|
| 1 | +#!/usr/bin/env bash |
| 2 | +set -eu pipefail |
| 3 | + |
| 4 | +echo "Specification path: ${SPEC_PATH}" |
| 5 | +echo "Specification version: ${VERSION_NUMBER}" |
| 6 | +echo "Stack name: ${STACK_NAME}" |
| 7 | +echo "AWS environment: ${AWS_ENVIRONMENT}" |
| 8 | +echo "Apigee environment: ${APIGEE_ENVIRONMENT}" |
| 9 | +echo "Proxygen private key name: ${PROXYGEN_PRIVATE_KEY_NAME}" |
| 10 | +echo "Proxygen KID: ${PROXYGEN_KID}" |
| 11 | +echo "Dry run: ${DRY_RUN}" |
| 12 | +echo "ENABLE_MUTUAL_TLS: ${ENABLE_MUTUAL_TLS}" |
| 13 | +echo "is_pull_request: ${IS_PULL_REQUEST}" |
| 14 | + |
| 15 | +client_private_key=$(cat ~/.proxygen/tmp/client_private_key) |
| 16 | +client_cert=$(cat ~/.proxygen/tmp/client_cert) |
| 17 | + |
| 18 | +if [ -z "${client_private_key}" ]; then |
| 19 | + echo "client_private_key is unset or set to the empty string" |
| 20 | + exit 1 |
| 21 | +fi |
| 22 | +if [ -z "${client_cert}" ]; then |
| 23 | + echo "client_cert is unset or set to the empty string" |
| 24 | + exit 1 |
| 25 | +fi |
| 26 | + |
| 27 | +put_secret_lambda=lambda-resources-ProxygenPTLMTLSSecretPut |
| 28 | +instance_put_lambda=lambda-resources-ProxygenPTLInstancePut |
| 29 | +spec_publish_lambda=lambda-resources-ProxygenPTLSpecPublish |
| 30 | + |
| 31 | +if [[ "$APIGEE_ENVIRONMENT" =~ ^(int|sandbox|prod)$ ]]; then |
| 32 | + put_secret_lambda=lambda-resources-ProxygenProdMTLSSecretPut |
| 33 | + instance_put_lambda=lambda-resources-ProxygenProdInstancePut |
| 34 | + spec_publish_lambda=lambda-resources-ProxygenProdSpecPublish |
| 35 | +fi |
| 36 | + |
| 37 | +instance_suffix="" |
| 38 | +if [[ "${IS_PULL_REQUEST}" == "true" ]]; then |
| 39 | + # Extracting the PR ID from $STACK_NAME |
| 40 | + pr_id=$(echo "$STACK_NAME" | awk -F'-' '{print $NF}') |
| 41 | + instance_suffix=-"pr-${pr_id}" |
| 42 | +fi |
| 43 | + |
| 44 | +# Determine the proxy instance based on the provided $STACK_NAME |
| 45 | +apigee_api=pfp-proxygen |
| 46 | +instance="pfp-proxygen${instance_suffix}" |
| 47 | + |
| 48 | +echo "Proxy instance: ${instance}" |
| 49 | +echo "Apigee api: ${apigee_api}" |
| 50 | + |
| 51 | +echo |
| 52 | + |
| 53 | +echo "Fixing the spec" |
| 54 | +# Find and replace the title |
| 55 | +title=$(jq -r '.info.title' "${SPEC_PATH}") |
| 56 | +if [[ "${IS_PULL_REQUEST}" == "true" ]]; then |
| 57 | + jq --arg title "[PR-${pr_id}] $title" '.info.title = $title' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" |
| 58 | + echo "disabling monitoring for pull request deployment" |
| 59 | + jq '."x-nhsd-apim".monitoring = false' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" |
| 60 | +fi |
| 61 | + |
| 62 | +# Find and replace the specification version number |
| 63 | +jq --arg version "${VERSION_NUMBER}" '.info.version = $version' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" |
| 64 | + |
| 65 | +# Find and replace the x-nhsd-apim.target.url value |
| 66 | +jq --arg stack_name "${STACK_NAME}" --arg aws_env "${AWS_ENVIRONMENT}" '.["x-nhsd-apim"].target.url = "https://\($stack_name).\($aws_env).eps.national.nhs.uk"' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" |
| 67 | + |
| 68 | +# Find and replace the servers object |
| 69 | +if [[ "${APIGEE_ENVIRONMENT}" == "prod" ]]; then |
| 70 | + jq --arg inst "${instance}" '.servers = [ { "url": "https://api.service.nhs.uk/\($inst)" } ]' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" |
| 71 | +else |
| 72 | + jq --arg env "${APIGEE_ENVIRONMENT}" --arg inst "${instance}" '.servers = [ { "url": "https://\($env).api.service.nhs.uk/\($inst)" } ]' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" |
| 73 | +fi |
| 74 | + |
| 75 | +# Find and replace securitySchemes |
| 76 | +if [[ "${APIGEE_ENVIRONMENT}" == "prod" ]]; then |
| 77 | + jq '.components.securitySchemes."nhs-cis2-aal3" = {"$ref": "https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/nhs-cis2-aal3"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" |
| 78 | +else |
| 79 | + jq '.components.securitySchemes."nhs-cis2-aal3" = {"$ref": "https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/nhs-cis2-aal3"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" |
| 80 | +fi |
| 81 | + |
| 82 | +# Find and replace the x-nhsd-apim.target.secret value |
| 83 | +jq --arg mtls_key "${MTLS_KEY}" '.["x-nhsd-apim"].target.security.secret = "\($mtls_key)"' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}" |
| 84 | + |
| 85 | +# Remove target attributes if the environment is sandbox |
| 86 | +if [[ "${APIGEE_ENVIRONMENT}" == *"sandbox"* ]]; then |
| 87 | + echo "Removing target attributes for sandbox environment" |
| 88 | + jq 'del(."x-nhsd-apim"."target-attributes")' "$SPEC_PATH" > temp.json && mv temp.json "${SPEC_PATH}" |
| 89 | +fi |
| 90 | + |
| 91 | +echo |
| 92 | + |
| 93 | +echo "Retrieving proxygen credentials" |
| 94 | + |
| 95 | +# Retrieve the proxygen private key and client private key and cert from AWS Secrets Manager |
| 96 | +proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:${PROXYGEN_PRIVATE_KEY_NAME}'].Value" --output text) |
| 97 | + |
| 98 | +if [[ "${ENABLE_MUTUAL_TLS}" == "true" ]]; then |
| 99 | + echo |
| 100 | + echo "Store the secret used for mutual TLS to AWS using Proxygen proxy lambda" |
| 101 | + if [[ "${DRY_RUN}" == "false" ]]; then |
| 102 | + jq -n --arg apiName "${apigee_api}" \ |
| 103 | + --arg environment "${APIGEE_ENVIRONMENT}" \ |
| 104 | + --arg secretName "${MTLS_KEY}" \ |
| 105 | + --arg secretKey "${client_private_key}" \ |
| 106 | + --arg secretCert "${client_cert}" \ |
| 107 | + --arg kid "${PROXYGEN_KID}" \ |
| 108 | + --arg proxygenSecretName "${proxygen_private_key_arn}" \ |
| 109 | + '{apiName: $apiName, environment: $environment, secretName: $secretName, secretKey: $secretKey, secretCert: $secretCert, kid, $kid, proxygenSecretName: $proxygenSecretName}' > payload.json |
| 110 | + |
| 111 | + aws lambda invoke --function-name "${put_secret_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json |
| 112 | + if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then |
| 113 | + echo 'Error calling lambda' |
| 114 | + cat out.txt |
| 115 | + exit 1 |
| 116 | + fi |
| 117 | + echo "Secret stored successfully" |
| 118 | + else |
| 119 | + echo "Would call ${put_secret_lambda}" |
| 120 | + fi |
| 121 | +fi |
| 122 | + |
| 123 | +echo |
| 124 | +echo "Deploy the API instance using Proxygen proxy lambda" |
| 125 | +if [[ "${DRY_RUN}" == "false" ]]; then |
| 126 | + |
| 127 | + jq -n --argfile spec "${SPEC_PATH}" \ |
| 128 | + --arg apiName "${apigee_api}" \ |
| 129 | + --arg environment "${APIGEE_ENVIRONMENT}" \ |
| 130 | + --arg instance "${instance}" \ |
| 131 | + --arg kid "${PROXYGEN_KID}" \ |
| 132 | + --arg proxygenSecretName "${proxygen_private_key_arn}" \ |
| 133 | + '{apiName: $apiName, environment: $environment, specDefinition: $spec, instance: $instance, kid: $kid, proxygenSecretName: $proxygenSecretName}' > payload.json |
| 134 | + |
| 135 | + aws lambda invoke --function-name "${instance_put_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json |
| 136 | + |
| 137 | + if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then |
| 138 | + echo 'Error calling lambda' |
| 139 | + cat out.txt |
| 140 | + exit 1 |
| 141 | + fi |
| 142 | + echo "Instance deployed" |
| 143 | +else |
| 144 | + echo "Would call ${instance_put_lambda}" |
| 145 | +fi |
| 146 | + |
| 147 | +# if [[ "${APIGEE_ENVIRONMENT}" == "int" ]]; then |
| 148 | +# echo |
| 149 | +# echo "Deploy the API spec to prod catalogue as it is int environment" |
| 150 | +# if [[ "${DRY_RUN}" == "false" ]]; then |
| 151 | +# jq -n --argfile spec "${SPEC_PATH}" \ |
| 152 | +# --arg apiName "${apigee_api}" \ |
| 153 | +# --arg environment "prod" \ |
| 154 | +# --arg instance "${instance}" \ |
| 155 | +# --arg kid "${PROXYGEN_KID}" \ |
| 156 | +# --arg proxygenSecretName "${proxygen_private_key_arn}" \ |
| 157 | +# '{apiName: $apiName, environment: $environment, specDefinition: $spec, instance: $instance, kid: $kid, proxygenSecretName: $proxygenSecretName}' > payload.json |
| 158 | + |
| 159 | +# aws lambda invoke --function-name "${spec_publish_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json |
| 160 | + |
| 161 | +# if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then |
| 162 | +# echo 'Error calling lambda' |
| 163 | +# cat out.txt |
| 164 | +# exit 1 |
| 165 | +# fi |
| 166 | +# echo "Spec deployed" |
| 167 | +# else |
| 168 | +# echo "Would call ${spec_publish_lambda}" |
| 169 | +# fi |
| 170 | +# fi |
| 171 | + |
| 172 | +if [[ "${APIGEE_ENVIRONMENT}" == "internal-dev" && "${IS_PULL_REQUEST}" == "false" ]]; then |
| 173 | + echo |
| 174 | + echo "Deploy the API spec to uat catalogue as it is internal-dev environment" |
| 175 | + if [[ "${DRY_RUN}" == "false" ]]; then |
| 176 | + jq -n --argfile spec "${SPEC_PATH}" \ |
| 177 | + --arg apiName "${apigee_api}" \ |
| 178 | + --arg environment "uat" \ |
| 179 | + --arg instance "${instance}" \ |
| 180 | + --arg kid "${PROXYGEN_KID}" \ |
| 181 | + --arg proxygenSecretName "${proxygen_private_key_arn}" \ |
| 182 | + '{apiName: $apiName, environment: $environment, specDefinition: $spec, instance: $instance, kid: $kid, proxygenSecretName: $proxygenSecretName}' > payload.json |
| 183 | + |
| 184 | + aws lambda invoke --function-name "${spec_publish_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json |
| 185 | + |
| 186 | + if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then |
| 187 | + echo 'Error calling lambda' |
| 188 | + cat out.txt |
| 189 | + exit 1 |
| 190 | + fi |
| 191 | + echo "Spec deployed" |
| 192 | + else |
| 193 | + echo "Would call ${spec_publish_lambda}" |
| 194 | + fi |
| 195 | +fi |
0 commit comments