NHSDigital
diff --git a/‎.github/dependabot.yml‎
Lines changed: 7 additions & 3 deletions b/‎.github/dependabot.yml‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎.github/workflows/continuous-disintegration.yml‎
Lines changed: 0 additions & 23 deletions b/‎.github/workflows/continuous-disintegration.yml‎
Lines changed: 0 additions & 23 deletions
diff --git a/‎…hub/workflows/continuous-integration.yml‎ ‎.github/workflows/create-release-tag.yml‎.github/workflows/continuous-integration.yml renamed to .github/workflows/create-release-tag.yml
Lines changed: 8 additions & 6 deletions b/‎…hub/workflows/continuous-integration.yml‎ ‎.github/workflows/create-release-tag.yml‎.github/workflows/continuous-integration.yml renamed to .github/workflows/create-release-tag.yml
Lines changed: 8 additions & 6 deletions
diff --git a/‎.github/workflows/deploy-backend.yml‎
Lines changed: 150 additions & 0 deletions b/‎.github/workflows/deploy-backend.yml‎
Lines changed: 150 additions & 0 deletions
diff --git a/‎.github/workflows/pr-jira-link.yaml‎
Lines changed: 29 additions & 0 deletions b/‎.github/workflows/pr-jira-link.yaml‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎.github/workflows/pr-lint.yaml‎
Lines changed: 0 additions & 27 deletions b/‎.github/workflows/pr-lint.yaml‎
Lines changed: 0 additions & 27 deletions
diff --git a/‎.github/workflows/pr-teardown.yml‎
Lines changed: 73 additions & 0 deletions b/‎.github/workflows/pr-teardown.yml‎
Lines changed: 73 additions & 0 deletions
@@ -7,7 +7,7 @@ version: 2
 updates:
   - package-ecosystem: "docker"
     directories:
-      - "/ack_backend"
+      - "/lambdas/ack_backend"
       - "/delta_backend"
       - "/filenameprocessor"
       - "/grafana/non-prod/docker"
@@ -49,14 +49,19 @@ updates:
   - package-ecosystem: "pip"
     directories:
       - "/"
-      - "/ack_backend"
       - "/backend"
+      - "/batch_processor_filter"
       - "/delta_backend"
       - "/e2e"
       - "/e2e_batch"
       - "/filenameprocessor"
       - "/mesh_processor"
       - "/recordprocessor"
+      - "/lambdas/ack_backend"
+      - "/lambdas/redis_sync"
+      - "/lambdas/id_sync"
+      - "/lambdas/mns_subscription"
+      - "/lambdas/shared"
     schedule:
       interval: "daily"
     open-pull-requests-limit: 1
@@ -70,7 +75,6 @@ updates:
     directories:
       - "/grafana/non-prod/terraform"
       - "/infra"
-      - "/mesh-infra"
       - "/terraform"
       - "/terraform_aws_backup/**"
     schedule:
 
@@ -1,14 +1,16 @@
-name: Create Release
-on: push
+name: Create Release Tag
+on:
+  push:
+    branches:
+      - master
 
 jobs:
   create_release:
-    name: build
+    name: Create Release
     runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/master'
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0  # This causes all history to be fetched, which is required for calculate-version to function	
 
@@ -40,4 +42,4 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           tag_name: ${{ env.SPEC_VERSION }}
-          release_name: ${{ env.SPEC_VERSION }}
+          release_name: ${{ env.SPEC_VERSION }}
@@ -0,0 +1,150 @@
+name: Deploy Backend
+
+on:
+  workflow_call:
+    inputs:
+      apigee_environment:
+        required: true
+        type: string
+      create_mns_subscription:
+        required: false
+        type: boolean
+        default: true
+      environment:
+        required: true
+        type: string
+      sub_environment:
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      apigee_environment:
+        type: choice
+        description: Select the Apigee proxy environment
+        options:
+          - internal-dev
+          - int
+          - ref
+          - prod
+      create_mns_subscription:
+        description: Create an MNS Subscription. Only available in dev
+        required: false
+        type: boolean
+        default: true
+      environment:
+        type: string
+        description: Select the backend environment
+        options:
+          - dev
+          - preprod
+          - prod
+      sub_environment:
+        type: string
+        description: Set the sub environment name e.g. pr-xxx, or green/blue in higher environments
+
+jobs:
+  terraform-plan:
+    runs-on: ubuntu-latest
+    environment:
+      name: ${{ inputs.environment }}
+    env: # Sonarcloud - do not allow direct usage of untrusted data
+      APIGEE_ENVIRONMENT: ${{ inputs.apigee_environment }}
+      BACKEND_ENVIRONMENT: ${{ inputs.environment }}
+      BACKEND_SUB_ENVIRONMENT: ${{ inputs.sub_environment }}
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Connect to AWS
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
+          role-session-name: github-actions
+
+      - name: Whoami
+        run: aws sts get-caller-identity
+
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
+        with:
+          terraform_version: "1.12.2"
+
+      - name: Terraform Init
+        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
+        run: make init apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT
+
+      - name: Terraform Plan
+        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
+        run: make plan-ci apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT
+
+      - name: Save Terraform Plan
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: tfplan
+          path: ${{ vars.TERRAFORM_DIR_PATH }}/tfplan
+
+  terraform-apply:
+    needs: terraform-plan
+    runs-on: ubuntu-latest
+    environment:
+      name: ${{ inputs.environment }}
+    env: # Sonarcloud - do not allow direct usage of untrusted data
+      APIGEE_ENVIRONMENT: ${{ inputs.apigee_environment }}
+      BACKEND_ENVIRONMENT: ${{ inputs.environment }}
+      BACKEND_SUB_ENVIRONMENT: ${{ inputs.sub_environment }}
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
+      - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
+          role-session-name: github-actions
+
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
+        with:
+          terraform_version: "1.12.2"
+
+      - name: Retrieve Terraform Plan
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+        with:
+          name: tfplan
+          path: ${{ vars.TERRAFORM_DIR_PATH }}
+
+      - name: Terraform Init
+        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
+        run: make init apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT
+
+      - name: Terraform Apply
+        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
+        run: |
+          make apply-ci apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT
+          echo "ID_SYNC_QUEUE_ARN=$(make -s output name=id_sync_queue_arn)" >> $GITHUB_ENV
+
+      - name: Install poetry
+        if: ${{ inputs.environment == 'dev' && inputs.create_mns_subscription }}
+        run: pip install poetry==2.1.4
+
+      - uses: actions/setup-python@v5
+        if: ${{ inputs.environment == 'dev' && inputs.create_mns_subscription }}
+        with:
+          python-version: 3.11
+          cache: 'poetry'
+
+      - name: Create MNS Subscription
+        if: ${{ inputs.environment == 'dev' && inputs.create_mns_subscription }}
+        working-directory: './lambdas/mns_subscription'
+        env:
+          APIGEE_ENVIRONMENT: ${{ inputs.apigee_environment }}
+          SQS_ARN: ${{ env.ID_SYNC_QUEUE_ARN }}
+        run: |
+          poetry install --no-root
+          echo "Subscribing SQS to MNS for notifications..."
+          make subscribe
@@ -0,0 +1,29 @@
+name: Create PR JIRA Link
+on:
+  pull_request:
+    types: [opened]
+
+jobs:
+  link-ticket:
+    runs-on: ubuntu-latest
+    env:
+      BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
+    steps:
+      - name: Check ticket name conforms to requirements
+        run: echo $BRANCH_NAME | grep -i -E -q "(ved-[0-9]+)|(dependabot\/)"
+        continue-on-error: true
+
+      - name: Grab ticket name
+        run: echo "TICKET_NAME=$(echo $BRANCH_NAME | grep -i -o '\(ved-[0-9]\+\)' | tr '[:lower:]' '[:upper:]')" >> $GITHUB_ENV
+        continue-on-error: true
+
+      - name: Comment on PR with link to JIRA ticket
+        if: contains(env.TICKET_NAME, 'VED-')
+        continue-on-error: true
+        uses: unsplash/comment-on-pr@a9bf050e744c8282dee4bb0dbcf063186d8316c4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          msg: |
+            This branch is working on a ticket in the NHS England VED JIRA Project. Here's a handy link to the ticket:
+            # [${{ env.TICKET_NAME }}](https://nhsd-jira.digital.nhs.uk/browse/${{ env.TICKET_NAME}})
@@ -0,0 +1,73 @@
+name: PR Teardown
+
+on:
+  pull_request:
+    types: [closed]
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: The PR number of the environment to teardown e.g 123
+        required: true
+        type: string
+
+jobs:
+  teardown:
+    name: PR Teardown
+    runs-on: ubuntu-latest
+    environment:
+      name: dev
+    env:
+      APIGEE_ENVIRONMENT: internal-dev
+      BACKEND_ENVIRONMENT: dev
+      BACKEND_SUB_ENVIRONMENT: pr-${{ github.event_name == 'pull_request' && github.event.pull_request.number || inputs.pr_number }}
+    permissions:
+      id-token: write
+      contents: read
+  
+    steps:
+      - name: Connect to AWS
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
+          role-session-name: github-actions
+
+      - name: Whoami
+        run: aws sts get-caller-identity
+
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
+        with:
+          terraform_version: "1.12.2"
+
+      - name: Terraform Init and extract MNS SQS QUEUE ARN
+        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
+        run: |
+          make init apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT
+          make workspace apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT
+          echo "ID_SYNC_QUEUE_ARN=$(make -s output name=id_sync_queue_arn)" >> $GITHUB_ENV
+
+      - name: Install poetry
+        run: pip install poetry==2.1.4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: 3.11
+          cache: 'poetry'
+
+      - name: Unsubscribe MNS
+        working-directory: './lambdas/mns_subscription'
+        env:
+          SQS_ARN: ${{ env.ID_SYNC_QUEUE_ARN }}
+        run: |
+          poetry install --no-root
+
+          echo "Unsubscribing SQS to MNS for notifications..."
+          make unsubscribe
+
+      - name: Terraform Destroy
+        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
+        run: |
+          make destroy apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT