AEA-3509: Sensitive logging (#152)

- Sensitive response log changed to be a debug rather than info log - Env var added to control the log level of the lambda - Env var value is set per env, with it defaulting to info. - All envs bar prod are set to debug, prod is set to info --------- Co-authored-by: anthony-nhs <[email protected]>
NHSDigital · Sep 6, 2023 · 0a225f6 · 0a225f6
1 parent 701f771
commit 0a225f6
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 4 deletions.
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -67,6 +67,7 @@ jobs:
       TRUSTSTORE_FILE: truststore.pem
       VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+      LOG_LEVEL: DEBUG
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
       SPLUNK_HEC_TOKEN: ${{ secrets.DEV_SPLUNK_HEC_TOKEN }}
@@ -85,6 +86,7 @@ jobs:
       TRUSTSTORE_FILE: sandbox-truststore.pem
       VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+      LOG_LEVEL: DEBUG
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
       SPLUNK_HEC_TOKEN: ${{ secrets.DEV_SPLUNK_HEC_TOKEN }}

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -100,6 +100,7 @@ jobs:
       TRUSTSTORE_FILE: truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.spec_version}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
+      LOG_LEVEL: DEBUG
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
       SPLUNK_HEC_TOKEN: ${{ secrets.DEV_SPLUNK_HEC_TOKEN }}
@@ -118,6 +119,7 @@ jobs:
       TRUSTSTORE_FILE: sandbox-truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.spec_version}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
+      LOG_LEVEL: DEBUG
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
       SPLUNK_HEC_TOKEN: ${{ secrets.DEV_SPLUNK_HEC_TOKEN }}
@@ -136,6 +138,7 @@ jobs:
       TRUSTSTORE_FILE: truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.spec_version}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
+      LOG_LEVEL: DEBUG
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.REF_CLOUD_FORMATION_DEPLOY_ROLE }}
       SPLUNK_HEC_TOKEN: ${{ secrets.REF_SPLUNK_HEC_TOKEN }}
@@ -154,6 +157,7 @@ jobs:
       TRUSTSTORE_FILE: truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.spec_version}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
+      LOG_LEVEL: DEBUG
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}
       SPLUNK_HEC_TOKEN: ${{ secrets.QA_SPLUNK_HEC_TOKEN }}
@@ -172,6 +176,7 @@ jobs:
       TRUSTSTORE_FILE: truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.spec_version}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
+      LOG_LEVEL: DEBUG
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.INT_CLOUD_FORMATION_DEPLOY_ROLE }}
       SPLUNK_HEC_TOKEN: ${{ secrets.INT_SPLUNK_HEC_TOKEN }}
@@ -190,6 +195,7 @@ jobs:
       TRUSTSTORE_FILE: sandbox-truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.spec_version}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
+      LOG_LEVEL: DEBUG
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.INT_CLOUD_FORMATION_DEPLOY_ROLE }}
       SPLUNK_HEC_TOKEN: ${{ secrets.INT_SPLUNK_HEC_TOKEN }}
@@ -208,6 +214,7 @@ jobs:
       TRUSTSTORE_FILE: truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.spec_version}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
+      LOG_LEVEL: INFO
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_DEPLOY_ROLE }}
       SPLUNK_HEC_TOKEN: ${{ secrets.PROD_SPLUNK_HEC_TOKEN }}

diff --git a/.github/workflows/sam_release_code.yml b/.github/workflows/sam_release_code.yml
@@ -30,6 +30,9 @@ on:
       COMMIT_ID:
         required: true
         type: string
+      LOG_LEVEL:
+        required: true
+        type: string
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE:
         required: true
@@ -84,6 +87,7 @@ jobs:
           --prefix ${{ inputs.TRUSTSTORE_FILE }} \
           --query 'Versions[?IsLatest].[VersionId]' --output text)
           export enable_mutual_tls=${{ inputs.ENABLE_MUTUAL_TLS }}
+          export LOG_LEVEL=${{inputs.LOG_LEVEL}}
           export deploy_sandbox=${{ inputs.DEPLOY_SANDBOX }}
           cd .aws-sam/build
           make sam-deploy-package
diff --git a/Makefile b/Makefile
@@ -66,7 +66,7 @@ sam-validate:
 sam-validate-sandbox: 
 	sam validate --template-file sandbox_template.yaml
 
-sam-deploy-package: guard-artifact_bucket guard-artifact_bucket_prefix guard-stack_name guard-template_file guard-cloud_formation_execution_role guard-LATEST_TRUSTSTORE_VERSION guard-enable_mutual_tls guard-SPLUNK_HEC_TOKEN guard-SPLUNK_HEC_ENDPOINT guard-VERSION_NUMBER guard-COMMIT_ID
+sam-deploy-package: guard-artifact_bucket guard-artifact_bucket_prefix guard-stack_name guard-template_file guard-cloud_formation_execution_role guard-LATEST_TRUSTSTORE_VERSION guard-enable_mutual_tls guard-SPLUNK_HEC_TOKEN guard-SPLUNK_HEC_ENDPOINT guard-VERSION_NUMBER guard-COMMIT_ID guard-LOG_LEVEL
 	sam deploy \
 		--template-file $$template_file \
 		--stack-name $$stack_name \
@@ -87,7 +87,8 @@ sam-deploy-package: guard-artifact_bucket guard-artifact_bucket_prefix guard-sta
 			  TargetSpineServer=$$target_spine_server \
 			  EnableSplunk=true \
 			  VersionNumber=$$VERSION_NUMBER \
-			  CommitId=$$COMMIT_ID
+			  CommitId=$$COMMIT_ID \
+			  LogLevel=$$LOG_LEVEL
 
 compile-node:
 	npx tsc --build tsconfig.build.json

diff --git a/packages/getMyPrescriptions/src/getMyPrescriptions.ts b/packages/getMyPrescriptions/src/getMyPrescriptions.ts
@@ -4,8 +4,10 @@ import middy from "@middy/core"
 import inputOutputLogger from "@middy/input-output-logger"
 import errorHandler from "@prescriptionsforpatients/middleware"
 import {createSpineClient, NHSNumberValidationError} from "@prescriptionsforpatients/spineClient"
+import {LogLevel} from "@aws-lambda-powertools/logger/lib/types"
 
-const logger = new Logger({serviceName: "getMyPrescriptions"})
+const LOG_LEVEL = process.env.LOG_LEVEL as LogLevel
+const logger = new Logger({serviceName: "getMyPrescriptions", logLevel: LOG_LEVEL})
 
 /* eslint-disable  max-len */
 
@@ -81,7 +83,11 @@ export const handler = middy(lambdaHandler)
   .use(
     inputOutputLogger({
       logger: (request) => {
-        logger.info(request)
+        if (request.response) {
+          logger.debug(request)
+        } else {
+          logger.info(request)
+        }
       }
     })
   )

diff --git a/template.yaml b/template.yaml
@@ -56,6 +56,10 @@ Parameters:
     Type: String
     Description: Most recent commit hash
     Default: "xxx"
+  LogLevel:
+    Type: String
+    Description: The log level to set in the lambda
+    Default: "INFO"
 
 Conditions:
   ShouldUseMutualTLS: !Equals [true, !Ref EnableMutualTLS]
@@ -178,6 +182,7 @@ Resources:
       Environment:
         Variables:
           AWS_LAMBDA_EXEC_WRAPPER: /opt/get-secrets-layer
+          LOG_LEVEL: !Ref LogLevel
       Layers:
         - !Ref GetSecretsLayer
       Events: