Merge branch 'main' into NDR-97

Author: NogaNHS

.github/workflows/terraform-dev-to-main-ci.yml

@@ -72,6 +72,16 @@ jobs:
       run: |
         terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan > plan_output.txt 2>&1
         terraform show -no-color tf.plan > tfplan.txt 2>&1
+
+        # Mask PEM certificates (BEGIN...END CERTIFICATE)
+        awk 'BEGIN{cert=""}
+        /-----BEGIN CERTIFICATE-----/{cert=$0; in_cert=1; next}
+        /-----END CERTIFICATE-----/{cert=cert"\n"$0; print cert; cert=""; in_cert=0; next}
+        in_cert{cert=cert"\n"$0}' tfplan.txt | while IFS= read -r cert_block; do
+          if [ -n "$cert_block" ]; then
+            echo "::add-mask::$cert_block"
+          fi
+        done || echo "No certificate blocks found to mask."
         
         # Mask sensitive URLs in the Terraform Plan output
         grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do
@@ -125,6 +135,7 @@ jobs:
         PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's/[0-9]{12}/[REDACTED_AWS_ACCOUNT_ID]/g')
         PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+#[REDACTED_LAMBDA_URL]#g')
         PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*#[REDACTED_API_GATEWAY_URL]#g')
+        PLAN_FULL=$(echo "$PLAN_FULL" | sed -E '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/s/.*/[REDACTED_PEM_CERT]/')
 
         echo "PLAN<<EOF" >> $GITHUB_ENV
         echo "${PLAN_FULL::$LENGTH}" >> $GITHUB_ENV

infrastructure/api.tf

@@ -93,7 +93,28 @@ resource "aws_api_gateway_stage" "ndr_api" {
   deployment_id        = aws_api_gateway_deployment.ndr_api_deploy.id
   rest_api_id          = aws_api_gateway_rest_api.ndr_doc_store_api.id
   stage_name           = var.environment
-  xray_tracing_enabled = false
+  xray_tracing_enabled = var.enable_xray_tracing
+
+  depends_on = [aws_cloudwatch_log_group.api_gateway_stage]
+}
+
+resource "aws_cloudwatch_log_group" "api_gateway_stage" {
+  # Name must follow this format to allow execution logging 
+  # https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html
+  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.ndr_doc_store_api.id}/${var.environment}"
+  retention_in_days = 0
+}
+
+resource "aws_api_gateway_method_settings" "api_gateway_stage" {
+  rest_api_id = aws_api_gateway_rest_api.ndr_doc_store_api.id
+  stage_name  = aws_api_gateway_stage.ndr_api.stage_name
+  method_path = "*/*"
+
+  settings {
+    logging_level      = "INFO"
+    metrics_enabled    = true
+    data_trace_enabled = true
+  }
 }
 
 resource "aws_api_gateway_gateway_response" "unauthorised_response" {
@@ -112,6 +133,10 @@ resource "aws_api_gateway_gateway_response" "unauthorised_response" {
   }
 }
 
+resource "aws_api_gateway_client_certificate" "ndr_api" {
+  description = "Client certificate used for backend authentication in HTTP integrations with the NDR API Gateway (${var.environment})"
+}
+
 resource "aws_api_gateway_gateway_response" "bad_gateway_response" {
   rest_api_id   = aws_api_gateway_rest_api.ndr_doc_store_api.id
   response_type = "DEFAULT_5XX"

infrastructure/modules/cloudwatch/README.md

@@ -217,4 +217,10 @@ variable "cloud_security_console_public_address" {
   type        = string
   default     = "0.0.0.0/0"
   description = "Using public address to make sure CloudStorageSecurity console is available"
+}
+
+variable "enable_xray_tracing" {
+  description = "Enable AWS X-Ray tracing for the API Gateway stage"
+  type        = bool
+  default     = false
 }