NDR-164 Configure route 53 for mtls

megan-bower4 · megan-bower4 · commit 1ebd3093eb04 · 2025-08-12T11:36:26.000+01:00
diff --git a/infrastructure/acm_certificate.tf b/infrastructure/acm_certificate.tf
@@ -0,0 +1,32 @@
+resource "aws_acm_certificate" "main" {
+  domain_name       = local.mtls_api_gateway_full_domain_name
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# Record used by ACM for DNS Validation
+resource "aws_route53_record" "validation" {
+  for_each = {
+    for dvo in aws_acm_certificate.main.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = module.route53_mtls_api.zone_id
+}
+
+
+resource "aws_acm_certificate_validation" "main" {
+  certificate_arn         = aws_acm_certificate.main.arn
+  validation_record_fqdns = [for record in aws_route53_record.validation : record.fqdn]
+}
diff --git a/infrastructure/api-mtls.tf b/infrastructure/api-mtls.tf
@@ -13,15 +13,15 @@ resource "aws_api_gateway_rest_api" "mtls_doc_store_api" {
 
 resource "aws_api_gateway_domain_name" "mtls_custom_api_domain" {
   domain_name              = local.mtls_api_gateway_full_domain_name
-  regional_certificate_arn = module.ndr-ecs-fargate-app.certificate_arn
+  regional_certificate_arn = aws_acm_certificate_validation.main.certificate_arn
   security_policy          = "TLS_1_2"
 
   endpoint_configuration {
     types = ["REGIONAL"]
   }
 
   mutual_tls_authentication {
-    truststore_uri = "s3://${module.s3bucket_truststore.bucket_id}"
+    truststore_uri = "s3://${module.s3bucket_truststore.bucket_id}/${var.ca_pem_filename}"
   }
 }
 
diff --git a/infrastructure/buckets.tf b/infrastructure/buckets.tf
@@ -126,6 +126,12 @@ module "s3bucket_truststore" {
   owner                 = var.owner
 }
 
+# Certificate for MTLS
+data "aws_s3_object" "truststore_ext_cert" {
+  bucket = module.s3bucket_truststore.bucket_id
+  key    = var.ca_pem_filename
+}
+
 # Lifecycle Rules
 resource "aws_s3_bucket_lifecycle_configuration" "lg-lifecycle-rules" {
   bucket = module.ndr-lloyd-george-store.bucket_id
diff --git a/infrastructure/route53.tf b/infrastructure/route53.tf
@@ -10,3 +10,15 @@ module "route53_fargate_ui" {
   api_gateway_full_domain_name = aws_api_gateway_domain_name.custom_api_domain.regional_domain_name
   api_gateway_zone_id          = aws_api_gateway_domain_name.custom_api_domain.regional_zone_id
 }
+
+module "route53_mtls_api" {
+  source                        = "./modules/route53"
+  environment                   = var.environment
+  owner                         = var.owner
+  domain                        = var.domain
+  using_arf_hosted_zone         = true
+  dns_name                      = local.mtls_api_gateway_subdomain_name
+  api_gateway_subdomain_name    = local.mtls_api_gateway_subdomain_name
+  api_gateway_full_domain_name  = aws_api_gateway_domain_name.mtls_custom_api_domain.regional_domain_name
+  api_gateway_zone_id           = aws_api_gateway_domain_name.mtls_custom_api_domain.regional_zone_id
+}
diff --git a/infrastructure/route53_records.tf b/infrastructure/route53_records.tf
@@ -0,0 +1,12 @@
+# A record for API Gateway Custom Domain Name
+resource "aws_route53_record" "pdm_api" {
+  name    = aws_api_gateway_domain_name.mtls_custom_api_domain.domain_name
+  type    = "A"
+  zone_id = module.route53_mtls_api.zone_id
+
+  alias {
+    name                   = aws_api_gateway_domain_name.mtls_custom_api_domain.regional_domain_name
+    zone_id                = aws_api_gateway_domain_name.mtls_custom_api_domain.regional_zone_id
+    evaluate_target_health = true
+  }
+}
diff --git a/infrastructure/variable.tf b/infrastructure/variable.tf
@@ -63,6 +63,12 @@ variable "trustore_bucket_name" {
   default     = "truststore"
 }
 
+variable "ca_pem_filename" {
+  type        = string
+  description = "Filename of the CA Truststore pem file stored in the core Truststore s3 bucket"
+  default     = "nhs-main-ndr-truststore.pem"
+}
+
 # DynamoDB Table Variables
 
 variable "pdm_dynamodb_table_name" {
@@ -218,6 +224,7 @@ locals {
 
   api_gateway_subdomain_name        = contains(["prod"], terraform.workspace) ? "${var.certificate_subdomain_name_prefix}" : "${var.certificate_subdomain_name_prefix}${terraform.workspace}"
   api_gateway_full_domain_name      = contains(["prod"], terraform.workspace) ? "${var.certificate_subdomain_name_prefix}${var.domain}" : "${var.certificate_subdomain_name_prefix}${terraform.workspace}.${var.domain}"
+  mtls_api_gateway_subdomain_name   = contains(["prod"], terraform.workspace) ? "mtls.${var.certificate_subdomain_name_prefix}" : "mtls.${var.certificate_subdomain_name_prefix}${terraform.workspace}"
   mtls_api_gateway_full_domain_name = contains(["prod"], terraform.workspace) ? "mtls.${var.domain}" : "mtls.${terraform.workspace}.${var.domain}"
 
 

Original file line number	Diff line number	Diff line change
`@@ -13,15 +13,15 @@ resource "aws_api_gateway_rest_api" "mtls_doc_store_api" {`
`13`	`13`
`14`	`14`	`resource "aws_api_gateway_domain_name" "mtls_custom_api_domain" {`
`15`	`15`	`domain_name = local.mtls_api_gateway_full_domain_name`
`16`		`- regional_certificate_arn = module.ndr-ecs-fargate-app.certificate_arn`
	`16`	`+ regional_certificate_arn = aws_acm_certificate_validation.main.certificate_arn`
`17`	`17`	`security_policy = "TLS_1_2"`
`18`	`18`
`19`	`19`	`endpoint_configuration {`
`20`	`20`	`types = ["REGIONAL"]`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`mutual_tls_authentication {`
`24`		`- truststore_uri = "s3://${module.s3bucket_truststore.bucket_id}"`
	`24`	`+ truststore_uri = "s3://${module.s3bucket_truststore.bucket_id}/${var.ca_pem_filename}"`
`25`	`25`	`}`
`26`	`26`	`}`
`27`	`27`