CCM-11586: initial truststore

Author: masl2

infrastructure/terraform/components/api/README.md

@@ -12,16 +12,19 @@ No requirements.
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"supapi"` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
+| <a name="input_enable_backups"></a> [enable\_backups](#input\_enable\_backups) | Enable backups | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_force_lambda_code_deploy"></a> [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development | `bool` | `false` | no |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
 | <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"INFO"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_manually_configure_mtls_truststore"></a> [manually\_configure\_mtls\_truststore](#input\_manually\_configure\_mtls\_truststore) | Manually manage the truststore used for API Gateway mTLS (e.g. for prod environment) | `bool` | `false` | no |
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | <a name="input_shared_infra_account_id"></a> [shared\_infra\_account\_id](#input\_shared\_infra\_account\_id) | The AWS Account ID of the shared infrastructure account | `string` | `"000000000000"` | no |
+| <a name="input_truststore_s3_bucket_config"></a> [truststore\_s3\_bucket\_config](#input\_truststore\_s3\_bucket\_config) | Parameters for configuring the Notify Supplier API truststore bucket | <pre>object({<br/>    kms_key_id              = string<br/>    kms_key_arn             = string<br/>    bucket_logs_bucket_name = string<br/>  })</pre> | <pre>{<br/>  "bucket_logs_bucket_name": "",<br/>  "kms_key_arn": "",<br/>  "kms_key_id": ""<br/>}</pre> | no |
 ## Modules
 
 | Name | Source | Version |
@@ -31,6 +34,7 @@ No requirements.
 | <a name="module_hello_world"></a> [hello\_world](#module\_hello\_world) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.10 |
 | <a name="module_kms"></a> [kms](#module\_kms) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms | v2.0.10 |
 | <a name="module_patch_letters"></a> [patch\_letters](#module\_patch\_letters) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.10 |
+| <a name="module_supplier_ssl"></a> [supplier\_ssl](#module\_supplier\_ssl) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/ssl | v2.0.17 |
 ## Outputs
 
 | Name | Description |

infrastructure/terraform/components/api/api_gateway_domain.tf

@@ -6,4 +6,19 @@ resource "aws_api_gateway_domain_name" "main" {
   endpoint_configuration {
     types = ["REGIONAL"]
   }
+
+  depends_on = [
+    aws_s3_bucket.truststore
+  ]
+
+  mutual_tls_authentication {
+      truststore_uri     = "s3://${aws_s3_bucket.truststore[0].id}/${aws_s3_object.placeholder_truststore[0].id}"
+      truststore_version = aws_s3_object.placeholder_truststore[0].version_id
+  }
+
+  lifecycle {
+    ignore_changes = [
+      mutual_tls_authentication
+    ]
+  }
 }

infrastructure/terraform/components/api/locals.tf

@@ -14,4 +14,15 @@ locals {
   })
 
   destination_arn = "arn:aws:logs:${var.region}:${var.shared_infra_account_id}:destination:nhs-main-obs-firehose-logs"
+
+  csi_s3 = replace(
+    format(
+      "%s-%s-%s-%s",
+      var.project,
+      var.aws_account_id,
+      var.environment
+    ),
+    "_",
+    "",
+  )
 }

infrastructure/terraform/components/api/module_supplier_ssl.tf

@@ -0,0 +1,14 @@
+module "supplier_ssl" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/ssl?ref=v2.0.17"
+
+  count = var.manually_configure_mtls_truststore ? 0 : 1
+
+  aws_account_id = var.aws_account_id
+  default_tags   = local.default_tags
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = var.region
+  group          = var.group
+  subject_common_name = local.root_domain_name
+}

infrastructure/terraform/components/api/s3_bucket_policy_truststore.tf

@@ -0,0 +1,28 @@
+resource "aws_s3_bucket_policy" "truststore" {
+  bucket = aws_s3_bucket.truststore[0].id
+  policy = data.aws_iam_policy_document.truststore[0].json
+}
+
+data "aws_iam_policy_document" "truststore" {
+  statement {
+    effect  = "Deny"
+    actions = ["s3:*"]
+    resources = [
+      aws_s3_bucket.truststore[0].arn,
+      "${aws_s3_bucket.truststore[0].arn}/*",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values = [
+        false
+      ]
+    }
+  }
+}

infrastructure/terraform/components/api/s3_bucket_truststore.tf

@@ -0,0 +1,85 @@
+resource "aws_s3_bucket" "truststore" {
+  bucket = "${local.csi_s3}-truststore"
+  tags   = merge(local.default_tags, { "Enable-Backup" = var.enable_backups }, { "Enable-S3-Continuous-Backup" = var.enable_backups }, { "SKIP_S3_AUDIT" = "true" })
+}
+
+resource "aws_s3_bucket_ownership_controls" "truststore" {
+  bucket = aws_s3_bucket.truststore[0].id
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "truststore" {
+  bucket = aws_s3_bucket.truststore[0].id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = "aws:kms"
+      kms_master_key_id = var.truststore_s3_bucket_config.kms_key_id
+    }
+    bucket_key_enabled = true
+  }
+}
+
+resource "aws_s3_bucket_versioning" "truststore" {
+  bucket = aws_s3_bucket.truststore[0].id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "truststore" {
+  depends_on = [
+    aws_s3_bucket_policy.truststore
+  ]
+
+  bucket = aws_s3_bucket.truststore[0].id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_logging" "truststore" {
+  bucket = aws_s3_bucket.truststore[0].id
+
+  target_bucket = var.truststore_s3_bucket_config.bucket_logs_bucket_name
+  target_prefix = "truststore/${aws_s3_bucket.truststore[0].bucket}/"
+}
+
+# If Environment is to be Manually configured, need to create a placeholder truststore file for mtls
+resource "aws_s3_object" "placeholder_truststore" {
+  count   = var.manually_configure_mtls_truststore ? 1 : 0
+  bucket  = aws_s3_bucket.truststore[0].bucket
+  key     = "truststore.pem"
+  content = tls_self_signed_cert.placeholder_cert[0].cert_pem
+
+  depends_on = [
+    aws_s3_bucket_versioning.truststore
+  ]
+
+  lifecycle {
+    ignore_changes = [
+      content
+    ]
+  }
+}
+
+# If env is not manually configured, use the certs generated from the ssl module
+# Having a duplicate resource here as lifcycle rules can't be dynamic or variable
+# We don't want to ignore content in nonprod, but we do for prod as we will manually update certs and not via ssl module
+resource "aws_s3_object" "placeholder_truststore_nonprod" {
+  count   = var.manually_configure_mtls_truststore ? 0 : 1
+  bucket  = aws_s3_bucket.truststore[0].bucket
+  key     = "truststore.pem"
+  content = module.supplier_ssl.cacert_pem
+
+  depends_on = [
+    aws_s3_bucket_versioning.truststore,
+    module.supplier_ssl
+  ]
+}

infrastructure/terraform/components/api/variables.tf

@@ -86,3 +86,29 @@ variable "shared_infra_account_id" {
   description = "The AWS Account ID of the shared infrastructure account"
   default     = "000000000000"
 }
+
+variable "manually_configure_mtls_truststore" {
+  type        = bool
+  description = "Manually manage the truststore used for API Gateway mTLS (e.g. for prod environment)"
+  default     = false
+}
+
+variable "enable_backups" {
+  type        = bool
+  description = "Enable backups"
+  default     = false
+}
+
+variable "truststore_s3_bucket_config" {
+  type = object({
+    kms_key_id              = string
+    kms_key_arn             = string
+    bucket_logs_bucket_name = string
+  })
+  description = "Parameters for configuring the Notify Supplier API truststore bucket"
+  default = {
+    bucket_logs_bucket_name = ""
+    kms_key_arn             = ""
+    kms_key_id              = ""
+  }
+}