From 932c09a75feb005b5dd64545784c92bcb918812f Mon Sep 17 00:00:00 2001 From: "Axel Garcia K." Date: Tue, 4 Nov 2025 16:47:05 +0000 Subject: [PATCH 01/13] NRL-1664 New NFT/Performance/Load terraform environment --- .../mgmt/route53.tf | 13 ++++++++++++ .../test/domain.tf | 8 +++++++ .../test/dynamodb__pointers-table.tf | 8 +++++++ .../test/route53.tf | 4 ++++ .../account-wide-infrastructure/test/s3.tf | 11 ++++++++++ .../test/secrets.tf | 15 +++++++++++++ .../account-wide-infrastructure/test/vars.tf | 5 +++++ terraform/infrastructure/README.md | 21 ++++++++++--------- terraform/infrastructure/etc/perftest.tfvars | 9 ++++++++ 9 files changed, 84 insertions(+), 10 deletions(-) create mode 100644 terraform/infrastructure/etc/perftest.tfvars diff --git a/terraform/account-wide-infrastructure/mgmt/route53.tf b/terraform/account-wide-infrastructure/mgmt/route53.tf index 999fc0fa7..3a12876cf 100644 --- a/terraform/account-wide-infrastructure/mgmt/route53.tf +++ b/terraform/account-wide-infrastructure/mgmt/route53.tf @@ -136,3 +136,16 @@ resource "aws_route53_record" "NEW_qa_zone_delegation" { ttl = 300 type = "NS" } + +resource "aws_route53_record" "perftest_zone_delegation" { + zone_id = aws_route53_zone.prod_zone.zone_id + name = "perftest.record-locator.national.nhs.uk" + records = [ + "ns-1821.awsdns-35.co.uk.", + "ns-1449.awsdns-53.org.", + "ns-933.awsdns-52.net.", + "ns-500.awsdns-62.com." + ] + ttl = 300 + type = "NS" +} diff --git a/terraform/account-wide-infrastructure/test/domain.tf b/terraform/account-wide-infrastructure/test/domain.tf index 59907d0f3..4534df403 100644 --- a/terraform/account-wide-infrastructure/test/domain.tf +++ b/terraform/account-wide-infrastructure/test/domain.tf 
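Review bot: The four name servers in `records` are hand-copied values for a hosted zone that lives in a different account (`aws_route53_zone.test-perftest-ns`, created in the test account by this same patch), and nothing in the resource says where they came from; PATCH 03 replaces all four, which suggests this first set was a placeholder applied before the zone existed. A delegation that points at the wrong name servers fails silently from Terraform's point of view — resolution for `perftest.record-locator.national.nhs.uk` simply breaks, or follows servers this project does not control — so record the provenance inline, e.g. `# Must match aws_route53_zone.test-perftest-ns.name_servers in the test account; re-copy if that zone is recreated.`. If the test account's state is reachable from mgmt through a remote-state or secret lookup, sourcing the list from there would remove the manual copy step that PATCH 03 had to correct.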
@@ -38,3 +38,11 @@ module "ref-custom-domain-name" { mtls_certificate_file = "s3://${module.ref-truststore-bucket.bucket_name}/${module.ref-truststore-bucket.certificates_object_key}" mtls_certificate_file_version = module.ref-truststore-bucket.certificates_object_version } + +module "perftest-custom-domain-name" { + source = "../modules/env-custom-domain-name" + domain_name = var.perftest_api_domain_name + domain_zone = aws_route53_zone.test-perftest-api-ns.name + mtls_certificate_file = "s3://${module.perftest-truststore-bucket.bucket_name}/${module.perftest-truststore-bucket.certificates_object_key}" + mtls_certificate_file_version = module.perftest-truststore-bucket.certificates_object_version +} diff --git a/terraform/account-wide-infrastructure/test/dynamodb__pointers-table.tf b/terraform/account-wide-infrastructure/test/dynamodb__pointers-table.tf index 037e6d266..edfd782ed 100644 --- a/terraform/account-wide-infrastructure/test/dynamodb__pointers-table.tf +++ b/terraform/account-wide-infrastructure/test/dynamodb__pointers-table.tf @@ -30,3 +30,11 @@ module "ref-pointers-table" { enable_pitr = true kms_deletion_window_in_days = 30 } + +module "perftest-pointers-table" { + source = "../modules/pointers-table" + name_prefix = "nhsd-nrlf--perftest" + enable_deletion_protection = true + enable_pitr = true + kms_deletion_window_in_days = 30 +} diff --git a/terraform/account-wide-infrastructure/test/route53.tf b/terraform/account-wide-infrastructure/test/route53.tf index b4cb4208e..3fa303751 100644 --- a/terraform/account-wide-infrastructure/test/route53.tf +++ b/terraform/account-wide-infrastructure/test/route53.tf @@ -17,3 +17,7 @@ resource "aws_route53_zone" "NEW_test-ref-ns" { resource "aws_route53_zone" "test-ref-ns" { name = "api.record-locator.ref.national.nhs.uk" } + +resource "aws_route53_zone" "test-perftest-ns" { + name = "perftest.record-locator.national.nhs.uk" +} 
diff --git a/terraform/account-wide-infrastructure/test/s3.tf b/terraform/account-wide-infrastructure/test/s3.tf index 6ce067aad..57c51ebf6 100644 --- a/terraform/account-wide-infrastructure/test/s3.tf +++ b/terraform/account-wide-infrastructure/test/s3.tf @@ -24,6 +24,11 @@ module "ref-permissions-store-bucket" { name_prefix = "nhsd-nrlf--ref" } +module "perftest-permissions-store-bucket" { + source = "../modules/permissions-store-bucket" + name_prefix = "nhsd-nrlf--perftest" +} + module "qa-truststore-bucket" { source = "../modules/truststore-bucket" name_prefix = "nhsd-nrlf--qa" @@ -53,3 +58,9 @@ module "ref-truststore-bucket" { name_prefix = "nhsd-nrlf--ref" server_certificate_file = "../../../truststore/server/ref.pem" } + +module "perftest-truststore-bucket" { + source = "../modules/truststore-bucket" + name_prefix = "nhsd-nrlf--perftest" + server_certificate_file = "../../../truststore/server/perftest.pem" +} diff --git a/terraform/account-wide-infrastructure/test/secrets.tf b/terraform/account-wide-infrastructure/test/secrets.tf index 903628d84..173154ef1 100644 --- a/terraform/account-wide-infrastructure/test/secrets.tf +++ b/terraform/account-wide-infrastructure/test/secrets.tf @@ -17,6 +17,11 @@ resource "aws_secretsmanager_secret" "ref_smoke_test_apigee_app" { description = "APIGEE App used to run Smoke Tests against the REF environment" } +resource "aws_secretsmanager_secret" "perftest_smoke_test_apigee_app" { + name = "${local.prefix}--perftest--apigee-app--smoke-test" + description = "APIGEE App used to run Smoke Tests against the perftest environment" +} + resource "aws_secretsmanager_secret" "backup_destination_parameters" { name = "${local.prefix}--backup-destination-parameters" description = "Parameters used to configure the backup destination" 
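Review bot: `server_certificate_file = "../../../truststore/server/perftest.pem"` points at a file that nothing in this patch creates; the truststore build script only learns about perftest in PATCH 02, so applying this commit on its own presumably fails at plan time if the module reads the path with `file()`. Either land the script change first or note the prerequisite beside the module, e.g. `# requires scripts/truststore.sh to have built truststore/server/perftest.pem first`.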
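Review bot: `perftest_smoke_test_apigee_app` builds its name from `${local.prefix}` while `perftest_smoke_test_parameters` in the next hunk (`@@ -50,6 +55,11 @@`) and `perftest_environment_configuration` in the one after use `${local.project}`; if this mirrors the existing ref and qa secrets it is worth a one-line comment, because the two locals presumably expand differently and a mis-prefixed secret is only discovered when the smoke tests cannot read it. None of the three new secrets sets `kms_key_id`, so they fall back to the AWS-managed key — consistent with the visible neighbours, but for Apigee app credentials a customer-managed key would let decrypt access be audited per environment. These resources create only the secret container, so the values still have to be populated after apply; a comment naming who owns that step would help.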
@@ -50,6 +55,11 @@ resource "aws_secretsmanager_secret" "ref_smoke_test_parameters" { description = "Parameters used to run Smoke Tests against the ref environment" } +resource "aws_secretsmanager_secret" "perftest_smoke_test_parameters" { + name = "${local.project}--perftest--smoke-test-parameters" + description = "Parameters used to run Smoke Tests against the perftest environment" +} + # # Splunk Configuration secrets @@ -107,6 +117,11 @@ resource "aws_secretsmanager_secret" "ref_environment_configuration" { description = "The environment configuration for the Ref environment" } +resource "aws_secretsmanager_secret" "perftest_environment_configuration" { + name = "${local.project}--perftest--env-config" + description = "The environment configuration for the Perftest environment" +} + # # PowerBI secrets # diff --git a/terraform/account-wide-infrastructure/test/vars.tf b/terraform/account-wide-infrastructure/test/vars.tf index 1eb05be54..12ebee107 100644 --- a/terraform/account-wide-infrastructure/test/vars.tf +++ b/terraform/account-wide-infrastructure/test/vars.tf @@ -29,6 +29,11 @@ variable "ref_api_domain_name" { default = "ref.api.record-locator.ref.national.nhs.uk" } +variable "perftest_api_domain_name" { + description = "The internal DNS name of the API Gateway for the perftest environment" + default = "api.perftest.record-locator.national.nhs.uk" +} + variable "enable_reporting" { type = bool description = "Enable account-wide reporting processes in the test account" diff --git a/terraform/infrastructure/README.md b/terraform/infrastructure/README.md index ad3a213da..a78ac05b8 100644 --- a/terraform/infrastructure/README.md +++ b/terraform/infrastructure/README.md 
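Review bot: `variable "perftest_api_domain_name"` declares `description` and `default` but no `type`, while `enable_reporting` directly below it declares `type = bool`; add `type = string` so a tfvars override of the wrong shape is rejected at plan time rather than interpolated into the custom domain. The default `api.perftest.record-locator.national.nhs.uk` is consistent with the `perftest.record-locator.national.nhs.uk` zone created in route53.tf and with the `_truststore_build_cert` host added in PATCH 02.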
@@ -8,16 +8,17 @@ Each developer/QA can create their own ephemeral instance of the NRLF infrastruc This project has a number of "persistent environments", similar to traditional dev, ref and prod environments. Each of these environments will typically contain multiple NRLF stacks, allowing for blue/green style deployment, and have shared storage infrastructure like DynamoDB tables and S3 buckets. The persistent environments are deployed as follows: -| Environment | TF Workspace | TF Config | AWS Account | Internal Domain | Public Domain | -| ------------ | ------------- | ----------------- | ----------- | ------------------------------------ | ----------------------------------------- | -| internal-dev | dev-N | `etc/dev.tfvars` | dev | `record-locator.dev.national.nhs.uk` | `internal-dev.api.service.nhs.uk` | -| dev-sandbox | dev-sandbox-N | `etc/dev.tfvars` | dev | `record-locator.dev.national.nhs.uk` | `internal-dev-sandbox.api.service.nhs.uk` | -| internal-qa | qa-N | `etc/qa.tfvars` | test | `qa.record-locator.national.nhs.uk` | `internal-qa.api.service.nhs.uk` | -| qa-sandbox | qa-sandbox-N | `etc/qa.tfvars` | test | `qa.record-locator.national.nhs.uk` | `internal-qa-sandbox.api.service.nhs.uk` | -| int | int-N | `etc/int.tfvars` | test | `record-locator.int.national.nhs.uk` | `int.api.service.nhs.uk` | -| sandbox | int-sandbox-N | `etc/int.tfvars` | test | `record-locator.int.national.nhs.uk` | `sandbox.api.service.nhs.uk` | -| ref | ref-N | `etc/ref.tfvars` | test | `record-locator.ref.national.nhs.uk` | `ref.api.service.nhs.uk` | -| prod | prod-N | `etc/prod.tfvars` | prod | `record-locator.national.nhs.uk` | `api.service.nhs.uk` | +| Environment | TF Workspace | TF Config | AWS Account | Internal Domain | Public Domain | +| ------------ | ------------- | --------------------- | ----------- | ----------------------------------------- | ----------------------------------------- | +| internal-dev | dev-N | `etc/dev.tfvars` | dev | 
`record-locator.dev.national.nhs.uk` | `internal-dev.api.service.nhs.uk` | +| dev-sandbox | dev-sandbox-N | `etc/dev.tfvars` | dev | `record-locator.dev.national.nhs.uk` | `internal-dev-sandbox.api.service.nhs.uk` | +| internal-qa | qa-N | `etc/qa.tfvars` | test | `qa.record-locator.national.nhs.uk` | `internal-qa.api.service.nhs.uk` | +| qa-sandbox | qa-sandbox-N | `etc/qa.tfvars` | test | `qa.record-locator.national.nhs.uk` | `internal-qa-sandbox.api.service.nhs.uk` | +| int | int-N | `etc/int.tfvars` | test | `record-locator.int.national.nhs.uk` | `int.api.service.nhs.uk` | +| sandbox | int-sandbox-N | `etc/int.tfvars` | test | `record-locator.int.national.nhs.uk` | `sandbox.api.service.nhs.uk` | +| perftest | perftest-N | `etc/perftest.tfvars` | test | `perftest.record-locator.national.nhs.uk` | `perftest.api.service.nhs.uk` | +| ref | ref-N | `etc/ref.tfvars` | test | `record-locator.ref.national.nhs.uk` | `ref.api.service.nhs.uk` | +| prod | prod-N | `etc/prod.tfvars` | prod | `record-locator.national.nhs.uk` | `api.service.nhs.uk` | The `N` in the TF workspace name repesents the stack id in that environment. So, for example, the internal-dev environment might have two stacks, `dev-1` and `dev-2` with TF workspace names matching their stack names. All resources for the `dev-1` stack will be contained within the `dev-1` TF workspace. diff --git a/terraform/infrastructure/etc/perftest.tfvars b/terraform/infrastructure/etc/perftest.tfvars new file mode 100644 index 000000000..5199c155f --- /dev/null +++ b/terraform/infrastructure/etc/perftest.tfvars @@ -0,0 +1,9 @@ +account_name = "perftest" +aws_account_name = "test" + +domain = "api.perftest.record-locator.national.nhs.uk" +deletion_protection = true + +public_domain = "perftest.api.service.nhs.uk" +log_retention_period = 30 +enable_reporting = false From ca250c710f6fe3d69df03119953ade5b1c6a0214 Mon Sep 17 00:00:00 2001 
From: "Axel Garcia K." Date: Wed, 5 Nov 2025 11:30:34 +0000 Subject: [PATCH 02/13] NRL-1664 Fixes to terraform and add to truststore script --- README.md | 2 +- scripts/truststore.sh | 24 ++++++++++--------- .../test/domain.tf | 2 +- 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index bcaf612e3..46528bedc 100644 --- a/README.md +++ b/README.md @@ -65,7 +65,7 @@ In order to do this, make sure you have AWS CLI installed and configured, then r make ENV=env truststore-pull-all ``` -Where `env` is one of `dev`, `qa` , `int`, `ref` or `prod`. +Where `env` is one of `dev`, `qa` , `int`, `perftest`, `ref` or `prod`. ## Getting Started diff --git a/scripts/truststore.sh b/scripts/truststore.sh index 21795088e..5f209c9e7 100755 --- a/scripts/truststore.sh +++ b/scripts/truststore.sh 
@@ -246,17 +246,19 @@ function _restore_archived_cert() { } function _truststore_build_all() { - _truststore_build_ca "prod" "record-locator.national.nhs.uk_CA2" - _truststore_build_ca "int" "record-locator.int.national.nhs.uk_CA2" - _truststore_build_ca "ref" "record-locator.ref.national.nhs.uk_CA2" - _truststore_build_ca "qa" "qa.record-locator.national.nhs.uk_CA2" - _truststore_build_ca "dev" "record-locator.dev.national.nhs.uk_CA2" - - _truststore_build_cert "prod" "prod" "api.record-locator.national.nhs.uk" - _truststore_build_cert "int" "int" "int.api.record-locator.int.national.nhs.uk" - _truststore_build_cert "ref" "ref" "ref.api.record-locator.ref.national.nhs.uk" - _truststore_build_cert "qa" "qa" "api.qa.record-locator.national.nhs.uk" - _truststore_build_cert "dev" "dev" "dev.api.record-locator.dev.national.nhs.uk" + _truststore_build_ca "prod" "record-locator.national.nhs.uk_CA2" + _truststore_build_ca "int" "record-locator.int.national.nhs.uk_CA2" + _truststore_build_ca "ref" "record-locator.ref.national.nhs.uk_CA2" + _truststore_build_ca "perftest" "perftest.record-locator.national.nhs.uk_CA2" + _truststore_build_ca "qa" "qa.record-locator.national.nhs.uk_CA2" + _truststore_build_ca "dev" "record-locator.dev.national.nhs.uk_CA2" + + _truststore_build_cert "prod" "prod" "api.record-locator.national.nhs.uk" + _truststore_build_cert "int" "int" "int.api.record-locator.int.national.nhs.uk" + _truststore_build_cert "ref" "ref" "ref.api.record-locator.ref.national.nhs.uk" + _truststore_build_cert "perftest" "perftest" "api.perftest.record-locator.national.nhs.uk" + _truststore_build_cert "qa" "qa" "api.qa.record-locator.national.nhs.uk" + _truststore_build_cert "dev" "dev" "dev.api.record-locator.dev.national.nhs.uk" echo -e "✅ Successfully built all truststore files" return 0 diff --git a/terraform/account-wide-infrastructure/test/domain.tf b/terraform/account-wide-infrastructure/test/domain.tf index 4534df403..156b9c32e 100644 
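Review bot: This hunk realigns ten existing `_truststore_build_ca`/`_truststore_build_cert` lines to make room for the longer `"perftest"` argument, so twelve lines show as changed when only two are new, and a reviewer has to diff with whitespace ignored to confirm the other hosts and CA names are untouched. Splitting the realignment into its own commit, or keeping the original single-space alignment, would leave the functional change (`_truststore_build_ca "perftest" "perftest.record-locator.national.nhs.uk_CA2"` and the matching `_truststore_build_cert` line) reviewable on its own. `_truststore_build_all` closes outside the hunk.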
--- a/terraform/account-wide-infrastructure/test/domain.tf +++ b/terraform/account-wide-infrastructure/test/domain.tf @@ -42,7 +42,7 @@ module "ref-custom-domain-name" { module "perftest-custom-domain-name" { source = "../modules/env-custom-domain-name" domain_name = var.perftest_api_domain_name - domain_zone = aws_route53_zone.test-perftest-api-ns.name + domain_zone = aws_route53_zone.test-perftest-ns.name mtls_certificate_file = "s3://${module.perftest-truststore-bucket.bucket_name}/${module.perftest-truststore-bucket.certificates_object_key}" mtls_certificate_file_version = module.perftest-truststore-bucket.certificates_object_version } From b864d7f62b57c6f80987e47cbfc5cb2cc3d80a20 Mon Sep 17 00:00:00 2001 From: "Axel Garcia K." Date: Wed, 5 Nov 2025 15:53:34 +0000 Subject: [PATCH 03/13] NRL-1664 Add perftest nameservers and fix dependency order terraform --- terraform/account-wide-infrastructure/mgmt/route53.tf | 8 ++++---- terraform/account-wide-infrastructure/test/domain.tf | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/terraform/account-wide-infrastructure/mgmt/route53.tf b/terraform/account-wide-infrastructure/mgmt/route53.tf index 3a12876cf..603eb57d0 100644 --- a/terraform/account-wide-infrastructure/mgmt/route53.tf +++ b/terraform/account-wide-infrastructure/mgmt/route53.tf @@ -141,10 +141,10 @@ resource "aws_route53_record" "perftest_zone_delegation" { zone_id = aws_route53_zone.prod_zone.zone_id name = "perftest.record-locator.national.nhs.uk" records = [ - "ns-1821.awsdns-35.co.uk.", - "ns-1449.awsdns-53.org.", - "ns-933.awsdns-52.net.", - "ns-500.awsdns-62.com." + "ns-885.awsdns-46.net.", + "ns-1995.awsdns-57.co.uk.", + "ns-239.awsdns-29.com.", + "ns-1424.awsdns-50.org." ] ttl = 300 type = "NS" diff --git a/terraform/account-wide-infrastructure/test/domain.tf b/terraform/account-wide-infrastructure/test/domain.tf index 156b9c32e..b7bef605e 100644 --- a/terraform/account-wide-infrastructure/test/domain.tf 
+++ b/terraform/account-wide-infrastructure/test/domain.tf @@ -45,4 +45,5 @@ module "perftest-custom-domain-name" { domain_zone = aws_route53_zone.test-perftest-ns.name mtls_certificate_file = "s3://${module.perftest-truststore-bucket.bucket_name}/${module.perftest-truststore-bucket.certificates_object_key}" mtls_certificate_file_version = module.perftest-truststore-bucket.certificates_object_version + depends_on = [aws_route53_zone.test-perftest-ns] } From fd52d9c28faf5295983b7f2c3bd6751b5c2ef447 Mon Sep 17 00:00:00 2001 From: "Axel Garcia K." Date: Wed, 5 Nov 2025 16:52:33 +0000 Subject: [PATCH 04/13] NRL-1793 Add terraform dependency and aws restore account to mgmt policy --- terraform/account-wide-infrastructure/mgmt/data.tf | 8 ++++++++ .../mgmt/iam__developer-role.tf | 3 ++- terraform/account-wide-infrastructure/test/domain.tf | 5 +++++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/terraform/account-wide-infrastructure/mgmt/data.tf b/terraform/account-wide-infrastructure/mgmt/data.tf index 4aecc75cf..a7306907d 100644 --- a/terraform/account-wide-infrastructure/mgmt/data.tf +++ b/terraform/account-wide-infrastructure/mgmt/data.tf @@ -38,6 +38,10 @@ data "aws_secretsmanager_secret" "test_backup_account_id" { name = "${local.project}--mgmt--test-backup-account-id" } +data "aws_secretsmanager_secret" "test_restore_account_id" { + name = "${local.project}--mgmt--test-restore-account-id" +} + data "aws_secretsmanager_secret_version" "dev_account_id" { secret_id = data.aws_secretsmanager_secret.dev_account_id.name } @@ -49,3 +53,7 @@ data "aws_secretsmanager_secret_version" "test_account_id" { data "aws_secretsmanager_secret_version" "test_backup_account_id" { secret_id = data.aws_secretsmanager_secret.test_backup_account_id.name } + +data "aws_secretsmanager_secret_version" "test_restore_account_id" { + secret_id = data.aws_secretsmanager_secret.test_restore_account_id.name +} 
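Review bot: The added `depends_on = [aws_route53_zone.test-perftest-ns]` duplicates the dependency already implied by `domain_zone = aws_route53_zone.test-perftest-ns.name` on the line above, unless the module resolves the zone through a data source keyed by name — in which case the literal name is known at plan time, the lookup can run before the zone exists, and the explicit dependency is presumably the "dependency order" fix the commit title refers to. Because `depends_on` on a module defers every resource inside it until the zone is applied, the reason should be recorded inline, e.g. `# explicit: the module looks the zone up by name, so the .name reference alone does not order it after zone creation`. The same uncommented pattern is added to the qa, int and ref modules in PATCH 04 and to the dev and prod modules in PATCH 12. The module block starts outside the hunk.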
diff --git a/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf b/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf index 3bfcb2bb1..9496eddee 100644 --- a/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf +++ b/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf @@ -63,7 +63,8 @@ module "developer_policy" { Resource = [ "arn:aws:iam::${data.aws_secretsmanager_secret_version.dev_account_id.secret_string}:role/terraform", "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_account_id.secret_string}:role/terraform", - "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_backup_account_id.secret_string}:role/terraform" + "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_backup_account_id.secret_string}:role/terraform", + "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_restore_account_id.secret_string}:role/terraform" ] }, { diff --git a/terraform/account-wide-infrastructure/test/domain.tf b/terraform/account-wide-infrastructure/test/domain.tf index b7bef605e..b33cc6ff9 100644 --- a/terraform/account-wide-infrastructure/test/domain.tf +++ b/terraform/account-wide-infrastructure/test/domain.tf @@ -5,6 +5,7 @@ module "qa-custom-domain-name" { domain_zone = aws_route53_zone.test-qa-ns.name mtls_certificate_file = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}" mtls_certificate_file_version = module.qa-truststore-bucket.certificates_object_version + depends_on = [aws_route53_zone.test-qa-ns] } module "qasandbox-custom-domain-name" { 
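Review bot: The new `arn:aws:iam::${data.aws_secretsmanager_secret_version.test_restore_account_id.secret_string}:role/terraform` entry lets every holder of the developer role assume the `terraform` role in the restore account, with whatever that role can do there; the statement's `Action` and `Effect` are outside the hunk, but the three existing entries suggest an assume-role allow. If the restore account is where backups are restored for verification, it holds copies of data from the environments being backed up, so this widens developer reach in a way the commit message ("add aws restore account to mgmt policy") does not justify; confirm that is intended and consider a narrower restore-account role for interactive use, keeping `terraform` for the pipeline. A short comment on the entry naming its purpose (e.g. `# NRL-1793: restore account`) would also help the next audit of this policy.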
@@ -13,6 +14,7 @@ module "qasandbox-custom-domain-name" { domain_zone = aws_route53_zone.test-qa-ns.name mtls_certificate_file = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}" mtls_certificate_file_version = module.qa-truststore-bucket.certificates_object_version + depends_on = [aws_route53_zone.test-qa-ns] } module "int-custom-domain-name" { @@ -21,6 +23,7 @@ module "int-custom-domain-name" { domain_zone = aws_route53_zone.test-int-ns.name mtls_certificate_file = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}" mtls_certificate_file_version = module.int-truststore-bucket.certificates_object_version + depends_on = [aws_route53_zone.test-int-ns] } module "intsandbox-custom-domain-name" { @@ -29,6 +32,7 @@ module "intsandbox-custom-domain-name" { domain_zone = aws_route53_zone.test-int-ns.name mtls_certificate_file = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}" mtls_certificate_file_version = module.int-truststore-bucket.certificates_object_version + depends_on = [aws_route53_zone.test-int-ns] } module "ref-custom-domain-name" { @@ -37,6 +41,7 @@ module "ref-custom-domain-name" { domain_zone = aws_route53_zone.test-ref-ns.name mtls_certificate_file = "s3://${module.ref-truststore-bucket.bucket_name}/${module.ref-truststore-bucket.certificates_object_key}" mtls_certificate_file_version = module.ref-truststore-bucket.certificates_object_version + depends_on = [aws_route53_zone.test-ref-ns] } module "perftest-custom-domain-name" { From 4db4321525de6fd364e38b3563798dc0acadb0df Mon Sep 17 00:00:00 2001 From: Kate Bobyn Date: Wed, 5 Nov 2025 17:38:52 +0000 Subject: [PATCH 05/13] NRL-1793 align tf for developer role with current in aws --- .../mgmt/iam__developer-role.tf | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) 
diff --git a/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf b/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf index 9496eddee..a58913bc2 100644 --- a/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf +++ b/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf @@ -46,6 +46,9 @@ module "developer_policy" { Resource = [ "${data.aws_s3_bucket.terraform_state.arn}/${local.project}/prod/*", "${data.aws_s3_bucket.terraform_state.arn}/${local.project}/mgmt/*", + "${data.aws_s3_bucket.truststore.arn}/ca/prod.*", + "${data.aws_s3_bucket.truststore.arn}/client/prod.*", + "${data.aws_s3_bucket.truststore.arn}/server/prod.*" ] }, { @@ -100,19 +103,6 @@ module "developer_policy" { "${data.aws_s3_bucket.ci_logging.arn}/*" ] }, - { - Action = [ - "s3:PutObject", - "s3:GetObject", - "s3:DeleteObject" - ] - Effect = "Deny" - Resource = [ - "${data.aws_s3_bucket.truststore.arn}/ca/prod*", - "${data.aws_s3_bucket.truststore.arn}/client/prod*", - "${data.aws_s3_bucket.truststore.arn}/server/prod*" - ] - }, { Action = [ "s3:GetObject" From e3d15ab6661478348a638237d8f39d6baa4e7c9d Mon Sep 17 00:00:00 2001 From: "Axel Garcia K." Date: Thu, 6 Nov 2025 16:43:50 +0000 Subject: [PATCH 06/13] NRL-1664 More changes for the perftest environment --- README.md | 2 +- scripts/are_resources_shared_for_stack.py | 2 ++ scripts/aws_session_assume.py | 1 + scripts/get-account-name-for-env.sh | 2 +- tests/utilities/get_access_token.py | 2 ++ 5 files changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 46528bedc..1ebb41ab9 100644 --- a/README.md +++ b/README.md 
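Review bot: The explicit `Effect = "Deny"` on `s3:PutObject`/`s3:GetObject`/`s3:DeleteObject` for the prod truststore objects is removed, and the paths are added instead to a statement whose `Action` and `Effect` are outside this hunk; if that statement is an allow, the prod truststore has moved from denied to developer-accessible, and if it is a deny the pattern has still narrowed from `prod*` to `prod.*`, which no longer covers a key such as `server/prod-old.pem`. Aligning Terraform with what is live in AWS is reasonable, but a deny that disappears from code is a permission change and should be described as one in the commit message rather than as a sync. PATCH 11 in this series restores the original Deny statement, so the exposure is limited to the interval between the two commits.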
@@ -414,7 +414,7 @@ If the Producer API has changed, or the documentation for that API has changed, Once you have a new release version ready, you can deploy it through our environments as follows: -1. Use the "Persistent Environment Deploy" Github Action workflow to deploy the release tag to `dev`, `dev-sandbox`, `qa`, `qa-sandbox`, `int` and `int-sandbox` environments. +1. Use the "Persistent Environment Deploy" Github Action workflow to deploy the release tag to `dev`, `dev-sandbox`, `qa`, `qa-sandbox`, `int`, `int-sandbox` and `perftest` environments. 2. If any issues arise in the deployment, fix the issues, create a new release version and start this process again. 3. Once the deployments are complete, use the "Persistent Environment Deploy" Github Action workflow to deploy the release version to `ref`. 4. Once that is complete, use the "Persistent Environment Deploy" workflow to deploy the release version to `prod`. diff --git a/scripts/are_resources_shared_for_stack.py b/scripts/are_resources_shared_for_stack.py index 0bf891d12..a9d2b1ea9 100644 --- a/scripts/are_resources_shared_for_stack.py +++ b/scripts/are_resources_shared_for_stack.py @@ -13,6 +13,8 @@ "qa-sandbox-2", "ref-1", "ref-2", + "perftest-1", + "perftest-2", "int-1", "int-2", "int-sandbox-1", diff --git a/scripts/aws_session_assume.py b/scripts/aws_session_assume.py index 6a3e28ea0..bec8fa8e7 100644 --- a/scripts/aws_session_assume.py +++ b/scripts/aws_session_assume.py @@ -7,6 +7,7 @@ "qa": "test", "qa-sandbox": "test", "ref": "test", + "perftest": "test", "int": "test", "int-sandbox": "test", "prod": "prod", diff --git a/scripts/get-account-name-for-env.sh b/scripts/get-account-name-for-env.sh index 49765b659..2c377b6ae 100755 --- a/scripts/get-account-name-for-env.sh +++ b/scripts/get-account-name-for-env.sh @@ -13,7 +13,7 @@ case "${env}" in dev|dev-sandbox) echo "dev" ;; - qa|qa-sandbox|ref|int|int-sandbox) + qa|qa-sandbox|perftest|ref|int|int-sandbox) echo "test" ;; prod) 
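Review bot: The environment-to-account mapping is now maintained by hand in four places — the dict in `scripts/aws_session_assume.py`, the dict in `tests/utilities/get_access_token.py`, the `case` in `scripts/get-account-name-for-env.sh` and the stack list in `scripts/are_resources_shared_for_stack.py` — and this commit has to touch all four to add `perftest`; the next environment will be missed in at least one of them. A single source (a small JSON file read by the Python scripts and the shell script) would remove the drift, or failing that a comment in each, e.g. `# keep in sync with scripts/get-account-name-for-env.sh and tests/utilities/get_access_token.py`. The dict and list names are outside the hunks.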
diff --git a/tests/utilities/get_access_token.py b/tests/utilities/get_access_token.py index d4580a0d1..d6a1e03ec 100644 --- a/tests/utilities/get_access_token.py +++ b/tests/utilities/get_access_token.py @@ -37,6 +37,7 @@ "qa": "test", "ref": "test", "int": "test", + "perftest": "test", "prod": "prod", } APIGEE_ENV_FOR_ENV = { @@ -47,6 +48,7 @@ "ref": "ref", "int": "int", "int-sandbox": "sandbox", + "perftest": "internal-qa", # TODO: Hijacking qa to not create a new APIGEE proxy environment. Once we have proxygen, rethink this "prod": "prod", } APP_FOR_ALIAS = { From 08bde0fed4ada96e65bc0488fa9ecffd3c5b5d5b Mon Sep 17 00:00:00 2001 From: "Axel Garcia K." Date: Fri, 7 Nov 2025 10:25:43 +0000 Subject: [PATCH 07/13] NRL-1664 Fix domain name of perftest --- terraform/infrastructure/etc/perftest.tfvars | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/terraform/infrastructure/etc/perftest.tfvars b/terraform/infrastructure/etc/perftest.tfvars index 5199c155f..2ed1fc6ac 100644 --- a/terraform/infrastructure/etc/perftest.tfvars +++ b/terraform/infrastructure/etc/perftest.tfvars @@ -1,9 +1,8 @@ account_name = "perftest" aws_account_name = "test" -domain = "api.perftest.record-locator.national.nhs.uk" -deletion_protection = true - +domain = "perftest.record-locator.national.nhs.uk" public_domain = "perftest.api.service.nhs.uk" +deletion_protection = true log_retention_period = 30 enable_reporting = false From 3ac18e0abb8c84a23c804cef489ae5d0612cf260 Mon Sep 17 00:00:00 2001 From: "Axel Garcia K." Date: Fri, 7 Nov 2025 11:28:24 +0000 Subject: [PATCH 08/13] NRL-1664 Add terraform variable to disable all firehose lambda subscriptions --- terraform/infrastructure/etc/perftest.tfvars | 11 ++++++----- terraform/infrastructure/locals.tf | 2 +- terraform/infrastructure/vars.tf | 6 ++++++ 3 files changed, 13 insertions(+), 6 deletions(-) 
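Review bot: Mapping `"perftest"` to the `"internal-qa"` Apigee environment means perf and load runs obtain tokens through, and send traffic via, the proxy that internal-qa uses, so any quota, rate limit or app credential configured on that proxy is shared between load testing and QA, and a load run can degrade or lock out QA. The TODO records why the mapping exists but not this consequence — extend it, e.g. `# NRL-1802: reuses the internal-qa Apigee proxy; load runs share its quotas and app credentials with QA` (PATCH 13 rewrites this comment, so the wording could land there). The hunk above adds `"perftest": "test"` to the account map, consistent with the other scripts in this commit.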
diff --git a/terraform/infrastructure/etc/perftest.tfvars b/terraform/infrastructure/etc/perftest.tfvars index 2ed1fc6ac..377fbbfd5 100644 --- a/terraform/infrastructure/etc/perftest.tfvars +++ b/terraform/infrastructure/etc/perftest.tfvars @@ -1,8 +1,9 @@ account_name = "perftest" aws_account_name = "test" -domain = "perftest.record-locator.national.nhs.uk" -public_domain = "perftest.api.service.nhs.uk" -deletion_protection = true -log_retention_period = 30 -enable_reporting = false +domain = "perftest.record-locator.national.nhs.uk" +public_domain = "perftest.api.service.nhs.uk" +deletion_protection = true +log_retention_period = 30 +enable_reporting = false +disable_firehose_lambda_subscriptions = true diff --git a/terraform/infrastructure/locals.tf b/terraform/infrastructure/locals.tf index 8f96c9137..ebe720093 100644 --- a/terraform/infrastructure/locals.tf +++ b/terraform/infrastructure/locals.tf @@ -32,7 +32,7 @@ locals { reporting_bucket_arn = data.aws_s3_bucket.source-data-bucket.arn reporting_kms_arn = data.aws_kms_key.glue.arn - firehose_lambda_subscriptions = var.use_shared_resources ? ( + firehose_lambda_subscriptions = var.use_shared_resources && !var.disable_firehose_lambda_subscriptions ? ( var.enable_reporting ? { "splunk_subscription" = module.firehose__processor[0].firehose_subscription, "reports_subscription" = module.firehose__processor[0].firehose_reporting_subscription diff --git a/terraform/infrastructure/vars.tf b/terraform/infrastructure/vars.tf index e6ca502fd..07c901d1a 100644 --- a/terraform/infrastructure/vars.tf +++ b/terraform/infrastructure/vars.tf 
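Review bot: `var.use_shared_resources && !var.disable_firehose_lambda_subscriptions` becomes the guard for `module.firehose__processor[0]` here, while the module's `count` in firehose.tf (PATCH 09) and `firehost_lambda_splunk_only_subscription` a few lines below (PATCH 10) each grow the same expression separately; until PATCH 10 lands, the second local still indexes `[0]` under the weaker `var.use_shared_resources` and would fail on the perftest plan. Define the condition once, e.g. `firehose_enabled = var.use_shared_resources && !var.disable_firehose_lambda_subscriptions`, and reference `local.firehose_enabled` from the `count` and both locals, so the module's existence and its consumers cannot drift apart again. The `locals` block starts and ends outside the hunk.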
@@ -61,3 +61,9 @@ variable "enable_reporting" { description = "Enable reporting for this environment" default = false } + +variable "disable_firehose_lambda_subscriptions" { + description = "Disable firehose lambda subscriptions (e.g: splunk, reporting) for shared environments (e.g: perftest). This doesn't affect ephemeral environments as the firehose subscriptions are disabled regardless of this setting" + type = bool + default = false +} From 170e74c43acb7a0e2a24125e0d75b45b71ca6a4b Mon Sep 17 00:00:00 2001 From: "Axel Garcia K." Date: Fri, 7 Nov 2025 12:37:46 +0000 Subject: [PATCH 09/13] NRL-1664 Disable all firehose processor infrastructure for perftest --- terraform/infrastructure/firehose.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/infrastructure/firehose.tf b/terraform/infrastructure/firehose.tf index b7a9dd370..bfccccd21 100644 --- a/terraform/infrastructure/firehose.tf +++ b/terraform/infrastructure/firehose.tf @@ -1,5 +1,5 @@ module "firehose__processor" { - count = var.use_shared_resources ? 1 : 0 + count = var.use_shared_resources && !var.disable_firehose_lambda_subscriptions ? 1 : 0 source = "./modules/firehose" assume_account = local.aws_account_id prefix = local.prefix From 4eefe57d7cb870b5f9a0e4624fd18bfc16d59eaf Mon Sep 17 00:00:00 2001 From: "Axel Garcia K." Date: Fri, 7 Nov 2025 16:48:07 +0000 Subject: [PATCH 10/13] NRL-1664 Add another location to disable firehose processor --- terraform/infrastructure/locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/infrastructure/locals.tf b/terraform/infrastructure/locals.tf index ebe720093..de4e6327a 100644 --- a/terraform/infrastructure/locals.tf +++ b/terraform/infrastructure/locals.tf 
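Review bot: `disable_firehose_lambda_subscriptions` is a negative flag beside the positive `enable_reporting`, so every use site reads as `!var.disable_firehose_lambda_subscriptions`; since the variable is new, naming it `enable_firehose_lambda_subscriptions` with `default = true` (and `false` in perftest.tfvars) removes the double negative. The description explains the mechanics but not the operational effect: with the flag set, the environment ships no logs to Splunk, so detection and audit coverage for it rests on CloudWatch alone for the configured `log_retention_period` — worth a sentence here or in the README so that choice is explicit for a shared, persistent environment.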
@@ -40,7 +40,7 @@ locals { "splunk_subscription" = module.firehose__processor[0].firehose_subscription } ) : {} - firehost_lambda_splunk_only_subscription = var.use_shared_resources ? { + firehost_lambda_splunk_only_subscription = var.use_shared_resources && !var.disable_firehose_lambda_subscriptions ? { "splunk_subscription" : module.firehose__processor[0].firehose_subscription } : {} splunk_environment = local.is_sandbox_env ? "${var.account_name}sandbox" : var.account_name From ab7462896611f92e18613b58015f512fb5115db1 Mon Sep 17 00:00:00 2001 From: "Axel Garcia K." Date: Fri, 7 Nov 2025 22:04:10 +0000 Subject: [PATCH 11/13] Revert "NRL-1793 align tf for developer role with current in aws" This reverts commit 0266ddac5b77810cfd6964fe05b513ce418b69ff. This change was useful to avoid releasing unreleased changes to the test environments, but it is no longer needed as those will be released shortly on the release cut. --- .../mgmt/iam__developer-role.tf | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf b/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf index a58913bc2..9496eddee 100644 --- a/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf +++ b/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf @@ -46,9 +46,6 @@ module "developer_policy" { Resource = [ "${data.aws_s3_bucket.terraform_state.arn}/${local.project}/prod/*", "${data.aws_s3_bucket.terraform_state.arn}/${local.project}/mgmt/*", - "${data.aws_s3_bucket.truststore.arn}/ca/prod.*", - "${data.aws_s3_bucket.truststore.arn}/client/prod.*", - "${data.aws_s3_bucket.truststore.arn}/server/prod.*" ] }, { 
@@ -103,6 +100,19 @@ module "developer_policy" { "${data.aws_s3_bucket.ci_logging.arn}/*" ] }, + { + Action = [ + "s3:PutObject", + "s3:GetObject", + "s3:DeleteObject" + ] + Effect = "Deny" + Resource = [ + "${data.aws_s3_bucket.truststore.arn}/ca/prod*", + "${data.aws_s3_bucket.truststore.arn}/client/prod*", + "${data.aws_s3_bucket.truststore.arn}/server/prod*" + ] + }, { Action = [ "s3:GetObject" From 332cdba6238997daf799902e7543328afda1481b Mon Sep 17 00:00:00 2001 From: "Axel Garcia K." Date: Fri, 7 Nov 2025 22:08:49 +0000 Subject: [PATCH 12/13] NRL-1793 Add route53 dependencies to dev and prod --- terraform/account-wide-infrastructure/dev/domain.tf | 2 ++ terraform/account-wide-infrastructure/prod/domain.tf | 1 + 2 files changed, 3 insertions(+) diff --git a/terraform/account-wide-infrastructure/dev/domain.tf b/terraform/account-wide-infrastructure/dev/domain.tf index 2a4085ecd..6ea19b3a6 100644 --- a/terraform/account-wide-infrastructure/dev/domain.tf +++ b/terraform/account-wide-infrastructure/dev/domain.tf @@ -5,6 +5,7 @@ module "dev-custom-domain-name" { domain_zone = aws_route53_zone.dev-ns.name mtls_certificate_file = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}" mtls_certificate_file_version = module.dev-truststore-bucket.certificates_object_version + depends_on = [aws_route53_zone.dev-ns] } module "devsandbox-custom-domain-name" { @@ -13,4 +14,5 @@ module "devsandbox-custom-domain-name" { domain_zone = aws_route53_zone.dev-ns.name mtls_certificate_file = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}" mtls_certificate_file_version = module.dev-truststore-bucket.certificates_object_version + depends_on = [aws_route53_zone.dev-ns] } diff --git a/terraform/account-wide-infrastructure/prod/domain.tf b/terraform/account-wide-infrastructure/prod/domain.tf index e2426325d..3af1c6765 100644 
--- a/terraform/account-wide-infrastructure/prod/domain.tf +++ b/terraform/account-wide-infrastructure/prod/domain.tf @@ -6,4 +6,5 @@ module "dev-custom-domain-name" { domain_zone = aws_route53_zone.prod-ns.name mtls_certificate_file = "s3://${module.prod-truststore-bucket.bucket_name}/${module.prod-truststore-bucket.certificates_object_key}" mtls_certificate_file_version = module.prod-truststore-bucket.certificates_object_version + depends_on = [aws_route53_zone.prod-ns] } From 71cbbc44ded7d13a93dcca692244e355251066b7 Mon Sep 17 00:00:00 2001 From: "Axel Garcia K." Date: Tue, 11 Nov 2025 10:46:21 +0000 Subject: [PATCH 13/13] NRL-1664 Remove TODO and add ticket reference to change --- tests/utilities/get_access_token.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/utilities/get_access_token.py b/tests/utilities/get_access_token.py index d6a1e03ec..d76926ebe 100644 --- a/tests/utilities/get_access_token.py +++ b/tests/utilities/get_access_token.py @@ -48,7 +48,7 @@ "ref": "ref", "int": "int", "int-sandbox": "sandbox", - "perftest": "internal-qa", # TODO: Hijacking qa to not create a new APIGEE proxy environment. Once we have proxygen, rethink this + "perftest": "internal-qa", # NRL-1802: Hijacking qa to not create a new APIGEE proxy environment. "prod": "prod", } APP_FOR_ALIAS = {