CCM-11869: route 53 is broken (#130)

masl2 · web-flow · commit cb7572e7971b · 2025-08-26T11:12:11.000+01:00
* CCM-11869: route 53 is broken * CCM-11586: is it the dynamic names * CCM-11586: wasn't that * CCM-11586: re-enable default endpoint * CCM-11869: move to centrally managed truststore * CCM-11869: move to centrally managed truststore * CCM-11869: fix refs * CCM-11869: fix refs * CCM-11869: fix refs * CCM-11869: ssl module should be conditional
diff --git a/infrastructure/terraform/components/api/README.md b/infrastructure/terraform/components/api/README.md
@@ -10,6 +10,7 @@ No requirements.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
+| <a name="input_ca_pem_filename"></a> [ca\_pem\_filename](#input\_ca\_pem\_filename) | Filename for the CA truststore file within the s3 bucket | `string` | `null` | no |
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"supapi"` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_enable_backups"></a> [enable\_backups](#input\_enable\_backups) | Enable backups | `bool` | `false` | no |
diff --git a/infrastructure/terraform/components/api/api_gateway_base_path_mapping.tf b/infrastructure/terraform/components/api/api_gateway_base_path_mapping.tf
@@ -1,5 +1,5 @@
 resource "aws_api_gateway_base_path_mapping" "main" {
   api_id      = aws_api_gateway_rest_api.main.id
   stage_name  = aws_api_gateway_stage.main.stage_name
-  domain_name = var.manually_configure_mtls_truststore ? aws_api_gateway_domain_name.main.0.domain_name : aws_api_gateway_domain_name.main_nonprod.0.domain_name
+  domain_name = aws_api_gateway_domain_name.main.domain_name
 }
diff --git a/infrastructure/terraform/components/api/api_gateway_domain.tf b/infrastructure/terraform/components/api/api_gateway_domain.tf
@@ -1,5 +1,4 @@
 resource "aws_api_gateway_domain_name" "main" {
-  count                    = var.manually_configure_mtls_truststore ? 1 :  0
   regional_certificate_arn = aws_acm_certificate_validation.main.certificate_arn
   domain_name              = local.root_domain_name
   security_policy          = "TLS_1_2"
@@ -8,40 +7,15 @@ resource "aws_api_gateway_domain_name" "main" {
     types = ["REGIONAL"]
   }
 
-  depends_on = [
-    module.domain_truststore,
-    aws_s3_object.placeholder_truststore
-  ]
-
   mutual_tls_authentication {
-      truststore_uri     = "s3://${module.domain_truststore.id}/${aws_s3_object.placeholder_truststore[0].key}"
-      truststore_version = aws_s3_object.placeholder_truststore[0].version_id
-  }
-
-  lifecycle {
-    ignore_changes = [
-      mutual_tls_authentication
-    ]
+      truststore_uri     = var.manually_configure_mtls_truststore ? "s3://${local.acct.s3_buckets["truststore"]["id"]}/${var.ca_pem_filename}" : "s3://${local.acct.s3_buckets["truststore"]["id"]}/${aws_s3_object.placeholder_truststore[0].key}"
+      truststore_version = var.manually_configure_mtls_truststore ? data.aws_s3_object.external_ca_cert[0].version_id : aws_s3_object.placeholder_truststore[0].version_id
   }
 }
 
-resource "aws_api_gateway_domain_name" "main_nonprod" {
-  count                    = !var.manually_configure_mtls_truststore ? 1 :  0
-  regional_certificate_arn = aws_acm_certificate_validation.main.certificate_arn
-  domain_name              = local.root_domain_name
-  security_policy          = "TLS_1_2"
+data "aws_s3_object" "external_ca_cert" {
+  count = var.manually_configure_mtls_truststore ? 1 : 0
 
-  endpoint_configuration {
-    types = ["REGIONAL"]
-  }
-
-  depends_on = [
-    module.domain_truststore,
-    aws_s3_object.placeholder_truststore_nonprod
-  ]
-
-  mutual_tls_authentication {
-      truststore_uri     = "s3://${module.domain_truststore.id}/${aws_s3_object.placeholder_truststore_nonprod[0].key}"
-      truststore_version = aws_s3_object.placeholder_truststore_nonprod[0].version_id
-  }
+  bucket = local.acct.s3_buckets["truststore"]["id"]
+  key = "${local.csi}/${var.ca_pem_filename}"
 }
diff --git a/infrastructure/terraform/components/api/module_supplier_ssl.tf b/infrastructure/terraform/components/api/module_supplier_ssl.tf
@@ -1,4 +1,6 @@
 module "supplier_ssl" {
+  count = var.manually_configure_mtls_truststore ? 0 : 1
+
   source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/ssl?ref=v2.0.17"
 
   name           = "sapi_trust"
diff --git a/infrastructure/terraform/components/api/route53_record.tf b/infrastructure/terraform/components/api/route53_record.tf
@@ -1,11 +1,11 @@
 resource "aws_route53_record" "main" {
-  name    = var.manually_configure_mtls_truststore ? aws_api_gateway_domain_name.main.0.regional_domain_name : aws_api_gateway_domain_name.main_nonprod.0.regional_domain_name
+  name    = aws_api_gateway_domain_name.main.domain_name
   type    = "A"
   zone_id = local.root_domain_id
 
   alias {
-    name    = var.manually_configure_mtls_truststore ? aws_api_gateway_domain_name.main.0.regional_domain_name : aws_api_gateway_domain_name.main_nonprod.0.regional_domain_name
-    zone_id = var.manually_configure_mtls_truststore ? aws_api_gateway_domain_name.main.0.regional_zone_id : aws_api_gateway_domain_name.main_nonprod.0.regional_zone_id
+    name    = aws_api_gateway_domain_name.main.regional_domain_name
+    zone_id = aws_api_gateway_domain_name.main.regional_zone_id
 
     evaluate_target_health = true
   }
diff --git a/infrastructure/terraform/components/api/s3_object_placeholder_truststore.tf b/infrastructure/terraform/components/api/s3_object_placeholder_truststore.tf
@@ -1,29 +1,16 @@
 # In manually configured (e.g. dev main, nonprod main, prod main) add lifecycle policy to permit manual management of cert
 resource "aws_s3_object" "placeholder_truststore" {
-  count   = var.manually_configure_mtls_truststore ? 1 : 0
-  bucket  = module.domain_truststore.bucket
-  key     = "truststore.pem"
-  content = module.supplier_ssl.cacert_pem
+  count   = var.manually_configure_mtls_truststore ? 0 : 1
 
-  depends_on = [
-    module.domain_truststore,
-    module.supplier_ssl
-  ]
+  bucket  = local.acct.s3_buckets["truststore"]["id"]
+  key     = "${local.csi}/truststore.pem"
+  content = module.supplier_ssl[0].cacert_pem
 
   lifecycle {
     ignore_changes = [
       content
     ]
   }
-}
-
-# In non-manually configured env (e.g. PR) exclude lifecycle policy so resources are managed
-# Requires duplicate block as lifecycle policies cannot be dynamic
-resource "aws_s3_object" "placeholder_truststore_nonprod" {
-  count   = !var.manually_configure_mtls_truststore ? 1 : 0
-  bucket  = module.domain_truststore.bucket
-  key     = "truststore.pem"
-  content = module.supplier_ssl.cacert_pem
 
   depends_on = [
     module.domain_truststore,
diff --git a/infrastructure/terraform/components/api/variables.tf b/infrastructure/terraform/components/api/variables.tf
@@ -98,3 +98,10 @@ variable "enable_backups" {
   description = "Enable backups"
   default     = false
 }
+
+
+variable "ca_pem_filename" {
+  type        = string
+  description = "Filename for the CA truststore file within the s3 bucket"
+  default     = null
+}

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`resource "aws_api_gateway_base_path_mapping" "main" {`
`2`	`2`	`api_id = aws_api_gateway_rest_api.main.id`
`3`	`3`	`stage_name = aws_api_gateway_stage.main.stage_name`
`4`		`- domain_name = var.manually_configure_mtls_truststore ? aws_api_gateway_domain_name.main.0.domain_name : aws_api_gateway_domain_name.main_nonprod.0.domain_name`
	`4`	`+ domain_name = aws_api_gateway_domain_name.main.domain_name`
`5`	`5`	`}`