theopensystemslab · jessicamcinchak · Oct 15, 2024 · Oct 14, 2024 · Oct 14, 2024 · Oct 15, 2024
diff --git a/api.planx.uk/package.json b/api.planx.uk/package.json
@@ -11,7 +11,7 @@
   },
   "dependencies": {
     "@airbrake/node": "^2.1.8",
-    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#6a83682",
+    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#e73d702",
     "@types/isomorphic-fetch": "^0.0.36",
     "adm-zip": "^0.5.10",
     "aws-sdk": "^2.1467.0",

diff --git a/api.planx.uk/pnpm-lock.yaml b/api.planx.uk/pnpm-lock.yaml
diff --git a/doc/how-to/how-to-add-a-secret.md b/doc/how-to/how-to-add-a-secret.md
@@ -9,13 +9,13 @@ This guide will demonstrate how to -
 
 ## Process
 
-**Setup**
+### Setup
 1. Generate a secret [using the existing process](how-to-generate-a-secret.md), or obtain one from a third-party integration
 2. Add to your local `.env` file for local development
    - Note: This file is never checked into our public repository and is listed in our `.gitignore` config
 3. Document the secret in `.env.example`
 
-**Docker Environments (Local development + Pizza environments)**
+### Docker Environments (Local development + Pizza environments)
 To pass a secret into our Docker Compose setup you will need to map it into the relevant container in `docker-compose.yml`. For example - 
 
 ```yml
@@ -35,7 +35,7 @@ When building Pizza environments for testing, GitHub actions access secrets via
 > Please be aware that if you are rotating secrets this may affect existing Pizzas which will need to be rebuilt. This can be done manually in GitHub by re-running the latest action associated with affected PRs.
 
 
-**AWS / Pulumi Environments (Staging + Production environments)**
+### AWS / Pulumi Environments (Staging + Production environments)
 Secrets for Staging and Production environment are not handled in `.env` files, and are set directly in Pulumi, our Infrastruture as Code (IaC) platform.
 
 These values are set using the [Pulumi CLI](https://www.pulumi.com/docs/reference/cli/)

diff --git a/doc/how-to/how-to-add-a-team-secret.md b/doc/how-to/how-to-add-a-team-secret.md
@@ -0,0 +1,30 @@
+# How to add a team secret
+This document describes our processes for adding a new team secret to the PlanX application, e.g. Gov Pay API keys.
+
+This guide will demonstrate how to - 
+ - Encrypt a secret
+ - Store the encrypted secret in our database
+ - Verify that the encrypted secret matches the decrypted/raw version
+
+## Process
+
+### Obtain the secret
+1. Get the raw secret, e.g. you might have been sent it in an email from a council officer.
+
+### Get the encryption key
+1. In `/infrastructure/application`, run `pulumi config get encryption-key --stack production`.
+2. This should output the encryption key in the terminal.
+
+### Encrypt the secret
+1. In `/scripts/encrypt`, run the encryption script using the encryption key and raw secret that you obtained in the previous steps: `pnpm encrypt <encryption-key> <secret>`.
+2. This should output the encrypted secret in the terminal.
+3. It is useful to double check that the encryption was successful by running the decryption script and checking you get the same secret back: `pnpm decrypt <encryption-key> <encrypted_secret>`.
+
+### Update the database with the encrypted secret
+1. Go to our [production Hasura instance](hasura.editor.planx.uk).
+2. In the `team_integrations` table, find the row for the relevant team and paste the encrypted secret into the correct field (e.g. `production_govpay_secret`). 
+3. Press save!
+
+### Test
+
+You should now prompt the team representative (e.g. council officer) to test that the secret has been successfully updated, e.g. test a flow with GovPay.
diff --git a/e2e/tests/api-driven/package.json b/e2e/tests/api-driven/package.json
@@ -7,7 +7,7 @@
   "packageManager": "[email protected]",
   "dependencies": {
     "@cucumber/cucumber": "^9.3.0",
-    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#6a83682",
+    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#e73d702",
     "axios": "^1.7.4",
     "dotenv": "^16.3.1",
     "dotenv-expand": "^10.0.0",

diff --git a/e2e/tests/api-driven/pnpm-lock.yaml b/e2e/tests/api-driven/pnpm-lock.yaml
diff --git a/e2e/tests/ui-driven/package.json b/e2e/tests/ui-driven/package.json
@@ -8,7 +8,7 @@
     "postinstall": "./install-dependencies.sh"
   },
   "dependencies": {
-    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#6a83682",
+    "@opensystemslab/planx-core": "git+https://github.com/theopensystemslab/planx-core#e73d702",
     "axios": "^1.7.4",
     "dotenv": "^16.3.1",
     "eslint": "^8.56.0",