CCM-11164: update RC (#714)

Co-authored-by: Michael Harrison <[email protected]>

Author: alexnuttall

infrastructure/terraform/modules/backend-api/README.md

@@ -63,7 +63,9 @@ No requirements.
 | <a name="module_sqs_template_mgmt_events"></a> [sqs\_template\_mgmt\_events](#module\_sqs\_template\_mgmt\_events) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-sqs.zip | n/a |
 | <a name="module_sqs_template_table_events_pipe_dlq"></a> [sqs\_template\_table\_events\_pipe\_dlq](#module\_sqs\_template\_table\_events\_pipe\_dlq) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-sqs.zip | n/a |
 | <a name="module_sqs_validate_letter_template_files"></a> [sqs\_validate\_letter\_template\_files](#module\_sqs\_validate\_letter\_template\_files) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-sqs.zip | n/a |
+| <a name="module_submit_routing_config_lambda"></a> [submit\_routing\_config\_lambda](#module\_submit\_routing\_config\_lambda) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.22/terraform-lambda.zip | n/a |
 | <a name="module_submit_template_lambda"></a> [submit\_template\_lambda](#module\_submit\_template\_lambda) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.22/terraform-lambda.zip | n/a |
+| <a name="module_update_routing_config_lambda"></a> [update\_routing\_config\_lambda](#module\_update\_routing\_config\_lambda) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.22/terraform-lambda.zip | n/a |
 | <a name="module_update_template_lambda"></a> [update\_template\_lambda](#module\_update\_template\_lambda) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.22/terraform-lambda.zip | n/a |
 | <a name="module_upload_letter_template_lambda"></a> [upload\_letter\_template\_lambda](#module\_upload\_letter\_template\_lambda) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.22/terraform-lambda.zip | n/a |
 ## Outputs

infrastructure/terraform/modules/backend-api/iam_role_api_gateway_execution_role.tf

@@ -61,6 +61,8 @@ data "aws_iam_policy_document" "api_gateway_execution_policy" {
       module.list_template_lambda.function_arn,
       module.request_proof_lambda.function_arn,
       module.submit_template_lambda.function_arn,
+      module.submit_routing_config_lambda.function_arn,
+      module.update_routing_config_lambda.function_arn,
       module.update_template_lambda.function_arn,
     ]
   }

infrastructure/terraform/modules/backend-api/locals.tf

@@ -25,7 +25,9 @@ locals {
     LIST_ROUTING_CONFIGS_LAMBDA_ARN  = module.list_routing_configs_lambda.function_arn
     REQUEST_PROOF_LAMBDA_ARN         = module.request_proof_lambda.function_arn
     SUBMIT_LAMBDA_ARN                = module.submit_template_lambda.function_arn
+    SUBMIT_ROUTING_CONFIG_LAMBDA_ARN = module.submit_routing_config_lambda.function_arn
     UPDATE_LAMBDA_ARN                = module.update_template_lambda.function_arn
+    UPDATE_ROUTING_CONFIG_LAMBDA_ARN = module.update_routing_config_lambda.function_arn
     UPLOAD_LETTER_LAMBDA_ARN         = module.upload_letter_template_lambda.function_arn
   })
 

infrastructure/terraform/modules/backend-api/module_create_routing_config_lambda.tf

@@ -65,4 +65,15 @@ data "aws_iam_policy_document" "create_routing_config_lambda_policy" {
       var.kms_key_arn
     ]
   }
+
+  statement {
+    sid    = "AllowSSMParameterRead"
+    effect = "Allow"
+
+    actions = [
+      "ssm:GetParameter",
+    ]
+
+    resources = [local.client_ssm_path_pattern]
+  }
 }

infrastructure/terraform/modules/backend-api/module_submit_routing_config_lambda.tf

@@ -0,0 +1,68 @@
+module "submit_routing_config_lambda" {
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.22/terraform-lambda.zip"
+
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+  aws_account_id = var.aws_account_id
+  region         = var.region
+
+  kms_key_arn = var.kms_key_arn
+
+  function_name = "submit-routing-config"
+
+  function_module_name  = "submit-routing-config"
+  handler_function_name = "handler"
+  description           = "Submit Routing Config API endpoint"
+
+  memory  = 512
+  timeout = 3
+  runtime = "nodejs20.x"
+
+  log_retention_in_days = var.log_retention_in_days
+
+  iam_policy_document = {
+    body = data.aws_iam_policy_document.submit_routing_config_lambda_policy.json
+  }
+
+  lambda_env_vars         = local.backend_lambda_environment_variables
+  function_s3_bucket      = var.function_s3_bucket
+  function_code_base_path = local.lambdas_dir
+  function_code_dir       = "backend-api/dist/submit-routing-config"
+
+  send_to_firehose          = var.send_to_firehose
+  log_destination_arn       = var.log_destination_arn
+  log_subscription_role_arn = var.log_subscription_role_arn
+}
+
+data "aws_iam_policy_document" "submit_routing_config_lambda_policy" {
+  statement {
+    sid    = "AllowDynamoAccess"
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:UpdateItem",
+    ]
+
+    resources = [
+      aws_dynamodb_table.routing_configuration.arn,
+    ]
+  }
+
+  statement {
+    sid    = "AllowKMSAccess"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:DescribeKey",
+      "kms:Encrypt",
+      "kms:GenerateDataKey*",
+      "kms:ReEncrypt*",
+    ]
+
+    resources = [
+      var.kms_key_arn
+    ]
+  }
+}

infrastructure/terraform/modules/backend-api/module_update_routing_config_lambda.tf

@@ -0,0 +1,79 @@
+module "update_routing_config_lambda" {
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.22/terraform-lambda.zip"
+
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+  aws_account_id = var.aws_account_id
+  region         = var.region
+
+  kms_key_arn = var.kms_key_arn
+
+  function_name = "update-routing-config"
+
+  function_module_name  = "update-routing-config"
+  handler_function_name = "handler"
+  description           = "Submit Routing Config API endpoint"
+
+  memory  = 512
+  timeout = 3
+  runtime = "nodejs20.x"
+
+  log_retention_in_days = var.log_retention_in_days
+
+  iam_policy_document = {
+    body = data.aws_iam_policy_document.update_routing_config_lambda_policy.json
+  }
+
+  lambda_env_vars         = local.backend_lambda_environment_variables
+  function_s3_bucket      = var.function_s3_bucket
+  function_code_base_path = local.lambdas_dir
+  function_code_dir       = "backend-api/dist/update-routing-config"
+
+  send_to_firehose          = var.send_to_firehose
+  log_destination_arn       = var.log_destination_arn
+  log_subscription_role_arn = var.log_subscription_role_arn
+}
+
+data "aws_iam_policy_document" "update_routing_config_lambda_policy" {
+  statement {
+    sid    = "AllowDynamoAccess"
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:UpdateItem",
+    ]
+
+    resources = [
+      aws_dynamodb_table.routing_configuration.arn,
+    ]
+  }
+
+  statement {
+    sid    = "AllowKMSAccess"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:DescribeKey",
+      "kms:Encrypt",
+      "kms:GenerateDataKey*",
+      "kms:ReEncrypt*",
+    ]
+
+    resources = [
+      var.kms_key_arn
+    ]
+  }
+
+  statement {
+    sid    = "AllowSSMParameterRead"
+    effect = "Allow"
+
+    actions = [
+      "ssm:GetParameter",
+    ]
+
+    resources = [local.client_ssm_path_pattern]
+  }
+}

infrastructure/terraform/modules/backend-api/spec.tmpl.json

@@ -1155,6 +1155,145 @@
           "type": "AWS_PROXY",
           "uri": "arn:aws:apigateway:${AWS_REGION}:lambda:path/2015-03-31/functions/${GET_ROUTING_CONFIG_LAMBDA_ARN}/invocations"
         }
+      },
+      "put": {
+        "description": "Update a routing configuration by Id",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/CreateUpdateRoutingConfig"
+              }
+            }
+          },
+          "description": "Routing configuration update to apply",
+          "required": true
+        },
+        "parameters": [
+          {
+            "description": "ID of routing configuration to update",
+            "in": "path",
+            "name": "routingConfigId",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/RoutingConfigSuccess"
+                }
+              }
+            },
+            "description": "200 response",
+            "headers": {
+              "Content-Type": {
+                "schema": {
+                  "type": "string"
+                }
+              }
+            }
+          },
+          "default": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/Failure"
+                }
+              }
+            },
+            "description": "Error"
+          }
+        },
+        "security": [
+          {
+            "authorizer": []
+          }
+        ],
+        "summary": "Update a routing config",
+        "x-amazon-apigateway-integration": {
+          "contentHandling": "CONVERT_TO_TEXT",
+          "credentials": "${APIG_EXECUTION_ROLE_ARN}",
+          "httpMethod": "POST",
+          "passthroughBehavior": "WHEN_NO_TEMPLATES",
+          "responses": {
+            ".*": {
+              "statusCode": "200"
+            }
+          },
+          "timeoutInMillis": 29000,
+          "type": "AWS_PROXY",
+          "uri": "arn:aws:apigateway:${AWS_REGION}:lambda:path/2015-03-31/functions/${UPDATE_ROUTING_CONFIG_LAMBDA_ARN}/invocations"
+        }
+      }
+    },
+    "/v1/routing-configuration/{routingConfigId}/submit": {
+      "patch": {
+        "description": "Finalise a routing configuration by Id",
+        "parameters": [
+          {
+            "description": "ID of routing configuration to finalise",
+            "in": "path",
+            "name": "routingConfigId",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/RoutingConfigSuccess"
+                }
+              }
+            },
+            "description": "200 response",
+            "headers": {
+              "Content-Type": {
+                "schema": {
+                  "type": "string"
+                }
+              }
+            }
+          },
+          "default": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/Failure"
+                }
+              }
+            },
+            "description": "Error"
+          }
+        },
+        "security": [
+          {
+            "authorizer": []
+          }
+        ],
+        "summary": "Finalise a routing configuration",
+        "x-amazon-apigateway-integration": {
+          "contentHandling": "CONVERT_TO_TEXT",
+          "credentials": "${APIG_EXECUTION_ROLE_ARN}",
+          "httpMethod": "POST",
+          "passthroughBehavior": "WHEN_NO_TEMPLATES",
+          "responses": {
+            ".*": {
+              "statusCode": "200"
+            }
+          },
+          "timeoutInMillis": 29000,
+          "type": "AWS_PROXY",
+          "uri": "arn:aws:apigateway:${AWS_REGION}:lambda:path/2015-03-31/functions/${SUBMIT_ROUTING_CONFIG_LAMBDA_ARN}/invocations"
+        }
       }
     },
     "/v1/routing-configurations": {
@@ -1477,7 +1616,7 @@
           "uri": "arn:aws:apigateway:${AWS_REGION}:lambda:path/2015-03-31/functions/${GET_LAMBDA_ARN}/invocations"
         }
       },
-      "post": {
+      "put": {
         "description": "Update a template template by Id",
         "parameters": [
           {
@@ -1619,10 +1758,10 @@
     },
     "/v1/template/{templateId}/submit": {
       "patch": {
-        "description": "Update a template status by Id",
+        "description": "Submit a template by Id",
         "parameters": [
           {
-            "description": "ID of template to update",
+            "description": "ID of template to submit",
             "in": "path",
             "name": "templateId",
             "required": true,