Commit e5a5587

Authored by seansteberisal, shweta-nhs, ayeshalshukri1-nhs, robbailiff2 and dependabot[bot]
ELI-365 - over 80s (#288)
* ELI-318: Adds content-type in 404 and 500 error response (#232)
* ELI-294: Personalised/customised status text (#234)
* ELI-294: Personalised/customised status text
* ELI-294: Personalised/customised status text
* ELI-294: Adds unit tests for Status Enum
* ELI-294: Fix sonar issues
* ELI-318: Adds application/fhir+json as valid mime type in Mangum (#235)
* ELI-331: Mask PII/GDPR info (#239)
* ELI-331: Mask PII/GDPR info
* ELI-331: Fix formatting
* ELI-331: Fix format and lint
* Revert "ELI-331: Mask PII/GDPR info (#239)" (#240)
  This reverts commit 14d6a5e.
* Feature/eli 295 generic text for not eligible xrules (#238)
* WIP: drafting out X and Y rules.
* WIP: updated config with x and y rule idea.
* WIP: Stub out x and y rules impl
* WIP: stubbing out impl.
* Refactored action support functions and renamed vars
* WIP: Added X/Y Rule logic and test.
* Added tests for eligible and actionable actions.
* WIP: Added more tests for X and Y rule scenarios.
* WIP: flaky tests.
* WIP: Fixed failing tests for empty actions.
* WIP: added audit record check to tests.
* WIP: file format and added audit rule priority and name test.
* Working tests. Refactored some audit logic.
* Minor refactor
* Addressed linting issues
* WIP: fixed failing unit tests.
* Format.
* Added tests.
* File format
---------
Co-authored-by: Robert <rob.bailiff1@nhs.net>
* Bump polyfactory from 2.21.0 to 2.22.1
  ---
  updated-dependencies:
  - dependency-name: polyfactory
    dependency-version: 2.22.1
    dependency-type: direct:development
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* Revert "Bump polyfactory from 2.21.0 to 2.22.1" (#241)
* Bump aiohttp from 3.12.13 to 3.12.14
  ---
  updated-dependencies:
  - dependency-name: aiohttp
    dependency-version: 3.12.14
    dependency-type: direct:development
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* provided appropriate values factory methods in tests (#245)
* Refactor package structure (#247)
* eli-343 following on from suggestions from AWS Security Hub, restricting access to public internet via Internet Gateway, and adding table protection in Prod for DynamoDB
* add lambda request id in logs events (#248)
* add lambda request id in logs events
* linting fix
* revoked custom formatter and reapplied JsonFormatter
* revoked formatting
* added wrapper for registering requestid
* Adds unit tests for log format
---------
Co-authored-by: Shweta <216860557+shweta-nhs@users.noreply.github.com>
* Feature/rgjb aa eli 329 add xray tracing for lambda (#243)
* Added xray permissions policy for lambda
* Add xray vpc endpoint
* Added xray to the permissions boundary
* Added xray to the assumed role permissions boundary
* Testing permission boundary.
* testing perm bound.
---------
Co-authored-by: ayeshalshukri1-nhs <112615598+ayeshalshukri1-nhs@users.noreply.github.com>
* bugfix - Github action needs permission to modify public access block
* bugfix - changing permission to be wildcard resource, as it's an account level permission
* Added api gateway request id, moved request id logging to app.py (#252)
* ELI-351 and ELI-342: Refactors and fixes Cohort Schema Mismatch (#253)
* Adds campaign_evaluator and tests
* Adds person_data_reader and tests
* Injects person data reader and campaign processor into eligibility calculator
* ELI-342 Dynamo Cohort Schema Mismatch
* ELI-342: Fixes usage of person cohorts method and tests
* Feature/eli 369 dynamodb x ray tracing (#256)
* handled none headers from request
* x-ray tracing setup for dynamo, s3, firehose
* enable_xray_patching env variable for lambda
* sonar fixes
---------
Co-authored-by: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
* Bump slackapi/slack-github-action from 2.1.0 to 2.1.1
  Bumps [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) from 2.1.0 to 2.1.1.
  - [Release notes](https://github.com/slackapi/slack-github-action/releases)
  - [Commits](slackapi/slack-github-action@v2.1.0...v2.1.1)
  ---
  updated-dependencies:
  - dependency-name: slackapi/slack-github-action
    dependency-version: 2.1.1
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* ELI-351: Refactor (#254)
* ELI-351: Renames rules model to campaign_config
* ELI-351: Extracts Person data class
* ELI-351: Adds rule processor
* ELI-351: Adds tests for rule processor
* ELI-351: Moves get_cohort_group_results to rule processor
* ELI-351: Adds tests for rule processor
* ELI-351: Adds cohort handler using Chain of responsibility pattern
* ELI-351: Renames
* ELI-351: Fixes lint
* ELI-351: Renames evaluate_eligibility to get_eligibility_status
* ELI-351: Refactoring to get better readability for chaining
* ELI-351: Fix lint
* Bump botocore from 1.38.42 to 1.38.46
  Bumps [botocore](https://github.com/boto/botocore) from 1.38.42 to 1.38.46.
  - [Commits](boto/botocore@1.38.42...1.38.46)
  ---
  updated-dependencies:
  - dependency-name: botocore
    dependency-version: 1.38.46
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* Bump moto from 5.1.6 to 5.1.9
  Bumps [moto](https://github.com/getmoto/moto) from 5.1.6 to 5.1.9.
  - [Release notes](https://github.com/getmoto/moto/releases)
  - [Changelog](https://github.com/getmoto/moto/blob/master/CHANGELOG.md)
  - [Commits](getmoto/moto@5.1.6...5.1.9)
  ---
  updated-dependencies:
  - dependency-name: moto
    dependency-version: 5.1.9
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* Bump localstack from 4.5.0 to 4.6.0
  Bumps [localstack](https://github.com/localstack/localstack) from 4.5.0 to 4.6.0.
  - [Release notes](https://github.com/localstack/localstack/releases)
  - [Commits](localstack/localstack@v4.5.0...v4.6.0)
  ---
  updated-dependencies:
  - dependency-name: localstack
    dependency-version: 4.6.0
    dependency-type: direct:development
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* Bump pytest-asyncio from 1.0.0 to 1.1.0
  ---
  updated-dependencies:
  - dependency-name: pytest-asyncio
    dependency-version: 1.1.0
    dependency-type: direct:development
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* Bump pytest-docker from 3.2.2 to 3.2.3
  Bumps [pytest-docker](https://github.com/avast/pytest-docker) from 3.2.2 to 3.2.3.
  - [Release notes](https://github.com/avast/pytest-docker/releases)
  - [Changelog](https://github.com/avast/pytest-docker/blob/master/CHANGELOG.md)
  - [Commits](avast/pytest-docker@v3.2.2...v3.2.3)
  ---
  updated-dependencies:
  - dependency-name: pytest-docker
    dependency-version: 3.2.3
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* ELI-351: Refactor (#258)
* ELI-351: Refactor
* ELI-351: Adds tests for action rule handler
* ELI-351: Renames and fixes tests
* ELI-351: Renames and fixes tests
* Bump asgiref from 3.8.1 to 3.9.1
  Bumps [asgiref](https://github.com/django/asgiref) from 3.8.1 to 3.9.1.
  - [Changelog](https://github.com/django/asgiref/blob/main/CHANGELOG.txt)
  - [Commits](django/asgiref@3.8.1...3.9.1)
  ---
  updated-dependencies:
  - dependency-name: asgiref
    dependency-version: 3.9.1
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* Bump gitpython from 3.1.44 to 3.1.45
  Bumps [gitpython](https://github.com/gitpython-developers/GitPython) from 3.1.44 to 3.1.45.
  - [Release notes](https://github.com/gitpython-developers/GitPython/releases)
  - [Changelog](https://github.com/gitpython-developers/GitPython/blob/main/CHANGES)
  - [Commits](gitpython-developers/GitPython@3.1.44...3.1.45)
  ---
  updated-dependencies:
  - dependency-name: gitpython
    dependency-version: 3.1.45
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* Bump pyright from 1.1.402 to 1.1.403
  Bumps [pyright](https://github.com/RobertCraigie/pyright-python) from 1.1.402 to 1.1.403.
  - [Release notes](https://github.com/RobertCraigie/pyright-python/releases)
  - [Commits](RobertCraigie/pyright-python@v1.1.402...v1.1.403)
  ---
  updated-dependencies:
  - dependency-name: pyright
    dependency-version: 1.1.403
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* ELI-351: Moves/deletes tests after refactoring (#265)
* ELI-351: Moves/deletes tests after refactoring
* ELI-351: Extracts EligibilityResultBuilder and adds tests
* ELI-351: De-extracts EligibilityResultBuilder and moves tests to Eligibility Calculator tests
* ELI-351: Removes duplicated tests
* ELI-351: Removes duplicated tests #2
* ELI-351: Adds validation and audit layer to Readme
* Bump aiohttp from 3.12.14 to 3.12.15
  ---
  updated-dependencies:
  - dependency-name: aiohttp
    dependency-version: 3.12.15
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* trying an approach to ensure correct version of python used in lambda build (#271)
* ELI-311: Campaign Config Data Type Changes (#269)
* eli-285 and eli-349 adding cloudwatch alarms for a) security and b) ops - API Gateway and Lambda execution
* eli-285 - disabling action on API calls as our internal security are triggering this
* eli-285 and 349 adding kms for sns, checkov skip for disabled alarms
* work in progress
* eli-285 enable kms key rotation
* eli-285 get rid of false flag gitleak
* eli-388 adding access log permissions for audit buckets
* eli-386 blocking s3 public access at account level
* ELI-376: Audit record should log multiple F and S rules (#275)
* ELI-376: Audit record should log multiple F and S rules
* ELI-376: Fixing int test
* ELI-150: campaign config validation (#264)
* validations - wip
* iteration validation
* iteration rules
* campaign config validation
* made BUC tests bit more clear
* Renaming for clarity.
* lint and formatting fixes.
* wip
* Integration Rules Test
* Actions mapper validator
* Iterations BUC
* available_actions tests
* lint fixes
* lint fixes
* Bump asgiref from 3.8.1 to 3.9.1
  Bumps [asgiref](https://github.com/django/asgiref) from 3.8.1 to 3.9.1.
  - [Changelog](https://github.com/django/asgiref/blob/main/CHANGELOG.txt)
  - [Commits](django/asgiref@3.8.1...3.9.1)
  ---
  updated-dependencies:
  - dependency-name: asgiref
    dependency-version: 3.9.1
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* Bump gitpython from 3.1.44 to 3.1.45
  Bumps [gitpython](https://github.com/gitpython-developers/GitPython) from 3.1.44 to 3.1.45.
  - [Release notes](https://github.com/gitpython-developers/GitPython/releases)
  - [Changelog](https://github.com/gitpython-developers/GitPython/blob/main/CHANGES)
  - [Commits](gitpython-developers/GitPython@3.1.44...3.1.45)
  ---
  updated-dependencies:
  - dependency-name: gitpython
    dependency-version: 3.1.45
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* Bump pyright from 1.1.402 to 1.1.403
  Bumps [pyright](https://github.com/RobertCraigie/pyright-python) from 1.1.402 to 1.1.403.
  - [Release notes](https://github.com/RobertCraigie/pyright-python/releases)
  - [Commits](RobertCraigie/pyright-python@v1.1.402...v1.1.403)
  ---
  updated-dependencies:
  - dependency-name: pyright
    dependency-version: 1.1.403
    dependency-type: direct:development
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* ELI-351: Moves/deletes tests after refactoring (#265)
* ELI-351: Moves/deletes tests after refactoring
* ELI-351: Extracts EligibilityResultBuilder and adds tests
* ELI-351: De-extracts EligibilityResultBuilder and moves tests to Eligibility Calculator tests
* ELI-351: Removes duplicated tests
* ELI-351: Removes duplicated tests #2
* ELI-351: Adds validation and audit layer to Readme
* wip - has failing tests
* test fixed and lint error fixed
* warning fixed
* rules validation added
* test commit
* tests updated w.r.t to datatype changes from main
* updated output message
* arguments added to app.py
* sonar fix
* sonar fix
* sonar fix
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Shweta <216860557+shweta-nhs@users.noreply.github.com>
* eli-386 adding github permissions to make account level public access block changes
* all tests passing
* Revert "eli-386 blocking s3 public access at account level"
* extracting method for readability
* ELI-399: Fixing Future Iteration.StartDate Resulting in 500 Error (#282)
* ELI-399: Fixing Future Iteration.StartDate Resulting in 500 Error
* ELI-399: Adds empty rules to fix flakiness
* applying to filter rules and adding test
* ELI-397: Fixing nhs number missing from path error to be FHIR compliant (#284)
* Added new tests updated poetry version
* ELI-399: Fixing start date validation (#287)
* ELI-399: Fixing start date validation
* ELI-399: Fixing annotation
* ELI-328: cohort validations (#281)
* test action mapper doesn't accept invalid actions
* Attribute level and name relations when it is cohort
* added iteration_cohorts_validation
* changing the validations
* fix
* fix
* fix lint
* fix lint
* lint fixes
* lint fixes
* test fixes
* lint fixes
* Removed defaultcomms from iteration level of test config.
* Reorder fields in config.
* Update to config.
* default comm routing validation
* unit tests default comm routing validation
* default comm routing validation in rules
* lint fixes
* test data fixed
* grouped model validators
---------
Co-authored-by: ayeshalshukri1-nhs <112615598+ayeshalshukri1-nhs@users.noreply.github.com>
* fixed new tests
* ELI-404: Fix Error message returned for authorisation failure (#289)
* ELI-404: Fix Error message returned for authorisation failure
* ELI-404: Fix sonar
* update packages
* Bugfix to change response grouping from name to priority (#286)
* changed grouping from name to priority
* changed grouping from name to priority, type
* sonar code complexity fix
* sonar code complexity fix
* updated names in the code for better clarity
* regroup the suitability tests
* fix - ordering regroup the suitability tests
* test for cohort groups
---------
Co-authored-by: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
* ELI-397: AWS api gateway to handle bad request param error (#291)
* Changes to tests added 1 more test fixed 365 config to work with all test cases
* linting and formatting update package updates
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Shweta <216860557+shweta-nhs@users.noreply.github.com>
Co-authored-by: ayeshalshukri1-nhs <112615598+ayeshalshukri1-nhs@users.noreply.github.com>
Co-authored-by: Robert <rob.bailiff1@nhs.net>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: eddalmond1 <edd.almond1@nhs.net>
Co-authored-by: Karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Co-authored-by: eddalmond1 <102675624+eddalmond1@users.noreply.github.com>
Co-authored-by: TOEL2 <tom.eldridge1@nhs.net>
1 parent: 8e0f86f. Commit: e5a5587

127 files changed

Lines changed: 7536 additions & 4222 deletions

Some content is hidden


.github/workflows/cicd-2-publish.yaml

Lines changed: 1 addition & 1 deletion
@@ -141,7 +141,7 @@ jobs:
141141
# asset_name: lambda-${{ needs.metadata.outputs.version }}.zip
142142
# asset_content_type: application/zip
143143
- name: "Notify Slack on PR merge"
144-
uses: slackapi/slack-github-action@v2.1.0
144+
uses: slackapi/slack-github-action@v2.1.1
145145
with:
146146
webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
147147
webhook-type: webhook-trigger
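Review bot: the bump on line 144 still pins `slackapi/slack-github-action` by a mutable tag (`@v2.1.1`), so the step runs whatever commit that tag points to at run time and hands it `secrets.SLACK_WEBHOOK_URL`. Pin third-party actions to the full commit SHA with the version kept in a trailing comment, e.g. `uses: slackapi/slack-github-action@<sha> # v2.1.1` (the `<sha>` is a placeholder to be taken from the v2.1.1 release); Dependabot keeps updating SHA-pinned actions, so the maintenance cost is the same.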

.tool-versions

Lines changed: 2 additions & 1 deletion
@@ -3,8 +3,9 @@
33
terraform 1.12.1
44
pre-commit 4.2.0
55
vale 3.11.2
6-
poetry 2.1.3
6+
poetry 2.1.4
77
act 0.2.77
8+
nodejs 22.18.0
89

910
# ==============================================================================
1011
# The section below is reserved for Docker image versions.
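Review bot: the new `nodejs 22.18.0` entry on line 8 has no matching item in the commit message saying what now needs Node (the Lambda build, a pre-commit hook, a docs tool), so a reader of `.tool-versions` cannot tell whether it is a runtime dependency or a developer convenience. Add a comment above the line, or a README note, naming the tooling that consumes it. The `poetry 2.1.3` to `2.1.4` bump on line 6 matches the "updated poetry version" item and needs nothing further.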

README.md

Lines changed: 22 additions & 6 deletions
@@ -189,15 +189,25 @@ graph TB
189189
direction TB
190190
App["app.py (WireUp DI)"]
191191
Config["config.py, error_handler.py"]
192+
subgraph "Audit Layer"
193+
direction TB
194+
Audit["audit/audit_service.py"]
195+
AuditModels["audit/audit_models.py"]
196+
end
197+
subgraph "Validation Layer"
198+
direction TB
199+
Validator["common/request_validator.py"]
200+
ApiErrResp["common/api_error_response.py"]
201+
end
192202
subgraph "Presentation Layer"
193203
direction TB
194204
View["views/eligibility.py"]
195-
ResponseModel["views/response_model/eligibility.py"]
205+
ResponseModel["views/response_model/eligibility_response.py"]
196206
end
197207
subgraph "Business Logic Layer"
198208
direction TB
199209
Service["services/eligibility_services.py"]
200-
Operators["services/rules/operators.py"]
210+
Operators["services/operators/operators.py"]
201211
end
202212
subgraph "Data Access Layer"
203213
direction TB
@@ -207,24 +217,30 @@ graph TB
207217
end
208218
subgraph "Models"
209219
direction TB
210-
ModelElig["model/eligibility.py"]
211-
ModelRules["model/rules.py"]
220+
ModelElig["model/eligibility_status.py"]
221+
ModelRules["model/campaign_config.py"]
212222
end
213223
end
214224
215225
Lambda -->|"loads"| App
216226
App -->|injects| View
217227
View -->|calls| Service
228+
View -->|validates via| Validator
229+
View -->|audits via| Audit
230+
View -->|uses| RespModel
231+
Audit -->|uses| AuditModels
232+
Validator -->|uses| ApiErrResp
233+
218234
Service -->|calls| Operators
219235
Service -->|calls| PersonRepo
220236
Service -->|calls| CampaignRepo
221237
PersonRepo -->|uses| DynamoDB
222238
CampaignRepo -->|uses| S3Bucket
223-
View -->|uses| ResponseModel
224239
App -->|reads| Config
240+
App -->|wires| Factory
241+
225242
Service -->|uses| ModelElig
226243
Operators -->|uses| ModelRules
227-
App -->|wires| Factory
228244
229245
```
230246
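Review bot: the new edge `View -->|uses| RespModel` on line 230 refers to a node id that is never declared; the node declared in the Presentation Layer is `ResponseModel["views/response_model/eligibility_response.py"]`, and the old edge `View -->|uses| ResponseModel` is deleted on line 223. Mermaid will silently auto-create a bare `RespModel` node and leave the real response-model node disconnected from the view. Change the edge to `View -->|uses| ResponseModel`. Moving `App -->|wires| Factory` from line 227 up to line 240 is a harmless reorder.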

infrastructure/modules/dynamodb/dynamodb.tf

Lines changed: 1 addition & 0 deletions
@@ -2,6 +2,7 @@ resource "aws_dynamodb_table" "dynamodb_table" {
22
name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-${var.table_name_suffix}"
33
billing_mode = "PAY_PER_REQUEST"
44
hash_key = var.partition_key
5+
deletion_protection_enabled = var.environment == "prod"
56

67
attribute {
78
name = var.partition_key
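Review bot: `deletion_protection_enabled = var.environment == "prod"` on line 5 ties the safeguard to an exact string match, so a stack that passes `production`, `Prod` or any other spelling gets a table with deletion protection silently off, and the name expression on line 2 shows this module already accepts whatever `var.environment` the caller supplies. Prefer an explicit `bool` variable (for example a `deletion_protection` input set per stack) or a `validation` block on `var.environment` that restricts it to the known set of values, so a typo fails at plan time rather than at the first accidental `terraform destroy`. Deletion protection only blocks `DeleteTable`; if the goal is recoverability, point-in-time recovery is the complementary setting.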

infrastructure/modules/lambda/lambda.tf

Lines changed: 1 addition & 0 deletions
@@ -22,6 +22,7 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
2222
KINESIS_AUDIT_STREAM_TO_S3 = var.kinesis_audit_stream_to_s3_name
2323
ENV = var.environment
2424
LOG_LEVEL = var.log_level
25+
ENABLE_XRAY_PATCHING = var.enable_xray_patching
2526
}
2627
}
2728
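Review bot: `ENABLE_XRAY_PATCHING = var.enable_xray_patching` on line 25 passes the flag through as an opaque string, and nothing in this diff says which spellings the Python side treats as on (`true`, `True`, `1`?). Render it deliberately, e.g. `ENABLE_XRAY_PATCHING = tostring(var.enable_xray_patching)` with the variable typed `bool`, so only `"true"` or `"false"` ever reach the function, and document the accepted value next to the other environment variables. Since the description of this variable says the patching covers the DynamoDB, S3 and Firehose clients, also confirm what those patched calls record in trace subsegments before enabling it where person data is read; this commit message separately records a PII-masking change (ELI-331) that was reverted.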

infrastructure/modules/lambda/variables.tf

Lines changed: 5 additions & 0 deletions
@@ -47,3 +47,8 @@ variable "log_level" {
4747
description = "log level"
4848
type = string
4949
}
50+
51+
variable "enable_xray_patching"{
52+
description = "flag to enable xray tracing, which puts an entry for dynamodb, s3 and firehose in trace map"
53+
type = string
54+
}
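Review bot: `variable "enable_xray_patching"{` on line 51 has no `default`, so every stack that instantiates this module must now supply the value or `terraform plan` fails, and `type = string` on line 53 for what the description calls a flag invites values like `yes` or `1`. Declare it `type = bool` with `default = false` so tracing is opt-in per environment, and add the space before `{` to match the `log_level` block above it.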

infrastructure/modules/s3/s3.tf

Lines changed: 44 additions & 1 deletion
@@ -105,14 +105,57 @@ data "aws_iam_policy_document" "access_logs_s3_bucket_policy" {
105105
variable = "aws:SecureTransport"
106106
}
107107
}
108+
109+
# Allow S3 Log Delivery service to write access logs
110+
statement {
111+
sid = "S3ServerAccessLogsPolicy"
112+
effect = "Allow"
113+
principals {
114+
type = "Service"
115+
identifiers = ["logging.s3.amazonaws.com"]
116+
}
117+
actions = [
118+
"s3:PutObject"
119+
]
120+
resources = [
121+
"${aws_s3_bucket.storage_bucket_access_logs.arn}/*"
122+
]
123+
condition {
124+
test = "ArnEquals"
125+
variable = "aws:SourceArn"
126+
values = [aws_s3_bucket.storage_bucket.arn]
127+
}
128+
}
129+
130+
# Allow S3 Log Delivery service to check bucket location and get bucket ACL
131+
statement {
132+
sid = "S3ServerAccessLogsDeliveryRootAccess"
133+
effect = "Allow"
134+
principals {
135+
type = "Service"
136+
identifiers = ["logging.s3.amazonaws.com"]
137+
}
138+
actions = [
139+
"s3:GetBucketAcl",
140+
"s3:ListBucket"
141+
]
142+
resources = [
143+
aws_s3_bucket.storage_bucket_access_logs.arn
144+
]
145+
condition {
146+
test = "ArnEquals"
147+
variable = "aws:SourceArn"
148+
values = [aws_s3_bucket.storage_bucket.arn]
149+
}
150+
}
108151
}
109152

110153
resource "aws_s3_bucket_server_side_encryption_configuration" "storage_bucket_access_logs_server_side_encryption_config" {
111154
bucket = aws_s3_bucket.storage_bucket_access_logs.id
112155

113156
rule {
114157
apply_server_side_encryption_by_default {
115-
sse_algorithm = "aws:kms"
158+
sse_algorithm = "aws:kms"
116159
kms_master_key_id = aws_kms_key.storage_bucket_cmk.arn
117160
}
118161
}
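Review bot: the two new statements (lines 109 to 150) grant `logging.s3.amazonaws.com` write access to the access-logs bucket, but the same bucket's default encryption on lines 158 and 159 is `aws:kms` with a customer-managed key, and the AWS documentation for S3 server access logging states that the destination bucket supports only SSE-S3 (AES256) default encryption, not SSE-KMS. If the motivation for this change was that access logs were not arriving ("eli-388 adding access log permissions for audit buckets"), the policy may not be the cause; verify that log objects actually land after deployment and, if not, switch the access-logs bucket's default encryption to `AES256` rather than widening the policy further. Smaller points: AWS's reference policy pairs `aws:SourceArn` with a `StringEquals` condition on `aws:SourceAccount`, which is worth adding here; the logging service principal needs only `s3:PutObject`, so the `s3:GetBucketAcl`/`s3:ListBucket` statement is probably unnecessary and its sid `S3ServerAccessLogsDeliveryRootAccess` misdescribes what it grants; and line 158 is a whitespace-only change.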

infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf

Lines changed: 2 additions & 1 deletion
@@ -33,7 +33,8 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {
3333
"support:*",
3434
"sqs:*",
3535
"tag:*",
36-
"trustedadvisor:*"
36+
"trustedadvisor:*",
37+
"xray:*"
3738
]
3839

3940
resources = ["*"]
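Review bot: adding `"xray:*"` on line 37 to a boundary whose `resources = ["*"]` caps the Lambda role at the whole X-Ray API, including read operations such as `xray:GetTraceSummaries` and `xray:BatchGetTraces`, which would let a compromised function read other workloads' traces in the account. Emitting traces needs only `xray:PutTraceSegments` and `xray:PutTelemetryRecords` (plus `xray:GetSamplingRules`, `xray:GetSamplingTargets` and `xray:GetSamplingStatisticSummaries` if centralised sampling is used). A permissions boundary should be at least as narrow as the role policies it is meant to bound, so list those actions instead of the wildcard, even though the neighbouring `sqs:*`, `support:*` and `trustedadvisor:*` entries already set a looser precedent.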

0 commit comments

Comments
 (0)