[GPCAPIM-359] Sort out env vars

.github/actions/run-test-suite/action.yaml

@@ -9,33 +9,25 @@ inputs:
   test-type:
     description: "Type of test to run"
     required: true
-  apigee-access-token:
-    description: "Apigee access token"
-    required: false
-  base-url:
-    description: "The URL of the environment to test"
-    required: false
   env:
-    description: "Environment: local or remote"
+    description: "Environment to run tests against: ci, alpha-int, pr-<number> - see env.mk"
     required: false
-    default: "remote"
+    default: "ci"
 
 runs:
   using: composite
   steps:
-    - name: "Run ${{ inputs.test-type }} tests"
+    - name: Set up environment
       shell: bash
       env:
-        APIGEE_ACCESS_TOKEN: ${{ inputs.apigee-access-token }}
-        BASE_URL: ${{ inputs.base-url }}
         ENV: ${{ inputs.env }}
+      run: make env-test-"${ENV}"
+
+    - name: "Run ${{ inputs.test-type }} tests"
+      shell: bash
+      env:
         TEST_TYPE: ${{ inputs.test-type }}
       run: |
-        if [[ -n "${APIGEE_ACCESS_TOKEN}" ]]; then
-          echo "::add-mask::${APIGEE_ACCESS_TOKEN}"
-        fi
-
-        # Clean test artefacts so each suite uploads only its own results
         rm -rf gateway-api/test-artefacts/* || true
         mkdir -p gateway-api/test-artefacts
         make test-"${TEST_TYPE}"

.github/actions/start-app/action.yaml

@@ -4,7 +4,7 @@ inputs:
   deploy-command:
     description: "Command to start app"
     required: false
-    default: "make deploy"
+    default: "make deploy-ci"
   health-path:
     description: "Health check path"
     required: false

.github/instructions/copilot-instructions.md

@@ -8,7 +8,7 @@ This repository is for handling HTTP requests from "Consumer systems" and forwar
 
 We use other NHSE services to assist in the validation and processing of the requests including PDS FHIR API for obtaining GP practice codes for the patient, SDS FHIR API for obtaining the "Provider system" details of that GP practice and Healthcare Worker FHIR API for obtaining details of the requesting practitioner using the "Consumer System" that will then be added to the forwarded request.
 
-`make deploy` will build and start a container running Gateway API at `localhost:5000`.
+`make deploy-dev` will build and start a container running Gateway API at `localhost:5000`.
 
 After deploying the container locally, `make test` will run all tests and capture their coverage. Note: env variables control the use of stubs for the PDS FHIR API, SDS FHIR API, Healthcare Worker FHIR API and Provider system services.
 

.github/workflows/alpha-integration-env.yml

@@ -14,7 +14,6 @@ env:
   TF_STATE_KEY: "dev/preview/alpha-integration.tfstate"
   BRANCH_NAME: "alpha-integration"
   ALB_RULE_PRIORITY: "900"
-  BASE_URL: "https://internal-dev.api.service.nhs.uk/clinical-data-gateway-api-poc-alpha-integration"
   python_version: "3.14"
   PROXYGEN_API_NAME: ${{ vars.PROXYGEN_API_NAME }}
 
@@ -196,63 +195,34 @@ jobs:
           echo "http_result=unexpected-status" >> "$GITHUB_OUTPUT"
           exit 0
 
-      - name: Retrieve Apigee Token
-        id: apigee-token
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          APIGEE_TOKEN="$(proxygen pytest-nhsd-apim get-token | jq -r '.pytest_nhsd_apim_token' 2>/dev/null)"
-          if [ -z "$APIGEE_TOKEN" ] || [ "$APIGEE_TOKEN" = "null" ]; then
-            echo "::error::Failed to retrieve Apigee token"
-            exit 1
-          fi
-
-          echo "::add-mask::$APIGEE_TOKEN"
-          printf 'apigee-access-token=%s\n' "$APIGEE_TOKEN" >> "$GITHUB_OUTPUT"
-          echo "Token retrieved successfully (length: ${#APIGEE_TOKEN})"
-
       - name: Run unit tests
         uses: ./.github/actions/run-test-suite
         with:
           test-type: unit
-          env: local
 
       - name: Run contract tests
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-alpha-integration"
         with:
           test-type: contract
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: alpha-int
 
       - name: Run schema validation tests
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-alpha-integration"
         with:
           test-type: schema
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: alpha-int
 
       - name: Run integration tests
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-alpha-integration"
         with:
           test-type: integration
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: alpha-int
 
       - name: Run acceptance tests
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-alpha-integration"
         with:
           test-type: acceptance
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: alpha-int
 
       - name: Remove mTLS temp files
         run: rm -f /tmp/client1-key.pem /tmp/client1-cert.pem

.github/workflows/preview-env.yml

@@ -10,7 +10,6 @@ env:
   ECR_REPOSITORY_NAME: "whoami"
   TF_STATE_BUCKET: "cds-cdg-dev-tfstate-900119715266"
   PREVIEW_STATE_PREFIX: "dev/preview/"
-  BASE_URL: "https://internal-dev.api.service.nhs.uk/clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}"
   python_version: "3.14"
   PROXYGEN_API_NAME: ${{ vars.PROXYGEN_API_NAME }}
   PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -314,28 +313,11 @@ jobs:
 
       # ---------- QUALITY CHECKS (Test Suites) ----------
 
-      - name: Retrieve Apigee Token
-        id: apigee-token
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          APIGEE_TOKEN="$(proxygen pytest-nhsd-apim get-token | jq -r '.pytest_nhsd_apim_token' 2>/dev/null)"
-          if [ -z "$APIGEE_TOKEN" ] || [ "$APIGEE_TOKEN" = "null" ]; then
-            echo "::error::Failed to retrieve Apigee token"
-            exit 1
-          fi
-
-          echo "::add-mask::$APIGEE_TOKEN"
-          printf 'apigee-access-token=%s\n' "$APIGEE_TOKEN" >> "$GITHUB_OUTPUT"
-          echo "Token retrieved successfully (length: ${#APIGEE_TOKEN})"
-
       - name: "Run unit tests"
         if: github.event.action != 'closed'
         uses: ./.github/actions/run-test-suite
         with:
           test-type: unit
-          env: local
 
       - name: "Run load tests"
         if: github.event.action != 'closed' && steps.smoke-test.outputs.http_result != 'unexpected-status'
@@ -349,42 +331,30 @@ jobs:
       - name: "Run contract tests"
         if: github.event.action != 'closed'
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}"
         with:
           test-type: contract
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: pr-${{ github.event.pull_request.number }}
 
       - name: "Run schema validation tests"
         if: github.event.action != 'closed'
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}"
         with:
           test-type: schema
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: pr-${{ github.event.pull_request.number }}
 
       - name: "Run integration tests"
         if: github.event.action != 'closed'
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}"
         with:
           test-type: integration
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: pr-${{ github.event.pull_request.number }}
 
       - name: "Run acceptance tests"
         if: github.event.action != 'closed'
         uses: ./.github/actions/run-test-suite
-        env:
-          PROXY_BASE_PATH: "clinical-data-gateway-api-poc-pr-${{ github.event.pull_request.number }}"
         with:
           test-type: acceptance
-          apigee-access-token: ${{ steps.apigee-token.outputs.apigee-access-token }}
-          base-url: ${{ env.BASE_URL }}
+          env: pr-${{ github.event.pull_request.number }}
 
       # Cleanup after tests
       - name: Remove mTLS temp files

.github/workflows/stage-2-test.yaml

@@ -1,12 +1,5 @@
 name: "Test stage"
 
-env:
-  BASE_URL: "http://localhost:5000"
-  HOST: "localhost"
-  STUB_SDS: "true"
-  STUB_PDS: "true"
-  STUB_PROVIDER: "true"
-
 on:
   workflow_call:
     inputs:
@@ -45,6 +38,8 @@ jobs:
         uses: ./.github/actions/setup-python-project
         with:
           python-version: ${{ inputs.python_version }}
+      - name: Set environment variables
+        run: make env-test-ci
       - name: "Run unit test suite"
         run: make test-unit
       - name: "Upload unit test results"
@@ -75,6 +70,8 @@ jobs:
         uses: ./.github/actions/start-app
         with:
           python-version: ${{ inputs.python_version }}
+      - name: Set environment variables
+        run: make env-test-ci
       - name: "Run contract tests"
         run: make test-contract
       - name: "Upload contract test results"
@@ -105,6 +102,8 @@ jobs:
         uses: ./.github/actions/start-app
         with:
           python-version: ${{ inputs.python_version }}
+      - name: Set environment variables
+        run: make env-test-ci
       - name: "Run schema validation tests"
         run: make test-schema
       - name: "Upload schema test results"
@@ -135,6 +134,8 @@ jobs:
         uses: ./.github/actions/start-app
         with:
           python-version: ${{ inputs.python_version }}
+      - name: Set environment variables
+        run: make env-test-ci
       - name: "Run integration test"
         run: make test-integration
       - name: "Upload integration test results"
@@ -166,6 +167,8 @@ jobs:
         with:
           python-version: ${{ inputs.python_version }}
           max-seconds: 90
+      - name: Set environment variables
+        run: make env-test-ci
       - name: "Run acceptance test"
         run: make test-acceptance
       - name: "Upload acceptance test results"

.gitignore

@@ -26,3 +26,7 @@ gateway-api/test-artefacts/
 **/.env.*
 **/.DS_Store
 **/.terraform.lock.hcl
+
+# Any file within .secrets
+.secrets/**
+!.secrets/README.md

.secrets/README.md

@@ -0,0 +1,19 @@
+# Secrets
+
+This directory is used to store secrets.
+
+The secrets are accessed through `make env-<int|int-pds|int-sds>` which sets the secrets required for PDS FHIR API and SDS FHIR API to `.env` file, which is then fed in to the locally deployed application through `make deploy`.
+
+## PDS
+
+PDS FHIR API requires [signed JWT for application-resrtictecd access](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-signed-jwt-authentication). As such, the following three secrets enable the Gateway API to authenticate:
+
+* `.secrets/pds/api_token` - the API key of the application through which the Gateway API will consume NHSE APIs.
+* `.secrets/pds/api_secret` - the private key of the public/private key pair created for application identified by `api_token`
+* `.secrets/pds/api_kid` - the key identifier for the private/public key pair used for the `api_secret`.
+
+## SDS
+
+SDS FHIR API requires [API key authentication](https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-api-key-authentication) for application-restricted access. As such, the only secret required is
+
+* `.secrets/sds/api_token` - the API key of the application through which the Gateway API will consume NHSE APIs.

.vscode/cspell-dictionary.txt

@@ -36,6 +36,7 @@ eamodio
 errstr
 Farsley
 fhir
+getfixturevalue
 getstructuredrecord
 gocloc
 GPCAPIM
@@ -73,6 +74,7 @@ NOSONAR
 NPFIT
 ONESHELL
 opencollection
+orangebox
 pipefail
 PIPX
 pkce

Makefile

@@ -53,27 +53,13 @@ build: build-gateway-api # Build the project artefact @Pipeline
 publish: # Publish the project artefact @Pipeline
 	# TODO [GPCAPIM-283]:  Implement the artefact publishing step
 
-deploy: clean build # Deploy the project artefact to the target environment @Pipeline
+deploy: clean build # Build project artefact and deploy locally @Pipeline
 	@$(docker) network inspect gateway-local >/dev/null 2>&1 || $(docker) network create gateway-local
-	# Build up list of environment variables to pass to the container
-	@ENVIRONMENT_STRING="" ; \
-	if [[ -n "$${STUB_PROVIDER}" ]]; then \
-		ENVIRONMENT_STRING="$${ENVIRONMENT_STRING} -e STUB_PROVIDER=$${STUB_PROVIDER}" ; \
-	fi ; \
-	if [[ -n "$${STUB_PDS}" ]]; then \
-		ENVIRONMENT_STRING="$${ENVIRONMENT_STRING} -e STUB_PDS=$${STUB_PDS}" ; \
-	fi ; \
-	if [[ -n "$${STUB_SDS}" ]]; then \
-		ENVIRONMENT_STRING="$${ENVIRONMENT_STRING} -e STUB_SDS=$${STUB_SDS}" ; \
-	fi ; \
-	if [[ -n "$${CDG_DEBUG}" ]]; then \
-		ENVIRONMENT_STRING="$${ENVIRONMENT_STRING} -e CDG_DEBUG=$${CDG_DEBUG}" ; \
-	fi ; \
 	if [[ -n "$${IN_BUILD_CONTAINER}" ]]; then \
 		echo "Starting using local docker network ..." ; \
-		$(docker) run --platform linux/amd64 --name gateway-api -p 5000:8080 --network gateway-local $${ENVIRONMENT_STRING} -d ${IMAGE_NAME} ; \
+		$(docker) run --platform linux/amd64 --name gateway-api -p 5000:8080 --network gateway-local --env-file .env -d ${IMAGE_NAME} ; \
 	else \
-		$(docker) run --platform linux/amd64 --name gateway-api -p 5000:8080 $${ENVIRONMENT_STRING} -d ${IMAGE_NAME} ; \
+		$(docker) run --platform linux/amd64 --name gateway-api -p 5000:8080 --env-file .env -d ${IMAGE_NAME} ; \
 	fi
 	@max_attempts=5 ; \
 	attempt=1 ; \
@@ -88,6 +74,9 @@ deploy: clean build # Deploy the project artefact to the target environment @Pip
 	$(docker) logs gateway-api ; \
 	exit 1
 
+deploy-%: # Build project artefact and deploy locally as specified environment - mandatory: name=[name of the environment, e.g. 'dev'] @Pipeline
+	make env-$* deploy
+
 clean:: stop # Clean-up project resources (main) @Operations
 	@echo "Removing Gateway API container..."
 	@$(docker) rm gateway-api || echo "No Gateway API container currently exists."