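#!/usr/bin/env bash
#
# deploy_api.sh - deploy the prescriptions-for-patients-v2 API through the
# Proxygen proxy lambdas.
#
# Steps, in order:
#   1. patch the OpenAPI spec at SPEC_PATH in place (title/version, target URL,
#      servers, securitySchemes, mTLS secret name, sandbox target attributes);
#   2. look up the Proxygen private key secret ARN from CloudFormation exports;
#   3. when ENABLE_MUTUAL_TLS=true, store the mTLS client key/cert through the
#      MTLSSecretPut lambda;
#   4. put the proxy instance through the InstancePut lambda;
#   5. publish the spec to the prod catalogue (int) or the uat catalogue
#      (internal-dev, non-PR) through the SpecPublish lambda.
# With DRY_RUN=true the spec is still patched but no lambda is invoked.
#
# Required environment variables: SPEC_PATH VERSION_NUMBER STACK_NAME
#   AWS_ENVIRONMENT APIGEE_ENVIRONMENT PROXYGEN_PRIVATE_KEY_NAME PROXYGEN_KID
#   DRY_RUN ENABLE_MUTUAL_TLS IS_PULL_REQUEST MTLS_KEY
# Also reads ~/.proxygen/tmp/client_private_key and ~/.proxygen/tmp/client_cert.
# Requires jq and the aws CLI with credentials for the target account.

# NB: 'set -eu pipefail' (the previous form) only set $1 to the word
# "pipefail"; the option needs -o.
set -euo pipefail

readonly REQUIRED_VARS=(
  SPEC_PATH VERSION_NUMBER STACK_NAME AWS_ENVIRONMENT APIGEE_ENVIRONMENT
  PROXYGEN_PRIVATE_KEY_NAME PROXYGEN_KID DRY_RUN ENABLE_MUTUAL_TLS
  IS_PULL_REQUEST MTLS_KEY
)

#######################################
# Print a diagnostic to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Remove the private scratch directory (it holds the mTLS key payload).
# Globals: work_dir (read)
#######################################
cleanup() {
  rm -rf -- "${work_dir:?}"
}

#######################################
# Rewrite the spec at SPEC_PATH in place with a jq program.
# Arguments: jq options and filter; SPEC_PATH is appended as the input file
# Globals:   SPEC_PATH (rewritten), work_dir (read)
# Returns:   jq's status on failure, in which case SPEC_PATH is left untouched
#            (the old `jq ... > temp.json && mv` form did not abort under -e)
#######################################
edit_spec() {
  local patched="${work_dir}/spec.json"
  # Write to a scratch file first: redirecting straight onto SPEC_PATH would
  # truncate the input before jq reads it.
  jq "$@" "${SPEC_PATH}" > "${patched}" || return
  mv -- "${patched}" "${SPEC_PATH}"
}

#######################################
# Write the payload shared by the InstancePut and SpecPublish lambdas.
# Arguments: $1 - environment value to put in the payload
#            $2 - output path for the payload JSON
# Globals:   SPEC_PATH apigee_api apigee_client instance PROXYGEN_KID
#            proxygen_private_key_arn (all read)
#######################################
build_spec_payload() {
  local environment=$1 output=$2
  # --slurpfile binds an array of the file's documents; the spec is a single
  # document, so $spec[0] is exactly what the deprecated --argfile bound.
  jq -n --slurpfile spec "${SPEC_PATH}" \
    --arg apiName "${apigee_api}" \
    --arg apiClient "${apigee_client}" \
    --arg environment "${environment}" \
    --arg instance "${instance}" \
    --arg kid "${PROXYGEN_KID}" \
    --arg proxygenSecretName "${proxygen_private_key_arn}" \
    '{apiName: $apiName, apiClient: $apiClient, environment: $environment, specDefinition: $spec[0], instance: $instance, kid: $kid, proxygenSecretName: $proxygenSecretName}' \
    > "${output}"
}

#######################################
# Invoke a Proxygen proxy lambda and fail if it reports a function error.
# Arguments: $1 - lambda function name
#            $2 - path to the JSON payload file
# Globals:   work_dir (read)
# Outputs:   on error, the lambda's response body on stdout
# Returns:   0 on success; exits 1 when the invoke metadata carries
#            FunctionError (a non-zero aws exit aborts via set -e)
#######################################
invoke_lambda() {
  local function_name=$1 payload=$2
  local out="${work_dir}/out.txt" response="${work_dir}/response.json"
  aws lambda invoke --function-name "${function_name}" \
    --cli-binary-format raw-in-base64-out \
    --payload "file://${payload}" "${out}" > "${response}"
  # `aws lambda invoke` exits 0 even when the function raised; the failure is
  # only visible as .FunctionError in the invoke metadata.
  if jq -e '.FunctionError' "${response}" >/dev/null; then
    echo 'Error calling lambda'
    cat "${out}"
    exit 1
  fi
}

#######################################
# Build a spec payload and publish it to a catalogue environment, or only
# announce the call on a dry run.
# Arguments: $1 - catalogue environment ("prod" or "uat")
#            $2 - message explaining why the publish happens
# Globals:   DRY_RUN spec_publish_lambda work_dir (read)
#######################################
publish_spec() {
  local catalogue_env=$1 reason=$2
  local payload="${work_dir}/payload.json"
  echo
  echo "${reason}"
  if [[ "${DRY_RUN}" == "false" ]]; then
    build_spec_payload "${catalogue_env}" "${payload}"
    invoke_lambda "${spec_publish_lambda}" "${payload}"
    echo "Spec deployed"
  else
    echo "Would call ${spec_publish_lambda}"
  fi
}

#######################################
# Entry point: validate inputs, patch the spec, then drive the lambdas.
# Globals written for the helpers: work_dir put_secret_lambda
#   instance_put_lambda spec_publish_lambda apigee_api apigee_client instance
#   proxygen_private_key_arn
#######################################
main() {
  local var
  # Fail before touching the spec rather than part-way through patching it
  # (MTLS_KEY was previously only checked when first used).
  for var in "${REQUIRED_VARS[@]}"; do
    [[ -n "${!var+set}" ]] || die "${var} must be set"
  done

  echo "Specification path: ${SPEC_PATH}"
  echo "Specification version: ${VERSION_NUMBER}"
  echo "Stack name: ${STACK_NAME}"
  echo "AWS environment: ${AWS_ENVIRONMENT}"
  echo "Apigee environment: ${APIGEE_ENVIRONMENT}"
  echo "Proxygen private key name: ${PROXYGEN_PRIVATE_KEY_NAME}"
  echo "Proxygen KID: ${PROXYGEN_KID}"
  echo "Dry run: ${DRY_RUN}"
  echo "ENABLE_MUTUAL_TLS: ${ENABLE_MUTUAL_TLS}"
  echo "is_pull_request: ${IS_PULL_REQUEST}"

  [[ -f "${SPEC_PATH}" ]] || die "Specification not found: ${SPEC_PATH}"

  # All scratch files - including the payload that carries the mTLS private
  # key - live in a private mktemp directory and are removed on exit instead
  # of being left behind as payload.json/response.json/out.txt in the checkout.
  work_dir=$(mktemp -d) || die "mktemp failed"
  trap cleanup EXIT

  local client_private_key client_cert
  client_private_key=$(cat "${HOME}/.proxygen/tmp/client_private_key")
  client_cert=$(cat "${HOME}/.proxygen/tmp/client_cert")
  [[ -n "${client_private_key}" ]] \
    || die "client_private_key is unset or set to the empty string"
  [[ -n "${client_cert}" ]] \
    || die "client_cert is unset or set to the empty string"

  # int/sandbox/prod go through the Prod lambdas, everything else through PTL.
  put_secret_lambda=lambda-resources-ProxygenPTLMTLSSecretPut
  instance_put_lambda=lambda-resources-ProxygenPTLInstancePut
  spec_publish_lambda=lambda-resources-ProxygenPTLSpecPublish
  if [[ "${APIGEE_ENVIRONMENT}" =~ ^(int|sandbox|prod)$ ]]; then
    put_secret_lambda=lambda-resources-ProxygenProdMTLSSecretPut
    instance_put_lambda=lambda-resources-ProxygenProdInstancePut
    spec_publish_lambda=lambda-resources-ProxygenProdSpecPublish
  fi

  local instance_suffix="" pr_id=""
  if [[ "${IS_PULL_REQUEST}" == "true" ]]; then
    # The PR id is the last '-'-separated component of $STACK_NAME
    pr_id=${STACK_NAME##*-}
    instance_suffix="-pr-${pr_id}"
  fi

  # Determine the proxy instance based on the provided $STACK_NAME
  apigee_api=prescriptions-for-patients-v2
  apigee_client=prescriptions-for-patients-v2
  instance="prescriptions-for-patients-v2${instance_suffix}"
  echo "Proxy instance: ${instance}"
  echo "Apigee api: ${apigee_api}"
  echo "Apigee client: ${apigee_client}"

  echo
  echo "Fixing the spec"
  local title
  title=$(jq -r '.info.title' "${SPEC_PATH}")
  if [[ "${IS_PULL_REQUEST}" == "true" ]]; then
    edit_spec --arg title "[PR-${pr_id}] ${title}" '.info.title = $title'
    echo "disabling monitoring for pull request deployment"
    edit_spec '."x-nhsd-apim".monitoring = false'
    echo "setting temporary true for pull request deployment"
    edit_spec '."x-nhsd-apim".temporary = true'
  fi
  edit_spec --arg version "${VERSION_NUMBER}" '.info.version = $version'
  edit_spec --arg stack_name "${STACK_NAME}" --arg aws_env "${AWS_ENVIRONMENT}" \
    '.["x-nhsd-apim"].target.url = "https://\($stack_name).\($aws_env).eps.national.nhs.uk"'

  # servers: prod has no environment prefix in the hostname
  if [[ "${APIGEE_ENVIRONMENT}" == "prod" ]]; then
    edit_spec --arg inst "${instance}" \
      '.servers = [ { "url": "https://api.service.nhs.uk/\($inst)" } ]'
  else
    edit_spec --arg env "${APIGEE_ENVIRONMENT}" --arg inst "${instance}" \
      '.servers = [ { "url": "https://\($env).api.service.nhs.uk/\($inst)" } ]'
  fi

  # securitySchemes are $ref'd from the prod or ptl Proxygen host
  local proxygen_host scheme
  if [[ "${APIGEE_ENVIRONMENT}" == "prod" ]]; then
    proxygen_host=proxygen.prod.api.platform.nhs.uk
  else
    proxygen_host=proxygen.ptl.api.platform.nhs.uk
  fi
  for scheme in nhs-cis2-aal3 nhs-login-p9; do
    edit_spec --arg scheme "${scheme}" --arg host "${proxygen_host}" \
      '.components.securitySchemes[$scheme] = {"$ref": "https://\($host)/components/securitySchemes/\($scheme)"}'
  done

  # Only the secret *name* goes into the spec; the key material is stored
  # separately through the MTLSSecretPut lambda below.
  edit_spec --arg mtls_key "${MTLS_KEY}" \
    '.["x-nhsd-apim"].target.security.secret = "\($mtls_key)"'

  if [[ "${APIGEE_ENVIRONMENT}" == *"sandbox"* ]]; then
    echo "Removing target attributes for sandbox environment"
    edit_spec 'del(."x-nhsd-apim"."target-attributes")'
  fi

  echo
  echo "Retrieving proxygen credentials"
  # The secret ARN is exported by CloudFormation as secrets:<name>; an empty
  # result means the export is missing and every lambda call would fail later.
  proxygen_private_key_arn=$(aws cloudformation list-exports \
    --query "Exports[?Name=='secrets:${PROXYGEN_PRIVATE_KEY_NAME}'].Value" \
    --output text)
  [[ -n "${proxygen_private_key_arn}" ]] \
    || die "No CloudFormation export found for secrets:${PROXYGEN_PRIVATE_KEY_NAME}"

  local payload="${work_dir}/payload.json"
  if [[ "${ENABLE_MUTUAL_TLS}" == "true" ]]; then
    echo
    echo "Store the secret used for mutual TLS to AWS using Proxygen proxy lambda"
    if [[ "${DRY_RUN}" == "false" ]]; then
      # The key and cert are passed to jq on argv (as before), so they are
      # briefly visible in the process list; the resulting file only ever
      # exists inside $work_dir.
      jq -n --arg apiName "${apigee_api}" \
        --arg apiClient "${apigee_client}" \
        --arg environment "${APIGEE_ENVIRONMENT}" \
        --arg secretName "${MTLS_KEY}" \
        --arg secretKey "${client_private_key}" \
        --arg secretCert "${client_cert}" \
        --arg kid "${PROXYGEN_KID}" \
        --arg proxygenSecretName "${proxygen_private_key_arn}" \
        '{apiName: $apiName, apiClient: $apiClient, environment: $environment, secretName: $secretName, secretKey: $secretKey, secretCert: $secretCert, kid: $kid, proxygenSecretName: $proxygenSecretName}' \
        > "${payload}"
      invoke_lambda "${put_secret_lambda}" "${payload}"
      echo "Secret stored successfully"
    else
      echo "Would call ${put_secret_lambda}"
    fi
  fi

  echo
  echo "Deploy the API instance using Proxygen proxy lambda"
  if [[ "${DRY_RUN}" == "false" ]]; then
    build_spec_payload "${APIGEE_ENVIRONMENT}" "${payload}"
    invoke_lambda "${instance_put_lambda}" "${payload}"
    echo "Instance deployed"
  else
    echo "Would call ${instance_put_lambda}"
  fi

  if [[ "${APIGEE_ENVIRONMENT}" == "int" ]]; then
    publish_spec prod "Deploy the API spec to prod catalogue as it is int environment"
  fi
  if [[ "${APIGEE_ENVIRONMENT}" == "internal-dev" && "${IS_PULL_REQUEST}" == "false" ]]; then
    publish_spec uat "Deploy the API spec to uat catalogue as it is internal-dev environment"
  fi
}

main "$@"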