preprod db seeding

Author: Karthikeyannhs

…thub/workflows/cicd-4-preprod-deploy.yml …hub/workflows/cicd-4a-preprod-deploy.yml.github/workflows/cicd-4-preprod-deploy.yml renamed to .github/workflows/cicd-4a-preprod-deploy.yml .github/workflows/cicd-4-preprod-deploy.yml renamed to .github/workflows/cicd-4a-preprod-deploy.yml

@@ -0,0 +1,43 @@
+name: Preprod - Seed DynamoDB table
+
+on:
+  push:
+    branches:
+      - ELI-417-preprod-db-seeding
+
+jobs:
+  seed:
+    runs-on: ubuntu-latest
+    environment: "dev"
+    permissions:
+      id-token: write
+      contents: read
+    env:
+      AWS_REGION: eu-west-2
+      DATA_FOLDER: vitaIntegrationTestData/
+      DYNAMODB_TABLE: eligibility-signposting-api-dev-eligibility_datastore
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v5
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: Install dependencies
+        run: pip install boto3
+
+      - name: "Configure AWS Credentials"
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Run seed script
+        run: |
+          python .github/scripts/seed_dynamodb.py \
+            --table-name "${{ env.DYNAMODB_TABLE }}" \
+            --region "${{ env.AWS_REGION }}" \
+            --data-folder "${{ env.DATA_FOLDER }}"

.github/workflows/cicd-4b-preprod-seed-users.yml

@@ -89,24 +89,40 @@ resource "aws_iam_policy" "dynamodb_management" {
 
   policy = jsonencode({
     Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "dynamodb:DescribeTimeToLive",
-          "dynamodb:DescribeTable",
-          "dynamodb:DescribeContinuousBackups",
-          "dynamodb:ListTables",
-          "dynamodb:DeleteTable",
-          "dynamodb:CreateTable",
-          "dynamodb:TagResource",
-          "dynamodb:ListTagsOfResource",
-        ],
-        Resource = [
-          "arn:aws:dynamodb:*:${data.aws_caller_identity.current.account_id}:table/*eligibility-signposting-api-${var.environment}-eligibility_datastore"
-        ]
-      }
-    ]
+    Statement = concat(
+      [
+        {
+          Effect = "Allow",
+          Action = [
+            "dynamodb:DescribeTimeToLive",
+            "dynamodb:DescribeTable",
+            "dynamodb:DescribeContinuousBackups",
+            "dynamodb:ListTables",
+            "dynamodb:DeleteTable",
+            "dynamodb:CreateTable",
+            "dynamodb:TagResource",
+            "dynamodb:ListTagsOfResource",
+          ],
+          Resource = [
+            "arn:aws:dynamodb:*:${data.aws_caller_identity.current.account_id}:table/*eligibility-signposting-api-${var.environment}-eligibility_datastore"
+          ]
+        }
+      ],
+      # to create test users in preprod
+      var.environment == "preprod" ? [
+        {
+          Effect = "Allow",
+          Action = [
+            "dynamodb:GetItem",
+            "dynamodb:PutItem",
+            "dynamodb:DeleteItem",
+          ],
+          Resource = [
+            "arn:aws:dynamodb:*:${data.aws_caller_identity.current.account_id}:table/*eligibility-signposting-api-preprod-eligibility_datastore"
+          ]
+        }
+      ] : []
+    )
   })
 
   tags = merge(local.tags, { Name = "dynamodb-management" })
@@ -465,8 +481,8 @@ resource "aws_iam_policy" "iam_management" {
 # Assume role policy document for GitHub Actions
 data "aws_iam_policy_document" "github_actions_assume_role" {
   statement {
-    sid     = "OidcAssumeRoleWithWebIdentity"
-    effect  = "Allow"
+    sid    = "OidcAssumeRoleWithWebIdentity"
+    effect = "Allow"
     actions = ["sts:AssumeRoleWithWebIdentity"]
 
     principals {
@@ -479,13 +495,13 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
     condition {
       test     = "StringLike"
       variable = "token.actions.githubusercontent.com:sub"
-      values   = ["repo:${var.github_org}/${var.github_repo}:*"]
+      values = ["repo:${var.github_org}/${var.github_repo}:*"]
     }
 
     condition {
       test     = "StringEquals"
       variable = "token.actions.githubusercontent.com:aud"
-      values   = ["sts.amazonaws.com"]
+      values = ["sts.amazonaws.com"]
     }
   }
 }
@@ -514,8 +530,8 @@ resource "aws_iam_policy" "firehose_readonly" {
           "firehose:StopDeliveryStreamEncryption"
         ]
         Resource = [
-            "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*",
-            "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/splunk-alarm-events*"
+          "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/eligibility-signposting-api*",
+          "arn:aws:firehose:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:deliverystream/splunk-alarm-events*"
         ]
       }
     ]

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -36,6 +36,10 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "dynamodb:CreateTable",
       "dynamodb:TagResource",
       "dynamodb:ListTagsOfResource",
+      # Only used in preprod
+      "dynamodb:GetItem",
+      "dynamodb:PutItem",
+      "dynamodb:DeleteItem",
 
       # EC2 - networking infrastructure
       "ec2:Describe*",

infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf

@@ -0,0 +1,56 @@
+import argparse
+import glob
+import json
+import os
+
+import boto3
+
+
+def parse_args():
+    parser = argparse.ArgumentParser(description="Seed DynamoDB table with JSON data.")
+    parser.add_argument("--table-name", required=True, help="Name of the DynamoDB table")
+    parser.add_argument("--region", default="eu-west-2", help="AWS region")
+    parser.add_argument("--data-folder", default="vitaIntegrationTestData/", help="Folder containing JSON seed data")
+    return parser.parse_args()
+
+
+def clear_table(table):
+    scan = table.scan(
+        ProjectionExpression="#nhs, #type", ExpressionAttributeNames={"#nhs": "NHS_NUMBER", "#type": "ATTRIBUTE_TYPE"}
+    )
+    with table.batch_writer() as batch:
+        for item in scan["Items"]:
+            batch.delete_item(Key={"NHS_NUMBER": item["NHS_NUMBER"], "ATTRIBUTE_TYPE": item["ATTRIBUTE_TYPE"]})
+
+
+def insert_data_from_folder(table, data_folder):
+    json_files = glob.glob(os.path.join(data_folder, "*.json"))
+    for file_path in json_files:
+        with open(file_path) as f:
+            try:
+                payload = json.load(f)
+                items = payload.get("data", [])
+            except Exception as e:
+                print(f"Skipping {file_path}: {e}")
+                continue
+
+        with table.batch_writer() as batch:
+            for item in items:
+                nhs_number = item.get("NHS_NUMBER")
+                attr_type = item.get("ATTRIBUTE_TYPE")
+                if nhs_number and attr_type:
+                    item["id"] = nhs_number
+                    batch.put_item(Item=item)
+
+
+def main():
+    args = parse_args()
+    dynamodb = boto3.resource("dynamodb", region_name=args.region)
+    table = dynamodb.Table(args.table_name)
+
+    clear_table(table)
+    insert_data_from_folder(table, args.data_folder)
+
+
+if __name__ == "__main__":
+    main()

scripts/seed_users/__init__.py

@@ -0,0 +1,40 @@
+{
+  "scenario_name": "RSV - Vita Integration - Actionable - You should have the RSV vaccine ( in CP area ) - age rolling - BookNBS",
+  "request_headers": {
+    "nhs-login-nhs-number": "9686368973"
+  },
+  "config_filenames": [
+    "vita_integration_test_config.json"
+  ],
+  "data": [
+    {
+      "NHS_NUMBER": "9686368973",
+      "ATTRIBUTE_TYPE": "COHORTS",
+      "COHORT_MEMBERSHIPS": [
+        {
+          "COHORT_LABEL": "rsv_75to79",
+          "DATE_JOINED": "20231020"
+        }
+      ]
+    },
+    {
+      "NHS_NUMBER": "9686368973",
+      "ATTRIBUTE_TYPE": "PERSON",
+      "DATE_OF_BIRTH": "<<DATE_AGE_75>>",
+      "GENDER": "0",
+      "POSTCODE": "SG8 6EG",
+      "POSTCODE_SECTOR": "SG86",
+      "POSTCODE_OUTCODE": "SG8",
+      "MSOA": "E02003792",
+      "LSOA": "E01018267",
+      "LOCAL_AUTHORITY": "E08000011",
+      "GP_PRACTICE_CODE": "D81046",
+      "PCN": "U75549",
+      "ICB": "QUE",
+      "COMMISSIONING_REGION": "Y61",
+      "13Q_FLAG": "N",
+      "CARE_HOME_FLAG": "N",
+      "DE_FLAG": "N"
+    }
+  ]
+}

scripts/seed_users/seed_dynamodb.py

@@ -0,0 +1,39 @@
+{
+  "scenario_name": "RSV - Vita Integration - Actionable - You should have the RSV vaccine ( out CP area ) - age rolling - age rolling - BookLocal",
+  "request_headers": {
+    "nhs-login-nhs-number": "9686368906"
+  },
+  "config_filenames": [
+    "vita_integration_test_config.json"
+  ],
+  "data": [
+    {
+      "NHS_NUMBER": "9686368906",
+      "ATTRIBUTE_TYPE": "COHORTS",
+      "COHORT_MEMBERSHIPS": [
+        {
+          "COHORT_LABEL": "rsv_75to79",
+          "DATE_JOINED": "20231020"
+        }
+      ]
+    },
+    {
+      "NHS_NUMBER": "9686368906",
+      "ATTRIBUTE_TYPE": "PERSON",
+      "DATE_OF_BIRTH": "19500601",
+      "GENDER": "2",
+      "POSTCODE": "CB3 8DX",
+      "POSTCODE_SECTOR": "CB38",
+      "POSTCODE_OUTCODE": "CB3",
+      "MSOA": "E02007085",
+      "LSOA": "E01018223",
+      "GP_PRACTICE_CODE": "D81046",
+      "PCN": "U75549",
+      "ICB": "QUE",
+      "COMMISSIONING_REGION": "Y61",
+      "13Q_FLAG": "N",
+      "CARE_HOME_FLAG": "N",
+      "DE_FLAG": "N"
+    }
+  ]
+}

scripts/seed_users/vitaIntegrationTestData/AUTO_RSV_VITA_INT_001.json

@@ -0,0 +1,39 @@
+{
+  "scenario_name": "RSV - Vita Integration - Actionable - You should have the RSV vaccine ( out CP area ) - age catchup - BookLocal",
+  "request_headers": {
+    "nhs-login-nhs-number": "9658218873"
+  },
+  "config_filenames": [
+    "vita_integration_test_config.json"
+  ],
+  "data": [
+    {
+      "NHS_NUMBER": "9658218873",
+      "ATTRIBUTE_TYPE": "COHORTS",
+      "COHORT_MEMBERSHIPS": [
+        {
+          "COHORT_LABEL": "rsv_80_since_02_Sept_2024",
+          "DATE_JOINED": "20231020"
+        }
+      ]
+    },
+    {
+      "NHS_NUMBER": "9658218873",
+      "ATTRIBUTE_TYPE": "PERSON",
+      "DATE_OF_BIRTH": "19500601",
+      "GENDER": "2",
+      "POSTCODE": "CB3 8DX",
+      "POSTCODE_SECTOR": "CB38",
+      "POSTCODE_OUTCODE": "CB3",
+      "MSOA": "E02007085",
+      "LSOA": "E01018223",
+      "GP_PRACTICE_CODE": "D81046",
+      "PCN": "U75549",
+      "ICB": "QUE",
+      "COMMISSIONING_REGION": "Y61",
+      "13Q_FLAG": "N",
+      "CARE_HOME_FLAG": "N",
+      "DE_FLAG": "N"
+    }
+  ]
+}

scripts/seed_users/vitaIntegrationTestData/AUTO_RSV_VITA_INT_002.json

@@ -0,0 +1,35 @@
+{
+  "scenario_name": "RSV - Vita Integration - Actionable - You should have the RSV vaccine ( existing NBS booking ) - empty cohorts - AmendNBS",
+  "request_headers": {
+    "nhs-login-nhs-number": "9658218881"
+  },
+  "config_filenames": [
+    "vita_integration_test_config.json"
+  ],
+  "data": [
+    {
+      "NHS_NUMBER": "9658218881",
+      "ATTRIBUTE_TYPE": "PERSON",
+      "DATE_OF_BIRTH": "19500601",
+      "GENDER": "2",
+      "POSTCODE": "CB3 8DX",
+      "POSTCODE_SECTOR": "CB38",
+      "POSTCODE_OUTCODE": "CB3",
+      "MSOA": "E02007085",
+      "LSOA": "E01018223",
+      "GP_PRACTICE_CODE": "D81046",
+      "PCN": "U75549",
+      "ICB": "QUE",
+      "COMMISSIONING_REGION": "Y61",
+      "13Q_FLAG": "N",
+      "CARE_HOME_FLAG": "N",
+      "DE_FLAG": "N"
+    },
+    {
+      "NHS_NUMBER": "9658218881",
+      "ATTRIBUTE_TYPE": "RSV",
+      "BOOKED_APPOINTMENT_DATE": "<<DATE_DAY_+720>>",
+      "BOOKED_APPOINTMENT_PROVIDER": "NBS"
+    }
+  ]
+}