Merge branch 'main' into feature/CCM-12997

Author: masl2

.github/workflows/stage-1-commit.yaml

@@ -152,9 +152,16 @@ jobs:
     timeout-minutes: 10
     needs: detect-terraform-changes
     if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
+    env:
+      NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
+      - name: Setup NodeJS
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.nodejs_version }}
+          registry-url: 'https://npm.pkg.github.com'
       - name: "Setup ASDF"
         uses: asdf-vm/actions/setup@v4
       - name: "Trivy Scan"

infrastructure/terraform/components/api/event_source_mapping_letter_updates.tf

@@ -1,11 +1,11 @@
 resource "aws_lambda_event_source_mapping" "letter_updates_transformer_kinesis" {
-  event_source_arn                     = aws_kinesis_stream.letter_change_stream.arn
-  function_name                        = module.letter_updates_transformer.function_arn
-  starting_position                    = "LATEST"
-  batch_size                           = 10
-  maximum_batching_window_in_seconds   = 1
+  event_source_arn                   = aws_kinesis_stream.letter_change_stream.arn
+  function_name                      = module.letter_updates_transformer.function_arn
+  starting_position                  = "LATEST"
+  batch_size                         = 10
+  maximum_batching_window_in_seconds = 1
 
   depends_on = [
-    module.letter_updates_transformer    # ensures updates transformer exists
+    module.letter_updates_transformer # ensures updates transformer exists
   ]
 }

infrastructure/terraform/components/api/locals.tf

@@ -28,4 +28,7 @@ locals {
     APIM_CORRELATION_HEADER  = "nhsd-correlation-id",
     DOWNLOAD_URL_TTL_SECONDS = 60
   }
+
+  core_pdf_bucket_arn        = "arn:aws:s3:::comms-${var.core_account_id}-eu-west-2-${var.core_environment}-api-stg-pdf-pipeline"
+  core_s3_kms_key_alias_name = "alias/comms-${var.core_environment}-api-s3"
 }

infrastructure/terraform/components/api/module_lambda_get_letter_data.tf

@@ -68,11 +68,43 @@ data "aws_iam_policy_document" "get_letter_data_lambda" {
     ]
   }
 
+  statement {
+    sid = "S3ListBucketForPresign"
+    actions = [
+      "s3:ListBucket"
+    ]
+    resources = [
+      module.s3bucket_test_letters.arn,
+      local.core_pdf_bucket_arn
+    ]
+  }
+
   statement {
     sid = "S3GetObjectForPresign"
     actions = [
       "s3:GetObject",
-    "s3:ListBucket"] # allows 404 response instead of 403 if object missing
-    resources = ["${module.s3bucket_test_letters.arn}/*"]
+      "s3:PutObject",
+    ] # allows 404 response instead of 403 if object missing
+    resources = [
+      "${module.s3bucket_test_letters.arn}/*",
+      "${local.core_pdf_bucket_arn}/*",
+    ]
+  }
+
+  statement {
+    sid = "KMSForCoreS3Access"
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+      "kms:DescribeKey"
+    ]
+    resources = [
+      "arn:aws:kms:${var.region}:${var.core_account_id}:key/*"
+    ]
+    condition {
+      test     = "ForAnyValue:StringEquals"
+      variable = "kms:ResourceAliases"
+      values   = [local.core_s3_kms_key_alias_name]
+    }
   }
 }

infrastructure/terraform/components/api/variables.tf

@@ -142,4 +142,16 @@ variable "letter_variant_map" {
     "lv2" = { supplierId = "supplier1", specId = "spec2" },
     "lv3" = { supplierId = "supplier2", specId = "spec3" }
   }
+
+variable "core_account_id" {
+  type        = string
+  description = "AWS Account ID for Core"
+  default     = "000000000000"
+}
+
+variable "core_environment" {
+  type        = string
+  description = "Environment of Core"
+  default     = "prod"
+
 }

sandbox/data/examples/errors/responses/bad-gateway.json

@@ -0,0 +1,3 @@
+{
+  "message": "Bad Gateway"
+}

sandbox/data/examples/errors/responses/tooManyRequests.json

@@ -1,14 +1,10 @@
 {
-  "errors": [
-    {
-      "code": "NOTIFY_QUOTA",
-      "detail": "You have made too many requests. Please try again later.",
-      "id": "rrt-1931948104716186917-c-geu2-10664-3111479-3.0",
-      "links": {
-        "about": "https://digital.nhs.uk/developer/api-catalogue/nhs-notify-supplier"
-      },
-      "status": "429",
-      "title": "Too many requests"
-    }
-  ]
+  "interval": 1,
+  "limit": 1,
+  "message": "Your application, Notify-Supplier-App-Restricted - Internal Dev 2, has exceeded its quota of 1 requests every 1 minute(s) and is being rate limited.",
+  "message_id": "rrt-4773181658036170775-c-geu2-321623-73628915-2",
+  "policy": "quota",
+  "ratelimiting_expiry_time_ms": 1765372560000,
+  "scope": "application",
+  "timeunit": "minute"
 }

specification/api/components/endpoints/createMI.yml

@@ -15,3 +15,5 @@ responses:
     $ref: "../responses/errors/tooManyRequests.yml"
   '500':
     $ref: "../responses/errors/serverError.yml"
+  '502':
+    $ref: "../responses/errors/badGateway.yml"

specification/api/components/endpoints/getDataId.yml

@@ -13,3 +13,5 @@ responses:
     $ref: "../responses/errors/tooManyRequests.yml"
   "500":
     $ref: "../responses/errors/serverError.yml"
+  "502":
+    $ref: "../responses/errors/badGateway.yml"

specification/api/components/endpoints/getLetterStatus.yml

@@ -11,5 +11,7 @@ responses:
     $ref: "../responses/errors/tooManyRequests.yml"
   "500":
     $ref: "../responses/errors/serverError.yml"
+  "502":
+    $ref: "../responses/errors/badGateway.yml"
 tags:
   - letter