Add API Gateway

Use OpenAPI schema to define REST API, then add logging and IAM execution permissions. Add an account-level IAM role for logging to CloudWatch. Remove lambda function URLs. Test against REST API base URL. Fixes VEGA-2014 #minor
ministryofjustice · Oct 20, 2023 · 1711202 · 1711202
1 parent 1a80069
commit 1711202
Show file tree

Hide file tree

Showing 22 changed files with 495 additions and 13 deletions.
diff --git a/.github/workflows/account-deploy.yml b/.github/workflows/account-deploy.yml
@@ -0,0 +1,65 @@
+name: "[Job] Plan/Deploy to Account"
+
+on:
+  workflow_call:
+    inputs:
+      workspace_name:
+        description: "The terraform workspace to target for account actions"
+        required: true
+        type: string
+    secrets:
+      aws_access_key_id:
+        description: "AWS Access Key ID"
+        required: true
+      aws_secret_access_key:
+        description: "AWS Secret Access Key"
+        required: true
+
+jobs:
+  terraform_account_workflow:
+    runs-on: ubuntu-latest
+    environment:
+      name: ${{ inputs.workspace_name }} account
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: "0"
+      - uses: unfor19/install-aws-cli-action@v1
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.4.6
+          terraform_wrapper: false
+      - name: Configure AWS Credentials For Terraform
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.aws_access_key_id }}
+          aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
+          aws-region: eu-west-1
+          role-duration-seconds: 3600
+          role-session-name: OPGLpaStoreGithubAction
+
+      - name: Lint Terraform
+        run: terraform fmt -check -recursive
+        working-directory: ./terraform/account
+        continue-on-error: true
+
+      - name: Terraform Init
+        run: terraform init -input=false
+        working-directory: ./terraform/account
+
+      - name: Terraform Plan
+        env:
+          TF_WORKSPACE: ${{ inputs.workspace_name }}
+        run: |
+          terraform workspace show
+          echo "plan_summary=$(terraform plan -no-color -lock-timeout=300s -input=false -parallelism=30 | grep -ioE 'Plan: [[:digit:]]+ to add, [[:digit:]]+ to change, [[:digit:]]+ to destroy|No changes. Your infrastructure matches the configuration.')" >> $GITHUB_OUTPUT
+          terraform plan -lock-timeout=300s -input=false -parallelism=30
+        working-directory: ./terraform/account
+
+      - name: Terraform Apply
+        if: github.ref == 'refs/heads/main'
+        env:
+          TF_WORKSPACE: ${{ inputs.workspace_name }}
+        run: |
+          terraform apply -lock-timeout=300s -input=false -auto-approve -parallelism=30
+        working-directory: ./terraform/account
diff --git a/.github/workflows/env-deploy.yml b/.github/workflows/env-deploy.yml
@@ -22,8 +22,8 @@ on:
         description: "Github Token"
         required: true
     outputs:
-      create_url:
-        description: "URL of the create endpoint"
+      base_url:
+        description: "Base URL of API"
         value: ${{ jobs.terraform_environment_workflow.outputs.url }}
 
 jobs:
@@ -85,5 +85,5 @@ jobs:
           TF_WORKSPACE: ${{ inputs.workspace_name }}
           TF_VAR_app_version: ${{ inputs.version_tag }}
         run: |
-          echo "url=$(terraform output -raw lambda_url)" >> $GITHUB_OUTPUT
+          echo "url=$(terraform output -raw base_url)" >> $GITHUB_OUTPUT
         working-directory: ./terraform/environment
diff --git a/.github/workflows/env-destroy.yml b/.github/workflows/env-destroy.yml
@@ -54,6 +54,8 @@ jobs:
         working-directory: ./terraform/environment
 
       - name: Destroy deployment environment
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: |
           gh api \
             --method DELETE \

diff --git a/.github/workflows/env-test.yml b/.github/workflows/env-test.yml
@@ -3,8 +3,8 @@ name: "[Job] Test environment"
 on:
   workflow_call:
     inputs:
-      create_url:
-        description: "URL of the create endpoint"
+      base_url:
+        description: "Base URL of API"
         required: true
         type: string
     secrets:
@@ -48,5 +48,5 @@ jobs:
           role-session-name: GitHubActions
       - name: POST to server
         env:
-          URL: ${{ inputs.create_url }}
+          URL: ${{ inputs.base_url }}
         run: make test-api
diff --git a/.github/workflows/workflow-pr.yml b/.github/workflows/workflow-pr.yml
@@ -71,6 +71,15 @@ jobs:
       aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
       aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
+  plan-dev-account:
+    name: TF Plan Dev Account
+    uses: ./.github/workflows/account-deploy.yml
+    with:
+      workspace_name: development
+    secrets:
+      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
   deploy-pr-env:
     name: Deploy PR Environment
     needs: [build, generate-tags, generate-environment-workspace-name]
@@ -88,7 +97,7 @@ jobs:
     needs: [deploy-pr-env]
     uses: ./.github/workflows/env-test.yml
     with:
-      create_url: ${{ needs.deploy-pr-env.outputs.create_url }}
+      base_url: ${{ needs.deploy-pr-env.outputs.base_url }}
     secrets:
       aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
       aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/Makefile b/Makefile
@@ -12,11 +12,11 @@ up:
 down:
 	docker compose down
 
-test-api: URL ?= http://localhost:9000/create
+test-api: URL ?= http://localhost:9000/
 test-api:
 	go build -o ./signer/test-api ./signer && \
 	chmod +x ./signer/test-api && \
-	./signer/test-api POST $(URL) '{"uid":"M-AL9A-7EY3-075D","version":"1"}'
+	./signer/test-api PUT $(URL)/lpas/M-AL9A-7EY3-075D '{"uid":"M-AL9A-7EY3-075D","version":"1"}'
 
 create-tables:
 	docker compose run --rm aws dynamodb describe-table --table-name deeds || \

diff --git a/docs/openapi/openapi.yaml b/docs/openapi/openapi.yaml
@@ -14,4 +14,114 @@ servers:
     description: Development
 security:
   - {}
-paths: {}
+paths:
+  /lpas/{uid}:
+    parameters:
+      - name: uid
+        in: path
+        required: true
+        description: The UID of the complaint
+        schema:
+          type: string
+          pattern: "M-([A-Z0-9]{4})-([A-Z0-9]{4})-([A-Z0-9]{4})"
+          example: M-789Q-P4DF-4UX3
+    put:
+      operationId: putLpa
+      summary: Store an LPA
+      requestBody:
+        content:
+          application/json:
+            schema:
+              type: object
+              additionalProperties: false
+      responses:
+        "201":
+          description: Case created
+        "400":
+          description: Invalid request
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/BadRequestError"
+      x-amazon-apigateway-auth:
+        type: "AWS_IAM"
+      x-amazon-apigateway-integration:
+        uri: ${lambda_create_invoke_arn}
+        httpMethod: "POST"
+        type: "aws_proxy"
+        contentHandling: "CONVERT_TO_TEXT"
+  /health:
+    get:
+      operationId: healthCheck
+      summary: Health check endpoint for external services to consume
+      responses:
+        200:
+          description: Healthy
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  status:
+                    type: string
+                    example: OK
+                additionalProperties: false
+        503:
+          description: Service unavailable
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  status:
+                    type: string
+                    example: Unhealthy
+                additionalProperties: false
+      x-amazon-apigateway-auth:
+        type: "AWS_IAM"
+      x-amazon-apigateway-integration:
+        type: "mock"
+        responses:
+          default:
+            statusCode: 200
+            responseTemplates:
+              application/json: '{"status":"ok", "statusCode":200}'
+        requestTemplates:
+          application/json: '{"statusCode": 200}'
+        passthroughBehavior: "when_no_templates"
+
+components:
+  schemas:
+    AbstractError:
+      type: object
+      required:
+        - code
+        - detail
+      properties:
+        code:
+          type: string
+        detail:
+          type: string
+    BadRequestError:
+      allOf:
+        - $ref: "#/components/schemas/AbstractError"
+        - type: object
+          properties:
+            code:
+              enum: ["INVALID_REQUEST"]
+            errors:
+              type: array
+              items:
+                type: object
+                required:
+                  - source
+                  - detail
+                properties:
+                  source:
+                    type: string
+                    format: jsonpointer
+                  detail:
+                    type: string
+              example:
+                - source: "/uid"
+                  detail: "invalid uid format"
diff --git a/signer/main.go b/signer/main.go
@@ -28,7 +28,7 @@ func main() {
 
 	req.Header.Add("Content-type", "application/json")
 
-	signer.Sign(req, body, "lambda", "eu-west-1", time.Now())
+	signer.Sign(req, body, "execute-api", "eu-west-1", time.Now())
 
 	client := http.Client{}
 	resp, err := client.Do(req)

diff --git a/terraform/account/.envrc b/terraform/account/.envrc
@@ -0,0 +1,6 @@
+# Terraform
+export TF_WORKSPACE=development
+export TF_VAR_default_role=operator
+export TF_VAR_management_role=operator
+
+export TF_CLI_ARGS_init="-backend-config=role_arn=arn:aws:iam::311462405659:role/operator"
diff --git a/terraform/account/.terraform.lock.hcl b/terraform/account/.terraform.lock.hcl
diff --git a/terraform/account/apigateway.tf b/terraform/account/apigateway.tf
@@ -0,0 +1,20 @@
+resource "aws_iam_role" "api_gateway_cloudwatch" {
+  name               = "api-gateway-cloudwatch-global"
+  assume_role_policy = data.aws_iam_policy_document.api_gateway_assume_role.json
+}
+
+data "aws_iam_policy_document" "api_gateway_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["apigateway.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "api_gateway_log_to_cloudwatch" {
+  role       = aws_iam_role.api_gateway_cloudwatch.id
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+}
diff --git a/terraform/account/terraform.tf b/terraform/account/terraform.tf
@@ -0,0 +1,31 @@
+terraform {
+  backend "s3" {
+    bucket         = "opg.terraform.state"
+    key            = "opg-data-lpa-deed-account/terraform.tfstate"
+    encrypt        = true
+    region         = "eu-west-1"
+    role_arn       = "arn:aws:iam::311462405659:role/lpa-store-ci"
+    dynamodb_table = "remote_lock"
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.8.0"
+    }
+  }
+  required_version = ">= 1.4.0"
+}
+
+provider "aws" {
+  region = "eu-west-1"
+
+  assume_role {
+    role_arn     = "arn:aws:iam::${local.account.account_id}:role/${var.default_role}"
+    session_name = "terraform-session"
+  }
+
+  default_tags {
+    tags = local.default_tags
+  }
+}
diff --git a/terraform/account/terraform.tfvars.json b/terraform/account/terraform.tfvars.json
@@ -0,0 +1,9 @@
+{
+  "accounts": {
+    "development": {
+      "account_id": "493907465011",
+      "account_name": "development",
+      "is_production": false
+    }
+  }
+}