diff --git a/.github/workflows/dev_sandbox_publish_deploy.yaml b/.github/workflows/dev_sandbox_publish_deploy.yaml index ea39ac5..dee772d 100644 --- a/.github/workflows/dev_sandbox_publish_deploy.yaml +++ b/.github/workflows/dev_sandbox_publish_deploy.yaml @@ -27,6 +27,7 @@ jobs: name: "Publish spec & deploy to dev" needs: metadata runs-on: ubuntu-latest + if: false # Temporarily skip this job steps: - name: Checkout repository uses: actions/checkout@v6 @@ -54,11 +55,11 @@ jobs: - name: Set up Proxygen credentials env: - PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }} + PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }} run: | mkdir -p ~/.proxygen echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem - make setup-proxygen-credentials + make setup-proxygen-credentials ENV=ptl - name: Generate specification run: | make construct-spec APIM_ENV=internal-dev @@ -98,11 +99,11 @@ jobs: - name: Set up Proxygen credentials env: - PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }} + PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }} run: | mkdir -p ~/.proxygen echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem - make setup-proxygen-credentials + make setup-proxygen-credentials ENV=prod - name: Generate specification run: | make construct-spec APIM_ENV=sandbox diff --git a/.github/workflows/preprod_publish_deploy.yaml b/.github/workflows/preprod_publish_deploy.yaml index d0215ed..198c175 100644 --- a/.github/workflows/preprod_publish_deploy.yaml +++ b/.github/workflows/preprod_publish_deploy.yaml 
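Review bot: The second and third hunks still write the key to `~/.proxygen/eligibility-signposting-api.pem`, but the credentials files that `make setup-proxygen-credentials ENV=ptl` / `ENV=prod` now copy to `~/.proxygen/credentials.yaml` declare `private_key_path: eligibility-signposting-api-ptl.pem` and `eligibility-signposting-api-prod.pem`, and the Makefile's own `retrieve-proxygen-key` writes the `-$(ENV).pem` name; assuming `private_key_path` resolves relative to `~/.proxygen/`, proxygen-cli will look for a file these steps never create. Change the redirect to `echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api-ptl.pem` in the ptl hunk and `> ~/.proxygen/eligibility-signposting-api-prod.pem` in the prod hunk; the same fix applies to the hunks in preprod_publish_deploy.yaml, prod_publish_deploy.yaml, publish-specification.yaml and publish_sandbox.yaml. As the file holds a private key, a `chmod 600 ~/.proxygen/eligibility-signposting-api-prod.pem` after the echo would also avoid the default umask permissions. The `Generate specification` step that closes each hunk continues outside it, and the first hunk's `if: false` appears to cover the job the ptl hunk lives in, so that path would only surface once the job is re-enabled.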
@@ -46,11 +46,11 @@ jobs: pip install proxygen-cli - name: Set up Proxygen credentials env: - PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }} + PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }} run: | mkdir -p ~/.proxygen echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem - make setup-proxygen-credentials + make setup-proxygen-credentials ENV=prod - name: Generate specification run: | make construct-spec APIM_ENV=preprod diff --git a/.github/workflows/prod_publish_deploy.yaml b/.github/workflows/prod_publish_deploy.yaml index be46b65..ece2b52 100644 --- a/.github/workflows/prod_publish_deploy.yaml +++ b/.github/workflows/prod_publish_deploy.yaml @@ -45,11 +45,11 @@ jobs: pip install proxygen-cli - name: Set up Proxygen credentials env: - PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }} + PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }} run: | mkdir -p ~/.proxygen echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem - make setup-proxygen-credentials + make setup-proxygen-credentials ENV=prod - name: Generate specification run: | make construct-spec APIM_ENV=prod diff --git a/.github/workflows/publish-specification.yaml b/.github/workflows/publish-specification.yaml index abf60ff..bf6b599 100644 --- a/.github/workflows/publish-specification.yaml +++ b/.github/workflows/publish-specification.yaml @@ -46,11 +46,11 @@ jobs: - name: Set up Proxygen credentials env: - PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }} + PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }} run: | mkdir -p ~/.proxygen echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem - make setup-proxygen-credentials + make setup-proxygen-credentials ENV=prod - name: Generate specification run: | diff --git a/.github/workflows/publish_sandbox.yaml b/.github/workflows/publish_sandbox.yaml index 9ee5742..93245b3 100644 --- a/.github/workflows/publish_sandbox.yaml 
+++ b/.github/workflows/publish_sandbox.yaml @@ -37,11 +37,11 @@ jobs: - name: Set up Proxygen credentials env: - PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }} + PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }} run: | mkdir -p ~/.proxygen echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem - make setup-proxygen-credentials + make setup-proxygen-credentials ENV=prod - name: Generate sandbox specification run: | diff --git a/Makefile b/Makefile index a6ba2ce..4444ced 100644 --- a/Makefile +++ b/Makefile 
@@ -53,39 +53,51 @@ config:: # Configure development environment (main) @Configuration #### Proxygen #### ################## -retrieve-proxygen-key: # Obtain the 'machine user' credentials from AWS SSM (Development environment) - mkdir -p ~/.proxygen && \ - aws ssm get-parameter --name /proxygen/private_key_temp --with-decryption | jq ".Parameter.Value" --raw-output \ - > ~/.proxygen/eligibility-signposting-api.pem - -setup-proxygen-credentials: # Copy Proxygen templated credentials to where it expected them - cd specification && cp -r .proxygen ~ +# Verify current AWS account login and retrieve the proxygen key +# from AWS SSM Parameter Store +retrieve-proxygen-key: guard-ENV + @ ./scripts/check-aws-account.sh + mkdir -p ~/.proxygen + aws ssm get-parameter --name /$$ENV/proxygen/private_key --with-decryption \ + | jq -r ".Parameter.Value" \ + > ~/.proxygen/eligibility-signposting-api-$(ENV).pem && \ + echo "Retrieved proxygen key for APIM '$(ENV)' environment" + +# Copy proxygen credentials for the specified environment to `~/.proxygen/` +# This location required location for local proxygen usage +setup-proxygen-credentials: guard-ENV + @ cd specification && \ + cp .proxygen/credentials-$(ENV).yaml ~/.proxygen/credentials.yaml && \ + cp .proxygen/settings-$(ENV).yaml ~/.proxygen/settings.yaml && \ + echo "Set up proxygen credentials for the APIM '$(ENV)' environment" get-spec: # Get the most recent specification live in proxygen - $(MAKE) setup-proxygen-credentials + $(MAKE) setup-proxygen-credentials ENV=prod proxygen spec get get-spec-uat: # Get the most recent specification live in proxygen - $(MAKE) setup-proxygen-credentials + $(MAKE) setup-proxygen-credentials ENV=prod proxygen spec get --uat publish-spec: # Publish the specification to proxygen - $(MAKE) setup-proxygen-credentials + $(MAKE) setup-proxygen-credentials ENV=prod proxygen spec publish build/specification/prod/eligibility-signposting-api.yaml publish-spec-uat: # Publish the specification to 
proxygen - $(MAKE) setup-proxygen-credentials + $(MAKE) setup-proxygen-credentials ENV=prod proxygen spec publish build/specification/preprod/eligibility-signposting-api.yaml --uat delete-spec: # Delete the specification from proxygen - $(MAKE) setup-proxygen-credentials + $(MAKE) setup-proxygen-credentials ENV=prod proxygen spec delete delete-spec-uat: # Delete the specification from proxygen - $(MAKE) setup-proxygen-credentials + $(MAKE) setup-proxygen-credentials ENV=prod proxygen spec delete --uat -# Specification +##################### +### Specification ### +##################### guard-%: @ if [ "${${*}}" = "" ]; then \ diff --git a/pyproject.toml b/pyproject.toml index 4227641..5ae3af2 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -10,7 +10,9 @@ requires-python = ">=3.11" repository = "https://github.com/NHSDigital/eligibility-signposting-api-specification" homepage = "https://digital.nhs.uk/developer/api-catalogue" keywords = ["healthcare", "uk", "nhs", "vaccination", "api"] #TODO add additional keywords -package_mode = false + +[tool.poetry] +package-mode = false [build-system] requires = ["poetry-core>=2.0.0,<3.0.0"] diff --git a/scripts/check-aws-account.sh b/scripts/check-aws-account.sh new file mode 100755 index 0000000..410a386 --- /dev/null +++ b/scripts/check-aws-account.sh 
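Review bot: In `retrieve-proxygen-key` a failed `aws ssm get-parameter` is masked: the recipe runs as a `sh -c` pipeline without `pipefail`, so its status is `jq`'s, which exits 0 on empty input, leaving an empty `eligibility-signposting-api-$(ENV).pem` and still printing "Retrieved proxygen key". Letting the CLI extract the value with `--query Parameter.Value --output text` and writing the file directly removes the pipeline, so a failed fetch fails the target. The recipe also mixes `$$ENV` (shell-side, relying on make exporting the command-line variable) with `$(ENV)`; `$(ENV)` alone is consistent with the `guard-ENV` prerequisite. Since the file holds a private key, a `chmod 600` before the success message is worthwhile given the default umask. The `guard-%` target that closes the hunk continues outside it.
```makefile
retrieve-proxygen-key: guard-ENV
	@ ./scripts/check-aws-account.sh
	mkdir -p ~/.proxygen
	aws ssm get-parameter --name /$(ENV)/proxygen/private_key --with-decryption \
		--query Parameter.Value --output text \
		> ~/.proxygen/eligibility-signposting-api-$(ENV).pem && \
	chmod 600 ~/.proxygen/eligibility-signposting-api-$(ENV).pem && \
	echo "Retrieved proxygen key for APIM '$(ENV)' environment"
# … unchanged: setup-proxygen-credentials, get-spec*, publish-spec*, delete-spec* targets …
```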
@@ -0,0 +1,21 @@
+
+#!/usr/bin/env bash
+set -e
+
+# Expected AWS account details for dev environment
+EXPECTED_ENV_NAME="dev"
+EXPECTED_ACCOUNT="448049830832"
+
+# Read the currently authenticated AWS account
+CURRENT_ACCOUNT=$(aws sts get-caller-identity --query "Account" --output text)
+
+# Compare the current account with the expected account
+if [ "$CURRENT_ACCOUNT" != "$EXPECTED_ACCOUNT" ]; then
+ echo "AWS account mismatch!"
+ echo "The expected login is AWS '$EXPECTED_ENV_NAME' account $EXPECTED_ACCOUNT, but the current logged in AWS account is $CURRENT_ACCOUNT."
+ echo "Please switch to the correct AWS account and try again."
+ echo "Exiting script..."
+ exit 1
+fi
+
+echo "Active login to AWS '$EXPECTED_ENV_NAME' account $CURRENT_ACCOUNT verified."
diff --git a/specification/.proxygen/credentials-prod.yaml b/specification/.proxygen/credentials-prod.yaml
new file mode 100644
index 0000000..a108dad
--- /dev/null
+++ b/specification/.proxygen/credentials-prod.yaml
@@ -0,0 +1,5 @@
+client_id: eligibility-signposting-api-client
+private_key_path: eligibility-signposting-api-prod.pem
+key_id: 2027-01-21-Prod-eligibility-signposting-api
+base_url: https://identity.prod.api.platform.nhs.uk/realms/api-producers
+
diff --git a/specification/.proxygen/credentials-ptl.yaml b/specification/.proxygen/credentials-ptl.yaml
new file mode 100644
index 0000000..5bd54a3
--- /dev/null
+++ b/specification/.proxygen/credentials-ptl.yaml
@@ -0,0 +1,4 @@
+client_id: eligibility-signposting-api-client
+private_key_path: eligibility-signposting-api-ptl.pem
+key_id: 2027-01-21-PTL-eligibility-signposting-api
+base_url: https://identity.ptl.api.platform.nhs.uk/realms/api-producers
diff --git a/specification/.proxygen/settings-prod.yaml b/specification/.proxygen/settings-prod.yaml
new file mode 100644
index 0000000..cf4436c
--- /dev/null
+++ b/specification/.proxygen/settings-prod.yaml
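Review bot: The shebang of `scripts/check-aws-account.sh` sits on line 2 because the hunk adds an empty first line, so the kernel sees no interpreter when the Makefile runs `./scripts/check-aws-account.sh` and the script executes under whatever fallback the invoking `/bin/sh` applies rather than bash. Delete the leading blank line so `#!/usr/bin/env bash` is line 1. The mismatch messages go to stdout; `echo "AWS account mismatch!" >&2` (and the three echoes after it) would keep diagnostics out of captured output, and `set -eu` would also catch an unset variable. The expected account is fixed to the dev account while the Makefile invokes this for every `ENV`, so a comment stating which account's Parameter Store holds the ptl and prod keys would make that intent explicit.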
@@ -0,0 +1,3 @@
+api: eligibility-signposting-api
+endpoint_url: https://proxygen.prod.api.platform.nhs.uk
+spec_output_format: yaml
diff --git a/specification/.proxygen/settings-ptl.yaml b/specification/.proxygen/settings-ptl.yaml
new file mode 100644
index 0000000..c9a0ac2
--- /dev/null
+++ b/specification/.proxygen/settings-ptl.yaml
@@ -0,0 +1,3 @@
+api: eligibility-signposting-api
+endpoint_url: https://proxygen.ptl.api.platform.nhs.uk
+spec_output_format: yaml