CCM-14325: Use PDM mock in dev environments#232
Open
gareth-allan wants to merge 9 commits intomainfrom
Open
Conversation
gareth-allan
added
skip-trivy-package
gareth-allan
force-pushed
the
feature/CCM-14325_use_pdm_mock
branch
from
b46d438 to
8099119
Compare
gareth-allan
force-pushed
the
feature/CCM-14325_use_pdm_mock
branch
from
184b17d to
4f007c9
Compare
11 tasks
There was a problem hiding this comment.
Pull request overview
This PR updates Digital Letters to support using the PDM mock (rather than a real INT PDM/APIM instance) in non-production environments, aiming to remove the need for manual APIM credential setup in ephemeral PR environments.
Changes:
- Update the PDM uploader component test to trigger an error via a PDM-mock-specific request identifier.
- Remove request authentication from the
pdm-mock-lambdaand adjust its tests/docs accordingly. - Refactor Terraform to optionally route PDM integrations to the mock and suppress APIM token usage when mock/auth is disabled; plus dependency lockfile updates.
Reviewed changes
Copilot reviewed 31 out of 34 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/playwright/digital-letters-component-tests/pdm-uploader.component.spec.ts | Makes the “error from PDM” scenario deterministic when using the PDM mock by using a mock error scenario ID. |
| src/eventcatalog/package.json | Adds npm overrides (svgo under astro-compress; underscore) alongside existing minimatch override. |
| src/eventcatalog/package-lock.json | Lockfile updates for eventcatalog dependencies (e.g. dompurify/jsonpath/svgo/tar/underscore). |
| package-lock.json | Root lockfile updates (e.g. aws-sdk xml builder / fast-xml-parser and new fast-xml-builder dep). |
| lambdas/pdm-mock-lambda/src/index.ts | Removes authenticator usage so the mock no longer enforces Authorization headers. |
| lambdas/pdm-mock-lambda/src/container.ts | Removes authenticator from the container wiring. |
| lambdas/pdm-mock-lambda/src/authenticator.ts | Deleted (authentication no longer implemented in the PDM mock lambda). |
| lambdas/pdm-mock-lambda/src/tests/index.test.ts | Updates integration-style handler routing tests to remove authenticator expectations. |
| lambdas/pdm-mock-lambda/src/tests/container.test.ts | Updates container tests to reflect removed authenticator dependency. |
| lambdas/pdm-mock-lambda/src/tests/authenticator.test.ts | Deleted (authenticator removed). |
| lambdas/pdm-mock-lambda/README.md | Updates usage docs to no longer require Authorization header examples. |
| infrastructure/terraform/components/dl/variables.tf | Removes old PDM mock token vars; adds enable_core_notify_auth; changes enable_pdm_mock default to false. |
| infrastructure/terraform/components/dl/ssm_parameter_access_token.tf | Changes initial APIM access token SSM parameter value payload. |
| infrastructure/terraform/components/dl/module_lambda_pdm_uploader.tf | Points uploader at local.pdm_url and local.pdm_access_token_ssm_parameter_name. |
| infrastructure/terraform/components/dl/module_lambda_pdm_poll.tf | Points poller at local.pdm_url and local.pdm_access_token_ssm_parameter_name. |
| infrastructure/terraform/components/dl/module_lambda_pdm_mock.tf | Switches mock deployment count to use var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/module_lambda_core_notifier.tf | Allows disabling core-notify auth by passing an empty SSM token parameter name. |
| infrastructure/terraform/components/dl/locals.tf | Introduces local.pdm_url and local.pdm_access_token_ssm_parameter_name derived from enable_pdm_mock. |
| infrastructure/terraform/components/dl/aws_lambda_permission_pdm_mock_gateway.tf | Gates permission resource creation on var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/aws_cloudwatch_log_group_pdm_mock_gateway.tf | Gates log group creation on var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/aws_api_gateway_stage_pdm_mock.tf | Gates stage creation on var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/aws_api_gateway_rest_api_pdm_mock.tf | Gates REST API creation on var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/aws_api_gateway_resource_r4.tf | Gates API Gateway resource creation on var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/aws_api_gateway_resource_patient_data_manager.tf | Gates API Gateway resource creation on var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/aws_api_gateway_resource_fhir.tf | Gates API Gateway resource creation on var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/aws_api_gateway_resource_document_reference_id.tf | Gates API Gateway resource creation on var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/aws_api_gateway_resource_document_reference.tf | Gates API Gateway resource creation on var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/aws_api_gateway_method_get_document_reference.tf | Gates GET method creation on var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/aws_api_gateway_method_create_document_reference.tf | Gates POST method creation on var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/aws_api_gateway_integration_get_document_reference.tf | Gates GET integration creation on var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/aws_api_gateway_integration_create_document_reference.tf | Gates POST integration creation on var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/aws_api_gateway_deployment_pdm_mock.tf | Gates deployment creation on var.enable_pdm_mock. |
| infrastructure/terraform/components/dl/README.md | Updates generated Terraform docs for new/changed variables and defaults. |
| docs/package-lock.json | Docs lockfile updates (e.g. dompurify, immutable). |
Files not reviewed (2)
- docs/package-lock.json: Language not supported
- src/eventcatalog/package-lock.json: Language not supported
tests/playwright/digital-letters-component-tests/pdm-uploader.component.spec.ts
Show resolved
Hide resolved
tests/playwright/digital-letters-component-tests/pdm-uploader.component.spec.ts
Show resolved
Hide resolved
11 tasks
Ian-Hodges
reviewed
Mar 11, 2026
| const resourceKey = `test/${letterId}`; | ||
| const messageUri = `s3://${LETTERS_S3_BUCKET_NAME}/${resourceKey}`; | ||
| const messageReference = uuidv4(); | ||
| const messageReference = 'error-500-internal'; // This reference causes the PDM mock to return an error. |
Contributor
There was a problem hiding this comment.
Moving from the uuid to a constant could make this test flaky as messageReference is used in the assertions below.
Ian-Hodges
reviewed
Mar 11, 2026
| const meshMessageId = '12345'; | ||
| const invalidPdmRequest = { | ||
| ...pdmRequest, | ||
| unexpectedField: 'I should not be here', |
Contributor
There was a problem hiding this comment.
I don't like having two different triggers to cause the error, but I don't have an alternative idea.
Having the real-PDM trigger here and the mock-PDM trigger above on line 121 isn't ideal. It would be good to have them together and a comment that one is for the real-PDM and the other is the mock-PDM.
Contributor
There was a problem hiding this comment.
Although we could make the mock-PDM a bit cleverer and perform it's own validation of the FHIR request.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR ensures that Digital Letters dynamic environments are properly configured to use the PDM mock and that all automated component tests pass without requiring any manual intervention.
Changes:
local.deploy_pdm_mockvariable with direct uses ofvar.enable_pdm_mock, givenlocal.deploy_pdm_mockwas a direct reference to the variablecore_notify_include_auth_header, set in this PR for the internal repo) to determine whether to attempt to load an APIM auth token or not. This is disabled in dev environments, as we use the sandbox instance of Notify so it is not requiredmessageReferencevalue that will cause the PDM mock to return an error, so it's error scenario keeps workingaws_ssm_parameteraccess_tokenresource, as it wasn't a valid format for the code that loaded it. Used an empty object instead, as we now expect that we won't use it unless we're in an environment with a real APIM instance, in which case our token generation lambda will populate a real tokenvariables.tfand set theenable_pdm_mockflag to default to false (so we don't have to explicitly disable the mock in prod/non-prod).Context
The current Digital Letters CI/CD pull request pipeline runs automated component tests against the deployed instances of the various components that make up the Digital Letters application. Currently, some of these components that communicate with PDM are configured to talk to the INT PDM instance and so need the appropriate keys to be manually configured for each dynamic environment before the applications work. However, as we now have a PDM mock available we should be able to use this instead of a real PDM instance in the ephemeral dynamic environments that are created automatically for a pull request.
Validation
Using the Mock
Created a new branch from this one, with no additional changes, and raised a Pull Request for it (#236). Saw that it passed all build checks without any manual intervention required:
Using the Real PDM Instance
I ran the dynamic environment deployment pipeline manually, with overrides set to disable the PDM mock and have the core notify lambda send an auth header: https://github.com/NHSDigital/nhs-notify-internal/actions/runs/22914801641
I copied the XXXX & YYYYY SSM parameter values from
mainto the appropriate parameters for this environment:TODO
I then ran the integration test pipeline manually against this environment:
TODO
Type of changes
Checklist
Sensitive Information Declaration
To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.