Merge branch 'main' into feature/add-cognito-for-etna

nationalarchives · Jan 24, 2025 · 221ed47 · 221ed47
2 parents 33e19a8 + a7380e9
commit 221ed47
Show file tree

Hide file tree

Showing 71 changed files with 1,977 additions and 55 deletions.
diff --git a/.github/workflows/deploy-feature.yml b/.github/workflows/deploy-feature.yml
@@ -40,8 +40,12 @@ jobs:
       - env-name
     steps:
       - uses: actions/checkout@v4
+      - name: Read the config file
+        run: cat config/${{ inputs.config }}
+        shell: bash
       - name: Deploy
         uses: ./.github/actions/deploy
         with:
           config: ${{ inputs.config }}
           environment: ${{ needs.env-name.outputs.environment }}
+
diff --git a/components/terraform/cloudfront/cloudfront.tf b/components/terraform/cloudfront/cloudfront.tf
@@ -0,0 +1,72 @@
+resource "aws_cloudfront_distribution" "web" {
+    origin {
+        domain_name = var.lb_dns_name
+        origin_id   = lookup(var.cf_dist, "cfd_origin_id", "")
+
+        custom_origin_config {
+            http_port              = 80
+            https_port             = 443
+            origin_protocol_policy = "https-only"
+            origin_ssl_protocols   = ["TLSv1.2"]
+        }
+
+        custom_header {
+            name  = var.custom_header_name
+            value = var.custom_header_value
+        }
+    }
+
+    http_version = "http2"
+    price_class  = lookup(var.cf_dist, "cfd_price_class", "")
+    enabled      = lookup(var.cf_dist, "cfd_enabled", "")
+
+    aliases = lookup(var.cf_dist, "cfd_aliases", "")
+
+    default_cache_behavior {
+        target_origin_id = lookup(var.cf_dist, "cfd_origin_id", "")
+        allowed_methods  = lookup(var.cf_dist, "cfd_default_behaviour_allowed_methods", "")
+        cached_methods   = lookup(var.cf_dist, "cfd_default_behaviour_cached_methods", "")
+
+        cache_policy_id          = lookup(var.cf_dist, "cfd_Managed_CachingOptimized_cache_policy_id", "")
+        origin_request_policy_id = lookup(var.cf_dist, "cfd_Managed_AllViewer_origin_request_policy_id", "")
+
+        viewer_protocol_policy = lookup(var.cf_dist, "cfd_behaviour_default_viewer_protocol_policy", "")
+        compress               = lookup(var.cf_dist, "cfd_behaviour_compress", "")
+    }
+
+    # Managed Caching Disabled and Managed All Viewer policies
+    dynamic "ordered_cache_behavior" {
+        for_each = lookup(var.cf_dist, "cfd_cache_disabled_path_patterns", "")
+        iterator = b
+        content {
+            path_pattern     = b.value
+            target_origin_id = lookup(var.cf_dist, "cfd_origin_id", "")
+            allowed_methods  = lookup(var.cf_dist, "cfd_default_behaviour_allowed_methods", "")
+            cached_methods   = lookup(var.cf_dist, "cfd_default_behaviour_cached_methods", "")
+
+            cache_policy_id          = lookup(var.cf_dist, "cfd_Managed_CachingDisabled_cache_policy_id", "")
+            origin_request_policy_id = lookup(var.cf_dist, "cfd_Managed_AllViewer_origin_request_policy_id", "")
+
+            viewer_protocol_policy = lookup(var.cf_dist, "cfd_behaviour_viewer_protocol_policy", "")
+            compress               = lookup(var.cf_dist, "cfd_behaviour_compress", "")
+        }
+    }
+
+    restrictions {
+        geo_restriction {
+            restriction_type = "none"
+        }
+    }
+
+    tags = var.tags
+
+    viewer_certificate {
+        cloudfront_default_certificate = false
+        acm_certificate_arn            = var.wildcard_certificate_arn
+        ssl_support_method             = "sni-only"
+        minimum_protocol_version       = "TLSv1.2_2021"
+    }
+
+    # get arn to indicate WAFv2
+    web_acl_id = element(split(",", var.web_waf_info), 1)
+}
diff --git a/components/terraform/cloudfront/outputs.tf b/components/terraform/cloudfront/outputs.tf
@@ -0,0 +1,7 @@
+output "cloudfront_dns" {
+  value = aws_cloudfront_distribution.web.domain_name
+}
+
+output "cloudfront_zone_id" {
+  value = aws_cloudfront_distribution.web.hosted_zone_id
+}
diff --git a/components/terraform/cloudfront/vars.tf b/components/terraform/cloudfront/vars.tf
@@ -0,0 +1,22 @@
+## -----------------------------------------------------------------------------
+## variable definitions
+
+variable "cf_dist" {}
+variable "lb_dns_name" {}
+
+variable "wildcard_certificate_arn" {}
+
+# customer header used to limit traffic to load balancers
+variable "custom_header_name" {}
+variable "custom_header_value" {}
+
+variable "tags" {}
+
+variable "web_waf_info" {
+  description = "Taken from aws ssm parameter store data"
+  default     = {}
+}
+
+# ======================================================================================================================
+# Local Values - Sets Default Tags
+# ======================================================================================================================
diff --git a/components/terraform/data.tf b/components/terraform/data.tf
@@ -76,3 +76,8 @@ data "aws_ssm_parameter" "zone_id" {
     name = "/infrastructure/zone_id"
 }
 
+# cloudfront
+#
+data "aws_ssm_parameter" "cf_waf_ip_set" {
+    name = "/application/web/frontend/waf/ip_set"
+}
diff --git a/components/terraform/iam.tf b/components/terraform/iam.tf
@@ -0,0 +1,23 @@
+module "policies" {
+    source = "./iam/policies"
+
+    deployment_s3_bucket = var.deployment_s3_bucket
+    logfile_s3_bucket    = var.logfile_s3_bucket
+
+    rp_deployment_s3_root = var.rp_deployment_s3_root
+    rp_logfile_s3_root    = var.rp_logfile_s3_root
+
+    service = var.service
+
+    account_id = data.aws_caller_identity.current.account_id
+}
+
+module "roles" {
+    source = "./iam/roles"
+
+    deployment_s3_policy                     = module.policies.deployment_s3_policy_arn
+    rp_config_s3_policy_arn                  = module.policies.rp_config_s3_policy_arn
+    lambda_web_docker_deployment_policy_arn = module.policies.lambda_web_docker_deployment_policy_arn
+
+    tags = local.tags
+}
diff --git a/components/terraform/iam/policies/outputs.tf b/components/terraform/iam/policies/outputs.tf
@@ -0,0 +1,11 @@
+output "deployment_s3_policy_arn" {
+    value = aws_iam_policy.deployment_s3.arn
+}
+
+output "rp_config_s3_policy_arn" {
+    value = aws_iam_policy.deployment_s3.arn
+}
+
+output "lambda_web_docker_deployment_policy_arn" {
+    value = aws_iam_policy.lambda_web_docker_deployment_policy.arn
+}
diff --git a/components/terraform/iam/policies/policies.tf b/components/terraform/iam/policies/policies.tf
@@ -0,0 +1,33 @@
+resource "aws_iam_policy" "deployment_s3" {
+    name        = "web-deployment-source-s3-policy"
+    description = "deployment S3 access for web"
+
+    policy = templatefile("${path.module}/templates/deployment-source-s3-access.json", {
+        deployment_s3_bucket = var.deployment_s3_bucket,
+        service              = var.service
+    })
+}
+
+resource "aws_iam_policy" "rp_config_s3" {
+    name        = "web-rp-s3-policy"
+    description = "S3 access to nginx configuration files and log files"
+
+    policy = templatefile("${path.module}/templates/instance-s3-policy.json", {
+        deployment_s3_bucket = var.deployment_s3_bucket,
+        logfile_s3_bucket    = var.logfile_s3_bucket,
+        deployment_root      = var.rp_deployment_s3_root,
+        logfile_root         = var.rp_logfile_s3_root
+    })
+}
+
+# web-docker-deployment
+#
+resource "aws_iam_policy" "lambda_web_docker_deployment_policy" {
+    name        = "lambda-web-docker-deployment-policy"
+    description = "receive instance data and manipulate status"
+
+    policy = templatefile("${path.module}/templates/lambda-web-docker-deployment-policy.json", {
+        account_id = var.account_id
+    })
+}
+
diff --git a/components/terraform/iam/policies/templates/deployment-source-s3-access.json b/components/terraform/iam/policies/templates/deployment-source-s3-access.json
@@ -0,0 +1,25 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:ListBucket"
+      ],
+     "Resource": [
+        "arn:aws:s3:::${deployment_s3_bucket}"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject",
+        "s3:PutObject",
+        "s3:PutObjectAcl"
+      ],
+      "Resource": [
+         "arn:aws:s3:::${deployment_s3_bucket}/${service}/*"
+      ]
+    }
+  ]
+}
diff --git a/components/terraform/iam/policies/templates/instance-s3-policy.json b/components/terraform/iam/policies/templates/instance-s3-policy.json
@@ -0,0 +1,33 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "arn:aws:s3:::${deployment_s3_bucket}",
+                "arn:aws:s3:::${logfile_s3_bucket}"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject"
+            ],
+            "Resource": [
+                "arn:aws:s3:::${deployment_s3_bucket}/${deployment_root}/*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:*Object"
+            ],
+            "Resource": [
+                "arn:aws:s3:::${logfile_s3_bucket}/${logfile_root}/*"
+            ]
+        }
+    ]
+}
diff --git a/components/terraform/iam/policies/templates/lambda-web-docker-deployment-policy.json b/components/terraform/iam/policies/templates/lambda-web-docker-deployment-policy.json
@@ -0,0 +1,96 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "Ec2Resources",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:AttachNetworkInterface",
+                "ec2:CreateNetworkInterface",
+                "ec2:DeleteNetworkInterface",
+                "ec2:DescribeInstances",
+                "ec2:DescribeInstanceStatus",
+                "ec2:DescribeNetworkInterfaces",
+                "ec2:Start*",
+                "ec2:Stop*"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "SwitchAsg",
+            "Effect": "Allow",
+            "Action": [
+                "autoscaling:ResumeProcesses",
+                "autoscaling:SuspendProcesses"
+            ],
+            "Resource": [
+                "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*",
+                "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/*"
+            ]
+        },
+        {
+            "Sid": "ManipulateAsg",
+            "Effect": "Allow",
+            "Action": [
+                "autoscaling:DescribeAutoScalingNotificationTypes",
+                "autoscaling:DescribeAutoScalingInstances",
+                "autoscaling:DescribeScalingProcessTypes",
+                "autoscaling:DescribeTerminationPolicyTypes",
+                "autoscaling:DescribePolicies",
+                "autoscaling:DescribeLaunchConfigurations",
+                "autoscaling:DescribeAdjustmentTypes",
+                "autoscaling:DescribeScalingActivities",
+                "autoscaling:DescribeAccountLimits",
+                "autoscaling:DescribeAutoScalingGroups",
+                "autoscaling:DescribeScheduledActions",
+                "autoscaling:DescribeLoadBalancerTargetGroups",
+                "autoscaling:DescribeNotificationConfigurations",
+                "autoscaling:DescribeLifecycleHookTypes",
+                "autoscaling:DescribeTags",
+                "autoscaling:DescribeMetricCollectionTypes",
+                "autoscaling:DescribeLoadBalancers",
+                "autoscaling:DescribeLifecycleHooks"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "LogFiles",
+            "Effect": "Allow",
+            "Action": [
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+            ],
+            "Resource": "arn:aws:logs:*:*:*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ssm:*"
+            ],
+            "Resource": [
+                "arn:aws:ssm:eu-west-2:${account_id}:document/*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": "ssm:*",
+            "Resource": [
+                "arn:aws:ssm:eu-west-2:${account_id}:instance/*"
+            ],
+            "Condition": {
+                "StringEquals": {
+                    "ec2:ResourceTag/Name": "web-frontend"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ssm:*"
+            ],
+            "Resource": [
+                "arn:aws:ssm:eu-west-2:${account_id}:*"
+            ]
+        }
+    ]
+}
diff --git a/components/terraform/iam/policies/vars.tf b/components/terraform/iam/policies/vars.tf
@@ -0,0 +1,9 @@
+variable "deployment_s3_bucket" {}
+variable "logfile_s3_bucket" {}
+
+variable "rp_deployment_s3_root" {}
+variable "rp_logfile_s3_root" {}
+
+variable "service" {}
+
+variable "account_id" {}
diff --git a/components/terraform/iam/roles/efs-backup-roles.tf b/components/terraform/iam/roles/efs-backup-roles.tf
@@ -0,0 +1,9 @@
+resource "aws_iam_role" "media_efs_backup" {
+    name = "web-media-efs-backup-role"
+
+    assume_role_policy  = file("${path.root}/shared-templates/efs_backup_assume_role.json")
+}
+resource "aws_iam_role_policy_attachment" "media_efs_backup_policy_attachment" {
+  role       = aws_iam_role.media_efs_backup.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
+}