Revert "ELI-331: Mask PII/GDPR info (#239)" (#240)

shweta-nhs · web-flow · commit b465617bfd27 · 2025-07-16T16:22:52.000+01:00
This reverts commit 14d6a5e.
diff --git a/infrastructure/modules/api_gateway/cloudwatch.tf b/infrastructure/modules/api_gateway/cloudwatch.tf
@@ -8,96 +8,3 @@ resource "aws_cloudwatch_log_group" "api_gateway" {
     prevent_destroy = false
   }
 }
-
-resource "aws_cloudwatch_log_data_protection_policy" "api_gateway_data_protection" {
-  log_group_name = aws_cloudwatch_log_group.api_gateway.name
-  policy_document = jsonencode({
-    Name    = "data-protection-policy"
-    Version = "2021-06-01"
-    Statement = [
-      {
-        Sid      = "MaskSensitiveData"
-        Effect   = "Deny"
-        Principal = { "AWS" : "*" }
-        Action   = "cloudwatch:PutLogEvents"
-        Resource = "*"
-        DataIdentifier = [
-          "arn:aws:dataprotection::aws:data-identifier/DateOfBirth",
-          "arn:aws:dataprotection::aws:data-identifier/UkPostcode",
-          "arn:aws:dataprotection::aws:data-identifier/Custom:UkPostcodeSector",
-          "arn:aws:dataprotection::aws:data-identifier/Custom:GpPracticeCode",
-          "arn:aws:dataprotection::aws:data-identifier/Custom:13QFlag",
-          "arn:aws:dataprotection::aws:data-identifier/Custom:CareHomeFlag",
-          "arn:aws:dataprotection::aws:data-identifier/Custom:DEFlag",
-          "arn:aws:dataprotection::aws:data-identifier/Custom:RemovalReasonCode",
-          "arn:aws:dataprotection::aws:data-identifier/Custom:ValidDosesCount",
-          "arn:aws:dataprotection::aws:data-identifier/Custom:InvalidDosesCount",
-          "arn:aws:dataprotection::aws:data-identifier/Custom:LastSuccessfulDate",
-          "arn:aws:dataprotection::aws:data-identifier/Custom:LastValidDoseDate",
-          "arn:aws:dataprotection::aws:data-identifier/Custom:CohortLabel"
-
-        ]
-        Operation = {
-          "cloudwatch:Mask" = {}
-        }
-      },
-    ]
-    CustomDataIdentifier = [
-      {
-        Name     = "UkPostcodeSector"
-        Regex    = "[A-Z]{1,2}[0-9R-9][0A-Z]? ?[0-9]"
-        Severity = "High"
-      },
-      {
-        Name     = "GpPracticeCode"
-        Regex    = "GP_PRACTICE[\\s\\\"':=]*([A-Z][0-9]{5})"
-        Severity = "High"
-      },
-      {
-        Name     = "13QFlag"
-        Regex    = "13Q_FLAG[\\s\\\"':=]*[YN]"
-        Severity = "High"
-      },
-      {
-        Name     = "CareHomeFlag"
-        Regex    = "CARE_HOME_FLAG[\\s\\\"':=]*[YN]"
-        Severity = "High"
-      },
-      {
-        Name     = "DEFlag"
-        Regex    = "DE_FLAG[\\s\\\"':=]*[YN]"
-        Severity = "High"
-      },
-      {
-        Name     = "RemovalReasonCode"
-        Regex    = "REMOVAL_REASON_CODE[\\s\\\"':=]*([A-Z]{3})"
-        Severity = "High"
-      },
-      {
-        Name     = "ValidDosesCount"
-        Regex    = "VALID_DOSES_COUNT[\\s\\\"':=]*([0-9]{1,2}|100)"
-        Severity = "High"
-      },
-      {
-        Name     = "InvalidDosesCount"
-        Regex    = "INVALID_DOSES_COUNT[\\s\\\"':=]*([0-9]{1,2}|100)"
-        Severity = "High"
-      },
-      {
-        Name     = "LastSuccessfulDate"
-        Regex    = "LAST_SUCCESSFUL_DATE[\\s\\\"':=]*([0-9]{8})"
-        Severity = "High"
-      },
-      {
-        Name     = "LastValidDoseDate"
-        Regex    = "LAST_VALID_DOSE_DATE[\\s\\\"':=]*([0-9]{8})"
-        Severity = "High"
-      },
-      {
-        Name     = "CohortLabel"
-        Regex    = "COHORT_LABEL[\\s\\\"':=]*([A-Za-z0-9_ -]{1,100})"
-        Severity = "High"
-      }
-    ]
-  })
-}
diff --git a/src/eligibility_signposting_api/services/eligibility_services.py b/src/eligibility_signposting_api/services/eligibility_services.py
@@ -51,13 +51,6 @@ def get_eligibility_status(
                         "nhs_number": nhs_number,
                     },
                 )
-
-                if person_data and person_data[0] and campaign_configs and campaign_configs[0]:
-                    logger.info("Test data masking person data: %r", person_data[0])
-                    logger.info(
-                        "Test data masking campaign config data: %r", campaign_configs[0].model_dump(by_alias=True)
-                    )
-
             except NotFoundError as e:
                 raise UnknownPersonError from e
             else:
diff --git a/tests/integration/lambda/test_app_running_as_lambda.py b/tests/integration/lambda/test_app_running_as_lambda.py
@@ -1,3 +1,4 @@
+import base64
 import json
 import logging
 from http import HTTPStatus
@@ -68,6 +69,7 @@ def test_install_and_call_lambda_flask(
         Payload=json.dumps(request_payload),
         LogType="Tail",
     )
+    log_output = base64.b64decode(response["LogResult"]).decode("utf-8")
 
     # Then
     assert_that(response, has_entries(StatusCode=HTTPStatus.OK))
@@ -78,6 +80,8 @@ def test_install_and_call_lambda_flask(
         has_entries(statusCode=HTTPStatus.OK, body=is_json_that(has_key("processedSuggestions"))),
     )
 
+    assert_that(log_output, contains_string("person_data"))
+
 
 def test_install_and_call_flask_lambda_over_http(
     persisted_person: NHSNumber,
