NHSDigital · jameslinnell · Mar 10, 2025 · Mar 5, 2025 · Mar 5, 2025 · Mar 6, 2025
@@ -1,5 +1,9 @@
 # Changelog
 
+## 2025-03-07
+- [PI-383] External ID
+- [PI-838] product_team includes product_team_id
+
 ## 2025-03-05
 - [PI-833] Read product by productID
 - [PI-832] product_team_id as a key in product_team

@@ -1 +1 @@
-2025.03.05
+2025.03.07
@@ -0,0 +1,2 @@
+- [PI-383] External ID
+- [PI-838] product_team includes product_team_id
@@ -83,6 +83,8 @@ components:
           type: string
         cpm_product_team_id:
           type: string
+        product_team_id:
+          type: string
         ods_code:
           type: string
         status:
@@ -107,7 +109,8 @@ components:
       example:
         id: "P.1X3-XXX"
         name: "Sample Product"
-        cpm_product_team_id: "55e86121-3826-468c-a6f0-dd0f1fbc0259"
+        product_team_id: "55e86121-3826-468c-a6f0-dd0f1fbc0259"
+        cpm_product_team_id: "a9a9694d-001b-45ce-9f2a-6c9bf80ae0d0"
         ods_code: "F5H1R"
         keys: []
         status: "active"

@@ -66,3 +66,7 @@ resource "aws_secretsmanager_secret" "apigee-app-client-info" {
 resource "aws_secretsmanager_secret" "apigee-sds-app-key" {
   name = "${terraform.workspace}-apigee-sds-app-key"
 }
+
+resource "aws_secretsmanager_secret" "external-id" {
+  name = "${terraform.workspace}-external-id"
+}
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {

@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "deletion_protection_enabled" {

@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {

@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "expiration_date" {

@@ -61,3 +61,7 @@ resource "aws_secretsmanager_secret" "etl_notify_slack_webhook_url" {
 resource "aws_secretsmanager_secret" "apigee-sds-app-key" {
   name = "${terraform.workspace}-apigee-sds-app-key"
 }
+
+resource "aws_secretsmanager_secret" "external-id" {
+  name = "${terraform.workspace}-external-id"
+}
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {

@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "deletion_protection_enabled" {

@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {

@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "expiration_date" {

@@ -62,3 +62,7 @@ resource "aws_secretsmanager_secret" "etl_notify_slack_webhook_url" {
 resource "aws_secretsmanager_secret" "apigee-sds-app-key" {
   name = "${terraform.workspace}-apigee-sds-app-key"
 }
+
+resource "aws_secretsmanager_secret" "external-id" {
+  name = "${terraform.workspace}-external-id"
+}
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {

@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "deletion_protection_enabled" {

@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {

@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "expiration_date" {

@@ -62,3 +62,7 @@ resource "aws_secretsmanager_secret" "etl_notify_slack_webhook_url" {
 resource "aws_secretsmanager_secret" "apigee-sds-app-key" {
   name = "${terraform.workspace}-apigee-sds-app-key"
 }
+
+resource "aws_secretsmanager_secret" "external-id" {
+  name = "${terraform.workspace}-external-id"
+}
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {

@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "deletion_protection_enabled" {

@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {

@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "expiration_date" {

@@ -66,3 +66,7 @@ resource "aws_secretsmanager_secret" "apigee-app-client-info" {
 resource "aws_secretsmanager_secret" "apigee-sds-app-key" {
   name = "${terraform.workspace}-apigee-sds-app-key"
 }
+
+resource "aws_secretsmanager_secret" "external-id" {
+  name = "${terraform.workspace}-external-id"
+}
@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {

@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "deletion_protection_enabled" {

@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {

@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "expiration_date" {

@@ -2,7 +2,8 @@ provider "aws" {
   region = local.region
 
   assume_role {
-    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    role_arn    = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+    external_id = var.external_id
   }
 
   default_tags {

@@ -8,6 +8,8 @@ variable "assume_account" {
 
 variable "assume_role" {}
 
+variable "external_id" {}
+
 variable "environment" {}
 
 variable "deletion_protection_enabled" {

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "connecting-party-manager"
-version = "2025.03.05"
+version = "2025.03.07"
 description = "Repository for the Connecting Party Manager API and related services"
 authors = ["NHS England"]
 license = "LICENSE.md"
@@ -61,7 +61,7 @@ click = "^8.1.7"
 optional = true
 
 [tool.poetry.group.local.dependencies]
-ipython = "^8.17.2"
+ipython = "^9.0.1"
 
 # [tool.poetry.group.sds_update]
 # optional = true

@@ -7,7 +7,11 @@
         "AWS": "arn:aws:iam::${MGMT_ACCOUNT_ID}:root"
       },
       "Action": "sts:AssumeRole",
-      "Condition": {}
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "${EXTERNAL_ID}"
+        }
+      }
     }
   ]
 }
@@ -8,3 +8,6 @@ manage--non-mgmt-policies: aws--login ## Create or update IAM Policies
 
 manage--non-mgmt-test-policies: aws--login ## Create or update IAM Policies
 	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-non-mgmt-aws-support-integration-policies.sh
+
+manage--non-mgmt-trust-policies: aws--login ## Create or update IAM Policies
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/roles/manage-non-mgmt-aws-trust-policy.sh
@@ -32,11 +32,11 @@ else
   fi
 fi
 MGMT_ID_PARAMETER_STORE="nhse-cpm--${ENV}--mgmt-account-id-v1.0.0"
-
+EXTERNAL_ID_PARAMETER_STORE="${ENV}-external-id"
 if aws secretsmanager describe-secret --secret-id "$MGMT_ID_PARAMETER_STORE" --region "$AWS_REGION_NAME" &> /dev/null; then
   # Secret exists, retrieve its value
   MGMT_ACCOUNT_ID=$(aws secretsmanager get-secret-value --secret-id "$MGMT_ID_PARAMETER_STORE" --region "$AWS_REGION_NAME" --query 'SecretString' --output text)
-
+  EXTERNAL_ID=$(aws secretsmanager get-secret-value --secret-id "$EXTERNAL_ID_PARAMETER_STORE" --region "$AWS_REGION_NAME" --query 'SecretString' --output text)
   #
   # Create the NHSDeploymentRole that will be used for deployment and CI/CD in All Deployment environments
   #

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+function _substitute_environment_variables() {
+  eval "cat << EOF
+$(cat $1)
+EOF"
+}
+
+AWS_REGION_NAME="eu-west-2"
+ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account)
+
+ENV="dev"
+
+#
+# Check we're not running this against MGMT
+#
+. "./scripts/aws/helpers.sh"
+if _validate_current_account "MGMT"; then
+  echo "Please login to non-mgmt profile before running this script"
+  exit 1
+else
+  if _validate_current_account "PROD"; then
+    ENV="prod"
+  elif _validate_current_account "INT"; then
+    ENV="int"
+  elif _validate_current_account "QA"; then
+    ENV="qa"
+  elif _validate_current_account "INT"; then
+    ENV="int"
+  elif _validate_current_account "REF"; then
+    ENV="ref"
+  fi
+fi
+EXTERNAL_ID_PARAMETER_STORE="${ENV}-external-id"
+MGMT_ID_PARAMETER_STORE="nhse-cpm--${ENV}--mgmt-account-id-v1.0.0"
+
+EXTERNAL_ID=$(aws secretsmanager get-secret-value --secret-id "$EXTERNAL_ID_PARAMETER_STORE" --region "$AWS_REGION_NAME" --query 'SecretString' --output text)
+MGMT_ACCOUNT_ID=$(aws secretsmanager get-secret-value --secret-id "$MGMT_ID_PARAMETER_STORE" --region "$AWS_REGION_NAME" --query 'SecretString' --output text)
+
+tf_assume_role_policy=$(_substitute_environment_variables ./scripts/infrastructure/policies/role-trust-policy.json)
+aws iam update-assume-role-policy --role-name NHSDeploymentRole --policy-document "${tf_assume_role_policy}"
+aws iam update-assume-role-policy --role-name NHSSmokeTestRole --policy-document "${tf_assume_role_policy}"
+
+if [ "$ENV" != "prod" ]; then
+  aws iam update-assume-role-policy --role-name NHSDevelopmentRole --policy-document "${tf_assume_role_policy}"
+  aws iam update-assume-role-policy --role-name NHSTestCIRole --policy-document "${tf_assume_role_policy}"
+fi
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		- [PI-383] External ID
		- [PI-838] product_team includes product_team_id