CCM-15215 - Sign callback payloads

[rhyscoxnhs]

Description

Context

Type of changes

• Refactoring (non-breaking change)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would change existing functionality)
• Bug fix (non-breaking change which fixes an issue)

Checklist

• I am familiar with the contributing guidelines
• I have followed the code style of the project
• I have added tests to cover my changes
• I have updated the documentation accordingly
• This PR is a result of pair or mob programming
• If I have used the 'skip-trivy-package' label I have done so responsibly and in the knowledge that this is being fixed as part of a separate ticket/PR.

---

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

• I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

[Copilot]

Pull request overview

Adds HMAC signing for callback payloads by enriching transformed events with a signature header derived from an applicationId (SSM map) and client API key, then wiring infrastructure to forward that signature to HTTP destinations.

Changes:

• Add SSM-backed ApplicationsMapService with caching, plus tests.
• Add payload signing (signPayload) and integrate signing into the transform/filter handler pipeline.
• Update Terraform to provision the applications-map SSM parameter and forward a signature header to API destinations.

Reviewed changes

Copilot reviewed 15 out of 16 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
package-lock.json	Adds lockfile entries for SSM client + crypto-js and related transitive updates.
lambdas/client-transform-filter-lambda/src/services/ssm-applications-map.ts	New service to load/decrypt and cache a clientId→applicationId map from SSM.
lambdas/client-transform-filter-lambda/src/services/payload-signer.ts	New function to compute HMAC-SHA256 signature for callback payloads.
lambdas/client-transform-filter-lambda/src/index.ts	Wires SSM client + ApplicationsMapService into the handler dependencies.
lambdas/client-transform-filter-lambda/src/handler.ts	Adds signing stage and includes signature header in returned transformed events.
lambdas/client-transform-filter-lambda/src/tests/services/ssm-applications-map.test.ts	Unit tests for SSM map loading, caching, and reset behavior.
lambdas/client-transform-filter-lambda/src/tests/services/payload-signer.test.ts	Unit tests asserting signature output and variation across inputs.
lambdas/client-transform-filter-lambda/src/tests/index.test.ts	Updates handler wiring tests to include ApplicationsMapService and target API key.
lambdas/client-transform-filter-lambda/src/tests/index.component.test.ts	Component tests updated to mock SSM + assert signature header presence.
lambdas/client-transform-filter-lambda/package.json	Adds @aws-sdk/client-ssm, crypto-js, and @types/crypto-js.
infrastructure/terraform/modules/client-destination/cloudwatch_event_rule_main.tf	Adds HTTP target header parameter for the HMAC signature.
infrastructure/terraform/components/callbacks/variables.tf	Adds configurable applications_map_parameter_name input.
infrastructure/terraform/components/callbacks/ssm_parameter_applications_map.tf	Creates SecureString SSM parameter to hold the clientId→applicationId map.
infrastructure/terraform/components/callbacks/module_transform_filter_lambda.tf	Passes SSM parameter name to lambda env and grants ssm:GetParameter.
infrastructure/terraform/components/callbacks/locals.tf	Defines default SSM parameter path for the applications map.
infrastructure/terraform/components/callbacks/README.md	Documents the new Terraform input variable.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mjewildnhs]

Submitting review feedback
Review still in progress

[mjewildnhs]

@cgitim
Do you think we should use the parameter store extension on the lambda for handling the custom SSM caching code we've written here?

https://docs.aws.amazon.com/systems-manager/latest/userguide/ps-integration-lambda-extensions.html

The only thing I don't really like is the terraform will need to specify the ARNs of the extension layers (and i don't know what process we'll have to update these)
e.g.

parameters_and_secrets_layer_arns = {
    "eu-west-1" = "arn:aws:lambda:eu-west-1:015030872274:layer:AWS-Parameters-and-Secrets-Lambda-Extension:63"
    "eu-west-2" = "arn:aws:lambda:eu-west-2:133256977650:layer:AWS-Parameters-and-Secrets-Lambda-Extension:59"
  }

[cgitim]

I think it's fine to cache it ourselves. The library will cache the value which is a JSON blob and we would have to parse it each time we accessed it. But also, we are not using layer at the moment.