Merge branch 'main' into PRMP-627

Author: robg-test

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,32 @@
+<!-- markdownlint-disable-next-line first-line-heading -->
+## Overview
+
+**Jira ticket**: [TBC](https://nhsd-jira.digital.nhs.uk/browse/XXX)
+
+### Description
+
+<!-- Describe your changes in detail. -->
+
+### Context
+
+<!-- Why is this change required? What problem does it solve? -->
+
+## Checklist
+
+<!--
+
+  Put an `x` in the completed tasks.
+
+  If a task is not relevant, `x` it, then strike through the text e.g.:
+  - [x] ~~This task is not relevant.~~
+
+-->
+
+Tasks for all changes:
+
+- [ ] 1. I have linked this PR to its Jira ticket.
+- [ ] 2. I have run git pre-commits.
+- [ ] 3. I have updated relevant documentation.
+- [ ] 4. I have considered the cross-team impact (and have PR approval from both Core & Demographics if necessary).
+- [ ] 5. I have successfully [deployed this change to a sandbox](https://github.com/NHSDigital/national-document-repository-infrastructure/actions/workflows/deploy-sandbox.yml) and witnessed it build: [Workflow run: TBC](https://github.com/NHSDigital/national-document-repository-infrastructure/actions/runs/XXX)
+- [ ] 6. I have checked the Terraform Plan from this PR against `ndr-dev`.

.github/workflows/automated-pr-validator.yml

@@ -2,7 +2,9 @@ name: "Z-AUTOMATED: PR Validator"
 
 on:
   pull_request:
-    types: [opened, synchronize, reopened]
+    types: [opened, synchronize, reopened, edited]
+
+permissions: {}
 
 jobs:
   sbom_scan:
@@ -120,3 +122,23 @@ jobs:
           BRANCH_NAME=${{ github.event.repository.default_branch }}
           chmod +x scripts/markdown-validator.sh
           scripts/markdown-validator.sh
+
+  checklist_validator:
+    name: Checklist Validation
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v5
+
+    - name: Set up Python 3.11
+      uses: actions/setup-python@v6
+      with:
+        python-version: 3.11
+
+    - name: Run checklist validator
+      run: |
+        python3 scripts/github/checklist_validator/main.py
+      env:
+        PR_BODY: ${{ github.event.pull_request.body }}

.github/workflows/cron-daily-health-check.yml

@@ -119,6 +119,10 @@ jobs:
           runTests: false
           build: npm run build
           working-directory: ./app
+
+      - name: Copy main.html to index.html for serve compatibility
+        run: cp ./dist/main.html ./dist/index.html
+        working-directory: ./app
 
       - name: npm install serve -g
         run: npm install serve -g

.gitignore

@@ -36,3 +36,7 @@ tfplan
 .idea/
 .vscode/
 venv/
+
+#Ignore certificates
+scripts/csrs
+scripts/keys

README.md

@@ -29,4 +29,4 @@ As this repository is a standalone infrastructure there is no python/node based
 git config core.hooksPath .githooks
 ```
 
-Pre-commits will run on any commit. This will build docs and format the terraform.
+Pre-commits will run on all commits. This will build docs and format the terraform.

infrastructure/backup-cross-account.tf

@@ -60,7 +60,8 @@ resource "aws_backup_selection" "cross_account_backup_selection" {
     module.bulk_upload_report_dynamodb_table.dynamodb_table_arn,
     module.statistical-reports-store.bucket_arn,
     module.pdm_dynamodb_table.dynamodb_table_arn,
-    module.pdm-document-store.bucket_arn
+    module.pdm-document-store.bucket_arn,
+    module.core_dynamodb_table.dynamodb_table_arn,
   ]
 }
 

infrastructure/buckets.tf

@@ -51,7 +51,7 @@ module "ndr-lloyd-george-store" {
   access_logs_enabled       = local.is_production
   access_logs_bucket_id     = local.access_logs_bucket_id
   cloudfront_enabled        = true
-  cloudfront_arn            = module.cloudfront-distribution-lg.cloudfront_arn
+  cloudfront_arn            = aws_cloudfront_distribution.s3_presign_mask.arn
   bucket_name               = var.lloyd_george_bucket_name
   enable_bucket_versioning  = true
   environment               = var.environment
@@ -122,6 +122,8 @@ module "ndr-bulk-staging-store" {
   bucket_name               = var.staging_store_bucket_name
   enable_cors_configuration = true
   enable_bucket_versioning  = true
+  cloudfront_arn            = aws_cloudfront_distribution.s3_presign_mask.arn
+  cloudfront_enabled        = true
   environment               = var.environment
   owner                     = var.owner
   force_destroy             = local.is_force_destroy
@@ -167,7 +169,7 @@ module "ndr-document-pending-review-store" {
   enable_bucket_versioning  = true
   force_destroy             = local.is_force_destroy
   cloudfront_enabled        = true
-  cloudfront_arn            = module.cloudfront-distribution-lg.cloudfront_arn
+  cloudfront_arn            = aws_cloudfront_distribution.s3_presign_mask.arn
   enable_cors_configuration = true
   cors_rules = [
     {
@@ -233,6 +235,18 @@ resource "aws_s3_bucket_lifecycle_configuration" "staging-store-lifecycle-rules"
       prefix = "user_upload/"
     }
   }
+  rule {
+    id     = "Delete objects in review folder that have existed for 24 hours"
+    status = "Enabled"
+
+    expiration {
+      days = 1
+    }
+
+    filter {
+      prefix = "review/"
+    }
+  }
   rule {
     id     = "default-to-intelligent-tiering"
     status = "Enabled"
@@ -281,6 +295,17 @@ resource "aws_s3_bucket_lifecycle_configuration" "ndr_document_pending_review_st
     }
     filter {}
   }
+  rule {
+    id     = "remove-delete-markers-after-42-days"
+    status = "Enabled"
+    expiration {
+      expired_object_delete_marker = true
+    }
+    noncurrent_version_expiration {
+      noncurrent_days = 42
+    }
+    filter {}
+  }
 }
 
 # Logging Buckets

infrastructure/cloudfront.tf

@@ -1,3 +1,16 @@
+locals {
+  # required by USA-based CI pipeline runners to run smoke tests
+  allow_us_comms = !local.is_production
+}
+
+resource "aws_cloudfront_origin_access_control" "s3" {
+  name                              = "${terraform.workspace}_cloudfront_s3_oac_policy"
+  description                       = "CloudFront S3 OAC"
+  origin_access_control_origin_type = "s3"
+  signing_behavior                  = "never"
+  signing_protocol                  = "sigv4"
+}
+
 module "cloudfront_firewall_waf_v2" {
   source         = "./modules/firewall_waf_v2"
   cloudfront_acl = true
@@ -8,16 +21,136 @@ module "cloudfront_firewall_waf_v2" {
   providers   = { aws = aws.us_east_1 }
 }
 
-module "cloudfront-distribution-lg" {
-  source                        = "./modules/cloudfront"
-  bucket_domain_name            = module.ndr-lloyd-george-store.bucket_regional_domain_name
-  bucket_id                     = module.ndr-lloyd-george-store.bucket_id
-  qualifed_arn                  = module.edge-presign-lambda.qualified_arn
-  depends_on                    = [module.edge-presign-lambda.qualified_arn, module.ndr-lloyd-george-store.bucket_id, module.ndr-lloyd-george-store.bucket_domain_name, module.ndr-document-pending-review-store.bucket_id, module.ndr-document-pending-review-store.bucket_domain_name]
-  web_acl_id                    = try(module.cloudfront_firewall_waf_v2[0].arn, "")
-  has_secondary_bucket          = local.is_production ? false : true
-  secondary_bucket_domain_name  = module.ndr-document-pending-review-store.bucket_regional_domain_name
-  secondary_bucket_id           = module.ndr-document-pending-review-store.bucket_id
-  secondary_bucket_path_pattern = "/review/*"
-  log_bucket_id                 = local.access_logs_bucket_id
-}
+resource "aws_cloudfront_distribution" "s3_presign_mask" {
+  price_class = "PriceClass_100"
+
+  origin {
+    domain_name              = module.ndr-lloyd-george-store.bucket_regional_domain_name
+    origin_id                = module.ndr-lloyd-george-store.bucket_id
+    origin_access_control_id = aws_cloudfront_origin_access_control.s3.id
+  }
+  enabled         = true
+  is_ipv6_enabled = true
+
+  default_cache_behavior {
+    allowed_methods          = ["HEAD", "GET", "OPTIONS"]
+    cached_methods           = ["HEAD", "GET", "OPTIONS"]
+    target_origin_id         = module.ndr-lloyd-george-store.bucket_id
+    viewer_protocol_policy   = "redirect-to-https"
+    cache_policy_id          = aws_cloudfront_cache_policy.nocache.id
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.viewer.id
+
+    lambda_function_association {
+      event_type = "origin-request"
+      lambda_arn = module.edge-presign-lambda.qualified_arn
+    }
+  }
+
+  origin {
+    domain_name              = module.ndr-document-pending-review-store.bucket_regional_domain_name
+    origin_id                = module.ndr-document-pending-review-store.bucket_id
+    origin_access_control_id = aws_cloudfront_origin_access_control.s3.id
+  }
+
+  ordered_cache_behavior {
+    allowed_methods          = ["HEAD", "GET", "OPTIONS"]
+    cached_methods           = ["HEAD", "GET", "OPTIONS"]
+    path_pattern             = "/review/*"
+    target_origin_id         = module.ndr-document-pending-review-store.bucket_id
+    viewer_protocol_policy   = "redirect-to-https"
+    cache_policy_id          = aws_cloudfront_cache_policy.nocache.id
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.viewer.id
+
+    lambda_function_association {
+      event_type = "origin-request"
+      lambda_arn = module.edge-presign-lambda.qualified_arn
+    }
+  }
+
+  origin {
+    domain_name              = module.ndr-bulk-staging-store.bucket_regional_domain_name
+    origin_id                = module.ndr-bulk-staging-store.bucket_id
+    origin_access_control_id = aws_cloudfront_origin_access_control.s3.id
+  }
+
+  ordered_cache_behavior {
+    allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cached_methods           = ["HEAD", "GET", "OPTIONS"]
+    path_pattern             = "/upload/*"
+    target_origin_id         = module.ndr-bulk-staging-store.bucket_id
+    viewer_protocol_policy   = "redirect-to-https"
+    cache_policy_id          = aws_cloudfront_cache_policy.nocache.id
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.viewer.id
+
+    lambda_function_association {
+      event_type = "origin-request"
+      lambda_arn = module.edge-presign-lambda.qualified_arn
+    }
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = true
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "whitelist"
+      locations        = local.allow_us_comms ? ["GB", "US"] : ["GB"]
+    }
+  }
+
+  web_acl_id = try(module.cloudfront_firewall_waf_v2[0].arn, "")
+}
+
+resource "aws_cloudfront_origin_request_policy" "viewer" {
+  name = "${terraform.workspace}_BlockQueriesAndAllowViewer"
+
+  query_strings_config {
+    query_string_behavior = "whitelist"
+    query_strings {
+      items = [
+        "X-Amz-Algorithm",
+        "X-Amz-Credential",
+        "X-Amz-Date",
+        "X-Amz-Expires",
+        "X-Amz-SignedHeaders",
+        "X-Amz-Signature",
+        "X-Amz-Security-Token"
+      ]
+    }
+  }
+
+  headers_config {
+    header_behavior = "whitelist"
+    headers {
+      items = [
+        "Host",
+        "CloudFront-Viewer-Country",
+        "X-Forwarded-For"
+      ]
+    }
+  }
+
+  cookies_config {
+    cookie_behavior = "none"
+  }
+}
+
+resource "aws_cloudfront_cache_policy" "nocache" {
+  name        = "${terraform.workspace}_nocache_policy"
+  default_ttl = 0
+  max_ttl     = 0
+  min_ttl     = 0
+
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "none"
+    }
+    headers_config {
+      header_behavior = "none"
+    }
+    query_strings_config {
+      query_string_behavior = "none"
+    }
+  }
+}

infrastructure/dev.tfvars

@@ -12,3 +12,5 @@ cloud_security_email_param_environment = "dev"
 apim_environment = "internal-dev."
 
 kms_deletion_window = 7
+
+ssh_key_management_dry_run = true

infrastructure/dynamo_db_review.tf

@@ -1,12 +1,11 @@
-module "document_review_dynamodb_table" {
-  count                          = local.is_production ? 0 : 1
+module "document_upload_review_dynamodb_table" {
   source                         = "./modules/dynamo_db"
   table_name                     = var.document_review_table_name
   hash_key                       = "ID"
+  sort_key                       = "Version"
   deletion_protection_enabled    = local.is_production
   stream_enabled                 = false
-  ttl_enabled                    = true
-  ttl_attribute_name             = "TTL"
+  ttl_enabled                    = false
   point_in_time_recovery_enabled = !local.is_sandbox
 
   attributes = [
@@ -36,11 +35,15 @@ module "document_review_dynamodb_table" {
     },
     {
       name = "ReviewDate"
-      type = "S"
+      type = "N"
     },
     {
       name = "UploadDate"
       type = "N"
+    },
+    {
+      name = "Version"
+      type = "N"
     }
 
   ]