diff --git a/infrastructure/api.tf b/infrastructure/api.tf index 0b4f5e17..f4b9db33 100644 --- a/infrastructure/api.tf +++ b/infrastructure/api.tf @@ -94,7 +94,7 @@ resource "aws_api_gateway_gateway_response" "unauthorised_response" { } response_parameters = { - "gatewayresponse.header.Access-Control-Allow-Origin" = "'https://${terraform.workspace}.${var.domain}'" + "gatewayresponse.header.Access-Control-Allow-Origin" = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'" "gatewayresponse.header.Access-Control-Allow-Methods" = "'*'" "gatewayresponse.header.Access-Control-Allow-Headers" = "'Content-Type,X-Amz-Date,Authorization,X-Auth,X-Api-Key,X-Amz-Security-Token,X-Auth-Cookie,Accept'" "gatewayresponse.header.Access-Control-Allow-Credentials" = "'true'" @@ -110,7 +110,7 @@ resource "aws_api_gateway_gateway_response" "bad_gateway_response" { } response_parameters = { - "gatewayresponse.header.Access-Control-Allow-Origin" = "'https://${terraform.workspace}.${var.domain}'" + "gatewayresponse.header.Access-Control-Allow-Origin" = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'" "gatewayresponse.header.Access-Control-Allow-Methods" = "'*'" "gatewayresponse.header.Access-Control-Allow-Headers" = "'Content-Type,X-Amz-Date,Authorization,X-Auth,X-Api-Key,X-Amz-Security-Token,X-Auth-Cookie,Accept'" "gatewayresponse.header.Access-Control-Allow-Credentials" = "'true'" @@ -126,4 +126,4 @@ module "api_endpoint_url_ssm_parameter" { type = "SecureString" owner = var.owner environment = var.environment -} \ No newline at end of file +} diff --git a/infrastructure/buckets.tf b/infrastructure/buckets.tf index a63df7ca..ca003a75 100644 --- a/infrastructure/buckets.tf +++ b/infrastructure/buckets.tf 
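Review bot: The apex-vs-subdomain origin rule on the `+` line is written out inline here and then repeated verbatim in the bad_gateway_response hunk below, in every `allowed_origins` entry in buckets.tf, in every `origin =` argument of the gateway modules, and in the three `OIDC_CALLBACK_URL` environment values; the CORS allow-origin header, the S3 allowed origin and the OIDC redirect URI have to agree byte for byte for the browser flow to work, so one definition that all of them read is worth having. variable.tf already carries a `locals` block with `is_sandbox`; add `is_prod = terraform.workspace == "prod"` and `ui_origin = local.is_prod ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"` there, then write this line as `"gatewayresponse.header.Access-Control-Allow-Origin" = "'${local.ui_origin}'"` and the other sites as `local.ui_origin` or `"${local.ui_origin}/auth-callback"`. `contains(["prod"], terraform.workspace)` for a single value also reads as a set-membership test; the equality form says what is meant. The enclosing `resource "aws_api_gateway_gateway_response"` block starts outside the hunk.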
@@ -11,13 +11,13 @@ module "ndr-document-store" {
 {
 allowed_headers = ["*"]
 allowed_methods = ["POST", "DELETE"]
- allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+ allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
 expose_headers = ["ETag"]
 max_age_seconds = 3000
 },
 {
 allowed_methods = ["GET"]
- allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+ allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
 }
 ]
 }
@@ -33,7 +33,7 @@ module "ndr-zip-request-store" {
 cors_rules = [
 {
 allowed_methods = ["GET"]
- allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+ allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
 }
 ]
 }
@@ -51,13 +51,13 @@ module "ndr-lloyd-george-store" {
 {
 allowed_headers = ["*"]
 allowed_methods = ["POST", "PUT", "DELETE"]
- allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+ allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
 expose_headers = ["ETag"]
 max_age_seconds = 3000
 },
 {
 allowed_methods = ["GET"]
- allowed_origins = ["https://${terraform.workspace}.${var.domain}"]
+ allowed_origins = [contains(["prod"], terraform.workspace) ? "https://${var.domain}" : "https://${terraform.workspace}.${var.domain}"]
 }
 ]
 }
diff --git a/infrastructure/lambda-back-channel-logout.tf b/infrastructure/lambda-back-channel-logout.tf
index 3f73ecae..0714b921 100644
--- a/infrastructure/lambda-back-channel-logout.tf
+++ b/infrastructure/lambda-back-channel-logout.tf
@@ -7,7 +7,7 @@ module "back-channel-logout-gateway" { authorization = "NONE" gateway_path = "BackChannelLogout" require_credentials = false - origin = "'https://${terraform.workspace}.${var.domain}'" + origin = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'" # Lambda Variables api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn owner = var.owner @@ -41,7 +41,7 @@ module "back_channel_logout_lambda" { ENVIRONMENT = var.environment AUTH_DYNAMODB_NAME = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}" SSM_PARAM_JWT_TOKEN_PUBLIC_KEY = "jwt_token_public_key" - OIDC_CALLBACK_URL = "https://${terraform.workspace}.${var.domain}/auth-callback" + OIDC_CALLBACK_URL = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback" } depends_on = [ aws_api_gateway_rest_api.ndr_doc_store_api, diff --git a/infrastructure/lambda-create-doc-ref.tf b/infrastructure/lambda-create-doc-ref.tf index c99cba9f..bab58cb7 100644 --- a/infrastructure/lambda-create-doc-ref.tf +++ b/infrastructure/lambda-create-doc-ref.tf @@ -8,7 +8,7 @@ module "create-doc-ref-gateway" { gateway_path = "DocumentReference" authorizer_id = aws_api_gateway_authorizer.repo_authoriser.id require_credentials = true - origin = "'https://${terraform.workspace}.${var.domain}'" + origin = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'" # Lambda Variables api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn diff --git a/infrastructure/lambda-delete-doc-ref.tf b/infrastructure/lambda-delete-doc-ref.tf index 88b63b53..b10b30a3 100644 --- a/infrastructure/lambda-delete-doc-ref.tf +++ b/infrastructure/lambda-delete-doc-ref.tf 
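Review bot: In the prod workspace `OIDC_CALLBACK_URL` on the `+` line now resolves to `https://${var.domain}/auth-callback`, which is a new redirect URI from the identity provider's point of view; if the prod workspace is applied before that URI is registered on the OIDC client, the provider will reject the callback and login stops working, and the old `prod.`-prefixed URI should be retired from the client once traffic has moved so it does not linger as an accepted redirect target. The order of those steps belongs in the PR description. The same change appears in the `OIDC_CALLBACK_URL` lines of lambda-login-redirect.tf and lambda-token.tf. The enclosing `module "back_channel_logout_lambda"` block starts and ends outside the hunk.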
@@ -8,7 +8,7 @@ module "delete-doc-ref-gateway" { gateway_path = "DocumentDelete" authorizer_id = aws_api_gateway_authorizer.repo_authoriser.id require_credentials = true - origin = "'https://${terraform.workspace}.${var.domain}'" + origin = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'" # Lambda Variables api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn @@ -92,4 +92,4 @@ module "delete-doc-ref-lambda" { module.delete-doc-ref-gateway, module.ndr-app-config ] -} \ No newline at end of file +} diff --git a/infrastructure/lambda-document-manifest-by-nhs-number.tf b/infrastructure/lambda-document-manifest-by-nhs-number.tf index b8138931..d7727fa4 100644 --- a/infrastructure/lambda-document-manifest-by-nhs-number.tf +++ b/infrastructure/lambda-document-manifest-by-nhs-number.tf @@ -8,7 +8,7 @@ module "document-manifest-by-nhs-gateway" { gateway_path = "DocumentManifest" authorizer_id = aws_api_gateway_authorizer.repo_authoriser.id require_credentials = true - origin = "'https://${terraform.workspace}.${var.domain}'" + origin = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'" # Lambda Variables api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn @@ -108,4 +108,4 @@ resource "aws_iam_role_policy_attachment" "policy_manifest_lambda" { count = local.is_sandbox ? 0 : 1 role = module.document-manifest-by-nhs-number-lambda.lambda_execution_role_name policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null) -} \ No newline at end of file +} diff --git a/infrastructure/lambda-lloyd-george-record-stitch.tf b/infrastructure/lambda-lloyd-george-record-stitch.tf index 0b8f44f0..20455e31 100644 --- a/infrastructure/lambda-lloyd-george-record-stitch.tf +++ b/infrastructure/lambda-lloyd-george-record-stitch.tf 
@@ -8,7 +8,7 @@ module "lloyd-george-stitch-gateway" { gateway_path = "LloydGeorgeStitch" authorizer_id = aws_api_gateway_authorizer.repo_authoriser.id require_credentials = true - origin = "'https://${terraform.workspace}.${var.domain}'" + origin = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'" # Lambda Variables api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn @@ -105,4 +105,4 @@ resource "aws_iam_role_policy_attachment" "lambda_stitch-lambda" { count = local.is_sandbox ? 0 : 1 role = module.lloyd-george-stitch-lambda.lambda_execution_role_name policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null) -} \ No newline at end of file +} diff --git a/infrastructure/lambda-login-redirect.tf b/infrastructure/lambda-login-redirect.tf index f4a977ab..5bdf089c 100644 --- a/infrastructure/lambda-login-redirect.tf +++ b/infrastructure/lambda-login-redirect.tf @@ -31,7 +31,7 @@ module "login_redirect_lambda" { APPCONFIG_ENVIRONMENT = module.ndr-app-config.app_config_environment_id APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id WORKSPACE = terraform.workspace - OIDC_CALLBACK_URL = "https://${terraform.workspace}.${var.domain}/auth-callback" + OIDC_CALLBACK_URL = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback" AUTH_DYNAMODB_NAME = "${terraform.workspace}_${var.auth_state_dynamodb_table_name}" } depends_on = [ @@ -104,4 +104,4 @@ resource "aws_iam_policy" "ssm_policy_oidc" { } ] }) -} \ No newline at end of file +} diff --git a/infrastructure/lambda-logout.tf b/infrastructure/lambda-logout.tf index ecb1284a..4aa54ef5 100644 --- a/infrastructure/lambda-logout.tf +++ b/infrastructure/lambda-logout.tf 
@@ -7,7 +7,7 @@ module "logout-gateway" { authorization = "NONE" gateway_path = "Logout" require_credentials = false - origin = "'https://${terraform.workspace}.${var.domain}'" + origin = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'" # Lambda Variables api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn owner = var.owner diff --git a/infrastructure/lambda-search-doc-references.tf b/infrastructure/lambda-search-doc-references.tf index fcf41ddc..8bd89c82 100644 --- a/infrastructure/lambda-search-doc-references.tf +++ b/infrastructure/lambda-search-doc-references.tf @@ -8,7 +8,7 @@ module "search-document-references-gateway" { gateway_path = "SearchDocumentReferences" authorizer_id = aws_api_gateway_authorizer.repo_authoriser.id require_credentials = true - origin = "'https://${terraform.workspace}.${var.domain}'" + origin = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'" # Lambda Variables api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn diff --git a/infrastructure/lambda-search-patient.tf b/infrastructure/lambda-search-patient.tf index 5ba5441a..2851cdea 100644 --- a/infrastructure/lambda-search-patient.tf +++ b/infrastructure/lambda-search-patient.tf @@ -8,7 +8,7 @@ module "search-patient-details-gateway" { gateway_path = "SearchPatient" authorizer_id = aws_api_gateway_authorizer.repo_authoriser.id require_credentials = true - origin = "'https://${terraform.workspace}.${var.domain}'" + origin = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'" # Lambda Variables api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn 
@@ -117,4 +117,4 @@ resource "aws_iam_role_policy_attachment" "policy_audit_search-patient-details-l
 count = local.is_sandbox ? 0 : 1
 role = module.search-patient-details-lambda.lambda_execution_role_name
 policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
\ No newline at end of file
+}
diff --git a/infrastructure/lambda-token.tf b/infrastructure/lambda-token.tf
index 01cfd82c..800645d5 100644
--- a/infrastructure/lambda-token.tf
+++ b/infrastructure/lambda-token.tf
@@ -7,7 +7,7 @@ module "token-gateway" {
 authorization = "NONE"
 gateway_path = "TokenRequest"
 require_credentials = false
- origin = "'https://${terraform.workspace}.${var.domain}'"
+ origin = contains(["prod"], terraform.workspace) ? "'https://${var.domain}'" : "'https://${terraform.workspace}.${var.domain}'"
 # Lambda Variables
 api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
 owner = var.owner
@@ -41,11 +41,12 @@ module "create-token-lambda" {
 APPCONFIG_CONFIGURATION = module.ndr-app-config.app_config_configuration_profile_id
 WORKSPACE = terraform.workspace
 SSM_PARAM_JWT_TOKEN_PRIVATE_KEY = "jwt_token_private_key"
- OIDC_CALLBACK_URL = "https://${terraform.workspace}.${var.domain}/auth-callback"
- AUTH_STATE_TABLE_NAME = "${terraform.workspace}_${var.auth_state_dynamodb_table_name}"
- AUTH_SESSION_TABLE_NAME = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
- ENVIRONMENT = var.environment
- SPLUNK_SQS_QUEUE_URL = try(module.sqs-splunk-queue[0].sqs_url, null)
+
+ OIDC_CALLBACK_URL = contains(["prod"], terraform.workspace) ? "https://${var.domain}/auth-callback" : "https://${terraform.workspace}.${var.domain}/auth-callback"
+ AUTH_STATE_TABLE_NAME = "${terraform.workspace}_${var.auth_state_dynamodb_table_name}"
+ AUTH_SESSION_TABLE_NAME = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
+ ENVIRONMENT = var.environment
+ SPLUNK_SQS_QUEUE_URL = try(module.sqs-splunk-queue[0].sqs_url, null)
 }
 depends_on = [
 aws_api_gateway_rest_api.ndr_doc_store_api,
@@ -126,4 +127,4 @@ resource "aws_iam_role_policy_attachment" "policy_audit_token_lambda" {
 count = local.is_sandbox ? 0 : 1
 role = module.create-token-lambda.lambda_execution_role_name
 policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
\ No newline at end of file
+}
diff --git a/infrastructure/main.tf b/infrastructure/main.tf
index 6d622f65..e352e3d5 100644
--- a/infrastructure/main.tf
+++ b/infrastructure/main.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.0"
+ version = ">=5.11"
 }
 }
 backend "s3" {
diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars
index 6af05d4d..87207c8c 100644
--- a/infrastructure/prod.tfvars
+++ b/infrastructure/prod.tfvars
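Review bot: The added empty `+` line between `SSM_PARAM_JWT_TOKEN_PRIVATE_KEY` and `OIDC_CALLBACK_URL` splits the environment map for no stated reason, and the four `AUTH_STATE_TABLE_NAME` … `SPLUNK_SQS_QUEUE_URL` lines are re-emitted only because the longer `OIDC_CALLBACK_URL` expression moved the alignment column; dropping the blank line and running `terraform fmt` on the block would leave `OIDC_CALLBACK_URL` as the one substantive change here. The enclosing `module "create-token-lambda"` block starts and ends outside the hunk.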
@@ -1,7 +1,7 @@ environment = "prod" owner = "nhse/ndr-team" -domain = "access-request-fulfilment.patient-deductions.nhs.uk" -certificate_domain = "prod.access-request-fulfilment.patient-deductions.nhs.uk" +domain = "national-document-repository.nhs.uk" +certificate_domain = "national-document-repository.nhs.uk" certificate_subdomain_name_prefix = "api." cloudwatch_alarm_evaluation_periods = 30 @@ -14,4 +14,4 @@ mesh_password_ssm_param_name = "/repo/prod/user-input/external/mesh-mailbox-p mesh_shared_key_ssm_param_name = "/repo/prod/user-input/external/mesh-mailbox-shared-secret" mesh_client_cert_ssm_param_name = "/repo/prod/user-input/external/mesh-mailbox-client-cert" mesh_client_key_ssm_param_name = "/repo/prod/user-input/external/mesh-mailbox-client-key" -mesh_ca_cert_ssm_param_name = "/repo/prod/user-input/external/mesh-mailbox-ca-cert" \ No newline at end of file +mesh_ca_cert_ssm_param_name = "/repo/prod/user-input/external/mesh-mailbox-ca-cert" diff --git a/infrastructure/variable.tf b/infrastructure/variable.tf index 2ba45338..689ea3d5 100644 --- a/infrastructure/variable.tf +++ b/infrastructure/variable.tf @@ -196,8 +196,9 @@ locals { bulk_upload_lambda_concurrent_limit = 5 - api_gateway_subdomain_name = "${var.certificate_subdomain_name_prefix}${terraform.workspace}" - api_gateway_full_domain_name = "${var.certificate_subdomain_name_prefix}${terraform.workspace}.${var.domain}" + + api_gateway_subdomain_name = contains(["prod"], terraform.workspace) ? "${var.certificate_subdomain_name_prefix}" : "${var.certificate_subdomain_name_prefix}${terraform.workspace}" + api_gateway_full_domain_name = contains(["prod"], terraform.workspace) ? "${var.certificate_subdomain_name_prefix}${var.domain}" : "${var.certificate_subdomain_name_prefix}${terraform.workspace}.${var.domain}" current_region = data.aws_region.current.name current_account_id = data.aws_caller_identity.current.account_id
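Review bot: With `certificate_domain` now equal to `domain` and `certificate_subdomain_name_prefix = "api."` kept on the unchanged line below, the prod value of `api_gateway_full_domain_name` from the variable.tf hunk becomes `api.national-document-repository.nhs.uk`, and the prod `api_gateway_subdomain_name` is the bare prefix `api.` with its trailing dot. Previously that prefix sat under the `prod.` label named in the old `certificate_domain`; confirm that the certificate issued for the new `certificate_domain` covers the `api.` name, otherwise the API custom domain will fail to attach, and confirm that whatever consumes `api_gateway_subdomain_name` tolerates the trailing dot, since a record built from it may come out as `api..`. If the certificate only covers the apex, add `api.` as a subject alternative name or trim the prefix in the prod branch.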