Skip to content

Commit 75fb6b4

Browse files
tstephen-nhsCopilotCopilot
authored
New: [AEA-6257] - scaffold app with CDK (#2494)
## Summary - 🤖 Operational or Infrastructure Change ### Details Deploy functionally equivalent PfP using CDK. NOTE: Proxygen deployment is not included so regression tests for CDK-based stack only pass for the PfP-AWS product. #### Local testing ```bash . .env # source your own version of template.env make aws-login make deploy curl --header "nhsd-nhslogin-user: P9:9446041481" --header "x-request-id: $(cat /proc/sys/kernel/random/uuid)" https://${stack_name}.dev.eps.national.nhs.uk/Bundle ``` my example returned ```bash {"resourceType":"Bundle","id":"a7e8f6a6-c20f-4a79-8e0d-6d6c0832d944","meta":{"lastUpdated":"2026-03-24T18:52:13+00:00"},"type":"searchset","total":0,"entry":[]} ``` To run regression tests prefix PULL_REQUEST_ID with 'cdk-', as in: ```bash product=pfp-aws env=internal-dev PULL_REQUEST_ID=cdk-pr-2494 tags=smoke make run-tests ``` --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 893c64b commit 75fb6b4

42 files changed

Lines changed: 3640 additions & 1505 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.devcontainer/devcontainer.json

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -41,7 +41,8 @@
4141
"mkhl.direnv",
4242
"github.vscode-github-actions",
4343
"Orta.vscode-jest",
44-
"jebbs.plantuml"
44+
"jebbs.plantuml",
45+
"sonarsource.sonarlint-vscode"
4546
],
4647
"settings": {
4748
"python.defaultInterpreterPath": "/workspaces/prescriptionsforpatients/.venv/bin/python",

.github/workflows/cdk_package_code.yml

Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,67 @@
1+
name: cdk package code
2+
3+
on:
4+
workflow_call:
5+
inputs:
6+
pinned_image:
7+
type: string
8+
required: true
9+
10+
permissions: {}
11+
12+
jobs:
13+
package_code:
14+
runs-on: ubuntu-22.04
15+
container:
16+
image: ${{ inputs.pinned_image }}
17+
options: --user 1001:1001 --group-add 128
18+
defaults:
19+
run:
20+
shell: bash
21+
permissions:
22+
id-token: write
23+
contents: read
24+
packages: read
25+
steps:
26+
- name: copy .tool-versions
27+
run: |
28+
cp /home/vscode/.tool-versions "$HOME/.tool-versions"
29+
30+
- name: Checkout code
31+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
32+
with:
33+
persist-credentials: false
34+
35+
- name: Setting up .npmrc
36+
env:
37+
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
38+
run: |
39+
echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
40+
echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
41+
42+
- name: make install and compile
43+
run: |
44+
make install
45+
make compile
46+
47+
- name: download the get secrets lambda layer
48+
run: |
49+
make download-get-secrets-layer
50+
51+
- name: Tar files
52+
run: |
53+
tar -cf artifact.tar \
54+
.github \
55+
packages \
56+
node_modules \
57+
package.json \
58+
package-lock.json \
59+
tsconfig.defaults.json \
60+
tsconfig.build.json \
61+
Makefile
62+
63+
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
64+
name: upload build artifact
65+
with:
66+
name: build_artifact
67+
path: artifact.tar

.github/workflows/cdk_release_code.yml

Lines changed: 266 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,266 @@
1+
name: cdk release code
2+
3+
on:
4+
workflow_call:
5+
inputs:
6+
IS_PULL_REQUEST:
7+
type: boolean
8+
default: false
9+
STACK_NAME:
10+
required: true
11+
type: string
12+
TARGET_ENVIRONMENT:
13+
required: true
14+
type: string
15+
APIGEE_ENVIRONMENT:
16+
required: true
17+
type: string
18+
ENABLE_MUTUAL_TLS:
19+
required: true
20+
type: boolean
21+
BUILD_ARTIFACT:
22+
required: true
23+
type: string
24+
TRUSTSTORE_FILE:
25+
required: true
26+
type: string
27+
VERSION_NUMBER:
28+
required: true
29+
type: string
30+
COMMIT_ID:
31+
required: true
32+
type: string
33+
CDK_APP_NAME:
34+
type: string
35+
default: PfPApiApp
36+
LOG_LEVEL:
37+
required: true
38+
type: string
39+
LOG_RETENTION_DAYS:
40+
required: true
41+
type: string
42+
CREATE_INT_RELEASE_NOTES:
43+
type: boolean
44+
default: false
45+
CREATE_INT_RC_RELEASE_NOTES:
46+
type: boolean
47+
default: false
48+
CREATE_PROD_RELEASE_NOTES:
49+
type: boolean
50+
default: false
51+
MARK_JIRA_RELEASED:
52+
type: boolean
53+
default: false
54+
TOGGLE_GET_STATUS_UPDATES:
55+
type: boolean
56+
default: false
57+
RUN_REGRESSION_TESTS:
58+
type: boolean
59+
default: true
60+
ENABLE_ALERTS:
61+
type: boolean
62+
default: true
63+
STATE_MACHINE_LOG_LEVEL:
64+
type: string
65+
REGRESSION_TEST_PRODUCT:
66+
type: string
67+
FORWARD_CSOC_LOGS:
68+
required: true
69+
type: boolean
70+
TC007_NHS_NUMBERS:
71+
required: false
72+
type: string
73+
TC008_NHS_NUMBERS:
74+
required: false
75+
type: string
76+
TC009_NHS_NUMBERS:
77+
required: false
78+
type: string
79+
DEPLOY_APIGEE:
80+
type: boolean
81+
default: true
82+
MTLS_KEY:
83+
type: string
84+
required: true
85+
ALLOW_NHS_NUMBER_OVERRIDE:
86+
required: true
87+
type: boolean
88+
REGRESSION_TEST_NON_PROXYGEN:
89+
type: boolean
90+
pinned_image:
91+
type: string
92+
required: true
93+
secrets:
94+
CLOUD_FORMATION_DEPLOY_ROLE:
95+
required: true
96+
APIM_STATUS_API_KEY:
97+
required: true
98+
TARGET_SPINE_SERVER:
99+
required: true
100+
TARGET_SERVICE_SEARCH_SERVER:
101+
required: true
102+
DEV_CLOUD_FORMATION_CHECK_VERSION_ROLE:
103+
required: false
104+
INT_CLOUD_FORMATION_CHECK_VERSION_ROLE:
105+
required: false
106+
PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE:
107+
required: false
108+
DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE:
109+
required: false
110+
REGRESSION_TESTS_PEM:
111+
required: false
112+
PROXYGEN_ROLE:
113+
required: false
114+
115+
permissions: {}
116+
117+
jobs:
118+
release_code_and_api:
119+
runs-on: ubuntu-22.04
120+
environment: ${{ inputs.TARGET_ENVIRONMENT }}
121+
container:
122+
image: ${{ inputs.pinned_image }}
123+
options: --user 1001:1001 --group-add 128
124+
defaults:
125+
run:
126+
shell: bash
127+
name: deploy cdk app ${{ inputs.CDK_APP_NAME }}
128+
permissions:
129+
id-token: write
130+
contents: write
131+
env:
132+
AWS_MAX_RETRY: 20
133+
134+
steps:
135+
- name: copy .tool-versions
136+
run: |
137+
cp /home/vscode/.tool-versions "$HOME/.tool-versions"
138+
139+
- name: Configure AWS Credentials
140+
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
141+
with:
142+
aws-region: eu-west-2
143+
role-to-assume: ${{ secrets.CLOUD_FORMATION_DEPLOY_ROLE }}
144+
role-session-name: aws-pfp-release-code
145+
146+
- name: delete old CDK stacks
147+
if: ${{ inputs.IS_PULL_REQUEST != true }}
148+
run: npm run delete-main-stacks --workspace packages/cdk
149+
shell: bash
150+
env:
151+
AWS_ENVIRONMENT: "${{ inputs.TARGET_ENVIRONMENT }}"
152+
APIGEE_ENVIRONMENT: "${{ inputs.APIGEE_ENVIRONMENT }}"
153+
APIM_STATUS_API_KEY: "${{ secrets.APIM_STATUS_API_KEY }}"
154+
155+
- name: download build artifact
156+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
157+
with:
158+
name: ${{ inputs.BUILD_ARTIFACT }}
159+
path: .
160+
161+
- name: extract build artifact
162+
run: tar -xf artifact.tar
163+
164+
- name: Deploy code
165+
env:
166+
CDK_APP_NAME: ${{ inputs.CDK_APP_NAME }}
167+
REQUIRE_APPROVAL: never
168+
CDK_CONFIG_stackName: ${{ inputs.STACK_NAME }}
169+
CDK_CONFIG_versionNumber: ${{ inputs.VERSION_NUMBER }}
170+
CDK_CONFIG_commitId: ${{ inputs.COMMIT_ID }}
171+
CDK_CONFIG_isPullRequest: ${{ inputs.IS_PULL_REQUEST }}
172+
CDK_CONFIG_environment: ${{ inputs.TARGET_ENVIRONMENT }}
173+
CDK_CONFIG_logRetentionInDays: ${{ inputs.LOG_RETENTION_DAYS }}
174+
CDK_CONFIG_logLevel: ${{ inputs.LOG_LEVEL }}
175+
CDK_CONFIG_targetSpineServer: ${{ secrets.TARGET_SPINE_SERVER }}
176+
CDK_CONFIG_targetServiceSearchServer: ${{ secrets.TARGET_SERVICE_SEARCH_SERVER }}
177+
CDK_CONFIG_toggleGetStatusUpdates: ${{ inputs.TOGGLE_GET_STATUS_UPDATES }}
178+
CDK_CONFIG_allowNhsNumberOverride: ${{ inputs.ALLOW_NHS_NUMBER_OVERRIDE }}
179+
CDK_CONFIG_tc007NhsNumberValue: ${{ inputs.TC007_NHS_NUMBERS }}
180+
CDK_CONFIG_tc008NhsNumberValue: ${{ inputs.TC008_NHS_NUMBERS }}
181+
CDK_CONFIG_tc009NhsNumberValue: ${{ inputs.TC009_NHS_NUMBERS }}
182+
CDK_CONFIG_trustStoreFile: ${{ inputs.TRUSTSTORE_FILE }}
183+
CDK_CONFIG_forwardCsocLogs: ${{ inputs.FORWARD_CSOC_LOGS }}
184+
run: npm run cdk-deploy --workspace packages/cdk
185+
186+
- name: get mtls secrets
187+
shell: bash
188+
run: |
189+
mkdir -p ~/.proxygen/tmp
190+
client_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:PfpClientKeySecret'].Value" --output text)
191+
client_cert_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:PfpClientCertSecret'].Value" --output text)
192+
aws secretsmanager get-secret-value --secret-id "${client_private_key_arn}" --query SecretString --output text > ~/.proxygen/tmp/client_private_key
193+
aws secretsmanager get-secret-value --secret-id "${client_cert_arn}" --query SecretString --output text > ~/.proxygen/tmp/client_cert
194+
195+
- name: Configure AWS Credentials for api release
196+
if: ${{ inputs.DEPLOY_APIGEE == true }}
197+
uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
198+
with:
199+
aws-region: eu-west-2
200+
role-to-assume: ${{ secrets.PROXYGEN_ROLE }}
201+
role-session-name: pfp-api-proxygen
202+
203+
- name: Deploy PFP API to Apigee
204+
shell: bash
205+
if: ${{ inputs.DEPLOY_APIGEE == true }}
206+
env:
207+
API_TYPE: standard
208+
VERSION_NUMBER: ${{ inputs.VERSION_NUMBER }}
209+
SPEC_PATH: ./packages/specification/dist/prescriptions-for-patients.resolved.json
210+
STACK_NAME: ${{ inputs.STACK_NAME }}
211+
AWS_ENVIRONMENT: ${{ inputs.TARGET_ENVIRONMENT }}
212+
APIGEE_ENVIRONMENT: ${{ inputs.APIGEE_ENVIRONMENT }}
213+
PROXYGEN_PRIVATE_KEY_NAME: PrescriptionsForPatientsProxygenPrivateKey
214+
PROXYGEN_KID: "2026-01-22-PROD-prescriptions-for-patients-v2"
215+
DRY_RUN: false
216+
ENABLE_MUTUAL_TLS: ${{ inputs.ENABLE_MUTUAL_TLS }}
217+
MTLS_KEY: ${{ inputs.MTLS_KEY }}
218+
IS_PULL_REQUEST: ${{ inputs.IS_PULL_REQUEST }}
219+
run: ./.github/scripts/deploy_api.sh
220+
221+
- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
222+
name: Upload specs
223+
with:
224+
name: ${{ inputs.APIGEE_ENVIRONMENT }}-specs
225+
path: |
226+
./packages/specification/dist/prescriptions-for-patients.resolved.json
227+
228+
- name: Checkout gh-pages
229+
if: ${{ inputs.IS_PULL_REQUEST == false }}
230+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
231+
with:
232+
ref: gh-pages
233+
path: gh-pages
234+
persist-credentials: false
235+
236+
- name: Update release tag in github pages
237+
if: ${{ inputs.IS_PULL_REQUEST == false }}
238+
run: |
239+
cd gh-pages
240+
NOW=$(date +'%Y-%m-%dT%H:%M:%S')
241+
echo "tag,release_datetime" > "_data/${APIGEE_ENVIRONMENT}_latest.csv"
242+
echo "${VERSION_NUMBER},${NOW}" >> "_data/${APIGEE_ENVIRONMENT}_latest.csv"
243+
echo "${VERSION_NUMBER},${NOW}" >> "_data/${APIGEE_ENVIRONMENT}_deployments.csv"
244+
git config user.name github-actions
245+
git config user.email github-actions@github.com
246+
git add "_data/${APIGEE_ENVIRONMENT}_latest.csv"
247+
git add "_data/${APIGEE_ENVIRONMENT}_deployments.csv"
248+
git commit -m "update releases for ${APIGEE_ENVIRONMENT}"
249+
parallel --retries 10 --delay 3 ::: "git pull --rebase && git push"
250+
251+
regression_tests:
252+
name: Regression Tests
253+
uses: ./.github/workflows/run_regression_tests.yml
254+
if: ${{ inputs.RUN_REGRESSION_TESTS == true }}
255+
needs: [release_code_and_api]
256+
permissions:
257+
contents: write
258+
id-token: write
259+
with:
260+
ENVIRONMENT: "${{ inputs.APIGEE_ENVIRONMENT }}"
261+
VERSION_NUMBER: "${{ inputs.VERSION_NUMBER }}"
262+
REGRESSION_TEST_PRODUCT: "${{ inputs.REGRESSION_TEST_PRODUCT }}"
263+
REGRESSION_TEST_NON_PROXYGEN: "${{ inputs.REGRESSION_TEST_NON_PROXYGEN }}"
264+
pinned_image: "${{ inputs.pinned_image }}"
265+
secrets:
266+
REGRESSION_TESTS_PEM: ${{ secrets.REGRESSION_TESTS_PEM }}

0 commit comments

Comments
 (0)