govuk-one-login · whi-tw · Dec 9, 2024 · Dec 9, 2024 · Dec 9, 2024 · Dec 9, 2024
@@ -9,39 +9,45 @@ on:
       - synchronize
 
 jobs:
-  terraform-checks:
-    name: Terraform Validate
+  terraform-fmt:
+    name: Terraform fmt
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Get Terraform version
-        id: get-terraform-version
-        run: echo "version=$(cat ci/terraform/.terraform-version)" >> "${GITHUB_OUTPUT}"
-
-      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
-        with:
-          terraform_version: ${{ steps.get-terraform-version.outputs.version }}
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
 
       - name: Terraform Format Check
         working-directory: ci/terraform/
         run: terraform fmt -check -recursive
 
-      - name: Terraform Validate (account-management)
-        working-directory: ci/terraform/account-management
-        run: |
-          terraform init -input=false -backend=false
-          terraform validate
+  terraform-validate:
+    name: Terraform Validate (${{ matrix.module }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        module:
+          - account-management
+          - auth-external-api
+          - delivery-receipts
+          - interventions-api-stub
+          - oidc
+          - shared
+          - test-services
+          - ticf-cri-stub
+          - utils
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - name: Terraform Validate (oidc)
-        working-directory: ci/terraform/oidc
-        run: |
-          terraform init -input=false -backend=false
-          terraform validate
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
 
-      - name: Terraform Validate (utils)
-        working-directory: ci/terraform/utils
+      - name: Terraform Validate
+        working-directory: ci/terraform/${{ matrix.module }}
         run: |
           terraform init -input=false -backend=false
           terraform validate
@@ -50,8 +50,9 @@ repos:
         types_or:
           - hcl
           - terraform
+          - yaml
         types: []
-        files: ^ci/terraform/modules/
+        files: ^ci/terraform/modules/|ci/terraform/.terraform-docs.yml$
         args:
           - ci/terraform
 

@@ -31,7 +31,7 @@ settings:
   default: true
   description: false
   escape: true
-  hide-empty: false
+  hide-empty: true
   html: true
   indent: 2
   lockfile: true

@@ -16,12 +16,6 @@ data "aws_iam_policy_document" "api_gateway_can_assume_policy" {
   }
 }
 
-resource "aws_iam_role" "api_gateway_logging_iam_role" {
-  name = "${var.environment}-account-management-api-gateway-logging-lambda-role"
-
-  assume_role_policy = data.aws_iam_policy_document.api_gateway_can_assume_policy.json
-}
-
 data "aws_iam_policy_document" "api_gateway_logging_policy" {
   version = "2012-10-17"
 
@@ -101,7 +95,7 @@ resource "aws_iam_policy" "api_gateway_logging_policy" {
 }
 
 resource "aws_iam_role_policy_attachment" "api_gateway_logging_logs" {
-  role       = aws_iam_role.api_gateway_logging_iam_role.name
+  role       = local.api_gateway_logging_role_name
   policy_arn = aws_iam_policy.api_gateway_logging_policy.arn
 }
 
@@ -220,10 +214,6 @@ resource "aws_api_gateway_stage" "stage" {
   ]
 }
 
-resource "aws_api_gateway_account" "api_gateway_logging_role" {
-  cloudwatch_role_arn = aws_iam_role.api_gateway_logging_iam_role.arn
-}
-
 resource "aws_api_gateway_method_settings" "api_gateway_logging_settings" {
 
   count = var.enable_api_gateway_execution_logging ? 1 : 0

@@ -95,6 +95,10 @@ resource "aws_appautoscaling_target" "lambda_target" {
   resource_id        = "function:${aws_lambda_function.authorizer.function_name}:${aws_lambda_alias.authorizer_alias.name}"
   scalable_dimension = "lambda:function:ProvisionedConcurrency"
   service_namespace  = "lambda"
+
+  tags = {
+    Service = "authorizer"
+  }
 }
 
 resource "aws_appautoscaling_policy" "provisioned-concurrency-policy" {
@@ -137,6 +141,10 @@ resource "aws_cloudwatch_metric_alarm" "lambda_authorizer_error_cloudwatch_alarm
   threshold           = local.alert_error_threshold
   alarm_description   = "${local.alert_error_threshold} or more errors have occurred in the ${var.environment} ${aws_lambda_function.authorizer.function_name} lambda. ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}"
   alarm_actions       = [data.aws_sns_topic.slack_events.arn]
+
+  tags = {
+    Service = "authorizer"
+  }
 }
 
 resource "aws_cloudwatch_metric_alarm" "lambda_authorizer_error_rate_cloudwatch_alarm" {
@@ -182,4 +190,8 @@ resource "aws_cloudwatch_metric_alarm" "lambda_authorizer_error_rate_cloudwatch_
     }
   }
   alarm_actions = [data.aws_sns_topic.slack_events.arn]
+
+  tags = {
+    Service = "authorizer"
+  }
 }
@@ -19,4 +19,5 @@ locals {
   client_registry_encryption_key_arn          = data.terraform_remote_state.shared.outputs.client_registry_encryption_key_arn
   user_profile_kms_key_arn                    = data.terraform_remote_state.shared.outputs.user_profile_kms_key_arn
   email_check_results_encryption_policy_arn   = data.terraform_remote_state.shared.outputs.email_check_results_encryption_policy_arn
+  api_gateway_logging_role_name               = data.terraform_remote_state.shared.outputs.api_gateway_logging_role_name
 }
@@ -21,8 +21,7 @@ data "aws_vpc_endpoint" "auth_api_vpc_endpoint" {
 }
 
 resource "aws_api_gateway_rest_api" "di_auth_ext_api" {
-  name   = "${var.environment}-di-auth-ext-api"
-  policy = data.aws_iam_policy_document.di_auth_ext_api_policy_document.json
+  name = "${var.environment}-di-auth-ext-api"
 
   endpoint_configuration {
     types            = ["PRIVATE"]
@@ -34,6 +33,11 @@ resource "aws_api_gateway_rest_api" "di_auth_ext_api" {
   }
 }
 
+resource "aws_api_gateway_rest_api_policy" "di_auth_ext_api_policy" {
+  rest_api_id = aws_api_gateway_rest_api.di_auth_ext_api.id
+  policy      = data.aws_iam_policy_document.di_auth_ext_api_policy_document.json
+}
+
 data "aws_iam_policy_document" "di_auth_ext_api_policy_document" {
   statement {
     effect = "Allow"
@@ -44,7 +48,7 @@ data "aws_iam_policy_document" "di_auth_ext_api_policy_document" {
     }
 
     actions   = ["execute-api:Invoke"]
-    resources = ["execute-api:/*"]
+    resources = ["${aws_api_gateway_rest_api.di_auth_ext_api.execution_arn}/*"]
   }
 
   statement {
@@ -56,7 +60,7 @@ data "aws_iam_policy_document" "di_auth_ext_api_policy_document" {
     }
 
     actions   = ["execute-api:Invoke"]
-    resources = ["execute-api:/*"]
+    resources = ["${aws_api_gateway_rest_api.di_auth_ext_api.execution_arn}/*"]
 
     condition {
       test     = "StringNotEquals"

@@ -23,10 +23,6 @@ This module is intended to be used alongside multiple [endpoint-lambdas](../endp
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | 5.75.1 |
 
-## Modules
-
-No modules.
-
 ## Resources
 
 | Name | Type |

@@ -15,10 +15,6 @@
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | 5.75.1 |
 
-## Modules
-
-No modules.
-
 ## Resources
 
 | Name | Type |
@@ -30,8 +26,4 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_api_gateway_name"></a> [api\_gateway\_name](#input\_api\_gateway\_name) | The endpoint that will be monitored by the dashboard | `string` | n/a | yes |
-
-## Outputs
-
-No outputs.
 <!-- END_TF_DOCS -->
@@ -15,10 +15,6 @@
 |------|---------|
 | <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
 
-## Modules
-
-No modules.
-
 ## Resources
 
 | Name | Type |

@@ -25,10 +25,6 @@ Eventually, this module will be consumed by [endpoint-module](../endpoint-module
 | <a name="provider_aws"></a> [aws](#provider\_aws) | 5.75.1 |
 | <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
 
-## Modules
-
-No modules.
-
 ## Resources
 
 | Name | Type |
@@ -54,7 +50,7 @@ No modules.
 | <a name="input_cloudwatch_key_arn"></a> [cloudwatch\_key\_arn](#input\_cloudwatch\_key\_arn) | The ARN of the KMS key to use log encryption | `string` | n/a | yes |
 | <a name="input_cloudwatch_log_retention"></a> [cloudwatch\_log\_retention](#input\_cloudwatch\_log\_retention) | The number of day to retain Cloudwatch logs for | `number` | n/a | yes |
 | <a name="input_dynatrace_secret"></a> [dynatrace\_secret](#input\_dynatrace\_secret) | JSON decoded dynatrace secret | <pre>object({<br/>    JAVA_LAYER = string<br/><br/>    DT_CONNECTION_AUTH_TOKEN     = string<br/>    DT_CONNECTION_BASE_URL       = string<br/>    DT_CLUSTER_ID                = string<br/>    DT_TENANT                    = string<br/>    DT_LOG_COLLECTION_AUTH_TOKEN = string<br/>  })</pre> | n/a | yes |
-| <a name="input_endpoint_name"></a> [endpoint\_name](#input\_endpoint\_name) | n/a | `string` | n/a | yes |
+| <a name="input_endpoint_name"></a> [endpoint\_name](#input\_endpoint\_name) | The name of the endpoint, used for naming resources | `string` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | n/a | `string` | n/a | yes |
 | <a name="input_handler_environment_variables"></a> [handler\_environment\_variables](#input\_handler\_environment\_variables) | n/a | `map(string)` | n/a | yes |
 | <a name="input_handler_function_name"></a> [handler\_function\_name](#input\_handler\_function\_name) | n/a | `string` | n/a | yes |
@@ -69,6 +65,7 @@ No modules.
 | <a name="input_subnet_id"></a> [subnet\_id](#input\_subnet\_id) | The id of the subnets for the lambda | `list(string)` | n/a | yes |
 | <a name="input_architectures"></a> [architectures](#input\_architectures) | n/a | `list(string)` | <pre>[<br/>  "x86_64"<br/>]</pre> | no |
 | <a name="input_code_signing_config_arn"></a> [code\_signing\_config\_arn](#input\_code\_signing\_config\_arn) | n/a | `any` | `null` | no |
+| <a name="input_endpoint_name_sanitized"></a> [endpoint\_name\_sanitized](#input\_endpoint\_name\_sanitized) | The name of the endpoint, required if endpoint\_name contains a period | `string` | `""` | no |
 | <a name="input_extra_tags"></a> [extra\_tags](#input\_extra\_tags) | Extra tags to apply to resources | `map(string)` | `{}` | no |
 | <a name="input_handler_runtime"></a> [handler\_runtime](#input\_handler\_runtime) | n/a | `string` | `"java17"` | no |
 | <a name="input_lambda_error_rate_alarm_disabled"></a> [lambda\_error\_rate\_alarm\_disabled](#input\_lambda\_error\_rate\_alarm\_disabled) | n/a | `bool` | `false` | no |

@@ -6,19 +6,19 @@ locals {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "lambda_error_metric_filter" {
-  name           = replace("${var.environment}-${var.endpoint_name}-errors", ".", "")
+  name           = "${var.environment}-${local.endpoint_name_sanitized}-errors"
   pattern        = "{($.level = \"ERROR\")}"
   log_group_name = aws_cloudwatch_log_group.lambda_log_group.name
 
   metric_transformation {
-    name      = replace("${var.environment}-${var.endpoint_name}-error-count", ".", "")
+    name      = "${var.environment}-${local.endpoint_name_sanitized}-error-count"
     namespace = "LambdaErrorsNamespace"
     value     = "1"
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "lambda_error_cloudwatch_alarm" {
-  alarm_name          = replace("${var.environment}-${var.endpoint_name}-alarm", ".", "")
+  alarm_name          = "${var.environment}-${local.endpoint_name_sanitized}-alarm"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = "1"
   metric_name         = aws_cloudwatch_log_metric_filter.lambda_error_metric_filter.metric_transformation[0].name
@@ -34,7 +34,7 @@ resource "aws_cloudwatch_metric_alarm" "lambda_error_cloudwatch_alarm" {
 
 resource "aws_cloudwatch_metric_alarm" "lambda_error_rate_cloudwatch_alarm" {
   count               = var.lambda_error_rate_alarm_disabled ? 0 : 1
-  alarm_name          = replace("${var.environment}-${var.endpoint_name}-error-rate-alarm", ".", "")
+  alarm_name          = "${var.environment}-${local.endpoint_name_sanitized}-error-rate-alarm"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = "1"
   threshold           = var.lambda_log_alarm_error_rate_threshold

@@ -1,5 +1,5 @@
 resource "aws_lambda_function" "endpoint_lambda" {
-  function_name = replace("${var.environment}-${var.endpoint_name}-lambda", ".", "")
+  function_name = "${var.environment}-${local.endpoint_name_sanitized}-lambda"
   role          = var.lambda_role_arn
   handler       = var.handler_function_name
   timeout       = 30
@@ -69,7 +69,7 @@ resource "aws_cloudwatch_log_subscription_filter" "log_subscription" {
 }
 
 resource "aws_lambda_alias" "endpoint_lambda" {
-  name             = replace("${var.environment}-${var.endpoint_name}-lambda-active", ".", "")
+  name             = "${var.environment}-${local.endpoint_name_sanitized}-lambda-active"
   description      = "Alias pointing at active version of Lambda"
   function_name    = aws_lambda_function.endpoint_lambda.arn
   function_version = aws_lambda_function.endpoint_lambda.version

@@ -1,5 +1,30 @@
 variable "endpoint_name" {
-  type = string
+  description = "The name of the endpoint, used for naming resources"
+  type        = string
+}
+
+variable "endpoint_name_sanitized" {
+  // This allows us to remove some 'replace' directives, which will reduce 'known after apply' false triggers
+  description = "The name of the endpoint, required if endpoint_name contains a period"
+  type        = string
+  default     = ""
+  validation {
+    condition     = var.endpoint_name_sanitized != "" && strcontains(var.endpoint_name, ".")
+    error_message = "endpoint_name_sanitized is required if endpoint_name contains a period"
+  }
+  validation {
+    condition     = var.endpoint_name_sanitized == "" && !strcontains(var.endpoint_name, ".")
+    error_message = "endpoint_name_sanitized must not be set if endpoint_name does not contain a period"
+  }
+  validation {
+    condition     = !strcontains(var.endpoint_name_sanitized, ".")
+    error_message = "endpoint_name_sanitized must not contain a period"
+  }
+}
+
+locals {
+  // If endpoint_name_sanitized is not set, use endpoint_name, otherwise use endpoint_name_sanitized
+  endpoint_name_sanitized = var.endpoint_name_sanitized != "" ? var.endpoint_name_sanitized : var.endpoint_name
 }
 
 variable "source_bucket" {

@@ -43,7 +43,7 @@ When we fully switch over to using OpenAPI for all API Gateways, lambdas current
 | <a name="input_authentication_vpc_arn"></a> [authentication\_vpc\_arn](#input\_authentication\_vpc\_arn) | n/a | `string` | n/a | yes |
 | <a name="input_cloudwatch_key_arn"></a> [cloudwatch\_key\_arn](#input\_cloudwatch\_key\_arn) | The ARN of the KMS key to use log encryption | `string` | n/a | yes |
 | <a name="input_endpoint_method"></a> [endpoint\_method](#input\_endpoint\_method) | n/a | `list(string)` | n/a | yes |
-| <a name="input_endpoint_name"></a> [endpoint\_name](#input\_endpoint\_name) | n/a | `string` | n/a | yes |
+| <a name="input_endpoint_name"></a> [endpoint\_name](#input\_endpoint\_name) | The name of the endpoint, used for naming resources | `string` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | n/a | `string` | n/a | yes |
 | <a name="input_execution_arn"></a> [execution\_arn](#input\_execution\_arn) | n/a | `string` | n/a | yes |
 | <a name="input_handler_environment_variables"></a> [handler\_environment\_variables](#input\_handler\_environment\_variables) | n/a | `map(string)` | n/a | yes |
@@ -66,6 +66,7 @@ When we fully switch over to using OpenAPI for all API Gateways, lambdas current
 | <a name="input_code_signing_config_arn"></a> [code\_signing\_config\_arn](#input\_code\_signing\_config\_arn) | n/a | `any` | `null` | no |
 | <a name="input_create_endpoint"></a> [create\_endpoint](#input\_create\_endpoint) | n/a | `bool` | `true` | no |
 | <a name="input_dynatrace_secret"></a> [dynatrace\_secret](#input\_dynatrace\_secret) | JSON decoded dynatrace secret | <pre>object({<br/>    JAVA_LAYER = string<br/><br/>    DT_CONNECTION_AUTH_TOKEN     = string<br/>    DT_CONNECTION_BASE_URL       = string<br/>    DT_CLUSTER_ID                = string<br/>    DT_TENANT                    = string<br/>    DT_LOG_COLLECTION_AUTH_TOKEN = string<br/>  })</pre> | `null` | no |
+| <a name="input_endpoint_name_sanitized"></a> [endpoint\_name\_sanitized](#input\_endpoint\_name\_sanitized) | The name of the endpoint, required if endpoint\_name contains a period | `string` | `""` | no |
 | <a name="input_extra_tags"></a> [extra\_tags](#input\_extra\_tags) | Extra tags to apply to resources | `map(string)` | `{}` | no |
 | <a name="input_handler_runtime"></a> [handler\_runtime](#input\_handler\_runtime) | n/a | `string` | `"java17"` | no |
 | <a name="input_integration_request_parameters"></a> [integration\_request\_parameters](#input\_integration\_request\_parameters) | n/a | `map(string)` | `{}` | no |

@@ -2,6 +2,7 @@ module "endpoint_lambda" {
   source = "../endpoint-lambda"
 
   endpoint_name                          = var.endpoint_name
+  endpoint_name_sanitized                = var.endpoint_name_sanitized
   source_bucket                          = var.source_bucket
   lambda_zip_file                        = var.lambda_zip_file
   lambda_zip_file_version                = var.lambda_zip_file_version

@@ -1,7 +1,16 @@
 variable "endpoint_name" {
-  type = string
+  description = "The name of the endpoint, used for naming resources"
+  type        = string
+}
+
+
+variable "endpoint_name_sanitized" {
+  description = "The name of the endpoint, required if endpoint_name contains a period"
+  type        = string
+  default     = ""
 }
 
+
 variable "path_part" {
   type = string
 }