Chore: [AEA-6520] - Adopt CDK deployment

.github/workflows/cdk_release_code.yml

@@ -39,15 +39,6 @@ on:
       LOG_RETENTION_DAYS:
         required: true
         type: string
-      CREATE_INT_RELEASE_NOTES:
-        type: boolean
-        default: false
-      CREATE_INT_RC_RELEASE_NOTES:
-        type: boolean
-        default: false
-      CREATE_PROD_RELEASE_NOTES:
-        type: boolean
-        default: false
       MARK_JIRA_RELEASED:
         type: boolean
         default: false

.github/workflows/ci.yml

@@ -50,7 +50,7 @@ jobs:
 
   package_code:
     needs: [tag_release, get_config_values]
-    uses: ./.github/workflows/sam_package_code.yml
+    uses: ./.github/workflows/cdk_package_code.yml
     with:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
     permissions:
@@ -60,25 +60,22 @@ jobs:
 
   release_dev:
     needs: [tag_release, package_code, get_commit_id, get_config_values]
-    uses: ./.github/workflows/sam_release_code.yml
+    uses: ./.github/workflows/cdk_release_code.yml
     permissions:
       contents: write
       id-token: write
     with:
-      ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
-      STACK_NAME: pfp
+      STACK_NAME: pfp-api
       TARGET_ENVIRONMENT: dev
       APIGEE_ENVIRONMENT: internal-dev
       ENABLE_MUTUAL_TLS: true
       MTLS_KEY: prescriptions-for-patients-mtls-1
-      BUILD_ARTIFACT: packaged_code
+      BUILD_ARTIFACT: build_artifact
       TRUSTSTORE_FILE: pfp-truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
       LOG_LEVEL: DEBUG
       LOG_RETENTION_DAYS: 30
-      CREATE_INT_RELEASE_NOTES: true
-      CREATE_PROD_RELEASE_NOTES: true
       TOGGLE_GET_STATUS_UPDATES: true
       ENABLE_ALERTS: true
       STATE_MACHINE_LOG_LEVEL: ALL
@@ -98,21 +95,22 @@ jobs:
       PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
       DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }}
       PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}
+      APIM_STATUS_API_KEY: ${{ secrets.APIM_STATUS_API_KEY }}
 
   release_dev_sandbox:
     needs: [tag_release, package_code, get_commit_id, get_config_values]
-    uses: ./.github/workflows/sam_release_code.yml
+    uses: ./.github/workflows/cdk_release_code.yml
     permissions:
       contents: write
       id-token: write
     with:
-      ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
-      STACK_NAME: pfp-sandbox
+      STACK_NAME: pfp-api-sandbox
+      CDK_APP_NAME: PfPApiSandboxApp
       TARGET_ENVIRONMENT: dev
       APIGEE_ENVIRONMENT: internal-dev-sandbox
       ENABLE_MUTUAL_TLS: true
       MTLS_KEY: prescriptions-for-patients-mtls-1
-      BUILD_ARTIFACT: packaged_sandbox_code
+      BUILD_ARTIFACT: build_artifact
       TRUSTSTORE_FILE: pfp-sandbox-truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
@@ -129,6 +127,7 @@ jobs:
       TARGET_SPINE_SERVER: sandbox
       TARGET_SERVICE_SEARCH_SERVER: sandbox
       PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}
+      APIM_STATUS_API_KEY: ${{ secrets.APIM_STATUS_API_KEY }}
 
   release_qa:
     needs:
@@ -140,18 +139,17 @@ jobs:
         package_code,
         get_commit_id,
       ]
-    uses: ./.github/workflows/sam_release_code.yml
+    uses: ./.github/workflows/cdk_release_code.yml
     permissions:
       contents: write
       id-token: write
     with:
-      ARTIFACT_BUCKET_PREFIX: ${{needs.tag_release.outputs.version_tag}}
-      STACK_NAME: pfp
+      STACK_NAME: pfp-api
       TARGET_ENVIRONMENT: qa
       APIGEE_ENVIRONMENT: internal-qa
       ENABLE_MUTUAL_TLS: true
       MTLS_KEY: prescriptions-for-patients-mtls-1
-      BUILD_ARTIFACT: packaged_code
+      BUILD_ARTIFACT: build_artifact
       TRUSTSTORE_FILE: pfp-truststore.pem
       VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
       COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
@@ -172,3 +170,4 @@ jobs:
       TARGET_SPINE_SERVER: ${{ secrets.QA_TARGET_SPINE_SERVER }}
       TARGET_SERVICE_SEARCH_SERVER: ${{ secrets.QA_TARGET_SERVICE_SEARCH_SERVER }}
       PROXYGEN_ROLE: ${{ secrets.PROXYGEN_PTL_ROLE }}
+      APIM_STATUS_API_KEY: ${{ secrets.APIM_STATUS_API_KEY }}

.github/workflows/delete_old_cloudformation_stacks.yml

@@ -1,72 +1,88 @@
-name: "Delete old cloudformation stacks"
+name: "Delete old pull request deployments"
 
 on:
   workflow_dispatch:
-    inputs:
-      branch_name:
-        description: "Branch to run against, defaults to main"
-        required: false
-        default: "main"
   schedule:
     - cron: "0 0,12 * * *"
-  push:
-    branches: [main]
-permissions: {}
 
+permissions: {}
 jobs:
+  get_config_values:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@889349f9d93e4846a642f7973b7c26b180bec5aa
+    with:
+      verify_published_from_main_image: false
+    permissions:
+      attestations: read
+      contents: read
+      packages: read
   delete-old-cloudformation-stacks:
+    needs: [get_config_values]
     runs-on: ubuntu-22.04
-    permissions:
+    container:
+      image: ${{ needs.get_config_values.outputs.pinned_image }}
+      options: --user 1001:1001 --group-add 128
+    defaults:
+      run:
+        shell: bash
+    permissions: &common_permissions
       id-token: write
       contents: read
+      packages: read
 
     steps:
-      - name: Checkout local github scripts
+      - name: copy .tool-versions
+        run: |
+          cp /home/vscode/.tool-versions "$HOME/.tool-versions"
+      - &checkout
+        name: Checkout local github scripts
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
-          ref: ${{ github.event.inputs.branch_name || github.ref_name }}
+          fetch-depth: 0
           persist-credentials: false
-          sparse-checkout: |
-            .github/scripts
+      - &install_dependencies
+        name: install dependencies
+        uses: ./.github/actions/install_dependencies
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
-          role-session-name: aws-pfp-delete-old-stacks
 
       - name: delete stacks
         shell: bash
-        working-directory: .github/scripts
-        run: ./delete_stacks.sh
+        run: npm run delete-old-pr-stacks --workspace packages/cdk
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   delete-old-proxygen-deployments:
+    needs: [get_config_values]
     runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
-      contents: read
+    container:
+      image: ${{ needs.get_config_values.outputs.pinned_image }}
+      options: --user 1001:1001 --group-add 128
+    defaults:
+      run:
+        shell: bash
+    permissions: *common_permissions
 
     steps:
-      - name: Checkout local code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          ref: ${{ github.event.inputs.branch_name || github.ref_name }}
-          persist-credentials: false
-          fetch-depth: 0
+      - name: copy .tool-versions
+        run: |
+          cp /home/vscode/.tool-versions "$HOME/.tool-versions"
+      - *checkout
+      - *install_dependencies
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.PROXYGEN_PTL_ROLE }}
-          role-session-name: pfp-delete-old-proxygen
 
       - name: delete proxygen deployments
         shell: bash
-        working-directory: .github/scripts
-        run: ./delete_proxygen_deployments.sh
+        run: npm run delete-old-pr-deployments --workspace packages/specification
         env:
-          GITHUB_TOKEN: ${{ github.token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}