From a71744878275c69e60cc3ece5a39d2d0c02dd783 Mon Sep 17 00:00:00 2001
From: Laurence Pakenham-Smith
Date: Fri, 10 Sep 2021 12:57:08 +0100
Subject: [PATCH 1/9] APM-2348 Change how access token is set based on org

---
 azure/common/deploy-stage.yml | 1 +
 azure/components/get-access-token.yml | 35 +++++++++++++++++++--------
 azure/components/set-facts.yml | 3 +++
 3 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/azure/common/deploy-stage.yml b/azure/common/deploy-stage.yml
index cd0896ede..720ac4158 100644
--- a/azure/common/deploy-stage.yml
+++ b/azure/common/deploy-stage.yml
@@ -149,6 +149,7 @@ stages:
 - ${{ each config_id in parameters.config_ids }}:
 - ${{ config_id }}
 aws_account: ${{ parameters.aws_account }}
+ apigee_organization: ${{ parameters.apigee_organization }}
 - ${{ if parameters.notify }}:
 - bash: |
diff --git a/azure/components/get-access-token.yml b/azure/components/get-access-token.yml
index 36166bacc..3f99401c1 100644
--- a/azure/components/get-access-token.yml
+++ b/azure/components/get-access-token.yml
@@ -3,15 +3,30 @@ parameters:
 type: string
 - name: apigee_password
 type: string
+ - name: apigee_organization
+ type: string
 steps:
- - bash: |
- curl -X POST https://login.apigee.com/oauth/token \
- -H "Content-Type: application/x-www-form-urlencoded" \
- -H "Accept: application/json;charset=utf-8" \
- -H "Authorization: Basic ZWRnZWNsaTplZGdlY2xpc2VjcmV0" \
- -d "username=${{ parameters.apigee_username }}&password=${{ parameters.apigee_password }}&mfa_token=$(secret.MFACode)&grant_type=password" | jq .access_token > .token
-
- # Set token into variable
- echo "##vso[task.setvariable variable=secret.AccessToken;issecret=true]`cat .token`"
- displayName: 'Get Apigee Access Token'
+ - ${{ if eq(parameters.apigee_organization, "nhsd-prod") }}:
+ - bash: |
+ curl -X POST https://nhs-digital-prod.login.apigee.com/oauth/token \
+ -H "Content-Type: application/x-www-form-urlencoded" \
+ -H "Accept: application/json;charset=utf-8" \
+ -H "Authorization: Basic ZWRnZWNsaTplZGdlY2xpc2VjcmV0" \
+ -d "username=${{ parameters.apigee_username }}&password=${{ parameters.apigee_password }}&grant_type=password" | jq .access_token > .token
+
+ # Set token into variable
+ echo "##vso[task.setvariable variable=secret.AccessToken;issecret=true]`cat .token`"
+ displayName: 'Get Apigee Access Token'
+
+ - ${{ if eq(parameters.apigee_organization, "nhsd-nonprod") }}:
+ - bash: |
+ curl -X POST https://login.apigee.com/oauth/token \
+ -H "Content-Type: application/x-www-form-urlencoded" \
+ -H "Accept: application/json;charset=utf-8" \
+ -H "Authorization: Basic ZWRnZWNsaTplZGdlY2xpc2VjcmV0" \
+ -d "username=${{ parameters.apigee_username }}&password=${{ parameters.apigee_password }}&mfa_token=$(secret.MFACode)&grant_type=password" | jq .access_token > .token
+
+ # Set token into variable
+ echo "##vso[task.setvariable variable=secret.AccessToken;issecret=true]`cat .token`"
+ displayName: 'Get Apigee Access Token'
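Review bot: Both added `-d` lines splice `${{ parameters.apigee_password }}` into the form body unencoded, so a password containing `&`, `%` or `+` is silently corrupted, and the value (the `$(APIGEE_PASSWORD)` macro that set-facts.yml passes, expanded by the agent at run time) lands in curl's argument list on the agent, where log masking does not protect it. A second gap is that `curl` without `--fail` exits 0 on an HTTP 401 and `jq .access_token` then prints `null` with status 0, so a wrong password or MFA code sets `secret.AccessToken` to the string `null` and the step passes; the `set -euo pipefail` added in PATCH 5/9 does not change that, and the merged step in PATCH 2/9 inherits both issues. The rewrite below, shown for the prod branch and applying equally to the nonprod one (which adds its `mfa_token` field the same way), feeds the credentials through the step's `env:` block with one `--data-urlencode` per field, adds `-sSf` and `jq -re` so a missing token fails the step, and keeps the token in a shell variable instead of the `.token` file that is otherwise left behind in the working directory; note that `-r` drops the JSON quotes the current `.token` carries, so check whether any consumer of the variable strips them today. The `Authorization: Basic` header would also benefit from `# public Apigee Edge CLI client credentials (edgecli:edgeclisecret), not a secret` so it is not mistaken for a leaked credential on the next audit.
```yaml
  # … unchanged: ${{ if eq(parameters.apigee_organization, "nhsd-prod") }} wrapper …
  - bash: |
      token="$(curl -sSf -X POST https://nhs-digital-prod.login.apigee.com/oauth/token \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -H "Accept: application/json;charset=utf-8" \
        -H "Authorization: Basic ZWRnZWNsaTplZGdlY2xpc2VjcmV0" \
        --data-urlencode "username=${APIGEE_USERNAME}" \
        --data-urlencode "password=${APIGEE_PASSWORD}" \
        --data-urlencode "grant_type=password" | jq -re .access_token)" || exit 1

      # Set token into variable
      echo "##vso[task.setvariable variable=secret.AccessToken;issecret=true]${token}"
    displayName: 'Get Apigee Access Token'
    env:
      APIGEE_USERNAME: ${{ parameters.apigee_username }}
      APIGEE_PASSWORD: ${{ parameters.apigee_password }}
```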
diff --git a/azure/components/set-facts.yml b/azure/components/set-facts.yml
index a3d51e91e..af13de45f 100644
--- a/azure/components/set-facts.yml
+++ b/azure/components/set-facts.yml
@@ -13,6 +13,8 @@ parameters:
 - name: aws_account
 type: string
 default: 'ptl'
+ - name: apigee_organization
+ type: string
 steps:
 - bash: |
@@ -57,3 +59,4 @@ steps:
 parameters:
 apigee_username: $(APIGEE_USERNAME)
 apigee_password: $(APIGEE_PASSWORD)
+ apigee_organization: ${{ parameters.apigee_organization }}
From 52c8ee464ba6781b07a2f537383869a31027253f Mon Sep 17 00:00:00 2001
From: Laurence Pakenham-Smith
Date: Fri, 10 Sep 2021 12:59:33 +0100
Subject: [PATCH 2/9] APM-2348 Update to use lookup

---
 azure/components/get-access-token.yml | 36 +++++++++++----------------
 1 file changed, 14 insertions(+), 22 deletions(-)

diff --git a/azure/components/get-access-token.yml b/azure/components/get-access-token.yml
index 3f99401c1..8f2777729 100644
--- a/azure/components/get-access-token.yml
+++ b/azure/components/get-access-token.yml
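Review bot: `apigee_organization` is added to set-facts.yml without a default while the neighbouring `aws_account` carries `default: 'ptl'`, which turns the new parameter into a mandatory one for every pipeline that already includes this template; deploy-stage.yml is updated in this commit, but any other caller not visible here would fail at template expansion until it is. A default naming the non-production organisation, e.g. `default: nhsd-nonprod` to match the value get-access-token.yml compares against in this commit, keeps existing callers working and makes the production path an explicit opt-in. The enclosing `parameters:` list starts before the first hunk.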
@@ -5,28 +5,20 @@ parameters:
 type: string
 - name: apigee_organization
 type: string
+ - name: _auth_server
+ type: object
+ default:
+ nhsd-nonprod: login.apigee.com
+ nhsd-prod: nhs-digital-prod.login.apigee.com
 steps:
- - ${{ if eq(parameters.apigee_organization, "nhsd-prod") }}:
- - bash: |
- curl -X POST https://nhs-digital-prod.login.apigee.com/oauth/token \
- -H "Content-Type: application/x-www-form-urlencoded" \
- -H "Accept: application/json;charset=utf-8" \
- -H "Authorization: Basic ZWRnZWNsaTplZGdlY2xpc2VjcmV0" \
- -d "username=${{ parameters.apigee_username }}&password=${{ parameters.apigee_password }}&grant_type=password" | jq .access_token > .token
+ - bash: |
+ curl -X POST https://${{ parameters._auth_server[parameters.apigee_organization] }}/oauth/token \
+ -H "Content-Type: application/x-www-form-urlencoded" \
+ -H "Accept: application/json;charset=utf-8" \
+ -H "Authorization: Basic ZWRnZWNsaTplZGdlY2xpc2VjcmV0" \
+ -d "username=${{ parameters.apigee_username }}&password=${{ parameters.apigee_password }}&mfa_token=$(secret.MFACode)&grant_type=password" | jq .access_token > .token
 
- # Set token into variable
- echo "##vso[task.setvariable variable=secret.AccessToken;issecret=true]`cat .token`"
- displayName: 'Get Apigee Access Token'
-
- - ${{ if eq(parameters.apigee_organization, "nhsd-nonprod") }}:
- - bash: |
- curl -X POST https://login.apigee.com/oauth/token \
- -H "Content-Type: application/x-www-form-urlencoded" \
- -H "Accept: application/json;charset=utf-8" \
- -H "Authorization: Basic ZWRnZWNsaTplZGdlY2xpc2VjcmV0" \
- -d "username=${{ parameters.apigee_username }}&password=${{ parameters.apigee_password }}&mfa_token=$(secret.MFACode)&grant_type=password" | jq .access_token > .token
-
- # Set token into variable
- echo "##vso[task.setvariable variable=secret.AccessToken;issecret=true]`cat .token`"
- displayName: 'Get Apigee Access Token'
+ # Set token into variable
+ echo "##vso[task.setvariable variable=secret.AccessToken;issecret=true]`cat .token`"
+ displayName: 'Get Apigee Access Token'
From 8f8fe150fe153ae065e29fe06c32b5e12919a7e5 Mon Sep 17 00:00:00 2001
From: Ben Strutt
Date: Fri, 10 Sep 2021 13:04:48 +0100
Subject: [PATCH 3/9] APM-2348 Set default to non-prod

---
 azure/components/get-access-token.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/azure/components/get-access-token.yml b/azure/components/get-access-token.yml
index 8f2777729..76a0a2954 100644
--- a/azure/components/get-access-token.yml
+++ b/azure/components/get-access-token.yml
@@ -5,6 +5,7 @@ parameters:
 type: string
 - name: apigee_organization
 type: string
+ default: nhsd-nonprod
 - name: _auth_server
 type: object
 default:
From b702ab7a5ebfee0af6cab7aa166d745c81a24a4c Mon Sep 17 00:00:00 2001
From: Laurence Pakenham-Smith
Date: Fri, 10 Sep 2021 13:20:27 +0100
Subject: [PATCH 4/9] APM-2348 Fix keys on map

---
 azure/components/get-access-token.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/azure/components/get-access-token.yml b/azure/components/get-access-token.yml
index 76a0a2954..1871ef195 100644
--- a/azure/components/get-access-token.yml
+++ b/azure/components/get-access-token.yml
@@ -9,8 +9,8 @@ parameters:
 - name: _auth_server
 type: object
 default:
- nhsd-nonprod: login.apigee.com
- nhsd-prod: nhs-digital-prod.login.apigee.com
+ nonprod: login.apigee.com
+ prod: nhs-digital-prod.login.apigee.com
 steps:
 - bash: |
From 58b4738dbff191d936a7214aac8cb8d2cc053d22 Mon Sep 17 00:00:00 2001
From: Laurence Pakenham-Smith
Date: Fri, 10 Sep 2021 13:21:19 +0100
Subject: [PATCH 5/9] APM-2348 Bash strict mode

---
 azure/components/get-access-token.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/azure/components/get-access-token.yml b/azure/components/get-access-token.yml
index 1871ef195..27167c12f 100644
--- a/azure/components/get-access-token.yml
+++ b/azure/components/get-access-token.yml
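Review bot: `_auth_server` is an ordinary template parameter, so any pipeline that includes this template can override the map — and with it the host that receives the username, password and MFA code; the leading underscore records intent but enforces nothing. An `apigee_organization` value that is not a key of the map also appears to expand to nothing, leaving `https:///oauth/token` in the curl line with no check in the script. Add `# internal lookup, not meant to be overridden by callers; keys must match apigee_organization` above the parameter, and resolve the host once with a guard: `auth_host='${{ parameters._auth_server[parameters.apigee_organization] }}'`, `[ -n "${auth_host}" ] || { echo 'unknown apigee_organization'; exit 1; }`, then `curl -X POST "https://${auth_host}/oauth/token" \`.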
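Review bot: After this rename the keys of `_auth_server` are environment labels rather than Apigee organisation names, yet the parameter they are looked up by is still called `apigee_organization`, deploy-stage.yml and set-facts.yml forward it under that name, and its own default a few lines above still reads `nhsd-nonprod` and is no longer a key (PATCH 8/9 later corrects the default). Any caller outside this series that passes an organisation name such as `nhsd-prod` will now resolve to an empty host, so the pipelines that set the value should be checked. Document the contract where the parameter is declared, e.g. `# one of: nonprod, prod — selects the login host from _auth_server below`.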
@@ -14,6 +14,7 @@ parameters:
 steps:
 - bash: |
+ set -euo pipefail
 curl -X POST https://${{ parameters._auth_server[parameters.apigee_organization] }}/oauth/token \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -H "Accept: application/json;charset=utf-8" \
From cae921317c28fa8e1941f8528d494fe1503d0add Mon Sep 17 00:00:00 2001
From: Laurence Pakenham-Smith
Date: Fri, 10 Sep 2021 15:39:42 +0100
Subject: [PATCH 6/9] APM-2348 Fix tagging resources

---
 .../templates/terraform/iam.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf b/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf
index ba11b763c..723824cd2 100644
--- a/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf
+++ b/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf
@@ -245,16 +245,16 @@ data "aws_iam_policy_document" "deploy-user" {
 }
 statement {
-
 actions = [
 "ecs:TagResource",
 "ecs:UntagResource"
 ]
- resources = [
- local.ecs_cluster.arn
- ]
-
+ resources = concat(
+ [local.ecs_cluster.arn],
+ [for ns in local.short_env_service_namespaces : "arn:aws:elasticloadbalancing:${local.region}:${local.account_id}:targetgroup/${ns}/*"],
+ [for ns in local.service_namespaces : "arn:aws:ecs:${local.region}:${local.account_id}:service/apis-${var.apigee_environment}/${ns}"]
+ )
 }
 statement {
From 5251ef90e4703b797345df6469c0655e64431f32 Mon Sep 17 00:00:00 2001
From: Laurence Pakenham-Smith
Date: Fri, 10 Sep 2021 16:43:43 +0100
Subject: [PATCH 7/9] APM-2348 Output some debug info

---
 azure/components/get-access-token.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/azure/components/get-access-token.yml b/azure/components/get-access-token.yml
index 27167c12f..00584ab71 100644
--- a/azure/components/get-access-token.yml
+++ b/azure/components/get-access-token.yml
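Review bot: The ECS service ARNs in the new `concat(...)` are built in the long `service/<cluster>/<service>` form, and as far as I recall from the ECS documentation, tagging services only works in accounts that have opted into the new ARN and resource-ID format, so in an account still on the short format these entries would not match and `ecs:TagResource` would be denied — worth confirming per target account. The cluster name `apis-${var.apigee_environment}` is also spelled out by hand right next to `local.ecs_cluster.arn`; if that local carries the cluster name, deriving the service ARNs from it keeps the two from drifting. The `elasticloadbalancing` target-group ARNs are not resources the `ecs:*` actions operate on, so that element grants nothing (PATCH 9/9 removes it). The `statement` block is complete within the hunk, but the enclosing policy document continues outside it.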
@@ -13,6 +13,13 @@ parameters:
 prod: nhs-digital-prod.login.apigee.com
 steps:
+ - bash: |
+ set -euo pipefail
+ echo 'apigee_username: ${{ parameters.apigee_username }}'
+ echo 'apigee_organization: ${{ parameters.apigee_organization }}'
+ echo 'auth_url: ${{ parameters._auth_server[parameters.apigee_organization] }}'
+ displayName: 'Print access token debug info'
+
 - bash: |
 set -euo pipefail
 curl -X POST https://${{ parameters._auth_server[parameters.apigee_organization] }}/oauth/token \
From b6889efec004fbee9c77a5ee17405cd3d07f9a7a Mon Sep 17 00:00:00 2001
From: Laurence Pakenham-Smith
Date: Fri, 10 Sep 2021 16:44:16 +0100
Subject: [PATCH 8/9] APM-2348 Fix default apigee org

---
 azure/components/get-access-token.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/azure/components/get-access-token.yml b/azure/components/get-access-token.yml
index 00584ab71..67bc36c4d 100644
--- a/azure/components/get-access-token.yml
+++ b/azure/components/get-access-token.yml
@@ -5,7 +5,7 @@ parameters:
 type: string
 - name: apigee_organization
 type: string
- default: nhsd-nonprod
+ default: nonprod
 - name: _auth_server
 type: object
 default:
From 7bc1f81b1c4738439c4013f64db9a34212878a99 Mon Sep 17 00:00:00 2001
From: Laurence Pakenham-Smith
Date: Fri, 10 Sep 2021 17:16:38 +0100
Subject: [PATCH 9/9] APM-2348 Remove unneeded resources

---
 .../create-api-deployment-pre-reqs/templates/terraform/iam.tf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf b/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf
index 723824cd2..29eb55a3e 100644
--- a/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf
+++ b/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf
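Review bot: The new debug step prints `apigee_username` into the job log, which is retained with the run and readable by anyone with read access to the pipeline; only variables marked secret are masked, and an account name normally is not, so the identity half of the credential is disclosed on every run. The organisation and the resolved host are the values that actually diagnose the lookup, so drop the username `echo` or emit it only when `System.Debug` is set. Each `echo` also wraps a template-expanded value in single quotes, so a value containing `'` would break the script; passing the values through the step's `env:` block and echoing the shell variables avoids splicing them into the script text at all.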
@@ -252,7 +252,6 @@ data "aws_iam_policy_document" "deploy-user" {
 resources = concat(
 [local.ecs_cluster.arn],
- [for ns in local.short_env_service_namespaces : "arn:aws:elasticloadbalancing:${local.region}:${local.account_id}:targetgroup/${ns}/*"],
 [for ns in local.service_namespaces : "arn:aws:ecs:${local.region}:${local.account_id}:service/apis-${var.apigee_environment}/${ns}"]
 )
 }