From 7e83ca26024eac6634b5895a4576ef59b34f2939 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Mon, 27 Apr 2026 13:12:23 +0000 Subject: [PATCH 1/4] move to new import names --- packages/cdkConstructs/src/constants.ts | 30 +++++++++---------- .../tests/constructs/RestApiGateway.test.ts | 8 ++--- .../pythonLambdaFunctionConstruct.test.ts | 14 ++++----- .../constructs/stateMachineConstruct.test.ts | 4 +-- .../typescriptFunctionConstruct.test.ts | 14 ++++----- 5 files changed, 35 insertions(+), 35 deletions(-) diff --git a/packages/cdkConstructs/src/constants.ts b/packages/cdkConstructs/src/constants.ts index 03edbd6c..7d159891 100644 --- a/packages/cdkConstructs/src/constants.ts +++ b/packages/cdkConstructs/src/constants.ts 
@@ -5,27 +5,27 @@ export const CDK_ENV_PREFIX = "CDK_CONFIG_" /** Imported cross-stack account resource values used by constructs in this package. */ export const ACCOUNT_RESOURCES = { - CloudwatchEncryptionKMSPolicyArn: Fn.importValue("account-resources:CloudwatchEncryptionKMSPolicyArn"), - CloudwatchLogsKmsKeyArn: Fn.importValue("account-resources:CloudwatchLogsKmsKeyArn"), + CloudwatchEncryptionKMSPolicyArn: Fn.importValue("account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn"), + CloudwatchLogsKmsKeyArn: Fn.importValue("account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn"), EpsDomainName: Fn.importValue("eps-route53-resources:EPS-domain"), EpsZoneId: Fn.importValue("eps-route53-resources:EPS-ZoneID"), - LambdaAccessSecretsPolicy: Fn.importValue("account-resources:LambdaAccessSecretsPolicy"), - LambdaDecryptSecretsKMSPolicy: Fn.importValue("account-resources:LambdaDecryptSecretsKMSPolicy"), - SpinePrivateKeyARN: Fn.importValue("account-resources:SpinePrivateKey"), - SpinePublicCertificateARN: Fn.importValue("account-resources:SpinePublicCertificate"), - SpineASIDARN: Fn.importValue("account-resources:SpineASID"), - SpinePartyKeyARN: Fn.importValue("account-resources:SpinePartyKey"), - SpineCAChainARN: Fn.importValue("account-resources:SpineCAChain"), - TrustStoreBucket: Fn.importValue("account-resources:TrustStoreBucket"), - TrustStoreBucketKMSKey: Fn.importValue("account-resources:TrustStoreBucketKMSKey"), - TrustStoreDeploymentBucket: Fn.importValue("account-resources:TrustStoreDeploymentBucket") + LambdaAccessSecretsPolicy: Fn.importValue("secrets-cdk:IAM:LambdaAccessSecretsPolicy:Arn"), + LambdaDecryptSecretsKMSPolicy: Fn.importValue("secrets-cdk:IAM:LambdaDecryptSecretsKMSPolicy:Arn"), + SpinePrivateKeyARN: Fn.importValue("secrets-cdk:Secrets:SpinePrivateKey:Arn"), + SpinePublicCertificateARN: Fn.importValue("secrets-cdk:Secrets:SpinePublicCertificate:Arn"), + SpineASIDARN: Fn.importValue("secrets-cdk:Secrets:SpineASID:Arn"), + SpinePartyKeyARN: 
Fn.importValue("secrets-cdk:Secrets:SpinePartyKey:Arn"), + SpineCAChainARN: Fn.importValue("secrets-cdk:Secrets:SpineCAChain:Arn"), + TrustStoreBucket: Fn.importValue("account-resources-cdk-uk:Bucket:TrustStoreBucket:Arn"), + TrustStoreBucketKMSKey: Fn.importValue("account-resources-cdk-uk:KMS:TrustStoreBucketKMSKey:Arn"), + TrustStoreDeploymentBucket: Fn.importValue("account-resources-cdk-uk:Bucket:TrustStoreDeploymentBucket:Arn") } /** Imported shared Lambda resource values used by Lambda and API Gateway constructs. */ export const LAMBDA_RESOURCES = { - LambdaInsightsLogGroupPolicy: Fn.importValue("lambda-resources:LambdaInsightsLogGroupPolicy"), - SplunkDeliveryStream: Fn.importValue("lambda-resources:SplunkDeliveryStream"), - SplunkSubscriptionFilterRole: Fn.importValue("lambda-resources:SplunkSubscriptionFilterRole") + LambdaInsightsLogGroupPolicy: Fn.importValue("account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn"), + SplunkDeliveryStream: Fn.importValue("account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn"), + SplunkSubscriptionFilterRole: Fn.importValue("account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn") } /** Shared cfn-guard rule identifiers used for metadata suppressions. */ diff --git a/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts b/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts index a0e96499..df5c10c9 100644 --- a/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts +++ b/packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts @@ -48,7 +48,7 @@ describe("RestApiGateway without mTLS", () => { test("creates CloudWatch log group with correct properties", () => { template.hasResourceProperties("AWS::Logs::LogGroup", { LogGroupName: "/aws/apigateway/test-stack-apigw", - KmsKeyId: {"Fn::ImportValue": "account-resources:CloudwatchLogsKmsKeyArn"}, + KmsKeyId: {"Fn::ImportValue": "account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn"}, RetentionInDays: 30 }) }) 
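Review bot: The stack prefixes `account-resources-cdk-uk` and `secrets-cdk` are repeated as string literals in every entry of `ACCOUNT_RESOURCES` and `LAMBDA_RESOURCES` in constants.ts, and nothing in the file states the naming scheme or the deployment dependency they create. The names appear to follow stack:service:resource:attribute, and `Fn.importValue` only resolves against exports in the same account and region, so a consuming stack will fail to deploy wherever those two stacks are not already in place. I would add a comment above `ACCOUNT_RESOURCES` such as `/** Export names follow <stack>:<service>:<resource>:<attribute>; the exporting stacks must be deployed in the same account and region first. */` and hoist the two prefixes into named constants. The test hunks in this commit assert the same literals, so they pin the strings but cannot show that the exporting stacks actually publish these names. The log-encryption key, the Splunk forwarding role and the secret-access policies all depend on these imports, so a check against the real exports before release is worth the effort.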
@@ -56,8 +56,8 @@ describe("RestApiGateway without mTLS", () => { test("creates Splunk subscription filter", () => { template.hasResourceProperties("AWS::Logs::SubscriptionFilter", { FilterPattern: "", - RoleArn: {"Fn::ImportValue": "lambda-resources:SplunkSubscriptionFilterRole"}, - DestinationArn: {"Fn::ImportValue": "lambda-resources:SplunkDeliveryStream"} + RoleArn: {"Fn::ImportValue": "account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn"}, + DestinationArn: {"Fn::ImportValue": "account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn"} }) }) @@ -269,7 +269,7 @@ describe("RestApiGateway with mTLS", () => { test("creates trust store deployment log group", () => { template.hasResourceProperties("AWS::Logs::LogGroup", { LogGroupName: "/aws/lambda/test-stack-truststore-deployment", - KmsKeyId: {"Fn::ImportValue": "account-resources:CloudwatchLogsKmsKeyArn"}, + KmsKeyId: {"Fn::ImportValue": "account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn"}, RetentionInDays: 30 }) }) diff --git a/packages/cdkConstructs/tests/constructs/pythonLambdaFunctionConstruct.test.ts b/packages/cdkConstructs/tests/constructs/pythonLambdaFunctionConstruct.test.ts index 7f618713..d2709433 100644 --- a/packages/cdkConstructs/tests/constructs/pythonLambdaFunctionConstruct.test.ts +++ b/packages/cdkConstructs/tests/constructs/pythonLambdaFunctionConstruct.test.ts @@ -66,7 +66,7 @@ describe("pythonFunctionConstruct works correctly", () => { test("it has the correct log group", () => { template.hasResourceProperties("AWS::Logs::LogGroup", { LogGroupName: "/aws/lambda/testPythonLambda", - KmsKeyId: {"Fn::ImportValue": "account-resources:CloudwatchLogsKmsKeyArn"}, + KmsKeyId: {"Fn::ImportValue": "account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn"}, RetentionInDays: 30 }) }) 
@@ -92,8 +92,8 @@ describe("pythonFunctionConstruct works correctly", () => { template.hasResourceProperties("AWS::Logs::SubscriptionFilter", { LogGroupName: {"Ref": lambdaLogGroupResource.Ref}, FilterPattern: "", - RoleArn: {"Fn::ImportValue": "lambda-resources:SplunkSubscriptionFilterRole"}, - DestinationArn: {"Fn::ImportValue": "lambda-resources:SplunkDeliveryStream"} + RoleArn: {"Fn::ImportValue": "account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn"}, + DestinationArn: {"Fn::ImportValue": "account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn"} }) }) @@ -108,8 +108,8 @@ describe("pythonFunctionConstruct works correctly", () => { }] }, ManagedPolicyArns: Match.arrayWith([ - {"Fn::ImportValue": "lambda-resources:LambdaInsightsLogGroupPolicy"}, - {"Fn::ImportValue": "account-resources:CloudwatchEncryptionKMSPolicyArn"} + {"Fn::ImportValue": "account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn"}, + {"Fn::ImportValue": "account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn"} ]) }) }) @@ -215,8 +215,8 @@ describe("pythonFunctionConstruct works correctly with additional policies", () test("it has the correct policies in the role", () => { template.hasResourceProperties("AWS::IAM::Role", { ManagedPolicyArns: Match.arrayWith([ - {"Fn::ImportValue": "lambda-resources:LambdaInsightsLogGroupPolicy"}, - {"Fn::ImportValue": "account-resources:CloudwatchEncryptionKMSPolicyArn"}, + {"Fn::ImportValue": "account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn"}, + {"Fn::ImportValue": "account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn"}, {Ref: testPolicyResource.Ref} ]) }) diff --git a/packages/cdkConstructs/tests/constructs/stateMachineConstruct.test.ts b/packages/cdkConstructs/tests/constructs/stateMachineConstruct.test.ts index 3d4d6387..19fb1285 100644 --- a/packages/cdkConstructs/tests/constructs/stateMachineConstruct.test.ts +++ b/packages/cdkConstructs/tests/constructs/stateMachineConstruct.test.ts 
@@ -36,7 +36,7 @@ describe("ExpressStateMachine construct", () => { test("creates CloudWatch log group with correct name and KMS key", () => { template.hasResourceProperties("AWS::Logs::LogGroup", { LogGroupName: "/aws/stepfunctions/test-state-machine", - KmsKeyId: {"Fn::ImportValue": "account-resources:CloudwatchLogsKmsKeyArn"}, + KmsKeyId: {"Fn::ImportValue": "account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn"}, RetentionInDays: 30 }) }) @@ -44,7 +44,7 @@ describe("ExpressStateMachine construct", () => { test("creates Splunk subscription filter by default", () => { template.hasResourceProperties("AWS::Logs::SubscriptionFilter", { FilterPattern: "", - RoleArn: {"Fn::ImportValue": "lambda-resources:SplunkSubscriptionFilterRole"} + RoleArn: {"Fn::ImportValue": "account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn"} }) }) diff --git a/packages/cdkConstructs/tests/constructs/typescriptFunctionConstruct.test.ts b/packages/cdkConstructs/tests/constructs/typescriptFunctionConstruct.test.ts index b640048c..3ec99273 100644 --- a/packages/cdkConstructs/tests/constructs/typescriptFunctionConstruct.test.ts +++ b/packages/cdkConstructs/tests/constructs/typescriptFunctionConstruct.test.ts @@ -71,7 +71,7 @@ describe("TypescriptLambdaFunctionConstruct works correctly", () => { test("it has the correct log group", () => { template.hasResourceProperties("AWS::Logs::LogGroup", { LogGroupName: "/aws/lambda/testLambda", - KmsKeyId: {"Fn::ImportValue": "account-resources:CloudwatchLogsKmsKeyArn"}, + KmsKeyId: {"Fn::ImportValue": "account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn"}, RetentionInDays: 30 }) }) 
@@ -97,8 +97,8 @@ describe("TypescriptLambdaFunctionConstruct works correctly", () => { template.hasResourceProperties("AWS::Logs::SubscriptionFilter", { LogGroupName: {"Ref": lambdaLogGroupResource.Ref}, FilterPattern: "", - RoleArn: {"Fn::ImportValue": "lambda-resources:SplunkSubscriptionFilterRole"}, - DestinationArn: {"Fn::ImportValue": "lambda-resources:SplunkDeliveryStream"} + RoleArn: {"Fn::ImportValue": "account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn"}, + DestinationArn: {"Fn::ImportValue": "account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn"} }) }) @@ -117,8 +117,8 @@ describe("TypescriptLambdaFunctionConstruct works correctly", () => { "Version": "2012-10-17" }, "ManagedPolicyArns": Match.arrayWith([ - {"Fn::ImportValue": "lambda-resources:LambdaInsightsLogGroupPolicy"}, - {"Fn::ImportValue": "account-resources:CloudwatchEncryptionKMSPolicyArn"} + {"Fn::ImportValue": "account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn"}, + {"Fn::ImportValue": "account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn"} ]) }) }) @@ -223,8 +223,8 @@ describe("functionConstruct works correctly with additional policies", () => { test("it has the correct policies in the role", () => { template.hasResourceProperties("AWS::IAM::Role", { "ManagedPolicyArns": Match.arrayWith([ - {"Fn::ImportValue": "lambda-resources:LambdaInsightsLogGroupPolicy"}, - {"Fn::ImportValue": "account-resources:CloudwatchEncryptionKMSPolicyArn"}, + {"Fn::ImportValue": "account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn"}, + {"Fn::ImportValue": "account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn"}, {Ref: testPolicyResource.Ref} ]) }) From 08bae6dca590fe8922bde6a859720a033d64a61f Mon Sep 17 00:00:00 2001 
From: Anthony Brown Date: Tue, 28 Apr 2026 06:33:04 +0000 Subject: [PATCH 2/4] fix deploymentUtils --- .../src/specifications/deleteProxygenDeployments.ts | 2 +- packages/deploymentUtils/src/specifications/deployApi.ts | 2 +- .../tests/specifications/deleteProxygenDeployments.test.ts | 2 +- packages/deploymentUtils/tests/specifications/deployApi.test.ts | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/deploymentUtils/src/specifications/deleteProxygenDeployments.ts b/packages/deploymentUtils/src/specifications/deleteProxygenDeployments.ts index 0d91aaa5..fe81f39e 100644 --- a/packages/deploymentUtils/src/specifications/deleteProxygenDeployments.ts +++ b/packages/deploymentUtils/src/specifications/deleteProxygenDeployments.ts @@ -47,7 +47,7 @@ async function deleteEnvProxygenDeployments( const lambda = new LambdaClient({}) const exports = await getCloudFormationExports() - const proxygenPrivateKeyArn = getCFConfigValue(exports, `account-resources:${proxygenPrivateKeyName}`) + const proxygenPrivateKeyArn = getCFConfigValue(exports, `secrets-cdk:Secrets:${proxygenPrivateKeyName}:Arn`) console.log(`Checking Apigee deployments of ${apigeeApi} on ${apigeeEnvironment}`) const instances = JSON.parse(await invokeLambda( diff --git a/packages/deploymentUtils/src/specifications/deployApi.ts b/packages/deploymentUtils/src/specifications/deployApi.ts index f746d6a7..435e51b2 100644 --- a/packages/deploymentUtils/src/specifications/deployApi.ts +++ b/packages/deploymentUtils/src/specifications/deployApi.ts 
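Review bot: `proxygenPrivateKeyName` is now spliced into the middle of the export name (`secrets-cdk:Secrets:${proxygenPrivateKeyName}:Arn`) in deleteProxygenDeployments.ts, so it must hold only the resource segment; the same applies to `proxygenPrivateKeyExportName` in the deployApi.ts hunk of this commit, whose name still suggests a complete export name. The parameter documentation should say so, for example `@param proxygenPrivateKeyName - resource segment of the secrets-cdk export, without stack prefix or ":Arn" suffix`. Whether `getCFConfigValue` throws on a missing key is not visible here; if it returns `undefined`, a caller still passing an old-style value would hand an undefined key ARN to the Lambda invocation, so a guard such as `if (!proxygenPrivateKeyArn) throw new Error("proxygen private key export not found")` right after the lookup would make that failure explicit. The body of `deleteEnvProxygenDeployments` starts and ends outside the hunk.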
@@ -53,7 +53,7 @@ export async function deployApi( }) const exports = await getCloudFormationExports() - const proxygenPrivateKeyArn = getCFConfigValue(exports, `account-resources:${proxygenPrivateKeyExportName}`) + const proxygenPrivateKeyArn = getCFConfigValue(exports, `secrets-cdk:Secrets:${proxygenPrivateKeyExportName}:Arn`) let put_secret_lambda = "lambda-resources-ProxygenPTLMTLSSecretPut" let instance_put_lambda = "lambda-resources-ProxygenPTLInstancePut" diff --git a/packages/deploymentUtils/tests/specifications/deleteProxygenDeployments.test.ts b/packages/deploymentUtils/tests/specifications/deleteProxygenDeployments.test.ts index 02b981ac..fc3fd8b4 100644 --- a/packages/deploymentUtils/tests/specifications/deleteProxygenDeployments.test.ts +++ b/packages/deploymentUtils/tests/specifications/deleteProxygenDeployments.test.ts @@ -39,7 +39,7 @@ function createFetchResponse(state: string, ok = true, status = 200, textBody = describe("deleteProxygenDeployments", () => { beforeEach(() => { getCloudFormationExportsMock.mockReset().mockResolvedValue({ - "account-resources:proxygenKey": "arn:proxygen-key" + "secrets-cdk:Secrets:proxygenKey:Arn": "arn:proxygen-key" }) invokeLambdaMock.mockReset() diff --git a/packages/deploymentUtils/tests/specifications/deployApi.test.ts b/packages/deploymentUtils/tests/specifications/deployApi.test.ts index 5d981396..afb32772 100644 --- a/packages/deploymentUtils/tests/specifications/deployApi.test.ts +++ b/packages/deploymentUtils/tests/specifications/deployApi.test.ts @@ -65,7 +65,7 @@ function createSpec(overrides: SpecOverrides = {}) { } const defaultExportsMap = { - "account-resources:proxygenKey": "arn:proxygen-key" + "secrets-cdk:Secrets:proxygenKey:Arn": "arn:proxygen-key" } function buildConfig(overrides: Partial = {}): ApiConfig { From 61a529c7f5c3ab922f45c281ecb8d46b3d48c7fe Mon Sep 17 00:00:00 2001 
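Review bot: The two context lines after the changed lookup in deployApi.ts still hard-code Lambda names with the old stack prefix, `"lambda-resources-ProxygenPTLMTLSSecretPut"` and `"lambda-resources-ProxygenPTLInstancePut"`, while this series moves the matching exports to other stacks. The hunk does not show whether those functions keep their names after the move, so this should be confirmed before merging. If they do keep them, a short comment such as `// function names are unchanged by the export rename` would stop the next reader from assuming they were missed. The body of `deployApi` continues outside the hunk.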
From: Anthony Brown Date: Tue, 28 Apr 2026 08:01:50 +0000 Subject: [PATCH 3/4] fix readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e08b5fa5..3cf41107 100644 --- a/README.md +++ b/README.md @@ -172,7 +172,7 @@ In the project you want to test in, run the following as appropriate: npm install --save nhsdigital-eps-cdk-constructs-1.0.0.tgz --workspace packages/cdk/ # Install the deploymentUtils library -npm install --save nhsdigital-eps-deployment-utils-1.0.0.tgz --workspace packages/specifications/ +npm install --save nhsdigital-eps-deployment-utils-1.0.0.tgz --workspace packages/specification/ ``` You will then be able to use them - for example: From cd587644b0ccba8d9eedde681bd2f89657f9411a Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Wed, 29 Apr 2026 09:15:21 +0000 Subject: [PATCH 4/4] change export names --- packages/cdkConstructs/src/constants.ts | 34 ++++++++++--------- .../src/constructs/RestApiGateway.ts | 16 ++++----- .../src/constructs/StateMachine.ts | 6 ++-- .../src/constructs/lambdaSharedResources.ts | 8 ++--- 4 files changed, 33 insertions(+), 31 deletions(-) diff --git a/packages/cdkConstructs/src/constants.ts b/packages/cdkConstructs/src/constants.ts index 7d159891..7581e4ad 100644 --- a/packages/cdkConstructs/src/constants.ts +++ b/packages/cdkConstructs/src/constants.ts 
@@ -7,25 +7,27 @@ export const CDK_ENV_PREFIX = "CDK_CONFIG_" export const ACCOUNT_RESOURCES = { CloudwatchEncryptionKMSPolicyArn: Fn.importValue("account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn"), CloudwatchLogsKmsKeyArn: Fn.importValue("account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn"), + TrustStoreBucketArn: Fn.importValue("account-resources-cdk-uk:Bucket:TrustStoreBucket:Arn"), + TrustStoreBucketKMSKeyArn: Fn.importValue("account-resources-cdk-uk:KMS:TrustStoreBucketKMSKey:Arn"), + TrustStoreDeploymentBucketArn: Fn.importValue("account-resources-cdk-uk:Bucket:TrustStoreDeploymentBucket:Arn"), + LambdaInsightsLogGroupPolicyArn: Fn.importValue("account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn"), + SplunkDeliveryStreamArn: Fn.importValue("account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn"), + SplunkSubscriptionFilterRoleArn: Fn.importValue("account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn") +} + +export const ROUTE53_RESOURCES = { EpsDomainName: Fn.importValue("eps-route53-resources:EPS-domain"), - EpsZoneId: Fn.importValue("eps-route53-resources:EPS-ZoneID"), - LambdaAccessSecretsPolicy: Fn.importValue("secrets-cdk:IAM:LambdaAccessSecretsPolicy:Arn"), - LambdaDecryptSecretsKMSPolicy: Fn.importValue("secrets-cdk:IAM:LambdaDecryptSecretsKMSPolicy:Arn"), - SpinePrivateKeyARN: Fn.importValue("secrets-cdk:Secrets:SpinePrivateKey:Arn"), - SpinePublicCertificateARN: Fn.importValue("secrets-cdk:Secrets:SpinePublicCertificate:Arn"), - SpineASIDARN: Fn.importValue("secrets-cdk:Secrets:SpineASID:Arn"), - SpinePartyKeyARN: Fn.importValue("secrets-cdk:Secrets:SpinePartyKey:Arn"), - SpineCAChainARN: Fn.importValue("secrets-cdk:Secrets:SpineCAChain:Arn"), - TrustStoreBucket: Fn.importValue("account-resources-cdk-uk:Bucket:TrustStoreBucket:Arn"), - TrustStoreBucketKMSKey: Fn.importValue("account-resources-cdk-uk:KMS:TrustStoreBucketKMSKey:Arn"), - TrustStoreDeploymentBucket: 
Fn.importValue("account-resources-cdk-uk:Bucket:TrustStoreDeploymentBucket:Arn") + EpsZoneId: Fn.importValue("eps-route53-resources:EPS-ZoneID") } -/** Imported shared Lambda resource values used by Lambda and API Gateway constructs. */ -export const LAMBDA_RESOURCES = { - LambdaInsightsLogGroupPolicy: Fn.importValue("account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn"), - SplunkDeliveryStream: Fn.importValue("account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn"), - SplunkSubscriptionFilterRole: Fn.importValue("account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn") +export const SECRETS_RESOURCES = { + LambdaAccessSecretsPolicyArn: Fn.importValue("secrets-cdk:IAM:LambdaAccessSecretsPolicy:Arn"), + LambdaDecryptSecretsKMSPolicyArn: Fn.importValue("secrets-cdk:IAM:LambdaDecryptSecretsKMSPolicy:Arn"), + SpinePrivateKeyArn: Fn.importValue("secrets-cdk:Secrets:SpinePrivateKey:Arn"), + SpinePublicCertificateArn: Fn.importValue("secrets-cdk:Secrets:SpinePublicCertificate:Arn"), + SpineASIDArn: Fn.importValue("secrets-cdk:Secrets:SpineASID:Arn"), + SpinePartyKeyArn: Fn.importValue("secrets-cdk:Secrets:SpinePartyKey:Arn"), + SpineCAChainArn: Fn.importValue("secrets-cdk:Secrets:SpineCAChain:Arn") } /** Shared cfn-guard rule identifiers used for metadata suppressions. */ diff --git a/packages/cdkConstructs/src/constructs/RestApiGateway.ts b/packages/cdkConstructs/src/constructs/RestApiGateway.ts index 0b7df284..9dc1b9de 100644 --- a/packages/cdkConstructs/src/constructs/RestApiGateway.ts +++ b/packages/cdkConstructs/src/constructs/RestApiGateway.ts 
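Review bot: The new `ROUTE53_RESOURCES` and `SECRETS_RESOURCES` exports in constants.ts have no JSDoc, although `ACCOUNT_RESOURCES` directly above has one and the removed `LAMBDA_RESOURCES` had one. I would add `/** Imported Route 53 domain name and hosted zone id used for service domains. */` and `/** Imported secrets-cdk policy and secret ARNs; grant these only to functions that need the secret. */`. The hunk also renames public keys (`SpinePrivateKeyARN` to `SpinePrivateKeyArn`, `TrustStoreBucket` to `TrustStoreBucketArn`, `LambdaAccessSecretsPolicy` to `LambdaAccessSecretsPolicyArn`) and drops `LAMBDA_RESOURCES`. If these constants are re-exported from the package entry point, which is not visible here, that is a breaking change for consumers and should be called out in the release notes or bridged with deprecated aliases.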
@@ -33,7 +33,7 @@ import { } from "aws-cdk-lib/aws-route53" import {ApiGateway as ApiGatewayTarget} from "aws-cdk-lib/aws-route53-targets" import {NagSuppressions} from "cdk-nag" -import {ACCOUNT_RESOURCES, LAMBDA_RESOURCES} from "../constants" +import {ACCOUNT_RESOURCES, ROUTE53_RESOURCES} from "../constants" import {addSuppressions} from "../utils/helpers" /** Configuration for creating a REST API with optional mTLS and log forwarding integrations. */ 
@@ -119,27 +119,27 @@ export class RestApiGateway extends Construct { this, "cloudWatchLogsKmsKey", ACCOUNT_RESOURCES.CloudwatchLogsKmsKeyArn) const splunkDeliveryStream = Stream.fromStreamArn( - this, "SplunkDeliveryStream", LAMBDA_RESOURCES.SplunkDeliveryStream) + this, "SplunkDeliveryStream", ACCOUNT_RESOURCES.SplunkDeliveryStreamArn) const splunkSubscriptionFilterRole = Role.fromRoleArn( - this, "splunkSubscriptionFilterRole", LAMBDA_RESOURCES.SplunkSubscriptionFilterRole) + this, "splunkSubscriptionFilterRole", ACCOUNT_RESOURCES.SplunkSubscriptionFilterRoleArn) const trustStoreBucket = Bucket.fromBucketArn( - this, "TrustStoreBucket", ACCOUNT_RESOURCES.TrustStoreBucket) + this, "TrustStoreBucket", ACCOUNT_RESOURCES.TrustStoreBucketArn) const trustStoreDeploymentBucket = Bucket.fromBucketArn( - this, "TrustStoreDeploymentBucket", ACCOUNT_RESOURCES.TrustStoreDeploymentBucket) + this, "TrustStoreDeploymentBucket", ACCOUNT_RESOURCES.TrustStoreDeploymentBucketArn) const trustStoreBucketKmsKey = Key.fromKeyArn( - this, "TrustStoreBucketKmsKey", ACCOUNT_RESOURCES.TrustStoreBucketKMSKey) + this, "TrustStoreBucketKmsKey", ACCOUNT_RESOURCES.TrustStoreBucketKMSKeyArn) let hostedZone: IHostedZone | undefined let serviceDomainName: string | undefined if (enableServiceDomain) { - const epsDomainName: string = ACCOUNT_RESOURCES.EpsDomainName + const epsDomainName: string = ROUTE53_RESOURCES.EpsDomainName hostedZone = HostedZone.fromHostedZoneAttributes(this, "HostedZone", { - hostedZoneId: ACCOUNT_RESOURCES.EpsZoneId, + hostedZoneId: ROUTE53_RESOURCES.EpsZoneId, zoneName: epsDomainName }) serviceDomainName = `${props.stackName}.${epsDomainName}` diff --git a/packages/cdkConstructs/src/constructs/StateMachine.ts b/packages/cdkConstructs/src/constructs/StateMachine.ts index bbcdeea6..7df91b45 100644 --- a/packages/cdkConstructs/src/constructs/StateMachine.ts +++ b/packages/cdkConstructs/src/constructs/StateMachine.ts 
@@ -20,7 +20,7 @@ import { } from "aws-cdk-lib/aws-stepfunctions" import {Construct} from "constructs" import {CfnDeliveryStream} from "aws-cdk-lib/aws-kinesisfirehose" -import {ACCOUNT_RESOURCES, CFN_GUARD_RULES, LAMBDA_RESOURCES} from "../constants" +import {ACCOUNT_RESOURCES, CFN_GUARD_RULES} from "../constants" import {addSuppressions} from "../utils/helpers" /** @@ -98,7 +98,7 @@ export class ExpressStateMachine extends Construct { this, "cloudwatchEncryptionKMSPolicy", ACCOUNT_RESOURCES.CloudwatchEncryptionKMSPolicyArn), splunkDeliveryStream, splunkSubscriptionFilterRole = Role.fromRoleArn( - this, "splunkSubscriptionFilterRole", LAMBDA_RESOURCES.SplunkSubscriptionFilterRole), + this, "splunkSubscriptionFilterRole", ACCOUNT_RESOURCES.SplunkSubscriptionFilterRoleArn), addSplunkSubscriptionFilter = true } = props @@ -122,7 +122,7 @@ export class ExpressStateMachine extends Construct { }) } else { const splunkDeliveryStreamImport = Stream.fromStreamArn( - this, "SplunkDeliveryStream", LAMBDA_RESOURCES.SplunkDeliveryStream) + this, "SplunkDeliveryStream", ACCOUNT_RESOURCES.SplunkDeliveryStreamArn) new CfnSubscriptionFilter(this, "StateMachineLogsSplunkSubscriptionFilter", { destinationArn: splunkDeliveryStreamImport.streamArn, filterPattern: "", diff --git a/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts b/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts index 72177781..ba6ed293 100644 --- a/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts +++ b/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts 
@@ -13,7 +13,7 @@ import { } from "aws-cdk-lib/aws-iam" import {NagSuppressions} from "cdk-nag" import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config" -import {ACCOUNT_RESOURCES, CFN_GUARD_RULES, LAMBDA_RESOURCES} from "../constants" +import {ACCOUNT_RESOURCES, CFN_GUARD_RULES} from "../constants" import {addSuppressions} from "../utils/helpers" import {CfnDeliveryStream} from "aws-cdk-lib/aws-kinesisfirehose" import {Stream} from "aws-cdk-lib/aws-kinesis" @@ -55,9 +55,9 @@ export const createSharedLambdaResources = ( ), splunkDeliveryStream, splunkSubscriptionFilterRole = Role.fromRoleArn( - scope, "splunkSubscriptionFilterRole", LAMBDA_RESOURCES.SplunkSubscriptionFilterRole), + scope, "splunkSubscriptionFilterRole", ACCOUNT_RESOURCES.SplunkSubscriptionFilterRoleArn), lambdaInsightsLogGroupPolicy = ManagedPolicy.fromManagedPolicyArn( - scope, "lambdaInsightsLogGroupPolicy", LAMBDA_RESOURCES.LambdaInsightsLogGroupPolicy), + scope, "lambdaInsightsLogGroupPolicy", ACCOUNT_RESOURCES.LambdaInsightsLogGroupPolicyArn), addSplunkSubscriptionFilter = true } = props const insightsLambdaLayerArn = architecture === Architecture.ARM_64 @@ -88,7 +88,7 @@ export const createSharedLambdaResources = ( }) } else { const splunkDeliveryStreamImport = Stream.fromStreamArn( - scope, "SplunkDeliveryStream", LAMBDA_RESOURCES.SplunkDeliveryStream) + scope, "SplunkDeliveryStream", ACCOUNT_RESOURCES.SplunkDeliveryStreamArn) new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", { destinationArn: splunkDeliveryStreamImport.streamArn, filterPattern: "",