New: [AEA-4497] - deploy cognito

.github/workflows/cdk_package_code.yml

@@ -49,6 +49,7 @@ jobs:
       - name: make install
         run: |
           make install
+          make compile-node
 
       - name: 'Tar files'
         run: |
@@ -67,6 +68,3 @@ jobs:
         with:
           name: build_artifact
           path: artifact.tar
-
-
-

.github/workflows/cdk_release_code.yml

@@ -21,12 +21,42 @@ on:
       LOG_RETENTION_IN_DAYS:
         required: true
         type: string
+      useMockOidc:
+        type: boolean
+        default: false
+      primaryOidcIssuer:
+        type: string
+      primaryOidcAuthorizeEndpoint:
+        type: string
+      primaryOidcTokenEndpoint:
+        type: string
+      primaryOidcUserInfoEndpoint:
+        type: string
+      primaryOidcjwksEndpoint:
+        type: string
+      mockOidcIssuer:
+        type: string
+      mockOidcAuthorizeEndpoint:
+        type: string
+      mockOidcTokenEndpoint:
+        type: string
+      mockOidcUserInfoEndpoint:
+        type: string
+      mockOidcjwksEndpoint:
+        type: string
     secrets:
       CLOUD_FORMATION_DEPLOY_ROLE:
         required: true
       CDK_PULL_IMAGE_ROLE:
         required: true
-
+      primaryOidcClientId:
+        required: false
+      primaryOidClientSecret:
+        required: false
+      mockOidcClientId:
+        required: false
+      mockOidClientSecret:
+        required: false
 jobs:
   release_code:
     runs-on: ubuntu-latest
@@ -96,6 +126,10 @@ jobs:
           cloudfrontDistributionId=$(aws cloudformation list-exports --region eu-west-2 --query "Exports[?Name=='"${{ inputs.SERVICE_NAME }}-stateless-resources:cloudfrontDistribution:Id"'].Value" --output text)
           # shellcheck disable=SC2140
           cloudfrontCertArn=$(aws cloudformation list-exports --region us-east-1 --query "Exports[?Name=='"${{ inputs.SERVICE_NAME }}-us-certs:cloudfrontCertificate:Arn"'].Value" --output text)
+          # shellcheck disable=SC2140
+          shortCloudfrontDomain=$(aws cloudformation list-exports --region us-east-1 --query "Exports[?Name=='"${{ inputs.SERVICE_NAME }}-us-certs:shortCloudfrontDomain:Name"'].Value" --output text)
+          # shellcheck disable=SC2140
+          fullCloudfrontDomain=$(aws cloudformation list-exports --region us-east-1 --query "Exports[?Name=='"${{ inputs.SERVICE_NAME }}-us-certs:fullCloudfrontDomain:Name"'].Value" --output text)
           jq \
           --arg serviceName "${{ inputs.SERVICE_NAME }}" \
           --arg VERSION_NUMBER "${{ inputs.VERSION_NUMBER }}" \
@@ -106,6 +140,23 @@ jobs:
           --arg allowAutoDeleteObjects "true" \
           --arg cloudfrontDistributionId "${cloudfrontDistributionId}" \
           --arg cloudfrontCertArn "${cloudfrontCertArn}" \
+          --arg useMockOidc "${{ inputs.useMockOidc }}" \
+          --arg primaryOidcClientId "${{ secrets.primaryOidcClientId }}" \
+          --arg primaryOidClientSecret "${{ secrets.primaryOidClientSecret }}" \
+          --arg primaryOidcIssuer "${{ inputs.primaryOidcIssuer }}" \
+          --arg primaryOidcAuthorizeEndpoint "${{ inputs.primaryOidcAuthorizeEndpoint }}" \
+          --arg primaryOidcTokenEndpoint "${{ inputs.primaryOidcTokenEndpoint }}" \
+          --arg primaryOidcUserInfoEndpoint "${{ inputs.primaryOidcUserInfoEndpoint }}" \
+          --arg primaryOidcjwksEndpoint "${{ inputs.primaryOidcjwksEndpoint }}" \
+          --arg mockOidcClientId "${{ secrets.mockOidcClientId }}" \
+          --arg mockOidClientSecret "${{ secrets.mockOidClientSecret }}" \
+          --arg mockOidcIssuer "${{ inputs.mockOidcIssuer }}" \
+          --arg mockOidcAuthorizeEndpoint "${{ inputs.mockOidcAuthorizeEndpoint }}" \
+          --arg mockOidcTokenEndpoint "${{ inputs.mockOidcTokenEndpoint }}" \
+          --arg mockOidcUserInfoEndpoint "${{ inputs.mockOidcUserInfoEndpoint }}" \
+          --arg mockOidcjwksEndpoint "${{ inputs.mockOidcjwksEndpoint }}" \
+          --arg shortCloudfrontDomain "${shortCloudfrontDomain}" \
+          --arg fullCloudfrontDomain "${fullCloudfrontDomain}" \
           '.context += {
             "serviceName": $serviceName,
             "VERSION_NUMBER": $VERSION_NUMBER,
@@ -115,7 +166,24 @@ jobs:
             "epsHostedZoneId": $epsHostedZoneId,
             "allowAutoDeleteObjects": $allowAutoDeleteObjects,
             "cloudfrontDistributionId": $cloudfrontDistributionId,
-            "cloudfrontCertArn": $cloudfrontCertArn}' \
+            "cloudfrontCertArn": $cloudfrontCertArn,
+            "shortCloudfrontDomain": $shortCloudfrontDomain,
+            "fullCloudfrontDomain": $fullCloudfrontDomain,
+            "useMockOidc": $useMockOidc,
+            "primaryOidcClientId": $primaryOidcClientId,
+            "primaryOidClientSecret": $primaryOidClientSecret,
+            "primaryOidcIssuer": $primaryOidcIssuer,
+            "primaryOidcAuthorizeEndpoint": $primaryOidcAuthorizeEndpoint,
+            "primaryOidcTokenEndpoint": $primaryOidcTokenEndpoint,
+            "primaryOidcUserInfoEndpoint": $primaryOidcUserInfoEndpoint,
+            "primaryOidcjwksEndpoint": $primaryOidcjwksEndpoint,
+            "mockOidcClientId": $mockOidcClientId,
+            "mockOidClientSecret": $mockOidClientSecret,
+            "mockOidcIssuer": $mockOidcIssuer,
+            "mockOidcAuthorizeEndpoint": $mockOidcAuthorizeEndpoint,
+            "mockOidcTokenEndpoint": $mockOidcTokenEndpoint,
+            "mockOidcUserInfoEndpoint": $mockOidcUserInfoEndpoint,
+            "mockOidcjwksEndpoint": $mockOidcjwksEndpoint}' \
           .build/cdk.json > .build/cdk.new.json
           mv .build/cdk.new.json .build/cdk.json
 

.github/workflows/ci.yml

@@ -102,10 +102,26 @@ jobs:
       TARGET_ENVIRONMENT: dev
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
+      useMockOidc: true
+      primaryOidcIssuer: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare"
+      primaryOidcAuthorizeEndpoint: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/authorize"
+      primaryOidcTokenEndpoint: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/access_token"
+      primaryOidcUserInfoEndpoint: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/userinfo"
+      primaryOidcjwksEndpoint: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/connect/jwk_uri"
+      mockOidcIssuer: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev"
+      mockOidcAuthorizeEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/auth"
+      mockOidcTokenEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/token"
+      mockOidcUserInfoEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/userinfo"
+      mockOidcjwksEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/certs"
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
-
+      primaryOidcClientId: ${{ secrets.PTL_PRIMARY_OIDC_CLIENT_ID }}
+      primaryOidClientSecret: ${{ secrets.PTL_PRIMARY_OIDC_CLIENT_SECRET }}
+      mockOidcClientId: ${{ secrets.PTL_MOCK_CLIENT_ID }}
+      mockOidClientSecret: ${{ secrets.PTL_MOCK_CLIENT_SECRET }}
+      CIS2_PRIVATE_KEY: ${{ secrets.PTL_CIS2_PRIVATE_KEY }}
+
   create_release_notes:
     needs: [tag_release, package_code, get_commit_id, release_dev]
     uses: ./.github/workflows/create_release_notes.yml
@@ -130,6 +146,23 @@ jobs:
       TARGET_ENVIRONMENT: qa
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
+      useMockOidc: true
+      primaryOidcIssuer: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare"
+      primaryOidcAuthorizeEndpoint: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/authorize"
+      primaryOidcTokenEndpoint: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/access_token"
+      primaryOidcUserInfoEndpoint: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/userinfo"
+      primaryOidcjwksEndpoint: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/connect/jwk_uri"
+      mockOidcIssuer: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev"
+      mockOidcAuthorizeEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/auth"
+      mockOidcTokenEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/token"
+      mockOidcUserInfoEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/userinfo"
+      mockOidcjwksEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/certs"
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.QA_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}
+      primaryOidcClientId: ${{ secrets.PTL_PRIMARY_OIDC_CLIENT_ID }}
+      primaryOidClientSecret: ${{ secrets.PTL_PRIMARY_OIDC_CLIENT_SECRET }}
+      mockOidcClientId: ${{ secrets.PTL_MOCK_CLIENT_ID }}
+      mockOidClientSecret: ${{ secrets.PTL_MOCK_CLIENT_SECRET }}
+      CIS2_PRIVATE_KEY: ${{ secrets.PTL_CIS2_PRIVATE_KEY }}
+

.github/workflows/deploy_website_content.yml

@@ -60,10 +60,30 @@ jobs:
           cd .build
           make react-build
 
+      - name: build auth_demo react app (temp step for testing)
+        run: |
+          REACT_APP_hostedLoginDomain=$(aws cloudformation list-exports --region us-east-1 --query "Exports[?Name=='${{ inputs.SERVICE_NAME }}-us-certs:fullCognitoDomain:Name'].Value" --output text)
+          REACT_APP_userPoolClientId=$(aws cloudformation list-exports --region eu-west-2 --query "Exports[?Name=='${{ inputs.SERVICE_NAME }}-stateful-resources:userPoolClient:userPoolClientId'].Value" --output text)
+          REACT_APP_userPoolId=$(aws cloudformation list-exports --region eu-west-2 --query "Exports[?Name=='${{ inputs.SERVICE_NAME }}-stateful-resources:userPool:Id'].Value" --output text)
+          fullCloudfrontDomain=$(aws cloudformation list-exports --region us-east-1 --query "Exports[?Name=='${{ inputs.SERVICE_NAME }}-us-certs:fullCloudfrontDomain:Name'].Value" --output text)
+          REACT_APP_redirectSignIn="https://${fullCloudfrontDomain}/auth_demo/"
+
+          export REACT_APP_hostedLoginDomain
+          export REACT_APP_userPoolClientId
+          export REACT_APP_userPoolId
+          export REACT_APP_redirectSignIn
+          cd .build
+          make auth_demo_build
+
       - name: deploy website
         run: |
           staticBucketName=$(aws cloudformation list-exports --query "Exports[?Name=='${{ inputs.SERVICE_NAME }}-stateful-resources:StaticContentBucket:Name'].Value" --output text)
           aws s3 cp ".build/packages/staticContent/404.html" "s3://${staticBucketName}/404.html"
           aws s3 cp ".build/packages/staticContent/500.html" "s3://${staticBucketName}/500.html"
           aws s3 cp ".build/packages/staticContent/jwks/dev/jwks.json" "s3://${staticBucketName}/jwks.json"
           aws s3 cp --recursive ".build/packages/cpt-ui/out/" "s3://${staticBucketName}/${{ inputs.VERSION_NUMBER }}/"
+
+      - name: deploy auth_demo website (temp for testing)
+        run: |
+          staticBucketName=$(aws cloudformation list-exports --query "Exports[?Name=='${{ inputs.SERVICE_NAME }}-stateful-resources:StaticContentBucket:Name'].Value" --output text)
+          aws s3 cp --recursive ".build/packages/auth_demo/build/" "s3://${staticBucketName}/auth_demo/"

.github/workflows/pull_request.yml

@@ -67,7 +67,22 @@ jobs:
       TARGET_ENVIRONMENT: dev-pr
       VERSION_NUMBER: PR-${{ needs.get_issue_number.outputs.issue_number }}
       COMMIT_ID: ${{ needs.get_commit_id.outputs.commit_id }}
+      useMockOidc: true
+      primaryOidcIssuer: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare"
+      primaryOidcAuthorizeEndpoint: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/authorize"
+      primaryOidcTokenEndpoint: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/access_token"
+      primaryOidcUserInfoEndpoint: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/userinfo"
+      primaryOidcjwksEndpoint: "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/connect/jwk_uri"
+      mockOidcIssuer: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev"
+      mockOidcAuthorizeEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/auth"
+      mockOidcTokenEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/token"
+      mockOidcUserInfoEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/userinfo"
+      mockOidcjwksEndpoint: "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-internal-dev/protocol/openid-connect/certs"
     secrets:
       CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
       CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
-
+      primaryOidcClientId: ${{ secrets.PTL_PRIMARY_OIDC_CLIENT_ID }}
+      primaryOidClientSecret: ${{ secrets.PTL_PRIMARY_OIDC_CLIENT_SECRET }}
+      mockOidcClientId: ${{ secrets.PTL_MOCK_CLIENT_ID }}
+      mockOidClientSecret: ${{ secrets.PTL_MOCK_CLIENT_SECRET }}
+      CIS2_PRIVATE_KEY: ${{ secrets.PTL_CIS2_PRIVATE_KEY }}