New: [AEA-6037] - Introduce Proxygen API for PFP #2207
Open
connoravo-nhs wants to merge 54 commits into main from AEA-6037
Commits (54):
712b864 (tstephen-nhs) Chore: devcontainer fail fast, posix equality, force docker gid
b2ebc80 (tstephen-nhs) chore: provide docker gid from env
c330f5c (connoravo-nhs) Merge branches 'aea-0000-devcontainer-docker' and 'main' of github.co…
60d7d77 (connoravo-nhs) Merge branch 'main' of github.com-nhs:NHSDigital/prescriptionsforpati…
7c85ef3 (connoravo-nhs) Merge branch 'main' of github.com-nhs:NHSDigital/prescriptionsforpati…
2ffc014 (connoravo-nhs) WIP - Modify pipeline & include full spec
4c10f79 (connoravo-nhs) Remove specification as TS package
398771c (connoravo-nhs) Pipeline kickoff
44ab332 (connoravo-nhs) Merge branch 'main' into AEA-6037
519d0c5 (connoravo-nhs) Pipeline kickoff
0382173 (connoravo-nhs) Pipeline kickoff
590d8f6 (connoravo-nhs) Merge branch 'AEA-6037' of github.com-nhs:NHSDigital/prescriptionsfor…
ad0dbf4 (connoravo-nhs) Pipeline kickoff2
8af4e50 (connoravo-nhs) NPM run redocly #skip-qc
08e1e78 (connoravo-nhs) Remove unnecessary dependencies
09df7a0 (connoravo-nhs) Fix build #skip-qc
b4b3461 (connoravo-nhs) Modify path
ccbbf0c (connoravo-nhs) Compile then upload
5fa4728 (connoravo-nhs) Add in compile stage on makefile
a95ac8c (connoravo-nhs) Correct proxygen secret name
e1af0ed (connoravo-nhs) Modify apigee client
fea4c42 (connoravo-nhs) Kick off pipelines
aa755bb (connoravo-nhs) Include apiclient in payload JSON #skip-qc
ed0307e (connoravo-nhs) Set internal dev server & modify when mtls is set
d3715c2 (connoravo-nhs) Adjust API to be p-f-p
d4e6dab (connoravo-nhs) Set MTLS first
4890c36 (connoravo-nhs) Kick off pipeline
7f13f21 (connoravo-nhs) Switch naming to pfp-proxygen
9800d9a (connoravo-nhs) Set security schemas
eb591e2 (connoravo-nhs) Spec adjustments - Output spec always
052c4ab (connoravo-nhs) temp disable enablement of mtls
db692f9 (connoravo-nhs) Modify target environment
98383c1 (connoravo-nhs) Stop release tag update from PRs
f8077b9 (connoravo-nhs) enable tls
bd9ccdb (connoravo-nhs) Kick off pipeline
633e4e6 (connoravo-nhs) Modify header given to pfp
b7b70ee (connoravo-nhs) Adjust to nhsd-nhslogin-user
7224f63 (connoravo-nhs) Introduce proofing level check
22789ea (connoravo-nhs) Duh
5c7f4e0 (connoravo-nhs) Application name attribute output as header to origin
a72ddc2 (connoravo-nhs) don't require it
dab4654 (connoravo-nhs) Fix reg tests and uts
9a8918e (connoravo-nhs) Disable MTLS
90d6711 (connoravo-nhs) Use the branch for proxygen tests to use correct workflow
6f61460 (connoravo-nhs) Both use branch?
1821e3e (connoravo-nhs) Kick off pipeline
07c3e8b (connoravo-nhs) Kick off pipeline2
ec0d37f (connoravo-nhs) Merge branch 'main' of github.com-nhs:NHSDigital/prescriptionsforpati…
3888863 (connoravo-nhs) Merge branch 'main' into AEA-6037
f9ecf4b (connoravo-nhs) fix target environment
d632fcb (connoravo-nhs) Remove sandbox environment on PRs
ea1dfba (connoravo-nhs) Merge branch 'main' of github.com-nhs:NHSDigital/prescriptionsforpati…
55fae2c (connoravo-nhs) Merge branch 'main' into AEA-6037
260f597 (connoravo-nhs) Set latest regression test version for PFP Proxygen changes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,203 @@ | ||
| #!/usr/bin/env bash | ||
| set -eu pipefail | ||
|
|
||
| echo "Specification path: ${SPEC_PATH}" | ||
| echo "Specification version: ${VERSION_NUMBER}" | ||
| echo "Stack name: ${STACK_NAME}" | ||
| echo "AWS environment: ${AWS_ENVIRONMENT}" | ||
| echo "Apigee environment: ${APIGEE_ENVIRONMENT}" | ||
| echo "Proxygen private key name: ${PROXYGEN_PRIVATE_KEY_NAME}" | ||
| echo "Proxygen KID: ${PROXYGEN_KID}" | ||
| echo "Dry run: ${DRY_RUN}" | ||
| echo "ENABLE_MUTUAL_TLS: ${ENABLE_MUTUAL_TLS}" | ||
| echo "is_pull_request: ${IS_PULL_REQUEST}" | ||
|
|
||
| client_private_key=$(cat ~/.proxygen/tmp/client_private_key) | ||
| client_cert=$(cat ~/.proxygen/tmp/client_cert) | ||
|
|
||
| if [ -z "${client_private_key}" ]; then | ||
| echo "client_private_key is unset or set to the empty string" | ||
| exit 1 | ||
| fi | ||
| if [ -z "${client_cert}" ]; then | ||
| echo "client_cert is unset or set to the empty string" | ||
| exit 1 | ||
| fi | ||
|
|
||
| put_secret_lambda=lambda-resources-ProxygenPTLMTLSSecretPut | ||
| instance_put_lambda=lambda-resources-ProxygenPTLInstancePut | ||
| spec_publish_lambda=lambda-resources-ProxygenPTLSpecPublish | ||
|
|
||
| if [[ "$APIGEE_ENVIRONMENT" =~ ^(int|sandbox|prod)$ ]]; then | ||
| put_secret_lambda=lambda-resources-ProxygenProdMTLSSecretPut | ||
| instance_put_lambda=lambda-resources-ProxygenProdInstancePut | ||
| spec_publish_lambda=lambda-resources-ProxygenProdSpecPublish | ||
| fi | ||
|
|
||
| instance_suffix="" | ||
| if [[ "${IS_PULL_REQUEST}" == "true" ]]; then | ||
| # Extracting the PR ID from $STACK_NAME | ||
| pr_id=$(echo "$STACK_NAME" | awk -F'-' '{print $NF}') | ||
| instance_suffix=-"pr-${pr_id}" | ||
| fi | ||
|
|
||
| # Determine the proxy instance based on the provided $STACK_NAME | ||
| apigee_api=prescriptions-for-patients-proxygen | ||
| apigee_client=prescriptions-for-patients-proxygen | ||
| instance="pfp-proxygen${instance_suffix}" | ||
|
|
||
| echo "Proxy instance: ${instance}" | ||
| echo "Apigee api: ${apigee_api}" | ||
| echo "Apigee client: ${apigee_client}" | ||
|
|
||
| echo | ||
|
|
||
| echo "Fixing the spec" | ||
| # Find and replace the title | ||
| title=$(jq -r '.info.title' "${SPEC_PATH}") | ||
| if [[ "${IS_PULL_REQUEST}" == "true" ]]; then | ||
| jq --arg title "[PR-${pr_id}] $title" '.info.title = $title' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" | ||
| echo "disabling monitoring for pull request deployment" | ||
| jq '."x-nhsd-apim".monitoring = false' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" | ||
| fi | ||
|
|
||
| # Find and replace the specification version number | ||
| jq --arg version "${VERSION_NUMBER}" '.info.version = $version' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" | ||
|
|
||
| # Find and replace the x-nhsd-apim.target.url value | ||
| jq --arg stack_name "${STACK_NAME}" --arg aws_env "${AWS_ENVIRONMENT}" '.["x-nhsd-apim"].target.url = "https://\($stack_name).\($aws_env).eps.national.nhs.uk"' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" | ||
|
|
||
| # Find and replace the servers object | ||
| if [[ "${APIGEE_ENVIRONMENT}" == "prod" ]]; then | ||
| jq --arg inst "${instance}" '.servers = [ { "url": "https://api.service.nhs.uk/\($inst)" } ]' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" | ||
| else | ||
| jq --arg env "${APIGEE_ENVIRONMENT}" --arg inst "${instance}" '.servers = [ { "url": "https://\($env).api.service.nhs.uk/\($inst)" } ]' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" | ||
| fi | ||
|
|
||
| # Find and replace securitySchemes | ||
| if [[ "${APIGEE_ENVIRONMENT}" == "prod" ]]; then | ||
| jq '.components.securitySchemes."nhs-cis2-aal3" = {"$ref": "https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/nhs-cis2-aal3"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" | ||
| jq '.components.securitySchemes."nhs-login-p9" = {"$ref": "https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/nhs-login-p9"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" | ||
| else | ||
| jq '.components.securitySchemes."nhs-cis2-aal3" = {"$ref": "https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/nhs-cis2-aal3"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" | ||
| jq '.components.securitySchemes."nhs-login-p9" = {"$ref": "https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/nhs-login-p9"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" | ||
| fi | ||
|
|
||
| # Find and replace the x-nhsd-apim.target.secret value | ||
| jq --arg mtls_key "${MTLS_KEY}" '.["x-nhsd-apim"].target.security.secret = "\($mtls_key)"' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" | ||
|
|
||
| # Remove target attributes if the environment is sandbox | ||
| if [[ "${APIGEE_ENVIRONMENT}" == *"sandbox"* ]]; then | ||
| echo "Removing target attributes for sandbox environment" | ||
| jq 'del(."x-nhsd-apim"."target-attributes")' "$SPEC_PATH" > temp.json && mv temp.json "${SPEC_PATH}" | ||
| fi | ||
|
|
||
| echo | ||
|
|
||
| echo "Retrieving proxygen credentials" | ||
|
|
||
| # Retrieve the proxygen private key and client private key and cert from AWS Secrets Manager | ||
| proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='secrets:${PROXYGEN_PRIVATE_KEY_NAME}'].Value" --output text) | ||
|
|
||
| if [[ "${ENABLE_MUTUAL_TLS}" == "true" ]]; then | ||
| echo | ||
| echo "Store the secret used for mutual TLS to AWS using Proxygen proxy lambda" | ||
| if [[ "${DRY_RUN}" == "false" ]]; then | ||
| jq -n --arg apiName "${apigee_api}" \ | ||
| --arg apiClient "${apigee_client}" \ | ||
| --arg environment "${APIGEE_ENVIRONMENT}" \ | ||
| --arg secretName "${MTLS_KEY}" \ | ||
| --arg secretKey "${client_private_key}" \ | ||
| --arg secretCert "${client_cert}" \ | ||
| --arg kid "${PROXYGEN_KID}" \ | ||
| --arg proxygenSecretName "${proxygen_private_key_arn}" \ | ||
| '{apiName: $apiName, apiClient: $apiClient, environment: $environment, secretName: $secretName, secretKey: $secretKey, secretCert: $secretCert, kid, $kid, proxygenSecretName: $proxygenSecretName}' > payload.json | ||
|
|
||
| aws lambda invoke --function-name "${put_secret_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json | ||
| if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then | ||
| echo 'Error calling lambda' | ||
| cat out.txt | ||
| exit 1 | ||
| fi | ||
| echo "Secret stored successfully" | ||
| else | ||
| echo "Would call ${put_secret_lambda}" | ||
| fi | ||
| fi | ||
|
|
||
| echo | ||
| echo "Deploy the API instance using Proxygen proxy lambda" | ||
| if [[ "${DRY_RUN}" == "false" ]]; then | ||
|
|
||
| jq -n --argfile spec "${SPEC_PATH}" \ | ||
| --arg apiName "${apigee_api}" \ | ||
| --arg apiClient "${apigee_client}" \ | ||
| --arg environment "${APIGEE_ENVIRONMENT}" \ | ||
| --arg instance "${instance}" \ | ||
| --arg kid "${PROXYGEN_KID}" \ | ||
| --arg proxygenSecretName "${proxygen_private_key_arn}" \ | ||
| '{apiName: $apiName, apiClient: $apiClient, environment: $environment, specDefinition: $spec, instance: $instance, kid: $kid, proxygenSecretName: $proxygenSecretName}' > payload.json | ||
|
|
||
| aws lambda invoke --function-name "${instance_put_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json | ||
|
|
||
| if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then | ||
| echo 'Error calling lambda' | ||
| cat out.txt | ||
| exit 1 | ||
| fi | ||
| echo "Instance deployed" | ||
| else | ||
| echo "Would call ${instance_put_lambda}" | ||
| fi | ||
|
|
||
| # if [[ "${APIGEE_ENVIRONMENT}" == "int" ]]; then | ||
| # echo | ||
| # echo "Deploy the API spec to prod catalogue as it is int environment" | ||
| # if [[ "${DRY_RUN}" == "false" ]]; then | ||
| # jq -n --argfile spec "${SPEC_PATH}" \ | ||
| # --arg apiName "${apigee_api}" \ | ||
| # --arg apiClient "${apigee_client}" \ | ||
| # --arg environment "prod" \ | ||
| # --arg instance "${instance}" \ | ||
| # --arg kid "${PROXYGEN_KID}" \ | ||
| # --arg proxygenSecretName "${proxygen_private_key_arn}" \ | ||
| # '{apiName: $apiName, apiClient: $apiClient, environment: $environment, specDefinition: $spec, instance: $instance, kid: $kid, proxygenSecretName: $proxygenSecretName}' > payload.json | ||
|
|
||
| # aws lambda invoke --function-name "${spec_publish_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json | ||
|
|
||
| # if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then | ||
| # echo 'Error calling lambda' | ||
| # cat out.txt | ||
| # exit 1 | ||
| # fi | ||
| # echo "Spec deployed" | ||
| # else | ||
| # echo "Would call ${spec_publish_lambda}" | ||
| # fi | ||
| # fi | ||
|
|
||
| if [[ "${APIGEE_ENVIRONMENT}" == "internal-dev" && "${IS_PULL_REQUEST}" == "false" ]]; then | ||
| echo | ||
| echo "Deploy the API spec to uat catalogue as it is internal-dev environment" | ||
| if [[ "${DRY_RUN}" == "false" ]]; then | ||
| jq -n --argfile spec "${SPEC_PATH}" \ | ||
| --arg apiName "${apigee_api}" \ | ||
| --arg apiClient "${apigee_client}" \ | ||
| --arg environment "uat" \ | ||
| --arg instance "${instance}" \ | ||
| --arg kid "${PROXYGEN_KID}" \ | ||
| --arg proxygenSecretName "${proxygen_private_key_arn}" \ | ||
| '{apiName: $apiName, apiClient: $apiClient, environment: $environment, specDefinition: $spec, instance: $instance, kid: $kid, proxygenSecretName: $proxygenSecretName}' > payload.json | ||
|
|
||
| aws lambda invoke --function-name "${spec_publish_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json | ||
|
|
||
| if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then | ||
| echo 'Error calling lambda' | ||
| cat out.txt | ||
| exit 1 | ||
| fi | ||
| echo "Spec deployed" | ||
| else | ||
| echo "Would call ${spec_publish_lambda}" | ||
| fi | ||
| fi |
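Review bot: in the `ENABLE_MUTUAL_TLS` block, the mTLS client private key read from `~/.proxygen/tmp/client_private_key` is written in plaintext to `payload.json` in the current working directory (`jq -n ... --arg secretKey "${client_private_key}" ... > payload.json`), created with the default umask and never deleted, so it survives the `aws lambda invoke` call and stays in the runner workspace (and in anything that archives or caches that workspace) whenever the script exits early or the later payload writes do not run. Suggest creating the payload under `umask 077` with `mktemp`, passing it as `--payload "file://${payload}"`, and registering `trap 'rm -f "${payload}" response.json out.txt' EXIT` near the top of the script. Two smaller defects in the same hunk: `set -eu pipefail` does not turn on pipefail, because a non-option word after the flags is assigned to the positional parameters; it should read `set -euo pipefail`. And the mTLS payload filter ends `..., secretCert: $secretCert, kid, $kid, proxygenSecretName: ...`, which appears to work only because jq's `{$kid}` shorthand expands to `kid: $kid` and overrides the preceding null `kid`; write it as `kid: $kid`, as the instance payload below already does. Also worth a check: `proxygen_private_key_arn` from `aws cloudformation list-exports` is passed on without verifying it is non-empty, unlike `client_private_key` and `client_cert` above it, and the three `if eval "cat response.json | jq -e '.FunctionError' >/dev/null"` guards can drop the `eval` and read `if jq -e '.FunctionError' response.json >/dev/null`.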
Can we just deploy it with DEPLOY_APIGEE: false?
Also, if we do comment it out, we should do the same in ci.yml and release.yml.