CCM-0005: repointed frontend

.tool-versions

@@ -1,2 +1,3 @@
 python 3.11.8
 poetry 1.5.0
+jq 1.6

proxies/live/apiproxy/targets/target.xml

@@ -18,10 +18,14 @@
         <SSLInfo>
             <Enabled>true</Enabled>
         </SSLInfo>
-        <LoadBalancer>
-            <Server name="{{ TARGET_SERVER_OVERRIDE | default('communications-manager-target') }}"/>
-        </LoadBalancer>
-        <Path>{requestpath}</Path>
+        {% if ENVIRONMENT_TYPE == 'sandbox' %}
+            <LoadBalancer>
+                <Server name="{{ TARGET_SERVER_OVERRIDE | default('communications-manager-target') }}"/>
+            </LoadBalancer>
+            <Path>{requestpath}</Path>
+        {% else %}
+            <URL>https://comms-apim.de-lula2.communications.national.nhs.uk</URL>
+        {% endif %}
         <Properties>
             <Property name="io.timeout.millis">29000</Property>
         </Properties>

proxies/shared/policies/AssignMessage.MessageBatches.Create.Request.xml

@@ -16,10 +16,17 @@
         <Name>target.copy.pathsuffix</Name>
         <Value>false</Value>
     </AssignVariable>
-    <AssignVariable>
-        <Name>requestpath</Name>
-        <Value>/api/v1/send</Value>
-    </AssignVariable>
+    {% if ENVIRONMENT_TYPE == 'sandbox' %}
+       <AssignVariable>
+           <Name>requestpath</Name>
+           <Value>/api/v1/send</Value>
+       </AssignVariable>
+    {% else %}
+        <AssignVariable>
+            <Name>target.url</Name>
+            <Value>https://comms-apim.de-lula2.communications.national.nhs.uk/api/v1/send</Value>
+        </AssignVariable>
+    {% endif %}
     <Set>
         <Payload contentType="application/json" variablePrefix="%" variableSuffix="#">%data.payload#</Payload>
         <Headers>

proxies/shared/policies/AssignMessage.Messages.Create.Request.xml

@@ -16,10 +16,17 @@
         <Name>target.copy.pathsuffix</Name>
         <Value>false</Value>
     </AssignVariable>
-    <AssignVariable>
-        <Name>requestpath</Name>
-        <Value>/api/v1/messages</Value>
-    </AssignVariable>
+    {% if ENVIRONMENT_TYPE == 'sandbox' %}
+       <AssignVariable>
+           <Name>requestpath</Name>
+           <Value>/api/v1/messages</Value>
+       </AssignVariable>
+    {% else %}
+        <AssignVariable>
+            <Name>target.url</Name>
+            <Value>https://comms-apim.de-lula2.communications.national.nhs.uk/api/v1/messages</Value>
+        </AssignVariable>
+    {% endif %}
     <Set>
         <Payload contentType="application/json" variablePrefix="%" variableSuffix="#">%data.payload#</Payload>
         <Headers>

proxies/shared/policies/AssignMessage.Messages.GetSingle.Request.xml

@@ -16,10 +16,17 @@
         <Name>target.copy.pathsuffix</Name>
         <Value>false</Value>
     </AssignVariable>
-    <AssignVariable>
-        <Name>requestpath</Name>
-        <Template>/api/v1/messages/{data.messageId}</Template>
-    </AssignVariable>
+    {% if ENVIRONMENT_TYPE == 'sandbox' %}
+       <AssignVariable>
+           <Name>requestpath</Name>
+           <Template>/api/v1/messages/{data.messageId}</Template>
+       </AssignVariable>
+    {% else %}
+        <AssignVariable>
+            <Name>target.url</Name>
+            <Value>https://comms-apim.de-lula2.communications.national.nhs.uk/api/v1/messages/{data.messageId}</Value>
+        </AssignVariable>
+    {% endif %}
     <Set>
         <Headers>
             <Header name="X-Correlation-Id">{backendCorrelationId}</Header>

proxies/shared/policies/AssignMessage.NhsAppAccounts.Get.Request.xml

@@ -16,10 +16,17 @@
         <Name>target.copy.pathsuffix</Name>
         <Value>false</Value>
     </AssignVariable>
-    <AssignVariable>
-        <Name>requestpath</Name>
-        <Value>/api/channels/nhsapp/accounts</Value>
-    </AssignVariable>
+    {% if ENVIRONMENT_TYPE == 'sandbox' %}
+       <AssignVariable>
+           <Name>requestpath</Name>
+           <Value>/api/channels/nhsapp/accounts</Value>
+       </AssignVariable>
+    {% else %}
+        <AssignVariable>
+            <Name>target.url</Name>
+            <Value>https://comms-apim.de-lula2.communications.national.nhs.uk/api/channels/nhsapp/accounts</Value>
+        </AssignVariable>
+    {% endif %}
     <Set>
         <Headers>
             <Header name="X-Correlation-Id">{backendCorrelationId}</Header>

scripts/mtls/disable_mtls.sh

@@ -0,0 +1,120 @@
+#!/bin/bash
+set -e
+
+help() {
+  echo "This script disables mTLS for a specified environment."
+  echo ""
+  echo "It is primarily called by repoint_frontend.sh as part of the process for reconfiguring"
+  echo "the communications-manager-api APIs to point to a dynamic backend."
+  echo ""
+  echo "Usage: $0 [environment]"
+  echo ""
+  echo "Positional Arguments:"
+  echo "  environment       Environment identifier (e.g., 'de-gith1')"
+  echo ""
+  echo "Options:"
+  echo "  --help            Show this help message and exit."
+  echo ""
+}
+
+if [[ "$1" == "--help" || "$1" == "-h" ]]; then
+  help
+  exit 1
+fi
+
+environment="$1"
+if [ -z "$environment" ]; then
+  echo "missing argument: [environment]. See '$0 --help'"
+  exit 1
+fi
+
+# Check AWS login status
+if ! aws sts get-caller-identity >/dev/null 2>&1; then
+  echo "You must have an active AWS SSO session to run this script."
+  exit 1
+fi
+
+domain_name="comms-apim.$environment.communications.national.nhs.uk"
+
+echo "Starting: remove mTLS (if set) for environment '$environment' on domain '$domain_name'..."
+
+# Fetch domain status
+domain_status=$(aws apigatewayv2 get-domain-name --domain-name "$domain_name" --output json)
+if [ $? -ne 0 ]; then
+  echo "Failed to get domain status for $domain_name."
+  exit 1
+fi
+
+# Check if mtls is active
+mtls_count=$(echo "$domain_status" | jq '(.MutualTlsAuthentication | length) // 0')
+
+if [ "$mtls_count" -gt 0 ]; then
+  mtls_is_enabled=1
+else
+  mtls_is_enabled=0
+fi
+
+# Get domain status message
+domain_status_message=$(echo "$domain_status" | jq -r '.DomainNameConfigurations[0].DomainNameStatus')
+
+if [ "$mtls_is_enabled" -eq 1 ] && [ "$domain_status_message" == "AVAILABLE" ]; then
+  echo "mTLS is enabled and domain is in AVAILABLE state. Removing mTLS from $domain_name..."
+
+  # Remove mTLS
+  if ! aws apigateway update-domain-name \
+    --domain-name "$domain_name" \
+    --patch-operations op=remove,path=/mutualTlsAuthentication/truststoreUri \
+    --no-cli-pager; then
+    echo "Failed to remove mTLS from $domain_name."
+    exit 1
+  fi
+
+  echo "Waiting for mTLS to be completely disabled and status to become AVAILABLE..."
+
+  # Wait for mTLS to be disabled and status to be "AVAILABLE"
+  max_attempts=60
+  attempts=0
+  while [ $attempts -lt $max_attempts ]; do
+    sleep 10
+    echo ""
+    echo -n "Checking..."
+    echo ""
+
+    domain_status=$(aws apigatewayv2 get-domain-name --domain-name "$domain_name")
+    echo $domain_status
+
+    if [ $? -ne 0 ]; then
+      echo "Failed to get domain status for $domain_name."
+      continue
+    fi
+
+    mtls_count=$(echo "$domain_status" | jq '(.MutualTlsAuthentication | length) // 0')
+
+    if [ "$mtls_count" -gt 0 ]; then
+      mtls_is_enabled=1
+    else
+      mtls_is_enabled=0
+    fi
+
+    # Get domain status message
+    domain_status_message=$(echo "$domain_status" | jq -r '.DomainNameConfigurations[0].DomainNameStatus')
+
+    if [ "$mtls_is_enabled" -eq 0 ] && [ "$domain_status_message" == "AVAILABLE" ]; then
+      printf "\n\nmTLS successfully removed and status is AVAILABLE for %s.\n" "$domain_name"
+      break
+    fi
+
+    attempts=$((attempts + 1))
+  done
+
+  if [ $attempts -eq $max_attempts ]; then
+    echo "Timed out waiting for mTLS to be disabled and status to become AVAILABLE."
+    exit 1
+  fi
+
+elif [ "$mtls_is_enabled" -eq 1 ] && [ "$domain_status_message" == "UPDATING" ]; then
+  echo "Domain is in $domain_status_message state for $domain_name. Try again in a few minutes."
+  exit 1
+else
+  echo "mTLS is already disabled for $domain_name. No further action needed."
+fi

scripts/repoint-frontend/README.md

@@ -0,0 +1,48 @@
+# Repoint Frontend
+
+The "Repoint Frontend" script automates the process of reconfiguring the `communications-manager-api` APIs to point to a dynamic backend environment in the `comms-mgr` repository, rather than the default common backend in `internal-dev`.
+
+## Overview
+
+This script is especially useful when engineers are testing changes across both the `communications-manager-api` and `comms-mgr` repositories. By default, the `communications-manager-api` APIs point to a common backend in `internal-dev`, which is convenient when only `communications-manager-api` changes need testing. However, when changes span both `communications-manager-api` and `comms-mgr` and need testing in a specific dynamic environment (e.g. `de-todr3`), manual reconfiguration is required.
+
+The script simplifies this process by automatically:
+
+1. Pointing the APIs to the correct backend environment
+2. Disabling mTLS where necessary
+
+## Prerequisites
+
+Before running the "Repoint Frontend" script, ensure the following prerequisites are met:
+
+- You must be logged into an AWS account using SSO authentication
+- The repository must be named `communications-manager-api` to avoid potential root path issues
+
+## Steps
+
+The script performs the following steps:
+
+1. Remove mTLS if set, ensuring it is disabled if previously configured
+2. Create a new branch to contain changes to the proxy
+3. Update proxy files with the necessary configuration changes
+4. Stage, commit, and push changes to the remote repository
+
+## Usage
+
+```bash
+./scripts/repoint-frontend/repoint_frontend.sh <ticket ID> <environment>
+```
+
+e.g.
+```bash
+./scripts/repoint-frontend/repoint_frontend.sh 0000 de-todr3
+```
+
+Positional Arguments:
+
+- `ticket ID` Numeric ID of the ticket (e.g., '0000')
+- `environment` The environment identifier (e.g., 'de-todr3')
+
+Options:
+
+- `--help` | `-h` Display usage information and exit, outlining all available commands