Merge branch 'main' into feature/CCM-8861_sftp-poll-2

Author: chris-elliott-nhsd

.gitignore

@@ -33,6 +33,7 @@ node_modules
 
 # production
 /build
+dist
 
 # misc
 .DS_Store

.gitleaksignore

@@ -1,7 +1,9 @@
-# SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore
+# SEE: <https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore>
 
 cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37
 87312c6a627a7b0420956d49187fd15b130df170:src/__tests__/components/molecules/LoginStatus.test.tsx:jwt:23
 37ca9f5670f4cd7d91869845ca27defbe6156bb9:src/__tests__/components/molecules/LoginStatus.test.tsx:jwt:23
 b19d88d1d92b0530f065feefcf25d8cdd82a876a:tests/test-team/auth/user.json:jwt:15
 b19d88d1d92b0530f065feefcf25d8cdd82a876a:tests/test-team/auth/user.json:jwt:25
+bc79df4f82052918ae6bf69d36279e5dd391d61e:tests/test-team/auth/user.json:jwt:15
+bc79df4f82052918ae6bf69d36279e5dd391d61e:tests/test-team/auth/user.json:jwt:25

infrastructure/terraform/components/app/pre.sh

@@ -1,4 +1,5 @@
-
 npm ci
 
 npm run generate-dependencies --workspaces --if-present
+
+./lambdas/layers/pdfjs/build.sh

infrastructure/terraform/modules/backend-api/README.md

@@ -34,22 +34,21 @@ No requirements.
 | <a name="module_build_sftp_letters_lambdas"></a> [build\_sftp\_letters\_lambdas](#module\_build\_sftp\_letters\_lambdas) | ../typescript-build-zip | n/a |
 | <a name="module_build_template_client"></a> [build\_template\_client](#module\_build\_template\_client) | ../typescript-build-zip | n/a |
 | <a name="module_build_template_lambda"></a> [build\_template\_lambda](#module\_build\_template\_lambda) | ../typescript-build-zip | n/a |
-| <a name="module_build_virus_scan_lambdas"></a> [build\_virus\_scan\_lambdas](#module\_build\_virus\_scan\_lambdas) | ../typescript-build-zip | n/a |
 | <a name="module_create_letter_template_lambda"></a> [create\_letter\_template\_lambda](#module\_create\_letter\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_create_template_lambda"></a> [create\_template\_lambda](#module\_create\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_delete_template_lambda"></a> [delete\_template\_lambda](#module\_delete\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_get_template_lambda"></a> [get\_template\_lambda](#module\_get\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_lambda_copy_scanned_object_to_internal"></a> [lambda\_copy\_scanned\_object\_to\_internal](#module\_lambda\_copy\_scanned\_object\_to\_internal) | ../lambda-function | n/a |
 | <a name="module_lambda_delete_failed_scanned_object"></a> [lambda\_delete\_failed\_scanned\_object](#module\_lambda\_delete\_failed\_scanned\_object) | ../lambda-function | n/a |
-| <a name="module_lambda_enrich_guardduty_scan_result"></a> [lambda\_enrich\_guardduty\_scan\_result](#module\_lambda\_enrich\_guardduty\_scan\_result) | ../lambda-function | n/a |
 | <a name="module_lambda_send_letter_proof"></a> [lambda\_send\_letter\_proof](#module\_lambda\_send\_letter\_proof) | ../lambda-function | n/a |
 | <a name="module_lambda_set_file_virus_scan_status"></a> [lambda\_set\_file\_virus\_scan\_status](#module\_lambda\_set\_file\_virus\_scan\_status) | ../lambda-function | n/a |
 | <a name="module_lambda_sftp_poll"></a> [lambda\_sftp\_poll](#module\_lambda\_sftp\_poll) | ../lambda-function | n/a |
+| <a name="module_lambda_validate_letter_template_files"></a> [lambda\_validate\_letter\_template\_files](#module\_lambda\_validate\_letter\_template\_files) | ../lambda-function | n/a |
 | <a name="module_list_template_lambda"></a> [list\_template\_lambda](#module\_list\_template\_lambda) | ../lambda-function | n/a |
 | <a name="module_s3bucket_internal"></a> [s3bucket\_internal](#module\_s3bucket\_internal) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_s3bucket_quarantine"></a> [s3bucket\_quarantine](#module\_s3bucket\_quarantine) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
-| <a name="module_sqs_quarantine_scan_enrichment"></a> [sqs\_quarantine\_scan\_enrichment](#module\_sqs\_quarantine\_scan\_enrichment) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
 | <a name="module_sqs_sftp_upload"></a> [sqs\_sftp\_upload](#module\_sqs\_sftp\_upload) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
+| <a name="module_sqs_validate_letter_template_files"></a> [sqs\_validate\_letter\_template\_files](#module\_sqs\_validate\_letter\_template\_files) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
 | <a name="module_sqs_virus_scan_failed_delete_object_dlq"></a> [sqs\_virus\_scan\_failed\_delete\_object\_dlq](#module\_sqs\_virus\_scan\_failed\_delete\_object\_dlq) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
 | <a name="module_sqs_virus_scan_passed_copy_object_dlq"></a> [sqs\_virus\_scan\_passed\_copy\_object\_dlq](#module\_sqs\_virus\_scan\_passed\_copy\_object\_dlq) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |
 | <a name="module_sqs_virus_scan_set_file_status_dlq"></a> [sqs\_virus\_scan\_set\_file\_status\_dlq](#module\_sqs\_virus\_scan\_set\_file\_status\_dlq) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/sqs | v2.0.1 |

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed.tf

@@ -0,0 +1,31 @@
+resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed" {
+  name        = "${local.csi}-quarantine-scan-failed"
+  description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is not NO_THREATS_FOUND"
+
+  event_pattern = jsonencode({
+    source      = ["aws.guardduty"]
+    detail-type = ["GuardDuty Malware Protection Object Scan Result"]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
+    detail = {
+      s3ObjectDetails = {
+        bucketName = [module.s3bucket_quarantine.id]
+        objectKey  = [{ prefix = "pdf-template/" }, { prefix = "test-data/" }]
+      }
+      scanResultDetails = {
+        scanResultStatus = [{ anything-but = "NO_THREATS_FOUND" }]
+      }
+    }
+  })
+}
+
+resource "aws_cloudwatch_event_target" "quarantine_scan_failed_set_file_status" {
+  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed.name
+  arn      = module.lambda_set_file_virus_scan_status.function_arn
+  role_arn = aws_iam_role.quarantine_scan_failed.arn
+}
+
+resource "aws_cloudwatch_event_target" "quarantine_scan_failed_delete_object" {
+  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_failed.name
+  arn      = module.lambda_delete_failed_scanned_object.function_arn
+  role_arn = aws_iam_role.quarantine_scan_failed.arn
+}

infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed.tf

@@ -0,0 +1,37 @@
+resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed" {
+  name        = "${local.csi}-quarantine-scan-passed"
+  description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is NO_THREATS_FOUND"
+
+  event_pattern = jsonencode({
+    source      = ["aws.guardduty"]
+    detail-type = ["GuardDuty Malware Protection Object Scan Result"]
+    resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
+    detail = {
+      s3ObjectDetails = {
+        bucketName = [module.s3bucket_quarantine.id]
+        objectKey  = [{ prefix = "pdf-template/" }, { prefix = "test-data/" }]
+      }
+      scanResultDetails = {
+        scanResultStatus = ["NO_THREATS_FOUND"]
+      }
+    }
+  })
+}
+
+resource "aws_cloudwatch_event_target" "quarantine_scan_passed_set_file_status" {
+  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed.name
+  arn      = module.lambda_set_file_virus_scan_status.function_arn
+  role_arn = aws_iam_role.quarantine_scan_passed.arn
+}
+
+resource "aws_cloudwatch_event_target" "quarantine_scan_passed_copy_object" {
+  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed.name
+  arn      = module.lambda_copy_scanned_object_to_internal.function_arn
+  role_arn = aws_iam_role.quarantine_scan_passed.arn
+}
+
+resource "aws_cloudwatch_event_target" "quarantine_scan_passed_validate_files" {
+  rule     = aws_cloudwatch_event_rule.guardduty_quarantine_scan_passed.name
+  arn      = module.sqs_validate_letter_template_files.sqs_queue_arn
+  role_arn = aws_iam_role.quarantine_scan_passed.arn
+}