Merge branch 'main' into feature/CCM-11192_test_data

Author: masl2

.github/actions/build-proxies/action.yml

@@ -1,9 +1,11 @@
 name: "Build Proxies"
 description: "Build Proxies"
+
 inputs:
   version:
     description: "Version number"
     required: true
+
 runs:
   using: composite
 
@@ -19,7 +21,6 @@ runs:
       run: npm ci
       shell: bash
 
-
     - name: Setup Proxy Name and target
       shell: bash
       run: |
@@ -35,10 +36,8 @@ runs:
           echo "INSTANCE=$PROXYGEN_API_NAME-PR-$PR_NUMBER" >> $GITHUB_ENV
           echo "SANDBOX_TAG=pr$PR_NUMBER" >> $GITHUB_ENV
           echo "MTLS_NAME=notify-supplier-mtls-pr$PR_NUMBER" >> $GITHUB_ENV
-
         fi
 
-
     - name: Install Proxygen client
       shell: bash
       run: |
@@ -54,29 +53,6 @@ runs:
         envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml
         envsubst < ./.github/proxygen-settings.yaml | cat
 
-
-    - name: Build internal dev oas
-      working-directory: .
-      shell: bash
-      run: |
-        if [ -z $PR_NUMBER ]
-        then
-          make build-json-oas-spec APIM_ENV=internal-dev
-        else
-          make build-json-oas-spec APIM_ENV=internal-dev-pr
-        fi
-
-    - name: Set target and cert
-      shell: bash
-      run: |
-        jq --arg newurl "$TARGET" '.["x-nhsd-apim"].target.url = $newurl' build/notify-supplier.json > build/notify-supplier_target.json && mv build/notify-supplier_target.json build/notify-supplier.json
-        jq --arg newmtls "$MTLS_NAME" '.["x-nhsd-apim"].target.security.secret = $newmtls' build/notify-supplier.json > build/notify-supplier_target.json && mv build/notify-supplier_target.json build/notify-supplier.json
-
-    - name: Deploy to Internal Dev
-      shell: bash
-      run: |
-        proxygen instance deploy internal-dev $INSTANCE build/notify-supplier.json --no-confirm
-
     - name: Build sandbox oas
       working-directory: .
       shell: bash

.github/workflows/manual-proxy-internal-dev-deploy.yaml

@@ -0,0 +1,107 @@
+name: Deploy proxy to internal-dev
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  deploy-internal-dev:
+    runs-on: ubuntu-latest
+    name: Deploy to Internal Dev
+    env:
+      PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_ENCODED_NOTIFY_SUPPLIER_PRIVATE_KEY }}
+      PROXYGEN_KID: notify-supplier-key-1
+      PROXYGEN_CLIENT_ID: nhs-notify-supplier-client
+      PROXYGEN_API_NAME: nhs-notify-supplier
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+
+      - name: Npm install
+        working-directory: .
+        run: npm ci
+        shell: bash
+
+      - name: "Check if pull request exists for this branch"
+        id: pr_exists
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          branch_name=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
+          echo "Current branch is '$branch_name'"
+
+          pr_json=$(gh pr list --head "$branch_name" --state open --json number --limit 1)
+          pr_number=$(echo "$pr_json" | jq -r '.[0].number // empty')
+
+          if [[ -n "$pr_number" ]]; then
+            echo "Pull request exists: #$pr_number"
+            echo "does_pull_request_exist=true" >> $GITHUB_OUTPUT
+            echo "pr_number=$pr_number" >> $GITHUB_OUTPUT
+          else
+            echo "Pull request doesn't exist"
+            echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
+            echo "pr_number=" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Setup Proxy Name and target
+        shell: bash
+        env:
+          PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }}
+        run: |
+          if [ -z $PR_NUMBER ]
+          then
+            echo "INSTANCE=$PROXYGEN_API_NAME" >> $GITHUB_ENV
+            echo "TARGET=https://main.suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
+            echo "SANDBOX_TAG=latest" >> $GITHUB_ENV
+            echo "MTLS_NAME=notify-supplier-mtls" >> $GITHUB_ENV
+          else
+            echo "TARGET=https://pr$PR_NUMBER.suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
+            echo "INSTANCE=$PROXYGEN_API_NAME-PR-$PR_NUMBER" >> $GITHUB_ENV
+            echo "SANDBOX_TAG=pr$PR_NUMBER" >> $GITHUB_ENV
+            echo "MTLS_NAME=notify-supplier-mtls-pr$PR_NUMBER" >> $GITHUB_ENV
+          fi
+
+      - name: Install Proxygen client
+        shell: bash
+        run: |
+          # Install proxygen cli
+          pip install pipx
+          pipx install proxygen-cli
+
+          # Setup proxygen auth and settings
+          mkdir -p ${HOME}/.proxygen
+          echo -n $PROXYGEN_PRIVATE_KEY | base64 --decode > ${HOME}/.proxygen/key
+          envsubst < ./.github/proxygen-credentials-template.yaml > ${HOME}/.proxygen/credentials.yaml
+          envsubst < ./.github/proxygen-credentials-template.yaml | cat
+          envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml
+          envsubst < ./.github/proxygen-settings.yaml | cat
+
+      - name: Build internal dev oas
+        working-directory: .
+        shell: bash
+        env:
+          PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }}
+        run: |
+          if [ -z $PR_NUMBER ]
+          then
+            make build-json-oas-spec APIM_ENV=internal-dev
+          else
+            make build-json-oas-spec APIM_ENV=internal-dev-pr
+          fi
+
+      - name: Set target and cert
+        shell: bash
+        run: |
+          jq --arg newurl "$TARGET" '.["x-nhsd-apim"].target.url = $newurl' build/notify-supplier.json > build/notify-supplier_target.json && mv build/notify-supplier_target.json build/notify-supplier.json
+          jq --arg newmtls "$MTLS_NAME" '.["x-nhsd-apim"].target.security.secret = $newmtls' build/notify-supplier.json > build/notify-supplier_target.json && mv build/notify-supplier_target.json build/notify-supplier.json
+
+      - name: Deploy to Internal Dev
+        shell: bash
+        run: |
+          proxygen instance deploy internal-dev $INSTANCE build/notify-supplier.json --no-confirm

.github/workflows/stage-1-commit.yaml

@@ -149,7 +149,7 @@ jobs:
   trivy:
     name: "Trivy Scan"
     runs-on: ubuntu-latest
-    timeout-minutes: 5
+    timeout-minutes: 10
     needs: detect-terraform-changes
     if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
     steps:

.gitignore

@@ -12,6 +12,7 @@ version.json
 
 # Please, add your custom content below!
 .idea
+.env
 
 # dependencies
 node_modules

.vscode/settings.json

@@ -11,5 +11,5 @@
     //".devcontainer": true,
     ".github": false,
     ".vscode": false
-  }
+  },
 }

README.md

@@ -68,7 +68,7 @@ If packages are unavailable the latest SDKs can be downloaded directly from:
 
 ### Examples
 
-TODO: Links to example clients.
+TODO:CCM-11209 Links to example clients.
 
 ## API Developers
 
@@ -106,7 +106,7 @@ should understand the below.
 ##### Servers
 
 - Servers folder is being built at build time from OAS specs.
-- TODO: Build actual servers
+- TODO:CCM-12139 Build actual servers
 
 ##### Libs
 

infrastructure/terraform/components/api/README.md

@@ -19,9 +19,11 @@ No requirements.
 | <a name="input_force_lambda_code_deploy"></a> [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development | `bool` | `false` | no |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
+| <a name="input_letter_table_ttl_hours"></a> [letter\_table\_ttl\_hours](#input\_letter\_table\_ttl\_hours) | Number of hours to set as TTL on letters table | `number` | `24` | no |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"INFO"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_manually_configure_mtls_truststore"></a> [manually\_configure\_mtls\_truststore](#input\_manually\_configure\_mtls\_truststore) | Manually manage the truststore used for API Gateway mTLS (e.g. for prod environment) | `bool` | `false` | no |
+| <a name="input_max_get_limit"></a> [max\_get\_limit](#input\_max\_get\_limit) | Default limit to apply to GET requests that support pagination | `number` | `2500` | no |
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |

infrastructure/terraform/components/api/ddb_table_letters.tf

@@ -13,7 +13,7 @@ resource "aws_dynamodb_table" "letters" {
   global_secondary_index {
     name            = "supplierStatus-index"
     hash_key        = "supplierStatus"
-    range_key       = "id"
+    range_key       = "supplierStatusSk"
     projection_type = "ALL"
   }
 
@@ -32,6 +32,11 @@ resource "aws_dynamodb_table" "letters" {
     type = "S"
   }
 
+  attribute {
+    name = "supplierStatusSk"
+    type = "S"
+  }
+
   point_in_time_recovery {
     enabled = true
   }

infrastructure/terraform/components/api/module_lambda_get_letters.tf

@@ -37,7 +37,8 @@ module "get_letters" {
 
   lambda_env_vars = {
     LETTERS_TABLE_NAME = aws_dynamodb_table.letters.name,
-    LETTER_TTL_HOURS   = 24
+    LETTER_TTL_HOURS   = var.letter_table_ttl_hours,
+    MAX_LIMIT          = var.max_get_limit,
   }
 }
 
@@ -69,6 +70,7 @@ data "aws_iam_policy_document" "get_letters_lambda" {
 
     resources = [
       aws_dynamodb_table.letters.arn,
+      "${aws_dynamodb_table.letters.arn}/index/supplierStatus-index"
     ]
   }
 }

infrastructure/terraform/components/api/variables.tf

@@ -99,7 +99,6 @@ variable "enable_backups" {
   default     = false
 }
 
-
 variable "ca_pem_filename" {
   type        = string
   description = "Filename for the CA truststore file within the s3 bucket"
@@ -111,3 +110,15 @@ variable "force_destroy" {
   description = "Flag to force deletion of S3 buckets"
   default     = false
 }
+
+variable "letter_table_ttl_hours" {
+  type        = number
+  description = "Number of hours to set as TTL on letters table"
+  default     = 24
+}
+
+variable "max_get_limit" {
+  type        = number
+  description = "Default limit to apply to GET requests that support pagination"
+  default     = 2500
+}