@govuk-pay/cli 0.0.16 → 0.0.18

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@govuk-pay/cli",
-  "version": "0.0.16",
+  "version": "0.0.18",
   "description": "GOV.UK Pay Command Line Interface",
   "bin": {
     "pay": "bin/cli.js",
@@ -11,6 +11,9 @@
   "author": "",
   "license": "MIT",
   "dependencies": {
+    "@aws-sdk/client-ec2": "^3.641.0",
+    "@aws-sdk/client-ecs": "^3.637.0",
+    "@aws-sdk/client-rds": "^3.637.0",
     "openurl": "^1.1.1",
     "ts-standard": "^12.0.2"
   },

package/resources/legacy-ruby-cli/README.md

@@ -7,7 +7,7 @@
 ```
 cd $PRJ_ROOT/cli
 rbenv install
-rbenv exec gem install bundler
+gem install bundler
 bundle install
 ```
 
@@ -19,6 +19,14 @@ gem install nokogiri -v 1.8.4 -- --use-system-libraries=true --with-xml2-include
 
 then re-running `bundle install`)
 
+(if you receive an error relating to `nokogiri` try running:
+
+```
+gem install nokogiri -v 1.8.4 -- --use-system-libraries=true --with-xml2-include="$(xcrun --show-sdk-path)"/usr/include/libxml2
+```
+
+then re-running `bundle install`)
+
 ### add the following to your `.bash_profile`, `.bashrc`, or `.zshrc`
 
 In all of the following examples replace `~/Code/pay-infra` or `$HOME/Code/pay-infra` with the path where you have the
@@ -34,7 +42,7 @@ or if you want to avoid ruby version conflicts then you can instead use the foll
 ```
 function pay {
   pushd "$HOME/Code/pay-infra/cli" >>/dev/null 2>&1 || return
-  rbenv exec bundle exec bin/pay "$@"
+  bundle exec bin/pay "$@"
   popd  >>/dev/null 2>&1 || return
 }
 ```
@@ -140,4 +148,3 @@ You can run a single spec by adding the line number:
 ```
 bundle exec rspec spec/lib/pay_cli/commands/local/image_extractor_spec.rb:11
 ```
-

package/resources/legacy-ruby-cli/config/secrets.yml

@@ -1,40 +1,12 @@
 ---
-# secrets here will be looked up from pay-dev-pass
-# pay-dev-pass[env][service][secretname] = pay-dev-pass path
-pay-dev-pass:
-  deploy:
-    cd-pay-deploy:
-      pact-broker-password:             pact/pact_broker_password
-      pact-broker-username:             pact/pact_broker_username
-      pact-broker/pact-broker-password: pact/pact_broker_password
-      pact-broker/pact-broker-username: pact/pact_broker_username
-    cd-pay-dev:
-      pact-broker-password:         pact/pact_broker_password
-      pact-broker-username:         pact/pact_broker_username
-      pr-ci/pact-broker-username:   pact/pact_broker_username
-      pr-ci/pact-broker-password:   pact/pact_broker_password
-    pact-broker-auth:
-      pact-broker-basic-auth-password: pact/pact_broker_password
-      pact-broker-basic-auth-username: pact/pact_broker_username
-  test-12:
-    connector:
-      SANDBOX_AUTH_TOKEN:                                  notifications/test/sandbox_auth_token
-  test-perf-1:
-    connector:
-      SANDBOX_AUTH_TOKEN:                                  notifications/test/sandbox_auth_token
-  staging-2:
-    connector:
-      SANDBOX_AUTH_TOKEN:                                  notifications/staging/sandbox_auth_token
-  production-2:
-    connector:
-      SANDBOX_AUTH_TOKEN:                                  notifications/production/sandbox_auth_token
-    frontend:
-      GOOGLE_PAY_MERCHANT_ID:                              google_pay/merchant_identifier
-      GOOGLE_PAY_MERCHANT_ID_2:                            google_pay/merchant_identifier_2
 # secrets here will be looked up from pay-low-pass
 # pay-low-pass[env][service][secretname] = pay-low-pass path
 pay-low-pass:
   deploy:
+    worldpay_secure_file_gateway:
+      private-key: worldpay/secure_file_gateway/worldpay_secure_file_gateway.rsa
+      public-key: worldpay/secure_file_gateway/worldpay_secure_file_gateway.rsa.pub
+      passphrase: worldpay/secure_file_gateway/passphrase
     alb_and_s3_logging_pipeline:
       firehose_hec_token: splunk/firehose-hec-token
     amazon-managed-prometheus:
@@ -51,7 +23,13 @@ pay-low-pass:
       end-to-end/docker-access-token:            dockerhub/concourse-access-token
       github-access-token:                       alphagov-pay-ci-concourse/github.com-concourse-github-personal-access-token
       grafana-annotations-password:        concourse/grafana_annotations
+      pact-broker-password:                      pact/pact_broker_password
+      pact-broker-username:                      pact/pact_broker_username
+      pact-broker/pact-broker-password:          pact/pact_broker_password
+      pact-broker/pact-broker-username:          pact/pact_broker_username
       slack-notification-secret:             slack/notification-secret
+      internal-vulnerability-scan/jira-api-username: jira/concourse-ci/username
+      internal-vulnerability-scan/jira-api-token: jira/concourse-ci/internal-vulnerability-scan/api-token
     cd-pay-dev:
       docker-email:                        dockerhub/concourse-email
       docker-username:                     dockerhub/concourse-username
@@ -59,6 +37,8 @@ pay-low-pass:
       docker-access-token:                 dockerhub/concourse-access-token
       github-access-token:                 alphagov-pay-ci-concourse/github.com-concourse-github-personal-access-token
       grafana-annotations-password:        concourse/grafana_annotations
+      pact-broker-password:                pact/pact_broker_password
+      pact-broker-username:                pact/pact_broker_username
       pay-js-commons/github-access-token:  alphagov-pay-ci-concourse/github.com-concourse-github-personal-access-token
       pr-ci/github-access-token:           alphagov-pay-ci-concourse/github.com-concourse-github-personal-access-token
       slack-notification-secret:           slack/notification-secret
@@ -72,6 +52,9 @@ pay-low-pass:
       docker-password:                     dockerhub/concourse-password
       docker-access-token:                 dockerhub/concourse-access-token
       slack-notification-secret:           slack/notification-secret
+    pact-broker-auth:
+      pact-broker-basic-auth-password: pact/pact_broker_password
+      pact-broker-basic-auth-username: pact/pact_broker_username
   deploy-7:
     deploy:
       PAGER_DUTY_CLOUDWATCH_INTEGRATION_URL:          pager-duty/govuk-pay/amazon-cloudwatch-integration-url
@@ -110,17 +93,16 @@ pay-low-pass:
       WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_CERTIFICATE_SECONDARY:       apple_pay/worldpay/test/payment-processing-certificate-20230906
       WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_PRIVATE_KEY_SECONDARY:       apple_pay/worldpay/test/payment-processing-private-key-20230906 # pragma: allowlist secret
       SENTRY_DSN:                                                        sentry_io/connector_dsn
-    failwhale:
-      google-analytics-id: google-analytics/failwhale/test/google-analytics-id
+      SANDBOX_AUTH_TOKEN:                                                smoke-test-api-token/notifications/test_sandbox_auth_token
     frontend:
       SESSION_ENCRYPTION_KEY:                         ""
       SESSION_ENCRYPTION_KEY_2:                       ""
       WORLDPAY_APPLE_PAY_MERCHANT_ID:                 apple_pay/worldpay/test/merchant-id
-      WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE:     apple_pay/worldpay/test/merchant-id-certificate-20230905
-      WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY: apple_pay/worldpay/test/merchant-id-certificate-key-20230905
+      WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE:     apple_pay/worldpay/test/merchant-id-certificate-20240730
+      WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY: apple_pay/worldpay/test/merchant-id-certificate-key-20240730
       STRIPE_APPLE_PAY_MERCHANT_ID:                   apple_pay/stripe/test/merchant-id
-      STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE:       apple_pay/stripe/test/merchant-id-certificate-20230823
-      STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY:   apple_pay/stripe/test/merchant-id-certificate-key-20230823
+      STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE:       apple_pay/stripe/test/merchant-id-certificate-20240730
+      STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY:   apple_pay/stripe/test/merchant-id-certificate-key-20240730
       STRIPE_TEST_PUBLISHABLE_API_KEY:                stripe/test/test/publishable-api-key
       STRIPE_LIVE_PUBLISHABLE_API_KEY:                stripe/test/test/publishable-api-key
       SENTRY_DSN:                                     sentry/frontend_dsn
@@ -208,15 +190,16 @@ pay-low-pass:
       WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_CERTIFICATE_SECONDARY:       apple_pay/worldpay/test/payment-processing-certificate-20230906
       WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_PRIVATE_KEY_SECONDARY:       apple_pay/worldpay/test/payment-processing-private-key-20230906 # pragma: allowlist secret
       SENTRY_DSN:                                                        sentry_io/connector_dsn
+      SANDBOX_AUTH_TOKEN:                                                smoke-test-api-token/notifications/test_sandbox_auth_token
     frontend:
       SESSION_ENCRYPTION_KEY:                         ""
       SESSION_ENCRYPTION_KEY_2:                       ""
       WORLDPAY_APPLE_PAY_MERCHANT_ID:                 apple_pay/worldpay/test/merchant-id
-      WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE:     apple_pay/worldpay/test/merchant-id-certificate-20230905
-      WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY: apple_pay/worldpay/test/merchant-id-certificate-key-20230905
+      WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE:     apple_pay/worldpay/test/merchant-id-certificate-20240730
+      WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY: apple_pay/worldpay/test/merchant-id-certificate-key-20240730
       STRIPE_APPLE_PAY_MERCHANT_ID:                   apple_pay/stripe/test/merchant-id
-      STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE:       apple_pay/stripe/test/merchant-id-certificate-20230823
-      STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY:   apple_pay/stripe/test/merchant-id-certificate-key-20230823
+      STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE:       apple_pay/stripe/test/merchant-id-certificate-20240730
+      STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY:   apple_pay/stripe/test/merchant-id-certificate-key-20240730
       STRIPE_TEST_PUBLISHABLE_API_KEY:                stripe/test/test/publishable-api-key
       STRIPE_LIVE_PUBLISHABLE_API_KEY:                stripe/test/test/publishable-api-key
       SENTRY_DSN:                                     sentry/frontend_dsn
@@ -292,13 +275,6 @@ pay-low-pass:
       docker-username: dockerhub/concourse-username
       docker-access-token: dockerhub/concourse-access-token
       github-access-token: alphagov-pay-ci-concourse/github.com-concourse-github-personal-access-token
-    worldpay_secure_file_gateway:
-      private-key: worldpay/secure_file_gateway/worldpay_secure_file_gateway.rsa
-      public-key: worldpay/secure_file_gateway/worldpay_secure_file_gateway.rsa.pub
-      passphrase: worldpay/secure_file_gateway/passphrase
-  ci:
-    alb_and_s3_logging_pipeline:
-      firehose_hec_token: splunk/firehose-hec-token
   staging-2:
     adminusers:
       DB_PASSWORD:                                  aws/rds/application_users/staging/adminusers1
@@ -322,8 +298,7 @@ pay-low-pass:
       WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_CERTIFICATE_SECONDARY:       apple_pay/worldpay/test/payment-processing-certificate-20230906
       WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_PRIVATE_KEY_SECONDARY:       apple_pay/worldpay/test/payment-processing-private-key-20230906 # pragma: allowlist secret
       SENTRY_DSN:                                                        sentry_io/connector_dsn
-    failwhale:
-      google-analytics-id: google-analytics/failwhale/staging/google-analytics-id
+      SANDBOX_AUTH_TOKEN:                                                smoke-test-api-token/notifications/staging_sandbox_auth_token
     frontend:
       WORLDPAY_APPLE_PAY_MERCHANT_ID:                 apple_pay/worldpay/test/merchant-id
       WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE:     apple_pay/worldpay/test/merchant-id-certificate-20230905
@@ -418,19 +393,20 @@ pay-low-pass:
       WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_CERTIFICATE_SECONDARY:       apple_pay/worldpay/production/payment-processing-certificate-20230906
       WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_PRIVATE_KEY_SECONDARY:       apple_pay/worldpay/production/payment-processing-private-key-20230906 # pragma: allowlist secret
       SENTRY_DSN:                                                        sentry_io/connector_dsn
-    failwhale:
-      google-analytics-id: google-analytics/failwhale/production/google-analytics-id
+      SANDBOX_AUTH_TOKEN:                                                smoke-test-api-token/notifications/production_sandbox_auth_token
     frontend:
       WORLDPAY_APPLE_PAY_MERCHANT_ID:                 apple_pay/worldpay/production/merchant-id
-      WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE:     apple_pay/worldpay/production/merchant-id-certificate-20230906
-      WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY: apple_pay/worldpay/production/merchant-id-certificate-key-20230906
+      WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE:     apple_pay/worldpay/production/merchant-id-certificate-20240730
+      WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY: apple_pay/worldpay/production/merchant-id-certificate-key-20240730
       STRIPE_APPLE_PAY_MERCHANT_ID:                   apple_pay/stripe/production/merchant-id
-      STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE:       apple_pay/stripe/production/merchant-id-certificate-20230823
-      STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY:   apple_pay/stripe/production/merchant-id-certificate-key-20230823
+      STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE:       apple_pay/stripe/production/merchant-id-certificate-20240730
+      STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY:   apple_pay/stripe/production/merchant-id-certificate-key-20240730
       STRIPE_TEST_PUBLISHABLE_API_KEY:                stripe/production/test/publishable-api-key
       STRIPE_LIVE_PUBLISHABLE_API_KEY:                stripe/production/live/publishable-api-key
       SENTRY_DSN:                                     sentry/frontend_dsn
       SENTRY_CSP_REPORT_URI:                          sentry/frontend_csp_report_uri
+      GOOGLE_PAY_MERCHANT_ID:                         google_pay/merchant_identifier
+      GOOGLE_PAY_MERCHANT_ID_2:                       google_pay/merchant_identifier_2
     ledger:
       DB_PASSWORD:                                  aws/rds/application_users/production/ledger
       DB_SUPPORT_PASSWORD_READONLY:                 aws/rds/support_readonly_users/production/ledger_support_readonly # pragma: allowlist secret
@@ -496,23 +472,20 @@ pay-low-pass:
 # secrets here are just regular values
 # value[env][service][key] = value
 value:
-  ci-5:
-    terraform:
-      CHEF_ROLE: "build"
-      PERF_ENV: "false"
   deploy:
     cd-pay-deploy:
       pay_aws_deploy_account_id:        "424875624006"
       pay_aws_prod_account_id:          "092359438320"
+      pay_aws_production_account_id:    "092359438320"
       pay_aws_staging_account_id:       "888564216586"
       pay_aws_test_account_id:          "223851549868"
       pay-team-manual/github-username:  "alphagov-pay-ci-concourse"
+      internal-vulnerability-scan/jira-base-url: "https://payments-platform.atlassian.net"
     cd-pay-dev:
       pay_aws_deploy_account_id:  "424875624006"
       pay_aws_staging_account_id: "888564216586"
       pay_aws_test_account_id:    "223851549868"
       pay_aws_dev_account_id:     "673337093959"  # pragma: allowlist secret
-      pay_aws_ci_account_id:      "687320788729"  # pragma: allowlist secret
   dev-fg-1:
     terraform:
       PERF_ENV: "false"
@@ -640,8 +613,6 @@ value:
     products:
       DB_USER: "products"
       DB_SUPPORT_USER_READONLY: "products_support_readonly"
-    performance-slack:
-      SLACK_URI: "https://hooks.slack.com/services/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"
     toolbox:
       AUTH_GITHUB_VIEW_ONLY_TEAM_ID: "7196958"
       AUTH_GITHUB_USER_SUPPORT_TEAM_ID: "3304532"

package/resources/legacy-ruby-cli/config/service_secrets.yml

@@ -44,8 +44,6 @@ pact-broker:
 pact-broker-auth:
   - pact-broker-basic-auth-password
   - pact-broker-basic-auth-username
-failwhale:
-  - google-analytics-id
 frontend:
   - GOOGLE_PAY_MERCHANT_ID
   - GOOGLE_PAY_MERCHANT_ID_2
@@ -99,8 +97,6 @@ selfservice:
   - ZENDESK_USER
   - STRIPE_ACCOUNT_API_KEY
   - SENTRY_DSN
-performance-slack:
-  - SLACK_URI
 ledger:
   - DB_PASSWORD
   - DB_USER
@@ -135,12 +131,16 @@ cd-pay-deploy:
   - end-to-end/docker-access-token
   - github-access-token
   - grafana-annotations-password
+  - internal-vulnerability-scan/jira-api-username
+  - internal-vulnerability-scan/jira-api-token
+  - internal-vulnerability-scan/jira-base-url
   - pact-broker-username
   - pact-broker-password
   - pact-broker/pact-broker-password
   - pact-broker/pact-broker-username
   - pay_aws_deploy_account_id
   - pay_aws_prod_account_id
+  - pay_aws_production_account_id
   - pay_aws_staging_account_id
   - pay_aws_test_account_id
   - slack-notification-secret
@@ -156,12 +156,9 @@ cd-pay-dev:
   - pay_aws_deploy_account_id
   - pay_aws_staging_account_id
   - pay_aws_test_account_id
-  - pay_aws_ci_account_id
   - pay_aws_dev_account_id
   - pay-js-commons/github-access-token
   - pr-ci/github-access-token
-  - pr-ci/pact-broker-username
-  - pr-ci/pact-broker-password
   - slack-notification-secret
   - smartpay-expected-password
   - smartpay-expected-user

package/resources/legacy-ruby-cli/lib/pay_cli/commands/aws.rb

@@ -14,20 +14,6 @@ class PayCLI::Commands::Aws < Thor
     exit 0
   end
 
-  desc 'cli <account>', 'opens aws-shell with credentials for <account>'
-  def cli(account)
-    PayCLI::Environment.setup! account
-
-    STDERR.puts
-
-    pid = spawn(
-      'aws-shell',
-      in: STDIN, out: STDOUT, err: STDERR
-    )
-    Process.wait pid
-    exit $CHILD_STATUS.exitstatus
-  end
-
   desc 'cmd <account> <*args>',
        'runs args in aws with credentials for <account>'
   def cmd(account, *args)
@@ -40,12 +26,4 @@ class PayCLI::Commands::Aws < Thor
     Process.wait pid
     exit $CHILD_STATUS.exitstatus
   end
-
-  desc 'document_security_groups <env>',
-       'creates the documentation for the security groups for PCI for <env>'
-  def document_security_groups(account)
-    PayCLI::Environment.setup! account
-    PayCLI::Aws::Document.security_group_rules! account
-  end
-
 end

package/resources/legacy-ruby-cli/lib/pay_cli/commands/doctor.rb

@@ -118,7 +118,6 @@ class PayCLI::Commands::Doctor
 
   def check_aws!
     ensure_executable!("aws")
-    ensure_executable!("aws-shell")
   end
 
   def ensure_executable!(executable, instructions_if_missing = nil)

package/resources/legacy-ruby-cli/lib/pay_cli/commands/local/config.rb

@@ -33,6 +33,10 @@ module PayCLI::Commands::Local::Config
     @apps.select {|app| app[:name] == app_name}.map {|app| app[:proxy_port]}.first
   end
 
+  def self.can_use_egress_proxy(app_name)
+    @apps.select {|app| app[:name] == app_name}.first.fetch(:can_use_egress_proxy, false)
+  end
+
   def self.cluster( cluster, apps)
     apps.select {|app| app[:clusters].include?(cluster)}
   end

package/resources/legacy-ruby-cli/lib/pay_cli/commands/local/config.yaml

@@ -23,6 +23,7 @@ connector:
   port: 9300
   admin_port: 9301
   healthcheck: true
+  can_use_egress_proxy: true
   queues:
     AWS_SQS_CAPTURE_QUEUE_URL: pay_capture_queue
     AWS_SQS_PAYMENT_EVENT_QUEUE_URL: pay_event_queue
@@ -102,6 +103,7 @@ frontend:
   debug_port: 9001
   proxy_port: 29000
   healthcheck: true
+  can_use_egress_proxy: true
   clusters:
     - paymentlinks
     - card

package/resources/legacy-ruby-cli/lib/pay_cli/commands/local/docker.rb

@@ -4,6 +4,36 @@ module PayCLI::Commands::Local::Docker
     STDERR.puts " 💀 #{app}"
   end
 
+  def self.cleanup_old_network
+    if `docker network ls --format json --filter 'name=files_default' | wc -l`.chomp.strip != "0"
+      STDERR.puts "Cleaning up old docker network 'files_default'"
+      STDERR.puts `docker network rm files_default`
+    end
+  end
+
+  def self.remove_network
+    cleanup_old_network
+
+    STDERR.print " 💀 network -- "
+
+    if `docker network ls --format json --filter 'name=pay_local_mimic_aws_vpc' | wc -l`.chomp.strip == "0"
+      STDERR.puts "No networks to remove"
+      return
+    end
+
+    STDERR.puts `docker network rm pay_local_mimic_aws_vpc 2>/dev/null`
+  end
+
+  def self.restart(cluster, app_name)
+    STDERR.puts "😅  restarting #{app_name}"
+
+    puts `docker compose -f #{compose_file cluster} restart #{app_name}`
+  end
+
+  def self.compose_file_exists_for_cluster?(cluster)
+    File.file?(compose_file cluster)
+  end
+
   def self.write_compose_file(cluster, binding)
     compose_file = compose_file cluster
 
@@ -16,15 +46,15 @@ module PayCLI::Commands::Local::Docker
   end
 
   def self.pull(cluster)
-    `docker-compose -f #{compose_file cluster} pull`
+    `docker compose -f #{compose_file cluster} pull`
   end
 
   def self.up(cluster)
-    `docker-compose -f #{compose_file cluster} up --detach`
+    `docker compose -f #{compose_file cluster} up --detach`
   end
 
   def self.down(cluster)
-    `docker-compose --log-level ERROR -f #{compose_file cluster} down`
+    `docker compose -f #{compose_file cluster} down`
   end
 
   def self.compose_file(cluster)