[AEA-3537] Cloudformation Resources Refactor (#173)

## Summary Stage 1 of CF resource refactor: - Updates ci and account resources files to final desired state - Adds ci resources 1&2 per env for deploying intermediary states - Adds resources_to_import for the import into account_resources step - Routine Change - ❗ Breaking Change - 🤖 Operational or Infrastructure Change - ✨ New Feature - ⚠️ Potential issues that might be caused by this change ### Details Add any summary information of what is in the change. **Remove this line if you have nothing to add.** ## Reviews Required **Check who should review this. Remove this line once this has been done** - [x] Dev - [ ] Test - [ ] Tech Author - [ ] Product Owner ## Review Checklist ℹ️ This section is to be filled in by the **reviewer**. - [ ] I have reviewed the changes in this PR and they fill all or part of the acceptance criteria of the ticket, and the code is in a mergeable state. - [ ] If there were infrastructure, operational, or build changes, I have made sure there is sufficient evidence that the changes will work. - [ ] I have ensured the jira ticket has been updated with the github pull request link --------- Co-authored-by: anthony-nhs <[email protected]>
NHSDigital · Oct 13, 2023 · aec87fd · aec87fd
1 parent 07db13f
commit aec87fd
Show file tree

Hide file tree

Showing 25 changed files with 8,772 additions and 603 deletions.
diff --git a/.github/workflows/sam_release_code.yml b/.github/workflows/sam_release_code.yml
@@ -70,7 +70,7 @@ jobs:
         run: |
           echo ${{ inputs.COMMIT_ID }}
           export artifact_bucket=$(aws cloudformation list-exports --output json | \
-            jq -r '.Exports[] | select(.Name == "ci-resources:ArtifactsBucket") | .Value' |grep -o '[^:]*$')
+            jq -r '.Exports[] | select(.Name == "account-resources:ArtifactsBucket") | .Value' |grep -o '[^:]*$')
           export artifact_bucket_prefix=${{ inputs.ARTIFACT_BUCKET_PREFIX }}
           export template_file=template.yaml
           export stack_name=${{ inputs.STACK_NAME }}
@@ -82,7 +82,7 @@ jobs:
           export cloud_formation_execution_role=$(aws cloudformation list-exports --output json | \
               jq -r '.Exports[] | select(.Name == "ci-resources:CloudFormationExecutionRole") | .Value' )
           TRUSTSTORE_BUCKET_ARN=$(aws cloudformation describe-stacks \
-              --stack-name ci-resources \
+              --stack-name account-resources \
               --query 'Stacks[0].Outputs[?OutputKey==`TrustStoreBucket`].OutputValue' --output text)
           TRUSTSTORE_BUCKET_NAME=$(echo ${TRUSTSTORE_BUCKET_ARN} | cut -d ":" -f 6)
           export LATEST_TRUSTSTORE_VERSION=$(aws s3api list-object-versions \

diff --git a/SAMtemplates/lambda_resources.yaml b/SAMtemplates/lambda_resources.yaml
@@ -118,7 +118,7 @@ Resources:
             Action:
               - kms:Decrypt
             Resource:
-              - !ImportValue ci-resources:SecretsKMSKey
+              - !ImportValue account-resources:SecretsKMSKey
       Roles:
         - !Ref LambdaRole
   LambdaSecretsPolicy:
@@ -133,11 +133,11 @@ Resources:
             Action:
               - secretsmanager:GetSecretValue
             Resource:
-              - !ImportValue ci-resources:SpinePrivateKey
-              - !ImportValue ci-resources:SpinePublicCertificate
-              - !ImportValue ci-resources:SpineASID
-              - !ImportValue ci-resources:SpinePartyKey
-              - !ImportValue ci-resources:SpineCAChain
+              - !ImportValue account-resources:SpinePrivateKey
+              - !ImportValue account-resources:SpinePublicCertificate
+              - !ImportValue account-resources:SpineASID
+              - !ImportValue account-resources:SpinePartyKey
+              - !ImportValue account-resources:SpineCAChain
       Roles:
         - !Ref LambdaRole
   LambdaLogGroup:

diff --git a/SAMtemplates/main_template.yaml b/SAMtemplates/main_template.yaml
@@ -15,11 +15,11 @@ Globals:
       Variables:
         TargetSpineServer: !Ref TargetSpineServer
         NODE_OPTIONS: --enable-source-maps
-        SpinePrivateKeyARN: !ImportValue ci-resources:SpinePrivateKey
-        SpinePublicCertificateARN: !ImportValue ci-resources:SpinePublicCertificate
-        SpineASIDARN: !ImportValue ci-resources:SpineASID
-        SpinePartyKeyARN: !ImportValue ci-resources:SpinePartyKey
-        SpineCAChainARN: !ImportValue ci-resources:SpineCAChain
+        SpinePrivateKeyARN: !ImportValue account-resources:SpinePrivateKey
+        SpinePublicCertificateARN: !ImportValue account-resources:SpinePublicCertificate
+        SpineASIDARN: !ImportValue account-resources:SpineASID
+        SpinePartyKeyARN: !ImportValue account-resources:SpinePartyKey
+        SpineCAChainARN: !ImportValue account-resources:SpineCAChain
 
 Parameters:
   TargetSpineServer:
@@ -283,7 +283,7 @@ Resources:
                         5,
                         !Split [
                           ":",
-                          Fn::ImportValue: ci-resources:TrustStoreBucket,
+                          Fn::ImportValue: account-resources:TrustStoreBucket,
                         ],
                       ]
                     - "truststore.pem"

diff --git a/SAMtemplates/sandbox_template.yaml b/SAMtemplates/sandbox_template.yaml
@@ -254,7 +254,7 @@ Resources:
                         5,
                         !Split [
                           ":",
-                          Fn::ImportValue: ci-resources:TrustStoreBucket,
+                          Fn::ImportValue: account-resources:TrustStoreBucket,
                         ],
                       ]
                     - "sandbox-truststore.pem"

diff --git a/SAMtemplates/splunk_firehose_resources.yaml b/SAMtemplates/splunk_firehose_resources.yaml
@@ -164,12 +164,12 @@ Resources:
                 - ParameterName: RoleArn
                   ParameterValue: !GetAtt SplunkDeliveryStreamProcessorInvokeRole.Arn
         S3Configuration:
-          BucketARN: !ImportValue ci-resources:SplunkDeliveryStreamBackupBucket
-          RoleARN: !ImportValue ci-resources:SplunkDeliveryStreamBackupBucketRoleArn
+          BucketARN: !ImportValue account-resources:SplunkDeliveryStreamBackupBucket
+          RoleARN: !ImportValue account-resources:SplunkDeliveryStreamBackupBucketRoleArn
           Prefix: !Ref "AWS::StackName"
           EncryptionConfiguration:
             KMSEncryptionConfig:
-              AWSKMSKeyARN: !ImportValue ci-resources:SplunkDeliveryStreamBackupKMSKey
+              AWSKMSKeyARN: !ImportValue account-resources:SplunkDeliveryStreamBackupKMSKey
         CloudWatchLoggingOptions:
           Enabled: true
           LogGroupName: !Ref SplunkDeliveryStreamLogGroup
@@ -200,7 +200,7 @@ Resources:
               - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${SplunkDeliveryStreamLogGroup}"
               - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${SplunkDeliveryStreamLogGroup}:log-stream:*"
       Roles:
-        - !ImportValue ci-resources:SplunkDeliveryStreamBackupBucketRole
+        - !ImportValue account-resources:SplunkDeliveryStreamBackupBucketRole
   SplunkDeliveryStreamKMSPolicy:
     Type: "AWS::IAM::Policy"
     Properties:
@@ -217,7 +217,7 @@ Resources:
             Resource:
               - !GetAtt CloudWatchKMSKey.Arn
       Roles:
-        - !ImportValue ci-resources:SplunkDeliveryStreamBackupBucketRole
+        - !ImportValue account-resources:SplunkDeliveryStreamBackupBucketRole
 
   # Stream processor, roles,  policies and log groups
   SplunkDeliveryStreamProcessor: