Chore add common hmrc resource sar #244

Draft
wants to merge 5 commits into
base: main
Conversation

jkunle (Contributor) commented Nov 10, 2023

This is an example of using AWS Serverless Application Repository as a mechanism for sharing AWS serverless resources with specific accounts; there are other sharing modes.

Privately shared – Applications that the publisher has explicitly shared with a specific set of AWS accounts, or with AWS accounts in an AWS organization. Consumers have permission to deploy applications that have been shared with their AWS account or AWS organization. For more information about AWS organizations

Consumers implement this as a nested resource in their template.
The definition below can be copied using the "Copy as SAM resource" button under Applications:

  commonvcapplication:
    Type: AWS::Serverless::Application
    Properties:
      Location:
        ApplicationId: arn:aws:serverlessrepo:eu-west-2:562670266496:applications/common-vc-application
        SemanticVersion: 0.1.0
      Parameters:
        # Jwt Ttl Unit
        JwtTtlUnitParameterName: YOUR_VALUE
        # Max Jwt Ttl
        MaxJwtTtlParameterName: YOUR_VALUE
        # Session Table Name
        SessionTableName: YOUR_VALUE
        # Verifiable Credential Issuer Parameter Name
        VerifiableCredentialIssuerName: YOUR_VALUE
        # Verifiable Credential Kms Signing KeyId Parameter Name
        VerifiableCredentialKmsSigningKeyIdName: YOUR_VALUE

The CriIdentifier parameter is used to find out which HMRC CRI stack is about
to use the common resources. The following conditions will be true depending
on whether the Check Api or HMRC Kbv Api stack used the common stack:

IsCriHmrcCheckApi - This condition will be used to check if a resource can be
                    deployed for the Check HMRC CRI Api
IsCriHmrcKbvApi - This condition will be used to check if a resource can be
                  deployed for the HMRC KBV Api CRI
IsAnyCriHmrcApi - This condition will be used to check if either the Check
                  or KBV HMRC is deployed against common, allowing those
                  resources for which the condition is true to be deployed
                  for either the Check or KBV HMRC Api
IsCSLSDisabled - is re-written to use IsCriHmrcCheckApi and IsCriHmrcKbvApi
                 to minimize repetition
The issue credential builder step function generates the VC structure.
This would be called by the HMRC credential issuers with the following
parameters:
    type: optional; when not passed, defaults to IdentityCheckCredential
    sessionId: required; the sessionId for the request
    subject: required; the value for the `sub` claim on the VC
    credentialSubject: required; the CredentialSubject, usually different among CRIs
    evidence: calculated by the CRI; usually varies depending on the CRI

The issue credential builder requires a lambda to calculate the expiry date (exp)
and not before (nbf) claims of the VC.

The Max JWT TTL and the JWT TTL Unit AWS parameters are CRI specific. These
parameters are created by the HMRC CRI stacks; however, the parameter paths
have been altered (see the Name section below):

  MaxJwtTtlParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "/${CriIdentifier}/${CommonStackName}/MaxJwtTtl"
      Type: String
      Value: !FindInMap [MaxJwtTtlMapping, Environment, !Ref Environment]
      Description: default time to live for a JWT (in seconds)

  JwtTtlUnitParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub "/${CriIdentifier}/${CommonStackName}/JwtTtlUnit"
      Type: String
      Value: !FindInMap [JwtTtlUnitMapping, Environment, !Ref Environment]
      Description: The unit for the time-to-live for a JWT, e.g. MONTHS

                        CURRENT                                      NEW
MaxJwtTtlParameter:  !Sub "/${AWS::StackName}/MaxJwtTtl"  !Sub "/${CriIdentifier}/${AWS::StackName}/MaxJwtTtl"
JwtTtlUnitParameter: !Sub "/${AWS::StackName}/JwtTtlUnit" !Sub "/${CriIdentifier}/${AWS::StackName}/JwtTtlUnit"

Note: CURRENT is how the paths are specified in the CRI template.yaml, as it is not possible
to know the stack name of the CRI stack before the common stack is deployed. The NEW way
uses `CriIdentifier` in combination with the common stack name.
For instance, if the common stack is ola-common-cri-api, the new paths would be:

For HMRC KBV
MaxJwtTtlParameter: /di-ipv-cri-kbv-hmrc-api/ola-common-cri-api/MaxJwtTtl
JwtTtlUnitParameter: /di-ipv-cri-kbv-hmrc-api/ola-common-cri-api/JwtTtlUnit

For CHECK HMRC
MaxJwtTtlParameter: /di-ipv-cri-hmrc-check-api/ola-common-cri-api/MaxJwtTtl
JwtTtlUnitParameter: /di-ipv-cri-hmrc-check-api/ola-common-cri-api/JwtTtlUnit
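As an added illustration (not code from this PR or the project), here is how the CriIdentifier conditions and the CRI-scoped SSM parameter paths described above could fit together in the common stack's template. The two CriIdentifier values are assumed from the example paths above, the environment names and TTL values are constructed samples, and the AllowedValues list is an addition so that an unrecognised identifier fails validation at deploy time instead of silently creating parameters under an unexpected path.

```yaml
Parameters:
  Environment:
    Type: String
    AllowedValues: [dev, production]   # assumed environment names
  CriIdentifier:
    Type: String
    Description: Which HMRC CRI stack is consuming this common stack
    # Assumed identifiers, taken from the example parameter paths in the
    # PR description. Restricting the values keeps every deployable path
    # under a known prefix; any other value is rejected by CloudFormation.
    AllowedValues:
      - di-ipv-cri-hmrc-check-api
      - di-ipv-cri-kbv-hmrc-api

Mappings:
  MaxJwtTtlMapping:
    Environment:
      dev: "2"            # constructed sample TTL values
      production: "6"
  JwtTtlUnitMapping:
    Environment:
      dev: MONTHS
      production: MONTHS

Conditions:
  IsCriHmrcCheckApi: !Equals [!Ref CriIdentifier, di-ipv-cri-hmrc-check-api]
  IsCriHmrcKbvApi: !Equals [!Ref CriIdentifier, di-ipv-cri-kbv-hmrc-api]
  IsAnyCriHmrcApi: !Or [!Condition IsCriHmrcCheckApi, !Condition IsCriHmrcKbvApi]

Resources:
  MaxJwtTtlParameter:
    Type: AWS::SSM::Parameter
    Condition: IsAnyCriHmrcApi   # created for either HMRC CRI, never otherwise
    Properties:
      Name: !Sub "/${CriIdentifier}/${AWS::StackName}/MaxJwtTtl"
      Type: String
      Value: !FindInMap [MaxJwtTtlMapping, Environment, !Ref Environment]
      Description: Time to live for a JWT, in the unit given by JwtTtlUnit

  JwtTtlUnitParameter:
    Type: AWS::SSM::Parameter
    Condition: IsAnyCriHmrcApi
    Properties:
      Name: !Sub "/${CriIdentifier}/${AWS::StackName}/JwtTtlUnit"
      Type: String
      Value: !FindInMap [JwtTtlUnitMapping, Environment, !Ref Environment]
      Description: Unit for MaxJwtTtl, e.g. MONTHS
```

Deploying with CriIdentifier=di-ipv-cri-kbv-hmrc-api yields the /di-ipv-cri-kbv-hmrc-api/<common-stack>/MaxJwtTtl path shown above; a resource that should exist for only one CRI would carry Condition: IsCriHmrcKbvApi or Condition: IsCriHmrcCheckApi instead.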

Finally, the ARN of the builder step function is exported as:

!Sub ${AWS::StackName}-IssueCredentialBuilderArn

This value would be imported by the HMRC CRI's parent step function as follows:

IssueCredentialBuilderStateMachine: !ImportValue
    Fn::Sub: ${CommonStackName}-IssueCredentialBuilderArn