NHSDigital · mark-r-bjss · Mar 18, 2025 · Mar 21, 2025 · Mar 28, 2025 · Apr 1, 2025
@@ -51,7 +51,14 @@ runs:
       uses: actions/upload-artifact@v4
       with:
         name: UI test report
-        path: "tests/test-team/playwright-report"
+        path: "tests/test-team/playwright-report-component-tests"
+
+    - name: Archive backend test results
+      if: ${{ inputs.testType == 'backend' }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: Backend test report
+        path: "tests/test-team/playwright-report-backend-tests"
 
     - name: Archive accessibility results
       if: ${{ inputs.testType == 'accessibility' }}

@@ -0,0 +1,3 @@
+[
+    "backend"
+]
@@ -35,6 +35,10 @@ on:
         type: string
         description: The Terraform action to run
         default: ""
+      internalRef:
+        type: string
+        description: Internal repo reference (branch or tag)
+        default: "feature/CCM-9554_optional-backend-tests"
 
 permissions:
   id-token: write
@@ -62,7 +66,7 @@ jobs:
             --arg targetComponent ${{ inputs.targetComponent }} \
             --arg terraformAction "${{ inputs.terraformAction }}" \
             '{
-              "ref": "main",
+              "ref": "${{ inputs.internalRef }}",
               "inputs": (
                 (if $infraRepoName != "" then { "infraRepoName": $infraRepoName } else {} end) +
                 (if $terraformAction != "" then { "terraformAction": $terraformAction } else {} end) +

@@ -59,6 +59,8 @@ next-env.d.ts
 # playwright
 tests/test-team/test-results/
 tests/test-team/playwright-report/
+tests/test-team/playwright-report-component-tests/
+tests/test-team/playwright-report-backend-tests/
 tests/test-team/blob-report/
 tests/test-team/playwright/.cache/
 *.webm

@@ -39,3 +39,23 @@ output "csrf_secret" {
 
   sensitive = true
 }
+
+output "name_tag" {
+  value = local.default_tags["Name"]
+}
+
+output "group_tag" {
+  value = local.default_tags["Group"]
+}
+
+output "key_directory_ssm_parameter_name" {
+  value = module.public_signing_keys.key_directory_ssm_parameter_name
+}
+
+output "key_rotation_lambda_name" {
+  value = module.public_signing_keys.key_rotation_lambda_name
+}
+
+output "public_keys_s3_bucket_name" {
+  value = module.public_signing_keys.public_keys_s3_bucket_name
+}
@@ -39,7 +39,7 @@ module "s3bucket_public_signing_keys" {
   ]
 
   policy_documents = [
-    data.aws_iam_policy_document.s3bucket_public_keys.json
+    data.aws_iam_policy_document.bucket_policy_public_signing_keys.json
   ]
 
   public_access = {
@@ -55,79 +55,6 @@ module "s3bucket_public_signing_keys" {
   }
 }
 
-data "aws_iam_policy_document" "s3bucket_public_keys" {
-  statement {
-    sid    = "DontAllowNonSecureConnection"
-    effect = "Deny"
-
-    actions = [
-      "s3:*",
-    ]
-
-    resources = [
-      module.s3bucket_public_signing_keys.arn,
-      "${module.s3bucket_public_signing_keys.arn}/*",
-    ]
-
-    principals {
-      type = "AWS"
-
-      identifiers = [
-        "*",
-      ]
-    }
-
-    condition {
-      test     = "Bool"
-      variable = "aws:SecureTransport"
-
-      values = [
-        "false",
-      ]
-    }
-  }
-
-  statement {
-    sid    = "AllowManagedAccountsToList"
-    effect = "Allow"
-
-    actions = [
-      "s3:ListBucket",
-    ]
-
-    resources = [
-      module.s3bucket_public_signing_keys.arn,
-    ]
-
-    principals {
-      type = "AWS"
-      identifiers = [
-        "arn:aws:iam::${var.aws_account_id}:root"
-      ]
-    }
-  }
-
-  statement {
-    sid    = "AllowManagedAccountsToGet"
-    effect = "Allow"
-
-    actions = [
-      "s3:GetObject",
-    ]
-
-    resources = [
-      "${module.s3bucket_public_signing_keys.arn}/*",
-    ]
-
-    principals {
-      type = "AWS"
-      identifiers = [
-        "arn:aws:iam::${var.aws_account_id}:root"
-      ]
-    }
-  }
-}
-
 resource "aws_s3_bucket_cors_configuration" "public_public_keys" {
   bucket = module.s3bucket_public_signing_keys.bucket
 

@@ -0,0 +1,11 @@
+output "key_directory_ssm_parameter_name" {
+  value = local.ssm_key_directory_name
+}
+
+output "key_rotation_lambda_name" {
+  value = module.lambda_jwks_key_rotation.function_name
+}
+
+output "public_keys_s3_bucket_name" {
+  value = module.s3bucket_public_signing_keys.bucket
+}
@@ -1,10 +1,6 @@
-resource "aws_s3_bucket_policy" "public_signing_keys" {
-  bucket = module.s3bucket_public_signing_keys.id
-  policy = data.aws_iam_policy_document.bucket_policy_public_signing_keys.json
-}
-
 data "aws_iam_policy_document" "bucket_policy_public_signing_keys" {
   statement {
+    sid     = "AllowManagedAccountsToRead"
     actions = ["s3:GetObject", "s3:ListBucket"]
     resources = [
       module.s3bucket_public_signing_keys.arn,
@@ -20,6 +16,7 @@ data "aws_iam_policy_document" "bucket_policy_public_signing_keys" {
   dynamic "statement" {
     for_each = var.deploy_cdn ? [1] : []
     content {
+      sid     = "AllowCDNAccess"
       actions = ["s3:GetObject", "s3:ListBucket"]
       resources = [
         module.s3bucket_public_signing_keys.arn,
@@ -34,6 +31,7 @@ data "aws_iam_policy_document" "bucket_policy_public_signing_keys" {
   }
 
   statement {
+    sid     = "DontAllowNonSecureConnection"
     effect  = "Deny"
     actions = ["s3:*"]
     resources = [

@@ -1,6 +1,7 @@
 import { handler } from '@/src/handler';
 import { Context, EventBridgeEvent, Callback } from 'aws-lambda';
 import {
+  filterKeyDirectoryToActiveKeys,
   getKeyDirectory,
   SigningKeyDirectory,
   writeKeyDirectory,
@@ -12,6 +13,7 @@ import { deleteKey } from '@/src/utils/aws/kms-util';
 jest.mock('@/src/utils/key-directory-repository', () => ({
   ...jest.requireActual('@/src/utils/key-directory-repository'),
   getKeyDirectory: jest.fn(),
+  filterKeyDirectoryToActiveKeys: jest.fn(),
   writeKeyDirectory: jest.fn(),
 }));
 jest.mock('@/src/utils/key-util');
@@ -30,13 +32,19 @@ describe('handler', () => {
       const todayFormatted = new Date().toISOString().split('T')[0];
 
       const mockedGetKeyDirectory = jest.mocked(getKeyDirectory);
+      const mockedFilterKeyDirectoryToActiveKeys = jest.mocked(
+        filterKeyDirectoryToActiveKeys
+      );
       const mockedGenerateKey = jest.mocked(generateKey);
       const mockedGetPublicKey = jest.mocked(getPublicKey);
       const mockedWriteKeyDirectory = jest.mocked(writeKeyDirectory);
 
       mockedGetKeyDirectory.mockImplementation(() =>
         Promise.resolve(mockKeyDirectory)
       );
+      mockedFilterKeyDirectoryToActiveKeys.mockImplementation(() =>
+        Promise.resolve(mockKeyDirectory)
+      );
       mockedGenerateKey.mockImplementation(() =>
         Promise.resolve('new-test-key-id')
       );
@@ -48,6 +56,9 @@ describe('handler', () => {
       await handler(mockEvent, mockContext, mockCallback);
 
       // assert
+      expect(mockedFilterKeyDirectoryToActiveKeys).toHaveBeenCalledWith(
+        mockKeyDirectory
+      );
       expect(mockedGenerateKey).toHaveBeenCalled();
       expect(updateJwksFile).toHaveBeenCalledWith([
         { keyId: 'new-test-key-id', publicKey: mockPublicKey },
@@ -78,13 +89,19 @@ describe('handler', () => {
       const mockPublicKey = Uint8Array.from([1, 2, 3]);
 
       const mockedGetKeyDirectory = jest.mocked(getKeyDirectory);
+      const mockedFilterKeyDirectoryToActiveKeys = jest.mocked(
+        filterKeyDirectoryToActiveKeys
+      );
       const mockedGenerateKey = jest.mocked(generateKey);
       const mockedGetPublicKey = jest.mocked(getPublicKey);
       const mockedWriteKeyDirectory = jest.mocked(writeKeyDirectory);
 
       mockedGetKeyDirectory.mockImplementation(() =>
         Promise.resolve(mockKeyDirectory)
       );
+      mockedFilterKeyDirectoryToActiveKeys.mockImplementation(() =>
+        Promise.resolve(mockKeyDirectory)
+      );
       mockedGenerateKey.mockImplementation(() =>
         Promise.resolve('new-test-key-id')
       );
@@ -96,6 +113,9 @@ describe('handler', () => {
       await handler(mockEvent, mockContext, mockCallback);
 
       // assert
+      expect(mockedFilterKeyDirectoryToActiveKeys).toHaveBeenCalledWith(
+        mockKeyDirectory
+      );
       expect(mockedGenerateKey).toHaveBeenCalled();
       expect(updateJwksFile).toHaveBeenCalledWith([
         {
@@ -146,13 +166,19 @@ describe('handler', () => {
       const mockPublicKey = Uint8Array.from([1, 2, 3]);
 
       const mockedGetKeyDirectory = jest.mocked(getKeyDirectory);
+      const mockedFilterKeyDirectoryToActiveKeys = jest.mocked(
+        filterKeyDirectoryToActiveKeys
+      );
       const mockedGenerateKey = jest.mocked(generateKey);
       const mockedGetPublicKey = jest.mocked(getPublicKey);
       const mockedWriteKeyDirectory = jest.mocked(writeKeyDirectory);
 
       mockedGetKeyDirectory.mockImplementation(() =>
         Promise.resolve(mockKeyDirectory)
       );
+      mockedFilterKeyDirectoryToActiveKeys.mockImplementation(() =>
+        Promise.resolve(mockKeyDirectory)
+      );
       mockedGenerateKey.mockImplementation(() =>
         Promise.resolve('new-test-key-id')
       );
@@ -164,6 +190,9 @@ describe('handler', () => {
       await handler(mockEvent, mockContext, mockCallback);
 
       // assert
+      expect(mockedFilterKeyDirectoryToActiveKeys).toHaveBeenCalledWith(
+        mockKeyDirectory
+      );
       expect(mockedGenerateKey).toHaveBeenCalled();
       expect(updateJwksFile).toHaveBeenCalledWith([
         {
@@ -208,13 +237,19 @@ describe('handler', () => {
       const mockPublicKey = Uint8Array.from([1, 2, 3]);
 
       const mockedGetKeyDirectory = jest.mocked(getKeyDirectory);
+      const mockedFilterKeyDirectoryToActiveKeys = jest.mocked(
+        filterKeyDirectoryToActiveKeys
+      );
       const mockedGenerateKey = jest.mocked(generateKey);
       const mockedGetPublicKey = jest.mocked(getPublicKey);
       const mockedWriteKeyDirectory = jest.mocked(writeKeyDirectory);
 
       mockedGetKeyDirectory.mockImplementation(() =>
         Promise.resolve(mockKeyDirectory)
       );
+      mockedFilterKeyDirectoryToActiveKeys.mockImplementation(() =>
+        Promise.resolve(mockKeyDirectory)
+      );
       mockedGenerateKey.mockImplementation(() =>
         Promise.resolve('new-test-key-id')
       );
@@ -226,6 +261,9 @@ describe('handler', () => {
       await handler(mockEvent, mockContext, mockCallback);
 
       // assert
+      expect(mockedFilterKeyDirectoryToActiveKeys).toHaveBeenCalledWith(
+        mockKeyDirectory
+      );
       expect(mockedGenerateKey).toHaveBeenCalled();
       expect(updateJwksFile).toHaveBeenCalledWith([
         {