Feature/eli 702 code signing#647
Conversation
Pull request overview
This PR introduces Lambda code-signing configuration and updates the deployment workflow to support signing during promotions, with the aim of enforcing code signing in lower environments.
Changes:
- Add conditional attachment of an AWS Lambda Code Signing Config based on environment.
- Pass an environments_with_signing list from the api-layer stack into the Lambda module.
- Extend the base deploy GitHub Actions workflow to sign artifacts during preprod deployments and adjust job structure (separate preprod/prod deploy jobs).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| infrastructure/stacks/api-layer/lambda.tf | Wires environments_with_signing into the lambda module and exposes signing profile output for workflows. |
| infrastructure/modules/lambda/variables.tf | Adds environments_with_signing module input to control when code signing config is attached. |
| infrastructure/modules/lambda/lambda.tf | Conditionally attaches code_signing_config_arn to the Lambda function. |
| .github/workflows/base-deploy.yml | Adds a preprod signing job and splits deploy into preprod/prod flows; updates dependencies accordingly. |
| stack_name = local.stack_name | ||
| provisioned_concurrency_count = 5 | ||
| api_domain_name = local.api_domain_name | ||
| environments_with_signing = ["test", "preprod"] | ||
| } |
environments_with_signing includes preprod, which will attach a code signing config to the Lambda in preprod. Given this PR’s description says preprod should sign but not enforce, this appears to enable enforcement in preprod as well (the module’s signing policy is set to Enforce). Consider removing preprod from this list, or introducing a separate flag/setting to sign in preprod without enforcing untrusted artifacts.
I decided to enforce preprod at the same time as this PR, as the pre-requisite step of deploying the signing infrastructure has already been done.
| code_signing_config_arn = contains(var.environments_with_signing, var.environment) ? aws_lambda_code_signing_config.signing_config.arn : null | ||
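Review bot: the false branch of the ternary on this line sets code_signing_config_arn to null, so removing an environment from var.environments_with_signing silently detaches an already-attached signing config on the next apply and switches enforcement off for that environment. Since this single list is the lever for enforcement, consider adding a comment on the variable stating that, and a plan-time guard (for example a validation block on environments_with_signing, or a required reviewer on changes to that list) so that weakening enforcement is always an explicit, reviewed change rather than a side effect of editing a list.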
code_signing_config_arn is conditionally set based on environments_with_signing, but the code signing config created by this module uses untrusted_artifact_on_deployment = "Enforce". With the current stack passing preprod into environments_with_signing, this will enforce signing in preprod too, which conflicts with the PR description (“sign but do not enforce”). A common approach is to either (a) only attach the config in enforced environments, or (b) make the signing policy configurable per environment (e.g., Warn vs Enforce).
I decided to enforce preprod at the same time as this PR, as the pre-requisite step of deploying the signing infrastructure has already been done.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
ayeshalshukri1-nhs
left a comment
This looks good to me.
I just want to check, will this be deployed for prod once preprod is tested/working etc?
Yep, there'll be another ticket to merge in the prod workflow change (PR already created, but need to think of timing!)
From: ayeshalshukri1-nhs ***@***.***>
Sent: 28 April 2026 14:27
To: NHSDigital/eligibility-signposting-api ***@***.***>
Cc: ALMOND, Edd (NHS ENGLAND) ***@***.***>; Review requested ***@***.***>
Subject: Re: [NHSDigital/eligibility-signposting-api] Feature/eli 702 code signing (PR #647)
@ayeshalshukri1-nhs approved this pull request.
Description
This PR will enforce code signing on the test environment, but no others at the moment.
It will also alter the base deploy script so that for preprod deployments we do the signing but do not enforce it, and we do not do it for prod.
Before this workflow change can be tested we need to do a preprod deployment so that the signing resources are available.
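The per-environment split described above (enforce in test, sign without enforcing in preprod, nothing in prod) can be expressed as a single map input rather than a list, which is the "make the policy configurable per environment" option raised in review. This is an added illustration, not the repository's module: the variable name signing_policy_by_environment, the resource names and the role/handler values are assumptions.

```hcl
# Added example, not the project's own module. Maps each environment to a
# Lambda code signing policy; environments absent from the map get no config.
variable "environment" {
  type = string
}

variable "lambda_role_arn" {
  type = string # assumed to be supplied by the calling stack
}

# "Enforce" rejects unsigned or untrusted artifacts at deploy time;
# "Warn" records a warning but lets the deployment through.
variable "signing_policy_by_environment" {
  type = map(string)
  default = {
    test    = "Enforce"
    preprod = "Warn"
  }
  validation {
    condition     = alltrue([for p in values(var.signing_policy_by_environment) : contains(["Warn", "Enforce"], p)])
    error_message = "Each signing policy must be either Warn or Enforce."
  }
}

locals {
  signing_policy  = lookup(var.signing_policy_by_environment, var.environment, null)
  signing_enabled = local.signing_policy != null
}

# Signer profile whose signatures the Lambda service will trust.
resource "aws_signer_signing_profile" "lambda" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "example_lambda_"
}

# Only created in environments that appear in the map, so prod has no
# config to attach and no enforcement decision to make.
resource "aws_lambda_code_signing_config" "signing_config" {
  count = local.signing_enabled ? 1 : 0
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.lambda.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = local.signing_policy
  }
}

resource "aws_lambda_function" "api" {
  function_name           = "example-api-${var.environment}"
  role                    = var.lambda_role_arn
  handler                 = "app.handler"
  runtime                 = "python3.12"
  filename                = "lambda.zip"
  code_signing_config_arn = local.signing_enabled ? aws_lambda_code_signing_config.signing_config[0].arn : null
}
```

With this shape, moving an environment from Warn to Enforce is a one-word change in the map that shows up clearly in the plan, and the validation block rejects any other value before apply.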