[NDR-235] Certificate generation for mTLS (#437)

* NDR-235 Certificate generation script

* NDR-235 Remove local .tool-versions

* NDR-235 add ssm params for certs and keys

* NDR-235 tf fmt

* DR-235 Ignore value field changes to smm param

* DR-235 Fix reference

* NDR-235 Use PDM kms key for param encryption

* NDR-235 Update comment

* NDR-235 Only create SSM params for persistent workspaces

Author: megan-bower4

infrastructure/kms_pdm.tf

@@ -0,0 +1,9 @@
+module "pdm_encryption_key" {
+  source              = "./modules/kms"
+  kms_key_name        = "alias/pdm-encryption-key-kms-${terraform.workspace}"
+  kms_key_description = "Custom KMS Key to enable server side encryption for PDM resources"
+  environment         = var.environment
+  owner               = var.owner
+  service_identifiers = ["ssm.amazonaws.com"]
+  kms_deletion_window = var.kms_deletion_window
+}

infrastructure/modules/ssm_parameter/main.tf

@@ -1,11 +1,34 @@
 resource "aws_ssm_parameter" "secret" {
+  count       = var.ignore_value_changes ? 0 : 1
   name        = "/ndr/${terraform.workspace}/${var.name}"
   type        = var.type
   description = var.description
   value       = var.value
+  key_id      = var.key_id
   depends_on  = [var.resource_depends_on]
   tags = {
     Name = "${terraform.workspace}-ssm"
   }
+
+}
+
+
+resource "aws_ssm_parameter" "secret_ignore_value_changes" {
+  count       = var.ignore_value_changes ? 1 : 0
+  name        = "/ndr/${terraform.workspace}/${var.name}"
+  type        = var.type
+  description = var.description
+  value       = var.value
+  key_id      = var.key_id
+  depends_on  = [var.resource_depends_on]
+  tags = {
+    Name = "${terraform.workspace}-ssm"
+  }
+
+  lifecycle {
+    ignore_changes = [
+      value,
+    ]
+  }
 }
 

infrastructure/modules/ssm_parameter/variable.tf

@@ -37,3 +37,15 @@ variable "owner" {
   description = "Owner tag used to identify the team or individual responsible for the resource."
   type        = string
 }
+
+variable "key_id" {
+  type        = string
+  default     = null
+  description = "KMS Key ID or ARN to encrypt the SecureString parameter"
+}
+
+variable "ignore_value_changes" {
+  type        = bool
+  default     = false
+  description = "Whether to ignore changes to the value field"
+}

infrastructure/ssm_parameters_externally_signed_mtls.tf

@@ -0,0 +1,26 @@
+# Creating Params to hold a copy of externally signed client cert and key
+module "ssm_param_external_client_cert" {
+  count                = local.is_sandbox ? 0 : 1
+  source               = "./modules/ssm_parameter"
+  environment          = var.environment
+  owner                = var.owner
+  name                 = "external_client_cert"
+  type                 = "SecureString"
+  description          = "Externally signed client certificate for mTLS"
+  value                = "REPLACE_ME"
+  key_id               = module.pdm_encryption_key.id
+  ignore_value_changes = true
+}
+
+module "ssm_param_external_client_key" {
+  count                = local.is_sandbox ? 0 : 1
+  source               = "./modules/ssm_parameter"
+  environment          = var.environment
+  owner                = var.owner
+  name                 = "external_client_key"
+  type                 = "SecureString"
+  description          = "Externally signed client certificate for mTLS"
+  value                = "REPLACE_ME"
+  key_id               = module.pdm_encryption_key.id
+  ignore_value_changes = true
+}

scripts/confs/dev.conf

@@ -0,0 +1,17 @@
+[req]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = GB
+ST = West Yorkshire
+L = Leeds
+O = NHS England
+OU = National Document Repository
+CN = client.dev.ndr.national.nhs.uk
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth

scripts/confs/preprod.conf

@@ -0,0 +1,17 @@
+[req]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = GB
+ST = West Yorkshire
+L = Leeds
+O = NHS England
+OU = National Document Repository
+CN = client.dev.preprod.national.nhs.uk
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth

scripts/confs/prod.conf

@@ -0,0 +1,17 @@
+[req]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = GB
+ST = West Yorkshire
+L = Leeds
+O = NHS England
+OU = National Document Repository
+CN = client.prod.ndr.national.nhs.uk
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth

scripts/confs/test.conf

@@ -0,0 +1,17 @@
+[req]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = GB
+ST = West Yorkshire
+L = Leeds
+O = NHS England
+OU = National Document Repository
+CN = client.test.ndr.national.nhs.uk
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth

scripts/create_csrs.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# This is for generating certs used during mTLS authentication.
+# Taken from https://github.com/NHSDigital/api-management-cert-generation/blob/master/README.md
+# This script is likely needed if certificates need to be regenerated due to expiry or if new environments are added etc.
+# Run create_csrs.sh to generate keys into keys/ and CSRs into csrs/ to send to a trusted CA.
+# Usage:
+# ./create_csrs.sh
+
+set -euo pipefail
+
+mkdir -p csrs
+mkdir -p keys
+
+openssl req -new -newkey rsa:4096 -nodes -sha256 -keyout keys/dev.api.service.nhs.uk.key -out csrs/dev.api.service.nhs.uk.csr -config confs/dev.conf -extensions v3_req
+openssl req -new -newkey rsa:4096 -nodes -sha256 -keyout keys/test.api.service.nhs.uk.key -out csrs/test.api.service.nhs.uk.csr -config confs/test.conf -extensions v3_req
+openssl req -new -newkey rsa:4096 -nodes -sha256 -keyout keys/preprod.api.service.nhs.uk.key -out csrs/preprod.api.service.nhs.uk.csr -config confs/preprod.conf -extensions v3_req
+openssl req -new -newkey rsa:4096 -nodes -sha256 -keyout keys/api.service.nhs.uk.key -out csrs/api.service.nhs.uk.csr -config confs/prod.conf -extensions v3_req