Merge branch 'main' into bugfix/eja-eli-579-fixing-non-standard-names

Author: eddalmond1

.github/workflows/release-candidate.yml

@@ -103,9 +103,9 @@ jobs:
       - name: "Get S3 bucket name"
         id: bucket
         run: |
-          cd infrastructure/stacks/api-layer
-          terraform init -backend=true
-          BUCKET=$(terraform output -raw lambda_artifact_bucket)
+          cd infrastructure
+          make terraform env=dev stack=api-layer tf-command=init workspace=default
+          BUCKET=$(terraform -chdir=./stacks/api-layer output -raw lambda_artifact_bucket)
           echo "name=$BUCKET" >> $GITHUB_OUTPUT
           echo "📦 S3 Bucket: $BUCKET"
 
@@ -124,6 +124,25 @@ jobs:
             echo "exists=false" >> $GITHUB_OUTPUT
           fi
 
+      - name: "Download artifact for workflow reuse"
+        if: steps.check.outputs.exists == 'true'
+        run: |
+          TAG="${{ needs.validate.outputs.dev_tag }}"
+          BUCKET="${{ steps.bucket.outputs.name }}"
+          mkdir -p ./dist
+          aws s3 cp \
+            "s3://$BUCKET/artifacts/$TAG/lambda.zip" \
+            ./dist/lambda.zip \
+            --region eu-west-2
+
+      - name: "Upload lambda artifact"
+        if: steps.check.outputs.exists == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: lambda-${{ needs.validate.outputs.dev_tag }}
+          path: dist/lambda.zip
+          if-no-files-found: error
+
   rebuild-artifact:
     name: "Rebuild and upload artifact (if missing)"
     runs-on: ubuntu-latest
@@ -165,6 +184,13 @@ jobs:
             --region eu-west-2
           echo "✅ Uploaded artifact to s3://$BUCKET/artifacts/$TAG/lambda.zip"
 
+      - name: "Upload lambda artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: lambda-${{ needs.validate.outputs.dev_tag }}
+          path: dist/lambda.zip
+          if-no-files-found: error
+
   deploy-to-test:
     name: "Deploy to Test (optional)"
     runs-on: ubuntu-latest
@@ -189,21 +215,11 @@ jobs:
         with:
           terraform_version: $(grep '^terraform' .tool-versions | cut -f2 -d' ')
 
-      - name: "Configure AWS Credentials (dev) - to download artifact"
-        uses: aws-actions/configure-aws-credentials@v5
+      - name: "Download lambda artifact"
+        uses: actions/download-artifact@v4
         with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
-          aws-region: eu-west-2
-
-      - name: "Download lambda from S3 (dev bucket)"
-        run: |
-          TAG="${{ needs.validate.outputs.dev_tag }}"
-          BUCKET="${{ needs.verify-artifact.outputs.s3_bucket }}"
-          mkdir -p ./dist
-          aws s3 cp \
-            "s3://$BUCKET/artifacts/$TAG/lambda.zip" \
-            ./dist/lambda.zip \
-            --region eu-west-2
+          name: lambda-${{ needs.validate.outputs.dev_tag }}
+          path: dist
 
       - name: "Configure AWS Credentials (test)"
         uses: aws-actions/configure-aws-credentials@v5
@@ -220,6 +236,7 @@ jobs:
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
           TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
           TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
+          TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
         run: |
           mkdir -p ./build
           echo "🚀 Deploying ${{ needs.validate.outputs.dev_tag }} to TEST"
@@ -237,8 +254,9 @@ jobs:
       - name: "Get test S3 bucket"
         id: test_bucket
         run: |
-          cd infrastructure/stacks/api-layer
-          BUCKET=$(terraform output -raw lambda_artifact_bucket)
+          cd infrastructure
+          make terraform env=test stack=api-layer tf-command=init workspace=default
+          BUCKET=$(terraform -chdir=./stacks/api-layer output -raw lambda_artifact_bucket)
           echo "name=$BUCKET" >> $GITHUB_OUTPUT
 
       - name: "Upload lambda to test S3"
@@ -295,42 +313,11 @@ jobs:
         with:
           terraform_version: $(grep '^terraform' .tool-versions | cut -f2 -d' ')
 
-      - name: "Determine source bucket (test or dev)"
-        id: source
-        run: |
-          if [[ "${{ inputs.deploy_to_test }}" == "true" ]]; then
-            echo "environment=test" >> $GITHUB_OUTPUT
-          else
-            echo "environment=dev" >> $GITHUB_OUTPUT
-          fi
-
-      - name: "Configure AWS Credentials (source) - to download artifact"
-        uses: aws-actions/configure-aws-credentials@v5
+      - name: "Download lambda artifact"
+        uses: actions/download-artifact@v4
         with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
-          aws-region: eu-west-2
-
-      - name: "Get source S3 bucket"
-        id: source_bucket
-        env:
-          ENV: ${{ steps.source.outputs.environment }}
-        run: |
-          cd infrastructure
-          make terraform env=$ENV stack=api-layer tf-command=init workspace=default
-          cd stacks/api-layer
-          BUCKET=$(terraform output -raw lambda_artifact_bucket)
-          echo "name=$BUCKET" >> $GITHUB_OUTPUT
-          echo "📦 Source bucket ($ENV): $BUCKET"
-
-      - name: "Download lambda from source S3"
-        run: |
-          TAG="${{ needs.validate.outputs.dev_tag }}"
-          BUCKET="${{ steps.source_bucket.outputs.name }}"
-          mkdir -p ./dist
-          aws s3 cp \
-            "s3://$BUCKET/artifacts/$TAG/lambda.zip" \
-            ./dist/lambda.zip \
-            --region eu-west-2
+          name: lambda-${{ needs.validate.outputs.dev_tag }}
+          path: dist
 
       - name: "Configure AWS Credentials (preprod)"
         uses: aws-actions/configure-aws-credentials@v5
@@ -347,6 +334,7 @@ jobs:
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
           TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
           TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
+          TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
         run: |
           mkdir -p ./build
           echo "🚀 Deploying ${{ needs.validate.outputs.dev_tag }} to PREPROD"
@@ -381,8 +369,9 @@ jobs:
       - name: "Get preprod S3 bucket"
         id: preprod_bucket
         run: |
-          cd infrastructure/stacks/api-layer
-          BUCKET=$(terraform output -raw lambda_artifact_bucket)
+          cd infrastructure
+          make terraform env=preprod stack=api-layer tf-command=init workspace=default
+          BUCKET=$(terraform -chdir=./stacks/api-layer output -raw lambda_artifact_bucket)
           echo "name=$BUCKET" >> $GITHUB_OUTPUT
 
       - name: "Upload lambda to preprod S3"

infrastructure/stacks/networking/ssm.tf

@@ -1,15 +1,19 @@
-# resource "aws_ssm_parameter" "proxygen_private_key" {
-#   count = var.environment == "dev" ? 1 : 0
-#   name  = "/proxygen/private_key"
-#   type  = "SecureString"
-#   value = var.PROXYGEN_PRIVATE_KEY
-#   tier  = "Advanced"
-#
-#   tags = {
-#     Stack = local.stack_name
-#   }
-# }
-#
+resource "aws_ssm_parameter" "proxygen_private_key" {
+  name  = "/${var.environment}/proxygen/private_key"
+  type  = "SecureString"
+  key_id = aws_kms_key.networking_ssm_key.id
+  value = var.PROXYGEN_PRIVATE_KEY
+  tier  = "Advanced"
+
+  tags = {
+    Stack = local.stack_name
+  }
+
+  lifecycle {
+    ignore_changes = [value]
+  }
+}
+
 resource "aws_ssm_parameter" "mtls_api_ca_cert" {
   name   = "/${var.environment}/mtls/api_ca_cert"
   type   = "SecureString"

infrastructure/stacks/networking/variables.tf

@@ -13,3 +13,8 @@ variable "API_PRIVATE_KEY_CERT" {
   description = "The private key for the signed Client Certificate"
   sensitive   = true
 }
+variable "PROXYGEN_PRIVATE_KEY" {
+  type        = string
+  description = "The private key for Proxygen authentication"
+  sensitive   = true
+}