NHSDigital · Karthikeyannhs · Oct 3, 2025 · Oct 3, 2025 · Oct 3, 2025 · Oct 3, 2025
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
@@ -9,6 +9,7 @@ on:
     branches:
       - main
       - hotfix/*
+      - fix/bring_back_github_artifacts
   workflow_dispatch: {}
 
 concurrency:
@@ -87,35 +88,35 @@ jobs:
           name: lambda-${{ needs.metadata.outputs.version }}
           path: dist/lambda.zip
 
-      - name: "Download Built Lambdas"
-        uses: actions/download-artifact@v5
-        with:
-          name: lambda-${{ needs.metadata.outputs.version }}
-          path: ./build
-
-      - name: "Configure AWS Credentials"
-        uses: aws-actions/configure-aws-credentials@v5
-        with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
-          aws-region: eu-west-2
-
-      - name: "Terraform Apply"
-        env:
-          ENVIRONMENT: dev
-          WORKSPACE: "default"
-          TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
-          TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
-          TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
-          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
-          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
-
-        run: |
-          mkdir -p ./build
-          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
-          make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
-          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
-          make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
-        working-directory: ./infrastructure
+#      - name: "Download Built Lambdas"
+#        uses: actions/download-artifact@v5
+#        with:
+#          name: lambda-${{ needs.metadata.outputs.version }}
+#          path: ./build
+#
+#      - name: "Configure AWS Credentials"
+#        uses: aws-actions/configure-aws-credentials@v5
+#        with:
+#          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+#          aws-region: eu-west-2
+#
+#      - name: "Terraform Apply"
+#        env:
+#          ENVIRONMENT: dev
+#          WORKSPACE: "default"
+#          TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
+#          TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
+#          TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
+#          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+#          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
+#
+#        run: |
+#          mkdir -p ./build
+#          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
+#          make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
+#          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
+#          make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
+#        working-directory: ./infrastructure
 
       - name: "Tag the dev deployment"
         run: |
@@ -124,23 +125,23 @@ jobs:
           git tag ${{ needs.metadata.outputs.version }}
           git push origin ${{ needs.metadata.outputs.version }}
 
-      - name: "Notify Slack on PR merge"
-        uses: slackapi/[email protected]
-        with:
-          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
-          webhook-type: webhook-trigger
-          payload: |
-            status: "${{ job.status }}"
-            link: "https://github.com/${{ github.repository }}/commit/${{ github.sha }}"
-            Author: "${{ github.actor }}"
-            title: "Pushed to main"
-            version: "${{ needs.metadata.outputs.version }}"
-
-  regression-tests:
-    name: "Regression Tests"
-    needs: publish
-    uses: ./.github/workflows/regression-tests.yml
-    with:
-      ENVIRONMENT: "dev"
-      VERSION_NUMBER: "main"
-    secrets: inherit
+#      - name: "Notify Slack on PR merge"
+#        uses: slackapi/[email protected]
+#        with:
+#          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+#          webhook-type: webhook-trigger
+#          payload: |
+#            status: "${{ job.status }}"
+#            link: "https://github.com/${{ github.repository }}/commit/${{ github.sha }}"
+#            Author: "${{ github.actor }}"
+#            title: "Pushed to main"
+#            version: "${{ needs.metadata.outputs.version }}"
+
+#  regression-tests:
+#    name: "Regression Tests"
+#    needs: publish
+#    uses: ./.github/workflows/regression-tests.yml
+#    with:
+#      ENVIRONMENT: "dev"
+#      VERSION_NUMBER: "main"
+#    secrets: inherit
diff --git a/.github/workflows/cicd-3-test-deploy.yaml b/.github/workflows/cicd-3-test-deploy.yaml
@@ -79,6 +79,7 @@ jobs:
           name: lambda-${{ needs.metadata.outputs.tag }}
           path: ./build
           run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ github.token }}
 
       - name: "Terraform Apply (TEST)"
         env:
@@ -111,11 +112,11 @@ jobs:
             s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
             --region eu-west-2
 
-  regression-tests:
-    name: "Regression Tests"
-    needs: deploy
-    uses: ./.github/workflows/regression-tests.yml
-    with:
-      ENVIRONMENT: "test"
-      VERSION_NUMBER: "main"
-    secrets: inherit
+#  regression-tests:
+#    name: "Regression Tests"
+#    needs: deploy
+#    uses: ./.github/workflows/regression-tests.yml
+#    with:
+#      ENVIRONMENT: "test"
+#      VERSION_NUMBER: "main"
+#    secrets: inherit
diff --git a/.github/workflows/mock_deploy.yaml b/.github/workflows/mock_deploy.yaml
@@ -0,0 +1,122 @@
+name: "mock deploy"
+
+on:
+  workflow_run:
+    workflows: ["2. CD | Deploy to Dev"]
+    types: [completed]
+
+permissions:
+  contents: read
+  id-token: write
+  actions: read
+
+jobs:
+  metadata:
+    name: "Resolve metadata from triggering run"
+    runs-on: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    outputs:
+      terraform_version: ${{ steps.vars.outputs.terraform_version }}
+      tag: ${{ steps.tag.outputs.name }}
+    steps:
+      - name: "Checkout exact commit from CI/CD publish"
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.workflow_run.head_sha }}
+
+      - name: "Set CI/CD variables"
+        id: vars
+        run: |
+          echo "terraform_version=$(grep '^terraform' .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+
+      - name: "Resolve the dev-* tag for this commit"
+        id: tag
+        run: |
+          git fetch --tags --force
+          SHA="${{ github.event.workflow_run.head_sha }}"
+          TAG=$(git tag --points-at "$SHA" | grep '^dev-' | head -n1 || true)
+          if [ -z "$TAG" ]; then
+            echo "No dev-* tag found on $SHA" >&2
+            exit 1
+          fi
+          echo "name=$TAG" >> $GITHUB_OUTPUT
+          echo "Resolved tag: $TAG"
+
+  deploy:
+    name: "Deploy to TEST (approval required)"
+    runs-on: ubuntu-latest
+    needs: [metadata]
+    environment: test
+    timeout-minutes: 10080
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: "Acquire deploy lock"
+        uses: softprops/turnstyle@v3
+        with:
+          poll-interval-seconds: 10
+
+      - name: "Checkout same commit"
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.workflow_run.head_sha }}
+
+#      - name: "Setup Terraform"
+#        uses: hashicorp/setup-terraform@v3
+#        with:
+#          terraform_version: ${{ needs.metadata.outputs.terraform_version }}
+
+      - name: "Configure AWS Credentials"
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+          aws-region: eu-west-2
+
+      - name: "Download lambda artefact from dev workflow"
+        uses: actions/download-artifact@v5
+        with:
+          name: lambda-${{ needs.metadata.outputs.tag }}
+          path: ./build
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ github.token }}
+
+#      - name: "Terraform Apply (TEST)"
+#        env:
+#          ENVIRONMENT: test
+#          WORKSPACE: "default"
+#          TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
+#          TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
+#          TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
+#          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+#          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
+#        run: |
+#          mkdir -p ./build
+#          echo "Deploying tag: ${{ needs.metadata.outputs.tag }}"
+#          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
+#          make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
+#          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
+#          make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
+#        working-directory: ./infrastructure
+#
+#      - name: "Extract S3 bucket name from Terraform output"
+#        id: tf_output
+#        run: |
+#          BUCKET=$(terraform output -raw lambda_artifact_bucket)
+#          echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
+#        working-directory: ./infrastructure/stacks/api-layer
+#
+#      - name: "Upload lambda artifact to S3"
+#        run: |
+#          aws s3 cp ./build/lambda.zip \
+#            s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
+#            --region eu-west-2
+
+#  regression-tests:
+#    name: "Regression Tests"
+#    needs: deploy
+#    uses: ./.github/workflows/regression-tests.yml
+#    with:
+#      ENVIRONMENT: "test"
+#      VERSION_NUMBER: "main"
+#    secrets: inherit
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -331,6 +331,7 @@ resource "aws_iam_policy" "api_infrastructure" {
           "ssm:ListTagsForResource",
           "ssm:PutParameter",
           "ssm:AddTagsToResource",
+          "ssm:DeleteParameter",
 
           # acm
           "acm:ListTagsForCertificate",

diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -232,7 +232,8 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "ssm:GetParameters",
       "ssm:ListTagsForResource",
       "ssm:PutParameter",
-      "ssm:AddTagsToResource"
+      "ssm:AddTagsToResource",
+      "ssm:DeleteParameter"
     ]
 
     resources = ["*"]