OJ-3227 - Define issue credential infrastructure

barnabycollins · barnabycollins · commit 5b783040bc57 · 2025-07-09T17:01:36.000+01:00
diff --git a/infrastructure/public-api.yaml b/infrastructure/public-api.yaml
@@ -75,7 +75,7 @@ paths:
       x-amazon-apigateway-integration:
         httpMethod: "GET"
         credentials:
-          Fn::GetAtt: [ "JWKSBucketRole", "Arn" ]
+          Fn::GetAtt: ["JWKSBucketRole", "Arn"]
         uri:
           Fn::Sub:
             - "arn:aws:apigateway:${AWS::Region}:s3:path/govuk-one-login-hmrc-check-published-keys-${env}/jwks.json"
@@ -264,6 +264,57 @@ paths:
                 #set($context.responseOverride.header.Content-Type = "application/jwt")
                 $output.jwt
 
+  /credential/issue-test:
+    summary: Resource for the HMRC KBV API
+    description: >-
+      This API is expected to be called by the IPV core backend directly as the
+      final part of the OpenId/Oauth Flow
+    parameters:
+      - name: Authorization
+        in: header
+        required: true
+        description: "A valid access_token (e.g.: Authorization: Bearer <access-token-value>)."
+        schema:
+          type: string
+    post:
+      summary: POST request using a valid access token
+      responses:
+        "200":
+          description: 200 Ok
+          content:
+            application/jwt:
+              schema:
+                $ref: "#/components/schemas/VcResponse"
+        "400":
+          description: 400 Bad Response
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+        "500":
+          description: 500 Internal server error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+      security:
+        - api_key:
+            Fn::If:
+              - IsLocalDevEnvironment
+              - Ref: AWS::NoValue
+              - []
+      x-amazon-apigateway-request-validator: "Validate both"
+      x-amazon-apigateway-integration:
+        httpMethod: "POST"
+        uri:
+          Fn::Sub: arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${IssueCredentialFunction.Arn}:live/invocations
+        responses:
+          default:
+            statusCode: "200"
+        passthroughBehavior: "when_no_match"
+        contentHandling: "CONVERT_TO_TEXT"
+        type: "aws_proxy"
+
 components:
   schemas:
     JWKSFile:
diff --git a/infrastructure/template.yaml b/infrastructure/template.yaml
@@ -1441,6 +1441,68 @@ Resources:
       FunctionName: !Ref NinoCheckFunction.Alias
       Principal: apigateway.amazonaws.com
 
+  IssueCredentialFunction:
+    Type: AWS::Serverless::Function
+    Metadata:
+      BuildMethod: esbuild
+      BuildProperties:
+        Sourcemap: true
+    Properties:
+      DeploymentPreference:
+        Type: !Ref LambdaDeploymentPreference
+        Alarms: !If
+          - UseCanaryDeploymentAlarms
+          - [!Ref NinoCheckFunctionCanaryErrors]
+          - [!Ref AWS::NoValue]
+        Role: !GetAtt CodeDeployServiceRole.Arn
+      Handler: lambdas/issue-credential/src/handler.handler
+      LoggingConfig:
+        LogGroup: !Sub /aws/lambda/${AWS::StackName}/IssueCredentialFunction
+      CodeSigningConfigArn: !If [EnforceCodeSigning, !Ref CodeSigningConfigArn, !Ref AWS::NoValue]
+      Policies:
+        - DynamoDBReadPolicy:
+            TableName: !Sub "{{resolve:ssm:/${CommonStackName}/SessionTableName}}"
+        - DynamoDBReadPolicy:
+            TableName: !Sub "{{resolve:ssm:/${CommonStackName}/PersonIdentityTableName}}"
+        - DynamoDBReadPolicy:
+            TableName: !Ref UserAttemptsTable
+        - DynamoDBReadPolicy:
+            TableName: !Ref NinoUsersTable
+        - EventBridgePutEventsPolicy:
+            EventBusName: !Ref CheckHmrcEventBus
+      Environment:
+        Variables:
+          POWERTOOLS_SERVICE_NAME: !Sub "${CriIdentifier}-IssueCredentialFunction"
+          SESSION_TABLE: !Sub "{{resolve:ssm:/${CommonStackName}/SessionTableName}}"
+          PERSON_IDENTITY_TABLE: !Sub "{{resolve:ssm:/${CommonStackName}/PersonIdentityTableName}}"
+          ATTEMPT_TABLE: !Ref UserAttemptsTable
+          NINO_USER_TABLE: !Ref NinoUsersTable
+          AUDIT_EVENT_BUS: !Ref CheckHmrcEventBus
+          AUDIT_SOURCE: !FindInMap [EnvironmentConfiguration, !Ref Environment, DOMAINNAME]
+          AUDIT_ISSUER: !Sub "{{resolve:ssm:/${CommonStackName}/verifiable-credential/issuer}}"
+          LOG_FULL_ERRORS: !If [IsProdEnvironment, "false", "true"]
+
+  IssueCredentialFunctionLogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName: !Sub /aws/lambda/${AWS::StackName}/IssueCredentialFunction
+      RetentionInDays: 30
+
+  IssueCredentialFunctionLogsSubscriptionFilterCSLS:
+    Type: AWS::Logs::SubscriptionFilter
+    Condition: IsNotDevLikeEnvironment
+    Properties:
+      DestinationArn: !FindInMap [PlatformConfiguration, !Ref Environment, CSLSEGRESS]
+      FilterPattern: ""
+      LogGroupName: !Ref IssueCredentialFunctionLogGroup
+
+  IssueCredentialFunctionPermission:
+    Type: AWS::Lambda::Permission
+    Properties:
+      Action: lambda:InvokeFunction
+      FunctionName: !Ref IssueCredentialFunction.Alias
+      Principal: apigateway.amazonaws.com
+
   NinoCheckStateMachine:
     Type: AWS::Serverless::StateMachine
     Properties:
