feature/PI-120-temp_apigee_instance adjusted swagger for proxygen

.github/workflows/_deploy.yml

@@ -12,7 +12,7 @@ on:
       account-wide:
         required: false
         type: string
-        default: ""
+        default: "non_account_wide"
 
 permissions:
   id-token: write

.github/workflows/deploy-account-wide-resources-prod.yml

@@ -0,0 +1,12 @@
+name: "Deploy: Account Wide Resources - Production"
+
+on:
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    uses: ./.github/workflows/_deploy.yml
+    with:
+      workspace: prod
+      account-wide: account_wide
+    secrets: inherit # pragma: allowlist secret

.github/workflows/deploy-account-wide-resources.yml

@@ -0,0 +1,21 @@
+name: "Deploy: Account Wide Resources - Nonprod"
+
+on:
+  workflow_dispatch:
+    inputs:
+      workspace:
+        description: Account to deploy to
+        required: true
+        default: dev
+        type: choice
+        options:
+          - dev
+          - ref
+          - int
+jobs:
+  deploy:
+    uses: ./.github/workflows/_deploy.yml
+    with:
+      workspace: ${{ inputs.workspace }}
+      account-wide: account_wide
+    secrets: inherit # pragma: allowlist secret

.github/workflows/deploy-nonprod-workspace.yml

@@ -1,4 +1,4 @@
-name: "Deploy: Persistent Workspace"
+name: "Deploy: Workspace - Nonprod"
 
 on:
   workflow_dispatch:
@@ -21,4 +21,5 @@ jobs:
     uses: ./.github/workflows/_deploy.yml
     with:
       workspace: ${{ inputs.workspace }}
+      account-wide: non_account_wide
     secrets: inherit # pragma: allowlist secret

.github/workflows/deploy-parameters-nonprod.yml

@@ -1,4 +1,4 @@
-name: "Deploy - parameters: Persistent Workspace"
+name: "Deploy: Parameters - Nonprod"
 
 on:
   workflow_dispatch:

.github/workflows/deploy-parameters-prod.yml

@@ -1,4 +1,4 @@
-name: "Deploy - parameters: Production"
+name: "Deploy: Parameters - Production"
 
 on:
   workflow_dispatch:

.github/workflows/deploy-prod-workspace.yml

@@ -1,4 +1,4 @@
-name: "Deploy: Production"
+name: "Deploy: Workspace - Production"
 
 on:
   workflow_dispatch:
@@ -8,4 +8,5 @@ jobs:
     uses: ./.github/workflows/_deploy.yml
     with:
       workspace: prod
+      account-wide: non_account_wide
     secrets: inherit # pragma: allowlist secret

README.md

@@ -41,6 +41,14 @@ Do `make build` every time you would like to pick up and install new local/proje
 
 The first time it will also set up your pre-commit hooks.
 
+### Proxygen - WIP
+
+If you wish to deploy proxies to Apigee then we use the proxygen-cli which is isntalled as part of the project
+
+There is also some credential setup that is required, at this stage we do not have a standard set of "dev" credentials but when we do then this section will be completed - for now here is the link to the README for the cli
+
+https://github.com/NHSDigital/proxygen-cli
+
 ### AWS SSO Setup
 
 This project uses Single Sign On (SSO) for consuming AWS services.

infrastructure/swagger/04_apim.yaml

@@ -1,17 +1,15 @@
 ---
+openapi: 3.0.3
 x-nhsd-apim:
   access:
-    - title: User Restricted
-      grants:
-        nhs-login-p5: []
     - title: Application Restricted
       grants:
         app-level0: []
   target: # Only one target (omit for NO backend)
     type: external
     healthcheck: /_status
-    url: https://example.external.apikey.secured.backend.com
+    url: https://i38bu8egci.execute-api.eu-west-2.amazonaws.com/production #for now this is the dev gateway
     security:
       type: apikey
-      header: X-API-Key
-      secret: example-apikey-secret-name
+      header: apikey
+      secret: rowan-cpm-test-5

infrastructure/swagger/05_paths.yaml

@@ -55,6 +55,8 @@ paths:
       x-amazon-apigateway-integration:
         <<: *ApiGatewayIntegration
         uri: ${method_status}
+      security: #This should be removed in the future if its problematic, helps proxygen be happy
+        - app-level0: []
 
   /Organization:
     post:
@@ -65,6 +67,8 @@ paths:
       x-amazon-apigateway-integration:
         <<: *ApiGatewayIntegration
         uri: ${method_createProductTeam}
+      security:
+        - app-level0: []
 
   /Organization/{id}:
     get:
@@ -84,3 +88,5 @@ paths:
       x-amazon-apigateway-integration:
         <<: *ApiGatewayIntegration
         uri: ${method_readProductTeam}
+      security:
+        - app-level0: []

infrastructure/swagger/06_components--authorizer.yaml

@@ -12,3 +12,5 @@ components:
         authorizerCredentials: ${authoriser_iam_role}
         identitySource: method.request.header.Authorization
         authorizerResultTtlInSeconds: 0
+    app-level0:
+      $ref: https://proxygen.prod.api.platform.nhs.uk/components/securitySchemes/app-level0

infrastructure/swagger/README.md

@@ -31,3 +31,13 @@ make swagger--merge
 ```
 
 however since this is a dependency of the terraform plan, it is sufficient to run `make terraform--plan` and the OpenAPI 3 specs will be updated accordingly.
+
+## If you have swagger generation issues
+
+If you delete your dist folder when doing work on the swagger you can end up with some odd behaviour, if this is the case then you should do
+
+```
+make swagger--clean
+```
+
+You should try to do this instead of deleting the dist folder to ensure that everything works correctly

infrastructure/terraform/per_account/dev/main.tf

@@ -1,8 +1,8 @@
 resource "aws_resourcegroups_group" "resource_group" {
-  name        = "${local.project}--${replace(terraform.workspace, "", "-")}--account-wide-resource-group"
+  name        = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group"
   description = "${terraform.workspace} account-wide resource group."
   tags = {
-    Name           = "${local.project}--${replace(terraform.workspace, "", "-")}--account-wide-resource-group"
+    Name           = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group"
     CreatedOn      = var.updated_date
     LastUpdated    = var.updated_date
     ExpirationDate = var.expiration_date

infrastructure/terraform/per_account/dev/parameters/main.tf

@@ -27,6 +27,6 @@ JSON
   }
 }
 
-resource "aws_secretsmanager_secret" "rowans-test-secret-account" {
-  name = "${terraform.workspace}-rowans-test-secret-account"
+resource "aws_secretsmanager_secret" "dev-apigee-credentials" {
+  name = "${terraform.workspace}-apigee-credentials"
 }

infrastructure/terraform/per_workspace/modules/api_entrypoint/api_gateway/api_gateway.tf

@@ -3,7 +3,7 @@ resource "aws_api_gateway_rest_api" "api_gateway_rest_api" {
   description = "API Gateway Rest API - autogenerated from swagger"
   # UNCOMMENT THIS WHEN ENABLING CUSTOM DOMAINS
   # disable_execute_api_endpoint = true
-  body = sensitive(data.template_file.swagger.rendered)
+  body = sensitive(local.swagger_file)
 }
 
 resource "aws_api_gateway_deployment" "api_gateway_deployment" {

infrastructure/terraform/per_workspace/modules/api_entrypoint/api_gateway/debug.tf

@@ -1,4 +1,4 @@
 resource "local_file" "rendered_swagger" {
-  content  = sensitive(data.template_file.swagger.rendered)
+  content  = sensitive(local.swagger_file)
   filename = "${path.root}/../../swagger/dist/aws/rendered/swagger.yaml"
 }

infrastructure/terraform/per_workspace/modules/api_entrypoint/api_gateway/locals.tf

@@ -3,4 +3,15 @@ locals {
   kms = {
     deletion_window_in_days = 7
   }
+  methods = [
+    for lambda_alias in setsubtract(var.lambdas, ["authoriser"]) :
+    { "method_${lambda_alias}" = "${local.apigateway_lambda_arn_prefix}:${var.assume_account}:function:${var.project}--${replace(terraform.workspace, "_", "-")}--${replace(lambda_alias, "_", "-")}-lambda/invocations" }
+  ]
+  swagger_file = templatefile("${path.root}/../../swagger/dist/aws/swagger.yaml", merge({
+    lambda_invoke_arn   = var.authoriser_metadata.lambda_invoke_arn,
+    authoriser_iam_role = var.authoriser_metadata.authoriser_iam_role,
+    authoriser_name     = var.authoriser_metadata.authoriser_name,
+    },
+    local.methods...
+  ))
 }

infrastructure/terraform/per_workspace/terraform.tf

@@ -13,6 +13,10 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 5.20.0"
     }
+    #This isnt needed, kept in for build reasons after removing template_file
+    template = {
+      source = "hashicorp/template"
+    }
   }
   # required_version = ">= 1.1.0"
 }

pyproject.toml

@@ -36,6 +36,7 @@ pytest-mock = "^3.12.0"
 moto = "^4.2.7"
 datamodel-code-generator = "^0.23.0"
 pyyaml = "^6.0.1"
+proxygen-cli = "^2.0.15"
 
 [build-system]
 requires = ["poetry-core"]

scripts/infrastructure/swagger.mk

@@ -11,8 +11,9 @@ SWAGGER_DIST = $(CURDIR)/infrastructure/swagger/dist
 SWAGGER_FHIR_BASE = $(SWAGGER_DIST)/fhir-base
 SWAGGER_AWS = $(SWAGGER_DIST)/aws/swagger.yaml
 SWAGGER_PUBLIC = $(SWAGGER_DIST)/public/swagger.yaml
+SWAGGER_APIGEE = $(SWAGGER_DIST)/apigee/swagger.yaml
 
-swagger--merge: $(SWAGGER_AWS) $(SWAGGER_PUBLIC) ## Updates swagger builds from the components in the infrastructure/swagger/ directory.
+swagger--merge: $(SWAGGER_AWS) $(SWAGGER_PUBLIC) $(SWAGGER_APIGEE) ## Updates swagger builds from the components in the infrastructure/swagger/ directory.
 swagger--clean:  ## Removes swagger builds.
 	[[ -f $(FHIR_BASE_TIMESTAMP) ]] && rm $(FHIR_BASE_TIMESTAMP) || :
 	[[ -d $(SWAGGER_DIST) ]] && rm -r $(SWAGGER_DIST) || :
@@ -45,3 +46,8 @@ $(SWAGGER_PUBLIC): $(FHIR_BASE_TIMESTAMP) $(shell find infrastructure/swagger -t
 	@env MERGE_PUBLIC=1 bash $(PATH_TO_INFRASTRUCTURE)/swagger/merge.sh
 	npx --yes @redocly/cli lint $(SWAGGER_PUBLIC) --skip-rule security-defined || ([[ -f $(FHIR_BASE_TIMESTAMP) ]] && rm $(FHIR_BASE_TIMESTAMP) || :; exit 1)
 	touch $(SWAGGER_PUBLIC)
+
+$(SWAGGER_APIGEE): $(FHIR_BASE_TIMESTAMP) $(shell find infrastructure/swagger -type f -name "*.yaml" -not -path "*/dist/*.yaml" )
+	@env MERGE_APIGEE=1 bash $(PATH_TO_INFRASTRUCTURE)/swagger/merge.sh
+	npx --yes @redocly/cli lint $(SWAGGER_APIGEE) --skip-rule security-defined || ([[ -f $(FHIR_BASE_TIMESTAMP) ]] && rm $(FHIR_BASE_TIMESTAMP) || :; exit 1)
+	touch $(SWAGGER_APIGEE)

scripts/infrastructure/swagger/merge.sh

@@ -12,13 +12,16 @@ PATH_TO_SWAGGER_BUILD=${PATH_TO_SWAGGER_DIST}/build
 PATH_TO_SWAGGER_AWS=${PATH_TO_SWAGGER_DIST}/aws
 PATH_TO_SWAGGER_PUBLIC=${PATH_TO_SWAGGER_DIST}/public
 PATH_TO_SWAGGER_FHIR_BASE=${PATH_TO_SWAGGER_DIST}/fhir-base
+PATH_TO_SWAGGER_APIGEE=${PATH_TO_SWAGGER_DIST}/apigee
 
 mkdir -p ${PATH_TO_SWAGGER_AWS}
 mkdir -p ${PATH_TO_SWAGGER_PUBLIC}
 mkdir -p ${PATH_TO_SWAGGER_BUILD}
+mkdir -p ${PATH_TO_SWAGGER_APIGEE}
 
 AWS_SWAGGER_FILE=${PATH_TO_SWAGGER_AWS}/swagger.yaml
 PUBLIC_SWAGGER_FILE=${PATH_TO_SWAGGER_PUBLIC}/swagger.yaml
+APIGEE_SWAGGER_FILE=${PATH_TO_SWAGGER_APIGEE}/swagger.yaml
 _BASE_SWAGGER_FILE=${PATH_TO_SWAGGER_BUILD}/_00_fhir_merge.yaml
 _INITIAL_MERGE_SWAGGER_FILE=${PATH_TO_SWAGGER_BUILD}/_01_initial_merge.yaml
 _CLEANED_SWAGGER_FILE=${PATH_TO_SWAGGER_BUILD}/_02_clean.yaml
@@ -43,13 +46,26 @@ cat ${_INITIAL_MERGE_SWAGGER_FILE} |
     yq 'del(.x-ibm-configuration)' |
     yq 'del(.components.schemas.*.discriminator)' |
     yq 'explode(.)' |
-    yq 'del(.x-*)' |
     yq '(.. | select(style == "single")) style |= "double"' |
     # Remove null dead-ends
     yq 'del(.. | select(. == null))' \
         > ${_CLEANED_SWAGGER_FILE}
 validate_yaml ${_CLEANED_SWAGGER_FILE}
 
+# Remove fields not required for apigee
+if [[ ${MERGE_APIGEE} == "1" ]]; then
+    cat ${_CLEANED_SWAGGER_FILE} |
+        yq 'del(.paths.*.*.x-amazon-apigateway-integration)' |
+        yq 'del(.x-definitions)' |
+        yq 'del(.security)' |
+        yq 'del(.tags)' |
+        yq 'del(.paths.*.*.tags)' |
+        yq 'del(.components.securitySchemes."${authoriser_name}")' \
+            > ${APIGEE_SWAGGER_FILE}
+    echo "Generated ${APIGEE_SWAGGER_FILE}"
+    validate_yaml ${APIGEE_SWAGGER_FILE}
+fi
+
 # Remove fields not required for public docs
 # * AWS specific stuff, including security & lambdas
 # * security tags
@@ -78,7 +94,9 @@ fi
 # * 4XX codes
 if [[ ${MERGE_AWS} == "1" ]]; then
     cat ${_CLEANED_SWAGGER_FILE} |
-        yq 'del(.. | select(has("4XX")).4XX)' > ${AWS_SWAGGER_FILE}
+        yq 'del(.x-*)' |
+        yq 'del(.. | select(has("4XX")).4XX)' \
+            > ${AWS_SWAGGER_FILE}
     echo "Generated ${AWS_SWAGGER_FILE}"
     validate_yaml ${AWS_SWAGGER_FILE}
 fi