
Chore: [AEA-6593] - move to new exports #3025

Merged: anthony-nhs merged 5 commits into main from move_to_new_imports, May 1, 2026

Conversation

anthony-nhs (Contributor) commented Apr 28, 2026

Summary

  • Routine Change

Details

  • move to new exports
  • use latest regression tests

Copilot AI review requested due to automatic review settings, April 28, 2026 17:04

Copilot AI left a comment

Pull request overview

Updates infrastructure templates and CI/CD scripts to consume the new CloudFormation export names (primarily moving from legacy account-resources / lambda-resources exports to CDK-provided exports).

Changes:

  • Updated SAM templates to import KMS, Splunk, Secrets and related IAM policy ARNs from the new export namespaces.
  • Updated alarms to use the new Slack SNS topic export.
  • Updated release/deploy automation to look up the new export names (including adding jq-based export selection in the release workflow).

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.

Summary per file:

  • SAMtemplates/state_machines/state_machine_resources.yaml: Switch state machine role managed policy import to new CloudWatch encryption KMS policy export.
  • SAMtemplates/state_machines/main.yaml: Update KMS key + Splunk role/stream imports to new export names for state machines.
  • SAMtemplates/sandbox_template.yaml: Update KMS/Splunk imports and secrets access policy import to new export names.
  • SAMtemplates/functions/main.yaml: Update KMS/Splunk imports and secrets access policy import to new export names for Lambda apps.
  • SAMtemplates/functions/lambda_resources.yaml: Update managed policy imports (Insights, CW encryption, secrets decrypt) to new export names.
  • SAMtemplates/apis/main.yaml: Update truststore bucket import to new export name used to build the S3 truststore URI.
  • SAMtemplates/apis/api_resources.yaml: Update API Gateway log group KMS key + Splunk role/stream imports to new export names.
  • SAMtemplates/alarms/main.yaml: Update Slack SNS topic imports to new export name.
  • .github/workflows/run_release_code_and_api.yml: Update workflow to fetch mTLS secret ARNs via new export names using jq.
  • .github/scripts/release_code.sh: Update export lookups for artifact bucket / execution role / truststore bucket to new export names.
  • .github/scripts/deploy_api.sh: Update proxygen private key export lookup to new export name.
  • .github/scripts/delete_proxygen_deployments.sh: Update proxygen private key export lookup to new export name.

Comment thread .github/scripts/release_code.sh Outdated
Comment on lines +9 to +12
artifact_bucket=$(echo "$CF_LONDON_EXPORTS" | \
jq \
--arg EXPORT_NAME "account-resources-cdk-uk:Bucket:ArtifactsBucket:Arn" \
-r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
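Review bot: `select(.Name == $EXPORT_NAME) | .Value` prints nothing when the export is absent and the `$(...)` substitution still succeeds, so `artifact_bucket` can be silently empty at this point; add `[ -z "${artifact_bucket}" ] && { echo "artifact bucket export not found" >&2; exit 1; }` before the value reaches `sam deploy`. The export also carries the bucket ARN (`...:ArtifactsBucket:Arn`) while the variable is consumed as a bucket name, so strip the prefix, e.g. `artifact_bucket="${artifact_bucket#arn:aws:s3:::}"`, and fail if the result is still empty.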
Copilot AI commented Apr 28, 2026

artifact_bucket is now set to the CloudFormation export value for ...:ArtifactsBucket:Arn, but it’s passed to sam deploy --s3-bucket, which expects an S3 bucket name (not an ARN). This will cause sam deploy to fail. Parse the bucket name from the ARN (as was done previously) or change the export used here to one that returns the bucket name.

Suggested change
artifact_bucket=$(echo "$CF_LONDON_EXPORTS" | \
jq \
--arg EXPORT_NAME "account-resources-cdk-uk:Bucket:ArtifactsBucket:Arn" \
-r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
ARTIFACT_BUCKET_ARN=$(echo "$CF_LONDON_EXPORTS" | \
jq \
--arg EXPORT_NAME "account-resources-cdk-uk:Bucket:ArtifactsBucket:Arn" \
-r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
artifact_bucket=$(echo "${ARTIFACT_BUCKET_ARN}" | cut -d ":" -f 6)
if [ -z "${artifact_bucket}" ]; then
echo "could not retrieve artifact bucket name from aws cloudformation list-exports"
exit 1
fi

client_cert_arn=$(echo "$CF_LONDON_EXPORTS" | \
jq \
--arg EXPORT_NAME "secrets-cdk:Secrets:PsuClientCertSecret:Arn" \
-r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
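Review bot: this jq pipeline is now copied verbatim for `client_cert_arn`, for the `client_private_key_arn` lookup referenced in the comment and for `artifact_bucket` in release_code.sh, each with its own silent empty-result failure mode; define one helper, e.g. `export_value() { jq -r --arg n "$1" '.Exports[] | select(.Name == $n) | .Value' <<<"$CF_LONDON_EXPORTS"; }`, that returns non-zero on an empty result, so the missing-export check lives in one place instead of being re-added after every lookup.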
Copilot AI commented Apr 28, 2026

These jq selections will return an empty string if the export name isn’t found, and the subsequent aws secretsmanager get-secret-value will fail with a confusing error (invalid/empty secret id). Add explicit checks that client_private_key_arn and client_cert_arn are non-empty and fail early with a clear message if the exports are missing.

Suggested change
-r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
-r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
if [[ -z "${client_private_key_arn}" ]]; then
echo "Error: required CloudFormation export 'secrets-cdk:Secrets:PsuClientKeySecret:Arn' was not found in eu-west-2." >&2
exit 1
fi
if [[ -z "${client_cert_arn}" ]]; then
echo "Error: required CloudFormation export 'secrets-cdk:Secrets:PsuClientCertSecret:Arn' was not found in eu-west-2." >&2
exit 1
fi

# Retrieve the proxygen private key and client private key and cert from AWS Secrets Manager
proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:${PROXYGEN_PRIVATE_KEY_NAME}'].Value" --output text)
proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='secrets-cdk:Secrets:${PROXYGEN_PRIVATE_KEY_NAME}:Arn'].Value" --output text)
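Review bot: the new query interpolates `${PROXYGEN_PRIVATE_KEY_NAME}` into a JMESPath string literal without checking that it is set, so an unset or empty variable silently produces `Exports[?Name=='secrets-cdk:Secrets::Arn']`, which matches nothing and leaves `proxygen_private_key_arn` empty; add `: "${PROXYGEN_PRIVATE_KEY_NAME:?PROXYGEN_PRIVATE_KEY_NAME must be set}"` before the lookup and test the result for emptiness before it is used as `proxygenSecretName`.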

Copilot AI commented Apr 28, 2026

If the CloudFormation export isn’t present, this list-exports query will return an empty string and later payloads will use an invalid proxygenSecretName. Add a check after this assignment to ensure proxygen_private_key_arn is non-empty and exit with a clear error if it can’t be resolved.

Suggested change
if [[ -z "${proxygen_private_key_arn}" || "${proxygen_private_key_arn}" == "None" ]]; then
echo "Error: Could not resolve CloudFormation export 'secrets-cdk:Secrets:${PROXYGEN_PRIVATE_KEY_NAME}:Arn' for PROXYGEN_PRIVATE_KEY_NAME='${PROXYGEN_PRIVATE_KEY_NAME}'." >&2
exit 1
fi

proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:${PROXYGEN_PRIVATE_KEY_NAME}'].Value" --output text)

proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='secrets-cdk:Secrets:${PROXYGEN_PRIVATE_KEY_NAME}:Arn'].Value" --output text)
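Review bot: this line is identical to the lookup in deploy_api.sh, and the old `account-resources:` form had to be replaced in both scripts in this PR; move the `list-exports` query and its non-empty check into one sourced helper under .github/scripts so that the next export rename, or a check added in one script, cannot leave the other behind.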
Copilot AI commented Apr 28, 2026

If the CloudFormation export isn’t present, this list-exports query will return an empty string and the subsequent Lambda payloads will be built with an invalid proxygenSecretName. Add a check after this assignment to ensure proxygen_private_key_arn is non-empty and exit with a clear error if it can’t be resolved.

Suggested change
if [ -z "${proxygen_private_key_arn}" ]; then
echo "Error: Unable to resolve CloudFormation export secrets-cdk:Secrets:${PROXYGEN_PRIVATE_KEY_NAME}:Arn for ${APIGEE_ENVIRONMENT}. Cannot continue without a valid proxygen private key ARN."
exit 1
fi

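The fail-fast export lookup the review comments above keep asking for, written once as a helper together with the ARN-to-bucket-name step that `sam deploy --s3-bucket` needs. This is an added example, not code from this PR or the project's scripts. It assumes jq is installed (the PR's own workflow already relies on it) and that `CF_LONDON_EXPORTS` holds the JSON returned by `aws cloudformation list-exports`; the response below, the account id 111122223333, the bucket name and the function names `export_value` and `bucket_name_from_arn` are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not the project's script): look up a CloudFormation export by
# name from list-exports JSON and stop immediately when it is missing, instead
# of carrying an empty string into `sam deploy` or `aws secretsmanager`.
# The JSON, account id, bucket name and function names are constructed.
set -eu

# Constructed stand-in for:
#   CF_LONDON_EXPORTS=$(aws cloudformation list-exports --region eu-west-2)
CF_LONDON_EXPORTS='{
  "Exports": [
    {
      "ExportingStackId": "arn:aws:cloudformation:eu-west-2:111122223333:stack/account-resources-cdk-uk/0",
      "Name": "account-resources-cdk-uk:Bucket:ArtifactsBucket:Arn",
      "Value": "arn:aws:s3:::example-artifacts-bucket"
    },
    {
      "ExportingStackId": "arn:aws:cloudformation:eu-west-2:111122223333:stack/secrets-cdk/0",
      "Name": "secrets-cdk:Secrets:PsuClientCertSecret:Arn",
      "Value": "arn:aws:secretsmanager:eu-west-2:111122223333:secret:PsuClientCert-AbCdEf"
    }
  ]
}'

# export_value NAME [JSON]
# Prints the Value of the export called NAME. When no export matches, jq prints
# nothing and exits 0, so the emptiness check is what turns a missing export
# into a non-zero return; under `set -e` the calling script stops right here.
export_value() {
  local name="$1" json="${2:-$CF_LONDON_EXPORTS}" value
  value=$(printf '%s' "$json" |
    jq -r --arg n "$name" '.Exports[] | select(.Name == $n) | .Value')
  if [ -z "$value" ]; then
    echo "required CloudFormation export '$name' not found" >&2
    return 1
  fi
  printf '%s\n' "$value"
}

# bucket_name_from_arn ARN
# arn:aws:s3:::bucket-name -> bucket-name. Anything that is not an S3 bucket
# ARN is rejected rather than mangled (bucket names cannot contain ':').
bucket_name_from_arn() {
  local arn="$1"
  case "$arn" in
    arn:aws:s3:::?*) printf '%s\n' "${arn#arn:aws:s3:::}" ;;
    *) echo "not an S3 bucket ARN: '$arn'" >&2; return 1 ;;
  esac
}

main() {
  local artifact_bucket client_cert_arn
  artifact_bucket=$(bucket_name_from_arn \
    "$(export_value 'account-resources-cdk-uk:Bucket:ArtifactsBucket:Arn')")
  client_cert_arn=$(export_value 'secrets-cdk:Secrets:PsuClientCertSecret:Arn')
  # The real scripts would run these commands; here they are only shown.
  echo "sam deploy --s3-bucket $artifact_bucket ..."
  echo "aws secretsmanager get-secret-value --secret-id $client_cert_arn ..."
}

main
```

Because `export_value` returns non-zero on an empty result, `value=$(export_value ...)` under `set -e` fails at the lookup with the export name in the message, which is the behaviour each of the four review comments asks for individually.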
sonarqubecloud Bot commented May 1, 2026

anthony-nhs merged commit 3011d7b into main, May 1, 2026
17 checks passed
anthony-nhs deleted the move_to_new_imports branch, May 1, 2026 15:52