Release/2024 04 26 (#184)

megan-bower4 · Rohoolio · jaklinger · web-flow · commit 7e0b67baa980 · 2024-05-02T11:19:46.000+01:00
* feature/PI-213-connect_to_ldap squash commits

* feature/PI-315-update_trigger updated update trigger

* feature/PI-315-update_trigger fixed action

* feature/PI-315-update_trigger need to add policy to lambda to allow trigger to work

* feature/PI-315-update_trigger removed policy as the lambda got triggered by sched

* feature/PI-315-update_trigger update make command

* feature/PI-315-update_trigger removed duplicate test

* feature/PI-315-update_trigger removed unnecessary integration test - covered in individual cases

* feature/PI-315-update_trigger removed unnecessary code

* feature/PI-315-update_trigger removed unnecessary code

* Created release branch

* feature/PI-315-update_trigger squash commits

* release/2024-04-26 fixed password logging security issue &amp; updated etl-clear-state to work with persistent envs

* [release/2024-04-26] Fix-forward: filter out people

* [release/2024-04-26] add more person filters

* [release/2024-04-26] move filter to ldap search

* [release/2024-04-26] update readme

* [release/2024-04-26] update our changelog

---------

Co-authored-by: Rowan Gill &lt;rowan.gill1@nhs.net&gt;
Co-authored-by: Joel Klinger &lt;joel.klinger1@nhs.net&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 2024-04-26
+- [PI-315] Update trigger
+- [PI-343] Remove people branch
+
 ## 2024-04-16
 - [PI-311] Smoke tests
 - [PI-213] Connect to LDAP
diff --git a/README.md b/README.md
@@ -271,3 +271,21 @@ Before running the bulk trigger, you need to clear the initial ETL state, do:
 ```
 make etl--clear-state
 ```
+
+Before running the changelog trigger you additionally need to specify a changelog number (ideally close to the true latest changelog number, otherwise the logs will be pretty heavy!)
+
+```
+make etl--clear-state SET_CHANGELOG_NUMBER=540210
+```
+
+You can additionally set the workspace name if you want to clear the state for a given (e.g. persistent) workspace name:
+
+```
+make etl--clear-state WORKSPACE=dev
+```
+
+and
+
+```
+make etl--clear-state WORKSPACE=dev SET_CHANGELOG_NUMBER=540210
+```
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2024.04.16
+2024.04.26
diff --git a/changelog/2024-04-26.md b/changelog/2024-04-26.md
@@ -0,0 +1,2 @@
+- [PI-315] Update trigger
+- [PI-343] Remove people branch
diff --git a/infrastructure/terraform/per_account/dev/parameters/main.tf b/infrastructure/terraform/per_account/dev/parameters/main.tf
@@ -45,3 +45,11 @@ resource "aws_secretsmanager_secret" "sds-hscn-endpoint" {
 resource "aws_secretsmanager_secret" "ldap-host" {
   name = "${terraform.workspace}-ldap-host"
 }
+
+resource "aws_secretsmanager_secret" "ldap-changelog-user" {
+  name = "${terraform.workspace}-ldap-changelog-user"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-password" {
+  name = "${terraform.workspace}-ldap-changelog-password"
+}
diff --git a/infrastructure/terraform/per_account/int/parameters/main.tf b/infrastructure/terraform/per_account/int/parameters/main.tf
@@ -38,3 +38,19 @@ resource "aws_secretsmanager_secret" "apigee-cpm-apikey" {
 resource "aws_secretsmanager_secret" "apigee-app-key" {
   name = "${terraform.workspace}-apigee-app-key"
 }
+
+resource "aws_secretsmanager_secret" "sds-hscn-endpoint" {
+  name = "${terraform.workspace}-sds-hscn-endpoint"
+}
+
+resource "aws_secretsmanager_secret" "ldap-host" {
+  name = "${terraform.workspace}-ldap-host"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-user" {
+  name = "${terraform.workspace}-ldap-changelog-user"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-password" {
+  name = "${terraform.workspace}-ldap-changelog-password"
+}
diff --git a/infrastructure/terraform/per_account/prod/parameters/main.tf b/infrastructure/terraform/per_account/prod/parameters/main.tf
@@ -38,3 +38,19 @@ resource "aws_secretsmanager_secret" "apigee-cpm-apikey" {
 resource "aws_secretsmanager_secret" "apigee-app-key" {
   name = "${terraform.workspace}-apigee-app-key"
 }
+
+resource "aws_secretsmanager_secret" "sds-hscn-endpoint" {
+  name = "${terraform.workspace}-sds-hscn-endpoint"
+}
+
+resource "aws_secretsmanager_secret" "ldap-host" {
+  name = "${terraform.workspace}-ldap-host"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-user" {
+  name = "${terraform.workspace}-ldap-changelog-user"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-password" {
+  name = "${terraform.workspace}-ldap-changelog-password"
+}
diff --git a/infrastructure/terraform/per_account/qa/parameters/main.tf b/infrastructure/terraform/per_account/qa/parameters/main.tf
@@ -38,3 +38,19 @@ resource "aws_secretsmanager_secret" "apigee-cpm-apikey" {
 resource "aws_secretsmanager_secret" "apigee-app-key" {
   name = "${terraform.workspace}-apigee-app-key"
 }
+
+resource "aws_secretsmanager_secret" "sds-hscn-endpoint" {
+  name = "${terraform.workspace}-sds-hscn-endpoint"
+}
+
+resource "aws_secretsmanager_secret" "ldap-host" {
+  name = "${terraform.workspace}-ldap-host"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-user" {
+  name = "${terraform.workspace}-ldap-changelog-user"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-password" {
+  name = "${terraform.workspace}-ldap-changelog-password"
+}
diff --git a/infrastructure/terraform/per_account/ref/parameters/main.tf b/infrastructure/terraform/per_account/ref/parameters/main.tf
@@ -46,3 +46,11 @@ resource "aws_secretsmanager_secret" "sds-hscn-endpoint" {
 resource "aws_secretsmanager_secret" "ldap-host" {
   name = "${terraform.workspace}-ldap-host"
 }
+
+resource "aws_secretsmanager_secret" "ldap-changelog-user" {
+  name = "${terraform.workspace}-ldap-changelog-user"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-password" {
+  name = "${terraform.workspace}-ldap-changelog-password"
+}
diff --git a/infrastructure/terraform/per_workspace/modules/etl/sds/main.tf b/infrastructure/terraform/per_workspace/modules/etl/sds/main.tf
@@ -319,6 +319,12 @@ data "aws_security_groups" "sds-ldap" {
 data "aws_secretsmanager_secret_version" "ldap_host" {
   secret_id = "${var.environment}-ldap-host"
 }
+data "aws_secretsmanager_secret_version" "ldap_changelog_user" {
+  secret_id = "${var.environment}-ldap-changelog-user"
+}
+data "aws_secretsmanager_secret_version" "ldap_changelog_password" {
+  secret_id = "${var.environment}-ldap-changelog-password"
+}
 
 module "trigger_update" {
   source = "./trigger/"
@@ -341,11 +347,13 @@ module "trigger_update" {
     # all compiled dependencies can find each other. Note: this is a hack - and
     # may result in version mismatches between system libs on the lambda. The stable
     # alternative is to run or deploy the service from a container.
-    LD_LIBRARY_PATH   = "/opt/python:/var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib:/opt/lib"
-    TRUSTSTORE_BUCKET = var.truststore_bucket.id
-    CPM_FQDN          = "cpm.thirdparty.nhs.uk"
-    LDAP_HOST         = data.aws_secretsmanager_secret_version.ldap_host.secret_string
-    ETL_BUCKET        = module.bucket.s3_bucket_id
+    LD_LIBRARY_PATH         = "/opt/python:/var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib:/opt/lib"
+    TRUSTSTORE_BUCKET       = var.truststore_bucket.id
+    CPM_FQDN                = "cpm.thirdparty.nhs.uk"
+    LDAP_HOST               = data.aws_secretsmanager_secret_version.ldap_host.secret_string
+    LDAP_CHANGELOG_USER     = data.aws_secretsmanager_secret_version.ldap_changelog_user.secret_string
+    LDAP_CHANGELOG_PASSWORD = data.aws_secretsmanager_secret_version.ldap_changelog_password.secret_string
+    ETL_BUCKET              = module.bucket.s3_bucket_id
   }
 
   vpc_subnet_ids         = data.aws_subnets.lambda-connectivity-private.ids
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "connecting-party-manager"
-version = "2024.04.16"
+version = "2024.04.26"
 description = "Repository for the Connecting Party Manager API and related services"
 authors = ["NHS England"]
 license = "LICENSE.md"
diff --git a/scripts/etl/clear_state_inputs.py b/scripts/etl/clear_state_inputs.py
@@ -4,7 +4,7 @@
     poetry run python scripts/etl/clear_state_inputs.py
 """
 
-import os
+import sys
 from collections import deque
 
 import boto3
@@ -19,8 +19,12 @@
 EMPTY_JSON_DATA = pkl_dumps_lz4(deque())
 
 
-def main():
-    etl_bucket = read_terraform_output("sds_etl.value.bucket")
+def main(changelog_number, workspace):
+    etl_bucket = (
+        f"nhse-cpm--{workspace}--sds--etl"
+        if workspace
+        else read_terraform_output("sds_etl.value.bucket")
+    )
 
     with aws_session():
         s3_client = boto3.client("s3")
@@ -35,11 +39,12 @@ def main():
         )
         s3_client.delete_object(Bucket=etl_bucket, Key=CHANGELOG_NUMBER)
 
-        if os.environ.get("SET_CHANGELOG_NUMBER"):
-            s3_client.put_object(
-                Bucket=etl_bucket, Key=CHANGELOG_NUMBER, Body=EXPECTED_CHANGELOG_NUMBER
-            )
+    if changelog_number:
+        s3_client.put_object(
+            Bucket=etl_bucket, Key=CHANGELOG_NUMBER, Body=changelog_number
+        )
 
 
 if __name__ == "__main__":
-    main()
+    _, changelog_number, workspace = sys.argv
+    main(changelog_number, workspace)
diff --git a/scripts/etl/etl.mk b/scripts/etl/etl.mk
@@ -1,4 +1,5 @@
 SET_CHANGELOG_NUMBER :=
+WORKSPACE :=
 
 etl--clear-state: aws--login ## Clear the ETL state
-	AWS_DEFAULT_REGION=$(AWS_DEFAULT_REGION) AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) SET_CHANGELOG_NUMBER=$(SET_CHANGELOG_NUMBER) poetry run python scripts/etl/clear_state_inputs.py
+	AWS_DEFAULT_REGION=$(AWS_DEFAULT_REGION) AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) poetry run python scripts/etl/clear_state_inputs.py "$(SET_CHANGELOG_NUMBER)" "$(WORKSPACE)"
diff --git a/scripts/infrastructure/policies/deployment1-policy.json b/scripts/infrastructure/policies/deployment1-policy.json
@@ -254,7 +254,9 @@
       "Action": ["secretsmanager:GetSecretValue"],
       "Resource": [
         "arn:aws:secretsmanager:*:${ACCOUNT_ID}:secret:*-sds-hscn-endpoint-*",
-        "arn:aws:secretsmanager:*:${ACCOUNT_ID}:secret:*-ldap-host-*"
+        "arn:aws:secretsmanager:*:${ACCOUNT_ID}:secret:*-ldap-host-*",
+        "arn:aws:secretsmanager:*:${ACCOUNT_ID}:secret:*-ldap-changelog-user-*",
+        "arn:aws:secretsmanager:*:${ACCOUNT_ID}:secret:*-ldap-changelog-password-*"
       ]
     },
     {
diff --git a/scripts/infrastructure/roles.mk b/scripts/infrastructure/roles.mk
@@ -4,4 +4,7 @@ manage--non-mgmt-roles: aws--login ## Create or update IAM Roles
 	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-non-mgmt-aws-roles.sh
 
 manage--non-mgmt-policies: aws--login ## Create or update IAM Policies
-	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-non-mgmt-aws-policies.sh
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-non-mgmt-aws-deployment-policies.sh
+
+manage--non-mgmt-test-policies: aws--login ## Create or update IAM Policies
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-non-mgmt-aws-support-integration-policies.sh
diff --git a/src/etl/sds/trigger/update/operations.py b/src/etl/sds/trigger/update/operations.py
@@ -1,7 +1,15 @@
 from pathlib import Path
+from types import FunctionType
 from typing import TYPE_CHECKING
 
-from etl_utils.constants import CHANGELOG_NUMBER  # , CHANGELOG_QUERY
+from etl_utils.constants import (
+    CHANGELOG_BASE,
+    CHANGELOG_NUMBER,
+    FILTERED_OUT,
+    LDAP_FILTER_ALL,
+    SDS_ORGANISATIONAL_UNIT_PEOPLE,
+    ChangelogAttributes,
+)
 from etl_utils.ldap_typing import LdapClientProtocol, LdapModuleProtocol
 from etl_utils.ldif.model import DistinguishedName
 from etl_utils.trigger.operations import object_exists
@@ -28,14 +36,19 @@ def get_certs_from_s3_truststore(
 
 
 def prepare_ldap_client(
-    ldap: LdapModuleProtocol, ldap_host: str, cert_file: str, key_file: str
+    ldap: LdapModuleProtocol,
+    ldap_host: str,
+    cert_file: str,
+    key_file: str,
+    ldap_changelog_user: str,
+    ldap_changelog_password: str,
 ) -> LdapClientProtocol:
     ldap_client = ldap.initialize(ldap_host)
     ldap_client.set_option(ldap.OPT_X_TLS_CERTFILE, cert_file)
     ldap_client.set_option(ldap.OPT_X_TLS_KEYFILE, key_file)
     ldap_client.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
     ldap_client.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
-    ldap_client.simple_bind_s()
+    ldap_client.simple_bind_s(ldap_changelog_user, ldap_changelog_password)
     return ldap_client
 
 
@@ -58,28 +71,37 @@ def _ldap_search(
     scope: str,
     filterstr: str,
     attrlist: list[str] = None,
+    filter_function: FunctionType = None,
 ):
     ldap_client.search(base=base, scope=scope, filterstr=filterstr, attrlist=attrlist)
-    return ldap_client.result()
+    status, records = ldap_client.result()
+    if filter_function:
+        records = [
+            FILTERED_OUT if filter_function(record) else (dn, record)
+            for dn, record in records
+        ]
+    return status, records
 
 
 def get_latest_changelog_number_from_ldap(
     ldap_client: LdapClientProtocol, ldap: LdapModuleProtocol
 ) -> int:
-    """
-    'record' returned / printed below *should* contain the first and last changelog number,
-    but currently doesn't. Speak with Arvind to understand why not.
-    In the meanwhile, we return the value int(2) as a placeholder.
-    """
     _, (record,) = _ldap_search(
         ldap_client=ldap_client,
-        base="cn=Changelog,o=nhs",
+        base=CHANGELOG_BASE,
         scope=ldap.SCOPE_BASE,
-        filterstr="(objectClass=*)",
-        attrlist=["firstchangenumber", "lastchangenumber"],
+        filterstr=LDAP_FILTER_ALL,
+        attrlist=[
+            ChangelogAttributes.FIRST_CHANGELOG_NUMBER,
+            ChangelogAttributes.LAST_CHANGELOG_NUMBER,
+        ],
+    )
+
+    _, (unpack_record) = record
+
+    return int(
+        unpack_record[ChangelogAttributes.LAST_CHANGELOG_NUMBER][0].decode("utf-8")
     )
-    # return record["lastchangenumber"]  <-- think this is what we need to return, but currently empty
-    return 0
 
 
 def get_changelog_entries_from_ldap(
@@ -94,14 +116,28 @@ def get_changelog_entries_from_ldap(
     ):
         _, (record,) = _ldap_search(
             ldap_client=ldap_client,
-            base="cn=Changelog,o=nhs",
+            base=CHANGELOG_BASE,
             scope=ldap.SCOPE_ONELEVEL,
             filterstr=f"(changenumber={changelog_number})",
+            filter_function=(
+                lambda record: SDS_ORGANISATIONAL_UNIT_PEOPLE
+                in record["targetDN"][0].lower()
+            ),
         )
-        changelog_records.append(record)
+        if record != FILTERED_OUT:
+            changelog_records.append(record)
+
     return changelog_records
 
 
-def parse_changelog_changes(distinguished_name: str, record: dict) -> str:
+def _normalise_value(v: list[bytes]) -> set:
+    return {value.decode("unicode_escape") for value in v}
+
+
+def parse_changelog_changes(distinguished_name: str, record: dict[str, any]) -> str:
     _distinguished_name = DistinguishedName.parse(distinguished_name)
-    return ChangelogRecord(_distinguished_name=_distinguished_name, **record).changes
+    normalised_record = {k.lower(): _normalise_value(v) for k, v in record.items()}
+    changelog = ChangelogRecord(
+        _distinguished_name=_distinguished_name, **normalised_record
+    )
+    return changelog.changes_as_ldif()
diff --git a/src/etl/sds/trigger/update/steps.py b/src/etl/sds/trigger/update/steps.py
@@ -1,3 +1,4 @@
+import base64
 from itertools import starmap
 from pathlib import Path
 from typing import TYPE_CHECKING, TypedDict
@@ -53,6 +54,12 @@ def _prepare_ldap_client(data, cache: Cache):
         ldap_host=cache["ldap_host"],
         cert_file=str(cache["cert_file"]),
         key_file=str(cache["key_file"]),
+        ldap_changelog_user=cache["ldap_changelog_user"],
+        ldap_changelog_password=str(
+            base64.b64decode(cache["ldap_changelog_password"].encode("utf-8")).decode(
+                "utf-8"
+            )
+        ),
     )
 
 
@@ -107,9 +114,8 @@ def _get_changelog_entries_from_ldap(data, cache: Cache):
 
 def _parse_and_join_changelog_changes(data, cache):
     changelog_records: list[tuple[str, dict]] = data[_get_changelog_entries_from_ldap]
-    return LDIF_RECORD_DELIMITER.join(
-        starmap(parse_changelog_changes, changelog_records)
-    )
+    changes_ldif = starmap(parse_changelog_changes, changelog_records)
+    return LDIF_RECORD_DELIMITER.join(changes_ldif)
 
 
 def _put_to_state_machine(data, cache: Cache):
diff --git a/src/etl/sds/trigger/update/tests/test_update_trigger.py b/src/etl/sds/trigger/update/tests/test_update_trigger.py
diff --git a/src/etl/sds/trigger/update/tests/test_update_trigger_operations.py b/src/etl/sds/trigger/update/tests/test_update_trigger_operations.py
diff --git a/src/etl/sds/trigger/update/update.py b/src/etl/sds/trigger/update/update.py
diff --git a/src/layers/etl_utils/constants/__init__.py b/src/layers/etl_utils/constants/__init__.py
diff --git a/src/layers/etl_utils/trigger/operations.py b/src/layers/etl_utils/trigger/operations.py
diff --git a/src/layers/sds/domain/changelog.py b/src/layers/sds/domain/changelog.py

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+- [PI-315] Update trigger`
	`2`	`+- [PI-343] Remove people branch`