NDR-213 Add mTLS api gateway

Author: megan-bower4

infrastructure/acm_certificate.tf

@@ -0,0 +1,32 @@
+resource "aws_acm_certificate" "mtls_api_gateway_cert" {
+  domain_name       = local.mtls_api_gateway_full_domain_name
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# Record used by ACM for DNS Validation
+resource "aws_route53_record" "validation" {
+  for_each = {
+    for dvo in aws_acm_certificate.mtls_api_gateway_cert.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = module.route53_fargate_ui.zone_id #todo change to mtls rute 53
+}
+
+
+resource "aws_acm_certificate_validation" "mtls_api_gateway_cert" {
+  certificate_arn         = aws_acm_certificate.mtls_api_gateway_cert.arn
+  validation_record_fqdns = [for record in aws_route53_record.validation : record.fqdn]
+}

infrastructure/api_mtls.tf

@@ -0,0 +1,120 @@
+# New API Gateway for mTLS
+resource "aws_api_gateway_rest_api" "ndr_doc_store_api_mtls" {
+  name        = "${terraform.workspace}-DocStoreAPI-mTLS"
+  description = "Docuemnt store API with mTLS enabled"
+
+  tags = {
+    Name        = "${terraform.workspace}-docstore-api-mtls"
+    Owner       = var.owner
+    Environment = var.environment
+    Workspace   = terraform.workspace
+  }
+}
+
+resource "aws_api_gateway_domain_name" "custom_api_domain_mtls" {
+  domain_name              = local.mtls_api_gateway_full_domain_name
+  regional_certificate_arn = aws_acm_certificate_validation.mtls_api_gateway_cert.certificate_arn
+  security_policy          = "TLS_1_2"
+
+  endpoint_configuration {
+    types = ["REGIONAL"]
+  }
+
+  mutual_tls_authentication {
+    truststore_uri = "s3://${terraform.workspace}-${var.truststore_bucket_name}/${var.ca_pem_filename}"
+  }
+}
+
+resource "aws_api_gateway_base_path_mapping" "api_mapping_mtls" {
+  api_id      = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  stage_name  = var.environment
+  domain_name = aws_api_gateway_domain_name.custom_api_domain_mtls.domain_name
+
+  depends_on = [aws_api_gateway_deployment.ndr_api_deploy_mtls]
+}
+
+resource "aws_api_gateway_deployment" "ndr_api_deploy_mtls" {
+  rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+
+  depends_on = [ 
+    aws_api_gateway_rest_api.ndr_doc_store_api_mtls,
+    ]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  variables = {
+    deployed_at = timestamp()
+  }
+}
+
+resource "aws_api_gateway_stage" "ndr_api_mtls" {
+  deployment_id        = aws_api_gateway_deployment.ndr_api_deploy_mtls.id
+  rest_api_id          = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  stage_name           = var.environment
+  xray_tracing_enabled = var.enable_xray_tracing
+}
+
+resource "aws_cloudwatch_log_group" "mtls_api_gateway_stage" {
+  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id}/${var.environment}"
+  retention_in_days = 0
+  depends_on = [
+    aws_api_gateway_account.logging
+  ]
+}
+
+resource "aws_api_gateway_method_settings" "mtls_api_gateway_stage" {
+  rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  stage_name  = aws_api_gateway_stage.ndr_api_mtls.stage_name
+  method_path = "*/*"
+
+  settings {
+    logging_level      = "INFO"
+    metrics_enabled    = true
+    data_trace_enabled = true
+  }
+}
+
+resource "aws_api_gateway_gateway_response" "unauthorised_response_mtls" {
+  rest_api_id   = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  response_type = "DEFAULT_4XX"
+
+  response_templates = {
+    "application/json" = "{\"message\":$context.error.messageString}"
+  }
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"      = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods"     = "'*'"
+    "gatewayresponse.header.Access-Control-Allow-Headers"     = "'Content-Type,X-Amz-Date,Authorization,X-Auth,X-Api-Key,X-Amz-Security-Token,X-Auth-Cookie,Accept'"
+    "gatewayresponse.header.Access-Control-Allow-Credentials" = "'true'"
+  }
+}
+
+resource "aws_api_gateway_gateway_response" "bad_gateway_response_mtls" {
+  rest_api_id   = aws_api_gateway_rest_api.ndr_doc_store_api_mtls.id
+  response_type = "DEFAULT_5XX"
+
+  response_templates = {
+    "application/json" = "{\"message\":$context.error.messageString}"
+  }
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"      = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods"     = "'*'"
+    "gatewayresponse.header.Access-Control-Allow-Headers"     = "'Content-Type,X-Amz-Date,Authorization,X-Auth,X-Api-Key,X-Amz-Security-Token,X-Auth-Cookie,Accept'"
+    "gatewayresponse.header.Access-Control-Allow-Credentials" = "'true'"
+  }
+}
+
+module "mtls_api_endpoint_url_ssm_parameter" {
+  source              = "./modules/ssm_parameter"
+  name                = "api_endpoint_mtls"
+  description         = "mTLS api endpoint URL for ${var.environment}"
+  resource_depends_on = aws_api_gateway_deployment.ndr_api_deploy_mtls
+  value               = "https://${aws_api_gateway_base_path_mapping.api_mapping_mtls.domain_name}"
+  type                = "SecureString"
+  owner               = var.owner
+  environment         = var.environment
+}

infrastructure/route53.tf

@@ -10,3 +10,15 @@ module "route53_fargate_ui" {
   api_gateway_full_domain_name = aws_api_gateway_domain_name.custom_api_domain.regional_domain_name
   api_gateway_zone_id          = aws_api_gateway_domain_name.custom_api_domain.regional_zone_id
 }
+
+resource "aws_route53_record" "ndr_mtls_api_record" {
+  name    = local.mtls_api_gateway_full_domain_name
+  type    = "A"
+  zone_id = module.route53_fargate_ui.zone_id
+
+  alias {
+    name                   = aws_api_gateway_domain_name.custom_api_domain_mtls.regional_domain_name
+    zone_id                = aws_api_gateway_domain_name.custom_api_domain_mtls.regional_zone_id
+    evaluate_target_health = true
+  }
+}

infrastructure/variable.tf

@@ -63,6 +63,12 @@ variable "truststore_bucket_name" {
   default     = "ndr-truststore"
 }
 
+variable "ca_pem_filename" {
+  type        = string
+  description = "Filename of the CA Truststore pem file stored in the core Truststore s3 bucket"
+  default     = "ndr-truststore.pem"
+}
+
 # DynamoDB Table Variables
 
 variable "pdm_dynamodb_table_name" {
@@ -219,6 +225,9 @@ locals {
   api_gateway_subdomain_name   = contains(["prod"], terraform.workspace) ? "${var.certificate_subdomain_name_prefix}" : "${var.certificate_subdomain_name_prefix}${terraform.workspace}"
   api_gateway_full_domain_name = contains(["prod"], terraform.workspace) ? "${var.certificate_subdomain_name_prefix}${var.domain}" : "${var.certificate_subdomain_name_prefix}${terraform.workspace}.${var.domain}"
 
+  mtls_api_gateway_subdomain_name   = contains(["prod"], terraform.workspace) ? "mtls.${var.certificate_subdomain_name_prefix}" : "mtls.${var.certificate_subdomain_name_prefix}${terraform.workspace}"
+  mtls_api_gateway_full_domain_name = contains(["prod"], terraform.workspace) ? "mtls.${var.domain}" : "mtls.${terraform.workspace}.${var.domain}"
+
   current_region     = data.aws_region.current.name
   current_account_id = data.aws_caller_identity.current.account_id