigger nhs-notify-internal static environment workflow deployment
+        shell: bash
+        run: |
+          set -x
+
+          DISPATCH_EVENT=$(jq -ncM \
+            --arg releaseVersion ${{ inputs.releaseVersion }} \
+            --arg targetEnvironment ${{ inputs.targetEnvironment }} \
+            --arg targetAccountGroup ${{ inputs.targetAccountGroup }} \
+            --arg targetComponent ${{ inputs.targetComponent }} \
+            --arg terraformAction ${{ inputs.terraformAction }} \
+            '{ "ref": "main",
+              "inputs": {
+                "releaseVersion", $releaseVersion,
+                "targetEnvironment", $targetEnvironment,
+                "targetAccountGroup", $targetAccountGroup,
+                "targetComponent", $targetComponent,
+                "terraformAction", $terraformAction
+              }
+            }')
+
+          # Trigger The workflow
+          curl -L \
+            --fail \
+            --silent \
+            -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer ${{ secrets.PR_TRIGGER_PAT }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/workflows/${{ inputs.targetWorkflow }}/dispatches" \
+            -d "${DISPATCH_EVENT}"
+
+          echo "Workflow triggered successfully. HTTP response. Waiting for the workflow to complete.."
+
+          # Poll GitHub API to check the workflow status
+          run_id=""
+          for i in {1..12}; do
+            in_progress=$(curl -s \
+              -H "Accept: application/vnd.github+json" \
+              -H "Authorization: Bearer ${{ secrets.PR_TRIGGER_PAT }}" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/runs?event=workflow_dispatch&status=in_progress")
+
+            run_id=$(echo "$in_progress" | jq -r \
+              --arg env "${{ inputs.targetEnvironment }}" \
+              --arg component "${{ inputs.targetComponent }}" \
+              --arg group "${{ inputs.targetAccountGroup }}" \
+              --arg releaseVersion "${{ inputs.releaseVersion }}" \
+              '.workflow_runs[]
+                | select(.name | contains($env) and contains($component) and contains($group) and contains($releaseVersion))
+                | .id' | head -n 1)
+
+            if [[ -n "$run_id" && "$run_id" != null ]]; then
+              echo "Found workflow run with ID: $run_id"
+              break
+            fi
+
+            echo "Waiting for workflow to start..."
+            sleep 10
+          done
+
+          if [[ -z "$run_id" || "$run_id" == null ]]; then
+            echo "Failed to get the workflow run ID. Exiting."
+            exit 1
+          fi
+
+          # Wait for workflow completion
+          while true; do
+            sleep 10
+            status=$(curl -s \
+              -H "Accept: application/vnd.github+json" \
+              -H "Authorization: Bearer ${{ secrets.PR_TRIGGER_PAT }}" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/runs/$run_id" \
+              | jq -r '.status')
+
+            conclusion=$(curl -s \
+              -H "Accept: application/vnd.github+json" \
+              -H "Authorization: Bearer ${{ secrets.PR_TRIGGER_PAT }}" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/runs/$run_id" \
+              | jq -r '.conclusion')
+
+            if [ "$status" == "completed" ]; then
+              if [ "$conclusion" == "success" ]; then
+                echo "Workflow completed successfully."
+                exit 0
+              else
+                echo "Workflow failed with conclusion: $conclusion"
+                exit 1
+              fi
+            fi
+
+            echo "Workflow still running..."
+            sleep 20
+          done

.github/workflows/scorecard.yml

@@ -68,6 +68,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
         with:
           sarif_file: results.sarif

.tool-versions

@@ -1,10 +1,7 @@
 act 0.2.64
-editorconfig-checker 3.3.0
 gitleaks 8.24.0
 jq 1.6
-markdownlint-cli2 0.18.1
 nodejs 22.11.0
-pnpm 10.4.1
 pre-commit 3.6.0
 python 3.13.2
 terraform 1.9.2

infrastructure/terraform/bin/terraform.sh

@@ -403,7 +403,7 @@ readonly component_name=$(basename ${component_path});
 # verify terraform version matches .tool-versions
 echo ${PWD}
 tool_version=$(grep "terraform " .tool-versions | cut -d ' ' -f 2)
-asdf plugin-add terraform && asdf install terraform "${tool_version}"
+asdf plugin add terraform && asdf install terraform "${tool_version}"
 current_version=$(terraform --version | head -n 1 | cut -d 'v' -f 2)
 
 if [ -z "${current_version}" ] || [ "${current_version}" != "${tool_version}" ]; then

…mponents/examplecomponent/.tool-versions …/terraform/components/api/.tool-versionsinfrastructure/terraform/components/examplecomponent/.tool-versions renamed to infrastructure/terraform/components/api/.tool-versions infrastructure/terraform/components/examplecomponent/.tool-versions renamed to infrastructure/terraform/components/api/.tool-versions

@@ -10,20 +10,29 @@ No requirements.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
-| <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"examplecomponent"` | no |
+| <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"supapi"` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_force_lambda_code_deploy"></a> [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development | `bool` | `false` | no |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
+| <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
+| <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"INFO"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_authorizer_lambda"></a> [authorizer\_lambda](#module\_authorizer\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
+| <a name="module_hello_world"></a> [hello\_world](#module\_hello\_world) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.10 |
+| <a name="module_kms"></a> [kms](#module\_kms) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms | v2.0.10 |
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_api_urll"></a> [api\_urll](#output\_api\_urll) | n/a |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->