28 changes: 28 additions & 0 deletions .github/actions/install_dependencies/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
name: "Install dependencies"
description: "Install dependencies defined in .tool-versions using asdf and npm packages"

inputs:
npm-required:
description: "Set to true if npm dependencies are already installed"
Copilot AI Apr 9, 2026

The npm-required input description is inverted relative to how it’s used. The action runs make install-node when npm-required == 'true', so the description should indicate that setting it to true installs npm dependencies (or the condition should be flipped). As written, callers are likely to pass the wrong value.

Suggested change
description: "Set to true if npm dependencies are already installed"
description: "Set to true to install npm dependencies"

required: false
default: "true"
GITHUB_TOKEN:
description: "GitHub token to access private npm packages"
required: true

runs:
using: "composite"
steps:
- name: Setting up .npmrc
shell: bash
env:
NODE_AUTH_TOKEN: ${{ inputs.GITHUB_TOKEN }}
run: |
echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc

- name: Run make install
if: inputs.npm-required == 'true'
shell: bash
run: |
make install-node
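Review bot: The `Setting up .npmrc` step writes the token into `~/.npmrc` unconditionally, while the `Run make install` step below it is skipped unless `npm-required == 'true'` (cdk_release_code.yml passes `false`), so the credential is written to disk in jobs that never use it, and `>>` adds a fresh `_authToken` line on every invocation rather than replacing the previous one. Guard the first step with the same condition, `if: inputs.npm-required == 'true'`, and write the file once instead of appending so repeated runs on a reused home directory don't accumulate token lines. If npm is the only consumer of the token, `GITHUB_TOKEN` could also become `required: false` so callers that disable npm are not forced to hand it over.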
70 changes: 70 additions & 0 deletions .github/workflows/cdk_package_code.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
name: cdk package code

on:
workflow_call:
inputs:
BRANCH_NAME:
required: true
type: string
VERSION_NUMBER:
required: true
type: string
COMMIT_ID:
required: true
type: string
pinned_image:
required: true
type: string

permissions: {}

jobs:
package_code:
runs-on: ubuntu-22.04
container:
image: ${{ inputs.pinned_image }}
options: --user 1001:1001 --group-add 128
defaults:
run:
shell: bash
permissions:
id-token: write
contents: read
packages: read
steps:
- name: copy .tool-versions
run: |
cp /home/vscode/.tool-versions "$HOME/.tool-versions"
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
ref: ${{ inputs.BRANCH_NAME }}
persist-credentials: false

- name: install dependencies
uses: ./.github/actions/install_dependencies
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: make compile
run: make compile

- name: download the get secrets lambda layer
run: |
make download-get-secrets-layer

- name: "Tar files"
run: |
tar -rf artifact.tar \
.github \
packages \
node_modules \
package.json \
package-lock.json \
tsconfig.defaults.json

- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
name: upload build artifact
with:
name: build_artifact
path: artifact.tar
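Review bot: `VERSION_NUMBER` and `COMMIT_ID` are declared as required inputs but nothing in the `package_code` job reads them, so callers must supply values that have no effect in this workflow. Either drop them, or put `COMMIT_ID` to use: checking out `ref: ${{ inputs.BRANCH_NAME }}` by branch name means the tree that is built can drift from the commit id recorded for the release if the branch moves between the `get_commit_id` job and this checkout, whereas `ref: ${{ inputs.COMMIT_ID }}` would tie the artifact to the recorded id. That switch needs a decision rather than a silent change, because pull_request.yml derives the id from `github.sha`, which for a `pull_request`-triggered run is presumably the merge commit rather than the head branch being checked out here. Separately, `tar -rf` appends to an `artifact.tar` already present in the workspace; `tar -cf` states the intent of building a fresh archive.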
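--- a/.github/workflows/cdk_release_code.yml
+++ b/.github/workflows/cdk_release_code.yml
@@ -0,0 +1,96 @@
+name: cdk release code
+
+on:
+workflow_call:
+inputs:
+BRANCH_NAME:
+required: true
+type: string
+STACK_NAME:
+required: true
+type: string
+AWS_ENVIRONMENT:
+required: true
+type: string
+VERSION_NUMBER:
+required: true
+type: string
+COMMIT_ID:
+required: true
+type: string
+CDK_APP_NAME:
+required: true
+type: string
+LOG_RETENTION_IN_DAYS:
+required: true
+type: string
+LOG_LEVEL:
+type: string
+IS_PULL_REQUEST:
+type: boolean
+required: true
+pinned_image:
+required: true
+type: string
+secrets:
+CLOUD_FORMATION_DEPLOY_ROLE:
+required: true
+permissions: {}
+
+jobs:
+release_code:
+runs-on: ubuntu-22.04
+environment: ${{ inputs.AWS_ENVIRONMENT }}
+container:
+image: ${{ inputs.pinned_image }}
+options: --user 1001:1001 --group-add 128
+defaults:
+run:
+shell: bash
+name: deploy cdk app ${{ inputs.CDK_APP_NAME }}
+permissions:
+id-token: write
+contents: read
+
+steps:
+- name: copy .tool-versions
+run: |
+cp /home/vscode/.tool-versions "$HOME/.tool-versions"
+
+- name: build_artifact download
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
+with:
+name: build_artifact
+
+- name: extract build_artifact
+run: tar -xf artifact.tar
+
+- name: install dependencies
+uses: ./.github/actions/install_dependencies
+with:
+npm-required: false
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Configure AWS Credentials
+id: connect-aws-deploy
+uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+with:
+aws-region: eu-west-2
+role-to-assume: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
+role-session-name: psu-deployment
+
+- name: Deploy AWS infrastructure and code
+run: npm run cdk-deploy --workspace packages/cdk
+shell: bash
+env:
+CDK_APP_NAME: "${{ inputs.CDK_APP_NAME }}"
+CDK_CONFIG_stackName: "${{ inputs.STACK_NAME }}"
+CDK_CONFIG_versionNumber: "${{ inputs.VERSION_NUMBER }}"
+CDK_CONFIG_commitId: "${{ inputs.COMMIT_ID }}"
+CDK_CONFIG_isPullRequest: "${{ inputs.IS_PULL_REQUEST }}"
+CDK_CONFIG_environment: "${{ inputs.AWS_ENVIRONMENT }}"
+CDK_CONFIG_logRetentionInDays: "${{ inputs.LOG_RETENTION_IN_DAYS }}"
+CDK_CONFIG_logLevel: "${{ inputs.LOG_LEVEL }}"
+REQUIRE_APPROVAL: "never"
+
+# later, there will be API deployment steps c.f. https://github.com/NHSDigital/electronic-prescription-service-clinical-prescription-tracker/blob/main/.github/workflows/cdk_release_code.yml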
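Review bot: `role-session-name: psu-deployment` is a fixed string, so every assumed-role action from every environment and run appears under the same session name in CloudTrail; including the run id, `role-session-name: psu-deployment-${{ github.run_id }}`, makes each deployment attributable to one workflow run. `BRANCH_NAME` is declared as a required input but is never referenced by any step, and `LOG_LEVEL` has neither `required` nor `default`, so an omitted value reaches the deploy as `CDK_CONFIG_logLevel: ""` — either mark it required or give it an explicit default. `REQUIRE_APPROVAL: "never"` presumably maps to cdk's `--require-approval never`, which skips the interactive prompt for security-sensitive changes; that is the usual setting for unattended deploys, but a short comment stating that the approval is expected to come from PR review would make the choice visible to the next reader.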
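--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -51,7 +51,40 @@ jobs:
 branch_name: main
 tag_format: ${{ needs.get_config_values.outputs.tag_format }}
 
-package_code:
+cdk_package_code:
+needs: [get_commit_id, tag_release, get_config_values]
+uses: ./.github/workflows/cdk_package_code.yml
+permissions:
+contents: read
+packages: read
+id-token: write
+with:
+BRANCH_NAME: main
+VERSION_NUMBER: ${{ needs.tag_release.outputs.version_tag }}
+COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+
+cdk_release_dev:
+needs: [cdk_package_code, get_commit_id, tag_release, get_config_values]
+uses: ./.github/workflows/cdk_release_code.yml
+permissions:
+contents: write
+id-token: write
+with:
+pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+BRANCH_NAME: main
+STACK_NAME: psu-cdk
+AWS_ENVIRONMENT: dev
+VERSION_NUMBER: ${{ needs.tag_release.outputs.version_tag }}
+COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+CDK_APP_NAME: PsuStatelessApp
+LOG_RETENTION_IN_DAYS: "30"
+LOG_LEVEL: DEBUG
+IS_PULL_REQUEST: false
+secrets:
+CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
+
+sam_package_code:
 needs: [tag_release, get_config_values]
 uses: ./.github/workflows/run_package_code_and_api.yml
 permissions:
@@ -62,7 +95,7 @@ jobs:
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
 
 release_dev:
-needs: [tag_release, package_code, get_commit_id, get_config_values]
+needs: [tag_release, sam_package_code, get_commit_id, get_config_values]
 uses: ./.github/workflows/run_release_code_and_api.yml
 permissions:
 contents: write
@@ -111,7 +144,7 @@ jobs:
 REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
 
 release_sandbox_dev:
-needs: [tag_release, package_code, get_commit_id, get_config_values]
+needs: [tag_release, sam_package_code, get_commit_id, get_config_values]
 uses: ./.github/workflows/run_release_code_and_api.yml
 permissions:
 contents: write
@@ -155,7 +188,13 @@ jobs:
 
 release_qa:
 needs:
-[tag_release, release_dev, package_code, get_commit_id, get_config_values]
+[
+tag_release,
+release_dev,
+sam_package_code,
+get_commit_id,
+get_config_values,
+]
 uses: ./.github/workflows/run_release_code_and_api.yml
 permissions:
 contents: write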
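Review bot: The new `cdk_release_dev` job grants `contents: write` to the reusable workflow, but the `release_code` job in cdk_release_code.yml only declares `contents: read` and `id-token: write`, so the write grant is an upper bound nothing currently uses. The effective token is the called job's, yet the caller's grant is what a later edit to cdk_release_code.yml can expand into without anyone touching ci.yml, so narrowing it here to `contents: read` keeps the two files aligned on least privilege. The same over-grant appears in the `cdk_release_code` job added to pull_request.yml in this commit.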
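--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -93,7 +93,41 @@ jobs:
 run: |
 echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
 
-package_code:
+cdk_package_code:
+needs: [get_issue_number, get_commit_id, get_config_values]
+uses: ./.github/workflows/cdk_package_code.yml
+permissions:
+contents: read
+packages: read
+id-token: write
+with:
+pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
+VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
+COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+
+cdk_release_code:
+needs:
+[get_issue_number, cdk_package_code, get_commit_id, get_config_values]
+uses: ./.github/workflows/cdk_release_code.yml
+permissions:
+contents: write
+id-token: write
+with:
+pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
+STACK_NAME: psu-cdk-pr-${{needs.get_issue_number.outputs.issue_number}}
+AWS_ENVIRONMENT: dev
+VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
+COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+CDK_APP_NAME: PsuStatelessApp
+LOG_RETENTION_IN_DAYS: "30"
+LOG_LEVEL: DEBUG
+IS_PULL_REQUEST: true
+secrets:
+CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
+
+sam_package_code:
 needs: [get_issue_number, get_config_values]
 uses: ./.github/workflows/run_package_code_and_api.yml
 permissions:
@@ -103,8 +137,9 @@ jobs:
 with:
 pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
 
-release_code:
-needs: [get_issue_number, package_code, get_commit_id, get_config_values]
+sam_release_code:
+needs:
+[get_issue_number, sam_package_code, get_commit_id, get_config_values]
 uses: ./.github/workflows/run_release_code_and_api.yml
 permissions:
 contents: write
@@ -153,7 +188,8 @@ jobs:
 REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
 
 release_sandbox_code:
-needs: [get_issue_number, package_code, get_commit_id, get_config_values]
+needs:
+[get_issue_number, sam_package_code, get_commit_id, get_config_values]
 uses: ./.github/workflows/run_release_code_and_api.yml
 permissions:
 contents: write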
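Review bot: The `STACK_NAME` line in the new `cdk_release_code` job writes the expression as `${{needs.get_issue_number.outputs.issue_number}}`, without the spaces every other expression in the file uses; `STACK_NAME: psu-cdk-pr-${{ needs.get_issue_number.outputs.issue_number }}` keeps the style uniform and greppable. `BRANCH_NAME` is fed from `github.event.pull_request.head.ref`, a branch name chosen by whoever opened the PR; in this diff it only travels as a `with:` value and is consumed by cdk_package_code.yml as the checkout `ref:`, which is the safe way to use it, so a one-line comment noting that it must not be interpolated into a `run:` script would protect that property when the workflows grow.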