Merge branch 'main' into feature/dp-247-user-management-approve-user

cabinetoffice · Oct 17, 2024 · f0bf967 · f0bf967
2 parents 4f869cb + f0fd195
commit f0bf967
Show file tree

Hide file tree

Showing 46 changed files with 221 additions and 234 deletions.
diff --git a/terragrunt/components/service/api-gateway/terragrunt.hcl b/terragrunt/components/service/api-gateway/terragrunt.hcl
@@ -1,5 +1,5 @@
 terraform {
-  source = local.global_vars.locals.environment != "orchestrator" ? "../../../modules//api-gateway" : null
+  source = contains(["development", "staging", "integration"], local.global_vars.locals.environment) ? "../../../modules//api-gateway" : null
 }
 
 include {

diff --git a/terragrunt/components/service/auth/terragrunt.hcl b/terragrunt/components/service/auth/terragrunt.hcl
@@ -23,13 +23,13 @@ locals {
 dependency core_networking {
   config_path = "../../core/networking"
   mock_outputs = {
-    public_hosted_zone_fqdn = "mock"
+    public_domain = "mock"
   }
 }
 
 
 inputs = {
   tags = local.tags
 
-  public_hosted_zone_fqdn = dependency.core_networking.outputs.public_hosted_zone_fqdn
+  public_domain = dependency.core_networking.outputs.public_domain
 }
diff --git a/terragrunt/components/service/ecs/terragrunt.hcl b/terragrunt/components/service/ecs/terragrunt.hcl
@@ -41,7 +41,7 @@ dependency core_networking {
   mock_outputs = {
     private_subnet_ids          = "mock"
     private_subnets_cidr_blocks = "mock"
-    public_hosted_zone_fqdn     = "mock"
+    public_domain               = "mock"
     public_hosted_zone_id       = "mock"
     public_subnet_ids           = "mock"
     public_subnets_cidr_blocks  = "mock"
@@ -125,7 +125,7 @@ inputs = {
 
   private_subnet_ids          = dependency.core_networking.outputs.private_subnet_ids
   private_subnets_cidr_blocks = dependency.core_networking.outputs.private_subnets_cidr_blocks
-  public_hosted_zone_fqdn     = dependency.core_networking.outputs.public_hosted_zone_fqdn
+  public_domain               = dependency.core_networking.outputs.public_domain
   public_hosted_zone_id       = dependency.core_networking.outputs.public_hosted_zone_id
   public_subnet_ids           = dependency.core_networking.outputs.public_subnet_ids
   public_subnets_cidr_blocks  = dependency.core_networking.outputs.public_subnets_cidr_blocks

diff --git a/terragrunt/components/service/telemetry/terragrunt.hcl b/terragrunt/components/service/telemetry/terragrunt.hcl
@@ -33,10 +33,10 @@ dependency core_iam {
 dependency core_networking {
   config_path = "../../core/networking"
   mock_outputs = {
-    private_subnet_ids      = "mock"
-    public_hosted_zone_fqdn = "mock"
-    public_hosted_zone_id   = "mock"
-    vpc_id                  = "mock"
+    private_subnet_ids    = "mock"
+    public_domain         = "mock"
+    public_hosted_zone_id = "mock"
+    vpc_id                = "mock"
   }
 }
 
@@ -68,10 +68,10 @@ inputs = {
   role_ecs_task_exec_arn = dependency.core_iam.outputs.ecs_task_exec_arn
   role_telemetry_arn     = dependency.core_iam.outputs.telemetry_arn
 
-  private_subnet_ids      = dependency.core_networking.outputs.private_subnet_ids
-  public_hosted_zone_fqdn = dependency.core_networking.outputs.public_hosted_zone_fqdn
-  public_hosted_zone_id   = dependency.core_networking.outputs.public_hosted_zone_id
-  vpc_id                  = dependency.core_networking.outputs.vpc_id
+  private_subnet_ids    = dependency.core_networking.outputs.private_subnet_ids
+  public_domain         = dependency.core_networking.outputs.public_domain
+  public_hosted_zone_id = dependency.core_networking.outputs.public_hosted_zone_id
+  vpc_id                = dependency.core_networking.outputs.vpc_id
 
   ecs_alb_sg_id = dependency.core_security_groups.outputs.alb_sg_id
   ecs_sg_id     = dependency.core_security_groups.outputs.ecs_sg_id

diff --git a/terragrunt/components/service/tools/terragrunt.hcl b/terragrunt/components/service/tools/terragrunt.hcl
@@ -32,10 +32,10 @@ dependency core_iam {
 dependency core_networking {
   config_path = "../../core/networking"
   mock_outputs = {
-    private_subnet_ids      = "mock"
-    public_hosted_zone_fqdn = "mock"
-    public_hosted_zone_id   = "mock"
-    vpc_id                  = "mock"
+    private_subnet_ids    = "mock"
+    public_domain         = "mock"
+    public_hosted_zone_id = "mock"
+    vpc_id                = "mock"
   }
 }
 
@@ -99,10 +99,10 @@ inputs = {
   role_ecs_task_name     = dependency.core_iam.outputs.ecs_task_name
   role_ecs_task_exec_arn = dependency.core_iam.outputs.ecs_task_exec_arn
 
-  private_subnet_ids      = dependency.core_networking.outputs.private_subnet_ids
-  public_hosted_zone_fqdn = dependency.core_networking.outputs.public_hosted_zone_fqdn
-  public_hosted_zone_id   = dependency.core_networking.outputs.public_hosted_zone_id
-  vpc_id                  = dependency.core_networking.outputs.vpc_id
+  private_subnet_ids    = dependency.core_networking.outputs.private_subnet_ids
+  public_domain         = dependency.core_networking.outputs.public_domain
+  public_hosted_zone_id = dependency.core_networking.outputs.public_hosted_zone_id
+  vpc_id                = dependency.core_networking.outputs.vpc_id
 
   ecs_alb_sg_id = dependency.core_security_groups.outputs.alb_sg_id
   ecs_sg_id     = dependency.core_security_groups.outputs.ecs_sg_id

diff --git a/terragrunt/components/terragrunt.hcl b/terragrunt/components/terragrunt.hcl
@@ -12,7 +12,7 @@ locals {
 
   environment = get_env("TG_ENVIRONMENT", "development")
 
-  is_production = contains(["production", "integration"], local.environment)
+  is_production = contains(["production"], local.environment)
 
   environments = {
     orchestrator = {
@@ -94,7 +94,7 @@ locals {
       account_id                 = 471112843276
       canary_schedule_expression = "rate(15 minutes)"
       name                       = "production"
-      pinned_service_version     = null
+      pinned_service_version     = "0.6.0"
       postgres_instance_type     = "db.t4g.micro"
       private_subnets = [
         "10.${local.cidr_b_production}.101.0/24",

diff --git a/terragrunt/modules/auth/locals.tf b/terragrunt/modules/auth/locals.tf
@@ -2,7 +2,7 @@ locals {
   name_prefix             = var.product.resource_name
   auth_domain             = "${local.name_prefix}-${var.environment}"
   organisation_app_domain = "${local.name_prefix}-${var.environment}-organisatino-app"
-  organisation_app_url    = "https://${var.public_hosted_zone_fqdn}"
+  organisation_app_url    = "https://${var.public_domain}"
   healthcheck_domain      = "${local.name_prefix}-${var.environment}-healthcheck"
-  healthcheck_url         = "https://healthcheck.${var.public_hosted_zone_fqdn}"
+  healthcheck_url         = "https://healthcheck.${var.public_domain}"
 }
diff --git a/terragrunt/modules/auth/main.tf b/terragrunt/modules/auth/main.tf
@@ -6,11 +6,12 @@ resource "aws_cognito_user_pool" "auth" {
   }
 
   password_policy {
-    minimum_length    = 8
-    require_lowercase = true
-    require_numbers   = true
-    require_symbols   = true
-    require_uppercase = true
+    minimum_length                   = 8
+    require_lowercase                = true
+    require_numbers                  = true
+    require_symbols                  = true
+    require_uppercase                = true
+    temporary_password_validity_days = 1
   }
 
   username_configuration {

diff --git a/terragrunt/modules/auth/variables.tf b/terragrunt/modules/auth/variables.tf
@@ -13,12 +13,11 @@ variable "product" {
   })
 }
 
-variable "public_hosted_zone_fqdn" {
-  description = "Fully qualified domain name of the public hosted zone"
+variable "public_domain" {
+  description = "The fully qualified domain name (FQDN) that may differ from the main delegated domain specified by 'public_hosted_zone_fqdn'. This domain represents the public-facing endpoint."
   type        = string
 }
 
-
 variable "tags" {
   description = "Tags to apply to all resources in this module"
   type        = map(string)

diff --git a/terragrunt/modules/core-networking/locals.tf b/terragrunt/modules/core-networking/locals.tf
@@ -1,3 +1,4 @@
 locals {
-  tags = merge(var.tags, { Name = var.product.resource_name })
+  production_subdomain = "supplier-information"
+  tags                 = merge(var.tags, { Name = var.product.resource_name })
 }
diff --git a/terragrunt/modules/core-networking/outputs.tf b/terragrunt/modules/core-networking/outputs.tf
@@ -21,6 +21,10 @@ output "private_subnets_cidr_blocks" {
   value       = aws_subnet.private.*.cidr_block
 }
 
+output "public_domain" {
+  value = var.is_production ? "${local.production_subdomain}.${aws_route53_zone.public.name}" : aws_route53_zone.public.name
+}
+
 output "public_hosted_zone_fqdn" {
   value = aws_route53_zone.public.name
 }

diff --git a/terragrunt/modules/core-networking/variables.tf b/terragrunt/modules/core-networking/variables.tf
@@ -1,3 +1,8 @@
+variable "is_production" {
+  description = "Indicates whether the target account is configured with production-level settings"
+  type        = bool
+}
+
 variable "product" {
   description = "product's common attributes"
   type = object({

diff --git a/terragrunt/modules/ecs-service/locals.tf b/terragrunt/modules/ecs-service/locals.tf
@@ -1,4 +1,4 @@
 locals {
-  tg_host_header            = ["${var.name}.${var.product.public_hosted_zone}"]
-  tg_host_header_with_alias = ["${var.name}.${var.product.public_hosted_zone}", var.product.public_hosted_zone]
+  tg_host_header            = ["${var.name}.${var.public_domain}"]
+  tg_host_header_with_alias = ["${var.name}.${var.public_domain}", var.public_domain]
 }
diff --git a/terragrunt/modules/ecs-service/variables.tf b/terragrunt/modules/ecs-service/variables.tf
@@ -111,6 +111,11 @@ variable "product" {
   })
 }
 
+variable "public_domain" {
+  description = "The fully qualified domain name (FQDN) that may differ from the main delegated domain specified by 'public_hosted_zone_fqdn'. This domain represents the public-facing endpoint."
+  type        = string
+}
+
 variable "role_ecs_task_arn" {
   description = "Task IAM role ARN"
   type        = string

diff --git a/terragrunt/modules/ecs/acm.tf b/terragrunt/modules/ecs/acm.tf
@@ -1,9 +1,9 @@
 resource "aws_acm_certificate" "this" {
-  domain_name               = var.public_hosted_zone_fqdn
-  subject_alternative_names = ["*.${var.public_hosted_zone_fqdn}"] # @todo (ABN) Restrict to service sub-domains
+  domain_name               = var.public_domain
+  subject_alternative_names = ["*.${var.public_domain}"]
   validation_method         = "DNS"
 
-  tags = merge(var.tags, { Name = var.public_hosted_zone_fqdn })
+  tags = merge(var.tags, { Name = var.public_domain })
 
   lifecycle {
     create_before_destroy = true

diff --git a/terragrunt/modules/ecs/locals.tf b/terragrunt/modules/ecs/locals.tf
@@ -20,6 +20,8 @@ locals {
 
   orchestrator_service_version = data.aws_ssm_parameter.orchestrator_service_version.value
 
+  production_subdomain = "supplier-information"
+
   service_version = var.pinned_service_version == null ? data.aws_ssm_parameter.orchestrator_service_version.value : var.pinned_service_version
 
   migrations = ["organisation-information-migrations", "entity-verification-migrations"]

diff --git a/terragrunt/modules/ecs/route53.tf b/terragrunt/modules/ecs/route53.tf
@@ -1,17 +1,17 @@
-resource "aws_route53_record" "ecs_alb" {
+resource "aws_route53_record" "service_to_entrypoint_alias" {
   for_each = local.service_configs
 
   zone_id = var.public_hosted_zone_id
-  name    = each.value.name
+  name    = var.environment == "production" ? "${each.value.name}.${local.production_subdomain}" : each.value.name
   type    = "CNAME"
   ttl     = 60
 
-  records = [aws_lb.ecs.dns_name]
+  records = [aws_route53_record.entrypoint_alias.name]
 }
 
-resource "aws_route53_record" "ecs_alb_frontend_alias" {
+resource "aws_route53_record" "entrypoint_alias" {
 
-  name    = var.product.public_hosted_zone
+  name    = var.public_domain
   type    = "A"
   zone_id = var.public_hosted_zone_id
 

diff --git a/terragrunt/modules/ecs/service-authority.tf b/terragrunt/modules/ecs/service-authority.tf
@@ -4,27 +4,27 @@ module "ecs_service_authority" {
   container_definitions = templatefile(
     "${path.module}/templates/task-definitions/${var.service_configs.authority.name}.json.tftpl",
     {
-      aspcore_environment     = local.aspcore_environment
-      authority_private_key   = "${data.aws_secretsmanager_secret.authority_keys.arn}:PRIVATE::"
-      container_port          = var.service_configs.authority.port
-      cpu                     = var.service_configs.authority.cpu
-      host_port               = var.service_configs.authority.port
-      image                   = local.ecr_urls[var.service_configs.authority.name]
-      lg_name                 = aws_cloudwatch_log_group.tasks[var.service_configs.authority.name].name
-      lg_prefix               = "app"
-      lg_region               = data.aws_region.current.name
-      memory                  = var.service_configs.authority.memory
-      name                    = var.service_configs.authority.name
-      oi_db_address           = var.db_sirsi_address
-      oi_db_name              = var.db_sirsi_name
-      oi_db_password          = "${var.db_sirsi_credentials_arn}:username::"
-      oi_db_username          = "${var.db_sirsi_credentials_arn}:password::"
-      onelogin_authority      = local.one_loging.credential_locations.authority
-      onelogin_client_id      = local.one_loging.credential_locations.client_id
-      onelogin_private_key    = local.one_loging.credential_locations.private_key
-      public_hosted_zone_fqdn = var.public_hosted_zone_fqdn
-      service_version         = local.service_version
-      vpc_cidr                = var.vpc_cider
+      aspcore_environment   = local.aspcore_environment
+      authority_private_key = "${data.aws_secretsmanager_secret.authority_keys.arn}:PRIVATE::"
+      container_port        = var.service_configs.authority.port
+      cpu                   = var.service_configs.authority.cpu
+      host_port             = var.service_configs.authority.port
+      image                 = local.ecr_urls[var.service_configs.authority.name]
+      lg_name               = aws_cloudwatch_log_group.tasks[var.service_configs.authority.name].name
+      lg_prefix             = "app"
+      lg_region             = data.aws_region.current.name
+      memory                = var.service_configs.authority.memory
+      name                  = var.service_configs.authority.name
+      oi_db_address         = var.db_sirsi_address
+      oi_db_name            = var.db_sirsi_name
+      oi_db_password        = "${var.db_sirsi_credentials_arn}:username::"
+      oi_db_username        = "${var.db_sirsi_credentials_arn}:password::"
+      onelogin_authority    = local.one_loging.credential_locations.authority
+      onelogin_client_id    = local.one_loging.credential_locations.client_id
+      onelogin_private_key  = local.one_loging.credential_locations.private_key
+      public_domain         = var.public_domain
+      service_version       = local.service_version
+      vpc_cidr              = var.vpc_cider
     }
   )
 
@@ -41,6 +41,7 @@ module "ecs_service_authority" {
   name                   = var.service_configs.authority.name
   private_subnet_ids     = var.private_subnet_ids
   product                = var.product
+  public_domain          = var.public_domain
   role_ecs_task_arn      = var.role_ecs_task_arn
   role_ecs_task_exec_arn = var.role_ecs_task_exec_arn
   tags                   = var.tags

diff --git a/terragrunt/modules/ecs/service-data-sharing.tf b/terragrunt/modules/ecs/service-data-sharing.tf
@@ -4,25 +4,25 @@ module "ecs_service_data_sharing" {
   container_definitions = templatefile(
     "${path.module}/templates/task-definitions/${var.service_configs.data_sharing.name}.json.tftpl",
     {
-      aspcore_environment     = local.aspcore_environment
-      container_port          = var.service_configs.data_sharing.port
-      cpu                     = var.service_configs.data_sharing.cpu
-      host_port               = var.service_configs.data_sharing.port
-      image                   = local.ecr_urls[var.service_configs.data_sharing.name]
-      lg_name                 = aws_cloudwatch_log_group.tasks[var.service_configs.data_sharing.name].name
-      lg_prefix               = "app"
-      lg_region               = data.aws_region.current.name
-      memory                  = var.service_configs.data_sharing.memory
-      name                    = var.service_configs.data_sharing.name
-      oi_db_address           = var.db_sirsi_address
-      oi_db_name              = var.db_sirsi_name
-      oi_db_password          = "${var.db_sirsi_credentials_arn}:username::"
-      oi_db_username          = "${var.db_sirsi_credentials_arn}:password::"
-      public_hosted_zone_fqdn = var.public_hosted_zone_fqdn
-      s3_permanent_bucket     = module.s3_bucket_permanent.bucket
-      s3_staging_bucket       = module.s3_bucket_staging.bucket
-      service_version         = local.service_version
-      vpc_cidr                = var.vpc_cider
+      aspcore_environment = local.aspcore_environment
+      container_port      = var.service_configs.data_sharing.port
+      cpu                 = var.service_configs.data_sharing.cpu
+      host_port           = var.service_configs.data_sharing.port
+      image               = local.ecr_urls[var.service_configs.data_sharing.name]
+      lg_name             = aws_cloudwatch_log_group.tasks[var.service_configs.data_sharing.name].name
+      lg_prefix           = "app"
+      lg_region           = data.aws_region.current.name
+      memory              = var.service_configs.data_sharing.memory
+      name                = var.service_configs.data_sharing.name
+      oi_db_address       = var.db_sirsi_address
+      oi_db_name          = var.db_sirsi_name
+      oi_db_password      = "${var.db_sirsi_credentials_arn}:username::"
+      oi_db_username      = "${var.db_sirsi_credentials_arn}:password::"
+      public_domain       = var.public_domain
+      s3_permanent_bucket = module.s3_bucket_permanent.bucket
+      s3_staging_bucket   = module.s3_bucket_staging.bucket
+      service_version     = local.service_version
+      vpc_cidr            = var.vpc_cider
     }
   )
 
@@ -39,6 +39,7 @@ module "ecs_service_data_sharing" {
   name                   = var.service_configs.data_sharing.name
   private_subnet_ids     = var.private_subnet_ids
   product                = var.product
+  public_domain          = var.public_domain
   role_ecs_task_arn      = var.role_ecs_task_arn
   role_ecs_task_exec_arn = var.role_ecs_task_exec_arn
   tags                   = var.tags

diff --git a/terragrunt/modules/ecs/service-entity-verification.tf b/terragrunt/modules/ecs/service-entity-verification.tf
@@ -18,7 +18,7 @@ module "ecs_service_entity_verification" {
       ev_db_name                          = var.db_entity_verification_name
       ev_db_password                      = "${var.db_entity_verification_credentials_arn}:username::"
       ev_db_username                      = "${var.db_entity_verification_credentials_arn}:password::"
-      public_hosted_zone_fqdn             = var.public_hosted_zone_fqdn
+      public_domain                       = var.public_domain
       queue_entity_verification_queue_url = var.queue_entity_verification_queue_url
       queue_organisation_queue_url        = var.queue_organisation_queue_url
       service_version                     = local.service_version
@@ -39,6 +39,7 @@ module "ecs_service_entity_verification" {
   name                   = var.service_configs.entity_verification.name
   private_subnet_ids     = var.private_subnet_ids
   product                = var.product
+  public_domain          = var.public_domain
   role_ecs_task_arn      = var.role_ecs_task_arn
   role_ecs_task_exec_arn = var.role_ecs_task_exec_arn
   tags                   = var.tags