move API gateway to stateless stack

wildjames · wildjames · commit 0728630964ca · 2026-04-09T14:49:09.000Z
diff --git a/.github/workflows/cdk_release_code.yml b/.github/workflows/cdk_release_code.yml
@@ -29,6 +29,18 @@ on:
       IS_PULL_REQUEST:
         type: boolean
         required: true
+      TRUSTSTORE_FILE:
+        type: string
+        required: true
+      FORWARD_CSOC_LOGS:
+        type: boolean
+        required: true
+      DEPLOY_CHECK_PRESCRIPTION_STATUS_UPDATE:
+        type: boolean
+        required: true
+      EXPOSE_GET_STATUS_UPDATES:
+        type: boolean
+        required: true
       pinned_image:
         required: true
         type: string
@@ -91,6 +103,10 @@ jobs:
           CDK_CONFIG_environment: "${{ inputs.AWS_ENVIRONMENT }}"
           CDK_CONFIG_logRetentionInDays: "${{ inputs.LOG_RETENTION_IN_DAYS }}"
           CDK_CONFIG_logLevel: "${{ inputs.LOG_LEVEL }}"
+          CDK_CONFIG_trustStoreFile: "${{ inputs.TRUSTSTORE_FILE }}"
+          CDK_CONFIG_forwardCsocLogs: "${{ inputs.FORWARD_CSOC_LOGS }}"
+          CDK_CONFIG_deployCheckPrescriptionStatusUpdate: "${{ inputs.DEPLOY_CHECK_PRESCRIPTION_STATUS_UPDATE }}"
+          CDK_CONFIG_exposeGetStatusUpdates: "${{ inputs.EXPOSE_GET_STATUS_UPDATES }}"
           REQUIRE_APPROVAL: "never"
 
 # later, there will be API deployment steps c.f. https://github.com/NHSDigital/electronic-prescription-service-clinical-prescription-tracker/blob/main/.github/workflows/cdk_release_code.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -81,6 +81,10 @@ jobs:
       LOG_RETENTION_IN_DAYS: "30"
       LOG_LEVEL: DEBUG
       IS_PULL_REQUEST: false
+      TRUSTSTORE_FILE: psu-truststore.pem
+      FORWARD_CSOC_LOGS: false
+      DEPLOY_CHECK_PRESCRIPTION_STATUS_UPDATE: true
+      EXPOSE_GET_STATUS_UPDATES: false
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
 
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -124,6 +124,10 @@ jobs:
       LOG_RETENTION_IN_DAYS: "30"
       LOG_LEVEL: DEBUG
       IS_PULL_REQUEST: true
+      TRUSTSTORE_FILE: psu-truststore.pem
+      FORWARD_CSOC_LOGS: false
+      DEPLOY_CHECK_PRESCRIPTION_STATUS_UPDATE: true
+      EXPOSE_GET_STATUS_UPDATES: false
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -83,6 +83,10 @@ jobs:
       LOG_RETENTION_IN_DAYS: "30"
       LOG_LEVEL: DEBUG
       IS_PULL_REQUEST: false
+      TRUSTSTORE_FILE: psu-truststore.pem
+      FORWARD_CSOC_LOGS: false
+      DEPLOY_CHECK_PRESCRIPTION_STATUS_UPDATE: true
+      EXPOSE_GET_STATUS_UPDATES: false
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
 
diff --git a/Makefile b/Makefile
@@ -8,6 +8,10 @@ export CDK_CONFIG_isPullRequest=true
 export CDK_CONFIG_environment=dev
 export CDK_CONFIG_logRetentionInDays=30
 export CDK_CONFIG_logLevel=DEBUG
+export CDK_CONFIG_trustStoreFile=psu-truststore.pem
+export CDK_CONFIG_forwardCsocLogs=false
+export CDK_CONFIG_deployCheckPrescriptionStatusUpdate=true
+export CDK_CONFIG_exposeGetStatusUpdates=false
 
 guard-%:
 	@ if [ "${${*}}" = "" ]; then \
diff --git a/packages/cdk/bin/PsuStatelessApp.ts b/packages/cdk/bin/PsuStatelessApp.ts
@@ -1,4 +1,10 @@
-import {calculateVersionedStackName, createApp, getConfigFromEnvVar} from "@nhsdigital/eps-cdk-constructs"
+import {
+  calculateVersionedStackName,
+  createApp,
+  getBooleanConfigFromEnvVar,
+  getConfigFromEnvVar,
+  getNumberConfigFromEnvVar
+} from "@nhsdigital/eps-cdk-constructs"
 import {PsuStatelessStack} from "../stacks/PsuStatelessStack"
 
 async function main() {
@@ -11,7 +17,13 @@ async function main() {
 
   new PsuStatelessStack(app, "PsuStatelessStack", {
     ...props,
-    stackName: calculateVersionedStackName(getConfigFromEnvVar("stackName"), props)
+    stackName: calculateVersionedStackName(getConfigFromEnvVar("stackName"), props),
+    logRetentionInDays: getNumberConfigFromEnvVar("logRetentionInDays"),
+    mutualTlsTrustStoreKey: props.isPullRequest ? undefined : getConfigFromEnvVar("trustStoreFile"),
+    csocApiGatewayDestination: "arn:aws:logs:eu-west-2:693466633220:destination:api_gateway_log_destination",
+    forwardCsocLogs: getBooleanConfigFromEnvVar("forwardCsocLogs"),
+    deployCheckPrescriptionStatusUpdate: getBooleanConfigFromEnvVar("deployCheckPrescriptionStatusUpdate"),
+    exposeGetStatusUpdates: getBooleanConfigFromEnvVar("exposeGetStatusUpdates")
   })
 }
 
diff --git a/packages/cdk/resources/Apis.ts b/packages/cdk/resources/Apis.ts
@@ -0,0 +1,151 @@
+import {LambdaIntegration, PassthroughBehavior, StepFunctionsIntegration} from "aws-cdk-lib/aws-apigateway"
+import {IManagedPolicy} from "aws-cdk-lib/aws-iam"
+import {HttpMethod} from "aws-cdk-lib/aws-lambda"
+import {Construct} from "constructs"
+import {
+  ExpressStateMachine,
+  LambdaEndpoint,
+  RestApiGateway,
+  StateMachineEndpoint,
+  TypescriptLambdaFunction
+} from "@nhsdigital/eps-cdk-constructs"
+
+export interface ApisProps {
+  readonly stackName: string
+  readonly logRetentionInDays: number
+  readonly mutualTlsTrustStoreKey: string | undefined
+  readonly forwardCsocLogs: boolean
+  readonly csocApiGatewayDestination: string
+  readonly deployCheckPrescriptionStatusUpdate: boolean
+  readonly exposeGetStatusUpdates: boolean
+  functions: {[key: string]: TypescriptLambdaFunction}
+  stateMachines: {[key: string]: ExpressStateMachine}
+}
+
+export class Apis extends Construct {
+  public constructor(scope: Construct, id: string, props: ApisProps) {
+    super(scope, id)
+
+    // Collect execution policies for all resources that need API Gateway access
+    const executionPolicies: Array<IManagedPolicy> = [
+      props.stateMachines.updatePrescriptionStatus.executionPolicy,
+      props.stateMachines.format1UpdatePrescriptionsStatus.executionPolicy,
+      props.functions.status.executionPolicy,
+      props.functions.capabilityStatement.executionPolicy,
+      props.functions.nhsNotifyUpdateCallback.executionPolicy
+    ]
+
+    if (props.exposeGetStatusUpdates) {
+      executionPolicies.push(props.functions.getStatusUpdates.executionPolicy)
+    }
+
+    if (props.deployCheckPrescriptionStatusUpdate) {
+      executionPolicies.push(props.functions.checkPrescriptionStatusUpdates.executionPolicy)
+    }
+
+    const apiGateway = new RestApiGateway(this, "RestApiGateway", {
+      stackName: props.stackName,
+      logRetentionInDays: props.logRetentionInDays,
+      mutualTlsTrustStoreKey: props.mutualTlsTrustStoreKey,
+      forwardCsocLogs: props.forwardCsocLogs,
+      csocApiGatewayDestination: props.csocApiGatewayDestination,
+      executionPolicies
+    })
+
+    const rootResource = apiGateway.api.root
+
+    // POST / — UpdatePrescriptionStatus state machine integration (root resource)
+    rootResource.addMethod(
+      HttpMethod.POST,
+      StepFunctionsIntegration.startExecution(
+        props.stateMachines.updatePrescriptionStatus.stateMachine,
+        {
+          credentialsRole: apiGateway.role,
+          passthroughBehavior: PassthroughBehavior.WHEN_NO_MATCH
+        }
+      ),
+      {
+        methodResponses: [
+          {statusCode: "200"},
+          {statusCode: "400"},
+          {statusCode: "500"}
+        ]
+      }
+    )
+
+    // POST /format-1 — Format1 state machine integration
+    new StateMachineEndpoint(this, "Format1UpdatePrescriptionStatusEndpoint", {
+      parentResource: rootResource,
+      resourceName: "format-1",
+      method: HttpMethod.POST,
+      restApiGatewayRole: apiGateway.role,
+      stateMachine: props.stateMachines.format1UpdatePrescriptionsStatus
+    })
+
+    // POST /notification-delivery-status-callback — Lambda proxy integration
+    new LambdaEndpoint(this, "NotificationDeliveryStatusCallbackEndpoint", {
+      parentResource: rootResource,
+      resourceName: "notification-delivery-status-callback",
+      method: HttpMethod.POST,
+      restApiGatewayRole: apiGateway.role,
+      lambdaFunction: props.functions.nhsNotifyUpdateCallback
+    })
+
+    // GET /_status — Lambda proxy integration
+    new LambdaEndpoint(this, "StatusEndpoint", {
+      parentResource: rootResource,
+      resourceName: "_status",
+      method: HttpMethod.GET,
+      restApiGatewayRole: apiGateway.role,
+      lambdaFunction: props.functions.status
+    })
+
+    // GET /metadata — Lambda proxy integration
+    new LambdaEndpoint(this, "CapabilityStatementEndpoint", {
+      parentResource: rootResource,
+      resourceName: "metadata",
+      method: HttpMethod.GET,
+      restApiGatewayRole: apiGateway.role,
+      lambdaFunction: props.functions.capabilityStatement
+    })
+
+    // GET /checkprescriptionstatusupdates — conditional Lambda proxy integration
+    if (props.deployCheckPrescriptionStatusUpdate) {
+      new LambdaEndpoint(this, "CheckPrescriptionStatusUpdatesEndpoint", {
+        parentResource: rootResource,
+        resourceName: "checkprescriptionstatusupdates",
+        method: HttpMethod.GET,
+        restApiGatewayRole: apiGateway.role,
+        lambdaFunction: props.functions.checkPrescriptionStatusUpdates
+      })
+    }
+
+    // POST /get-status-updates — conditional Lambda integration (non-proxy)
+    if (props.exposeGetStatusUpdates) {
+      const getStatusUpdatesResource = rootResource.addResource("get-status-updates")
+      getStatusUpdatesResource.addMethod(
+        HttpMethod.POST,
+        new LambdaIntegration(props.functions.getStatusUpdates.function, {
+          credentialsRole: apiGateway.role,
+          proxy: false,
+          requestTemplates: {
+            "application/json": "$input.json('$')"
+          },
+          integrationResponses: [
+            {
+              statusCode: "200",
+              responseTemplates: {
+                "application/json": "$input.body"
+              }
+            }
+          ]
+        }),
+        {
+          methodResponses: [
+            {statusCode: "200"}
+          ]
+        }
+      )
+    }
+  }
+}
diff --git a/packages/cdk/stacks/PsuStatelessStack.ts b/packages/cdk/stacks/PsuStatelessStack.ts
@@ -4,13 +4,33 @@ import {StandardStackProps} from "@nhsdigital/eps-cdk-constructs"
 
 export interface PsuStatelessStackProps extends StandardStackProps {
   readonly stackName: string
+  readonly logRetentionInDays: number
+  readonly mutualTlsTrustStoreKey: string | undefined
+  readonly forwardCsocLogs: boolean
+  readonly csocApiGatewayDestination: string
+  readonly deployCheckPrescriptionStatusUpdate: boolean
+  readonly exposeGetStatusUpdates: boolean
 }
 
 export class PsuStatelessStack extends Stack {
   public constructor(scope: App, id: string, props: PsuStatelessStackProps) {
     super(scope, id, props)
 
-    // Resources will be added here as they are migrated from SAM templates
+    // Apis construct will be instantiated here once Functions and StateMachines are migrated:
+    //
+    // const functions = new Functions(this, "Functions", { ... })
+    // const stateMachines = new StateMachines(this, "StateMachines", { ... })
+    // new Apis(this, "Apis", {
+    //   stackName: props.stackName,
+    //   logRetentionInDays: props.logRetentionInDays,
+    //   mutualTlsTrustStoreKey: props.mutualTlsTrustStoreKey,
+    //   forwardCsocLogs: props.forwardCsocLogs,
+    //   csocApiGatewayDestination: props.csocApiGatewayDestination,
+    //   deployCheckPrescriptionStatusUpdate: props.deployCheckPrescriptionStatusUpdate,
+    //   exposeGetStatusUpdates: props.exposeGetStatusUpdates,
+    //   functions: functions.functions,
+    //   stateMachines: stateMachines.stateMachines,
+    // })
 
     nagSuppressions(this)
   }
diff --git a/packages/cdk/tsconfig.json b/packages/cdk/tsconfig.json
@@ -28,6 +28,7 @@
   "include": [
     "stacks/**/*",
     "bin/**/*",
+    "resources/**/*",
     "nagSuppressions.ts"
   ],
   "exclude": [
