Migrate over state machine

wildjames · wildjames · commit 9ef599475d9f · 2026-04-09T16:03:37.000Z
diff --git a/Makefile b/Makefile
@@ -257,7 +257,17 @@ cdk-deploy:
 	npm run cdk-deploy --workspace packages/cdk
 
 cdk-synth:
-	CDK_CONFIG_stackName=psu-api \
+	CDK_CONFIG_stackName=psu-cdk \
+	CDK_CONFIG_samStackName=psu \
+	CDK_CONFIG_logRetentionInDays=30 \
+	CDK_CONFIG_logLevel=DEBUG \
+	CDK_CONFIG_environment=dev \
+	CDK_CONFIG_forwardCsocLogs=false \
+	CDK_CONFIG_deployCheckPrescriptionStatusUpdate=true \
+	CDK_CONFIG_exposeGetStatusUpdates=false \
+	CDK_CONFIG_enablePostDatedNotifications=false \
+	CDK_CONFIG_requireApplicationName=false \
+	CDK_CONFIG_enableBackup=false \
 	npm run cdk-synth --workspace packages/cdk
 
 cdk-diff:
diff --git a/packages/cdk/nagSuppressions.ts b/packages/cdk/nagSuppressions.ts
@@ -1,6 +1,80 @@
+/* eslint-disable max-len */
 import {Stack} from "aws-cdk-lib"
+import {safeAddNagSuppression, safeAddNagSuppressionGroup} from "@nhsdigital/eps-cdk-constructs"
 
-// eslint-disable-next-line @typescript-eslint/no-unused-vars
-export const nagSuppressions = (_stack: Stack) => {
-  // Nag suppressions will be added here as resources are migrated
+export const nagSuppressions = (stack: Stack) => {
+  // State machine log policies require wildcard for log streams and log delivery actions
+  safeAddNagSuppressionGroup(
+    stack,
+    [
+      "/PsuStatelessStack/StateMachines/UpdatePrescriptionStatusStateMachine/StateMachinePutLogsManagedPolicy/Resource",
+      "/PsuStatelessStack/StateMachines/Format1UpdatePrescriptionsStatusStateMachine/StateMachinePutLogsManagedPolicy/Resource"
+    ],
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Wildcard on log-stream is required to write to any log stream under the log group. Wildcard on Resource::* is required for log delivery management actions (DescribeLogGroups, ListLogDeliveries, etc.) which do not support resource-level permissions."
+      }
+    ]
+  )
+
+  // API Gateway does not use request validation — validation is handled by service logic
+  safeAddNagSuppression(
+    stack,
+    "/PsuStatelessStack/Apis/RestApiGateway/ApiGateway/Resource",
+    [
+      {
+        id: "AwsSolutions-APIG2",
+        reason: "Request validation is handled by the backend service logic and FHIR validation state machine, not at the API Gateway level."
+      }
+    ]
+  )
+
+  // API Gateway CloudWatch role uses AWS managed policy
+  safeAddNagSuppression(
+    stack,
+    "/PsuStatelessStack/Apis/RestApiGateway/ApiGateway/CloudWatchRole/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM4",
+        reason: "AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs is the standard approach for API Gateway logging and is maintained by AWS.",
+        appliesTo: ["Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"]
+      }
+    ]
+  )
+
+  // API Gateway stage is not associated with WAFv2 — WAF is managed externally via Apigee
+  safeAddNagSuppression(
+    stack,
+    "/PsuStatelessStack/Apis/RestApiGateway/ApiGateway/DeploymentStage.prod/Resource",
+    [
+      {
+        id: "AwsSolutions-APIG3",
+        reason: "WAF is managed externally via the Apigee proxy layer, not at the API Gateway level."
+      }
+    ]
+  )
+
+  // API methods do not use authorization — mTLS and Apigee handle auth externally
+  safeAddNagSuppressionGroup(
+    stack,
+    [
+      "/PsuStatelessStack/Apis/RestApiGateway/ApiGateway/Default/POST/Resource",
+      "/PsuStatelessStack/Apis/RestApiGateway/ApiGateway/Default/format-1/POST/Resource",
+      "/PsuStatelessStack/Apis/RestApiGateway/ApiGateway/Default/notification-delivery-status-callback/POST/Resource",
+      "/PsuStatelessStack/Apis/RestApiGateway/ApiGateway/Default/_status/GET/Resource",
+      "/PsuStatelessStack/Apis/RestApiGateway/ApiGateway/Default/metadata/GET/Resource",
+      "/PsuStatelessStack/Apis/RestApiGateway/ApiGateway/Default/checkprescriptionstatusupdates/GET/Resource"
+    ],
+    [
+      {
+        id: "AwsSolutions-APIG4",
+        reason: "Authorization is handled externally via mutual TLS and the Apigee API gateway proxy. API Gateway methods do not require an additional authorizer."
+      },
+      {
+        id: "AwsSolutions-COG4",
+        reason: "This API does not use Cognito for authentication. Auth is handled via mutual TLS and the Apigee API gateway proxy."
+      }
+    ]
+  )
 }
diff --git a/packages/cdk/resources/StateMachineDefinitions/Format1UpdatePrescriptionsStatus.ts b/packages/cdk/resources/StateMachineDefinitions/Format1UpdatePrescriptionsStatus.ts
@@ -0,0 +1,127 @@
+import {IFunction} from "aws-cdk-lib/aws-lambda"
+import {LambdaInvoke} from "aws-cdk-lib/aws-stepfunctions-tasks"
+import {Construct} from "constructs"
+import {
+  Chain,
+  Choice,
+  Condition,
+  IChainable,
+  Pass,
+  TaskInput
+} from "aws-cdk-lib/aws-stepfunctions"
+
+export interface Format1UpdatePrescriptionsStatusDefinitionProps {
+  readonly convertRequestToFhirFormatFunction: IFunction
+  readonly updatePrescriptionStatusFunction: IFunction
+}
+
+export class Format1UpdatePrescriptionsStatusDefinition extends Construct {
+  public readonly definition: IChainable
+
+  public constructor(
+    scope: Construct, id: string, props: Format1UpdatePrescriptionsStatusDefinitionProps
+  ) {
+    super(scope, id)
+
+    const catchAllError = new Pass(this, "CatchAllError", {
+      result: {
+        value: {
+          Payload: {
+            statusCode: 500,
+            headers: {
+              "Content-Type": "application/fhir+json",
+              "Cache-Control": "no-cache"
+            },
+            body: JSON.stringify({
+              resourceType: "OperationOutcome",
+              issue: [{severity: "error", code: "processing", diagnostics: "System error"}]
+            })
+          }
+        }
+      }
+    })
+
+    const callConvertRequestToFhirFormat = new LambdaInvoke(
+      this, "Call Convert Request To Fhir Format", {
+        lambdaFunction: props.convertRequestToFhirFormatFunction,
+        assign: {
+          convertStatusCode: "{% $states.result.Payload.statusCode %}",
+          convertHeaders: "{% $states.result.Payload.headers %}",
+          convertBody: "{% $parse($states.result.Payload.body) %}"
+        }
+      }
+    )
+    callConvertRequestToFhirFormat.addCatch(catchAllError)
+
+    const failedConvertRequestToFhir = new Pass(this, "Failed Convert Request to FHIR", {
+      outputs: {
+        Payload: {
+          statusCode: "{% $convertStatusCode %}",
+          headers: "{% $convertHeaders %}",
+          body: "{% $string($convertBody) %}"
+        }
+      }
+    })
+
+    const callUpdatePrescriptionStatus = new LambdaInvoke(
+      this, "Call Update Prescription Status", {
+        lambdaFunction: props.updatePrescriptionStatusFunction,
+        payload: TaskInput.fromObject({
+          body: "{% $string($convertBody) %}",
+          headers: "{% $convertHeaders %}"
+        }),
+        assign: {
+          updateStatusCode: "{% $states.result.Payload.statusCode %}",
+          updatePayload: "{% $states.result.Payload %}"
+        }
+      }
+    )
+    callUpdatePrescriptionStatus.addCatch(catchAllError)
+
+    const translate409To202 = new Pass(this, "Translate 409 to 202", {
+      result: {
+        value: {
+          Payload: {
+            statusCode: 202,
+            headers: {
+              "Content-Type": "application/fhir+json",
+              "Cache-Control": "no-cache"
+            },
+            body: JSON.stringify({
+              resourceType: "OperationOutcome",
+              issue: [{
+                severity: "information",
+                code: "informational",
+                diagnostics:
+                  "Duplicate update detected. The message was valid but did not result in an update."
+              }]
+            })
+          }
+        }
+      }
+    })
+
+    const endState = new Pass(this, "End State")
+
+    const checkConvertResult = new Choice(this, "Convert Request to FHIR result")
+    const convertNotOk = Condition.jsonata("{% $convertStatusCode != 200 %}")
+
+    const checkUpdateResult = new Choice(this, "Check Update Prescription Status Result")
+    const updateIs409 = Condition.jsonata("{% $updateStatusCode = 409 %}")
+
+    this.definition = Chain
+      .start(callConvertRequestToFhirFormat)
+      .next(
+        checkConvertResult
+          .when(convertNotOk, failedConvertRequestToFhir)
+          .otherwise(
+            callUpdatePrescriptionStatus
+              .next(
+                checkUpdateResult
+                  .when(updateIs409, translate409To202)
+                  .otherwise(endState)
+              )
+          )
+      )
+  }
+}
diff --git a/packages/cdk/resources/StateMachineDefinitions/UpdatePrescriptionStatus.ts b/packages/cdk/resources/StateMachineDefinitions/UpdatePrescriptionStatus.ts
@@ -0,0 +1,84 @@
+import {IFunction} from "aws-cdk-lib/aws-lambda"
+import {LambdaInvoke} from "aws-cdk-lib/aws-stepfunctions-tasks"
+import {Construct} from "constructs"
+import {
+  Chain,
+  Choice,
+  Condition,
+  IChainable,
+  Pass
+} from "aws-cdk-lib/aws-stepfunctions"
+
+export interface UpdatePrescriptionStatusDefinitionProps {
+  readonly fhirValidationFunction: IFunction
+  readonly updatePrescriptionStatusFunction: IFunction
+}
+
+export class UpdatePrescriptionStatusDefinition extends Construct {
+  public readonly definition: IChainable
+
+  public constructor(
+    scope: Construct, id: string, props: UpdatePrescriptionStatusDefinitionProps
+  ) {
+    super(scope, id)
+
+    const catchAllError = new Pass(this, "CatchAllError", {
+      result: {
+        value: {
+          Payload: {
+            statusCode: 500,
+            headers: {
+              "Content-Type": "application/fhir+json",
+              "Cache-Control": "no-cache"
+            },
+            body: JSON.stringify({
+              resourceType: "OperationOutcome",
+              issue: [{severity: "error", code: "processing", diagnostics: "System error"}]
+            })
+          }
+        }
+      }
+    })
+
+    const callFhirValidation = new LambdaInvoke(this, "Call FHIR Validation", {
+      lambdaFunction: props.fhirValidationFunction,
+      assign: {
+        fhirValidationResponse: "{% $states.result.Payload %}",
+        fhirValidationErrorCount:
+          "{% $count($states.result.Payload.issue[severity = 'error']) %}"
+      }
+    })
+    callFhirValidation.addCatch(catchAllError)
+
+    const returnFailedFhirValidationErrors = new Pass(this, "Return Failed FHIR Validation Errors", {
+      outputs: {
+        Payload: {
+          statusCode: 400,
+          headers: {
+            "Content-Type": "application/fhir+json",
+            "Cache-Control": "no-cache"
+          },
+          body: "{% $string($fhirValidationResponse) %}"
+        }
+      }
+    })
+
+    const callUpdatePrescriptionStatus = new LambdaInvoke(
+      this, "Call Update Prescription Status", {
+        lambdaFunction: props.updatePrescriptionStatusFunction
+      }
+    )
+    callUpdatePrescriptionStatus.addCatch(catchAllError)
+
+    const doFhirValidationErrorsExist = new Choice(this, "Do FHIR Validation Errors Exist")
+    const hasErrors = Condition.jsonata("{% $fhirValidationErrorCount > 0 %}")
+
+    this.definition = Chain
+      .start(callFhirValidation)
+      .next(
+        doFhirValidationErrorsExist
+          .when(hasErrors, returnFailedFhirValidationErrors)
+          .otherwise(callUpdatePrescriptionStatus)
+      )
+  }
+}
diff --git a/packages/cdk/resources/StateMachines.ts b/packages/cdk/resources/StateMachines.ts
diff --git a/packages/cdk/stacks/PsuStatelessStack.ts b/packages/cdk/stacks/PsuStatelessStack.ts
