Alterations to proxygen set up and workflows

Author: robbailiff2

.github/workflows/publish-specification.yaml

@@ -45,19 +45,12 @@ jobs:
           pip install proxygen-cli
 
       - name: Set up Proxygen credentials
+        env:
+          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
         run: |
           mkdir -p ~/.proxygen
-
-          if [ "${{ env.APIM_ENV }}" = "preprod" ]; then
-            ENV_PARAM="ptl"
-            PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }}
-          else
-            ENV_PARAM="${{ env.APIM_ENV }}"
-            PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
-          fi
-
-          echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api-${ENV_PARAM}.pem
-          make setup-proxygen-credentials ENV=${ENV_PARAM}
+          echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem
+          make setup-proxygen-credentials ENV=prod
 
       - name: Generate specification
         run: |

.github/workflows/publish_sandbox.yaml

@@ -40,11 +40,11 @@ jobs:
 
       - name: Set up Proxygen credentials
         env:
-          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }}
+          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
         run: |
           mkdir -p ~/.proxygen
           echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem
-          make setup-proxygen-credentials
+          make setup-proxygen-credentials ENV=prod
 
       - name: Generate sandbox specification
         run: |

Makefile

@@ -53,47 +53,60 @@ config:: # Configure development environment (main) @Configuration
 #### Proxygen ####
 ##################
 
+# Proxygen key only exists in our 'dev' AWS Parameter Store
+PROXYGEN_ENV ?= dev
+
+# Specs are published in the APIM 'prod' environment
+APIM_ENV ?= prod
+
+# retrieve-proxygen-key: # Obtain the 'machine user' credentials from AWS SSM (Development environment)
+# 	mkdir -p ~/.proxygen && \
+# 	aws ssm get-parameter --name /proxygen/private_key_temp --with-decryption | jq ".Parameter.Value" --raw-output \
+# 	> ~/.proxygen/eligibility-signposting-api.pem
+#
+# setup-proxygen-credentials: # Copy Proxygen templated credentials to where it expected them
+# 	cd specification && cp -r .proxygen ~
+
 # Verify current AWS account login and retrieve the proxygen key
-# from AWS SSM for the specified environment
-retrieve-proxygen-key: guard-ENV
-	@ ./scripts/check-aws-account.sh $(ENV)
+# from AWS SSM Parameter Store
+retrieve-proxygen-key:
+	@ ./scripts/check-aws-account.sh $(PROXYGEN_ENV)
 	mkdir -p ~/.proxygen
-	@ AWS_ENV=$$([ "$(ENV)" = "ptl" ] && echo "preprod" || echo "$(ENV)"); \
-	aws ssm get-parameter --name /$$AWS_ENV/proxygen/private_key --with-decryption \
+	aws ssm get-parameter --name /$$PROXYGEN_ENV/proxygen/private_key --with-decryption \
 	| jq -r ".Parameter.Value" \
-	> ~/.proxygen/eligibility-signposting-api-$(ENV).pem && \
-	echo "Retrieved proxygen key for '$(ENV)' environment"
+	> ~/.proxygen/eligibility-signposting-api-$(APIM_ENV).pem && \
+	echo "Retrieved proxygen key for APIM '$(APIM_ENV)' environment"
 
 # Copy proxygen credentials for the specified environment to `~/.proxygen/`
 # This location required location for local proxygen usage
 setup-proxygen-credentials: guard-ENV
 	@ cd specification && \
 	cp .proxygen/credentials-$(ENV).yaml ~/.proxygen/credentials.yaml && \
 	cp .proxygen/settings-$(ENV).yaml ~/.proxygen/settings.yaml && \
-	echo "Set up proxygen credentials for the '$(ENV)' environment"
+	echo "Set up proxygen credentials for the APIM '$(ENV)' environment"
 
 get-spec: # Get the most recent specification live in proxygen
 	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec get
 
 get-spec-uat: # Get the most recent specification live in proxygen
-	$(MAKE) setup-proxygen-credentials ENV=ptl
+	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec get --uat
 
 publish-spec: # Publish the specification to proxygen
 	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec publish build/specification/prod/eligibility-signposting-api.yaml
 
 publish-spec-uat: # Publish the specification to proxygen
-	$(MAKE) setup-proxygen-credentials ENV=ptl
+	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec publish build/specification/preprod/eligibility-signposting-api.yaml --uat
 
 delete-spec: # Delete the specification from proxygen
 	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec delete
 
 delete-spec-uat: # Delete the specification from proxygen
-	$(MAKE) setup-proxygen-credentials ENV=ptl
+	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec delete --uat
 
 #####################

scripts/check-aws-account.sh

@@ -4,36 +4,19 @@ set -e
 
 APIM_ENV_NAME="$1"
 
-# Map APIM environment names to AWS account ID and environment name
-case "$APIM_ENV_NAME" in
-  dev)
-    AWS_ENV_NAME="dev"
-    EXPECTED_ACCOUNT="448049830832"
-    ;;
-  ptl)
-    AWS_ENV_NAME="preprod" # Called 'preprod' in AWS and `ptl` in APIM
-    EXPECTED_ACCOUNT="203918864209"
-    ;;
-  prod)
-    AWS_ENV_NAME="prod"
-    EXPECTED_ACCOUNT="476114145616"
-    ;;
-  *)
-    echo "Unknown APIM environment: $APIM_ENV_NAME"
-    exit 1
-    ;;
-esac
+# Expected AWS account for dev environment
+EXPECTED_ACCOUNT="448049830832"
 
 # Read the currently authenticated AWS account
 CURRENT_ACCOUNT=$(aws sts get-caller-identity --query "Account" --output text)
 
 # Compare the current account with the expected account
 if [ "$CURRENT_ACCOUNT" != "$EXPECTED_ACCOUNT" ]; then
   echo "AWS account mismatch!"
-  echo "The expected mapping for the argument 'ENV=$APIM_ENV_NAME' is AWS '$AWS_ENV_NAME' account $EXPECTED_ACCOUNT, but the current AWS account is $CURRENT_ACCOUNT."
+  echo "The expected login is AWS '$APIM_ENV_NAME' account $EXPECTED_ACCOUNT, but the current logged in AWS account is $CURRENT_ACCOUNT."
   echo "Please switch to the correct AWS account and try again."
   echo "Exiting script..."
   exit 1
 fi
 
-echo "Active login to AWS '$AWS_ENV_NAME' account $CURRENT_ACCOUNT verified."
+echo "Active login to AWS '$APIM_ENV_NAME' account $CURRENT_ACCOUNT verified."