Merge branch 'main' into fix/internal-event-datastore-dep

Author: masl2

.github/PULL_REQUEST_TEMPLATE.md

@@ -25,7 +25,7 @@
 - [ ] I have added tests to cover my changes
 - [ ] I have updated the documentation accordingly
 - [ ] This PR is a result of pair or mob programming
-- [ ] If I have used the 'skip-trivy-package' label I have done so responsibly and in the knowledge that this is being fixed as part of a separate ticket/PR.
+<!-- - [ ] If I have used the 'skip-trivy-package' label I have done so responsibly and in the knowledge that this is being fixed as part of a separate ticket/PR. TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549 -->
 
 ---
 

.github/actions/trivy-iac/action.yaml

@@ -1,19 +1,20 @@
-name: "Trivy IaC Scan"
-description: "Scan Terraform IaC using Trivy"
-runs:
-  using: "composite"
-  steps:
-    - name: "Trivy Terraform IaC Scan"
-      shell: bash
-      run: |
-        components_exit_code=0
-        modules_exit_code=0
-        asdf plugin add trivy || true
-        asdf install trivy || true
-        ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
-        ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
+# TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+# name: "Trivy IaC Scan"
+# description: "Scan Terraform IaC using Trivy"
+# runs:
+#   using: "composite"
+#   steps:
+#     - name: "Trivy Terraform IaC Scan"
+#       shell: bash
+#       run: |
+#         components_exit_code=0
+#         modules_exit_code=0
+#         asdf plugin add trivy || true
+#         asdf install trivy || true
+#         ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/components || components_exit_code=$?
+#         ./scripts/terraform/trivy-scan.sh --mode iac ./infrastructure/terraform/modules || modules_exit_code=$?
 
-        if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
-          echo "Trivy misconfigurations detected."
-          exit 1
-        fi
+#         if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
+#           echo "Trivy misconfigurations detected."
+#           exit 1
+#         fi

.github/actions/trivy-package/action.yaml

@@ -1,17 +1,18 @@
-name: "Trivy Package Scan"
-description: "Scan project packages using Trivy"
-runs:
-  using: "composite"
-  steps:
-    - name: "Trivy Package Scan"
-      shell: bash
-      run: |
-        exit_code=0
-        asdf plugin add trivy || true
-        asdf install trivy || true
-        ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
+# TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+# name: "Trivy Package Scan"
+# description: "Scan project packages using Trivy"
+# runs:
+#   using: "composite"
+#   steps:
+#     - name: "Trivy Package Scan"
+#       shell: bash
+#       run: |
+#         exit_code=0
+#         asdf plugin add trivy || true
+#         asdf install trivy || true
+#         ./scripts/terraform/trivy-scan.sh --mode package . || exit_code=$?
 
-        if [ $exit_code -ne 0 ]; then
-          echo "Trivy has detected package vulnerablilites. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
-          exit 1
-        fi
+#         if [ $exit_code -ne 0 ]; then
+#           echo "Trivy has detected package vulnerablilites. Please refer to https://nhsd-confluence.digital.nhs.uk/spaces/RIS/pages/1257636917/PLAT-KOP-012+-+Trivy+Pipeline+Vulnerability+Scanning+Exemption"
+#           exit 1
+#         fi

.github/workflows/cicd-1-pull-request.yaml

@@ -28,7 +28,8 @@ jobs:
       is_version_prerelease: ${{ steps.variables.outputs.is_version_prerelease }}
       does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
       pr_number: ${{ steps.pr_exists.outputs.pr_number }}
-      skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }}
+      # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+      # skip_trivy_package: ${{ steps.skip_trivy.outputs.skip_trivy_package }}
       deploy_proxy: ${{ steps.deploy_proxy.outputs.deploy_proxy }}
     steps:
       - name: "Checkout code"
@@ -68,26 +69,27 @@ jobs:
             echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
             echo "pr_number=" >> $GITHUB_OUTPUT
           fi
-      - name: "Determine if Trivy package scan should be skipped"
-        id: skip_trivy
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }}
-        run: |
-          if [[ -z "$PR_NUMBER" ]]; then
-            echo "No pull request detected; Trivy package scan will run."
-            echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
-            exit 0
-          fi
+      # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+      # - name: "Determine if Trivy package scan should be skipped"
+      #   id: skip_trivy
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      #     PR_NUMBER: ${{ steps.pr_exists.outputs.pr_number }}
+      #   run: |
+      #     if [[ -z "$PR_NUMBER" ]]; then
+      #       echo "No pull request detected; Trivy package scan will run."
+      #       echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
+      #       exit 0
+      #     fi
 
-          labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name')
-          echo "Labels on PR #$PR_NUMBER: $labels"
+      #     labels=$(gh pr view "$PR_NUMBER" --json labels --jq '.labels[].name')
+      #     echo "Labels on PR #$PR_NUMBER: $labels"
 
-          if echo "$labels" | grep -Fxq 'skip-trivy-package'; then
-            echo "skip_trivy_package=true" >> $GITHUB_OUTPUT
-          else
-            echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
-          fi
+      #     if echo "$labels" | grep -Fxq 'skip-trivy-package'; then
+      #       echo "skip_trivy_package=true" >> $GITHUB_OUTPUT
+      #     else
+      #       echo "skip_trivy_package=false" >> $GITHUB_OUTPUT
+      #     fi
       - name: "Determine if proxy should be deployed"
         id: deploy_proxy
         env:
@@ -131,7 +133,8 @@ jobs:
       build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
       nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
       python_version: "${{ needs.metadata.outputs.python_version }}"
-      skip_trivy_package: ${{ needs.metadata.outputs.skip_trivy_package == 'true' }}
+      # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+      # skip_trivy_package: ${{ needs.metadata.outputs.skip_trivy_package == 'true' }}
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
     secrets: inherit

.github/workflows/stage-1-commit.yaml

@@ -26,10 +26,11 @@ on:
         description: "Python version, set by the CI/CD pipeline workflow"
         required: true
         type: string
-      skip_trivy_package:
-        description: "Skip Trivy package scan when true"
-        type: boolean
-        default: false
+      # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+      # skip_trivy_package:
+      #   description: "Skip Trivy package scan when true"
+      #   type: boolean
+      #   default: false
       terraform_version:
         description: "Terraform version, set by the CI/CD pipeline workflow"
         required: true
@@ -155,6 +156,40 @@ jobs:
         uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
       - name: "Lint Terraform"
         uses: ./.github/actions/lint-terraform
+  # TODO - Re-visit Trivy usage https://nhsd-jira.digital.nhs.uk/browse/CCM-15549
+  # trivy-iac:
+  #   name: "Trivy IaC Scan"
+  #   permissions:
+  #     contents: read
+  #     packages: read
+  #   runs-on: ubuntu-latest
+  #   timeout-minutes: 10
+  #   needs: detect-terraform-changes
+  #   if: needs.detect-terraform-changes.outputs.terraform_changed == 'true'
+  #   env:
+  #     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  #   steps:
+  #     - name: "Checkout code"
+  #       uses: actions/checkout@v4
+  #     - name: "Setup ASDF"
+  #       uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47
+  #     - name: "Trivy IaC Scan"
+  #       uses: ./.github/actions/trivy-iac
+  # trivy-package:
+  #   if: ${{ !inputs.skip_trivy_package }}
+  #   name: "Trivy Package Scan"
+  #   permissions:
+  #     contents: read
+  #     packages: read
+  #   runs-on: ubuntu-latest
+  #   timeout-minutes: 10
+  #   steps:
+  #     - name: "Checkout code"
+  #       uses: actions/checkout@v4
+  #     - name: "Setup ASDF"
+  #       uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47
+  #     - name: "Trivy Package Scan"
+  #       uses: ./.github/actions/trivy-package
   count-lines-of-code:
     name: "Count lines of code"
     runs-on: ubuntu-latest

.github/workflows/stage-3-build.yaml

@@ -182,5 +182,6 @@ jobs:
           environment: ${{ needs.pr-create-dynamic-environment.outputs.environment_name }}
           apimEnv: "internal-dev-sandbox"
           runId: "${{ github.run_id }}"
-          buildSandbox: true
+          # TODO: CCM-15527: Do not deploy sandbox - new certs do not appear to auth for docker correctly
+          buildSandbox: false
           releaseVersion: ${{ github.head_ref || github.ref_name }}

infrastructure/terraform/components/api/README.md

@@ -35,7 +35,7 @@ No requirements.
 | <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
 | <a name="input_letter_event_source"></a> [letter\_event\_source](#input\_letter\_event\_source) | Source value to use for the letter status event updates | `string` | `"/data-plane/supplier-api/nhs-supplier-api-prod/main/update-status"` | no |
 | <a name="input_letter_table_ttl_hours"></a> [letter\_table\_ttl\_hours](#input\_letter\_table\_ttl\_hours) | Number of hours to set as TTL on letters table | `number` | `24` | no |
-| <a name="input_letter_variant_map"></a> [letter\_variant\_map](#input\_letter\_variant\_map) | n/a | `map(object({ supplierId = string, specId = string, priority = number }))` | <pre>{<br/>  "lv1": {<br/>    "priority": 10,<br/>    "specId": "spec1",<br/>    "supplierId": "supplier1"<br/>  },<br/>  "lv2": {<br/>    "priority": 10,<br/>    "specId": "spec2",<br/>    "supplierId": "supplier1"<br/>  },<br/>  "lv3": {<br/>    "priority": 10,<br/>    "specId": "spec3",<br/>    "supplierId": "supplier2"<br/>  }<br/>}</pre> | no |
+| <a name="input_letter_variant_map"></a> [letter\_variant\_map](#input\_letter\_variant\_map) | n/a | `map(object({ supplierId = string, specId = string, priority = number, billingId = string }))` | <pre>{<br/>  "lv1": {<br/>    "billingId": "billing1",<br/>    "priority": 10,<br/>    "specId": "spec1",<br/>    "supplierId": "supplier1"<br/>  },<br/>  "lv2": {<br/>    "billingId": "billing1",<br/>    "priority": 10,<br/>    "specId": "spec2",<br/>    "supplierId": "supplier1"<br/>  },<br/>  "lv3": {<br/>    "billingId": "billing1",<br/>    "priority": 10,<br/>    "specId": "spec3",<br/>    "supplierId": "supplier2"<br/>  }<br/>}</pre> | no |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"INFO"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_manually_configure_mtls_truststore"></a> [manually\_configure\_mtls\_truststore](#input\_manually\_configure\_mtls\_truststore) | Manually manage the truststore used for API Gateway mTLS (e.g. for prod environment) | `bool` | `false` | no |

infrastructure/terraform/components/api/variables.tf

@@ -136,11 +136,11 @@ variable "eventpub_control_plane_bus_arn" {
 }
 
 variable "letter_variant_map" {
-  type = map(object({ supplierId = string, specId = string, priority = number }))
+  type = map(object({ supplierId = string, specId = string, priority = number, billingId = string }))
   default = {
-    "lv1" = { supplierId = "supplier1", specId = "spec1", priority = 10 },
-    "lv2" = { supplierId = "supplier1", specId = "spec2", priority = 10 },
-    "lv3" = { supplierId = "supplier2", specId = "spec3", priority = 10 }
+    "lv1" = { supplierId = "supplier1", specId = "spec1", priority = 10, billingId = "billing1" },
+    "lv2" = { supplierId = "supplier1", specId = "spec2", priority = 10, billingId = "billing1" },
+    "lv3" = { supplierId = "supplier2", specId = "spec3", priority = 10, billingId = "billing1" }
   }
 }
 

internal/datastore/src/__test__/letter-repository.test.ts

@@ -30,6 +30,7 @@ function createLetter(
     source: "/data-plane/letter-rendering/pdf",
     subject: `client/1/letter-request/${letterId}`,
     billingRef: "specification1",
+    specificationBillingId: "billing1",
   };
 }
 

internal/datastore/src/types.ts

@@ -54,6 +54,7 @@ export const LetterSchema = LetterSchemaBase.extend({
   source: z.string(),
   subject: z.string(),
   billingRef: z.string(),
+  specificationBillingId: z.string(),
 }).describe("Letter");
 
 /**