Split out fixSpec from deployApi

Author: MatthewPopat-NHS

.vscode/eps-cdk-utils.code-workspace

@@ -11,9 +11,9 @@
 	],
 	"settings": {
 		"files.exclude": {
-		"packages/": true,
+			"packages/": true,
 		},
-        "cSpell.words": [
+		"cSpell.words": [
 			"apigw",
 			"ASID",
 			"AWSKMS",
@@ -49,6 +49,7 @@
 			"pollable",
 			"powertools",
 			"Prosthetist",
+			"proxygen",
 			"querystring",
 			"reingest",
 			"reingested",

packages/cdkConstructs/src/specifications/deployApi.ts

@@ -1,9 +1,10 @@
-
 import {LambdaClient, InvokeCommand} from "@aws-sdk/client-lambda"
-import {getCFConfigValue, getCloudFormationExports, calculateVersionedStackName} from "../config"
+import {getCFConfigValue, getCloudFormationExports} from "../config"
+import {fixSpec} from "./fixSpec"
 
 export type ApiConfig = {
-  specification: string
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  spec: any
   apiName: string
   version: string
   apigeeEnvironment: string
@@ -18,9 +19,31 @@ export type ApiConfig = {
   hiddenPaths: Array<string>
 }
 
+const lambda = new LambdaClient({})
+
+async function invokeLambda(
+  dryRun: boolean,
+  functionName: string,
+  payload: unknown
+): Promise<void> {
+  if (dryRun) {
+    console.log(`Would invoke lambda ${functionName}`)
+    return
+  }
+  const invokeResult = await lambda.send(new InvokeCommand({
+    FunctionName: functionName,
+    Payload: Buffer.from(JSON.stringify(payload))
+  }))
+  const responsePayload = Buffer.from(invokeResult.Payload!).toString()
+  if (invokeResult.FunctionError) {
+    throw new Error(`Error calling lambda ${functionName}: ${responsePayload}`)
+  }
+  console.log(`Lambda ${functionName} invoked successfully. Response:`, responsePayload)
+}
+
 export async function deployApi(
   {
-    specification,
+    spec,
     apiName,
     version,
     apigeeEnvironment,
@@ -36,59 +59,16 @@ export async function deployApi(
   }: ApiConfig,
   dryRun: boolean
 ): Promise<void> {
-  const lambda = new LambdaClient({})
-  async function invokeLambda(functionName: string, payload: unknown): Promise<void> {
-    if (dryRun) {
-      console.log(`Would invoke lambda ${functionName}`)
-      return
-    }
-
-    const invokeResult = await lambda.send(new InvokeCommand({
-      FunctionName: functionName,
-      Payload: Buffer.from(JSON.stringify(payload))
-    }))
-    const responsePayload = Buffer.from(invokeResult.Payload!).toString()
-    if (invokeResult.FunctionError) {
-      throw new Error(`Error calling lambda ${functionName}: ${responsePayload}`)
-    }
-    console.log(`Lambda ${functionName} invoked successfully. Response:`, responsePayload)
-  }
-
-  let instance = apiName
-  const spec = JSON.parse(specification)
-  if (isPullRequest) {
-    const pr_id = stackName.split("-").pop()
-    instance = `${apiName}-pr-${pr_id}`
-    spec.info.title = `[PR-${pr_id}] ${spec.info.title}`
-    spec["x-nhsd-apim"].monitoring = false
-    delete spec["x-nhsd-apim"].target.security.secret
-  } else {
-    stackName = calculateVersionedStackName(stackName, version)
-    spec["x-nhsd-apim"].target.security.secret = mtlsSecretName
-  }
-  spec.info.version = version
-  spec["x-nhsd-apim"].target.url = `https://${stackName}.${awsEnvironment}.eps.national.nhs.uk`
-
-  function replaceSchemeRefs(domain: string) {
-    const schemes = ["nhs-cis2-aal3", "nhs-login-p9", "app-level3", "app-level0"]
-    for (const scheme of schemes) {
-      if (spec.components.securitySchemes[scheme]) {
-        spec.components.securitySchemes[scheme] = {
-          "$ref": `https://${domain}/components/securitySchemes/${scheme}`
-        }
-      }
-    }
-  }
-  if (apigeeEnvironment === "prod") {
-    spec.servers = [ {url: `https://api.service.nhs.uk/${instance}`} ]
-    replaceSchemeRefs("proxygen.prod.api.platform.nhs.uk")
-  } else {
-    spec.servers = [ {url: `https://${apigeeEnvironment}.api.service.nhs.uk/${instance}`} ]
-    replaceSchemeRefs("proxygen.ptl.api.platform.nhs.uk")
-  }
-  if (apigeeEnvironment.includes("sandbox")) {
-    delete spec["x-nhsd-apim"]["target-attributes"] // Resolve issue with sandbox trying to look up app name
-  }
+  const instance = fixSpec(
+    spec,
+    apiName,
+    version,
+    apigeeEnvironment,
+    isPullRequest,
+    awsEnvironment,
+    stackName,
+    mtlsSecretName
+  )
 
   const exports = await getCloudFormationExports()
   const clientCertArn = getCFConfigValue(exports, `account-resources:${clientCertExportName}`)
@@ -104,32 +84,37 @@ export async function deployApi(
     spec_publish_lambda = "lambda-resources-ProxygenProdSpecPublish"
   }
 
-  // --- Store the secret used for mutual TLS ---
   if (!isPullRequest) {
     console.log("Store the secret used for mutual TLS to AWS using Proxygen proxy lambda")
-    await invokeLambda(put_secret_lambda, {
+    await invokeLambda(
+      dryRun,
+      put_secret_lambda,
+      {
+        apiName,
+        environment: apigeeEnvironment,
+        secretName: mtlsSecretName,
+        secretKeyName: clientPrivateKeyArn,
+        secretCertName: clientCertArn,
+        kid: proxygenKid,
+        proxygenSecretName: proxygenPrivateKeyArn
+      }
+    )
+  }
+
+  console.log("Deploy the API instance using Proxygen proxy lambda")
+  await invokeLambda(
+    dryRun,
+    instance_put_lambda,
+    {
       apiName,
       environment: apigeeEnvironment,
-      secretName: mtlsSecretName,
-      secretKeyName: clientPrivateKeyArn,
-      secretCertName: clientCertArn,
+      specDefinition: spec,
+      instance,
       kid: proxygenKid,
       proxygenSecretName: proxygenPrivateKeyArn
-    })
-  }
-
-  // --- Deploy the API instance ---
-  console.log("Deploy the API instance using Proxygen proxy lambda")
-  await invokeLambda(instance_put_lambda, {
-    apiName,
-    environment: apigeeEnvironment,
-    specDefinition: spec,
-    instance,
-    kid: proxygenKid,
-    proxygenSecretName: proxygenPrivateKeyArn
-  })
+    }
+  )
 
-  // --- Publish the API spec to the catalogue ---
   let spec_publish_env
   if (apigeeEnvironment === "int") {
     console.log("Deploy the API spec to prod catalogue as it is int environment")
@@ -142,17 +127,19 @@ export async function deployApi(
   }
   if (spec_publish_env) {
     for (const path of hiddenPaths) {
-      if (spec.paths[path]) {
-        delete spec.paths[path]
-      }
+      delete spec.paths[path]
     }
-    await invokeLambda(spec_publish_lambda, {
-      apiName,
-      environment: spec_publish_env,
-      specDefinition: spec,
-      instance,
-      kid: proxygenKid,
-      proxygenSecretName: proxygenPrivateKeyArn
-    })
+    await invokeLambda(
+      dryRun,
+      spec_publish_lambda,
+      {
+        apiName,
+        environment: spec_publish_env,
+        specDefinition: spec,
+        instance,
+        kid: proxygenKid,
+        proxygenSecretName: proxygenPrivateKeyArn
+      }
+    )
   }
 }

packages/cdkConstructs/src/specifications/fixSpec.ts

@@ -0,0 +1,54 @@
+import {calculateVersionedStackName} from "../config"
+
+function replaceSchemeRefs(
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  spec: any,
+  domain: string
+) {
+  const schemes = ["nhs-cis2-aal3", "nhs-login-p9", "app-level3", "app-level0"]
+  for (const scheme of schemes) {
+    if (spec.components.securitySchemes[scheme]) {
+      spec.components.securitySchemes[scheme] = {
+        "$ref": `https://${domain}/components/securitySchemes/${scheme}`
+      }
+    }
+  }
+}
+
+export function fixSpec(
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  spec: any,
+  apiName: string,
+  version: string,
+  apigeeEnvironment: string,
+  isPullRequest: boolean,
+  awsEnvironment: string,
+  stackName: string,
+  mtlsSecretName: string
+): string {
+  let instance = apiName
+  let stack = stackName
+  if (isPullRequest) {
+    const pr_id = stackName.split("-").pop()
+    instance = `${apiName}-pr-${pr_id}`
+    spec.info.title = `[PR-${pr_id}] ${spec.info.title}`
+    spec["x-nhsd-apim"].monitoring = false
+    delete spec["x-nhsd-apim"].target.security.secret
+  } else {
+    stack = calculateVersionedStackName(stackName, version)
+    spec["x-nhsd-apim"].target.security.secret = mtlsSecretName
+  }
+  spec.info.version = version
+  spec["x-nhsd-apim"].target.url = `https://${stack}.${awsEnvironment}.eps.national.nhs.uk`
+  if (apigeeEnvironment === "prod") {
+    spec.servers = [ {url: `https://api.service.nhs.uk/${instance}`} ]
+    replaceSchemeRefs(spec, "proxygen.prod.api.platform.nhs.uk")
+  } else {
+    spec.servers = [ {url: `https://${apigeeEnvironment}.api.service.nhs.uk/${instance}`} ]
+    replaceSchemeRefs(spec, "proxygen.ptl.api.platform.nhs.uk")
+  }
+  if (apigeeEnvironment.includes("sandbox")) {
+    delete spec["x-nhsd-apim"]["target-attributes"] // Resolve issue with sandbox trying to look up app name
+  }
+  return instance
+}

packages/cdkConstructs/tests/specifications/deployApi.test.ts

@@ -72,7 +72,7 @@ const defaultExportsMap = {
 
 function buildConfig(overrides: Partial<ApiConfig> = {}): ApiConfig {
   return {
-    specification: JSON.stringify(createSpec()),
+    spec: createSpec(),
     apiName: "eps",
     version: "1.0.0",
     apigeeEnvironment: "internal-dev",
@@ -133,14 +133,6 @@ describe("deployApi", () => {
     expect(functionNameFromCall(1)).toBe("lambda-resources-ProxygenPTLInstancePut")
     const instancePayload = payloadFromCall(1)
     expect(instancePayload.instance).toBe("eps")
-    expect(instancePayload.specDefinition.info.version).toBe("2.0.0")
-    expect(instancePayload.specDefinition["x-nhsd-apim"].target.security.secret).toBe("mtls/secret")
-    expect(instancePayload.specDefinition["x-nhsd-apim"].target.url)
-      .toBe("https://eps-stack-2-0-0.nonprod.eps.national.nhs.uk")
-    expect(instancePayload.specDefinition.components.securitySchemes["nhs-cis2-aal3"].$ref)
-      .toBe("https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/nhs-cis2-aal3")
-    expect(instancePayload.specDefinition.servers[0].url)
-      .toBe("https://internal-dev.api.service.nhs.uk/eps")
 
     expect(functionNameFromCall(2)).toBe("lambda-resources-ProxygenPTLSpecPublish")
     const publishPayload = payloadFromCall(2)
@@ -166,15 +158,9 @@ describe("deployApi", () => {
 
     const instancePayload = payloadFromCall(0)
     expect(instancePayload.instance).toBe("eps-pr-456")
-    expect(instancePayload.specDefinition.info.title).toBe("[PR-456] EPS API")
-    expect(instancePayload.specDefinition["x-nhsd-apim"].monitoring).toBe(false)
-    expect(instancePayload.specDefinition["x-nhsd-apim"].target.security.secret).toBeUndefined()
-    expect(instancePayload.specDefinition["x-nhsd-apim"]["target-attributes"]).toBeUndefined()
-    expect(instancePayload.specDefinition.servers[0].url)
-      .toBe("https://sandbox.api.service.nhs.uk/eps-pr-456")
   })
 
-  test("uses prod lambdas and prod security scheme refs", async () => {
+  test("uses prod lambdas for prod environment", async () => {
     await deployApi(
       buildConfig({
         version: "4.0.0",
@@ -189,12 +175,6 @@ describe("deployApi", () => {
     expect(lambdaSendMock).toHaveBeenCalledTimes(2)
     expect(functionNameFromCall(0)).toBe("lambda-resources-ProxygenProdMTLSSecretPut")
     expect(functionNameFromCall(1)).toBe("lambda-resources-ProxygenProdInstancePut")
-
-    const specPayload = payloadFromCall(1)
-    expect(specPayload.specDefinition.servers[0].url)
-      .toBe("https://api.service.nhs.uk/eps")
-    expect(specPayload.specDefinition.components.securitySchemes["nhs-cis2-aal3"].$ref)
-      .toBe("https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/nhs-cis2-aal3")
   })
 
   test("publishes spec to prod catalogue for int environment", async () => {
@@ -216,38 +196,6 @@ describe("deployApi", () => {
       .toBe("https://sandbox.api.service.nhs.uk/eps")
   })
 
-  test("replaces all supported security scheme refs", async () => {
-    const spec = createSpec({
-      securitySchemes: {
-        "nhs-cis2-aal3": {},
-        "nhs-login-p9": {},
-        "app-level3": {},
-        "app-level0": {}
-      }
-    })
-    await deployApi(
-      buildConfig({
-        specification: JSON.stringify(spec),
-        apigeeEnvironment: "prod",
-        awsEnvironment: "prod",
-        stackName: "eps-prod-stack",
-        proxygenKid: "kid-prod"
-      }),
-      false
-    )
-    const specPayload = payloadFromCall(1)
-    const schemes = [
-      "nhs-cis2-aal3",
-      "nhs-login-p9",
-      "app-level3",
-      "app-level0"
-    ]
-    for (const scheme of schemes) {
-      expect(specPayload.specDefinition.components.securitySchemes[scheme].$ref)
-        .toBe(`https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/${scheme}`)
-    }
-  })
-
   test("removes hidden paths from published spec", async () => {
     const spec = createSpec({
       paths: {
@@ -257,7 +205,7 @@ describe("deployApi", () => {
     })
     await deployApi(
       buildConfig({
-        specification: JSON.stringify(spec),
+        spec,
         apigeeEnvironment: "int",
         stackName: "eps-int-stack",
         proxygenKid: "kid-int",