Merge branch 'main' into feature/SR-ELI-784-Calculator-Integration

ayeshalshukri1-nhs · web-flow · commit cf99f37504f5 · 2026-04-20T15:16:17.000+01:00
diff --git a/.github/workflows/cicd-3-test-deploy.yaml b/.github/workflows/cicd-3-test-deploy.yaml
@@ -46,10 +46,132 @@ jobs:
           echo "name=$TAG" >> $GITHUB_OUTPUT
           echo "Resolved tag: $TAG"
 
+  sign-lambda-artifact:
+    name: "Sign lambda artifact for TEST"
+    runs-on: ubuntu-latest
+    needs: [metadata]
+    environment: test
+    timeout-minutes: 45
+    permissions:
+      id-token: write
+      contents: read
+    outputs:
+      bucket_name: ${{ steps.tf_output.outputs.bucket_name }}
+    steps:
+      - name: "Checkout same commit"
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.workflow_run.head_sha }}
+
+      - name: "Setup Terraform"
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ needs.metadata.outputs.terraform_version }}
+
+      - name: "Configure AWS Credentials"
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+          aws-region: eu-west-2
+
+      - name: "Download lambda artefact from dev workflow"
+        uses: actions/download-artifact@v7
+        with:
+          name: lambda-${{ needs.metadata.outputs.tag }}
+          path: ./dist
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ github.token }}
+
+      - name: "Terraform Init (TEST api-layer)"
+        env:
+          ENVIRONMENT: test
+          WORKSPACE: "default"
+        run: |
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=init"
+          make terraform env=$ENVIRONMENT stack=api-layer tf-command=init workspace=$WORKSPACE
+        working-directory: ./infrastructure
+
+      - name: "Extract Terraform outputs"
+        id: tf_output
+        run: |
+          BUCKET=$(terraform output -raw lambda_artifact_bucket)
+          PROFILE=$(terraform output -raw signing_profile_name)
+          echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
+          echo "signing_profile_name=$PROFILE" >> $GITHUB_OUTPUT
+        working-directory: ./infrastructure/stacks/api-layer
+
+      - name: "Upload unsigned lambda artifact to S3"
+        run: |
+          aws s3 cp ./dist/lambda.zip \
+            s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
+            --region eu-west-2
+
+      - name: "Get uploaded source object version"
+        id: source_object
+        run: |
+          VERSION_ID=$(aws s3api head-object \
+            --bucket "${{ steps.tf_output.outputs.bucket_name }}" \
+            --key "artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip" \
+            --query 'VersionId' \
+            --output text \
+            --region eu-west-2)
+          echo "version_id=$VERSION_ID" >> $GITHUB_OUTPUT
+
+      - name: "Start signing job"
+        id: signing
+        env:
+          SIGNING_PROFILE_NAME: ${{ steps.tf_output.outputs.signing_profile_name }}
+        run: |
+          JOB_ID=$(aws signer start-signing-job \
+            --source "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},key=artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip,version=${{ steps.source_object.outputs.version_id }}}" \
+            --destination "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},prefix=signed-artifacts/${{ needs.metadata.outputs.tag }}/}" \
+            --profile-name "$SIGNING_PROFILE_NAME" \
+            --query 'jobId' \
+            --output text \
+            --region eu-west-2)
+          echo "job_id=$JOB_ID" >> $GITHUB_OUTPUT
+
+      - name: "Wait for signing job"
+        run: |
+          aws signer wait successful-signing-job \
+            --job-id "${{ steps.signing.outputs.job_id }}" \
+            --region eu-west-2
+
+      - name: "Resolve signed artifact location"
+        id: signed_object
+        run: |
+          SIGNED_BUCKET=$(aws signer describe-signing-job \
+            --job-id "${{ steps.signing.outputs.job_id }}" \
+            --region eu-west-2 \
+            --query 'signedObject.s3.bucketName' \
+            --output text)
+
+          SIGNED_KEY=$(aws signer describe-signing-job \
+            --job-id "${{ steps.signing.outputs.job_id }}" \
+            --region eu-west-2 \
+            --query 'signedObject.s3.key' \
+            --output text)
+
+          echo "bucket_name=$SIGNED_BUCKET" >> $GITHUB_OUTPUT
+          echo "object_key=$SIGNED_KEY" >> $GITHUB_OUTPUT
+
+      - name: "Download signed lambda artifact"
+        run: |
+          aws s3 cp \
+            "s3://${{ steps.signed_object.outputs.bucket_name }}/${{ steps.signed_object.outputs.object_key }}" \
+            ./dist/lambda.zip \
+            --region eu-west-2
+
+      - name: "Upload signed lambda artifact for current workflow"
+        uses: actions/upload-artifact@v6
+        with:
+          name: lambda-${{ needs.metadata.outputs.tag }}
+          path: ./dist/lambda.zip
+
   deploy:
     name: "Deploy to TEST (approval required)"
     runs-on: ubuntu-latest
-    needs: [metadata]
+    needs: [metadata, sign-lambda-artifact]
     environment: test
     timeout-minutes: 10080
     permissions:
@@ -83,13 +205,11 @@ jobs:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
           aws-region: eu-west-2
 
-      - name: "Download lambda artefact from dev workflow"
+      - name: "Download signed lambda artefact"
         uses: actions/download-artifact@v7
         with:
           name: lambda-${{ needs.metadata.outputs.tag }}
           path: ./dist
-          run-id: ${{ github.event.workflow_run.id }}
-          github-token: ${{ github.token }}
 
       - name: "Terraform Apply (TEST)"
         env:
@@ -127,12 +247,6 @@ jobs:
           echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
         working-directory: ./infrastructure/stacks/api-layer
 
-      - name: "Upload lambda artifact to S3"
-        run: |
-          aws s3 cp ./dist/lambda.zip \
-            s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
-            --region eu-west-2
-
   regression-tests:
     name: "Regression Tests"
     needs: deploy
diff --git a/.github/workflows/signing_test.yaml b/.github/workflows/signing_test.yaml
@@ -14,15 +14,16 @@ on:
         description: "Workflow run ID that produced the lambda artifact"
         required: true
 
-concurrency:
-  group: test-deployments
-  cancel-in-progress: false
-
 permissions:
   contents: read
   id-token: write
   actions: read
 
+env:
+  SELECTED_REF: feature/ELI-702-code-signing
+  SELECTED_ARTIFACT_TAG: dev-20260414083041
+  SELECTED_ARTIFACT_RUN_ID: 24389064472
+
 jobs:
   metadata:
     name: "Resolve metadata"
@@ -34,18 +35,24 @@ jobs:
       - name: "Checkout selected ref"
         uses: actions/checkout@v6
         with:
-          ref: ${{ inputs.ref }}
+          ref: ${{ env.SELECTED_REF }}
+
+      - name: "Show checked out commit"
+        run: |
+          git branch --show-current || true
+          git rev-parse HEAD
+          git log -1 --oneline
 
       - name: "Set CI/CD variables"
         id: vars
         run: |
           echo "terraform_version=$(grep '^terraform' .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
 
-      - name: "Use provided artifact tag"
+      - name: "Use static artifact tag"
         id: tag
         run: |
-          echo "name=${{ inputs.artifact_tag }}" >> $GITHUB_OUTPUT
-          echo "Resolved tag: ${{ inputs.artifact_tag }}"
+          echo "name=${{ env.SELECTED_ARTIFACT_TAG }}" >> $GITHUB_OUTPUT
+          echo "Resolved tag: ${{ env.SELECTED_ARTIFACT_TAG }}"
 
   sign-lambda-artifact:
     name: "Sign lambda artifact for TEST"
@@ -62,7 +69,13 @@ jobs:
       - name: "Checkout selected ref"
         uses: actions/checkout@v6
         with:
-          ref: ${{ inputs.ref }}
+          ref: ${{ env.SELECTED_REF }}
+
+      - name: "Show checked out commit"
+        run: |
+          git branch --show-current || true
+          git rev-parse HEAD
+          git log -1 --oneline
 
       - name: "Setup Terraform"
         uses: hashicorp/setup-terraform@v3
@@ -80,7 +93,7 @@ jobs:
         with:
           name: lambda-${{ needs.metadata.outputs.tag }}
           path: ./dist
-          run-id: ${{ inputs.artifact_run_id }}
+          run-id: ${{ env.SELECTED_ARTIFACT_RUN_ID }}
           github-token: ${{ github.token }}
 
       - name: "Terraform Init (TEST api-layer)"
@@ -96,7 +109,7 @@ jobs:
         id: tf_output
         run: |
           BUCKET=$(terraform output -raw lambda_artifact_bucket)
-          PROFILE=$(terraform output -raw lambda_signing_profile_name)
+          PROFILE=$(terraform output -raw signing_profile_name)
           echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
           echo "signing_profile_name=$PROFILE" >> $GITHUB_OUTPUT
         working-directory: ./infrastructure/stacks/api-layer
@@ -182,7 +195,13 @@ jobs:
       - name: "Checkout selected ref"
         uses: actions/checkout@v6
         with:
-          ref: ${{ inputs.ref }}
+          ref: ${{ env.SELECTED_REF }}
+
+      - name: "Show checked out commit"
+        run: |
+          git branch --show-current || true
+          git rev-parse HEAD
+          git log -1 --oneline
 
       - name: "Setup Terraform"
         uses: hashicorp/setup-terraform@v3
diff --git a/infrastructure/modules/lambda/signing.tf b/infrastructure/modules/lambda/signing.tf
@@ -1,5 +1,5 @@
 resource "aws_signer_signing_profile" "lambda_signing" {
-  name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityApiLambdaSigningProfile"
+  name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityLambdaSigningProfile"
   #aws signer is strict with names, does not like hyphens or underscores
 
   platform_id = "AWSLambda-SHA384-ECDSA"
diff --git a/infrastructure/stacks/iams-developer-roles/locals.tf b/infrastructure/stacks/iams-developer-roles/locals.tf
@@ -1,6 +1,6 @@
 locals {
   stack_name = "iams-developer-roles"
   dev_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/${var.default_aws_region}/AWSReservedSSO_vdselid_${var.environment}_d92ae328ac8d84c7"
-  lambda_signing_profile_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityApiLambdaSigningProfile"
+  lambda_signing_profile_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityLambdaSigningProfile"
   lambda_signing_profile_arn  = "arn:aws:signer:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:/signing-profiles/${local.lambda_signing_profile_name}"
 }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`locals {`
`2`	`2`	`stack_name = "iams-developer-roles"`
`3`	`3`	`dev_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/${var.default_aws_region}/AWSReservedSSO_vdselid_${var.environment}_d92ae328ac8d84c7"`
`4`		`- lambda_signing_profile_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityApiLambdaSigningProfile"`
	`4`	`+ lambda_signing_profile_name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityLambdaSigningProfile"`
`5`	`5`	`lambda_signing_profile_arn = "arn:aws:signer:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:/signing-profiles/${local.lambda_signing_profile_name}"`
`6`	`6`	`}`