Authoriser lambda (#230)

* add product id header

* CCM-11600: supplier repository and table

* CCM-11600: cli interface for supplier repo

* CCM-11600: lock for new packages

* Update .gitleaksignore

added gitleaks ignore

* CCM-11600: fix some imports

* Add certificate expiry check

* Added supplier ID lookup

* Test fix

* Further development

* Fix dependencies

* Temp commit to force cloudwatch logging

* Removed Cloudwatch client

* Tidy up packages

* CCM-11600: correct target attr

* CCM-11600: header name, targets, add alarm

* CCM-11600: correct env ref

* CCM-11600: fix header lookup

* lockfile

* remove placeholder blurb

* fix copy pasta

* workspace refs

* lock

* CCM-11600: header references, format, name consistency

---------

Co-authored-by: David Wass <[email protected]>
Co-authored-by: Mark Slowey <[email protected]>
Co-authored-by: Mark Slowey <[email protected]>
Co-authored-by: Tim Ireland <[email protected]>

Author: 4 people

.github/actions/build-docs/action.yml

@@ -11,7 +11,7 @@ runs:
       uses: actions/checkout@v4
     - uses: actions/setup-node@v4
       with:
-        node-version: 18
+        node-version: 22
     - name: Npm cli install
       working-directory: .
       run: npm ci

.github/actions/build-libraries/action.yml

@@ -11,7 +11,7 @@ runs:
       uses: actions/checkout@v4
     - uses: actions/setup-node@v4
       with:
-        node-version: 24
+        node-version: 22
 
     - name: Npm install
       working-directory: .

.github/actions/build-sandbox/action.yml

@@ -12,7 +12,7 @@ runs:
       uses: actions/checkout@v4
     - uses: actions/setup-node@v4
       with:
-        node-version: 24
+        node-version: 22
 
     - name: Npm install
       working-directory: .

.github/actions/build-sdk/action.yml

@@ -11,7 +11,7 @@ runs:
       uses: actions/checkout@v4
     - uses: actions/setup-node@v4
       with:
-        node-version: 18
+        node-version: 22
 
     - name: Npm install
       working-directory: .

.github/actions/build-server/action.yml

@@ -11,7 +11,7 @@ runs:
       uses: actions/checkout@v4
     - uses: actions/setup-node@v4
       with:
-        node-version: 24
+        node-version: 22
 
     - name: Npm install
       working-directory: .

.github/workflows/manual-proxy-environment-deploy.yaml

@@ -32,7 +32,7 @@ jobs:
 
       - uses: actions/setup-node@v6
         with:
-          node-version: 24
+          node-version: 22
 
       - name: Npm install
         working-directory: .

infrastructure/terraform/components/api/cloudwatch_metric_alarm_apim_auth_cert_expirty.tf

@@ -0,0 +1,22 @@
+resource "aws_cloudwatch_metric_alarm" "alm-apim-client-certificate-near-expiry" {
+  alarm_name        = "${local.csi}-alm-apim-client-certificate-near-expiry"
+  alarm_description = "RELIABILITY: An APIM client certificate is due to expire soon"
+
+  metric_name = "apim-client-certificate-near-expiry"
+  namespace   = "comms-apim-authorizer"
+
+  dimensions = {
+    Environment = var.environment
+  }
+
+  period              = 60 * 60 * 4 //4 hours
+  comparison_operator = "GreaterThanThreshold"
+  threshold           = "0"
+  evaluation_periods  = "1"
+  statistic           = "Sum"
+  treat_missing_data  = "notBreaching"
+
+  actions_enabled = "false"
+  alarm_actions   = []
+  ok_actions      = []
+}

infrastructure/terraform/components/api/ddb_table_suppliers.tf

@@ -0,0 +1,34 @@
+resource "aws_dynamodb_table" "suppliers" {
+  name         = "${local.csi}-suppliers"
+  billing_mode = "PAY_PER_REQUEST"
+
+  hash_key  = "id"
+  range_key = "apimId"
+
+  ttl {
+    attribute_name = "ttl"
+    enabled        = false
+  }
+
+  global_secondary_index {
+    name            = "supplier-apim-index"
+    hash_key        = "apimId"
+    projection_type = "ALL"
+  }
+
+  attribute {
+    name = "id"
+    type = "S"
+  }
+
+  attribute {
+    name = "apimId"
+    type = "S"
+  }
+
+  point_in_time_recovery {
+    enabled = true
+  }
+
+  tags = var.default_tags
+}

infrastructure/terraform/components/api/module_authorizer_lambda.tf

@@ -11,6 +11,10 @@ module "authorizer_lambda" {
   log_retention_in_days = var.log_retention_in_days
   kms_key_arn           = module.kms.key_arn
 
+  iam_policy_document = {
+    body = data.aws_iam_policy_document.authorizer_lambda.json
+  }
+
   function_name = "authorizer"
   description   = "Authorizer for Suppliers API"
 
@@ -30,4 +34,40 @@ module "authorizer_lambda" {
   send_to_firehose          = true
   log_destination_arn       = local.destination_arn
   log_subscription_role_arn = local.acct.log_subscription_role_arn
+
+  lambda_env_vars = {
+    CLOUDWATCH_NAMESPACE                     = "/aws/api-gateway/supplier/alarms",
+    CLIENT_CERTIFICATE_EXPIRATION_ALERT_DAYS = 14,
+    APIM_SUPPLIER_ID_HEADER               = "NHSD-Supplier-ID",
+    SUPPLIERS_TABLE_NAME                     = aws_dynamodb_table.suppliers.name
+  }
+}
+
+data "aws_iam_policy_document" "authorizer_lambda" {
+  statement {
+    sid    = "AllowPutMetricData"
+    effect = "Allow"
+
+    actions = [
+      "cloudwatch:PutMetricData"
+    ]
+
+    resources = [
+      "*"
+    ]
+  }
+
+  statement {
+    sid    = "AllowDynamoDBAccess"
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:Query"
+    ]
+
+    resources = [
+      aws_dynamodb_table.suppliers.arn,
+      "${aws_dynamodb_table.suppliers.arn}/index/supplier-apim-index"
+    ]
+  }
 }

internal/datastore/src/__test__/db.ts

@@ -31,6 +31,7 @@ export async function setupDynamoDBContainer() {
     endpoint,
     lettersTableName: 'letters',
     miTableName: 'management-info',
+    suppliersTableName: 'suppliers',
     lettersTtlHours: 1,
     miTtlHours: 1
   };
@@ -94,6 +95,29 @@ const createMITableCommand = new CreateTableCommand({
     ]
   });
 
+const createSupplierTableCommand = new CreateTableCommand({
+    TableName: 'suppliers',
+    BillingMode: 'PAY_PER_REQUEST',
+    KeySchema: [
+      { AttributeName: 'id', KeyType: 'HASH' }  // Partition key
+    ],
+    GlobalSecondaryIndexes: [
+      {
+        IndexName: 'supplier-apim-index',
+        KeySchema: [
+          { AttributeName: 'apimId', KeyType: 'HASH' } // Partition key for GSI
+        ],
+        Projection: {
+          ProjectionType: 'ALL'
+        }
+      }
+    ],
+    AttributeDefinitions: [
+      { AttributeName: 'id', AttributeType: 'S' },
+      { AttributeName: 'apimId', AttributeType: 'S' }
+    ]
+  });
+
 
 export async function createTables(context: DBContext) {
   const { ddbClient } = context;
@@ -102,6 +126,7 @@ export async function createTables(context: DBContext) {
   await ddbClient.send(updateTimeToLiveCommand);
 
   await ddbClient.send(createMITableCommand);
+  await ddbClient.send(createSupplierTableCommand);
 }
 
 
@@ -115,4 +140,8 @@ export async function deleteTables(context: DBContext) {
   await ddbClient.send(new DeleteTableCommand({
     TableName: 'management-info'
   }));
+
+  await ddbClient.send(new DeleteTableCommand({
+    TableName: 'suppliers'
+  }));
 }