merge latest from feature/CCM-12180-TestsOnPipeline into my branch

Author: Vlasis-Perdikidis

infrastructure/terraform/components/api/README.md

@@ -13,6 +13,8 @@ No requirements.
 | <a name="input_ca_pem_filename"></a> [ca\_pem\_filename](#input\_ca\_pem\_filename) | Filename for the CA truststore file within the s3 bucket | `string` | `null` | no |
 | <a name="input_commit_id"></a> [commit\_id](#input\_commit\_id) | The commit to deploy. Must be in the tree for branch\_name | `string` | `"HEAD"` | no |
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"supapi"` | no |
+| <a name="input_core_account_id"></a> [core\_account\_id](#input\_core\_account\_id) | AWS Account ID for Core | `string` | `"000000000000"` | no |
+| <a name="input_core_environment"></a> [core\_environment](#input\_core\_environment) | Environment of Core | `string` | `"prod"` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_disable_gateway_execute_endpoint"></a> [disable\_gateway\_execute\_endpoint](#input\_disable\_gateway\_execute\_endpoint) | Disable the execution endpoint for the API Gateway | `bool` | `true` | no |
 | <a name="input_enable_backups"></a> [enable\_backups](#input\_enable\_backups) | Enable backups | `bool` | `false` | no |

infrastructure/terraform/components/api/event_source_mapping_letter_updates.tf

@@ -1,11 +1,11 @@
 resource "aws_lambda_event_source_mapping" "letter_updates_transformer_kinesis" {
-  event_source_arn                     = aws_kinesis_stream.letter_change_stream.arn
-  function_name                        = module.letter_updates_transformer.function_arn
-  starting_position                    = "LATEST"
-  batch_size                           = 10
-  maximum_batching_window_in_seconds   = 1
+  event_source_arn                   = aws_kinesis_stream.letter_change_stream.arn
+  function_name                      = module.letter_updates_transformer.function_arn
+  starting_position                  = "LATEST"
+  batch_size                         = 10
+  maximum_batching_window_in_seconds = 1
 
   depends_on = [
-    module.letter_updates_transformer    # ensures updates transformer exists
+    module.letter_updates_transformer # ensures updates transformer exists
   ]
 }

infrastructure/terraform/components/api/locals.tf

@@ -28,4 +28,7 @@ locals {
     APIM_CORRELATION_HEADER  = "nhsd-correlation-id",
     DOWNLOAD_URL_TTL_SECONDS = 60
   }
+
+  core_pdf_bucket_arn        = "arn:aws:s3:::comms-${var.core_account_id}-eu-west-2-${var.core_environment}-api-stg-pdf-pipeline"
+  core_s3_kms_key_alias_name = "alias/comms-${var.core_environment}-api-s3"
 }

infrastructure/terraform/components/api/module_lambda_get_letter_data.tf

@@ -68,11 +68,43 @@ data "aws_iam_policy_document" "get_letter_data_lambda" {
     ]
   }
 
+  statement {
+    sid = "S3ListBucketForPresign"
+    actions = [
+      "s3:ListBucket"
+    ]
+    resources = [
+      module.s3bucket_test_letters.arn,
+      local.core_pdf_bucket_arn
+    ]
+  }
+
   statement {
     sid = "S3GetObjectForPresign"
     actions = [
       "s3:GetObject",
-    "s3:ListBucket"] # allows 404 response instead of 403 if object missing
-    resources = ["${module.s3bucket_test_letters.arn}/*"]
+      "s3:PutObject",
+    ] # allows 404 response instead of 403 if object missing
+    resources = [
+      "${module.s3bucket_test_letters.arn}/*",
+      "${local.core_pdf_bucket_arn}/*",
+    ]
+  }
+
+  statement {
+    sid = "KMSForCoreS3Access"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+      "kms:DescribeKey"
+    ]
+    resources = [
+      "arn:aws:kms:${var.region}:${var.core_account_id}:key/*"
+    ]
+    condition {
+      test     = "ForAnyValue:StringEquals"
+      variable = "kms:ResourceAliases"
+      values   = [local.core_s3_kms_key_alias_name]
+    }
   }
 }

infrastructure/terraform/components/api/variables.tf

@@ -155,3 +155,15 @@ variable "letter_variant_map" {
     "lv3" = { supplierId = "supplier2", specId = "spec3" }
   }
 }
+
+variable "core_account_id" {
+  type        = string
+  description = "AWS Account ID for Core"
+  default     = "000000000000"
+}
+
+variable "core_environment" {
+  type        = string
+  description = "Environment of Core"
+  default     = "prod"
+}

tests/helpers/generate-fetch-test-data.ts

@@ -105,7 +105,7 @@ export async function checkSupplierExists(
 
 export async function createSupplierEntry(supplierId: string): Promise<void> {
   await createSupplierData({
-    filter: "nhs-notify-supplier-api-letter-test-data-utility",
+    filter: "nhs-notify-supplier-api-suppliers-data-utility",
     supplierId,
     apimId: supplierId,
     name: "TestSupplier",