diff --git a/README.md b/README.md index 3a13e56ae..718b328e2 100644 --- a/README.md +++ b/README.md 
@@ -121,6 +121,32 @@ This can be obtained from [SonarCloud](https://sonarcloud.io/) as described [here](https://docs.sonarsource.com/sonarqube/latest/user-guide/user-account/generating-and-using-tokens/). You will need the "Execute Analysis" permission for the project (NHSDigital_prescriptionsforpatients) in order for the token to work. +### Upstream dependencies + +#### Directory of Healthcare Services API (aka Service Search) - version 3 + +[Service Search v3](https://digital.nhs.uk/developer/api-catalogue/directory-of-healthcare-services/version-3) uses +[application-restricted RESTful API - API key authentication](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-api-key-authentication). +To achieve this the following applications have been created on the +[Int/Prod onboarding portal](https://onboarding.prod.api.platform.nhs.uk/): + +* `PFP-INTERNAL-DEV-DOHS` - managed by [EPS_team](https://onboarding.prod.api.platform.nhs.uk/MyApplications/Teams/TeamDetails?id=060896ea-ba43-4df8-a011-7cb0f45fd8ed) - connected to [Service Search - REST API (Integration Testing Environment)](https://int.api.service.nhs.uk/service-search-api/search) +* `PFP-QA-DOHS` - managed by [EPS_team](https://onboarding.prod.api.platform.nhs.uk/MyApplications/Teams/TeamDetails?id=060896ea-ba43-4df8-a011-7cb0f45fd8ed) - connected to [Service Search - REST API (Integration Testing Environment)](https://int.api.service.nhs.uk/service-search-api/search) +* `PFP-REF-DOHS` - managed by [EPS_team](https://onboarding.prod.api.platform.nhs.uk/MyApplications/Teams/TeamDetails?id=060896ea-ba43-4df8-a011-7cb0f45fd8ed) - connected to [Service Search - REST API (Integration Testing Environment)](https://int.api.service.nhs.uk/service-search-api/search) +* `PFP-INT-DOHS` - managed by EPS_Team_Prod - connected to [Service Search - REST API (Production Environment)](https://api.service.nhs.uk/service-search-api/search) +* `PFP-PROD-DOHS` 
- managed by EPS_Team_Prod - connected to [Service Search - REST API (Production Environment)](https://api.service.nhs.uk/service-search-api/search) + +After `IaC` creates the secret `pfp-PfP-ServiceSearch-API-Key` +its value must be set manually to the API key from the appropriate app. + +In addition the Service Search URL must be set as a GitHub secret: + +* DEV_TARGET_SERVICE_SEARCH_V3_SERVER: +* QA_TARGET_SERVICE_SEARCH_V3_SERVER: +* REF_TARGET_SERVICE_SEARCH_V3_SERVER: +* INT_TARGET_SERVICE_SEARCH_V3_SERVER: +* PROD_TARGET_SERVICE_SEARCH_V3_SERVER: + ### GitHub Packages Setup To work with the GitHub Package Registry, you need to generate a [personal access token (classic)](https://docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#personal-access-tokens-classic) with appropriate permissions. diff --git a/SAMtemplates/functions/main.yaml b/SAMtemplates/functions/main.yaml index 62a9973ce..b848c5ff7 100644 --- a/SAMtemplates/functions/main.yaml +++ b/SAMtemplates/functions/main.yaml @@ -22,6 +22,7 @@ Globals: SpinePartyKeyARN: !ImportValue account-resources:SpinePartyKey SpineCAChainARN: !ImportValue account-resources:SpineCAChain ServiceSearchApiKeyARN: !ImportValue account-resources:ServiceSearchApiKey + ServiceSearch3ApiKeyARN: !Ref ServiceSearch3ApiKeyARN Layers: - !Sub arn:aws:lambda:${AWS::Region}:580247275435:layer:LambdaInsightsExtension:52 @@ -30,6 +31,10 @@ Parameters: Type: String Default: none + ServiceSearch3ApiKeyARN: + Type: String + Description: ARN of the Service Search API v3 Key Secret + Env: Type: String Default: dev @@ -68,6 +73,14 @@ Parameters: SSMParameterPolicy: Type: String + SecretsPolicy: + Type: String + Description: ARN of the policy to read secrets + + KMSPolicy: + Type: String + Description: ARN of the policy to use KMS key + Resources: GetSecretsLayer: Type: AWS::Serverless::LayerVersion 
@@ -121,6 +134,8 @@ Resources: - "," - - !ImportValue account-resources:LambdaAccessSecretsPolicy - !Ref SSMParameterPolicy + - !Ref SecretsPolicy + - !Ref KMSPolicy LogRetentionInDays: !Ref LogRetentionInDays CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn EnableSplunk: !Ref EnableSplunk diff --git a/SAMtemplates/main_template.yaml b/SAMtemplates/main_template.yaml index 4ff9be11e..f7b4bf12c 100644 --- a/SAMtemplates/main_template.yaml +++ b/SAMtemplates/main_template.yaml @@ -168,6 +168,16 @@ Resources: CommitId: !Ref CommitId ToggleGetStatusUpdates: !Ref ToggleGetStatusUpdates SSMParameterPolicy: !GetAtt Parameters.Outputs.GetPfPParameterPolicy + ServiceSearch3ApiKeyARN: !GetAtt Secrets.Outputs.PfPServiceSearchApiKeySecret + SecretsPolicy: !GetAtt Secrets.Outputs.GetPfPSecretPolicy + KMSPolicy: !GetAtt Secrets.Outputs.UsePfPSecretsKMSKeyPolicyArn + + Secrets: + Type: AWS::Serverless::Application + Properties: + Location: secrets/main.yaml + Parameters: + StackName: !Ref AWS::StackName StateMachines: Type: AWS::Serverless::Application diff --git a/SAMtemplates/secrets/main.yaml b/SAMtemplates/secrets/main.yaml new file mode 100644 index 000000000..de0c18651 --- /dev/null +++ b/SAMtemplates/secrets/main.yaml 
@@ -0,0 +1,96 @@ +AWSTemplateFormatVersion: "2010-09-09" + +Parameters: + StackName: + Type: String + Default: none + +Resources: + PfPSecretsKMSKey: + Type: AWS::KMS::Key + Properties: + EnableKeyRotation: true + KeyPolicy: + Version: 2012-10-17 + Id: PfPSecretsKeyPolicy + Statement: + - Sid: EnableIAMUserPermissions + Effect: Allow + Principal: + AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" + Action: kms:* + Resource: "*" + - Sid: Enable read only decrypt + Effect: Allow + Principal: + AWS: "*" + Action: + - kms:DescribeKey + - kms:Decrypt + Resource: "*" + Condition: + ArnLike: + aws:PrincipalArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/${AWS::Region}/AWSReservedSSO_ReadOnly*" + + PfPSecretsKMSKeyAlias: + Type: AWS::KMS::Alias + Properties: + AliasName: !Sub alias/${StackName}-PfPSecretsKMSKey + TargetKeyId: !Ref PfPSecretsKMSKey + + UsePfPSecretsKMSKeyPolicy: + Type: AWS::IAM::ManagedPolicy + Properties: + ManagedPolicyName: !Sub ${StackName}-UsePfPSecretsKMSKey + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: AllowKmsForSecretsEncryption + Effect: Allow + Action: + - kms:DescribeKey + - kms:GenerateDataKey* + - kms:Encrypt + - kms:ReEncrypt* + - kms:Decrypt + Resource: !GetAtt PfPSecretsKMSKey.Arn + + PfPServiceSearchApiKeySecret: + Type: AWS::SecretsManager::Secret + Properties: + Name: !Sub ${StackName}-PfP-ServiceSearch-API-Key + Description: API Key for Service Search + KmsKeyId: !Ref PfPSecretsKMSKey + + GetPfPSecretPolicy: + Type: AWS::IAM::ManagedPolicy + Properties: + Description: "Allows reading PfP secret parameters" + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - secretsmanager:GetSecretValue + - secretsmanager:DescribeSecret + Resource: + - !Ref PfPServiceSearchApiKeySecret + +Outputs: + PfPServiceSearchApiKeySecret: + Description: The name of the PfP Service Search API Key secret + Value: !Ref PfPServiceSearchApiKeySecret + Export: + Name: !Sub 
${StackName}-PfP-ServiceSearch-API-Key + + GetPfPSecretPolicy: + Description: ARN of policy granting permission to read secrets + Value: !Ref GetPfPSecretPolicy + Export: + Name: !Sub ${StackName}-GetPfPSecretPolicy + + UsePfPSecretsKMSKeyPolicyArn: + Description: ARN of managed policy granting PfP secrets KMS usage + Value: !Ref UsePfPSecretsKMSKeyPolicy + Export: + Name: !Sub ${StackName}-UsePfPSecretsKMSKeyPolicyArn
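Review bot: In the README hunk, the five GitHub secrets under "the Service Search URL must be set as a GitHub secret" are listed with nothing after the colon (`* DEV_TARGET_SERVICE_SEARCH_V3_SERVER:` and so on), so a reader cannot tell what value each one should hold. State the host for each, which the application list above already implies (DEV/QA/REF point at `int.api.service.nhs.uk`, INT/PROD at `api.service.nhs.uk`), or drop the trailing colons if the values are deliberately not documented. The same hunk names the AWS secret `pfp-PfP-ServiceSearch-API-Key`, which hard-codes the `pfp` stack prefix that `secrets/main.yaml` derives from `${StackName}`; say so, and add that until the value is set manually the secret has no version, so any Lambda calling `GetSecretValue` on it fails rather than returning an empty key.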
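Review bot: In the `Globals` hunk of `SAMtemplates/functions/main.yaml`, the new `ServiceSearch3ApiKeyARN: !Ref ServiceSearch3ApiKeyARN` is added beside the existing `ServiceSearchApiKeyARN: !ImportValue account-resources:ServiceSearchApiKey`, so every function now carries both the old and the v3 key ARN in its environment. If the v3 key replaces the old one, remove the import in the same change; if both are needed during migration, a comment saying which functions use which would help. The naming is also inconsistent with the rest of the PR: the README and the GitHub secrets use `V3` (`..._SERVICE_SEARCH_V3_SERVER`), the template uses `ServiceSearch3`; pick one form.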
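Review bot: In the `@@ -121,6 +134,8 @@ Resources:` hunk of `SAMtemplates/functions/main.yaml`, appending `- !Ref SecretsPolicy` and `- !Ref KMSPolicy` to the comma-joined managed policy list adds two more managed policies to each function role, on top of `account-resources:LambdaAccessSecretsPolicy` and `SSMParameterPolicy`. IAM allows 10 managed policies per role by default, so if the generated roles are already near that limit the stack update fails with a limit error rather than at template validation time. Both new policies come from the same nested secrets stack, so they can be merged into one managed policy with two statements (secret read plus KMS decrypt), which saves a slot and keeps the grant for one secret in one place.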
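Review bot: In the `SAMtemplates/main_template.yaml` hunk, `ServiceSearch3ApiKeyARN: !GetAtt Secrets.Outputs.PfPServiceSearchApiKeySecret` wires an output whose description in `secrets/main.yaml` says "The name of the PfP Service Search API Key secret" into a parameter named and described as an ARN. The value is in fact correct, because `!Ref` on an `AWS::SecretsManager::Secret` returns the secret ARN, but the output name and description should say ARN (for example `PfPServiceSearchApiKeySecretArn`) so the next reader does not assume the function receives a bare name. The `Secrets` nested application is also declared after `Functions`, which consumes its outputs; CloudFormation resolves the dependency from the `GetAtt`, but placing `Secrets` above `Functions` reads more naturally alongside `Parameters`.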
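Review bot: In the new `SAMtemplates/secrets/main.yaml`, the key policy statement `Enable read only decrypt` grants `kms:Decrypt` on the key protecting a third-party API key to `Principal: AWS: "*"` narrowed only by `aws:PrincipalArn` matching `AWSReservedSSO_ReadOnly*`; ask whether read-only operators should be able to decrypt this secret at all, and if not, drop the statement, since the root statement already delegates to IAM for the function roles. If it stays, note that the `${AWS::Region}` segment in the pattern is the stack region, whereas the path of an Identity Center role contains the Identity Center home region, so the condition silently matches nothing when the two differ. `UsePfPSecretsKMSKeyPolicy` also grants `kms:Encrypt`, `kms:GenerateDataKey*` and `kms:ReEncrypt*` to functions that only read the secret; for the function role, `kms:Decrypt` and `kms:DescribeKey` are enough, and a `kms:ViaService: secretsmanager.${AWS::Region}.amazonaws.com` condition would keep the key usable only through Secrets Manager. Because the secret's value is set by hand and not reproducible from IaC, give `PfPServiceSearchApiKeySecret` (and arguably the key) `DeletionPolicy: Retain`, or a stack delete/replace takes the manually loaded key with it. Minor: `Version: 2012-10-17` is unquoted in the key policy and in `GetPfPSecretPolicy` but quoted in `UsePfPSecretsKMSKeyPolicy`; quote it everywhere so YAML tooling does not parse it as a date, and give `GetPfPSecretPolicy` a `ManagedPolicyName` for consistency with the KMS policy.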