Merge pull request #321 from NHSDigital/feature/rgjb-eli-604-rotate_proxygen_key_in_ptl_and_prod

Feature/rgjb eli 604 rotate proxygen key in ptl and prod

Author: TOEL2

.github/workflows/dev_sandbox_publish_deploy.yaml

@@ -27,6 +27,7 @@ jobs:
     name: "Publish spec & deploy to dev"
     needs: metadata
     runs-on: ubuntu-latest
+    if: false  # Temporarily skip this job
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
@@ -54,11 +55,11 @@ jobs:
 
       - name: Set up Proxygen credentials
         env:
-          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }}
+          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PTL }}
         run: |
           mkdir -p ~/.proxygen
           echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem
-          make setup-proxygen-credentials
+          make setup-proxygen-credentials ENV=ptl
       - name: Generate specification
         run: |
           make construct-spec APIM_ENV=internal-dev
@@ -98,11 +99,11 @@ jobs:
 
       - name: Set up Proxygen credentials
         env:
-          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }}
+          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
         run: |
           mkdir -p ~/.proxygen
           echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem
-          make setup-proxygen-credentials
+          make setup-proxygen-credentials ENV=prod
       - name: Generate specification
         run: |
           make construct-spec APIM_ENV=sandbox

.github/workflows/preprod_publish_deploy.yaml

@@ -46,11 +46,11 @@ jobs:
           pip install proxygen-cli
       - name: Set up Proxygen credentials
         env:
-          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }}
+          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
         run: |
           mkdir -p ~/.proxygen
           echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem
-          make setup-proxygen-credentials
+          make setup-proxygen-credentials ENV=prod
       - name: Generate specification
         run: |
           make construct-spec APIM_ENV=preprod

.github/workflows/prod_publish_deploy.yaml

@@ -45,11 +45,11 @@ jobs:
           pip install proxygen-cli
       - name: Set up Proxygen credentials
         env:
-          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }}
+          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
         run: |
           mkdir -p ~/.proxygen
           echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem
-          make setup-proxygen-credentials
+          make setup-proxygen-credentials ENV=prod
       - name: Generate specification
         run: |
           make construct-spec APIM_ENV=prod

.github/workflows/publish-specification.yaml

@@ -46,11 +46,11 @@ jobs:
 
       - name: Set up Proxygen credentials
         env:
-          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }}
+          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
         run: |
           mkdir -p ~/.proxygen
           echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem
-          make setup-proxygen-credentials
+          make setup-proxygen-credentials ENV=prod
 
       - name: Generate specification
         run: |

.github/workflows/publish_sandbox.yaml

@@ -37,11 +37,11 @@ jobs:
 
       - name: Set up Proxygen credentials
         env:
-          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }}
+          PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY_PROD }}
         run: |
           mkdir -p ~/.proxygen
           echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem
-          make setup-proxygen-credentials
+          make setup-proxygen-credentials ENV=prod
 
       - name: Generate sandbox specification
         run: |

Makefile

@@ -53,39 +53,51 @@ config:: # Configure development environment (main) @Configuration
 #### Proxygen ####
 ##################
 
-retrieve-proxygen-key: # Obtain the 'machine user' credentials from AWS SSM (Development environment)
-	mkdir -p ~/.proxygen && \
-	aws ssm get-parameter --name /proxygen/private_key_temp --with-decryption | jq ".Parameter.Value" --raw-output \
-	> ~/.proxygen/eligibility-signposting-api.pem
-
-setup-proxygen-credentials: # Copy Proxygen templated credentials to where it expected them
-	cd specification && cp -r .proxygen ~
+# Verify current AWS account login and retrieve the proxygen key
+# from AWS SSM Parameter Store
+retrieve-proxygen-key: guard-ENV
+	@ ./scripts/check-aws-account.sh
+	mkdir -p ~/.proxygen
+	aws ssm get-parameter --name /$$ENV/proxygen/private_key --with-decryption \
+	| jq -r ".Parameter.Value" \
+	> ~/.proxygen/eligibility-signposting-api-$(ENV).pem && \
+	echo "Retrieved proxygen key for APIM '$(ENV)' environment"
+
+# Copy proxygen credentials for the specified environment to `~/.proxygen/`
+# This location required location for local proxygen usage
+setup-proxygen-credentials: guard-ENV
+	@ cd specification && \
+	cp .proxygen/credentials-$(ENV).yaml ~/.proxygen/credentials.yaml && \
+	cp .proxygen/settings-$(ENV).yaml ~/.proxygen/settings.yaml && \
+	echo "Set up proxygen credentials for the APIM '$(ENV)' environment"
 
 get-spec: # Get the most recent specification live in proxygen
-	$(MAKE) setup-proxygen-credentials
+	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec get
 
 get-spec-uat: # Get the most recent specification live in proxygen
-	$(MAKE) setup-proxygen-credentials
+	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec get --uat
 
 publish-spec: # Publish the specification to proxygen
-	$(MAKE) setup-proxygen-credentials
+	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec publish build/specification/prod/eligibility-signposting-api.yaml
 
 publish-spec-uat: # Publish the specification to proxygen
-	$(MAKE) setup-proxygen-credentials
+	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec publish build/specification/preprod/eligibility-signposting-api.yaml --uat
 
 delete-spec: # Delete the specification from proxygen
-	$(MAKE) setup-proxygen-credentials
+	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec delete
 
 delete-spec-uat: # Delete the specification from proxygen
-	$(MAKE) setup-proxygen-credentials
+	$(MAKE) setup-proxygen-credentials ENV=prod
 	proxygen spec delete --uat
 
-# Specification
+#####################
+### Specification ###
+#####################
 
 guard-%:
 	@ if [ "${${*}}" = "" ]; then \

pyproject.toml

@@ -10,7 +10,9 @@ requires-python = ">=3.11"
 repository = "https://github.com/NHSDigital/eligibility-signposting-api-specification"
 homepage = "https://digital.nhs.uk/developer/api-catalogue"
 keywords = ["healthcare", "uk", "nhs", "vaccination", "api"] #TODO add additional keywords
-package_mode = false
+
+[tool.poetry]
+package-mode = false
 
 [build-system]
 requires = ["poetry-core>=2.0.0,<3.0.0"]

scripts/check-aws-account.sh

@@ -0,0 +1,21 @@
+
+#!/usr/bin/env bash
+set -e
+
+# Expected AWS account details for dev environment
+EXPECTED_ENV_NAME="dev"
+EXPECTED_ACCOUNT="448049830832"
+
+# Read the currently authenticated AWS account
+CURRENT_ACCOUNT=$(aws sts get-caller-identity --query "Account" --output text)
+
+# Compare the current account with the expected account
+if [ "$CURRENT_ACCOUNT" != "$EXPECTED_ACCOUNT" ]; then
+  echo "AWS account mismatch!"
+  echo "The expected login is AWS '$EXPECTED_ENV_NAME' account $EXPECTED_ACCOUNT, but the current logged in AWS account is $CURRENT_ACCOUNT."
+  echo "Please switch to the correct AWS account and try again."
+  echo "Exiting script..."
+  exit 1
+fi
+
+echo "Active login to AWS '$EXPECTED_ENV_NAME' account $CURRENT_ACCOUNT verified."

specification/.proxygen/credentials-prod.yaml

@@ -0,0 +1,5 @@
+client_id: eligibility-signposting-api-client
+private_key_path: eligibility-signposting-api-prod.pem
+key_id: 2027-01-21-Prod-eligibility-signposting-api
+base_url: https://identity.prod.api.platform.nhs.uk/realms/api-producers
+

specification/.proxygen/credentials-ptl.yaml

@@ -0,0 +1,4 @@
+client_id: eligibility-signposting-api-client
+private_key_path: eligibility-signposting-api-ptl.pem
+key_id: 2027-01-21-PTL-eligibility-signposting-api
+base_url: https://identity.ptl.api.platform.nhs.uk/realms/api-producers