Chore add common hmrc resource sar #244 (Draft)

jkunle wants to merge 5 commits into main from chore-add-common-hmrc-resource-sar
Conversation
The `CriIdentifier` parameter is used to find out which HMRC CRI stack is about to use the common resources. The following conditions will be true depending on whether the Check API or HMRC KBV API stack used the common stack:

- `IsCriHmrcCheckApi` - This condition will be used to check if a resource can be deployed for the Check HMRC CRI API
- `IsCriHmrcKbvApi` - This condition will be used to check if a resource can be deployed for the HMRC KBV API CRI
- `IsAnyCriHmrcApi` - This condition will be used to check if either the Check or KBV HMRC is deployed against common, allowing those resources for which the condition is true to be deployed for either the Check or KBV HMRC API
- `IsCSLSDisabled` - is re-written to use `IsCriHmrcCheckApi` and `IsCriHmrcKbvApi` to minimize repetition

The issue credential builder step function generates the VC structure. This would be called by the HMRC credential issuers with the following parameters:

- `type`: an optional parameter; when not passed, defaults to `IdentityCheckCredential`
- `sessionId`: required, the sessionId for the request
- `subject`: required, the value for the `sub` claim on the VC
- `credentialSubject`: required, the CredentialSubject, usually different among CRIs
- `evidence`: evidence is calculated by the CRI and usually varies depending on the CRI

Issue credential builder requires a lambda to calculate the expiryDate (`exp`) and not before (`nbf`) claims of the VC. The Max JWT TTL and the JWT TTL Unit AWS parameters are CRI specific; these parameters are created by the HMRC CRI stacks, however the parameter paths have been altered. See the name section:

```yaml
MaxJwtTtlParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Name: !Sub "/${CriIdentifier}/${CommonStackName}/MaxJwtTtl"
    Type: String
    Value: !FindInMap [MaxJwtTtlMapping, Environment, !Ref "Environment"]
    Description: default time to live for a JWT in (seconds)
JwtTtlUnitParameter:
  Type: AWS::SSM::Parameter
  Properties:
    Name: !Sub "/${CriIdentifier}/${CommonStackName}/JwtTtlUnit"
    Type: String
    Value: !FindInMap [JwtTtlUnitMapping, Environment, !Ref Environment]
    Description: The unit for the time-to-live for a JWT e.g. (MONTHS)
```

| Parameter | CURRENT | NEW |
| --- | --- | --- |
| `MaxJwtTtlParameter` | `!Sub "/${AWS::StackName}/MaxJwtTtl"` | `!Sub "/${CriIdentifier}/${AWS::StackName}/MaxJwtTtl"` |
| `JwtTtlUnitParameter` | `!Sub "/${AWS::StackName}/JwtTtlUnit"` | `!Sub "/${CriIdentifier}/${AWS::StackName}/JwtTtlUnit"` |

Note: CURRENT is how the paths are specified in the CRI `template.yaml`, as it is not possible to know the stack name of the CRI stack before the common stack is deployed. The NEW way uses `CriIdentifier` in combination with the common stack name. For instance, if the common stack is `ola-common-cri-api`, the new paths would be:

For HMRC KBV
- `MaxJwtTtlParameter`: `/di-ipv-cri-kbv-hmrc-api/ola-common-cri-api/MaxJwtTtl`
- `JwtTtlUnitParameter`: `/di-ipv-cri-kbv-hmrc-api/ola-common-cri-api/JwtTtlUnit`

For CHECK HMRC
- `MaxJwtTtlParameter`: `/di-ipv-cri-hmrc-check-api/ola-common-cri-api/MaxJwtTtl`
- `JwtTtlUnitParameter`: `/di-ipv-cri-hmrc-check-api/ola-common-cri-api/JwtTtlUnit`

Finally, the value of the ARN of the builder step function is exported:

```yaml
!Sub ${AWS::StackName}-IssueCredentialBuilderArn
```

This value would be imported by the HMRC CRI's parent step function as follows:

```yaml
IssueCredentialBuilderStateMachine: !ImportValue
  Fn::Sub: ${CommonStackName}-IssueCredentialBuilderArn
```
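The following is an added illustration, not the PR's own template, of how the pieces in the description fit together in one common-stack template and in a consuming CRI stack: the `CriIdentifier` parameter, the three conditions gating resources, the namespaced SSM parameter paths, and the exported/imported builder ARN. The condition bodies, `AllowedValues`, mapping values, the minimal state machine definition, the IAM policy and the consumer's `DefinitionUri` are assumptions; the parameter names, SSM paths and export name are those given in the description.

```yaml
# Added example (not the PR's template). Assumptions are marked as such.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31

Parameters:
  CriIdentifier:
    Type: String
    Description: Which HMRC CRI stack is consuming the common resources
    AllowedValues:   # assumption: reject anything other than the two known consumers
      - di-ipv-cri-hmrc-check-api
      - di-ipv-cri-kbv-hmrc-api
  Environment:
    Type: String
    AllowedValues: [dev, build, staging, integration, production]   # assumption

Mappings:
  # Placeholder values; the real per-environment TTLs live in the project.
  MaxJwtTtlMapping:
    Environment: { dev: "6", build: "6", staging: "6", integration: "6", production: "6" }
  JwtTtlUnitMapping:
    Environment: { dev: MONTHS, build: MONTHS, staging: MONTHS, integration: MONTHS, production: MONTHS }

Conditions:
  # Assumed bodies: the description names the conditions but does not show them.
  IsCriHmrcCheckApi: !Equals [!Ref CriIdentifier, di-ipv-cri-hmrc-check-api]
  IsCriHmrcKbvApi: !Equals [!Ref CriIdentifier, di-ipv-cri-kbv-hmrc-api]
  IsAnyCriHmrcApi: !Or [!Condition IsCriHmrcCheckApi, !Condition IsCriHmrcKbvApi]

Resources:
  # Paths are namespaced by CriIdentifier, so a Check and a KBV deployment
  # against a common stack of the same name never write the same SSM name.
  MaxJwtTtlParameter:
    Type: AWS::SSM::Parameter
    Condition: IsAnyCriHmrcApi
    Properties:
      Name: !Sub "/${CriIdentifier}/${AWS::StackName}/MaxJwtTtl"
      Type: String
      Value: !FindInMap [MaxJwtTtlMapping, Environment, !Ref Environment]
      Description: default time to live for a JWT (seconds)
  JwtTtlUnitParameter:
    Type: AWS::SSM::Parameter
    Condition: IsAnyCriHmrcApi
    Properties:
      Name: !Sub "/${CriIdentifier}/${AWS::StackName}/JwtTtlUnit"
      Type: String
      Value: !FindInMap [JwtTtlUnitMapping, Environment, !Ref Environment]
      Description: The unit for the time-to-live for a JWT e.g. MONTHS

  # Assumed least-privilege policy for the lambda that computes exp/nbf: it may
  # read only its own CRI's prefix under this stack, not another CRI's TTLs.
  JwtTtlReadPolicy:
    Type: AWS::IAM::ManagedPolicy
    Condition: IsAnyCriHmrcApi
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: ssm:GetParameter
            Resource: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${CriIdentifier}/${AWS::StackName}/*"

  # Stand-in for the real builder: a single Pass state so the template is
  # deployable. SAM creates the execution role when none is given.
  IssueCredentialBuilderStateMachine:
    Type: AWS::Serverless::StateMachine
    Properties:
      Definition:
        StartAt: BuildVc
        States:
          BuildVc:
            Type: Pass
            End: true

Outputs:
  IssueCredentialBuilderArn:
    Value: !GetAtt IssueCredentialBuilderStateMachine.Arn
    Export:
      Name: !Sub ${AWS::StackName}-IssueCredentialBuilderArn
---
# Consumer side (an HMRC CRI stack, separate template): import the builder ARN
# by its export name and pass it to the parent state machine as a substitution.
Parameters:
  CommonStackName:
    Type: String
Resources:
  ParentStateMachine:
    Type: AWS::Serverless::StateMachine
    Properties:
      DefinitionUri: step-functions/parent.asl.json   # assumption
      DefinitionSubstitutions:
        IssueCredentialBuilderStateMachine: !ImportValue
          Fn::Sub: ${CommonStackName}-IssueCredentialBuilderArn
```

Two points worth checking when reviewing a template shaped like this: a resource that should exist for only one of the two CRIs carries `Condition: IsCriHmrcCheckApi` or `Condition: IsCriHmrcKbvApi` rather than `IsAnyCriHmrcApi`, and because `Fn::ImportValue` resolves at deploy time, the common stack must already be deployed with the matching export name before the consuming CRI stack is created or updated.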
jkunle had a problem deploying to di-ipv-cri-dev on November 10, 2023 09:15 with GitHub Actions: Failure
This is an example of using AWS Serverless Application Repository as a mechanism for sharing AWS serverless resources with specific accounts; there are other sharing modes.

> Privately shared – Applications that the publisher has explicitly shared with a specific set of AWS accounts, or with AWS accounts in an AWS organization. Consumers have permission to deploy applications that have been shared with their AWS account or AWS organization. For more information about AWS organizations

Consumers implement this as a nested resource in their template:

The definition below can be copied from the "Copy as SAM resource" button under Applications.
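As an added illustration (not the definition copied from the console, and not the project's own template), this is the shape of a consumer template that embeds a privately shared SAR application as a nested `AWS::Serverless::Application` resource. The `ApplicationId` ARN, `SemanticVersion` and parameter values are placeholders.

```yaml
# Added example. ApplicationId, SemanticVersion and parameter values are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31

Parameters:
  Environment:
    Type: String
    Default: dev

Resources:
  CommonCriApi:
    Type: AWS::Serverless::Application
    Properties:
      Location:
        # Placeholder ARN of the privately shared application. The publisher
        # account (123456789012 here) must have shared it with this account or
        # its organization, otherwise the nested stack fails to create.
        ApplicationId: arn:aws:serverlessrepo:eu-west-2:123456789012:applications/common-cri-api
        # Pin an exact version: a newer publication in the publisher's account
        # should not change what deploys here without a change to this template.
        SemanticVersion: 1.0.0
      Parameters:
        # Parameters of the nested (common) stack; values are placeholders.
        CriIdentifier: di-ipv-cri-hmrc-check-api
        Environment: !Ref Environment

Outputs:
  # Outputs of a nested application are read as <LogicalId>.Outputs.<OutputName>,
  # so the consumer can reach the builder ARN without Fn::ImportValue.
  IssueCredentialBuilderArn:
    Value: !GetAtt CommonCriApi.Outputs.IssueCredentialBuilderArn
```

When the common resources are pulled in this way, the nested stack's name is generated by CloudFormation rather than chosen by the consumer, so anything that needs the common stack name (such as an SSM path built from it) has to take that name from the nested stack's outputs rather than from a value fixed ahead of deployment.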