From f22baad2b3a0311d956bd0ac387d0deb15a06d16 Mon Sep 17 00:00:00 2001
From: Rob Bailiff
Date: Mon, 2 Feb 2026 11:26:40 +0000
Subject: [PATCH 1/2] Updated ssm param terraform and tf vars in github workflows
---
 .github/workflows/base-deploy.yml | 2 ++
 .github/workflows/cicd-2-publish.yaml | 1 +
 .github/workflows/cicd-3-test-deploy.yaml | 1 +
 .github/workflows/release-candidate.yml | 1 +
 infrastructure/stacks/networking/ssm.tf | 1 +
 5 files changed, 6 insertions(+)
diff --git a/.github/workflows/base-deploy.yml b/.github/workflows/base-deploy.yml
index 26a31b4c2..38e64b3cb 100644
--- a/.github/workflows/base-deploy.yml
+++ b/.github/workflows/base-deploy.yml
@@ -203,6 +203,8 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
+ TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ (needs.metadata.outputs.environment == 'preprod' || needs.metadata.outputs.environment == 'prod') && secrets.PROXYGEN_PRIVATE_KEY || '' }}
+
 working-directory: ./infrastructure
 shell: bash
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
index f3f0ad688..d13ff2e36 100644
--- a/.github/workflows/cicd-2-publish.yaml
+++ b/.github/workflows/cicd-2-publish.yaml
@@ -103,6 +103,7 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
+ TF_VAR_PROXYGEN_PRIVATE_KEY: ""
 run: |
 mkdir -p ./build
diff --git a/.github/workflows/cicd-3-test-deploy.yaml b/.github/workflows/cicd-3-test-deploy.yaml
index 46c0c6d81..8df227a21 100644
--- a/.github/workflows/cicd-3-test-deploy.yaml
+++ b/.github/workflows/cicd-3-test-deploy.yaml
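Review bot: The list of environments that receive the key is now encoded twice — in this workflow expression (`'preprod' || ... 'prod'`) and again as the `count` condition in `infrastructure/stacks/networking/ssm.tf` — and the `|| ''` fallback means a missing or misnamed `PROXYGEN_PRIVATE_KEY` secret in prod does not fail the job but reaches Terraform as an empty string. The `release-candidate.yml` hunk repeats the same expression. I'd keep the gate in one place and make the other side fail loudly: let the Terraform `count` decide where the parameter exists, and add a `validation` block on the variable behind `TF_VAR_PROXYGEN_PRIVATE_KEY` that rejects an empty value whenever `var.environment` is one that creates the parameter, so an empty SecureString is caught at plan time. The trailing blank `+` line added inside the `env:` block is harmless but unnecessary.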
@@ -90,6 +90,7 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
+ TF_VAR_PROXYGEN_PRIVATE_KEY: ""
 run: |
 mkdir -p ./build
diff --git a/.github/workflows/release-candidate.yml b/.github/workflows/release-candidate.yml
index 5457e842c..2a9098e72 100644
--- a/.github/workflows/release-candidate.yml
+++ b/.github/workflows/release-candidate.yml
@@ -237,6 +237,7 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
+ TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ (needs.metadata.outputs.environment == 'preprod' || needs.metadata.outputs.environment == 'prod') && secrets.PROXYGEN_PRIVATE_KEY || '' }}
 run: |
 mkdir -p ./build
 echo "🚀 Deploying ${{ needs.validate.outputs.dev_tag }} to TEST"
diff --git a/infrastructure/stacks/networking/ssm.tf b/infrastructure/stacks/networking/ssm.tf
index 8d7b8ed35..25b826bfe 100644
--- a/infrastructure/stacks/networking/ssm.tf
+++ b/infrastructure/stacks/networking/ssm.tf
@@ -1,4 +1,5 @@
 resource "aws_ssm_parameter" "proxygen_private_key" {
+ count = var.environment == "prod" || var.environment == "preprod" ? 1 : 0
 name = "/${var.environment}/proxygen/private_key"
 type = "SecureString"
 key_id = aws_kms_key.networking_ssm_key.id
From 0c8aa9235d27c50c675f7ba730067961568b2674 Mon Sep 17 00:00:00 2001
From: Rob Bailiff
Date: Mon, 2 Feb 2026 12:07:19 +0000
Subject: [PATCH 2/2] Updated vars and workflows
---
 .github/workflows/base-deploy.yml | 3 +--
 .github/workflows/cicd-2-publish.yaml | 2 +-
 .github/workflows/cicd-3-test-deploy.yaml | 2 +-
 .github/workflows/release-candidate.yml | 3 ++-
 infrastructure/stacks/networking/ssm.tf | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)
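Review bot: Adding `count` to an already-deployed resource changes its state address from `aws_ssm_parameter.proxygen_private_key` to `aws_ssm_parameter.proxygen_private_key[0]`, so the next apply in prod and preprod plans a destroy of the existing SecureString and a create of a new one instead of a no-op. A `moved { from = aws_ssm_parameter.proxygen_private_key  to = aws_ssm_parameter.proxygen_private_key[0] }` block (Terraform 1.1+) keeps the current parameter in place; any reference elsewhere in the stack that still uses the unindexed address will also stop evaluating, which a plan will surface. In every other environment the parameter is destroyed outright, which is presumably intended but worth stating in the commit message. The resource's `value` argument lies outside this hunk, so whether it reads the new variable cannot be checked here.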
diff --git a/.github/workflows/base-deploy.yml b/.github/workflows/base-deploy.yml
index 38e64b3cb..ea9710e27 100644
--- a/.github/workflows/base-deploy.yml
+++ b/.github/workflows/base-deploy.yml
@@ -203,8 +203,7 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
- TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ (needs.metadata.outputs.environment == 'preprod' || needs.metadata.outputs.environment == 'prod') && secrets.PROXYGEN_PRIVATE_KEY || '' }}
-
+ TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
 working-directory: ./infrastructure
 shell: bash
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
index d13ff2e36..7e9b008e3 100644
--- a/.github/workflows/cicd-2-publish.yaml
+++ b/.github/workflows/cicd-2-publish.yaml
@@ -103,7 +103,7 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
- TF_VAR_PROXYGEN_PRIVATE_KEY: ""
+ TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
 run: |
 mkdir -p ./build
diff --git a/.github/workflows/cicd-3-test-deploy.yaml b/.github/workflows/cicd-3-test-deploy.yaml
index 8df227a21..09b8def17 100644
--- a/.github/workflows/cicd-3-test-deploy.yaml
+++ b/.github/workflows/cicd-3-test-deploy.yaml
@@ -90,7 +90,7 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
- TF_VAR_PROXYGEN_PRIVATE_KEY: ""
+ TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
 run: |
 mkdir -p ./build
diff --git a/.github/workflows/release-candidate.yml b/.github/workflows/release-candidate.yml
index 2a9098e72..435d72885 100644
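Review bot: `secrets.PROXYGEN_PRIVATE_KEY_PROD` is now exported into the Terraform process of this job unconditionally, and the `cicd-2-publish.yaml` and `cicd-3-test-deploy.yaml` hunks here, plus the `release-candidate.yml` hunk that follows, do the same in place of the `''` the previous patch deliberately used for the non-prod workflows. With the `count` gate in `ssm.tf`, most of these runs receive a private key they never write anywhere, which is the opposite of least privilege for a secret whose name says it is the production key. Unless the variable behind `TF_VAR_PROXYGEN_PRIVATE_KEY` is declared `sensitive = true` (its declaration is not in this patch), Terraform will not redact the value in plan output or in anything derived from it. I'd keep the secret limited to the workflows and environments that actually create the parameter — `TF_VAR_PROXYGEN_PRIVATE_KEY: ""` for the test and publish workflows, or an environment-scoped secret — and confirm the `sensitive` flag on the variable.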
--- a/.github/workflows/release-candidate.yml
+++ b/.github/workflows/release-candidate.yml
@@ -237,7 +237,8 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
- TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ (needs.metadata.outputs.environment == 'preprod' || needs.metadata.outputs.environment == 'prod') && secrets.PROXYGEN_PRIVATE_KEY || '' }}
+ TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
+
 run: |
 mkdir -p ./build
 echo "🚀 Deploying ${{ needs.validate.outputs.dev_tag }} to TEST"
diff --git a/infrastructure/stacks/networking/ssm.tf b/infrastructure/stacks/networking/ssm.tf
index 25b826bfe..ba18b0d98 100644
--- a/infrastructure/stacks/networking/ssm.tf
+++ b/infrastructure/stacks/networking/ssm.tf
@@ -1,5 +1,5 @@
 resource "aws_ssm_parameter" "proxygen_private_key" {
- count = var.environment == "prod" || var.environment == "preprod" ? 1 : 0
+ count = var.environment == "dev" ? 1 : 0
 name = "/${var.environment}/proxygen/private_key"
 type = "SecureString"
 key_id = aws_kms_key.networking_ssm_key.id
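Review bot: The `count` gate now creates the parameter only when `var.environment == "dev"`, while every workflow in this patch feeds `TF_VAR_PROXYGEN_PRIVATE_KEY` from `secrets.PROXYGEN_PRIVATE_KEY_PROD`; if the resource's `value` (outside this hunk) reads that variable, the production private key is written to `/dev/proxygen/private_key`, and a prod or preprod apply now plans a destroy of the parameter the previous patch set up there. One of the two sides must be wrong: either the gate should again be the prod/preprod list, or the secret wired into the workflows should be a dev-specific key rather than the one named `_PROD`. Whichever is intended, a single expression such as `count = contains(["prod", "preprod"], var.environment) ? 1 : 0` keeps the environment list in one place so the next change is a one-line edit. A short comment above `count` stating which environments are meant to hold this key would have made the reversal between the two patches visible in review.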