Merge branch 'master' into VED-1235-Lambda-to-mock-PDS-in-Ref

Author: amarauzoma

.github/pull_request_template.md

@@ -1,25 +1,7 @@
-## Summary
+## PR Description
 
-- Routine Change
-- :exclamation: Breaking Change
-- :robot: Operational or Infrastructure Change
-- :sparkles: New Feature
-- :warning: Potential issues that might be caused by this change
+Description of the changes made.
 
-Add any other relevant notes or explanations here. **Remove this line if you have nothing to add.**
+## How were the changes tested
 
-## Reviews Required
-
-- [x] Dev
-- [ ] Test
-- [ ] Tech Author
-- [ ] Product Owner
-
-## Review Checklist
-
-:information_source: This section is to be filled in by the **reviewer**.
-
-- [ ] I have reviewed the changes in this PR and they fill all of the acceptance criteria of the ticket.
-- [ ] If there were infrastructure, operational, or build changes, I have made sure there is sufficient evidence that the changes will work.
-- [ ] If there were changes that are outside of the regular release processes e.g. account infrastructure to setup, manual setup for external API integrations, secrets to set, then I have checked that the developer has flagged this to the Tech Lead as release steps.
-- [ ] I have checked that no Personal Identifiable Data (PID) is logged as part of the changes.
+Describe how the changes were tested

.github/workflows/dependabot-auto-approve.yml

@@ -14,7 +14,7 @@ jobs:
       - name: Fetch Dependabot metadata
         id: metadata
         continue-on-error: true
-        uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36
+        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98
 
       - name: Auto-approve minor and patch updates
         if: steps.metadata.outcome == 'success' && contains(fromJSON('["version-update:semver-minor", "version-update:semver-patch"]'), steps.metadata.outputs.update-type)

.github/workflows/deploy-lambda-artifact.yml

@@ -235,11 +235,11 @@ jobs:
       - name: Login to Amazon ECR
         id: login-ecr
         if: ${{ steps.decide.outputs.deployment_mode == 'build' && !steps.build-check.outputs.existing_image_digest }}
-        uses: aws-actions/amazon-ecr-login@376925c9d111252e87ae59691e5a442dd100ef6a
+        uses: aws-actions/amazon-ecr-login@19d944daaa35f0fa1d3f7f8af1d3f2e5de25c5b7
 
       - name: Set up Docker Buildx
         if: ${{ steps.decide.outputs.deployment_mode == 'build' && !steps.build-check.outputs.existing_image_digest }}
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
 
       - name: Build and publish image with layer caching
         id: build-image

.github/workflows/quality-checks.yml

@@ -18,7 +18,7 @@ jobs:
     steps:
       - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
 
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
         with:
           node-version: "23.11.0"
           cache: "npm"
@@ -268,7 +268,7 @@ jobs:
           fi
 
       - name: SonarCloud Scan
-        uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4
+        uses: SonarSource/sonarqube-scan-action@55e44800a8f495208cce6e4e82f5dedb45fcf0ef
         env:
           GITHUB_TOKEN: ${{ github.token }} # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

config/dev/permissions_config.json

@@ -46,6 +46,7 @@
       "FLU.CRUDS",
       "HPV.CRUDS",
       "MENACWY.CRUDS",
+      "MENB.CRUDS",
       "MMR.CRUDS",
       "MMRV.CRUDS",
       "PERTUSSIS.CRUDS",

config/preprod/permissions_config.json

@@ -43,6 +43,7 @@
       "FLU.CRUDS",
       "HPV.CRUDS",
       "MENACWY.CRUDS",
+      "MENB.CRUDS",
       "MMR.CRUDS",
       "MMRV.CRUDS",
       "PERTUSSIS.CRUDS",

config/prod/permissions_config.json

@@ -25,7 +25,12 @@
   },
   {
     "supplier": "RAVS",
-    "permissions": ["MMR.CRUDS", "RSV.CRUDS", "PNEUMOCOCCAL.CRUDS"],
+    "permissions": [
+      "MENB.CRUDS",
+      "MMR.CRUDS",
+      "RSV.CRUDS",
+      "PNEUMOCOCCAL.CRUDS"
+    ],
     "ods_codes": ["X26", "X8E5B"]
   },
   {

docs/architecture/system-overview.md

@@ -0,0 +1,76 @@
+# System Overview
+
+This page gives a high-level view of the Immunisation FHIR API runtime architecture.
+
+It focuses on the API path, batch ingestion path, outbound notification flow, runtime configuration, and NHS number change handling.
+
+## High-Level Diagram
+
+```mermaid
+flowchart LR
+    subgraph Ingress[Ingress and API]
+        Suppliers[Supplier systems] --> Apigee[Apigee proxy\nOAuth, rate limiting, supplier header]
+        Apigee --> ApiGw[AWS API Gateway HTTP API]
+        ApiGw --> Backend[Backend API Lambdas\nCRUD, search, status]
+        Backend --> IEDS[(IEDS DynamoDB\nImmunisation event store)]
+    end
+
+    subgraph Batch[Batch ingestion]
+        SupplierFiles[Supplier batch files in S3] --> Filename[Filename Processor Lambda]
+        Mesh[MESH mailbox bucket] --> MeshProc[Mesh Processor Lambda]
+        MeshProc --> Filename
+        Filename --> BatchCreated[SQS FIFO\nbatch-file-created]
+        BatchCreated --> BatchFilter[Batch Processor Filter Lambda]
+        BatchFilter --> SupplierQueue[SQS FIFO\nsupplier metadata queue]
+        SupplierQueue --> BatchPipe[EventBridge Pipe]
+        BatchPipe --> RecordProcessor[ECS Fargate Record Processor]
+        RecordProcessor --> Kinesis[Kinesis data stream]
+        Kinesis --> Forwarder[Record Forwarder Lambda]
+        Forwarder --> IEDS
+        Forwarder --> AckQueue[SQS FIFO\nack metadata queue]
+        AckQueue --> Ack[Ack Backend Lambda]
+    end
+
+    subgraph Outbound[Outbound notifications]
+        IEDS -->|DynamoDB stream| Delta[Delta Lambda]
+        Delta --> DeltaTable[(Delta DynamoDB)]
+        DeltaTable -->|DynamoDB stream| MnsPipe[EventBridge Pipe]
+        MnsPipe --> MnsQueue[SQS\nmns-outbound-events]
+        MnsQueue --> MnsPublisher[MNS Publisher Lambda]
+        MnsPublisher --> Subscribers[MNS subscribers]
+    end
+
+    subgraph Config[Runtime config]
+        ConfigBucket[S3 config bucket] --> RedisSync[Redis Sync Lambda]
+        RedisSync --> Redis[(Redis cache\npermissions, disease mappings, config)]
+        Redis --> Backend
+        Redis --> Filename
+        Redis --> RecordProcessor
+        Redis --> Forwarder
+    end
+
+    subgraph IdSync[Identity sync]
+        MnsIdEvent[MNS NHS number change event] --> IdQueue[SQS\nid-sync-queue]
+        IdQueue --> IdSyncLambda[ID Sync Lambda]
+        IdSyncLambda --> IEDS
+    end
+```
+
+## Key Runtime Stores
+
+| Store          | Purpose                                                             |
+| -------------- | ------------------------------------------------------------------- |
+| IEDS DynamoDB  | System of record for immunisation events                            |
+| Delta DynamoDB | Outbound change store derived from IEDS stream events               |
+| Redis          | Runtime cache for permissions, disease mappings, and related config |
+| Audit table    | Batch-processing control state, deduplication, and status tracking  |
+
+## Design Notes
+
+- The filename processor is the batch entry point for files placed in the source bucket.
+- The audit table is for deduplication, processing state, and ordering decisions.
+- The batch processor filter ensures only one event is processed at a time for a given supplier and vaccine-type combination.
+- The supplier metadata FIFO queue preserves ordering before work is dispatched to ECS through EventBridge Pipe.
+- ECS is used for record processing because batch row processing can be long-running.
+- The record forwarder is the component that applies processed batch changes to IEDS.
+- ACK creation is part of the batch lifecycle.