Merge pull request #77 from NHSDigital/feature/eja-eli-204-add-api-gateway

Feature/eja eli 204 add api gateway

Author: eddalmond1

.github/workflows/github-oidc-test.yaml

@@ -0,0 +1,71 @@
+name: Github OIDC test
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Target environment
+        required: true
+        type: choice
+        options: [dev, test, preprod]
+
+jobs:
+  plan-stacks:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: "Setup Terraform"
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ vars.TF_VERSION }}
+
+      - name: "Set up Python"
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: "Checkout Repository"
+        uses: actions/checkout@v4
+
+      - name: "Build lambda artefact"
+        run: |
+          make dependencies install-python
+          make build
+      - name: "Upload lambda artefact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: lambda
+          path: dist/lambda.zip
+
+      - name: "Download Built Lambdas"
+        uses: actions/download-artifact@v4
+        with:
+          name: lambda
+          path: ./build
+
+      - name: "Configure AWS Credentials"
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+          aws-region: eu-west-2
+
+      - name: "Terraform Plan Stacks"
+        env:
+          ENVIRONMENT: "dev"
+          WORKSPACE: "default"
+          TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
+          TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
+          TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
+
+        run: |
+          mkdir -p ./build
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$ENVIRONMENT stack=networking tf-command=plan args=\"-auto-approve\""
+          make terraform env=$ENVIRONMENT stack=networking tf-command=plan workspace=$ENVIRONMENT
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=plan args=\"-auto-approve\""
+          make terraform env=$ENVIRONMENT stack=api-layer tf-command=plan workspace=$WORKSPACE
+
+        working-directory: ./infrastructure

.github/workflows/manual-terraform-plan.yaml

@@ -1,18 +1,31 @@
-# tflint-ignore: terraform_unused_declarations
 variable "project_name" {
   default = "eligibility-signposting-api"
   type    = string
 }
 
-# tflint-ignore: terraform_unused_declarations
 variable "environment" {
   description = "The purpose of the account dev/test/ref/prod or the workspace"
   type        = string
 }
 
-# tflint-ignore: terraform_unused_declarations
 variable "tags" {
   description = "A map of tags to assign to resources."
   type        = map(string)
   default     = {}
 }
+
+variable "workspace" {
+  description = "Usually the developer short code or the name of the environment."
+  type        = string
+}
+
+variable "stack_name" {
+  description = "The name of the stack being deployed"
+  type        = string
+}
+
+variable "region" {
+  type        = string
+  description = "The aws region."
+  default     = "eu-west-2"
+}

infrastructure/modules/_shared/default_variables.tf

@@ -0,0 +1,18 @@
+resource "aws_api_gateway_rest_api" "api_gateway" {
+  name        = var.workspace == "default" ? "${var.api_gateway_name}-rest-api" : "${var.workspace}-${var.api_gateway_name}-rest-api"
+  description = "The API Gateway for ${var.project_name} ${var.environment} environment"
+
+  disable_execute_api_endpoint = var.disable_default_endpoint # We would want to disable this if we are using a custom domain name
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = {
+    Stack = var.stack_name
+  }
+}
+
+resource "aws_api_gateway_account" "api_gateway" {
+  cloudwatch_role_arn = aws_iam_role.api_gateway.arn
+}

infrastructure/modules/api_gateway/api_gateway.tf

@@ -0,0 +1,10 @@
+resource "aws_cloudwatch_log_group" "api_gateway" {
+  name              = "/aws/apigateway/${var.workspace}-${var.api_gateway_name}"
+  retention_in_days = 14
+  tags              = var.tags
+  kms_key_id        = aws_kms_key.api_gateway.arn
+
+  lifecycle {
+    prevent_destroy = false
+  }
+}

infrastructure/modules/api_gateway/cloudwatch.tf

@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}

infrastructure/modules/api_gateway/data.tf

@@ -0,0 +1 @@
+../_shared/default_variables.tf

infrastructure/modules/api_gateway/default_variables.tf

@@ -0,0 +1,43 @@
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = ["apigateway.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "api_gateway" {
+  name               = "${var.workspace}-${var.api_gateway_name}-role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+}
+
+data "aws_iam_policy_document" "api_gateway_logging" {
+  statement {
+    sid    = "AllowCloudWatchLogging"
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams",
+      "logs:PutLogEvents",
+      "logs:GetLogEvents",
+      "logs:FilterLogEvents"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "api_gateway_logging" {
+  name        = "${var.workspace}-${var.api_gateway_name}-api-gateway-logging-policy"
+  description = "Policy to allow API Gateway push logs to Cloudwatch"
+  policy      = data.aws_iam_policy_document.api_gateway_logging.json
+}
+
+resource "aws_iam_role_policy_attachment" "api_gateway_logging" {
+  role       = aws_iam_role.api_gateway.name
+  policy_arn = aws_iam_policy.api_gateway_logging.arn
+}

infrastructure/modules/api_gateway/iam.tf

@@ -0,0 +1,48 @@
+resource "aws_kms_key" "api_gateway" {
+  description             = "${var.workspace} - KMS Key for ${var.api_gateway_name} API Gateway"
+  deletion_window_in_days = 14
+  enable_key_rotation     = true
+
+  tags = {
+    Stack = var.stack_name
+  }
+}
+
+resource "aws_kms_alias" "api_gateway" {
+  name          = "alias/${var.workspace}-${var.api_gateway_name}-cloudwatch-logs"
+  target_key_id = aws_kms_key.api_gateway.key_id
+}
+
+resource "aws_kms_key_policy" "api_gateway" {
+  key_id = aws_kms_key.api_gateway.id
+  policy = data.aws_iam_policy_document.api_gateway.json
+}
+
+data "aws_iam_policy_document" "api_gateway" {
+  statement {
+    sid    = "Enable IAM User Permissions for ${var.api_gateway_name} API Gateway"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions   = ["kms:*"]
+    resources = [aws_kms_key.api_gateway.arn]
+  }
+  statement {
+    sid    = "APIGatewayCloudwatchKMSAccess"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["logs.${var.region}.amazonaws.com"]
+    }
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*"
+    ]
+    resources = [aws_kms_key.api_gateway.arn]
+  }
+}

infrastructure/modules/api_gateway/kms.tf

@@ -0,0 +1,27 @@
+output "rest_api_id" {
+  value = aws_api_gateway_rest_api.api_gateway.id
+}
+
+output "root_resource_id" {
+  value = aws_api_gateway_rest_api.api_gateway.root_resource_id
+}
+
+output "execution_arn" {
+  value = aws_api_gateway_rest_api.api_gateway.execution_arn
+}
+
+output "cloudwatch_destination_arn" {
+  value = aws_cloudwatch_log_group.api_gateway.arn
+}
+
+output "api_gateway_account" {
+  value = aws_api_gateway_account.api_gateway
+}
+
+output "logging_policy_attachment" {
+  value = aws_iam_role_policy_attachment.api_gateway_logging
+}
+
+output "iam_role_name" {
+  value = aws_iam_role.api_gateway.name
+}