CCM-12875: Initial setup for APIM PDM Mock

Author: ScottFullerton-NHSE

.gitleaksignore

@@ -9,3 +9,10 @@ cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:
 0cbdddbf54927dfc4a226b88d2fed045dfc0cb92:docs/cloudevents/digital-letters/2025-10/example-events/file-deleted-event.md:ipv4:42
 0cbdddbf54927dfc4a226b88d2fed045dfc0cb92:docs/cloudevents/digital-letters/2025-10/example-events/file-deleted-event.json:ipv4:21
 52386bca9b88c0c8c7dee52ab0ec69d04fb72c46:src/TESTING_PLAN.md:ipv4:145
+973c8a1feb76f3cd8743ce27b14e4acc4252240c:src/TESTING_PLAN.md:ipv4:2507
+cc74128e4207833109339e96f3aaebf3cd40dd65:src/TESTING_PLAN.md:ipv4:2507
+791619daf5af4806da7266fa301c0e82145b6de8:src/TESTING_PLAN.md:ipv4:2507
+d1c0a37078cbed4fbedae044e5cbafac71717af0:utils/utils/src/__tests__/key-generation/validate-private-key.test.ts:private-key:7
+d1c0a37078cbed4fbedae044e5cbafac71717af0:utils/utils/src/__tests__/key-generation/get-private-key.test.ts:private-key:23
+d1c0a37078cbed4fbedae044e5cbafac71717af0:utils/utils/src/__tests__/key-generation/get-private-key.test.ts:private-key:30
+d1c0a37078cbed4fbedae044e5cbafac71717af0:utils/utils/src/__tests__/key-generation/get-private-key.test.ts:private-key:46

infrastructure/terraform/components/dl/README.md

@@ -21,6 +21,9 @@ No requirements.
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
 | <a name="input_mesh_poll_schedule"></a> [mesh\_poll\_schedule](#input\_mesh\_poll\_schedule) | Schedule to poll MESH for messages | `string` | `"cron(0,30 8-16 ? * MON-FRI *)"` | no |
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
+| <a name="input_pdm_access_token_ssm_path"></a> [pdm\_access\_token\_ssm\_path](#input\_pdm\_access\_token\_ssm\_path) | SSM Parameter path for the PDM API access token | `string` | `"/digital-letters/pdm/access-token"` | no |
+| <a name="input_pdm_mock_access_token"></a> [pdm\_mock\_access\_token](#input\_pdm\_mock\_access\_token) | Mock access token for PDM API authentication (used in local/dev environments) | `string` | `"mock-pdm-token"` | no |
+| <a name="input_pdm_use_non_mock_token"></a> [pdm\_use\_non\_mock\_token](#input\_pdm\_use\_non\_mock\_token) | Whether to use the SSM parameter token instead of the mock token | `bool` | `false` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_queue_batch_size"></a> [queue\_batch\_size](#input\_queue\_batch\_size) | maximum number of queue items to process | `number` | `10` | no |
 | <a name="input_queue_batch_window_seconds"></a> [queue\_batch\_window\_seconds](#input\_queue\_batch\_window\_seconds) | maximum time in seconds between processing events | `number` | `10` | no |
@@ -33,6 +36,7 @@ No requirements.
 |------|--------|---------|
 | <a name="module_kms"></a> [kms](#module\_kms) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-kms.zip | n/a |
 | <a name="module_mesh_poll"></a> [mesh\_poll](#module\_mesh\_poll) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-lambda.zip | n/a |
+| <a name="module_pdm_mock_api"></a> [pdm\_mock\_api](#module\_pdm\_mock\_api) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-lambda.zip | n/a |
 | <a name="module_s3bucket_letters"></a> [s3bucket\_letters](#module\_s3bucket\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-s3bucket.zip | n/a |
 | <a name="module_sqs_event_publisher_errors"></a> [sqs\_event\_publisher\_errors](#module\_sqs\_event\_publisher\_errors) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-sqs.zip | n/a |
 | <a name="module_sqs_ttl"></a> [sqs\_ttl](#module\_sqs\_ttl) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-sqs.zip | n/a |
@@ -43,6 +47,8 @@ No requirements.
 | Name | Description |
 |------|-------------|
 | <a name="output_deployment"></a> [deployment](#output\_deployment) | Deployment details used for post-deployment scripts |
+| <a name="output_pdm_mock_api_endpoint"></a> [pdm\_mock\_api\_endpoint](#output\_pdm\_mock\_api\_endpoint) | The base URL of the PDM Mock API |
+| <a name="output_pdm_mock_api_id"></a> [pdm\_mock\_api\_id](#output\_pdm\_mock\_api\_id) | The ID of the PDM Mock API Gateway |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->

infrastructure/terraform/components/dl/apigateway_pdm_mock.tf

@@ -0,0 +1,159 @@
+# API Gateway REST API for PDM Mock
+resource "aws_api_gateway_rest_api" "pdm_mock" {
+  name        = "${var.project}-${var.environment}-pdm-mock-api"
+  description = "PDM Mock API for testing integration with Patient Data Manager"
+
+  endpoint_configuration {
+    types = ["REGIONAL"]
+  }
+
+  tags = {
+    Name        = "${var.project}-${var.environment}-pdm-mock-api"
+    Project     = var.project
+    Environment = var.environment
+    Component   = local.component
+  }
+}
+
+# /resource path
+resource "aws_api_gateway_resource" "resource" {
+  rest_api_id = aws_api_gateway_rest_api.pdm_mock.id
+  parent_id   = aws_api_gateway_rest_api.pdm_mock.root_resource_id
+  path_part   = "resource"
+}
+
+# /resource/{id} path
+resource "aws_api_gateway_resource" "resource_id" {
+  rest_api_id = aws_api_gateway_rest_api.pdm_mock.id
+  parent_id   = aws_api_gateway_resource.resource.id
+  path_part   = "{id}"
+}
+
+# POST /resource - Create resource
+resource "aws_api_gateway_method" "create_resource" {
+  rest_api_id   = aws_api_gateway_rest_api.pdm_mock.id
+  resource_id   = aws_api_gateway_resource.resource.id
+  http_method   = "POST"
+  authorization = "NONE"
+}
+
+resource "aws_api_gateway_integration" "create_resource" {
+  rest_api_id = aws_api_gateway_rest_api.pdm_mock.id
+  resource_id = aws_api_gateway_resource.resource.id
+  http_method = aws_api_gateway_method.create_resource.http_method
+
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = module.pdm_mock_api.lambda_invoke_arn
+}
+
+# GET /resource/{id} - Get resource
+resource "aws_api_gateway_method" "get_resource" {
+  rest_api_id   = aws_api_gateway_rest_api.pdm_mock.id
+  resource_id   = aws_api_gateway_resource.resource_id.id
+  http_method   = "GET"
+  authorization = "NONE"
+}
+
+resource "aws_api_gateway_integration" "get_resource" {
+  rest_api_id = aws_api_gateway_rest_api.pdm_mock.id
+  resource_id = aws_api_gateway_resource.resource_id.id
+  http_method = aws_api_gateway_method.get_resource.http_method
+
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = module.pdm_mock_api.lambda_invoke_arn
+}
+
+# Lambda permission for API Gateway
+resource "aws_lambda_permission" "pdm_mock_api_gateway" {
+  statement_id  = "AllowAPIGatewayInvoke"
+  action        = "lambda:InvokeFunction"
+  function_name = module.pdm_mock_api.lambda_function_name
+  principal     = "apigateway.amazonaws.com"
+
+  # More specific source ARN for better security
+  source_arn = "${aws_api_gateway_rest_api.pdm_mock.execution_arn}/*/*"
+}
+
+# Deployment
+resource "aws_api_gateway_deployment" "pdm_mock" {
+  depends_on = [
+    aws_api_gateway_integration.create_resource,
+    aws_api_gateway_integration.get_resource,
+  ]
+
+  rest_api_id = aws_api_gateway_rest_api.pdm_mock.id
+
+  triggers = {
+    redeployment = sha1(jsonencode([
+      aws_api_gateway_resource.resource.id,
+      aws_api_gateway_resource.resource_id.id,
+      aws_api_gateway_method.create_resource.id,
+      aws_api_gateway_method.get_resource.id,
+      aws_api_gateway_integration.create_resource.id,
+      aws_api_gateway_integration.get_resource.id,
+    ]))
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# Stage
+resource "aws_api_gateway_stage" "pdm_mock" {
+  deployment_id = aws_api_gateway_deployment.pdm_mock.id
+  rest_api_id   = aws_api_gateway_rest_api.pdm_mock.id
+  stage_name    = var.environment
+
+  xray_tracing_enabled = true
+
+  access_log_settings {
+    destination_arn = aws_cloudwatch_log_group.pdm_mock_api_gateway.arn
+    format = jsonencode({
+      requestId      = "$context.requestId"
+      ip             = "$context.identity.sourceIp"
+      caller         = "$context.identity.caller"
+      user           = "$context.identity.user"
+      requestTime    = "$context.requestTime"
+      httpMethod     = "$context.httpMethod"
+      resourcePath   = "$context.resourcePath"
+      status         = "$context.status"
+      protocol       = "$context.protocol"
+      responseLength = "$context.responseLength"
+    })
+  }
+
+  tags = {
+    Name        = "${var.project}-${var.environment}-pdm-mock-api-stage"
+    Project     = var.project
+    Environment = var.environment
+    Component   = local.component
+  }
+}
+
+# CloudWatch Log Group for API Gateway
+resource "aws_cloudwatch_log_group" "pdm_mock_api_gateway" {
+  name              = "/aws/apigateway/${var.project}-${var.environment}-pdm-mock-api"
+  retention_in_days = var.log_retention_in_days
+  kms_key_id        = module.kms.key_arn
+
+  tags = {
+    Name        = "${var.project}-${var.environment}-pdm-mock-api-logs"
+    Project     = var.project
+    Environment = var.environment
+    Component   = local.component
+  }
+}
+
+# Outputs
+output "pdm_mock_api_endpoint" {
+  description = "The base URL of the PDM Mock API"
+  value       = aws_api_gateway_stage.pdm_mock.invoke_url
+}
+
+output "pdm_mock_api_id" {
+  description = "The ID of the PDM Mock API Gateway"
+  value       = aws_api_gateway_rest_api.pdm_mock.id
+}

infrastructure/terraform/components/dl/module_lambda_pdm_mock_api.tf

@@ -0,0 +1,73 @@
+module "pdm_mock_api" {
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-lambda.zip"
+
+  function_name = "pdm-mock-api"
+  description   = "A lambda function for mocking PDM (Patient Data Manager) API endpoints"
+
+  aws_account_id = var.aws_account_id
+  component      = local.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+  group          = var.group
+
+  log_retention_in_days = var.log_retention_in_days
+  kms_key_arn           = module.kms.key_arn
+
+  iam_policy_document = {
+    body = data.aws_iam_policy_document.pdm_mock_api_lambda.json
+  }
+
+  function_s3_bucket      = local.acct.s3_buckets["lambda_function_artefacts"]["id"]
+  function_code_base_path = local.aws_lambda_functions_dir_path
+  function_code_dir       = "pdm-mock-api/dist"
+  function_include_common = true
+  handler_function_name   = "handler"
+  runtime                 = "nodejs22.x"
+  memory                  = 256
+  timeout                 = 30
+  log_level               = var.log_level
+
+  force_lambda_code_deploy = var.force_lambda_code_deploy
+  enable_lambda_insights   = false
+
+  send_to_firehose          = true
+  log_destination_arn       = local.log_destination_arn
+  log_subscription_role_arn = local.acct.log_subscription_role_arn
+
+  lambda_env_vars = {
+    MOCK_ACCESS_TOKEN     = var.pdm_mock_access_token
+    ACCESS_TOKEN_SSM_PATH = var.pdm_access_token_ssm_path
+    USE_NON_MOCK_TOKEN    = var.pdm_use_non_mock_token
+  }
+}
+
+data "aws_iam_policy_document" "pdm_mock_api_lambda" {
+  statement {
+    sid    = "KMSPermissions"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+    ]
+
+    resources = [
+      module.kms.key_arn,
+    ]
+  }
+
+  statement {
+    sid    = "SSMParameterAccess"
+    effect = "Allow"
+
+    actions = [
+      "ssm:GetParameter",
+      "ssm:GetParameters",
+    ]
+
+    resources = [
+      "arn:aws:ssm:${var.region}:${var.aws_account_id}:parameter${var.pdm_access_token_ssm_path}",
+    ]
+  }
+}

infrastructure/terraform/components/dl/variables.tf

@@ -115,3 +115,21 @@ variable "ttl_poll_schedule" {
   description = "Schedule to poll for any overdue TTL records"
   default     = "rate(10 minutes)"  # Every 10 minutes
 }
+
+variable "pdm_mock_access_token" {
+  type        = string
+  description = "Mock access token for PDM API authentication (used in local/dev environments)"
+  default     = "mock-pdm-token"
+}
+
+variable "pdm_access_token_ssm_path" {
+  type        = string
+  description = "SSM Parameter path for the PDM API access token"
+  default     = "/digital-letters/pdm/access-token"
+}
+
+variable "pdm_use_non_mock_token" {
+  type        = bool
+  description = "Whether to use the SSM parameter token instead of the mock token"
+  default     = false
+}

lambdas/pdm-mock-api/.eslintignore

@@ -0,0 +1,3 @@
+dist
+node_modules
+coverage