Merge branch 'main' into feature/CCM-14502-Optional-Proxy-Build

Author: stevebux

docs/package.json

@@ -4,7 +4,6 @@
     "nhsuk-frontend": "^10.1.0"
   },
   "description": "",
-  "devDependencies": {},
   "engines": {},
   "keywords": [],
   "license": "ISC",

eslint.config.mjs

@@ -20,13 +20,31 @@ import {
 } from 'eslint-config-airbnb-extended';
 import { rules as prettierConfigRules } from 'eslint-config-prettier';
 
-import { dirname } from 'node:path';
+import { readFileSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { FlatCompat } from '@eslint/eslintrc';
+import { globSync } from 'glob';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 
+const rootPackageJson = JSON.parse(
+  readFileSync(new URL('./package.json', import.meta.url), 'utf8'),
+);
+const workspacePatterns = rootPackageJson.workspaces ?? [];
+const workspacePackageDirs = workspacePatterns.flatMap((pattern) =>
+  globSync(`${pattern}/package.json`, {
+    cwd: __dirname,
+    ignore: ['**/node_modules/**'],
+  }).map((packageJsonPath) =>
+    resolve(__dirname, packageJsonPath.replace(/\/package\.json$/, '')),
+  ),
+);
+const monorepoPackageDirs = Array.from(
+  new Set([__dirname, ...workspacePackageDirs]),
+);
+
 const compat = new FlatCompat({
   baseDirectory: __dirname,
 });
@@ -171,7 +189,7 @@ export default defineConfig([
     rules: {
       'import-x/no-extraneous-dependencies': [
         2,
-        { devDependencies: true },
+        { devDependencies: true, packageDir: monorepoPackageDirs },
       ],
     },
   },
@@ -188,7 +206,7 @@ export default defineConfig([
     rules: {
       'import-x/no-extraneous-dependencies': [
         'error',
-        { devDependencies: true },
+        { devDependencies: true, packageDir: monorepoPackageDirs },
       ],
     },
   },

infrastructure/terraform/components/api/README.md

@@ -17,6 +17,7 @@ No requirements.
 | <a name="input_core_environment"></a> [core\_environment](#input\_core\_environment) | Environment of Core | `string` | `"prod"` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_disable_gateway_execute_endpoint"></a> [disable\_gateway\_execute\_endpoint](#input\_disable\_gateway\_execute\_endpoint) | Disable the execution endpoint for the API Gateway | `bool` | `true` | no |
+| <a name="input_enable_alarms"></a> [enable\_alarms](#input\_enable\_alarms) | Enable CloudWatch alarms for this deployed environment | `bool` | `true` | no |
 | <a name="input_enable_api_data_trace"></a> [enable\_api\_data\_trace](#input\_enable\_api\_data\_trace) | Enable API Gateway data trace logging | `bool` | `false` | no |
 | <a name="input_enable_backups"></a> [enable\_backups](#input\_enable\_backups) | Enable backups | `bool` | `false` | no |
 | <a name="input_enable_event_cache"></a> [enable\_event\_cache](#input\_enable\_event\_cache) | Enable caching of events to an S3 bucket | `bool` | `true` | no |
@@ -46,26 +47,32 @@ No requirements.
 | <a name="module_amendment_event_transformer"></a> [amendment\_event\_transformer](#module\_amendment\_event\_transformer) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_amendments_queue"></a> [amendments\_queue](#module\_amendments\_queue) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-sqs.zip | n/a |
 | <a name="module_authorizer_lambda"></a> [authorizer\_lambda](#module\_authorizer\_lambda) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
-| <a name="module_domain_truststore"></a> [domain\_truststore](#module\_domain\_truststore) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-s3bucket.zip | n/a |
-| <a name="module_eventpub"></a> [eventpub](#module\_eventpub) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.31/terraform-eventpub.zip | n/a |
+| <a name="module_ddb_alarms_letter_queue"></a> [ddb\_alarms\_letter\_queue](#module\_ddb\_alarms\_letter\_queue) | ../../modules/alarms-ddb | n/a |
+| <a name="module_ddb_alarms_letters"></a> [ddb\_alarms\_letters](#module\_ddb\_alarms\_letters) | ../../modules/alarms-ddb | n/a |
+| <a name="module_ddb_alarms_mi"></a> [ddb\_alarms\_mi](#module\_ddb\_alarms\_mi) | ../../modules/alarms-ddb | n/a |
+| <a name="module_ddb_alarms_suppliers"></a> [ddb\_alarms\_suppliers](#module\_ddb\_alarms\_suppliers) | ../../modules/alarms-ddb | n/a |
+| <a name="module_domain_truststore"></a> [domain\_truststore](#module\_domain\_truststore) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.4/terraform-s3bucket.zip | n/a |
+| <a name="module_eventpub"></a> [eventpub](#module\_eventpub) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.4/terraform-eventpub.zip | n/a |
 | <a name="module_eventsub"></a> [eventsub](#module\_eventsub) | ../../modules/eventsub | n/a |
 | <a name="module_get_letter"></a> [get\_letter](#module\_get\_letter) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_get_letter_data"></a> [get\_letter\_data](#module\_get\_letter\_data) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_get_letters"></a> [get\_letters](#module\_get\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_get_status"></a> [get\_status](#module\_get\_status) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_kms"></a> [kms](#module\_kms) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-kms.zip | n/a |
+| <a name="module_lambda_alarms"></a> [lambda\_alarms](#module\_lambda\_alarms) | ../../modules/alarms-lambda | n/a |
 | <a name="module_letter_status_updates_queue"></a> [letter\_status\_updates\_queue](#module\_letter\_status\_updates\_queue) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-sqs.zip | n/a |
 | <a name="module_letter_updates_transformer"></a> [letter\_updates\_transformer](#module\_letter\_updates\_transformer) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
-| <a name="module_logging_bucket"></a> [logging\_bucket](#module\_logging\_bucket) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-s3bucket.zip | n/a |
 | <a name="module_mi_updates_transformer"></a> [mi\_updates\_transformer](#module\_mi\_updates\_transformer) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-lambda.zip | n/a |
 | <a name="module_patch_letter"></a> [patch\_letter](#module\_patch\_letter) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_post_letters"></a> [post\_letters](#module\_post\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_post_mi"></a> [post\_mi](#module\_post\_mi) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_s3bucket_test_letters"></a> [s3bucket\_test\_letters](#module\_s3bucket\_test\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-s3bucket.zip | n/a |
+| <a name="module_sqs_alarms"></a> [sqs\_alarms](#module\_sqs\_alarms) | ../../modules/alarms-sqs | n/a |
 | <a name="module_sqs_letter_updates"></a> [sqs\_letter\_updates](#module\_sqs\_letter\_updates) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-sqs.zip | n/a |
 | <a name="module_sqs_supplier_allocator"></a> [sqs\_supplier\_allocator](#module\_sqs\_supplier\_allocator) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-sqs.zip | n/a |
 | <a name="module_supplier_allocator"></a> [supplier\_allocator](#module\_supplier\_allocator) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_supplier_ssl"></a> [supplier\_ssl](#module\_supplier\_ssl) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.26/terraform-ssl.zip | n/a |
+| <a name="module_update_letter_queue"></a> [update\_letter\_queue](#module\_update\_letter\_queue) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_upsert_letter"></a> [upsert\_letter](#module\_upsert\_letter) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 ## Outputs
 

infrastructure/terraform/components/api/cloudwatch_metric_alarm_apigw_5xx.tf

@@ -0,0 +1,24 @@
+resource "aws_cloudwatch_metric_alarm" "apigw_five_xx" {
+  count = local.alarms_enabled ? 1 : 0
+
+  alarm_name        = "${local.csi}-apigw-5xx"
+  alarm_description = "RELIABILITY: API Gateway 5xx responses"
+
+  namespace   = "AWS/ApiGateway"
+  metric_name = "5XXError"
+  statistic   = "Sum"
+  period      = 60
+
+  evaluation_periods  = 1
+  threshold           = 0
+  comparison_operator = "GreaterThanThreshold"
+  treat_missing_data  = "notBreaching"
+
+  dimensions = local.apigw_alarm_dimensions
+
+  actions_enabled           = false
+  alarm_actions             = []
+  ok_actions                = []
+  insufficient_data_actions = []
+  tags                      = local.default_tags
+}

infrastructure/terraform/components/api/cloudwatch_metric_alarm_apigw_latency_anomaly.tf

@@ -0,0 +1,36 @@
+resource "aws_cloudwatch_metric_alarm" "apigw_latency_anomaly" {
+  count = local.alarms_enabled ? 1 : 0
+
+  alarm_name          = "${local.csi}-apigw-latency-anomaly"
+  alarm_description   = "RELIABILITY: API Gateway latency anomaly"
+  comparison_operator = "GreaterThanUpperThreshold"
+  evaluation_periods  = 5
+  datapoints_to_alarm = 3
+  threshold_metric_id = "ad1"
+  treat_missing_data  = "notBreaching"
+
+  actions_enabled           = false
+  alarm_actions             = []
+  ok_actions                = []
+  insufficient_data_actions = []
+  tags                      = local.default_tags
+
+  metric_query {
+    id = "m1"
+    metric {
+      metric_name = "Latency"
+      namespace   = "AWS/ApiGateway"
+      stat        = "Average"
+      period      = 60
+      dimensions  = local.apigw_alarm_dimensions
+    }
+    return_data = true
+  }
+
+  metric_query {
+    id          = "ad1"
+    expression  = "ANOMALY_DETECTION_BAND(m1, 2)"
+    label       = "Latency (expected)"
+    return_data = true
+  }
+}

infrastructure/terraform/components/api/cloudwatch_metric_alarm_apigw_latency_threshold.tf

@@ -0,0 +1,24 @@
+resource "aws_cloudwatch_metric_alarm" "apigw_latency_threshold" {
+  count = local.alarms_enabled ? 1 : 0
+
+  alarm_name        = "${local.csi}-apigw-latency-threshold"
+  alarm_description = "RELIABILITY: API Gateway latency above threshold"
+
+  namespace   = "AWS/ApiGateway"
+  metric_name = "Latency"
+  statistic   = "Average"
+  period      = 60
+
+  evaluation_periods  = 5
+  threshold           = 29000
+  comparison_operator = "GreaterThanThreshold"
+  treat_missing_data  = "notBreaching"
+
+  dimensions = local.apigw_alarm_dimensions
+
+  actions_enabled           = false
+  alarm_actions             = []
+  ok_actions                = []
+  insufficient_data_actions = []
+  tags                      = local.default_tags
+}

…h_metric_alarm_apim_auth_cert_expirty.tf …ch_metric_alarm_apim_auth_cert_expiry.tfinfrastructure/terraform/components/api/cloudwatch_metric_alarm_apim_auth_cert_expirty.tf renamed to infrastructure/terraform/components/api/cloudwatch_metric_alarm_apim_auth_cert_expiry.tf infrastructure/terraform/components/api/cloudwatch_metric_alarm_apim_auth_cert_expirty.tf renamed to infrastructure/terraform/components/api/cloudwatch_metric_alarm_apim_auth_cert_expiry.tf

@@ -0,0 +1,44 @@
+resource "aws_dynamodb_table" "letter_queue" {
+  name         = "${local.csi}-letter-queue"
+  billing_mode = "PAY_PER_REQUEST"
+
+  hash_key  = "supplierId"
+  range_key = "queueTimestamp"
+
+  ttl {
+    attribute_name = "ttl"
+    enabled        = true
+  }
+
+  local_secondary_index {
+    name            = "letterId-index"
+    range_key       = "letterId"
+    projection_type = "ALL"
+  }
+
+  attribute {
+    name = "supplierId"
+    type = "S"
+  }
+
+  attribute {
+    name = "letterId"
+    type = "S"
+  }
+
+  attribute {
+    name = "queueTimestamp"
+    type = "S"
+  }
+
+  point_in_time_recovery {
+    enabled = true
+  }
+
+  tags = merge(
+    local.default_tags,
+    {
+      NHSE-Enable-Dynamo-Backup-Acct = "True"
+    }
+  )
+}

infrastructure/terraform/components/api/ddb_table_letter_queue.tf

@@ -0,0 +1,11 @@
+resource "aws_lambda_event_source_mapping" "update_letter_queue_kinesis" {
+  event_source_arn                   = aws_kinesis_stream.letter_change_stream.arn
+  function_name                      = module.update_letter_queue.function_arn
+  starting_position                  = "LATEST"
+  batch_size                         = 10
+  maximum_batching_window_in_seconds = 1
+
+  depends_on = [
+    module.update_letter_queue # ensures update letter queue lambda exists
+  ]
+}

infrastructure/terraform/components/api/event_source_mapping_update_letter_queue.tf

@@ -0,0 +1,32 @@
+locals {
+  alarms_enabled = var.enable_alarms
+
+  apigw_alarm_dimensions = {
+    ApiName = aws_api_gateway_rest_api.main.name
+    Stage   = aws_api_gateway_stage.main.stage_name
+  }
+
+  lambda_alarm_targets = {
+    authorizer_lambda           = module.authorizer_lambda.function_name
+    get_letter                  = module.get_letter.function_name
+    get_letters                 = module.get_letters.function_name
+    get_letter_data             = module.get_letter_data.function_name
+    get_status                  = module.get_status.function_name
+    patch_letter                = module.patch_letter.function_name
+    post_letters                = module.post_letters.function_name
+    post_mi                     = module.post_mi.function_name
+    update_letter_queue         = module.update_letter_queue.function_name
+    upsert_letter               = module.upsert_letter.function_name
+    amendment_event_transformer = module.amendment_event_transformer.function_name
+    letter_updates_transformer  = module.letter_updates_transformer.function_name
+    mi_updates_transformer      = module.mi_updates_transformer.function_name
+    supplier_allocator          = module.supplier_allocator.function_name
+  }
+
+  sqs_alarm_targets = {
+    sqs_letter_updates          = module.sqs_letter_updates.sqs_queue_name
+    amendments_queue            = module.amendments_queue.sqs_queue_name
+    letter_status_updates_queue = module.letter_status_updates_queue.sqs_queue_name
+    sqs_supplier_allocator      = module.sqs_supplier_allocator.sqs_queue_name
+  }
+}