conditional changes for prod URL (#154)

infrastructure/api.tf

@@ -94,7 +94,7 @@ resource "aws_api_gateway_gateway_response" "unauthorised_response" {
   }
 
   response_parameters = {
-    "gatewayresponse.header.Access-Control-Allow-Origin"      = "'https://${terraform.workspace}.${var.domain}'"
+    "gatewayresponse.header.Access-Control-Allow-Origin"      = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
     "gatewayresponse.header.Access-Control-Allow-Methods"     = "'*'"
     "gatewayresponse.header.Access-Control-Allow-Headers"     = "'Content-Type,X-Amz-Date,Authorization,X-Auth,X-Api-Key,X-Amz-Security-Token,X-Auth-Cookie,Accept'"
     "gatewayresponse.header.Access-Control-Allow-Credentials" = "'true'"
@@ -110,7 +110,7 @@ resource "aws_api_gateway_gateway_response" "bad_gateway_response" {
   }
 
   response_parameters = {
-    "gatewayresponse.header.Access-Control-Allow-Origin"      = "'https://${terraform.workspace}.${var.domain}'"
+    "gatewayresponse.header.Access-Control-Allow-Origin"      = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
     "gatewayresponse.header.Access-Control-Allow-Methods"     = "'*'"
     "gatewayresponse.header.Access-Control-Allow-Headers"     = "'Content-Type,X-Amz-Date,Authorization,X-Auth,X-Api-Key,X-Amz-Security-Token,X-Auth-Cookie,Accept'"
     "gatewayresponse.header.Access-Control-Allow-Credentials" = "'true'"
@@ -126,4 +126,4 @@ module "api_endpoint_url_ssm_parameter" {
   type                = "SecureString"
   owner               = var.owner
   environment         = var.environment
-}
+}

infrastructure/buckets.tf

@@ -11,13 +11,13 @@ module "ndr-document-store" {
     {
       allowed_headers = ["*"]
       allowed_methods = ["POST", "DELETE"]
-      allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+      allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
       expose_headers  = ["ETag"]
       max_age_seconds = 3000
     },
     {
       allowed_methods = ["GET"]
-      allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+      allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
     }
   ]
 }
@@ -33,7 +33,7 @@ module "ndr-zip-request-store" {
   cors_rules = [
     {
       allowed_methods = ["GET"]
-      allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+      allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
     }
   ]
 }
@@ -51,13 +51,13 @@ module "ndr-lloyd-george-store" {
     {
       allowed_headers = ["*"]
       allowed_methods = ["POST", "PUT", "DELETE"]
-      allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+      allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
       expose_headers  = ["ETag"]
       max_age_seconds = 3000
     },
     {
       allowed_methods = ["GET"]
-      allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+      allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
     }
   ]
 }

infrastructure/lambda-back-channel-logout.tf

@@ -7,7 +7,7 @@ module "back-channel-logout-gateway" {
   authorization       = "NONE"
   gateway_path        = "BackChannelLogout"
   require_credentials = false
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   owner             = var.owner
@@ -41,7 +41,7 @@ module "back_channel_logout_lambda" {
     ENVIRONMENT                    = var.environment
     AUTH_DYNAMODB_NAME             = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
     SSM_PARAM_JWT_TOKEN_PUBLIC_KEY = "jwt_token_public_key"
-    OIDC_CALLBACK_URL              = "https://${terraform.workspace}.${var.domain}/auth-callback"
+    OIDC_CALLBACK_URL              = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback"
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,

infrastructure/lambda-create-doc-ref.tf

@@ -8,7 +8,7 @@ module "create-doc-ref-gateway" {
   gateway_path        = "DocumentReference"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
   require_credentials = true
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
 
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn

infrastructure/lambda-delete-doc-ref.tf

@@ -8,7 +8,7 @@ module "delete-doc-ref-gateway" {
   gateway_path        = "DocumentDelete"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
   require_credentials = true
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
 
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
@@ -92,4 +92,4 @@ module "delete-doc-ref-lambda" {
     module.delete-doc-ref-gateway,
     module.ndr-app-config
   ]
-}
+}

infrastructure/lambda-document-manifest-by-nhs-number.tf

@@ -8,7 +8,7 @@ module "document-manifest-by-nhs-gateway" {
   gateway_path        = "DocumentManifest"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
   require_credentials = true
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
 
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
@@ -108,4 +108,4 @@ resource "aws_iam_role_policy_attachment" "policy_manifest_lambda" {
   count      = local.is_sandbox ? 0 : 1
   role       = module.document-manifest-by-nhs-number-lambda.lambda_execution_role_name
   policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
+}

infrastructure/lambda-lloyd-george-record-stitch.tf

@@ -8,7 +8,7 @@ module "lloyd-george-stitch-gateway" {
   gateway_path        = "LloydGeorgeStitch"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
   require_credentials = true
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
 
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
@@ -105,4 +105,4 @@ resource "aws_iam_role_policy_attachment" "lambda_stitch-lambda" {
   count      = local.is_sandbox ? 0 : 1
   role       = module.lloyd-george-stitch-lambda.lambda_execution_role_name
   policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
+}

infrastructure/lambda-login-redirect.tf

@@ -31,7 +31,7 @@ module "login_redirect_lambda" {
     APPCONFIG_ENVIRONMENT   = module.ndr-app-config.app_config_environment_id
     APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
     WORKSPACE               = terraform.workspace
-    OIDC_CALLBACK_URL       = "https://${terraform.workspace}.${var.domain}/auth-callback"
+    OIDC_CALLBACK_URL       = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback"
     AUTH_DYNAMODB_NAME      = "${terraform.workspace}_${var.auth_state_dynamodb_table_name}"
   }
   depends_on = [
@@ -104,4 +104,4 @@ resource "aws_iam_policy" "ssm_policy_oidc" {
       }
     ]
   })
-}
+}

infrastructure/lambda-logout.tf

@@ -7,7 +7,7 @@ module "logout-gateway" {
   authorization       = "NONE"
   gateway_path        = "Logout"
   require_credentials = false
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   owner             = var.owner

infrastructure/lambda-search-doc-references.tf

@@ -8,7 +8,7 @@ module "search-document-references-gateway" {
   gateway_path        = "SearchDocumentReferences"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
   require_credentials = true
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
 
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn

infrastructure/lambda-search-patient.tf

@@ -8,7 +8,7 @@ module "search-patient-details-gateway" {
   gateway_path        = "SearchPatient"
   authorizer_id       = aws_api_gateway_authorizer.repo_authoriser.id
   require_credentials = true
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
 
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
@@ -117,4 +117,4 @@ resource "aws_iam_role_policy_attachment" "policy_audit_search-patient-details-l
   count      = local.is_sandbox ? 0 : 1
   role       = module.search-patient-details-lambda.lambda_execution_role_name
   policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
+}

infrastructure/lambda-token.tf

@@ -7,7 +7,7 @@ module "token-gateway" {
   authorization       = "NONE"
   gateway_path        = "TokenRequest"
   require_credentials = false
-  origin              = "'https://${terraform.workspace}.${var.domain}'"
+  origin              = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
   # Lambda Variables
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   owner             = var.owner
@@ -41,11 +41,12 @@ module "create-token-lambda" {
     APPCONFIG_CONFIGURATION         = module.ndr-app-config.app_config_configuration_profile_id
     WORKSPACE                       = terraform.workspace
     SSM_PARAM_JWT_TOKEN_PRIVATE_KEY = "jwt_token_private_key"
-    OIDC_CALLBACK_URL               = "https://${terraform.workspace}.${var.domain}/auth-callback"
-    AUTH_STATE_TABLE_NAME           = "${terraform.workspace}_${var.auth_state_dynamodb_table_name}"
-    AUTH_SESSION_TABLE_NAME         = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
-    ENVIRONMENT                     = var.environment
-    SPLUNK_SQS_QUEUE_URL            = try(module.sqs-splunk-queue[0].sqs_url, null)
+
+    OIDC_CALLBACK_URL       = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback"
+    AUTH_STATE_TABLE_NAME   = "${terraform.workspace}_${var.auth_state_dynamodb_table_name}"
+    AUTH_SESSION_TABLE_NAME = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
+    ENVIRONMENT             = var.environment
+    SPLUNK_SQS_QUEUE_URL    = try(module.sqs-splunk-queue[0].sqs_url, null)
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
@@ -126,4 +127,4 @@ resource "aws_iam_role_policy_attachment" "policy_audit_token_lambda" {
   count      = local.is_sandbox ? 0 : 1
   role       = module.create-token-lambda.lambda_execution_role_name
   policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
+}

infrastructure/main.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.0"
+      version = ">=5.11"
     }
   }
   backend "s3" {

infrastructure/prod.tfvars

@@ -1,7 +1,7 @@
 environment                       = "prod"
 owner                             = "nhse/ndr-team"
-domain                            = "access-request-fulfilment.patient-deductions.nhs.uk"
-certificate_domain                = "prod.access-request-fulfilment.patient-deductions.nhs.uk"
+domain                            = "national-document-repository.nhs.uk"
+certificate_domain                = "national-document-repository.nhs.uk"
 certificate_subdomain_name_prefix = "api."
 
 cloudwatch_alarm_evaluation_periods = 30
@@ -14,4 +14,4 @@ mesh_password_ssm_param_name    = "/repo/prod/user-input/external/mesh-mailbox-p
 mesh_shared_key_ssm_param_name  = "/repo/prod/user-input/external/mesh-mailbox-shared-secret"
 mesh_client_cert_ssm_param_name = "/repo/prod/user-input/external/mesh-mailbox-client-cert"
 mesh_client_key_ssm_param_name  = "/repo/prod/user-input/external/mesh-mailbox-client-key"
-mesh_ca_cert_ssm_param_name     = "/repo/prod/user-input/external/mesh-mailbox-ca-cert"
+mesh_ca_cert_ssm_param_name     = "/repo/prod/user-input/external/mesh-mailbox-ca-cert"

infrastructure/variable.tf

@@ -196,8 +196,9 @@ locals {
 
   bulk_upload_lambda_concurrent_limit = 5
 
-  api_gateway_subdomain_name   = "${var.certificate_subdomain_name_prefix}${terraform.workspace}"
-  api_gateway_full_domain_name = "${var.certificate_subdomain_name_prefix}${terraform.workspace}.${var.domain}"
+
+  api_gateway_subdomain_name   = contains(["prod"], terraform.workspace) ? "${var.certificate_subdomain_name_prefix}" : "${var.certificate_subdomain_name_prefix}${terraform.workspace}"
+  api_gateway_full_domain_name = contains(["prod"], terraform.workspace) ? "${var.certificate_subdomain_name_prefix}${var.domain}" : "${var.certificate_subdomain_name_prefix}${terraform.workspace}.${var.domain}"
 
   current_region     = data.aws_region.current.name
   current_account_id = data.aws_caller_identity.current.account_id