From 348c5cf75321deb3f7d63147d2437607e70203a2 Mon Sep 17 00:00:00 2001 From: Robert Date: Fri, 23 Jan 2026 10:02:14 +0000 Subject: [PATCH 1/5] WIP --- Makefile | 25 +++++++++++++++++-- pyproject.toml | 4 ++- specification/.proxygen/credentials-prod.yaml | 4 +++ specification/.proxygen/credentials-ptl.yaml | 4 +++ specification/.proxygen/settings-prod.yaml | 3 +++ specification/.proxygen/settings-ptl.yaml | 3 +++ 6 files changed, 40 insertions(+), 3 deletions(-) create mode 100644 specification/.proxygen/credentials-prod.yaml create mode 100644 specification/.proxygen/credentials-ptl.yaml create mode 100644 specification/.proxygen/settings-prod.yaml create mode 100644 specification/.proxygen/settings-ptl.yaml diff --git a/Makefile b/Makefile index eb55436..307d31e 100644 --- a/Makefile +++ b/Makefile 
@@ -58,8 +58,29 @@ retrieve-proxygen-key: # Obtain the 'machine user' credentials from AWS SSM (Dev aws ssm get-parameter --name /proxygen/private_key_temp --with-decryption | jq ".Parameter.Value" --raw-output \ > ~/.proxygen/eligibility-signposting-api.pem -setup-proxygen-credentials: # Copy Proxygen templated credentials to where it expected them - cd specification && cp -r .proxygen ~ +# setup-proxygen-credentials: # Copy Proxygen templated credentials to where it expected them +# cd specification && cp -r .proxygen ~ +# +# setup-proxygen-credentials-ptl: # Copy Proxygen templated credentials to where it expected them +# cd specification && cp -r .proxygen/credentials-ptl.yaml ~/.proxygen/credentials.yaml && \ +# cp .proxygen/settings-ptl.yaml ~/.proxygen/settings.yaml +# proxygen credentials list +# +# setup-proxygen-credentials-prod: # Copy Proxygen templated credentials to where it expected them +# cd specification && cp -r .proxygen/credentials-prod.yaml ~/.proxygen/credentials.yaml && \ +# cp .proxygen/settings-ptl.yaml ~/.proxygen/settings.yaml +# proxygen credentials list + +setup-proxygen-credentials: + cd specification && \ + cp .proxygen/credentials-$(ENV).yaml ~/.proxygen/credentials.yaml && \ + cp .proxygen/settings-$(ENV).yaml ~/.proxygen/settings.yaml + +setup-proxygen-credentials-ptl: + $(MAKE) setup-proxygen-credentials ENV=ptl + +setup-proxygen-credentials-prod: + $(MAKE) setup-proxygen-credentials ENV=prod get-spec: # Get the most recent specification live in proxygen $(MAKE) setup-proxygen-credentials diff --git a/pyproject.toml b/pyproject.toml index 4227641..5ae3af2 100644 --- a/pyproject.toml +++ b/pyproject.toml 
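Review bot: The new `setup-proxygen-credentials` recipe copies into `~/.proxygen/` without creating it, whereas the removed `cp -r .proxygen ~` created that directory as a side effect, so on a machine where `retrieve-proxygen-key` has not run the `cp` fails. Starting the recipe with `mkdir -p ~/.proxygen && \` ahead of the `cd specification` line keeps the old behaviour. `$(ENV)` is expanded unchecked, and `get-spec`, whose recipe continues outside the hunk, still calls the target without `ENV`, so the copy looks for `credentials-.yaml`; a prerequisite that rejects an empty `ENV` would make that failure explicit. The three new targets also drop the trailing `# description` comment that the neighbouring targets carry.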
@@ -10,7 +10,9 @@ requires-python = ">=3.11" repository = "https://github.com/NHSDigital/eligibility-signposting-api-specification" homepage = "https://digital.nhs.uk/developer/api-catalogue" keywords = ["healthcare", "uk", "nhs", "vaccination", "api"] #TODO add additional keywords -package_mode = false + +[tool.poetry] +package-mode = false [build-system] requires = ["poetry-core>=2.0.0,<3.0.0"] diff --git a/specification/.proxygen/credentials-prod.yaml b/specification/.proxygen/credentials-prod.yaml new file mode 100644 index 0000000..2fececb --- /dev/null +++ b/specification/.proxygen/credentials-prod.yaml @@ -0,0 +1,4 @@ +client_id: eligibility-signposting-api-prod-client +#private_key_path: eligibility-signposting-api-prod.pem +private_key_path: eligibility-signposting-api.pem +key_id: eligibility-signposting-api-prod diff --git a/specification/.proxygen/credentials-ptl.yaml b/specification/.proxygen/credentials-ptl.yaml new file mode 100644 index 0000000..d8038a3 --- /dev/null +++ b/specification/.proxygen/credentials-ptl.yaml @@ -0,0 +1,4 @@ +client_id: eligibility-signposting-api-ptl-client +#private_key_path: eligibility-signposting-api-ptl.pem +private_key_path: eligibility-signposting-api.pem +key_id: eligibility-signposting-api-ptl diff --git a/specification/.proxygen/settings-prod.yaml b/specification/.proxygen/settings-prod.yaml new file mode 100644 index 0000000..cf4436c --- /dev/null +++ b/specification/.proxygen/settings-prod.yaml @@ -0,0 +1,3 @@ +api: eligibility-signposting-api +endpoint_url: https://proxygen.prod.api.platform.nhs.uk +spec_output_format: yaml diff --git a/specification/.proxygen/settings-ptl.yaml b/specification/.proxygen/settings-ptl.yaml new file mode 100644 index 0000000..c9a0ac2 --- /dev/null +++ b/specification/.proxygen/settings-ptl.yaml @@ -0,0 +1,3 @@ +api: eligibility-signposting-api +endpoint_url: https://proxygen.ptl.api.platform.nhs.uk +spec_output_format: yaml 
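Review bot: `credentials-prod.yaml` and `credentials-ptl.yaml` both set `private_key_path: eligibility-signposting-api.pem`, so the prod and ptl client ids resolve to one key file on disk and whichever key was written last is used for either environment. The environment-specific path is already present but commented out; enabling it, `private_key_path: eligibility-signposting-api-prod.pem` here and `private_key_path: eligibility-signposting-api-ptl.pem` in the ptl file, keeps the two keys apart. Later patches in this series write the key to `eligibility-signposting-api-$(ENV).pem` and do not touch these files, so as shown the configured path would no longer match the file that is written. A one-line comment saying what `private_key_path` is resolved against would help, since that is not visible from the file.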
From 7f3031b16cfb95bc9fd7b7e788d9130d90de442f Mon Sep 17 00:00:00 2001 From: Robert Date: Fri, 23 Jan 2026 10:59:08 +0000 Subject: [PATCH 2/5] WIP: Updates to make file --- Makefile | 34 ++++++++++++++++------------------ 1 file changed, 16 insertions(+), 18 deletions(-) diff --git a/Makefile b/Makefile index 307d31e..8e997d8 100644 --- a/Makefile +++ b/Makefile @@ -58,18 +58,16 @@ retrieve-proxygen-key: # Obtain the 'machine user' credentials from AWS SSM (Dev aws ssm get-parameter --name /proxygen/private_key_temp --with-decryption | jq ".Parameter.Value" --raw-output \ > ~/.proxygen/eligibility-signposting-api.pem -# setup-proxygen-credentials: # Copy Proxygen templated credentials to where it expected them -# cd specification && cp -r .proxygen ~ -# -# setup-proxygen-credentials-ptl: # Copy Proxygen templated credentials to where it expected them -# cd specification && cp -r .proxygen/credentials-ptl.yaml ~/.proxygen/credentials.yaml && \ -# cp .proxygen/settings-ptl.yaml ~/.proxygen/settings.yaml -# proxygen credentials list -# -# setup-proxygen-credentials-prod: # Copy Proxygen templated credentials to where it expected them -# cd specification && cp -r .proxygen/credentials-prod.yaml ~/.proxygen/credentials.yaml && \ -# cp .proxygen/settings-ptl.yaml ~/.proxygen/settings.yaml -# proxygen credentials list +# retrieve-proxygen-key: # Obtain the 'machine user' credentials from AWS SSM (Development environment) +# mkdir -p ~/.proxygen && \ +# aws ssm get-parameter --name /proxygen/private_key_temp_$(ENV) --with-decryption | jq ".Parameter.Value" --raw-output \ +# > ~/.proxygen/eligibility-signposting-api-$(ENV).pem + +retrieve-proxygen-key-ptl: + $(MAKE) retrieve-proxygen-key ENV=ptl + +retrieve-proxygen-key-prod: + $(MAKE) retrieve-proxygen-key ENV=prod setup-proxygen-credentials: cd specification && \ 
@@ -83,27 +81,27 @@ setup-proxygen-credentials-prod: $(MAKE) setup-proxygen-credentials ENV=prod get-spec: # Get the most recent specification live in proxygen - $(MAKE) setup-proxygen-credentials + $(MAKE) setup-proxygen-credentials-prod proxygen spec get get-spec-uat: # Get the most recent specification live in proxygen - $(MAKE) setup-proxygen-credentials + $(MAKE) setup-proxygen-credentials-ptl proxygen spec get --uat publish-spec: # Publish the specification to proxygen - $(MAKE) setup-proxygen-credentials + $(MAKE) setup-proxygen-credentials-prod proxygen spec publish build/specification/prod/eligibility-signposting-api.yaml publish-spec-uat: # Publish the specification to proxygen - $(MAKE) setup-proxygen-credentials + $(MAKE) setup-proxygen-credentials-ptl proxygen spec publish build/specification/preprod/eligibility-signposting-api.yaml --uat delete-spec: # Delete the specification from proxygen - $(MAKE) setup-proxygen-credentials + $(MAKE) setup-proxygen-credentials-prod proxygen spec delete delete-spec-uat: # Delete the specification from proxygen - $(MAKE) setup-proxygen-credentials + $(MAKE) setup-proxygen-credentials-ptl proxygen spec delete --uat # Specification From cf5003f7257f64b47e09809cd7ece981d8f66a56 Mon Sep 17 00:00:00 2001 From: Rob Bailiff Date: Mon, 26 Jan 2026 16:36:04 +0000 Subject: [PATCH 3/5] WIP: Added AWS account check and updated make commands --- Makefile | 63 ++++++++++++++++++++---------------- scripts/check-aws-account.sh | 47 +++++++++++++++++++++++++++ 2 files changed, 83 insertions(+), 27 deletions(-) create mode 100755 scripts/check-aws-account.sh diff --git a/Makefile b/Makefile index 8e997d8..20c68f6 100644 --- a/Makefile +++ b/Makefile 
@@ -53,58 +53,67 @@ config:: # Configure development environment (main) @Configuration #### Proxygen #### ################## -retrieve-proxygen-key: # Obtain the 'machine user' credentials from AWS SSM (Development environment) - mkdir -p ~/.proxygen && \ - aws ssm get-parameter --name /proxygen/private_key_temp --with-decryption | jq ".Parameter.Value" --raw-output \ - > ~/.proxygen/eligibility-signposting-api.pem +# retrieve-proxygen-key: # Obtain the 'machine user' credentials from AWS SSM (Development environment) +# mkdir -p ~/.proxygen && \ +# aws ssm get-parameter --name /proxygen/private_key_temp --with-decryption | jq ".Parameter.Value" --raw-output \ +# > ~/.proxygen/eligibility-signposting-api.pem # retrieve-proxygen-key: # Obtain the 'machine user' credentials from AWS SSM (Development environment) # mkdir -p ~/.proxygen && \ # aws ssm get-parameter --name /proxygen/private_key_temp_$(ENV) --with-decryption | jq ".Parameter.Value" --raw-output \ # > ~/.proxygen/eligibility-signposting-api-$(ENV).pem - -retrieve-proxygen-key-ptl: - $(MAKE) retrieve-proxygen-key ENV=ptl - -retrieve-proxygen-key-prod: - $(MAKE) retrieve-proxygen-key ENV=prod - -setup-proxygen-credentials: - cd specification && \ +# +# retrieve-proxygen-key-ptl: +# $(MAKE) retrieve-proxygen-key ENV=ptl +# +# retrieve-proxygen-key-prod: +# $(MAKE) retrieve-proxygen-key ENV=prod + +# Verify current AWS account login and retrieve the proxygen key +# from AWS SSM for the specified environment +retrieve-proxygen-key: guard-ENV + @ ./scripts/check-aws-account.sh $(ENV) + mkdir -p ~/.proxygen + aws ssm get-parameter --name /proxygen/private_key_temp --with-decryption \ + | jq -r ".Parameter.Value" \ + > ~/.proxygen/eligibility-signposting-api-$(ENV).pem && \ + echo "Retrieved proxygen key for '$(ENV)' environment" + +# Copy proxygen credentials for the specified environment to `~/.proxygen/` +# This location required location for local proxygen usage +setup-proxygen-credentials: guard-ENV + @ cd 
specification && \ cp .proxygen/credentials-$(ENV).yaml ~/.proxygen/credentials.yaml && \ - cp .proxygen/settings-$(ENV).yaml ~/.proxygen/settings.yaml - -setup-proxygen-credentials-ptl: - $(MAKE) setup-proxygen-credentials ENV=ptl - -setup-proxygen-credentials-prod: - $(MAKE) setup-proxygen-credentials ENV=prod + cp .proxygen/settings-$(ENV).yaml ~/.proxygen/settings.yaml && \ + echo "Set up proxygen credentials for the '$(ENV)' environment" get-spec: # Get the most recent specification live in proxygen - $(MAKE) setup-proxygen-credentials-prod + $(MAKE) setup-proxygen-credentials ENV=prod proxygen spec get get-spec-uat: # Get the most recent specification live in proxygen - $(MAKE) setup-proxygen-credentials-ptl + $(MAKE) setup-proxygen-credentials ENV=ptl proxygen spec get --uat publish-spec: # Publish the specification to proxygen - $(MAKE) setup-proxygen-credentials-prod + $(MAKE) setup-proxygen-credentials ENV=prod proxygen spec publish build/specification/prod/eligibility-signposting-api.yaml publish-spec-uat: # Publish the specification to proxygen - $(MAKE) setup-proxygen-credentials-ptl + $(MAKE) setup-proxygen-credentials ENV=ptl proxygen spec publish build/specification/preprod/eligibility-signposting-api.yaml --uat delete-spec: # Delete the specification from proxygen - $(MAKE) setup-proxygen-credentials-prod + $(MAKE) setup-proxygen-credentials ENV=prod proxygen spec delete delete-spec-uat: # Delete the specification from proxygen - $(MAKE) setup-proxygen-credentials-ptl + $(MAKE) setup-proxygen-credentials ENV=ptl proxygen spec delete --uat -# Specification +##################### +### Specification ### +##################### guard-%: @ if [ "${${*}}" = "" ]; then \ diff --git a/scripts/check-aws-account.sh b/scripts/check-aws-account.sh new file mode 100755 index 0000000..6207c41 --- /dev/null +++ b/scripts/check-aws-account.sh 
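Review bot: In `retrieve-proxygen-key` the decrypted private key is redirected into `~/.proxygen/eligibility-signposting-api-$(ENV).pem` with whatever mode the caller's umask gives, and `mkdir -p ~/.proxygen` creates the directory the same way, so with a typical 022 umask the key is readable by other local users. The `aws … | jq …` pipeline also reports only jq's exit status unless the recipe shell has pipefail set (not visible in this hunk), so a failed `get-parameter` can leave an empty .pem and still print the success message. I would set a restrictive umask on the same recipe line as the write and let the AWS CLI extract the value itself so there is no pipe; a file that already exists keeps its old mode and needs a one-off `chmod 600`. The parameter name `/proxygen/private_key_temp` is the same for every `ENV`, so the account check is the only thing selecting the environment, which deserves a comment above the target.

```make
retrieve-proxygen-key: guard-ENV
	@ ./scripts/check-aws-account.sh $(ENV)
	umask 077 && mkdir -p ~/.proxygen && \
	aws ssm get-parameter --name /proxygen/private_key_temp --with-decryption \
		--query "Parameter.Value" --output text \
		> ~/.proxygen/eligibility-signposting-api-$(ENV).pem && \
	echo "Retrieved proxygen key for '$(ENV)' environment"
# … unchanged: setup-proxygen-credentials and the *-spec targets …
```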
@@ -0,0 +1,47 @@ + +#!/usr/bin/env bash +set -e + +APIM_ENV_NAME="$1" + +# Map APIM environment names to AWS account ID and environment name +case "$APIM_ENV_NAME" in + dev) + AWS_ENV_NAME="dev" + EXPECTED_ACCOUNT="448049830832" + ;; + ptl) + AWS_ENV_NAME="preprod" # Called 'preprod' in AWS and `ptl` in APIM + EXPECTED_ACCOUNT="203918864209" + ;; + prod) + AWS_ENV_NAME="prod" + EXPECTED_ACCOUNT="333333333333" + ;; + *) + echo "Unknown APIM environment: $APIM_ENV_NAME" + exit 1 + ;; +esac + +# Read the currently authenticated AWS account +CURRENT_ACCOUNT=$(aws sts get-caller-identity --query "Account" --output text) + +# Compare the current account with the expected account +if [ "$CURRENT_ACCOUNT" != "$EXPECTED_ACCOUNT" ]; then + echo "AWS account mismatch!" +# MSG="The 'ENV' arg '$APIM_ENV_NAME' for APIM maps to the AWS env '$AWS_ENV_NAME' and account $EXPECTED_ACCOUNT, but the current AWS account is $CURRENT_ACCOUNT." +# echo "$MSG" +# echo "The 'ENV' arg $APIM_ENV_NAME for APIM maps to the AWS env $AWS_ENV_NAME and account $EXPECTED_ACCOUNT, but the current AWS account is $CURRENT_ACCOUNT." +# echo "APIM environment : $APIM_ENV_NAME" +# echo "Expected AWS environment: $AWS_ENV_NAME" +# echo "Expected account: $EXPECTED_ACCOUNT" +# echo "Actual account : $CURRENT_ACCOUNT" +# echo "The APIM '$APIM_ENV_NAME' environment is mapped to the AWS '$AWS_ENV_NAME' environment and account $EXPECTED_ACCOUNT, but the current AWS account is $CURRENT_ACCOUNT." + echo "The expected mapping for the argument 'ENV=$APIM_ENV_NAME' is AWS '$AWS_ENV_NAME' account $EXPECTED_ACCOUNT, but the current AWS account is $CURRENT_ACCOUNT." + echo "Please switch to the correct AWS account and try again." + echo "Exiting script..." + exit 1 +fi + +echo "Active login to AWS '$AWS_ENV_NAME' account $CURRENT_ACCOUNT verified." From 693c6f5de8029d83ab823c229199fc16387c3630 Mon Sep 17 00:00:00 2001 
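Review bot: The first added line of `scripts/check-aws-account.sh` is empty, which puts `#!/usr/bin/env bash` on line 2 where the kernel does not treat it as an interpreter line, so the script runs under whatever shell the caller falls back to. Removing the leading blank line fixes that, and `set -euo pipefail` in place of `set -e` would turn a missing `$1` into an immediate error rather than the `Unknown APIM environment:` branch with an empty name. The `echo` calls on the two failure paths write to stdout; sending them to stderr with `>&2` keeps diagnostics out of any captured output. As far as this series shows, this script is the guard between an `ENV` value and the SSM read in the Makefile, so a header comment stating that contract and the accepted values (`dev`, `ptl`, `prod`) is worth adding.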
From: Rob Bailiff Date: Tue, 27 Jan 2026 16:57:41 +0000 Subject: [PATCH 4/5] Tidying make file and aws script --- Makefile | 16 ---------------- scripts/check-aws-account.sh | 10 +--------- 2 files changed, 1 insertion(+), 25 deletions(-) diff --git a/Makefile b/Makefile index 20c68f6..e1fdaa8 100644 --- a/Makefile +++ b/Makefile @@ -53,22 +53,6 @@ config:: # Configure development environment (main) @Configuration #### Proxygen #### ################## -# retrieve-proxygen-key: # Obtain the 'machine user' credentials from AWS SSM (Development environment) -# mkdir -p ~/.proxygen && \ -# aws ssm get-parameter --name /proxygen/private_key_temp --with-decryption | jq ".Parameter.Value" --raw-output \ -# > ~/.proxygen/eligibility-signposting-api.pem - -# retrieve-proxygen-key: # Obtain the 'machine user' credentials from AWS SSM (Development environment) -# mkdir -p ~/.proxygen && \ -# aws ssm get-parameter --name /proxygen/private_key_temp_$(ENV) --with-decryption | jq ".Parameter.Value" --raw-output \ -# > ~/.proxygen/eligibility-signposting-api-$(ENV).pem -# -# retrieve-proxygen-key-ptl: -# $(MAKE) retrieve-proxygen-key ENV=ptl -# -# retrieve-proxygen-key-prod: -# $(MAKE) retrieve-proxygen-key ENV=prod - # Verify current AWS account login and retrieve the proxygen key # from AWS SSM for the specified environment retrieve-proxygen-key: guard-ENV diff --git a/scripts/check-aws-account.sh b/scripts/check-aws-account.sh index 6207c41..a289d62 100755 --- a/scripts/check-aws-account.sh +++ b/scripts/check-aws-account.sh @@ -16,7 +16,7 @@ case "$APIM_ENV_NAME" in ;; prod) AWS_ENV_NAME="prod" - EXPECTED_ACCOUNT="333333333333" + EXPECTED_ACCOUNT="476114145616" ;; *) echo "Unknown APIM environment: $APIM_ENV_NAME" 
@@ -30,14 +30,6 @@ CURRENT_ACCOUNT=$(aws sts get-caller-identity --query "Account" --output text) # Compare the current account with the expected account if [ "$CURRENT_ACCOUNT" != "$EXPECTED_ACCOUNT" ]; then echo "AWS account mismatch!" -# MSG="The 'ENV' arg '$APIM_ENV_NAME' for APIM maps to the AWS env '$AWS_ENV_NAME' and account $EXPECTED_ACCOUNT, but the current AWS account is $CURRENT_ACCOUNT." -# echo "$MSG" -# echo "The 'ENV' arg $APIM_ENV_NAME for APIM maps to the AWS env $AWS_ENV_NAME and account $EXPECTED_ACCOUNT, but the current AWS account is $CURRENT_ACCOUNT." -# echo "APIM environment : $APIM_ENV_NAME" -# echo "Expected AWS environment: $AWS_ENV_NAME" -# echo "Expected account: $EXPECTED_ACCOUNT" -# echo "Actual account : $CURRENT_ACCOUNT" -# echo "The APIM '$APIM_ENV_NAME' environment is mapped to the AWS '$AWS_ENV_NAME' environment and account $EXPECTED_ACCOUNT, but the current AWS account is $CURRENT_ACCOUNT." echo "The expected mapping for the argument 'ENV=$APIM_ENV_NAME' is AWS '$AWS_ENV_NAME' account $EXPECTED_ACCOUNT, but the current AWS account is $CURRENT_ACCOUNT." echo "Please switch to the correct AWS account and try again." echo "Exiting script..." From b554b3225a0d6dbc5759a9d30d6ffcefda1b06d1 Mon Sep 17 00:00:00 2001 From: Rob Bailiff Date: Wed, 28 Jan 2026 09:06:27 +0000 Subject: [PATCH 5/5] Updated publish spec workflow --- .github/workflows/publish-specification.yaml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish-specification.yaml b/.github/workflows/publish-specification.yaml index 396df80..e4b975e 100644 --- a/.github/workflows/publish-specification.yaml +++ b/.github/workflows/publish-specification.yaml 
@@ -49,8 +49,15 @@ jobs: PROXYGEN_PRIVATE_KEY: ${{ secrets.PROXYGEN_PRIVATE_KEY }} run: | mkdir -p ~/.proxygen - echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api.pem - make setup-proxygen-credentials + + if [ "${{ env.APIM_ENV }}" = "preprod" ]; then + ENV_PARAM="ptl" + else + ENV_PARAM="${{ env.APIM_ENV }}" + fi + + echo "$PROXYGEN_PRIVATE_KEY" > ~/.proxygen/eligibility-signposting-api-${ENV_PARAM}.pem + make setup-proxygen-credentials ENV=${ENV_PARAM} - name: Generate specification run: | @@ -60,7 +67,10 @@ jobs: run: | if [ "${{ env.APIM_ENV }}" = "preprod" ]; then proxygen spec publish build/specification/preprod/eligibility-signposting-api.yaml --uat --no-confirm - else + elif [ "${{ env.APIM_ENV }}" = "prod" ]; then proxygen spec publish build/specification/prod/eligibility-signposting-api.yaml --no-confirm + else + echo "Error: Environment '${{ env.APIM_ENV }}' is not supported for publishing. Only 'preprod' and 'prod' are allowed." + exit 1 fi
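Review bot: `${{ env.APIM_ENV }}` is expanded into the script text before the shell runs, in both the credentials step and the publish step of this file, so if `APIM_ENV` is ever fed from a workflow input or ref name its value becomes shell source in a step that holds `PROXYGEN_PRIVATE_KEY`; where `APIM_ENV` is set is outside these hunks. Values set through `env:` are exported to the step, so the comparisons can read the variable instead: `if [ "$APIM_ENV" = "preprod" ]; then` and `ENV_PARAM="$APIM_ENV"`, with `make setup-proxygen-credentials ENV="${ENV_PARAM}"` quoted. The allow-list for `preprod` and `prod` is only enforced in the publish step, after the key has already been written under a name derived from the unchecked value; moving that check to the top of the credentials step would reject an unexpected environment before the secret touches disk.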