diff --git a/.github/scripts/release_code.sh b/.github/scripts/release_code.sh
index c2242935..830fbf1f 100755
--- a/.github/scripts/release_code.sh
+++ b/.github/scripts/release_code.sh
@@ -1,17 +1,40 @@
 #!/usr/bin/env bash
 echo "$COMMIT_ID"
+CF_LONDON_EXPORTS=$(aws cloudformation list-exports --region eu-west-2 --output json)
+ARTIFACT_BUCKET_ARN=$(echo "$CF_LONDON_EXPORTS" | \
+ jq \
+ --arg EXPORT_NAME "account-resources-cdk-uk:Bucket:ArtifactsBucket:Arn" \
+ -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
+ARTIFACT_BUCKET_NAME=$(echo "$ARTIFACT_BUCKET_ARN" | cut -d: -f6 | cut -d/ -f1)
+if [ -z "${ARTIFACT_BUCKET_NAME}" ]; then
+ echo "could not retrieve artifact_bucket from aws cloudformation list-exports"
+ exit 1
+fi
-artifact_bucket=$(aws cloudformation list-exports --output json | jq -r '.Exports[] | select(.Name == "account-resources:ArtifactsBucket") | .Value' | grep -o '[^:]*$')
-export artifact_bucket
-
-cloud_formation_execution_role=$(aws cloudformation list-exports --output json | jq -r '.Exports[] | select(.Name == "ci-resources:CloudFormationExecutionRole") | .Value' )
-export cloud_formation_execution_role
+CLOUD_FORMATION_EXECUTION_ROLE=$(echo "$CF_LONDON_EXPORTS" | \
+ jq \
+ --arg EXPORT_NAME "iam-cdk:IAM:CloudFormationExecutionRole:Arn" \
+ -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
+if [ -z "${CLOUD_FORMATION_EXECUTION_ROLE}" ]; then
+ echo "could not retrieve cloud_formation_execution_role from aws cloudformation list-exports"
+ exit 1
+fi
-TRUSTSTORE_BUCKET_ARN=$(aws cloudformation describe-stacks --stack-name account-resources --query "Stacks[0].Outputs[?OutputKey=='TrustStoreBucket'].OutputValue" --output text)
+TRUSTSTORE_BUCKET_ARN=$(echo "$CF_LONDON_EXPORTS" | \
+ jq \
+ --arg EXPORT_NAME "account-resources-cdk-uk:Bucket:TrustStoreBucket:Arn" \
+ -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
 TRUSTSTORE_BUCKET_NAME=$(echo "${TRUSTSTORE_BUCKET_ARN}" | cut -d ":" -f 6)
+if [ -z "${TRUSTSTORE_BUCKET_NAME}" ]; then
+ echo "could not retrieve truststore_bucket from aws cloudformation list-exports"
+ exit 1
+fi
 LATEST_TRUSTSTORE_VERSION=$(aws s3api list-object-versions --bucket
"${TRUSTSTORE_BUCKET_NAME}" --prefix "${TRUSTSTORE_FILE}" --query 'Versions[?IsLatest].[VersionId]' --output text)
+
 export LATEST_TRUSTSTORE_VERSION
+export ARTIFACT_BUCKET_NAME
+export CLOUD_FORMATION_EXECUTION_ROLE
 cd ../../ || exit
@@ -27,11 +50,11 @@ sam deploy \
 --stack-name "$STACK_NAME" \
 --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
 --region eu-west-2 \
- --s3-bucket "$artifact_bucket" \
+ --s3-bucket "$ARTIFACT_BUCKET_NAME" \
 --s3-prefix "$ARTIFACT_BUCKET_PREFIX" \
 --config-file samconfig_package_and_deploy.toml \
 --no-fail-on-empty-changeset \
- --role-arn "$cloud_formation_execution_role" \
+ --role-arn "$CLOUD_FORMATION_EXECUTION_ROLE" \
 --no-confirm-changeset \
 --force-upload \
 --tags "version=$VERSION_NUMBER stack=$STACK_NAME repo=$REPO cfnDriftDetectionGroup=$CFN_DRIFT_DETECTION_GROUP" \
diff --git a/SAMtemplates/alarms/main.yaml b/SAMtemplates/alarms/main.yaml
index 3403ce78..4be834c9 100644
--- a/SAMtemplates/alarms/main.yaml
+++ b/SAMtemplates/alarms/main.yaml
@@ -44,8 +44,8 @@ Resources:
 TreatMissingData: notBreaching
 ActionsEnabled: !Ref EnableAlerts
 AlarmActions:
- - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+ - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
 InsufficientDataActions:
- - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+ - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
 OKActions:
- - !ImportValue lambda-resources:SlackAlertsSnsTopicArn
+ - !ImportValue account-resources-cdk-uk:SNS:SlackAlertsSnsTopicArn:Arn
diff --git a/SAMtemplates/lambda_resources.yaml b/SAMtemplates/lambda_resources.yaml
index 18a16675..f512fb68 100644
--- a/SAMtemplates/lambda_resources.yaml
+++ b/SAMtemplates/lambda_resources.yaml
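Review bot: The guard pattern this hunk introduces stops one step short: `LATEST_TRUSTSTORE_VERSION` is computed by `aws s3api list-object-versions` directly after the new `TRUSTSTORE_BUCKET_NAME` check, yet an empty (or `None`, which the CLI may print when the query resolves to nothing) result from a missing object, a wrong prefix or a failed call is exported unchecked, and because the script has no `set -euo pipefail` a failing `aws` or `jq` stage inside `$(...)` only ever surfaces as an empty variable. That lookup also uses `--prefix`, which matches any other key sharing the prefix, so `Versions[?IsLatest]` can yield several version IDs; filtering on the exact `Key` is safer. I would add strict mode after the shebang and mirror the new guard for the version, as below; the `sam deploy` that consumes these values is outside this hunk. Whether `set -u` is safe depends on every variable read here (`$COMMIT_ID`, `$TRUSTSTORE_FILE`, ...) always being set by the workflow — verify that before enabling it.
```shell
#!/usr/bin/env bash
set -euo pipefail
# … unchanged: export lookups and the three new guards …
LATEST_TRUSTSTORE_VERSION=$(aws s3api list-object-versions --bucket "${TRUSTSTORE_BUCKET_NAME}" --prefix "${TRUSTSTORE_FILE}" \
  --query "Versions[?IsLatest && Key=='${TRUSTSTORE_FILE}'].[VersionId]" --output text)
if [ -z "${LATEST_TRUSTSTORE_VERSION}" ] || [ "${LATEST_TRUSTSTORE_VERSION}" = "None" ]; then
  echo "could not retrieve latest version of ${TRUSTSTORE_FILE} from bucket ${TRUSTSTORE_BUCKET_NAME}" >&2
  exit 1
fi
```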
@@ -87,8 +87,8 @@ Resources:
 Service: "lambda.amazonaws.com"
 Action: "sts:AssumeRole"
 ManagedPolicyArns:
- - !ImportValue lambda-resources:LambdaInsightsLogGroupPolicy
- - !ImportValue account-resources:LambdaEncryptCloudwatchKMSPolicy
+ - !ImportValue account-resources-cdk-uk:IAM:LambdaInsightsLogGroupPolicy:Arn
+ - !ImportValue account-resources-cdk-uk:IAM:LambdaEncryptCloudwatchKMSPolicy:Arn
 LambdaManagedPolicy:
 Type: AWS::IAM::ManagedPolicy
diff --git a/SAMtemplates/main_template.yaml b/SAMtemplates/main_template.yaml
index 8dfe76d8..02831fa5 100644
--- a/SAMtemplates/main_template.yaml
+++ b/SAMtemplates/main_template.yaml
@@ -51,9 +51,9 @@ Resources:
 Location: lambda_resources.yaml
 Parameters:
 StackName: !Ref AWS::StackName
- CloudWatchKMSKey: !ImportValue account-resources:CloudwatchLogsKmsKeyArn
- SplunkSubscriptionFilterRole: !ImportValue lambda-resources:SplunkSubscriptionFilterRole
- SplunkDeliveryStream: !ImportValue lambda-resources:SplunkDeliveryStream
+ CloudWatchKMSKey: !ImportValue account-resources-cdk-uk:KMS:CloudwatchLogsKmsKey:Arn
+ SplunkSubscriptionFilterRole: !ImportValue account-resources-cdk-uk:IAM:SplunkSubscriptionFilterRole:Arn
+ SplunkDeliveryStream: !ImportValue account-resources-cdk-uk:Firehose:SplunkDeliveryStream:Arn
 EnableSplunk: "true"
 LambdaName: !Sub "${AWS::StackName}-FHIRValidatorUKCore"
 LambdaArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-FHIRValidatorUKCore
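Review bot: The three replaced imports in `main_template.yaml` all end in `:Arn`, whereas the old `lambda-resources:SplunkSubscriptionFilterRole` and `lambda-resources:SplunkDeliveryStream` exports carried no such suffix, so the values handed to `lambda_resources.yaml` may have changed shape from a name to an ARN; confirm that the nested template's `SplunkSubscriptionFilterRole` and `SplunkDeliveryStream` parameters consume ARNs, since a template written for names would only fail at deploy time. A one-line comment above `Parameters:` recording the contract, e.g. `# All imported values below are ARNs exported by the account-resources-cdk-uk stack`, would make the expectation explicit for the next rename. The resource this hunk belongs to starts before the hunk.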