Chore: [AEA-0000] - add Proxygen cleanup (#2445)

tstephen-nhs · web-flow · commit 253de5097052 · 2026-03-03T17:30:48.000Z
## Summary

- 🤖 Operational or Infrastructure Change

### Details

Add Proxygen cleanup of PRs.
diff --git a/.github/scripts/delete_proxygen_deployments.sh b/.github/scripts/delete_proxygen_deployments.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+# generic script for removing proxygen deployed apis where the pull request is closed
+
+# set the repo name to be the name of the repo this is running in
+REPO_NAME=prescriptionsforpatients
+
+# this should be customised to delete relevant proxygen deployments if they are used
+main() {
+  echo "Checking prescriptions for patients deployments"
+  PULL_REQUEST_PROXYGEN_REGEX="prescriptions-for-patients-v2-pr-"
+  delete_apigee_deployments "internal-dev" "prescriptions-for-patients-v2" "PrescriptionsForPatientsProxygenPrivateKey" "2026-01-22-PROD-prescriptions-for-patients-v2"
+  delete_apigee_deployments "internal-dev-sandbox" "prescriptions-for-patients-v2" "PrescriptionsForPatientsProxygenPrivateKey" "2026-01-22-PROD-prescriptions-for-patients-v2"
+}
+
+delete_apigee_deployments() {
+  APIGEE_ENVIRONMENT=$1
+  APIGEE_API=$2
+  PROXYGEN_PRIVATE_KEY_NAME=$3
+  PROXYGEN_KID=$4
+  proxygen_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='secrets:${PROXYGEN_PRIVATE_KEY_NAME}'].Value" --output text)
+
+  echo
+  echo "checking apigee deployments on ${APIGEE_ENVIRONMENT}"
+  echo
+
+  jq -n --arg apiName "${APIGEE_API}" \
+            --arg environment "${APIGEE_ENVIRONMENT}" \
+            --arg kid "${PROXYGEN_KID}" \
+            --arg proxygenSecretName "${proxygen_private_key_arn}" \
+            '{apiName: $apiName, environment: $environment, kid, $kid, proxygenSecretName: $proxygenSecretName}' > payload.json
+
+  aws lambda invoke --function-name "lambda-resources-ProxygenPTLInstanceGet" --cli-binary-format raw-in-base64-out --payload file://payload.json out.json > response.json
+
+  if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then
+      echo 'Error calling lambda'
+      cat out.json
+      exit 1
+  fi
+
+  jq -r '.[].name' "out.json" | while read -r i; do
+    echo "Checking if apigee deployment $i has open pull request"
+    PULL_REQUEST=${i//${PULL_REQUEST_PROXYGEN_REGEX}/}
+    echo "Checking pull request id ${PULL_REQUEST}"
+    URL="https://api.github.com/repos/NHSDigital/${REPO_NAME}/pulls/${PULL_REQUEST}"
+    RESPONSE=$(curl "${URL}" -H "Authorization: token ${GITHUB_TOKEN}" 2>/dev/null)
+    STATE=$(echo "${RESPONSE}" | jq -r .state)
+    if [ "$STATE" == "closed" ]; then
+      echo "** going to delete apigee deployment $i as state is ${STATE} **"
+      jq -n --arg apiName "${APIGEE_API}" \
+                --arg environment "${APIGEE_ENVIRONMENT}" \
+                --arg instance "${i}" \
+                --arg kid "${PROXYGEN_KID}" \
+                --arg proxygenSecretName "${proxygen_private_key_arn}" \
+                '{apiName: $apiName, environment: $environment, kid, $kid, proxygenSecretName: $proxygenSecretName, instance: $instance}' > payload.json
+
+      aws lambda invoke --function-name "lambda-resources-ProxygenPTLInstanceDelete" --cli-binary-format raw-in-base64-out --payload file://payload.json out.txt > response.json
+        if eval "cat response.json | jq -e '.FunctionError' >/dev/null"; then
+            echo 'Error calling lambda'
+            cat out.txt
+            exit 1
+        fi
+
+
+    else
+      echo "not going to delete apigee deployment $i as state is ${STATE}"
+    fi
+  done
+}
+
+main
diff --git a/.github/workflows/delete_old_cloudformation_stacks.yml b/.github/workflows/delete_old_cloudformation_stacks.yml
@@ -1,29 +1,29 @@
 name: "Delete old cloudformation stacks"
 
-# Controls when the action will run - in this case triggered manually
 on:
   workflow_dispatch:
+    inputs:
+      branch_name:
+        description: "Branch to run against, defaults to main"
+        required: false
+        default: "main"
   schedule:
     - cron: "0 0,12 * * *"
   push:
     branches: [main]
 
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow contains a single job called "combine-prs"
   delete-old-cloudformation-stacks:
-    # The type of runner that the job will run on
     runs-on: ubuntu-22.04
     permissions:
       id-token: write
       contents: read
 
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: Checkout local github scripts
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          ref: ${{ env.BRANCH_NAME }}
+          ref: ${{ github.event.inputs.branch_name || github.ref_name }}
           sparse-checkout: |
             .github/scripts
 
@@ -40,3 +40,30 @@ jobs:
         run: ./delete_stacks.sh
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  delete-old-proxygen-deployments:
+    runs-on: ubuntu-22.04
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout local code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          ref: ${{ github.event.inputs.branch_name || github.ref_name }}
+          fetch-depth: 0
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.PROXYGEN_PTL_ROLE }}
+          role-session-name: pfp-delete-old-proxygen
+
+      - name: delete proxygen deployments
+        shell: bash
+        working-directory: .github/scripts
+        run: ./delete_proxygen_deployments.sh
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
