NHSDigital
diff --git a/‎.github/actions/install_dependencies/action.yml‎
Lines changed: 28 additions & 0 deletions b/‎.github/actions/install_dependencies/action.yml‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎.github/workflows/cdk_package_code.yml‎
Lines changed: 66 additions & 0 deletions b/‎.github/workflows/cdk_package_code.yml‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎.github/workflows/cdk_release_code.yml‎
Lines changed: 128 additions & 0 deletions b/‎.github/workflows/cdk_release_code.yml‎
Lines changed: 128 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 51 additions & 4 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 51 additions & 4 deletions
diff --git a/‎.github/workflows/pull_request.yml‎
Lines changed: 48 additions & 4 deletions b/‎.github/workflows/pull_request.yml‎
Lines changed: 48 additions & 4 deletions
@@ -0,0 +1,28 @@
+name: "Install dependencies"
+description: "Install dependencies defined in .tool-versions using asdf and npm packages"
+
+inputs:
+  npm-required:
+    description: "Set to true if npm dependencies are already installed"
+    required: false
+    default: "true"
+  GITHUB_TOKEN:
+    description: "GitHub token to access private npm packages"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setting up .npmrc
+      shell: bash
+      env:
+        NODE_AUTH_TOKEN: ${{ inputs.GITHUB_TOKEN }}
+      run: |
+        echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
+        echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
+
+    - name: Run make install
+      if: inputs.npm-required == 'true'
+      shell: bash
+      run: |
+        make install-node
@@ -0,0 +1,66 @@
+name: cdk package code
+
+on:
+  workflow_call:
+    inputs:
+      BRANCH_NAME:
+        required: true
+        type: string
+      VERSION_NUMBER:
+        required: true
+        type: string
+      COMMIT_ID:
+        required: true
+        type: string
+      pinned_image:
+        required: true
+        type: string
+
+permissions: {}
+
+jobs:
+  package_code:
+    runs-on: ubuntu-22.04
+    container:
+      image: ${{ inputs.pinned_image }}
+      options: --user 1001:1001 --group-add 128
+    defaults:
+      run:
+        shell: bash
+    permissions:
+      id-token: write
+      contents: read
+      packages: read
+    steps:
+      - name: copy .tool-versions
+        run: |
+          cp /home/vscode/.tool-versions "$HOME/.tool-versions"
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          ref: ${{ inputs.BRANCH_NAME }}
+          persist-credentials: false
+
+      - name: install dependencies
+        uses: ./.github/actions/install_dependencies
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: make compile
+        run: make compile
+
+      - name: "Tar files"
+        run: |
+          tar -rf artifact.tar \
+            .github \
+            packages \
+            node_modules \
+            package.json \
+            package-lock.json \
+            tsconfig.defaults.json
+
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+        name: upload build artifact
+        with:
+          name: build_artifact
+          path: artifact.tar
@@ -0,0 +1,128 @@
+name: cdk release code
+
+on:
+  workflow_call:
+    inputs:
+      BRANCH_NAME:
+        required: true
+        type: string
+      STACK_NAME:
+        required: true
+        type: string
+      AWS_ENVIRONMENT:
+        required: true
+        type: string
+      VERSION_NUMBER:
+        required: true
+        type: string
+      COMMIT_ID:
+        required: true
+        type: string
+      CDK_APP_NAME:
+        required: true
+        type: string
+      LOG_RETENTION_IN_DAYS:
+        required: true
+        type: string
+      LOG_LEVEL:
+        type: string
+      IS_PULL_REQUEST:
+        type: boolean
+        required: true
+      TRUSTSTORE_FILE:
+        type: string
+        required: true
+      FORWARD_CSOC_LOGS:
+        type: boolean
+        required: true
+      DEPLOY_CHECK_PRESCRIPTION_STATUS_UPDATE:
+        type: boolean
+        required: true
+      EXPOSE_GET_STATUS_UPDATES:
+        type: boolean
+        required: true
+      SAM_STACK_NAME:
+        type: string
+        required: true
+      ENABLE_POST_DATED_NOTIFICATIONS:
+        type: boolean
+        required: true
+      REQUIRE_APPLICATION_NAME:
+        type: boolean
+        required: true
+      ENABLE_BACKUP:
+        type: boolean
+        required: true
+      pinned_image:
+        required: true
+        type: string
+    secrets:
+      CLOUD_FORMATION_DEPLOY_ROLE:
+        required: true
+permissions: {}
+
+jobs:
+  release_code:
+    runs-on: ubuntu-22.04
+    environment: ${{ inputs.AWS_ENVIRONMENT }}
+    container:
+      image: ${{ inputs.pinned_image }}
+      options: --user 1001:1001 --group-add 128
+    defaults:
+      run:
+        shell: bash
+    name: deploy cdk app ${{ inputs.CDK_APP_NAME }}
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: copy .tool-versions
+        run: |
+          cp /home/vscode/.tool-versions "$HOME/.tool-versions"
+
+      - name: build_artifact download
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
+        with:
+          name: build_artifact
+
+      - name: extract build_artifact
+        run: tar -xf artifact.tar
+
+      - name: install dependencies
+        uses: ./.github/actions/install_dependencies
+        with:
+          npm-required: false
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure AWS Credentials
+        id: connect-aws-deploy
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
+          role-session-name: psu-deployment
+
+      - name: Deploy AWS infrastructure and code
+        run: npm run cdk-deploy --workspace packages/cdk
+        shell: bash
+        env:
+          CDK_APP_NAME: "${{ inputs.CDK_APP_NAME }}"
+          CDK_CONFIG_stackName: "${{ inputs.STACK_NAME }}"
+          CDK_CONFIG_versionNumber: "${{ inputs.VERSION_NUMBER }}"
+          CDK_CONFIG_commitId: "${{ inputs.COMMIT_ID }}"
+          CDK_CONFIG_isPullRequest: "${{ inputs.IS_PULL_REQUEST }}"
+          CDK_CONFIG_environment: "${{ inputs.AWS_ENVIRONMENT }}"
+          CDK_CONFIG_logRetentionInDays: "${{ inputs.LOG_RETENTION_IN_DAYS }}"
+          CDK_CONFIG_logLevel: "${{ inputs.LOG_LEVEL }}"
+          CDK_CONFIG_trustStoreFile: "${{ inputs.TRUSTSTORE_FILE }}"
+          CDK_CONFIG_forwardCsocLogs: "${{ inputs.FORWARD_CSOC_LOGS }}"
+          CDK_CONFIG_deployCheckPrescriptionStatusUpdate: "${{ inputs.DEPLOY_CHECK_PRESCRIPTION_STATUS_UPDATE }}"
+          CDK_CONFIG_exposeGetStatusUpdates: "${{ inputs.EXPOSE_GET_STATUS_UPDATES }}"
+          CDK_CONFIG_samStackName: "${{ inputs.SAM_STACK_NAME }}"
+          CDK_CONFIG_enablePostDatedNotifications: "${{ inputs.ENABLE_POST_DATED_NOTIFICATIONS }}"
+          CDK_CONFIG_requireApplicationName: "${{ inputs.REQUIRE_APPLICATION_NAME }}"
+          CDK_CONFIG_enableBackup: "${{ inputs.ENABLE_BACKUP }}"
+          REQUIRE_APPROVAL: "never"
+
+# later, there will be API deployment steps c.f. https://github.com/NHSDigital/electronic-prescription-service-clinical-prescription-tracker/blob/main/.github/workflows/cdk_release_code.yml
@@ -51,7 +51,48 @@ jobs:
       branch_name: main
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
 
-  package_code:
+  cdk_package_code:
+    needs: [get_commit_id, tag_release, get_config_values]
+    uses: ./.github/workflows/cdk_package_code.yml
+    permissions:
+      contents: read
+      packages: read
+      id-token: write
+    with:
+      BRANCH_NAME: main
+      VERSION_NUMBER: ${{ needs.tag_release.outputs.version_tag }}
+      COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+
+  cdk_release_dev:
+    needs: [cdk_package_code, get_commit_id, tag_release, get_config_values]
+    uses: ./.github/workflows/cdk_release_code.yml
+    permissions:
+      contents: write
+      id-token: write
+    with:
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+      BRANCH_NAME: main
+      STACK_NAME: psu-cdk
+      AWS_ENVIRONMENT: dev
+      VERSION_NUMBER: ${{ needs.tag_release.outputs.version_tag }}
+      COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+      CDK_APP_NAME: PsuStatelessApp
+      LOG_RETENTION_IN_DAYS: "30"
+      LOG_LEVEL: DEBUG
+      IS_PULL_REQUEST: false
+      TRUSTSTORE_FILE: psu-truststore.pem
+      FORWARD_CSOC_LOGS: false
+      DEPLOY_CHECK_PRESCRIPTION_STATUS_UPDATE: true
+      EXPOSE_GET_STATUS_UPDATES: false
+      SAM_STACK_NAME: psu
+      ENABLE_POST_DATED_NOTIFICATIONS: true
+      REQUIRE_APPLICATION_NAME: false
+      ENABLE_BACKUP: true
+    secrets:
+      CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
+
+  sam_package_code:
     needs: [tag_release, get_config_values]
     uses: ./.github/workflows/run_package_code_and_api.yml
     permissions:
@@ -62,7 +103,7 @@ jobs:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
 
   release_dev:
-    needs: [tag_release, package_code, get_commit_id, get_config_values]
+    needs: [tag_release, sam_package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/run_release_code_and_api.yml
     permissions:
       contents: write
@@ -111,7 +152,7 @@ jobs:
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
 
   release_sandbox_dev:
-    needs: [tag_release, package_code, get_commit_id, get_config_values]
+    needs: [tag_release, sam_package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/run_release_code_and_api.yml
     permissions:
       contents: write
@@ -155,7 +196,13 @@ jobs:
 
   release_qa:
     needs:
-      [tag_release, release_dev, package_code, get_commit_id, get_config_values]
+      [
+        tag_release,
+        release_dev,
+        sam_package_code,
+        get_commit_id,
+        get_config_values,
+      ]
     uses: ./.github/workflows/run_release_code_and_api.yml
     permissions:
       contents: write
 
@@ -93,7 +93,49 @@ jobs:
         run: |
           echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
 
-  package_code:
+  cdk_package_code:
+    needs: [get_issue_number, get_commit_id, get_config_values]
+    uses: ./.github/workflows/cdk_package_code.yml
+    permissions:
+      contents: read
+      packages: read
+      id-token: write
+    with:
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+      BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
+      VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
+      COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+
+  cdk_release_code:
+    needs:
+      [get_issue_number, cdk_package_code, get_commit_id, get_config_values]
+    uses: ./.github/workflows/cdk_release_code.yml
+    permissions:
+      contents: write
+      id-token: write
+    with:
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+      BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
+      STACK_NAME: psu-cdk-pr-${{needs.get_issue_number.outputs.issue_number}}
+      AWS_ENVIRONMENT: dev
+      VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
+      COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+      CDK_APP_NAME: PsuStatelessApp
+      LOG_RETENTION_IN_DAYS: "30"
+      LOG_LEVEL: DEBUG
+      IS_PULL_REQUEST: true
+      TRUSTSTORE_FILE: psu-truststore.pem
+      FORWARD_CSOC_LOGS: false
+      DEPLOY_CHECK_PRESCRIPTION_STATUS_UPDATE: true
+      EXPOSE_GET_STATUS_UPDATES: false
+      SAM_STACK_NAME: psu-pr-${{needs.get_issue_number.outputs.issue_number}}
+      ENABLE_POST_DATED_NOTIFICATIONS: true
+      REQUIRE_APPLICATION_NAME: false
+      ENABLE_BACKUP: false
+    secrets:
+      CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
+
+  sam_package_code:
     needs: [get_issue_number, get_config_values]
     uses: ./.github/workflows/run_package_code_and_api.yml
     permissions:
@@ -103,8 +145,9 @@ jobs:
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
 
-  release_code:
-    needs: [get_issue_number, package_code, get_commit_id, get_config_values]
+  sam_release_code:
+    needs:
+      [get_issue_number, sam_package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/run_release_code_and_api.yml
     permissions:
       contents: write
@@ -153,7 +196,8 @@ jobs:
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
 
   release_sandbox_code:
-    needs: [get_issue_number, package_code, get_commit_id, get_config_values]
+    needs:
+      [get_issue_number, sam_package_code, get_commit_id, get_config_values]
     uses: ./.github/workflows/run_release_code_and_api.yml
     permissions:
       contents: write