Merge remote-tracking branch 'origin/main' into PRMT-466

Author: PedroSoaresNHS

infrastructure/README.md

@@ -178,6 +178,7 @@
 
 | Name | Type |
 |------|------|
+| [aws_api_gateway_account.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_account) | resource |
 | [aws_api_gateway_api_key.api_key_pdm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_api_key) | resource |
 | [aws_api_gateway_api_key.apim](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_api_key) | resource |
 | [aws_api_gateway_authorizer.repo_authoriser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_authorizer) | resource |
@@ -260,6 +261,7 @@
 | [aws_iam_policy.ses_send_email_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_access_policy_authoriser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.api_gateway_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.cognito_unauthenticated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.create_post_presign_url_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.cross_account_backup_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -272,6 +274,7 @@
 | [aws_iam_role.splunk_sqs_forwarder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.stitch_presign_url_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.splunk_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.api_gateway_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.backup_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cloudwatch_rum_cognito_unauth](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.create_post_presign_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |

infrastructure/api.tf

@@ -93,14 +93,19 @@ resource "aws_api_gateway_stage" "ndr_api" {
   stage_name           = var.environment
   xray_tracing_enabled = var.enable_xray_tracing
 
-  depends_on = [aws_cloudwatch_log_group.api_gateway_stage]
+  depends_on = [
+    aws_cloudwatch_log_group.api_gateway_stage
+  ]
 }
 
 resource "aws_cloudwatch_log_group" "api_gateway_stage" {
   # Name must follow this format to allow execution logging 
   # https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html
   name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.ndr_doc_store_api.id}/${var.environment}"
   retention_in_days = 0
+  depends_on = [
+    aws_api_gateway_account.logging
+  ]
 }
 
 resource "aws_api_gateway_method_settings" "api_gateway_stage" {

infrastructure/firewall.tf

@@ -6,6 +6,15 @@ module "firewall_waf_v2" {
   count          = local.is_sandbox ? 0 : 1
 }
 
+module "firewall_waf_v2_api" {
+  source         = "./modules/firewall_waf_v2"
+  cloudfront_acl = false
+  environment    = var.environment
+  owner          = var.owner
+  count          = local.is_sandbox ? 0 : 1
+  api            = true
+}
+
 resource "aws_wafv2_web_acl_association" "web_acl_association" {
   resource_arn = module.ndr-ecs-fargate-app.load_balancer_arn
   web_acl_arn  = module.firewall_waf_v2[0].arn
@@ -18,10 +27,10 @@ resource "aws_wafv2_web_acl_association" "web_acl_association" {
 
 resource "aws_wafv2_web_acl_association" "api_gateway" {
   resource_arn = aws_api_gateway_stage.ndr_api.arn
-  web_acl_arn  = module.firewall_waf_v2[0].arn
+  web_acl_arn  = module.firewall_waf_v2_api[0].arn
   count        = local.is_sandbox ? 0 : 1
   depends_on = [
     aws_api_gateway_stage.ndr_api,
-    module.firewall_waf_v2[0]
+    module.firewall_waf_v2_api[0]
   ]
 }

infrastructure/iam.tf

@@ -193,3 +193,32 @@ resource "aws_iam_role_policy_attachment" "ods_report_presign_url" {
   role       = aws_iam_role.ods_report_presign_url_role.name
   policy_arn = aws_iam_policy.s3_document_data_policy_for_ods_report_lambda.arn
 }
+
+resource "aws_iam_role" "api_gateway_cloudwatch" {
+  count = local.is_sandbox ? 0 : 1
+  name  = "${terraform.workspace}_NdrAPIGatewayLogs"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "apigateway.amazonaws.com"
+        }
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "api_gateway_logs" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = aws_iam_role.api_gateway_cloudwatch[0].name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+}
+
+resource "aws_api_gateway_account" "logging" {
+  count               = local.is_sandbox ? 0 : 1
+  cloudwatch_role_arn = aws_iam_role.api_gateway_cloudwatch[0].arn
+}

infrastructure/modules/firewall_waf_v2/local.tf

@@ -2,7 +2,7 @@ locals {
 
   image_regex = "^\\/images(\\/\\w+)+\\/$"
 
-  waf_rules = [
+  waf_rules_raw = [
     {
       name                    = "AWSCoreRuleSet"
       managed_rule_name       = "AWSManagedRulesCommonRuleSet"
@@ -47,8 +47,14 @@ locals {
     }
   ]
 
+  # Filter out AWSBotControl if var.api is true
+  waf_rules = [
+    for rule in local.waf_rules_raw : rule
+    if !(var.api && rule.name == "AWSBotControl")
+  ]
+
   waf_rules_map = zipmap(
     range(0, length(local.waf_rules)),
     local.waf_rules
   )
-}
+}

infrastructure/modules/firewall_waf_v2/main.tf

@@ -1,5 +1,5 @@
 resource "aws_wafv2_web_acl" "waf_v2_acl" {
-  name        = "${terraform.workspace}-${var.cloudfront_acl ? "cloudfront" : ""}-fw-waf-v2"
+  name        = "${terraform.workspace}${var.api ? "-api" : var.cloudfront_acl ? "-cloudfront" : ""}-fw-waf-v2"
   description = "A WAF to secure the Repo application."
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 

infrastructure/modules/firewall_waf_v2/regex.tf

@@ -1,5 +1,5 @@
 resource "aws_wafv2_regex_pattern_set" "large_body_uri" {
-  name        = "${terraform.workspace}-fw-waf-body-size"
+  name        = "${terraform.workspace}-fw-waf-body-size${var.api ? "-api" : ""}"
   description = "A set of regex to allow specific pages to bypass the large body check"
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
@@ -22,7 +22,7 @@ resource "aws_wafv2_regex_pattern_set" "large_body_uri" {
 }
 
 resource "aws_wafv2_regex_pattern_set" "xss_body_uri" {
-  name        = "${terraform.workspace}-fw-waf-body-xss"
+  name        = "${terraform.workspace}-fw-waf-body-xss${var.api ? "-api" : ""}"
   description = "A regex to allow specific pages to bypass XSS checks on body"
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
@@ -40,7 +40,7 @@ resource "aws_wafv2_regex_pattern_set" "xss_body_uri" {
 }
 
 resource "aws_wafv2_regex_pattern_set" "exclude_cms_uri" {
-  name        = "${terraform.workspace}-fw-waf-cms-exclude"
+  name        = "${terraform.workspace}-fw-waf-cms-exclude${var.api ? "-api" : ""}"
   description = "A regex to allow CMS calls to bypass firewalls"
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
@@ -55,4 +55,4 @@ resource "aws_wafv2_regex_pattern_set" "exclude_cms_uri" {
     Environment = var.environment
     Workspace   = terraform.workspace
   }
-}
+}

infrastructure/modules/firewall_waf_v2/variables.tf

@@ -10,3 +10,9 @@ variable "cloudfront_acl" {
   type = bool
 }
 
+variable "api" {
+  type        = bool
+  description = "True if using the firewall for an api - removes AWSBotControl"
+  default     = false
+}
+