Merge branch 'main' into aea-6571-remove-app-name-filtring

Author: wildjames

.github/scripts/delete_proxygen_deployments.sh

@@ -23,8 +23,8 @@ delete_apigee_deployments() {
   APIGEE_API=$2
   PROXYGEN_PRIVATE_KEY_NAME=$3
   PROXYGEN_KID=$4
-  proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:${PROXYGEN_PRIVATE_KEY_NAME}'].Value" --output text)
-
+  proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='secrets-cdk:Secrets:${PROXYGEN_PRIVATE_KEY_NAME}:Arn'].Value" --output text)
+ 
   echo
   echo "checking apigee deployments on ${APIGEE_ENVIRONMENT}"
   echo

.github/scripts/deploy_api.sh

@@ -123,7 +123,7 @@ echo
 echo "Retrieving proxygen credentials"
 
 # Retrieve the proxygen private key and client private key and cert from AWS Secrets Manager
-proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:${PROXYGEN_PRIVATE_KEY_NAME}'].Value" --output text)
+proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='secrets-cdk:Secrets:${PROXYGEN_PRIVATE_KEY_NAME}:Arn'].Value" --output text)
 
 if [[ "${ENABLE_MUTUAL_TLS}" == "true" ]]; then
     echo

.github/scripts/release_code.sh

@@ -6,27 +6,43 @@ export AWS_MAX_ATTEMPTS
 echo "$COMMIT_ID"
 
 CF_LONDON_EXPORTS=$(aws cloudformation list-exports --region eu-west-2 --output json)
-artifact_bucket_arn=$(echo "$CF_LONDON_EXPORTS" | \
+
+ARTIFACT_BUCKET_ARN=$(echo "$CF_LONDON_EXPORTS" | \
     jq \
-    --arg EXPORT_NAME "account-resources:ArtifactsBucket" \
+    --arg EXPORT_NAME "account-resources-cdk-uk:Bucket:ArtifactsBucket:Arn" \
     -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
-artifact_bucket=$(echo "$artifact_bucket_arn" | cut -d: -f6 | cut -d/ -f1)
-export artifact_bucket
+ARTIFACT_BUCKET_NAME=$(echo "${ARTIFACT_BUCKET_ARN}" | cut -d ":" -f 6)
+
+if [ -z "${ARTIFACT_BUCKET_NAME}" ]; then
+    echo "could not retrieve ARTIFACT_BUCKET_NAME from aws cloudformation list-exports"
+    exit 1
+fi
 
-cloud_formation_execution_role=$(echo "$CF_LONDON_EXPORTS" | \
+CLOUD_FORMATION_EXECUTION_ROLE=$(echo "$CF_LONDON_EXPORTS" | \
     jq \
-    --arg EXPORT_NAME "ci-resources:CloudFormationExecutionRole" \
+    --arg EXPORT_NAME "iam-cdk:IAM:CloudFormationExecutionRole:Arn" \
     -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
 
-if [ -z "${cloud_formation_execution_role}" ]; then
-    echo "could not retrieve ROLE from aws cloudformation list-exports"
+if [ -z "${CLOUD_FORMATION_EXECUTION_ROLE}" ]; then
+    echo "could not retrieve CLOUD_FORMATION_EXECUTION_ROLE from aws cloudformation list-exports"
     exit 1
 fi
-export cloud_formation_execution_role
 
-TRUSTSTORE_BUCKET_ARN=$(aws cloudformation describe-stacks --stack-name account-resources --query "Stacks[0].Outputs[?OutputKey=='TrustStoreBucket'].OutputValue" --output text)
+TRUSTSTORE_BUCKET_ARN=$(echo "$CF_LONDON_EXPORTS" | \
+    jq \
+    --arg EXPORT_NAME "account-resources-cdk-uk:Bucket:TrustStoreBucket:Arn" \
+    -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
 TRUSTSTORE_BUCKET_NAME=$(echo "${TRUSTSTORE_BUCKET_ARN}" | cut -d ":" -f 6)
+
+if [ -z "${TRUSTSTORE_BUCKET_NAME}" ]; then
+    echo "could not retrieve TRUSTSTORE_BUCKET_NAME from aws cloudformation list-exports"
+    exit 1
+fi
+
 LATEST_TRUSTSTORE_VERSION=$(aws s3api list-object-versions --bucket "${TRUSTSTORE_BUCKET_NAME}" --prefix "${TRUSTSTORE_FILE}" --query 'Versions[?IsLatest].[VersionId]' --output text)
+
+export ARTIFACT_BUCKET_NAME
+export CLOUD_FORMATION_EXECUTION_ROLE
 export LATEST_TRUSTSTORE_VERSION
 
 cd ../../.aws-sam/build || exit
@@ -42,11 +58,11 @@ sam deploy \
     --stack-name "$STACK_NAME" \
     --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
     --region eu-west-2 \
-    --s3-bucket "$artifact_bucket" \
+    --s3-bucket "$ARTIFACT_BUCKET_NAME" \
     --s3-prefix "$ARTIFACT_BUCKET_PREFIX" \
     --config-file samconfig_package_and_deploy.toml \
     --no-fail-on-empty-changeset \
-    --role-arn "$cloud_formation_execution_role" \
+    --role-arn "$CLOUD_FORMATION_EXECUTION_ROLE" \
     --no-confirm-changeset \
     --force-upload \
     --tags "version=$VERSION_NUMBER stack=$STACK_NAME repo=$REPO cfnDriftDetectionGroup=$CFN_DRIFT_DETECTION_GROUP" \

.github/workflows/run_release_code_and_api.yml

@@ -243,8 +243,15 @@ jobs:
         shell: bash
         run: |
           mkdir -p ~/.proxygen/tmp
-          client_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:PsuClientKeySecret'].Value" --output text)
-          client_cert_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:PsuClientCertSecret'].Value" --output text)
+          CF_LONDON_EXPORTS=$(aws cloudformation list-exports --region eu-west-2 --output json)
+          client_private_key_arn=$(echo "$CF_LONDON_EXPORTS" | \
+              jq \
+              --arg EXPORT_NAME "secrets-cdk:Secrets:PsuClientKeySecret:Arn" \
+              -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
+          client_cert_arn=$(echo "$CF_LONDON_EXPORTS" | \
+              jq \
+              --arg EXPORT_NAME "secrets-cdk:Secrets:PsuClientCertSecret:Arn" \
+              -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
           aws secretsmanager get-secret-value --secret-id "${client_private_key_arn}" --query SecretString --output text > ~/.proxygen/tmp/client_private_key
           aws secretsmanager get-secret-value --secret-id "${client_cert_arn}" --query SecretString --output text > ~/.proxygen/tmp/client_cert
         env:

SAMtemplates/alarms/main.yaml

@@ -66,11 +66,11 @@ Resources:
       TreatMissingData: notBreaching
       ActionsEnabled: !Ref EnableAlerts
       AlarmActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       InsufficientDataActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       OKActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
 
   GetStatusUpdatesUnhandledErrorsAlarm:
     Type: AWS::CloudWatch::Alarm
@@ -91,11 +91,11 @@ Resources:
       TreatMissingData: notBreaching
       ActionsEnabled: !Ref EnableAlerts
       AlarmActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       InsufficientDataActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       OKActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
 
   PrescriptionStatusUpdateErrorsLogsMetricFilter:
     Type: AWS::Logs::MetricFilter
@@ -172,11 +172,11 @@ Resources:
       TreatMissingData: notBreaching
       ActionsEnabled: !Ref EnableAlerts
       AlarmActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       InsufficientDataActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       OKActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
 
   PrescriptionStatusUpdateUnhandledErrorsAlarm:
     Type: AWS::CloudWatch::Alarm
@@ -197,11 +197,11 @@ Resources:
       TreatMissingData: notBreaching
       ActionsEnabled: !Ref EnableAlerts
       AlarmActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       InsufficientDataActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       OKActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
 
   DynamoDBSystemErrorsAlarm:
     Type: AWS::CloudWatch::Alarm
@@ -222,11 +222,11 @@ Resources:
       TreatMissingData: notBreaching
       ActionsEnabled: !Ref EnableAlerts
       AlarmActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       InsufficientDataActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       OKActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
 
   DynamoDBWriteConsumptionAlarm:
     Type: AWS::CloudWatch::Alarm
@@ -235,11 +235,11 @@ Resources:
       AlarmName: !Sub "${AWS::StackName}_DynamoDB_ConsumedWriteCapacity"
       ActionsEnabled: !Ref EnableAlerts
       AlarmActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       InsufficientDataActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       OKActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       EvaluationPeriods: 1
       Threshold: !Ref DynamoDBUtilizationPercentageThreshold
       ComparisonOperator: GreaterThanOrEqualToThreshold
@@ -307,11 +307,11 @@ Resources:
       TreatMissingData: notBreaching
       ActionsEnabled: !Ref EnableAlerts
       AlarmActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       InsufficientDataActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       OKActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
 
   NotifyProcessorTimeoutsMetricFilter:
     Type: AWS::Logs::MetricFilter
@@ -344,11 +344,11 @@ Resources:
       TreatMissingData: notBreaching
       ActionsEnabled: !Ref EnableAlerts
       AlarmActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       InsufficientDataActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       OKActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
 
   NHSNotifyPrescriptionsDeadLetterQueueMessagesAlarm:
     Type: AWS::CloudWatch::Alarm
@@ -370,8 +370,8 @@ Resources:
       TreatMissingData: notBreaching
       ActionsEnabled: !Ref EnableAlerts
       AlarmActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       InsufficientDataActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
       OKActions:
-        - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+        - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn

SAMtemplates/apis/api_resources.yaml

@@ -68,22 +68,22 @@ Resources:
     Properties:
       LogGroupName: !Sub /aws/apigateway/${ApiName}
       RetentionInDays: !Ref LogRetentionInDays
-      KmsKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
+      KmsKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn
 
   ApiGwAccessLogsSplunkSubscriptionFilter:
     Condition: ShouldUseSplunk
     Type: AWS::Logs::SubscriptionFilter
     Properties:
-      RoleArn: !ImportValue lambda-resources:SplunkSubscriptionFilterRole
+      RoleArn: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn
       LogGroupName: !Ref ApiGwAccessLogs
       FilterPattern: ""
-      DestinationArn: !ImportValue lambda-resources:SplunkDeliveryStream
+      DestinationArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn
 
   ApiGwAccessLogsCsocSubscriptionFilter:
     Condition: ShouldForwardCsocLogs
     Type: AWS::Logs::SubscriptionFilter
     Properties:
-      RoleArn: !ImportValue lambda-resources:SplunkSubscriptionFilterRole
+      RoleArn: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn
       LogGroupName: !Ref ApiGwAccessLogs
       FilterPattern: ""
       DestinationArn: "arn:aws:logs:eu-west-2:693466633220:destination:api_gateway_log_destination"

SAMtemplates/apis/main.yaml

@@ -147,7 +147,7 @@ Resources:
                 - 5
                 - !Split
                   - ":"
-                  - !ImportValue account-resources:TrustStoreBucket
+                  - !ImportValue account-resources-cdk-uk:Bucket:TrustStoreBucket:Arn
               - psu-truststore.pem
           - !Ref AWS::NoValue
         TruststoreVersion: !If

SAMtemplates/functions/lambda_resources.yaml

@@ -80,9 +80,9 @@ Resources:
         - !Join
           - ","
           - - !Ref LambdaManagedPolicy
-            - !ImportValue lambda-resources:LambdaInsightsLogGroupPolicy
-            - !ImportValue account-resources:CloudwatchEncryptionKMSPolicyArn
-            - !ImportValue account-resources:LambdaDecryptSecretsKMSPolicy
+            - !ImportValue account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn
+            - !ImportValue account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn
+            - !ImportValue secrets-cdk:IAM:LambdaDecryptSecretsKMSPolicy:Arn
             - !If
               - ShouldIncludeAdditionalPolicies
               - !Join