CCM-10980: merge

mark-r-bjss · mark-r-bjss · commit d7c4e0d46b86 · 2025-07-31T11:07:46.000+01:00
diff --git a/infrastructure/terraform/components/acct/README.md b/infrastructure/terraform/components/acct/README.md
@@ -22,7 +22,7 @@
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_initial_cli_secrets_provision_override"></a> [initial\_cli\_secrets\_provision\_override](#input\_initial\_cli\_secrets\_provision\_override) | A map of default value to intialise SSM secret values with. Only useful for initial setup of the account due to lifecycle rules. | `map(string)` | `{}` | no |
 | <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
-| <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the account (across all environments) | <pre>map(object({<br>    enable_polling   = bool<br>    default_supplier = optional(bool)<br>  }))</pre> | `{}` | no |
+| <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the account (across all environments) | <pre>map(object({<br/>    enable_polling   = bool<br/>    default_supplier = optional(bool)<br/>  }))</pre> | `{}` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_oam_sink_id"></a> [oam\_sink\_id](#input\_oam\_sink\_id) | The ID of the Cloudwatch OAM sink in the appropriate observability account. | `string` | `""` | no |
 | <a name="input_observability_account_id"></a> [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
@@ -31,7 +31,7 @@
 | <a name="input_root_domain_name"></a> [root\_domain\_name](#input\_root\_domain\_name) | The service's root DNS root nameespace, like nonprod.nhsnotify.national.nhs.uk | `string` | `"nonprod.nhsnotify.national.nhs.uk"` | no |
 | <a name="input_support_sandbox_environments"></a> [support\_sandbox\_environments](#input\_support\_sandbox\_environments) | Does this account support dev sandbox environments? | `bool` | `false` | no |
 | <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | n/a | `string` | `"10.0.0.0/16"` | no |
-| <a name="input_vpc_subnet_cidr_bits"></a> [vpc\_subnet\_cidr\_bits](#input\_vpc\_subnet\_cidr\_bits) | Number of additional bits to use for subnetting the VPC CIDR block. The bits are evently distributed | <pre>object({<br>    public  = number<br>    private = number<br>  })</pre> | <pre>{<br>  "private": 3,<br>  "public": 12<br>}</pre> | no |
+| <a name="input_vpc_subnet_cidr_bits"></a> [vpc\_subnet\_cidr\_bits](#input\_vpc\_subnet\_cidr\_bits) | Number of additional bits to use for subnetting the VPC CIDR block. The bits are evently distributed | <pre>object({<br/>    public  = number<br/>    private = number<br/>  })</pre> | <pre>{<br/>  "private": 3,<br/>  "public": 12<br/>}</pre> | no |
 ## Modules
 
 | Name | Source | Version |
@@ -57,7 +57,6 @@
 | <a name="output_ses_testing_config"></a> [ses\_testing\_config](#output\_ses\_testing\_config) | n/a |
 | <a name="output_vpc_nat_ips"></a> [vpc\_nat\_ips](#output\_vpc\_nat\_ips) | n/a |
 | <a name="output_vpc_subnets"></a> [vpc\_subnets](#output\_vpc\_subnets) | n/a |
-
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
diff --git a/infrastructure/terraform/components/app/README.md b/infrastructure/terraform/components/app/README.md
@@ -37,7 +37,7 @@
 | <a name="input_external_email_domain"></a> [external\_email\_domain](#input\_external\_email\_domain) | Externally managed domain used to create an SES identity for sending emails from. Validation DNS records will need to be manually configured in the DNS provider. | `string` | `null` | no |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
-| <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment | <pre>map(object({<br>    email_addresses  = list(string)<br>    enable_polling   = bool<br>    default_supplier = optional(bool)<br>  }))</pre> | `{}` | no |
+| <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment | <pre>map(object({<br/>    email_addresses  = list(string)<br/>    enable_polling   = bool<br/>    default_supplier = optional(bool)<br/>  }))</pre> | `{}` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_observability_account_id"></a> [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
@@ -64,7 +64,6 @@
 |------|-------------|
 | <a name="output_amplify"></a> [amplify](#output\_amplify) | n/a |
 | <a name="output_deployment"></a> [deployment](#output\_deployment) | Deployment details used for post-deployment scripts |
-
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
diff --git a/infrastructure/terraform/components/branch/README.md b/infrastructure/terraform/components/branch/README.md
@@ -29,7 +29,6 @@
 ## Outputs
 
 No outputs.
-
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
diff --git a/infrastructure/terraform/components/sandbox/README.md b/infrastructure/terraform/components/sandbox/README.md
@@ -18,7 +18,6 @@
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonymous with account short-name) | `string` | n/a | yes |
 | <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
-| <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment | <pre>map(object({<br>    email_addresses  = list(string)<br>    enable_polling   = bool<br>    default_supplier = optional(bool)<br>  }))</pre> | <pre>{<br>  "WTMMOCK": {<br>    "default_supplier": true,<br>    "email_addresses": [],<br>    "enable_polling": true<br>  }<br>}</pre> | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
@@ -47,9 +46,7 @@
 | <a name="output_sftp_poll_lambda_name"></a> [sftp\_poll\_lambda\_name](#output\_sftp\_poll\_lambda\_name) | n/a |
 | <a name="output_templates_table_name"></a> [templates\_table\_name](#output\_templates\_table\_name) | n/a |
 | <a name="output_test_email_bucket_name"></a> [test\_email\_bucket\_name](#output\_test\_email\_bucket\_name) | n/a |
-| <a name="output_test_proof_requested_email_prefix"></a> [test\_proof\_requested\_email\_prefix](#output\_test\_proof\_requested\_email\_prefix) | n/a |
-| <a name="output_test_template_submitted_email_prefix"></a> [test\_template\_submitted\_email\_prefix](#output\_test\_template\_submitted\_email\_prefix) | n/a |
-
+| <a name="output_test_email_bucket_prefix"></a> [test\_email\_bucket\_prefix](#output\_test\_email\_bucket\_prefix) | n/a |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
diff --git a/infrastructure/terraform/components/sandbox/locals.tf b/infrastructure/terraform/components/sandbox/locals.tf
@@ -1,21 +1,6 @@
 locals {
-  mock_letter_supplier_name = "WTMMOCK"
-
-  use_sftp_letter_supplier_mock = lookup(var.letter_suppliers, local.mock_letter_supplier_name, null) != null
-
   email_domain                                           = "sandbox.${local.acct.dns_zone["name"]}"
   sandbox_letter_supplier_mock_proof_requested_sender    = "proof-requested-sender-${var.environment}@${local.email_domain}"
   sandbox_letter_supplier_mock_template_submitted_sender = "template-submitted-sender-${var.environment}@${local.email_domain}"
   sandbox_letter_supplier_mock_recipient                 = "supplier-recipient-${var.environment}@${local.email_domain}"
-
-  # var.letter_suppliers is defined at a point where we don't know what the environment is, so
-  # we need to add the environment-dependent test recipient separately here
-  letter_suppliers = local.use_sftp_letter_supplier_mock ? merge(
-    var.letter_suppliers,
-    { WTMMOCK = {
-      email_addresses  = concat(var.letter_suppliers.WTMMOCK.email_addresses, [local.sandbox_letter_supplier_mock_recipient])
-      enable_polling   = true
-      default_supplier = true
-    } }
-  ) : var.letter_suppliers
 }
diff --git a/infrastructure/terraform/components/sandbox/module_backend_api.tf b/infrastructure/terraform/components/sandbox/module_backend_api.tf
@@ -18,7 +18,13 @@ module "backend_api" {
   }
 
   enable_proofing  = true
-  letter_suppliers = local.letter_suppliers
+  letter_suppliers = {
+    WTMMOCK = {
+      email_addresses  = [local.sandbox_letter_supplier_mock_recipient]
+      enable_polling   = true
+      default_supplier = true
+    }
+  }
 
   kms_key_arn = data.aws_kms_key.sandbox.arn
 
diff --git a/infrastructure/terraform/components/sandbox/outputs.tf b/infrastructure/terraform/components/sandbox/outputs.tf
@@ -62,11 +62,6 @@ output "test_email_bucket_name" {
   value = local.acct["ses_testing_config"].bucket_name
 }
 
-output "test_proof_requested_email_prefix" {
-  value = "proof-requested-emails-${var.environment}"
-}
-
-
-output "test_template_submitted_email_prefix" {
-  value = "template-submitted-emails-${var.environment}"
+output "test_email_bucket_prefix" {
+  value = "emails-${var.environment}"
 }
diff --git a/infrastructure/terraform/components/sandbox/ses_receipt_rule.tf b/infrastructure/terraform/components/sandbox/ses_receipt_rule.tf
@@ -2,16 +2,15 @@ resource "aws_ses_receipt_rule" "proof_requested" {
   name          = "${local.csi}-store-email-proof-requested"
   rule_set_name = local.acct["ses_testing_config"].rule_set_name
 
-  # Despite being called "recipients", AWS appears to apply this check to the sender email
-  recipients    = [local.sandbox_letter_supplier_mock_proof_requested_sender]
+  recipients    = [local.sandbox_letter_supplier_mock_recipient]
   enabled       = true
   scan_enabled  = true
   tls_policy    = "Optional"
 
   s3_action {
     position          = 1
     bucket_name       = local.acct["ses_testing_config"].bucket_name
-    object_key_prefix = "proof-requested-emails-${var.environment}/"
+    object_key_prefix = "emails-${var.environment}/"
     iam_role_arn      = local.acct["ses_testing_config"].iam_role_arn
   }
 }
diff --git a/infrastructure/terraform/components/sandbox/ses_receipt_rule_template_submitted.tf b/infrastructure/terraform/components/sandbox/ses_receipt_rule_template_submitted.tf
diff --git a/infrastructure/terraform/components/sandbox/variables.tf b/infrastructure/terraform/components/sandbox/variables.tf
@@ -63,32 +63,6 @@ variable "kms_deletion_window" {
   default     = "30"
 }
 
-variable "letter_suppliers" {
-  type = map(object({
-    email_addresses  = list(string)
-    enable_polling   = bool
-    default_supplier = optional(bool)
-  }))
-
-  default = {
-    "WTMMOCK" = {
-      email_addresses  = []
-      enable_polling   = true
-      default_supplier = true
-    }
-  }
-
-  validation {
-    condition = (
-      length(var.letter_suppliers) == 0 ||
-      length([for s in values(var.letter_suppliers) : s if s.default_supplier]) == 1
-    )
-    error_message = "If letter suppliers are configured, exactly one must be default_supplier"
-  }
-
-  description = "Letter suppliers enabled in the environment"
-}
-
 variable "parent_acct_environment" {
   type        = string
   description = "Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments"
diff --git a/infrastructure/terraform/modules/acct-ses-testing/README.md b/infrastructure/terraform/modules/acct-ses-testing/README.md
@@ -30,7 +30,6 @@ No requirements.
 | <a name="output_bucket_name"></a> [bucket\_name](#output\_bucket\_name) | n/a |
 | <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | n/a |
 | <a name="output_rule_set_name"></a> [rule\_set\_name](#output\_rule\_set\_name) | n/a |
-
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
diff --git a/infrastructure/terraform/modules/backend-api/README.md b/infrastructure/terraform/modules/backend-api/README.md
@@ -11,7 +11,7 @@ No requirements.
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
 | <a name="input_cloudfront_distribution_arn"></a> [cloudfront\_distribution\_arn](#input\_cloudfront\_distribution\_arn) | ARN of the cloudfront distribution to serve files from | `string` | `null` | no |
-| <a name="input_cognito_config"></a> [cognito\_config](#input\_cognito\_config) | Cognito config | <pre>object({<br>    USER_POOL_ID : string,<br>    USER_POOL_CLIENT_ID : string<br>  })</pre> | n/a | yes |
+| <a name="input_cognito_config"></a> [cognito\_config](#input\_cognito\_config) | Cognito config | <pre>object({<br/>    USER_POOL_ID : string,<br/>    USER_POOL_CLIENT_ID : string<br/>  })</pre> | n/a | yes |
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | n/a | yes |
 | <a name="input_csi"></a> [csi](#input\_csi) | CSI from the parent component | `string` | n/a | yes |
 | <a name="input_email_domain"></a> [email\_domain](#input\_email\_domain) | Email domain | `string` | n/a | yes |
@@ -22,7 +22,7 @@ No requirements.
 | <a name="input_function_s3_bucket"></a> [function\_s3\_bucket](#input\_function\_s3\_bucket) | Name of S3 bucket to upload lambda artefacts to | `string` | n/a | yes |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS Key ARN | `string` | n/a | yes |
-| <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment | <pre>map(object({<br>    email_addresses  = list(string)<br>    enable_polling   = bool<br>    default_supplier = optional(bool)<br>  }))</pre> | n/a | yes |
+| <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment | <pre>map(object({<br/>    email_addresses  = list(string)<br/>    enable_polling   = bool<br/>    default_supplier = optional(bool)<br/>  }))</pre> | n/a | yes |
 | <a name="input_log_destination_arn"></a> [log\_destination\_arn](#input\_log\_destination\_arn) | Destination ARN to use for the log subscription filter | `string` | `""` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_log_subscription_role_arn"></a> [log\_subscription\_role\_arn](#input\_log\_subscription\_role\_arn) | The ARN of the IAM role to use for the log subscription filter | `string` | `""` | no |
@@ -78,7 +78,6 @@ No requirements.
 | <a name="output_sftp_mock_credential_path"></a> [sftp\_mock\_credential\_path](#output\_sftp\_mock\_credential\_path) | n/a |
 | <a name="output_sftp_poll_lambda_name"></a> [sftp\_poll\_lambda\_name](#output\_sftp\_poll\_lambda\_name) | n/a |
 | <a name="output_templates_table_name"></a> [templates\_table\_name](#output\_templates\_table\_name) | n/a |
-
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
diff --git a/infrastructure/terraform/modules/cognito-triggers/README.md b/infrastructure/terraform/modules/cognito-triggers/README.md
@@ -29,7 +29,6 @@ No requirements.
 | Name | Description |
 |------|-------------|
 | <a name="output_pre_token_generation_lambda_function_arn"></a> [pre\_token\_generation\_lambda\_function\_arn](#output\_pre\_token\_generation\_lambda\_function\_arn) | n/a |
-
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
diff --git a/infrastructure/terraform/modules/ses/README.md b/infrastructure/terraform/modules/ses/README.md
@@ -25,7 +25,6 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_domain"></a> [domain](#output\_domain) | n/a |
-
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
diff --git a/tests/test-team/global.d.ts b/tests/test-team/global.d.ts
@@ -14,8 +14,7 @@ declare global {
       TEMPLATES_INTERNAL_BUCKET_NAME: string;
       TEMPLATES_QUARANTINE_BUCKET_NAME: string;
       TEMPLATES_DOWNLOAD_BUCKET_NAME: string;
-      TEST_TEMPLATE_SUBMITTED_EMAIL_PREFIX: string;
-      TEST_PROOF_REQUESTED_EMAIL_PREFIX: string;
+      TEST_EMAIL_BUCKET_PREFIX: string;
     }
   }
 
diff --git a/tests/test-team/helpers/email-helper.ts b/tests/test-team/helpers/email-helper.ts
@@ -54,7 +54,8 @@ export class EmailHelper {
   async getEmailForTemplateId(
     prefix: string,
     templateId: string,
-    dateCutoff: Date
+    dateCutoff: Date,
+    extraTextToSearch: string
   ) {
     const s3Items = await this.getAllS3Items(prefix);
 
@@ -82,7 +83,7 @@ export class EmailHelper {
 
       const content = await streamToString(Body);
 
-      if (content.includes(templateId)) {
+      if (content.includes(templateId) && content.includes(extraTextToSearch)) {
         return content;
       }
     }
diff --git a/tests/test-team/template-mgmt-api-tests/submit-template.api.spec.ts b/tests/test-team/template-mgmt-api-tests/submit-template.api.spec.ts
@@ -200,9 +200,10 @@ test.describe('POST /v1/template/:templateId/submit', () => {
 
       await expect(async () => {
         const emailContents = await emailHelper.getEmailForTemplateId(
-          process.env.TEST_TEMPLATE_SUBMITTED_EMAIL_PREFIX,
+          process.env.TEST_EMAIL_BUCKET_PREFIX,
           templateId,
-          start
+          start,
+          'template-submitted-sender'
         );
 
         expect(emailContents).toContain(templateId);
diff --git a/tests/test-team/template-mgmt-e2e-tests/template-mgmt-letter-full.e2e.spec.ts b/tests/test-team/template-mgmt-e2e-tests/template-mgmt-letter-full.e2e.spec.ts
@@ -260,20 +260,22 @@ function submit(
 function checkEmail(
   expandedTemplateId: string,
   testStart: Date,
-  prefix: string,
-  emailTitle: string
+  emailTitle: string,
+  extraTextToSearch: string
 ) {
   return test.step('check email', async () => {
     await expect(async () => {
       const emailContents = await emailHelper.getEmailForTemplateId(
-        prefix,
+        process.env.TEST_EMAIL_BUCKET_PREFIX,
         expandedTemplateId,
-        testStart
+        testStart,
+        extraTextToSearch
       );
 
       expect(emailContents).toContain(expandedTemplateId);
       expect(emailContents).toContain('Valid Letter Template'); // template name
       expect(emailContents).toContain(emailTitle);
+      expect(emailContents).toContain(extraTextToSearch);
     }).toPass({ timeout: 60_000 });
   });
 }
@@ -322,17 +324,17 @@ test.describe('letter complete e2e journey', () => {
     await checkEmail(
       expandedTemplateId,
       testStart,
-      process.env.TEST_PROOF_REQUESTED_EMAIL_PREFIX,
-      'Proof Requested'
+      'Proof Requested',
+      'proof-requested-sender'
     );
 
     await submit(page, templateStorageHelper, templateKey);
 
     await checkEmail(
       expandedTemplateId,
       testStart,
-      process.env.TEST_TEMPLATE_SUBMITTED_EMAIL_PREFIX,
-      'Template Submitted'
+      'Template Submitted',
+      'template-submitted-sender'
     );
   });
 
diff --git a/utils/backend-config/src/backend-config.ts b/utils/backend-config/src/backend-config.ts

Original file line number	Diff line number	Diff line change
`@@ -62,11 +62,6 @@ output "test_email_bucket_name" {`
`62`	`62`	`value = local.acct["ses_testing_config"].bucket_name`
`63`	`63`	`}`
`64`	`64`
`65`		`-output "test_proof_requested_email_prefix" {`
`66`		`- value = "proof-requested-emails-${var.environment}"`
`67`		`-}`
`68`		`-`
`69`		`-`
`70`		`-output "test_template_submitted_email_prefix" {`
`71`		`- value = "template-submitted-emails-${var.environment}"`
	`65`	`+output "test_email_bucket_prefix" {`
	`66`	`+ value = "emails-${var.environment}"`
`72`	`67`	`}`