conditional changes for prod URL (#154)

richbyrne-nhs · web-flow · commit 10fd5d0f9c80 · 2024-03-12T14:40:59.000Z
diff --git a/infrastructure/api.tf b/infrastructure/api.tf
@@ -94,7 +94,7 @@ resource "aws_api_gateway_gateway_response" "unauthorised_response" {
   }
 
   response_parameters = {
-    "gatewayresponse.header.Access-Control-Allow-Origin"      = "'https://${terraform.workspace}.${var.domain}'"
+    "gatewayresponse.header.Access-Control-Allow-Origin"      = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
     "gatewayresponse.header.Access-Control-Allow-Methods"     = "'*'"
     "gatewayresponse.header.Access-Control-Allow-Headers"     = "'Content-Type,X-Amz-Date,Authorization,X-Auth,X-Api-Key,X-Amz-Security-Token,X-Auth-Cookie,Accept'"
     "gatewayresponse.header.Access-Control-Allow-Credentials" = "'true'"
@@ -110,7 +110,7 @@ resource "aws_api_gateway_gateway_response" "bad_gateway_response" {
   }
 
   response_parameters = {
-    "gatewayresponse.header.Access-Control-Allow-Origin"      = "'https://${terraform.workspace}.${var.domain}'"
+    "gatewayresponse.header.Access-Control-Allow-Origin"      = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
     "gatewayresponse.header.Access-Control-Allow-Methods"     = "'*'"
     "gatewayresponse.header.Access-Control-Allow-Headers"     = "'Content-Type,X-Amz-Date,Authorization,X-Auth,X-Api-Key,X-Amz-Security-Token,X-Auth-Cookie,Accept'"
     "gatewayresponse.header.Access-Control-Allow-Credentials" = "'true'"
@@ -126,4 +126,4 @@ module "api_endpoint_url_ssm_parameter" {
   type                = "SecureString"
   owner               = var.owner
   environment         = var.environment
-}
+}
diff --git a/infrastructure/buckets.tf b/infrastructure/buckets.tf
@@ -11,13 +11,13 @@ module "ndr-document-store" {
     {
       allowed_headers = ["*"]
       allowed_methods = ["POST", "DELETE"]
-      allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+      allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
       expose_headers  = ["ETag"]
       max_age_seconds = 3000
     },
     {
       allowed_methods = ["GET"]
-      allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+      allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
     }
   ]
 }
@@ -33,7 +33,7 @@ module "ndr-zip-request-store" {
   cors_rules = [
     {
       allowed_methods = ["GET"]
-      allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+      allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
     }
   ]
 }
@@ -51,13 +51,13 @@ module "ndr-lloyd-george-store" {
     {
       allowed_headers = ["*"]
       allowed_methods = ["POST", "PUT", "DELETE"]
-      allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+      allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
       expose_headers  = ["ETag"]
       max_age_seconds = 3000
     },
     {
       allowed_methods = ["GET"]
-      allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+      allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
     }
   ]
 }
diff --git a/infrastructure/lambda-back-channel-logout.tf b/infrastructure/lambda-back-channel-logout.tf
@@ -7,7 +7,7 @@ module "back-channel-logout-gateway" {
   authorization       = "NONE"
   gateway_path        = "BackChannelLogout"
   require_credentials = false
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   owner             = var.owner
@@ -41,7 +41,7 @@ module "back_channel_logout_lambda" {
     ENVIRONMENT                    = var.environment
     AUTH_DYNAMODB_NAME             = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
     SSM_PARAM_JWT_TOKEN_PUBLIC_KEY = "jwt_token_public_key"
-    OIDC_CALLBACK_URL              = "https://${terraform.workspace}.${var.domain}/auth-callback"
+    OIDC_CALLBACK_URL              = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback"
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
diff --git a/infrastructure/lambda-create-doc-ref.tf b/infrastructure/lambda-create-doc-ref.tf
@@ -8,7 +8,7 @@ module "create-doc-ref-gateway" {
   gateway_path        = "DocumentReference"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
   require_credentials = true
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
 
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
diff --git a/infrastructure/lambda-delete-doc-ref.tf b/infrastructure/lambda-delete-doc-ref.tf
@@ -8,7 +8,7 @@ module "delete-doc-ref-gateway" {
   gateway_path        = "DocumentDelete"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
   require_credentials = true
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
 
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
@@ -92,4 +92,4 @@ module "delete-doc-ref-lambda" {
     module.delete-doc-ref-gateway,
     module.ndr-app-config
   ]
-}
+}
diff --git a/infrastructure/lambda-document-manifest-by-nhs-number.tf b/infrastructure/lambda-document-manifest-by-nhs-number.tf
@@ -8,7 +8,7 @@ module "document-manifest-by-nhs-gateway" {
   gateway_path        = "DocumentManifest"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
   require_credentials = true
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
 
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
@@ -108,4 +108,4 @@ resource "aws_iam_role_policy_attachment" "policy_manifest_lambda" {
   count      = local.is_sandbox ? 0 : 1
   role       = module.document-manifest-by-nhs-number-lambda.lambda_execution_role_name
   policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
+}
diff --git a/infrastructure/lambda-lloyd-george-record-stitch.tf b/infrastructure/lambda-lloyd-george-record-stitch.tf
@@ -8,7 +8,7 @@ module "lloyd-george-stitch-gateway" {
   gateway_path        = "LloydGeorgeStitch"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
   require_credentials = true
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
 
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
@@ -105,4 +105,4 @@ resource "aws_iam_role_policy_attachment" "lambda_stitch-lambda" {
   count      = local.is_sandbox ? 0 : 1
   role       = module.lloyd-george-stitch-lambda.lambda_execution_role_name
   policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
+}
diff --git a/infrastructure/lambda-login-redirect.tf b/infrastructure/lambda-login-redirect.tf
@@ -31,7 +31,7 @@ module "login_redirect_lambda" {
     APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
     APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
     WORKSPACE               = terraform.workspace
-    OIDC_CALLBACK_URL       = "https://${terraform.workspace}.${var.domain}/auth-callback"
+    OIDC_CALLBACK_URL       = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback"
     AUTH_DYNAMODB_NAME      = "${terraform.workspace}_${var.auth_state_dynamodb_table_name}"
   }
   depends_on = [
@@ -104,4 +104,4 @@ resource "aws_iam_policy" "ssm_policy_oidc" {
       }
     ]
   })
-}
+}
diff --git a/infrastructure/lambda-logout.tf b/infrastructure/lambda-logout.tf
@@ -7,7 +7,7 @@ module "logout-gateway" {
   authorization       = "NONE"
   gateway_path        = "Logout"
   require_credentials = false
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   owner             = var.owner
diff --git a/infrastructure/lambda-search-doc-references.tf b/infrastructure/lambda-search-doc-references.tf
@@ -8,7 +8,7 @@ module "search-document-references-gateway" {
   gateway_path        = "SearchDocumentReferences"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
   require_credentials = true
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
 
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
diff --git a/infrastructure/lambda-search-patient.tf b/infrastructure/lambda-search-patient.tf
@@ -8,7 +8,7 @@ module "search-patient-details-gateway" {
   gateway_path        = "SearchPatient"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
   require_credentials = true
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
 
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
@@ -117,4 +117,4 @@ resource "aws_iam_role_policy_attachment" "policy_audit_search-patient-details-l
   count      = local.is_sandbox ? 0 : 1
   role       = module.search-patient-details-lambda.lambda_execution_role_name
   policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
+}
diff --git a/infrastructure/lambda-token.tf b/infrastructure/lambda-token.tf
@@ -7,7 +7,7 @@ module "token-gateway" {
   authorization       = "NONE"
   gateway_path        = "TokenRequest"
   require_credentials = false
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   owner             = var.owner
@@ -41,11 +41,12 @@ module "create-token-lambda" {
     APPCONFIG_CONFIGURATION         = module.ndr-app-config.app_config_configuration_profile_id
     WORKSPACE                       = terraform.workspace
     SSM_PARAM_JWT_TOKEN_PRIVATE_KEY = "jwt_token_private_key"
-    OIDC_CALLBACK_URL               = "https://${terraform.workspace}.${var.domain}/auth-callback"
-    AUTH_STATE_TABLE_NAME           = "${terraform.workspace}_${var.auth_state_dynamodb_table_name}"
-    AUTH_SESSION_TABLE_NAME         = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
-    ENVIRONMENT                     = var.environment
-    SPLUNK_SQS_QUEUE_URL            = try(module.sqs-splunk-queue[0].sqs_url, null)
+
+    OIDC_CALLBACK_URL       = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback"
+    AUTH_STATE_TABLE_NAME   = "${terraform.workspace}_${var.auth_state_dynamodb_table_name}"
+    AUTH_SESSION_TABLE_NAME = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
+    ENVIRONMENT             = var.environment
+    SPLUNK_SQS_QUEUE_URL    = try(module.sqs-splunk-queue[0].sqs_url, null)
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
@@ -126,4 +127,4 @@ resource "aws_iam_role_policy_attachment" "policy_audit_token_lambda" {
   count      = local.is_sandbox ? 0 : 1
   role       = module.create-token-lambda.lambda_execution_role_name
   policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
+}
diff --git a/infrastructure/main.tf b/infrastructure/main.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.0"
+      version = ">=5.11"
     }
   }
   backend "s3" {
diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars
@@ -1,7 +1,7 @@
 environment                       = "prod"
 owner                             = "nhse/ndr-team"
-domain                            = "access-request-fulfilment.patient-deductions.nhs.uk"
-certificate_domain                = "prod.access-request-fulfilment.patient-deductions.nhs.uk"
+domain                            = "national-document-repository.nhs.uk"
+certificate_domain                = "national-document-repository.nhs.uk"
 certificate_subdomain_name_prefix = "api."
 
 cloudwatch_alarm_evaluation_periods = 30
@@ -14,4 +14,4 @@ mesh_password_ssm_param_name    = "/repo/prod/user-input/external/mesh-mailbox-p
 mesh_shared_key_ssm_param_name  = "/repo/prod/user-input/external/mesh-mailbox-shared-secret"
 mesh_client_cert_ssm_param_name = "/repo/prod/user-input/external/mesh-mailbox-client-cert"
 mesh_client_key_ssm_param_name  = "/repo/prod/user-input/external/mesh-mailbox-client-key"
-mesh_ca_cert_ssm_param_name     = "/repo/prod/user-input/external/mesh-mailbox-ca-cert"
+mesh_ca_cert_ssm_param_name     = "/repo/prod/user-input/external/mesh-mailbox-ca-cert"
diff --git a/infrastructure/variable.tf b/infrastructure/variable.tf
@@ -196,8 +196,9 @@ locals {
 
   bulk_upload_lambda_concurrent_limit = 5
 
-  api_gateway_subdomain_name   = "${var.certificate_subdomain_name_prefix}${terraform.workspace}"
-  api_gateway_full_domain_name = "${var.certificate_subdomain_name_prefix}${terraform.workspace}.${var.domain}"
+
+  api_gateway_subdomain_name   = contains(["prod"], terraform.workspace) ? "${var.certificate_subdomain_name_prefix}" : "${var.certificate_subdomain_name_prefix}${terraform.workspace}"
+  api_gateway_full_domain_name = contains(["prod"], terraform.workspace) ? "${var.certificate_subdomain_name_prefix}${var.domain}" : "${var.certificate_subdomain_name_prefix}${terraform.workspace}.${var.domain}"
 
   current_region     = data.aws_region.current.name
   current_account_id = data.aws_caller_identity.current.account_id

Original file line number	Diff line number	Diff line change
`@@ -11,13 +11,13 @@ module "ndr-document-store" {`
`11`	`11`	`{`
`12`	`12`	`allowed_headers = ["*"]`
`13`	`13`	`allowed_methods = ["POST", "DELETE"]`
`14`		`- allowed_origins = ["https://${terraform.workspace}.${var.domain}"]`
	`14`	`+ allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]`
`15`	`15`	`expose_headers = ["ETag"]`
`16`	`16`	`max_age_seconds = 3000`
`17`	`17`	`},`
`18`	`18`	`{`
`19`	`19`	`allowed_methods = ["GET"]`
`20`		`- allowed_origins = ["https://${terraform.workspace}.${var.domain}"]`
	`20`	`+ allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]`
`21`	`21`	`}`
`22`	`22`	`]`
`23`	`23`	`}`
`@@ -33,7 +33,7 @@ module "ndr-zip-request-store" {`
`33`	`33`	`cors_rules = [`
`34`	`34`	`{`
`35`	`35`	`allowed_methods = ["GET"]`
`36`		`- allowed_origins = ["https://${terraform.workspace}.${var.domain}"]`
	`36`	`+ allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]`
`37`	`37`	`}`
`38`	`38`	`]`
`39`	`39`	`}`
`@@ -51,13 +51,13 @@ module "ndr-lloyd-george-store" {`
`51`	`51`	`{`
`52`	`52`	`allowed_headers = ["*"]`
`53`	`53`	`allowed_methods = ["POST", "PUT", "DELETE"]`
`54`		`- allowed_origins = ["https://${terraform.workspace}.${var.domain}"]`
	`54`	`+ allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]`
`55`	`55`	`expose_headers = ["ETag"]`
`56`	`56`	`max_age_seconds = 3000`
`57`	`57`	`},`
`58`	`58`	`{`
`59`	`59`	`allowed_methods = ["GET"]`
`60`		`- allowed_origins = ["https://${terraform.workspace}.${var.domain}"]`
	`60`	`+ allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]`
`61`	`61`	`}`
`62`	`62`	`]`
`63`	`63`	`}`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ module "login_redirect_lambda" {`
`31`	`31`	`APPCONFIG_ENVIRONMENT = module.ndr-app-config.app_config_environment_id`
`32`	`32`	`APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id`
`33`	`33`	`WORKSPACE = terraform.workspace`
`34`		`- OIDC_CALLBACK_URL = "https://${terraform.workspace}.${var.domain}/auth-callback"`
	`34`	`+ OIDC_CALLBACK_URL = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback"`
`35`	`35`	`AUTH_DYNAMODB_NAME = "${terraform.workspace}_${var.auth_state_dynamodb_table_name}"`
`36`	`36`	`}`
`37`	`37`	`depends_on = [`
`@@ -104,4 +104,4 @@ resource "aws_iam_policy" "ssm_policy_oidc" {`
`104`	`104`	`}`
`105`	`105`	`]`
`106`	`106`	`})`
`107`		`-}`
	`107`	`+}`