New: [AEA-3616] - Create the Clinical Prescription Tracker API endpoint on Apigee

.github/scripts/delete_proxygen_deployments.sh

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+# Generic script for removing proxygen deployed APIs where the pull request is closed
+
+# Set the repo name to be the name of the repo this is running in
+REPO_NAME=electronic-prescription-service-clinical-prescription-tracker
+
+# Main function to delete relevant proxygen deployments
+main() {
+  echo "Checking clinical tracker deployments"
+  PULL_REQUEST_PROXYGEN_REGEX=clinical-prescription-tracker-pr-
+  delete_apigee_deployments "internal-dev" "clinical-prescription-tracker" "ClinicalTrackerProxygenPrivateKey" "eps-clinical-tracker"
+  delete_apigee_deployments "internal-dev-sandbox" "clinical-prescription-tracker" "ClinicalTrackerProxygenPrivateKey" "eps-clinical-tracker"
+}
+
+# Function to delete Apigee deployments
+delete_apigee_deployments() {
+  APIGEE_ENVIRONMENT=$1
+  APIGEE_API=$2
+  PROXYGEN_PRIVATE_KEY_NAME=$3
+  PROXYGEN_KID=$4
+  proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:${PROXYGEN_PRIVATE_KEY_NAME}'].Value" --output text)
+
+  echo
+  echo "Checking Apigee deployments on ${APIGEE_ENVIRONMENT}"
+  echo
+
+  jq -n --arg apiName "${APIGEE_API}" \
+        --arg environment "${APIGEE_ENVIRONMENT}" \
+        --arg kid "${PROXYGEN_KID}" \
+        --arg proxygenSecretName "${proxygen_private_key_arn}" \
+        '{apiName: $apiName, environment: $environment, kid, $kid, proxygenSecretName: $proxygenSecretName}' > payload.json
+
+  aws lambda invoke --function-name "lambda-resources-ProxygenPTLInstanceGet" --cli-binary-format raw-in-base64-out --payload file://payload.json out.json > response.json
+
+  if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then
+      echo 'Error calling lambda'
+      cat out.json
+      exit 1
+  fi
+
+  jq -r '.[].name' "out.json" | while read -r i; do
+    echo "Checking if Apigee deployment $i has open pull request"
+    PULL_REQUEST=${i//${PULL_REQUEST_PROXYGEN_REGEX}/}
+    echo "Checking pull request ID ${PULL_REQUEST}"
+    URL="https://api.github.com/repos/NHSDigital/${REPO_NAME}/pulls/${PULL_REQUEST}"
+    RESPONSE=$(curl "${URL}" 2>/dev/null)
+    STATE=$(echo "${RESPONSE}" | jq -r .state)
+    if [ "$STATE" == "closed" ]; then
+      echo "** Going to delete Apigee deployment $i as state is ${STATE} **"
+      jq -n --arg apiName "${APIGEE_API}" \
+            --arg environment "${APIGEE_ENVIRONMENT}" \
+            --arg instance "${i}" \
+            --arg kid "${PROXYGEN_KID}" \
+            --arg proxygenSecretName "${proxygen_private_key_arn}" \
+            '{apiName: $apiName, environment: $environment, kid, $kid, proxygenSecretName: $proxygenSecretName, instance: $instance}' > payload.json
+
+      aws lambda invoke --function-name "lambda-resources-ProxygenPTLInstanceDelete" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json
+      if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then
+          echo 'Error calling lambda'
+          cat out.txt
+          exit 1
+      fi
+
+    else
+      echo "Not going to delete Apigee deployment $i as state is ${STATE}"
+    fi
+  done
+}
+
+main

.github/scripts/delete_stacks.sh

@@ -6,17 +6,14 @@
 REPO_NAME=electronic-prescription-service-clinical-prescription-tracker
 
 # this should be a regex used in jq command that parses the output from aws cloudformation list-stacks and just captures stacks we are interested in
-CAPTURE_REGEX="^cpt-(sandbox-)?pr-(\\d+)$"
+CAPTURE_REGEX="^cpt-pr-(\\d+)(-sandbox)?$"
 
 # this should be a regex that is used to get the pull request id from the cloud formation stack name
 # this is used in a replace command to replace the stack name so what is left is just the pull request id
 PULL_REQUEST_STACK_REGEX=cpt-pr-
-SANDBOX_PULL_REQUEST_STACK_REGEX=cpt-sandbox-pr-
 
-CNAME_QUERY=cpt-pr
-CNAME_SANDBOX_QUERY=cpt-sandbox-pr
+CNAME_QUERY=cpt-pr-
 
-# this should be customised to delete cloudformation stacks and proxygen deployments if they are used
 main() {
   delete_cloudformation_stacks
   delete_cname_records
@@ -33,10 +30,10 @@ delete_cloudformation_stacks() {
   do 
     echo "Checking if stack $i has open pull request"
     PULL_REQUEST=${i//${PULL_REQUEST_STACK_REGEX}/}
-    PULL_REQUEST=${PULL_REQUEST//${SANDBOX_PULL_REQUEST_STACK_REGEX}/}
+    PULL_REQUEST=${PULL_REQUEST//-sandbox/}
     echo "Checking pull request id ${PULL_REQUEST}"
     URL="https://api.github.com/repos/NHSDigital/${REPO_NAME}/pulls/${PULL_REQUEST}"
-    RESPONSE=$(curl --url "${URL}" --header "Authorization: Bearer ${GITHUB_TOKEN}" 2>/dev/null)
+    RESPONSE=$(curl "${URL}" 2>/dev/null)
     STATE=$(echo "${RESPONSE}" | jq -r .state)
     if [ "$STATE" == "closed" ]; then
       echo "** going to delete stack $i as state is ${STATE} **"
@@ -52,7 +49,7 @@ delete_cloudformation_stacks() {
 delete_cname_records() {
   HOSTED_ZONE_ID=$(aws route53 list-hosted-zones-by-name --dns-name dev.eps.national.nhs.uk. | jq -r ".HostedZones[0] | .Id")
   CNAME_RECORDS=$(aws route53 list-resource-record-sets --hosted-zone-id "${HOSTED_ZONE_ID}" \
-    --query "ResourceRecordSets[?Type == 'CNAME' && (contains(Name, '${CNAME_QUERY}') || contains(Name, '${CNAME_SANDBOX_QUERY}'))]" \
+    --query "ResourceRecordSets[?Type == 'CNAME' && contains(Name, '${CNAME_QUERY}')]" \
     | jq -r " .[] | .Name")
 
   mapfile -t CNAME_RECORDS_ARRAY <<< "$CNAME_RECORDS"

.github/scripts/deploy_api.sh

@@ -0,0 +1,197 @@
+#!/usr/bin/env bash
+set -eu pipefail
+
+echo "Specification path: ${SPEC_PATH}"
+echo "Specification version: ${VERSION_NUMBER}"
+echo "Stack name: ${STACK_NAME}"
+echo "AWS environment: ${TARGET_ENVIRONMENT}"
+echo "Apigee environment: ${APIGEE_ENVIRONMENT}"
+echo "Proxygen private key name: ${PROXYGEN_PRIVATE_KEY_NAME}"
+echo "Proxygen KID: ${PROXYGEN_KID}"
+echo "Dry run: ${DRY_RUN}"
+
+client_private_key=$(cat ~/.proxygen/tmp/client_private_key)
+client_cert=$(cat ~/.proxygen/tmp/client_cert)
+
+if [ -z "${client_private_key}" ]; then
+    echo "client_private_key is unset or set to the empty string"
+    exit 1
+fi
+if [ -z "${client_cert}" ]; then
+    echo "client_cert is unset or set to the empty string"
+    exit 1
+fi
+
+put_secret_lambda=lambda-resources-ProxygenPTLMTLSSecretPut
+instance_put_lambda=lambda-resources-ProxygenPTLInstancePut
+spec_publish_lambda=lambda-resources-ProxygenPTLSpecPublish
+
+if [[ "$APIGEE_ENVIRONMENT" =~ ^(int|sandbox|prod)$ ]]; then 
+    put_secret_lambda=lambda-resources-ProxygenProdMTLSSecretPut
+    instance_put_lambda=lambda-resources-ProxygenProdInstancePut
+    spec_publish_lambda=lambda-resources-ProxygenProdSpecPublish
+fi
+
+is_pull_request=false
+instance_suffix=""
+if [[ ${STACK_NAME} == cpt-pr-* ]]; then
+    is_pull_request=true
+    # Extracting the PR ID from $STACK_NAME
+    pr_id=$(echo "${STACK_NAME}" | cut -d'-' -f3)
+    instance_suffix=-"pr-${pr_id}"
+fi
+
+# Determine the proxy instance based on the provided $STACK_NAME
+apigee_api=clinical-prescription-tracker
+instance="clinical-prescription-tracker${instance_suffix}"
+
+echo "Is pull request: ${is_pull_request}"
+echo "Proxy instance: ${instance}"
+echo "Apigee api: ${apigee_api}"
+
+echo
+
+echo "Fixing the spec"
+# Find and replace the title
+title=$(jq -r '.info.title' "${SPEC_PATH}")
+if [[ "${is_pull_request}" == "true" ]]; then
+    jq --arg title "[PR-${pr_id}] $title" '.info.title = $title' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+fi
+
+# Find and replace the specification version number 
+jq --arg version "${VERSION_NUMBER}" '.info.version = $version' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+
+# Find and replace the x-nhsd-apim.target.url value
+jq --arg stack_name "${STACK_NAME}" --arg aws_env "${TARGET_ENVIRONMENT}" '.["x-nhsd-apim"].target.url = "https://\($stack_name).\($aws_env).eps.national.nhs.uk"' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+
+# Find and replace the servers object
+if [[ "${APIGEE_ENVIRONMENT}" == "prod" ]]; then
+    jq --arg inst "${instance}" '.servers = [ { "url": "https://api.service.nhs.uk/\($inst)" } ]' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+else
+    jq --arg env "${APIGEE_ENVIRONMENT}" --arg inst "${instance}" '.servers = [ { "url": "https://\($env).api.service.nhs.uk/\($inst)" } ]' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+fi
+
+# Find and replace securitySchemes
+if [[ "${APIGEE_ENVIRONMENT}" == "prod" ]]; then
+    jq '.components.securitySchemes."app-level0" = {"$ref": "https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/app-level0"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+else
+    jq '.components.securitySchemes."app-level0" = {"$ref": "https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/app-level0"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+fi
+
+if [[ "${APIGEE_ENVIRONMENT}" == "prod" ]]; then
+    jq '.components.securitySchemes."app-level3" = {"$ref": "https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/app-level3"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+else
+    jq '.components.securitySchemes."app-level3" = {"$ref": "https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/app-level3"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+fi
+
+# Remove target attributes if the environment is sandbox
+if [[ "${APIGEE_ENVIRONMENT}" == *"sandbox"* ]]; then
+    echo "Removing target attributes for sandbox environment"
+    jq 'del(."x-nhsd-apim"."target-attributes")' "$SPEC_PATH" > temp.json && mv temp.json "${SPEC_PATH}"
+fi
+
+echo
+
+echo "Retrieving proxygen credentials"
+
+# Retrieve the proxygen private key and client private key and cert from AWS Secrets Manager
+proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:${PROXYGEN_PRIVATE_KEY_NAME}'].Value" --output text)
+
+if [[ "${is_pull_request}" == "false" ]]; then
+    echo
+    echo "Store the secret used for mutual TLS to AWS using Proxygen proxy lambda"
+    if [[ "${DRY_RUN}" == "false" ]]; then
+        jq -n --arg apiName "${apigee_api}" \
+            --arg environment "${APIGEE_ENVIRONMENT}" \
+            --arg secretName "clinical-tracker-mtls-1" \
+            --arg secretKey "${client_private_key}" \
+            --arg secretCert "${client_cert}" \
+            --arg kid "${PROXYGEN_KID}" \
+            --arg proxygenSecretName "${proxygen_private_key_arn}" \
+            '{apiName: $apiName, environment: $environment, secretName: $secretName, secretKey: $secretKey, secretCert: $secretCert, kid, $kid, proxygenSecretName: $proxygenSecretName}' > payload.json
+
+        aws lambda invoke --function-name "${put_secret_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json
+        if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then
+            echo 'Error calling lambda'
+            cat out.txt
+            exit 1
+        fi
+        echo "Secret stored successfully"
+    else
+        echo "Would call ${put_secret_lambda}"
+    fi
+fi
+
+echo
+echo "Deploy the API instance using Proxygen proxy lambda"
+if [[ "${DRY_RUN}" == "false" ]]; then
+
+    jq -n --argfile spec "${SPEC_PATH}" \
+        --arg apiName "${apigee_api}" \
+        --arg environment "${APIGEE_ENVIRONMENT}" \
+        --arg instance "${instance}" \
+        --arg kid "${PROXYGEN_KID}" \
+        --arg proxygenSecretName "${proxygen_private_key_arn}" \
+        '{apiName: $apiName, environment: $environment, specDefinition: $spec, instance: $instance, kid: $kid, proxygenSecretName: $proxygenSecretName}' > payload.json
+
+    aws lambda invoke --function-name "${instance_put_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json
+
+    if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then
+        echo 'Error calling lambda'
+        cat out.txt
+        exit 1
+    fi
+    echo "Instance deployed"
+else
+    echo "Would call ${instance_put_lambda}"
+fi
+
+if [[ "${APIGEE_ENVIRONMENT}" == "int" ]]; then
+    echo
+    echo "Deploy the API spec to prod catalogue as it is int environment"
+    if [[ "${DRY_RUN}" == "false" ]]; then
+        jq -n --argfile spec "${SPEC_PATH}" \
+            --arg apiName "${apigee_api}" \
+            --arg environment "prod" \
+            --arg instance "${instance}" \
+            --arg kid "${PROXYGEN_KID}" \
+            --arg proxygenSecretName "${proxygen_private_key_arn}" \
+            '{apiName: $apiName, environment: $environment, specDefinition: $spec, instance: $instance, kid: $kid, proxygenSecretName: $proxygenSecretName}' > payload.json
+
+        aws lambda invoke --function-name "${spec_publish_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json
+
+        if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then
+            echo 'Error calling lambda'
+            cat out.txt
+            exit 1
+        fi
+        echo "Spec deployed"
+    else
+        echo "Would call ${spec_publish_lambda}"
+    fi
+fi
+
+if [[ "${APIGEE_ENVIRONMENT}" == "internal-dev" && "${is_pull_request}" == "false" ]]; then
+    echo
+    echo "Deploy the API spec to uat catalogue as it is internal-dev environment"
+    if [[ "${DRY_RUN}" == "false" ]]; then
+        jq -n --argfile spec "${SPEC_PATH}" \
+            --arg apiName "${apigee_api}" \
+            --arg environment "uat" \
+            --arg instance "${instance}" \
+            --arg kid "${PROXYGEN_KID}" \
+            --arg proxygenSecretName "${proxygen_private_key_arn}" \
+            '{apiName: $apiName, environment: $environment, specDefinition: $spec, instance: $instance, kid: $kid, proxygenSecretName: $proxygenSecretName}' > payload.json
+
+        aws lambda invoke --function-name "${spec_publish_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json
+
+        if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then
+            echo 'Error calling lambda'
+            cat out.txt
+            exit 1
+        fi
+        echo "Spec deployed"
+    else
+        echo "Would call ${spec_publish_lambda}"
+    fi
+fi

.github/workflows/ci.yml

@@ -96,18 +96,17 @@ jobs:
 
   package_code:
     needs: tag_release
-    uses: ./.github/workflows/sam_package_code.yml
+    uses: ./.github/workflows/run_package_code_and_api.yml
 
   release_dev:
     needs: [tag_release, package_code, get_commit_id]
-    uses: ./.github/workflows/sam_release_code.yml
+    uses: ./.github/workflows/run_release_code_and_api.yml
     with:
       ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
       STACK_NAME: cpt
       TARGET_ENVIRONMENT: dev
       APIGEE_ENVIRONMENT: internal-dev
       ENABLE_MUTUAL_TLS: true
-      DEPLOY_SANDBOX: false
       BUILD_ARTIFACT: packaged_code
       TRUSTSTORE_FILE: clinical-tracker-truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
@@ -118,22 +117,22 @@ jobs:
       CREATE_PROD_RELEASE_NOTES: true
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
-      TARGET_SPINE_SERVER: ${{ secrets.DEV_TARGET_SPINE_SERVER }}
+      # TARGET_SPINE_SERVER: ${{ secrets.DEV_TARGET_SPINE_SERVER }}
       DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
       INT_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.INT_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
       PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
       DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }}
+      PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}
 
   release_dev_sandbox:
     needs: [tag_release, package_code, get_commit_id]
-    uses: ./.github/workflows/sam_release_code.yml
+    uses: ./.github/workflows/run_release_code_and_api.yml
     with:
       ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
       STACK_NAME: cpt-sandbox
       TARGET_ENVIRONMENT: dev
       APIGEE_ENVIRONMENT: internal-dev-sandbox
       ENABLE_MUTUAL_TLS: true
-      DEPLOY_SANDBOX: true
       BUILD_ARTIFACT: packaged_sandbox_code
       TRUSTSTORE_FILE: clinical-tracker-sandbox-truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
@@ -142,18 +141,18 @@ jobs:
       LOG_RETENTION_DAYS: 30
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
-      TARGET_SPINE_SERVER: sandbox
+      PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}
+      # TARGET_SPINE_SERVER: sandbox
 
   release_qa:
     needs: [tag_release, release_dev, release_dev_sandbox, package_code, get_commit_id]
-    uses: ./.github/workflows/sam_release_code.yml
+    uses: ./.github/workflows/run_release_code_and_api.yml
     with:
       ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
       STACK_NAME: cpt
       TARGET_ENVIRONMENT: qa
       APIGEE_ENVIRONMENT: internal-qa
       ENABLE_MUTUAL_TLS: true
-      DEPLOY_SANDBOX: false
       BUILD_ARTIFACT: packaged_code
       TRUSTSTORE_FILE: clinical-tracker-truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
@@ -162,4 +161,5 @@ jobs:
       LOG_RETENTION_DAYS: 30
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}
-      TARGET_SPINE_SERVER: ${{ secrets.QA_TARGET_SPINE_SERVER }}
+      PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}
+      # TARGET_SPINE_SERVER: ${{ secrets.QA_TARGET_SPINE_SERVER }}