Merge branch 'main' into feature/CCM-11586_enable-gw-mtls

Author: masl2

.github/actions/build-proxies/action.yml

@@ -54,7 +54,12 @@ runs:
       working-directory: .
       shell: bash
       run: |
-        make build-json-oas-spec APIM_ENV=dev
+        if [ -z $PR_NUMBER ]
+        then
+          make build-json-oas-spec APIM_ENV=dev
+        else
+          make build-json-oas-spec APIM_ENV=dev-pr
+        fi
 
     - name: Set target
       shell: bash

.tool-versions

@@ -8,6 +8,7 @@ terraform 1.10.1
 terraform-docs 0.19.0
 trivy 0.61.0
 vale 3.6.0
+poetry 2.1.4
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.

Makefile

@@ -53,9 +53,17 @@ set-access: guard-APIM_ENV
 	envsubst '$${ACCESS}' \
 	< specification/api/components/x-nhsd-apim/access-template.yml > specification/api/components/x-nhsd-apim/access.yml
 
+set-security: guard-APIM_ENV
+	@ SECURITY=security-$$APIM_ENV.yml \
+	envsubst '$${SECURITY}' \
+	< specification/api/components/security/security-template.yml > specification/api/components/security/security.yml
+
 construct-spec: guard-APIM_ENV
 	$(MAKE) set-target APIM_ENV=$$APIM_ENV
 	$(MAKE) set-access APIM_ENV=$$APIM_ENV
+	$(MAKE) set-security APIM_ENV=$$APIM_ENV
+
+
 
 build-json-oas-spec: guard-APIM_ENV
 	$(MAKE) construct-spec APIM_ENV=$$APIM_ENV
@@ -75,6 +83,7 @@ bundle-oas:
 generate-sandbox:
 	$(MAKE) build-json-oas-spec APIM_ENV=sandbox
 	jq --slurpfile status sandbox/HealthcheckEndpoint.json '.paths += $$status[0]' build/notify-supplier.json > tmp.json && mv tmp.json build/notify-supplier.json
+	jq '.security = []' build/notify-supplier.json > tmp.json && mv tmp.json build/notify-supplier.json
 	npm run generate-sandbox
 
 serve-swagger:

eslint.config.mjs

@@ -12,7 +12,7 @@ import unicorn from 'eslint-plugin-unicorn';
 import { defineConfig, globalIgnores } from 'eslint/config';
 import js from '@eslint/js';
 import html from 'eslint-plugin-html';
-import tseslint from 'typescript-eslint';
+import tseslint from '@typescript-eslint/parser';
 import sortDestructureKeys from 'eslint-plugin-sort-destructure-keys';
 import {
   configs as airbnbConfigs,

infrastructure/terraform/components/api/module_lambda_get_letters.tf

@@ -36,7 +36,8 @@ module "get_letters" {
   log_subscription_role_arn = local.acct.log_subscription_role_arn
 
   lambda_env_vars = {
-    LETTERS_TABLE_NAME = aws_dynamodb_table.letters.name
+    LETTERS_TABLE_NAME = aws_dynamodb_table.letters.name,
+    LETTER_TTL_HOURS = 24
   }
 }
 
@@ -61,13 +62,9 @@ data "aws_iam_policy_document" "get_letters_lambda" {
 
     actions = [
       "dynamodb:BatchGetItem",
-      "dynamodb:BatchWriteItem",
-      "dynamodb:DeleteItem",
       "dynamodb:GetItem",
-      "dynamodb:PutItem",
       "dynamodb:Query",
       "dynamodb:Scan",
-      "dynamodb:UpdateItem",
     ]
 
     resources = [

infrastructure/terraform/components/api/module_lambda_patch_letters.tf

@@ -9,7 +9,6 @@ module "patch_letters" {
   environment    = var.environment
   project        = var.project
   region         = var.region
-
   group          = var.group
 
   log_retention_in_days = var.log_retention_in_days
@@ -37,6 +36,8 @@ module "patch_letters" {
   log_subscription_role_arn = local.acct.log_subscription_role_arn
 
   lambda_env_vars = {
+    LETTERS_TABLE_NAME = aws_dynamodb_table.letters.name,
+    LETTER_TTL_HOURS = 24
   }
 }
 
@@ -54,4 +55,23 @@ data "aws_iam_policy_document" "patch_letters_lambda" {
       module.kms.key_arn, ## Requires shared kms module
     ]
   }
+
+    statement {
+    sid    = "AllowDynamoDBAccess"
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:BatchGetItem",
+      "dynamodb:BatchWriteItem",
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:Query",
+      "dynamodb:Scan",
+      "dynamodb:UpdateItem",
+    ]
+
+    resources = [
+      aws_dynamodb_table.letters.arn,
+    ]
+  }
 }

internal/datastore/.eslintignore

@@ -0,0 +1 @@
+dist

internal/datastore/.gitignore

@@ -0,0 +1,4 @@
+coverage
+node_modules
+dist
+.reports

internal/datastore/jest.config.ts

@@ -0,0 +1,60 @@
+import type { Config } from 'jest';
+
+export const baseJestConfig: Config = {
+  preset: 'ts-jest',
+
+  // Automatically clear mock calls, instances, contexts and results before every test
+  clearMocks: true,
+
+  // Indicates whether the coverage information should be collected while executing the test
+  collectCoverage: true,
+
+  // The directory where Jest should output its coverage files
+  coverageDirectory: './.reports/unit/coverage',
+
+  // Indicates which provider should be used to instrument code for coverage
+  coverageProvider: 'babel',
+
+  coverageThreshold: {
+    global: {
+      branches: 100,
+      functions: 100,
+      lines: 100,
+      statements: -10,
+    },
+  },
+
+  coveragePathIgnorePatterns: ['/__tests__/'],
+  transform: { '^.+\\.ts$': 'ts-jest' },
+  testPathIgnorePatterns: ['.build'],
+  testMatch: ['**/?(*.)+(spec|test).[jt]s?(x)'],
+
+  // Use this configuration option to add custom reporters to Jest
+  reporters: [
+    'default',
+    [
+      'jest-html-reporter',
+      {
+        pageTitle: 'Test Report',
+        outputPath: './.reports/unit/test-report.html',
+        includeFailureMsg: true,
+      },
+    ],
+  ],
+
+  // The test environment that will be used for testing
+  testEnvironment: 'jsdom',
+};
+
+const utilsJestConfig = {
+  ...baseJestConfig,
+
+  testEnvironment: 'node',
+
+  coveragePathIgnorePatterns: [
+    ...(baseJestConfig.coveragePathIgnorePatterns ?? []),
+    'zod-validators.ts',
+  ],
+};
+
+export default utilsJestConfig;