From 807d498c9462bce6deaa28844ec77afa4153d749 Mon Sep 17 00:00:00 2001
From: Rob Bailiff
Date: Tue, 3 Feb 2026 12:03:39 +0000
Subject: [PATCH] Added ptl version to current proxygen key ssm
---
 .github/workflows/base-deploy.yml | 3 ++-
 .github/workflows/cicd-2-publish.yaml | 3 ++-
 .github/workflows/cicd-3-test-deploy.yaml | 3 ++-
 .github/workflows/release-candidate.yml | 3 ++-
 infrastructure/stacks/networking/ssm.tf | 13 +++++++++----
 infrastructure/stacks/networking/variables.tf | 9 +++++++--
 6 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/base-deploy.yml b/.github/workflows/base-deploy.yml
index ea9710e27..c0bdc1367 100644
--- a/.github/workflows/base-deploy.yml
+++ b/.github/workflows/base-deploy.yml
@@ -203,7 +203,8 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
- TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
+ TF_VAR_PROXYGEN_PRIVATE_KEY_PTL: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }}
+ TF_VAR_PROXYGEN_PRIVATE_KEY_PROD: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
 working-directory: ./infrastructure
 shell: bash
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
index 7e9b008e3..50a2a919a 100644
--- a/.github/workflows/cicd-2-publish.yaml
+++ b/.github/workflows/cicd-2-publish.yaml
@@ -103,7 +103,8 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
- TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
+ TF_VAR_PROXYGEN_PRIVATE_KEY_PTL: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }}
+ TF_VAR_PROXYGEN_PRIVATE_KEY_PROD: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
 run: |
 mkdir -p ./build
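Review bot: The two added `env` lines hand both the PTL and the prod Proxygen private key to this step on every run, and the same pair is added in cicd-2-publish.yaml, cicd-3-test-deploy.yaml and release-candidate.yml. In this commit's ssm.tf the keys are written to SSM only when `var.environment == "dev"`, so runs for any other environment appear to receive key material they never use; scoping the two secrets to the dev deployment (for example as GitHub environment secrets) would narrow that. An unset `PROXYGEN_PRIVATE_KEY_PTL` secret expands to an empty string instead of failing the job, so it should be confirmed that the secret exists wherever these workflows run. A comment above the pair such as `# Proxygen keys: stored in SSM by the networking stack, dev environment only` would record why both are passed. The step and job start outside the hunk.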
diff --git a/.github/workflows/cicd-3-test-deploy.yaml b/.github/workflows/cicd-3-test-deploy.yaml
index 09b8def17..6b264c497 100644
--- a/.github/workflows/cicd-3-test-deploy.yaml
+++ b/.github/workflows/cicd-3-test-deploy.yaml
@@ -90,7 +90,8 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
- TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
+ TF_VAR_PROXYGEN_PRIVATE_KEY_PTL: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }}
+ TF_VAR_PROXYGEN_PRIVATE_KEY_PROD: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
 run: |
 mkdir -p ./build
diff --git a/.github/workflows/release-candidate.yml b/.github/workflows/release-candidate.yml
index 7b133c22e..bc1dab14f 100644
--- a/.github/workflows/release-candidate.yml
+++ b/.github/workflows/release-candidate.yml
@@ -237,7 +237,8 @@ jobs:
 TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
 TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}
- TF_VAR_PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
+ TF_VAR_PROXYGEN_PRIVATE_KEY_PTL: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }}
+ TF_VAR_PROXYGEN_PRIVATE_KEY_PROD: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
 run: |
 mkdir -p ./build
diff --git a/infrastructure/stacks/networking/ssm.tf b/infrastructure/stacks/networking/ssm.tf
index ba18b0d98..6b2a7e310 100644
--- a/infrastructure/stacks/networking/ssm.tf
+++ b/infrastructure/stacks/networking/ssm.tf
@@ -1,9 +1,14 @@ resource "aws_ssm_parameter" "proxygen_private_key" { - count = var.environment == "dev" ? 1 : 0 - name = "/${var.environment}/proxygen/private_key" - type = "SecureString" + for_each = var.environment == "dev" ? { + ptl = { path = "/ptl/proxygen/private_key", value = var.PROXYGEN_PRIVATE_KEY_PTL } + prod = { path = "/prod/proxygen/private_key", value = var.PROXYGEN_PRIVATE_KEY_PROD } + } : {} + + name = each.value.path + type = "SecureString" key_id = aws_kms_key.networking_ssm_key.id - value = var.PROXYGEN_PRIVATE_KEY + value = each.value.value + tier = "Advanced" tags = { diff --git a/infrastructure/stacks/networking/variables.tf b/infrastructure/stacks/networking/variables.tf index 806508eac..c2ea84fc6 100644 --- a/infrastructure/stacks/networking/variables.tf +++ b/infrastructure/stacks/networking/variables.tf @@ -13,8 +13,13 @@ variable "API_PRIVATE_KEY_CERT" { description = "The private key for the signed Client Certificate" sensitive = true } -variable "PROXYGEN_PRIVATE_KEY" { +variable "PROXYGEN_PRIVATE_KEY_PTL" { type = string - description = "The private key for Proxygen authentication" + description = "The private key for Proxygen `PTL` environment authentication" + sensitive = true +} +variable "PROXYGEN_PRIVATE_KEY_PROD" { + type = string + description = "The private key for Proxygen `Prod` environment authentication" sensitive = true }
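Review bot: The new parameter names `/ptl/proxygen/private_key` and `/prod/proxygen/private_key` drop `var.environment`, while `for_each` still creates them only when `var.environment == "dev"`, so the dev stack now holds the prod key under a `/prod/` path and the existing `/${var.environment}/proxygen/private_key` parameter is removed on apply. Readers of the old path and any IAM policy scoped to an environment prefix would need updating; neither is visible here. A comment above `for_each` would record the intent, e.g. `# PTL and prod Proxygen keys are both held by the dev stack; paths are keyed by Proxygen environment, not var.environment`. The map also embeds the two `sensitive` variables, and Terraform rejects a `for_each` argument that is itself sensitive, so a plan should confirm the nested values are accepted; iterating over `toset(["ptl", "prod"])` and looking the value up by `each.key` would keep key material out of the `for_each` expression. The resource body continues past the end of the hunk.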