NHSDigital · mark-r-bjss · Mar 12, 2025 · Mar 12, 2025 · Mar 18, 2025 · Mar 18, 2025
@@ -6,5 +6,5 @@ terraform {
     }
   }
 
-  required_version = ">= 1.9.0"
+  required_version = ">= 1.9.2"
 }
@@ -0,0 +1,9 @@
+module "public_signing_keys" {
+  source         = "../../modules/public-signing-keys"
+  aws_account_id = var.aws_account_id
+  environment    = var.environment
+  region         = var.region
+  project        = var.project
+  csi            = local.csi
+  acct           = local.acct
+}
@@ -4,7 +4,11 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 5.50"
     }
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.0"
+    }
   }
 
-  required_version = ">= 1.9.0"
+  required_version = ">= 1.9.2"
 }
@@ -6,5 +6,5 @@ terraform {
     }
   }
 
-  required_version = ">= 1.9.0"
+  required_version = ">= 1.9.2"
 }
@@ -0,0 +1,40 @@
+locals {
+  bootstrap = data.terraform_remote_state.bootstrap.outputs
+  acct      = data.terraform_remote_state.acct.outputs
+}
+
+data "terraform_remote_state" "bootstrap" {
+  backend = "s3"
+
+  config = {
+    bucket = local.terraform_state_bucket
+
+    key = format(
+      "%s/%s/%s/%s/bootstrap.tfstate",
+      var.project,
+      var.aws_account_id,
+      "eu-west-2",
+      "bootstrap"
+    )
+
+    region = "eu-west-2"
+  }
+}
+
+data "terraform_remote_state" "acct" {
+  backend = "s3"
+
+  config = {
+    bucket = local.terraform_state_bucket
+
+    key = format(
+      "%s/%s/%s/%s/acct.tfstate",
+      var.project,
+      var.aws_account_id,
+      "eu-west-2",
+      "main"
+    )
+
+    region = "eu-west-2"
+  }
+}
@@ -0,0 +1,9 @@
+module "public_signing_keys" {
+  source         = "../../modules/public-signing-keys"
+  aws_account_id = var.aws_account_id
+  environment    = var.environment
+  region         = var.region
+  project        = var.project
+  csi            = local.csi
+  acct           = local.acct
+}
@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.50"
+    }
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.0"
+    }
+  }
+
+  required_version = ">= 1.9.2"
+}
@@ -0,0 +1,80 @@
+resource "aws_cloudfront_distribution" "signing_keys" {
+  provider = aws.us-east-1
+
+  enabled             = true
+  is_ipv6_enabled     = true
+  comment             = "Public Signing Keys (${local.csi})"
+  default_root_object = "index.html"
+  price_class         = "PriceClass_100" # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-priceclass
+  web_acl_id          = aws_wafv2_web_acl.public_signing_keys.arn
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none" # Moved to WAF
+      locations        = []     # Moved to WAF
+    }
+  }
+
+  # TODO
+  #   aliases = flatten([
+  #     [
+  #       local.root_domain_name,
+  #     ],
+  #     var.cdn_sans
+  #   ])
+
+  # TODO
+  #   viewer_certificate {
+  #     acm_certificate_arn      = aws_acm_certificate.main.arn
+  #     minimum_protocol_version = "TLSv1.2_2021" # Supports 1.2 & 1.3 - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html
+  #     ssl_support_method       = "sni-only"
+  #   }
+  viewer_certificate {
+    cloudfront_default_certificate = true
+  }
+
+  logging_config {
+    bucket          = module.s3bucket_cf_logs.bucket_regional_domain_name
+    include_cookies = false
+  }
+
+  origin {
+    domain_name = module.s3bucket_public_keys.bucket_regional_domain_name
+    origin_id   = "${local.csi}-public-keys"
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.signing_keys.cloudfront_access_identity_path
+    }
+  }
+
+  # Github Web-CMS behaviour
+  default_cache_behavior {
+    allowed_methods = [
+      "GET",
+      "HEAD",
+    ]
+    cached_methods = [
+      "GET",
+      "HEAD",
+    ]
+    target_origin_id = "${local.csi}-public-keys"
+
+    forwarded_values {
+      query_string = false
+      headers      = ["Origin"]
+
+      cookies {
+        forward = "none"
+      }
+    }
+
+    viewer_protocol_policy = "redirect-to-https"
+    min_ttl                = 0
+    default_ttl            = 3600
+    max_ttl                = 86400
+    compress               = true
+  }
+}
+
+resource "aws_cloudfront_origin_access_identity" "signing_keys" {
+  comment = "Used to access the S3 content for the public signing keys bucket"
+}
@@ -0,0 +1 @@
+data "github_ip_ranges" "main" {}
@@ -0,0 +1,23 @@
+resource "aws_iam_policy" "public_signing_keys" {
+  name        = "${local.csi}-public-signing-keys"
+  description = "Access policy to allow access to public signing keys in S3"
+  path        = "/"
+  policy      = data.aws_iam_policy_document.public_signing_keys.json
+}
+
+data "aws_iam_policy_document" "public_signing_keys" {
+  statement {
+    sid    = "AllowS3Read"
+    effect = "Allow"
+
+    actions = [
+      "s3:List*",
+      "s3:Get*",
+    ]
+
+    resources = [
+      module.s3bucket_public_keys.arn,
+      "${module.s3bucket_public_keys.arn}/*",
+    ]
+  }
+}
@@ -0,0 +1,3 @@
+locals {
+  csi  = "${var.csi}-${var.component}"
+}
@@ -0,0 +1,171 @@
+module "s3bucket_cf_logs" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket?ref=v1.0.9"
+  providers = {
+    aws = aws.us-east-1
+  }
+
+  name = "cf-logs"
+
+  aws_account_id = var.aws_account_id
+  region         = "us-east-1"
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  acl           = "private"
+  force_destroy = false
+  versioning    = true
+
+  object_ownership = "ObjectWriter"
+
+  lifecycle_rules = [
+    {
+      prefix  = ""
+      enabled = true
+
+      transition = [
+        {
+          days          = "90"
+          storage_class = "STANDARD_IA"
+        },
+        {
+          days          = "180"
+          storage_class = "GLACIER"
+        }
+      ]
+
+      expiration = {
+        days = "365"
+      }
+
+
+      noncurrent_version_transition = [
+        {
+          noncurrent_days = "30"
+          storage_class   = "STANDARD_IA"
+        },
+        {
+          noncurrent_days = "180"
+          storage_class   = "GLACIER"
+        }
+
+      ]
+
+      noncurrent_version_expiration = {
+        noncurrent_days = "365"
+      }
+
+      abort_incomplete_multipart_upload = {
+        days = "1"
+      }
+    }
+  ]
+
+  policy_documents = [
+    data.aws_iam_policy_document.s3bucket_cf_logs.json
+  ]
+
+  public_access = {
+    block_public_acls       = true
+    block_public_policy     = true
+    ignore_public_acls      = true
+    restrict_public_buckets = true
+  }
+
+  default_tags = {
+    Name = "Lambda function artefact bucket"
+  }
+}
+
+data "aws_iam_policy_document" "s3bucket_cf_logs" {
+  statement {
+    sid    = "DontAllowNonSecureConnection"
+    effect = "Deny"
+
+    actions = [
+      "s3:*",
+    ]
+
+    resources = [
+      module.s3bucket_cf_logs.arn,
+      "${module.s3bucket_cf_logs.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+
+      identifiers = [
+        "*",
+      ]
+    }
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+
+      values = [
+        "false",
+      ]
+    }
+  }
+
+  statement {
+    effect  = "Allow"
+    actions = ["s3:PutObject"]
+    resources = [
+      "${module.s3bucket_cf_logs.arn}/*",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["logging.s3.amazonaws.com"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values = [
+        var.aws_account_id
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToList"
+    effect = "Allow"
+
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      module.s3bucket_cf_logs.arn,
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+
+  statement {
+    sid    = "AllowManagedAccountsToGet"
+    effect = "Allow"
+
+    actions = [
+      "s3:GetObject",
+    ]
+
+    resources = [
+      "${module.s3bucket_cf_logs.arn}/*",
+    ]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${var.aws_account_id}:root"
+      ]
+    }
+  }
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,5 +6,5 @@ terraform { @@
         }
       }
-      required_version = ">= 1.9.0"
+      required_version = ">= 1.9.2"
     }