
Commit a51077e

CCM-11171 Implement mTLS on proxy
1 parent fe63c53 commit a51077e

12 files changed

+44
-16
lines changed


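--- a/.github/actions/build-proxies/action.yml
+++ b/.github/actions/build-proxies/action.yml
@@ -19,6 +19,16 @@ runs:
 run: npm ci
 shell: bash
 
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v4
+with:
+role-to-assume: arn:aws:iam::820178564574:role/nhs-main-acct-supplier-api-github-deploy
+role-session-name: ${{ github.run_id }}
+aws-region: eu-west-2
+role-skip-session-tagging: true
+
+
+
 - name: Setup Proxy Name and target
 shell: bash
 run: |
@@ -28,12 +38,27 @@ runs:
 echo "INSTANCE=$PROXYGEN_API_NAME" >> $GITHUB_ENV
 echo "TARGET=https://suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
 echo "SANDBOX_TAG=latest" >> $GITHUB_ENV
+echo "MTLS_CRT=/nhs/ssl/ca-crt" >> $GITHUB_ENV
+echo "MTLS_KEY=/nhs/ssl/ca-key" >> $GITHUB_ENV
+echo "MTLS_NAME=notify-supplier-mtls" >> $GITHUB_ENV
 else
 echo "TARGET=https://pr$PR_NUMBER.suppliers.dev.nhsnotify.national.nhs.uk" >> $GITHUB_ENV
 echo "INSTANCE=$PROXYGEN_API_NAME-PR-$PR_NUMBER" >> $GITHUB_ENV
 echo "SANDBOX_TAG=pr$PR_NUMBER" >> $GITHUB_ENV
+echo "MTLS_CRT=/nhs/pr$PR_NUMBER/ssl/ca-crt" >> $GITHUB_ENV
+echo "MTLS_KEY=/nhs/pr$PR_NUMBER/ssl/ca-key" >> $GITHUB_ENV
+echo "MTLS_NAME=notify-supplier-mtls-pr$PR_NUMBER" >> $GITHUB_ENV
+
 fi
 
+- name: Download MTLS Credentials
+shell: bash
+run: |
+mkdir -p ${HOME}/.proxygen
+aws ssm get-parameter --name $MTLS_CRT --with-decryption --query "Parameter.Value" --output text > ${HOME}/.proxygen/mtls.crt
+aws ssm get-parameter --name $MTLS_KEY --with-decryption --query "Parameter.Value" --output text > ${HOME}/.proxygen/mtls.key
+
+
 
 - name: Install Proxygen client
 shell: bash
@@ -50,22 +75,27 @@ runs:
 envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml
 envsubst < ./.github/proxygen-settings.yaml | cat
 
+- name: Register MTLS cert with proxygen
+shell: bash
+run: |
+proxygen secret put --mtls-cert ${HOME}/.proxygen/mtls.crt --mtls-key ${HOME}/.proxygen/mtls.key internal-dev $MTLS_NAME
+
 - name: Build internal dev oas
 working-directory: .
 shell: bash
 run: |
 if [ -z $PR_NUMBER ]
 then
-make build-json-oas-spec APIM_ENV=dev
+make build-json-oas-spec APIM_ENV=internal-dev
 else
-make build-json-oas-spec APIM_ENV=dev-pr
+make build-json-oas-spec APIM_ENV=internal-dev-pr
 fi
 
-- name: Set target
+- name: Set target and cert
 shell: bash
 run: |
 jq --arg newurl "$TARGET" '.["x-nhsd-apim"].target.url = $newurl' build/notify-supplier.json > build/notify-supplier_target.json && mv build/notify-supplier_target.json build/notify-supplier.json
-
+jq --arg newmtls "$MTLS_NAME" '.["x-nhsd-apim"].target.security.secret = $newmtls' build/notify-supplier.json > build/notify-supplier_target.json && mv build/notify-supplier_target.json build/notify-supplier.json
 
 - name: Deploy to Internal Dev
 shell: bash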
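Review bot: In the Download MTLS Credentials step the decrypted private key is written to `${HOME}/.proxygen/mtls.key` by a plain shell redirection, so the file takes the runner's default umask (usually group/world readable) and nothing removes it once `proxygen secret put` has consumed it. Adding `umask 077` as the first line of that `run:` block keeps both files owner-only, and a trailing step with `if: always()` running `rm -f ${HOME}/.proxygen/mtls.crt ${HOME}/.proxygen/mtls.key` stops the key outliving the job on a reused or self-hosted runner. The SSM parameters are named `ca-crt`/`ca-key` yet are registered as the proxy's client certificate and key; if that really is the issuing CA's private key it should be a leaf certificate issued by that CA instead, and if it is only a naming leftover the parameter names deserve a comment so a reader does not assume CA material is being shipped to the proxy. The `runs.steps` list these hunks sit in starts and ends outside the diff.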

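--- a/.github/workflows/stage-3-build.yaml
+++ b/.github/workflows/stage-3-build.yaml
@@ -36,6 +36,9 @@ on:
 required: false
 type: string
 
+permissions:
+id-token: write # This is required for requesting the JWT
+contents: read # This is required for actions/checkout
 jobs:
 artefact-jekyll-docs:
 name: "Build Docs"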
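Review bot: `permissions:` is added at workflow level, so `id-token: write` is granted to every job in the workflow, including `artefact-jekyll-docs` on the very next line, rather than only to the job that exchanges the OIDC token for AWS credentials. Moving the block under the job that invokes the build-proxies action (not visible in this hunk) keeps token minting scoped to that job; the inline comment can then say what consumes it, e.g. `id-token: write # needed by aws-actions/configure-aws-credentials (OIDC)`. Setting `permissions` at any level also replaces the default token grants, so any job in this workflow that needs more than `contents: read` must now declare it explicitly.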

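--- a/.gitignore
+++ b/.gitignore
@@ -25,6 +25,3 @@ dist
 .reports
 /sandbox/*.log
 /sandbox-staging
-/specification/components/x-nhsd-apim/access.yml
-/specification/components/x-nhsd-apim/target.yml
-/specification/components/security/security.yml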

specification/api/components/security/security-dev-pr.yml renamed to specification/api/components/security/security-internal-dev-pr.yml

File renamed without changes.

specification/api/components/security/security-dev.yml renamed to specification/api/components/security/security-internal-dev.yml

File renamed without changes.
Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
$ref: security-dev-pr.yml
1+
$ref: security-sandbox.yml

specification/api/components/x-nhsd-apim/access-dev-pr.yml renamed to specification/api/components/x-nhsd-apim/access-internal-dev-pr.yml

File renamed without changes.

specification/api/components/x-nhsd-apim/access-dev.yml renamed to specification/api/components/x-nhsd-apim/access-internal-dev.yml

File renamed without changes.
Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
$ref: access-dev-pr.yml
1+
$ref: access-sandbox.yml

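--- a/specification/api/components/x-nhsd-apim/target-dev-pr.yml
+++ b/specification/api/components/x-nhsd-apim/target-internal-dev-pr.yml
@@ -2,6 +2,5 @@ type: external
 healthcheck: /_status
 url: https://suppliers.dev.nhsnotify.national.nhs.uk
 security:
-type: apikey
-header: Authorization
-secret: nhs-notify-supplier-key
+type: mtls
+secret: nhs-notify-supplier-mtls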
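Review bot: `secret: nhs-notify-supplier-mtls` does not match either `MTLS_NAME` value the build-proxies action exports (`notify-supplier-mtls` and `notify-supplier-mtls-pr$PR_NUMBER`), so if this component feeds `build/notify-supplier.json` the Set target and cert step overwrites it with jq and the checked-in string is a placeholder that is never deployed, which is worth stating inline: `secret: nhs-notify-supplier-mtls  # placeholder; replaced by MTLS_NAME in build-proxies`. If some build path does not run that step, the proxy would reference a secret name that `proxygen secret put` never registered, and the mismatch should be fixed here instead. The file's `type: external` line sits above this hunk.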
