Merge branch 'main' into feature/CCM-8493-missing-nhs-app-markdown-guidance

Author: nicki-nhs

infrastructure/terraform/components/app/module_backend_api.tf

@@ -30,4 +30,5 @@ module "backend_api" {
 
   email_domain                            = module.ses.domain
   template_submitted_sender_email_address = "template-submitted@${module.ses.domain}"
+  proof_requested_sender_email_address    = "proof-requested@${module.ses.domain}"
 }

infrastructure/terraform/components/sandbox/README.md

@@ -41,13 +41,14 @@
 | <a name="output_download_bucket_name"></a> [download\_bucket\_name](#output\_download\_bucket\_name) | n/a |
 | <a name="output_internal_bucket_name"></a> [internal\_bucket\_name](#output\_internal\_bucket\_name) | n/a |
 | <a name="output_quarantine_bucket_name"></a> [quarantine\_bucket\_name](#output\_quarantine\_bucket\_name) | n/a |
-| <a name="output_send_proof_queue_url"></a> [send\_proof\_queue\_url](#output\_send\_proof\_queue\_url) | n/a |
+| <a name="output_request_proof_queue_url"></a> [request\_proof\_queue\_url](#output\_request\_proof\_queue\_url) | n/a |
 | <a name="output_sftp_environment"></a> [sftp\_environment](#output\_sftp\_environment) | n/a |
 | <a name="output_sftp_mock_credential_path"></a> [sftp\_mock\_credential\_path](#output\_sftp\_mock\_credential\_path) | n/a |
 | <a name="output_sftp_poll_lambda_name"></a> [sftp\_poll\_lambda\_name](#output\_sftp\_poll\_lambda\_name) | n/a |
 | <a name="output_templates_table_name"></a> [templates\_table\_name](#output\_templates\_table\_name) | n/a |
 | <a name="output_test_email_bucket_name"></a> [test\_email\_bucket\_name](#output\_test\_email\_bucket\_name) | n/a |
-| <a name="output_test_email_prefix"></a> [test\_email\_prefix](#output\_test\_email\_prefix) | n/a |
+| <a name="output_test_proof_requested_email_prefix"></a> [test\_proof\_requested\_email\_prefix](#output\_test\_proof\_requested\_email\_prefix) | n/a |
+| <a name="output_test_template_submitted_email_prefix"></a> [test\_template\_submitted\_email\_prefix](#output\_test\_template\_submitted\_email\_prefix) | n/a |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->

infrastructure/terraform/components/sandbox/locals.tf

@@ -3,9 +3,10 @@ locals {
 
   use_sftp_letter_supplier_mock = lookup(var.letter_suppliers, local.mock_letter_supplier_name, null) != null
 
-  email_domain                           = "sandbox.${local.acct.dns_zone["name"]}"
-  sandbox_letter_supplier_mock_sender    = "template-submitted-sender-${var.environment}@${local.email_domain}"
-  sandbox_letter_supplier_mock_recipient = "template-submitted-recipient-${var.environment}@${local.email_domain}"
+  email_domain                                           = "sandbox.${local.acct.dns_zone["name"]}"
+  sandbox_letter_supplier_mock_proof_requested_sender    = "proof-requested-sender-${var.environment}@${local.email_domain}"
+  sandbox_letter_supplier_mock_template_submitted_sender = "template-submitted-sender-${var.environment}@${local.email_domain}"
+  sandbox_letter_supplier_mock_recipient                 = "supplier-recipient-${var.environment}@${local.email_domain}"
 
   # var.letter_suppliers is defined at a point where we don't know what the environment is, so
   # we need to add the environment-dependent test recipient separately here

infrastructure/terraform/components/sandbox/module_backend_api.tf

@@ -27,5 +27,6 @@ module "backend_api" {
   enable_event_stream = true
 
   email_domain                            = local.email_domain
-  template_submitted_sender_email_address = local.sandbox_letter_supplier_mock_sender
+  template_submitted_sender_email_address = local.sandbox_letter_supplier_mock_template_submitted_sender
+  proof_requested_sender_email_address    = local.sandbox_letter_supplier_mock_proof_requested_sender
 }

infrastructure/terraform/components/sandbox/outputs.tf

@@ -22,8 +22,8 @@ output "internal_bucket_name" {
   value = module.backend_api.internal_bucket_name
 }
 
-output "send_proof_queue_url" {
-  value = module.backend_api.send_proof_queue_url
+output "request_proof_queue_url" {
+  value = module.backend_api.request_proof_queue_url
 }
 
 output "sftp_mock_credential_path" {
@@ -62,6 +62,11 @@ output "test_email_bucket_name" {
   value = local.acct["ses_testing_config"].bucket_name
 }
 
-output "test_email_prefix" {
-  value = "emails-${var.environment}"
+output "test_proof_requested_email_prefix" {
+  value = "proof-requested-emails-${var.environment}"
+}
+
+
+output "test_template_submitted_email_prefix" {
+  value = "template-submitted-emails-${var.environment}"
 }

…m/components/sandbox/ses_receipt_rule.tf …dbox/ses_receipt_rule_proof_requested.tfinfrastructure/terraform/components/sandbox/ses_receipt_rule.tf renamed to infrastructure/terraform/components/sandbox/ses_receipt_rule_proof_requested.tf infrastructure/terraform/components/sandbox/ses_receipt_rule.tf renamed to infrastructure/terraform/components/sandbox/ses_receipt_rule_proof_requested.tf

@@ -1,17 +1,17 @@
-resource "aws_ses_receipt_rule" "main" {
-  name          = "${local.csi}-store-email-sandbox"
+resource "aws_ses_receipt_rule" "proof_requested" {
+  name          = "${local.csi}-store-email-proof-requested"
   rule_set_name = local.acct["ses_testing_config"].rule_set_name
 
   # Despite being called "recipients", AWS appears to apply this check to the sender email
-  recipients    = [local.sandbox_letter_supplier_mock_sender]
+  recipients    = [local.sandbox_letter_supplier_mock_proof_requested_sender]
   enabled       = true
   scan_enabled  = true
   tls_policy    = "Optional"
 
   s3_action {
     position          = 1
     bucket_name       = local.acct["ses_testing_config"].bucket_name
-    object_key_prefix = "emails-${var.environment}/"
+    object_key_prefix = "proof-requested-emails-${var.environment}/"
     iam_role_arn      = local.acct["ses_testing_config"].iam_role_arn
   }
 }

infrastructure/terraform/components/sandbox/ses_receipt_rule_template_submitted.tf

@@ -0,0 +1,17 @@
+resource "aws_ses_receipt_rule" "template_submitted" {
+  name          = "${local.csi}-store-email-template-submitted"
+  rule_set_name = local.acct["ses_testing_config"].rule_set_name
+
+  # Despite being called "recipients", AWS appears to apply this check to the sender email
+  recipients    = [local.sandbox_letter_supplier_mock_template_submitted_sender]
+  enabled       = true
+  scan_enabled  = true
+  tls_policy    = "Optional"
+
+  s3_action {
+    position          = 1
+    bucket_name       = local.acct["ses_testing_config"].bucket_name
+    object_key_prefix = "template-submitted-emails-${var.environment}/"
+    iam_role_arn      = local.acct["ses_testing_config"].iam_role_arn
+  }
+}

infrastructure/terraform/modules/backend-api/README.md

@@ -29,6 +29,7 @@ No requirements.
 | <a name="input_module"></a> [module](#input\_module) | The variable encapsulating the name of this module | `string` | `"api"` | no |
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used | `string` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
+| <a name="input_proof_requested_sender_email_address"></a> [proof\_requested\_sender\_email\_address](#input\_proof\_requested\_sender\_email\_address) | Proof requested sender email address | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | <a name="input_send_to_firehose"></a> [send\_to\_firehose](#input\_send\_to\_firehose) | Flag indicating whether logs should be sent to firehose | `bool` | n/a | yes |
 | <a name="input_template_submitted_sender_email_address"></a> [template\_submitted\_sender\_email\_address](#input\_template\_submitted\_sender\_email\_address) | Template submitted sender email address | `string` | n/a | yes |
@@ -45,9 +46,9 @@ No requirements.
 | <a name="module_lambda_copy_scanned_object_to_internal"></a> [lambda\_copy\_scanned\_object\_to\_internal](#module\_lambda\_copy\_scanned\_object\_to\_internal) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
 | <a name="module_lambda_delete_failed_scanned_object"></a> [lambda\_delete\_failed\_scanned\_object](#module\_lambda\_delete\_failed\_scanned\_object) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
 | <a name="module_lambda_process_proof"></a> [lambda\_process\_proof](#module\_lambda\_process\_proof) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
-| <a name="module_lambda_send_letter_proof"></a> [lambda\_send\_letter\_proof](#module\_lambda\_send\_letter\_proof) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
 | <a name="module_lambda_set_file_virus_scan_status_for_upload"></a> [lambda\_set\_file\_virus\_scan\_status\_for\_upload](#module\_lambda\_set\_file\_virus\_scan\_status\_for\_upload) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
 | <a name="module_lambda_sftp_poll"></a> [lambda\_sftp\_poll](#module\_lambda\_sftp\_poll) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
+| <a name="module_lambda_sftp_request_proof"></a> [lambda\_sftp\_request\_proof](#module\_lambda\_sftp\_request\_proof) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
 | <a name="module_lambda_validate_letter_template_files"></a> [lambda\_validate\_letter\_template\_files](#module\_lambda\_validate\_letter\_template\_files) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
 | <a name="module_list_template_lambda"></a> [list\_template\_lambda](#module\_list\_template\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
 | <a name="module_request_proof_lambda"></a> [request\_proof\_lambda](#module\_request\_proof\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
@@ -70,7 +71,7 @@ No requirements.
 | <a name="output_download_bucket_regional_domain_name"></a> [download\_bucket\_regional\_domain\_name](#output\_download\_bucket\_regional\_domain\_name) | n/a |
 | <a name="output_internal_bucket_name"></a> [internal\_bucket\_name](#output\_internal\_bucket\_name) | n/a |
 | <a name="output_quarantine_bucket_name"></a> [quarantine\_bucket\_name](#output\_quarantine\_bucket\_name) | n/a |
-| <a name="output_send_proof_queue_url"></a> [send\_proof\_queue\_url](#output\_send\_proof\_queue\_url) | n/a |
+| <a name="output_request_proof_queue_url"></a> [request\_proof\_queue\_url](#output\_request\_proof\_queue\_url) | n/a |
 | <a name="output_sftp_environment"></a> [sftp\_environment](#output\_sftp\_environment) | n/a |
 | <a name="output_sftp_mock_credential_path"></a> [sftp\_mock\_credential\_path](#output\_sftp\_mock\_credential\_path) | n/a |
 | <a name="output_sftp_poll_lambda_name"></a> [sftp\_poll\_lambda\_name](#output\_sftp\_poll\_lambda\_name) | n/a |

…d-api/module_lambda_send_letter_proof.tf …-api/module_lambda_sftp_request_proof.tfinfrastructure/terraform/modules/backend-api/module_lambda_send_letter_proof.tf renamed to infrastructure/terraform/modules/backend-api/module_lambda_sftp_request_proof.tf infrastructure/terraform/modules/backend-api/module_lambda_send_letter_proof.tf renamed to infrastructure/terraform/modules/backend-api/module_lambda_sftp_request_proof.tf

@@ -1,4 +1,4 @@
-module "lambda_send_letter_proof" {
+module "lambda_sftp_request_proof" {
   source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda?ref=v2.0.4"
 
   project        = var.project
@@ -9,30 +9,32 @@ module "lambda_send_letter_proof" {
 
   kms_key_arn = var.kms_key_arn
 
-  function_name = "send-letter-proof"
+  function_name = "sftp-request-proof"
 
-  function_module_name  = "send-proof"
+  function_module_name  = "sftp-request-proof"
   handler_function_name = "handler"
-  description           = "Send proof and test data to letter supplier via SFTP"
+  description           = "Send template and test data to letter supplier via SFTP to request a proof"
 
   memory  = 512
   timeout = 20
   runtime = "nodejs20.x"
 
   log_retention_in_days = var.log_retention_in_days
   iam_policy_document = {
-    body = data.aws_iam_policy_document.send_letter_proof.json
+    body = data.aws_iam_policy_document.sftp_request_proof.json
   }
 
   lambda_env_vars = {
-    CREDENTIALS_TTL_SECONDS = 900
-    CSI                     = local.csi
-    INTERNAL_BUCKET_NAME    = module.s3bucket_internal.id
-    NODE_OPTIONS            = "--enable-source-maps",
-    REGION                  = var.region
-    SEND_LOCK_TTL_MS        = 50 * 1000 # this must be less than the visibility timeout
-    SFTP_ENVIRONMENT        = local.sftp_environment
-    TEMPLATES_TABLE_NAME    = aws_dynamodb_table.templates.name
+    CREDENTIALS_TTL_SECONDS              = 900
+    CSI                                  = local.csi
+    INTERNAL_BUCKET_NAME                 = module.s3bucket_internal.id
+    NODE_OPTIONS                         = "--enable-source-maps",
+    REGION                               = var.region
+    SEND_LOCK_TTL_MS                     = 50 * 1000 # this must be less than the visibility timeout
+    SFTP_ENVIRONMENT                     = local.sftp_environment
+    TEMPLATES_TABLE_NAME                 = aws_dynamodb_table.templates.name
+    PROOF_REQUESTED_SENDER_EMAIL_ADDRESS = var.proof_requested_sender_email_address
+    SUPPLIER_RECIPIENT_EMAIL_ADDRESSES   = jsonencode({ for k, v in var.letter_suppliers : k => v.email_addresses })
   }
 
   function_s3_bucket      = var.function_s3_bucket
@@ -49,9 +51,9 @@ module "lambda_send_letter_proof" {
   log_subscription_role_arn = var.log_subscription_role_arn
 }
 
-resource "aws_lambda_event_source_mapping" "send_letter_proof" {
+resource "aws_lambda_event_source_mapping" "sftp_request_proof" {
   event_source_arn                   = module.sqs_sftp_upload.sqs_queue_arn
-  function_name                      = module.lambda_send_letter_proof.function_name
+  function_name                      = module.lambda_sftp_request_proof.function_name
   batch_size                         = 5
   maximum_batching_window_in_seconds = 0
   function_response_types = [
@@ -63,7 +65,7 @@ resource "aws_lambda_event_source_mapping" "send_letter_proof" {
   }
 }
 
-data "aws_iam_policy_document" "send_letter_proof" {
+data "aws_iam_policy_document" "sftp_request_proof" {
   statement {
     sid    = "AllowDynamoAccess"
     effect = "Allow"
@@ -187,4 +189,17 @@ data "aws_iam_policy_document" "send_letter_proof" {
       "*"
     ]
   }
+
+  statement {
+    sid    = "AllowSESAccess"
+    effect = "Allow"
+
+    actions = ["ses:SendRawEmail"]
+
+    resources = flatten([
+      "arn:aws:ses:${var.region}:${var.aws_account_id}:identity/${var.proof_requested_sender_email_address}",
+      "arn:aws:ses:${var.region}:${var.aws_account_id}:identity/${var.email_domain}",
+      [for k, v in var.letter_suppliers : [for email in v.email_addresses : "arn:aws:ses:${var.region}:${var.aws_account_id}:identity/${email}"]]
+    ])
+  }
 }

infrastructure/terraform/modules/backend-api/outputs.tf

@@ -18,7 +18,7 @@ output "internal_bucket_name" {
   value = module.s3bucket_internal.id
 }
 
-output "send_proof_queue_url" {
+output "request_proof_queue_url" {
   value = module.sqs_sftp_upload.sqs_queue_url
 }