Merge branch 'develop' into feature/thju1-NRL-679-fixAccessTokenForDevRef

Author: Tomdango

.github/workflows/persistent-environment.yml

@@ -8,14 +8,8 @@ on:
         description: "Environment to deploy to"
         required: true
         default: "dev"
-        type: choice
-        options:
-          - dev
-          - ref
-          - int
-          - dev-sandbox
-          - ref-sandbox
-          - int-sandbox
+        type: environment
+
       branch_name:
         description: Branch to deploy
         required: true
@@ -71,6 +65,7 @@ jobs:
   terraform-plan:
     name: Terraform Plan - ${{ inputs.environment }}
     needs: [build]
+    environment: ${{ inputs.environment }}
     runs-on: [self-hosted, ci]
 
     steps:
@@ -90,23 +85,17 @@ jobs:
       - name: Install asdf
         uses: asdf-vm/actions/[email protected]
 
-      - name: Configure AWS Credentials
+      - name: Configure Management Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: eu-west-2
-          role-to-assume: ${{ secrets.CI_ROLE_NAME }}
-          role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
 
-      - name: Get AWS Account ID
-        id: get_account_id
+      - name: Retrieve Server Certificates
         run: |
           account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
-
-          echo "account=${account}" >> "$GITHUB_OUTPUT"
-          echo "aws_account_id=$(aws secretsmanager get-secret-value --secret-id nhsd-nrlf--mgmt--${account}-account-id --query SecretString --output text)" >> "$GITHUB_OUTPUT"
-
-      - name: Retrieve Server Certificates
-        run: aws s3 cp s3://nhsd-nrlf--truststore/server/${{ steps.get_account_id.outputs.account }}.pem truststore/server/${{ steps.get_account_id.outputs.account }}.pem
+          make truststore-pull-server ENV=${account}
 
       - name: Download build artifacts
         uses: actions/download-artifact@v4
@@ -123,11 +112,16 @@ jobs:
       - name: Terraform Plan
         run: |
           terraform -chdir=terraform/infrastructure plan \
-            --var-file=etc/dev.tfvars \
-            --var assume_account=${{ steps.get_account_id.outputs.aws_account_id }} \
-            --var assume_role=terraform \
+            --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
+            --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
             -out tfplan
 
+      - name: Save Terraform Plan
+        run: |
+          terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt
+          aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan
+          aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt
+
   terraform-apply:
     name: Terraform Apply - ${{ inputs.environment }}
     needs: [terraform-plan]
@@ -157,29 +151,20 @@ jobs:
           name: build-artifacts
           path: dist
 
-      - name: Download Terraform Plan artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: tfplan-output
-          path: terraform/infrastructure
-
-      - name: Configure AWS Credentials
+      - name: Configure Management Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: eu-west-2
-          role-to-assume: ${{ secrets.CI_ROLE_NAME }}
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
           role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}
 
-      - name: Get AWS Account ID
-        id: get_account_id
-        run: |
-          account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
-
-          echo "account=${account}" >> "$GITHUB_OUTPUT"
-          echo "aws_account_id=$(aws secretsmanager get-secret-value --secret-id nhsd-nrlf--mgmt--${account}-account-id --query SecretString --output text)" >> "$GITHUB_OUTPUT"
+      - name: Download Terraform Plan artifact
+        run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan
 
       - name: Retrieve Server Certificates
-        run: aws s3 cp s3://nhsd-nrlf--truststore/server/${{ steps.get_account_id.outputs.account }}.pem truststore/server/${{ steps.get_account_id.outputs.account }}.pem
+        run: |
+          account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
+          make truststore-pull-server ENV=${account}
 
       - name: Terraform Init
         run: |

.github/workflows/pr-env-deploy.yml

@@ -99,6 +99,7 @@ jobs:
   deploy:
     name: Deploy PR Environment
     runs-on: [self-hosted, ci]
+    environment: pull-request
     needs: [set-environment-id, build]
 
     steps:
@@ -124,19 +125,15 @@ jobs:
           name: build-artifacts
           path: dist
 
-      - name: Configure AWS Credentials
+      - name: Configure Management Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: eu-west-2
-          role-to-assume: ${{ secrets.CI_ROLE_NAME }}
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
           role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Retrieve Server Certificates
-        run: aws s3 cp s3://nhsd-nrlf--truststore/server/dev.pem truststore/server/dev.pem
-
-      - name: Get AWS Account ID
-        id: get_account_id
-        run: echo "aws_account_id=$(aws secretsmanager get-secret-value --secret-id nhsd-nrlf--mgmt--dev-account-id --query SecretString --output text)" >> "$GITHUB_OUTPUT"
+        run: make truststore-pull-server ENV=dev
 
       - name: Terraform Init
         run: |
@@ -145,17 +142,11 @@ jobs:
           terraform -chdir=terraform/infrastructure workspace select ${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Terraform Plan
-        run: |
-          terraform -chdir=terraform/infrastructure plan \
-            --var-file=etc/dev.tfvars \
-            --var assume_account=${{ steps.get_account_id.outputs.aws_account_id }} \
-            --var assume_role=terraform \
-            -out tfplan
+        run: terraform -chdir=terraform/infrastructure plan --var-file=etc/dev.tfvars --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} -out tfplan
 
       - name: Terraform Apply
         id: terraform-apply
-        run: |
-          terraform -chdir=terraform/infrastructure apply tfplan
+        run: terraform -chdir=terraform/infrastructure apply tfplan
 
       - name: Add Success Pull Request Comment
         uses: actions/github-script@v7
@@ -184,6 +175,7 @@ jobs:
   integration-test:
     name: Run Integration Tests
     needs: [set-environment-id, deploy]
+    environment: pull-request
     runs-on: [self-hosted, ci]
 
     steps:
@@ -206,40 +198,31 @@ jobs:
       - name: Python Dependency Install
         run: poetry install --no-root
 
-      - name: Configure AWS Credentials
+      - name: Configure Management Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: eu-west-2
-          role-to-assume: ${{ secrets.CI_ROLE_NAME }}
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
           role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Retrieve Client Certificates
-        run: |
-          aws s3 cp s3://nhsd-nrlf--truststore/client/dev.key truststore/client/dev.key
-          aws s3 cp s3://nhsd-nrlf--truststore/client/dev.crt truststore/client/dev.crt
-
-      - name: Get AWS Account ID
-        id: get_account_id
-        run: echo "aws_account_id=$(aws secretsmanager get-secret-value --secret-id nhsd-nrlf--mgmt--dev-account-id --query SecretString --output text)" >> "$GITHUB_OUTPUT"
+        run: make truststore-pull-client ENV=dev
 
       - name: Configure Dev Account Credentials
-        id: configure-dev-account-credentials
-        run: |
-          aws_credentials=$(aws sts assume-role --role-arn arn:aws:iam::${{ steps.get_account_id.outputs.aws_account_id }}:role/terraform --role-session-name github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }} --output json)
-          echo "aws_access_key_id=$(echo $aws_credentials | jq -r '.Credentials.AccessKeyId')" >> "$GITHUB_OUTPUT"
-          echo "aws_secret_access_key=$(echo $aws_credentials | jq -r '.Credentials.SecretAccessKey')" >> "$GITHUB_OUTPUT"
-          echo "aws_session_token=$(echo $aws_credentials | jq -r '.Credentials.SessionToken')" >> "$GITHUB_OUTPUT"
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-chaining: true
+          role-to-assume: ${{ secrets.DEPLOY_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Run Integration Tests
         run: make test-features-integration TF_WORKSPACE=${{ needs.set-environment-id.outputs.environment_id }}
-        env:
-          AWS_ACCESS_KEY_ID: ${{ steps.configure-dev-account-credentials.outputs.aws_access_key_id }}
-          AWS_SECRET_ACCESS_KEY: ${{ steps.configure-dev-account-credentials.outputs.aws_secret_access_key }}
-          AWS_SESSION_TOKEN: ${{ steps.configure-dev-account-credentials.outputs.aws_session_token }}
 
   performance-test:
     name: Run Performance Tests
     needs: [set-environment-id, integration-test]
+    environment: pull-request
     runs-on: [self-hosted, ci]
 
     steps:
@@ -268,30 +251,22 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: eu-west-2
-          role-to-assume: ${{ secrets.CI_ROLE_NAME }}
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
           role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Pull Client Certificates
         run: make truststore-pull-client ENV=dev
 
-      - name: Get AWS Account ID
-        id: get_account_id
-        run: echo "aws_account_id=$(aws secretsmanager get-secret-value --secret-id nhsd-nrlf--mgmt--dev-account-id --query SecretString --output text)" >> "$GITHUB_OUTPUT"
-
       - name: Configure Dev Account Credentials
-        id: configure-dev-account-credentials
-        run: |
-          aws_credentials=$(aws sts assume-role --role-arn arn:aws:iam::${{ steps.get_account_id.outputs.aws_account_id }}:role/terraform --role-session-name github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }} --output json)
-          echo "aws_access_key_id=$(echo $aws_credentials | jq -r '.Credentials.AccessKeyId')" >> "$GITHUB_OUTPUT"
-          echo "aws_secret_access_key=$(echo $aws_credentials | jq -r '.Credentials.SecretAccessKey')" >> "$GITHUB_OUTPUT"
-          echo "aws_session_token=$(echo $aws_credentials | jq -r '.Credentials.SessionToken')" >> "$GITHUB_OUTPUT"
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-chaining: true
+          role-to-assume: ${{ secrets.DEPLOY_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Setup Environment Test Data
         run: make test-performance-prepare TF_WORKSPACE=${{ needs.set-environment-id.outputs.environment_id }}
-        env:
-          AWS_ACCESS_KEY_ID: ${{ steps.configure-dev-account-credentials.outputs.aws_access_key_id }}
-          AWS_SECRET_ACCESS_KEY: ${{ steps.configure-dev-account-credentials.outputs.aws_secret_access_key }}
-          AWS_SESSION_TOKEN: ${{ steps.configure-dev-account-credentials.outputs.aws_session_token }}
 
       - name: Run Performance Test - Baseline
         run: make test-performance-baseline HOST=${{ needs.set-environment-id.outputs.environment_id }}.api.record-locator.dev.national.nhs.uk ENV_TYPE=dev
@@ -310,7 +285,3 @@ jobs:
 
       - name: Cleanup Environment Test Data
         run: make test-performance-cleanup TF_WORKSPACE=${{ needs.set-environment-id.outputs.environment_id }}
-        env:
-          AWS_ACCESS_KEY_ID: ${{ steps.configure-dev-account-credentials.outputs.aws_access_key_id }}
-          AWS_SECRET_ACCESS_KEY: ${{ steps.configure-dev-account-credentials.outputs.aws_secret_access_key }}
-          AWS_SESSION_TOKEN: ${{ steps.configure-dev-account-credentials.outputs.aws_session_token }}

.tool-versions

@@ -1,5 +1,5 @@
 awscli 2.15.11
-poetry 1.5.1
+poetry 1.8.2
 jq 1.7.1
 python 3.12.2
 terraform 1.3.4

Makefile

@@ -11,7 +11,8 @@ DIST_PATH ?= ./dist
 TEST_ARGS ?= --cov --cov-report=term-missing
 FEATURE_TEST_ARGS ?= ./tests/features --format progress2
 TF_WORKSPACE ?= $(shell terraform -chdir=terraform/infrastructure workspace show)
-
+ENV ?= dev
+APP_ALIAS ?= default
 
 export PATH := $(PATH):$(PWD)/.venv/bin
 
@@ -125,3 +126,9 @@ truststore-pull-client: check-warn ## Pull a client certificate
 
 truststore-pull-ca: check-warn ## Pull a CA certificate
 	@./scripts/truststore.sh pull-ca "$(ENV)"
+
+swagger-merge: check-warn ## Generate Swagger Documentation
+	@./scripts/swagger.sh merge "$(TYPE)"
+
+generate-model: check-warn ## Generate Pydantic Models
+	@./scripts/swagger.sh generate-model "$(TYPE)"