Merge pull request #1069 from NHSDigital/feature/made14-NRL-1700-versioned-truststore

mattdean3-nhs · web-flow · commit 18196ea8f91c · 2025-10-15T14:24:58.000+01:00
[NRL-1700] Use S3 versioning for truststore file
diff --git a/terraform/account-wide-infrastructure/dev/domain.tf b/terraform/account-wide-infrastructure/dev/domain.tf
@@ -1,14 +1,16 @@
 
 module "dev-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.dev_api_domain_name
-  domain_zone           = aws_route53_zone.dev-ns.name
-  mtls_certificate_file = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.dev_api_domain_name
+  domain_zone                   = aws_route53_zone.dev-ns.name
+  mtls_certificate_file         = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.dev-truststore-bucket.certificates_object_version
 }
 
 module "devsandbox-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.devsandbox_api_domain_name
-  domain_zone           = aws_route53_zone.dev-ns.name
-  mtls_certificate_file = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.devsandbox_api_domain_name
+  domain_zone                   = aws_route53_zone.dev-ns.name
+  mtls_certificate_file         = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.dev-truststore-bucket.certificates_object_version
 }
diff --git a/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf b/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf
@@ -99,6 +99,19 @@ module "developer_policy" {
         "${data.aws_s3_bucket.ci_logging.arn}/*"
       ]
     },
+    {
+      Action = [
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:DeleteObject"
+      ]
+      Effect = "Deny"
+      Resource = [
+        "${data.aws_s3_bucket.truststore.arn}/ca/prod*",
+        "${data.aws_s3_bucket.truststore.arn}/client/prod*",
+        "${data.aws_s3_bucket.truststore.arn}/server/prod*"
+      ]
+    },
     {
       Action = [
         "s3:GetObject"
diff --git a/terraform/account-wide-infrastructure/modules/env-custom-domain-name/apigateway.tf b/terraform/account-wide-infrastructure/modules/env-custom-domain-name/apigateway.tf
@@ -7,7 +7,8 @@ resource "aws_api_gateway_domain_name" "domain" {
   }
 
   mutual_tls_authentication {
-    truststore_uri = var.mtls_certificate_file
+    truststore_uri     = var.mtls_certificate_file
+    truststore_version = var.mtls_certificate_file_version
   }
 
   depends_on = [
diff --git a/terraform/account-wide-infrastructure/modules/env-custom-domain-name/vars.tf b/terraform/account-wide-infrastructure/modules/env-custom-domain-name/vars.tf
@@ -19,3 +19,8 @@ variable "mtls_certificate_file" {
   description = "The path to the mtls certificate file"
   type        = string
 }
+
+variable "mtls_certificate_file_version" {
+  description = "The S3 version of the mtls certificate file"
+  type        = string
+}
diff --git a/terraform/account-wide-infrastructure/modules/truststore-bucket/output.tf b/terraform/account-wide-infrastructure/modules/truststore-bucket/output.tf
@@ -7,3 +7,8 @@ output "certificates_object_key" {
   description = "Key of the truststore certificates object"
   value       = aws_s3_object.api_truststore_certificate.key
 }
+
+output "certificates_object_version" {
+  description = "Version of the truststore certificates object"
+  value       = aws_s3_object.api_truststore_certificate.version_id
+}
diff --git a/terraform/account-wide-infrastructure/prod/domain.tf b/terraform/account-wide-infrastructure/prod/domain.tf
@@ -1,8 +1,9 @@
 
 
 module "dev-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.prod_api_domain_name
-  domain_zone           = aws_route53_zone.prod-ns.name
-  mtls_certificate_file = "s3://${module.prod-truststore-bucket.bucket_name}/${module.prod-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.prod_api_domain_name
+  domain_zone                   = aws_route53_zone.prod-ns.name
+  mtls_certificate_file         = "s3://${module.prod-truststore-bucket.bucket_name}/${module.prod-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.prod-truststore-bucket.certificates_object_version
 }
diff --git a/terraform/account-wide-infrastructure/test/domain.tf b/terraform/account-wide-infrastructure/test/domain.tf
@@ -1,35 +1,40 @@
 
 module "qa-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.qa_api_domain_name
-  domain_zone           = aws_route53_zone.test-qa-ns.name
-  mtls_certificate_file = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.qa_api_domain_name
+  domain_zone                   = aws_route53_zone.test-qa-ns.name
+  mtls_certificate_file         = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.qa-truststore-bucket.certificates_object_version
 }
 
 module "qasandbox-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.qasandbox_api_domain_name
-  domain_zone           = aws_route53_zone.test-qa-ns.name
-  mtls_certificate_file = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.qasandbox_api_domain_name
+  domain_zone                   = aws_route53_zone.test-qa-ns.name
+  mtls_certificate_file         = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.qa-truststore-bucket.certificates_object_version
 }
 
 module "int-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.int_api_domain_name
-  domain_zone           = aws_route53_zone.test-int-ns.name
-  mtls_certificate_file = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.int_api_domain_name
+  domain_zone                   = aws_route53_zone.test-int-ns.name
+  mtls_certificate_file         = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.int-truststore-bucket.certificates_object_version
 }
 
 module "intsandbox-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.intsandbox_api_domain_name
-  domain_zone           = aws_route53_zone.test-int-ns.name
-  mtls_certificate_file = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.intsandbox_api_domain_name
+  domain_zone                   = aws_route53_zone.test-int-ns.name
+  mtls_certificate_file         = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.int-truststore-bucket.certificates_object_version
 }
 
 module "ref-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.ref_api_domain_name
-  domain_zone           = aws_route53_zone.test-ref-ns.name
-  mtls_certificate_file = "s3://${module.ref-truststore-bucket.bucket_name}/${module.ref-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.ref_api_domain_name
+  domain_zone                   = aws_route53_zone.test-ref-ns.name
+  mtls_certificate_file         = "s3://${module.ref-truststore-bucket.bucket_name}/${module.ref-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.ref-truststore-bucket.certificates_object_version
 }
diff --git a/terraform/infrastructure/domain.tf b/terraform/infrastructure/domain.tf
@@ -46,7 +46,8 @@ resource "aws_api_gateway_domain_name" "domain" {
   }
 
   mutual_tls_authentication {
-    truststore_uri = "s3://${data.aws_s3_object.api-truststore-certificate.bucket}/${data.aws_s3_object.api-truststore-certificate.key}"
+    truststore_uri     = "s3://${data.aws_s3_object.api-truststore-certificate.bucket}/${data.aws_s3_object.api-truststore-certificate.key}"
+    truststore_version = data.aws_s3_object.api-truststore-certificate.version_id
   }
 
   depends_on = [

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,8 @@ resource "aws_api_gateway_domain_name" "domain" {`
`7`	`7`	`}`
`8`	`8`
`9`	`9`	`mutual_tls_authentication {`
`10`		`- truststore_uri = var.mtls_certificate_file`
	`10`	`+ truststore_uri = var.mtls_certificate_file`
	`11`	`+ truststore_version = var.mtls_certificate_file_version`
`11`	`12`	`}`
`12`	`13`
`13`	`14`	`depends_on = [`
Original file line number	Diff line number	Diff line change
`@@ -19,3 +19,8 @@ variable "mtls_certificate_file" {`
`19`	`19`	`description = "The path to the mtls certificate file"`
`20`	`20`	`type = string`
`21`	`21`	`}`
	`22`	`+`
	`23`	`+variable "mtls_certificate_file_version" {`
	`24`	`+ description = "The S3 version of the mtls certificate file"`
	`25`	`+ type = string`
	`26`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -7,3 +7,8 @@ output "certificates_object_key" {`
`7`	`7`	`description = "Key of the truststore certificates object"`
`8`	`8`	`value = aws_s3_object.api_truststore_certificate.key`
`9`	`9`	`}`
	`10`	`+`
	`11`	`+output "certificates_object_version" {`
	`12`	`+ description = "Version of the truststore certificates object"`
	`13`	`+ value = aws_s3_object.api_truststore_certificate.version_id`
	`14`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,8 @@ resource "aws_api_gateway_domain_name" "domain" {`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`mutual_tls_authentication {`
`49`		`- truststore_uri = "s3://${data.aws_s3_object.api-truststore-certificate.bucket}/${data.aws_s3_object.api-truststore-certificate.key}"`
	`49`	`+ truststore_uri = "s3://${data.aws_s3_object.api-truststore-certificate.bucket}/${data.aws_s3_object.api-truststore-certificate.key}"`
	`50`	`+ truststore_version = data.aws_s3_object.api-truststore-certificate.version_id`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`depends_on = [`