Electronic Prescriptions Service Get Secrets

This repository hosts the Lambda layer responsible for securely managing and processing secrets used across various EPS-related applications.
It is called by an Apigee proxy that is defined at https://github.com/NHSDigital/prescriptions-for-patients

Functionality

This repository is designed to create a Lambda layer that can be invoked during Lambda startup. Its primary purpose is to inject secret values into environment variables. Specifically, it should be used by any Lambda that utilizes the spineClient or serviceSearchClient, to set connectivity variables.

Usage

To integrate this Lambda layer into your SAM template, add the following configuration to the Properties section of the AWS::Serverless::Function definition:

Environment:
    Variables:
        AWS_LAMBDA_EXEC_WRAPPER: /opt/get-secrets-layer
Layers:
    - !Ref GetSecretsLayer

The src folder contains

• a go program that retrieves a secret from an ARN and outputs the value
• a shell script that calls the compiled go program and sets environment variables to the values of the secrets

The code is modified from the article at https://aws.amazon.com/blogs/compute/creating-aws-lambda-environmental-variables-from-aws-secrets-manager/

Project Structure

• .devcontainer Contains a dockerfile and vscode devcontainer definition
• .github Contains github workflows that are used for building and deploying from pull requests and releases

Contributing

Contributions to this project are welcome from anyone, providing that they conform to the guidelines for contribution and the community code of conduct.

Licensing

This code is dual licensed under the MIT license and the OGL (Open Government License). Any new work added to this repository must conform to the conditions of these licenses. In particular this means that this project may not depend on GPL-licensed or AGPL-licensed libraries, as these would violate the terms of those libraries' licenses.

The contents of this repository are protected by Crown Copyright (C).

Development

It is recommended that you use visual studio code and a devcontainer as this will install all necessary components and correct versions of tools and languages.
See https://code.visualstudio.com/docs/devcontainers/containers for details on how to set this up on your host machine.
There is also a workspace file in .vscode that should be opened once you have started the devcontainer. The workspace file can also be opened outside of a devcontainer if you wish.

All commits must be made using signed commits

Once the steps at the link above have been completed. Add to your ~/.gnupg/gpg.conf as below:

use-agent
pinentry-mode loopback

and to your ~/.gnupg/gpg-agent.conf as below:

allow-loopback-pinentry

As described here: https://stackoverflow.com/a/59170001

You will need to create the files, if they do not already exist. This will ensure that your VSCode bash terminal prompts you for your GPG key password.

You can cache the gpg key passphrase by following instructions at https://superuser.com/questions/624343/keep-gnupg-credentials-cached-for-entire-user-session

CI Setup

The GitHub Actions require a secret to exist on the repo called "SONAR_TOKEN". This can be obtained from SonarCloud as described here. You will need the "Execute Analysis" permission for the project (NHSDigital_electronic-prescription-service-get-secrets) in order for the token to work.

Pre-commit hooks

Some pre-commit hooks are installed as part of the install above, to run basic lint checks and ensure you can't accidentally commit invalid changes. The pre-commit hook uses python package pre-commit and is configured in the file .pre-commit-config.yaml. A combination of these checks are also run in CI.

Make commands

There are make commands that are run as part of the CI pipeline and help alias some functionality during development.

Install targets

• install-python installs python dependencies
• install-hooks installs git pre commit hooks
• install runs all install targets

Clean and deep-clean targets

• clean clears up any files that have been generated by building or testing locally.
• deep-clean runs clean target and also removes any node_modules and python libraries installed locally.

Linting and testing

• lint runs lint for all code
• lint-go runs lint for go code

Compiling

• compile compiles all code
• compile-go runs build.sh to compile go code

Check licenses

• check-licenses checks licenses for all packages used - calls check-licenses-python, check-licenses-go
• check-licenses-python checks licenses for all python code
• check-licenses-go checks licenses for all go code

CLI Login to AWS

• aws-configure configures a connection to AWS
• aws-login reconnects to AWS from a previously configured connection

GitHub folder

This .github folder contains workflows and templates related to github

• pull_request_template.yml: Template for pull requests.
• dependabot.yml: Dependabot definition file

Workflows are in the .github/workflows folder

• build.yml: Runs check-licenses, lint, test and sonarcloud scan against the repo. Called from pull_request.yml and release.yml
• combine-dependabot-prs.yml: Workflow for combining dependabot pull requests. Runs on demand
• pr-link.yaml: This workflow template links Pull Requests to Jira tickets and runs when a pull request is opened.
• pull_request.yml: Called when pull request is opened or updated. Calls sam_package_code and sam_release_code to build and deploy the code. Deploys to dev AWS account. The main and sandbox stacks deployed have PR-<PULL_REQUEST_ID> in the name
• release.yml: Run when code is merged to main branch or a tag starting v is pushed. Calls sam_package_code and sam_release_code to build and deploy the code.
• dependabot_auto_approve_and_merge.yml: Workflow to auto merge dependabot updates