Merge branch 'main' into aea-5714-update-history-on-cancelled-prescriptions

Author: jonathanwelch1-nhs

.github/scripts/fix_cdk_json.sh

@@ -131,6 +131,27 @@ if [ -z "${RUM_APP_NAME}" ]; then
         -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
 fi
 
+if [ -z "${SPLUNK_DELIVERY_STREAM}" ]; then
+    SPLUNK_DELIVERY_STREAM=$(echo "$CF_LONDON_EXPORTS" | \
+        jq \
+        --arg EXPORT_NAME "lambda-resources:SplunkDeliveryStream" \
+        -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
+fi
+
+if [ -z "${SPLUNK_SUBSCRIPTION_FILTER_ROLE}" ]; then
+    SPLUNK_SUBSCRIPTION_FILTER_ROLE=$(echo "$CF_LONDON_EXPORTS" | \
+        jq \
+        --arg EXPORT_NAME "lambda-resources:SplunkSubscriptionFilterRole" \
+        -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
+fi
+if [ -z "${CLOUDFRONT_DISTRIBUTION_ARN}" ]; then
+    CLOUDFRONT_DISTRIBUTION_ARN=$(echo "$CF_LONDON_EXPORTS" | \
+        jq \
+        --arg EXPORT_NAME "${SERVICE_NAME}-stateless-resources:cloudfrontDistribution:Arn" \
+        -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
+fi
+
+
 # Acquire values externally
 ## Get GitHub Actions runner IPs for use against WAF
 if [ -z "${GITHUB_ACTIONS_RUNNER_IPV4}" ]; then
@@ -166,6 +187,8 @@ if [ "$CDK_APP_NAME" == "StatefulResourcesApp" ]; then
     fix_list_key githubAllowListIpv4 "${GITHUB_ACTIONS_RUNNER_IPV4}"
     fix_list_key githubAllowListIpv6 "${GITHUB_ACTIONS_RUNNER_IPV6}"
     fix_boolean_number_key wafAllowGaRunnerConnectivity "${WAF_ALLOW_GA_RUNNER_CONNECTIVITY}"
+    fix_string_key splunkDeliveryStream "${SPLUNK_DELIVERY_STREAM}"
+    fix_string_key splunkSubscriptionFilterRole "${SPLUNK_SUBSCRIPTION_FILTER_ROLE}"
 
     fix_boolean_number_key useMockOidc "${USE_MOCK_OIDC}"
     if [ "$USE_MOCK_OIDC" == "true" ]; then
@@ -183,10 +206,13 @@ if [ "$CDK_APP_NAME" == "StatefulResourcesApp" ]; then
     fix_string_key epsHostedZoneId "${EPS_HOSTED_ZONE_ID}"
 
     fix_boolean_number_key allowAutoDeleteObjects "${AUTO_DELETE_OBJECTS}"
-    # we may not have cloudfront distribution id if its a first deployment
+    # we may not have cloudfront distribution details if its a first deployment
     if [ -n "${CLOUDFRONT_DISTRIBUTION_ID}" ]; then
         fix_string_key cloudfrontDistributionId "${CLOUDFRONT_DISTRIBUTION_ID}"
     fi
+    if [ -n "${CLOUDFRONT_DISTRIBUTION_ARN}" ]; then
+        fix_string_key cloudfrontDistributionArn "${CLOUDFRONT_DISTRIBUTION_ARN}"
+    fi
     # if we have a rum log group arn, then we can set cwLogEnabled on the rum app
     if [ -n "${RUM_LOG_GROUP_ARN}" ]; then
         fix_boolean_number_key rumCloudwatchLogEnabled "true"

.github/workflows/release_all_stacks.yml

@@ -154,19 +154,50 @@ jobs:
           role-session-name: prescription-clinical-tracker-ui-deployment
           output-credentials: true
 
-      - name: check first deployment
-        id: check_first_deployment
+      - name: check redeploy stateful stack
+        id: check_redeploy_stateful_stack
         run: |
-          # shellcheck disable=SC2140
-          cloudfrontDistributionId=$(aws cloudformation list-exports --region eu-west-2 --query "Exports[?Name=='"${{ inputs.SERVICE_NAME }}-stateless-resources:cloudfrontDistribution:Id"'].Value" --output text)
-          if [ -z "${cloudfrontDistributionId}" ]; then
-            FIRST_DEPLOYMENT="true"
-            echo "This is the first deployment"
-          else
-            FIRST_DEPLOYMENT="false"
-            echo "This is not the first deployment"
+          CF_LONDON_EXPORTS=$(aws cloudformation list-exports --region eu-west-2 --output json)
+          CLOUDFRONT_DISTRIBUTION_ID=$(echo "$CF_LONDON_EXPORTS" | \
+              jq \
+              --arg EXPORT_NAME "${{ inputs.SERVICE_NAME }}-stateless-resources:cloudfrontDistribution:Id" \
+              -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
+          CLOUDFRONT_DISTRIBUTION_ARN=$(echo "$CF_LONDON_EXPORTS" | \
+              jq \
+              --arg EXPORT_NAME "${{ inputs.SERVICE_NAME }}-stateless-resources:cloudfrontDistribution:Arn" \
+              -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
+          RUM_LOG_GROUP_ARN=$(echo "$CF_LONDON_EXPORTS" | \
+              jq \
+              --arg EXPORT_NAME "${{ inputs.SERVICE_NAME }}-stateful-resources:rum:logGroup:arn" \
+              -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
+          RUM_APP_NAME=$(echo "$CF_LONDON_EXPORTS" | \
+              jq \
+              --arg EXPORT_NAME "${{ inputs.SERVICE_NAME }}-stateful-resources:rum:rumApp:Name" \
+              -r '.Exports[] | select(.Name == $EXPORT_NAME) | .Value')
+          REDEPLOY_STATEFUL_STACK="false"
+
+          if [ -z "${CLOUDFRONT_DISTRIBUTION_ID}" ]; then
+            echo "CLOUDFRONT_DISTRIBUTION_ID not found - setting redeploy stateful stack to true"
+            REDEPLOY_STATEFUL_STACK="true"
+          fi
+          if [ -z "${CLOUDFRONT_DISTRIBUTION_ARN}" ]; then
+            echo "CLOUDFRONT_DISTRIBUTION_ARN not found - setting redeploy stateful stack to true"
+            REDEPLOY_STATEFUL_STACK="true"
           fi
-          echo "FIRST_DEPLOYMENT=$FIRST_DEPLOYMENT" >> "$GITHUB_OUTPUT"
+          if [ -z "${RUM_LOG_GROUP_ARN}" ]; then
+            echo "RUM_LOG_GROUP_ARN not found - setting redeploy stateful stack to true"
+            REDEPLOY_STATEFUL_STACK="true"
+          fi
+          if [ -z "${RUM_APP_NAME}" ]; then
+            echo "RUM_APP_NAME not found - setting redeploy stateful stack to true"
+            REDEPLOY_STATEFUL_STACK="true"
+          fi
+
+          if [ "${REDEPLOY_STATEFUL_STACK}" == "false" ]; then
+            echo "Everything already set - setting redeploy stateful stack to false"
+          fi
+
+          echo "REDEPLOY_STATEFUL_STACK=$REDEPLOY_STATEFUL_STACK" >> "$GITHUB_OUTPUT"
         shell: bash
 
       - name: fix cdk.json for deployment stateful stack
@@ -430,7 +461,7 @@ jobs:
           fi
 
       - name: fix cdk.json for deployment for stateful stack redeployment
-        if: ${{ steps.check_first_deployment.outputs.FIRST_DEPLOYMENT == 'true' }}
+        if: ${{ steps.check_redeploy_stateful_stack.outputs.REDEPLOY_STATEFUL_STACK == 'true' }}
         run: |
           ./.github/scripts/fix_cdk_json.sh .build/stateful_resources.json
         env:
@@ -472,7 +503,7 @@ jobs:
           CLOUDFRONT_ORIGIN_CUSTOM_HEADER: ${{secrets.CLOUDFRONT_ORIGIN_CUSTOM_HEADER }}
 
       - name: Show diff for stateful stack redeployment
-        if: ${{ steps.check_first_deployment.outputs.FIRST_DEPLOYMENT == 'true' }}
+        if: ${{ steps.check_redeploy_stateful_stack.outputs.REDEPLOY_STATEFUL_STACK == 'true' }}
         run: |
           docker run \
           -v "$(pwd)/.build":/home/cdkuser/workspace/ \
@@ -488,7 +519,7 @@ jobs:
         shell: bash
 
       - name: Deploy code for stateful stack redeployment
-        if: ${{ steps.check_first_deployment.outputs.FIRST_DEPLOYMENT == 'true' }}
+        if: ${{ steps.check_redeploy_stateful_stack.outputs.REDEPLOY_STATEFUL_STACK == 'true' }}
         run: |
           docker run \
           -v "$(pwd)/.build":/home/cdkuser/workspace/ \

Makefile

@@ -213,6 +213,8 @@ cdk-synth-stateful-resources-no-mock:
 	ALLOW_LOCALHOST_ACCESS=false \
 	WAF_ALLOW_GA_RUNNER_CONNECTIVITY=true \
 	CLOUDFRONT_ORIGIN_CUSTOM_HEADER=foo \
+	SPLUNK_DELIVERY_STREAM=foo \
+	SPLUNK_SUBSCRIPTION_FILTER_ROLE=foo \
 	DO_NOT_GET_AWS_EXPORT=true \
 	USE_ZONE_APEX=false \
 		 ./.github/scripts/fix_cdk_json.sh .local_config/stateful_app.config.json
@@ -304,6 +306,8 @@ cdk-synth-stateful-resources-mock:
 	ALLOW_LOCALHOST_ACCESS=false \
 	WAF_ALLOW_GA_RUNNER_CONNECTIVITY=true \
 	CLOUDFRONT_ORIGIN_CUSTOM_HEADER=foo \
+	SPLUNK_DELIVERY_STREAM=foo \
+	SPLUNK_SUBSCRIPTION_FILTER_ROLE=foo \
 	DO_NOT_GET_AWS_EXPORT=true \
 	USE_ZONE_APEX=false \
 		 ./.github/scripts/fix_cdk_json.sh .local_config/stateful_app.config.json

packages/cdk/nagSuppressions.ts

@@ -246,7 +246,20 @@ export const nagSuppressions = (stack: Stack) => {
         }
       ]
     )
+
+    safeAddNagSuppression(
+      stack,
+      "/StatelessStack/CloudfrontDistribution/CloudfrontDistribution/Resource",
+      [
+        {
+          id: "AwsSolutions-CFR3",
+          reason: "Suppress error for not having access logging. We send logs to cloudwatch instead of S3"
+        }
+      ]
+    )
+
   }
+
 }
 
 const safeAddNagSuppression = (stack: Stack, path: string, suppressions: Array<NagPackSuppression>) => {

packages/cdk/resources/CloudfrontDistribution.ts

@@ -14,7 +14,6 @@ import {
   RecordTarget
 } from "aws-cdk-lib/aws-route53"
 import {CloudFrontTarget} from "aws-cdk-lib/aws-route53-targets"
-import {IBucket} from "aws-cdk-lib/aws-s3"
 import {Construct} from "constructs"
 
 /**
@@ -31,7 +30,6 @@ export interface CloudfrontDistributionProps {
   readonly hostedZone: IHostedZone
   readonly shortCloudfrontDomain: string
   readonly fullCloudfrontDomain: string
-  readonly cloudfrontLoggingBucket: IBucket
   readonly cloudfrontCert: ICertificate
   readonly webAclAttributeArn: string
   readonly wafAllowGaRunnerConnectivity: boolean
@@ -56,17 +54,16 @@ export class CloudfrontDistribution extends Construct {
       minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2021,
       sslSupportMethod: SSLMethod.SNI,
       publishAdditionalMetrics: true,
-      enableLogging: true,
-      logBucket: props.cloudfrontLoggingBucket,
-      logFilePrefix: `${props.stackName}/`,
+      enableLogging: false,
       logIncludesCookies: true, // may actually want to be false, don't know if it includes names of cookies or contents
       defaultBehavior: props.defaultBehavior,
       additionalBehaviors: props.additionalBehaviors,
       errorResponses: props.errorResponses,
       geoRestriction: {
         locations: props.wafAllowGaRunnerConnectivity ? ["GB", "JE", "GG", "IM", "US"] : ["GB", "JE", "GG", "IM"],
         restrictionType: "whitelist"
-      }
+      },
+      webAclId: props.webAclAttributeArn
     })
 
     if (props.shortCloudfrontDomain === "APEX_DOMAIN") {

packages/cdk/resources/CloudfrontLogDelivery.ts

@@ -0,0 +1,45 @@
+import {Names} from "aws-cdk-lib"
+import {
+  CfnDelivery,
+  CfnDeliveryDestination,
+  CfnDeliverySource,
+  ILogGroup,
+  LogGroup
+} from "aws-cdk-lib/aws-logs"
+import {Construct} from "constructs"
+
+export interface CloudfrontLogDeliveryProps {
+  readonly cloudfrontLogGroup: ILogGroup
+  readonly cloudfrontDistributionArn: string
+}
+
+export class CloudfrontLogDelivery extends Construct {
+  public readonly logGroup: LogGroup
+
+  constructor(scope: Construct, id: string, props: CloudfrontLogDeliveryProps) {
+    super(scope, id)
+    const distDeliveryDestination = new CfnDeliveryDestination(this, "DistributionDeliveryDestination", {
+      name: `${Names.uniqueResourceName(this, {maxLength:55})}-dest`,
+      destinationResourceArn: props.cloudfrontLogGroup.logGroupArn,
+      outputFormat: "json"
+    })
+
+    // add the delivery source and delivery for cloudfront logs
+    // this can only be done once the cloudfront distribution is created in the stateless stack
+    if (props.cloudfrontDistributionArn) {
+      const distDeliverySource = new CfnDeliverySource(this, "DistributionDeliverySource", {
+          name: `${Names.uniqueResourceName(this, {maxLength:55})}-src`,
+          logType: "ACCESS_LOGS",
+          resourceArn: props.cloudfrontDistributionArn
+      })
+
+      const delivery = new CfnDelivery(this, "DistributionDelivery", {
+          deliverySourceName: distDeliverySource.name,
+          deliveryDestinationArn: distDeliveryDestination.attrArn
+      })
+      delivery.node.addDependency(distDeliverySource)
+
+    }
+  }
+
+}

packages/cdk/resources/WebApplicationFirewall.ts

@@ -1,5 +1,5 @@
 import {Construct} from "constructs"
-import * as wafv2 from "aws-cdk-lib/aws-wafv2"
+import {CfnIPSet, CfnLoggingConfiguration, CfnWebACL} from "aws-cdk-lib/aws-wafv2"
 
 /**
  * WAF ACL and supporting resources
@@ -11,35 +11,28 @@ export interface WebACLProps {
   readonly githubAllowListIpv4: Array<string>
   readonly githubAllowListIpv6: Array<string>
   readonly wafAllowGaRunnerConnectivity: boolean
+  readonly allowedHeaders?: Map<string, string>
   readonly scope: string
+  readonly wafLogGroupName: string
 }
 
 export class WebACL extends Construct {
-  public readonly githubAllowListIpv4: wafv2.CfnIPSet
-  public readonly githubAllowListIpv6: wafv2.CfnIPSet
+  public readonly githubAllowListIpv4: CfnIPSet
+  public readonly githubAllowListIpv6: CfnIPSet
   public readonly wafAllowGaRunnerConnectivity: boolean
-  public readonly webAcl: wafv2.CfnWebACL
+  public readonly webAcl: CfnWebACL
   public readonly attrArn: string
   public readonly allowedHeaders?: Map<string, string>
 
   public constructor(
     scope: Construct,
     id: string,
-    props: {
-      serviceName: string
-      rateLimitTransactions: number
-      rateLimitWindowSeconds: number
-      githubAllowListIpv4: Array<string>
-      githubAllowListIpv6: Array<string>
-      wafAllowGaRunnerConnectivity: boolean
-      allowedHeaders?: Map<string, string>
-      scope: string
-    }
+    props: WebACLProps
   ) {
     super(scope, id)
 
     if (props.wafAllowGaRunnerConnectivity && props.githubAllowListIpv4.length > 0) {
-      this.githubAllowListIpv4 = new wafv2.CfnIPSet(this, "githubAllowListIpv4", {
+      this.githubAllowListIpv4 = new CfnIPSet(this, "githubAllowListIpv4", {
         addresses: props.githubAllowListIpv4,
         ipAddressVersion: "IPV4",
         scope: props.scope,
@@ -49,7 +42,7 @@ export class WebACL extends Construct {
     }
 
     if (props.wafAllowGaRunnerConnectivity && props.githubAllowListIpv6.length > 0) {
-      this.githubAllowListIpv6 = new wafv2.CfnIPSet(this, "githubAllowListIpv6", {
+      this.githubAllowListIpv6 = new CfnIPSet(this, "githubAllowListIpv6", {
         addresses: props.githubAllowListIpv6,
         ipAddressVersion: "IPV6",
         scope: props.scope,
@@ -58,7 +51,7 @@ export class WebACL extends Construct {
       })
     }
 
-    const rules: Array<wafv2.CfnWebACL.RuleProperty> = []
+    const rules: Array<CfnWebACL.RuleProperty> = []
     let nextPriority = 0
 
     if (props.wafAllowGaRunnerConnectivity && props.githubAllowListIpv4.length > 0) {
@@ -214,7 +207,7 @@ export class WebACL extends Construct {
       }
     })
 
-    const webAcl = new wafv2.CfnWebACL(this, "CloudfrontWebAcl", {
+    const webAcl = new CfnWebACL(this, "CloudfrontWebAcl", {
       name: `${props.serviceName}-WebAcl`,
       defaultAction: {allow: {}},
       scope: props.scope,
@@ -232,6 +225,11 @@ export class WebACL extends Construct {
       ]
     })
 
+    new CfnLoggingConfiguration(scope, "webAclLoggingConfiguration", {
+      logDestinationConfigs: [ props.wafLogGroupName ],
+      resourceArn: webAcl.attrArn // Arn of Acl
+    })
+
     this.webAcl = webAcl
     this.attrArn = webAcl.attrArn
   }