Merge pull request #148 from NHSDigital/bugfix/eja-deployment-pipeline

eddalmond1 · web-flow · commit 4d5b7fee6207 · 2025-06-17T15:10:23.000+01:00
Bugfix/eja deployment pipeline
diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml
@@ -79,7 +79,8 @@ jobs:
   deploy:
     name: "Deploy to an environment"
     runs-on: ubuntu-latest
-    needs: [ metadata ]
+    needs: [metadata]
+    environment: ${{ inputs.environment }}
     timeout-minutes: 10
     permissions:
       id-token: write
@@ -93,7 +94,21 @@ jobs:
       - name: "Set up Python"
         uses: actions/setup-python@v5
         with:
-          python-version: '3.13'
+          python-version: "3.13"
+
+      - name: "Checkout Repository"
+        uses: actions/checkout@v4
+
+      - name: "Build lambda artefact"
+        run: |
+          make dependencies install-python
+          make build
+
+      - name: "Upload lambda artefact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: lambda
+          path: dist/lambda.zip
 
       - name: "Download Built Lambdas"
         uses: actions/download-artifact@v4
@@ -118,10 +133,10 @@ jobs:
         # just planning for now for safety and until review
         run: |
           mkdir -p ./build
-          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=plan"
-          make terraform env=$ENVIRONMENT stack=networking tf-command=plan workspace=$WORKSPACE
-          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=plan"
-          make terraform env=$ENVIRONMENT stack=api-layer tf-command=plan workspace=$WORKSPACE
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
+          make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
+          make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
         working-directory: ./infrastructure
 
       - name: "Tag the deployment using incremental semantic versioning"
@@ -168,8 +183,7 @@ jobs:
           body: |
             Auto-release created during deployment.
           draft: false
-          prerelease: ${{ inputs.environment == 'ref' }}
-
+          prerelease: ${{ inputs.environment == 'preprod' }}
 
   # TODO: complete notify step
   # success:
diff --git a/infrastructure/modules/api_gateway/iam.tf b/infrastructure/modules/api_gateway/iam.tf
@@ -15,19 +15,38 @@ resource "aws_iam_role" "api_gateway" {
 }
 
 data "aws_iam_policy_document" "api_gateway_logging" {
+  #checkov:skip=CKV_AWS_356: Wildcard permissions needed for global log event reads
   statement {
-    sid    = "AllowCloudWatchLogging"
+    sid    = "AllowCreateLogGroup"
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogGroup"
+    ]
+    resources = [
+      "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:*"
+    ]
+  }
+  statement {
+    sid    = "AllowLogStreamAndEvents"
     effect = "Allow"
     actions = [
-      "logs:CreateLogGroup",
       "logs:CreateLogStream",
+      "logs:PutLogEvents"
+    ]
+    resources = [
+      "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*"
+    ]
+  }
+  statement {
+    sid    = "AllowDescribeAndGet"
+    effect = "Allow"
+    actions = [
       "logs:DescribeLogGroups",
       "logs:DescribeLogStreams",
-      "logs:PutLogEvents",
       "logs:GetLogEvents",
       "logs:FilterLogEvents"
     ]
-    resources = [aws_cloudwatch_log_group.api_gateway.arn]
+    resources = ["*"]
   }
 }
 
diff --git a/infrastructure/stacks/api-layer/api_gateway.tf b/infrastructure/stacks/api-layer/api_gateway.tf
@@ -99,6 +99,14 @@ resource "aws_api_gateway_domain_name" "check_eligibility" {
   lifecycle {
     create_before_destroy = true
   }
+
+  depends_on = [
+    aws_s3_object.pem_file,
+    data.aws_acm_certificate.imported_cert,
+    data.aws_acm_certificate.validation_cert,
+    module.s3_truststore_bucket,
+    module.eligibility_signposting_api_gateway
+  ]
 }
 
 resource "aws_api_gateway_base_path_mapping" "eligibility-signposting-api" {
diff --git a/infrastructure/stacks/api-layer/data.tf b/infrastructure/stacks/api-layer/data.tf
@@ -16,7 +16,7 @@ data "aws_acm_certificate" "validation_cert" {
 }
 
 data "aws_kms_alias" "networking_ssm_key" {
-  name = "alias/dev-Networking-ssm-parameters"
+  name = "alias/${var.environment}-Networking-ssm-parameters"
 }
 
 data "aws_ssm_parameter" "mtls_api_client_cert" {

Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,14 @@ resource "aws_api_gateway_domain_name" "check_eligibility" {`
`99`	`99`	`lifecycle {`
`100`	`100`	`create_before_destroy = true`
`101`	`101`	`}`
	`102`	`+`
	`103`	`+ depends_on = [`
	`104`	`+ aws_s3_object.pem_file,`
	`105`	`+ data.aws_acm_certificate.imported_cert,`
	`106`	`+ data.aws_acm_certificate.validation_cert,`
	`107`	`+ module.s3_truststore_bucket,`
	`108`	`+ module.eligibility_signposting_api_gateway`
	`109`	`+ ]`
`102`	`110`	`}`
`103`	`111`
`104`	`112`	`resource "aws_api_gateway_base_path_mapping" "eligibility-signposting-api" {`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ data "aws_acm_certificate" "validation_cert" {`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`data "aws_kms_alias" "networking_ssm_key" {`
`19`		`- name = "alias/dev-Networking-ssm-parameters"`
	`19`	`+ name = "alias/${var.environment}-Networking-ssm-parameters"`
`20`	`20`	`}`
`21`	`21`
`22`	`22`	`data "aws_ssm_parameter" "mtls_api_client_cert" {`