Merge branch 'main' into PRM-134-v2

Author: steph-torres-nhs

.github/workflows/terraform-deploy-feature-to-sandbox.yml

@@ -1,22 +1,22 @@
 # .github/workflows/terraform-dev
-name: 'Deploy Feature Branch to Sandbox'
+name: "Deploy Feature Branch to Sandbox"
 
 on:
   workflow_dispatch:
     inputs:
       buildBranch:
-        description: 'Feature branch to push to sandbox.'
+        description: "Feature branch to push to sandbox."
         required: true
-        type: 'string'
+        type: "string"
       sandboxWorkspace:
-        description: 'Which Sandbox to push to.'
+        description: "Which Sandbox to push to."
         required: true
-        type: 'string'
+        type: "string"
       environment:
-        default: 'development'
-        description: 'Which environment should this run against'
+        default: "development"
+        description: "Which environment should this run against"
         required: true
-        type: 'string'
+        type: "string"
 
 permissions:
   pull-requests: write
@@ -29,11 +29,10 @@ jobs:
     environment: ${{ github.event.inputs.environment }}
 
     steps:
-      # Checkout the repository to the GitHub Actions runner
-      - name: Checkout
+      - name: Checkout Base
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.inputs.buildBranch}}
+          ref: main
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
@@ -53,23 +52,51 @@ jobs:
           terraform_version: 1.11.4
           terraform_wrapper: false
 
-      - name: Terraform Init
-        id: init
+      - name: Terraform Init Base
+        id: base_init
         run: terraform init -backend-config=backend.conf
         working-directory: ./infrastructure
         shell: bash
 
-      - name: Terraform Set Workspace
-        id: workspace
+      - name: Terraform Set Workspace Base
+        id: base_workspace
         run: terraform workspace select -or-create ${{ github.event.inputs.sandboxWorkspace}}
         working-directory: ./infrastructure
         shell: bash
 
-        # Checks that all Terraform configuration files adhere to a canonical format
+      - name: Terraform Plan Base
+        id: base_plan
+        run: |
+          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf-base.plan
+        working-directory: ./infrastructure
+        shell: bash
+
+      - name: Terraform Apply Base
+        run: terraform apply -auto-approve -input=false tf-base.plan
+        working-directory: ./infrastructure
+
+      - name: Checkout Branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.buildBranch}}
+
+        # Checks that all Terraform configuration files adhere to a canonical format.
       - name: Terraform Format
         run: terraform fmt -check
         working-directory: ./infrastructure
 
+      - name: Terraform Init
+        id: init
+        run: terraform init -backend-config=backend.conf
+        working-directory: ./infrastructure
+        shell: bash
+
+      - name: Terraform Set Workspace
+        id: workspace
+        run: terraform workspace select ${{ github.event.inputs.sandboxWorkspace}}
+        working-directory: ./infrastructure
+        shell: bash
+
       - name: Terraform Plan
         id: plan
         run: |

infrastructure/README.md

@@ -179,6 +179,7 @@
 
 | Name | Type |
 |------|------|
+| [aws_api_gateway_account.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_account) | resource |
 | [aws_api_gateway_api_key.api_key_pdm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_api_key) | resource |
 | [aws_api_gateway_api_key.apim](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_api_key) | resource |
 | [aws_api_gateway_authorizer.repo_authoriser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_authorizer) | resource |
@@ -262,6 +263,7 @@
 | [aws_iam_policy.ses_send_email_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ssm_access_policy_authoriser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.api_gateway_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.cognito_unauthenticated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.create_post_presign_url_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.cross_account_backup_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -274,6 +276,7 @@
 | [aws_iam_role.splunk_sqs_forwarder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.stitch_presign_url_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.splunk_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.api_gateway_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.backup_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cloudwatch_rum_cognito_unauth](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.create_post_presign_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |

infrastructure/api.tf

@@ -93,14 +93,19 @@ resource "aws_api_gateway_stage" "ndr_api" {
   stage_name           = var.environment
   xray_tracing_enabled = var.enable_xray_tracing
 
-  depends_on = [aws_cloudwatch_log_group.api_gateway_stage]
+  depends_on = [
+    aws_cloudwatch_log_group.api_gateway_stage
+  ]
 }
 
 resource "aws_cloudwatch_log_group" "api_gateway_stage" {
   # Name must follow this format to allow execution logging 
   # https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html
   name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.ndr_doc_store_api.id}/${var.environment}"
   retention_in_days = 0
+  depends_on = [
+    aws_api_gateway_account.logging
+  ]
 }
 
 resource "aws_api_gateway_method_settings" "api_gateway_stage" {

infrastructure/firewall.tf

@@ -6,6 +6,15 @@ module "firewall_waf_v2" {
   count          = local.is_sandbox ? 0 : 1
 }
 
+module "firewall_waf_v2_api" {
+  source         = "./modules/firewall_waf_v2"
+  cloudfront_acl = false
+  environment    = var.environment
+  owner          = var.owner
+  count          = local.is_sandbox ? 0 : 1
+  api            = true
+}
+
 resource "aws_wafv2_web_acl_association" "web_acl_association" {
   resource_arn = module.ndr-ecs-fargate-app.load_balancer_arn
   web_acl_arn  = module.firewall_waf_v2[0].arn
@@ -18,10 +27,10 @@ resource "aws_wafv2_web_acl_association" "web_acl_association" {
 
 resource "aws_wafv2_web_acl_association" "api_gateway" {
   resource_arn = aws_api_gateway_stage.ndr_api.arn
-  web_acl_arn  = module.firewall_waf_v2[0].arn
+  web_acl_arn  = module.firewall_waf_v2_api[0].arn
   count        = local.is_sandbox ? 0 : 1
   depends_on = [
     aws_api_gateway_stage.ndr_api,
-    module.firewall_waf_v2[0]
+    module.firewall_waf_v2_api[0]
   ]
 }

infrastructure/iam.tf

@@ -193,3 +193,32 @@ resource "aws_iam_role_policy_attachment" "ods_report_presign_url" {
   role       = aws_iam_role.ods_report_presign_url_role.name
   policy_arn = aws_iam_policy.s3_document_data_policy_for_ods_report_lambda.arn
 }
+
+resource "aws_iam_role" "api_gateway_cloudwatch" {
+  count = local.is_sandbox ? 0 : 1
+  name  = "${terraform.workspace}_NdrAPIGatewayLogs"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "apigateway.amazonaws.com"
+        }
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "api_gateway_logs" {
+  count      = local.is_sandbox ? 0 : 1
+  role       = aws_iam_role.api_gateway_cloudwatch[0].name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+}
+
+resource "aws_api_gateway_account" "logging" {
+  count               = local.is_sandbox ? 0 : 1
+  cloudwatch_role_arn = aws_iam_role.api_gateway_cloudwatch[0].arn
+}

infrastructure/modules/firewall_waf_v2/local.tf

@@ -2,7 +2,7 @@ locals {
 
   image_regex = "^\\/images(\\/\\w+)+\\/$"
 
-  waf_rules = [
+  waf_rules_raw = [
     {
       name                    = "AWSCoreRuleSet"
       managed_rule_name       = "AWSManagedRulesCommonRuleSet"
@@ -47,8 +47,14 @@ locals {
     }
   ]
 
+  # Filter out AWSBotControl if var.api is true
+  waf_rules = [
+    for rule in local.waf_rules_raw : rule
+    if !(var.api && rule.name == "AWSBotControl")
+  ]
+
   waf_rules_map = zipmap(
     range(0, length(local.waf_rules)),
     local.waf_rules
   )
-}
+}

infrastructure/modules/firewall_waf_v2/main.tf

@@ -1,5 +1,5 @@
 resource "aws_wafv2_web_acl" "waf_v2_acl" {
-  name        = "${terraform.workspace}-${var.cloudfront_acl ? "cloudfront" : ""}-fw-waf-v2"
+  name        = "${terraform.workspace}${var.api ? "-api" : var.cloudfront_acl ? "-cloudfront" : ""}-fw-waf-v2"
   description = "A WAF to secure the Repo application."
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 

infrastructure/modules/firewall_waf_v2/regex.tf

@@ -1,5 +1,5 @@
 resource "aws_wafv2_regex_pattern_set" "large_body_uri" {
-  name        = "${terraform.workspace}-fw-waf-body-size"
+  name        = "${terraform.workspace}-fw-waf-body-size${var.api ? "-api" : ""}"
   description = "A set of regex to allow specific pages to bypass the large body check"
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
@@ -22,7 +22,7 @@ resource "aws_wafv2_regex_pattern_set" "large_body_uri" {
 }
 
 resource "aws_wafv2_regex_pattern_set" "xss_body_uri" {
-  name        = "${terraform.workspace}-fw-waf-body-xss"
+  name        = "${terraform.workspace}-fw-waf-body-xss${var.api ? "-api" : ""}"
   description = "A regex to allow specific pages to bypass XSS checks on body"
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
@@ -40,7 +40,7 @@ resource "aws_wafv2_regex_pattern_set" "xss_body_uri" {
 }
 
 resource "aws_wafv2_regex_pattern_set" "exclude_cms_uri" {
-  name        = "${terraform.workspace}-fw-waf-cms-exclude"
+  name        = "${terraform.workspace}-fw-waf-cms-exclude${var.api ? "-api" : ""}"
   description = "A regex to allow CMS calls to bypass firewalls"
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
@@ -55,4 +55,4 @@ resource "aws_wafv2_regex_pattern_set" "exclude_cms_uri" {
     Environment = var.environment
     Workspace   = terraform.workspace
   }
-}
+}

infrastructure/modules/firewall_waf_v2/variables.tf

@@ -10,3 +10,9 @@ variable "cloudfront_acl" {
   type = bool
 }
 
+variable "api" {
+  type        = bool
+  description = "True if using the firewall for an api - removes AWSBotControl"
+  default     = false
+}
+