Merge branch 'main' into cyp-config

.github/workflows/deploy.yml

@@ -10,17 +10,23 @@ on:
         - test
         - uat
       copilot:
-        description: Whether to deploy
+        description: Whether to deploy to AWS?
         type: boolean
         required: false
         default: false
+      deploy_to_dev:
+        required: false
+        default: false
+        type: boolean
+        description: Deploy to CloudFoundry dev?
+
   push:
     paths-ignore:
       - '**/README.md'
 jobs:
   test_and_deploy:
-    if: ${{ github.actor != 'dependabot[bot]' }}
-    uses: communitiesuk/funding-design-service-workflows/.github/workflows/deploy.yml@main
+    if: ${{ github.actor != 'dependabot[bot]' && !github.event.inputs.copilot }}
+    uses: communitiesuk/funding-service-design-workflows/.github/workflows/deploy.yml@main
     with:
       app_name: ${{ github.event.repository.name }}
       deploy_to_dev: true
@@ -38,14 +44,22 @@ jobs:
   paketo_build:
     permissions:
       packages: write
-    uses: communitiesuk/funding-design-service-workflows/.github/workflows/package.yml@main
+    uses: communitiesuk/funding-service-design-workflows/.github/workflows/package.yml@main
     with:
       version_to_build: $(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
       owner: ${{ github.repository_owner }}
       application: funding-service-design-notification
+  pre_deploy_tests:
+    if: ${{ github.event.inputs.copilot }}
+    secrets:
+      E2E_PAT: ${{secrets.E2E_PAT}}
+      GOV_NOTIFY_API_KEY: ${{secrets.GOV_NOTIFY_API_KEY}}
+    uses: communitiesuk/funding-service-design-workflows/.github/workflows/pre-deploy.yml@main
+    with:
+      postgres_unit_testing: false
   copilot_build:
     if: ${{ github.event.inputs.copilot }}
-    needs: [test_and_deploy]
+    needs: [pre_deploy_tests, paketo_build]
     concurrency: deploy-${{ inputs.environment || 'test' }}
     permissions:
       id-token: write # This is required for requesting the JWT
@@ -77,7 +91,7 @@ jobs:
 
     - name: Inject replacement image into manifest
       run: |
-        yq -i '.image.location = "ghcr.io/communitiesuk/funding-service-design-notification:${{ github.ref_name }}"'  copilot/fsd-notification/manifest.yml
+        yq -i '.image.location = "ghcr.io/communitiesuk/funding-service-design-notification:${{ github.ref_name == 'main' && 'latest' || github.ref_name }}"'  copilot/fsd-notification/manifest.yml
 
     - name: Copilot deploy
       run: |

.github/workflows/tag-to-release.yml

@@ -25,7 +25,7 @@ jobs:
     needs: tag-to-release
     permissions:
       packages: write
-    uses: communitiesuk/funding-design-service-workflows/.github/workflows/package.yml@main
+    uses: communitiesuk/funding-service-design-workflows/.github/workflows/package.yml@main
     with:
       version_to_build: ${{ needs.tag-to-release.outputs.new_tag }}
       owner: ${{ github.repository_owner }}

app/notification/application/map_contents.py

@@ -102,7 +102,12 @@ def get_questions_and_answers(cls, notification: Notification) -> dict:
     @classmethod
     def get_fund_name(cls, notification):
         metadata = notification.content[NotifyConstants.APPLICATION_FIELD]
-        return metadata.get("fund_name")
+        fund_name = metadata.get("fund_name")
+        return (
+            f"{fund_name} {round_name}"
+            if (round_name := metadata.get("round_name"))
+            else fund_name
+        )
 
     @classmethod
     def bytes_object_for_questions_answers(

copilot/environments/addons/assessment-import-queue.yml

@@ -0,0 +1,40 @@
+Parameters:
+  App:
+    Type: String
+    Description: Your application's name.
+  Env:
+    Type: String
+    Description: The environment name your service, job, or workflow is being deployed to.
+  FifoQueueName:
+    Type: String
+    Description: Fifo Queue Name
+    Default: assessment-import-queue
+
+Resources:
+  AssessmentImportQueue:
+    Type: AWS::SQS::Queue
+    Properties:
+      QueueName: !Sub ${FifoQueueName}.fifo
+      FifoQueue: true
+      RedrivePolicy:
+        deadLetterTargetArn: !GetAtt DeadLetterQueue.Arn
+        maxReceiveCount: 3
+  DeadLetterQueue:
+    Type: AWS::SQS::Queue
+    Properties:
+      FifoQueue: true
+
+
+Outputs:
+  AssessmentImportQueueURL:
+    Description: Queue URL for Fifo queue
+    Value: !Ref AssessmentImportQueue
+  AssessmentImportQueueArn:
+    Description: Queue Arn for FIFO queue
+    Value: !GetAtt AssessmentImportQueue.Arn
+  DeadLetterQueueURL:
+    Description: "URL of dead-letter queue"
+    Value: !Ref DeadLetterQueue
+  DeadLetterQueueARN:
+    Description: "ARN of dead-letter queue"
+    Value: !GetAtt DeadLetterQueue.Arn

copilot/environments/addons/form-uploads.yml

@@ -0,0 +1,60 @@
+Parameters:
+  App:
+    Type: String
+    Description: Your application's name.
+  Env:
+    Type: String
+    Description: The environment name your service, job, or workflow is being deployed to.
+
+Resources:
+  FormUploadsBucket:
+    Metadata:
+      'aws:copilot:description': 'An Amazon S3 bucket, form-uploads, for storing and retrieving objects'
+    Type: AWS::S3::Bucket
+    Properties:
+      AccessControl: Private
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+        - ServerSideEncryptionByDefault:
+            SSEAlgorithm: AES256
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+      OwnershipControls:
+        Rules:
+          - ObjectOwnership: BucketOwnerEnforced
+
+  FormUploadsBucketPolicy:
+    Metadata:
+      'aws:copilot:description': 'A bucket policy to deny unencrypted access to the bucket and its contents'
+    Type: AWS::S3::BucketPolicy
+    DeletionPolicy: Retain
+    Properties:
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: ForceHTTPS
+            Effect: Deny
+            Principal: '*'
+            Action: 's3:*'
+            Resource:
+              - !Sub ${ FormUploadsBucket.Arn}/*
+              - !Sub ${ FormUploadsBucket.Arn}
+            Condition:
+              Bool:
+                "aws:SecureTransport": false
+      Bucket: !Ref FormUploadsBucket
+
+Outputs:
+  FormUploadsName:
+    Description: "The name of a user-defined bucket."
+    Value: !Ref FormUploadsBucket
+    Export:
+      Name: !Sub fsd-form-uploads-${Env}
+  FormUploadsBucketARN:
+    Description: "The ARN of the form-uploads bucket."
+    Value: !GetAtt FormUploadsBucket.Arn
+    Export:
+      Name: !Sub ${App}-${Env}-FormUploadsBucketARN

copilot/environments/addons/funding-service-magic-links.yml

@@ -0,0 +1,93 @@
+Parameters:
+  App:
+    Type: String
+    Description: Your application's name.
+  Env:
+    Type: String
+    Description: The environment name your service, job, or workflow is being deployed to.
+
+Resources:
+  # Subnet group to control where the Redis gets placed
+  RedisSubnetGroup:
+    Type: AWS::ElastiCache::SubnetGroup
+    Properties:
+      Description: Group of subnets to place Redis into
+      SubnetIds: !Split [ ',', { 'Fn::ImportValue': !Sub '${App}-${Env}-PrivateSubnets' } ]
+
+  RedisSourceSecurityGroup:
+    Metadata:
+      'aws:copilot:description': 'An EC2 Security Group to add to our ECS Service, in order to consume Redis'
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: "Redis Consumer Security Group"
+      VpcId:
+        Fn::ImportValue:
+          !Sub '${App}-${Env}-VpcId'
+      Tags:
+        - Key: Name
+          Value: !Sub 'copilot-${App}-${Env}-Redis'
+
+  # Security group to add the Redis cluster to the VPC,
+  # and to allow the Fargate containers to talk to Redis on port 6379
+  RedisSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: "Redis Security Group"
+      VpcId: { 'Fn::ImportValue': !Sub '${App}-${Env}-VpcId' }
+
+  # Enable ingress from other ECS services created within the environment.
+  RedisIngress:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      Description: Ingress from Fargate containers
+      GroupId: !Ref 'RedisSecurityGroup'
+      IpProtocol: tcp
+      FromPort: 6379
+      ToPort: 6379
+      SourceSecurityGroupId: !GetAtt 'RedisSourceSecurityGroup.GroupId'
+
+  RedisSecret:
+    Metadata:
+      'aws:copilot:description': 'A Secrets Manager secret to store your DB credentials'
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Description: !Sub 'Redis main user secret for ${AWS::StackName}'
+      GenerateSecretString:
+        SecretStringTemplate: '{"username": "redis"}'
+        GenerateStringKey: "password"
+        ExcludePunctuation: true
+        IncludeSpace: false
+        PasswordLength: 16
+
+  # The cluster itself.
+  Redis:
+    Type: AWS::ElastiCache::CacheCluster
+    Properties:
+      ClusterName: !Sub 'funding-service-magic-links-${Env}'
+      Engine: redis
+      CacheNodeType: cache.m5.large
+      NumCacheNodes: 1
+      CacheSubnetGroupName: !Ref 'RedisSubnetGroup'
+      VpcSecurityGroupIds:
+        - !GetAtt 'RedisSecurityGroup.GroupId'
+
+  # Redis endpoint stored in SSM so that other services can retrieve the endpoint.
+  RedisEndpointAddressParam:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Name: !Sub '/${App}/${Env}/redis'   # Other services can retrieve the endpoint from this path.
+      Type: String
+      Value: !GetAtt 'Redis.RedisEndpoint.Address'
+
+Outputs:
+  RedisEndpoint:
+    Description: The endpoint of the redis cluster
+    Value: !GetAtt 'Redis.RedisEndpoint.Address'
+  RedisInstanceURI:
+    Description: "The URI of the redis cluster."
+    Value:
+      !Sub
+      - "rediss://:${PASSWORD}@${HOSTNAME}:${PORT}"
+      - PASSWORD: !Join [ "",  [ '{{resolve:secretsmanager:', !Ref 'RedisSecret', ":SecretString:password}}" ]]
+        HOSTNAME: !GetAtt 'Redis.RedisEndpoint.Address'
+        PORT: !GetAtt 'Redis.RedisEndpoint.Port'

copilot/environments/dev/manifest.yml

@@ -0,0 +1,29 @@
+# The manifest for the "dev" environment.
+# Read the full specification for the "Environment" type at:
+#  https://aws.github.io/copilot-cli/docs/manifest/environment/
+
+# Your environment name will be used in naming your resources like VPC, cluster, etc.
+name: dev
+type: Environment
+
+# Import your own VPC and subnets or configure how they should be created.
+# Run this in uat/production only - in the test environments, these should be ad-hoc per deployment
+network:
+  vpc:
+    id: 'vpc-0850970940cee0412'
+    subnets:
+      public:
+        - id: 'subnet-0f7aa03feb2923658'
+        - id: 'subnet-0a8dfef78a0873187'
+      private:
+        - id: 'subnet-03caaa338a263f66f'
+        - id: 'subnet-0f4bdb0fe7e467743'
+
+# Configure the load balancers in your environment, once created.
+# http:
+#   public:
+#   private:
+
+# Configure observability for your environment resources.
+observability:
+  container_insights: false

requirements-dev.txt

@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.10
+# This file is autogenerated by pip-compile with Python 3.11
 # by the following command:
 #
 #    pip-compile requirements-dev.in
@@ -32,6 +32,7 @@ beautifulsoup4==4.12.2
     # via
     #   -r requirements-dev.in
     #   -r requirements.txt
+    #   funding-service-design-utils
 black==22.10.0
     # via -r requirements-dev.in
 blinker==1.6.2
@@ -145,7 +146,7 @@ flipper-client==1.3.2
     # via
     #   -r requirements.txt
     #   funding-service-design-utils
-funding-service-design-utils==2.0.13
+funding-service-design-utils==2.0.17
     # via -r requirements.txt
 gitdb==4.0.10
     # via gitpython

requirements.in

@@ -1,7 +1,7 @@
 #-----------------------------------
 #   FSD Utils
 #-----------------------------------
-funding-service-design-utils>=2.0.13,<2.1.0
+funding-service-design-utils>=2.0.17,<2.1.0
 requests
 
 #-----------------------------------

requirements.txt

@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.10
+# This file is autogenerated by pip-compile with Python 3.11
 # by the following command:
 #
 #    pip-compile requirements.in
@@ -72,7 +72,7 @@ flask-talisman==0.8.1
     # via -r requirements.in
 flipper-client==1.3.2
     # via funding-service-design-utils
-funding-service-design-utils==2.0.13
+funding-service-design-utils==2.0.17
     # via -r requirements.in
 greenlet==2.0.2
     # via sqlalchemy