Merge pull request #3930 from nhsuk/next

Version 2.8.0

Author: benilovj

.github/workflows/data-replication-pipeline.yml

@@ -1,5 +1,5 @@
 name: Data replication pipeline
-run-name: ${{ inputs.action }} data replication resources for ${{ inputs.environment }}
+run-name: ${{ inputs.deployment_type }} for data replication resources for ${{ inputs.environment }}
 
 on:
   workflow_dispatch:
@@ -15,18 +15,17 @@ on:
           - qa
           - sandbox-alpha
           - sandbox-beta
+      deployment_type:
+        description: Deployment type
+        required: true
+        type: choice
+        options:
+          - Deployment with DB recreation
+          - Application only deployment
       image_tag:
         description: Docker image tag to deploy
         required: false
         type: string
-      action:
-        description: Action to perform on data replication env
-        required: true
-        type: choice
-        options:
-          - Destroy
-          - Recreate
-        default: Recreate
       db_snapshot_arn:
         description: ARN of the DB snapshot to use (optional)
         required: false
@@ -50,8 +49,8 @@ concurrency:
   group: deploy-data-replica-${{ inputs.environment }}
 
 jobs:
-  prepare:
-    if: ${{ inputs.action == 'Recreate' }}
+  prepare-db-replica:
+    if: ${{ inputs.deployment_type == 'Deployment with DB recreation' }}
     name: Prepare data replica
     runs-on: ubuntu-latest
     permissions:
@@ -95,58 +94,13 @@ jobs:
           terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
           DB_SECRET_ARN=$(terraform output --raw db_secret_arn)
           echo "DB_SECRET_ARN=$DB_SECRET_ARN" >> $GITHUB_OUTPUT
-      - name: ECR login
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
-      - name: Get docker image digest
-        id: get-docker-image-digest
-        run: |
-          set -e
-          DOCKER_IMAGE="${{ steps.login-ecr.outputs.registry }}/mavis/webapp:${{ inputs.image_tag || github.sha }}"
-          docker pull "$DOCKER_IMAGE"
-          DOCKER_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$DOCKER_IMAGE")
-          DIGEST="${DOCKER_DIGEST#*@}"
-          echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT
     outputs:
       SNAPSHOT_ARN: ${{ steps.get-latest-snapshot.outputs.SNAPSHOT_ARN }}
       DB_SECRET_ARN: ${{ steps.get-db-secret-arn.outputs.DB_SECRET_ARN }}
-      DOCKER_DIGEST: ${{ steps.get-docker-image-digest.outputs.DIGEST }}
-
-  plan-destroy:
-    name: Plan destruction job
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: ${{ env.aws_role }}
-          aws-region: eu-west-2
-      - name: Install terraform
-        uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: 1.11.4
-      - name: Terraform Plan
-        run: |
-          set -e
-          terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
-          terraform plan -destroy -var-file="env/${{ inputs.environment }}.tfvars" -var="image_digest=filler_value" \
-          -var="db_secret_arn=filler_value" -var="imported_snapshot=filler_value" \
-          -out ${{ runner.temp }}/tfplan_destroy | tee ${{ runner.temp }}/tf_stdout
-      - name: Upload artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: tfplan_destroy_infrastructure-${{ inputs.environment }}
-          path: ${{ runner.temp }}/tfplan_destroy
 
-  destroy:
-    name: Destroy data replication infrastructure
+  prepare-webapp:
+    name: Prepare webapp
     runs-on: ubuntu-latest
-    needs: plan-destroy
-    environment: ${{ inputs.environment }}
     permissions:
       id-token: write
     steps:
@@ -157,32 +111,35 @@ jobs:
         with:
           role-to-assume: ${{ env.aws_role }}
           aws-region: eu-west-2
-      - name: Install terraform
-        uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: 1.11.4
-      - name: Download artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: tfplan_destroy_infrastructure-${{ inputs.environment }}
-          path: ${{ runner.temp }}
-      - name: Terraform Destroy
-        id: destroy
+      - name: ECR login
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+      - name: Get docker image digest
+        id: get-docker-image-digest
         run: |
           set -e
-          terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
-          terraform apply ${{ runner.temp }}/tfplan_destroy
+          DOCKER_IMAGE="${{ steps.login-ecr.outputs.registry }}/mavis/webapp:${{ inputs.image_tag || github.sha }}"
+          docker pull "$DOCKER_IMAGE"
+          DOCKER_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$DOCKER_IMAGE")
+          DIGEST="${DOCKER_DIGEST#*@}"
+          echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT
+    outputs:
+      DOCKER_DIGEST: ${{ steps.get-docker-image-digest.outputs.DIGEST }}
 
   plan:
     name: Terraform plan
     runs-on: ubuntu-latest
     needs:
-      - prepare
-      - destroy
+      - prepare-db-replica
+      - prepare-webapp
+    if: ${{ !cancelled() &&
+          (needs.prepare-db-replica.result == 'success' || needs.prepare-db-replica.result == 'skipped') &&
+          needs.prepare-webapp.result == 'success' }}
     env:
-      SNAPSHOT_ARN: ${{ needs.prepare.outputs.SNAPSHOT_ARN }}
-      DB_SECRET_ARN: ${{ needs.prepare.outputs.DB_SECRET_ARN }}
-      DOCKER_DIGEST: ${{ needs.prepare.outputs.DOCKER_DIGEST }}
+      SNAPSHOT_ARN: ${{ needs.prepare-db-replica.outputs.SNAPSHOT_ARN }}
+      DB_SECRET_ARN: ${{ needs.prepare-db-replica.outputs.DB_SECRET_ARN || 'arn:aws:secretsmanager:eu-west-2:000000000000:secret:placeholder' }}
+      DOCKER_DIGEST: ${{ needs.prepare-webapp.outputs.DOCKER_DIGEST }}
+      REPLACE_DB_CLUSTER: ${{ inputs.deployment_type == 'Deployment with DB recreation' }}
     permissions:
       id-token: write
     steps:
@@ -200,12 +157,24 @@ jobs:
       - name: Terraform Plan
         id: plan
         run: |
-          set -e
+          set -eo pipefail
           terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
-          terraform plan -var="image_digest=${{ env.DOCKER_DIGEST }}" -var="db_secret_arn=${{ env.DB_SECRET_ARN }}" \
-          -var="imported_snapshot=${{ env.SNAPSHOT_ARN }}" -var-file="env/${{ inputs.environment }}.tfvars" \
-          -var='allowed_egress_cidr_blocks=${{ inputs.egress_cidr }}' \
-          -out ${{ runner.temp }}/tfplan | tee ${{ runner.temp }}/tf_stdout
+          
+          CIDR_BLOCKS='${{ inputs.egress_cidr }}'
+          PLAN_ARGS=(
+            "plan"
+            "-var=image_digest=${{ env.DOCKER_DIGEST }}"
+            "-var=db_secret_arn=${{ env.DB_SECRET_ARN }}"
+            "-var=imported_snapshot=${{ env.SNAPSHOT_ARN }}"
+            "-var-file=env/${{ inputs.environment }}.tfvars"
+            "-var=allowed_egress_cidr_blocks=$CIDR_BLOCKS"
+            "-out=${{ runner.temp }}/tfplan"
+          )
+          
+          if [ "${{ env.REPLACE_DB_CLUSTER }}" = "true" ]; then
+            PLAN_ARGS+=("-replace" "aws_rds_cluster.cluster")
+          fi
+          terraform "${PLAN_ARGS[@]}" | tee ${{ runner.temp }}/tf_stdout
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:
@@ -216,6 +185,7 @@ jobs:
     name: Terraform apply
     runs-on: ubuntu-latest
     needs: plan
+    if: ${{ !cancelled() && needs.plan.result == 'success' }}
     environment: ${{ inputs.environment }}
     permissions:
       id-token: write

.github/workflows/destroy-infrastructure.yml

@@ -47,10 +47,9 @@ jobs:
         run: |
           set -e
           terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
-          if terraform state list | grep -q 'aws_rds_cluster.aurora_cluster'; then
-            echo "DB cluster exsits: removing delete protection"
-            CLUSTER_IDENTIFIER=$(grep -oP 'db_cluster\s*=\s*"\K[^"]+' env/${{ inputs.environment }}.tfvars)
-            aws rds modify-db-cluster --db-cluster-identifier "$CLUSTER_IDENTIFIER" --no-deletion-protection
+          if terraform state list | grep -q 'aws_rds_cluster.core'; then
+            echo "DB cluster exists: removing delete protection"
+            aws rds modify-db-cluster --db-cluster-identifier mavis-${{ inputs.environment }} --no-deletion-protection
             echo "DB cluster delete protection removed: proceeding to delete stage"
           else
             echo "DB cluster not in state: proceeding to delete stage"

Dockerfile

@@ -10,7 +10,7 @@ WORKDIR /rails
 
 # Install base packages
 RUN apt-get update -qq && \
-    apt-get install --no-install-recommends -y curl libjemalloc2 libvips libicu-dev postgresql-client && \
+    apt-get install --no-install-recommends -y curl libjemalloc2 libvips libicu-dev postgresql-client jq && \
     rm -rf /var/lib/apt/lists /var/cache/apt/archives
 
 # Set production environment

Gemfile.lock

@@ -113,7 +113,7 @@ GEM
     ast (2.4.3)
     attr_required (1.0.2)
     aws-eventstream (1.4.0)
-    aws-partitions (1.1125.0)
+    aws-partitions (1.1126.0)
     aws-sdk-accessanalyzer (1.73.0)
       aws-sdk-core (~> 3, >= 3.225.0)
       aws-sigv4 (~> 1.5)
@@ -124,7 +124,7 @@ GEM
       base64
       jmespath (~> 1, >= 1.6.1)
       logger
-    aws-sdk-ec2 (1.533.0)
+    aws-sdk-ec2 (1.537.0)
       aws-sdk-core (~> 3, >= 3.225.0)
       aws-sigv4 (~> 1.5)
     aws-sdk-ecr (1.104.0)
@@ -139,7 +139,7 @@ GEM
     aws-sdk-rds (1.283.0)
       aws-sdk-core (~> 3, >= 3.225.0)
       aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.191.0)
+    aws-sdk-s3 (1.192.0)
       aws-sdk-core (~> 3, >= 3.225.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.5)
@@ -229,15 +229,15 @@ GEM
     factory_bot_rails (6.5.0)
       factory_bot (~> 6.5)
       railties (>= 6.1.0)
-    faker (3.5.1)
+    faker (3.5.2)
       i18n (>= 1.8.11, < 2)
-    faraday (2.13.1)
+    faraday (2.13.2)
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
     faraday-follow_redirects (0.3.0)
       faraday (>= 1, < 3)
-    faraday-net_http (3.4.0)
+    faraday-net_http (3.4.1)
       net-http (>= 0.5.0)
     ferrum (0.17.1)
       addressable (~> 2.5)
@@ -252,14 +252,14 @@ GEM
       date_time_precision (>= 0.8)
       mime-types (>= 3.0)
       nokogiri (>= 1.11.4)
-    flipper (1.3.4)
+    flipper (1.3.5)
       concurrent-ruby (< 2)
-    flipper-active_record (1.3.4)
+    flipper-active_record (1.3.5)
       activerecord (>= 4.2, < 9)
-      flipper (~> 1.3.4)
-    flipper-ui (1.3.4)
+      flipper (~> 1.3.5)
+    flipper-ui (1.3.5)
       erubi (>= 1.0.0, < 2.0.0)
-      flipper (~> 1.3.4)
+      flipper (~> 1.3.5)
       rack (>= 1.4, < 4)
       rack-protection (>= 1.5.3, < 5.0.0)
       rack-session (>= 1.0.2, < 3.0.0)
@@ -423,13 +423,13 @@ GEM
       webfinger (~> 2.0)
     orm_adapter (0.5.0)
     ostruct (0.6.2)
-    pagy (9.3.4)
+    pagy (9.3.5)
     parallel (1.27.0)
     parser (3.3.8.0)
       ast (~> 2.4.1)
       racc
     pg (1.5.9)
-    phonelib (0.10.9)
+    phonelib (0.10.10)
     pp (0.6.2)
       prettyprint
     prettier_print (1.2.1)
@@ -552,7 +552,7 @@ GEM
       rspec-mocks (~> 3.13)
       rspec-support (~> 3.13)
     rspec-support (3.13.4)
-    rubocop (1.76.2)
+    rubocop (1.77.0)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -569,8 +569,8 @@ GEM
     rubocop-capybara (2.22.1)
       lint_roller (~> 1.1)
       rubocop (~> 1.72, >= 1.72.1)
-    rubocop-govuk (5.1.15)
-      rubocop (= 1.76.2)
+    rubocop-govuk (5.1.16)
+      rubocop (= 1.77.0)
       rubocop-ast (= 1.45.1)
       rubocop-capybara (= 2.22.1)
       rubocop-rails (= 2.32.0)
@@ -618,7 +618,7 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.4)
-    solargraph (0.55.4)
+    solargraph (0.56.0)
       backport (~> 1.2)
       benchmark (~> 0.4)
       bundler (~> 2.0)
@@ -630,16 +630,17 @@ GEM
       observer (~> 0.1)
       ostruct (~> 0.6)
       parser (~> 3.0)
+      prism (~> 1.4)
       rbs (~> 3.3)
       reverse_markdown (~> 3.0)
       rubocop (~> 1.38)
       thor (~> 1.0)
       tilt (~> 2.0)
       yard (~> 0.9, >= 0.9.24)
       yard-solargraph (~> 0.1)
-    solargraph-rails (1.1.0)
+    solargraph-rails (1.2.0)
       activesupport
-      solargraph
+      solargraph (= 0.56.0)
     splunk-sdk-ruby (1.0.5)
     stackprof (0.2.27)
     stimulus-rails (1.3.4)

app/components/app_vaccinate_form_component.rb

@@ -19,16 +19,11 @@ def url
   end
 
   def delivery_method
-    triage_status = patient.triage_status(programme:)
-
-    status =
-      if triage_status.not_required?
-        patient.consent_status(programme:)
-      else
-        triage_status
-      end
-
-    status.vaccine_method_nasal? ? :nasal_spray : :intramuscular
+    if patient.approved_vaccine_methods(programme:).include?("nasal")
+      :nasal_spray
+    else
+      :intramuscular
+    end
   end
 
   def dose_sequence

app/components/app_vaccination_record_summary_component.rb

@@ -329,8 +329,6 @@ def dose_number_value
   end
 
   def dose_number
-    return nil if @programme.seasonal?
-
     dose_sequence = @vaccination_record.dose_sequence
 
     if dose_sequence.nil?

app/controllers/draft_vaccination_records_controller.rb

@@ -120,6 +120,8 @@ def handle_confirm
 
     send_vaccination_confirmation(@vaccination_record) if should_notify_parents
 
+    EnqueueSyncVaccinationRecordToNHS.call(@vaccination_record)
+
     # In case the user navigates back to try and edit the newly created
     # vaccination record.
     @draft_vaccination_record.update!(editing_id: @vaccination_record.id)