Added missed files

Author: MatthewPopat-NHS

packages/cdkConstructs/src/apps/createApp.ts

@@ -0,0 +1,55 @@
+import {
+  App,
+  Aspects,
+  Tags,
+  StackProps
+} from "aws-cdk-lib"
+import {AwsSolutionsChecks} from "cdk-nag"
+import {getConfigFromEnvVar, getBooleanConfigFromEnvVar} from "../config"
+
+export interface StandardStackProps extends StackProps {
+  readonly stackName: string
+  readonly version: string
+  readonly commitId: string
+  readonly isPullRequest: boolean
+}
+
+export function createApp(
+  appName: string,
+  repoName: string,
+  driftDetectionGroup: string,
+  region: string = "eu-west-2"
+): {app: App, props: StandardStackProps} {
+  const stackName = getConfigFromEnvVar("stackName")
+  const versionNumber = getConfigFromEnvVar("versionNumber")
+  const commitId = getConfigFromEnvVar("commitId")
+  const isPullRequest = getBooleanConfigFromEnvVar("isPullRequest")
+  let cfnDriftDetectionGroup = driftDetectionGroup
+  if (isPullRequest) {
+    cfnDriftDetectionGroup += "-pull-request"
+  }
+
+  const app = new App()
+
+  Aspects.of(app).add(new AwsSolutionsChecks({verbose: true}))
+
+  Tags.of(app).add("version", versionNumber)
+  Tags.of(app).add("commit", commitId)
+  Tags.of(app).add("stackName", stackName)
+  Tags.of(app).add("cdkApp", appName)
+  Tags.of(app).add("repo", repoName)
+  Tags.of(app).add("cfnDriftDetectionGroup", cfnDriftDetectionGroup)
+
+  return {
+    app,
+    props: {
+      env: {
+        region
+      },
+      stackName,
+      version: versionNumber,
+      commitId,
+      isPullRequest
+    }
+  }
+}

packages/cdkConstructs/src/config/index.ts

@@ -0,0 +1,66 @@
+import {CloudFormationClient, ListExportsCommand, DescribeStacksCommand} from "@aws-sdk/client-cloudformation"
+import {S3Client, HeadObjectCommand} from "@aws-sdk/client-s3"
+
+export function getConfigFromEnvVar(varName: string, prefix: string = "CDK_CONFIG_"): string {
+  const value = process.env[prefix + varName]
+  if (!value) {
+    throw new Error(`Environment variable ${prefix}${varName} is not set`)
+  }
+  return value
+}
+
+export function getBooleanConfigFromEnvVar(varName: string, prefix: string = "CDK_CONFIG_"): boolean {
+  const value = getConfigFromEnvVar(varName, prefix)
+  return value.toLowerCase() === "true"
+}
+
+export function getNumberConfigFromEnvVar(varName: string, prefix: string = "CDK_CONFIG_"): number {
+  const value = getConfigFromEnvVar(varName, prefix)
+  return Number(value)
+}
+
+export async function getTrustStoreVersion(trustStoreFile: string, region: string = "eu-west-2"): Promise<string> {
+  const cfnClient = new CloudFormationClient({region})
+  const s3Client = new S3Client({region})
+  const describeStacksCommand = new DescribeStacksCommand({StackName: "account-resources"})
+  const response = await cfnClient.send(describeStacksCommand)
+  const trustStoreBucketArn = response.Stacks![0].Outputs!
+    .find(output => output.OutputKey === "TrustStoreBucket")!.OutputValue
+  const bucketName = trustStoreBucketArn!.split(":")[5]
+  const headObjectCommand = new HeadObjectCommand({Bucket: bucketName, Key: trustStoreFile})
+  const headObjectResponse = await s3Client.send(headObjectCommand)
+  return headObjectResponse.VersionId!
+}
+
+export async function getCloudFormationExports(region: string = "eu-west-2"): Promise<Record<string, string>> {
+  const cfnClient = new CloudFormationClient({region})
+  const listExportsCommand = new ListExportsCommand({})
+  const exports: Record<string, string> = {}
+  let nextToken: string | undefined = undefined
+
+  do {
+    const response = await cfnClient.send(listExportsCommand)
+    response.Exports?.forEach((exp) => {
+      if (exp.Name && exp.Value) {
+        exports[exp.Name] = exp.Value
+      }
+    })
+    nextToken = response.NextToken
+    listExportsCommand.input.NextToken = nextToken
+  } while (nextToken)
+
+  return exports
+}
+
+export function getCFConfigValue(exports: Record<string, string>, exportName: string): string {
+  const value = exports[exportName]
+  if (!value) {
+    throw new Error(`CloudFormation export ${exportName} not found`)
+  }
+  return value
+}
+
+export function getBooleanCFConfigValue(exports: Record<string, string>, exportName: string): boolean {
+  const value = getCFConfigValue(exports, exportName)
+  return value.toLowerCase() === "true"
+}

packages/cdkConstructs/src/specifications/deployApi.ts

@@ -0,0 +1,125 @@
+
+import {LambdaClient, InvokeCommand} from "@aws-sdk/client-lambda"
+import {getCFConfigValue, getCloudFormationExports} from "../config"
+
+export async function deployApi(
+  specification: string,
+  apiName: string,
+  version: string,
+  apigeeEnvironment: string,
+  isPullRequest: boolean,
+  awsEnvironment: string,
+  stackName: string,
+  mtlsSecretName: string,
+  clientCertExportName: string,
+  clientPrivateKeyExportName: string,
+  proxygenPrivateKeyExportName: string,
+  proxygenKid: string,
+  dryRun: boolean
+): Promise<void> {
+  const lambda = new LambdaClient({})
+  async function invokeLambda(functionName: string, payload: unknown): Promise<void> {
+    if (!dryRun) {
+      const invokeResult = await lambda.send(new InvokeCommand({
+        FunctionName: functionName,
+        Payload: Buffer.from(JSON.stringify(payload))
+      }))
+      const responsePayload = Buffer.from(invokeResult.Payload!).toString()
+      if (invokeResult.FunctionError) {
+        throw new Error(`Error calling lambda ${functionName}: ${responsePayload}`)
+      }
+      console.log(`Lambda ${functionName} invoked successfully. Response:`, responsePayload)
+    } else {
+      console.log(`Would invoke lambda ${functionName}`)
+    }
+  }
+
+  let instance = apiName
+  const spec = JSON.parse(specification)
+  if (isPullRequest) {
+    const pr_id = stackName.split("-").pop()
+    instance = `${apiName}-pr-${pr_id}`
+    spec.info.title = `[PR-${pr_id}] ${spec.info.title}`
+    spec["x-nhsd-apim"].monitoring = false
+    delete spec["x-nhsd-apim"].target.security.secret
+  } else {
+    spec["x-nhsd-apim"].target.security.secret = mtlsSecretName
+  }
+  spec.info.version = version
+  spec["x-nhsd-apim"].target.url = `https://${stackName}.${awsEnvironment}.eps.national.nhs.uk`
+  if (apigeeEnvironment === "prod") {
+    spec.servers = [ {url: `https://api.service.nhs.uk/${instance}`} ]
+    spec.components.securitySchemes["nhs-cis2-aal3"] = {
+      "$ref": "https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/nhs-cis2-aal3"
+    }
+  } else {
+    spec.servers = [ {url: `https://${apigeeEnvironment}.api.service.nhs.uk/${instance}`} ]
+    spec.components.securitySchemes["nhs-cis2-aal3"] = {
+      "$ref": "https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/nhs-cis2-aal3"
+    }
+  }
+  if (apigeeEnvironment.includes("sandbox")) {
+    delete spec["x-nhsd-apim"]["target-attributes"] // Resolve issue with sandbox trying to look up app name
+  }
+
+  const exports = await getCloudFormationExports()
+  const clientCertArn = getCFConfigValue(exports, `account-resources:${clientCertExportName}`)
+  const clientPrivateKeyArn = getCFConfigValue(exports, `account-resources:${clientPrivateKeyExportName}`)
+  const proxygenPrivateKeyArn = getCFConfigValue(exports, `account-resources:${proxygenPrivateKeyExportName}`)
+
+  let put_secret_lambda = "lambda-resources-ProxygenPTLMTLSSecretPut"
+  let instance_put_lambda = "lambda-resources-ProxygenPTLInstancePut"
+  let spec_publish_lambda = "lambda-resources-ProxygenPTLSpecPublish"
+  if (/^(int|sandbox|prod)$/.test(apigeeEnvironment)) {
+    put_secret_lambda = "lambda-resources-ProxygenProdMTLSSecretPut"
+    instance_put_lambda = "lambda-resources-ProxygenProdInstancePut"
+    spec_publish_lambda = "lambda-resources-ProxygenProdSpecPublish"
+  }
+
+  // --- Store the secret used for mutual TLS ---
+  if (!isPullRequest) {
+    console.log("Store the secret used for mutual TLS to AWS using Proxygen proxy lambda")
+    await invokeLambda(put_secret_lambda, {
+      apiName,
+      environment: apigeeEnvironment,
+      secretName: mtlsSecretName,
+      secretKeyName: clientPrivateKeyArn,
+      secretCertName: clientCertArn,
+      kid: proxygenKid,
+      proxygenSecretName: proxygenPrivateKeyArn
+    })
+  }
+
+  // --- Deploy the API instance ---
+  console.log("Deploy the API instance using Proxygen proxy lambda")
+  await invokeLambda(instance_put_lambda, {
+    apiName,
+    environment: apigeeEnvironment,
+    specDefinition: spec,
+    instance,
+    kid: proxygenKid,
+    proxygenSecretName: proxygenPrivateKeyArn
+  })
+
+  // --- Publish the API spec to the catalogue ---
+  let spec_publish_env
+  if (apigeeEnvironment === "int") {
+    console.log("Deploy the API spec to prod catalogue as it is int environment")
+    spec.servers = [ {url: `https://sandbox.api.service.nhs.uk/${instance}`} ]
+    spec_publish_env = "prod"
+  } else if (apigeeEnvironment === "internal-dev" && !isPullRequest) {
+    console.log("Deploy the API spec to uat catalogue as it is internal-dev environment")
+    spec.servers = [ {url: `https://internal-dev-sandbox.api.service.nhs.uk/${instance}`} ]
+    spec_publish_env = "uat"
+  }
+  if (spec_publish_env) {
+    await invokeLambda(spec_publish_lambda, {
+      apiName,
+      environment: spec_publish_env,
+      specDefinition: spec,
+      instance,
+      kid: proxygenKid,
+      proxygenSecretName: proxygenPrivateKeyArn
+    })
+  }
+}

packages/cdkConstructs/src/specifications/writeSchemas.ts

@@ -0,0 +1,64 @@
+import fs from "fs"
+import path from "path"
+import {JSONSchema} from "json-schema-to-ts"
+
+function isNotJSONSchemaArray(schema: JSONSchema | ReadonlyArray<JSONSchema>): schema is JSONSchema {
+  return !Array.isArray(schema)
+}
+
+function collapseExamples(schema: JSONSchema): JSONSchema {
+  if (typeof schema !== "object" || schema === null) {
+    return schema
+  }
+
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const result: any = {...schema}
+
+  if (Array.isArray(schema.examples) && schema.examples.length > 0) {
+    result.example = schema.examples[0]
+    delete result.examples
+  }
+
+  if (schema.items) {
+    if (isNotJSONSchemaArray(schema.items)) {
+      result.items = collapseExamples(schema.items)
+    } else {
+      result.items = schema.items.map(collapseExamples)
+    }
+  }
+
+  if (schema.properties) {
+    const properties: Record<string, JSONSchema> = {}
+    for (const key in schema.properties) {
+      if (Object.prototype.hasOwnProperty.call(schema.properties, key)) {
+        properties[key] = collapseExamples(schema.properties[key])
+      }
+    }
+    result.properties = properties
+  }
+
+  return result
+}
+
+export function writeSchemas(
+  schemas: Record<string, JSONSchema>,
+  outputDir: string
+): void {
+  if (!fs.existsSync(outputDir)) {
+    fs.mkdirSync(outputDir, {recursive: true})
+  }
+  for (const name in schemas) {
+    if (Object.prototype.hasOwnProperty.call(schemas, name)) {
+      const schema = schemas[name]
+      const fileName = `${name}.json`
+      const filePath = path.join(outputDir, fileName)
+
+      try {
+        fs.writeFileSync(filePath, JSON.stringify(collapseExamples(schema), null, 2))
+        console.log(`Schema ${fileName} written successfully.`)
+      } catch (error) {
+        console.error(`Error writing schema ${fileName}:`, error)
+      }
+    }
+  }
+}