LIME-1864 BE skeleton by SarahHillGDS · Pull Request #1 · govuk-one-login/ipv-cri-ob-api

SarahHillGDS · 2026-03-04T11:09:16Z

Proposed changes

What changed

Added basic project structure and configuration files
Set up initial TypeScript/Lambda function scaffolding
Created placeholder files for:
quality-gate.manifest.json
acceptance-tests/Dockerfile
Added minimal implementation to establish architecture
Added check PR github action, sonar and dependabot configuration

Why did it change

Establishing foundational structure for Open Banking API

Issue tracking

LIME-1864

Other considerations

This is skeleton/scaffolding work - full implementation to follow
No functional changes yet, tests are placeholders
README updated with setup instructions
parameters added to dev will need to be added to all accounts as part of the deployment plan
/common-cri-parameters/CriIdentifier
/common-cri-parameters/AuditEventNamePrefix

JessWinterborne

Looking really good :)

JessWinterborne · 2026-03-09T10:31:41Z

One more thing - I agree with not adding all the GHAs since thats for another future ticket - but having check PR could be worth including here.

JessWinterborne

LGTM - might be worth getting another tick though

gds-jbentham · 2026-03-12T14:52:37Z

+          path: coverage/
+      - name: Run SonarCloud Analysis
+        if: ${{ github.actor != 'dependabot[bot]' }}
+        uses: SonarSource/sonarcloud-github-action@master


Could be picked up when we do github actions but there is a shared action for sonar we could reuse

I've explicitly added this to the scope of the actions ticket https://govukverify.atlassian.net/browse/LIME-2030

gds-jbentham · 2026-03-12T15:22:49Z

+  version: "0.1"
+  title: "Open Banking Credential Issuer Private API"
+paths:
+  /basic-function:


Can we add things we know will exist session and authorization

@DavidIndiongcoGDS has added this as part of LIME-1867

gds-jbentham · 2026-03-12T15:23:20Z

+  version: "0.1"
+  title: "Open Banking Credential Issuer Public API"
+paths:
+  /health:


Can we add things we know will exist token credential issue and jwks

same as above

gds-jbentham · 2026-03-12T15:36:49Z

+
+Globals:
+  Function:
+    CodeSigningConfigArn: !If


I think were missing the global timeout here for lambdas

Setting to 40 seconds until we know more about response times

gds-jbentham · 2026-03-12T15:42:09Z

+        - ProvisionedConcurrentExecutions: !FindInMap [ ProvisionedConcurrency, Environment, !Ref 'Environment' ]
+        - !Ref AWS::NoValue
+    Metadata:
+      BuildMethod: makefile


Should this be esbuild rather than makefile?

vite is doing the building so the makefile was a convenient way to handle that from the template

we could remove vite and rely only on esbuild but as that's what the FE is using we aligned them, given we've got a working stable vite build config it's probably not worth the additional churn to remove it

gds-jbentham · 2026-03-12T15:43:29Z

+  PublicAPIUsagePlan:
+    Type: AWS::ApiGateway::UsagePlan
+    Condition: IsDeployedFromPipeline
+#    DependsOn:


These are needed otherwise assets get created out of order but stage is created alongside the api

gds-jbentham · 2026-03-12T15:45:02Z

+  #                                                                  #
+  # Parameters                                                       #
+  #                                                                  #
+  ####################################################################


Under parameters one we know we will need will be VerifiableCredentialKmsSigningKeyParameter

gds-jbentham · 2026-03-12T15:49:14Z

@@ -0,0 +1,15 @@
+import type { APIGatewayProxyEvent, Context } from 'aws-lambda'


Do we have a basic infra test? Should be able to lift this from the work @ChrisBates1 has done

Raised this with Chris last sprint, his preference is to handle this in a separate ticket

gds-jbentham · 2026-03-12T15:56:33Z

@@ -0,0 +1 @@
+{}


Is there nothing that could be populated here based on what we have?

gds-jbentham · 2026-03-12T16:02:13Z

+    minify: false,
+    outDir: 'dist',
+    rollupOptions: {
+      external: [/^@aws-sdk\/.*/, /^node:.*/, /^@aws-lambda-powertools\/.*/], //dependencies that should not be bundled


Can we add a little detail on why these shouldnt be bundled. Best assuming people coming after us may not know as much about vite. Or we might need to change or add to this in future so context is important

they are excluded because they're already available in the lambda runtime

node also throws up some issues as some of it is installed OS specific

nlsteers · 2026-03-12T16:24:01Z

@@ -0,0 +1,5 @@
+build-BasicFunction:


when we add more functions we could dry this up a bit like so:

.PHONY: bundle bundle: npm ci npm run build build-BasicFunction: bundle cp -r dist/* $(ARTIFACTS_DIR)/ build-AnotherFunction: bundle cp -r dist/* $(ARTIFACTS_DIR)/

we're still running npm ci for each function build though so we might want to look into externalising that bit somehow

- add example metrics - add example logging - remove vite config - remove makefile - enable experimental decorators in tsconfig - update deploy template to use `esbuild` build method - align GHA with FE

sonarqubecloud · 2026-03-16T16:40:36Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

SarahHillGDS requested a review from a team as a code owner March 4, 2026 11:09

SarahHillGDS force-pushed the LIME-1864 branch from cf29862 to 2751654 Compare March 5, 2026 11:28