New: [AEA-5199] - Setup notifications flow (#1546)

## Summary

- ✨ New Feature

### Details

This PR is to add the various components needed for the NHS notify
integration to the PSU.

There are four new things to deploy:
- EventBridge scheduler
- Lambda function to handle the processing, triggered by the scheduler
- SQS (eventually to be populated by the existing PSU function)
- Notifications state Dynamo database

Initially, the only requirement is that the lambda function is executed
every minute. The PSU will not push anything to SQS yet. The lambda will
only log that it has been run.

Author: wildjames

.pre-commit-config.yaml

@@ -86,6 +86,16 @@ repos:
         files: ^packages\/checkPrescriptionStatusUpdates
         types_or: [ts, tsx, javascript, jsx, json]
         pass_filenames: false
+        
+      - id: lint-nhsNotifyLambda
+        name: Lint nhsNotifyLambda
+        entry: npm
+        args:
+          ["run", "--prefix=packages/nhsNotifyLambda", "lint"]
+        language: system
+        files: ^packages\/nhsNotifyLambda
+        types_or: [ts, tsx, javascript, jsx, json]
+        pass_filenames: false
 
       - id: lint-commonTesting
         name: Lint common/testing

.vscode/eps-prescription-status-update-api.code-workspace

@@ -28,6 +28,10 @@
       "name": "packages/cpsuLambda",
       "path": "../packages/cpsuLambda"
     },
+    {
+      "name": "packages/nhsNotifyLambda",
+      "path": "../packages/nhsNotifyLambda"
+    },
     {
       "name": "packages/capabilityStatement",
       "path": "../packages/capabilityStatement"
@@ -36,6 +40,10 @@
       "name": "packages/checkPrescriptionStatusUpdates",
       "path": "../packages/checkPrescriptionStatusUpdates"
     },
+    {
+      "name": "packages/common/commonTypes",
+      "path": "../packages/common/commonTypes"
+    },
     {
       "name": "packages/common/testing",
       "path": "../packages/common/testing"

Makefile

@@ -116,8 +116,10 @@ lint-node: compile-node
 	npm run lint --workspace packages/capabilityStatement
 	npm run lint --workspace packages/cpsuLambda
 	npm run lint --workspace packages/checkPrescriptionStatusUpdates
+	npm run lint --workspace packages/nhsNotifyLambda
 	npm run lint --workspace packages/common/testing
 	npm run lint --workspace packages/common/middyErrorHandler
+	npm run lint --workspace packages/common/commonTypes
 
 lint-specification: compile-specification
 	npm run lint --workspace packages/specification
@@ -144,6 +146,7 @@ test: compile
 	npm run test --workspace packages/capabilityStatement
 	npm run test --workspace packages/cpsuLambda
 	npm run test --workspace packages/checkPrescriptionStatusUpdates
+	npm run test --workspace packages/nhsNotifyLambda
 	npm run test --workspace packages/common/middyErrorHandler
 
 clean:
@@ -159,9 +162,12 @@ clean:
 	rm -rf packages/capabilityStatement/lib
 	rm -rf packages/cpsuLambda/coverage
 	rm -rf packages/cpsuLambda/lib
+	rm -rf packages/nhsNotifyLambda/coverage
+	rm -rf packages/nhsNotifyLambda/lib
 	rm -rf packages/checkPrescriptionStatusUpdates/lib
 	rm -rf packages/common/testing/lib
 	rm -rf packages/common/middyErrorHandler/lib
+	rm -rf packages/common/commonTypes/lib
 	rm -rf .aws-sam
 
 deep-clean: clean

README.md

@@ -19,6 +19,7 @@ This is the AWS layer that provides an API for EPS Prescription Status Update.
 - `packages/statusLambda/` Returns the status of the updatePrescriptionStatus endpoint
 - `packages/capabilityStatement/` Returns a static capability statement.
 - `packages/cpsuLambda` Handles updating prescription status using a custom format.
+- `packages/nhsNotifyLambda` Handles sending prescription notifications to the NHS notify service.
 - `scripts/` Utilities helpful to developers of this specification.
 - `postman/` Postman collections to call the APIs. Documentation on how to use them are in the collections.
 - `SAMtemplates/` Contains the SAM templates used to define the stacks.

SAMtemplates/functions/main.yaml

@@ -25,6 +25,14 @@ Parameters:
     Type: String
     Default: none
 
+  PrescriptionNotificationStateTableName:
+    Type: String
+    Default: none
+
+  NHSNotifyPrescriptionsSQSQueueUrl:
+    Type: String
+    Default: none
+
   LogLevel:
     Type: String
 
@@ -62,6 +70,7 @@ Resources:
       Environment:
         Variables:
           TABLE_NAME: !Ref PrescriptionStatusUpdatesTableName
+          NHS_NOTIFY_PRESCRIPTIONS_SQS_QUEUE_URL: !Ref NHSNotifyPrescriptionsSQSQueueUrl
           LOG_LEVEL: !Ref LogLevel
           ENVIRONMENT: !Ref Environment
           TEST_PRESCRIPTIONS_1: "None"
@@ -96,6 +105,8 @@ Resources:
           - - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionStatusUpdatesTableName}:TableWritePolicyArn
             - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionStatusUpdatesTableName}:TableReadPolicyArn
             - Fn::ImportValue: !Sub ${StackName}:tables:UsePrescriptionStatusUpdatesKMSKeyPolicyArn
+            - Fn::ImportValue: !Sub ${StackName}-UseNotificationSQSQueueKMSKeyPolicyArn
+            - Fn::ImportValue: !Sub ${StackName}-WriteNHSNotifyPrescriptionsSQSQueuePolicyArn
         LogRetentionInDays: !Ref LogRetentionInDays
         CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
         EnableSplunk: !Ref EnableSplunk
@@ -320,6 +331,91 @@ Resources:
         SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole
         SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream
 
+  NHSNotifyLambdaScheduleEventRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - scheduler.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      ManagedPolicyArns:
+        - !Ref NHSNotifyLambdaScheduleEventRolePolicy
+
+  NHSNotifyLambdaScheduleEventRolePolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - lambda:InvokeFunction
+            Resource:
+              - !GetAtt NHSNotifyLambda.Arn
+
+  NHSNotifyLambda:
+    Type: AWS::Serverless::Function
+    Properties:
+      FunctionName: !Sub ${StackName}-NHSNotifyLambda
+      CodeUri: ../../packages/
+      Handler: nhsNotifyLambda.handler
+      Role: !GetAtt NHSNotifyLambdaResources.Outputs.LambdaRoleArn
+      Environment:
+        Variables:
+          LOG_LEVEL: !Ref LogLevel
+          NHS_NOTIFY_PRESCRIPTIONS_SQS_QUEUE_URL: !Ref NHSNotifyPrescriptionsSQSQueueUrl
+          TABLE_NAME: !Ref PrescriptionNotificationStateTableName
+      Events:
+        ScheduleEvent:
+          Type: ScheduleV2
+          Properties:
+            Name: !Sub ${StackName}-NHSNotifySchedule
+            ScheduleExpression: "rate(1 minute)"
+            RoleArn: !GetAtt NHSNotifyLambdaScheduleEventRole.Arn
+    Metadata:
+      BuildMethod: esbuild
+      guard:
+        SuppressedRules:
+        - LAMBDA_DLQ_CHECK
+        - LAMBDA_INSIDE_VPC
+        - LAMBDA_CONCURRENCY_CHECK
+      BuildProperties:
+        Minify: true
+        Target: es2020
+        Sourcemap: true
+        tsconfig: nhsNotifyLambda/tsconfig.json
+        packages: bundle
+        EntryPoints:
+          - nhsNotifyLambda/src/nhsNotifyLambda.ts
+
+  NHSNotifyLambdaResources:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location: lambda_resources.yaml
+      Parameters:
+        StackName: !Ref StackName
+        LambdaName: !Sub ${StackName}-NHSNotifyLambda
+        LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${StackName}-NHSNotifyLambda
+        LogRetentionInDays: !Ref LogRetentionInDays
+        CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
+        EnableSplunk: !Ref EnableSplunk
+        SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole
+        SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream
+        IncludeAdditionalPolicies: true
+        AdditionalPolicies: !Join
+          - ","
+          - - Fn::ImportValue: !Sub ${StackName}-WriteNHSNotifyPrescriptionsSQSQueuePolicyArn
+            - Fn::ImportValue: !Sub ${StackName}-ReadNHSNotifyPrescriptionsSQSQueuePolicyArn
+            - Fn::ImportValue: !Sub ${StackName}-UseNotificationSQSQueueKMSKeyPolicyArn
+            - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionNotificationStateTableName}:TableReadPolicyArn
+            - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionNotificationStateTableName}:TableWritePolicyArn
+            - Fn::ImportValue: !Sub ${StackName}:tables:UsePrescriptionNotificationStateKMSKeyPolicyArn
+
 Outputs:
   UpdatePrescriptionStatusFunctionName:
     Description: The function name of the UpdatePrescriptionStatus lambda
@@ -378,3 +474,11 @@ Outputs:
       - ShouldDeployCheckPrescriptionStatusUpdate
       - !GetAtt CheckPrescriptionStatusUpdates.Arn
       - ""
+
+  NHSNotifyLambdaFunctionName:
+    Description: The function name of the NHS Notify lambda
+    Value: !Ref NHSNotifyLambda
+
+  NHSNotifyLambdaFunctionArn:
+    Description: The function ARN of the NHS Notify lambda
+    Value: !GetAtt NHSNotifyLambda.Arn

SAMtemplates/main_template.yaml

@@ -98,6 +98,13 @@ Resources:
         StackName: !Ref AWS::StackName
         EnableDynamoDBAutoScaling: !Ref EnableDynamoDBAutoScaling
 
+  Messaging:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location: messaging/main.yaml
+      Parameters:
+        StackName: !Ref AWS::StackName
+
   Apis:
     Type: AWS::Serverless::Application
     Properties:
@@ -127,6 +134,8 @@ Resources:
       Parameters:
         StackName: !Ref AWS::StackName
         PrescriptionStatusUpdatesTableName: !GetAtt Tables.Outputs.PrescriptionStatusUpdatesTableName
+        PrescriptionNotificationStateTableName: !GetAtt Tables.Outputs.PrescriptionNotificationStateTableName
+        NHSNotifyPrescriptionsSQSQueueUrl: !GetAtt Messaging.Outputs.NHSNotifyPrescriptionsSQSQueueUrl
         LogLevel: !Ref LogLevel
         LogRetentionInDays: !Ref LogRetentionInDays
         EnableSplunk: !Ref EnableSplunk

SAMtemplates/messaging/main.yaml

@@ -0,0 +1,129 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Transform: AWS::Serverless-2016-10-31
+Description: |
+  SQS messaging stacks used by the PSU
+
+Parameters:
+  StackName:
+    Type: String
+
+Resources:
+  NotificationSQSQueueKMSKey:
+    Type: AWS::KMS::Key
+    Properties:
+      EnableKeyRotation: true
+      KeyPolicy:
+        Version: 2012-10-17
+        Id: NotificationSQSQueueKeyPolicy
+        Statement:
+          - Sid: EnableIAMUserPermissions
+            Effect: Allow
+            Principal:
+              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
+            Action: kms:*
+            Resource: "*"
+
+  NotificationSQSQueueKMSKeyAlias:
+    Type: AWS::KMS::Alias
+    Properties:
+      AliasName: !Sub alias/${StackName}-NotificationSQSQueueKMSKey
+      TargetKeyId: !Ref NotificationSQSQueueKMSKey
+
+  UseNotificationSQSQueueKMSKeyPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: !Sub ${StackName}-UseNotificationSQSQueueKMSKey
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: AllowKmsForSqsEncryption
+            Effect: Allow
+            Action:
+              - kms:DescribeKey
+              - kms:GenerateDataKey*
+              - kms:Encrypt
+              - kms:Decrypt
+            Resource: !GetAtt NotificationSQSQueueKMSKey.Arn
+
+  NHSNotifyPrescriptionsSQSQueue:
+    Type: AWS::SQS::Queue
+    Properties:
+      QueueName: !Sub ${StackName}-NHSNotifyPrescriptions
+      KmsMasterKeyId: !Ref NotificationSQSQueueKMSKeyAlias
+      MessageRetentionPeriod: 86400    # 1 day in seconds
+      RedrivePolicy:
+        deadLetterTargetArn: !GetAtt NHSNotifyPrescriptionsDeadLetterQueue.Arn
+        maxReceiveCount: 5
+      VisibilityTimeout: 300
+
+  NHSNotifyPrescriptionsDeadLetterQueue:
+    Type: AWS::SQS::Queue
+    Properties:
+      QueueName: !Sub ${StackName}-NHSNotifyPrescriptionsDeadLetter
+      KmsMasterKeyId: !Ref NotificationSQSQueueKMSKeyAlias
+      MessageRetentionPeriod: 604800   # 1 week in seconds
+      VisibilityTimeout: 300
+
+  ReadNHSNotifyPrescriptionsSQSQueuePolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - sqs:ReceiveMessage
+              - sqs:DeleteMessage
+              - sqs:ChangeMessageVisibility
+              - sqs:GetQueueAttributes
+              - sqs:GetQueueUrl
+              - kms:GenerateDataKey
+              - kms:Decrypt
+            Resource: !GetAtt NHSNotifyPrescriptionsSQSQueue.Arn
+            
+  WriteNHSNotifyPrescriptionsSQSQueuePolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: !Sub ${StackName}-NHSNotifyPrescriptionsSendMessagePolicy
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - sqs:SendMessage
+              - sqs:SendMessageBatch
+              - sqs:GetQueueUrl
+              - kms:GenerateDataKey
+              - kms:Decrypt
+            Resource: !GetAtt NHSNotifyPrescriptionsSQSQueue.Arn
+            
+Outputs:
+  NHSNotifyPrescriptionsSQSQueueUrl:
+    Description: The URL of the NHS Notify Prescriptions SQS Queue
+    Value: !Ref NHSNotifyPrescriptionsSQSQueue
+    Export:
+      Name: !Sub ${StackName}-NHSNotifyPrescriptionsSQSQueueUrl
+
+  NHSNotifyPrescriptionsSQSQueueArn:
+    Description: The ARN of the NHS Notify Prescriptions SQS Queue
+    Value: !GetAtt NHSNotifyPrescriptionsSQSQueue.Arn
+    Export:
+      Name: !Sub ${StackName}-NHSNotifyPrescriptionsSQSQueueArn
+
+  ReadNHSNotifyPrescriptionsSQSQueuePolicyArn:
+    Description: ARN of policy granting permission to read the prescriptions queue
+    Value: !Ref ReadNHSNotifyPrescriptionsSQSQueuePolicy
+    Export:
+      Name: !Sub ${StackName}-ReadNHSNotifyPrescriptionsSQSQueuePolicyArn
+
+  WriteNHSNotifyPrescriptionsSQSQueuePolicyArn:
+    Description: ARN of policy granting permission to write to the prescriptions queue
+    Value: !Ref WriteNHSNotifyPrescriptionsSQSQueuePolicy
+    Export:
+      Name: !Sub ${StackName}-WriteNHSNotifyPrescriptionsSQSQueuePolicyArn
+
+  UseNotificationSQSQueueKMSKeyPolicyArn:
+    Description: ARN of managed policy granting prescriptions queue KMS usage
+    Value: !Ref UseNotificationSQSQueueKMSKeyPolicy
+    Export:
+      Name: !Sub ${StackName}-UseNotificationSQSQueueKMSKeyPolicyArn