Chore: [AEA-5986] - create infra for svc search 3

README.md

@@ -121,6 +121,32 @@ This can be obtained from [SonarCloud](https://sonarcloud.io/)
 as described [here](https://docs.sonarsource.com/sonarqube/latest/user-guide/user-account/generating-and-using-tokens/).
 You will need the "Execute Analysis" permission for the project (NHSDigital_prescriptionsforpatients) in order for the token to work.
 
+### Upstream dependencies
+
+#### Directory of Healthcare Services API (aka Service Search) - version 3 
+
+[Service Search v3](https://digital.nhs.uk/developer/api-catalogue/directory-of-healthcare-services/version-3) uses
+[application-restricted RESTful API - API key authentication](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-api-key-authentication).
+To achieve this the following applications have been created on the
+[Int/Prod onboarding portal](https://onboarding.prod.api.platform.nhs.uk/):
+
+* `PFP-INTERNAL-DEV-DOHS` - managed by [EPS_team](https://onboarding.prod.api.platform.nhs.uk/MyApplications/Teams/TeamDetails?id=060896ea-ba43-4df8-a011-7cb0f45fd8ed) - connected to [Service Search - REST API (Integration Testing Environment)](https://int.api.service.nhs.uk/service-search-api/search)
+* `PFP-QA-DOHS` - managed by [EPS_team](https://onboarding.prod.api.platform.nhs.uk/MyApplications/Teams/TeamDetails?id=060896ea-ba43-4df8-a011-7cb0f45fd8ed) - connected to [Service Search - REST API (Integration Testing Environment)](https://int.api.service.nhs.uk/service-search-api/search)
+* `PFP-REF-DOHS` - managed by [EPS_team](https://onboarding.prod.api.platform.nhs.uk/MyApplications/Teams/TeamDetails?id=060896ea-ba43-4df8-a011-7cb0f45fd8ed) - connected to [Service Search - REST API (Integration Testing Environment)](https://int.api.service.nhs.uk/service-search-api/search)
+* `PFP-INT-DOHS` - managed by EPS_Team_Prod - connected to [Service Search - REST API (Production Environment)](https://api.service.nhs.uk/service-search-api/search)
+* `PFP-PROD-DOHS` - managed by EPS_Team_Prod - connected to [Service Search - REST API (Production Environment)](https://api.service.nhs.uk/service-search-api/search)
+
+After `IaC` creates the secret `pfp-PfP-ServiceSearch-API-Key`
+its value must be set manually to the API key from the appropriate app.
+
+In addition the Service Search URL must be set as a GitHub secret:
+
+* DEV_TARGET_SERVICE_SEARCH_V3_SERVER: <https://int.api.service.nhs.uk/service-search-api/search>
+* QA_TARGET_SERVICE_SEARCH_V3_SERVER: <https://int.api.service.nhs.uk/service-search-api/search>
+* REF_TARGET_SERVICE_SEARCH_V3_SERVER: <https://int.api.service.nhs.uk/service-search-api/search>
+* INT_TARGET_SERVICE_SEARCH_V3_SERVER: <https://api.service.nhs.uk/service-search-api/search>
+* PROD_TARGET_SERVICE_SEARCH_V3_SERVER: <https://api.service.nhs.uk/service-search-api/search>
+
 ### GitHub Packages Setup
 
 To work with the GitHub Package Registry, you need to generate a [personal access token (classic)](https://docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#personal-access-tokens-classic) with appropriate permissions.

SAMtemplates/functions/main.yaml

@@ -22,6 +22,7 @@ Globals:
         SpinePartyKeyARN: !ImportValue account-resources:SpinePartyKey
         SpineCAChainARN: !ImportValue account-resources:SpineCAChain
         ServiceSearchApiKeyARN: !ImportValue account-resources:ServiceSearchApiKey
+        ServiceSearch3ApiKeyARN: !Ref ServiceSearch3ApiKeyARN
     Layers:
       - !Sub arn:aws:lambda:${AWS::Region}:580247275435:layer:LambdaInsightsExtension:52
 
@@ -30,6 +31,10 @@ Parameters:
     Type: String
     Default: none
 
+  ServiceSearch3ApiKeyARN:
+    Type: String
+    Description: ARN of the Service Search API v3 Key Secret
+
   Env:
     Type: String
     Default: dev
@@ -68,6 +73,14 @@ Parameters:
   SSMParameterPolicy:
     Type: String
 
+  SecretsPolicy:
+    Type: String
+    Description: ARN of the policy to read secrets
+
+  KMSPolicy:
+    Type: String
+    Description: ARN of the policy to use KMS key
+
 Resources:
   GetSecretsLayer:
     Type: AWS::Serverless::LayerVersion
@@ -121,6 +134,8 @@ Resources:
           - ","
           - - !ImportValue account-resources:LambdaAccessSecretsPolicy
             - !Ref SSMParameterPolicy
+            - !Ref SecretsPolicy
+            - !Ref KMSPolicy
         LogRetentionInDays: !Ref LogRetentionInDays
         CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
         EnableSplunk: !Ref EnableSplunk

SAMtemplates/main_template.yaml

@@ -168,6 +168,16 @@ Resources:
         CommitId: !Ref CommitId
         ToggleGetStatusUpdates: !Ref ToggleGetStatusUpdates
         SSMParameterPolicy: !GetAtt Parameters.Outputs.GetPfPParameterPolicy
+        ServiceSearch3ApiKeyARN: !GetAtt Secrets.Outputs.PfPServiceSearchApiKeySecret
+        SecretsPolicy: !GetAtt Secrets.Outputs.GetPfPSecretPolicy
+        KMSPolicy: !GetAtt Secrets.Outputs.UsePfPSecretsKMSKeyPolicyArn
+
+  Secrets:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location: secrets/main.yaml
+      Parameters:
+        StackName: !Ref AWS::StackName
 
   StateMachines:
     Type: AWS::Serverless::Application

SAMtemplates/secrets/main.yaml

@@ -0,0 +1,96 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Parameters:
+  StackName:
+    Type: String
+    Default: none
+
+Resources:
+  PfPSecretsKMSKey:
+    Type: AWS::KMS::Key
+    Properties:
+      EnableKeyRotation: true
+      KeyPolicy:
+        Version: 2012-10-17
+        Id: PfPSecretsKeyPolicy
+        Statement:
+          - Sid: EnableIAMUserPermissions
+            Effect: Allow
+            Principal:
+              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
+            Action: kms:*
+            Resource: "*"
+          - Sid: Enable read only decrypt
+            Effect: Allow
+            Principal:
+              AWS: "*"
+            Action:
+              - kms:DescribeKey
+              - kms:Decrypt
+            Resource: "*"
+            Condition:
+              ArnLike:
+                aws:PrincipalArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/${AWS::Region}/AWSReservedSSO_ReadOnly*"
+
+  PfPSecretsKMSKeyAlias:
+    Type: AWS::KMS::Alias
+    Properties:
+      AliasName: !Sub alias/${StackName}-PfPSecretsKMSKey
+      TargetKeyId: !Ref PfPSecretsKMSKey
+
+  UsePfPSecretsKMSKeyPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: !Sub ${StackName}-UsePfPSecretsKMSKey
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: AllowKmsForSecretsEncryption
+            Effect: Allow
+            Action:
+              - kms:DescribeKey
+              - kms:GenerateDataKey*
+              - kms:Encrypt
+              - kms:ReEncrypt*
+              - kms:Decrypt
+            Resource: !GetAtt PfPSecretsKMSKey.Arn
+
+  PfPServiceSearchApiKeySecret:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: !Sub ${StackName}-PfP-ServiceSearch-API-Key
+      Description: API Key for Service Search
+      KmsKeyId: !Ref PfPSecretsKMSKey
+
+  GetPfPSecretPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: "Allows reading PfP secret parameters"
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action:
+              - secretsmanager:GetSecretValue
+              - secretsmanager:DescribeSecret
+            Resource:
+              - !Ref PfPServiceSearchApiKeySecret
+
+Outputs:
+  PfPServiceSearchApiKeySecret:
+    Description: The name of the PfP Service Search API Key secret
+    Value: !Ref PfPServiceSearchApiKeySecret
+    Export:
+      Name: !Sub ${StackName}-PfP-ServiceSearch-API-Key
+
+  GetPfPSecretPolicy:
+    Description: ARN of policy granting permission to read secrets
+    Value: !Ref GetPfPSecretPolicy
+    Export:
+      Name: !Sub ${StackName}-GetPfPSecretPolicy
+
+  UsePfPSecretsKMSKeyPolicyArn:
+    Description: ARN of managed policy granting PfP secrets KMS usage
+    Value: !Ref UsePfPSecretsKMSKeyPolicy
+    Export:
+      Name: !Sub ${StackName}-UsePfPSecretsKMSKeyPolicyArn