CCM-9873: Add cloudfront distribution to download bucket (#464)

Co-authored-by: Alex Nuttall <[email protected]>

Author: bhansell1

infrastructure/terraform/components/acct/module_sandbox_kms.tf

@@ -14,4 +14,3 @@ module "kms_sandbox" {
   alias           = "alias/${local.csi}-sandbox"
   iam_delegation  = true
 }
-

infrastructure/terraform/components/acct/outputs.tf

@@ -12,16 +12,11 @@ output "github_pat_ssm_param_name" {
 
 output "s3_buckets" {
   value = {
-    access_logs = {
-      arn    = module.s3bucket_access_logs.arn
-      bucket = module.s3bucket_access_logs.bucket
-      id     = module.s3bucket_access_logs.id
-    }
     backup_reports = {
       arn    = module.s3bucket_backup_reports.arn
       bucket = module.s3bucket_backup_reports.bucket
       id     = module.s3bucket_backup_reports.id
-    },
+    }
   }
 }
 

infrastructure/terraform/components/app/README.md

@@ -54,6 +54,7 @@
 | <a name="module_eventpub"></a> [eventpub](#module\_eventpub) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/eventpub | v1.0.13 |
 | <a name="module_kms"></a> [kms](#module\_kms) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms | v1.0.8 |
 | <a name="module_nhse_backup_vault"></a> [nhse\_backup\_vault](#module\_nhse\_backup\_vault) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/aws-backup-source | v1.0.8 |
+| <a name="module_s3bucket_cf_logs"></a> [s3bucket\_cf\_logs](#module\_s3bucket\_cf\_logs) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v2.0.2 |
 ## Outputs
 
 | Name | Description |

infrastructure/terraform/components/app/acm_certificate_files.tf

@@ -0,0 +1,18 @@
+resource "aws_acm_certificate" "files" {
+  provider = aws.us-east-1
+
+  domain_name       = local.cloudfront_files_domain_name
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_acm_certificate_validation" "files" {
+  provider = aws.us-east-1
+
+  certificate_arn = aws_acm_certificate.files.arn
+
+  validation_record_fqdns = [for record in aws_route53_record.acm_validation_files : record.fqdn]
+}

infrastructure/terraform/components/app/cloudfront_distribution_main.tf

@@ -0,0 +1,67 @@
+resource "aws_cloudfront_distribution" "main" {
+  provider = aws.us-east-1
+
+  enabled             = true
+  is_ipv6_enabled     = true
+  comment             = "NHS Notify templates files CDN (${local.csi})"
+  # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-priceclass
+  price_class = "PriceClass_100"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+      locations        = []
+    }
+  }
+
+  aliases = [
+    local.cloudfront_files_domain_name
+  ]
+
+  viewer_certificate {
+    acm_certificate_arn = aws_acm_certificate_validation.files.certificate_arn
+    # Supports 1.2 & 1.3 - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html
+    minimum_protocol_version = "TLSv1.2_2021"
+    ssl_support_method       = "sni-only"
+  }
+
+  logging_config {
+    bucket          = module.s3bucket_cf_logs.bucket_regional_domain_name
+    include_cookies = false
+  }
+
+  origin {
+    domain_name              = module.backend_api.download_bucket_regional_domain_name
+    origin_access_control_id = aws_cloudfront_origin_access_control.s3.id
+    origin_id                = "S3-${local.csi}-download"
+  }
+
+  default_cache_behavior {
+    allowed_methods = [
+      "GET",
+      "HEAD",
+      "OPTIONS",
+    ]
+    cached_methods = [
+      "GET",
+      "HEAD",
+    ]
+    target_origin_id = "S3-${local.csi}-download"
+
+    forwarded_values {
+      query_string = true
+      headers      = ["Origin"]
+
+      cookies {
+        forward = "all"
+      }
+    }
+
+    viewer_protocol_policy = "redirect-to-https"
+    min_ttl                = 0
+    default_ttl            = 3600
+    max_ttl                = 86400
+    compress               = true
+  }
+}
+

infrastructure/terraform/components/app/cloudfront_origin_access_control_s3.tf

@@ -0,0 +1,9 @@
+resource "aws_cloudfront_origin_access_control" "s3" {
+  provider = aws.us-east-1
+
+  name                              = "${local.csi}-s3bucket-download"
+  description                       = "Origin Access Control for ${module.backend_api.download_bucket_name}"
+  origin_access_control_origin_type = "s3"
+  signing_behavior                  = "always"
+  signing_protocol                  = "sigv4"
+}

infrastructure/terraform/components/app/locals.tf

@@ -1,3 +1,4 @@
 locals {
-  root_domain_name = "${var.environment}.${local.acct.dns_zone["name"]}"
+  cloudfront_files_domain_name = "files.${local.root_domain_name}"
+  root_domain_name             = "${var.environment}.${local.acct.dns_zone["name"]}"
 }

infrastructure/terraform/components/app/module_backend_api.tf

@@ -14,6 +14,8 @@ module "backend_api" {
   kms_key_arn             = module.kms.key_arn
   parent_acct_environment = var.parent_acct_environment
 
+  cloudfront_distribution_arn = aws_cloudfront_distribution.main.arn
+
   cognito_config = jsondecode(aws_ssm_parameter.cognito_config.value)
 
   enable_backup = var.destination_vault_arn != null ? true : false

infrastructure/terraform/components/app/module_kms.tf

@@ -43,4 +43,36 @@ data "aws_iam_policy_document" "kms" {
       "*",
     ]
   }
+
+  statement {
+    sid    = "AllowCloudFrontServicePrincipalSSE-KMS"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+
+      identifiers = [
+        "cloudfront.amazonaws.com",
+      ]
+    }
+
+    actions = [
+      "kms:Decrypt",
+      "kms:Encrypt",
+      "kms:GenerateDataKey*"
+    ]
+
+    resources = [
+      "*",
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "AWS:SourceArn"
+
+      values = [
+        aws_cloudfront_distribution.main.arn,
+      ]
+    }
+  }
 }

infrastructure/terraform/components/app/module_s3bucket_cf_logs.tf

@@ -0,0 +1,171 @@
+module "s3bucket_cf_logs" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket?ref=v2.0.2"
+  providers = {
+    aws = aws.us-east-1
+  }
+
+  name = "cf-logs"
+
+  aws_account_id = var.aws_account_id
+  region         = "us-east-1"
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  acl           = "private"
+  force_destroy = false
+  versioning    = true
+
+  object_ownership = "ObjectWriter"
+
+  lifecycle_rules = [
+    {
+      prefix  = ""
+      enabled = true
+
+      transition = [
+        {
+          days          = "90"
+          storage_class = "STANDARD_IA"
+        },
+        {
+          days          = "180"
+          storage_class = "GLACIER"
+        }
+      ]
+
+      expiration = {
+        days = "365"
+      }
+
+
+      noncurrent_version_transition = [
+        {
+          noncurrent_days = "30"
+          storage_class   = "STANDARD_IA"
+        },
+        {
+          noncurrent_days = "180"
+          storage_class   = "GLACIER"
+        }
+
+      ]
+
+      noncurrent_version_expiration = {
+        noncurrent_days = "365"
+      }
+
+      abort_incomplete_multipart_upload = {
+        days = "1"
+      }
+    }
+  ]
+
+  policy_documents = [
+    data.aws_iam_policy_document.s3bucket_cf_logs.json
+  ]
+
+  public_access = {
+    block_public_acls       = true
+    block_public_policy     = true
+    ignore_public_acls      = true
+    restrict_public_buckets = true
+  }
+
+  default_tags = {
+    Name = "Cloudfront Logs"
+  }
+}
+
+data "aws_iam_policy_document" "s3bucket_cf_logs" {
+  statement {
+    sid    = "DontAllowNonSecureConnection"
+    effect = "Deny"
+
+    actions = [
+      "s3:*",
+    ]
+
+    resources = [
+      module.s3bucket_cf_logs.arn,
+      "${module.s3bucket_cf_logs.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        "*",
+      ]
+    }
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+
+      values = [
+        "false",
+      ]
+    }
+  }
+
+  statement {
+    effect  = "Allow"
+    actions = ["s3:PutObject"]
+    resources = [
+      "${module.s3bucket_cf_logs.arn}/*",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["logging.s3.amazonaws.com"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values = [
+        var.aws_account_id
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToList"
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      module.s3bucket_cf_logs.arn,
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToGet"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+    ]
+
+    resources = [
+      "${module.s3bucket_cf_logs.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+}