From a2488054d7f8bc3d311e5b4c1085559bfced725c Mon Sep 17 00:00:00 2001
From: Shweta <216860557+shweta-nhs@users.noreply.github.com>
Date: Wed, 16 Jul 2025 16:10:37 +0100
Subject: [PATCH] Revert "ELI-331: Mask PII/GDPR info (#239)"

This reverts commit 14d6a5ec9cc71b193e68ffc7169fdb3e3a1c2ee6.
---
 .../modules/api_gateway/cloudwatch.tf | 93 -------------------
 .../services/eligibility_services.py | 7 --
 .../lambda/test_app_running_as_lambda.py | 4 +
 3 files changed, 4 insertions(+), 100 deletions(-)
diff --git a/infrastructure/modules/api_gateway/cloudwatch.tf b/infrastructure/modules/api_gateway/cloudwatch.tf
index a124c8434..272a1c465 100644
--- a/infrastructure/modules/api_gateway/cloudwatch.tf
+++ b/infrastructure/modules/api_gateway/cloudwatch.tf
@@ -8,96 +8,3 @@ resource "aws_cloudwatch_log_group" "api_gateway" {
 prevent_destroy = false
 }
 }
-
-resource "aws_cloudwatch_log_data_protection_policy" "api_gateway_data_protection" {
- log_group_name = aws_cloudwatch_log_group.api_gateway.name
- policy_document = jsonencode({
- Name = "data-protection-policy"
- Version = "2021-06-01"
- Statement = [
- {
- Sid = "MaskSensitiveData"
- Effect = "Deny"
- Principal = { "AWS" : "*" }
- Action = "cloudwatch:PutLogEvents"
- Resource = "*"
- DataIdentifier = [
- "arn:aws:dataprotection::aws:data-identifier/DateOfBirth",
- "arn:aws:dataprotection::aws:data-identifier/UkPostcode",
- "arn:aws:dataprotection::aws:data-identifier/Custom:UkPostcodeSector",
- "arn:aws:dataprotection::aws:data-identifier/Custom:GpPracticeCode",
- "arn:aws:dataprotection::aws:data-identifier/Custom:13QFlag",
- "arn:aws:dataprotection::aws:data-identifier/Custom:CareHomeFlag",
- "arn:aws:dataprotection::aws:data-identifier/Custom:DEFlag",
- "arn:aws:dataprotection::aws:data-identifier/Custom:RemovalReasonCode",
- "arn:aws:dataprotection::aws:data-identifier/Custom:ValidDosesCount",
- "arn:aws:dataprotection::aws:data-identifier/Custom:InvalidDosesCount",
- "arn:aws:dataprotection::aws:data-identifier/Custom:LastSuccessfulDate",
- "arn:aws:dataprotection::aws:data-identifier/Custom:LastValidDoseDate",
- "arn:aws:dataprotection::aws:data-identifier/Custom:CohortLabel"
-
- ]
- Operation = {
- "cloudwatch:Mask" = {}
- }
- },
- ]
- CustomDataIdentifier = [
- {
- Name = "UkPostcodeSector"
- Regex = "[A-Z]{1,2}[0-9R-9][0A-Z]? 
?[0-9]"
- Severity = "High"
- },
- {
- Name = "GpPracticeCode"
- Regex = "GP_PRACTICE[\\s\\\"':=]*([A-Z][0-9]{5})"
- Severity = "High"
- },
- {
- Name = "13QFlag"
- Regex = "13Q_FLAG[\\s\\\"':=]*[YN]"
- Severity = "High"
- },
- {
- Name = "CareHomeFlag"
- Regex = "CARE_HOME_FLAG[\\s\\\"':=]*[YN]"
- Severity = "High"
- },
- {
- Name = "DEFlag"
- Regex = "DE_FLAG[\\s\\\"':=]*[YN]"
- Severity = "High"
- },
- {
- Name = "RemovalReasonCode"
- Regex = "REMOVAL_REASON_CODE[\\s\\\"':=]*([A-Z]{3})"
- Severity = "High"
- },
- {
- Name = "ValidDosesCount"
- Regex = "VALID_DOSES_COUNT[\\s\\\"':=]*([0-9]{1,2}|100)"
- Severity = "High"
- },
- {
- Name = "InvalidDosesCount"
- Regex = "INVALID_DOSES_COUNT[\\s\\\"':=]*([0-9]{1,2}|100)"
- Severity = "High"
- },
- {
- Name = "LastSuccessfulDate"
- Regex = "LAST_SUCCESSFUL_DATE[\\s\\\"':=]*([0-9]{8})"
- Severity = "High"
- },
- {
- Name = "LastValidDoseDate"
- Regex = "LAST_VALID_DOSE_DATE[\\s\\\"':=]*([0-9]{8})"
- Severity = "High"
- },
- {
- Name = "CohortLabel"
- Regex = "COHORT_LABEL[\\s\\\"':=]*([A-Za-z0-9_ -]{1,100})"
- Severity = "High"
- }
- ]
- })
-}
diff --git a/src/eligibility_signposting_api/services/eligibility_services.py b/src/eligibility_signposting_api/services/eligibility_services.py
index e8db56d69..48586290b 100644
--- a/src/eligibility_signposting_api/services/eligibility_services.py
+++ b/src/eligibility_signposting_api/services/eligibility_services.py
@@ -51,13 +51,6 @@ def get_eligibility_status(
 "nhs_number": nhs_number,
 },
 )
-
- if person_data and person_data[0] and campaign_configs and campaign_configs[0]:
- logger.info("Test data masking person data: %r", person_data[0])
- logger.info(
- "Test data masking campaign config data: %r", campaign_configs[0].model_dump(by_alias=True)
- )
-
 except NotFoundError as e:
 raise UnknownPersonError from e
 else:
diff --git a/tests/integration/lambda/test_app_running_as_lambda.py b/tests/integration/lambda/test_app_running_as_lambda.py
index 3328a8939..b157fe44f 100644
--- a/tests/integration/lambda/test_app_running_as_lambda.py
+++ b/tests/integration/lambda/test_app_running_as_lambda.py
@@ -1,3 +1,4 @@
+import base64
 import json
 import logging
 from http import HTTPStatus
@@ -68,6 +69,7 @@ def test_install_and_call_lambda_flask(
 Payload=json.dumps(request_payload),
 LogType="Tail",
 )
+ log_output = base64.b64decode(response["LogResult"]).decode("utf-8")
 # Then
 assert_that(response, has_entries(StatusCode=HTTPStatus.OK))
@@ -78,6 +80,8 @@ def test_install_and_call_lambda_flask(
 has_entries(statusCode=HTTPStatus.OK, body=is_json_that(has_key("processedSuggestions"))),
 )
+ assert_that(log_output, contains_string("person_data"))
+
 def test_install_and_call_flask_lambda_over_http(
 persisted_person: NHSNumber,
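Review bot: The strict `.decode("utf-8")` on `response["LogResult"]` in the `@@ -68,6 +69,7 @@` hunk can fail for reasons unrelated to the code under test. With `LogType="Tail"` Lambda returns only the last 4 KB of the execution log, so the slice may start in the middle of a multi-byte character, and the entry the test later searches for may already have scrolled out of it. `log_output = base64.b64decode(response["LogResult"]).decode("utf-8", errors="replace")` removes the decode failure, and a comment such as `# LogResult holds only the last 4 KB of the execution log` would tell the next reader why a log assertion here can flake. The test function starts and ends outside this hunk.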
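Review bot: `assert_that(log_output, contains_string("person_data"))` in the `@@ -78,6 +80,8 @@` hunk makes a `person_data` entry in the Lambda log a condition for the test passing. What that entry carries is not visible in this patch. The same commit removes the only log masking policy shown here, the `aws_cloudwatch_log_data_protection_policy` on the API Gateway log group. If the entry includes the person record or the NHS number, the suite now requires patient data to be logged in clear text. I would document the expectation next to the assertion, for example `# "person_data" is matched as a field name only; the entry must not contain NHS numbers or record values`. Where the test has the NHS number in scope (an assumption, since its signature is outside the hunk), I would pair it with a negative check such as `assert_that(log_output, not_(contains_string(str(nhs_number))))`.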