From 3b31922c29f4e91b67b9dbea31b55c3cf0e9fcee Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Wed, 25 Mar 2026 19:58:59 +0000
Subject: [PATCH 01/21] [ELI-702] - adding the new signing resources and attaching to lambda
---
 infrastructure/modules/lambda/lambda.tf | 2 ++
 infrastructure/modules/lambda/signing.tf | 24 ++++++++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 infrastructure/modules/lambda/signing.tf
diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf
index db67f93a..a0202a09 100644
--- a/infrastructure/modules/lambda/lambda.tf
+++ b/infrastructure/modules/lambda/lambda.tf
@@ -11,6 +11,8 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 source_code_hash = filebase64sha256(var.file_name)
+ code_signing_config_arn = aws_lambda_code_signing_config.signing_config.arn
+
 runtime = var.runtime
 timeout = 30
 memory_size = 2048
diff --git a/infrastructure/modules/lambda/signing.tf b/infrastructure/modules/lambda/signing.tf
new file mode 100644
index 00000000..81b08206
--- /dev/null
+++ b/infrastructure/modules/lambda/signing.tf
@@ -0,0 +1,24 @@
+resource "aws_signer_signing_profile" "lambda_signing" {
+ name_prefix = "eligibility-signing-"
+
+ platform_id = "AWSLambda-SHA384-ECDSA"
+
+ signature_validity_period {
+ value = 365
+ type = "DAYS"
+ }
+}
+
+resource "aws_lambda_code_signing_config" "signing_config" {
+ allowed_publishers {
+ signing_profile_version_arns = [
+ aws_signer_signing_profile.lambda_signing.version_arn
+ ]
+ }
+
+ policies {
+ untrusted_artifact_on_deployment = "Enforce"
+ }
+
+ description = "Only allow Lambda bundles signed by our trusted signer profile"
+}
From 272126c549543dcae4c58bdcfc2af00d082c91fa Mon Sep 17 00:00:00 2001
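Review bot: The function is still packaged from a local file (`filename = var.file_name` with `source_code_hash`), so attaching `code_signing_config_arn` only enforces anything if what Terraform uploads is the Signer-produced zip, and this module does not say where that file must come from. Add a comment on the new line, e.g. `# Under Enforce, UpdateFunctionCode is rejected unless var.file_name is the Signer-signed bundle (see signing.tf) — the CI sign job must run before apply`, and confirm against the AWS docs whether Lambda accepts a signed zip uploaded inline or requires an S3 source, since the workflow later in this series copies the artifact to S3 only after apply. The `aws_lambda_function` resource starts and ends outside the hunk.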
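Review bot: `allowed_publishers` pins `aws_signer_signing_profile.lambda_signing.version_arn`, so anything that replaces the profile (a rename, as happens later in this series, or a re-create) yields a new version ARN and every bundle signed under the old version becomes untrusted under `Enforce` — including the one you would roll back to. That is the intended trust model, but it should be written next to the resource: `# Pinned to one profile version: replacing the profile (or exceeding the 365-day validity) invalidates all previously signed bundles, rollbacks included — re-sign before redeploying`. A `lifecycle { prevent_destroy = true }` on the signing profile would stop an accidental replace from silently breaking deploys.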
From: TOEL2 Date: Wed, 25 Mar 2026 20:38:25 +0000 Subject: [PATCH 02/21] [ELI-702] - changing workflow to sign and upload first before deployment --- .github/workflows/cicd-3-test-deploy.yaml | 139 +++++++++++++++++++--- infrastructure/modules/lambda/signing.tf | 4 + 2 files changed, 129 insertions(+), 14 deletions(-) diff --git a/.github/workflows/cicd-3-test-deploy.yaml b/.github/workflows/cicd-3-test-deploy.yaml index 22dc1437..8cfad5f1 100644 --- a/.github/workflows/cicd-3-test-deploy.yaml +++ b/.github/workflows/cicd-3-test-deploy.yaml @@ -46,15 +46,17 @@ jobs: echo "name=$TAG" >> $GITHUB_OUTPUT echo "Resolved tag: $TAG" - deploy: - name: "Deploy to TEST (approval required)" + sign-lambda-artifact: + name: "Sign lambda artifact for TEST" runs-on: ubuntu-latest needs: [metadata] environment: test - timeout-minutes: 10080 + timeout-minutes: 45 permissions: id-token: write contents: read + outputs: + bucket_name: ${{ steps.tf_output.outputs.bucket_name }} steps: - name: "Checkout same commit" uses: actions/checkout@v6 
@@ -80,6 +82,124 @@ jobs: run-id: ${{ github.event.workflow_run.id }} github-token: ${{ github.token }} + - name: "Terraform Init (TEST api-layer)" + env: + ENVIRONMENT: test + WORKSPACE: "default" + run: | + echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=init" + make terraform env=$ENVIRONMENT stack=api-layer tf-command=init workspace=$WORKSPACE + working-directory: ./infrastructure + + - name: "Extract S3 bucket name from Terraform output" + id: tf_output + run: | + BUCKET=$(terraform output -raw lambda_artifact_bucket) + PROFILE=$(terraform output -raw lambda_signing_profile_name) + echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT + echo "signing_profile_name=$PROFILE" >> $GITHUB_OUTPUT + working-directory: ./infrastructure/stacks/api-layer + + - name: "Upload unsigned lambda artifact to S3" + run: | + aws s3 cp ./dist/lambda.zip \ + s3://${{ steps.tf_output.outputs.bucket_name }}/unsigned/${{ needs.metadata.outputs.tag }}/lambda.zip \ + --region eu-west-2 + + - name: "Get uploaded source object version" + id: source_object + run: | + VERSION_ID=$(aws s3api head-object \ + --bucket "${{ steps.tf_output.outputs.bucket_name }}" \ + --key "unsigned/${{ needs.metadata.outputs.tag }}/lambda.zip" \ + --query 'VersionId' \ + --output text \ + --region eu-west-2) + echo "version_id=$VERSION_ID" >> $GITHUB_OUTPUT + + - name: "Start signing job" + id: signing + env: + SIGNING_PROFILE_NAME: ${{ steps.tf_output.outputs.signing_profile_name }} + run: | + JOB_ID=$(aws signer start-signing-job \ + --source "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},key=unsigned/${{ needs.metadata.outputs.tag }}/lambda.zip,version=${{ steps.source_object.outputs.version_id }}}" \ + --destination "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},prefix=signed/${{ needs.metadata.outputs.tag }}/}" \ + --profile-name "$SIGNING_PROFILE_NAME" \ + --query 'jobId' \ + --output text \ + --region eu-west-2) + echo "job_id=$JOB_ID" >> 
$GITHUB_OUTPUT + + - name: "Wait for signing job" + run: | + aws signer wait successful-signing-job \ + --job-id "${{ steps.signing.outputs.job_id }}" \ + --region eu-west-2 + + - name: "Resolve signed artifact location" + id: signed_object + run: | + SIGNED_BUCKET=$(aws signer describe-signing-job \ + --job-id "${{ steps.signing.outputs.job_id }}" \ + --region eu-west-2 \ + --query 'signedObject.s3.bucketName' \ + --output text) + + SIGNED_KEY=$(aws signer describe-signing-job \ + --job-id "${{ steps.signing.outputs.job_id }}" \ + --region eu-west-2 \ + --query 'signedObject.s3.key' \ + --output text) + + echo "bucket_name=$SIGNED_BUCKET" >> $GITHUB_OUTPUT + echo "object_key=$SIGNED_KEY" >> $GITHUB_OUTPUT + + - name: "Download signed lambda artifact" + run: | + aws s3 cp \ + "s3://${{ steps.signed_object.outputs.bucket_name }}/${{ steps.signed_object.outputs.object_key }}" \ + ./dist/lambda.zip \ + --region eu-west-2 + + - name: "Upload signed lambda artifact for current workflow" + uses: actions/upload-artifact@v6 + with: + name: lambda-${{ needs.metadata.outputs.tag }} + path: ./dist/lambda.zip + + deploy: + name: "Deploy to TEST (approval required)" + runs-on: ubuntu-latest + needs: [metadata, sign-lambda-artifact] + environment: test + timeout-minutes: 10080 + permissions: + id-token: write + contents: read + steps: + - name: "Checkout same commit" + uses: actions/checkout@v6 + with: + ref: ${{ github.event.workflow_run.head_sha }} + + - name: "Setup Terraform" + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ needs.metadata.outputs.terraform_version }} + + - name: "Download signed lambda artefact" + uses: actions/download-artifact@v7 + with: + name: lambda-${{ needs.metadata.outputs.tag }} + path: ./dist + + - name: "Configure AWS Credentials" + uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role + aws-region: eu-west-2 + - 
name: "Terraform Apply (TEST)" env: ENVIRONMENT: test @@ -92,7 +212,6 @@ jobs: TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }} TF_VAR_PROXYGEN_PRIVATE_KEY_PTL: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }} TF_VAR_PROXYGEN_PRIVATE_KEY_PROD: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }} - run: | mkdir -p ./build echo "Deploying tag: ${{ needs.metadata.outputs.tag }}" @@ -109,17 +228,10 @@ jobs: pip install boto3 python scripts/feature_toggle/validate_toggles.py - - name: "Extract S3 bucket name from Terraform output" - id: tf_output - run: | - BUCKET=$(terraform output -raw lambda_artifact_bucket) - echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT - working-directory: ./infrastructure/stacks/api-layer - - - name: "Upload lambda artifact to S3" + - name: "Upload signed lambda artifact to S3" run: | aws s3 cp ./dist/lambda.zip \ - s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \ + s3://${{ needs.sign-lambda-artifact.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \ --region eu-west-2 regression-tests: @@ -130,4 +242,3 @@ jobs: ENVIRONMENT: "test" VERSION_NUMBER: "main" secrets: inherit - diff --git a/infrastructure/modules/lambda/signing.tf b/infrastructure/modules/lambda/signing.tf index 81b08206..d274dc4f 100644 --- a/infrastructure/modules/lambda/signing.tf +++ b/infrastructure/modules/lambda/signing.tf @@ -22,3 +22,7 @@ resource "aws_lambda_code_signing_config" "signing_config" { description = "Only allow Lambda bundles signed by our trusted signer profile" } + +output "lambda_signing_profile_name" { + value = aws_signer_signing_profile.lambda_signing.name +} From f4e19248131547e6363bdc71954a4a2134fb4cce Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Wed, 25 Mar 2026 20:53:13 +0000 Subject: [PATCH 03/21] [ELI-702] - expanding github role permissions with new policy --- .../github_actions_policies.tf | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) 
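Review bot: `${{ needs.metadata.outputs.tag }}`, `${{ steps.tf_output.outputs.bucket_name }}` and the signed-object step outputs are interpolated straight into `run:` scripts in the upload, head-object, start-signing-job and download steps; the tag comes from a git tag name, which may contain `$(`, `;` or quotes, so anyone who can push a `dev-*` tag can run commands in a job holding the deployment role's credentials. The "Start signing job" step already does this correctly for `SIGNING_PROFILE_NAME`; apply the same pattern to the rest, e.g. `env: { TAG: ${{ needs.metadata.outputs.tag }}, BUCKET: ${{ steps.tf_output.outputs.bucket_name }} }` and `--key "unsigned/$TAG/lambda.zip"`. The head-object step should also fail fast when the bucket is unversioned, since Signer needs an object version: `[ -n "$VERSION_ID" ] && [ "$VERSION_ID" != "None" ] || { echo "artifact bucket must be versioned" >&2; exit 1; }`. This hunk ends at the deploy job's credentials step; the job definition continues past it.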
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index d67f197c..e799a7fb 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -709,6 +709,57 @@ resource "aws_iam_policy" "kinesis_management" { tags = merge(local.tags, { Name = "kinesis-management" }) } +resource "aws_iam_policy" "code_signing_management" { + name = "code-signing-management" + description = "Allow GitHub Actions to manage Lambda code signing and start Signer jobs" + path = "/service-policies/" + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Sid = "LambdaCodeSigningConfigManagement", + Effect = "Allow", + Action = [ + "lambda:CreateCodeSigningConfig", + "lambda:UpdateCodeSigningConfig", + "lambda:DeleteCodeSigningConfig", + "lambda:GetCodeSigningConfig", + "lambda:ListCodeSigningConfigs", + "lambda:GetFunctionCodeSigningConfig" + ], + Resource = "*" + }, + { + Sid = "SignerJobUsage", + Effect = "Allow", + Action = [ + "signer:StartSigningJob", + "signer:DescribeSigningJob" + ], + Resource = "*" + }, + { + Sid = "SignerProfileManagement", + Effect = "Allow", + Action = [ + "signer:PutSigningProfile", + "signer:GetSigningProfile", + "signer:ListSigningProfiles", + "signer:ListTagsForResource", + "signer:TagResource", + "signer:UntagResource", + "signer:CancelSigningProfile", + "signer:RevokeSignature" + ], + Resource = "*" + } + ] + }) + + tags = merge(local.tags, { Name = "code-signing-management" }) +} + resource "aws_iam_policy" "cloudwatch_management" { #checkov:skip=CKV_AWS_355: GetMetricWidgetImage requires wildcard resource #checkov:skip=CKV_AWS_290: GetMetricWidgetImage requires wildcard resource 
@@ -828,3 +879,8 @@ resource "aws_iam_role_policy_attachment" "kinesis_management_attach" { role = aws_iam_role.github_actions.name policy_arn = aws_iam_policy.kinesis_management.arn } + +resource "aws_iam_role_policy_attachment" "code_signing_management" { + role = aws_iam_role.github_actions.name + policy_arn = aws_iam_policy.code_signing_management.arn +} From 21531031dfec78a263d240bc1a9474ef0bf36020 Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Wed, 25 Mar 2026 21:05:57 +0000 Subject: [PATCH 04/21] [ELI-702] - changing name to something valid --- infrastructure/modules/lambda/signing.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/infrastructure/modules/lambda/signing.tf b/infrastructure/modules/lambda/signing.tf index d274dc4f..8aa6469d 100644 --- a/infrastructure/modules/lambda/signing.tf +++ b/infrastructure/modules/lambda/signing.tf @@ -1,5 +1,6 @@ resource "aws_signer_signing_profile" "lambda_signing" { - name_prefix = "eligibility-signing-" + name = "eligibilityapi${var.environment}lambdasigningprofile" + #aws signer is strict with names, does not like hyphens or underscores platform_id = "AWSLambda-SHA384-ECDSA" From d55e99204740a903dff941c6f4f8126c60a1239a Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Wed, 25 Mar 2026 22:01:53 +0000 Subject: [PATCH 05/21] [ELI-702] - excepting for dev --- infrastructure/modules/lambda/lambda.tf | 2 +- infrastructure/modules/lambda/locals.tf | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 infrastructure/modules/lambda/locals.tf diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf index a0202a09..7b3d2faf 100644 --- a/infrastructure/modules/lambda/lambda.tf +++ b/infrastructure/modules/lambda/lambda.tf 
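Review bot: The same CI principal that submits signing jobs is granted `signer:RevokeSignature`, `signer:CancelSigningProfile`, `lambda:UpdateCodeSigningConfig` and `lambda:DeleteCodeSigningConfig`, all on `Resource = "*"`, so a compromised pipeline token could disable or replace the very control that code signing is meant to enforce against it, and could revoke signatures for every signed function in the account. Keep `StartSigningJob`/`DescribeSigningJob` plus read-only `Get*`/`List*` on the deployment role and move profile/config mutation and revocation to a separate, more tightly held role; drop `RevokeSignature` and `CancelSigningProfile` from CI entirely. `Resource = "*"` on `SignerJobUsage` also lets this role sign with any profile in the account; `signer:StartSigningJob` is authorised against the `signing-profile` resource, so scope it to the Lambda profile ARN.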
@@ -11,7 +11,7 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" {
 source_code_hash = filebase64sha256(var.file_name)
- code_signing_config_arn = aws_lambda_code_signing_config.signing_config.arn
+ code_signing_config_arn = local.enable_lambda_code_signing ? aws_lambda_code_signing_config.signing_config.arn : null
 runtime = var.runtime
 timeout = 30
diff --git a/infrastructure/modules/lambda/locals.tf b/infrastructure/modules/lambda/locals.tf
new file mode 100644
index 00000000..3790b275
--- /dev/null
+++ b/infrastructure/modules/lambda/locals.tf
@@ -0,0 +1,3 @@
+locals {
+ enable_lambda_code_signing = contains(["test", "preprod", "prod"], var.environment)
+}
From 0fda3714f5a70e130c241724cec4fb8b2f54eedf Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Wed, 25 Mar 2026 22:45:47 +0000
Subject: [PATCH 06/21] [ELI-702] - adding permissions
---
 .../stacks/iams-developer-roles/github_actions_policies.tf | 4 +++-
 .../iams-developer-roles/iams_permissions_boundary.tf | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index e799a7fb..99815348 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -726,7 +726,9 @@ resource "aws_iam_policy" "code_signing_management" {
 "lambda:DeleteCodeSigningConfig",
 "lambda:GetCodeSigningConfig",
 "lambda:ListCodeSigningConfigs",
- "lambda:GetFunctionCodeSigningConfig"
+ "lambda:GetFunctionCodeSigningConfig",
+ "lambda:ListTags",
+ "lambda:DeleteFunctionCodeSigningConfig"
 ],
 Resource = "*"
 },
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
index 26a239b2..e6a3ac71 100644
--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
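Review bot: `contains(["test", "preprod", "prod"], var.environment)` fails open: any value outside that list (a typo, a new environment, a workspace-suffixed name) silently deploys the function with `code_signing_config_arn = null` and no enforcement at all. Prefer a deny-list so the default is to enforce, `enable_lambda_code_signing = var.environment != "dev"`, or keep the allow-list but add a `validation` block on `var.environment` restricting it to the known names so an unknown value is a plan error rather than an unsigned deploy. The dev exception should also be recorded where it is made, e.g. `# dev deploys unsigned bundles straight from developer builds; every other environment must present a Signer-signed zip`.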
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf @@ -89,6 +89,9 @@ data "aws_iam_policy_document" "permissions_boundary" { # Kinesis Stream - audit log streaming "kinesis:*", + # CodeSigning + "signer:*", + # IAM - specific role and policy management "iam:GetRole*", "iam:GetPolicy*", @@ -156,6 +159,10 @@ data "aws_iam_policy_document" "permissions_boundary" { "lambda:DeleteProvisionedConcurrencyConfig", "lambda:ListProvisionedConcurrencyConfigs", "lambda:PutFunctionConcurrency", + "lambda:GetCodeSigningConfig", + "lambda:DeleteFunctionCodeSigningConfig", + "lambda:PutFunctionCodeSigningConfig", + "lambda:DeleteCodeSigningConfig", # CloudWatch Logs - log management "logs:*", From 358dc0ccb08006e99df0a27f71452c42490248a0 Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Wed, 25 Mar 2026 22:48:15 +0000 Subject: [PATCH 07/21] [ELI-702] - adding permissions --- .../stacks/iams-developer-roles/github_actions_policies.tf | 3 ++- .../stacks/iams-developer-roles/iams_permissions_boundary.tf | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index 99815348..363ce501 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -728,7 +728,8 @@ resource "aws_iam_policy" "code_signing_management" { "lambda:ListCodeSigningConfigs", "lambda:GetFunctionCodeSigningConfig", "lambda:ListTags", - "lambda:DeleteFunctionCodeSigningConfig" + "lambda:DeleteFunctionCodeSigningConfig", + "lambda:PutFunctionCodeSigningConfig" ], Resource = "*" }, diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf index e6a3ac71..af22ad43 100644 --- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf 
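Review bot: The permissions boundary now allows `signer:*` while the neighbouring Lambda entries in the same list are enumerated action by action, so the boundary no longer caps `RevokeSignature`/`CancelSigningProfile` for any role created under it; list the Signer actions explicitly as is done for Lambda a few lines below. The Lambda additions cover `Get/Put/DeleteFunctionCodeSigningConfig` and `DeleteCodeSigningConfig` but not `UpdateCodeSigningConfig`, `ListCodeSigningConfigs` or `GetFunctionCodeSigningConfig`, all of which the `code_signing_management` policy grants — unless the boundary allows `lambda:*` elsewhere (not visible here), the effective permission is the intersection and those calls will fail with an AccessDenied that is hard to trace back to the boundary. The `aws_iam_policy_document` starts before this hunk and continues past it.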
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf @@ -163,6 +163,7 @@ data "aws_iam_policy_document" "permissions_boundary" { "lambda:DeleteFunctionCodeSigningConfig", "lambda:PutFunctionCodeSigningConfig", "lambda:DeleteCodeSigningConfig", + "lambda:CreateCodeSigningConfig", # CloudWatch Logs - log management "logs:*", From 3ad3203bbbf64653d715b0cfcc71224208ad2d22 Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Wed, 25 Mar 2026 22:55:29 +0000 Subject: [PATCH 08/21] [ELI-702] - restricting permissions --- .../stacks/iams-developer-roles/github_actions_policies.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index 363ce501..afc2bd9d 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -731,7 +731,7 @@ resource "aws_iam_policy" "code_signing_management" { "lambda:DeleteFunctionCodeSigningConfig", "lambda:PutFunctionCodeSigningConfig" ], - Resource = "*" + Resource = "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api:*", }, { Sid = "SignerJobUsage", @@ -740,7 +740,7 @@ resource "aws_iam_policy" "code_signing_management" { "signer:StartSigningJob", "signer:DescribeSigningJob" ], - Resource = "*" + Resource = "arn:aws:signer:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:/signing-jobs/*" }, { Sid = "SignerProfileManagement", @@ -755,7 +755,7 @@ resource "aws_iam_policy" "code_signing_management" { "signer:CancelSigningProfile", "signer:RevokeSignature" ], - Resource = "*" + Resource = "arn:aws:signer:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:/signing-profiles/eligibility-signposting-api-*" } ] }) From 5fb9a3b727c299f99b5451a70ca58189994d20a1 Mon Sep 17 00:00:00 2001 
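Review bot: The Signer scoping here denies the calls it is meant to allow: `signer:StartSigningJob` is authorised against the `signing-profile` resource, not `/signing-jobs/*`, so `SignerJobUsage` should carry both the profile ARN (for `StartSigningJob`) and `/signing-jobs/*` (for `DescribeSigningJob`). The `SignerProfileManagement` pattern `/signing-profiles/eligibility-signposting-api-*` also matches none of the profile names used in this series (`eligibilityapi<env>lambdasigningprofile` in PATCH 04, `EligibilityApiLambdaSigningProfile` in PATCH 10), so that statement currently grants nothing; derive the pattern from the same naming expression the module uses, or pass the profile ARN in as a variable. The Lambda statement has the same class of problem — `Create/Get/Update/DeleteCodeSigningConfig` act on `code-signing-config` ARNs, not the function ARN, and `function:eligibility_signposting_api:*` matches only qualified ARNs — which is likely why the next commit reverts it to `*`.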
From: TOEL2 Date: Thu, 26 Mar 2026 16:22:06 +0000 Subject: [PATCH 09/21] [ELI-702] - removing suppression --- infrastructure/modules/lambda/lambda.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/infrastructure/modules/lambda/lambda.tf b/infrastructure/modules/lambda/lambda.tf index 7b3d2faf..01fb4256 100644 --- a/infrastructure/modules/lambda/lambda.tf +++ b/infrastructure/modules/lambda/lambda.tf @@ -1,7 +1,6 @@ resource "aws_lambda_function" "eligibility_signposting_lambda" { #checkov:skip=CKV_AWS_116: No deadletter queue is configured for this Lambda function, as the requests are synchronous #checkov:skip=CKV_AWS_115: Concurrent execution limit will be set at APIM level, not at Lambda level - #checkov:skip=CKV_AWS_272: Skipping code signing but flagged to create ticket to investigate on ELI-238 # If the file is not in the current working directory you will need to include a # path.module in the filename. filename = var.file_name From 41eca6d6f21c6f51f6dad0f723d51826633568d1 Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Thu, 26 Mar 2026 16:27:51 +0000 Subject: [PATCH 10/21] [ELI-702] - swapping env for workspace --- infrastructure/modules/lambda/signing.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/modules/lambda/signing.tf b/infrastructure/modules/lambda/signing.tf index 8aa6469d..6f2eba8c 100644 --- a/infrastructure/modules/lambda/signing.tf +++ b/infrastructure/modules/lambda/signing.tf @@ -1,5 +1,5 @@ resource "aws_signer_signing_profile" "lambda_signing" { - name = "eligibilityapi${var.environment}lambdasigningprofile" + name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityApiLambdaSigningProfile" #aws signer is strict with names, does not like hyphens or underscores platform_id = "AWSLambda-SHA384-ECDSA" From afa6788b43c8ae63f93420ee08b695397b7bb926 Mon Sep 17 00:00:00 2001 
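Review bot: `name` becomes `${terraform.workspace == "default" ? "" : terraform.workspace}EligibilityApiLambdaSigningProfile`, which no longer carries `var.environment`, so `test`, `preprod` and `prod` would collide on one profile name if they share an account under the default workspace — confirm each environment is its own account. It also does not match the `eligibility-signposting-api-*` resource pattern the GitHub role's Signer statements were scoped to in PATCH 08. Renaming an `aws_signer_signing_profile` forces replacement, and with `version_arn` pinned in the code-signing config that invalidates every existing signature; note it inline: `# Renaming forces a new profile version; previously signed bundles stop being trusted`.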
From: TOEL2
Date: Fri, 27 Mar 2026 09:35:52 +0000
Subject: [PATCH 11/21] [ELI-702] - swapping arn to all for config actions
---
 .../stacks/iams-developer-roles/github_actions_policies.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index afc2bd9d..747e6129 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -731,7 +731,7 @@ resource "aws_iam_policy" "code_signing_management" {
 "lambda:DeleteFunctionCodeSigningConfig",
 "lambda:PutFunctionCodeSigningConfig"
 ],
- Resource = "arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api:*",
+ Resource = "*"
 },
 {
 Sid = "SignerJobUsage",
From a383695a7766ce5fba47307a9b7854fb889510c5 Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Mon, 30 Mar 2026 11:54:01 +0100
Subject: [PATCH 12/21] [ELI-702] - disabling signing enforcement for now
---
 infrastructure/modules/lambda/locals.tf | 4 +++-
 .../stacks/iams-developer-roles/github_actions_policies.tf | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/infrastructure/modules/lambda/locals.tf b/infrastructure/modules/lambda/locals.tf
index 3790b275..12044817 100644
--- a/infrastructure/modules/lambda/locals.tf
+++ b/infrastructure/modules/lambda/locals.tf
@@ -1,3 +1,5 @@
 locals {
- enable_lambda_code_signing = contains(["test", "preprod", "prod"], var.environment)
+ enable_lambda_code_signing = false
+ # enable_lambda_code_signing = contains(["test", "preprod", "prod"], var.environment)
+ # For the next deployment ^
 }
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 747e6129..a38938e3 100644
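Review bot: Reverting the Lambda statement to `Resource = "*"` lets the CI role attach, detach or delete the code-signing configuration of every function in the account, not only `eligibility_signposting_api`; the previous ARN failed because the statement mixes two resource types, not because these actions need a wildcard. Split it: `Get/Put/DeleteFunctionCodeSigningConfig` and `ListTags` take the function ARN (bare and `:*`-qualified), `Get/Update/DeleteCodeSigningConfig` take `code-signing-config` ARNs, and only the account-level `CreateCodeSigningConfig` and `ListCodeSigningConfigs` keep `*`. The `aws_iam_policy` resource begins and ends outside this hunk.
```hcl
      {
        Sid    = "LambdaFunctionCodeSigning",
        Effect = "Allow",
        Action = [
          "lambda:GetFunctionCodeSigningConfig",
          "lambda:PutFunctionCodeSigningConfig",
          "lambda:DeleteFunctionCodeSigningConfig",
          "lambda:ListTags"
        ],
        Resource = [
          "arn:aws:lambda:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api",
          "arn:aws:lambda:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:function:eligibility_signposting_api:*"
        ]
      },
      {
        Sid    = "LambdaCodeSigningConfigObjects",
        Effect = "Allow",
        Action = [
          "lambda:GetCodeSigningConfig",
          "lambda:UpdateCodeSigningConfig",
          "lambda:DeleteCodeSigningConfig"
        ],
        Resource = "arn:aws:lambda:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:code-signing-config:*"
      },
      {
        Sid    = "LambdaCodeSigningConfigAccountLevel",
        Effect = "Allow",
        Action = [
          "lambda:CreateCodeSigningConfig",
          "lambda:ListCodeSigningConfigs"
        ],
        Resource = "*"
      },
      # … unchanged: SignerJobUsage and SignerProfileManagement statements …
```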
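Review bot: `enable_lambda_code_signing = false` switches enforcement off for every environment including prod, with nothing but `# For the next deployment ^` to bring it back, and because `code_signing_config_arn` is conditional nothing in the plan will complain in the meantime. If a temporary bypass is genuinely needed, make it a variable with a secure default (`variable "enable_lambda_code_signing" { type = bool, default = true }`) that only the affected environment overrides, and replace the comment with the ticket and the removal condition, e.g. `# TEMP ELI-702: enforcement off until the Signer IAM scoping lands; remove once the sign job succeeds in test`. PATCH 09 in this series removed the `CKV_AWS_272` suppression on the function; while this flag is false the function is again deployed without a code-signing config, so the finding that skip covered is back without a documented reason.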
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -710,6 +710,8 @@ resource "aws_iam_policy" "kinesis_management" { } resource "aws_iam_policy" "code_signing_management" { + #checkov:skip=CKV_AWS_290: Actions require wildcard resource for Lambda code signing configs and Signer jobs + #checkov:skip=CKV_AWS_235: Actions require wildcard resource for Lambda code signing configs and Signer jobs name = "code-signing-management" description = "Allow GitHub Actions to manage Lambda code signing and start Signer jobs" path = "/service-policies/" From c9d8c2ab1890ee074854983ecce2d0b040658111 Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Mon, 30 Mar 2026 12:01:56 +0100 Subject: [PATCH 13/21] [ELI-702] - checkov suppression --- .../stacks/iams-developer-roles/github_actions_policies.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf index a38938e3..14e8b77b 100644 --- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf +++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf @@ -712,6 +712,7 @@ resource "aws_iam_policy" "kinesis_management" { resource "aws_iam_policy" "code_signing_management" { #checkov:skip=CKV_AWS_290: Actions require wildcard resource for Lambda code signing configs and Signer jobs #checkov:skip=CKV_AWS_235: Actions require wildcard resource for Lambda code signing configs and Signer jobs + #checkov:skip=CKV_AWS_355: Actions require wildcard resource for Lambda code signing configs and Signer jobs name = "code-signing-management" description = "Allow GitHub Actions to manage Lambda code signing and start Signer jobs" path = "/service-policies/" From 4e61c0cb442ad7120138725a8bb6480ddfe2f3c1 Mon Sep 17 00:00:00 2001 
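Review bot: All three checkov suppressions justify `Resource = "*"` with "Actions require wildcard resource for Lambda code signing configs and Signer jobs", which holds only for `lambda:CreateCodeSigningConfig` and `lambda:ListCodeSigningConfigs`; the Signer job, profile and per-function actions all accept ARN-scoped resources, and PATCH 08 in this series scoped two of these statements. A suppression should name the specific actions that force the wildcard so the next reader does not treat the whole policy as exempt, e.g. `#checkov:skip=CKV_AWS_355: lambda:CreateCodeSigningConfig and lambda:ListCodeSigningConfigs have no resource-level permissions; other statements are ARN-scoped`.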
From: TOEL2 Date: Mon, 30 Mar 2026 12:29:05 +0100 Subject: [PATCH 14/21] [ELI-702] - removing workflow changes for now --- .../workflows/cicd-3-test-deploy-updated.yaml | 244 ++++++++++++++++++ .github/workflows/cicd-3-test-deploy.yaml | 138 +--------- 2 files changed, 257 insertions(+), 125 deletions(-) create mode 100644 .github/workflows/cicd-3-test-deploy-updated.yaml diff --git a/.github/workflows/cicd-3-test-deploy-updated.yaml b/.github/workflows/cicd-3-test-deploy-updated.yaml new file mode 100644 index 00000000..e707ff78 --- /dev/null +++ b/.github/workflows/cicd-3-test-deploy-updated.yaml 
@@ -0,0 +1,244 @@ +name: "Updated - 3. CD | Deploy to Test" + +#on: +# workflow_run: +# workflows: ["2. CD | Deploy to Dev"] +# types: [completed] + +concurrency: + group: test-deployments + cancel-in-progress: false + +permissions: + contents: read + id-token: write + actions: read + +jobs: + metadata: + name: "Resolve metadata from triggering run" + runs-on: ubuntu-latest + if: ${{ github.event.workflow_run.conclusion == 'success' }} + outputs: + terraform_version: ${{ steps.vars.outputs.terraform_version }} + tag: ${{ steps.tag.outputs.name }} + steps: + - name: "Checkout exact commit from CI/CD publish" + uses: actions/checkout@v6 + with: + ref: ${{ github.event.workflow_run.head_sha }} + + - name: "Set CI/CD variables" + id: vars + run: | + echo "terraform_version=$(grep '^terraform' .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT + + - name: "Resolve the dev-* tag for this commit" + id: tag + run: | + git fetch --tags --force + SHA="${{ github.event.workflow_run.head_sha }}" + TAG=$(git tag --points-at "$SHA" | grep '^dev-' | sort -r | head -n1 || true) + if [ -z "$TAG" ]; then + echo "No dev-* tag found on $SHA" >&2 + exit 1 + fi + echo "name=$TAG" >> $GITHUB_OUTPUT + echo "Resolved tag: $TAG" + + sign-lambda-artifact: + name: "Sign lambda artifact for TEST" + runs-on: ubuntu-latest + needs: [metadata] + environment: test + timeout-minutes: 45 + permissions: + id-token: write + contents: read + outputs: + bucket_name: ${{ steps.tf_output.outputs.bucket_name }} + steps: + - name: "Checkout same commit" + uses: actions/checkout@v6 + with: + ref: ${{ github.event.workflow_run.head_sha }} + + - name: "Setup Terraform" + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ needs.metadata.outputs.terraform_version }} + + - name: "Configure AWS Credentials" + uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role + aws-region: 
eu-west-2 + + - name: "Download lambda artefact from dev workflow" + uses: actions/download-artifact@v7 + with: + name: lambda-${{ needs.metadata.outputs.tag }} + path: ./dist + run-id: ${{ github.event.workflow_run.id }} + github-token: ${{ github.token }} + + - name: "Terraform Init (TEST api-layer)" + env: + ENVIRONMENT: test + WORKSPACE: "default" + run: | + echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=init" + make terraform env=$ENVIRONMENT stack=api-layer tf-command=init workspace=$WORKSPACE + working-directory: ./infrastructure + + - name: "Extract S3 bucket name from Terraform output" + id: tf_output + run: | + BUCKET=$(terraform output -raw lambda_artifact_bucket) + PROFILE=$(terraform output -raw lambda_signing_profile_name) + echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT + echo "signing_profile_name=$PROFILE" >> $GITHUB_OUTPUT + working-directory: ./infrastructure/stacks/api-layer + + - name: "Upload unsigned lambda artifact to S3" + run: | + aws s3 cp ./dist/lambda.zip \ + s3://${{ steps.tf_output.outputs.bucket_name }}/unsigned/${{ needs.metadata.outputs.tag }}/lambda.zip \ + --region eu-west-2 + + - name: "Get uploaded source object version" + id: source_object + run: | + VERSION_ID=$(aws s3api head-object \ + --bucket "${{ steps.tf_output.outputs.bucket_name }}" \ + --key "unsigned/${{ needs.metadata.outputs.tag }}/lambda.zip" \ + --query 'VersionId' \ + --output text \ + --region eu-west-2) + echo "version_id=$VERSION_ID" >> $GITHUB_OUTPUT + + - name: "Start signing job" + id: signing + env: + SIGNING_PROFILE_NAME: ${{ steps.tf_output.outputs.signing_profile_name }} + run: | + JOB_ID=$(aws signer start-signing-job \ + --source "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},key=unsigned/${{ needs.metadata.outputs.tag }}/lambda.zip,version=${{ steps.source_object.outputs.version_id }}}" \ + --destination "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},prefix=signed/${{ 
needs.metadata.outputs.tag }}/}" \ + --profile-name "$SIGNING_PROFILE_NAME" \ + --query 'jobId' \ + --output text \ + --region eu-west-2) + echo "job_id=$JOB_ID" >> $GITHUB_OUTPUT + + - name: "Wait for signing job" + run: | + aws signer wait successful-signing-job \ + --job-id "${{ steps.signing.outputs.job_id }}" \ + --region eu-west-2 + + - name: "Resolve signed artifact location" + id: signed_object + run: | + SIGNED_BUCKET=$(aws signer describe-signing-job \ + --job-id "${{ steps.signing.outputs.job_id }}" \ + --region eu-west-2 \ + --query 'signedObject.s3.bucketName' \ + --output text) + + SIGNED_KEY=$(aws signer describe-signing-job \ + --job-id "${{ steps.signing.outputs.job_id }}" \ + --region eu-west-2 \ + --query 'signedObject.s3.key' \ + --output text) + + echo "bucket_name=$SIGNED_BUCKET" >> $GITHUB_OUTPUT + echo "object_key=$SIGNED_KEY" >> $GITHUB_OUTPUT + + - name: "Download signed lambda artifact" + run: | + aws s3 cp \ + "s3://${{ steps.signed_object.outputs.bucket_name }}/${{ steps.signed_object.outputs.object_key }}" \ + ./dist/lambda.zip \ + --region eu-west-2 + + - name: "Upload signed lambda artifact for current workflow" + uses: actions/upload-artifact@v6 + with: + name: lambda-${{ needs.metadata.outputs.tag }} + path: ./dist/lambda.zip + + deploy: + name: "Deploy to TEST (approval required)" + runs-on: ubuntu-latest + needs: [metadata, sign-lambda-artifact] + environment: test + timeout-minutes: 10080 + permissions: + id-token: write + contents: read + steps: + - name: "Checkout same commit" + uses: actions/checkout@v6 + with: + ref: ${{ github.event.workflow_run.head_sha }} + + - name: "Setup Terraform" + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ needs.metadata.outputs.terraform_version }} + + - name: "Download signed lambda artefact" + uses: actions/download-artifact@v7 + with: + name: lambda-${{ needs.metadata.outputs.tag }} + path: ./dist + + - name: "Configure AWS Credentials" + uses: 
aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role + aws-region: eu-west-2 + + - name: "Terraform Apply (TEST)" + env: + ENVIRONMENT: test + WORKSPACE: "default" + TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }} + TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }} + TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }} + TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }} + TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }} + TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }} + TF_VAR_PROXYGEN_PRIVATE_KEY_PTL: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }} + TF_VAR_PROXYGEN_PRIVATE_KEY_PROD: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }} + run: | + mkdir -p ./build + echo "Deploying tag: ${{ needs.metadata.outputs.tag }}" + echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply" + make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE + echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply" + make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE + working-directory: ./infrastructure + + - name: "Validate Feature Toggles" + env: + ENV: test + run: | + pip install boto3 + python scripts/feature_toggle/validate_toggles.py + + - name: "Upload signed lambda artifact to S3" + run: | + aws s3 cp ./dist/lambda.zip \ + s3://${{ needs.sign-lambda-artifact.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \ + --region eu-west-2 + + regression-tests: + name: "Regression Tests" + needs: deploy + uses: ./.github/workflows/regression-tests.yml + with: + ENVIRONMENT: "test" + VERSION_NUMBER: "main" + secrets: inherit diff --git a/.github/workflows/cicd-3-test-deploy.yaml b/.github/workflows/cicd-3-test-deploy.yaml index 8cfad5f1..a9ffeb7c 100644 
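Review bot: Between the sign job and the deploy job the signed zip round-trips through the GitHub artifact store under the same name, `lambda-<tag>`, as the unsigned artifact from the dev run, and with `enable_lambda_code_signing = false` elsewhere in this series nothing checks that the file `terraform apply` packages is the one Signer produced. Have the sign job record the SHA-256 of the downloaded signed object as a job output, verify it in the deploy job before apply, and give the signed artifact a distinct name so the two cannot be confused. As committed the file can never run — its `on:` trigger is commented out while `metadata` is gated on `github.event.workflow_run` — which deserves a top-of-file comment saying it is staged for ELI-702 and not yet wired up. The unquoted `${{ … }}` interpolations into `run:` scripts carried over from the original workflow should go through `env:` here too.
```yaml
    # sign-lambda-artifact job
    outputs:
      bucket_name: ${{ steps.tf_output.outputs.bucket_name }}
      signed_sha256: ${{ steps.signed_digest.outputs.sha256 }}
    # … unchanged: checkout, credentials, terraform init, signing steps …
      - name: "Record digest of signed lambda artifact"
        id: signed_digest
        run: |
          echo "sha256=$(sha256sum ./dist/lambda.zip | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"

      - name: "Upload signed lambda artifact for current workflow"
        uses: actions/upload-artifact@v6
        with:
          name: lambda-${{ needs.metadata.outputs.tag }}-signed
          path: ./dist/lambda.zip

    # deploy job
      - name: "Download signed lambda artefact"
        uses: actions/download-artifact@v7
        with:
          name: lambda-${{ needs.metadata.outputs.tag }}-signed
          path: ./dist

      - name: "Verify signed artifact digest"
        env:
          EXPECTED_SHA256: ${{ needs.sign-lambda-artifact.outputs.signed_sha256 }}
        run: |
          echo "$EXPECTED_SHA256  ./dist/lambda.zip" | sha256sum -c -
    # … unchanged: configure credentials, terraform apply, toggles, S3 upload …
```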
--- a/.github/workflows/cicd-3-test-deploy.yaml +++ b/.github/workflows/cicd-3-test-deploy.yaml @@ -46,17 +46,15 @@ jobs: echo "name=$TAG" >> $GITHUB_OUTPUT echo "Resolved tag: $TAG" - sign-lambda-artifact: - name: "Sign lambda artifact for TEST" + deploy: + name: "Deploy to TEST (approval required)" runs-on: ubuntu-latest needs: [metadata] environment: test - timeout-minutes: 45 + timeout-minutes: 10080 permissions: id-token: write contents: read - outputs: - bucket_name: ${{ steps.tf_output.outputs.bucket_name }} steps: - name: "Checkout same commit" uses: actions/checkout@v6 
@@ -82,124 +80,6 @@ jobs: run-id: ${{ github.event.workflow_run.id }} github-token: ${{ github.token }} - - name: "Terraform Init (TEST api-layer)" - env: - ENVIRONMENT: test - WORKSPACE: "default" - run: | - echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=init" - make terraform env=$ENVIRONMENT stack=api-layer tf-command=init workspace=$WORKSPACE - working-directory: ./infrastructure - - - name: "Extract S3 bucket name from Terraform output" - id: tf_output - run: | - BUCKET=$(terraform output -raw lambda_artifact_bucket) - PROFILE=$(terraform output -raw lambda_signing_profile_name) - echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT - echo "signing_profile_name=$PROFILE" >> $GITHUB_OUTPUT - working-directory: ./infrastructure/stacks/api-layer - - - name: "Upload unsigned lambda artifact to S3" - run: | - aws s3 cp ./dist/lambda.zip \ - s3://${{ steps.tf_output.outputs.bucket_name }}/unsigned/${{ needs.metadata.outputs.tag }}/lambda.zip \ - --region eu-west-2 - - - name: "Get uploaded source object version" - id: source_object - run: | - VERSION_ID=$(aws s3api head-object \ - --bucket "${{ steps.tf_output.outputs.bucket_name }}" \ - --key "unsigned/${{ needs.metadata.outputs.tag }}/lambda.zip" \ - --query 'VersionId' \ - --output text \ - --region eu-west-2) - echo "version_id=$VERSION_ID" >> $GITHUB_OUTPUT - - - name: "Start signing job" - id: signing - env: - SIGNING_PROFILE_NAME: ${{ steps.tf_output.outputs.signing_profile_name }} - run: | - JOB_ID=$(aws signer start-signing-job \ - --source "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},key=unsigned/${{ needs.metadata.outputs.tag }}/lambda.zip,version=${{ steps.source_object.outputs.version_id }}}" \ - --destination "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},prefix=signed/${{ needs.metadata.outputs.tag }}/}" \ - --profile-name "$SIGNING_PROFILE_NAME" \ - --query 'jobId' \ - --output text \ - --region eu-west-2) - echo "job_id=$JOB_ID" >> 
$GITHUB_OUTPUT - - - name: "Wait for signing job" - run: | - aws signer wait successful-signing-job \ - --job-id "${{ steps.signing.outputs.job_id }}" \ - --region eu-west-2 - - - name: "Resolve signed artifact location" - id: signed_object - run: | - SIGNED_BUCKET=$(aws signer describe-signing-job \ - --job-id "${{ steps.signing.outputs.job_id }}" \ - --region eu-west-2 \ - --query 'signedObject.s3.bucketName' \ - --output text) - - SIGNED_KEY=$(aws signer describe-signing-job \ - --job-id "${{ steps.signing.outputs.job_id }}" \ - --region eu-west-2 \ - --query 'signedObject.s3.key' \ - --output text) - - echo "bucket_name=$SIGNED_BUCKET" >> $GITHUB_OUTPUT - echo "object_key=$SIGNED_KEY" >> $GITHUB_OUTPUT - - - name: "Download signed lambda artifact" - run: | - aws s3 cp \ - "s3://${{ steps.signed_object.outputs.bucket_name }}/${{ steps.signed_object.outputs.object_key }}" \ - ./dist/lambda.zip \ - --region eu-west-2 - - - name: "Upload signed lambda artifact for current workflow" - uses: actions/upload-artifact@v6 - with: - name: lambda-${{ needs.metadata.outputs.tag }} - path: ./dist/lambda.zip - - deploy: - name: "Deploy to TEST (approval required)" - runs-on: ubuntu-latest - needs: [metadata, sign-lambda-artifact] - environment: test - timeout-minutes: 10080 - permissions: - id-token: write - contents: read - steps: - - name: "Checkout same commit" - uses: actions/checkout@v6 - with: - ref: ${{ github.event.workflow_run.head_sha }} - - - name: "Setup Terraform" - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: ${{ needs.metadata.outputs.terraform_version }} - - - name: "Download signed lambda artefact" - uses: actions/download-artifact@v7 - with: - name: lambda-${{ needs.metadata.outputs.tag }} - path: ./dist - - - name: "Configure AWS Credentials" - uses: aws-actions/configure-aws-credentials@v6 - with: - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role - aws-region: eu-west-2 - - 
name: "Terraform Apply (TEST)" env: ENVIRONMENT: test
@@ -212,6 +92,7 @@ jobs: TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }} TF_VAR_PROXYGEN_PRIVATE_KEY_PTL: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }} TF_VAR_PROXYGEN_PRIVATE_KEY_PROD: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }} + run: | mkdir -p ./build echo "Deploying tag: ${{ needs.metadata.outputs.tag }}"
@@ -228,10 +109,17 @@ jobs: pip install boto3 python scripts/feature_toggle/validate_toggles.py - - name: "Upload signed lambda artifact to S3" + - name: "Extract S3 bucket name from Terraform output" + id: tf_output + run: | + BUCKET=$(terraform output -raw lambda_artifact_bucket) + echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT + working-directory: ./infrastructure/stacks/api-layer + + - name: "Upload lambda artifact to S3" run: | aws s3 cp ./dist/lambda.zip \ - s3://${{ needs.sign-lambda-artifact.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \ + s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \ --region eu-west-2 regression-tests:
From 547344d52ffe1a7ff07c375db2548538054a2191 Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Thu, 9 Apr 2026 11:21:49 +0100
Subject: [PATCH 15/21] [ELI-702] Update resource name
---
 .../stacks/iams-developer-roles/github_actions_policies.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 67f6f16b..818889e8 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
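Review bot: The `aws s3 cp` destination splices `${{ steps.tf_output.outputs.bucket_name }}` and `${{ needs.metadata.outputs.tag }}` into the `run:` script as text before the shell parses it, so a value containing a quote or `$(` would change the command rather than just the path; pass both through `env:` (`BUCKET_NAME: ${{ steps.tf_output.outputs.bucket_name }}` and `ARTIFACT_TAG: ${{ needs.metadata.outputs.tag }}`) and write the destination as `"s3://$BUCKET_NAME/artifacts/$ARTIFACT_TAG/lambda.zip"`. The new step reads `terraform output` from `./infrastructure/stacks/api-layer` while the apply ran through `make terraform` from `./infrastructure`; presumably the Makefile initialises that stack directory, but with the explicit init step removed it is worth confirming a backend is initialised there. Since signing now happens in a separate workflow, the object written to `artifacts/<tag>/lambda.zip` here is the unsigned dev build; a one-line comment on the step saying so would stop a reader assuming this is the bundle the code-signing config will accept.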
@@ -789,7 +789,7 @@ resource "aws_iam_policy" "code_signing_management" { "signer:CancelSigningProfile", "signer:RevokeSignature" ], - Resource = "arn:aws:signer:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:/signing-profiles/eligibility-signposting-api-*" + Resource = "${terraform.workspace == "default" ? "" : "${terraform.workspace}"}EligibilityApiLambdaSigningProfile" } ] })
From 59b54ca1f330b79c240fc45e914e0649dd744c58 Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Sat, 11 Apr 2026 11:19:58 +0100
Subject: [PATCH 16/21] [ELI-702] removing duplicate signer perm
---
 .../stacks/iams-developer-roles/iams_permissions_boundary.tf | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
index d6f787a3..bda6443f 100644
--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -94,9 +94,6 @@ data "aws_iam_policy_document" "permissions_boundary" { # signing - code signing for Lambda functions "signer:*", - # CodeSigning - "signer:*", - # IAM - specific role and policy management "iam:GetRole*", "iam:GetPolicy*",
From f888da34787997494770dcf368d3385699678a3a Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Mon, 13 Apr 2026 08:36:40 +0100
Subject: [PATCH 17/21] [ELI-702] slight name change
---
 .github/workflows/cicd-3-test-deploy-updated.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/cicd-3-test-deploy-updated.yaml b/.github/workflows/cicd-3-test-deploy-updated.yaml
index e707ff78..812af912 100644
--- a/.github/workflows/cicd-3-test-deploy-updated.yaml
+++ b/.github/workflows/cicd-3-test-deploy-updated.yaml
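Review bot: The new `Resource` value is a bare profile name rather than an ARN, and IAM accepts only ARNs or `*` in `Resource`, so this policy will be rejected at creation (or never match); keep the ARN shape and substitute only the name part: `Resource = "arn:aws:signer:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:/signing-profiles/${terraform.workspace == "default" ? "" : terraform.workspace}EligibilityApiLambdaSigningProfile"`. The inner `"${terraform.workspace}"` wrapper is redundant inside an interpolation and is dropped in that form. Separately, I believe `signer:RevokeSignature` is authorised against signing-job ARNs rather than the profile, so it may need its own statement; worth checking against the Service Authorization Reference before relying on this statement for revocation. The enclosing `aws_iam_policy.code_signing_management` starts outside the hunk.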
@@ -91,7 +91,7 @@ jobs: make terraform env=$ENVIRONMENT stack=api-layer tf-command=init workspace=$WORKSPACE working-directory: ./infrastructure - - name: "Extract S3 bucket name from Terraform output" + - name: "Extract Terraform outputs" id: tf_output run: | BUCKET=$(terraform output -raw lambda_artifact_bucket)
@@ -103,7 +103,7 @@ jobs: - name: "Upload unsigned lambda artifact to S3" run: | aws s3 cp ./dist/lambda.zip \ - s3://${{ steps.tf_output.outputs.bucket_name }}/unsigned/${{ needs.metadata.outputs.tag }}/lambda.zip \ + s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \ --region eu-west-2 - name: "Get uploaded source object version"
@@ -123,8 +123,8 @@ jobs: SIGNING_PROFILE_NAME: ${{ steps.tf_output.outputs.signing_profile_name }} run: | JOB_ID=$(aws signer start-signing-job \ - --source "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},key=unsigned/${{ needs.metadata.outputs.tag }}/lambda.zip,version=${{ steps.source_object.outputs.version_id }}}" \ - --destination "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},prefix=signed/${{ needs.metadata.outputs.tag }}/}" \ + --source "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},key=artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip,version=${{ steps.source_object.outputs.version_id }}}" \ + --destination "s3={bucketName=${{ steps.tf_output.outputs.bucket_name }},prefix=signed-artifacts/${{ needs.metadata.outputs.tag }}/}" \ --profile-name "$SIGNING_PROFILE_NAME" \ --query 'jobId' \ --output text \
From 05685f5b0c3b7bb335337aeaeb35cad39ec12ccf Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Mon, 13 Apr 2026 08:52:18 +0100
Subject: [PATCH 18/21] [ELI-702] converting to manual to test
---
 .../workflows/cicd-3-test-deploy-updated.yaml | 57 +++++++++----------
 1 file changed, 26 insertions(+), 31 deletions(-)
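Review bot: The unsigned bundle now lands on `artifacts/<tag>/lambda.zip`, which is the same key the `deploy` job of cicd-3-test-deploy.yaml writes its own unsigned artifact to through the same `lambda_artifact_bucket` output, so if both workflows run for one tag against the same account the later writer silently replaces the other's object and the stage of what sits at that key can no longer be read from its path; use a prefix that names the stage, e.g. `unsigned-artifacts/`, in both the `@@ -103` and `@@ -123` hunks (and in the matching `--key` of the head-object step that patch 18 touches), so unsigned, signed and deployed objects stay distinguishable in bucket policy and audit logs. The step is still titled 'Upload unsigned lambda artifact to S3', which no longer matches the path it writes. Pinning `--source` to the captured `version=` is the right choice; it presupposes versioning on the bucket, which Signer requires of its source bucket, and a one-line comment where `lambda_artifact_bucket` is read would record that dependency.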
diff --git a/.github/workflows/cicd-3-test-deploy-updated.yaml b/.github/workflows/cicd-3-test-deploy-updated.yaml
index 812af912..22e4e2c8 100644
--- a/.github/workflows/cicd-3-test-deploy-updated.yaml
+++ b/.github/workflows/cicd-3-test-deploy-updated.yaml
@@ -1,9 +1,18 @@ name: "Updated - 3. CD | Deploy to Test" -#on: -# workflow_run: -# workflows: ["2. CD | Deploy to Dev"] -# types: [completed] +on: + workflow_dispatch: + inputs: + ref: + description: "Branch, tag, or commit SHA to check out" + required: true + default: "main" + artifact_tag: + description: "Artifact tag to deploy, for example dev-20260410120000" + required: true + artifact_run_id: + description: "Workflow run ID that produced the lambda artifact" + required: true concurrency: group: test-deployments
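Review bot: Nothing ties `artifact_tag` and `artifact_run_id` to `ref`: the `@@ -74` hunk downloads whichever run the dispatcher names and the signing job then signs that bundle under the TEST profile, while `ref` only supplies the Terraform code, so a signature no longer attests that the bundle was built from the checked-out commit. If this manual trigger is to outlive the test phase, compare the named run's head commit with the resolved ref before signing (e.g. `gh run view "$ARTIFACT_RUN_ID" --json headSha`) and fail on mismatch; at minimum the `description` strings should state that the three inputs are not cross-checked. `required: true` does not constrain format either, and a pattern check on `artifact_tag` (the example suggests `^dev-[0-9]{14}$`) would keep arbitrary text out of the S3 keys and artifact names built from it.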
@@ -16,35 +25,27 @@ permissions: jobs: metadata: - name: "Resolve metadata from triggering run" + name: "Resolve metadata" runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.conclusion == 'success' }} outputs: terraform_version: ${{ steps.vars.outputs.terraform_version }} tag: ${{ steps.tag.outputs.name }} steps: - - name: "Checkout exact commit from CI/CD publish" + - name: "Checkout selected ref" uses: actions/checkout@v6 with: - ref: ${{ github.event.workflow_run.head_sha }} + ref: ${{ inputs.ref }} - name: "Set CI/CD variables" id: vars run: | echo "terraform_version=$(grep '^terraform' .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT - - name: "Resolve the dev-* tag for this commit" + - name: "Use provided artifact tag" id: tag run: | - git fetch --tags --force - SHA="${{ github.event.workflow_run.head_sha }}" - TAG=$(git tag --points-at "$SHA" | grep '^dev-' | sort -r | head -n1 || true) - if [ -z "$TAG" ]; then - echo "No dev-* tag found on $SHA" >&2 - exit 1 - fi - echo "name=$TAG" >> $GITHUB_OUTPUT - echo "Resolved tag: $TAG" + echo "name=${{ inputs.artifact_tag }}" >> $GITHUB_OUTPUT + echo "Resolved tag: ${{ inputs.artifact_tag }}" sign-lambda-artifact: name: "Sign lambda artifact for TEST" @@ -58,10 +59,10 @@ jobs: outputs: bucket_name: ${{ steps.tf_output.outputs.bucket_name }} steps: - - name: "Checkout same commit" + - name: "Checkout selected ref" uses: actions/checkout@v6 with: - ref: ${{ github.event.workflow_run.head_sha }} + ref: ${{ inputs.ref }} - name: "Setup Terraform" uses: hashicorp/setup-terraform@v3 
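Review bot: `${{ inputs.artifact_tag }}` is expanded into the `run:` script text before the shell runs it, so a value containing `"` or `$(` would alter the command instead of being passed through as data; route it through an environment variable — `env:` with `ARTIFACT_TAG: ${{ inputs.artifact_tag }}` — and write `echo "name=$ARTIFACT_TAG" >> "$GITHUB_OUTPUT"`. The same applies to every later `run:` in this file that splices `needs.metadata.outputs.tag` or a `steps.*.outputs.*` value straight into a command line, since those all derive from this input.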
@@ -74,12 +75,12 @@ jobs: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role aws-region: eu-west-2 - - name: "Download lambda artefact from dev workflow" + - name: "Download lambda artefact from chosen workflow run" uses: actions/download-artifact@v7 with: name: lambda-${{ needs.metadata.outputs.tag }} path: ./dist - run-id: ${{ github.event.workflow_run.id }} + run-id: ${{ inputs.artifact_run_id }} github-token: ${{ github.token }} - name: "Terraform Init (TEST api-layer)"
@@ -111,7 +112,7 @@ jobs: run: | VERSION_ID=$(aws s3api head-object \ --bucket "${{ steps.tf_output.outputs.bucket_name }}" \ - --key "unsigned/${{ needs.metadata.outputs.tag }}/lambda.zip" \ + --key "artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip" \ --query 'VersionId' \ --output text \ --region eu-west-2)
@@ -178,10 +179,10 @@ jobs: id-token: write contents: read steps: - - name: "Checkout same commit" + - name: "Checkout selected ref" uses: actions/checkout@v6 with: - ref: ${{ github.event.workflow_run.head_sha }} + ref: ${{ inputs.ref }} - name: "Setup Terraform" uses: hashicorp/setup-terraform@v3
@@ -228,12 +229,6 @@ jobs: pip install boto3 python scripts/feature_toggle/validate_toggles.py - - name: "Upload signed lambda artifact to S3" - run: | - aws s3 cp ./dist/lambda.zip \ - s3://${{ needs.sign-lambda-artifact.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \ - --region eu-west-2 - regression-tests: name: "Regression Tests" needs: deploy
From de5413bac4fb1e83c441b14420902f93c3350393 Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Mon, 13 Apr 2026 08:59:09 +0100
Subject: [PATCH 19/21] [ELI-702] workflow name change
---
 .../{cicd-3-test-deploy-updated.yaml => signing_test.yaml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename .github/workflows/{cicd-3-test-deploy-updated.yaml => signing_test.yaml} (99%)
diff --git a/.github/workflows/cicd-3-test-deploy-updated.yaml b/.github/workflows/signing_test.yaml
similarity index 99%
rename from .github/workflows/cicd-3-test-deploy-updated.yaml
rename to .github/workflows/signing_test.yaml
index 22e4e2c8..cb7d1432 100644
--- a/.github/workflows/cicd-3-test-deploy-updated.yaml
+++ b/.github/workflows/signing_test.yaml
@@ -1,4 +1,4 @@ -name: "Updated - 3. CD | Deploy to Test" +name: "signing-test" on: workflow_dispatch:
From 339738e48ffd4fcbd6778e1275742474ab5fdca8 Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Tue, 14 Apr 2026 09:05:51 +0100
Subject: [PATCH 20/21] [ELI] formatting
---
 .github/workflows/cicd-3-test-deploy.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/cicd-3-test-deploy.yaml b/.github/workflows/cicd-3-test-deploy.yaml
index 90442aad..d2b4d040 100644
--- a/.github/workflows/cicd-3-test-deploy.yaml
+++ b/.github/workflows/cicd-3-test-deploy.yaml
@@ -141,3 +141,4 @@ jobs: ENVIRONMENT: "test" VERSION_NUMBER: "main" secrets: inherit +
From 153f63cfc35e96671d68fd26064f9d73b842365a Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Tue, 14 Apr 2026 09:12:07 +0100
Subject: [PATCH 21/21] [ELI-702] removing unnecessary deployment
---
 .github/workflows/signing_test.yaml | 39 +----------------------------
 1 file changed, 1 insertion(+), 38 deletions(-)
diff --git a/.github/workflows/signing_test.yaml b/.github/workflows/signing_test.yaml
index cb7d1432..d888652d 100644
--- a/.github/workflows/signing_test.yaml
+++ b/.github/workflows/signing_test.yaml
@@ -6,7 +6,7 @@ on: ref: description: "Branch, tag, or commit SHA to check out" required: true - default: "main" + default: "feature/ELI-702-code-signing" artifact_tag: description: "Artifact tag to deploy, for example dev-20260410120000" required: true
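Review bot: The default for `ref` now names a feature branch, so once that branch is merged or deleted a dispatcher who accepts the default checks out a stale or missing ref, and the `deploy` job still assumes the deployment role against TEST for it; restore `default: "main"` before merge, or remove the default so the ref must be chosen explicitly each time. If the intent is that this workflow only ever runs against a branch under test, say so in the input's `description` (e.g. `"Branch, tag, or commit SHA to check out (test-only workflow)"`) rather than encoding it in the default.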
@@ -200,40 +200,3 @@ jobs: with: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role aws-region: eu-west-2 - - - name: "Terraform Apply (TEST)" - env: - ENVIRONMENT: test - WORKSPACE: "default" - TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }} - TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }} - TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }} - TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }} - TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }} - TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }} - TF_VAR_PROXYGEN_PRIVATE_KEY_PTL: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }} - TF_VAR_PROXYGEN_PRIVATE_KEY_PROD: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }} - run: | - mkdir -p ./build - echo "Deploying tag: ${{ needs.metadata.outputs.tag }}" - echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply" - make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE - echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply" - make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE - working-directory: ./infrastructure - - - name: "Validate Feature Toggles" - env: - ENV: test - run: | - pip install boto3 - python scripts/feature_toggle/validate_toggles.py - - regression-tests: - name: "Regression Tests" - needs: deploy - uses: ./.github/workflows/regression-tests.yml - with: - ENVIRONMENT: "test" - VERSION_NUMBER: "main" - secrets: inherit