Merge remote-tracking branch 'origin/main' into feature/CCM-13188-contract-test

Author: alexnuttall

.github/workflows/pr_closed.yaml

@@ -61,7 +61,9 @@ jobs:
             --targetEnvironment "main" \
             --targetAccountGroup "nhs-notify-supplier-api-dev" \
             --targetComponent "${{ matrix.component }}" \
-            --terraformAction "apply"
+            --terraformAction "apply" \
+            --overrideProjectName "nhs" \
+            --overrideRoleName "nhs-main-acct-supplier-api-github-deploy"
 
   check-event-schemas-version-change:
     name: Check for event schemas package version change

.github/workflows/release_created.yaml

@@ -37,4 +37,6 @@ jobs:
             --targetEnvironment "main" \
             --targetAccountGroup "nhs-notify-supplier-api-nonprod" \
             --targetComponent "${{ matrix.component }}" \
-            --terraformAction "apply"
+            --terraformAction "apply" \
+            --overrideProjectName "nhs" \
+            --overrideRoleName "nhs-main-acct-supplier-api-github-deploy"

Makefile

@@ -45,6 +45,11 @@ publish-oas:
 	$(MAKE) copy-examples
 	npm run publish-oas
 
+set-authorization: guard-APIM_ENV
+	@ AUTHORIZATION=authorization-$$APIM_ENV.yml \
+	envsubst '$${AUTHORIZATION}' \
+	< specification/api/components/parameters/authorization/authorization-template.yml > specification/api/components/parameters/authorization/authorization.yml
+
 set-target: guard-APIM_ENV
 	@ TARGET=target-$$APIM_ENV.yml \
 	envsubst '$${TARGET}' \
@@ -64,6 +69,7 @@ set-security: guard-APIM_ENV
 	< specification/api/components/security-schemes/security-schemes-template.yml > specification/api/components/security-schemes/security-schemes.yml
 
 construct-spec: guard-APIM_ENV
+	$(MAKE) set-authorization APIM_ENV=$$APIM_ENV
 	$(MAKE) set-target APIM_ENV=$$APIM_ENV
 	$(MAKE) set-access APIM_ENV=$$APIM_ENV
 	$(MAKE) set-security APIM_ENV=$$APIM_ENV

VERSION

@@ -1 +1 @@
-1.0.0-${yyyy}${mm}${dd}.${HH}${MM}${SS}+${hash}
+1.0.1-${yyyy}${mm}${dd}.${HH}${MM}${SS}+${hash}

eslint.config.mjs

@@ -80,7 +80,7 @@ export default defineConfig([
         eslintImportResolverTypescript.createTypeScriptImportResolver({
           project: [
             'lambdas/*/tsconfig.json',
-            'tests/test-team/tsconfig.json',
+            'tests/tsconfig.json',
             'internal/*/tsconfig.json',
           ],
         }),
@@ -167,7 +167,7 @@ export default defineConfig([
     rules: { 'import-x/no-unresolved': 0 },
   },
   {
-    files: ['tests/test-team/**'],
+    files: ['tests/**'],
     rules: {
       'import-x/no-extraneous-dependencies': [
         2,
@@ -176,7 +176,7 @@ export default defineConfig([
     },
   },
   {
-    files: ['**/utils/**', 'tests/test-team/**'],
+    files: ['**/utils/**', 'tests/**'],
     rules: { 'import-x/prefer-default-export': 0 },
   },
   {
@@ -221,6 +221,20 @@ export default defineConfig([
     },
   },
 
+  // No use before define relaxations
+  {
+    rules: {
+      "no-use-before-define": "off",
+      "@typescript-eslint/no-use-before-define": [ "error", {"functions": false}]
+    }
+  },
+
+  // Lambda specific relaxations
+  {
+    files: ['lambdas/**'],
+    rules: { 'import-x/prefer-default-export': 1 },
+  },
+
   // misc rule overrides
   {
     rules: {

infrastructure/terraform/bin/terraform.sh

@@ -599,7 +599,6 @@ readonly backend_config="terraform {
     region         = \"${region}\"
     bucket         = \"${bucket}\"
     key            = \"${backend_key}\"
-    dynamodb_table = \"${bucket}\"
     use_lockfile   = true
   }
 }";

infrastructure/terraform/components/api/event_source_mapping_status_updates_to_handler.tf

@@ -6,7 +6,7 @@ resource "aws_lambda_event_source_mapping" "status_updates_sqs_to_status_update_
   scaling_config { maximum_concurrency = 10 }
 
   depends_on = [
-    module.letter_status_updates_queue,         # ensures queue exists
-    module.letter_status_update                 # ensures update handler exists
+    module.letter_status_updates_queue, # ensures queue exists
+    module.letter_status_update         # ensures update handler exists
   ]
 }

infrastructure/terraform/components/api/locals.tf

@@ -5,16 +5,16 @@ locals {
   root_domain_nameservers       = local.acct.route53_zone_nameservers["supplier-api"]
 
   openapi_spec = templatefile("${path.module}/resources/spec.tmpl.json", {
-    APIG_EXECUTION_ROLE_ARN             = aws_iam_role.api_gateway_execution_role.arn
-    AWS_REGION                          = var.region
-    AUTHORIZER_LAMBDA_ARN               = module.authorizer_lambda.function_arn
-    GET_LETTER_LAMBDA_ARN               = module.get_letter.function_arn
-    GET_LETTERS_LAMBDA_ARN              = module.get_letters.function_arn
-    GET_LETTER_DATA_LAMBDA_ARN          = module.get_letter_data.function_arn
-    GET_STATUS_LAMBDA_ARN               = module.get_status.function_arn
-    PATCH_LETTER_LAMBDA_ARN             = module.patch_letter.function_arn
-    POST_LETTERS_LAMBDA_ARN             = module.post_letters.function_arn
-    POST_MI_LAMBDA_ARN                  = module.post_mi.function_arn
+    APIG_EXECUTION_ROLE_ARN    = aws_iam_role.api_gateway_execution_role.arn
+    AWS_REGION                 = var.region
+    AUTHORIZER_LAMBDA_ARN      = module.authorizer_lambda.function_arn
+    GET_LETTER_LAMBDA_ARN      = module.get_letter.function_arn
+    GET_LETTERS_LAMBDA_ARN     = module.get_letters.function_arn
+    GET_LETTER_DATA_LAMBDA_ARN = module.get_letter_data.function_arn
+    GET_STATUS_LAMBDA_ARN      = module.get_status.function_arn
+    PATCH_LETTER_LAMBDA_ARN    = module.patch_letter.function_arn
+    POST_LETTERS_LAMBDA_ARN    = module.post_letters.function_arn
+    POST_MI_LAMBDA_ARN         = module.post_mi.function_arn
   })
 
   destination_arn = "arn:aws:logs:${var.region}:${var.shared_infra_account_id}:destination:nhs-main-obs-firehose-logs"
@@ -23,7 +23,7 @@ locals {
     LETTERS_TABLE_NAME       = aws_dynamodb_table.letters.name,
     MI_TABLE_NAME            = aws_dynamodb_table.mi.name,
     LETTER_TTL_HOURS         = 12960, # 18 months * 30 days * 24 hours
-    MI_TTL_HOURS             = 2160 # 90 days * 24 hours
+    MI_TTL_HOURS             = 2160   # 90 days * 24 hours
     SUPPLIER_ID_HEADER       = "nhsd-supplier-id",
     APIM_CORRELATION_HEADER  = "nhsd-correlation-id",
     DOWNLOAD_URL_TTL_SECONDS = 60

infrastructure/terraform/components/api/module_authorizer_lambda.tf

@@ -38,7 +38,7 @@ module "authorizer_lambda" {
   lambda_env_vars = {
     CLOUDWATCH_NAMESPACE                     = "/aws/api-gateway/supplier/alarms",
     CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS = 14,
-    APIM_SUPPLIER_ID_HEADER               = "NHSD-Supplier-ID",
+    APIM_SUPPLIER_ID_HEADER                  = "NHSD-Supplier-ID",
     SUPPLIERS_TABLE_NAME                     = aws_dynamodb_table.suppliers.name
   }
 }

infrastructure/terraform/components/api/module_lambda_get_letter_data.tf

@@ -69,10 +69,10 @@ data "aws_iam_policy_document" "get_letter_data_lambda" {
   }
 
   statement {
-    sid       = "S3GetObjectForPresign"
-    actions   = [
+    sid = "S3GetObjectForPresign"
+    actions = [
       "s3:GetObject",
-      "s3:ListBucket"] # allows 404 response instead of 403 if object missing
+    "s3:ListBucket"] # allows 404 response instead of 403 if object missing
     resources = ["${module.s3bucket_test_letters.arn}/*"]
   }
 }