From 3c9dfb39d0a4b2494d10af2e32bbd5cbaa3afe61 Mon Sep 17 00:00:00 2001
From: juliareynolds-nava <juliareynolds@navapbc.com>
Date: Fri, 1 Aug 2025 09:28:16 -0600
Subject: [PATCH 1/3] Revert "change lambda code location due to move from repo
 ab2d-lambda to ab2d"

This reverts commit 3eec5fbfbabfc1f2be4ef6b0eb7699649ec97610.
---
 ops/services/30-lambda/optout-export.tf | 2 +-
 ops/services/30-lambda/optout-import.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ops/services/30-lambda/optout-export.tf b/ops/services/30-lambda/optout-export.tf
index 7d4dc15d54..5de90c6650 100644
--- a/ops/services/30-lambda/optout-export.tf
+++ b/ops/services/30-lambda/optout-export.tf
@@ -142,7 +142,7 @@ resource "aws_lambda_function" "export" {
   runtime                        = "java17"
   skip_destroy                   = false
   tags = {
-    code = "https://github.com/CMSgov/ab2d/tree/main/lambdas/optout"
+    code = "https://github.com/CMSgov/ab2d-lambdas/tree/main/optout"
   }
 
   environment {
diff --git a/ops/services/30-lambda/optout-import.tf b/ops/services/30-lambda/optout-import.tf
index 6035fcafa0..da8f8ecea3 100644
--- a/ops/services/30-lambda/optout-import.tf
+++ b/ops/services/30-lambda/optout-import.tf
@@ -138,7 +138,7 @@ resource "aws_lambda_function" "import" {
   skip_destroy                   = false
 
   tags = {
-    code = "https://github.com/CMSgov/ab2d/tree/main/lambdas/optout"
+    code = "https://github.com/CMSgov/ab2d-lambdas/tree/main/optout"
   }
   timeout = 900
 

From 0ea396af4467a8c201b439b295c324cef0afcad7 Mon Sep 17 00:00:00 2001
From: juliareynolds-nava <juliareynolds@navapbc.com>
Date: Thu, 5 Feb 2026 13:53:47 -0700
Subject: [PATCH 2/3] updated to support passwords per env.  Updated bash
 version to 4+ to support associative arrays.

---
 .../tls-certificates/make-ab2d-keystore.sh    | 213 ++++++++++++------
 1 file changed, 149 insertions(+), 64 deletions(-)

diff --git a/scripts/tls-certificates/make-ab2d-keystore.sh b/scripts/tls-certificates/make-ab2d-keystore.sh
index 980d00a742..616c95df0d 100644
--- a/scripts/tls-certificates/make-ab2d-keystore.sh
+++ b/scripts/tls-certificates/make-ab2d-keystore.sh
@@ -1,69 +1,154 @@
-#!/bin/bash
-set -e
-
-# verify base64 encoded PKCS#12 file
-#
-function verify_encoded_p12 {
-  rm -f foo.p12
-  base64 --decode >foo.p12 <"$1"
-  echo " "
-  echo "verifying $1 keystore file..."
-  openssl pkcs12 -in foo.p12 -password pass:changeit -nodes | openssl x509 -noout -enddate
-  rm -f foo.p12
-  echo "-------------------------------"
-  echo " "
+#!/opt/homebrew/bin/bash
+#above, shell location for BASH version 4+
+
+# Environment Password Prompt Script
+# Securely prompts for passwords for multiple environments
+
+set -euo pipefail  # Exit on error, undefined vars, pipe failures
+
+# Color codes for output
+readonly RED='\033[0;31m'
+readonly GREEN='\033[0;32m'
+readonly YELLOW='\033[1;33m'
+readonly NC='\033[0m'
+
+# Environments
+readonly ENVIRONMENTS=("dev" "test" "sandbox" "prod")
+
+# Declare associative array to store passwords
+declare -A PASSWORDS
+
+# Display header
+print_header() {
+    echo "================================================"
+    echo "  Environment Password Configuration"
+    echo "================================================"
+    echo ""
+}
+
+# Prompt for password with validation
+prompt_password() {
+    local env="$1"
+    local password password_confirm
+
+    echo -e "${YELLOW}Enter password for ${env^^} environment:${NC}"
+    read -rs -p "Password: " password
+    echo ""
+
+    read -rs -p "Confirm password: " password_confirm
+    echo ""
+
+    # Validate passwords match
+    if [[ "$password" != "$password_confirm" ]]; then
+        echo -e "${RED}Error: Passwords do not match for ${env}. Exiting.${NC}" >&2
+        exit 1
+    fi
+
+    # Validate password is not empty
+    if [[ -z "$password" ]]; then
+        echo -e "${RED}Error: Password cannot be empty for ${env}. Exiting.${NC}" >&2
+        exit 1
+    fi
+
+    PASSWORDS[$env]="$password"
+    echo -e "${GREEN}✓ Password for ${env} set successfully${NC}"
+    echo ""
+}
+
+# Verify base64 encoded PKCS#12 file
+verify_encoded_p12() {
+    local encoded_file="$1"
+    local env="$2"
+    local temp_file
+
+    temp_file=$(mktemp)
+    trap "rm -f '$temp_file'" RETURN
+
+    base64 --decode < "$encoded_file" > "$temp_file"
+
+    echo ""
+    echo "Verifying $encoded_file keystore file..."
+    if openssl pkcs12 -in "$temp_file" -password "pass:${PASSWORDS[$env]}" -nodes 2>/dev/null | \
+       openssl x509 -noout -enddate; then
+        echo "-------------------------------"
+        echo ""
+    else
+        echo -e "${RED}Error: Failed to verify keystore for $env${NC}" >&2
+        return 1
+    fi
 }
 
 # Generate a keystore and a public key pem file
-#
-function gen_keystore {
-  echo "begin processing of $3 environment...."
-  rm -f "$3-keystore.pfx"
-  rm -f "$3-keystore.pfx.b64"
-  rm -f "$3-public-cert.pem"
-
-  echo "Generating $3 keystore..."
-  keytool -genkeypair \
-    -alias server \
-    -keyalg RSA \
-    -keysize 4096 \
-    -dname "$1" \
-    -ext "$2" \
-    -validity 730 \
-    -keypass changeit \
-    -keystore "$3-keystore.pfx" \
-    -storepass changeit
-
-  echo "Extracting public cert..."
-  keytool -export -keystore "$3-keystore.pfx" -alias server -storepass changeit -file "$3-public-cert.pem" -rfc
-
-  echo "creating base64 encoded version of PKCS#12 file..."
-  cat "$3-keystore.pfx" | base64 >"$3-keystore.pfx.b64"
-
-  verify_encoded_p12 "$3-keystore.pfx.b64"
+gen_keystore() {
+    local dname="$1"
+    local san="$2"
+    local env="$3"
+    local password="${PASSWORDS[$env]}"
+
+    echo "Begin processing of $env environment..."
+
+    # Clean up existing files
+    rm -f "${env}-keystore.pfx" "${env}-keystore.pfx.b64" "${env}-public-cert.pem"
+
+    echo "Generating $env keystore..."
+    keytool -genkeypair \
+        -alias server \
+        -keyalg RSA \
+        -keysize 4096 \
+        -dname "$dname" \
+        -ext "$san" \
+        -validity 730 \
+        -keypass "$password" \
+        -keystore "${env}-keystore.pfx" \
+        -storepass "$password"
+
+    echo "Extracting public cert..."
+    keytool -export \
+        -keystore "${env}-keystore.pfx" \
+        -alias server \
+        -storepass "$password" \
+        -file "${env}-public-cert.pem" \
+        -rfc
+
+    echo "Creating base64 encoded version of PKCS#12 file..."
+    base64 < "${env}-keystore.pfx" > "${env}-keystore.pfx.b64"
+
+    verify_encoded_p12 "${env}-keystore.pfx.b64" "$env"
+}
+
+# Main execution
+main() {
+    print_header
+
+    # Prompt for all passwords
+    for env in "${ENVIRONMENTS[@]}"; do
+        prompt_password "$env"
+    done
+
+    # Generate keystores for each environment
+    gen_keystore "cn=ab2d.cms.gov.local" \
+        "san=dns:ab2d.cms.gov.local,dns:ab2d.cms.gov" \
+        "prod"
+
+    gen_keystore "cn=sandbox.ab2d.cms.gov.local" \
+        "san=dns:sandbox.ab2d.cms.gov.local,dns:sandbox.ab2d.cms.gov" \
+        "sandbox"
+
+    gen_keystore "cn=test.ab2d.cms.gov.local" \
+        "san=dns:test.ab2d.cms.gov.local,dns:test.ab2d.cms.gov" \
+        "test"
+
+    gen_keystore "cn=dev.ab2d.cms.gov.local" \
+        "san=dns:dev.ab2d.cms.gov.local,dns:dev.ab2d.cms.gov" \
+        "dev"
+
+    # Display instructions
+    cat <<EOF
+
+REMEMBER:
+* Store the contents of each <env>-keystore.pfx.b64 in SSM configuration under the /ab2d/${env}/worker/sensitive/mtls_keystore_base64 path
+* Store the contents of each <env>-public-cert.pem in SSM configuration under the /ab2d/${env}/common/nonsensitive/bfd-client/mtls-public-cert path
+EOF
 }
 
-# Prod
-gen_keystore "cn=ab2d.cms.gov.local" \
-  "san=dns:ab2d.cms.gov.local,dns:ab2d.cms.gov" \
-  "prod"
-
-# Prod-SBX
-gen_keystore "cn=sandbox.ab2d.cms.gov.local" \
-  "san=dns:sandbox.ab2d.cms.gov.local,dns:sandbox.ab2d.cms.gov" \
-  "sandbox"
-
-# Test
-gen_keystore "cn=test.ab2d.cms.gov.local" \
-  "san=dns:test.ab2d.cms.gov.local,dns:test.ab2d.cms.gov" \
-  "test"
-
-# Dev
-gen_keystore "cn=dev.ab2d.cms.gov.local" \
-  "san=dns:dev.ab2d.cms.gov.local,dns:dev.ab2d.cms.gov" \
-  "dev"
-
-echo
-echo "REMEMBER: "
-echo "* Store the contents of each <env>-keystore.pfx.b64 in SSM configuration under the /ab2d/<env>/worker/sensitive/mtls_keystore_base64 path"
-echo "* Store the contents of each <env>-public-cert.pem in SSM configuration under the /ab2d/<env>/worker/sensitive/mtls_keystore_public_cert path"
+main "$@"

From d8295bcbdfcdf79cb5eb70315d1240b7006c7e41 Mon Sep 17 00:00:00 2001
From: juliareynolds-nava <juliareynolds@navapbc.com>
Date: Thu, 5 Feb 2026 14:12:38 -0700
Subject: [PATCH 3/3] updated to support passwords per env.  Updated bash
 version to 4+ to support associative arrays.

---
 ops/services/30-lambda/optout-export.tf | 2 +-
 ops/services/30-lambda/optout-import.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ops/services/30-lambda/optout-export.tf b/ops/services/30-lambda/optout-export.tf
index 5de90c6650..7d4dc15d54 100644
--- a/ops/services/30-lambda/optout-export.tf
+++ b/ops/services/30-lambda/optout-export.tf
@@ -142,7 +142,7 @@ resource "aws_lambda_function" "export" {
   runtime                        = "java17"
   skip_destroy                   = false
   tags = {
-    code = "https://github.com/CMSgov/ab2d-lambdas/tree/main/optout"
+    code = "https://github.com/CMSgov/ab2d/tree/main/lambdas/optout"
   }
 
   environment {
diff --git a/ops/services/30-lambda/optout-import.tf b/ops/services/30-lambda/optout-import.tf
index da8f8ecea3..6035fcafa0 100644
--- a/ops/services/30-lambda/optout-import.tf
+++ b/ops/services/30-lambda/optout-import.tf
@@ -138,7 +138,7 @@ resource "aws_lambda_function" "import" {
   skip_destroy                   = false
 
   tags = {
-    code = "https://github.com/CMSgov/ab2d-lambdas/tree/main/optout"
+    code = "https://github.com/CMSgov/ab2d/tree/main/lambdas/optout"
   }
   timeout = 900