CCM-14325: Remove authentication from PDM mock

Author: gareth-allan

infrastructure/terraform/components/dl/README.md

@@ -40,8 +40,6 @@ No requirements.
 | <a name="input_mesh_poll_schedule"></a> [mesh\_poll\_schedule](#input\_mesh\_poll\_schedule) | Schedule to poll MESH for messages | `string` | `"rate(5 minutes)"` | no |
 | <a name="input_metadata_refresh_schedule"></a> [metadata\_refresh\_schedule](#input\_metadata\_refresh\_schedule) | Schedule for refreshing reporting metadata. | `string` | `"cron(10 6-22 * * ? *)"` | no |
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
-| <a name="input_pdm_mock_access_token"></a> [pdm\_mock\_access\_token](#input\_pdm\_mock\_access\_token) | Mock access token for PDM API authentication (used in local/dev environments) | `string` | `"mock-pdm-token"` | no |
-| <a name="input_pdm_use_non_mock_token"></a> [pdm\_use\_non\_mock\_token](#input\_pdm\_use\_non\_mock\_token) | Whether to use the shared APIM access token from SSM (/component/environment/apim/access\_token) instead of the mock token | `bool` | `false` | no |
 | <a name="input_pii_data_retention_policy_days"></a> [pii\_data\_retention\_policy\_days](#input\_pii\_data\_retention\_policy\_days) | The number of days for data retention policy for PII | `number` | `534` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_queue_batch_size"></a> [queue\_batch\_size](#input\_queue\_batch\_size) | maximum number of queue items to process | `number` | `10` | no |

infrastructure/terraform/components/dl/locals.tf

@@ -4,6 +4,7 @@ locals {
   apim_keystore_s3_bucket              = "nhs-${var.aws_account_id}-${var.region}-${var.environment}-${var.component}-static-assets"
   apim_private_key_ssm_parameter_name  = "/${var.component}/${var.environment}/apim/private_key"
   aws_lambda_functions_dir_path        = "../../../../lambdas"
+  pdm_access_token_ssm_parameter_name  = var.enable_pdm_mock ? "" : "${local.apim_access_token_ssm_parameter_name}"
   pdm_url                              = var.enable_pdm_mock ? aws_api_gateway_stage.pdm_mock[0].invoke_url : var.apim_base_url
   firehose_output_path_prefix          = "kinesis-firehose-output"
   log_destination_arn                  = "arn:aws:logs:${var.region}:${var.shared_infra_account_id}:destination:nhs-main-obs-firehose-logs"

infrastructure/terraform/components/dl/module_lambda_pdm_poll.tf

@@ -36,7 +36,7 @@ module "pdm_poll" {
 
   lambda_env_vars = {
     "APIM_BASE_URL"                        = local.pdm_url
-    "APIM_ACCESS_TOKEN_SSM_PARAMETER_NAME" = local.apim_access_token_ssm_parameter_name
+    "APIM_ACCESS_TOKEN_SSM_PARAMETER_NAME" = local.pdm_access_token_ssm_parameter_name
     "EVENT_PUBLISHER_EVENT_BUS_ARN"        = aws_cloudwatch_event_bus.main.arn
     "EVENT_PUBLISHER_DLQ_URL"              = module.sqs_event_publisher_errors.sqs_queue_url
     "POLL_MAX_RETRIES"                     = 10

infrastructure/terraform/components/dl/module_lambda_pdm_uploader.tf

@@ -36,7 +36,7 @@ module "pdm_uploader" {
 
   lambda_env_vars = {
     "APIM_BASE_URL"                        = local.pdm_url
-    "APIM_ACCESS_TOKEN_SSM_PARAMETER_NAME" = local.apim_access_token_ssm_parameter_name
+    "APIM_ACCESS_TOKEN_SSM_PARAMETER_NAME" = local.pdm_access_token_ssm_parameter_name
     "EVENT_PUBLISHER_EVENT_BUS_ARN"        = aws_cloudwatch_event_bus.main.arn
     "EVENT_PUBLISHER_DLQ_URL"              = module.sqs_event_publisher_errors.sqs_queue_url
   }

infrastructure/terraform/components/dl/ssm_parameter_access_token.tf

@@ -2,9 +2,8 @@ resource "aws_ssm_parameter" "access_token" {
   name        = local.apim_access_token_ssm_parameter_name
   description = "Access token for APIM"
   type        = "SecureString"
-  value = jsonencode({
-    tokens = []
-  })
+  value       = jsonencode({})
+
   tags = merge(local.default_tags, { Backup = "true" })
 
   lifecycle {

infrastructure/terraform/components/dl/variables.tf

@@ -122,18 +122,6 @@ variable "ttl_poll_schedule" {
   default     = "rate(10 minutes)" # Every 10 minutes
 }
 
-variable "pdm_mock_access_token" {
-  type        = string
-  description = "Mock access token for PDM API authentication (used in local/dev environments)"
-  default     = "mock-pdm-token"
-}
-
-variable "pdm_use_non_mock_token" {
-  type        = bool
-  description = "Whether to use the shared APIM access token from SSM (/component/environment/apim/access_token) instead of the mock token"
-  default     = false
-}
-
 variable "apim_base_url" {
   type        = string
   description = "The URL used to send requests to PDM"

lambdas/pdm-mock-lambda/src/__tests__/authenticator.test.ts

@@ -35,16 +35,11 @@ describe('Container', () => {
 
   it('should create a container with all required dependencies', () => {
     expect(container).toBeDefined();
-    expect(container.authenticator).toBeDefined();
     expect(container.getResourceHandler).toBeDefined();
     expect(container.createResourceHandler).toBeDefined();
     expect(container.logger).toBeDefined();
   });
 
-  it('should create an authenticator function', () => {
-    expect(typeof container.authenticator).toBe('function');
-  });
-
   it('should create a getResourceHandler function', () => {
     expect(typeof container.getResourceHandler).toBe('function');
   });
@@ -74,14 +69,4 @@ describe('Container', () => {
     expect(result).toBeDefined();
     expect(result.statusCode).toBeDefined();
   });
-
-  it('should create authenticator that can be called', async () => {
-    const mockEvent = {
-      headers: { Authorization: 'Bearer test-token' },
-    };
-
-    const result = await container.authenticator(mockEvent);
-    expect(result).toBeDefined();
-    expect(result.isValid).toBeDefined();
-  });
 });

lambdas/pdm-mock-lambda/src/__tests__/container.test.ts

@@ -66,41 +66,18 @@ const createMockEvent = (
 };
 
 describe('Lambda Handler Integration', () => {
-  let mockAuthenticator: jest.Mock;
   let mockGetResourceHandler: jest.Mock;
   let mockCreateResourceHandler: jest.Mock;
 
   beforeEach(() => {
     jest.clearAllMocks();
 
     const container = createContainer();
-    mockAuthenticator = container.authenticator as jest.Mock;
     mockGetResourceHandler = container.getResourceHandler as jest.Mock;
     mockCreateResourceHandler = container.createResourceHandler as jest.Mock;
   });
 
-  it('should return authentication error when authentication fails', async () => {
-    mockAuthenticator.mockResolvedValue({
-      isValid: false,
-      error: {
-        statusCode: 401,
-        body: JSON.stringify({ error: 'Unauthorized' }),
-      },
-    });
-
-    const event = createMockEvent();
-    const response = (await handler(
-      event,
-      {} as Context,
-      {} as Callback,
-    )) as APIGatewayProxyResult;
-
-    expect(response.statusCode).toBe(401);
-    expect(mockGetResourceHandler).not.toHaveBeenCalled();
-  });
-
   it('should route GET requests to getResourceHandler', async () => {
-    mockAuthenticator.mockResolvedValue({ isValid: true });
     mockGetResourceHandler.mockResolvedValue({
       statusCode: 200,
       body: JSON.stringify({ id: 'test-id' }),
@@ -117,13 +94,11 @@ describe('Lambda Handler Integration', () => {
       {} as Callback,
     )) as APIGatewayProxyResult;
 
-    expect(mockAuthenticator).toHaveBeenCalledWith(event);
     expect(mockGetResourceHandler).toHaveBeenCalledWith(event);
     expect(response.statusCode).toBe(200);
   });
 
   it('should route POST requests to createResourceHandler', async () => {
-    mockAuthenticator.mockResolvedValue({ isValid: true });
     mockCreateResourceHandler.mockResolvedValue({
       statusCode: 201,
       body: JSON.stringify({ id: 'new-id' }),
@@ -141,14 +116,11 @@ describe('Lambda Handler Integration', () => {
       {} as Callback,
     )) as APIGatewayProxyResult;
 
-    expect(mockAuthenticator).toHaveBeenCalledWith(event);
     expect(mockCreateResourceHandler).toHaveBeenCalledWith(event);
     expect(response.statusCode).toBe(201);
   });
 
   it('should return 404 for unsupported endpoints', async () => {
-    mockAuthenticator.mockResolvedValue({ isValid: true });
-
     const event = createMockEvent({
       httpMethod: 'DELETE',
       path: '/unsupported',
@@ -165,7 +137,7 @@ describe('Lambda Handler Integration', () => {
   });
 
   it('should handle unexpected errors gracefully', async () => {
-    mockAuthenticator.mockRejectedValue(new Error('Unexpected error'));
+    mockGetResourceHandler.mockRejectedValue(new Error('Unexpected error'));
 
     const event = createMockEvent();
     const response = (await handler(