Fix: [AEA-0000] - dual compile different hapi versions

.github/workflows/pull_request.yml

@@ -59,7 +59,7 @@ jobs:
     needs: get_issue_number
     uses: ./.github/workflows/sam_package_code.yml
 
-  release_code:
+  release_dev:
     needs: [get_issue_number, package_code, get_commit_id]
     uses: ./.github/workflows/sam_release_code.yml
     with:
@@ -74,3 +74,18 @@ jobs:
       ENABLE_ALERTS: false
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
+  release_ref:
+    needs: [release_dev, get_issue_number, package_code, get_commit_id]
+    uses: ./.github/workflows/sam_release_code.yml
+    with:
+      ARTIFACT_BUCKET_PREFIX: fhir-validator-PR-${{needs.get_issue_number.outputs.issue_number}}
+      STACK_NAME: fhir-validator-pr-${{needs.get_issue_number.outputs.issue_number}}
+      TARGET_ENVIRONMENT: ref
+      BUILD_ARTIFACT: packaged_code
+      VERSION_NUMBER: fhir-validator-PR-${{ needs.get_issue_number.outputs.issue_number }}
+      COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
+      LOG_LEVEL: INFO
+      LOG_RETENTION_DAYS: 30
+      ENABLE_ALERTS: true
+    secrets:
+      CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.REF_CLOUD_FORMATION_DEPLOY_ROLE }}

Makefile

@@ -34,7 +34,26 @@ lint-githubaction-scripts:
 # test targets
 
 test: download-dependencies
-	mvn test
+	mvn clean test -Pcurrent
+	mvn clean test -Plegacy
+
+# build targets for SAM
+# the target must be build-<RESOURCE_NAME>
+# note - we skip tests here as they will have already been run as part of the pipeline
+build-FHIRValidatorUKCore: download-dependencies
+	mvn clean package -Pcurrent -Dmaven.test.skip=true
+	mkdir -p $(ARTIFACTS_DIR)/lib
+	cp  ./target/FHIRValidator-current.jar $(ARTIFACTS_DIR)/lib/
+
+build-FHIRValidatorNHSDigitalLegacy: download-dependencies
+	mvn clean package -Plegacy -Dmaven.test.skip=true
+	mkdir -p $(ARTIFACTS_DIR)/lib
+	cp  ./target/FHIRValidator-legacy.jar $(ARTIFACTS_DIR)/lib/
+
+build-FHIRValidatorNHSDigitalCurrent: download-dependencies
+	mvn clean package -Pcurrent -Dmaven.test.skip=true
+	mkdir -p $(ARTIFACTS_DIR)/lib
+	cp  ./target/FHIRValidator-current.jar $(ARTIFACTS_DIR)/lib/
 
 check-licenses: check-licenses-python check-licenses-java
 
@@ -67,7 +86,7 @@ deep-clean: clean
 
 # build targets
 compile: download-dependencies
-	mvn package
+	mvn package -Pcurrent
 
 download-dependencies:
 	poetry run scripts/download_dependencies.py

SAMtemplates/lambda_resources.yaml

@@ -20,11 +20,6 @@ Parameters:
     Type: String
     Description: Splunk delivery stream
     Default: none
-  EnableSplunk:
-    Type: String
-    Description: Whether to use splunk
-    Default: false
-    AllowedValues: [true, false]
   LambdaName:
     Type: String
     Description: Name of lambda we are creating for
@@ -60,9 +55,20 @@ Parameters:
         3288,
         3653,
       ]
+  ExecutePolicyExportName:
+    Type: String
+  IncludeAdditionalPolicies:
+    Type: String
+    Default: false
+  AdditionalPolicies:
+    Type: CommaDelimitedList
+    Description: A list of additional policies to attach the lambdas role (comma delimited).
+    Default: none
 
 Conditions:
-  ShouldUseSplunk: !Equals [true, !Ref EnableSplunk]
+  ShouldIncludeAdditionalPolicies: !Equals
+    - true
+    - !Ref IncludeAdditionalPolicies
 
 Resources:
   ExecuteLambdaManagedPolicy:
@@ -87,15 +93,23 @@ Resources:
             Principal:
               Service: "lambda.amazonaws.com"
             Action: "sts:AssumeRole"
-      ManagedPolicyArns:
-        - !ImportValue lambda-resources:LambdaInsightsLogGroupPolicy
-        - !ImportValue account-resources:LambdaEncryptCloudwatchKMSPolicy
+      ManagedPolicyArns: !Split
+        - ","
+        - !Join
+          - ","
+          - - !Ref LambdaManagedPolicy
+            - !ImportValue lambda-resources:LambdaInsightsLogGroupPolicy
+            - !ImportValue account-resources:CloudwatchEncryptionKMSPolicyArn
+            - !If
+              - ShouldIncludeAdditionalPolicies
+              - !Join
+                - ","
+                - !Ref AdditionalPolicies
+              - !Ref AWS::NoValue
 
   LambdaManagedPolicy:
     Type: AWS::IAM::ManagedPolicy
     Properties:
-      Roles:
-        - !Ref LambdaRole
       PolicyDocument:
         Version: 2012-10-17
         Statement:
@@ -104,8 +118,8 @@ Resources:
               - logs:CreateLogStream
               - logs:PutLogEvents
             Resource:
-              - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${LambdaLogGroup}"
-              - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${LambdaLogGroup}:log-stream:*"
+              - !GetAtt LambdaLogGroup.Arn
+              - !Sub ${LambdaLogGroup.Arn}:log-stream:*
 
   LambdaLogGroup:
     Type: "AWS::Logs::LogGroup"
@@ -119,7 +133,6 @@ Resources:
       KmsKeyId: !Ref CloudWatchKMSKey
 
   LambdaSplunkSubscriptionFilter:
-    Condition: ShouldUseSplunk
     Type: AWS::Logs::SubscriptionFilter
     Properties:
       RoleArn: !Ref SplunkSubscriptionFilterRole
@@ -132,7 +145,12 @@ Outputs:
     Description: Lambda execution policy arn
     Value: !GetAtt ExecuteLambdaManagedPolicy.PolicyArn
     Export:
-      Name: !Sub ${StackName}:FHIRValidatorUKCoreExecuteLambdaPolicyArn
+      Name: !Sub ${StackName}:${ExecutePolicyExportName}
+  ExecuteLambdaPolicyArnNewFormat:
+    Description: Lambda execution policy arn
+    Value: !GetAtt ExecuteLambdaManagedPolicy.PolicyArn
+    Export:
+      Name: !Sub ${StackName}:functions:${LambdaName}:ExecutePolicy:Arn
   LambdaRoleArn:
     Description: "LambdaRole ARN"
     Value: !GetAtt LambdaRole.Arn

SAMtemplates/main_template.yaml

@@ -54,10 +54,10 @@ Resources:
         CloudWatchKMSKey: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
         SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole
         SplunkDeliveryStream: !ImportValue lambda-resources:SplunkDeliveryStream
-        EnableSplunk: "true"
         LambdaName: !Sub "${AWS::StackName}-FHIRValidatorUKCore"
         LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-FHIRValidatorUKCore
         LogRetentionDays: !Ref LogRetentionDays
+        ExecutePolicyExportName: FHIRValidatorUKCoreExecuteLambdaPolicyArn
 
   FHIRValidatorUKCore:
     Type: AWS::Serverless::Function
@@ -75,19 +75,153 @@ Resources:
         - x86_64
       Runtime: java21
       Layers:
-        - !Sub "arn:aws:lambda:${AWS::Region}:580247275435:layer:LambdaInsightsExtension:38"
+        - !Sub "arn:aws:lambda:${AWS::Region}:580247275435:layer:LambdaInsightsExtension:56"
       Environment:
         Variables:
           AWS_LAMBDA_LOG_LEVEL: !Ref LogLevel
           POWERTOOLS_LOG_LEVEL: !Ref LogLevel
           PROFILE_MANIFEST_FILE: uk_core.manifest.json
     Metadata:
+      BuildMethod: makefile
       guard:
         SuppressedRules:
           - LAMBDA_DLQ_CHECK
           - LAMBDA_INSIDE_VPC
           - LAMBDA_CONCURRENCY_CHECK
 
+  SecurityGroupWithoutEgress:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Limits security group egress traffic
+      # fix this to allow egress to service endpoints?
+      SecurityGroupEgress:
+        - CidrIp: 0.0.0.0/0
+          IpProtocol: "-1"
+      SecurityGroupIngress:
+        - CidrIp: 0.0.0.0/0
+          IpProtocol: "-1"
+      VpcId: !ImportValue vpc-resources:VpcId
+
+  LambdaVPCPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - ec2:CreateNetworkInterface
+              - ec2:DescribeNetworkInterfaces
+              - ec2:DescribeSubnets
+              - ec2:DeleteNetworkInterface
+              - ec2:AssignPrivateIpAddresses
+              - ec2:UnassignPrivateIpAddresses
+            Resource: "*"
+
+  FHIRValidatorNHSDigitalLegacyResources:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location: lambda_resources.yaml
+      Parameters:
+        StackName: !Ref AWS::StackName
+        CloudWatchKMSKey: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
+        SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole
+        SplunkDeliveryStream: !ImportValue lambda-resources:SplunkDeliveryStream
+        LambdaName: !Sub "${AWS::StackName}-FHIRValidatorNHSDigitalLegacy"
+        LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-FHIRValidatorNHSDigitalLegacy
+        LogRetentionDays: !Ref LogRetentionDays
+        ExecutePolicyExportName: FHIRValidatorNHSDigitalLegacyExecuteLambdaPolicyArn
+        IncludeAdditionalPolicies: true
+        AdditionalPolicies: !Ref LambdaVPCPolicy
+
+  FHIRValidatorNHSDigitalLegacy:
+    Type: AWS::Serverless::Function
+    Properties:
+      FunctionName: !Sub "${AWS::StackName}-FHIRValidatorNHSDigitalLegacy"
+      CodeUri: ../
+      Handler: software.nhs.fhirvalidator.handler.HandlerStream::handleRequest
+      Role: !GetAtt FHIRValidatorNHSDigitalLegacyResources.Outputs.LambdaRoleArn
+      SnapStart:
+        ApplyOn: PublishedVersions
+      AutoPublishAlias: snap
+      Timeout: 600
+      MemorySize: 4096
+      Architectures:
+        - x86_64
+      Runtime: java21
+      Layers:
+        - !Sub "arn:aws:lambda:${AWS::Region}:580247275435:layer:LambdaInsightsExtension:56"
+      VpcConfig:
+        SecurityGroupIds:
+          - !Ref SecurityGroupWithoutEgress
+        SubnetIds:
+          - !ImportValue vpc-resources:PrivateSubnetA
+          - !ImportValue vpc-resources:PrivateSubnetB
+          - !ImportValue vpc-resources:PrivateSubnetC
+      Environment:
+        Variables:
+          AWS_LAMBDA_LOG_LEVEL: !Ref LogLevel
+          POWERTOOLS_LOG_LEVEL: !Ref LogLevel
+          PROFILE_MANIFEST_FILE: nhs_digital.manifest.json
+    Metadata:
+      BuildMethod: makefile
+      guard:
+        SuppressedRules:
+          - LAMBDA_DLQ_CHECK
+          - LAMBDA_CONCURRENCY_CHECK
+
+  FHIRValidatorNHSDigitalCurrentResources:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location: lambda_resources.yaml
+      Parameters:
+        StackName: !Ref AWS::StackName
+        CloudWatchKMSKey: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
+        SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole
+        SplunkDeliveryStream: !ImportValue lambda-resources:SplunkDeliveryStream
+        LambdaName: !Sub "${AWS::StackName}-FHIRValidatorNHSDigitalCurrent"
+        LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-FHIRValidatorNHSDigitalCurrent
+        LogRetentionDays: !Ref LogRetentionDays
+        ExecutePolicyExportName: FHIRValidatorNHSDigitalCurrentExecuteLambdaPolicyArn
+        IncludeAdditionalPolicies: true
+        AdditionalPolicies: !Ref LambdaVPCPolicy
+
+  FHIRValidatorNHSDigitalCurrent:
+    Type: AWS::Serverless::Function
+    Properties:
+      FunctionName: !Sub "${AWS::StackName}-FHIRValidatorNHSDigitalCurrent"
+      CodeUri: ../
+      Handler: software.nhs.fhirvalidator.handler.HandlerStream::handleRequest
+      Role: !GetAtt FHIRValidatorNHSDigitalCurrentResources.Outputs.LambdaRoleArn
+      SnapStart:
+        ApplyOn: PublishedVersions
+      AutoPublishAlias: snap
+      Timeout: 600
+      MemorySize: 4096
+      Architectures:
+        - x86_64
+      Runtime: java21
+      Layers:
+        - !Sub "arn:aws:lambda:${AWS::Region}:580247275435:layer:LambdaInsightsExtension:56"
+      VpcConfig:
+        SecurityGroupIds:
+          - !Ref SecurityGroupWithoutEgress
+        SubnetIds:
+          - !ImportValue vpc-resources:PrivateSubnetA
+          - !ImportValue vpc-resources:PrivateSubnetB
+          - !ImportValue vpc-resources:PrivateSubnetC
+      Environment:
+        Variables:
+          AWS_LAMBDA_LOG_LEVEL: !Ref LogLevel
+          POWERTOOLS_LOG_LEVEL: !Ref LogLevel
+          PROFILE_MANIFEST_FILE: nhs_digital.manifest.json
+    Metadata:
+      BuildMethod: makefile
+      guard:
+        SuppressedRules:
+          - LAMBDA_DLQ_CHECK
+          - LAMBDA_CONCURRENCY_CHECK
+
   Alarms:
     Type: AWS::Serverless::Application
     Properties:
@@ -104,8 +238,59 @@ Outputs:
     Export:
       Name:
         !Join [":", [!Ref "AWS::StackName", "FHIRValidatorUKCoreLambdaName"]]
+
   FHIRValidatorUKCoreLambdaArn:
     Description: Arn of the FHIR validator UK Core lambda
     Value: !GetAtt FHIRValidatorUKCore.Arn
     Export:
       Name: !Join [":", [!Ref "AWS::StackName", "FHIRValidatorUKCoreLambdaArn"]]
+
+  FHIRValidatorNHSDigitalLegacyLambdaName:
+    Description: Name of the FHIR validator NHS Digital lambda using legacy hapi fhir
+    Value: !Ref FHIRValidatorNHSDigitalLegacy
+    Export:
+      Name:
+        !Join [
+          ":",
+          [
+            !Ref "AWS::StackName",
+            "functions:FHIRValidatorNHSDigitalLegacy:Name",
+          ],
+        ]
+  FHIRValidatorNHSDigitalLegacyLambdaArn:
+    Description: Arn of the FHIR validator NHS Digital lambda using legacy hapi fhir
+    Value: !GetAtt FHIRValidatorNHSDigitalLegacy.Arn
+    Export:
+      Name:
+        !Join [
+          ":",
+          [
+            !Ref "AWS::StackName",
+            "functions:FHIRValidatorNHSDigitalLegacy:Arn",
+          ],
+        ]
+
+  FHIRValidatorNHSDigitalCurrentLambdaName:
+    Description: Name of the FHIR validator NHS Digital lambda using current hapi fhir
+    Value: !Ref FHIRValidatorNHSDigitalCurrent
+    Export:
+      Name:
+        !Join [
+          ":",
+          [
+            !Ref "AWS::StackName",
+            "functions:FHIRValidatorNHSDigitalCurrent:Name",
+          ],
+        ]
+  FHIRValidatorNHSDigitalCurrentLambdaArn:
+    Description: Arn of the FHIR validator NHS Digital lambda using current hapi fhir
+    Value: !GetAtt FHIRValidatorNHSDigitalCurrent.Arn
+    Export:
+      Name:
+        !Join [
+          ":",
+          [
+            !Ref "AWS::StackName",
+            "functions:FHIRValidatorNHSDigitalCurrent:Arn",
+          ],
+        ]