OJ-3625: Add OAuthCommon but not use yet

We need to add OAuthCommon and the suppport OAuthCommon SSM parameters to ready us migrating from common-lambdas.

This will ensure the tables exist, and the table names and CMK ID can be retrieved by common-lambdas so we can then enable the stream.

Note: The SSM parameters have hardcoded paths so they can only be deployed once per account, hence the IsNotLocalDevEnvironment condition.

Author: mikebeeby

.github/workflows/deploy-branch.yml

@@ -19,18 +19,18 @@ jobs:
     outputs:
       cache-key: ${{ steps.build.outputs.cache-key }}
       cache-restore-keys: ${{ steps.build.outputs.cache-restore-keys }}
+    environment:
+      name: development
     steps:
-      - name: Install latest SAM
-        uses: aws-actions/setup-sam@d78e1a4a9656d3b223e59b80676a797f20093133
-
       - name: Build SAM application
-        uses: govuk-one-login/github-actions/sam/build-application@e6b6ed890b35904e1be79f7f35ffec983fa4d9db
+        uses: govuk-one-login/github-actions/sam/build-application@4c76410195b5fcb1804fc7c183ed20704252830f
         id: build
         with:
           template: infrastructure/template.yaml
           cache-name: check-hmrc-api
           pull-repository: true
           source-dir: lambdas
+          aws-role-arn: ${{ vars.DEPLOYMENT_ROLE_ARN }}
 
   deploy:
     name: Deploy stack
@@ -50,7 +50,7 @@ jobs:
       stack-name: ${{ steps.deploy.outputs.stack-name }}
     steps:
       - name: Deploy stack
-        uses: govuk-one-login/github-actions/sam/deploy-stack@e6b6ed890b35904e1be79f7f35ffec983fa4d9db
+        uses: govuk-one-login/github-actions/sam/deploy-stack@4c76410195b5fcb1804fc7c183ed20704252830f
         id: deploy
         with:
           sam-deployment-bucket: ${{ vars.DEPLOYMENT_ARTIFACTS_BUCKET }}

deploy.sh

@@ -23,7 +23,7 @@ sam deploy --stack-name "$stack_name" \
   --resolve-s3 \
   --s3-prefix "$stack_name" \
   --region "${AWS_REGION:-eu-west-2}" \
-  --capabilities CAPABILITY_IAM \
+  --capabilities CAPABILITY_IAM CAPABILITY_AUTO_EXPAND \
   --tags \
   cri:component=ipv-cri-check-hmrc-api \
   cri:stack-type=localdev \

infrastructure/template.yaml

@@ -50,6 +50,8 @@ Conditions:
   UsePermissionsBoundary: !Not [!Equals [!Ref PermissionsBoundary, ""]]
   IsDevEnvironment: !Equals [!Ref Environment, dev]
   IsLocalDevEnvironment: !Equals [!Ref Environment, localdev]
+  IsNotLocalDevEnvironment: !Not
+   - !Condition IsLocalDevEnvironment
   IsIntEnvironment: !Equals [!Ref Environment, integration]
   IsProdEnvironment: !Equals [!Ref Environment, production]
   IsDevLikeEnvironment: !Or [!Condition IsLocalDevEnvironment, !Condition IsDevEnvironment]
@@ -128,21 +130,33 @@ Mappings:
   EnvironmentConfiguration:
     localdev:
       DOMAINNAME: review-hc.localdev.account.gov.uk
+      VcDomain: review-hc.dev.account.gov.uk
+      ServiceDomain: review-hc.localdev.account.gov.uk
       HealthcheckSSMClientId: ipv-core-stub-aws-prod
     dev:
       DOMAINNAME: review-hc.dev.account.gov.uk
+      VcDomain: review-hc.dev.account.gov.uk
+      ServiceDomain: review-hc.dev.account.gov.uk
       HealthcheckSSMClientId: ipv-core-stub-aws-prod
     build:
       DOMAINNAME: review-hc.build.account.gov.uk
+      VcDomain: review-hc.build.account.gov.uk
+      ServiceDomain: review-hc.build.account.gov.uk
       HealthcheckSSMClientId: ipv-core-stub-aws-prod
     staging:
       DOMAINNAME: review-hc.staging.account.gov.uk
+      VcDomain: review-hc.staging.account.gov.uk
+      ServiceDomain: review-hc.staging.account.gov.uk
       HealthcheckSSMClientId: ipv-core-stub-aws-prod
     integration:
       DOMAINNAME: review-hc.integration.account.gov.uk
+      VcDomain: review-hc.integration.account.gov.uk
+      ServiceDomain: review-hc.integration.account.gov.uk
       HealthcheckSSMClientId: ipv-core
     production:
       DOMAINNAME: review-hc.production.account.gov.uk
+      VcDomain: review-hc.production.account.gov.uk
+      ServiceDomain: review-hc.production.account.gov.uk
       HealthcheckSSMClientId: ipv-core
 
 Globals:
@@ -192,6 +206,31 @@ Globals:
       - !Ref AWS::NoValue
 
 Resources:
+  OAuth:
+    Type: AWS::Serverless::Application
+    Properties:
+      Location:
+        ApplicationId: arn:aws:serverlessrepo:eu-west-2:667736788427:applications/di-ipv-cri-oauth-common
+        SemanticVersion: 0.4.0
+      Parameters:
+        AuditEventNamePrefix: IPV_HMRC_RECORD_CHECK_CRI
+        CriIdentifier: di-ipv-cri-check-hmrc-api
+        CriAudience: !Sub
+          - "https://${domain}"
+          - domain: !FindInMap [EnvironmentConfiguration, !Ref Environment, VcDomain]
+        CriVcIssuer: !Sub
+          - "https://${domain}"
+          - domain: !FindInMap [EnvironmentConfiguration, !Ref Environment, VcDomain]
+        CriPrivateApiGwName: !Sub ${AWS::StackName}-private
+        CriPublicApiGwName: !Sub ${AWS::StackName}-public
+        Environment: !If
+          - IsLocalDevEnvironment
+          - dev
+          - !Ref Environment
+        IPVCoreRedirectURI: https://identity.staging.account.gov.uk/credential-issuer/callback?id=nino
+        IPVCoreStubJwksEndpoint: https://test-resources.review-hc.dev.account.gov.uk/.well-known/jwks.json
+        LambdaVpcConfiguration: di-devplatform-deploy
+
   JWKSBucketRole:
     Type: "AWS::IAM::Role"
     Properties:
@@ -1535,6 +1574,33 @@ Resources:
       Value: !Ref CommonStackName
       Description: The stack currently used for OAuth (common-lambdas or oauth-common). Only required for test-resources.
 
+  OAuthSessionTableName:
+    Type: AWS::SSM::Parameter
+    Condition: IsNotLocalDevEnvironment
+    Properties:
+      Name: !Sub "/common-cri/oauth-common/OAuthSessionTableName"
+      Value: !GetAtt OAuth.Outputs.DbSessionTableName
+      Type: String
+      Description: The OAuthSessionTableName for configuring the DynamoDB Stream table from common-lambdas
+
+  OAuthPersonIdentityTableName:
+    Type: AWS::SSM::Parameter
+    Condition: IsNotLocalDevEnvironment
+    Properties:
+      Name: !Sub "/common-cri/oauth-common/OAuthPersonIdentityTableName"
+      Value: !GetAtt OAuth.Outputs.DbPersonIdentityTableName
+      Type: String
+      Description: The OAuthPersonIdentityTableName for configuring the DynamoDB Stream table from common-lambdas
+
+  OAuthCustomerManagedKeyId:
+    Type: AWS::SSM::Parameter
+    Condition: IsNotLocalDevEnvironment
+    Properties:
+      Name: !Sub "/common-cri/oauth-common/OAuthCustomerManagedKeyId"
+      Value: !GetAtt OAuth.Outputs.DbCustomerManagedKeyID
+      Type: String
+      Description: The OAuthCustomerManagedKeyId for configuring the DynamoDB Stream table from common-lambdas
+
 
 ##################################################################
 #                                                                  #