From d2333ff8aabb7256684d6106779aad2c9cf03a99 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Mon, 9 Feb 2026 17:39:01 +0000 Subject: [PATCH 01/50] CCM-14149: Letter Preview Placeholder --- .../components/acct/ecr_repository_main.tf | 29 +++++++++ .../terraform/components/app/README.md | 1 + .../terraform/components/app/pre.sh | 4 ++ .../terraform/components/app/variables.tf | 6 ++ lambdas/letter-preview-renderer/.eslintignore | 1 + lambdas/letter-preview-renderer/.gitignore | 4 ++ .../__tests__/index.test.ts | 17 ++++++ lambdas/letter-preview-renderer/build.sh | 16 +++++ lambdas/letter-preview-renderer/docker.sh | 28 +++++++++ .../docker/lambda/Dockerfile | 17 ++++++ lambdas/letter-preview-renderer/index.ts | 10 ++++ .../letter-preview-renderer/jest.config.ts | 60 +++++++++++++++++++ lambdas/letter-preview-renderer/package.json | 23 +++++++ .../src/__tests__/index.test.ts | 17 ++++++ lambdas/letter-preview-renderer/src/index.ts | 10 ++++ lambdas/letter-preview-renderer/tsconfig.json | 7 +++ 16 files changed, 250 insertions(+) create mode 100644 lambdas/letter-preview-renderer/.eslintignore create mode 100644 lambdas/letter-preview-renderer/.gitignore create mode 100644 lambdas/letter-preview-renderer/__tests__/index.test.ts create mode 100644 lambdas/letter-preview-renderer/build.sh create mode 100644 lambdas/letter-preview-renderer/docker.sh create mode 100644 lambdas/letter-preview-renderer/docker/lambda/Dockerfile create mode 100644 lambdas/letter-preview-renderer/index.ts create mode 100644 lambdas/letter-preview-renderer/jest.config.ts create mode 100644 lambdas/letter-preview-renderer/package.json create mode 100644 lambdas/letter-preview-renderer/src/__tests__/index.test.ts create mode 100644 lambdas/letter-preview-renderer/src/index.ts create mode 100644 lambdas/letter-preview-renderer/tsconfig.json 
diff --git a/infrastructure/terraform/components/acct/ecr_repository_main.tf b/infrastructure/terraform/components/acct/ecr_repository_main.tf index 369ffcb6a..903e466c4 100644 --- a/infrastructure/terraform/components/acct/ecr_repository_main.tf +++ b/infrastructure/terraform/components/acct/ecr_repository_main.tf @@ -11,3 +11,32 @@ resource "aws_ecr_repository" "main" { scan_on_push = true } } + +data "aws_iam_policy_document" "ecr_lambda_pull" { + statement { + sid = "AllowLambdaPull" + effect = "Allow" + + principals { + type = "Service" + identifiers = ["lambda.amazonaws.com"] + } + + actions = [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:GetDownloadUrlForLayer", + ] + + condition { + test = "StringEquals" + variable = "aws:SourceAccount" + values = [var.aws_account_id] + } + } +} + +resource "aws_ecr_repository_policy" "main" { + repository = aws_ecr_repository.main.name + policy = data.aws_iam_policy_document.ecr_lambda_pull.json +} diff --git a/infrastructure/terraform/components/app/README.md b/infrastructure/terraform/components/app/README.md index 288aa43b3..2dc48aa44 100644 --- a/infrastructure/terraform/components/app/README.md +++ b/infrastructure/terraform/components/app/README.md 
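Review bot: The `AllowLambdaPull` statement is limited only by `aws:SourceAccount`, so every Lambda function in the account can pull every image in this repository. If only specific functions should use it, add a second `condition` block with `test = "StringLike"`, `variable = "aws:sourceArn"` and a function-ARN pattern narrowed to the expected name prefix (placeholder: `arn:aws:lambda:REGION:ACCOUNT_ID:function:NAME_PREFIX*`). A one-line comment above the data source naming the intended consumers would also make later policy reviews easier.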
@@ -37,6 +37,7 @@ | [external\_email\_domain](#input\_external\_email\_domain) | Externally managed domain used to create an SES identity for sending emails from. Validation DNS records will need to be manually configured in the DNS provider. | `string` | `null` | no | | [group](#input\_group) | The group variables are being inherited from (often synonymous with account short-name) | `string` | n/a | yes | | [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no | +| [letter\_preview\_renderer\_ecr\_repo](#input\_letter\_preview\_renderer\_ecr\_repo) | ECR repository name for the letter-preview-renderer container image | `string` | `"nhs-notify-main-acct"` | no | | [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment |
map(object({
email_addresses = list(string)
enable_polling = bool
default_supplier = optional(bool)
}))
| `{}` | no | | [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no | | [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes | diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index c887517a4..1560ac492 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -10,6 +10,10 @@ npm ci npm run generate-dependencies --workspaces --if-present +export AWS_REGION="${AWS_REGION:-${TF_VAR_region:-}}" +export AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-${TF_VAR_aws_account_id:-}}" +export ECR_REPO="${ECR_REPO:-${TF_VAR_letter_preview_renderer_ecr_repo:-nhs-notify-main-acct}}" + npm run lambda-build --workspaces --if-present lambdas/layers/pdfjs/build.sh diff --git a/infrastructure/terraform/components/app/variables.tf b/infrastructure/terraform/components/app/variables.tf index f6f54c2bf..7800d3e53 100644 --- a/infrastructure/terraform/components/app/variables.tf +++ b/infrastructure/terraform/components/app/variables.tf @@ -173,6 +173,12 @@ variable "event_delivery_logging_success_sample_percentage" { default = 0 } +variable "letter_preview_renderer_ecr_repo" { + type = string + description = "ECR repository name for the letter-preview-renderer container image" + default = "nhs-notify-main-acct" +} + variable "data_plane_bus_arn" { type = string description = "Data plane event bus arn" diff --git a/lambdas/letter-preview-renderer/.eslintignore b/lambdas/letter-preview-renderer/.eslintignore new file mode 100644 index 000000000..1521c8b76 --- /dev/null +++ b/lambdas/letter-preview-renderer/.eslintignore @@ -0,0 +1 @@ +dist 
diff --git a/lambdas/letter-preview-renderer/.gitignore b/lambdas/letter-preview-renderer/.gitignore
new file mode 100644
index 000000000..80323f7cf
--- /dev/null
+++ b/lambdas/letter-preview-renderer/.gitignore
@@ -0,0 +1,4 @@
+coverage
+node_modules
+dist
+.reports
diff --git a/lambdas/letter-preview-renderer/__tests__/index.test.ts b/lambdas/letter-preview-renderer/__tests__/index.test.ts
new file mode 100644
index 000000000..768b0f2c8
--- /dev/null
+++ b/lambdas/letter-preview-renderer/__tests__/index.test.ts
@@ -0,0 +1,17 @@
+import { handler } from '../index';
+import type { Context } from 'aws-lambda';
+import { mockDeep } from 'jest-mock-extended';
+
+describe('event-logging Lambda', () => {
+ it('logs the input event and returns 200', async () => {
+ const event = { foo: 'bar' };
+ const context = mockDeep();
+ const callback = jest.fn();
+ const result = await handler(event, context, callback);
+
+ expect(result).toEqual({
+ statusCode: 200,
+ body: 'Event logged',
+ });
+ });
+});
diff --git a/lambdas/letter-preview-renderer/build.sh b/lambdas/letter-preview-renderer/build.sh
new file mode 100644
index 000000000..232d68e6a
--- /dev/null
+++ b/lambdas/letter-preview-renderer/build.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -euo pipefail
+
+rm -rf dist
+
+npx esbuild \
+ --bundle \
+ --minify \
+ --sourcemap \
+ --target=es2020 \
+ --platform=node \
+ --loader:.node=file \
+ --entry-names=[name] \
+ --outdir=dist \
+ src/index.ts
diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh
new file mode 100644
index 000000000..f13c5e358
--- /dev/null
+++ b/lambdas/letter-preview-renderer/docker.sh
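Review bot: In `__tests__/index.test.ts` the case is titled `logs the input event and returns 200`, but only the return value is asserted, and `Context` is imported yet never used as the hunk reads (the `mockDeep()` call carries no type argument). Retitle the case to `returns 200` rather than pinning the raw-event log line, and rename the `describe` label `event-logging Lambda`, which looks carried over from another package. The same test is added again under `src/__tests__/` in this commit while `tsconfig.json` includes only `src/**/*`, so the root-level copies of this test and `index.ts` are probably redundant and worth removing.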
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -euo pipefail
+
+./build.sh
+
+: "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID is required}"
+: "${AWS_REGION:?AWS_REGION is required}"
+: "${ECR_REPO:?ECR_REPO is required}"
+
+GIT_SHA=$(git rev-parse --short HEAD)
+if [ "${GITHUB_REF_TYPE:-}" = "tag" ] && [ -n "${GITHUB_REF_NAME:-}" ]; then
+ IMAGE_TAG="${GITHUB_REF_NAME}"
+else
+ IMAGE_TAG="main-${GIT_SHA}"
+fi
+
+ECR_IMAGE="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}:${IMAGE_TAG}"
+
+BASE_IMAGE_ARG=${BASE_IMAGE:-ghcr.io/nhsdigital/nhs-notify/letter-renderer-node-22:latest}
+
+docker build \
+ -f docker/lambda/Dockerfile \
+ --build-arg BASE_IMAGE="${BASE_IMAGE_ARG}" \
+ -t "${ECR_IMAGE}" \
+ .
+
+docker push "${ECR_IMAGE}"
diff --git a/lambdas/letter-preview-renderer/docker/lambda/Dockerfile b/lambdas/letter-preview-renderer/docker/lambda/Dockerfile
new file mode 100644
index 000000000..d38445441
--- /dev/null
+++ b/lambdas/letter-preview-renderer/docker/lambda/Dockerfile
@@ -0,0 +1,17 @@
+ARG BASE_IMAGE=ghcr.io/nhsdigital/nhs-notify/letter-renderer-node-22:latest
+
+FROM node:22-alpine AS build
+
+WORKDIR /app
+COPY package.json package-lock.json ./
+RUN npm ci
+COPY build.sh ./
+COPY src ./src
+COPY tsconfig.json ./
+RUN chmod +x ./build.sh && ./build.sh
+
+FROM ${BASE_IMAGE}
+
+COPY --from=build /app/dist/index.js ${LAMBDA_TASK_ROOT}/index.js
+
+CMD [ "index.handler" ]
diff --git a/lambdas/letter-preview-renderer/index.ts b/lambdas/letter-preview-renderer/index.ts
new file mode 100644
index 000000000..3b5a5bff8
--- /dev/null
+++ b/lambdas/letter-preview-renderer/index.ts
@@ -0,0 +1,10 @@
+// Replace me with the actual code for your Lambda function
+import { Handler } from 'aws-lambda';
+
+export const handler: Handler = async (event) => {
+ console.log('Received event:', event);
+ return {
+ statusCode: 200,
+ body: 'Event logged',
+ };
+};
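Review bot: The `BASE_IMAGE` default in docker.sh, the matching `ARG BASE_IMAGE` default in docker/lambda/Dockerfile and its `FROM node:22-alpine` all use mutable tags, so the runtime and build images can change between builds with no change in this repository. Pin them by digest and bump the digest deliberately, e.g. `BASE_IMAGE_ARG=${BASE_IMAGE:-ghcr.io/nhsdigital/nhs-notify/letter-renderer-node-22@sha256:PINNED_DIGEST}` (placeholder digest), with the same change to the Dockerfile default. A comment next to the default should say who owns the base image and how the pin is refreshed.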
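Review bot: `COPY package.json package-lock.json ./` expects a lockfile inside the build context, but docker.sh builds with context `.` (the lambda directory) and this commit adds no `package-lock.json` there; the lockfile changed later in the series is the repository-root one. If that is the only lockfile, this `COPY` fails and `RUN npm ci` never gets a lockfile to install from, so confirm where the lockfile lives. docker.sh also runs `./build.sh` on the host before `docker build`, so the bundle is produced twice; either build from the workspace root, or drop the `build` stage and copy the already-built file with `COPY dist/index.js ${LAMBDA_TASK_ROOT}/index.js`.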
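Review bot: In index.ts, `console.log('Received event:', event);` writes the entire invocation payload to the function's logs, and the component README in this series describes `log_retention_in_days` as defaulting to 0, meaning indefinite retention. For a letter-preview renderer the event will plausibly carry letter content or recipient details (an inference, since the real payload is not defined yet), so this placeholder sets a pattern the real handler should not inherit. Log only non-sensitive metadata, e.g. `console.log('Received event with keys:', Object.keys(event ?? {}));`, and extend the `// Replace me` comment to state that raw events must not be logged. The identical file is added again as `src/index.ts` in this commit and needs the same change.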
diff --git a/lambdas/letter-preview-renderer/jest.config.ts b/lambdas/letter-preview-renderer/jest.config.ts
new file mode 100644
index 000000000..d30f4cd1c
--- /dev/null
+++ b/lambdas/letter-preview-renderer/jest.config.ts
@@ -0,0 +1,60 @@
+import type { Config } from 'jest';
+
+export const baseJestConfig: Config = {
+ preset: 'ts-jest',
+
+ // Automatically clear mock calls, instances, contexts and results before every test
+ clearMocks: true,
+
+ // Indicates whether the coverage information should be collected while executing the test
+ collectCoverage: true,
+
+ // The directory where Jest should output its coverage files
+ coverageDirectory: './.reports/unit/coverage',
+
+ // Indicates which provider should be used to instrument code for coverage
+ coverageProvider: 'babel',
+
+ coverageThreshold: {
+ global: {
+ branches: 100,
+ functions: 100,
+ lines: 100,
+ statements: -10,
+ },
+ },
+
+ coveragePathIgnorePatterns: ['/__tests__/'],
+ transform: { '^.+\\.ts$': 'ts-jest' },
+ testPathIgnorePatterns: ['.build'],
+ testMatch: ['**/?(*.)+(spec|test).[jt]s?(x)'],
+
+ // Use this configuration option to add custom reporters to Jest
+ reporters: [
+ 'default',
+ [
+ 'jest-html-reporter',
+ {
+ pageTitle: 'Test Report',
+ outputPath: './.reports/unit/test-report.html',
+ includeFailureMsg: true,
+ },
+ ],
+ ],
+
+ // The test environment that will be used for testing
+ testEnvironment: 'jsdom',
+};
+
+const utilsJestConfig = {
+ ...baseJestConfig,
+
+ testEnvironment: 'node',
+
+ coveragePathIgnorePatterns: [
+ ...(baseJestConfig.coveragePathIgnorePatterns ?? []),
+ 'zod-validators.ts',
+ ],
+};
+
+export default utilsJestConfig;
diff --git a/lambdas/letter-preview-renderer/package.json b/lambdas/letter-preview-renderer/package.json
new file mode 100644
index 000000000..a9be46b7c
--- /dev/null
+++ b/lambdas/letter-preview-renderer/package.json
@@ -0,0 +1,23 @@
+{
+ "dependencies": {
+ "esbuild": "^0.25.0"
+ },
+ "devDependencies": {
+ "@tsconfig/node22": "^22.0.2",
+ "@types/aws-lambda": "^8.10.148",
+ "@types/jest": "^29.5.14",
+ "jest": "^29.7.0",
+ "jest-mock-extended": "^3.0.7",
+ "typescript": "^5.8.2"
+ },
+ "name": "nhs-notify-templates-letter-preview-renderer",
+ "private": true,
+ "scripts": {
+ "lambda-build": "./docker.sh",
+ "lint": "eslint .",
+ "lint:fix": "eslint . --fix",
+ "test:unit": "jest",
+ "typecheck": "tsc --noEmit"
+ },
+ "version": "0.0.1"
+}
diff --git a/lambdas/letter-preview-renderer/src/__tests__/index.test.ts b/lambdas/letter-preview-renderer/src/__tests__/index.test.ts
new file mode 100644
index 000000000..768b0f2c8
--- /dev/null
+++ b/lambdas/letter-preview-renderer/src/__tests__/index.test.ts
@@ -0,0 +1,17 @@
+import { handler } from '../index';
+import type { Context } from 'aws-lambda';
+import { mockDeep } from 'jest-mock-extended';
+
+describe('event-logging Lambda', () => {
+ it('logs the input event and returns 200', async () => {
+ const event = { foo: 'bar' };
+ const context = mockDeep();
+ const callback = jest.fn();
+ const result = await handler(event, context, callback);
+
+ expect(result).toEqual({
+ statusCode: 200,
+ body: 'Event logged',
+ });
+ });
+});
diff --git a/lambdas/letter-preview-renderer/src/index.ts b/lambdas/letter-preview-renderer/src/index.ts
new file mode 100644
index 000000000..3b5a5bff8
--- /dev/null
+++ b/lambdas/letter-preview-renderer/src/index.ts
@@ -0,0 +1,10 @@
+// Replace me with the actual code for your Lambda function
+import { Handler } from 'aws-lambda';
+
+export const handler: Handler = async (event) => {
+ console.log('Received event:', event);
+ return {
+ statusCode: 200,
+ body: 'Event logged',
+ };
+};
diff --git a/lambdas/letter-preview-renderer/tsconfig.json b/lambdas/letter-preview-renderer/tsconfig.json
new file mode 100644
index 000000000..ea37d6966
--- /dev/null
+++ b/lambdas/letter-preview-renderer/tsconfig.json
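Review bot: `"lambda-build": "./docker.sh"` executes the script directly, but docker.sh and build.sh are both added with `new file mode 100644`, so `npm run lambda-build` and the `./build.sh` call inside docker.sh will fail with a permission error on a fresh checkout. Either commit both scripts as executable (`git update-index --chmod=+x`) or invoke them through the interpreter, `"lambda-build": "bash ./docker.sh"`, with `bash ./build.sh` inside docker.sh. Separately, `esbuild` is a build-time tool and would normally sit under `devDependencies`. `ts-jest`, `jest-html-reporter` and `eslint` are used by jest.config.ts and the scripts here without being declared, which is fine only if the workspace root provides them.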
@@ -0,0 +1,7 @@ +{ + "extends": "@tsconfig/node22/tsconfig.json", + "include": [ + "src/**/*", + "jest.config.ts" + ] +} From dbc8abb2081128b02399725d1011806c7e9a72b5 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 10 Feb 2026 11:58:35 +0000 Subject: [PATCH 02/50] CCM-14149: Letter Preview Placeholder --- .../terraform/components/app/README.md | 1 + .../module_letter_preview_renderer_lambda.tf | 31 +++++++++++++++++++ lambdas/letter-preview-renderer/docker.sh | 16 ++++++++++ 3 files changed, 48 insertions(+) create mode 100644 infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf diff --git a/infrastructure/terraform/components/app/README.md b/infrastructure/terraform/components/app/README.md index 2dc48aa44..2ecf93115 100644 --- a/infrastructure/terraform/components/app/README.md +++ b/infrastructure/terraform/components/app/README.md @@ -56,6 +56,7 @@ | [eventpub](#module\_eventpub) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/eventpub | v2.0.28 | | [kms](#module\_kms) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip | n/a | | [kms\_us\_east\_1](#module\_kms\_us\_east\_1) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip | n/a | +| [letter\_preview\_renderer\_lambda](#module\_letter\_preview\_renderer\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | feature/CCM-14149_Support_Container_Based_Lambdas | | [nhse\_backup\_vault](#module\_nhse\_backup\_vault) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.25/terraform-aws-backup-source.zip | n/a | | [s3bucket\_cf\_logs](#module\_s3bucket\_cf\_logs) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a | | [ses](#module\_ses) | ../../modules/ses | n/a | 
diff --git a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf new file mode 100644 index 000000000..829a052d8 --- /dev/null +++ b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf @@ -0,0 +1,31 @@ +locals { + letter_preview_renderer_image_tag = var.environment == "dev" ? substr(var.commit_id, 0, 7) : var.letter_preview_renderer_git_tag +} + +module "letter_preview_renderer_lambda" { + source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda?ref=feature/CCM-14149_Support_Container_Based_Lambdas" + + project = var.project + environment = var.environment + component = var.component + aws_account_id = var.aws_account_id + region = var.region + group = var.group + + function_name = "letter-preview-renderer" + description = "Letter preview renderer Lambda" + + kms_key_arn = module.kms.key_arn + + package_type = "Image" + image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.letter_preview_renderer_ecr_repo}:${local.letter_preview_renderer_image_tag}" + image_repository_names = [var.letter_preview_renderer_ecr_repo] + + memory = 1024 + timeout = 30 + + log_retention_in_days = var.log_retention_in_days + + log_destination_arn = local.log_destination_arn + log_subscription_role_arn = local.acct.log_subscription_role_arn +} diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index f13c5e358..16975d539 100644 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh 
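Review bot: The module `source` is pinned to a branch, `?ref=feature/CCM-14149_Support_Container_Based_Lambdas`, so whatever is pushed to that branch enters the next plan without review in this repository; the other shared modules listed in the README are referenced by release tag (for example `v2.0.28`). Pin to a release tag or a full commit SHA before merging, e.g. `?ref=RELEASE_TAG` (placeholder). The `locals` block also reads `var.commit_id` and `var.letter_preview_renderer_git_tag`, neither of which is declared in the variables.tf changes visible in this series, so confirm they exist elsewhere in the component. A comment on `image_repository_names` explaining what the shared module does with it would help, since that module is not visible here.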
@@ -1,13 +1,25 @@ #!/bin/bash +# Fail fast on errors, unset variables, and pipeline failures. set -euo pipefail +# Build the lambda artifacts before producing the Docker image. ./build.sh +# Ensure required AWS/ECR configuration is present. : "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID is required}" : "${AWS_REGION:?AWS_REGION is required}" : "${ECR_REPO:?ECR_REPO is required}" +# Authenticate Docker with AWS ECR using an ephemeral login token. +aws ecr get-login-password --region "${AWS_REGION}" | docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}".dkr.ecr."${AWS_REGION}".amazonaws.com + +# Optionally authenticate to GitHub Container Registry for base images. +if [ -n "${GHCR_LOGIN_USER:-}" ] && [ -n "${GHCR_LOGIN_TOKEN:-}" ]; then + echo "${GHCR_LOGIN_TOKEN}" | docker login ghcr.io --username "${GHCR_LOGIN_USER}" --password-stdin +fi + +# Resolve the image tag: prefer a GitHub tag, otherwise use main-. GIT_SHA=$(git rev-parse --short HEAD) if [ "${GITHUB_REF_TYPE:-}" = "tag" ] && [ -n "${GITHUB_REF_NAME:-}" ]; then IMAGE_TAG="${GITHUB_REF_NAME}" @@ -15,14 +27,18 @@ else IMAGE_TAG="main-${GIT_SHA}" fi +# Compose the full ECR image reference. ECR_IMAGE="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}:${IMAGE_TAG}" +# Allow an override for the base image used in the Docker build. BASE_IMAGE_ARG=${BASE_IMAGE:-ghcr.io/nhsdigital/nhs-notify/letter-renderer-node-22:latest} +# Build and tag the Docker image for the lambda. docker build \ -f docker/lambda/Dockerfile \ --build-arg BASE_IMAGE="${BASE_IMAGE_ARG}" \ -t "${ECR_IMAGE}" \ . +# Push the image to ECR. docker push "${ECR_IMAGE}" From 709fed1f60ec16f83ae1a864c5cc5f48e9645183 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 10 Feb 2026 12:10:36 +0000 Subject: [PATCH 03/50] CCM-14149: Letter Preview Placeholder --- .../components/app/module_letter_preview_renderer_lambda.tf | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) 
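Review bot: Both `docker login` calls leave registry credentials in the runner's Docker configuration after the script exits, which matters on shared or long-lived build hosts. Add a cleanup after the required-variable checks, e.g. `trap 'docker logout ghcr.io; docker logout "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"' EXIT`, or rely on a configured credential helper. `printf '%s' "${GHCR_LOGIN_TOKEN}"` is also more predictable than `echo` for piping the token, because `echo` can treat some leading characters as options. The GHCR login is skipped silently when the variables are unset, so a private base image only fails later at `docker build`; an `else` branch printing one line to stderr would make that easier to diagnose.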
diff --git a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf index 829a052d8..702700ec9 100644 --- a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf +++ b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf @@ -1,7 +1,3 @@ -locals { - letter_preview_renderer_image_tag = var.environment == "dev" ? substr(var.commit_id, 0, 7) : var.letter_preview_renderer_git_tag -} - module "letter_preview_renderer_lambda" { source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda?ref=feature/CCM-14149_Support_Container_Based_Lambdas" @@ -18,7 +14,7 @@ module "letter_preview_renderer_lambda" { kms_key_arn = module.kms.key_arn package_type = "Image" - image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.letter_preview_renderer_ecr_repo}:${local.letter_preview_renderer_image_tag}" + image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.letter_preview_renderer_ecr_repo}:main-${substr(var.commit_id, 0, 7)}" image_repository_names = [var.letter_preview_renderer_ecr_repo] memory = 1024 From 277bf45bce2af49d29fe4c9ae8331eec191f0dfd Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 10 Feb 2026 14:45:15 +0000 Subject: [PATCH 04/50] CCM-14149: Letter Preview Placeholder --- .../module_letter_preview_renderer_lambda.tf | 2 +- .../terraform/components/app/pre.sh | 3 ++ .../terraform/components/sandbox/pre.sh | 7 +++++ lambdas/letter-preview-renderer/docker.sh | 28 +++++++++++-------- 4 files changed, 28 insertions(+), 12 deletions(-) diff --git a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf index 702700ec9..0cf4a0be4 100644 
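Review bot: The new `image_uri` tag `main-${substr(var.commit_id, 0, 7)}` assumes the pushed tag always carries a 7-character hash, but docker.sh derives it from `git rev-parse --short HEAD`, which may emit a longer abbreviation to stay unique, and uses `GITHUB_REF_NAME` instead on tag builds. In either case Terraform points the function at a tag that was never pushed. Compute the tag once and hand it to both sides, for example by exporting it from pre.sh as a `TF_VAR_` value, or truncate explicitly in docker.sh with `GIT_SHA=$(git rev-parse HEAD | cut -c1-7)` and drop the tag-build branch. The `module` block continues outside this hunk.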
--- a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf +++ b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf @@ -14,7 +14,7 @@ module "letter_preview_renderer_lambda" { kms_key_arn = module.kms.key_arn package_type = "Image" - image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.letter_preview_renderer_ecr_repo}:main-${substr(var.commit_id, 0, 7)}" + image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.letter_preview_renderer_ecr_repo}:${local.csi}-latest" image_repository_names = [var.letter_preview_renderer_ecr_repo] memory = 1024 diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index 1560ac492..f7b70c5cd 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -13,6 +13,9 @@ npm run generate-dependencies --workspaces --if-present export AWS_REGION="${AWS_REGION:-${TF_VAR_region:-}}" export AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-${TF_VAR_aws_account_id:-}}" export ECR_REPO="${ECR_REPO:-${TF_VAR_letter_preview_renderer_ecr_repo:-nhs-notify-main-acct}}" +export CSI="${CSI:-${TF_VAR_project:-}-${TF_VAR_environment:-}-${TF_VAR_component:-}}" +CSI="${CSI//_/}" +export CSI npm run lambda-build --workspaces --if-present diff --git a/infrastructure/terraform/components/sandbox/pre.sh b/infrastructure/terraform/components/sandbox/pre.sh index ebec8fafa..6c9142d96 100755 --- a/infrastructure/terraform/components/sandbox/pre.sh +++ b/infrastructure/terraform/components/sandbox/pre.sh 
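Review bot: `image_uri` now ends in the mutable tag `${local.csi}-latest`, so the string Terraform sees does not change when a new image is pushed; the function will probably keep running the previously resolved image until something else forces an update, and no deployment is tied to a specific build. Reference the image by digest instead, using an `aws_ecr_image` data source that looks up the tag and an `image_uri` of the form `"REPO_URI@${data.aws_ecr_image.letter_preview_renderer.image_digest}"` (`REPO_URI` standing for the existing registry/repository prefix). That also gives an auditable record of exactly which image each apply deployed. The `module` block starts and ends outside this hunk.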
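Review bot: The `CSI` default in components/app/pre.sh is assembled from three `TF_VAR_*` values that each fall back to the empty string, so with them unset `CSI` becomes `--`, which is non-empty and passes the `: "${CSI:?CSI is required}"` guard in docker.sh; the image is then pushed under a tag Terraform never looks up. When `CSI` is not supplied, validate the parts before composing, e.g. `: "${TF_VAR_project:?}" "${TF_VAR_environment:?}" "${TF_VAR_component:?}"`. The result must also match Terraform's `local.csi` exactly (its definition is outside this diff), so `CSI="${CSI//_/}"` deserves a comment naming the Terraform expression it mirrors. The same block is added to components/sandbox/pre.sh in this commit and needs the same treatment.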
@@ -25,6 +25,13 @@ if [ "${ACTION}" == "apply" ]; then npm run generate-dependencies --workspaces --if-present + export AWS_REGION="${AWS_REGION:-${TF_VAR_region:-}}" + export AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-${TF_VAR_aws_account_id:-}}" + export ECR_REPO="${ECR_REPO:-${TF_VAR_letter_preview_renderer_ecr_repo:-nhs-notify-main-acct}}" + export CSI="${CSI:-${TF_VAR_project:-}-${TF_VAR_environment:-}-${TF_VAR_component:-}}" + CSI="${CSI//_/}" + export CSI + npm run lambda-build --workspaces --if-present lambdas/layers/pdfjs/build.sh diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 16975d539..2ed2bbe23 100644 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -10,6 +10,7 @@ set -euo pipefail : "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID is required}" : "${AWS_REGION:?AWS_REGION is required}" : "${ECR_REPO:?ECR_REPO is required}" +: "${CSI:?CSI is required}" # Authenticate Docker with AWS ECR using an ephemeral login token. aws ecr get-login-password --region "${AWS_REGION}" | docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}".dkr.ecr."${AWS_REGION}".amazonaws.com 
@@ -19,16 +20,17 @@ if [ -n "${GHCR_LOGIN_USER:-}" ] && [ -n "${GHCR_LOGIN_TOKEN:-}" ]; then echo "${GHCR_LOGIN_TOKEN}" | docker login ghcr.io --username "${GHCR_LOGIN_USER}" --password-stdin fi -# Resolve the image tag: prefer a GitHub tag, otherwise use main-. +# Resolve git references for image tags. GIT_SHA=$(git rev-parse --short HEAD) -if [ "${GITHUB_REF_TYPE:-}" = "tag" ] && [ -n "${GITHUB_REF_NAME:-}" ]; then - IMAGE_TAG="${GITHUB_REF_NAME}" -else - IMAGE_TAG="main-${GIT_SHA}" -fi -# Compose the full ECR image reference. -ECR_IMAGE="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}:${IMAGE_TAG}" +# Namespace tags by CSI to avoid cross-environment collisions. +IMAGE_TAG_LATEST="${CSI}-latest" +IMAGE_TAG_COMMIT="${CSI}-${GIT_SHA}" + +# Compose the full ECR image references. +ECR_REPO_URI="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}" +ECR_IMAGE_LATEST="${ECR_REPO_URI}:${IMAGE_TAG_LATEST}" +ECR_IMAGE_COMMIT="${ECR_REPO_URI}:${IMAGE_TAG_COMMIT}" # Allow an override for the base image used in the Docker build. BASE_IMAGE_ARG=${BASE_IMAGE:-ghcr.io/nhsdigital/nhs-notify/letter-renderer-node-22:latest} @@ -37,8 +39,12 @@ BASE_IMAGE_ARG=${BASE_IMAGE:-ghcr.io/nhsdigital/nhs-notify/letter-renderer-node- docker build \ -f docker/lambda/Dockerfile \ --build-arg BASE_IMAGE="${BASE_IMAGE_ARG}" \ - -t "${ECR_IMAGE}" \ + -t "${ECR_IMAGE_LATEST}" \ . -# Push the image to ECR. -docker push "${ECR_IMAGE}" +# Apply additional tag containing the commit identifier. +docker tag "${ECR_IMAGE_LATEST}" "${ECR_IMAGE_COMMIT}" + +# Push the image tags to ECR. +docker push "${ECR_IMAGE_LATEST}" +docker push "${ECR_IMAGE_COMMIT}" From a0da312e909854f9e4c07274a8083b6c30555a11 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 10 Feb 2026 14:50:43 +0000 Subject: [PATCH 05/50] CCM-14149: Letter Preview Placeholder --- package-lock.json | 123 ++++++++-------------------------------------- 1 file changed, 21 insertions(+), 102 deletions(-) 
diff --git a/package-lock.json b/package-lock.json index b426ccbc7..c81fdf2b8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -13217,13 +13217,13 @@ } }, "node_modules/axios": { - "version": "1.13.4", - "resolved": "https://registry.npmjs.org/axios/-/axios-1.13.4.tgz", - "integrity": "sha512-1wVkUaAO6WyaYtCkcYCOx12ZgpGf9Zif+qXa4n+oYzK558YryKqiL6UWwd5DqiH3VRW0GYhTZQ/vlgJrCoNQlg==", + "version": "1.13.5", + "resolved": "https://registry.npmjs.org/axios/-/axios-1.13.5.tgz", + "integrity": "sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q==", "license": "MIT", "dependencies": { - "follow-redirects": "^1.15.6", - "form-data": "^4.0.4", + "follow-redirects": "^1.15.11", + "form-data": "^4.0.5", "proxy-from-env": "^1.1.0" } }, @@ -20537,20 +20537,20 @@ } }, "node_modules/jsonpath": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/jsonpath/-/jsonpath-1.1.1.tgz", - "integrity": "sha512-l6Cg7jRpixfbgoWgkrl77dgEj8RPvND0wMH6TwQmi9Qs4TFfS9u5cUFnbeKTwj5ga5Y3BTGGNI28k117LJ009w==", + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/jsonpath/-/jsonpath-1.2.1.tgz", + "integrity": "sha512-Jl6Jhk0jG+kP3yk59SSeGq7LFPR4JQz1DU0K+kXTysUhMostbhU3qh5mjTuf0PqFcXpAT7kvmMt9WxV10NyIgQ==", "license": "MIT", "dependencies": { - "esprima": "1.2.2", - "static-eval": "2.0.2", - "underscore": "1.12.1" + "esprima": "1.2.5", + "static-eval": "2.1.1", + "underscore": "1.13.6" } }, "node_modules/jsonpath/node_modules/esprima": { - "version": "1.2.2", - "resolved": "https://registry.npmjs.org/esprima/-/esprima-1.2.2.tgz", - "integrity": "sha512-+JpPZam9w5DuJ3Q67SqsMGtiHKENSMRVoxvArfJZK01/BfLEObtZ6orJa/MtoGNR/rfMgp5837T41PAmTwAv/A==", + "version": "1.2.5", + "resolved": "https://registry.npmjs.org/esprima/-/esprima-1.2.5.tgz", + "integrity": "sha512-S9VbPDU0adFErpDai3qDkjq8+G05ONtKzcyNrPKg/ZKa+tf879nX2KexNU95b31UoTJjRLInNBHHHjFPoCd7lQ==", "bin": { "esparse": "bin/esparse.js", "esvalidate": "bin/esvalidate.js" 
@@ -25155,93 +25155,12 @@ } }, "node_modules/static-eval": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/static-eval/-/static-eval-2.0.2.tgz", - "integrity": "sha512-N/D219Hcr2bPjLxPiV+TQE++Tsmrady7TqAJugLy7Xk1EumfDWS/f5dtBbkRCGE7wKKXuYockQoj8Rm2/pVKyg==", - "license": "MIT", - "dependencies": { - "escodegen": "^1.8.1" - } - }, - "node_modules/static-eval/node_modules/escodegen": { - "version": "1.14.3", - "resolved": "https://registry.npmjs.org/escodegen/-/escodegen-1.14.3.tgz", - "integrity": "sha512-qFcX0XJkdg+PB3xjZZG/wKSuT1PnQWx57+TVSjIMmILd2yC/6ByYElPwJnslDsuWuSAp4AwJGumarAAmJch5Kw==", - "license": "BSD-2-Clause", - "dependencies": { - "esprima": "^4.0.1", - "estraverse": "^4.2.0", - "esutils": "^2.0.2", - "optionator": "^0.8.1" - }, - "bin": { - "escodegen": "bin/escodegen.js", - "esgenerate": "bin/esgenerate.js" - }, - "engines": { - "node": ">=4.0" - }, - "optionalDependencies": { - "source-map": "~0.6.1" - } - }, - "node_modules/static-eval/node_modules/estraverse": { - "version": "4.3.0", - "resolved": "https://registry.npmjs.org/estraverse/-/estraverse-4.3.0.tgz", - "integrity": "sha512-39nnKffWz8xN1BU/2c79n9nB9HDzo0niYUqx6xyqUnyoAnQyyWpOTdZEeiCch8BBu515t4wp9ZmgVfVhn9EBpw==", - "license": "BSD-2-Clause", - "engines": { - "node": ">=4.0" - } - }, - "node_modules/static-eval/node_modules/levn": { - "version": "0.3.0", - "resolved": "https://registry.npmjs.org/levn/-/levn-0.3.0.tgz", - "integrity": "sha512-0OO4y2iOHix2W6ujICbKIaEQXvFQHue65vUG3pb5EUomzPI90z9hsA1VsO/dbIIpC53J8gxM9Q4Oho0jrCM/yA==", - "license": "MIT", - "dependencies": { - "prelude-ls": "~1.1.2", - "type-check": "~0.3.2" - }, - "engines": { - "node": ">= 0.8.0" - } - }, - "node_modules/static-eval/node_modules/optionator": { - "version": "0.8.3", - "resolved": "https://registry.npmjs.org/optionator/-/optionator-0.8.3.tgz", - "integrity": "sha512-+IW9pACdk3XWmmTXG8m3upGUJst5XRGzxMRjXzAuJ1XnIFNvfhjjIuYkDvysnPQ7qzqVzLt78BCruntqRhWQbA==", - "license": "MIT", - "dependencies": 
{ - "deep-is": "~0.1.3", - "fast-levenshtein": "~2.0.6", - "levn": "~0.3.0", - "prelude-ls": "~1.1.2", - "type-check": "~0.3.2", - "word-wrap": "~1.2.3" - }, - "engines": { - "node": ">= 0.8.0" - } - }, - "node_modules/static-eval/node_modules/prelude-ls": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.1.2.tgz", - "integrity": "sha512-ESF23V4SKG6lVSGZgYNpbsiaAkdab6ZgOxe52p7+Kid3W3u3bxR4Vfd/o21dmN7jSt0IwgZ4v5MUd26FEtXE9w==", - "engines": { - "node": ">= 0.8.0" - } - }, - "node_modules/static-eval/node_modules/type-check": { - "version": "0.3.2", - "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.3.2.tgz", - "integrity": "sha512-ZCmOJdvOWDBYJlzAoFkC+Q0+bUyEOS1ltgp1MGU03fqHG+dbi9tBFU2Rd9QKiDZFAYrhPh2JUf7rZRIuHRKtOg==", + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/static-eval/-/static-eval-2.1.1.tgz", + "integrity": "sha512-MgWpQ/ZjGieSVB3eOJVs4OA2LT/q1vx98KPCTTQPzq/aLr0YUXTsgryTXr4SLfR0ZfUUCiedM9n/ABeDIyy4mA==", "license": "MIT", "dependencies": { - "prelude-ls": "~1.1.2" - }, - "engines": { - "node": ">= 0.8.0" + "escodegen": "^2.1.0" } }, "node_modules/statuses": { @@ -26809,9 +26728,9 @@ } }, "node_modules/underscore": { - "version": "1.12.1", - "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.12.1.tgz", - "integrity": "sha512-hEQt0+ZLDVUMhebKxL4x1BTtDY7bavVofhZ9KZ4aI26X9SRaE+Y3m83XUL1UP2jn8ynjndwCCpEHdUG+9pP1Tw==", + "version": "1.13.6", + "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.13.6.tgz", + "integrity": "sha512-+A5Sja4HP1M08MaXya7p5LvjuM7K6q/2EaC0+iovj/wOcMsTzMvDFbasi/oSapiwOlt252IqsKqPjCl7huKS0A==", "license": "MIT" }, "node_modules/undici": { From bf7c298cdbb25475f68b64b979fc70d82c141c41 Mon Sep 17 00:00:00 2001 
From: jamesthompson26-nhs Date: Tue, 10 Feb 2026 15:19:34 +0000 Subject: [PATCH 06/50] CCM-14149: Letter Preview Placeholder --- .../components/acct/ecr_repository_main.tf | 34 +++++++++++++++++++ .../module_letter_preview_renderer_lambda.tf | 2 +- lambdas/letter-preview-renderer/docker.sh | 15 +++----- 3 files changed, 39 insertions(+), 12 deletions(-) diff --git a/infrastructure/terraform/components/acct/ecr_repository_main.tf b/infrastructure/terraform/components/acct/ecr_repository_main.tf index 903e466c4..ece9da713 100644 --- a/infrastructure/terraform/components/acct/ecr_repository_main.tf +++ b/infrastructure/terraform/components/acct/ecr_repository_main.tf @@ -40,3 +40,37 @@ resource "aws_ecr_repository_policy" "main" { repository = aws_ecr_repository.main.name policy = data.aws_iam_policy_document.ecr_lambda_pull.json } + +resource "aws_ecr_lifecycle_policy" "main" { + repository = aws_ecr_repository.main.name + + policy = jsonencode({ + rules = [ + { + rulePriority = 1 + description = "Retain last 30 tagged images" + selection = { + tagStatus = "tagged" + countType = "imageCountMoreThan" + countNumber = 30 + } + action = { + type = "expire" + } + }, + { + rulePriority = 2 + description = "Expire untagged images older than 7 days" + selection = { + tagStatus = "untagged" + countType = "sinceImagePushed" + countUnit = "days" + countNumber = 7 + } + action = { + type = "expire" + } + } + ] + }) +} diff --git a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf index 0cf4a0be4..5e4aca429 100644 --- a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf +++ b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf 
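Review bot: Rule 1 of `aws_ecr_lifecycle_policy.main` sets `tagStatus = "tagged"` without a `tagPrefixList` or `tagPatternList`, which ECR requires for tagged selections as far as I know, so the policy is likely to be rejected at apply time; add e.g. `tagPatternList = ["*"]` or explicit prefixes to the `selection`. Beyond that, the repository is shared across environments, so a count-based rule over every tag can expire the image that a less frequently deployed environment's function still references. After this commit docker.sh pushes only the re-used `-latest` tag, so superseded images become untagged and rule 2 already removes them; rule 1 may be better dropped or scoped to a prefix that is safe to expire.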
@@ -14,7 +14,7 @@ module "letter_preview_renderer_lambda" { kms_key_arn = module.kms.key_arn package_type = "Image" - image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.letter_preview_renderer_ecr_repo}:${local.csi}-latest" + image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.letter_preview_renderer_ecr_repo}:${local.csi}-letter-preview-renderer-latest" image_repository_names = [var.letter_preview_renderer_ecr_repo] memory = 1024 diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 2ed2bbe23..d0c3e171e 100644 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -11,6 +11,7 @@ set -euo pipefail : "${AWS_REGION:?AWS_REGION is required}" : "${ECR_REPO:?ECR_REPO is required}" : "${CSI:?CSI is required}" +LAMBDA_NAME="${LAMBDA_NAME:-letter-preview-renderer}" # Authenticate Docker with AWS ECR using an ephemeral login token. aws ecr get-login-password --region "${AWS_REGION}" | docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}".dkr.ecr."${AWS_REGION}".amazonaws.com @@ -21,16 +22,12 @@ if [ -n "${GHCR_LOGIN_USER:-}" ] && [ -n "${GHCR_LOGIN_TOKEN:-}" ]; then fi # Resolve git references for image tags. -GIT_SHA=$(git rev-parse --short HEAD) - -# Namespace tags by CSI to avoid cross-environment collisions. -IMAGE_TAG_LATEST="${CSI}-latest" -IMAGE_TAG_COMMIT="${CSI}-${GIT_SHA}" +# Namespace tag by CSI and lambda name to avoid cross-environment collisions. +IMAGE_TAG_LATEST="${CSI}-${LAMBDA_NAME}-latest" # Compose the full ECR image references. ECR_REPO_URI="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}" ECR_IMAGE_LATEST="${ECR_REPO_URI}:${IMAGE_TAG_LATEST}" -ECR_IMAGE_COMMIT="${ECR_REPO_URI}:${IMAGE_TAG_COMMIT}" # Allow an override for the base image used in the Docker build. BASE_IMAGE_ARG=${BASE_IMAGE:-ghcr.io/nhsdigital/nhs-notify/letter-renderer-node-22:latest} 
@@ -42,9 +39,5 @@ docker build \ -t "${ECR_IMAGE_LATEST}" \ . -# Apply additional tag containing the commit identifier. -docker tag "${ECR_IMAGE_LATEST}" "${ECR_IMAGE_COMMIT}" - -# Push the image tags to ECR. +# Push the image tag to ECR. docker push "${ECR_IMAGE_LATEST}" -docker push "${ECR_IMAGE_COMMIT}" From 8353e57b72a692985494d721068d6e53066cc5cd Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 10 Feb 2026 15:57:39 +0000 Subject: [PATCH 07/50] CCM-14149: Letter Preview Placeholder --- lambdas/letter-preview-renderer/docker.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index d0c3e171e..44d83f053 100644 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -39,5 +39,5 @@ docker build \ -t "${ECR_IMAGE_LATEST}" \ . -# Push the image tag to ECR. +# Push the image tag to ECR. The Terraform configuration will reference this tag for the lambda image. docker push "${ECR_IMAGE_LATEST}" From b470d2cfa2a43a4ab3bde1c58a67a1465c6e7a38 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 10 Feb 2026 16:43:28 +0000 Subject: [PATCH 08/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/README.md | 3 ++- .../app/module_letter_preview_renderer_lambda.tf | 4 ++-- infrastructure/terraform/components/app/pre.sh | 4 +++- infrastructure/terraform/components/app/variables.tf | 9 +++++++-- infrastructure/terraform/components/sandbox/pre.sh | 4 +++- lambdas/letter-preview-renderer/docker.sh | 3 ++- 6 files changed, 19 insertions(+), 8 deletions(-) diff --git a/infrastructure/terraform/components/app/README.md b/infrastructure/terraform/components/app/README.md index 2ecf93115..318f8932c 100644 --- a/infrastructure/terraform/components/app/README.md +++ b/infrastructure/terraform/components/app/README.md 
@@ -22,6 +22,7 @@ | [cognito\_user\_pool\_additional\_callback\_urls](#input\_cognito\_user\_pool\_additional\_callback\_urls) | A list of additional callback\_urls for the cognito user pool | `list(string)` | `[]` | no | | [commit\_id](#input\_commit\_id) | The commit to deploy. Must be in the tree for branch\_name | `string` | `"HEAD"` | no | | [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"app"` | no | +| [container\_lambda\_ecr\_repo](#input\_container\_lambda\_ecr\_repo) | ECR repository name for container-based lambda images | `string` | `"nhs-notify-main-acct"` | no | | [control\_plane\_bus\_arn](#input\_control\_plane\_bus\_arn) | Data plane event bus arn | `string` | n/a | yes | | [data\_plane\_bus\_arn](#input\_data\_plane\_bus\_arn) | Data plane event bus arn | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no | 
@@ -37,7 +38,7 @@ | [external\_email\_domain](#input\_external\_email\_domain) | Externally managed domain used to create an SES identity for sending emails from. Validation DNS records will need to be manually configured in the DNS provider. | `string` | `null` | no | | [group](#input\_group) | The group variables are being inherited from (often synonymous with account short-name) | `string` | n/a | yes | | [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no | -| [letter\_preview\_renderer\_ecr\_repo](#input\_letter\_preview\_renderer\_ecr\_repo) | ECR repository name for the letter-preview-renderer container image | `string` | `"nhs-notify-main-acct"` | no | +| [letter\_preview\_renderer\_image\_tag](#input\_letter\_preview\_renderer\_image\_tag) | Full ECR image tag for the letter-preview-renderer container image (e.g. -letter-preview-renderer--latest) | `string` | n/a | yes | | [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment |
map(object({
email_addresses = list(string)
enable_polling = bool
default_supplier = optional(bool)
}))
| `{}` | no | | [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no | | [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes | diff --git a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf index 5e4aca429..daf37bfff 100644 --- a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf +++ b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf @@ -14,8 +14,8 @@ module "letter_preview_renderer_lambda" { kms_key_arn = module.kms.key_arn package_type = "Image" - image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.letter_preview_renderer_ecr_repo}:${local.csi}-letter-preview-renderer-latest" - image_repository_names = [var.letter_preview_renderer_ecr_repo] + image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.container_lambda_ecr_repo}:${var.letter_preview_renderer_image_tag}" + image_repository_names = [var.container_lambda_ecr_repo] memory = 1024 timeout = 30 diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index f7b70c5cd..762ba7b55 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh 
@@ -12,10 +12,12 @@ npm run generate-dependencies --workspaces --if-present export AWS_REGION="${AWS_REGION:-${TF_VAR_region:-}}" export AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-${TF_VAR_aws_account_id:-}}" -export ECR_REPO="${ECR_REPO:-${TF_VAR_letter_preview_renderer_ecr_repo:-nhs-notify-main-acct}}" +export ECR_REPO="${ECR_REPO:-${TF_VAR_container_lambda_ecr_repo:-nhs-notify-main-acct}}" export CSI="${CSI:-${TF_VAR_project:-}-${TF_VAR_environment:-}-${TF_VAR_component:-}}" CSI="${CSI//_/}" export CSI +export SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" +export TF_VAR_letter_preview_renderer_image_tag="${TF_VAR_letter_preview_renderer_image_tag:-${CSI}-letter-preview-renderer-${SHORT_SHA}-latest}" npm run lambda-build --workspaces --if-present diff --git a/infrastructure/terraform/components/app/variables.tf b/infrastructure/terraform/components/app/variables.tf index 7800d3e53..659e762f9 100644 --- a/infrastructure/terraform/components/app/variables.tf +++ b/infrastructure/terraform/components/app/variables.tf @@ -173,12 +173,17 @@ variable "event_delivery_logging_success_sample_percentage" { default = 0 } -variable "letter_preview_renderer_ecr_repo" { +variable "container_lambda_ecr_repo" { type = string - description = "ECR repository name for the letter-preview-renderer container image" + description = "ECR repository name for container-based lambda images" default = "nhs-notify-main-acct" } +variable "letter_preview_renderer_image_tag" { + type = string + description = "Full ECR image tag for the letter-preview-renderer container image (e.g. -letter-preview-renderer--latest)" +} + variable "data_plane_bus_arn" { type = string description = "Data plane event bus arn" diff --git a/infrastructure/terraform/components/sandbox/pre.sh b/infrastructure/terraform/components/sandbox/pre.sh index 6c9142d96..da05999cb 100755 --- a/infrastructure/terraform/components/sandbox/pre.sh +++ b/infrastructure/terraform/components/sandbox/pre.sh 
@@ -27,10 +27,12 @@ if [ "${ACTION}" == "apply" ]; then export AWS_REGION="${AWS_REGION:-${TF_VAR_region:-}}" export AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-${TF_VAR_aws_account_id:-}}" - export ECR_REPO="${ECR_REPO:-${TF_VAR_letter_preview_renderer_ecr_repo:-nhs-notify-main-acct}}" + export ECR_REPO="${ECR_REPO:-${TF_VAR_container_lambda_ecr_repo:-nhs-notify-main-acct}}" export CSI="${CSI:-${TF_VAR_project:-}-${TF_VAR_environment:-}-${TF_VAR_component:-}}" CSI="${CSI//_/}" export CSI + export SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" + export TF_VAR_letter_preview_renderer_image_tag="${TF_VAR_letter_preview_renderer_image_tag:-${CSI}-letter-preview-renderer-${SHORT_SHA}-latest}" npm run lambda-build --workspaces --if-present diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 44d83f053..53fda972b 100644 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -12,6 +12,7 @@ set -euo pipefail : "${ECR_REPO:?ECR_REPO is required}" : "${CSI:?CSI is required}" LAMBDA_NAME="${LAMBDA_NAME:-letter-preview-renderer}" +SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" # Authenticate Docker with AWS ECR using an ephemeral login token. aws ecr get-login-password --region "${AWS_REGION}" | docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}".dkr.ecr."${AWS_REGION}".amazonaws.com @@ -23,7 +24,7 @@ fi # Resolve git references for image tags. # Namespace tag by CSI and lambda name to avoid cross-environment collisions. -IMAGE_TAG_LATEST="${CSI}-${LAMBDA_NAME}-latest" +IMAGE_TAG_LATEST="${CSI}-${LAMBDA_NAME}--${SHORT_SHA}-latest" # Compose the full ECR image references. ECR_REPO_URI="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}" From e095e522ce046c8ca29e35b19a3b1b0ed677680e Mon Sep 17 00:00:00 2001 
From: jamesthompson26-nhs Date: Tue, 10 Feb 2026 16:45:30 +0000 Subject: [PATCH 09/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/sandbox/pre.sh | 9 --------- 1 file changed, 9 deletions(-) diff --git a/infrastructure/terraform/components/sandbox/pre.sh b/infrastructure/terraform/components/sandbox/pre.sh index da05999cb..ebec8fafa 100755 --- a/infrastructure/terraform/components/sandbox/pre.sh +++ b/infrastructure/terraform/components/sandbox/pre.sh @@ -25,15 +25,6 @@ if [ "${ACTION}" == "apply" ]; then npm run generate-dependencies --workspaces --if-present - export AWS_REGION="${AWS_REGION:-${TF_VAR_region:-}}" - export AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-${TF_VAR_aws_account_id:-}}" - export ECR_REPO="${ECR_REPO:-${TF_VAR_container_lambda_ecr_repo:-nhs-notify-main-acct}}" - export CSI="${CSI:-${TF_VAR_project:-}-${TF_VAR_environment:-}-${TF_VAR_component:-}}" - CSI="${CSI//_/}" - export CSI - export SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" - export TF_VAR_letter_preview_renderer_image_tag="${TF_VAR_letter_preview_renderer_image_tag:-${CSI}-letter-preview-renderer-${SHORT_SHA}-latest}" - npm run lambda-build --workspaces --if-present lambdas/layers/pdfjs/build.sh From ffbf6354ac4f4ff24409107e781e86dbd12b0d9a Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Tue, 10 Feb 2026 16:55:13 +0000 Subject: [PATCH 10/50] CCM-14149: Letter Preview Placeholder --- lambdas/letter-preview-renderer/docker.sh | 2 +- package-lock.json | 47 ++++++++++------------- package.json | 1 + 3 files changed, 22 insertions(+), 28 deletions(-) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 53fda972b..a516a1acc 100644 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh 
@@ -24,7 +24,7 @@ fi # Resolve git references for image tags. # Namespace tag by CSI and lambda name to avoid cross-environment collisions. -IMAGE_TAG_LATEST="${CSI}-${LAMBDA_NAME}--${SHORT_SHA}-latest" +IMAGE_TAG_LATEST="${CSI}-${LAMBDA_NAME}-${SHORT_SHA}-latest" # Compose the full ECR image references. ECR_REPO_URI="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}" diff --git a/package-lock.json b/package-lock.json index c81fdf2b8..4ce2778df 100644 --- a/package-lock.json +++ b/package-lock.json @@ -14,6 +14,7 @@ "lambdas/backend-client", "lambdas/download-authorizer", "lambdas/sftp-letters", + "lambdas/letter-preview-renderer", "packages/event-schemas", "tests/accessibility", "tests/contracts/provider", @@ -662,6 +663,21 @@ "node": ">=18.0.0" } }, + "lambdas/letter-preview-renderer": { + "name": "nhs-notify-templates-letter-preview-renderer", + "version": "0.0.1", + "dependencies": { + "esbuild": "^0.25.0" + }, + "devDependencies": { + "@tsconfig/node22": "^22.0.2", + "@types/aws-lambda": "^8.10.148", + "@types/jest": "^29.5.14", + "jest": "^29.7.0", + "jest-mock-extended": "^3.0.7", + "typescript": "^5.8.2" + } + }, "lambdas/sftp-letters": { "name": "nhs-notify-sftp-letters-lambdas", "version": "0.0.1", @@ -6498,7 +6514,6 @@ "cpu": [ "ppc64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6515,7 +6530,6 @@ "cpu": [ "arm" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6532,7 +6546,6 @@ "cpu": [ "arm64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6549,7 +6562,6 @@ "cpu": [ "x64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6566,7 +6578,6 @@ "cpu": [ "arm64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6583,7 +6594,6 @@ "cpu": [ "x64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6600,7 +6610,6 @@ "cpu": [ "arm64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ 
@@ -6617,7 +6626,6 @@ "cpu": [ "x64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6634,7 +6642,6 @@ "cpu": [ "arm" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6651,7 +6658,6 @@ "cpu": [ "arm64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6668,7 +6674,6 @@ "cpu": [ "ia32" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6685,7 +6690,6 @@ "cpu": [ "loong64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6702,7 +6706,6 @@ "cpu": [ "mips64el" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6719,7 +6722,6 @@ "cpu": [ "ppc64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6736,7 +6738,6 @@ "cpu": [ "riscv64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6753,7 +6754,6 @@ "cpu": [ "s390x" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6770,7 +6770,6 @@ "cpu": [ "x64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6787,7 +6786,6 @@ "cpu": [ "arm64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6804,7 +6802,6 @@ "cpu": [ "x64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6821,7 +6818,6 @@ "cpu": [ "arm64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6838,7 +6834,6 @@ "cpu": [ "x64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6855,7 +6850,6 @@ "cpu": [ "arm64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6872,7 +6866,6 @@ "cpu": [ "x64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6889,7 +6882,6 @@ "cpu": [ "arm64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6906,7 +6898,6 @@ "cpu": [ "ia32" ], - "dev": true, "license": "MIT", "optional": true, "os": [ @@ -6923,7 +6914,6 @@ "cpu": [ "x64" ], - "dev": true, "license": "MIT", "optional": true, "os": [ 
@@ -15459,7 +15449,6 @@ "version": "0.25.12", "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.25.12.tgz", "integrity": "sha512-bbPBYYrtZbkt6Os6FiTLCTFxvq4tt3JKall1vRwshA3fdVztsLAatFaZobhkBC8/BrPetoa0oksYoKXoG4ryJg==", - "dev": true, "hasInstallScript": true, "license": "MIT", "bin": { @@ -21650,6 +21639,10 @@ "resolved": "lambdas/event-publisher", "link": true }, + "node_modules/nhs-notify-templates-letter-preview-renderer": { + "resolved": "lambdas/letter-preview-renderer", + "link": true + }, "node_modules/nhs-notify-web-template-management-accessibility-test": { "resolved": "tests/accessibility", "link": true diff --git a/package.json b/package.json index d7d4a590b..915554d9f 100644 --- a/package.json +++ b/package.json @@ -61,6 +61,7 @@ "lambdas/backend-client", "lambdas/download-authorizer", "lambdas/sftp-letters", + "lambdas/letter-preview-renderer", "packages/event-schemas", "tests/accessibility", "tests/contracts/provider", From 87653c1715b4c3338dc15762457ee3755215cda7 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 07:37:59 +0000 Subject: [PATCH 11/50] CCM-14149: Letter Preview Placeholder --- lambdas/letter-preview-renderer/docker.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 lambdas/letter-preview-renderer/docker.sh diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh old mode 100644 new mode 100755 From 9e52454a849250528b7619dd10590f327288531c Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 07:43:08 +0000 Subject: [PATCH 12/50] CCM-14149: Letter Preview Placeholder --- lambdas/letter-preview-renderer/docker.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index a516a1acc..18e28829f 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh 
@@ -3,7 +3,8 @@ # Fail fast on errors, unset variables, and pipeline failures. set -euo pipefail -# Build the lambda artifacts before producing the Docker image. +# Ensure build.sh is executable and build the lambda artifacts before producing the Docker image. +chmod +x ./build.sh ./build.sh # Ensure required AWS/ECR configuration is present. From 48f09a8163516e3b3409f1804f0be9fc92020f42 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 08:11:39 +0000 Subject: [PATCH 13/50] CCM-14149: Letter Preview Placeholder --- lambdas/letter-preview-renderer/docker.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 18e28829f..7f52821e5 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -9,8 +9,8 @@ chmod +x ./build.sh # Ensure required AWS/ECR configuration is present. : "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID is required}" -: "${AWS_REGION:?AWS_REGION is required}" -: "${ECR_REPO:?ECR_REPO is required}" +AWS_REGION="${AWS_REGION:-eu-west-2}" +ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" : "${CSI:?CSI is required}" LAMBDA_NAME="${LAMBDA_NAME:-letter-preview-renderer}" SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" From 1ded16f9fc6f6d68c99317cb5dd6e8ae8b896526 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 08:15:03 +0000 Subject: [PATCH 14/50] CCM-14149: Letter Preview Placeholder --- lambdas/letter-preview-renderer/docker.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 7f52821e5..4305d0e10 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh 
@@ -11,7 +11,11 @@ chmod +x ./build.sh : "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID is required}" AWS_REGION="${AWS_REGION:-eu-west-2}" ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" -: "${CSI:?CSI is required}" +CSI="${CSI:-nhs-notify-${ENVIRONMENT:-}}" +if [ -z "$CSI" ]; then + echo "CSI is required (set CSI or ENVIRONMENT)" >&2 + exit 1 +fi LAMBDA_NAME="${LAMBDA_NAME:-letter-preview-renderer}" SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" From e6393096c7552522b3d71acf7a990410c096cb87 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 08:45:17 +0000 Subject: [PATCH 15/50] CCM-14149: Template Management Support Container Builds --- lambdas/letter-preview-renderer/docker.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 4305d0e10..48e44e88c 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -7,7 +7,16 @@ set -euo pipefail chmod +x ./build.sh ./build.sh + # Ensure required AWS/ECR configuration is present. +echo "AWS_ACCOUNT_ID: ${AWS_ACCOUNT_ID:-}" +echo "AWS_REGION: ${AWS_REGION:-}" +echo "ECR_REPO: ${ECR_REPO:-}" +echo "ENVIRONMENT: ${ENVIRONMENT:-}" +echo "CSI: ${CSI:-}" +echo "LAMBDA_NAME: ${LAMBDA_NAME:-}" +echo "SHORT_SHA: ${SHORT_SHA:-}" + : "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID is required}" AWS_REGION="${AWS_REGION:-eu-west-2}" ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" 
@@ -19,6 +28,15 @@ fi LAMBDA_NAME="${LAMBDA_NAME:-letter-preview-renderer}" SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" +# Ensure required AWS/ECR configuration is present. +echo "AWS_ACCOUNT_ID: ${AWS_ACCOUNT_ID:-}" +echo "AWS_REGION: ${AWS_REGION:-}" +echo "ECR_REPO: ${ECR_REPO:-}" +echo "ENVIRONMENT: ${ENVIRONMENT:-}" +echo "CSI: ${CSI:-}" +echo "LAMBDA_NAME: ${LAMBDA_NAME:-}" +echo "SHORT_SHA: ${SHORT_SHA:-}" + # Authenticate Docker with AWS ECR using an ephemeral login token. aws ecr get-login-password --region "${AWS_REGION}" | docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}".dkr.ecr."${AWS_REGION}".amazonaws.com From db75d60075da6d8f1ea2159ca9cdbb32098cea88 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 09:02:52 +0000 Subject: [PATCH 16/50] CCM-14149: Template Management Support Container Builds --- lambdas/letter-preview-renderer/docker.sh | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 48e44e88c..44058ea96 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -7,24 +7,10 @@ set -euo pipefail chmod +x ./build.sh ./build.sh - -# Ensure required AWS/ECR configuration is present. -echo "AWS_ACCOUNT_ID: ${AWS_ACCOUNT_ID:-}" -echo "AWS_REGION: ${AWS_REGION:-}" -echo "ECR_REPO: ${ECR_REPO:-}" -echo "ENVIRONMENT: ${ENVIRONMENT:-}" -echo "CSI: ${CSI:-}" -echo "LAMBDA_NAME: ${LAMBDA_NAME:-}" -echo "SHORT_SHA: ${SHORT_SHA:-}" - : "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID is required}" AWS_REGION="${AWS_REGION:-eu-west-2}" ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" -CSI="${CSI:-nhs-notify-${ENVIRONMENT:-}}" -if [ -z "$CSI" ]; then - echo "CSI is required (set CSI or ENVIRONMENT)" >&2 - exit 1 -fi +CSI="nhs-notify-${ENVIRONMENT}" LAMBDA_NAME="${LAMBDA_NAME:-letter-preview-renderer}" SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" 
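Review bot: In the `@@ -7,24 +7,10 @@` hunk, `CSI="nhs-notify-${ENVIRONMENT}"` discards any `CSI` exported by the caller, while `components/app/pre.sh` derives `TF_VAR_letter_preview_renderer_image_tag` from its own `CSI` (project, environment and component at this point in the series). When the two values differ, the tag pushed here is not the tag Terraform writes into `image_uri`, so the deploy would reference an image that was never pushed. Keep the caller's value with `CSI="${CSI:-nhs-notify-${ENVIRONMENT:?ENVIRONMENT is required}}"`, or pass the finished tag in from `pre.sh` so it is computed in one place only.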
From d54ee7963af2a03438fbd2f4cfc93ddab6b8b40a Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 09:12:08 +0000 Subject: [PATCH 17/50] CCM-14149: Template Management Support Container Builds --- lambdas/letter-preview-renderer/docker.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 44058ea96..3a1dc8249 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -13,6 +13,8 @@ ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" CSI="nhs-notify-${ENVIRONMENT}" LAMBDA_NAME="${LAMBDA_NAME:-letter-preview-renderer}" SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" +GHCR_LOGIN_USER="${GITHUB_ACTOR:-}" +GHCR_LOGIN_TOKEN="${GITHUB_TOKEN:-}" # Ensure required AWS/ECR configuration is present. echo "AWS_ACCOUNT_ID: ${AWS_ACCOUNT_ID:-}" From 4d7aa81f94918ebd2b0150b49f3563bdcaa76057 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 09:21:22 +0000 Subject: [PATCH 18/50] CCM-14149: Template Management Support Container Builds --- lambdas/letter-preview-renderer/docker.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 3a1dc8249..8f76caab3 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -24,6 +24,8 @@ echo "ENVIRONMENT: ${ENVIRONMENT:-}" echo "CSI: ${CSI:-}" echo "LAMBDA_NAME: ${LAMBDA_NAME:-}" echo "SHORT_SHA: ${SHORT_SHA:-}" +echo "GHCR_LOGIN_USER: ${GHCR_LOGIN_USER:-}" +echo "GHCR_LOGIN_TOKEN: ${GHCR_LOGIN_TOKEN:-}" # Authenticate Docker with AWS ECR using an ephemeral login token. aws ecr get-login-password --region "${AWS_REGION}" | docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}".dkr.ecr."${AWS_REGION}".amazonaws.com From aa112d18b6c6f1fca26f239e158b2aca68df8146 Mon Sep 17 00:00:00 2001 
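Review bot: The added `echo "GHCR_LOGIN_TOKEN: ${GHCR_LOGIN_TOKEN:-}"` in the `@@ -24,6 +24,8 @@` hunk writes the registry credential (assigned from `GITHUB_TOKEN` by the previous commit) into the build output in clear text. Build logs are typically readable by more people and kept longer than the token is meant to live, and log masking by the CI system cannot be relied on wherever else this script runs. Print only whether the value is present, e.g. `echo "GHCR_LOGIN_TOKEN set: ${GHCR_LOGIN_TOKEN:+yes}"`, and remove the debug lines once the pipeline works.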
From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 09:31:13 +0000 Subject: [PATCH 19/50] CCM-14149: Letter Preview Placeholder --- lambdas/letter-preview-renderer/docker.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 8f76caab3..fe6157bb4 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -32,7 +32,12 @@ aws ecr get-login-password --region "${AWS_REGION}" | docker login --username AW # Optionally authenticate to GitHub Container Registry for base images. if [ -n "${GHCR_LOGIN_USER:-}" ] && [ -n "${GHCR_LOGIN_TOKEN:-}" ]; then - echo "${GHCR_LOGIN_TOKEN}" | docker login ghcr.io --username "${GHCR_LOGIN_USER}" --password-stdin + echo "Attempting GHCR login as ${GHCR_LOGIN_USER}..." + if echo "${GHCR_LOGIN_TOKEN}" | docker login ghcr.io --username "${GHCR_LOGIN_USER}" --password-stdin; then + echo "GHCR login successful." + else + echo "GHCR login failed!" >&2 + fi fi # Resolve git references for image tags. From fc1e972be0b86872778e83d786241b88e1e87c0f Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 10:00:06 +0000 Subject: [PATCH 20/50] CCM-14149: Letter Preview Placeholder --- lambdas/letter-preview-renderer/docker/lambda/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lambdas/letter-preview-renderer/docker/lambda/Dockerfile b/lambdas/letter-preview-renderer/docker/lambda/Dockerfile index d38445441..d15393011 100644 --- a/lambdas/letter-preview-renderer/docker/lambda/Dockerfile +++ b/lambdas/letter-preview-renderer/docker/lambda/Dockerfile @@ -3,7 +3,7 @@ ARG BASE_IMAGE=ghcr.io/nhsdigital/nhs-notify/letter-renderer-node-22:latest FROM node:22-alpine AS build WORKDIR /app -COPY package.json package-lock.json ./ +COPY package.json ./ RUN npm ci COPY build.sh ./ COPY src ./src From 7797341d999346c9e881238c0028e1a59ed3aa78 Mon Sep 17 00:00:00 2001 
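Review bot: The new `else` branch only prints `GHCR login failed!` and the script carries on, because a command tested by `if` is exempt from `set -e`. The later `docker build` then pulls the base image unauthenticated or from the local cache, so a credential problem shows up as an unrelated pull error, or not at all if a stale cached image is used. Add `exit 1` after the error message so the build stops at the cause.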
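Review bot: `RUN npm ci` on the line after the changed `COPY` requires a lockfile, so with `package-lock.json` no longer copied the build stage cannot install. Replacing it with `npm install` to get past that would resolve versions at build time without the lockfile's integrity hashes. The package is an npm workspace whose lockfile sits at the repository root (per the `package-lock.json` hunks in this series), so the fix is to make the root lockfile available to the build context rather than drop it. The build stage continues outside the hunk.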
From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 10:19:14 +0000 Subject: [PATCH 21/50] CCM-14149: Letter Preview Placeholder --- .../docker/lambda/Dockerfile | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/lambdas/letter-preview-renderer/docker/lambda/Dockerfile b/lambdas/letter-preview-renderer/docker/lambda/Dockerfile index d15393011..5f2a170e4 100644 --- a/lambdas/letter-preview-renderer/docker/lambda/Dockerfile +++ b/lambdas/letter-preview-renderer/docker/lambda/Dockerfile @@ -1,17 +1,8 @@ ARG BASE_IMAGE=ghcr.io/nhsdigital/nhs-notify/letter-renderer-node-22:latest -FROM node:22-alpine AS build - -WORKDIR /app -COPY package.json ./ -RUN npm ci -COPY build.sh ./ -COPY src ./src -COPY tsconfig.json ./ -RUN chmod +x ./build.sh && ./build.sh - FROM ${BASE_IMAGE} -COPY --from=build /app/dist/index.js ${LAMBDA_TASK_ROOT}/index.js +# Copy the built output from the build context (docker.sh should have run build.sh already) +COPY dist/index.js ${LAMBDA_TASK_ROOT}/index.js CMD [ "index.handler" ] From 14a80d78d38d376ea968704663e8ece35f4c5d22 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 10:48:09 +0000 Subject: [PATCH 22/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 8 ++++---- lambdas/letter-preview-renderer/docker.sh | 8 ++++---- lambdas/letter-preview-renderer/package.json | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index 762ba7b55..cfb08a6f0 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh 
@@ -13,11 +13,11 @@ npm run generate-dependencies --workspaces --if-present export AWS_REGION="${AWS_REGION:-${TF_VAR_region:-}}" export AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-${TF_VAR_aws_account_id:-}}" export ECR_REPO="${ECR_REPO:-${TF_VAR_container_lambda_ecr_repo:-nhs-notify-main-acct}}" -export CSI="${CSI:-${TF_VAR_project:-}-${TF_VAR_environment:-}-${TF_VAR_component:-}}" -CSI="${CSI//_/}" -export CSI +export CSI="${CSI:-${TF_VAR_project:-}-${TF_VAR_environment:-}}" export SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" -export TF_VAR_letter_preview_renderer_image_tag="${TF_VAR_letter_preview_renderer_image_tag:-${CSI}-letter-preview-renderer-${SHORT_SHA}-latest}" + +export TF_VAR_letter_preview_renderer_image_tag="${TF_VAR_letter_preview_renderer_image_tag:-${CSI}-letter-preview-renderer-${SHORT_SHA}}" +echo "TF_VAR_letter_preview_renderer_image_tag: $TF_VAR_letter_preview_renderer_image_tag" npm run lambda-build --workspaces --if-present diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index fe6157bb4..fd0a93332 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -11,7 +11,7 @@ chmod +x ./build.sh AWS_REGION="${AWS_REGION:-eu-west-2}" ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" CSI="nhs-notify-${ENVIRONMENT}" -LAMBDA_NAME="${LAMBDA_NAME:-letter-preview-renderer}" +LAMBDA_NAME="${LAMBDA_NAME:-$(basename $(cd "$(dirname "$0")/.." && pwd))}" SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" GHCR_LOGIN_USER="${GITHUB_ACTOR:-}" GHCR_LOGIN_TOKEN="${GITHUB_TOKEN:-}" 
@@ -42,14 +42,14 @@ fi # Resolve git references for image tags. # Namespace tag by CSI and lambda name to avoid cross-environment collisions. -IMAGE_TAG_LATEST="${CSI}-${LAMBDA_NAME}-${SHORT_SHA}-latest" +IMAGE_TAG_LATEST="${CSI}-${LAMBDA_NAME}-${SHORT_SHA}" # Compose the full ECR image references. ECR_REPO_URI="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}" ECR_IMAGE_LATEST="${ECR_REPO_URI}:${IMAGE_TAG_LATEST}" -# Allow an override for the base image used in the Docker build. -BASE_IMAGE_ARG=${BASE_IMAGE:-ghcr.io/nhsdigital/nhs-notify/letter-renderer-node-22:latest} +# Use only the first input argument for BASE_IMAGE_ARG (no fallback) +BASE_IMAGE_ARG="$1" # Build and tag the Docker image for the lambda. docker build \ diff --git a/lambdas/letter-preview-renderer/package.json b/lambdas/letter-preview-renderer/package.json index a9be46b7c..333d50993 100644 --- a/lambdas/letter-preview-renderer/package.json +++ b/lambdas/letter-preview-renderer/package.json @@ -13,7 +13,7 @@ "name": "nhs-notify-templates-letter-preview-renderer", "private": true, "scripts": { - "lambda-build": "./docker.sh", + "lambda-build": "./docker.sh ghcr.io/nhsdigital/nhs-notify/letter-renderer-node-22:latest", "lint": "eslint .", "lint:fix": "eslint . --fix", "test:unit": "jest", From b072c65d035db24ef8f0a95e965e14bfa862659f Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 10:51:26 +0000 Subject: [PATCH 23/50] CCM-14149: Letter Preview Placeholder --- lambdas/letter-preview-renderer/docker.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index fd0a93332..4b0f2beba 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh 
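Review bot: `BASE_IMAGE_ARG="$1"` makes the base image a required positional argument but gives no usable error when it is missing; under `set -u` the script stops with a bare unbound-variable message. Use `BASE_IMAGE_ARG="${1:?usage: docker.sh <base-image-reference>}"` so the failure says what to pass. `IMAGE_TAG_LATEST` and `ECR_IMAGE_LATEST` are also misnamed now that the tag no longer ends in `-latest`; renaming them to `IMAGE_TAG` and `ECR_IMAGE` would avoid confusion with a floating tag.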
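Review bot: The base image passed to `docker.sh` in the `lambda-build` script is a mutable `:latest` tag, so two builds of the same commit can ship different base layers and the `${SHORT_SHA}` image tag no longer identifies what is deployed. Pin the reference by digest, e.g. `ghcr.io/nhsdigital/nhs-notify/letter-renderer-node-22@sha256:<digest-placeholder>`, and bump it deliberately (a dependency-update bot can do this). The `ARG BASE_IMAGE` default in the Dockerfile carries the same floating tag.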
@@ -11,7 +11,7 @@ chmod +x ./build.sh AWS_REGION="${AWS_REGION:-eu-west-2}" ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" CSI="nhs-notify-${ENVIRONMENT}" -LAMBDA_NAME="${LAMBDA_NAME:-$(basename $(cd "$(dirname "$0")/.." && pwd))}" +LAMBDA_NAME="${LAMBDA_NAME:-$(basename "$(cd "$(dirname "$0")" && pwd)")}" SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" GHCR_LOGIN_USER="${GITHUB_ACTOR:-}" GHCR_LOGIN_TOKEN="${GITHUB_TOKEN:-}" From 423baec740bac5bf11fb4009c002458bde9db460 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 11:02:27 +0000 Subject: [PATCH 24/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index cfb08a6f0..476264275 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -10,11 +10,11 @@ npm ci npm run generate-dependencies --workspaces --if-present -export AWS_REGION="${AWS_REGION:-${TF_VAR_region:-}}" -export AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-${TF_VAR_aws_account_id:-}}" -export ECR_REPO="${ECR_REPO:-${TF_VAR_container_lambda_ecr_repo:-nhs-notify-main-acct}}" -export CSI="${CSI:-${TF_VAR_project:-}-${TF_VAR_environment:-}}" -export SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" +export AWS_REGION="${TF_VAR_region}" +export AWS_ACCOUNT_ID="${TF_VAR_aws_account_id}" +export ECR_REPO="${TF_VAR_container_lambda_ecr_repo}" +export CSI="${TF_VAR_project}-${TF_VAR_environment}" +export SHORT_SHA="$(git rev-parse --short HEAD)" export TF_VAR_letter_preview_renderer_image_tag="${TF_VAR_letter_preview_renderer_image_tag:-${CSI}-letter-preview-renderer-${SHORT_SHA}}" echo "TF_VAR_letter_preview_renderer_image_tag: $TF_VAR_letter_preview_renderer_image_tag" From c58ab932ae2beed600c0ea831acb89efc8d322be Mon Sep 17 00:00:00 2001 
From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 11:11:55 +0000 Subject: [PATCH 25/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index 476264275..6c2b5cb4b 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -11,10 +11,15 @@ npm ci npm run generate-dependencies --workspaces --if-present export AWS_REGION="${TF_VAR_region}" +echo "AWS_REGION: $AWS_REGION" export AWS_ACCOUNT_ID="${TF_VAR_aws_account_id}" +echo "AWS_ACCOUNT_ID: $AWS_ACCOUNT_ID" export ECR_REPO="${TF_VAR_container_lambda_ecr_repo}" +echo "ECR_REPO: $ECR_REPO" export CSI="${TF_VAR_project}-${TF_VAR_environment}" +echo "CSI: $CSI" export SHORT_SHA="$(git rev-parse --short HEAD)" +echo "SHORT_SHA: $SHORT_SHA" export TF_VAR_letter_preview_renderer_image_tag="${TF_VAR_letter_preview_renderer_image_tag:-${CSI}-letter-preview-renderer-${SHORT_SHA}}" echo "TF_VAR_letter_preview_renderer_image_tag: $TF_VAR_letter_preview_renderer_image_tag" From a549f4f928684abf985170b5b586e084da1d5bcc Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 11:23:27 +0000 Subject: [PATCH 26/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 16 +++------------- lambdas/letter-preview-renderer/docker.sh | 2 ++ 2 files changed, 5 insertions(+), 13 deletions(-) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index 6c2b5cb4b..2beccff04 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh 
@@ -10,19 +10,9 @@ npm ci npm run generate-dependencies --workspaces --if-present -export AWS_REGION="${TF_VAR_region}" -echo "AWS_REGION: $AWS_REGION" -export AWS_ACCOUNT_ID="${TF_VAR_aws_account_id}" -echo "AWS_ACCOUNT_ID: $AWS_ACCOUNT_ID" -export ECR_REPO="${TF_VAR_container_lambda_ecr_repo}" -echo "ECR_REPO: $ECR_REPO" -export CSI="${TF_VAR_project}-${TF_VAR_environment}" -echo "CSI: $CSI" -export SHORT_SHA="$(git rev-parse --short HEAD)" -echo "SHORT_SHA: $SHORT_SHA" - -export TF_VAR_letter_preview_renderer_image_tag="${TF_VAR_letter_preview_renderer_image_tag:-${CSI}-letter-preview-renderer-${SHORT_SHA}}" -echo "TF_VAR_letter_preview_renderer_image_tag: $TF_VAR_letter_preview_renderer_image_tag" +# export CSI="${CSI:-${TF_VAR_project:-}-${TF_VAR_environment:-}}" +# export SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" +# export TF_VAR_letter_preview_renderer_image_tag="${TF_VAR_letter_preview_renderer_image_tag:-${CSI}-letter-preview-renderer-${SHORT_SHA}}" npm run lambda-build --workspaces --if-present diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 4b0f2beba..6271b179b 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -60,3 +60,5 @@ docker build \ # Push the image tag to ECR. The Terraform configuration will reference this tag for the lambda image. docker push "${ECR_IMAGE_LATEST}" + +export TF_VAR_letter_preview_renderer_image_tag="${ECR_IMAGE_LATEST}" From 9e1f13c90d0c520f4f0c0fc4b7f3f0e04113738c Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 11:38:49 +0000 Subject: [PATCH 27/50] CCM-14149: Letter Preview Placeholder --- .../app/module_letter_preview_renderer_lambda.tf | 2 +- infrastructure/terraform/components/app/pre.sh | 4 +--- lambdas/letter-preview-renderer/docker.sh | 7 ++----- 3 files changed, 4 insertions(+), 9 deletions(-) 
diff --git a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf index daf37bfff..1fcd1ab99 100644 --- a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf +++ b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf @@ -14,7 +14,7 @@ module "letter_preview_renderer_lambda" { kms_key_arn = module.kms.key_arn package_type = "Image" - image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.container_lambda_ecr_repo}:${var.letter_preview_renderer_image_tag}" + image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.container_lambda_ecr_repo}:${var.project}-${var.environment}-letter_preview_renderer-${var.short_sha}" image_repository_names = [var.container_lambda_ecr_repo] memory = 1024 diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index 2beccff04..9cbf69f09 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -10,9 +10,7 @@ npm ci npm run generate-dependencies --workspaces --if-present -# export CSI="${CSI:-${TF_VAR_project:-}-${TF_VAR_environment:-}}" -# export SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" -# export TF_VAR_letter_preview_renderer_image_tag="${TF_VAR_letter_preview_renderer_image_tag:-${CSI}-letter-preview-renderer-${SHORT_SHA}}" +export TF_VAR_SHORT_SHA="$(git rev-parse --short HEAD)" npm run lambda-build --workspaces --if-present diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 6271b179b..37c47d064 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh 
@@ -7,14 +7,13 @@ set -euo pipefail chmod +x ./build.sh ./build.sh -: "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID is required}" AWS_REGION="${AWS_REGION:-eu-west-2}" ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" CSI="nhs-notify-${ENVIRONMENT}" LAMBDA_NAME="${LAMBDA_NAME:-$(basename "$(cd "$(dirname "$0")" && pwd)")}" SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" -GHCR_LOGIN_USER="${GITHUB_ACTOR:-}" -GHCR_LOGIN_TOKEN="${GITHUB_TOKEN:-}" +GHCR_LOGIN_USER="${GITHUB_ACTOR}" +GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}" # Ensure required AWS/ECR configuration is present. echo "AWS_ACCOUNT_ID: ${AWS_ACCOUNT_ID:-}" @@ -60,5 +59,3 @@ docker build \ # Push the image tag to ECR. The Terraform configuration will reference this tag for the lambda image. docker push "${ECR_IMAGE_LATEST}" - -export TF_VAR_letter_preview_renderer_image_tag="${ECR_IMAGE_LATEST}" From 160c889c61562f52d5f90da19629e92bc34b59aa Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 11:44:42 +0000 Subject: [PATCH 28/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/README.md | 2 +- infrastructure/terraform/components/app/variables.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/infrastructure/terraform/components/app/README.md b/infrastructure/terraform/components/app/README.md index 318f8932c..e12bc6ae5 100644 --- a/infrastructure/terraform/components/app/README.md +++ b/infrastructure/terraform/components/app/README.md 
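Review bot: Removing `: "${AWS_ACCOUNT_ID:?AWS_ACCOUNT_ID is required}"` leaves docker.sh with no fail-fast check on the account id. The comment `# Ensure required AWS/ECR configuration is present.` now sits above lines that only echo the values. `set -u` still stops on an unset variable at first use, but a set-but-empty value gets through and would produce a registry host with no account prefix for the ECR login and the image reference. I would keep the `:?` guard. The hunk also makes `GITHUB_ACTOR` and `GITHUB_TOKEN` mandatory under `set -u`, which looks like it would stop runs outside GitHub Actions; if that is intended, `GHCR_LOGIN_USER="${GITHUB_ACTOR:?GITHUB_ACTOR is required}"` says so.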
@@ -38,7 +38,6 @@ | [external\_email\_domain](#input\_external\_email\_domain) | Externally managed domain used to create an SES identity for sending emails from. Validation DNS records will need to be manually configured in the DNS provider. | `string` | `null` | no | | [group](#input\_group) | The group variables are being inherited from (often synonymous with account short-name) | `string` | n/a | yes | | [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no | -| [letter\_preview\_renderer\_image\_tag](#input\_letter\_preview\_renderer\_image\_tag) | Full ECR image tag for the letter-preview-renderer container image (e.g. -letter-preview-renderer--latest) | `string` | n/a | yes | | [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment |
map(object({
email_addresses = list(string)
enable_polling = bool
default_supplier = optional(bool)
}))
| `{}` | no | | [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no | | [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes | @@ -46,6 +45,7 @@ | [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes | | [region](#input\_region) | The AWS Region | `string` | n/a | yes | | [retention\_period](#input\_retention\_period) | Backup Vault Retention Period | `number` | `31` | no | +| [short\_sha](#input\_short\_sha) | Short SHA of the commit used to identify the lambda image tag. This is expected to be set from CI variables and not committed to any codebase | `string` | n/a | yes | | [url\_prefix](#input\_url\_prefix) | The url prefix to use for the deployed branch | `string` | `"main"` | no | ## Modules diff --git a/infrastructure/terraform/components/app/variables.tf b/infrastructure/terraform/components/app/variables.tf index 659e762f9..844025691 100644 --- a/infrastructure/terraform/components/app/variables.tf +++ b/infrastructure/terraform/components/app/variables.tf @@ -179,9 +179,9 @@ variable "container_lambda_ecr_repo" { default = "nhs-notify-main-acct" } -variable "letter_preview_renderer_image_tag" { +variable "short_sha" { type = string - description = "Full ECR image tag for the letter-preview-renderer container image (e.g. -letter-preview-renderer--latest)" + description = "Short SHA of the commit used to identify the lambda image tag. This is expected to be set from CI variables and not committed to any codebase" } variable "data_plane_bus_arn" { From 23b4e8f38f29545fcd9edaddfa6dea28956ab767 Mon Sep 17 00:00:00 2001 
From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 11:50:44 +0000 Subject: [PATCH 29/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index 9cbf69f09..368381299 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -10,7 +10,7 @@ npm ci npm run generate-dependencies --workspaces --if-present -export TF_VAR_SHORT_SHA="$(git rev-parse --short HEAD)" +export TF_VAR_short_sha="$(git rev-parse --short HEAD)" npm run lambda-build --workspaces --if-present From c6945f2d2fca20af33d969b31aba41ed8c67ea57 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 11:55:21 +0000 Subject: [PATCH 30/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/README.md | 2 +- infrastructure/terraform/components/app/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/infrastructure/terraform/components/app/README.md b/infrastructure/terraform/components/app/README.md index e12bc6ae5..d8400b69f 100644 --- a/infrastructure/terraform/components/app/README.md +++ b/infrastructure/terraform/components/app/README.md 
@@ -45,7 +45,7 @@ | [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes | | [region](#input\_region) | The AWS Region | `string` | n/a | yes | | [retention\_period](#input\_retention\_period) | Backup Vault Retention Period | `number` | `31` | no | -| [short\_sha](#input\_short\_sha) | Short SHA of the commit used to identify the lambda image tag. This is expected to be set from CI variables and not committed to any codebase | `string` | n/a | yes | +| [short\_sha](#input\_short\_sha) | Short SHA of the commit used to identify the lambda image tag. This is expected to be set by pre.sh at deploy time using git rev-parse --short HEAD | `string` | n/a | yes | | [url\_prefix](#input\_url\_prefix) | The url prefix to use for the deployed branch | `string` | `"main"` | no | ## Modules diff --git a/infrastructure/terraform/components/app/variables.tf b/infrastructure/terraform/components/app/variables.tf index 844025691..57be585f3 100644 --- a/infrastructure/terraform/components/app/variables.tf +++ b/infrastructure/terraform/components/app/variables.tf @@ -181,7 +181,7 @@ variable "container_lambda_ecr_repo" { variable "short_sha" { type = string - description = "Short SHA of the commit used to identify the lambda image tag. This is expected to be set from CI variables and not committed to any codebase" + description = "Short SHA of the commit used to identify the lambda image tag. This is expected to be set by pre.sh at deploy time using git rev-parse --short HEAD" } variable "data_plane_bus_arn" { From 39f9182636db4bf58915ef4fe26e1f1aedd61467 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 12:10:21 +0000 Subject: [PATCH 31/50] CCM-14149: Letter Preview Placeholder --- .../components/app/module_letter_preview_renderer_lambda.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf index 1fcd1ab99..1a0574c9d 100644 --- a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf +++ b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf @@ -14,7 +14,7 @@ module "letter_preview_renderer_lambda" { kms_key_arn = module.kms.key_arn package_type = "Image" - image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.container_lambda_ecr_repo}:${var.project}-${var.environment}-letter_preview_renderer-${var.short_sha}" + image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.container_lambda_ecr_repo}:${var.project}-${var.environment}-letter-preview-renderer-${var.short_sha}" image_repository_names = [var.container_lambda_ecr_repo] memory = 1024 From e413d8d6d26f499c1efef1b4d6a95a809fcf6afc Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 12:32:44 +0000 Subject: [PATCH 32/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 5 +++++ lambdas/letter-preview-renderer/docker.sh | 8 +++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index 368381299..7a6d94c60 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -12,6 +12,11 @@ npm run generate-dependencies --workspaces --if-present export TF_VAR_short_sha="$(git rev-parse --short HEAD)" +if [ "$TF_ACTION" = "apply" ]; then + export PUBLISH_LAMBDA_IMAGE="true" +fi + + npm run lambda-build --workspaces --if-present lambdas/layers/pdfjs/build.sh diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 37c47d064..bb7c54b6d 100755 
--- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -58,4 +58,10 @@ docker build \ . # Push the image tag to ECR. The Terraform configuration will reference this tag for the lambda image. -docker push "${ECR_IMAGE_LATEST}" +if [ "${PUBLISH_LAMBDA_IMAGE:-false}" = "true" ]; then + echo "Pushing Docker image to ECR: ${ECR_IMAGE_LATEST}" + docker push "${ECR_IMAGE_LATEST}" +else + echo "PUBLISH_LAMBDA_IMAGE is not set to true (we are most likely running in the context of a TF Plan). Skipping Docker push." + exit 0 +fi From c1c1863a6e56ae2959edb4171ef33200d7f25315 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 12:34:42 +0000 Subject: [PATCH 33/50] CCM-14149: Letter Preview Placeholder --- .../components/acct/ecr_repository_main.tf | 63 ------------------- 1 file changed, 63 deletions(-) diff --git a/infrastructure/terraform/components/acct/ecr_repository_main.tf b/infrastructure/terraform/components/acct/ecr_repository_main.tf index ece9da713..369ffcb6a 100644 --- a/infrastructure/terraform/components/acct/ecr_repository_main.tf +++ b/infrastructure/terraform/components/acct/ecr_repository_main.tf 
@@ -11,66 +11,3 @@ resource "aws_ecr_repository" "main" { scan_on_push = true } } - -data "aws_iam_policy_document" "ecr_lambda_pull" { - statement { - sid = "AllowLambdaPull" - effect = "Allow" - - principals { - type = "Service" - identifiers = ["lambda.amazonaws.com"] - } - - actions = [ - "ecr:BatchCheckLayerAvailability", - "ecr:BatchGetImage", - "ecr:GetDownloadUrlForLayer", - ] - - condition { - test = "StringEquals" - variable = "aws:SourceAccount" - values = [var.aws_account_id] - } - } -} - -resource "aws_ecr_repository_policy" "main" { - repository = aws_ecr_repository.main.name - policy = data.aws_iam_policy_document.ecr_lambda_pull.json -} - -resource "aws_ecr_lifecycle_policy" "main" { - repository = aws_ecr_repository.main.name - - policy = jsonencode({ - rules = [ - { - rulePriority = 1 - description = "Retain last 30 tagged images" - selection = { - tagStatus = "tagged" - countType = "imageCountMoreThan" - countNumber = 30 - } - action = { - type = "expire" - } - }, - { - rulePriority = 2 - description = "Expire untagged images older than 7 days" - selection = { - tagStatus = "untagged" - countType = "sinceImagePushed" - countUnit = "days" - countNumber = 7 - } - action = { - type = "expire" - } - } - ] - }) -} From 37701774d528b18aa62e2eb8f91ea3de32a4604e Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 13:00:06 +0000 Subject: [PATCH 34/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 4 +++- lambdas/letter-preview-renderer/docker.sh | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index 7a6d94c60..41a956e1c 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh 
@@ -13,10 +13,12 @@ npm run generate-dependencies --workspaces --if-present export TF_VAR_short_sha="$(git rev-parse --short HEAD)" if [ "$TF_ACTION" = "apply" ]; then + echo "Setting PUBLISH_LAMBDA_IMAGE to true for apply action" export PUBLISH_LAMBDA_IMAGE="true" +else + echo "Not setting PUBLISH_LAMBDA_IMAGE for non-apply action (e.g. plan)" fi - npm run lambda-build --workspaces --if-present lambdas/layers/pdfjs/build.sh diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index bb7c54b6d..7fb96b923 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -57,9 +57,9 @@ docker build \ -t "${ECR_IMAGE_LATEST}" \ . -# Push the image tag to ECR. The Terraform configuration will reference this tag for the lambda image. +# Push the image tag to ECR on apply only. The Terraform configuration will reference this tag for the lambda image. if [ "${PUBLISH_LAMBDA_IMAGE:-false}" = "true" ]; then - echo "Pushing Docker image to ECR: ${ECR_IMAGE_LATEST}" + echo "PUBLISH_LAMBDA_IMAGE is set to true. Pushing Docker image to ECR: ${ECR_IMAGE_LATEST}" docker push "${ECR_IMAGE_LATEST}" else echo "PUBLISH_LAMBDA_IMAGE is not set to true (we are most likely running in the context of a TF Plan). Skipping Docker push." From 7c7536364fcfd57c2bcf818c0d796cf5b4dd8680 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 13:46:37 +0000 Subject: [PATCH 35/50] CCM-14149: Letter Preview Placeholder --- .../terraform/components/app/README.md | 2 +- .../module_letter_preview_renderer_lambda.tf | 2 +- .../terraform/components/app/pre.sh | 21 ++++++++++++++++++- .../terraform/components/app/variables.tf | 4 ++-- 4 files changed, 24 insertions(+), 5 deletions(-) diff --git a/infrastructure/terraform/components/app/README.md b/infrastructure/terraform/components/app/README.md index d8400b69f..3a66b3343 100644 --- a/infrastructure/terraform/components/app/README.md 
+++ b/infrastructure/terraform/components/app/README.md @@ -37,6 +37,7 @@ | [event\_delivery\_logging\_success\_sample\_percentage](#input\_event\_delivery\_logging\_success\_sample\_percentage) | Enable caching of events to an S3 bucket | `number` | `0` | no | | [external\_email\_domain](#input\_external\_email\_domain) | Externally managed domain used to create an SES identity for sending emails from. Validation DNS records will need to be manually configured in the DNS provider. | `string` | `null` | no | | [group](#input\_group) | The group variables are being inherited from (often synonymous with account short-name) | `string` | n/a | yes | +| [image\_tag\_suffix](#input\_image\_tag\_suffix) | The short SHA or Release Tag to append to the container lambda image tag | `string` | n/a | yes | | [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no | | [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment |
map(object({
email_addresses = list(string)
enable_polling = bool
default_supplier = optional(bool)
}))
| `{}` | no | | [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no | @@ -45,7 +46,6 @@ | [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes | | [region](#input\_region) | The AWS Region | `string` | n/a | yes | | [retention\_period](#input\_retention\_period) | Backup Vault Retention Period | `number` | `31` | no | -| [short\_sha](#input\_short\_sha) | Short SHA of the commit used to identify the lambda image tag. This is expected to be set by pre.sh at deploy time using git rev-parse --short HEAD | `string` | n/a | yes | | [url\_prefix](#input\_url\_prefix) | The url prefix to use for the deployed branch | `string` | `"main"` | no | ## Modules diff --git a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf index 1a0574c9d..a3a3c2a1d 100644 --- a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf +++ b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf @@ -14,7 +14,7 @@ module "letter_preview_renderer_lambda" { kms_key_arn = module.kms.key_arn package_type = "Image" - image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.container_lambda_ecr_repo}:${var.project}-${var.environment}-letter-preview-renderer-${var.short_sha}" + image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.container_lambda_ecr_repo}:${var.project}-${var.environment}-letter-preview-renderer-${var.image_tag_suffix}" image_repository_names = [var.container_lambda_ecr_repo] memory = 1024 diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index 41a956e1c..b02e846a2 100755 --- a/infrastructure/terraform/components/app/pre.sh 
+++ b/infrastructure/terraform/components/app/pre.sh @@ -10,7 +10,26 @@ npm ci npm run generate-dependencies --workspaces --if-present -export TF_VAR_short_sha="$(git rev-parse --short HEAD)" + +echo "Checking if current commit is a tag..." +GIT_TAG="$(git describe --tags --exact-match 2>/dev/null || true)" +if [ -n "$GIT_TAG" ]; then + echo "On tag: $GIT_TAG, exporting TF_VAR_image_tag_suffix as tag" + export TF_VAR_image_tag_suffix="$GIT_TAG" +else + SHORT_SHA="$(git rev-parse --short HEAD)" + echo "Not on a tag, exporting TF_VAR_image_tag_suffix as short SHA: $SHORT_SHA" + export TF_VAR_image_tag_suffix="$SHORT_SHA" +fi + +echo "Checking if TF_ACTION is 'apply' to set PUBLISH_LAMBDA_IMAGE..." +if [ "$TF_ACTION" = "apply" ]; then + echo "Setting PUBLISH_LAMBDA_IMAGE to true for apply action" + export PUBLISH_LAMBDA_IMAGE="true" +else + echo "Not setting PUBLISH_LAMBDA_IMAGE for non-apply action (e.g. plan)" +fi + if [ "$TF_ACTION" = "apply" ]; then echo "Setting PUBLISH_LAMBDA_IMAGE to true for apply action" diff --git a/infrastructure/terraform/components/app/variables.tf b/infrastructure/terraform/components/app/variables.tf index 57be585f3..e6f8f9bb6 100644 --- a/infrastructure/terraform/components/app/variables.tf +++ b/infrastructure/terraform/components/app/variables.tf @@ -179,9 +179,9 @@ variable "container_lambda_ecr_repo" { default = "nhs-notify-main-acct" } -variable "short_sha" { +variable "image_tag_suffix" { type = string - description = "Short SHA of the commit used to identify the lambda image tag. This is expected to be set by pre.sh at deploy time using git rev-parse --short HEAD" + description = "The short SHA or Release Tag to append to the container lambda image tag" } variable "data_plane_bus_arn" { From 910f74b1ce0529fbebf4c3f0a787baa872952b36 Mon Sep 17 00:00:00 2001 
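Review bot: `export TF_VAR_image_tag_suffix="$GIT_TAG"` in the pre.sh hunk puts a git tag name verbatim into the container image tag, but git accepts characters an image tag does not (for example `/` or `+`). Image tags are limited to 128 characters drawn from letters, digits, `_`, `.` and `-`, so a tag such as `release/1.2` (constructed example) would fail later at `docker build -t` or in the Terraform `image_uri`. Checking before the export fails earlier and more clearly: `printf '%s' "$GIT_TAG" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$' || { echo "git tag not usable as image tag: $GIT_TAG" >&2; exit 1; }`. A matching `validation` block on `variable "image_tag_suffix"` would catch it at plan time as well. Separately, the added `TF_ACTION` block duplicates the existing one that follows it as context, so `PUBLISH_LAMBDA_IMAGE` is set and logged twice; one copy can go.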
From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 14:26:05 +0000 Subject: [PATCH 36/50] CCM-14149: Template Management Support Container Builds --- lambdas/letter-preview-renderer/docker.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 7fb96b923..360f82efd 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -9,9 +9,9 @@ chmod +x ./build.sh AWS_REGION="${AWS_REGION:-eu-west-2}" ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" -CSI="nhs-notify-${ENVIRONMENT}" +CSI="nhs-notify-${ENVIRONMENT}-${COMPONENT}" LAMBDA_NAME="${LAMBDA_NAME:-$(basename "$(cd "$(dirname "$0")" && pwd)")}" -SHORT_SHA="${SHORT_SHA:-$(git rev-parse --short HEAD)}" +IMAGE_TAG_SUFFIX="${TF_VAR_image_tag_suffix}" GHCR_LOGIN_USER="${GITHUB_ACTOR}" GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}" @@ -22,7 +22,7 @@ echo "ECR_REPO: ${ECR_REPO:-}" echo "ENVIRONMENT: ${ENVIRONMENT:-}" echo "CSI: ${CSI:-}" echo "LAMBDA_NAME: ${LAMBDA_NAME:-}" -echo "SHORT_SHA: ${SHORT_SHA:-}" +echo "IMAGE_TAG_SUFFIX: ${IMAGE_TAG_SUFFIX:-}" echo "GHCR_LOGIN_USER: ${GHCR_LOGIN_USER:-}" echo "GHCR_LOGIN_TOKEN: ${GHCR_LOGIN_TOKEN:-}" @@ -41,7 +41,7 @@ fi # Resolve git references for image tags. # Namespace tag by CSI and lambda name to avoid cross-environment collisions. -IMAGE_TAG_LATEST="${CSI}-${LAMBDA_NAME}-${SHORT_SHA}" +IMAGE_TAG_LATEST="${CSI}-${LAMBDA_NAME}-${IMAGE_TAG_SUFFIX}" # Compose the full ECR image references. ECR_REPO_URI="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}" @@ -51,7 +51,7 @@ ECR_IMAGE_LATEST="${ECR_REPO_URI}:${IMAGE_TAG_LATEST}" BASE_IMAGE_ARG="$1" # Build and tag the Docker image for the lambda. -docker build \ +docker buildx build \ -f docker/lambda/Dockerfile \ --build-arg BASE_IMAGE="${BASE_IMAGE_ARG}" \ -t "${ECR_IMAGE_LATEST}" \ From c90ae613b0a8c4c6c6af7e4c1b12928bfe4ac1d9 Mon Sep 17 00:00:00 2001 
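Review bot: The last docker.sh hunk switches to `docker buildx build` without `--load`, so the image reaches the local image store only when the builder uses the default `docker` driver. With a `docker-container` builder (possibly what CI uses; not visible here) the result stays in the build cache and the later `docker push "${ECR_IMAGE_LATEST}"` has nothing to push. Adding `--load \` after `docker buildx build \` keeps the build-then-conditional-push flow working on either driver. The push block that consumes the image is outside this hunk.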
From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 14:27:49 +0000 Subject: [PATCH 37/50] CCM-14149: Letter Preview Placeholder --- .../app/module_letter_preview_renderer_lambda.tf | 2 +- lambdas/letter-preview-renderer/docker.sh | 11 +++++------ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf index a3a3c2a1d..7ecb8ec07 100644 --- a/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf +++ b/infrastructure/terraform/components/app/module_letter_preview_renderer_lambda.tf @@ -14,7 +14,7 @@ module "letter_preview_renderer_lambda" { kms_key_arn = module.kms.key_arn package_type = "Image" - image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.container_lambda_ecr_repo}:${var.project}-${var.environment}-letter-preview-renderer-${var.image_tag_suffix}" + image_uri = "${var.aws_account_id}.dkr.ecr.${var.region}.amazonaws.com/${var.container_lambda_ecr_repo}:${var.project}-${var.environment}-${var.component}-letter-preview-renderer-${var.image_tag_suffix}" image_repository_names = [var.container_lambda_ecr_repo] memory = 1024 diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 360f82efd..372b98a62 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh 
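Review bot: The tag in `image_uri` is now assembled from `var.project`, `var.environment` and `var.component`, while docker.sh builds the tag it pushes from a hard-coded `nhs-notify-${ENVIRONMENT}-${COMPONENT}` prefix. The two agree only while `var.project` is `nhs-notify` and the shell variables carry the same values as the Terraform ones. Earlier commits in this series already had to fix a mismatch of this kind (`letter_preview_renderer` against `letter-preview-renderer`); composing the tag once in pre.sh and handing the same string to both sides would remove that class of error. The reference is also by tag rather than digest, so unless the ECR repository sets `image_tag_mutability = "IMMUTABLE"` (not visible in this diff) a re-push under the same tag changes the tag's contents while the plan shows no difference. The module block starts and ends outside this hunk.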
@@ -41,12 +41,11 @@ fi # Resolve git references for image tags. # Namespace tag by CSI and lambda name to avoid cross-environment collisions. -IMAGE_TAG_LATEST="${CSI}-${LAMBDA_NAME}-${IMAGE_TAG_SUFFIX}" +IMAGE_TAG="${CSI}-${LAMBDA_NAME}-${IMAGE_TAG_SUFFIX}" # Compose the full ECR image references. ECR_REPO_URI="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}" -ECR_IMAGE_LATEST="${ECR_REPO_URI}:${IMAGE_TAG_LATEST}" - +ECR_IMAGE="${ECR_REPO_URI}:${IMAGE_TAG}" # Use only the first input argument for BASE_IMAGE_ARG (no fallback) BASE_IMAGE_ARG="$1" @@ -54,13 +53,13 @@ BASE_IMAGE_ARG="$1" docker buildx build \ -f docker/lambda/Dockerfile \ --build-arg BASE_IMAGE="${BASE_IMAGE_ARG}" \ - -t "${ECR_IMAGE_LATEST}" \ + -t "${ECR_IMAGE}" \ . # Push the image tag to ECR on apply only. The Terraform configuration will reference this tag for the lambda image. if [ "${PUBLISH_LAMBDA_IMAGE:-false}" = "true" ]; then - echo "PUBLISH_LAMBDA_IMAGE is set to true. Pushing Docker image to ECR: ${ECR_IMAGE_LATEST}" - docker push "${ECR_IMAGE_LATEST}" + echo "PUBLISH_LAMBDA_IMAGE is set to true. Pushing Docker image to ECR: ${ECR_IMAGE}" + docker push "${ECR_IMAGE}" else echo "PUBLISH_LAMBDA_IMAGE is not set to true (we are most likely running in the context of a TF Plan). Skipping Docker push." exit 0 From c3f5ff4656cf12ee8493987046bdbb2bf9bf52c1 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 14:28:43 +0000 Subject: [PATCH 38/50] CCM-14149: Letter Preview Placeholder --- lambdas/letter-preview-renderer/docker.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 372b98a62..d7c4e6076 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh 
@@ -20,6 +20,7 @@ echo "AWS_ACCOUNT_ID: ${AWS_ACCOUNT_ID:-}" echo "AWS_REGION: ${AWS_REGION:-}" echo "ECR_REPO: ${ECR_REPO:-}" echo "ENVIRONMENT: ${ENVIRONMENT:-}" +echo "COMPONENT: ${COMPONENT:-}" echo "CSI: ${CSI:-}" echo "LAMBDA_NAME: ${LAMBDA_NAME:-}" echo "IMAGE_TAG_SUFFIX: ${IMAGE_TAG_SUFFIX:-}" From c96205601180937eefd6c433ef70b7d5bd639bcb Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 14:41:14 +0000 Subject: [PATCH 39/50] CCM-14149: Letter Preview Placeholder --- lambdas/letter-preview-renderer/docker.sh | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index d7c4e6076..b9e0c937e 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh 
@@ -7,25 +7,26 @@ set -euo pipefail chmod +x ./build.sh ./build.sh + AWS_REGION="${AWS_REGION:-eu-west-2}" -ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" CSI="nhs-notify-${ENVIRONMENT}-${COMPONENT}" -LAMBDA_NAME="${LAMBDA_NAME:-$(basename "$(cd "$(dirname "$0")" && pwd)")}" -IMAGE_TAG_SUFFIX="${TF_VAR_image_tag_suffix}" -GHCR_LOGIN_USER="${GITHUB_ACTOR}" +ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}" +GHCR_LOGIN_USER="${GITHUB_ACTOR}" +IMAGE_TAG_SUFFIX="${TF_VAR_image_tag_suffix}" +LAMBDA_NAME="${LAMBDA_NAME:-$(basename "$(cd "$(dirname "$0")" && pwd)")}" # Ensure required AWS/ECR configuration is present. echo "AWS_ACCOUNT_ID: ${AWS_ACCOUNT_ID:-}" echo "AWS_REGION: ${AWS_REGION:-}" -echo "ECR_REPO: ${ECR_REPO:-}" -echo "ENVIRONMENT: ${ENVIRONMENT:-}" echo "COMPONENT: ${COMPONENT:-}" echo "CSI: ${CSI:-}" -echo "LAMBDA_NAME: ${LAMBDA_NAME:-}" -echo "IMAGE_TAG_SUFFIX: ${IMAGE_TAG_SUFFIX:-}" -echo "GHCR_LOGIN_USER: ${GHCR_LOGIN_USER:-}" +echo "ECR_REPO: ${ECR_REPO:-}" +echo "ENVIRONMENT: ${ENVIRONMENT:-}" echo "GHCR_LOGIN_TOKEN: ${GHCR_LOGIN_TOKEN:-}" +echo "GHCR_LOGIN_USER: ${GHCR_LOGIN_USER:-}" +echo "IMAGE_TAG_SUFFIX: ${IMAGE_TAG_SUFFIX:-}" +echo "LAMBDA_NAME: ${LAMBDA_NAME:-}" # Authenticate Docker with AWS ECR using an ephemeral login token. aws ecr get-login-password --region "${AWS_REGION}" | docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}".dkr.ecr."${AWS_REGION}".amazonaws.com From 95c0972cbea0787c1229ed0b520d385ffd896094 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 15:20:54 +0000 Subject: [PATCH 40/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 4 ++++ infrastructure/terraform/components/sandbox/pre.sh | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index b02e846a2..695c0a7cf 100755 --- a/infrastructure/terraform/components/app/pre.sh 
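Review bot: `echo "GHCR_LOGIN_TOKEN: ${GHCR_LOGIN_TOKEN:-}"` writes the GitHub token into the build output; the reorder keeps that line, and it is still present as context in the later docker.sh hunks of this series. CI log masking may hide the value on some runners, but the script should not depend on that, so print only whether it is set: `echo "GHCR_LOGIN_TOKEN: ${GHCR_LOGIN_TOKEN:+<set>}"`. Separately, under `set -euo pipefail` the assignments `GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}"` and `GHCR_LOGIN_USER="${GITHUB_ACTOR}"` abort the script when those variables are unset, which contradicts the script's later "Optionally authenticate" check. Using `${GITHUB_TOKEN:-}` and `${GITHUB_ACTOR:-}` would keep the login optional.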
+++ b/infrastructure/terraform/components/app/pre.sh @@ -39,6 +39,10 @@ else fi npm run lambda-build --workspaces --if-present +if [ $? -ne 0 ]; then + echo "npm run lambda-build failed!" >&2 + exit 1 +fi lambdas/layers/pdfjs/build.sh diff --git a/infrastructure/terraform/components/sandbox/pre.sh b/infrastructure/terraform/components/sandbox/pre.sh index ebec8fafa..cba6d1250 100755 --- a/infrastructure/terraform/components/sandbox/pre.sh +++ b/infrastructure/terraform/components/sandbox/pre.sh @@ -26,6 +26,10 @@ if [ "${ACTION}" == "apply" ]; then npm run generate-dependencies --workspaces --if-present npm run lambda-build --workspaces --if-present + if [ $? -ne 0 ]; then + echo "npm run lambda-build failed!" >&2 + exit 1 + fi lambdas/layers/pdfjs/build.sh else From 32b1939da8b6a2d3edb177393fb5cf58c22b2144 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 15:39:05 +0000 Subject: [PATCH 41/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 9 ++++++--- lambdas/letter-preview-renderer/docker.sh | 3 ++- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index 695c0a7cf..e59c8e474 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -1,5 +1,8 @@ # pre.sh runs in the same shell as terraform.sh, not in a subshell # any variables set or changed, any change of directory will persist once this script exits and returns control to terraform.sh +REGION=$1 +ENVIRONMENT=$2 +ACTION=$3 echo "Running app pre.sh" 
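Review bot: The added `if [ $? -ne 0 ]` check works only while nothing is inserted between it and the `npm run lambda-build` line, and it is never reached if the calling shell runs with `set -e`; testing the command directly is sturdier: `if ! npm run lambda-build --workspaces --if-present; then`. The same pattern is added to infrastructure/terraform/components/sandbox/pre.sh in the next hunk. The header comment of app/pre.sh says it runs in the same shell as terraform.sh, so `exit 1` ends the caller as well; if that is intended, a short comment saying so would help, otherwise use `return 1`. The following `lambdas/layers/pdfjs/build.sh` call has no equivalent check. Both scripts continue outside the hunks.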
@@ -22,8 +25,8 @@ else export TF_VAR_image_tag_suffix="$SHORT_SHA" fi -echo "Checking if TF_ACTION is 'apply' to set PUBLISH_LAMBDA_IMAGE..." -if [ "$TF_ACTION" = "apply" ]; then +echo "Checking if ACTION is 'apply' to set PUBLISH_LAMBDA_IMAGE..." +if [ "$ACTION" = "apply" ]; then echo "Setting PUBLISH_LAMBDA_IMAGE to true for apply action" export PUBLISH_LAMBDA_IMAGE="true" else @@ -31,7 +34,7 @@ else fi -if [ "$TF_ACTION" = "apply" ]; then +if [ "$ACTION" = "apply" ]; then echo "Setting PUBLISH_LAMBDA_IMAGE to true for apply action" export PUBLISH_LAMBDA_IMAGE="true" else diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index b9e0c937e..15266eccd 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -8,7 +8,8 @@ chmod +x ./build.sh ./build.sh -AWS_REGION="${AWS_REGION:-eu-west-2}" +AWS_REGION="${REGION}" +COMPONENT="${COMPONENT}" CSI="nhs-notify-${ENVIRONMENT}-${COMPONENT}" ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}" From b71925bb924f68eb4df088b5a95c9bc384d3f81b Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 15:48:35 +0000 Subject: [PATCH 42/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 5 +++++ lambdas/letter-preview-renderer/docker.sh | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index e59c8e474..6e0961098 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -5,6 +5,11 @@ ENVIRONMENT=$2 ACTION=$3 echo "Running app pre.sh" +echo "REGION=$REGION" +echo "ENVIRONMENT=$ENVIRONMENT" +echo "ACTION=$ACTION" +export TF_REGION="$REGION" +export TF_ENVIRONMENT="$ENVIRONMENT" # change to monorepo root cd $(git rev-parse --show-toplevel) 
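Review bot: After the rename, the `if [ "$ACTION" = "apply" ]` block that exports `PUBLISH_LAMBDA_IMAGE` appears twice in a row (this hunk and the next one, `@@ -31,7 +34,7 @@`); one copy should be removed. The `else` bodies fall outside both hunks, so it is not visible whether they reset the variable. Since pre.sh is sourced and docker.sh pushes whenever `PUBLISH_LAMBDA_IMAGE` is `true`, the non-apply branch should set it explicitly, e.g. `export PUBLISH_LAMBDA_IMAGE="false"`, so that a value inherited from the environment cannot trigger a push during a plan.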
diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 15266eccd..53ac38447 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -7,10 +7,10 @@ set -euo pipefail chmod +x ./build.sh ./build.sh - -AWS_REGION="${REGION}" +# Set Variables. TF_REGION and TF_ENVIRONMENT are set in pre.sh and exported for use here. COMPONENT is passed in the reusable workflow. +AWS_REGION="${TF_REGION}" COMPONENT="${COMPONENT}" -CSI="nhs-notify-${ENVIRONMENT}-${COMPONENT}" +CSI="nhs-notify-${TF_ENVIRONMENT}-${COMPONENT}" ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}" GHCR_LOGIN_USER="${GITHUB_ACTOR}" From 98625887ca6799b20e4fd02a8f6d7921481e6908 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 16:12:56 +0000 Subject: [PATCH 43/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 2 ++ lambdas/letter-preview-renderer/docker.sh | 1 + 2 files changed, 3 insertions(+) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index 6e0961098..ea64642c3 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -10,6 +10,8 @@ echo "ENVIRONMENT=$ENVIRONMENT" echo "ACTION=$ACTION" export TF_REGION="$REGION" export TF_ENVIRONMENT="$ENVIRONMENT" +echo "COMPONENT_NAME=${component_name}" +echo "AWS_ACCOUNT_ID=${aws_account_id}" # change to monorepo root cd $(git rev-parse --show-toplevel) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 53ac38447..0f8e67ea6 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh 
@@ -12,6 +12,7 @@ AWS_REGION="${TF_REGION}" COMPONENT="${COMPONENT}" CSI="nhs-notify-${TF_ENVIRONMENT}-${COMPONENT}" ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" +ENVIRONMENT="${TF_ENVIRONMENT}" GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}" GHCR_LOGIN_USER="${GITHUB_ACTOR}" IMAGE_TAG_SUFFIX="${TF_VAR_image_tag_suffix}" From 5e2d5a37ad0d475447abd76f6290fc89f4cec13f Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 16:29:00 +0000 Subject: [PATCH 44/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 4 ---- lambdas/letter-preview-renderer/docker.sh | 17 +++++++---------- 2 files changed, 7 insertions(+), 14 deletions(-) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index ea64642c3..c02616460 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -8,10 +8,6 @@ echo "Running app pre.sh" echo "REGION=$REGION" echo "ENVIRONMENT=$ENVIRONMENT" echo "ACTION=$ACTION" -export TF_REGION="$REGION" -export TF_ENVIRONMENT="$ENVIRONMENT" -echo "COMPONENT_NAME=${component_name}" -echo "AWS_ACCOUNT_ID=${aws_account_id}" # change to monorepo root cd $(git rev-parse --show-toplevel) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 0f8e67ea6..8cea79827 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh 
@@ -8,30 +8,27 @@ chmod +x ./build.sh ./build.sh # Set Variables. TF_REGION and TF_ENVIRONMENT are set in pre.sh and exported for use here. COMPONENT is passed in the reusable workflow. -AWS_REGION="${TF_REGION}" -COMPONENT="${COMPONENT}" -CSI="nhs-notify-${TF_ENVIRONMENT}-${COMPONENT}" +CSI="${project-name}-${environment}-${component_name}" ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" -ENVIRONMENT="${TF_ENVIRONMENT}" GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}" GHCR_LOGIN_USER="${GITHUB_ACTOR}" IMAGE_TAG_SUFFIX="${TF_VAR_image_tag_suffix}" LAMBDA_NAME="${LAMBDA_NAME:-$(basename "$(cd "$(dirname "$0")" && pwd)")}" # Ensure required AWS/ECR configuration is present. -echo "AWS_ACCOUNT_ID: ${AWS_ACCOUNT_ID:-}" -echo "AWS_REGION: ${AWS_REGION:-}" -echo "COMPONENT: ${COMPONENT:-}" +echo "aws_account_id: ${aws_account_id:-}" +echo "aws_region: ${region:-}" +echo "component_name: ${component_name:-}" echo "CSI: ${CSI:-}" echo "ECR_REPO: ${ECR_REPO:-}" -echo "ENVIRONMENT: ${ENVIRONMENT:-}" +echo "environment: ${environment:-}" echo "GHCR_LOGIN_TOKEN: ${GHCR_LOGIN_TOKEN:-}" echo "GHCR_LOGIN_USER: ${GHCR_LOGIN_USER:-}" echo "IMAGE_TAG_SUFFIX: ${IMAGE_TAG_SUFFIX:-}" echo "LAMBDA_NAME: ${LAMBDA_NAME:-}" # Authenticate Docker with AWS ECR using an ephemeral login token. -aws ecr get-login-password --region "${AWS_REGION}" | docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}".dkr.ecr."${AWS_REGION}".amazonaws.com +aws ecr get-login-password --region "${region}" | docker login --username AWS --password-stdin "${aws_account_id}".dkr.ecr."${region}".amazonaws.com # Optionally authenticate to GitHub Container Registry for base images. if [ -n "${GHCR_LOGIN_USER:-}" ] && [ -n "${GHCR_LOGIN_TOKEN:-}" ]; then 
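Review bot: `CSI="${project-name}-${environment}-${component_name}"` does not read a variable called `project-name`: in shell, `${project-name}` expands to the value of `project`, or to the literal text `name` when `project` is unset, and it does so without tripping `set -u`. The resulting tag would then not match the one Terraform builds from `var.project`; the line should read `CSI="${project}-${environment}-${component_name}"`. The comment above it still says TF_REGION and TF_ENVIRONMENT are exported by pre.sh, but this commit removes those exports, so the comment should name the variables the script actually reads (`project`, `environment`, `component_name`, `region`, `aws_account_id`). The script continues outside the hunk.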
@@ -48,7 +45,7 @@ fi IMAGE_TAG="${CSI}-${LAMBDA_NAME}-${IMAGE_TAG_SUFFIX}" # Compose the full ECR image references. -ECR_REPO_URI="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECR_REPO}" +ECR_REPO_URI="${aws_account_id}.dkr.ecr.${region}.amazonaws.com/${ECR_REPO}" ECR_IMAGE="${ECR_REPO_URI}:${IMAGE_TAG}" # Use only the first input argument for BASE_IMAGE_ARG (no fallback) BASE_IMAGE_ARG="$1" From 885e4ebf2b897e6601a7a93809a4ffe3a3d111a3 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 16:39:11 +0000 Subject: [PATCH 45/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 3 +++ lambdas/letter-preview-renderer/docker.sh | 1 - 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index c02616460..b5816a377 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -8,6 +8,9 @@ echo "Running app pre.sh" echo "REGION=$REGION" echo "ENVIRONMENT=$ENVIRONMENT" echo "ACTION=$ACTION" +echo "component_name=$component_name" +echo "project-name=$project_name" +echo "aws_account_id=$aws_account_id" # change to monorepo root cd $(git rev-parse --show-toplevel) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 8cea79827..6ffbee529 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -40,7 +40,6 @@ if [ -n "${GHCR_LOGIN_USER:-}" ] && [ -n "${GHCR_LOGIN_TOKEN:-}" ]; then fi fi -# Resolve git references for image tags. # Namespace tag by CSI and lambda name to avoid cross-environment collisions. IMAGE_TAG="${CSI}-${LAMBDA_NAME}-${IMAGE_TAG_SUFFIX}" From a2ba8520424d8506aa5a10b4dc90e7e685e373bb Mon Sep 17 00:00:00 2001 
From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 16:44:31 +0000 Subject: [PATCH 46/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 8 +++----- lambdas/letter-preview-renderer/docker.sh | 2 +- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index b5816a377..e30bbacdc 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -1,16 +1,14 @@ # pre.sh runs in the same shell as terraform.sh, not in a subshell # any variables set or changed, any change of directory will persist once this script exits and returns control to terraform.sh -REGION=$1 -ENVIRONMENT=$2 ACTION=$3 echo "Running app pre.sh" -echo "REGION=$REGION" -echo "ENVIRONMENT=$ENVIRONMENT" echo "ACTION=$ACTION" echo "component_name=$component_name" -echo "project-name=$project_name" +echo "project=$project" echo "aws_account_id=$aws_account_id" +echo "environment=$environment" +echo "region=$region" # change to monorepo root cd $(git rev-parse --show-toplevel) diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index 6ffbee529..fe9e590f7 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -8,7 +8,7 @@ chmod +x ./build.sh ./build.sh # Set Variables. TF_REGION and TF_ENVIRONMENT are set in pre.sh and exported for use here. COMPONENT is passed in the reusable workflow. -CSI="${project-name}-${environment}-${component_name}" +CSI="${project}-${environment}-${component_name}" ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}" GHCR_LOGIN_USER="${GITHUB_ACTOR}" From 9ccbb67e9941045c958767dcd3c12f11651f900a Mon Sep 17 00:00:00 2001 
From: jamesthompson26-nhs Date: Wed, 11 Feb 2026 16:55:44 +0000 Subject: [PATCH 47/50] CCM-14149: Letter Preview Placeholder --- infrastructure/terraform/components/app/pre.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index e30bbacdc..36f36fc51 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -1,5 +1,7 @@ # pre.sh runs in the same shell as terraform.sh, not in a subshell # any variables set or changed, any change of directory will persist once this script exits and returns control to terraform.sh +REGION=$1 +ENVIRONMENT=$2 ACTION=$3 echo "Running app pre.sh" @@ -10,6 +12,9 @@ echo "aws_account_id=$aws_account_id" echo "environment=$environment" echo "region=$region" +# Export values so subprocesses (e.g. npm run lambda-build -> docker.sh) can access them. +export component_name project aws_account_id environment region + # change to monorepo root cd $(git rev-parse --show-toplevel) From 1e829d92bde58bff61b237609d01d8a6a5938bee Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Thu, 12 Feb 2026 10:14:16 +0000 Subject: [PATCH 48/50] CCM-14149: Letter Preview Placeholder --- .../components/acct/ecr_repository_main.tf | 63 +++++++++++++++++++ .../terraform/components/app/pre.sh | 8 ++- 2 files changed, 68 insertions(+), 3 deletions(-) diff --git a/infrastructure/terraform/components/acct/ecr_repository_main.tf b/infrastructure/terraform/components/acct/ecr_repository_main.tf index 369ffcb6a..a51974a1c 100644 --- a/infrastructure/terraform/components/acct/ecr_repository_main.tf +++ b/infrastructure/terraform/components/acct/ecr_repository_main.tf 
@@ -11,3 +11,66 @@ resource "aws_ecr_repository" "main" { scan_on_push = true } } + +resource "aws_ecr_lifecycle_policy" "main" { + repository = aws_ecr_repository.main.name + + policy = < Date: Thu, 12 Feb 2026 10:30:58 +0000 Subject: [PATCH 49/50] CCM-14149: Letter Preview Placeholder --- .../terraform/components/app/pre.sh | 3 ++- .../terraform/components/sandbox/pre.sh | 21 +++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/infrastructure/terraform/components/app/pre.sh b/infrastructure/terraform/components/app/pre.sh index 4e1825ee4..42bcfbb9b 100755 --- a/infrastructure/terraform/components/app/pre.sh +++ b/infrastructure/terraform/components/app/pre.sh @@ -22,7 +22,8 @@ npm ci npm run generate-dependencies --workspaces --if-present - +## Set TF_VAR_image_tag_suffix based on git tag or short SHA for unique lambda image tagging in ECR. +#This ensures that each build produces a uniquely identifiable image, and tagged releases are easily traceable. echo "Checking if current commit is a tag..." GIT_TAG="$(git describe --tags --exact-match 2>/dev/null || true)" if [ -n "$GIT_TAG" ]; then diff --git a/infrastructure/terraform/components/sandbox/pre.sh b/infrastructure/terraform/components/sandbox/pre.sh index cba6d1250..aab83e4c5 100755 --- a/infrastructure/terraform/components/sandbox/pre.sh +++ b/infrastructure/terraform/components/sandbox/pre.sh 
@@ -10,11 +10,31 @@ echo "REGION=$REGION" echo "ENVIRONMENT=$ENVIRONMENT" echo "ACTION=$ACTION" +# Export values so subprocesses (e.g. npm run lambda-build -> docker.sh) can access them. +export component_name project aws_account_id environment region + # change to monorepo root cd $(git rev-parse --show-toplevel) +## Set TF_VAR_image_tag_suffix based on git tag or short SHA for unique lambda image tagging in ECR. +## This ensures that each build produces a uniquely identifiable image, and tagged releases are easily traceable. +echo "Checking if current commit is a tag..." +GIT_TAG="$(git describe --tags --exact-match 2>/dev/null || true)" +if [ -n "$GIT_TAG" ]; then + TAGGED="tag-$GIT_TAG" + echo "On tag: $GIT_TAG, exporting TF_VAR_image_tag_suffix as tag: $TAGGED" + export TF_VAR_image_tag_suffix="$TAGGED" + +else + SHORT_SHA="sha-$(git rev-parse --short HEAD)" + echo "Not on a tag, exporting TF_VAR_image_tag_suffix as short SHA: $SHORT_SHA" + export TF_VAR_image_tag_suffix="$SHORT_SHA" +fi + if [ "${ACTION}" == "apply" ]; then echo "Building lambdas for distribution" + echo "Setting PUBLISH_LAMBDA_IMAGE to true for apply action" + export PUBLISH_LAMBDA_IMAGE="true" if [[ -z $SKIP_SANDBOX_INSTALL ]]; then echo "Installing dependencies" @@ -34,6 +54,7 @@ if [ "${ACTION}" == "apply" ]; then lambdas/layers/pdfjs/build.sh else echo "Skipping lambda build for action $ACTION" + echo "Not setting PUBLISH_LAMBDA_IMAGE for non-apply action (e.g. plan)" fi # revert back to original directory From 9f5b224f65c6c97dee8393906a455a0c83891aeb Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Thu, 12 Feb 2026 10:59:49 +0000 Subject: [PATCH 50/50] CCM-14149: Rename Letter Renderer to Libreoffice --- lambdas/letter-preview-renderer/docker.sh | 6 ++++-- lambdas/letter-preview-renderer/package.json | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) 
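Review bot: `TAGGED="tag-$GIT_TAG"` passes the git tag name straight into a container image tag, but git accepts characters that image tags do not (for example `/` and `+`), and the full tag (CSI, lambda name and suffix) has to fit in 128 characters. Normalising the value would avoid a failed `docker buildx build -t` on such a release, e.g. `TAGGED="tag-$(printf '%s' "$GIT_TAG" | tr -c 'A-Za-z0-9_.-' '-')"`. This block is also a copy of the one in infrastructure/terraform/components/app/pre.sh, so the two can drift; a shared sourced helper would keep the suffix logic in one place. The script continues outside the hunk.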
diff --git a/lambdas/letter-preview-renderer/docker.sh b/lambdas/letter-preview-renderer/docker.sh index fe9e590f7..241a815a4 100755 --- a/lambdas/letter-preview-renderer/docker.sh +++ b/lambdas/letter-preview-renderer/docker.sh @@ -7,7 +7,8 @@ set -euo pipefail chmod +x ./build.sh ./build.sh -# Set Variables. TF_REGION and TF_ENVIRONMENT are set in pre.sh and exported for use here. COMPONENT is passed in the reusable workflow. +# Set Variables required for Docker Build. TF_REGION and TF_ENVIRONMENT are set in pre.sh and exported for use here. COMPONENT is passed in the reusable workflow. +BASE_IMAGE="$1" CSI="${project}-${environment}-${component_name}" ECR_REPO="${ECR_REPO:-nhs-notify-main-acct}" GHCR_LOGIN_TOKEN="${GITHUB_TOKEN}" @@ -16,6 +17,7 @@ IMAGE_TAG_SUFFIX="${TF_VAR_image_tag_suffix}" LAMBDA_NAME="${LAMBDA_NAME:-$(basename "$(cd "$(dirname "$0")" && pwd)")}" # Ensure required AWS/ECR configuration is present. +echo "BASE_IMAGE: ${BASE_IMAGE:-}" echo "aws_account_id: ${aws_account_id:-}" echo "aws_region: ${region:-}" echo "component_name: ${component_name:-}" @@ -52,7 +54,7 @@ BASE_IMAGE_ARG="$1" # Build and tag the Docker image for the lambda. docker buildx build \ -f docker/lambda/Dockerfile \ - --build-arg BASE_IMAGE="${BASE_IMAGE_ARG}" \ + --build-arg BASE_IMAGE="${BASE_IMAGE}" \ -t "${ECR_IMAGE}" \ . diff --git a/lambdas/letter-preview-renderer/package.json b/lambdas/letter-preview-renderer/package.json index 333d50993..362d895fe 100644 --- a/lambdas/letter-preview-renderer/package.json +++ b/lambdas/letter-preview-renderer/package.json @@ -13,7 +13,7 @@ "name": "nhs-notify-templates-letter-preview-renderer", "private": true, "scripts": { - "lambda-build": "./docker.sh ghcr.io/nhsdigital/nhs-notify/letter-renderer-node-22:latest", + "lambda-build": "./docker.sh ghcr.io/nhsdigital/nhs-notify/libreoffice-node-22:latest", "lint": "eslint .", "lint:fix": "eslint . --fix", "test:unit": "jest",
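Review bot: `BASE_IMAGE="$1"` is introduced in the first docker.sh hunk, but the heading of the third hunk shows `BASE_IMAGE_ARG="$1"` is still in the file, so the same argument is now assigned twice and the old variable appears to be unused; remove it along with its "(no fallback)" comment. Under `set -euo pipefail` a missing argument fails with a bare "unbound variable" message, and `BASE_IMAGE="${1:?usage: docker.sh BASE_IMAGE}"` would state what is expected. The edited comment still refers to TF_REGION, TF_ENVIRONMENT and COMPONENT, none of which this script reads on the new side of these hunks; it should name `project`, `environment`, `component_name`, `region` and `aws_account_id` instead. The script continues outside the hunks.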
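Review bot: The new base image `ghcr.io/nhsdigital/nhs-notify/libreoffice-node-22:latest` is referenced by a mutable tag, so the contents of the Lambda image depend on whatever `latest` points to when the build runs, and two builds of the same commit can differ. Pinning the reference to a digest (`...libreoffice-node-22@sha256:<digest>`, placeholder) or to a versioned tag makes builds reproducible and turns a base-image change into an explicit, reviewable edit. JSON has no comments, so the pinning policy would need to be documented in docker.sh or the README.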