NDR-213 Add mTLS api gateway

Author: megan-bower4

infrastructure/acm_certificate.tf

@@ -0,0 +1,32 @@
+resource "aws_acm_certificate" "mtls_api_gateway_cert" {
+  domain_name       = local.mtls_api_gateway_full_domain_name
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# Record used by ACM for DNS Validation
+resource "aws_route53_record" "validation" {
+  for_each = {
+    for dvo in aws_acm_certificate.mtls_api_gateway_cert.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = module.route53_fargate_ui.zone_id #todo change to mtls rute 53
+}
+
+
+resource "aws_acm_certificate_validation" "mtls_api_gateway_cert" {
+  certificate_arn         = aws_acm_certificate.mtls_api_gateway_cert.arn
+  validation_record_fqdns = [for record in aws_route53_record.validation : record.fqdn]
+}

infrastructure/api-key-pdm.tf

@@ -1,8 +1,8 @@
 resource "aws_api_gateway_usage_plan" "api_key_pdm" {
   name = "${terraform.workspace}_pdm-usage-plan"
   api_stages {
-    api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
-    stage  = aws_api_gateway_stage.ndr_api.stage_name
+    api_id = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+    stage  = aws_api_gateway_stage.ndr_api_mtls.stage_name
   }
 }
 

infrastructure/api_mtls.tf

@@ -0,0 +1,127 @@
+# New API Gateway for mTLS
+resource "aws_api_gateway_rest_api" "ndr_doc_store_api_mtls" {
+  name        = "${terraform.workspace}_DocStoreApiMtls"
+  description = "Document store API with mTLS enabled"
+
+  tags = {
+    Name = "${terraform.workspace}_DocStoreApiMtls"
+  }
+}
+
+resource "aws_api_gateway_domain_name" "custom_api_domain_mtls" {
+  domain_name              = local.mtls_api_gateway_full_domain_name
+  regional_certificate_arn = aws_acm_certificate_validation.mtls_api_gateway_cert.certificate_arn
+  security_policy          = "TLS_1_2"
+
+  endpoint_configuration {
+    types = ["REGIONAL"]
+  }
+
+  mutual_tls_authentication {
+    truststore_uri = "s3://${terraform.workspace}-${var.truststore_bucket_name}/${var.ca_pem_filename}"
+  }
+}
+
+resource "aws_api_gateway_base_path_mapping" "api_mapping_mtls" {
+  api_id      = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  stage_name  = var.environment
+  domain_name = aws_api_gateway_domain_name.custom_api_domain_mtls.domain_name
+
+  depends_on = [aws_api_gateway_deployment.ndr_api_deploy_mtls]
+}
+
+resource "aws_api_gateway_deployment" "ndr_api_deploy_mtls" {
+  rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+
+  depends_on = [
+    aws_api_gateway_rest_api.ndr_doc_store_api_mtls,
+    aws_api_gateway_resource.get_document_reference_mtls,
+    module.get-doc-fhir-lambda,
+    aws_api_gateway_integration.get_doc_fhir_lambda_integration,
+    aws_lambda_permission.lambda_permission_get_mtls_api,
+    module.post-document-references-fhir-lambda,
+    aws_api_gateway_integration.post_doc_fhir_lambda_integration,
+    aws_lambda_permission.lambda_permission_post_mtls_api,
+    module.search-document-references-fhir-lambda,
+    aws_api_gateway_integration.search_doc_fhir_lambda_integration,
+    aws_lambda_permission.lambda_permission_search_mtls_api,
+  ]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  variables = {
+    deployed_at = timestamp()
+  }
+}
+
+resource "aws_api_gateway_stage" "ndr_api_mtls" {
+  deployment_id        = aws_api_gateway_deployment.ndr_api_deploy_mtls.id
+  rest_api_id          = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  stage_name           = var.environment
+  xray_tracing_enabled = var.enable_xray_tracing
+}
+
+resource "aws_cloudwatch_log_group" "mtls_api_gateway_stage" {
+  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id}/${var.environment}"
+  retention_in_days = 0
+  depends_on = [
+    aws_api_gateway_account.logging
+  ]
+}
+
+resource "aws_api_gateway_method_settings" "mtls_api_gateway_stage" {
+  rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  stage_name  = aws_api_gateway_stage.ndr_api_mtls.stage_name
+  method_path = "*/*"
+
+  settings {
+    logging_level      = "INFO"
+    metrics_enabled    = true
+    data_trace_enabled = true
+  }
+}
+
+resource "aws_api_gateway_gateway_response" "unauthorised_response_mtls" {
+  rest_api_id   = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  response_type = "DEFAULT_4XX"
+
+  response_templates = {
+    "application/json" = "{\"message\":$context.error.messageString}"
+  }
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"      = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods"     = "'*'"
+    "gatewayresponse.header.Access-Control-Allow-Headers"     = "'Content-Type,X-Amz-Date,Authorization,X-Auth,X-Api-Key,X-Amz-Security-Token,X-Auth-Cookie,Accept'"
+    "gatewayresponse.header.Access-Control-Allow-Credentials" = "'true'"
+  }
+}
+
+resource "aws_api_gateway_gateway_response" "bad_gateway_response_mtls" {
+  rest_api_id   = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  response_type = "DEFAULT_5XX"
+
+  response_templates = {
+    "application/json" = "{\"message\":$context.error.messageString}"
+  }
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"      = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods"     = "'*'"
+    "gatewayresponse.header.Access-Control-Allow-Headers"     = "'Content-Type,X-Amz-Date,Authorization,X-Auth,X-Api-Key,X-Amz-Security-Token,X-Auth-Cookie,Accept'"
+    "gatewayresponse.header.Access-Control-Allow-Credentials" = "'true'"
+  }
+}
+
+module "mtls_api_endpoint_url_ssm_parameter" {
+  source              = "./modules/ssm_parameter"
+  name                = "${terraform.workspace}_ApiEndpointMtls"
+  description         = "mTLS api endpoint URL for ${var.environment}"
+  resource_depends_on = aws_api_gateway_deployment.ndr_api_deploy_mtls
+  value               = "https://${aws_api_gateway_base_path_mapping.api_mapping_mtls.domain_name}"
+  type                = "SecureString"
+  owner               = var.owner
+  environment         = var.environment
+}

infrastructure/dev.tfvars

@@ -1,8 +1,9 @@
-environment                       = "dev"
-owner                             = "nhse/ndr-team"
-domain                            = "access-request-fulfilment.patient-deductions.nhs.uk"
-certificate_domain                = "access-request-fulfilment.patient-deductions.nhs.uk"
-certificate_subdomain_name_prefix = "api-"
+environment                            = "dev"
+owner                                  = "nhse/ndr-team"
+domain                                 = "access-request-fulfilment.patient-deductions.nhs.uk"
+certificate_domain                     = "access-request-fulfilment.patient-deductions.nhs.uk"
+certificate_subdomain_name_prefix      = "api-"
+certificate_subdomain_name_prefix_mtls = "mtls-"
 
 standalone_vpc_tag    = "ndr-dev"
 standalone_vpc_ig_tag = "ndr-dev"

infrastructure/gateway-document-reference-mtls.tf

@@ -0,0 +1,10 @@
+module "fhir_document_reference_mtls_gateway" {
+  source              = "./modules/gateway"
+  api_gateway_id      = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  parent_id           = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.root_resource_id
+  http_methods        = ["POST", "GET"]
+  authorization       = "NONE"
+  api_key_required    = true
+  gateway_path        = "DocumentReference"
+  require_credentials = true
+}

infrastructure/lambda-get-document-fhir.tf

@@ -4,6 +4,12 @@ resource "aws_api_gateway_resource" "get_document_reference" {
   path_part   = "{id}"
 }
 
+resource "aws_api_gateway_resource" "get_document_reference_mtls" {
+  rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  parent_id   = module.fhir_document_reference_mtls_gateway.gateway_resource_id
+  path_part   = "{id}"
+}
+
 resource "aws_api_gateway_method" "get_document_reference" {
   rest_api_id      = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id      = aws_api_gateway_resource.get_document_reference.id
@@ -15,6 +21,17 @@ resource "aws_api_gateway_method" "get_document_reference" {
   }
 }
 
+resource "aws_api_gateway_method" "get_document_reference_mtls" {
+  rest_api_id      = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  resource_id      = aws_api_gateway_resource.get_document_reference_mtls.id
+  http_method      = "GET"
+  authorization    = "NONE"
+  api_key_required = true
+  request_parameters = {
+    "method.request.path.id" = true
+  }
+}
+
 
 module "get-doc-fhir-lambda" {
   source  = "./modules/lambda"
@@ -46,3 +63,21 @@ module "get-doc-fhir-lambda" {
   depends_on = [aws_api_gateway_method.get_document_reference]
 }
 
+resource "aws_api_gateway_integration" "get_doc_fhir_lambda_integration" {
+  rest_api_id             = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  resource_id             = aws_api_gateway_resource.get_document_reference_mtls.id
+  http_method             = "GET"
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = module.get-doc-fhir-lambda[0].invoke_arn
+}
+
+resource "aws_lambda_permission" "lambda_permission_get_mtls_api" {
+  statement_id  = "AllowAPImTLSGatewayInvoke"
+  action        = "lambda:InvokeFunction"
+  function_name = module.get-doc-fhir-lambda[0].lambda_arn
+  principal     = "apigateway.amazonaws.com"
+  # The "/*/*" portion grants access from any method on any resource
+  # within the API Gateway REST API.
+  source_arn = "${aws_api_gateway_rest_api.ndr_doc_store_api_mtls.execution_arn}/*/*"
+}

infrastructure/lambda-post-document-fhir.tf

@@ -27,3 +27,22 @@ module "post-document-references-fhir-lambda" {
     PRESIGNED_ASSUME_ROLE           = aws_iam_role.create_post_presign_url_role.arn
   }
 }
+
+resource "aws_api_gateway_integration" "post_doc_fhir_lambda_integration" {
+  rest_api_id             = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  resource_id             = module.fhir_document_reference_mtls_gateway.gateway_resource_id
+  http_method             = "POST"
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = module.post-document-references-fhir-lambda[0].invoke_arn
+}
+
+resource "aws_lambda_permission" "lambda_permission_post_mtls_api" {
+  statement_id  = "AllowAPImTLSGatewayInvoke"
+  action        = "lambda:InvokeFunction"
+  function_name = module.post-document-references-fhir-lambda[0].lambda_arn
+  principal     = "apigateway.amazonaws.com"
+  # The "/*/*" portion grants access from any method on any resource
+  # within the API Gateway REST API.
+  source_arn = "${aws_api_gateway_rest_api.ndr_doc_store_api_mtls.execution_arn}/*/*"
+}

infrastructure/lambda-search-document-references-fhir.tf

@@ -30,3 +30,22 @@ module "search-document-references-fhir-lambda" {
     module.ndr-app-config
   ]
 }
+
+resource "aws_api_gateway_integration" "search_doc_fhir_lambda_integration" {
+  rest_api_id             = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  resource_id             = module.fhir_document_reference_mtls_gateway.gateway_resource_id
+  http_method             = "GET"
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = module.search-document-references-fhir-lambda[0].invoke_arn
+}
+
+resource "aws_lambda_permission" "lambda_permission_search_mtls_api" {
+  statement_id  = "AllowMtlsApiGatewayInvoke"
+  action        = "lambda:InvokeFunction"
+  function_name = module.search-document-references-fhir-lambda[0].lambda_arn
+  principal     = "apigateway.amazonaws.com"
+  # The "/*/*" portion grants access from any method on any resource
+  # within the API Gateway REST API.
+  source_arn = "${aws_api_gateway_rest_api.ndr_doc_store_api_mtls.execution_arn}/*/*"
+}

infrastructure/preprod.tfvars

@@ -1,8 +1,9 @@
-environment                       = "pre-prod"
-owner                             = "nhse/ndr-team"
-domain                            = "national-document-repository.nhs.uk"
-certificate_domain                = "pre-prod.national-document-repository.nhs.uk"
-certificate_subdomain_name_prefix = "api."
+environment                            = "pre-prod"
+owner                                  = "nhse/ndr-team"
+domain                                 = "national-document-repository.nhs.uk"
+certificate_domain                     = "pre-prod.national-document-repository.nhs.uk"
+certificate_subdomain_name_prefix      = "api."
+certificate_subdomain_name_prefix_mtls = "mtls."
 
 standalone_vpc_tag    = "ndr-pre-prod"
 standalone_vpc_ig_tag = "ndr-pre-prod"

infrastructure/prod.tfvars

@@ -1,8 +1,9 @@
-environment                       = "prod"
-owner                             = "nhse/ndr-team"
-domain                            = "national-document-repository.nhs.uk"
-certificate_domain                = "national-document-repository.nhs.uk"
-certificate_subdomain_name_prefix = "api."
+environment                            = "prod"
+owner                                  = "nhse/ndr-team"
+domain                                 = "national-document-repository.nhs.uk"
+certificate_domain                     = "national-document-repository.nhs.uk"
+certificate_subdomain_name_prefix      = "api."
+certificate_subdomain_name_prefix_mtls = "mtls."
 
 standalone_vpc_tag    = "ndr-prod"
 standalone_vpc_ig_tag = "ndr-prod"