From cbd9a3b038f80257179464aa4ecb12d3a0e0eed0 Mon Sep 17 00:00:00 2001 From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 11:23:33 +0000 Subject: [PATCH 01/15] [GPCAPIM-278]: Use template to populate PR-specifc details during preview-env build. --- .github/workflows/preview-env.yml | 12 ++ gateway-api/openapi.template.yaml | 175 ++++++++++++++++++++++++++++++ 2 files changed, 187 insertions(+) create mode 100644 gateway-api/openapi.template.yaml diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index 4c6f1151..cc3c3a6b 100644 --- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml @@ -155,6 +155,18 @@ jobs: ECS_CLUSTER=$(jq -r '.ecs_cluster_name.value' tf-output.json) echo "ecs_cluster=$ECS_CLUSTER" >> $GITHUB_OUTPUT + - name: Install yq for YAML template processing + run: | + sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 + sudo chmod +x /usr/local/bin/yq + + - name: Inject secrets into openapi.yaml for deploying proxy + working-directory: gateway-api + run: | + cp openapi.template.yaml openapi.yaml + + yq eval '.x-nhsd-apim.target.url = ${{ steps.tf-output.output.preview_url }} | .x-nhsd-apim.target.security.secret = ${{ secrets.MTLS_SECRET_KEY }}' -i openapi.yaml + # ---------- Ensure re-deployment (PR updated) ---------- - name: Force ECS service redeployment if: github.event.action == 'synchronize' diff --git a/gateway-api/openapi.template.yaml b/gateway-api/openapi.template.yaml new file mode 100644 index 00000000..7aca7a81 --- /dev/null +++ b/gateway-api/openapi.template.yaml 
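Review bot: The `Install yq` step downloads a binary from `releases/latest` and installs it with `sudo` into `/usr/local/bin` without pinning a version or checking a digest, so whatever is published upstream at run time executes in a job that also handles `MTLS_SECRET_KEY`. Pin a release tag and verify the download before the `chmod`, e.g. `wget -qO /tmp/yq https://github.com/mikefarah/yq/releases/download/<PINNED_TAG>/yq_linux_amd64` followed by `echo "<EXPECTED_SHA256>  /tmp/yq" | sha256sum -c -` (both placeholders to be filled in from the chosen release). The same applies to `pip install proxygen-cli` in 04/15, which should name an exact version (`pip install "proxygen-cli==<PINNED_VERSION>"`), since that tool is later given the proxygen private key. The SHA-pinned `aws-actions/aws-secretsmanager-get-secrets` reference in 05/15 already follows this practice.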
@@ -0,0 +1,175 @@ +openapi: 3.0.3 +info: + title: Gateway API + description: Clinical Data Gateway API + version: 0.1.0 + contact: + name: API Support +servers: + - url: http://localhost:5000 + description: Local development server +paths: + /patient/$gpc.getstructuredrecord: + post: + summary: Get structured record + description: Returns a FHIR Bundle containing patient structured record + operationId: getStructuredRecord + parameters: + - in: header + name: Content-Type + schema: + type: string + enum: [application/fhir+json] + required: true + requestBody: + required: true + content: + application/fhir+json: + schema: + type: object + properties: + resourceType: + type: string + example: "Parameters" + parameter: + type: array + items: + type: object + properties: + name: + type: string + example: "patientNHSNumber" + valueIdentifier: + type: object + properties: + system: + type: string + example: "https://fhir.nhs.uk/Id/nhs-number" + value: + type: string + example: "9999999999" + responses: + '200': + description: Successful response + parameters: + - in: header + name: Content-Type + schema: + type: string + enum: [application/fhir+json] + required: true + content: + application/fhir+json: + schema: + type: object + properties: + statusCode: + type: integer + description: Status code of the interaction + example: 200 + headers: + type: object + properties: + Content-Type: + type: string + example: "application/fhir+json" + body: + type: object + description: FHIR Bundle containing patient data + properties: + resourceType: + type: string + example: "Bundle" + id: + type: string + example: "example-patient-bundle" + type: + type: string + example: "collection" + timestamp: + type: string + format: date-time + example: "2026-01-12T10:00:00Z" + entry: + type: array + items: + type: object + properties: + fullUrl: + type: string + example: "urn:uuid:123e4567-e89b-12d3-a456-426614174000" + resource: + type: object + properties: + resourceType: + type: string + 
example: "Patient" + id: + type: string + example: "9999999999" + identifier: + type: array + items: + type: object + properties: + system: + type: string + example: "https://fhir.nhs.uk/Id/nhs-number" + value: + type: string + example: "9999999999" + name: + type: array + items: + type: object + properties: + use: + type: string + example: "official" + family: + type: string + example: "Doe" + given: + type: array + items: + type: string + example: ["John"] + gender: + type: string + example: "male" + birthDate: + type: string + format: date + example: "1985-04-12" + /health: + get: + summary: Health check + description: Returns the health status of the API + operationId: healthCheck + responses: + '200': + description: Service is healthy + content: + application/json: + schema: + type: object + properties: + status: + type: string + example: "healthy" + required: + - status + +x-nhsd-apim: + monitoring: false + access: + - title: Application Restricted + grants: + app-level0: [] + target: + type: external + healthcheck: /health + url: + security: + type: mtls + secret: From 742a78fdc60b4ce9146beb55ad0221b348111ab0 Mon Sep 17 00:00:00 2001 From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 12:45:12 +0000 Subject: [PATCH 02/15] [GPCAPIM-278]: Obfuscate secrets by not expanding them in the run block. --- .github/workflows/preview-env.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index cc3c3a6b..3c33e4b4 100644 --- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml 
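Review bot: Under `responses: '200':` the spec declares a `parameters:` list, which is not a field of an OpenAPI 3.0 Response Object (it allows `description`, `headers`, `content` and `links`), so validators may reject it or silently drop it; indentation is lost in this view, so confirm the nesting. If the intent is to document the response header, use `headers:`, although `Content-Type` is already conveyed by the `content` media-type key. The request-side `in: header` / `name: Content-Type` parameter is likewise ignored by OpenAPI 3.0 tooling, so the `application/fhir+json` restriction is expressed only through `requestBody.content`.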
@@ -162,10 +162,13 @@ jobs: - name: Inject secrets into openapi.yaml for deploying proxy working-directory: gateway-api + env: + MTLS_SECRET_KEY: ${{ secrets.MTLS_SECRET_KEY }} + PREVIEW_URL: ${{ steps.tf-output.outputs.preview_url }} run: | cp openapi.template.yaml openapi.yaml - yq eval '.x-nhsd-apim.target.url = ${{ steps.tf-output.output.preview_url }} | .x-nhsd-apim.target.security.secret = ${{ secrets.MTLS_SECRET_KEY }}' -i openapi.yaml + yq eval '.x-nhsd-apim.target.url = env(PREVIEW_URL) | .x-nhsd-apim.target.security.secret = env(MTLS_SECRET_KEY)' -i openapi.yaml # ---------- Ensure re-deployment (PR updated) ---------- - name: Force ECS service redeployment From d4ef4f1f8adc5f57c53f465b2da75d7cc6019e1e Mon Sep 17 00:00:00 2001 From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 14:02:04 +0000 Subject: [PATCH 03/15] [GPCAPIM-278]: Remove smoke tests while mTLS are being sorted. --- .github/workflows/preview-env.yml | 70 +++++++++++++++---------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index 3c33e4b4..c29b2e84 100644 --- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml 
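Review bot: `env(PREVIEW_URL)` and `env(MTLS_SECRET_KEY)` make yq parse each value as YAML rather than take it as a string, so a value such as `null` (which the smoke-test step elsewhere in this workflow explicitly checks for) would be written as a YAML null and leave `x-nhsd-apim.target.url` empty in the deployed spec. Use `strenv(PREVIEW_URL)` and `strenv(MTLS_SECRET_KEY)`, and fail the step before the `cp` when an input is missing: `[ -n "$PREVIEW_URL" ] && [ "$PREVIEW_URL" != "null" ] && [ -n "$MTLS_SECRET_KEY" ] || { echo "missing proxy inputs" >&2; exit 1; }`. Moving the values into `env:` is the right fix for the inline `${{ }}` expansion; a short comment saying so (`# passed via env so the values never become part of the script text`) would keep a later edit from undoing it.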
@@ -210,41 +210,41 @@ jobs: --services ${{ steps.tf-output.outputs.ecs_service }} \ --region ${{ env.AWS_REGION }} - - name: Smoke test preview URL - if: github.event.action != 'closed' - id: smoke-test - env: - PREVIEW_URL: ${{ steps.tf-output.outputs.preview_url }} - run: | - if [ -z "$PREVIEW_URL" ] || [ "$PREVIEW_URL" = "null" ]; then - echo "Preview URL missing" - echo "http_status=missing" >> "$GITHUB_OUTPUT" - echo "http_result=missing-url" >> "$GITHUB_OUTPUT" - exit 0 - fi - - # Reachability check: allow 404 (app routes might not exist yet) but fail otherwise - STATUS=$(curl --silent --output /tmp/preview.headers --write-out '%{http_code}' --head --max-time 30 "$PREVIEW_URL" || true) - - if [ "$STATUS" = "404" ]; then - echo "Preview responded with expected 404" - echo "http_status=404" >> "$GITHUB_OUTPUT" - echo "http_result=allowed-404" >> "$GITHUB_OUTPUT" - exit 0 - fi - - if [[ "$STATUS" =~ ^[0-9]{3}$ ]] && [ "$STATUS" -ge 200 ] && [ "$STATUS" -lt 400 ]; then - echo "Preview responded with status $STATUS" - echo "http_status=$STATUS" >> "$GITHUB_OUTPUT" - echo "http_result=success" >> "$GITHUB_OUTPUT" - exit 0 - fi - - echo "Preview responded with unexpected status $STATUS" - cat /tmp/preview.headers - echo "http_status=$STATUS" >> "$GITHUB_OUTPUT" - echo "http_result=unexpected-status" >> "$GITHUB_OUTPUT" - exit 0 + # - name: Smoke test preview URL + # if: github.event.action != 'closed' + # id: smoke-test + # env: + # PREVIEW_URL: ${{ steps.tf-output.outputs.preview_url }} + # run: | + # if [ -z "$PREVIEW_URL" ] || [ "$PREVIEW_URL" = "null" ]; then + # echo "Preview URL missing" + # echo "http_status=missing" >> "$GITHUB_OUTPUT" + # echo "http_result=missing-url" >> "$GITHUB_OUTPUT" + # exit 0 + # fi + + # # Reachability check: allow 404 (app routes might not exist yet) but fail otherwise + # STATUS=$(curl --silent --output /tmp/preview.headers --write-out '%{http_code}' --head --max-time 30 "$PREVIEW_URL" || true) + + # if [ "$STATUS" = "404" ]; then 
+ # echo "Preview responded with expected 404" + # echo "http_status=404" >> "$GITHUB_OUTPUT" + # echo "http_result=allowed-404" >> "$GITHUB_OUTPUT" + # exit 0 + # fi + + # if [[ "$STATUS" =~ ^[0-9]{3}$ ]] && [ "$STATUS" -ge 200 ] && [ "$STATUS" -lt 400 ]; then + # echo "Preview responded with status $STATUS" + # echo "http_status=$STATUS" >> "$GITHUB_OUTPUT" + # echo "http_result=success" >> "$GITHUB_OUTPUT" + # exit 0 + # fi + + # echo "Preview responded with unexpected status $STATUS" + # cat /tmp/preview.headers + # echo "http_status=$STATUS" >> "$GITHUB_OUTPUT" + # echo "http_result=unexpected-status" >> "$GITHUB_OUTPUT" + # exit 0 - name: Comment function name on PR if: github.event_name == 'pull_request' && github.event.action != 'closed' From cb33e98b95daa12a7ea5355506c1f11909bb7f87 Mon Sep 17 00:00:00 2001 From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 14:08:44 +0000 Subject: [PATCH 04/15] [GPCAPIM-278]: Install proxygen-cli so that we can deploy an instance of the proxy during from pipeline. --- .github/workflows/preview-env.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index c29b2e84..af92ee78 100644 --- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml @@ -170,6 +170,12 @@ jobs: yq eval '.x-nhsd-apim.target.url = env(PREVIEW_URL) | .x-nhsd-apim.target.security.secret = env(MTLS_SECRET_KEY)' -i openapi.yaml + - name: Install proxygen-cli + if: github.event.action != 'closed' + run: | + pip install proxygen-cli + proxygen --version + # ---------- Ensure re-deployment (PR updated) ---------- - name: Force ECS service redeployment if: github.event.action == 'synchronize' From a5871ff21e06ff349fbeb117b19de0ec7566b478 Mon Sep 17 00:00:00 2001 
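Review bot: Commenting out the `smoke-test` step leaves the PR comment step still printing `- Smoke Test: ${smokeReadable} (HTTP ${smokeStatus})` (visible in the 15/15 hunk), and with no `steps.smoke-test.outputs` those values are presumably empty or a fallback, so every preview comment will report a misleading smoke result. Prefer keeping the step and disabling it with `if: false  # TODO(GPCAPIM-278): re-enable once the mTLS route is testable`, which avoids 35 lines of commented-out YAML. Until it is re-enabled, drop or reword the Smoke Test line in the comment.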
From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 15:15:48 +0000 Subject: [PATCH 05/15] [GPCAPIM-278]: Set up action to run proxygen as a machine-user, in preparation for dpeloying an instance of the proxy. --- .github/workflows/preview-env.yml | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index af92ee78..52718508 100644 --- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml @@ -156,17 +156,19 @@ jobs: echo "ecs_cluster=$ECS_CLUSTER" >> $GITHUB_OUTPUT - name: Install yq for YAML template processing + if: github.event.action != 'closed' run: | sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 sudo chmod +x /usr/local/bin/yq - name: Inject secrets into openapi.yaml for deploying proxy + if: github.event.action != 'closed' working-directory: gateway-api env: MTLS_SECRET_KEY: ${{ secrets.MTLS_SECRET_KEY }} PREVIEW_URL: ${{ steps.tf-output.outputs.preview_url }} run: | - cp openapi.template.yaml openapi.yaml + cp openapi.template.yaml openapi.proxygen.yaml yq eval '.x-nhsd-apim.target.url = env(PREVIEW_URL) | .x-nhsd-apim.target.security.secret = env(MTLS_SECRET_KEY)' -i openapi.yaml 
@@ -176,6 +178,32 @@ jobs: pip install proxygen-cli proxygen --version + - name: Get proxygen machine user details + if: github.event.action != 'closed' + id: proxygen-machine-user + uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 + with: + secret-ids: | + /cds/gateway/dev/proxygen/proxygen-key-secret + name-transformation: lowercase + + - name: Deploy preview API proxy + if: github.event.action != 'closed' + run: | + printf "%s" "$_cds_gateway_dev_proxygen_proxygen_key_secret" > /tmp/proxygen_private_key.pem + + proxygen credentials set private_key_path /tmp/proxygen_private_key.pem key_id "$PROXYGEN_KEY_ID" client_id clinical-data-gateway-api-poc-client + + rm -f /tmp/proxygen_private_key.pem + + proxygen instance list + + + - name: Tear fown preview API proxy + if: github.event.action == 'closed' + run: | + # TODO + # ---------- Ensure re-deployment (PR updated) ---------- - name: Force ECS service redeployment if: github.event.action == 'synchronize' From d46febb12316afadc73199fe26d59c8ac62ce805 Mon Sep 17 00:00:00 2001 From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 15:25:18 +0000 Subject: [PATCH 06/15] [GPCAPIM-278]: Provide empty defaults for proxygens inputs, username and password, as specified in their docs, https://nhsd-confluence.digital.nhs.uk/spaces/APM/pages/804495095/Proxygen+CLI+user+guide\#ProxygenCLIuserguide-Settingupformachine-useraccess --- .github/workflows/preview-env.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index 52718508..0d3b4319 100644 --- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml 
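Review bot: In the `Deploy preview API proxy` step the private key is written with `printf ... > /tmp/proxygen_private_key.pem` under the runner's default umask to a fixed, shared path, so the file is likely readable by other users and processes on the runner for as long as it exists. Create it privately in the job's temp directory instead: `umask 077` followed by `printf '%s' "$_cds_gateway_dev_proxygen_proxygen_key_secret" > "$RUNNER_TEMP/proxygen_private_key.pem"`. Note also that the `rm -f` runs before `proxygen instance list`, which presumably needs the key, and that `$PROXYGEN_KEY_ID` is not set by any step visible here. The same write recurs in the 10/15 hunk.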
@@ -192,7 +192,7 @@ jobs: run: | printf "%s" "$_cds_gateway_dev_proxygen_proxygen_key_secret" > /tmp/proxygen_private_key.pem - proxygen credentials set private_key_path /tmp/proxygen_private_key.pem key_id "$PROXYGEN_KEY_ID" client_id clinical-data-gateway-api-poc-client + yes "" | proxygen credentials set private_key_path /tmp/proxygen_private_key.pem key_id "$PROXYGEN_KEY_ID" client_id clinical-data-gateway-api-poc-client rm -f /tmp/proxygen_private_key.pem From 1e96334d3119a729a1a53f422e17565817e9fac1 Mon Sep 17 00:00:00 2001 From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 15:39:26 +0000 Subject: [PATCH 07/15] [GPCAPIM-278]: Provide empty defaults - retry --- .github/workflows/preview-env.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index 0d3b4319..dd5dc25c 100644 --- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml @@ -192,7 +192,8 @@ jobs: run: | printf "%s" "$_cds_gateway_dev_proxygen_proxygen_key_secret" > /tmp/proxygen_private_key.pem - yes "" | proxygen credentials set private_key_path /tmp/proxygen_private_key.pem key_id "$PROXYGEN_KEY_ID" client_id clinical-data-gateway-api-poc-client + yes "" | proxygen credentials set + proxygen credentials set private_key_path /tmp/proxygen_private_key.pem key_id "$PROXYGEN_KEY_ID" client_id clinical-data-gateway-api-poc-client rm -f /tmp/proxygen_private_key.pem From c303fe56fd5aea012ce79b63952550cd77dfb301 Mon Sep 17 00:00:00 2001 From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 15:41:13 +0000 Subject: [PATCH 08/15] [GPCAPIM-278]: Provide empty defaults - retry --- .github/workflows/preview-env.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index dd5dc25c..367c61ab 100644 
--- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml @@ -190,9 +190,13 @@ jobs: - name: Deploy preview API proxy if: github.event.action != 'closed' run: | + yes "" | proxygen credentials set + proxygen settings set api "clinical-data-gateway-api-poc" + proxygen settings set endpoint_url "https://proxygen.prod.api.platform.nhs.uk" + proxygen settings set spec_output_format "yaml" + printf "%s" "$_cds_gateway_dev_proxygen_proxygen_key_secret" > /tmp/proxygen_private_key.pem - yes "" | proxygen credentials set proxygen credentials set private_key_path /tmp/proxygen_private_key.pem key_id "$PROXYGEN_KEY_ID" client_id clinical-data-gateway-api-poc-client rm -f /tmp/proxygen_private_key.pem From 9f989ddfba161eb5b44fc135f2e3a738cb9fc6cc Mon Sep 17 00:00:00 2001 From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 15:42:06 +0000 Subject: [PATCH 09/15] [GPCAPIM-278]: Typo. --- .github/workflows/preview-env.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index 367c61ab..79282c6b 100644 --- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml @@ -204,7 +204,7 @@ jobs: proxygen instance list - - name: Tear fown preview API proxy + - name: Tear down preview API proxy if: github.event.action == 'closed' run: | # TODO From 51c063610f8a283acc07908099d5f0d33f2323e0 Mon Sep 17 00:00:00 2001 
From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 19:31:54 +0000 Subject: [PATCH 10/15] [GPCAPIM-278]: Setup proxygen credentials and settings through overwriiting proxygen's yaml files --- .github/workflows/preview-env.yml | 18 +++++++++--------- gateway-api/openapi.template.yaml | 8 ++++++++ proxygen/credentials.template.yaml | 7 +++++++ proxygen/settings.yaml | 3 +++ 4 files changed, 27 insertions(+), 9 deletions(-) create mode 100644 proxygen/credentials.template.yaml create mode 100644 proxygen/settings.yaml diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index 79282c6b..44f0429c 100644 --- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml @@ -187,22 +187,22 @@ jobs: /cds/gateway/dev/proxygen/proxygen-key-secret name-transformation: lowercase - - name: Deploy preview API proxy + - name: Apply proxygen details if: github.event.action != 'closed' run: | - yes "" | proxygen credentials set - proxygen settings set api "clinical-data-gateway-api-poc" - proxygen settings set endpoint_url "https://proxygen.prod.api.platform.nhs.uk" - proxygen settings set spec_output_format "yaml" + cp settings.yaml $HOME/.proxygen/settings.yaml printf "%s" "$_cds_gateway_dev_proxygen_proxygen_key_secret" > /tmp/proxygen_private_key.pem - - proxygen credentials set private_key_path /tmp/proxygen_private_key.pem key_id "$PROXYGEN_KEY_ID" client_id clinical-data-gateway-api-poc-client - - rm -f /tmp/proxygen_private_key.pem + cp credentials.template.yaml $HOME/.proxygen/credentials.yaml + yq eval '.private_key_path = "/tmp/proxygen_private_key.pem"' -i $HOME/.proxygen/credentials.yaml proxygen instance list + - name: Deploy preview API proxy + if: github.event.action != 'closed' + run: | + # TODO + - name: Tear down preview API proxy if: github.event.action == 'closed' 
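Review bot: The `Apply proxygen details` step drops the earlier `rm -f`, so `/tmp/proxygen_private_key.pem` now stays on disk for the rest of the job and, on a self-hosted or reused runner, beyond it. Add a final cleanup step that always runs: `- name: Remove proxygen key`, `if: always()`, `run: rm -f /tmp/proxygen_private_key.pem`. The two `cp` commands also assume `$HOME/.proxygen` already exists and leave `$HOME` unquoted; nothing visible in the workflow creates that directory, so start the block with `mkdir -p "$HOME/.proxygen"`.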
diff --git a/gateway-api/openapi.template.yaml b/gateway-api/openapi.template.yaml index 7aca7a81..e34347cd 100644 --- a/gateway-api/openapi.template.yaml +++ b/gateway-api/openapi.template.yaml @@ -8,11 +8,17 @@ info: servers: - url: http://localhost:5000 description: Local development server +components: + securitySchemes: + app-level0: + $ref: https://proxygen.ptl.api.platform.nhs.uk/components/securitySchemes/app-level0 paths: /patient/$gpc.getstructuredrecord: post: summary: Get structured record description: Returns a FHIR Bundle containing patient structured record + security: + - app-level0: [] operationId: getStructuredRecord parameters: - in: header @@ -145,6 +151,8 @@ paths: get: summary: Health check description: Returns the health status of the API + security: + - app-level0: [] operationId: healthCheck responses: '200': diff --git a/proxygen/credentials.template.yaml b/proxygen/credentials.template.yaml new file mode 100644 index 00000000..3a607e83 --- /dev/null +++ b/proxygen/credentials.template.yaml @@ -0,0 +1,7 @@ +base_url: https://identity.prod.api.platform.nhs.uk/realms/api-producers +client_id: clinical-data-gateway-api-poc-client +client_secret: '' +key_id: poc-cli-key-1 +password: '' +private_key_path: +username: '' diff --git a/proxygen/settings.yaml b/proxygen/settings.yaml new file mode 100644 index 00000000..b3d0b3b7 --- /dev/null +++ b/proxygen/settings.yaml @@ -0,0 +1,3 @@ +api: clinical-data-gateway-api-poc +endpoint_url: https://proxygen.prod.api.platform.nhs.uk +spec_output_format: yaml From 8c4d616ccdaec32a7794645a7bfb24a328f1432d Mon Sep 17 00:00:00 2001 From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 19:41:42 +0000 Subject: [PATCH 11/15] [GPCAPIM-278]: Ensure paths are correct --- .github/workflows/preview-env.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index fee13538..7d7fb31a 100644 
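Review bot: The new `components.securitySchemes.app-level0` entry takes its `$ref` from `https://proxygen.ptl.api.platform.nhs.uk/...`, while `proxygen/settings.yaml` and `proxygen/credentials.template.yaml` added in the same commit point at the `prod` proxygen and identity hosts. If that split is intentional it deserves a comment above the `$ref` (for example `# security scheme is resolved from the PTL proxygen; the CLI itself talks to prod`); if not, the hosts should be aligned so the deployed spec resolves its scheme from the same platform that serves it. Separately, `security: app-level0` is now required on `/health`, which is also the `x-nhsd-apim.target.healthcheck` path, so it is worth confirming that the platform's health probe is unaffected by the operation-level security.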
--- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml @@ -189,6 +189,7 @@ jobs: - name: Apply proxygen details if: github.event.action != 'closed' + working-directory: proxygen run: | cp settings.yaml $HOME/.proxygen/settings.yaml From 33ebd5081ed55cc3ff5a3d9e5673667521ef8680 Mon Sep 17 00:00:00 2001 From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 19:50:55 +0000 Subject: [PATCH 12/15] [GPCAPIM-278]: Deploy and delete proxy instance for PR --- .github/workflows/preview-env.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index 7d7fb31a..e905712f 100644 --- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml @@ -156,7 +156,6 @@ jobs: echo "ecs_cluster=$ECS_CLUSTER" >> $GITHUB_OUTPUT - name: Install yq for YAML template processing - if: github.event.action != 'closed' run: | sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 sudo chmod +x /usr/local/bin/yq @@ -173,13 +172,11 @@ jobs: yq eval '.x-nhsd-apim.target.url = env(PREVIEW_URL) | .x-nhsd-apim.target.security.secret = env(MTLS_SECRET_KEY)' -i openapi.yaml - name: Install proxygen-cli - if: github.event.action != 'closed' run: | pip install proxygen-cli proxygen --version - name: Get proxygen machine user details - if: github.event.action != 'closed' id: proxygen-machine-user uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 with: @@ -188,7 +185,6 @@ jobs: name-transformation: lowercase - name: Apply proxygen details - if: github.event.action != 'closed' working-directory: proxygen run: | cp settings.yaml $HOME/.proxygen/settings.yaml 
@@ -197,18 +193,17 @@ jobs: cp credentials.template.yaml $HOME/.proxygen/credentials.yaml yq eval '.private_key_path = "/tmp/proxygen_private_key.pem"' -i $HOME/.proxygen/credentials.yaml - proxygen instance list - - name: Deploy preview API proxy if: github.event.action != 'closed' + working-directory: gateway-api run: | - # TODO + proxygen instance deploy internal-dev "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}" gateway-api/openapi.template.yaml --no-confirm - name: Tear down preview API proxy if: github.event.action == 'closed' run: | - # TODO + proxygen instance delete internal-dev clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }} --no-confirm # ---------- Ensure re-deployment (PR updated) ---------- - name: Force ECS service redeployment From 62a44eba98bb8347e108c64e64929c4b140abb85 Mon Sep 17 00:00:00 2001 From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 19:55:17 +0000 Subject: [PATCH 13/15] [GPCAPIM-278]: Ensure paths are correct --- .github/workflows/preview-env.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index e905712f..b3572da1 100644 --- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml @@ -197,7 +197,7 @@ jobs: if: github.event.action != 'closed' working-directory: gateway-api run: | - proxygen instance deploy internal-dev "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}" gateway-api/openapi.template.yaml --no-confirm + proxygen instance deploy internal-dev "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}" openapi.yaml --no-confirm - name: Tear down preview API proxy From ce88bddfd2319aaec14ea380383244d6e006bd83 Mon Sep 17 00:00:00 2001 
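Review bot: The instance name `clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}` is expanded inline in both `run:` blocks (unquoted in the delete) and is repeated again in the PR-comment script in 15/15; if the copies drift, the teardown will miss the instance that was deployed. Define it once as a job-level or step-level `env:` entry, `PROXY_INSTANCE: clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}`, and call `proxygen instance delete internal-dev "$PROXY_INSTANCE" --no-confirm`, matching the env-based pattern adopted in 02/15. Neither step is gated on `github.event_name == 'pull_request'`, so on any other trigger the number is empty and the name collapses to `...-poc-pr-`; the triggers are outside this hunk, so confirm whether that can happen.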
From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 19:58:23 +0000 Subject: [PATCH 14/15] [GPCAPIM-278]: Ensure paths are correct --- .github/workflows/preview-env.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index b3572da1..c6f1fa81 100644 --- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml @@ -167,7 +167,7 @@ jobs: MTLS_SECRET_KEY: ${{ secrets.MTLS_SECRET_KEY }} PREVIEW_URL: ${{ steps.tf-output.outputs.preview_url }} run: | - cp openapi.template.yaml openapi.proxygen.yaml + cp openapi.template.yaml openapi.yaml yq eval '.x-nhsd-apim.target.url = env(PREVIEW_URL) | .x-nhsd-apim.target.security.secret = env(MTLS_SECRET_KEY)' -i openapi.yaml From 924776f7cc79595fb88ad30a7aee7355e7c97f29 Mon Sep 17 00:00:00 2001 From: David Hamill <109090521+davidhamill1-nhs@users.noreply.github.com> Date: Thu, 29 Jan 2026 22:49:51 +0000 Subject: [PATCH 15/15] [GPCAPIM-278]: Print out proxy path --- .github/workflows/preview-env.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/preview-env.yml b/.github/workflows/preview-env.yml index c6f1fa81..d3a4febd 100644 --- a/.github/workflows/preview-env.yml +++ b/.github/workflows/preview-env.yml @@ -313,6 +313,7 @@ jobs: script: | const alb = '${{ steps.tf-output.outputs.target_group }}'; const url = '${{ steps.tf-output.outputs.preview_url }}'; + const proxy_url = 'https://internal-dev.api.service.nhs.uk/clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}'; const cluster = '${{ steps.tf-output.outputs.ecs_cluster }}'; const service = '${{ steps.tf-output.outputs.ecs_service }}'; const owner = context.repo.owner; 
@@ -353,6 +354,7 @@ jobs: const lines = [ '**Deployment Complete**', `- Preview URL: [${url}](${url}) — [Health endpoint](${url}/health)`, + `- Proxy URL: [${proxy_url}](${proxy_url})`, `- Smoke Test: ${smokeReadable} (HTTP ${smokeStatus})`, `- ECS Cluster: \`${cluster}\``, `- ECS Service: \`${service}\``,