From d0fbc9a1eff9520f86b95bfe9290fdc870d75f6e Mon Sep 17 00:00:00 2001
From: simonlabarere
Date: Mon, 16 Mar 2026 13:55:19 +0000
Subject: [PATCH 1/6] CCM-14961: Supplier API to Digital Letters event rule
---
 ...nt_rule_supplier_api_to_digital_letters.tf | 23 +++++++++++++++++++
 .../terraform/components/events/variables.tf | 11 +++++----
 2 files changed, 29 insertions(+), 5 deletions(-)
 create mode 100644 infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
diff --git a/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf b/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
new file mode 100644
index 0000000..324a359
--- /dev/null
+++ b/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
@@ -0,0 +1,23 @@
+resource "aws_cloudwatch_event_rule" "supplier_api_to_digital_letters" {
+ name = "${local.csi}-supplier-api-to-digital-letters"
+ description = "Supplier API events routed to Digital Letters"
+ event_bus_name = aws_cloudwatch_event_bus.data_plane.name
+
+ event_pattern = jsonencode({
+ "detail" : {
+ "type" : [
+ { "prefix" : "uk.nhs.notify.supplier-api.letter." },
+ ]
+ }
+ })
+}
+
+resource "aws_cloudwatch_event_target" "supplier_api_to_digital_letters" {
+ count = var.event_target_arns["digital_letters_eventbus"] != null ? 1 : 0
+
+ rule = aws_cloudwatch_event_rule.supplier_api_to_digital_letters.name
+ arn = var.event_target_arns["digital_letters_eventbus"]
+ target_id = "supplier-api-to-digital-letters-eventbus"
+ event_bus_name = aws_cloudwatch_event_bus.data_plane.name
+ input_path = "$.detail"
+}
diff --git a/infrastructure/terraform/components/events/variables.tf b/infrastructure/terraform/components/events/variables.tf
index 99863c7..7237682 100644
--- a/infrastructure/terraform/components/events/variables.tf
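Review bot: The `aws_cloudwatch_event_target` block sets no `dead_letter_config` or `retry_policy`, so as far as this file shows an event that cannot be delivered to the Digital Letters bus is discarded once EventBridge stops retrying, and nothing records that it was lost. A `dead_letter_config { arn = <dlq-queue-arn placeholder> }` block pointing at an SQS queue would keep undelivered events available for inspection and alerting. A short comment above the `count` line would also help, for example `# Target is only created when event_target_arns["digital_letters_eventbus"] is set; the rule itself always exists.`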
+++ b/infrastructure/terraform/components/events/variables.tf
@@ -90,11 +90,12 @@ variable "event_publisher_account_ids" {
 variable "event_target_arns" {
 description = "A map of event target ARNs keyed by name"
 type = object({
- sms_nudge = string
- notify_core_sns_topic = optional(string, null)
- supplier_api_sns_topic = optional(string, null)
- app_response = optional(string, null)
- client_callbacks = optional(string, null)
+ sms_nudge = string
+ notify_core_sns_topic = optional(string, null)
+ supplier_api_sns_topic = optional(string, null)
+ app_response = optional(string, null)
+ client_callbacks = optional(string, null)
+ digital_letters_eventbus = optional(string, null)
 })
 }

From 34be97a52a8a73a2779fff643fe09e8a0d6ad177 Mon Sep 17 00:00:00 2001
From: simonlabarere
Date: Mon, 16 Mar 2026 14:29:32 +0000
Subject: [PATCH 2/6] CCM-14961: Fix trivy vulnerability
---
 docs/adr/assets/ADR-003/examples/python/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/adr/assets/ADR-003/examples/python/requirements.txt b/docs/adr/assets/ADR-003/examples/python/requirements.txt
index b7e317b..2217ba5 100644
--- a/docs/adr/assets/ADR-003/examples/python/requirements.txt
+++ b/docs/adr/assets/ADR-003/examples/python/requirements.txt
@@ -1,2 +1,2 @@
-PyJWT==2.8.0
+PyJWT==2.12.0
 requests==2.32.4

From e7887bef8f5b23019e29128a2a92fc66fd358d6f Mon Sep 17 00:00:00 2001
From: simonlabarere
Date: Mon, 16 Mar 2026 14:45:10 +0000
Subject: [PATCH 3/6] CCM-14961: Supplier API to Digital Letters event rule
---
 .../cloudwatch_event_rule_supplier_api_to_digital_letters.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf b/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
index 324a359..53332de 100644
--- a/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
+++ b/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
@@ -19,5 +19,4 @@ resource "aws_cloudwatch_event_target" "supplier_api_to_digital_letters" {
 arn = var.event_target_arns["digital_letters_eventbus"]
 target_id = "supplier-api-to-digital-letters-eventbus"
 event_bus_name = aws_cloudwatch_event_bus.data_plane.name
- input_path = "$.detail"
 }

From eb99736c7de9817e965879c332cdb908d496ae4b Mon Sep 17 00:00:00 2001
From: simonlabarere
Date: Tue, 17 Mar 2026 16:30:26 +0000
Subject: [PATCH 4/6] CCM-14961: Add role to target
---
 ...nt_rule_supplier_api_to_digital_letters.tf | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf b/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
index 53332de..7a5100c 100644
--- a/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
+++ b/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
@@ -19,4 +19,36 @@ resource "aws_cloudwatch_event_target" "supplier_api_to_digital_letters" {
 arn = var.event_target_arns["digital_letters_eventbus"]
 target_id = "supplier-api-to-digital-letters-eventbus"
 event_bus_name = aws_cloudwatch_event_bus.data_plane.name
+ role_arn = aws_iam_role.supplier_api_to_digital_letters.arn
+}
+
+resource "aws_iam_role" "supplier_api_to_digital_letters" {
+ count = var.event_target_arns["digital_letters_eventbus"] != null ? 1 : 0
+
+ name = "eventbridge-cross-account"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Effect = "Allow"
+ Principal = {
+ Service = "events.amazonaws.com"
+ }
+ Action = "sts:AssumeRole"
+ }]
+ })
+}
+
+resource "aws_iam_role_policy" "supplier_api_to_digital_letters" {
+ count = var.event_target_arns["digital_letters_eventbus"] != null ? 1 : 0
+
+ role = aws_iam_role.supplier_api_to_digital_letters.id
+
+ policy = jsonencode({
+ Statement = [{
+ Effect = "Allow"
+ Action = "events:PutEvents"
+ Resource = var.event_target_arns["digital_letters_eventbus"]
+ }]
+ })
 }

From cd2aa7979260fbbf45ecf077e491a2ad382d9d14 Mon Sep 17 00:00:00 2001
From: simonlabarere
Date: Tue, 17 Mar 2026 16:33:11 +0000
Subject: [PATCH 5/6] CCM-14961: Add role to target
---
 .../cloudwatch_event_rule_supplier_api_to_digital_letters.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf b/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
index 7a5100c..ae287a3 100644
--- a/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
+++ b/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
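Review bot: The trust policy on `aws_iam_role.supplier_api_to_digital_letters` lets `events.amazonaws.com` assume the role with no condition, so the role is not tied to the rule that uses it; adding `Condition = { ArnEquals = { "aws:SourceArn" = aws_cloudwatch_event_rule.supplier_api_to_digital_letters.arn } }` to the statement would narrow it to this rule (worth confirming in a non-production account first). The role name is the fixed string `"eventbridge-cross-account"` while the rule is named from `${local.csi}`; IAM role names are unique per account, so a second environment deployed to the same account would presumably fail to apply, and `name = "${local.csi}-supplier-api-to-digital-letters"` would match the rule, subject to the 64-character role-name limit. The inline policy document also omits `Version = "2012-10-17"`, which the trust policy in the same hunk does set.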
@@ -19,7 +19,7 @@ resource "aws_cloudwatch_event_target" "supplier_api_to_digital_letters" {
 arn = var.event_target_arns["digital_letters_eventbus"]
 target_id = "supplier-api-to-digital-letters-eventbus"
 event_bus_name = aws_cloudwatch_event_bus.data_plane.name
- role_arn = aws_iam_role.supplier_api_to_digital_letters.arn
+ role_arn = aws_iam_role.supplier_api_to_digital_letters[0].arn
 }

 resource "aws_iam_role" "supplier_api_to_digital_letters" {
@@ -42,7 +42,7 @@ resource "aws_iam_role" "supplier_api_to_digital_letters" {
 resource "aws_iam_role_policy" "supplier_api_to_digital_letters" {
 count = var.event_target_arns["digital_letters_eventbus"] != null ? 1 : 0

- role = aws_iam_role.supplier_api_to_digital_letters.id
+ role = aws_iam_role.supplier_api_to_digital_letters[0].id

 policy = jsonencode({
 Statement = [{

From 2a53cb4609ce8672f596bab6ddf71e9e2920f100 Mon Sep 17 00:00:00 2001
From: simonlabarere
Date: Wed, 18 Mar 2026 11:43:30 +0000
Subject: [PATCH 6/6] CCM-14961: Additional filters on event going from the Supplier API to Digital Letters
---
 ...event_rule_supplier_api_to_digital_letters.tf | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf b/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
index ae287a3..5570a18 100644
--- a/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
+++ b/infrastructure/terraform/components/events/cloudwatch_event_rule_supplier_api_to_digital_letters.tf
@@ -6,7 +6,17 @@ resource "aws_cloudwatch_event_rule" "supplier_api_to_digital_letters" {
 event_pattern = jsonencode({
 "detail" : {
 "type" : [
- { "prefix" : "uk.nhs.notify.supplier-api.letter." },
+ { prefix = "uk.nhs.notify.supplier-api.letter.ACCEPTED" },
+ { prefix = "uk.nhs.notify.supplier-api.letter.CANCELLED" },
+ { prefix = "uk.nhs.notify.supplier-api.letter.DELIVERED" },
+ { prefix = "uk.nhs.notify.supplier-api.letter.DISPATCHED" },
+ { prefix = "uk.nhs.notify.supplier-api.letter.ENCLOSED" },
+ { prefix = "uk.nhs.notify.supplier-api.letter.FAILED" },
+ { prefix = "uk.nhs.notify.supplier-api.letter.FORWARDED" },
+ { prefix = "uk.nhs.notify.supplier-api.letter.PENDING" },
+ { prefix = "uk.nhs.notify.supplier-api.letter.PRINTED" },
+ { prefix = "uk.nhs.notify.supplier-api.letter.REJECTED" },
+ { prefix = "uk.nhs.notify.supplier-api.letter.RETURNED" }
 ]
 }
 })
@@ -46,8 +56,8 @@ resource "aws_iam_role_policy" "supplier_api_to_digital_letters" {

 policy = jsonencode({
 Statement = [{
- Effect = "Allow"
- Action = "events:PutEvents"
+ Effect = "Allow"
+ Action = "events:PutEvents"
 Resource = var.event_target_arns["digital_letters_eventbus"]
 }]
 })
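Review bot: The pattern in the first hunk still selects on `detail.type` alone, so any publisher allowed onto the data-plane bus that sets one of these type strings gets its event forwarded to the Digital Letters bus; the `event_publisher_account_ids` variable visible earlier in the series suggests more than one account can publish here. Matching the top-level `source` or `account` field for the Supplier API publisher as well would stop the rule relying on a self-declared type. Each entry is also a `prefix` match on what reads like a complete name, so `...letter.ACCEPTED` matches any longer type that begins with it; if no version suffix follows the status, an exact-string list is tighter. The new entries use `prefix =` while the surrounding keys keep the `"detail" :` form, and a single style inside the `jsonencode` call would read more easily.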