ELI-331: Mask PII/GDPR info (#239)

shweta-nhs · web-flow · commit 14d6a5ec9cc7 · 2025-07-16T14:20:39.000+01:00
* ELI-331: Mask PII/GDPR info

* ELI-331: Fix formatting

* ELI-331: Fix format and lint
diff --git a/infrastructure/modules/api_gateway/cloudwatch.tf b/infrastructure/modules/api_gateway/cloudwatch.tf
@@ -8,3 +8,96 @@ resource "aws_cloudwatch_log_group" "api_gateway" {
     prevent_destroy = false
   }
 }
+
+resource "aws_cloudwatch_log_data_protection_policy" "api_gateway_data_protection" {
+  log_group_name = aws_cloudwatch_log_group.api_gateway.name
+  policy_document = jsonencode({
+    Name    = "data-protection-policy"
+    Version = "2021-06-01"
+    Statement = [
+      {
+        Sid      = "MaskSensitiveData"
+        Effect   = "Deny"
+        Principal = { "AWS" : "*" }
+        Action   = "cloudwatch:PutLogEvents"
+        Resource = "*"
+        DataIdentifier = [
+          "arn:aws:dataprotection::aws:data-identifier/DateOfBirth",
+          "arn:aws:dataprotection::aws:data-identifier/UkPostcode",
+          "arn:aws:dataprotection::aws:data-identifier/Custom:UkPostcodeSector",
+          "arn:aws:dataprotection::aws:data-identifier/Custom:GpPracticeCode",
+          "arn:aws:dataprotection::aws:data-identifier/Custom:13QFlag",
+          "arn:aws:dataprotection::aws:data-identifier/Custom:CareHomeFlag",
+          "arn:aws:dataprotection::aws:data-identifier/Custom:DEFlag",
+          "arn:aws:dataprotection::aws:data-identifier/Custom:RemovalReasonCode",
+          "arn:aws:dataprotection::aws:data-identifier/Custom:ValidDosesCount",
+          "arn:aws:dataprotection::aws:data-identifier/Custom:InvalidDosesCount",
+          "arn:aws:dataprotection::aws:data-identifier/Custom:LastSuccessfulDate",
+          "arn:aws:dataprotection::aws:data-identifier/Custom:LastValidDoseDate",
+          "arn:aws:dataprotection::aws:data-identifier/Custom:CohortLabel"
+
+        ]
+        Operation = {
+          "cloudwatch:Mask" = {}
+        }
+      },
+    ]
+    CustomDataIdentifier = [
+      {
+        Name     = "UkPostcodeSector"
+        Regex    = "[A-Z]{1,2}[0-9R-9][0A-Z]? ?[0-9]"
+        Severity = "High"
+      },
+      {
+        Name     = "GpPracticeCode"
+        Regex    = "GP_PRACTICE[\\s\\\"':=]*([A-Z][0-9]{5})"
+        Severity = "High"
+      },
+      {
+        Name     = "13QFlag"
+        Regex    = "13Q_FLAG[\\s\\\"':=]*[YN]"
+        Severity = "High"
+      },
+      {
+        Name     = "CareHomeFlag"
+        Regex    = "CARE_HOME_FLAG[\\s\\\"':=]*[YN]"
+        Severity = "High"
+      },
+      {
+        Name     = "DEFlag"
+        Regex    = "DE_FLAG[\\s\\\"':=]*[YN]"
+        Severity = "High"
+      },
+      {
+        Name     = "RemovalReasonCode"
+        Regex    = "REMOVAL_REASON_CODE[\\s\\\"':=]*([A-Z]{3})"
+        Severity = "High"
+      },
+      {
+        Name     = "ValidDosesCount"
+        Regex    = "VALID_DOSES_COUNT[\\s\\\"':=]*([0-9]{1,2}|100)"
+        Severity = "High"
+      },
+      {
+        Name     = "InvalidDosesCount"
+        Regex    = "INVALID_DOSES_COUNT[\\s\\\"':=]*([0-9]{1,2}|100)"
+        Severity = "High"
+      },
+      {
+        Name     = "LastSuccessfulDate"
+        Regex    = "LAST_SUCCESSFUL_DATE[\\s\\\"':=]*([0-9]{8})"
+        Severity = "High"
+      },
+      {
+        Name     = "LastValidDoseDate"
+        Regex    = "LAST_VALID_DOSE_DATE[\\s\\\"':=]*([0-9]{8})"
+        Severity = "High"
+      },
+      {
+        Name     = "CohortLabel"
+        Regex    = "COHORT_LABEL[\\s\\\"':=]*([A-Za-z0-9_ -]{1,100})"
+        Severity = "High"
+      }
+    ]
+  })
+}
diff --git a/src/eligibility_signposting_api/services/eligibility_services.py b/src/eligibility_signposting_api/services/eligibility_services.py
@@ -51,6 +51,13 @@ def get_eligibility_status(
                         "nhs_number": nhs_number,
                     },
                 )
+
+                if person_data and person_data[0] and campaign_configs and campaign_configs[0]:
+                    logger.info("Test data masking person data: %r", person_data[0])
+                    logger.info(
+                        "Test data masking campaign config data: %r", campaign_configs[0].model_dump(by_alias=True)
+                    )
+
             except NotFoundError as e:
                 raise UnknownPersonError from e
             else:
diff --git a/tests/integration/lambda/test_app_running_as_lambda.py b/tests/integration/lambda/test_app_running_as_lambda.py
@@ -1,4 +1,3 @@
-import base64
 import json
 import logging
 from http import HTTPStatus
@@ -69,7 +68,6 @@ def test_install_and_call_lambda_flask(
         Payload=json.dumps(request_payload),
         LogType="Tail",
     )
-    log_output = base64.b64decode(response["LogResult"]).decode("utf-8")
 
     # Then
     assert_that(response, has_entries(StatusCode=HTTPStatus.OK))
@@ -80,8 +78,6 @@ def test_install_and_call_lambda_flask(
         has_entries(statusCode=HTTPStatus.OK, body=is_json_that(has_key("processedSuggestions"))),
     )
 
-    assert_that(log_output, contains_string("person_data"))
-
 
 def test_install_and_call_flask_lambda_over_http(
     persisted_person: NHSNumber,
