From 5946b4ca699be76dd93123c01bc5301714f9dae6 Mon Sep 17 00:00:00 2001
From: megan-bower4
Date: Wed, 17 Apr 2024 11:00:59 +0100
Subject: [PATCH] feature/PI-315-update_trigger updated update trigger with ldap bind & added ldap user creds to all environments
---
 .../per_account/int/parameters/main.tf | 16 ++++++++++++++++
 .../per_account/prod/parameters/main.tf | 16 ++++++++++++++++
 .../per_account/qa/parameters/main.tf | 16 ++++++++++++++++
 .../per_account/ref/parameters/main.tf | 8 ++++++++
 .../per_workspace/modules/etl/sds/main.tf | 18 +++++++++++++-----
 src/etl/sds/trigger/update/operations.py | 17 +++++++++++++----
 src/etl/sds/trigger/update/steps.py | 2 ++
 src/etl/sds/trigger/update/update.py | 4 ++++
 8 files changed, 88 insertions(+), 9 deletions(-)
diff --git a/infrastructure/terraform/per_account/int/parameters/main.tf b/infrastructure/terraform/per_account/int/parameters/main.tf
index 87993ff42..f92f53056 100644
--- a/infrastructure/terraform/per_account/int/parameters/main.tf
+++ b/infrastructure/terraform/per_account/int/parameters/main.tf
@@ -38,3 +38,19 @@ resource "aws_secretsmanager_secret" "apigee-cpm-apikey" {
 resource "aws_secretsmanager_secret" "apigee-app-key" {
 name = "${terraform.workspace}-apigee-app-key"
 }
+
+resource "aws_secretsmanager_secret" "sds-hscn-endpoint" {
+ name = "${terraform.workspace}-sds-hscn-endpoint"
+}
+
+resource "aws_secretsmanager_secret" "ldap-host" {
+ name = "${terraform.workspace}-ldap-host"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-user" {
+ name = "${terraform.workspace}-ldap-changelog-user"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-password" {
+ name = "${terraform.workspace}-ldap-changelog-password"
+}
diff --git a/infrastructure/terraform/per_account/prod/parameters/main.tf b/infrastructure/terraform/per_account/prod/parameters/main.tf
index 87993ff42..f92f53056 100644
--- a/infrastructure/terraform/per_account/prod/parameters/main.tf
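Review bot: The four `aws_secretsmanager_secret` resources added after `apigee-app-key` carry no `aws_secretsmanager_secret_version`, no `kms_key_id` and no `recovery_window_in_days`, so each secret is created empty under the AWS-managed key and the `ldap-changelog-password` value has to be populated out of band before the trigger can bind, which nothing in the file states. A comment above the block such as `# Values are set manually after apply; the sds ETL module reads them by name via aws_secretsmanager_secret_version` would make the hand-off explicit, and a customer-managed `kms_key_id` on the password secret would let reads of it be audited on its own key. The prod and qa hunks are byte-identical to this one (all three share blob hashes 87993ff42..f92f53056) and the ref hunk adds the last two resources, so the block is a candidate for a shared per-account module rather than four copies.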
+++ b/infrastructure/terraform/per_account/prod/parameters/main.tf
@@ -38,3 +38,19 @@ resource "aws_secretsmanager_secret" "apigee-cpm-apikey" {
 resource "aws_secretsmanager_secret" "apigee-app-key" {
 name = "${terraform.workspace}-apigee-app-key"
 }
+
+resource "aws_secretsmanager_secret" "sds-hscn-endpoint" {
+ name = "${terraform.workspace}-sds-hscn-endpoint"
+}
+
+resource "aws_secretsmanager_secret" "ldap-host" {
+ name = "${terraform.workspace}-ldap-host"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-user" {
+ name = "${terraform.workspace}-ldap-changelog-user"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-password" {
+ name = "${terraform.workspace}-ldap-changelog-password"
+}
diff --git a/infrastructure/terraform/per_account/qa/parameters/main.tf b/infrastructure/terraform/per_account/qa/parameters/main.tf
index 87993ff42..f92f53056 100644
--- a/infrastructure/terraform/per_account/qa/parameters/main.tf
+++ b/infrastructure/terraform/per_account/qa/parameters/main.tf
@@ -38,3 +38,19 @@ resource "aws_secretsmanager_secret" "apigee-cpm-apikey" {
 resource "aws_secretsmanager_secret" "apigee-app-key" {
 name = "${terraform.workspace}-apigee-app-key"
 }
+
+resource "aws_secretsmanager_secret" "sds-hscn-endpoint" {
+ name = "${terraform.workspace}-sds-hscn-endpoint"
+}
+
+resource "aws_secretsmanager_secret" "ldap-host" {
+ name = "${terraform.workspace}-ldap-host"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-user" {
+ name = "${terraform.workspace}-ldap-changelog-user"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-password" {
+ name = "${terraform.workspace}-ldap-changelog-password"
+}
diff --git a/infrastructure/terraform/per_account/ref/parameters/main.tf b/infrastructure/terraform/per_account/ref/parameters/main.tf
index af4a5ae8d..f92f53056 100644
--- a/infrastructure/terraform/per_account/ref/parameters/main.tf
+++ b/infrastructure/terraform/per_account/ref/parameters/main.tf
@@ -46,3 +46,11 @@ resource "aws_secretsmanager_secret" "sds-hscn-endpoint" {
 resource "aws_secretsmanager_secret" "ldap-host" {
 name = "${terraform.workspace}-ldap-host"
 }
+
+resource "aws_secretsmanager_secret" "ldap-changelog-user" {
+ name = "${terraform.workspace}-ldap-changelog-user"
+}
+
+resource "aws_secretsmanager_secret" "ldap-changelog-password" {
+ name = "${terraform.workspace}-ldap-changelog-password"
+}
diff --git a/infrastructure/terraform/per_workspace/modules/etl/sds/main.tf b/infrastructure/terraform/per_workspace/modules/etl/sds/main.tf
index 3a7079785..b6c5ae656 100644
--- a/infrastructure/terraform/per_workspace/modules/etl/sds/main.tf
+++ b/infrastructure/terraform/per_workspace/modules/etl/sds/main.tf
@@ -319,6 +319,12 @@ data "aws_security_groups" "sds-ldap" {
 data "aws_secretsmanager_secret_version" "ldap_host" {
 secret_id = "${var.environment}-ldap-host"
 }
+data "aws_secretsmanager_secret_version" "ldap_changelog_user" {
+ secret_id = "${var.environment}-ldap-changelog-user"
+}
+data "aws_secretsmanager_secret_version" "ldap_changelog_password" {
+ secret_id = "${var.environment}-ldap-changelog-password"
+}
 module "trigger_update" {
 source = "./trigger/"
@@ -341,11 +347,13 @@ module "trigger_update" {
 # all compiled dependencies can find each other. Note: this is a hack - and
 # may result in version mismatches between system libs on the lambda. The stable
 # alternative is to run or deploy the service from a container.
- LD_LIBRARY_PATH = "/opt/python:/var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib:/opt/lib"
- TRUSTSTORE_BUCKET = var.truststore_bucket.id
- CPM_FQDN = "cpm.thirdparty.nhs.uk"
- LDAP_HOST = data.aws_secretsmanager_secret_version.ldap_host.secret_string
- ETL_BUCKET = module.bucket.s3_bucket_id
+ LD_LIBRARY_PATH = "/opt/python:/var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib:/opt/lib"
+ TRUSTSTORE_BUCKET = var.truststore_bucket.id
+ CPM_FQDN = "cpm.thirdparty.nhs.uk"
+ LDAP_HOST = data.aws_secretsmanager_secret_version.ldap_host.secret_string
+ LDAP_CHANGELOG_USER = data.aws_secretsmanager_secret_version.ldap_changelog_user.secret_string
+ LDAP_CHANGELOG_PASSWORD = data.aws_secretsmanager_secret_version.ldap_changelog_password.secret_string
+ ETL_BUCKET = module.bucket.s3_bucket_id
 }
 vpc_subnet_ids = data.aws_subnets.lambda-connectivity-private.ids
diff --git a/src/etl/sds/trigger/update/operations.py b/src/etl/sds/trigger/update/operations.py
index 7c48c4ac4..3abb65382 100644
--- a/src/etl/sds/trigger/update/operations.py
+++ b/src/etl/sds/trigger/update/operations.py
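Review bot: `LDAP_CHANGELOG_PASSWORD = data.aws_secretsmanager_secret_version.ldap_changelog_password.secret_string` copies the bind password out of Secrets Manager into the Lambda's plain environment variables and into Terraform state, where it is readable by any principal with `lambda:GetFunctionConfiguration` or state-file access; the data source added in the previous hunk is what performs that read. Passing only the secret name, `LDAP_CHANGELOG_PASSWORD_SECRET_ID = "${var.environment}-ldap-changelog-password"`, and resolving it in the function at init keeps the value inside Secrets Manager and limits exposure to the function role's `secretsmanager:GetSecretValue` grant on that one secret. The same reasoning applies, with lower impact, to `LDAP_CHANGELOG_USER`. If the environment-variable route is kept deliberately, a comment on the line stating that trade-off would save the next reader from re-raising it.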
@@ -28,14 +28,19 @@ def get_certs_from_s3_truststore(
 def prepare_ldap_client(
- ldap: LdapModuleProtocol, ldap_host: str, cert_file: str, key_file: str
+ ldap: LdapModuleProtocol,
+ ldap_host: str,
+ cert_file: str,
+ key_file: str,
+ ldap_changelog_user: str,
+ ldap_changelog_password: str,
 ) -> LdapClientProtocol:
 ldap_client = ldap.initialize(ldap_host)
 ldap_client.set_option(ldap.OPT_X_TLS_CERTFILE, cert_file)
 ldap_client.set_option(ldap.OPT_X_TLS_KEYFILE, key_file)
 ldap_client.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
 ldap_client.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
- ldap_client.simple_bind_s()
+ ldap_client.simple_bind_s(ldap_changelog_user, ldap_changelog_password)
 return ldap_client
@@ -78,8 +83,12 @@ def get_latest_changelog_number_from_ldap(
 filterstr="(objectClass=*)",
 attrlist=["firstchangenumber", "lastchangenumber"],
 )
- # return record["lastchangenumber"] <-- think this is what we need to return, but currently empty
- return 0
+
+ _, (unpack_record) = record
+
+ lastChangeNumber = int(unpack_record["lastchangenumber"][0].decode("utf-8"))
+
+ return lastChangeNumber
 def get_changelog_entries_from_ldap(
diff --git a/src/etl/sds/trigger/update/steps.py b/src/etl/sds/trigger/update/steps.py
index d5e7c3c10..9f4a588d8 100644
--- a/src/etl/sds/trigger/update/steps.py
+++ b/src/etl/sds/trigger/update/steps.py
@@ -53,6 +53,8 @@ def _prepare_ldap_client(data, cache: Cache):
 ldap_host=cache["ldap_host"],
 cert_file=str(cache["cert_file"]),
 key_file=str(cache["key_file"]),
+ ldap_changelog_user=cache["ldap_changelog_user"],
+ ldap_changelog_password=cache["ldap_changelog_password"],
 )
diff --git a/src/etl/sds/trigger/update/update.py b/src/etl/sds/trigger/update/update.py
index 5352b1b6f..195ca2f8a 100644
--- a/src/etl/sds/trigger/update/update.py
+++ b/src/etl/sds/trigger/update/update.py
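Review bot: `ldap_client.simple_bind_s(ldap_changelog_user, ldap_changelog_password)` now sends a real credential, but the unchanged context line two above still sets `OPT_X_TLS_REQUIRE_CERT` to `ldap.OPT_X_TLS_ALLOW`, so the server certificate is not validated and the bind password is delivered to whatever answers at `ldap_host`. With a credentialed bind this should become `ldap_client.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` with the CA bundle supplied via `ldap.OPT_X_TLS_CACERTFILE`; the truststore bucket that `get_certs_from_s3_truststore` (named in the hunk header) appears to read from looks like the place that CA would come from, though its contents are not visible here. Whether `ldap_host` is an `ldaps://` URL is also not visible; if it is plain `ldap://`, a `start_tls_s()` before the bind is needed or the password goes over the wire unencrypted. The function has no docstring; a one-liner such as `"""Open a client-certificate TLS connection to ldap_host and bind as the changelog reader."""` would document the new contract.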
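Review bot: `_, (unpack_record) = record` is an ordinary two-element unpack (the parentheses do not build a tuple), so it raises a bare `ValueError` whenever the search result is not exactly a `(dn, attrs)` pair — an empty result or a list of entries — and `unpack_record["lastchangenumber"][0]` then raises `KeyError` or `IndexError` if the attribute is absent; the assignment to `record` sits above the hunk, so its actual shape cannot be confirmed here. Guard the shape explicitly before unpacking, e.g. `if not record: raise ValueError("LDAP search returned no changelog entry")`, and rename `lastChangeNumber` to `last_change_number` to match the snake_case used elsewhere in the function. The `int(...)` conversion can also raise `ValueError` on a non-numeric attribute value, which is worth a comment if that is intended to fail the trigger.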
@@ -17,6 +17,8 @@ class ChangelogTriggerEnvironment(BaseEnvironment):
 CPM_FQDN: str
 LDAP_HOST: str
 ETL_BUCKET: str
+ LDAP_CHANGELOG_USER: str
+ LDAP_CHANGELOG_PASSWORD: str
 S3_CLIENT = boto3.client("s3")
@@ -34,6 +36,8 @@ class ChangelogTriggerEnvironment(BaseEnvironment):
 "key_file": Path(f"/tmp/{ENVIRONMENT.CPM_FQDN}.key"),
 "etl_bucket": ENVIRONMENT.ETL_BUCKET,
 "ldap_host": ENVIRONMENT.LDAP_HOST,
+ "ldap_changelog_user": ENVIRONMENT.LDAP_CHANGELOG_USER,
+ "ldap_changelog_password": ENVIRONMENT.LDAP_CHANGELOG_PASSWORD,
 }