Merge branch 'main' into ELI-578/consumer-campaign-config-mappings

# Conflicts:
#	src/eligibility_signposting_api/common/request_validator.py
#	tests/unit/common/test_request_validator.py

Author: Karthikeyannhs

.github/workflows/release-candidate.yml

@@ -24,6 +24,7 @@ resource "aws_sfn_state_machine" "rotation_machine" {
         Resource       = "arn:aws:states:::sns:publish.waitForTaskToken",
         TimeoutSeconds = 86400,
         Parameters = {
+          Subject     = "Action required: AWSPENDING secret created (Environment: ${var.environment})",
           TopicArn    = aws_sns_topic.secret_rotation.arn,
           "Message.$" = local.add_jobs_message
         },
@@ -44,6 +45,7 @@ resource "aws_sfn_state_machine" "rotation_machine" {
         Resource       = "arn:aws:states:::sns:publish.waitForTaskToken",
         TimeoutSeconds = 86400,
         Parameters = {
+          Subject     = "Action required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})",
           TopicArn    = aws_sns_topic.secret_rotation.arn,
           "Message.$" = local.delete_jobs_message
         },
@@ -59,7 +61,7 @@ resource "aws_sfn_state_machine" "rotation_machine" {
         Resource = "arn:aws:states:::sns:publish",
         Parameters = {
           TopicArn    = aws_sns_topic.secret_rotation.arn,
-          Subject     = "WARNING: Secret Rotation Timed Out",
+          Subject     = "Warning: Secret rotation timed out (Environment: ${var.environment})",
           "Message.$" = local.timeout_message
         },
         Next = "Fail_Timeout"
@@ -75,7 +77,7 @@ resource "aws_sfn_state_machine" "rotation_machine" {
         Resource = "arn:aws:states:::sns:publish",
         Parameters = {
           TopicArn    = aws_sns_topic.secret_rotation.arn,
-          Subject     = "CRITICAL: Secret Rotation Failed",
+          Subject     = "Critical: Secret Rotation Failed (Environment: ${var.environment})",
           "Message.$" = local.failure_message
         },
         Next = "Fail_Generic"
@@ -91,7 +93,7 @@ locals {
   add_jobs_message = <<EOT
 States.Format('
 ======================================================
-ACTION REQUIRED: PENDING SECRET CREATED
+Action required: AWSPENDING secret created (Environment: ${var.environment})
 ======================================================
 
 A manual action is required to proceed.
@@ -100,20 +102,20 @@ CONTEXT:
 Secret Name: ${module.secrets_manager.aws_hashing_secret_name}
 
 INSTRUCTIONS:
-1. Run the "Add New Hashes" job.
+1. Run the "Add New Hashes (elid_add_new_salt)" job.
 2. Ensure the new hashes are working as expected.
 3. Run the command below to approve and resume the workflow:
 
-aws stepfunctions send-task-success --task-token {}
+aws stepfunctions send-task-success --task-token {} --task-output {}
 
 ======================================================
-', $$.Task.Token)
+', $$.Task.Token, '{}')
 EOT
 
   delete_jobs_message = <<EOT
 States.Format('
 ======================================================
-ACTION REQUIRED: SECRET AWSPENDING PROMOTED TO AWSCURRENT
+Action required: Secret AWSPENDING promoted to AWSCURRENT (Environment: ${var.environment})
 ======================================================
 
 A manual action is required to proceed.
@@ -122,24 +124,27 @@ CONTEXT:
 Secret Name: ${module.secrets_manager.aws_hashing_secret_name}
 
 INSTRUCTIONS:
-1. Run the "Delete Old Hashes" job.
+1. Run the "Delete Old Hashes (elid_delete_old_salt)" job.
 2. Ensure the old hashes have been removed successfully.
 3. Run the command below to approve and resume the workflow:
 
-aws stepfunctions send-task-success --task-token {}
+aws stepfunctions send-task-success --task-token {} --task-output {}
 
 ======================================================
-', $$.Task.Token)
+', $$.Task.Token, '{}')
 EOT
 
   failure_message = <<EOT
 States.Format('
 ======================================================
-CRITICAL: ROTATION FAILED
+Critical: Rotation failed (Environment: ${var.environment})
 ======================================================
 
 The workflow encountered an error and could not complete.
 
+CONTEXT:
+Secret Name: ${module.secrets_manager.aws_hashing_secret_name}
+
 ERROR DETAILS:
 {}
 
@@ -162,7 +167,7 @@ EOT
   timeout_message = <<EOT
 States.Format('
 ======================================================
-WARNING: ROTATION TIMED OUT
+Warning: Rotation timed out (Environment: ${var.environment})
 ======================================================
 
 The manual verification step was not completed within the 24-hour limit.

infrastructure/stacks/api-layer/step_functions.tf

@@ -70,6 +70,7 @@ resource "aws_iam_policy" "lambda_management" {
           "lambda:PutProvisionedConcurrencyConfig",
           "lambda:DeleteProvisionedConcurrencyConfig",
           "lambda:ListProvisionedConcurrencyConfigs",
+          "lambda:PutFunctionConcurrency",
 
         ],
         Resource = [
@@ -290,7 +291,8 @@ resource "aws_iam_policy" "api_infrastructure" {
           # CloudWatch Logs subscription filters for CSOC forwarding
           "logs:PutSubscriptionFilter",
           "logs:DeleteSubscriptionFilter",
-          "logs:DescribeSubscriptionFilters"
+          "logs:DescribeSubscriptionFilters",
+          "logs:PutRetentionPolicy"
         ],
         Resource = [
           # VPC Flow Logs
@@ -304,7 +306,8 @@ resource "aws_iam_policy" "api_infrastructure" {
           # WAF v2 logs (both naming conventions)
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/wafv2/*",
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-wafv2-logs-*",
-          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-waf-logs-*"
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:aws-waf-logs-*",
+          "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/stepfunctions/*"
         ]
       },
       {
@@ -427,7 +430,11 @@ resource "aws_iam_policy" "api_infrastructure" {
           # State Machine
           "states:DescribeStateMachine",
           "states:ListStateMachineVersions",
-          "states:ListTagsForResource"
+          "states:ListTagsForResource",
+          "states:ValidateStateMachineDefinition",
+          "states:CreateStateMachine",
+          "states:TagResource",
+          "states:UpdateStateMachine",
         ],
 
 
@@ -450,7 +457,8 @@ resource "aws_iam_policy" "api_infrastructure" {
           "arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/cloudwatch-alarm-state-change-to-splunk*",
           "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/webacl/*",
           "arn:aws:wafv2:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:regional/managedruleset/*",
-          "arn:aws:states:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:stateMachine:SecretRotationWorkflow",
+          "arn:aws:states:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:stateMachine:*",
+          "arn:aws:events:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:rule/*"
         ]
       },
     ]

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -21,18 +21,15 @@ data "aws_iam_policy_document" "permissions_boundary" {
       # CloudWatch - monitoring and alarms
       "cloudwatch:PutMetricAlarm",
       "cloudwatch:DeleteAlarms",
-      "cloudwatch:DescribeAlarms",
-      "cloudwatch:DescribeAlarmsForMetric",
+      "cloudwatch:DescribeAlarms*",
       "cloudwatch:ListTagsForResource",
       "cloudwatch:TagResource",
       "cloudwatch:UntagResource",
       "cloudwatch:GetDashboard",
       "cloudwatch:GetMetricWidgetImage",
 
       # DynamoDB - table management
-      "dynamodb:DescribeTimeToLive",
-      "dynamodb:DescribeTable",
-      "dynamodb:DescribeContinuousBackups",
+      "dynamodb:Describe*",
       "dynamodb:ListTables",
       "dynamodb:DeleteTable",
       "dynamodb:CreateTable",
@@ -47,12 +44,10 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "ec2:ModifyVpcBlockPublicAccessOptions",
       "ec2:CreateTags",
       "ec2:DeleteTags",
-      "ec2:CreateNetworkAclEntry",
-      "ec2:DeleteNetworkAclEntry",
-      "ec2:CreateNetworkAcl",
-      "ec2:DeleteNetworkAcl",
+      "ec2:CreateNetworkAcl*",
+      "ec2:DeleteNetworkAcl*",
       "ec2:AssociateRouteTable",
-      "ec2:CreateVpc",
+      "ec2:CreateVpc*",
       "ec2:ModifyVpcAttribute",
       "ec2:DeleteVpc",
       "ec2:CreateRouteTable",
@@ -62,7 +57,6 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "ec2:RevokeSecurityGroupEgress",
       "ec2:AuthorizeSecurityGroupIngress",
       "ec2:AuthorizeSecurityGroupEgress",
-      "ec2:CreateVpcEndpoint",
       "ec2:CreateFlowLogs",
       "ec2:ReplaceNetworkAclAssociation",
       "ec2:DeleteSecurityGroup",
@@ -93,13 +87,10 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "firehose:StopDeliveryStreamEncryption",
 
       # IAM - specific role and policy management
-      "iam:GetRole",
-      "iam:GetRolePolicy",
-      "iam:GetPolicy",
-      "iam:GetPolicyVersion",
-      "iam:ListRoles",
+      "iam:GetRole*",
+      "iam:GetPolicy*",
+      "iam:ListRole*",
       "iam:ListPolicies",
-      "iam:ListRolePolicies",
       "iam:ListAttachedRolePolicies",
       "iam:ListPolicyVersions",
       "iam:CreateRole",
@@ -110,10 +101,8 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "iam:PutRolePermissionsBoundary",
       "iam:AttachRolePolicy",
       "iam:DetachRolePolicy",
-      "iam:CreatePolicy",
-      "iam:CreatePolicyVersion",
-      "iam:DeletePolicy",
-      "iam:DeletePolicyVersion",
+      "iam:CreatePolicy*",
+      "iam:DeletePolicy*",
       "iam:TagRole",
       "iam:UntagPolicy",
       "iam:PassRole",
@@ -122,13 +111,9 @@ data "aws_iam_policy_document" "permissions_boundary" {
 
       # KMS - encryption key management
       "kms:CreateKey",
-      "kms:DescribeKey",
       "kms:Describe*",
       "kms:CreateAlias",
-      "kms:ListKeys",
       "kms:List*",
-      "kms:ListAliases",
-      "kms:GetKeyPolicy",
       "kms:GetKeyPolicy*",
       "kms:GetKeyRotationStatus",
       "kms:DeleteAlias",
@@ -140,19 +125,15 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "kms:ScheduleKeyDeletion",
       "kms:PutKeyPolicy",
       "kms:Encrypt",
-      "kms:Decrypt",
       "kms:Decrypt*",
       "kms:ReEncrypt*",
       "kms:GenerateDataKey",
 
       # Lambda - function management
       "lambda:CreateFunction",
-      "lambda:UpdateFunctionCode",
-      "lambda:UpdateFunctionConfiguration",
+      "lambda:UpdateFunction*",
       "lambda:DeleteFunction",
-      "lambda:GetFunction",
-      "lambda:GetFunctionConfiguration",
-      "lambda:GetFunctionCodeSigningConfig",
+      "lambda:GetFunction*",
       "lambda:ListVersionsByFunction",
       "lambda:TagResource",
       "lambda:UntagResource",
@@ -171,44 +152,26 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "lambda:PutProvisionedConcurrencyConfig",
       "lambda:DeleteProvisionedConcurrencyConfig",
       "lambda:ListProvisionedConcurrencyConfigs",
+      "lambda:PutFunctionConcurrency",
 
       # CloudWatch Logs - log management
       "logs:*",
 
       # S3 - bucket and object management
       "s3:GetLifecycleConfiguration",
       "s3:PutLifecycleConfiguration",
-      "s3:GetBucketVersioning",
       "s3:GetEncryptionConfiguration",
       "s3:PutEncryptionConfiguration",
-      "s3:GetBucketPolicy",
-      "s3:GetBucketObjectLockConfiguration",
-      "s3:GetBucketLogging",
       "s3:GetReplicationConfiguration",
-      "s3:GetBucketWebsite",
-      "s3:GetBucketRequestPayment",
-      "s3:GetBucketCORS",
-      "s3:GetBucketAcl",
-      "s3:PutBucketAcl",
       "s3:GetAccelerateConfiguration",
       "s3:ListBucket",
-      "s3:GetObject",
-      "s3:PutObject",
+      "s3:GetObject*",
+      "s3:PutObject*",
       "s3:DeleteObject",
-      "s3:GetBucketLocation",
-      "s3:GetBucketPublicAccessBlock",
-      "s3:PutBucketCORS",
+      "s3:GetBucket*",
       "s3:CreateBucket",
       "s3:DeleteBucket",
-      "s3:GetBucketTagging",
-      "s3:PutBucketPolicy",
-      "s3:PutBucketVersioning",
-      "s3:PutBucketPublicAccessBlock",
-      "s3:PutBucketLogging",
-      "s3:GetObjectTagging",
-      "s3:PutObjectTagging",
-      "s3:GetObjectVersion",
-      "s3:PutBucketTagging",
+      "s3:PutBucket*",
 
       # SNS - notification management
       "sns:CreateTopic",
@@ -221,23 +184,20 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "sns:UntagResource",
       "sns:Subscribe",
       "sns:Unsubscribe",
-      "sns:ListSubscriptions",
-      "sns:ListSubscriptionsByTopic",
+      "sns:ListSubscriptions*",
       "sns:GetSubscriptionAttributes",
 
       # SSM - parameter management
       "ssm:DescribeParameters",
-      "ssm:GetParameter",
-      "ssm:GetParameters",
+      "ssm:GetParameter*",
       "ssm:ListTagsForResource",
       "ssm:PutParameter",
       "ssm:AddTagsToResource",
 
       # WAFv2 - web application firewall management
       "wafv2:CreateWebACL",
       "wafv2:DeleteWebACL",
-      "wafv2:GetWebACL",
-      "wafv2:GetWebACLForResource",
+      "wafv2:GetWebACL*",
       "wafv2:UpdateWebACL",
       "wafv2:ListWebACLs",
       "wafv2:TagResource",
@@ -255,7 +215,11 @@ data "aws_iam_policy_document" "permissions_boundary" {
       # State Machine management
       "states:DescribeStateMachine",
       "states:ListStateMachineVersions",
-      "states:ListTagsForResource"
+      "states:ListTagsForResource",
+      "states:ValidateStateMachineDefinition",
+      "states:CreateStateMachine",
+      "states:TagResource",
+      "states:UpdateStateMachine",
     ]
 
     resources = ["*"]

infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf

@@ -128,7 +128,7 @@ def log_and_generate_response(
     fhir_display_message="An unexpected internal server error occurred.",
 )
 
-NHS_NUMBER_MISMATCH_ERROR = APIErrorResponse(
+NHS_NUMBER_ERROR = APIErrorResponse(
     status_code=HTTPStatus.FORBIDDEN,
     fhir_issue_code=FHIRIssueCode.FORBIDDEN,
     fhir_issue_severity=FHIRIssueSeverity.ERROR,