Merge branch 'main' into feature/CCM-17208_Supplier_api_pact_tests

Author: simonlabarere

infrastructure/terraform/components/dl/README.md

@@ -84,7 +84,6 @@ No requirements.
 | <a name="module_report_generator"></a> [report\_generator](#module\_report\_generator) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-lambda.zip | n/a |
 | <a name="module_report_scheduler"></a> [report\_scheduler](#module\_report\_scheduler) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-lambda.zip | n/a |
 | <a name="module_report_sender"></a> [report\_sender](#module\_report\_sender) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-lambda.zip | n/a |
-| <a name="module_s3bucket_cf_logs"></a> [s3bucket\_cf\_logs](#module\_s3bucket\_cf\_logs) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_file_quarantine"></a> [s3bucket\_file\_quarantine](#module\_s3bucket\_file\_quarantine) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_file_safe"></a> [s3bucket\_file\_safe](#module\_s3bucket\_file\_safe) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |
 | <a name="module_s3bucket_letters"></a> [s3bucket\_letters](#module\_s3bucket\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-s3bucket.zip | n/a |

infrastructure/terraform/components/dl/cloudfront_distribution_static_assets_hosting.tf

@@ -22,7 +22,8 @@ resource "aws_cloudfront_distribution" "static_assets_hosting" {
 
   logging_config {
     include_cookies = false
-    bucket          = module.s3bucket_cf_logs.bucket_regional_domain_name
+    bucket          = "${local.acct.additional_s3_buckets_us["digital-letters_cdn-logs"].id}.s3.amazonaws.com"
+    prefix          = "${local.csi}/static-assets/"
   }
 
   origin {

infrastructure/terraform/components/dl/module_lambda_mesh_download.tf

@@ -37,16 +37,17 @@ module "mesh_download" {
   log_subscription_role_arn = local.acct.log_subscription_role_arn
 
   lambda_env_vars = {
-    DOWNLOAD_METRIC_NAME           = "mesh-download-successful-downloads"
-    DUPLICATE_DOWNLOAD_METRIC_NAME = "mesh-duplicate-downloads"
-    DOWNLOAD_METRIC_NAMESPACE      = "dl-mesh-download"
-    ENVIRONMENT                    = var.environment
-    EVENT_PUBLISHER_DLQ_URL        = module.sqs_event_publisher_errors.sqs_queue_url
-    EVENT_PUBLISHER_EVENT_BUS_ARN  = aws_cloudwatch_event_bus.main.arn
-    PII_BUCKET                     = module.s3bucket_pii_data.bucket
-    SSM_MESH_PREFIX                = local.ssm_mesh_prefix
-    SSM_SENDERS_PREFIX             = local.ssm_senders_prefix
-    USE_MESH_MOCK                  = var.enable_mock_mesh ? "true" : "false"
+    DOWNLOAD_METRIC_NAME                    = "mesh-download-successful-downloads"
+    INTERNAL_DUPLICATE_DOWNLOAD_METRIC_NAME = "mesh-internal-duplicate-downloads"
+    TRUST_DUPLICATE_DOWNLOAD_METRIC_NAME    = "mesh-trust-duplicate-downloads"
+    DOWNLOAD_METRIC_NAMESPACE               = "dl-mesh-download"
+    ENVIRONMENT                             = var.environment
+    EVENT_PUBLISHER_DLQ_URL                 = module.sqs_event_publisher_errors.sqs_queue_url
+    EVENT_PUBLISHER_EVENT_BUS_ARN           = aws_cloudwatch_event_bus.main.arn
+    PII_BUCKET                              = module.s3bucket_pii_data.bucket
+    SSM_MESH_PREFIX                         = local.ssm_mesh_prefix
+    SSM_SENDERS_PREFIX                      = local.ssm_senders_prefix
+    USE_MESH_MOCK                           = var.enable_mock_mesh ? "true" : "false"
   }
 
 }

infrastructure/terraform/components/dl/module_s3_bucket_cf_logs.tf

@@ -2,7 +2,12 @@
 import pytest
 from unittest.mock import Mock
 from botocore.exceptions import ClientError
-from mesh_download.document_store import DocumentStore, IntermediaryBodyStoreError, DocumentAlreadyExistsError
+from mesh_download.document_store import (
+    DocumentStore,
+    IntermediaryBodyStoreError,
+    DocumentAlreadyExistsError,
+    DocumentAlreadyExistsInternalRetryError,
+)
 
 
 def make_client_error(code):
@@ -36,11 +41,12 @@ def test_store_document_success(self):
             content=b'test content'
         )
 
-        assert result == 'document-reference/SENDER-001/ref-123_mesh-456'
+        assert result == 'document-reference/SENDER-001/ref-123'
         mock_s3_client.put_object.assert_called_once_with(
             Bucket='test-pii-bucket',
-            Key='document-reference/SENDER-001/ref-123_mesh-456',
+            Key='document-reference/SENDER-001/ref-123',
             Body=b'test content',
+            Metadata={'mesh_message_id': 'mesh-456'},
             IfNoneMatch='*'
         )
 
@@ -84,21 +90,56 @@ def test_store_document_raises_error_on_non_200_response(self):
                 content=b'test content'
             )
 
-    def test_store_document_precondition_failed_raises_document_already_exists(self):
-        """Raises DocumentAlreadyExistsError when S3 returns PreconditionFailed (object already exists)"""
+    def test_store_document_precondition_failed_same_mesh_message_id_raises_internal_retry(self):
+        """Raises DocumentAlreadyExistsInternalRetryError when stored meshMessageId matches incoming (internal retry)"""
         mock_s3_client = Mock()
         mock_s3_client.put_object.side_effect = make_client_error('PreconditionFailed')
+        mock_s3_client.head_object.return_value = {
+            'Metadata': {'mesh_message_id': 'mesh-456'}
+        }
 
         config = Mock()
         config.s3_client = mock_s3_client
         config.transactional_data_bucket = 'test-pii-bucket'
 
         store = DocumentStore(config)
 
-        with pytest.raises(DocumentAlreadyExistsError, match='document-reference/SENDER-001/ref-123_mesh-456'):
+        with pytest.raises(DocumentAlreadyExistsInternalRetryError, match='document-reference/SENDER-001/ref-123'):
             store.store_document(
                 sender_id='SENDER-001',
                 message_reference='ref-123',
                 mesh_message_id='mesh-456',
                 content=b'test content'
             )
+
+        mock_s3_client.head_object.assert_called_once_with(
+            Bucket='test-pii-bucket',
+            Key='document-reference/SENDER-001/ref-123'
+        )
+
+    def test_store_document_precondition_failed_different_mesh_message_id_raises_trust_duplicate(self):
+        """Raises DocumentAlreadyExistsError when stored meshMessageId differs from incoming (trust duplicate)"""
+        mock_s3_client = Mock()
+        mock_s3_client.put_object.side_effect = make_client_error('PreconditionFailed')
+        mock_s3_client.head_object.return_value = {
+            'Metadata': {'mesh_message_id': 'original-mesh-id'}
+        }
+
+        config = Mock()
+        config.s3_client = mock_s3_client
+        config.transactional_data_bucket = 'test-pii-bucket'
+
+        store = DocumentStore(config)
+
+        with pytest.raises(DocumentAlreadyExistsError, match='document-reference/SENDER-001/ref-123'):
+            store.store_document(
+                sender_id='SENDER-001',
+                message_reference='ref-123',
+                mesh_message_id='new-mesh-id',
+                content=b'test content'
+            )
+
+        mock_s3_client.head_object.assert_called_once_with(
+            Bucket='test-pii-bucket',
+            Key='document-reference/SENDER-001/ref-123'
+        )