[PRMP-579] add secondary bucket to distribution

Author: steph-torres-nhs

infrastructure/cloudfront.tf

@@ -9,19 +9,23 @@ module "cloudfront_firewall_waf_v2" {
 }
 
 module "cloudfront-distribution-lg" {
-  source             = "./modules/cloudfront"
-  bucket_domain_name = "${terraform.workspace}-${var.lloyd_george_bucket_name}.s3.eu-west-2.amazonaws.com"
-  bucket_id          = module.ndr-lloyd-george-store.bucket_id
-  qualifed_arn       = module.edge-presign-lambda.qualified_arn
-  depends_on         = [module.edge-presign-lambda.qualified_arn, module.ndr-lloyd-george-store.bucket_id, module.ndr-lloyd-george-store.bucket_domain_name]
-  web_acl_id         = try(module.cloudfront_firewall_waf_v2[0].arn, "")
+  has_secondary_bucket          = true
+  secondary_bucket_domain_name  = "${terraform.workspace}-${var.document_review_bucket_name}.s3.eu-west-2.amazonaws.com"
+  secondary_bucket_id           = module.ndr-document-pending-review-store.bucket_id
+  secondary_bucket_path_pattern = "test/*"
+  source                        = "./modules/cloudfront"
+  bucket_domain_name            = "${terraform.workspace}-${var.lloyd_george_bucket_name}.s3.eu-west-2.amazonaws.com"
+  bucket_id                     = module.ndr-lloyd-george-store.bucket_id
+  qualifed_arn                  = module.edge-presign-lambda.qualified_arn
+  depends_on                    = [module.edge-presign-lambda.qualified_arn, module.ndr-lloyd-george-store.bucket_id, module.ndr-lloyd-george-store.bucket_domain_name, module.ndr-document-pending-review-store]
+  web_acl_id                    = try(module.cloudfront_firewall_waf_v2[0].arn, "")
 }
 
-module "cloudfront-distribution-document-pending-review" {
-  source             = "./modules/cloudfront"
-  bucket_domain_name = "${terraform.workspace}-${var.document_review_bucket_name}.s3.eu-west-2.amazonaws.com"
-  bucket_id          = module.ndr-document-pending-review-store.bucket_id
-  qualifed_arn       = module.edge-presign-lambda.qualified_arn
-  depends_on         = [module.edge-presign-lambda.qualified_arn, module.ndr-document-pending-review-store]
-  web_acl_id         = try(module.cloudfront_firewall_waf_v2[0].arn, "")
-}
+# module "cloudfront-distribution-document-pending-review" {
+#   source             = "./modules/cloudfront"
+#   bucket_domain_name = "${terraform.workspace}-${var.document_review_bucket_name}.s3.eu-west-2.amazonaws.com"
+#   bucket_id          = module.ndr-document-pending-review-store.bucket_id
+#   qualifed_arn       = module.edge-presign-lambda.qualified_arn
+#   depends_on         = [module.edge-presign-lambda.qualified_arn, module.ndr-document-pending-review-store]
+#   web_acl_id         = try(module.cloudfront_firewall_waf_v2[0].arn, "")
+# }

infrastructure/lambda-get-document-fhir.tf

@@ -59,7 +59,7 @@ module "get-doc-fhir-lambda" {
     LLOYD_GEORGE_DYNAMODB_NAME = module.lloyd_george_reference_dynamodb_table.table_name
     PDM_DYNAMODB_NAME          = module.pdm_dynamodb_table.table_name
     OIDC_CALLBACK_URL          = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback"
-    CLOUDFRONT_URL             = module.cloudfront-distribution-lg.cloudfront_url
+    CLOUDFRONT_URL             = module.cloudfront-distribution-lg[0].cloudfront_url
     PDS_FHIR_IS_STUBBED        = local.is_sandbox
   }
   depends_on = [

infrastructure/lambda-lloyd-george-record-stitch.tf

@@ -78,7 +78,7 @@ module "lloyd-george-stitch-lambda" {
     LLOYD_GEORGE_BUCKET_NAME      = "${terraform.workspace}-${var.lloyd_george_bucket_name}"
     LLOYD_GEORGE_DYNAMODB_NAME    = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
     STITCH_METADATA_DYNAMODB_NAME = "${terraform.workspace}_${var.stitch_metadata_dynamodb_table_name}"
-    CLOUDFRONT_URL                = module.cloudfront-distribution-lg.cloudfront_url
+    CLOUDFRONT_URL                = module.cloudfront-distribution-lg[0].cloudfront_url
     WORKSPACE                     = terraform.workspace
     PRESIGNED_ASSUME_ROLE         = aws_iam_role.stitch_presign_url_role.arn
     EDGE_REFERENCE_TABLE          = module.cloudfront_edge_dynamodb_table.table_name

infrastructure/modules/cloudfront/main.tf

@@ -12,6 +12,7 @@ resource "aws_cloudfront_origin_access_control" "cloudfront_s3_oac" {
 }
 
 resource "aws_cloudfront_distribution" "distribution" {
+  count = var.has_secondary_bucket ? 0 : 1
   origin {
     domain_name              = var.bucket_domain_name
     origin_id                = var.bucket_id
@@ -32,6 +33,7 @@ resource "aws_cloudfront_distribution" "distribution" {
       lambda_arn = var.qualifed_arn
     }
   }
+
   viewer_certificate {
     cloudfront_default_certificate = true
   }
@@ -44,6 +46,65 @@ resource "aws_cloudfront_distribution" "distribution" {
   web_acl_id = var.web_acl_id
 }
 
+resource "aws_cloudfront_distribution" "distribution_with_secondary_bucket" {
+  count           = var.has_secondary_bucket ? 1 : 0
+  enabled         = true
+  is_ipv6_enabled = true
+
+  origin {
+    domain_name              = var.bucket_domain_name
+    origin_id                = var.bucket_id
+    origin_access_control_id = aws_cloudfront_origin_access_control.cloudfront_s3_oac.id
+  }
+
+  default_cache_behavior {
+    allowed_methods          = ["HEAD", "GET", "OPTIONS"]
+    cached_methods           = ["HEAD", "GET", "OPTIONS"]
+    target_origin_id         = var.bucket_id
+    viewer_protocol_policy   = "redirect-to-https"
+    cache_policy_id          = aws_cloudfront_cache_policy.nocache.id
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.viewer_policy.id
+
+    lambda_function_association {
+      event_type = "origin-request"
+      lambda_arn = var.qualifed_arn
+    }
+  }
+
+  origin {
+    domain_name              = var.secondary_bucket_domain_name
+    origin_id                = var.secondary_bucket_id
+    origin_access_control_id = aws_cloudfront_origin_access_control.cloudfront_s3_oac.id
+  }
+
+  ordered_cache_behavior {
+    allowed_methods          = ["HEAD", "GET", "OPTIONS"]
+    cached_methods           = ["HEAD", "GET", "OPTIONS"]
+    path_pattern             = var.secondary_bucket_path_pattern
+    target_origin_id         = var.secondary_bucket_id
+    viewer_protocol_policy   = "redirect-to-https"
+    cache_policy_id          = aws_cloudfront_cache_policy.nocache.id
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.viewer_policy.id
+
+    lambda_function_association {
+      event_type = "origin-request"
+      lambda_arn = var.qualifed_arn
+    }
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = true
+  }
+  restrictions {
+    geo_restriction {
+      restriction_type = "whitelist"
+      locations        = local.allow_us_comms ? ["GB", "US"] : ["GB"]
+    }
+  }
+  web_acl_id = var.web_acl_id
+}
+
+
 resource "aws_cloudfront_origin_request_policy" "viewer_policy" {
   name = "${terraform.workspace}_BlockQueriesAndAllowViewer"
 

infrastructure/modules/cloudfront/variable.tf

@@ -19,3 +19,22 @@ variable "web_acl_id" {
   default     = ""
 }
 
+variable "has_secondary_bucket" {
+  description = "Whether distribution is associated with a secondary buckets"
+  type        = bool
+}
+
+variable "secondary_bucket_id" {
+  description = "Secondary bucket IDs"
+  type        = string
+}
+
+variable "secondary_bucket_domain_name" {
+  description = "Secondary bucket domain names"
+  type        = string
+}
+
+variable "secondary_bucket_path_pattern" {
+  description = "Path patter for secondary bucket"
+  type        = string
+}