New: [AEA-6037] - Introduce Proxygen API for PFP (#2254)

## Summary

- ✨ New Feature

### Details

- Introduce PFP Proxygen API by utilising OAS specification from
https://github.com/NHSDigital/prescriptions-for-patients
- Build out deployment pipeline to automatically deploy to Apigee
- Introduce required change to PFP to work with new proxygen headers

---------

Signed-off-by: Connor Avery <[email protected]>
Co-authored-by: Tim Stephenson <[email protected]>

Author: connoravo-nhs

.devcontainer/Dockerfile

@@ -44,9 +44,16 @@ RUN if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then \
 
 # Install ASDF
 RUN ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' /tmp/.tool-versions.asdf) && \
-    wget -O /tmp/asdf.tar.gz https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz; \
-    tar -xvzf /tmp/asdf.tar.gz; \
-    mv asdf /usr/bin
+    if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then \
+      wget -O /tmp/asdf.tar.gz "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz"; \
+    else \
+      wget -O /tmp/asdf.tar.gz "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz"; \
+    fi && \
+    tar -xzf /tmp/asdf.tar.gz -C /tmp && \
+    mkdir -p /usr/bin && \
+    mv /tmp/asdf /usr/bin/asdf && \
+    chmod +x /usr/bin/asdf && \
+    rm -rf /tmp/asdf.tar.gz 
 
 # specify DOCKER_GID to force container docker group id to match host
 RUN if [ -n "${DOCKER_GID}" ]; then \

.github/scripts/deploy_api.sh

@@ -0,0 +1,203 @@
+#!/usr/bin/env bash
+set -eu pipefail
+
+echo "Specification path: ${SPEC_PATH}"
+echo "Specification version: ${VERSION_NUMBER}"
+echo "Stack name: ${STACK_NAME}"
+echo "AWS environment: ${AWS_ENVIRONMENT}"
+echo "Apigee environment: ${APIGEE_ENVIRONMENT}"
+echo "Proxygen private key name: ${PROXYGEN_PRIVATE_KEY_NAME}"
+echo "Proxygen KID: ${PROXYGEN_KID}"
+echo "Dry run: ${DRY_RUN}"
+echo "ENABLE_MUTUAL_TLS: ${ENABLE_MUTUAL_TLS}"
+echo "is_pull_request: ${IS_PULL_REQUEST}"
+
+client_private_key=$(cat ~/.proxygen/tmp/client_private_key)
+client_cert=$(cat ~/.proxygen/tmp/client_cert)
+
+if [ -z "${client_private_key}" ]; then
+    echo "client_private_key is unset or set to the empty string"
+    exit 1
+fi
+if [ -z "${client_cert}" ]; then
+    echo "client_cert is unset or set to the empty string"
+    exit 1
+fi
+
+put_secret_lambda=lambda-resources-ProxygenPTLMTLSSecretPut
+instance_put_lambda=lambda-resources-ProxygenPTLInstancePut
+spec_publish_lambda=lambda-resources-ProxygenPTLSpecPublish
+
+if [[ "$APIGEE_ENVIRONMENT" =~ ^(int|sandbox|prod)$ ]]; then 
+    put_secret_lambda=lambda-resources-ProxygenProdMTLSSecretPut
+    instance_put_lambda=lambda-resources-ProxygenProdInstancePut
+    spec_publish_lambda=lambda-resources-ProxygenProdSpecPublish
+fi
+
+instance_suffix=""
+if [[ "${IS_PULL_REQUEST}" == "true" ]]; then
+    # Extracting the PR ID from $STACK_NAME
+    pr_id=$(echo "$STACK_NAME" | awk -F'-' '{print $NF}')
+    instance_suffix=-"pr-${pr_id}"
+fi
+
+# Determine the proxy instance based on the provided $STACK_NAME
+apigee_api=prescriptions-for-patients-proxygen
+apigee_client=prescriptions-for-patients-proxygen
+instance="pfp-proxygen${instance_suffix}"
+
+echo "Proxy instance: ${instance}"
+echo "Apigee api: ${apigee_api}"
+echo "Apigee client: ${apigee_client}"
+
+echo
+
+echo "Fixing the spec"
+# Find and replace the title
+title=$(jq -r '.info.title' "${SPEC_PATH}")
+if [[ "${IS_PULL_REQUEST}" == "true" ]]; then
+    jq --arg title "[PR-${pr_id}] $title" '.info.title = $title' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+    echo "disabling monitoring for pull request deployment"
+    jq '."x-nhsd-apim".monitoring = false' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+fi
+
+# Find and replace the specification version number 
+jq --arg version "${VERSION_NUMBER}" '.info.version = $version' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+
+# Find and replace the x-nhsd-apim.target.url value
+jq --arg stack_name "${STACK_NAME}" --arg aws_env "${AWS_ENVIRONMENT}" '.["x-nhsd-apim"].target.url = "https://\($stack_name).\($aws_env).eps.national.nhs.uk"' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+
+# Find and replace the servers object
+if [[ "${APIGEE_ENVIRONMENT}" == "prod" ]]; then
+    jq --arg inst "${instance}" '.servers = [ { "url": "https://api.service.nhs.uk/\($inst)" } ]' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+else
+    jq --arg env "${APIGEE_ENVIRONMENT}" --arg inst "${instance}" '.servers = [ { "url": "https://\($env).api.service.nhs.uk/\($inst)" } ]' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+fi
+
+# Find and replace securitySchemes
+if [[ "${APIGEE_ENVIRONMENT}" == "prod" ]]; then
+    jq '.components.securitySchemes."nhs-cis2-aal3" = {"$ref": "https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/nhs-cis2-aal3"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+    jq '.components.securitySchemes."nhs-login-p9" = {"$ref": "https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/nhs-login-p9"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+else
+    jq '.components.securitySchemes."nhs-cis2-aal3" = {"$ref": "https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/nhs-cis2-aal3"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+    jq '.components.securitySchemes."nhs-login-p9" = {"$ref": "https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/nhs-login-p9"}' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+fi
+
+# Find and replace the x-nhsd-apim.target.secret value
+jq --arg mtls_key "${MTLS_KEY}"  '.["x-nhsd-apim"].target.security.secret = "\($mtls_key)"' "${SPEC_PATH}" > temp.json && mv temp.json "${SPEC_PATH}"
+
+# Remove target attributes if the environment is sandbox
+if [[ "${APIGEE_ENVIRONMENT}" == *"sandbox"* ]]; then
+    echo "Removing target attributes for sandbox environment"
+    jq 'del(."x-nhsd-apim"."target-attributes")' "$SPEC_PATH" > temp.json && mv temp.json "${SPEC_PATH}"
+fi
+
+echo
+
+echo "Retrieving proxygen credentials"
+
+# Retrieve the proxygen private key and client private key and cert from AWS Secrets Manager
+proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='secrets:${PROXYGEN_PRIVATE_KEY_NAME}'].Value" --output text)
+
+if [[ "${ENABLE_MUTUAL_TLS}" == "true" ]]; then
+    echo
+    echo "Store the secret used for mutual TLS to AWS using Proxygen proxy lambda"
+    if [[ "${DRY_RUN}" == "false" ]]; then
+        jq -n --arg apiName "${apigee_api}" \
+            --arg apiClient "${apigee_client}" \
+            --arg environment "${APIGEE_ENVIRONMENT}" \
+            --arg secretName "${MTLS_KEY}" \
+            --arg secretKey "${client_private_key}" \
+            --arg secretCert "${client_cert}" \
+            --arg kid "${PROXYGEN_KID}" \
+            --arg proxygenSecretName "${proxygen_private_key_arn}" \
+            '{apiName: $apiName, apiClient: $apiClient, environment: $environment, secretName: $secretName, secretKey: $secretKey, secretCert: $secretCert, kid, $kid, proxygenSecretName: $proxygenSecretName}' > payload.json
+
+        aws lambda invoke --function-name "${put_secret_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json
+        if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then
+            echo 'Error calling lambda'
+            cat out.txt
+            exit 1
+        fi
+        echo "Secret stored successfully"
+    else
+        echo "Would call ${put_secret_lambda}"
+    fi
+fi
+
+echo
+echo "Deploy the API instance using Proxygen proxy lambda"
+if [[ "${DRY_RUN}" == "false" ]]; then
+
+    jq -n --argfile spec "${SPEC_PATH}" \
+        --arg apiName "${apigee_api}" \
+        --arg apiClient "${apigee_client}" \
+        --arg environment "${APIGEE_ENVIRONMENT}" \
+        --arg instance "${instance}" \
+        --arg kid "${PROXYGEN_KID}" \
+        --arg proxygenSecretName "${proxygen_private_key_arn}" \
+        '{apiName: $apiName, apiClient: $apiClient, environment: $environment, specDefinition: $spec, instance: $instance, kid: $kid, proxygenSecretName: $proxygenSecretName}' > payload.json
+
+    aws lambda invoke --function-name "${instance_put_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json
+
+    if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then
+        echo 'Error calling lambda'
+        cat out.txt
+        exit 1
+    fi
+    echo "Instance deployed"
+else
+    echo "Would call ${instance_put_lambda}"
+fi
+
+# if [[ "${APIGEE_ENVIRONMENT}" == "int" ]]; then
+#     echo
+#     echo "Deploy the API spec to prod catalogue as it is int environment"
+#     if [[ "${DRY_RUN}" == "false" ]]; then
+#         jq -n --argfile spec "${SPEC_PATH}" \
+#             --arg apiName "${apigee_api}" \
+#             --arg apiClient "${apigee_client}" \
+#             --arg environment "prod" \
+#             --arg instance "${instance}" \
+#             --arg kid "${PROXYGEN_KID}" \
+#             --arg proxygenSecretName "${proxygen_private_key_arn}" \
+#             '{apiName: $apiName, apiClient: $apiClient, environment: $environment, specDefinition: $spec, instance: $instance, kid: $kid, proxygenSecretName: $proxygenSecretName}' > payload.json
+
+#         aws lambda invoke --function-name "${spec_publish_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json
+
+#         if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then
+#             echo 'Error calling lambda'
+#             cat out.txt
+#             exit 1
+#         fi
+#         echo "Spec deployed"
+#     else
+#         echo "Would call ${spec_publish_lambda}"
+#     fi
+# fi
+
+if [[ "${APIGEE_ENVIRONMENT}" == "internal-dev" && "${IS_PULL_REQUEST}" == "false" ]]; then
+    echo
+    echo "Deploy the API spec to uat catalogue as it is internal-dev environment"
+    if [[ "${DRY_RUN}" == "false" ]]; then
+        jq -n --argfile spec "${SPEC_PATH}" \
+            --arg apiName "${apigee_api}" \
+            --arg apiClient "${apigee_client}" \
+            --arg environment "uat" \
+            --arg instance "${instance}" \
+            --arg kid "${PROXYGEN_KID}" \
+            --arg proxygenSecretName "${proxygen_private_key_arn}" \
+            '{apiName: $apiName, apiClient: $apiClient, environment: $environment, specDefinition: $spec, instance: $instance, kid: $kid, proxygenSecretName: $proxygenSecretName}' > payload.json
+
+        aws lambda invoke --function-name "${spec_publish_lambda}" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json
+
+        if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then
+            echo 'Error calling lambda'
+            cat out.txt
+            exit 1
+        fi
+        echo "Spec deployed"
+    else
+        echo "Would call ${spec_publish_lambda}"
+    fi
+fi

.github/scripts/release_code.sh

@@ -52,4 +52,5 @@ sam deploy \
       ForwardCsocLogs="$FORWARD_CSOC_LOGS" \
       TC007NHSNumberValue="$TC007_NHS_NUMBERS" \
       TC008NHSNumberValue="$TC008_NHS_NUMBERS" \
-      TC009NHSNumberValue="$TC009_NHS_NUMBERS"
+      TC009NHSNumberValue="$TC009_NHS_NUMBERS" \
+      AllowNHSNumberOverride="$ALLOW_NHS_NUMBER_OVERRIDE"

.github/workflows/ci.yml

@@ -67,6 +67,7 @@ jobs:
       TARGET_ENVIRONMENT: dev
       APIGEE_ENVIRONMENT: internal-dev
       ENABLE_MUTUAL_TLS: true
+      MTLS_KEY: prescriptions-for-patients-mtls-1
       BUILD_ARTIFACT: packaged_code
       TRUSTSTORE_FILE: pfp-truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
@@ -81,6 +82,8 @@ jobs:
       RUN_REGRESSION_TESTS: true
       REGRESSION_TEST_PRODUCT: PFP-APIGEE
       FORWARD_CSOC_LOGS: false
+      ALLOW_NHS_NUMBER_OVERRIDE: true
+      REGRESSION_TEST_NON_PROXYGEN: true
     secrets:
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -90,6 +93,7 @@ jobs:
       INT_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.INT_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
       PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
       DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }}
+      PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}
 
   release_dev_sandbox:
     needs: [tag_release, package_code, get_commit_id]
@@ -100,6 +104,7 @@ jobs:
       TARGET_ENVIRONMENT: dev
       APIGEE_ENVIRONMENT: internal-dev-sandbox
       ENABLE_MUTUAL_TLS: true
+      MTLS_KEY: prescriptions-for-patients-mtls-1
       BUILD_ARTIFACT: packaged_sandbox_code
       TRUSTSTORE_FILE: pfp-sandbox-truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
@@ -109,11 +114,13 @@ jobs:
       STATE_MACHINE_LOG_LEVEL: ALL
       RUN_REGRESSION_TESTS: false
       FORWARD_CSOC_LOGS: false
+      ALLOW_NHS_NUMBER_OVERRIDE: true
     secrets:
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
       TARGET_SPINE_SERVER: sandbox
       TARGET_SERVICE_SEARCH_SERVER: sandbox
+      PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}
 
   release_qa:
     needs:
@@ -131,6 +138,7 @@ jobs:
       TARGET_ENVIRONMENT: qa
       APIGEE_ENVIRONMENT: internal-qa
       ENABLE_MUTUAL_TLS: true
+      MTLS_KEY: prescriptions-for-patients-mtls-1
       BUILD_ARTIFACT: packaged_code
       TRUSTSTORE_FILE: pfp-truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
@@ -143,8 +151,11 @@ jobs:
       RUN_REGRESSION_TESTS: true
       REGRESSION_TEST_PRODUCT: PFP-APIGEE
       FORWARD_CSOC_LOGS: false
+      ALLOW_NHS_NUMBER_OVERRIDE: true
+      REGRESSION_TEST_NON_PROXYGEN: true
     secrets:
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}
       TARGET_SPINE_SERVER: ${{ secrets.QA_TARGET_SPINE_SERVER }}
       TARGET_SERVICE_SEARCH_SERVER: ${{ secrets.QA_TARGET_SERVICE_SEARCH_SERVER }}
+      PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}

.github/workflows/pull_request.yml

@@ -100,13 +100,15 @@ jobs:
     needs: [get_issue_number, package_code, get_commit_id]
     uses: ./.github/workflows/sam_release_code.yml
     with:
+      IS_PULL_REQUEST: true
       STACK_NAME: pfp-pr-${{needs.get_issue_number.outputs.issue_number}}
       ARTIFACT_BUCKET_PREFIX: PR-${{needs.get_issue_number.outputs.issue_number}}
-      TARGET_ENVIRONMENT: dev-pr
+      TARGET_ENVIRONMENT: dev
       APIGEE_ENVIRONMENT: internal-dev
       ENABLE_MUTUAL_TLS: false
+      MTLS_KEY: prescriptions-for-patients-mtls-1
       BUILD_ARTIFACT: packaged_code
-      TRUSTSTORE_FILE: pfp-truststore.pem
+      TRUSTSTORE_FILE: pfp-truststore-pr.pem
       VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
       LOG_LEVEL: DEBUG
@@ -117,21 +119,24 @@ jobs:
       RUN_REGRESSION_TESTS: true
       REGRESSION_TEST_PRODUCT: PFP-AWS
       FORWARD_CSOC_LOGS: false
+      DEPLOY_APIGEE: true
+      ALLOW_NHS_NUMBER_OVERRIDE: true
     secrets:
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
       TARGET_SPINE_SERVER: ${{ secrets.DEV_TARGET_SPINE_SERVER }}
       TARGET_SERVICE_SEARCH_SERVER: ${{ secrets.DEV_TARGET_SERVICE_SEARCH_SERVER }}
-
+      PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}
   release_sandbox_code:
     needs: [get_issue_number, package_code, get_commit_id]
     uses: ./.github/workflows/sam_release_code.yml
     with:
       STACK_NAME: pfp-pr-${{needs.get_issue_number.outputs.issue_number}}-sandbox
       ARTIFACT_BUCKET_PREFIX: PR-sandbox-${{needs.get_issue_number.outputs.issue_number}}
-      TARGET_ENVIRONMENT: dev-pr
+      TARGET_ENVIRONMENT: dev
       APIGEE_ENVIRONMENT: internal-dev-sandbox
       ENABLE_MUTUAL_TLS: false
+      MTLS_KEY: prescriptions-for-patients-mtls-1
       BUILD_ARTIFACT: packaged_sandbox_code
       TRUSTSTORE_FILE: pfp-sandbox-truststore.pem
       VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
@@ -141,8 +146,11 @@ jobs:
       STATE_MACHINE_LOG_LEVEL: ALL
       RUN_REGRESSION_TESTS: false
       FORWARD_CSOC_LOGS: false
+      DEPLOY_APIGEE: false
+      ALLOW_NHS_NUMBER_OVERRIDE: true
     secrets:
       REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
       TARGET_SPINE_SERVER: sandbox
       TARGET_SERVICE_SEARCH_SERVER: sandbox
+      PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}