CCM-9873: toggle CDN. Add logging bucket for CDN access

Author: bhansell1

…nents/app/cloudfront_distribution_cdn.tf …/app/cloudfront_distribution_download.tfinfrastructure/terraform/components/app/cloudfront_distribution_cdn.tf renamed to infrastructure/terraform/components/app/cloudfront_distribution_download.tf infrastructure/terraform/components/app/cloudfront_distribution_cdn.tf renamed to infrastructure/terraform/components/app/cloudfront_distribution_download.tf

@@ -1,8 +1,8 @@
 resource "aws_cloudfront_distribution" "main" {
   provider = aws.us-east-1
 
-  enabled             = true
-  is_ipv6_enabled     = true
+  enabled             = var.enable_file_download
+  is_ipv6_enabled     = var.enable_file_download
   comment             = "NHS Notify Template files CDN (${local.csi})"
   default_root_object = "index.html"
   price_class         = "PriceClass_100" # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-priceclass
@@ -24,6 +24,11 @@ resource "aws_cloudfront_distribution" "main" {
     ssl_support_method       = "sni-only"
   }
 
+  logging_config {
+    bucket          = module.s3bucket_cf_logs.bucket_regional_domain_name
+    include_cookies = false
+  }
+
   origin {
     domain_name              = module.backend_api.download_bucket_regional_domain_name
     origin_access_control_id = aws_cloudfront_origin_access_control.main.id

infrastructure/terraform/components/app/module_s3bucket_cf_logs.tf

@@ -0,0 +1,175 @@
+module "s3bucket_cf_logs" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket?ref=v1.0.9"
+  providers = {
+    aws = aws.us-east-1
+  }
+
+  name = "cf-logs"
+
+  aws_account_id = var.aws_account_id
+  region         = "us-east-1"
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  acl           = "private"
+  force_destroy = false
+  versioning    = true
+
+  object_ownership = "ObjectWriter"
+
+  lifecycle_rules = [
+    {
+      prefix  = ""
+      enabled = true
+
+      transition = [
+        {
+          days          = "90"
+          storage_class = "STANDARD_IA"
+        },
+        {
+          days          = "180"
+          storage_class = "GLACIER"
+        }
+      ]
+
+      expiration = {
+        days = "365"
+      }
+
+
+      noncurrent_version_transition = [
+        {
+          noncurrent_days = "30"
+          storage_class   = "STANDARD_IA"
+        },
+        {
+          noncurrent_days = "180"
+          storage_class   = "GLACIER"
+        }
+
+      ]
+
+      noncurrent_version_expiration = {
+        noncurrent_days = "365"
+      }
+
+      abort_incomplete_multipart_upload = {
+        days = "1"
+      }
+    }
+  ]
+
+  policy_documents = [
+    data.aws_iam_policy_document.s3bucket_cf_logs.json
+  ]
+
+  bucket_logging_target = {
+    bucket = local.s3_buckets["access_logs"]["id"]
+  }
+
+  public_access = {
+    block_public_acls       = true
+    block_public_policy     = true
+    ignore_public_acls      = true
+    restrict_public_buckets = true
+  }
+
+  default_tags = {
+    Name = "Cloudfront Logs"
+  }
+}
+
+data "aws_iam_policy_document" "s3bucket_cf_logs" {
+  statement {
+    sid    = "DontAllowNonSecureConnection"
+    effect = "Deny"
+
+    actions = [
+      "s3:*",
+    ]
+
+    resources = [
+      module.s3bucket_cf_logs.arn,
+      "${module.s3bucket_cf_logs.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        "*",
+      ]
+    }
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+
+      values = [
+        "false",
+      ]
+    }
+  }
+
+  statement {
+    effect  = "Allow"
+    actions = ["s3:PutObject"]
+    resources = [
+      "${module.s3bucket_cf_logs.arn}/*",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["logging.s3.amazonaws.com"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values = [
+        var.aws_account_id
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToList"
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      module.s3bucket_cf_logs.arn,
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToGet"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+    ]
+
+    resources = [
+      "${module.s3bucket_cf_logs.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+}

infrastructure/terraform/components/app/variables.tf

@@ -194,6 +194,12 @@ variable "enable_proofing" {
   default     = false
 }
 
+variable "enable_file_download" {
+  type        = bool
+  description = "Feature flag for downloading files"
+  default     = true
+}
+
 variable "observability_account_id" {
   type        = string
   description = "The Observability Account ID that needs access"