Fix: [AEA-4902] - use different apigee app per env

.devcontainer/devcontainer.json

@@ -21,7 +21,8 @@
         "version": "latest",
         "moby": "true",
         "installDockerBuildx": "true"
-      }
+      },
+      "ghcr.io/devcontainers/features/github-cli:1": {}
     },
     "customizations": {
       "vscode": {

.github/workflows/ci.yml

@@ -129,7 +129,7 @@ jobs:
       mockOidClientSecret: ${{ secrets.PTL_MOCK_CLIENT_SECRET }}
       CIS2_PRIVATE_KEY: ${{ secrets.PTL_CIS2_PRIVATE_KEY }}
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
-      APIGEE_API_KEY: ${{ secrets.APIGEE_API_KEY }}
+      APIGEE_API_KEY: ${{ secrets.APIGEE_DEV_API_KEY }}
 
   create_release_notes:
     needs: [tag_release, package_code, get_commit_id, release_dev]
@@ -182,4 +182,4 @@ jobs:
       mockOidClientSecret: ${{ secrets.PTL_MOCK_CLIENT_SECRET }}
       CIS2_PRIVATE_KEY: ${{ secrets.PTL_CIS2_PRIVATE_KEY }}
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
-      APIGEE_API_KEY: ${{ secrets.APIGEE_API_KEY }}
+      APIGEE_API_KEY: ${{ secrets.APIGEE_QA_API_KEY }}

.github/workflows/pull_request.yml

@@ -94,7 +94,7 @@ jobs:
       mockOidClientSecret: ${{ secrets.PTL_MOCK_CLIENT_SECRET }}
       CIS2_PRIVATE_KEY: ${{ secrets.PTL_CIS2_PRIVATE_KEY }}
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
-      APIGEE_API_KEY: ${{ secrets.APIGEE_API_KEY }}
+      APIGEE_API_KEY: ${{ secrets.APIGEE_DEV_API_KEY }}
 
   report_deployed_url:
     needs: [release_code, get_issue_number]

.github/workflows/release.yml

@@ -148,7 +148,7 @@ jobs:
       mockOidClientSecret: ${{ secrets.PTL_MOCK_CLIENT_SECRET }}
       CIS2_PRIVATE_KEY: ${{ secrets.PTL_CIS2_PRIVATE_KEY }}
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
-      APIGEE_API_KEY: ${{ secrets.APIGEE_API_KEY }}
+      APIGEE_API_KEY: ${{ secrets.APIGEE_DEV_API_KEY }}
 
   create_release_notes:
     needs: [tag_release, package_code, get_commit_id, release_dev]
@@ -200,7 +200,7 @@ jobs:
       mockOidClientSecret: ${{ secrets.PTL_MOCK_CLIENT_SECRET }}
       CIS2_PRIVATE_KEY: ${{ secrets.PTL_CIS2_PRIVATE_KEY }}
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
-      APIGEE_API_KEY: ${{ secrets.APIGEE_API_KEY }}
+      APIGEE_API_KEY: ${{ secrets.APIGEE_REF_API_KEY }}
 
   release_qa:
     needs: [tag_release, package_code, get_commit_id, release_dev]
@@ -237,7 +237,7 @@ jobs:
       mockOidClientSecret: ${{ secrets.PTL_MOCK_CLIENT_SECRET }}
       CIS2_PRIVATE_KEY: ${{ secrets.PTL_CIS2_PRIVATE_KEY }}
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
-      APIGEE_API_KEY: ${{ secrets.APIGEE_API_KEY }}
+      APIGEE_API_KEY: ${{ secrets.APIGEE_QA_API_KEY }}
 
   release_int:
     needs: [tag_release, package_code, get_commit_id, release_qa]
@@ -274,7 +274,7 @@ jobs:
       mockOidClientSecret: ${{ secrets.PTL_MOCK_CLIENT_SECRET }}
       CIS2_PRIVATE_KEY: ${{ secrets.PTL_CIS2_PRIVATE_KEY }}
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
-      APIGEE_API_KEY: ${{ secrets.APIGEE_API_KEY }}
+      APIGEE_API_KEY: ${{ secrets.APIGEE_INT_API_KEY }}
 
   # release_prod:
   #   needs: [tag_release, package_code, get_commit_id, release_int]

scripts/set_secrets.sh

@@ -7,81 +7,59 @@ check_gh_logged_in() {
     fi
 }
 
-set_secrets() {
-    gh secret set PTL_PRIMARY_OIDC_CLIENT_ID \
-        --repo NHSDigital/eps-prescription-tracker-ui \
-        --app actions \
-        --body "${Cis2PTLClientID}"
-
-    gh secret set PTL_PRIMARY_OIDC_CLIENT_SECRET \
-        --repo NHSDigital/eps-prescription-tracker-ui \
-        --app actions \
-        --body "$Cis2PTLClientSecret"
-
-    gh secret set PTL_CIS2_PRIVATE_KEY \
-        --repo NHSDigital/eps-prescription-tracker-ui \
-        --app actions \
-        --body "$private_key"
-
-    gh secret set PTL_PRIMARY_OIDC_CLIENT_ID \
-        --repo NHSDigital/eps-prescription-tracker-ui \
-        --app dependabot \
-        --body "${Cis2PTLClientID}"
-
-    gh secret set PTL_PRIMARY_OIDC_CLIENT_SECRET \
-        --repo NHSDigital/eps-prescription-tracker-ui \
-        --app dependabot \
-        --body "$Cis2PTLClientSecret"
-
-    gh secret set PTL_CIS2_PRIVATE_KEY \
-        --repo NHSDigital/eps-prescription-tracker-ui \
-        --app dependabot \
-        --body "$private_key"
-
-    # mock secrets
-
-    gh secret set PTL_MOCK_CLIENT_ID \
-        --repo NHSDigital/eps-prescription-tracker-ui \
-        --app actions \
-        --body "$mockClientID"
-
-    gh secret set PTL_MOCK_CLIENT_SECRET \
-        --repo NHSDigital/eps-prescription-tracker-ui \
-        --app actions \
-        --body "$mockClientSecret"
-
-    gh secret set PTL_MOCK_CLIENT_ID \
-        --repo NHSDigital/eps-prescription-tracker-ui \
-        --app dependabot \
-        --body "$mockClientID"
-
-    gh secret set PTL_MOCK_CLIENT_SECRET \
+set_repository_secret() {
+    secret_name=$1
+    secret_value=$2
+    app=$3
+    if [ -z "${secret_value}" ]; then
+        echo "value passed for secret ${secret_name} is unset or set to the empty string. Not setting"
+        return 0
+    fi
+    echo
+    echo "*****************************************"
+    echo
+    echo "setting value for ${secret_name}"
+    echo "secret_value: ${secret_value}"
+    read -r -p "Press Enter to set secret or ctrl+c to exit"
+    gh secret set "${secret_name}" \
         --repo NHSDigital/eps-prescription-tracker-ui \
-        --app dependabot \
-        --body "$mockClientSecret"
+        --app "${app}" \
+        --body "${secret_value}"
 }
 
-if [ -z "${Cis2PTLClientID}" ]; then
-    echo "Cis2PTLClientID is unset or set to the empty string"
-    exit 1
-fi
-if [ -z "${Cis2PTLClientSecret}" ]; then
-    echo "Cis2PTLClientSecret is unset or set to the empty string"
-    exit 1
-fi
-if [ -z "${mockClientID}" ]; then
-    echo "mockClientID is unset or set to the empty string"
-    exit 1
-fi
-if [ -z "${mockClientSecret}" ]; then
-    echo "mockClientSecret is unset or set to the empty string"
-    exit 1
-fi
 
+# this is a locally generated private key
+# the public part of this keypair should be put in packages/staticContent/jwks/jwks.json
 private_key=$(cat .secrets/eps-cpt-ui-test.pem)
 if [ -z "${private_key}" ]; then
     echo "private_key is unset or set to the empty string"
     exit 1
 fi
 check_gh_logged_in
 set_secrets
+
+# these are from cis2 client set up
+set_repository_secret PTL_PRIMARY_OIDC_CLIENT_ID "${PTL_PRIMARY_OIDC_CLIENT_ID}" "actions"
+set_repository_secret PTL_PRIMARY_OIDC_CLIENT_SECRET "${PTL_PRIMARY_OIDC_CLIENT_SECRET}" "actions"
+
+# this is a locally generated private key
+# the public part of this keypair should be put in packages/staticContent/jwks/jwks.json
+set_repository_secret PTL_CIS2_PRIVATE_KEY "${private_key}" "actions"
+
+# need to set these for dependabot as well
+set_repository_secret PTL_PRIMARY_OIDC_CLIENT_ID "${PTL_PRIMARY_OIDC_CLIENT_ID}" "dependabot"
+set_repository_secret PTL_PRIMARY_OIDC_CLIENT_SECRET "${PTL_PRIMARY_OIDC_CLIENT_SECRET}" "dependabot"
+set_repository_secret PTL_CIS2_PRIVATE_KEY "${private_key}" "dependabot"
+
+# these are from the keycloak setup of the mock client
+set_repository_secret PTL_MOCK_CLIENT_ID "${PTL_MOCK_CLIENT_ID}" "actions"
+set_repository_secret PTL_MOCK_CLIENT_SECRET "${PTL_MOCK_CLIENT_SECRET}" "actions"
+set_repository_secret PTL_MOCK_CLIENT_ID "${PTL_MOCK_CLIENT_ID}" "dependabot"
+set_repository_secret PTL_MOCK_CLIENT_SECRET "${PTL_MOCK_CLIENT_SECRET}" "dependabot"
+
+# these are from the apigee client set up
+set_repository_secret APIGEE_DEV_API_KEY "${APIGEE_DEV_API_KEY}" "actions"
+set_repository_secret APIGEE_DEV_API_KEY "${APIGEE_DEV_API_KEY}" "dependabot"
+set_repository_secret APIGEE_REF_API_KEY "${APIGEE_REF_API_KEY}" "actions"
+set_repository_secret APIGEE_QA_API_KEY "${APIGEE_QA_API_KEY}" "actions"
+set_repository_secret APIGEE_INT_API_KEY "${APIGEE_INT_API_KEY}" "actions"