Breaking: [AEA-6593] - use new exports from cdk stacks

README.md

@@ -172,7 +172,7 @@ In the project you want to test in, run the following as appropriate:
 npm install --save nhsdigital-eps-cdk-constructs-1.0.0.tgz --workspace packages/cdk/
 
 # Install the deploymentUtils library
-npm install --save nhsdigital-eps-deployment-utils-1.0.0.tgz --workspace packages/specifications/
+npm install --save nhsdigital-eps-deployment-utils-1.0.0.tgz --workspace packages/specification/
 ```
 
 You will then be able to use them - for example:

packages/cdkConstructs/src/constants.ts

@@ -5,27 +5,29 @@ export const CDK_ENV_PREFIX = "CDK_CONFIG_"
 
 /** Imported cross-stack account resource values used by constructs in this package. */
 export const ACCOUNT_RESOURCES = {
-  CloudwatchEncryptionKMSPolicyArn: Fn.importValue("account-resources:CloudwatchEncryptionKMSPolicyArn"),
-  CloudwatchLogsKmsKeyArn: Fn.importValue("account-resources:CloudwatchLogsKmsKeyArn"),
+  CloudwatchEncryptionKMSPolicyArn: Fn.importValue("account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn"),
+  CloudwatchLogsKmsKeyArn: Fn.importValue("account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn"),
+  TrustStoreBucketArn: Fn.importValue("account-resources-cdk-uk:Bucket:TrustStoreBucket:Arn"),
+  TrustStoreBucketKMSKeyArn: Fn.importValue("account-resources-cdk-uk:KMS:TrustStoreBucketKMSKey:Arn"),
+  TrustStoreDeploymentBucketArn: Fn.importValue("account-resources-cdk-uk:Bucket:TrustStoreDeploymentBucket:Arn"),
+  LambdaInsightsLogGroupPolicyArn: Fn.importValue("account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn"),
+  SplunkDeliveryStreamArn: Fn.importValue("account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn"),
+  SplunkSubscriptionFilterRoleArn: Fn.importValue("account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn")
+}
+
+export const ROUTE53_RESOURCES = {
   EpsDomainName: Fn.importValue("eps-route53-resources:EPS-domain"),
-  EpsZoneId: Fn.importValue("eps-route53-resources:EPS-ZoneID"),
-  LambdaAccessSecretsPolicy: Fn.importValue("account-resources:LambdaAccessSecretsPolicy"),
-  LambdaDecryptSecretsKMSPolicy: Fn.importValue("account-resources:LambdaDecryptSecretsKMSPolicy"),
-  SpinePrivateKeyARN: Fn.importValue("account-resources:SpinePrivateKey"),
-  SpinePublicCertificateARN: Fn.importValue("account-resources:SpinePublicCertificate"),
-  SpineASIDARN: Fn.importValue("account-resources:SpineASID"),
-  SpinePartyKeyARN: Fn.importValue("account-resources:SpinePartyKey"),
-  SpineCAChainARN: Fn.importValue("account-resources:SpineCAChain"),
-  TrustStoreBucket: Fn.importValue("account-resources:TrustStoreBucket"),
-  TrustStoreBucketKMSKey: Fn.importValue("account-resources:TrustStoreBucketKMSKey"),
-  TrustStoreDeploymentBucket: Fn.importValue("account-resources:TrustStoreDeploymentBucket")
+  EpsZoneId: Fn.importValue("eps-route53-resources:EPS-ZoneID")
 }
 
-/** Imported shared Lambda resource values used by Lambda and API Gateway constructs. */
-export const LAMBDA_RESOURCES = {
-  LambdaInsightsLogGroupPolicy: Fn.importValue("lambda-resources:LambdaInsightsLogGroupPolicy"),
-  SplunkDeliveryStream: Fn.importValue("lambda-resources:SplunkDeliveryStream"),
-  SplunkSubscriptionFilterRole: Fn.importValue("lambda-resources:SplunkSubscriptionFilterRole")
+export const SECRETS_RESOURCES = {
+  LambdaAccessSecretsPolicyArn: Fn.importValue("secrets-cdk:IAM:LambdaAccessSecretsPolicy:Arn"),
+  LambdaDecryptSecretsKMSPolicyArn: Fn.importValue("secrets-cdk:IAM:LambdaDecryptSecretsKMSPolicy:Arn"),
+  SpinePrivateKeyArn: Fn.importValue("secrets-cdk:Secrets:SpinePrivateKey:Arn"),
+  SpinePublicCertificateArn: Fn.importValue("secrets-cdk:Secrets:SpinePublicCertificate:Arn"),
+  SpineASIDArn: Fn.importValue("secrets-cdk:Secrets:SpineASID:Arn"),
+  SpinePartyKeyArn: Fn.importValue("secrets-cdk:Secrets:SpinePartyKey:Arn"),
+  SpineCAChainArn: Fn.importValue("secrets-cdk:Secrets:SpineCAChain:Arn")
 }
 
 /** Shared cfn-guard rule identifiers used for metadata suppressions. */

packages/cdkConstructs/src/constructs/RestApiGateway.ts

@@ -33,7 +33,7 @@ import {
 } from "aws-cdk-lib/aws-route53"
 import {ApiGateway as ApiGatewayTarget} from "aws-cdk-lib/aws-route53-targets"
 import {NagSuppressions} from "cdk-nag"
-import {ACCOUNT_RESOURCES, LAMBDA_RESOURCES} from "../constants"
+import {ACCOUNT_RESOURCES, ROUTE53_RESOURCES} from "../constants"
 import {addSuppressions} from "../utils/helpers"
 
 /** Configuration for creating a REST API with optional mTLS and log forwarding integrations. */
@@ -119,27 +119,27 @@ export class RestApiGateway extends Construct {
       this, "cloudWatchLogsKmsKey", ACCOUNT_RESOURCES.CloudwatchLogsKmsKeyArn)
 
     const splunkDeliveryStream = Stream.fromStreamArn(
-      this, "SplunkDeliveryStream", LAMBDA_RESOURCES.SplunkDeliveryStream)
+      this, "SplunkDeliveryStream", ACCOUNT_RESOURCES.SplunkDeliveryStreamArn)
 
     const splunkSubscriptionFilterRole = Role.fromRoleArn(
-      this, "splunkSubscriptionFilterRole", LAMBDA_RESOURCES.SplunkSubscriptionFilterRole)
+      this, "splunkSubscriptionFilterRole", ACCOUNT_RESOURCES.SplunkSubscriptionFilterRoleArn)
 
     const trustStoreBucket = Bucket.fromBucketArn(
-      this, "TrustStoreBucket", ACCOUNT_RESOURCES.TrustStoreBucket)
+      this, "TrustStoreBucket", ACCOUNT_RESOURCES.TrustStoreBucketArn)
 
     const trustStoreDeploymentBucket = Bucket.fromBucketArn(
-      this, "TrustStoreDeploymentBucket", ACCOUNT_RESOURCES.TrustStoreDeploymentBucket)
+      this, "TrustStoreDeploymentBucket", ACCOUNT_RESOURCES.TrustStoreDeploymentBucketArn)
 
     const trustStoreBucketKmsKey = Key.fromKeyArn(
-      this, "TrustStoreBucketKmsKey", ACCOUNT_RESOURCES.TrustStoreBucketKMSKey)
+      this, "TrustStoreBucketKmsKey", ACCOUNT_RESOURCES.TrustStoreBucketKMSKeyArn)
 
     let hostedZone: IHostedZone | undefined
     let serviceDomainName: string | undefined
 
     if (enableServiceDomain) {
-      const epsDomainName: string = ACCOUNT_RESOURCES.EpsDomainName
+      const epsDomainName: string = ROUTE53_RESOURCES.EpsDomainName
       hostedZone = HostedZone.fromHostedZoneAttributes(this, "HostedZone", {
-        hostedZoneId: ACCOUNT_RESOURCES.EpsZoneId,
+        hostedZoneId: ROUTE53_RESOURCES.EpsZoneId,
         zoneName: epsDomainName
       })
       serviceDomainName = `${props.stackName}.${epsDomainName}`

packages/cdkConstructs/src/constructs/StateMachine.ts

@@ -20,7 +20,7 @@ import {
 } from "aws-cdk-lib/aws-stepfunctions"
 import {Construct} from "constructs"
 import {CfnDeliveryStream} from "aws-cdk-lib/aws-kinesisfirehose"
-import {ACCOUNT_RESOURCES, CFN_GUARD_RULES, LAMBDA_RESOURCES} from "../constants"
+import {ACCOUNT_RESOURCES, CFN_GUARD_RULES} from "../constants"
 import {addSuppressions} from "../utils/helpers"
 
 /**
@@ -98,7 +98,7 @@ export class ExpressStateMachine extends Construct {
         this, "cloudwatchEncryptionKMSPolicy", ACCOUNT_RESOURCES.CloudwatchEncryptionKMSPolicyArn),
       splunkDeliveryStream,
       splunkSubscriptionFilterRole = Role.fromRoleArn(
-        this, "splunkSubscriptionFilterRole", LAMBDA_RESOURCES.SplunkSubscriptionFilterRole),
+        this, "splunkSubscriptionFilterRole", ACCOUNT_RESOURCES.SplunkSubscriptionFilterRoleArn),
       addSplunkSubscriptionFilter = true
     } = props
 
@@ -122,7 +122,7 @@ export class ExpressStateMachine extends Construct {
         })
       } else {
         const splunkDeliveryStreamImport = Stream.fromStreamArn(
-          this, "SplunkDeliveryStream", LAMBDA_RESOURCES.SplunkDeliveryStream)
+          this, "SplunkDeliveryStream", ACCOUNT_RESOURCES.SplunkDeliveryStreamArn)
         new CfnSubscriptionFilter(this, "StateMachineLogsSplunkSubscriptionFilter", {
           destinationArn: splunkDeliveryStreamImport.streamArn,
           filterPattern: "",

packages/cdkConstructs/src/constructs/lambdaSharedResources.ts

@@ -13,7 +13,7 @@ import {
 } from "aws-cdk-lib/aws-iam"
 import {NagSuppressions} from "cdk-nag"
 import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
-import {ACCOUNT_RESOURCES, CFN_GUARD_RULES, LAMBDA_RESOURCES} from "../constants"
+import {ACCOUNT_RESOURCES, CFN_GUARD_RULES} from "../constants"
 import {addSuppressions} from "../utils/helpers"
 import {CfnDeliveryStream} from "aws-cdk-lib/aws-kinesisfirehose"
 import {Stream} from "aws-cdk-lib/aws-kinesis"
@@ -55,9 +55,9 @@ export const createSharedLambdaResources = (
     ),
     splunkDeliveryStream,
     splunkSubscriptionFilterRole = Role.fromRoleArn(
-      scope, "splunkSubscriptionFilterRole", LAMBDA_RESOURCES.SplunkSubscriptionFilterRole),
+      scope, "splunkSubscriptionFilterRole", ACCOUNT_RESOURCES.SplunkSubscriptionFilterRoleArn),
     lambdaInsightsLogGroupPolicy = ManagedPolicy.fromManagedPolicyArn(
-      scope, "lambdaInsightsLogGroupPolicy", LAMBDA_RESOURCES.LambdaInsightsLogGroupPolicy),
+      scope, "lambdaInsightsLogGroupPolicy", ACCOUNT_RESOURCES.LambdaInsightsLogGroupPolicyArn),
     addSplunkSubscriptionFilter = true
   } = props
   const insightsLambdaLayerArn = architecture === Architecture.ARM_64
@@ -88,7 +88,7 @@ export const createSharedLambdaResources = (
       })
     } else {
       const splunkDeliveryStreamImport = Stream.fromStreamArn(
-        scope, "SplunkDeliveryStream", LAMBDA_RESOURCES.SplunkDeliveryStream)
+        scope, "SplunkDeliveryStream", ACCOUNT_RESOURCES.SplunkDeliveryStreamArn)
       new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
         destinationArn: splunkDeliveryStreamImport.streamArn,
         filterPattern: "",

packages/cdkConstructs/tests/constructs/RestApiGateway.test.ts

@@ -48,16 +48,16 @@ describe("RestApiGateway without mTLS", () => {
   test("creates CloudWatch log group with correct properties", () => {
     template.hasResourceProperties("AWS::Logs::LogGroup", {
       LogGroupName: "/aws/apigateway/test-stack-apigw",
-      KmsKeyId: {"Fn::ImportValue": "account-resources:CloudwatchLogsKmsKeyArn"},
+      KmsKeyId: {"Fn::ImportValue": "account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn"},
       RetentionInDays: 30
     })
   })
 
   test("creates Splunk subscription filter", () => {
     template.hasResourceProperties("AWS::Logs::SubscriptionFilter", {
       FilterPattern: "",
-      RoleArn: {"Fn::ImportValue": "lambda-resources:SplunkSubscriptionFilterRole"},
-      DestinationArn: {"Fn::ImportValue": "lambda-resources:SplunkDeliveryStream"}
+      RoleArn: {"Fn::ImportValue": "account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn"},
+      DestinationArn: {"Fn::ImportValue": "account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn"}
     })
   })
 
@@ -269,7 +269,7 @@ describe("RestApiGateway with mTLS", () => {
   test("creates trust store deployment log group", () => {
     template.hasResourceProperties("AWS::Logs::LogGroup", {
       LogGroupName: "/aws/lambda/test-stack-truststore-deployment",
-      KmsKeyId: {"Fn::ImportValue": "account-resources:CloudwatchLogsKmsKeyArn"},
+      KmsKeyId: {"Fn::ImportValue": "account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn"},
       RetentionInDays: 30
     })
   })

packages/cdkConstructs/tests/constructs/pythonLambdaFunctionConstruct.test.ts

@@ -66,7 +66,7 @@ describe("pythonFunctionConstruct works correctly", () => {
   test("it has the correct log group", () => {
     template.hasResourceProperties("AWS::Logs::LogGroup", {
       LogGroupName: "/aws/lambda/testPythonLambda",
-      KmsKeyId: {"Fn::ImportValue": "account-resources:CloudwatchLogsKmsKeyArn"},
+      KmsKeyId: {"Fn::ImportValue": "account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn"},
       RetentionInDays: 30
     })
   })
@@ -92,8 +92,8 @@ describe("pythonFunctionConstruct works correctly", () => {
     template.hasResourceProperties("AWS::Logs::SubscriptionFilter", {
       LogGroupName: {"Ref": lambdaLogGroupResource.Ref},
       FilterPattern: "",
-      RoleArn: {"Fn::ImportValue": "lambda-resources:SplunkSubscriptionFilterRole"},
-      DestinationArn: {"Fn::ImportValue": "lambda-resources:SplunkDeliveryStream"}
+      RoleArn: {"Fn::ImportValue": "account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn"},
+      DestinationArn: {"Fn::ImportValue": "account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn"}
     })
   })
 
@@ -108,8 +108,8 @@ describe("pythonFunctionConstruct works correctly", () => {
         }]
       },
       ManagedPolicyArns: Match.arrayWith([
-        {"Fn::ImportValue": "lambda-resources:LambdaInsightsLogGroupPolicy"},
-        {"Fn::ImportValue": "account-resources:CloudwatchEncryptionKMSPolicyArn"}
+        {"Fn::ImportValue": "account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn"},
+        {"Fn::ImportValue": "account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn"}
       ])
     })
   })
@@ -215,8 +215,8 @@ describe("pythonFunctionConstruct works correctly with additional policies", ()
   test("it has the correct policies in the role", () => {
     template.hasResourceProperties("AWS::IAM::Role", {
       ManagedPolicyArns: Match.arrayWith([
-        {"Fn::ImportValue": "lambda-resources:LambdaInsightsLogGroupPolicy"},
-        {"Fn::ImportValue": "account-resources:CloudwatchEncryptionKMSPolicyArn"},
+        {"Fn::ImportValue": "account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn"},
+        {"Fn::ImportValue": "account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn"},
         {Ref: testPolicyResource.Ref}
       ])
     })

packages/cdkConstructs/tests/constructs/stateMachineConstruct.test.ts

@@ -36,15 +36,15 @@ describe("ExpressStateMachine construct", () => {
   test("creates CloudWatch log group with correct name and KMS key", () => {
     template.hasResourceProperties("AWS::Logs::LogGroup", {
       LogGroupName: "/aws/stepfunctions/test-state-machine",
-      KmsKeyId: {"Fn::ImportValue": "account-resources:CloudwatchLogsKmsKeyArn"},
+      KmsKeyId: {"Fn::ImportValue": "account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn"},
       RetentionInDays: 30
     })
   })
 
   test("creates Splunk subscription filter by default", () => {
     template.hasResourceProperties("AWS::Logs::SubscriptionFilter", {
       FilterPattern: "",
-      RoleArn: {"Fn::ImportValue": "lambda-resources:SplunkSubscriptionFilterRole"}
+      RoleArn: {"Fn::ImportValue": "account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn"}
     })
   })
 

packages/cdkConstructs/tests/constructs/typescriptFunctionConstruct.test.ts

@@ -71,7 +71,7 @@ describe("TypescriptLambdaFunctionConstruct works correctly", () => {
   test("it has the correct log group", () => {
     template.hasResourceProperties("AWS::Logs::LogGroup", {
       LogGroupName: "/aws/lambda/testLambda",
-      KmsKeyId: {"Fn::ImportValue": "account-resources:CloudwatchLogsKmsKeyArn"},
+      KmsKeyId: {"Fn::ImportValue": "account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn"},
       RetentionInDays: 30
     })
   })
@@ -97,8 +97,8 @@ describe("TypescriptLambdaFunctionConstruct works correctly", () => {
     template.hasResourceProperties("AWS::Logs::SubscriptionFilter", {
       LogGroupName: {"Ref": lambdaLogGroupResource.Ref},
       FilterPattern: "",
-      RoleArn: {"Fn::ImportValue": "lambda-resources:SplunkSubscriptionFilterRole"},
-      DestinationArn: {"Fn::ImportValue": "lambda-resources:SplunkDeliveryStream"}
+      RoleArn: {"Fn::ImportValue": "account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn"},
+      DestinationArn: {"Fn::ImportValue": "account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn"}
     })
   })
 
@@ -117,8 +117,8 @@ describe("TypescriptLambdaFunctionConstruct works correctly", () => {
         "Version": "2012-10-17"
       },
       "ManagedPolicyArns": Match.arrayWith([
-        {"Fn::ImportValue": "lambda-resources:LambdaInsightsLogGroupPolicy"},
-        {"Fn::ImportValue": "account-resources:CloudwatchEncryptionKMSPolicyArn"}
+        {"Fn::ImportValue": "account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn"},
+        {"Fn::ImportValue": "account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn"}
       ])
     })
   })
@@ -223,8 +223,8 @@ describe("functionConstruct works correctly with additional policies", () => {
   test("it has the correct policies in the role", () => {
     template.hasResourceProperties("AWS::IAM::Role", {
       "ManagedPolicyArns": Match.arrayWith([
-        {"Fn::ImportValue": "lambda-resources:LambdaInsightsLogGroupPolicy"},
-        {"Fn::ImportValue": "account-resources:CloudwatchEncryptionKMSPolicyArn"},
+        {"Fn::ImportValue": "account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn"},
+        {"Fn::ImportValue": "account-resources-cdk-uk:IAM:CloudwatchEncryptionKMSPolicy:Arn"},
         {Ref: testPolicyResource.Ref}
       ])
     })

packages/deploymentUtils/src/specifications/deleteProxygenDeployments.ts

@@ -47,7 +47,7 @@ async function deleteEnvProxygenDeployments(
   const lambda = new LambdaClient({})
 
   const exports = await getCloudFormationExports()
-  const proxygenPrivateKeyArn = getCFConfigValue(exports, `account-resources:${proxygenPrivateKeyName}`)
+  const proxygenPrivateKeyArn = getCFConfigValue(exports, `secrets-cdk:Secrets:${proxygenPrivateKeyName}:Arn`)
 
   console.log(`Checking Apigee deployments of ${apigeeApi} on ${apigeeEnvironment}`)
   const instances = JSON.parse(await invokeLambda(

packages/deploymentUtils/src/specifications/deployApi.ts

@@ -53,7 +53,7 @@ export async function deployApi(
   })
 
   const exports = await getCloudFormationExports()
-  const proxygenPrivateKeyArn = getCFConfigValue(exports, `account-resources:${proxygenPrivateKeyExportName}`)
+  const proxygenPrivateKeyArn = getCFConfigValue(exports, `secrets-cdk:Secrets:${proxygenPrivateKeyExportName}:Arn`)
 
   let put_secret_lambda = "lambda-resources-ProxygenPTLMTLSSecretPut"
   let instance_put_lambda = "lambda-resources-ProxygenPTLInstancePut"

packages/deploymentUtils/tests/specifications/deleteProxygenDeployments.test.ts

@@ -39,7 +39,7 @@ function createFetchResponse(state: string, ok = true, status = 200, textBody =
 describe("deleteProxygenDeployments", () => {
   beforeEach(() => {
     getCloudFormationExportsMock.mockReset().mockResolvedValue({
-      "account-resources:proxygenKey": "arn:proxygen-key"
+      "secrets-cdk:Secrets:proxygenKey:Arn": "arn:proxygen-key"
     })
     invokeLambdaMock.mockReset()
 

packages/deploymentUtils/tests/specifications/deployApi.test.ts

@@ -65,7 +65,7 @@ function createSpec(overrides: SpecOverrides = {}) {
 }
 
 const defaultExportsMap = {
-  "account-resources:proxygenKey": "arn:proxygen-key"
+  "secrets-cdk:Secrets:proxygenKey:Arn": "arn:proxygen-key"
 }
 
 function buildConfig(overrides: Partial<ApiConfig> = {}): ApiConfig {