ELI-365 - over 80s

.github/workflows/cicd-2-publish.yaml

@@ -141,7 +141,7 @@ jobs:
       #     asset_name: lambda-${{ needs.metadata.outputs.version }}.zip
       #     asset_content_type: application/zip
       - name: "Notify Slack on PR merge"
-        uses: slackapi/slack-github-action@v2.1.0
+        uses: slackapi/slack-github-action@v2.1.1
         with:
           webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
           webhook-type: webhook-trigger

.tool-versions

@@ -3,8 +3,9 @@
 terraform 1.12.1
 pre-commit 4.2.0
 vale 3.11.2
-poetry 2.1.3
+poetry 2.1.4
 act 0.2.77
+nodejs 22.18.0
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.

README.md

@@ -189,15 +189,25 @@ graph TB
         direction TB
         App["app.py (WireUp DI)"]
         Config["config.py, error_handler.py"]
+        subgraph "Audit Layer"
+            direction TB
+            Audit["audit/audit_service.py"]
+            AuditModels["audit/audit_models.py"]
+        end
+        subgraph "Validation Layer"
+            direction TB
+            Validator["common/request_validator.py"]
+            ApiErrResp["common/api_error_response.py"]
+        end
         subgraph "Presentation Layer"
             direction TB
             View["views/eligibility.py"]
-            ResponseModel["views/response_model/eligibility.py"]
+            ResponseModel["views/response_model/eligibility_response.py"]
         end
         subgraph "Business Logic Layer"
             direction TB
             Service["services/eligibility_services.py"]
-            Operators["services/rules/operators.py"]
+            Operators["services/operators/operators.py"]
         end
         subgraph "Data Access Layer"
             direction TB
@@ -207,24 +217,30 @@ graph TB
         end
         subgraph "Models"
             direction TB
-            ModelElig["model/eligibility.py"]
-            ModelRules["model/rules.py"]
+            ModelElig["model/eligibility_status.py"]
+            ModelRules["model/campaign_config.py"]
         end
     end
 
     Lambda -->|"loads"| App
     App -->|injects| View
     View -->|calls| Service
+    View -->|validates via| Validator
+    View -->|audits via| Audit
+    View -->|uses| RespModel
+    Audit -->|uses| AuditModels
+    Validator -->|uses| ApiErrResp
+
     Service -->|calls| Operators
     Service -->|calls| PersonRepo
     Service -->|calls| CampaignRepo
     PersonRepo -->|uses| DynamoDB
     CampaignRepo -->|uses| S3Bucket
-    View -->|uses| ResponseModel
     App -->|reads| Config
+    App -->|wires| Factory
+
     Service -->|uses| ModelElig
     Operators -->|uses| ModelRules
-    App -->|wires| Factory
 
 ```
 

infrastructure/modules/dynamodb/dynamodb.tf

@@ -2,6 +2,7 @@ resource "aws_dynamodb_table" "dynamodb_table" {
   name         = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-${var.table_name_suffix}"
   billing_mode = "PAY_PER_REQUEST"
   hash_key     = var.partition_key
+  deletion_protection_enabled = var.environment == "prod"
 
   attribute {
     name = var.partition_key

infrastructure/modules/lambda/lambda.tf

@@ -22,6 +22,7 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
       KINESIS_AUDIT_STREAM_TO_S3 = var.kinesis_audit_stream_to_s3_name
       ENV                        = var.environment
       LOG_LEVEL                  = var.log_level
+      ENABLE_XRAY_PATCHING       = var.enable_xray_patching
     }
   }
 

infrastructure/modules/lambda/variables.tf

@@ -47,3 +47,8 @@ variable "log_level" {
   description = "log level"
   type        = string
 }
+
+variable "enable_xray_patching"{
+  description = "flag to enable xray tracing, which puts an entry for dynamodb, s3 and firehose in trace map"
+  type        = string
+}

infrastructure/modules/s3/s3.tf

@@ -105,14 +105,57 @@ data "aws_iam_policy_document" "access_logs_s3_bucket_policy" {
       variable = "aws:SecureTransport"
     }
   }
+
+  # Allow S3 Log Delivery service to write access logs
+  statement {
+    sid    = "S3ServerAccessLogsPolicy"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["logging.s3.amazonaws.com"]
+    }
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = [
+      "${aws_s3_bucket.storage_bucket_access_logs.arn}/*"
+    ]
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_s3_bucket.storage_bucket.arn]
+    }
+  }
+
+  # Allow S3 Log Delivery service to check bucket location and get bucket ACL
+  statement {
+    sid    = "S3ServerAccessLogsDeliveryRootAccess"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["logging.s3.amazonaws.com"]
+    }
+    actions = [
+      "s3:GetBucketAcl",
+      "s3:ListBucket"
+    ]
+    resources = [
+      aws_s3_bucket.storage_bucket_access_logs.arn
+    ]
+    condition {
+      test     = "ArnEquals"
+      variable = "aws:SourceArn"
+      values   = [aws_s3_bucket.storage_bucket.arn]
+    }
+  }
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "storage_bucket_access_logs_server_side_encryption_config" {
   bucket = aws_s3_bucket.storage_bucket_access_logs.id
 
   rule {
     apply_server_side_encryption_by_default {
-      sse_algorithm = "aws:kms"
+      sse_algorithm     = "aws:kms"
       kms_master_key_id = aws_kms_key.storage_bucket_cmk.arn
     }
   }

infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf

@@ -33,7 +33,8 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {
       "support:*",
       "sqs:*",
       "tag:*",
-      "trustedadvisor:*"
+      "trustedadvisor:*",
+      "xray:*"
     ]
 
     resources = ["*"]