Merge branch 'main' into PRMT-17

MohammadIqbalAD-NHS · web-flow · commit 8fdbeaf074d7 · 2025-04-30T09:24:13.000+01:00
diff --git a/.github/workflows/terraform-destroy-test-environments-cron.yml b/.github/workflows/terraform-destroy-test-environments-cron.yml
@@ -79,6 +79,22 @@ jobs:
         working-directory: ./infrastructure
         shell: bash
 
+      - name: Pre-cleanup AWS Backup Recovery Points
+        run: |
+          RECOVERY_POINTS=$(aws backup list-recovery-points-by-backup-vault \
+            --backup-vault-name ${{ matrix.sandbox-name }}_backup_vault \
+            --region eu-west-2 \
+            --query 'RecoveryPoints[*].RecoveryPointArn' \
+            --output text)
+      
+          for ARN in $RECOVERY_POINTS; do
+            echo "Deleting recovery point: $ARN"
+            aws backup delete-recovery-point \
+              --backup-vault-name ${{ matrix.sandbox-name }}_backup_vault \
+              --recovery-point-arn $ARN \
+              --region eu-west-2
+          done
+
       - name: Terraform Destroy
         id: destroy
         run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}"
diff --git a/bootstrap/README.md b/bootstrap/README.md
@@ -9,7 +9,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.70.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
 
 ## Modules
 
diff --git a/infrastructure/README.md b/infrastructure/README.md
@@ -8,7 +8,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.86.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.95.0 |
 
 ## Modules
 
@@ -39,8 +39,9 @@
 | <a name="module_bulk-upload-report-alarm-topic"></a> [bulk-upload-report-alarm-topic](#module\_bulk-upload-report-alarm-topic) | ./modules/sns | n/a |
 | <a name="module_bulk-upload-report-lambda"></a> [bulk-upload-report-lambda](#module\_bulk-upload-report-lambda) | ./modules/lambda | n/a |
 | <a name="module_bulk_upload_report_dynamodb_table"></a> [bulk\_upload\_report\_dynamodb\_table](#module\_bulk\_upload\_report\_dynamodb\_table) | ./modules/dynamo_db | n/a |
-| <a name="module_cloudfront-distribution-lg"></a> [cloudfront-distribution-lg](#module\_cloudfront-distribution-lg) | ./modules/cloudfront/ | n/a |
+| <a name="module_cloudfront-distribution-lg"></a> [cloudfront-distribution-lg](#module\_cloudfront-distribution-lg) | ./modules/cloudfront | n/a |
 | <a name="module_cloudfront_edge_dynamodb_table"></a> [cloudfront\_edge\_dynamodb\_table](#module\_cloudfront\_edge\_dynamodb\_table) | ./modules/dynamo_db | n/a |
+| <a name="module_cloudfront_firewall_waf_v2"></a> [cloudfront\_firewall\_waf\_v2](#module\_cloudfront\_firewall\_waf\_v2) | ./modules/firewall_waf_v2 | n/a |
 | <a name="module_create-doc-ref-gateway"></a> [create-doc-ref-gateway](#module\_create-doc-ref-gateway) | ./modules/gateway | n/a |
 | <a name="module_create-doc-ref-lambda"></a> [create-doc-ref-lambda](#module\_create-doc-ref-lambda) | ./modules/lambda | n/a |
 | <a name="module_create-token-gateway"></a> [create-token-gateway](#module\_create-token-gateway) | ./modules/gateway | n/a |
@@ -224,6 +225,8 @@
 | [aws_cloudwatch_metric_alarm.stitching_dlq_new_messages](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_cognito_identity_pool.cloudwatch_rum](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_identity_pool) | resource |
 | [aws_cognito_identity_pool_roles_attachment.cloudwatch_rum](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_identity_pool_roles_attachment) | resource |
+| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
+| [aws_default_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc) | resource |
 | [aws_iam_policy.cloudwatch_log_query_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.cloudwatch_rum_cognito_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.copy_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -240,9 +243,7 @@
 | [aws_iam_policy.s3_document_data_policy_put_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ses_send_email_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.ssm_policy_authoriser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.ssm_policy_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.ssm_policy_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.ssm_access_policy_authoriser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.cognito_unauthenticated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.create_post_presign_url_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.cross_account_backup_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
diff --git a/infrastructure/cloudfront.tf b/infrastructure/cloudfront.tf
@@ -1,7 +1,18 @@
+module "cloudfront_firewall_waf_v2" {
+  source         = "./modules/firewall_waf_v2"
+  cloudfront_acl = true
+
+  environment = var.environment
+  owner       = var.owner
+  count       = local.is_sandbox ? 0 : 1
+  providers   = { aws = aws.us_east_1 }
+}
+
 module "cloudfront-distribution-lg" {
-  source             = "./modules/cloudfront/"
+  source             = "./modules/cloudfront"
   bucket_domain_name = "${terraform.workspace}-${var.lloyd_george_bucket_name}.s3.eu-west-2.amazonaws.com"
   bucket_id          = module.ndr-lloyd-george-store.bucket_id
   qualifed_arn       = module.edge-presign-lambda.qualified_arn
   depends_on         = [module.edge-presign-lambda.qualified_arn, module.ndr-lloyd-george-store.bucket_id, module.ndr-lloyd-george-store.bucket_domain_name]
-}
+  web_acl_id         = try(module.cloudfront_firewall_waf_v2[0].arn, "")
+}
diff --git a/infrastructure/firewall.tf b/infrastructure/firewall.tf
@@ -1,24 +1,18 @@
 module "firewall_waf_v2" {
-  source = "./modules/firewall_waf_v2"
-
-  environment = var.environment
-  owner       = var.owner
-  count = (terraform.workspace == "ndra" ||
-    terraform.workspace == "ndrb" ||
-    terraform.workspace == "ndrc" ||
-  terraform.workspace == "ndrd") ? 0 : 1
+  source         = "./modules/firewall_waf_v2"
+  cloudfront_acl = false
+  environment    = var.environment
+  owner          = var.owner
+  count          = local.is_sandbox ? 0 : 1
 }
 
 resource "aws_wafv2_web_acl_association" "web_acl_association" {
   resource_arn = module.ndr-ecs-fargate-app.load_balancer_arn
   web_acl_arn  = module.firewall_waf_v2[0].arn
-
-  count = (terraform.workspace == "ndra" ||
-    terraform.workspace == "ndrb" ||
-    terraform.workspace == "ndrc" ||
-  terraform.workspace == "ndrd") ? 0 : 1
+  count        = local.is_sandbox ? 0 : 1
   depends_on = [
     module.ndr-ecs-fargate-app,
     module.firewall_waf_v2[0]
   ]
-}
+}
+
diff --git a/infrastructure/iam.tf b/infrastructure/iam.tf
@@ -46,6 +46,7 @@ resource "aws_iam_policy" "s3_document_data_policy_for_stitch_lambda" {
         "Effect" : "Allow",
         "Action" : [
           "s3:GetObject",
+          "S3:ListBucket",
         ],
         "Resource" : ["${module.ndr-lloyd-george-store.bucket_arn}/combined_files/*"]
       }
@@ -188,4 +189,3 @@ resource "aws_iam_role_policy_attachment" "ods_report_presign_url" {
   role       = aws_iam_role.ods_report_presign_url_role.name
   policy_arn = aws_iam_policy.s3_document_data_policy_for_ods_report_lambda.arn
 }
-
diff --git a/infrastructure/lambda-authoriser.tf b/infrastructure/lambda-authoriser.tf
@@ -3,7 +3,7 @@ module "authoriser-lambda" {
   name    = "AuthoriserLambda"
   handler = "handlers.authoriser_handler.lambda_handler"
   iam_role_policy_documents = [
-    aws_iam_policy.ssm_policy_authoriser.policy,
+    aws_iam_policy.ssm_access_policy_authoriser.policy,
     module.auth_session_dynamodb_table.dynamodb_read_policy_document,
     module.auth_session_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-app-config.app_config_policy
@@ -23,7 +23,7 @@ module "authoriser-lambda" {
   is_invoked_from_gateway       = true
 
   depends_on = [
-    aws_iam_policy.ssm_policy_authoriser,
+    aws_iam_policy.ssm_access_policy_authoriser,
     module.auth_session_dynamodb_table,
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.ndr-app-config
@@ -82,7 +82,7 @@ resource "aws_api_gateway_authorizer" "repo_authoriser" {
   authorizer_result_ttl_in_seconds = 0
 }
 
-resource "aws_iam_policy" "ssm_policy_authoriser" {
+resource "aws_iam_policy" "ssm_access_policy_authoriser" {
   name = "${terraform.workspace}_ssm_public_token_policy"
   policy = jsonencode({
     Version = "2012-10-17",
diff --git a/infrastructure/lambda-back-channel-logout.tf b/infrastructure/lambda-back-channel-logout.tf
@@ -24,7 +24,7 @@ module "back_channel_logout_lambda" {
   name    = "BackChannelLogoutHandler"
   handler = "handlers.back_channel_logout_handler.lambda_handler"
   iam_role_policy_documents = [
-    aws_iam_policy.ssm_policy_oidc.policy,
+    aws_iam_policy.ssm_access_policy.policy,
     module.auth_session_dynamodb_table.dynamodb_read_policy_document,
     module.auth_session_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-app-config.app_config_policy
@@ -45,7 +45,7 @@ module "back_channel_logout_lambda" {
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
-    aws_iam_policy.ssm_policy_oidc,
+    aws_iam_policy.ssm_access_policy,
     module.auth_session_dynamodb_table,
     module.back-channel-logout-gateway,
     module.ndr-app-config
diff --git a/infrastructure/lambda-edge-presign.tf b/infrastructure/lambda-edge-presign.tf
@@ -73,8 +73,7 @@ module "edge-presign-lambda" {
   handler        = "handlers.edge_presign_handler.lambda_handler"
   iam_role_policies = [
     "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
-    aws_iam_policy.ssm_policy_oidc.arn,
-    module.auth_state_dynamodb_table.dynamodb_policy,
+    aws_iam_policy.ssm_access_policy.arn,
     module.ndr-app-config.app_config_policy_arn
   ]
   providers = {
diff --git a/infrastructure/lambda-lloyd-george-record-stitch.tf b/infrastructure/lambda-lloyd-george-record-stitch.tf
@@ -73,7 +73,8 @@ module "lloyd-george-stitch-lambda" {
     module.stitch_metadata_reference_dynamodb_table.dynamodb_read_policy_document,
     module.stitch_metadata_reference_dynamodb_table.dynamodb_write_policy_document,
     module.lloyd_george_reference_dynamodb_table.dynamodb_read_policy_document,
-    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document
+    module.lloyd_george_reference_dynamodb_table.dynamodb_write_policy_document,
+    module.cloudfront_edge_dynamodb_table.dynamodb_write_policy_document
   ]
   rest_api_id       = aws_api_gateway_rest_api.ndr_doc_store_api.id
   resource_id       = module.lloyd-george-stitch-gateway.gateway_resource_id
@@ -91,6 +92,7 @@ module "lloyd-george-stitch-lambda" {
     SPLUNK_SQS_QUEUE_URL          = try(module.sqs-splunk-queue[0].sqs_url, null)
     WORKSPACE                     = terraform.workspace
     PRESIGNED_ASSUME_ROLE         = aws_iam_role.stitch_presign_url_role.arn
+    EDGE_REFERENCE_TABLE          = module.cloudfront_edge_dynamodb_table.table_name
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
diff --git a/infrastructure/lambda-login-redirect.tf b/infrastructure/lambda-login-redirect.tf
@@ -20,7 +20,7 @@ module "login_redirect_lambda" {
   name    = "LoginRedirectHandler"
   handler = "handlers.login_redirect_handler.lambda_handler"
   iam_role_policy_documents = [
-    aws_iam_policy.ssm_policy_oidc.policy,
+    aws_iam_policy.ssm_access_policy.policy,
     module.auth_state_dynamodb_table.dynamodb_read_policy_document,
     module.auth_state_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-app-config.app_config_policy
@@ -40,7 +40,7 @@ module "login_redirect_lambda" {
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     aws_api_gateway_resource.login_resource,
-    aws_iam_policy.ssm_policy_oidc,
+    aws_iam_policy.ssm_access_policy,
     module.auth_state_dynamodb_table,
     module.ndr-app-config
   ]
@@ -89,22 +89,3 @@ module "login_redirect-alarm_topic" {
   depends_on = [module.login_redirect_lambda, module.sns_encryption_key]
 }
 
-resource "aws_iam_policy" "ssm_policy_oidc" {
-  name = "${terraform.workspace}_ssm_oidc_policy"
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "ssm:GetParameters",
-          "ssm:GetParameter",
-          "ssm:GetParametersByPath"
-        ],
-        Resource = [
-          "arn:aws:ssm:*:*:parameter/*",
-        ]
-      }
-    ]
-  })
-}
diff --git a/infrastructure/lambda-logout.tf b/infrastructure/lambda-logout.tf
@@ -23,7 +23,7 @@ module "logout_lambda" {
   name    = "LogoutHandler"
   handler = "handlers.logout_handler.lambda_handler"
   iam_role_policy_documents = [
-    aws_iam_policy.ssm_policy_oidc.policy,
+    aws_iam_policy.ssm_access_policy.policy,
     module.auth_session_dynamodb_table.dynamodb_read_policy_document,
     module.auth_session_dynamodb_table.dynamodb_write_policy_document,
     module.ndr-app-config.app_config_policy
@@ -42,7 +42,7 @@ module "logout_lambda" {
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
-    aws_iam_policy.ssm_policy_oidc,
+    aws_iam_policy.ssm_access_policy,
     module.auth_session_dynamodb_table,
     module.logout-gateway,
     module.ndr-app-config
diff --git a/infrastructure/lambda-token.tf b/infrastructure/lambda-token.tf
@@ -24,7 +24,7 @@ module "create-token-lambda" {
   name    = "TokenRequestHandler"
   handler = "handlers.token_handler.lambda_handler"
   iam_role_policy_documents = [
-    aws_iam_policy.ssm_policy_token.policy,
+    aws_iam_policy.ssm_access_policy.policy,
     module.auth_session_dynamodb_table.dynamodb_read_policy_document,
     module.auth_session_dynamodb_table.dynamodb_write_policy_document,
     module.auth_state_dynamodb_table.dynamodb_read_policy_document,
@@ -50,7 +50,7 @@ module "create-token-lambda" {
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
-    aws_iam_policy.ssm_policy_token,
+    aws_iam_policy.ssm_access_policy,
     module.auth_session_dynamodb_table,
     module.auth_state_dynamodb_table,
     module.create-token-gateway,
@@ -103,25 +103,6 @@ module "create_token-alarm_topic" {
   depends_on = [module.create-token-lambda, module.sns_encryption_key]
 }
 
-resource "aws_iam_policy" "ssm_policy_token" {
-  name = "${terraform.workspace}_ssm_token_private_policy"
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "ssm:GetParameter",
-          "ssm:GetParameters",
-          "ssm:GetParametersByPath"
-        ],
-        Resource = [
-          "arn:aws:ssm:*:*:parameter/*",
-        ]
-      }
-    ]
-  })
-}
 
 resource "aws_iam_role_policy_attachment" "policy_audit_token_lambda" {
   count      = local.is_sandbox ? 0 : 1
diff --git a/infrastructure/modules/app_config/README.md b/infrastructure/modules/app_config/README.md
@@ -6,7 +6,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.96.0 |
 
 ## Modules
 
diff --git a/infrastructure/modules/cloudfront/README.md b/infrastructure/modules/cloudfront/README.md
@@ -6,7 +6,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.95.0 |
 
 ## Modules
 
@@ -28,6 +28,7 @@ No modules.
 | <a name="input_bucket_domain_name"></a> [bucket\_domain\_name](#input\_bucket\_domain\_name) | Domain name to assign CloudFront distribution to | `string` | n/a | yes |
 | <a name="input_bucket_id"></a> [bucket\_id](#input\_bucket\_id) | Bucket ID to assign CloudFront distribution to | `string` | n/a | yes |
 | <a name="input_qualifed_arn"></a> [qualifed\_arn](#input\_qualifed\_arn) | Lambda@Edge function association | `string` | n/a | yes |
+| <a name="input_web_acl_id"></a> [web\_acl\_id](#input\_web\_acl\_id) | Web ACL to associate this Cloudfront distribution with | `string` | n/a | yes |
 
 ## Outputs
 
diff --git a/infrastructure/modules/cloudfront/main.tf b/infrastructure/modules/cloudfront/main.tf
@@ -36,6 +36,7 @@ resource "aws_cloudfront_distribution" "distribution" {
       locations        = ["GB"]
     }
   }
+  web_acl_id = var.web_acl_id
 }
 
 resource "aws_cloudfront_origin_request_policy" "viewer_policy" {
@@ -90,4 +91,5 @@ resource "aws_cloudfront_cache_policy" "nocache" {
       query_string_behavior = "none"
     }
   }
-}
+}
+
diff --git a/infrastructure/modules/cloudfront/variable.tf b/infrastructure/modules/cloudfront/variable.tf
@@ -11,4 +11,11 @@ variable "bucket_id" {
 variable "qualifed_arn" {
   type        = string
   description = "Lambda@Edge function association"
-}
+}
+
+variable "web_acl_id" {
+  type        = string
+  description = "Web ACL to associate this Cloudfront distribution with"
+  default     = ""
+}
+
diff --git a/infrastructure/modules/firewall_waf_v2/README.md b/infrastructure/modules/firewall_waf_v2/README.md
@@ -6,7 +6,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.95.0 |
 
 ## Modules
 
@@ -25,6 +25,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_cloudfront_acl"></a> [cloudfront\_acl](#input\_cloudfront\_acl) | n/a | `bool` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | n/a | `string` | n/a | yes |
 | <a name="input_owner"></a> [owner](#input\_owner) | n/a | `string` | n/a | yes |
 
diff --git a/infrastructure/modules/firewall_waf_v2/main.tf b/infrastructure/modules/firewall_waf_v2/main.tf
diff --git a/infrastructure/modules/firewall_waf_v2/regex.tf b/infrastructure/modules/firewall_waf_v2/regex.tf
diff --git a/infrastructure/modules/firewall_waf_v2/variables.tf b/infrastructure/modules/firewall_waf_v2/variables.tf
diff --git a/infrastructure/modules/vpc/README.md b/infrastructure/modules/vpc/README.md
diff --git a/infrastructure/modules/vpc/main.tf b/infrastructure/modules/vpc/main.tf
diff --git a/infrastructure/vpc.tf b/infrastructure/vpc.tf

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ resource "aws_iam_policy" "s3_document_data_policy_for_stitch_lambda" {`
`46`	`46`	`"Effect" : "Allow",`
`47`	`47`	`"Action" : [`
`48`	`48`	`"s3:GetObject",`
	`49`	`+ "S3:ListBucket",`
`49`	`50`	`],`
`50`	`51`	`"Resource" : ["${module.ndr-lloyd-george-store.bucket_arn}/combined_files/*"]`
`51`	`52`	`}`
`@@ -188,4 +189,3 @@ resource "aws_iam_role_policy_attachment" "ods_report_presign_url" {`
`188`	`189`	`role = aws_iam_role.ods_report_presign_url_role.name`
`189`	`190`	`policy_arn = aws_iam_policy.s3_document_data_policy_for_ods_report_lambda.arn`
`190`	`191`	`}`
`191`		`-`