CCM-12615: APIM Authentication

Author: simonlabarere

infrastructure/terraform/components/dl/README.md

@@ -40,6 +40,7 @@ No requirements.
 | <a name="module_lambda_lambda_apim_refresh_token"></a> [lambda\_lambda\_apim\_refresh\_token](#module\_lambda\_lambda\_apim\_refresh\_token) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-lambda.zip | n/a |
 | <a name="module_mesh_poll"></a> [mesh\_poll](#module\_mesh\_poll) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-lambda.zip | n/a |
 | <a name="module_s3bucket_letters"></a> [s3bucket\_letters](#module\_s3bucket\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-s3bucket.zip | n/a |
+| <a name="module_s3bucket_static_assets"></a> [s3bucket\_static\_assets](#module\_s3bucket\_static\_assets) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip | n/a |
 | <a name="module_sqs_event_publisher_errors"></a> [sqs\_event\_publisher\_errors](#module\_sqs\_event\_publisher\_errors) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-sqs.zip | n/a |
 | <a name="module_sqs_ttl"></a> [sqs\_ttl](#module\_sqs\_ttl) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-sqs.zip | n/a |
 | <a name="module_sqs_ttl_handle_expiry_errors"></a> [sqs\_ttl\_handle\_expiry\_errors](#module\_sqs\_ttl\_handle\_expiry\_errors) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-sqs.zip | n/a |

infrastructure/terraform/components/dl/acm_certificate_static_assets_hosting.tf

@@ -0,0 +1,14 @@
+resource "aws_acm_certificate" "static_assets_hosting" {
+  provider          = aws.us-east-1
+  domain_name       = local.root_domain_name
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_acm_certificate_validation" "static_assets_hosting" {
+  provider        = aws.us-east-1
+  certificate_arn = aws_acm_certificate.static_assets_hosting.arn
+}

infrastructure/terraform/components/dl/cloudfront_distribution_static_assets_hosting.tf

@@ -0,0 +1,55 @@
+resource "aws_cloudfront_distribution" "static_assets_hosting" {
+  enabled         = true
+  is_ipv6_enabled = true
+  comment         = "Static asset hosting for Digital Letters"
+  price_class     = "PriceClass_100"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "whitelist"
+      locations        = ["GB"]
+    }
+  }
+
+  aliases = [local.root_domain_name]
+
+  viewer_certificate {
+    cloudfront_default_certificate = false
+    acm_certificate_arn            = aws_acm_certificate.static_assets_hosting.arn
+    minimum_protocol_version       = "TLSv1.2_2021"
+    ssl_support_method             = "sni-only"
+  }
+
+  logging_config {
+    include_cookies = false
+    bucket          = module.s3bucket_cf_logs.bucket_regional_domain_name
+  }
+
+  origin {
+    domain_name = module.s3bucket_static_assets.bucket_regional_domain_name
+    origin_id   = "${local.csi}-origin-static-assets"
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.static_assets.cloudfront_access_identity_path
+    }
+  }
+
+  default_cache_behavior {
+    allowed_methods  = ["GET", "HEAD"]
+    cached_methods   = ["GET", "HEAD"]
+    target_origin_id = "${local.csi}-origin-static-assets"
+
+    forwarded_values {
+      query_string = false
+      headers      = ["Origin"]
+      cookies {
+        forward = "none"
+      }
+    }
+
+    viewer_protocol_policy = "redirect-to-https"
+    min_ttl                = 0
+    default_ttl            = 0
+    max_ttl                = 86400
+    compress               = true
+  }
+}

infrastructure/terraform/components/dl/module_s3_bucket_static_assets.tf

@@ -0,0 +1,120 @@
+module "s3bucket_static_assets" {
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-s3bucket.zip"
+
+  name = "static-assets"
+
+  aws_account_id = var.aws_account_id
+  region         = "eu-west-2"
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  acl           = "private"
+  force_destroy = var.force_destroy
+  versioning    = true
+
+  lifecycle_rules = [
+    {
+      enabled = true
+
+      noncurrent_version_transition = [
+        {
+          noncurrent_days = "30"
+          storage_class   = "STANDARD_IA"
+        }
+      ]
+
+      noncurrent_version_expiration = {
+        noncurrent_days = "90"
+      }
+
+      abort_incomplete_multipart_upload = {
+        days = "1"
+      }
+    }
+  ]
+
+  bucket_logging_target = {
+    bucket = local.acct.s3_buckets["access_logs"]["id"]
+  }
+
+  policy_documents = [
+    data.aws_iam_policy_document.static_assets_bucket_policy.json
+  ]
+
+  public_access = {
+    block_public_acls       = true
+    block_public_policy     = true
+    ignore_public_acls      = true
+    restrict_public_buckets = true
+  }
+
+
+  default_tags = {
+    Name = "Digital Letters static assets bucket"
+  }
+}
+
+data "aws_iam_policy_document" "static_assets_bucket_policy" {
+  statement {
+    actions = ["s3:GetObject"]
+    resources = [
+      "${module.s3bucket_static_assets.arn}/*"
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_cloudfront_origin_access_identity.static_assets.iam_arn]
+    }
+  }
+
+  statement {
+    actions = ["s3:ListBucket"]
+    resources = [
+      module.s3bucket_static_assets.arn
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = [aws_cloudfront_origin_access_identity.static_assets.iam_arn]
+    }
+  }
+
+  statement {
+    effect  = "Deny"
+    actions = ["s3:*"]
+    resources = [
+      module.s3bucket_static_assets.arn,
+      "${module.s3bucket_static_assets.arn}/*",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values = [
+        false
+      ]
+    }
+  }
+}
+
+resource "aws_s3_bucket_cors_configuration" "static_assets" {
+  bucket = module.s3bucket_static_assets.bucket
+
+  cors_rule {
+    allowed_headers = ["Authorization"]
+    allowed_methods = ["GET"]
+    allowed_origins = ["*"]
+    expose_headers  = ["ETag"]
+    max_age_seconds = 300
+  }
+}
+
+resource "aws_cloudfront_origin_access_identity" "static_assets" {
+  comment = "Used to access the s3 content for the ${module.s3bucket_static_assets.bucket} bucket"
+}

infrastructure/terraform/components/dl/route53_record_acm_validation.tf

@@ -0,0 +1,17 @@
+resource "aws_route53_record" "acm_validation" {
+  for_each = {
+    for dvo in aws_acm_certificate.static_assets_hosting.domain_validation_options :
+    dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    } if dvo.domain_name == local.root_domain_name
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  type            = each.value.type
+  zone_id         = local.root_domain_id
+  ttl             = 60
+}

infrastructure/terraform/components/dl/route53_record_static_assets_hosting.tf

@@ -0,0 +1,7 @@
+resource "aws_route53_record" "static_assets_hosting" {
+  name    = local.root_domain_name
+  zone_id = local.root_domain_id
+  type    = "CNAME"
+  ttl     = 5
+  records = [aws_cloudfront_distribution.static_assets_hosting.domain_name]
+}