diff --git a/.github/scripts/delete_proxygen_deployments.sh b/.github/scripts/delete_proxygen_deployments.sh index adda69d25b..9f159c144c 100755 --- a/.github/scripts/delete_proxygen_deployments.sh +++ b/.github/scripts/delete_proxygen_deployments.sh @@ -23,8 +23,8 @@ delete_apigee_deployments() { APIGEE_API=$2 PROXYGEN_PRIVATE_KEY_NAME=$3 PROXYGEN_KID=$4 - proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:${PROXYGEN_PRIVATE_KEY_NAME}'].Value" --output text) - + proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='secrets-cdk:Secrets:${PROXYGEN_PRIVATE_KEY_NAME}:Arn'].Value" --output text) + echo echo "checking apigee deployments on ${APIGEE_ENVIRONMENT}" echo diff --git a/.github/scripts/deploy_api.sh b/.github/scripts/deploy_api.sh index a03d2490f2..f5c3bc17ab 100755 --- a/.github/scripts/deploy_api.sh +++ b/.github/scripts/deploy_api.sh @@ -123,7 +123,7 @@ echo echo "Retrieving proxygen credentials" # Retrieve the proxygen private key and client private key and cert from AWS Secrets Manager -proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:${PROXYGEN_PRIVATE_KEY_NAME}'].Value" --output text) +proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='secrets-cdk:Secrets:${PROXYGEN_PRIVATE_KEY_NAME}:Arn'].Value" --output text) if [[ "${ENABLE_MUTUAL_TLS}" == "true" ]]; then echo diff --git a/.github/scripts/release_code.sh b/.github/scripts/release_code.sh index 47a7e5813b..f5435834bc 100755 --- a/.github/scripts/release_code.sh +++ b/.github/scripts/release_code.sh 
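Review bot: The rewritten lookup in `delete_apigee_deployments` assigns `proxygen_private_key_arn` without checking that the export was found. With a JMESPath filter and `--output text`, a name that matches nothing returns no value instead of an error, so a typo in the new `secrets-cdk:Secrets:...:Arn` name or an undeployed exporting stack would only surface later, wherever the ARN is used. The same applies to the `deploy_api.sh` hunk and to the `client_private_key_arn` / `client_cert_arn` lookups in `run_release_code_and_api.yml`. `release_code.sh` in this commit already guards its lookups, so I would add the same here, e.g. `if [ -z "${proxygen_private_key_arn}" ]; then echo "could not retrieve proxygen private key ARN from aws cloudformation list-exports" >&2; exit 1; fi`. Both the function and the `deploy_api.sh` script continue outside their hunks.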
@@ -6,27 +6,43 @@ export AWS_MAX_ATTEMPTS echo "$COMMIT_ID" CF_LONDON_EXPORTS=$(aws cloudformation list-exports --region eu-west-2 --output json) -artifact_bucket_arn=$(echo "$CF_LONDON_EXPORTS" | \ + +ARTIFACT_BUCKET_ARN=$(echo "$CF_LONDON_EXPORTS" | \ jq \ - --arg EXPORT_NAME "account-resources:ArtifactsBucket" \ + --arg EXPORT_NAME "account-resources-cdk-uk:Bucket:ArtifactsBucket:Arn" \ -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value') -artifact_bucket=$(echo "$artifact_bucket_arn" | cut -d: -f6 | cut -d/ -f1) -export artifact_bucket +ARTIFACT_BUCKET_NAME=$(echo "${ARTIFACT_BUCKET_ARN}" | cut -d ":" -f 6) + +if [ -z "${ARTIFACT_BUCKET_NAME}" ]; then + echo "could not retrieve ARTIFACT_BUCKET_NAME from aws cloudformation list-exports" + exit 1 +fi -cloud_formation_execution_role=$(echo "$CF_LONDON_EXPORTS" | \ +CLOUD_FORMATION_EXECUTION_ROLE=$(echo "$CF_LONDON_EXPORTS" | \ jq \ - --arg EXPORT_NAME "ci-resources:CloudFormationExecutionRole" \ + --arg EXPORT_NAME "iam-cdk:IAM:CloudFormationExecutionRole:Arn" \ -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value') -if [ -z "${cloud_formation_execution_role}" ]; then - echo "could not retrieve ROLE from aws cloudformation list-exports" +if [ -z "${CLOUD_FORMATION_EXECUTION_ROLE}" ]; then + echo "could not retrieve CLOUD_FORMATION_EXECUTION_ROLE from aws cloudformation list-exports" exit 1 fi -export cloud_formation_execution_role -TRUSTSTORE_BUCKET_ARN=$(aws cloudformation describe-stacks --stack-name account-resources --query "Stacks[0].Outputs[?OutputKey=='TrustStoreBucket'].OutputValue" --output text) +TRUSTSTORE_BUCKET_ARN=$(echo "$CF_LONDON_EXPORTS" | \ + jq \ + --arg EXPORT_NAME "account-resources-cdk-uk:Bucket:TrustStoreBucket:Arn" \ + -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value') TRUSTSTORE_BUCKET_NAME=$(echo "${TRUSTSTORE_BUCKET_ARN}" | cut -d ":" -f 6) + +if [ -z "${TRUSTSTORE_BUCKET_NAME}" ]; then + echo "could not retrieve TRUSTSTORE_BUCKET_NAME from aws cloudformation 
list-exports" + exit 1 +fi + LATEST_TRUSTSTORE_VERSION=$(aws s3api list-object-versions --bucket "${TRUSTSTORE_BUCKET_NAME}" --prefix "${TRUSTSTORE_FILE}" --query 'Versions[?IsLatest].[VersionId]' --output text) + +export ARTIFACT_BUCKET_NAME +export CLOUD_FORMATION_EXECUTION_ROLE export LATEST_TRUSTSTORE_VERSION cd ../../.aws-sam/build || exit @@ -42,11 +58,11 @@ sam deploy \ --stack-name "$STACK_NAME" \ --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \ --region eu-west-2 \ - --s3-bucket "$artifact_bucket" \ + --s3-bucket "$ARTIFACT_BUCKET_NAME" \ --s3-prefix "$ARTIFACT_BUCKET_PREFIX" \ --config-file samconfig_package_and_deploy.toml \ --no-fail-on-empty-changeset \ - --role-arn "$cloud_formation_execution_role" \ + --role-arn "$CLOUD_FORMATION_EXECUTION_ROLE" \ --no-confirm-changeset \ --force-upload \ --tags "version=$VERSION_NUMBER stack=$STACK_NAME repo=$REPO cfnDriftDetectionGroup=$CFN_DRIFT_DETECTION_GROUP" \ diff --git a/.github/workflows/run_regression_tests.yml b/.github/workflows/run_regression_tests.yml index 3b658de35f..125d2153e0 100644 --- a/.github/workflows/run_regression_tests.yml +++ b/.github/workflows/run_regression_tests.yml @@ -60,11 +60,11 @@ jobs: run: | if [[ "$TARGET_ENVIRONMENT" != "prod" && "$TARGET_ENVIRONMENT" != "ref" ]]; then # this should be the tag of the tests you want to run - REGRESSION_TEST_REPO_TAG=v3.10.9 + REGRESSION_TEST_REPO_TAG=v3.12.36 # this should be the tag of the regression test workflow you want to run # This will normally be the same as REGRESSION_TEST_REPO_TAG - REGRESSION_TEST_WORKFLOW_TAG=v3.10.9 + REGRESSION_TEST_WORKFLOW_TAG=v3.12.36 curl https://raw.githubusercontent.com/NHSDigital/electronic-prescription-service-api-regression-tests/refs/tags/${REGRESSION_TEST_WORKFLOW_TAG}/scripts/run_regression_tests.py -o run_regression_tests.py poetry install diff --git a/.github/workflows/run_release_code_and_api.yml b/.github/workflows/run_release_code_and_api.yml index c0901393e0..01b216a459 100644 
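Review bot: `LATEST_TRUSTSTORE_VERSION` is still exported unchecked, although this hunk adds empty-value guards for the three lookups before it. If `${TRUSTSTORE_FILE}` has no versions in the newly resolved bucket, `--output text` presumably yields an empty or `None` value that is passed on to the deployment. I would add `if [ -z "${LATEST_TRUSTSTORE_VERSION}" ] || [ "${LATEST_TRUSTSTORE_VERSION}" = "None" ]; then echo "could not retrieve LATEST_TRUSTSTORE_VERSION" >&2; exit 1; fi` before the exports. Separately, the old code stripped any path component with `cut -d/ -f1`, whereas the new `cut -d ":" -f 6` relies on the export being a bare bucket ARN, which deserves a comment. The script continues outside the hunk, so how the exported values are consumed is not visible here.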
--- a/.github/workflows/run_release_code_and_api.yml +++ b/.github/workflows/run_release_code_and_api.yml @@ -247,8 +247,15 @@ jobs: shell: bash run: | mkdir -p ~/.proxygen/tmp - client_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:PsuClientKeySecret'].Value" --output text) - client_cert_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:PsuClientCertSecret'].Value" --output text) + CF_LONDON_EXPORTS=$(aws cloudformation list-exports --region eu-west-2 --output json) + client_private_key_arn=$(echo "$CF_LONDON_EXPORTS" | \ + jq \ + --arg EXPORT_NAME "secrets-cdk:Secrets:PsuClientKeySecret:Arn" \ + -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value') + client_cert_arn=$(echo "$CF_LONDON_EXPORTS" | \ + jq \ + --arg EXPORT_NAME "secrets-cdk:Secrets:PsuClientCertSecret:Arn" \ + -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value') aws secretsmanager get-secret-value --secret-id "${client_private_key_arn}" --query SecretString --output text > ~/.proxygen/tmp/client_private_key aws secretsmanager get-secret-value --secret-id "${client_cert_arn}" --query SecretString --output text > ~/.proxygen/tmp/client_cert env: diff --git a/SAMtemplates/alarms/main.yaml b/SAMtemplates/alarms/main.yaml index 40a5eb0af9..0d9fc74eb6 100644 --- a/SAMtemplates/alarms/main.yaml +++ b/SAMtemplates/alarms/main.yaml @@ -66,11 +66,11 @@ Resources: TreatMissingData: notBreaching ActionsEnabled: !Ref EnableAlerts AlarmActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn InsufficientDataActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn OKActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn GetStatusUpdatesUnhandledErrorsAlarm: Type: AWS::CloudWatch::Alarm 
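Review bot: The two `aws secretsmanager get-secret-value` redirects in this step write the client private key and certificate into `~/.proxygen/tmp` under the runner's default umask, so the key file is likely readable by other users on the runner. Adding `umask 077` as the first line of the `run:` block, before `mkdir -p ~/.proxygen/tmp`, keeps the directory and both files owner-only. The step's name and the rest of the job lie outside the hunk, so whether the files are removed after use cannot be seen here; if they are not, an `if: always()` cleanup step would be worth adding.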
@@ -91,11 +91,11 @@ Resources: TreatMissingData: notBreaching ActionsEnabled: !Ref EnableAlerts AlarmActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn InsufficientDataActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn OKActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn PrescriptionStatusUpdateErrorsLogsMetricFilter: Type: AWS::Logs::MetricFilter @@ -172,11 +172,11 @@ Resources: TreatMissingData: notBreaching ActionsEnabled: !Ref EnableAlerts AlarmActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn InsufficientDataActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn OKActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn PrescriptionStatusUpdateUnhandledErrorsAlarm: Type: AWS::CloudWatch::Alarm @@ -197,11 +197,11 @@ Resources: TreatMissingData: notBreaching ActionsEnabled: !Ref EnableAlerts AlarmActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn InsufficientDataActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn OKActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn DynamoDBSystemErrorsAlarm: Type: AWS::CloudWatch::Alarm 
@@ -222,11 +222,11 @@ Resources: TreatMissingData: notBreaching ActionsEnabled: !Ref EnableAlerts AlarmActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn InsufficientDataActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn OKActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn DynamoDBWriteConsumptionAlarm: Type: AWS::CloudWatch::Alarm @@ -235,11 +235,11 @@ Resources: AlarmName: !Sub "${AWS::StackName}_DynamoDB_ConsumedWriteCapacity" ActionsEnabled: !Ref EnableAlerts AlarmActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn InsufficientDataActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn OKActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn EvaluationPeriods: 1 Threshold: !Ref DynamoDBUtilizationPercentageThreshold ComparisonOperator: GreaterThanOrEqualToThreshold @@ -307,11 +307,11 @@ Resources: TreatMissingData: notBreaching ActionsEnabled: !Ref EnableAlerts AlarmActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn InsufficientDataActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn OKActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn NotifyProcessorTimeoutsMetricFilter: Type: AWS::Logs::MetricFilter 
@@ -344,11 +344,11 @@ Resources: TreatMissingData: notBreaching ActionsEnabled: !Ref EnableAlerts AlarmActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn InsufficientDataActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn OKActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn NHSNotifyPrescriptionsDeadLetterQueueMessagesAlarm: Type: AWS::CloudWatch::Alarm @@ -370,8 +370,8 @@ Resources: TreatMissingData: notBreaching ActionsEnabled: !Ref EnableAlerts AlarmActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn InsufficientDataActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn OKActions: - - !ImportValue lambda-resources:SlackAlertsSnsTopicArn + - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn diff --git a/SAMtemplates/apis/api_resources.yaml b/SAMtemplates/apis/api_resources.yaml index 7e5de74ed6..942b925aa4 100644 --- a/SAMtemplates/apis/api_resources.yaml +++ b/SAMtemplates/apis/api_resources.yaml 
@@ -68,22 +68,22 @@ Resources: Properties: LogGroupName: !Sub /aws/apigateway/${ApiName} RetentionInDays: !Ref LogRetentionInDays - KmsKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + KmsKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn ApiGwAccessLogsSplunkSubscriptionFilter: Condition: ShouldUseSplunk Type: AWS::Logs::SubscriptionFilter Properties: - RoleArn: !ImportValue lambda-resources:SplunkSubscriptionFilterRole + RoleArn: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn LogGroupName: !Ref ApiGwAccessLogs FilterPattern: "" - DestinationArn: !ImportValue lambda-resources:SplunkDeliveryStream + DestinationArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn ApiGwAccessLogsCsocSubscriptionFilter: Condition: ShouldForwardCsocLogs Type: AWS::Logs::SubscriptionFilter Properties: - RoleArn: !ImportValue lambda-resources:SplunkSubscriptionFilterRole + RoleArn: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn LogGroupName: !Ref ApiGwAccessLogs FilterPattern: "" DestinationArn: "arn:aws:logs:eu-west-2:693466633220:destination:api_gateway_log_destination" diff --git a/SAMtemplates/apis/main.yaml b/SAMtemplates/apis/main.yaml index f1c45f0ac9..b7eaf5f9cf 100644 --- a/SAMtemplates/apis/main.yaml +++ b/SAMtemplates/apis/main.yaml @@ -147,7 +147,7 @@ Resources: - 5 - !Split - ":" - - !ImportValue account-resources:TrustStoreBucket + - !ImportValue account-resources-cdk-uk:Bucket:TrustStoreBucket:Arn - psu-truststore.pem - !Ref AWS::NoValue TruststoreVersion: !If diff --git a/SAMtemplates/functions/lambda_resources.yaml b/SAMtemplates/functions/lambda_resources.yaml index bef8fc4154..35e36ade13 100644 --- a/SAMtemplates/functions/lambda_resources.yaml +++ b/SAMtemplates/functions/lambda_resources.yaml 
@@ -80,9 +80,9 @@ Resources: - !Join - "," - - !Ref LambdaManagedPolicy - - !ImportValue lambda-resources:LambdaInsightsLogGroupPolicy - - !ImportValue account-resources:CloudwatchEncryptionKMSPolicyArn - - !ImportValue account-resources:LambdaDecryptSecretsKMSPolicy + - !ImportValue account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn + - !ImportValue account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn + - !ImportValue secrets-cdk:IAM:LambdaDecryptSecretsKMSPolicy:Arn - !If - ShouldIncludeAdditionalPolicies - !Join diff --git a/SAMtemplates/functions/main.yaml b/SAMtemplates/functions/main.yaml index 7f79415f29..ba7c051a66 100644 --- a/SAMtemplates/functions/main.yaml +++ b/SAMtemplates/functions/main.yaml @@ -187,10 +187,10 @@ Resources: - Fn::ImportValue: !Sub ${StackName}-GetSQSSaltSecretPolicy - Fn::ImportValue: !Sub ${StackName}-GetNotificationsParameterPolicy LogRetentionInDays: !Ref LogRetentionInDays - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn EnableSplunk: !Ref EnableSplunk - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn ConvertRequestToFhirFormat: Type: AWS::Serverless::Function 
@@ -228,10 +228,10 @@ Resources: LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${StackName}-ConvertRequestToFhirFormat IncludeAdditionalPolicies: false LogRetentionInDays: !Ref LogRetentionInDays - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn EnableSplunk: !Ref EnableSplunk - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn GetStatusUpdates: Type: AWS::Serverless::Function @@ -274,10 +274,10 @@ Resources: - - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionStatusUpdatesTableName}:TableReadPolicyArn - Fn::ImportValue: !Sub ${StackName}:tables:UsePrescriptionStatusUpdatesKMSKeyPolicyArn LogRetentionInDays: !Ref LogRetentionInDays - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn EnableSplunk: !Ref EnableSplunk - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn Status: Type: AWS::Serverless::Function 
@@ -317,12 +317,12 @@ Resources: IncludeAdditionalPolicies: true AdditionalPolicies: !Join - "," - - - !ImportValue account-resources:LambdaAccessSecretsPolicy + - - !ImportValue secrets-cdk:IAM:LambdaAccessSecretsPolicy:Arn LogRetentionInDays: !Ref LogRetentionInDays - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn EnableSplunk: !Ref EnableSplunk - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn CapabilityStatement: Type: AWS::Serverless::Function @@ -356,10 +356,10 @@ Resources: LambdaName: !Sub ${StackName}-CapabilityStatement LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${StackName}-CapabilityStatement LogRetentionInDays: !Ref LogRetentionInDays - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn EnableSplunk: !Ref EnableSplunk - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn CheckPrescriptionStatusUpdates: Condition: ShouldDeployCheckPrescriptionStatusUpdate 
@@ -405,10 +405,10 @@ Resources: - - Fn::ImportValue: !Sub ${StackName}:tables:${PrescriptionStatusUpdatesTableName}:TableReadPolicyArn - Fn::ImportValue: !Sub ${StackName}:tables:UsePrescriptionStatusUpdatesKMSKeyPolicyArn LogRetentionInDays: !Ref LogRetentionInDays - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn EnableSplunk: !Ref EnableSplunk - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn NotifyProcessorScheduleEventRole: Type: AWS::IAM::Role @@ -491,10 +491,10 @@ Resources: LambdaName: !Sub ${StackName}-NotifyProcessor LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${StackName}-NotifyProcessor LogRetentionInDays: !Ref LogRetentionInDays - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn EnableSplunk: !Ref EnableSplunk - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn IncludeAdditionalPolicies: true AdditionalPolicies: !Join - "," 
@@ -583,10 +583,10 @@ Resources: LambdaName: !Sub ${StackName}-postDatedNotifyLambda LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${StackName}-postDatedNotifyLambda LogRetentionInDays: !Ref LogRetentionInDays - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn EnableSplunk: !Ref EnableSplunk - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn IncludeAdditionalPolicies: true AdditionalPolicies: !Join - "," @@ -648,10 +648,10 @@ Resources: - Fn::ImportValue: !Sub ${StackName}-GetPSUSecretPolicy - Fn::ImportValue: !Sub ${StackName}-UsePSUSecretsKMSKeyPolicyArn LogRetentionInDays: !Ref LogRetentionInDays - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn EnableSplunk: !Ref EnableSplunk - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn PsuRestoreValidationPolicy: Condition: EnableBackupCondition 
@@ -712,10 +712,10 @@ Resources: LambdaName: !Sub ${StackName}-PsuRestoreValidation LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${StackName}-PsuRestoreValidation LogRetentionInDays: !Ref LogRetentionInDays - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn EnableSplunk: !Ref EnableSplunk - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn IncludeAdditionalPolicies: true AdditionalPolicies: !Join - "," diff --git a/SAMtemplates/sandbox_template.yaml b/SAMtemplates/sandbox_template.yaml index cda5c5e335..0e547aa04f 100644 --- a/SAMtemplates/sandbox_template.yaml +++ b/SAMtemplates/sandbox_template.yaml @@ -85,10 +85,10 @@ Resources: LambdaName: !Sub ${AWS::StackName}-UpdatePrescriptionStatusSandbox LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-UpdatePrescriptionStatusSandbox LogRetentionInDays: !Ref LogRetentionInDays - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn EnableSplunk: !Ref EnableSplunk - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn Sandbox: Type: AWS::Serverless::Function 
@@ -164,12 +164,12 @@ Resources: IncludeAdditionalPolicies: true AdditionalPolicies: !Join - "," - - - !ImportValue account-resources:LambdaAccessSecretsPolicy + - - !ImportValue secrets-cdk:IAM:LambdaAccessSecretsPolicy:Arn LogRetentionInDays: !Ref LogRetentionInDays - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn EnableSplunk: !Ref EnableSplunk - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn CapabilityStatement: Type: AWS::Serverless::Function @@ -208,9 +208,9 @@ Resources: StackName: !Ref AWS::StackName LambdaName: !Sub ${AWS::StackName}-CapabilityStatement LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-CapabilityStatement - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn EnableSplunk: !Ref EnableSplunk LogRetentionInDays: !Ref LogRetentionInDays 
@@ -326,13 +326,13 @@ Resources: ["/aws/apigateway", !Ref "AWS::StackName", !Sub "${HttpApiGateway}"], ] RetentionInDays: !Ref LogRetentionInDays - KmsKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + KmsKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn ApiGwAccessLogsSplunkSubscriptionFilter: Condition: ShouldUseSplunk Type: AWS::Logs::SubscriptionFilter Properties: - RoleArn: !ImportValue lambda-resources:SplunkSubscriptionFilterRole + RoleArn: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn LogGroupName: !Ref ApiGwAccessLogs FilterPattern: "" # All logs - DestinationArn: !ImportValue lambda-resources:SplunkDeliveryStream + DestinationArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn diff --git a/SAMtemplates/state_machines/main.yaml b/SAMtemplates/state_machines/main.yaml index 73091f7a49..5e4abe0a6b 100644 --- a/SAMtemplates/state_machines/main.yaml +++ b/SAMtemplates/state_machines/main.yaml @@ -73,10 +73,10 @@ Resources: - - Fn::ImportValue: !Sub ${StackName}:functions:${UpdatePrescriptionStatusFunctionName}:ExecuteLambdaPolicyArn - Fn::ImportValue: !Sub ${FhirValidatorStackName}:FHIRValidatorUKCoreExecuteLambdaPolicyArn LogRetentionInDays: !Ref LogRetentionInDays - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn EnableSplunk: !Ref EnableSplunk - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn Format1UpdatePrescriptionsStatusStateMachine: Type: AWS::Serverless::StateMachine 
@@ -110,10 +110,10 @@ Resources: - - Fn::ImportValue: !Sub ${StackName}:functions:${ConvertRequestToFhirFormatFunctionName}:ExecuteLambdaPolicyArn - Fn::ImportValue: !Sub ${StackName}:functions:${UpdatePrescriptionStatusFunctionName}:ExecuteLambdaPolicyArn LogRetentionInDays: !Ref LogRetentionInDays - CloudWatchKMSKeyId: !ImportValue account-resources:CloudwatchLogsKmsKeyArn + CloudWatchKMSKeyId: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn EnableSplunk: !Ref EnableSplunk - SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole - SplunkDeliveryStreamArn: !ImportValue lambda-resources:SplunkDeliveryStream + SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn + SplunkDeliveryStreamArn: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn Outputs: UpdatePrescriptionStatusStateMachineArn: diff --git a/SAMtemplates/state_machines/state_machine_resources.yaml b/SAMtemplates/state_machines/state_machine_resources.yaml index ed54faf1d9..cd6bb302c5 100644 --- a/SAMtemplates/state_machines/state_machine_resources.yaml +++ b/SAMtemplates/state_machines/state_machine_resources.yaml @@ -79,7 +79,7 @@ Resources: - !Join - "," - - !Ref StateMachineManagedPolicy - - !ImportValue account-resources:CloudwatchEncryptionKMSPolicyArn + - !ImportValue account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn - !Join - "," - !Ref AdditionalPolicies