# HMRC KBV Credential Issuer

Build with `./gradlew`.
See the onboarding guide for instructions on how to set up the following command line interfaces (CLIs):

- `aws` cli
- `aws-vault`
- `sam` cli
Any time you wish to deploy, run:

```sh
aws-vault exec hmrc-kbv-dev -- ./deploy.sh <unique-stack-name>
```
The stack name must be unique to you and is created by you in the deploy step above. To tear it down, type `yes` when prompted to delete the stack and the folders in the S3 bucket. The command to run is:

```sh
aws-vault exec hmrc-kbv-dev -- sam delete --config-env dev --stack-name <unique-stack-name>
```
Run the tests with:

```sh
npm run test
```

From within the `integration-tests` directory:

```sh
AWS_REGION="eu-west-2" PARAMETER_PREFIX="kbv-hmrc-cri-api" STACK_NAME="<unique-stack-name>" aws-vault exec hmrc-kbv-dev npm run unit:aws
```

From within the `feature-tests` directory, configure the `.env` file as required for your stack, then run:

```sh
tagFilter=@pre-merge npm test
```
Completely optionally, there is a `.pre-commit-config.yaml` configuration set up in this repo. It uses pre-commit to verify your commit before actually committing, and runs the following checks:

- Checks JSON files for formatting issues
- Fixes end-of-file issues (it will auto-correct if it spots an issue; you will need to run the `git commit` again after it has fixed the issue)
- Automatically removes trailing whitespace (again, you will need to run the commit again after it detects and fixes the issue)
- Detects AWS credentials or private keys accidentally added to the repo
- Runs the CloudFormation linter and reports issues
- Runs checkov and checks for any issues
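As an added illustration (not the repository's own `.pre-commit-config.yaml`), this is how the checks listed above map onto pre-commit hooks. The hook repository URLs, the `--allow-missing-credentials` argument and the `files` filter are assumptions, and the `<rev>` values are placeholders that `pre-commit autoupdate` replaces with pinned tags.

```yaml
# Added example, not the repository's own .pre-commit-config.yaml.
# Repository URLs are assumptions; replace each <rev> by running `pre-commit autoupdate`.
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: <rev>
    hooks:
      - id: check-json              # Check JSON files for formatting issues
      - id: end-of-file-fixer       # Fix end-of-file issues (auto-corrects; re-run the commit)
      - id: trailing-whitespace     # Remove trailing whitespace (auto-corrects; re-run the commit)
      - id: detect-aws-credentials  # Detect AWS credentials accidentally added to the repo
        args: [--allow-missing-credentials]  # assumed: do not fail when no local AWS credentials file exists
      - id: detect-private-key      # Detect private keys accidentally added to the repo
  - repo: https://github.com/aws-cloudformation/cfn-lint
    rev: <rev>
    hooks:
      - id: cfn-python-lint         # CloudFormation linter (same hook id as in the commit output below)
        files: template\.yaml$      # assumed narrowing: only lint CloudFormation templates, not every YAML file
  - repo: https://github.com/bridgecrewio/checkov
    rev: <rev>
    hooks:
      - id: checkov                 # Infrastructure-as-code security checks
```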
To use this locally you will first need to install the dependencies; this can be done in one of two ways.

Run the following in a terminal (this should work across platforms):

```sh
sudo -H pip3 install checkov pre-commit cfn-lint
```

Or, if you have brew installed, run the following:

```sh
brew install pre-commit ;\
brew install cfn-lint ;\
brew install checkov
```

Once installed, run:

```sh
pre-commit install
```

To update the versions of the various pre-commit plugins, run:

```sh
pre-commit autoupdate && pre-commit install
```

This will install and configure the pre-commit git hooks. If a hook detects an issue while committing, it will produce output like the following:
```
git commit -a
check json...........................................(no files to check)Skipped
fix end of files.........................................................Passed
trim trailing whitespace.................................................Passed
detect aws credentials...................................................Passed
detect private key.......................................................Passed
AWS CloudFormation Linter................................................Failed
- hook id: cfn-python-lint
- exit code: 4
W3011 Both UpdateReplacePolicy and DeletionPolicy are needed to protect Resources/PublicHostedZone from deletion
core/deploy/dns-zones/template.yaml:20:3
Checkov..............................................(no files to check)Skipped
- hook id: checkov
```
To remove the pre-commit hooks, should there be an issue, run:

```sh
pre-commit uninstall
```

Run `detect-secrets scan --baseline .secrets.baseline` to check for potential leaked secrets. Use the keyword and secret exclusion lists in the baseline file to prevent the utility from flagging specific strings.