add lambda

Author: alexnuttall

VERSION

@@ -29,6 +29,16 @@ resource "aws_cloudfront_distribution" "main" {
     domain_name              = module.backend_api.download_bucket_regional_domain_name
     origin_access_control_id = aws_cloudfront_origin_access_control.main.id
     origin_id                = "S3-${local.csi}-download"
+    
+    custom_header {
+      name  = "x-user-pool-id"
+      value = jsondecode(aws_ssm_parameter.cognito_config.value)["USER_POOL_ID"]
+    }
+
+    custom_header {
+      name  = "x-user-pool-client-id"
+      value = jsondecode(aws_ssm_parameter.cognito_config.value)["USER_POOL_CLIENT_ID"]
+    }
   }
 
   default_cache_behavior {
@@ -43,20 +53,31 @@ resource "aws_cloudfront_distribution" "main" {
     ]
     target_origin_id = "S3-${local.csi}-download"
 
-    forwarded_values {
-      query_string = true
-      headers      = ["Origin"]
-
-      cookies {
-        forward = "all"
-      }
-    }
+    cache_policy_id          = aws_cloudfront_cache_policy.no_cache.id
+    origin_request_policy_id = aws_cloudfront_origin_request_policy.forward_cookies.id
 
     viewer_protocol_policy = "redirect-to-https"
-    min_ttl                = 0
-    default_ttl            = 3600
-    max_ttl                = 86400
     compress               = true
   }
 }
 
+resource "aws_cloudfront_cache_policy" "no_cache" {
+  name = "no-cache-policy"
+
+  default_ttl = 0
+  max_ttl     = 0
+  min_ttl     = 0
+
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config { cookie_behavior = "none" }
+    headers_config { header_behavior = "none" }
+    query_strings_config { query_string_behavior = "none" }
+  }
+}
+
+resource "aws_cloudfront_origin_request_policy" "forward_cookies" {
+  name = "forward-cookies"
+  cookies_config { cookie_behavior = "all" }
+  headers_config { header_behavior = "none" }
+  query_strings_config { query_string_behavior = "none" }
+}

infrastructure/terraform/components/app/cloudfront_distribution_cdn.tf

@@ -1,4 +1,7 @@
 locals {
   cloudfront_domain_name = "files.${local.root_domain_name}"
   root_domain_name       = "${var.environment}.${local.acct.dns_zone["name"]}"
+
+  repo_root               = abspath("${path.module}/../../../..")
+  lambdas_source_code_dir = abspath("${local.repo_root}/lambdas")
 }

infrastructure/terraform/components/app/locals.tf

@@ -0,0 +1,54 @@
+module "download_authorizer_lambda" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda?ref=v2.0.2"
+
+  providers = {
+    aws = aws.us-east-1
+  }
+
+  function_name = "download-authorizer"
+  description   = "Download authorizer for s3 origin"
+
+  aws_account_id = var.aws_account_id
+  component      = var.component
+  environment    = var.environment
+  project        = var.project
+  region         = "us-east-1"
+  group          = var.group
+
+  log_retention_in_days = var.log_retention_in_days
+  kms_key_arn           = module.kms.key_arn
+
+  iam_policy_document = {
+    body = data.aws_iam_policy_document.authorizer.json
+  }
+
+  function_s3_bucket      = local.acct.s3_buckets["lambda_function_artefacts"]["id"]
+  function_code_base_path = local.aws_lambda_functions_dir_path
+  function_code_dir       = "${lambdas_source_code_dir}/download-authorizer/dist"
+  function_include_common = true
+  function_module_name    = "handler"
+  runtime                 = "nodejs20.x"
+  memory                  = 128
+  timeout                 = 5
+  log_level               = var.log_level
+  lambda_at_edge          = true
+
+  force_lambda_code_deploy = var.force_lambda_code_deploy
+  enable_lambda_insights   = false
+}
+
+data "aws_iam_policy_document" "authorizer" {
+  statement {
+    sid    = "KMSPermissions"
+    effect = "Allow"
+
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+    ]
+
+    resources = [
+      module.kms.key_arn,
+    ]
+  }
+}

infrastructure/terraform/components/app/module_download_authorizer_lambda.tf

@@ -0,0 +1 @@
+dist

lambdas/download-authorizer/.eslintignore

@@ -0,0 +1,4 @@
+.build
+coverage
+node_modules
+dist

lambdas/download-authorizer/.gitignore

@@ -0,0 +1 @@
+export { baseJestConfig as default } from 'nhs-notify-web-template-management-utils'; // eslint-disable-line no-restricted-exports

lambdas/download-authorizer/jest.config.ts

@@ -0,0 +1,32 @@
+{
+  "name": "nhs-notify-download-authorizer",
+  "version": "0.0.1",
+  "private": true,
+  "scripts": {
+    "test:unit": "jest",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "typecheck": "tsc --noEmit"
+  },
+  "devDependencies": {
+    "@swc/core": "^1.11.13",
+    "@swc/jest": "^0.2.37",
+    "@tsconfig/node20": "^20.1.5",
+    "@types/aws-lambda": "^8.10.148",
+    "@types/jest": "^29.5.14",
+    "@types/jsonwebtoken": "^9.0.9",
+    "esbuild": "^0.24.0",
+    "jest": "^29.7.0",
+    "jest-mock-extended": "^3.0.7",
+    "typescript": "^5.8.2"
+  },
+  "dependencies": {
+    "@aws-sdk/client-cognito-identity-provider": "3.775.0",
+    "jsonwebtoken": "^9.0.2",
+    "jwks-rsa": "^3.2.0",
+    "jwt-decode": "^4.0.0",
+    "nhs-notify-web-template-management-utils": "^0.0.1",
+    "zod": "^3.24.2"
+  }
+}
+s