Merge pull request #1836 from govuk-one-login/BAU/clean-up-cloudfront

BAU: Clean up after cloudfront implementation

ci/terraform/alb.tf

@@ -25,6 +25,11 @@ resource "aws_lb" "frontend_alb" {
   tags = local.default_tags
 }
 
+resource "aws_wafv2_web_acl_association" "alb_waf_association" {
+  resource_arn = aws_lb.frontend_alb.arn
+  web_acl_arn  = aws_cloudformation_stack.cloudfront.outputs["CloakingOriginWebACLArn"]
+}
+
 resource "aws_alb_target_group" "frontend_alb_target_group" {
   name                 = "${var.environment}-frontend-target"
   port                 = 80
@@ -178,4 +183,4 @@ resource "aws_alb_listener_rule" "service_down_rule" {
       values = ["/service-page-disabled/*"]
     }
   }
-}
+}

ci/terraform/cloudfront.tf

@@ -1,15 +1,14 @@
 resource "aws_cloudformation_stack" "cloudfront" {
-  count = var.cloudfront_auth_frontend_enabled ? 1 : 0
-  name  = "${var.environment}-auth-fe-cloudfront"
-  #using fixed version of cloudfron disturbution template for now 
+  name = "${var.environment}-auth-fe-cloudfront"
+  #using fixed version of cloudfron disturbution template for now
   template_url = "https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/cloudfront-distribution/template.yaml?versionId=._qPLI5sbnZN3T3jHF7fezX8BT6fK3j3"
 
   capabilities = ["CAPABILITY_NAMED_IAM"]
 
   parameters = {
     AddWWWPrefix                 = var.Add_WWWPrefix
-    CloudFrontCertArn            = aws_acm_certificate.cloudfront_frontend_certificate[0].arn
-    CloudFrontWafACL             = aws_wafv2_web_acl.frontend_cloudfront_waf_web_acl[0].arn
+    CloudFrontCertArn            = aws_acm_certificate.cloudfront_frontend_certificate.arn
+    CloudFrontWafACL             = aws_wafv2_web_acl.frontend_cloudfront_waf_web_acl.arn
     DistributionAlias            = local.frontend_fqdn
     FraudHeaderEnabled           = var.Fraud_Header_Enabled
     OriginCloakingHeader         = var.auth_origin_cloakingheader
@@ -20,26 +19,25 @@ resource "aws_cloudformation_stack" "cloudfront" {
   tags = local.default_tags
 
   #ignoring below parameter as these parameter are been read via secret manager and terraform continually detects changes
-  # Note : we need to remove the below lifecycle if the Header are changed in Secret manager to appy new cloainking header value 
+  # Note : we need to remove the below lifecycle if the Header are changed in Secret manager to appy new cloainking header value
   lifecycle {
     ignore_changes = [parameters["OriginCloakingHeader"], parameters["PreviousOriginCloakingHeader"]]
   }
 
 }
 
 resource "aws_cloudformation_stack" "cloudfront-monitoring" {
-  count    = var.cloudfront_auth_frontend_enabled ? 1 : 0
   provider = aws.cloudfront
   name     = "${var.environment}-auth-fe-cloudfront-monitoring"
-  #using fixed version of cloudfront monitoring  disturbution template for now 
+  #using fixed version of cloudfront monitoring  disturbution template for now
   template_url = "https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/cloudfront-monitoring-alarm/template.yaml?versionId=td2KHIlG7KGXl0mkMrRDkgBWxdXPEMZ."
 
   capabilities = ["CAPABILITY_NAMED_IAM"]
 
   parameters = {
-    CacheHitAlarmSNSTopicARN            = aws_sns_topic.slack_events[0].arn
+    CacheHitAlarmSNSTopicARN            = aws_sns_topic.slack_events.arn
     CloudFrontAdditionaldMetricsEnabled = true
-    CloudfrontDistribution              = aws_cloudformation_stack.cloudfront[0].outputs["DistributionId"]
+    CloudfrontDistribution              = aws_cloudformation_stack.cloudfront.outputs["DistributionId"]
   }
   depends_on = [aws_cloudformation_stack.cloudfront]
   tags       = local.default_tags

ci/terraform/route53.tf

@@ -13,8 +13,8 @@ resource "aws_route53_record" "frontend" {
 
   alias {
     evaluate_target_health = false
-    name                   = var.cloudfront_auth_dns_enabled ? aws_cloudformation_stack.cloudfront[0].outputs["DistributionDomain"] : aws_lb.frontend_alb.dns_name
-    zone_id                = var.cloudfront_auth_dns_enabled ? var.cloudfront_zoneid : aws_lb.frontend_alb.zone_id
+    name                   = aws_cloudformation_stack.cloudfront.outputs["DistributionDomain"]
+    zone_id                = var.cloudfront_zoneid
   }
 }
 
@@ -25,8 +25,8 @@ resource "aws_route53_record" "frontend_record" {
 
   alias {
     evaluate_target_health = false
-    name                   = var.cloudfront_auth_dns_enabled ? aws_cloudformation_stack.cloudfront[0].outputs["DistributionDomain"] : aws_lb.frontend_alb.dns_name
-    zone_id                = var.cloudfront_auth_dns_enabled ? var.cloudfront_zoneid : aws_lb.frontend_alb.zone_id
+    name                   = aws_cloudformation_stack.cloudfront.outputs["DistributionDomain"]
+    zone_id                = var.cloudfront_zoneid
   }
 }
 
@@ -87,7 +87,6 @@ output "signin_nameservers" {
 #DNS Record for cloufront origin Domain & TLS certificate
 
 resource "aws_route53_record" "Cloudfront_frontend_record" {
-  count   = var.cloudfront_auth_frontend_enabled ? 1 : 0
   name    = local.frontend_fqdn_origin
   type    = "A"
   zone_id = aws_route53_zone.zone.zone_id
@@ -101,7 +100,6 @@ resource "aws_route53_record" "Cloudfront_frontend_record" {
 
 resource "aws_acm_certificate" "cloudfront_frontend_certificate" {
   provider          = aws.cloudfront
-  count             = var.cloudfront_auth_frontend_enabled ? 1 : 0
   domain_name       = local.frontend_fqdn
   validation_method = "DNS"
 
@@ -114,13 +112,13 @@ resource "aws_acm_certificate" "cloudfront_frontend_certificate" {
 
 resource "aws_route53_record" "cloudfront_frontend_certificate_validation" {
   provider = aws.cloudfront
-  for_each = var.cloudfront_auth_frontend_enabled ? {
-    for dvo in aws_acm_certificate.cloudfront_frontend_certificate[0].domain_validation_options : dvo.domain_name => {
+  for_each = {
+    for dvo in aws_acm_certificate.cloudfront_frontend_certificate.domain_validation_options : dvo.domain_name => {
       name   = dvo.resource_record_name
       record = dvo.resource_record_value
       type   = dvo.resource_record_type
     }
-  } : {}
+  }
 
   allow_overwrite = true
   name            = each.value.name
@@ -133,8 +131,7 @@ resource "aws_route53_record" "cloudfront_frontend_certificate_validation" {
 
 resource "aws_acm_certificate_validation" "frontend_acm_cloudfront_certificate_validation" {
   provider                = aws.cloudfront
-  count                   = var.cloudfront_auth_frontend_enabled ? 1 : 0
-  certificate_arn         = aws_acm_certificate.cloudfront_frontend_certificate[0].arn
+  certificate_arn         = aws_acm_certificate.cloudfront_frontend_certificate.arn
   validation_record_fqdns = [for record in aws_route53_record.cloudfront_frontend_certificate_validation : record.fqdn]
   depends_on              = [aws_route53_record.cloudfront_frontend_certificate_validation]
 }

ci/terraform/sns.tf

@@ -2,17 +2,15 @@
 
 resource "aws_sns_topic" "slack_events" {
   provider                         = aws.cloudfront
-  count                            = var.cloudfront_auth_frontend_enabled ? 1 : 0
   name                             = "${var.environment}-cloudfront-alerts"
-  lambda_failure_feedback_role_arn = aws_iam_role.sns_logging_iam_role[0].arn
+  lambda_failure_feedback_role_arn = aws_iam_role.sns_logging_iam_role.arn
 
   tags = local.default_tags
 }
 
 data "aws_iam_policy_document" "sns_topic_policy" {
   version  = "2012-10-17"
   provider = aws.cloudfront
-  count    = var.cloudfront_auth_frontend_enabled ? 1 : 0
 
   statement {
     actions = [
@@ -41,33 +39,30 @@ data "aws_iam_policy_document" "sns_topic_policy" {
     }
 
     resources = [
-      aws_sns_topic.slack_events[0].arn,
+      aws_sns_topic.slack_events.arn,
     ]
   }
 }
 
 resource "aws_sns_topic_policy" "sns_alert_policy" {
   provider = aws.cloudfront
-  count    = var.cloudfront_auth_frontend_enabled ? 1 : 0
-  arn      = aws_sns_topic.slack_events[0].arn
+  arn      = aws_sns_topic.slack_events.arn
 
-  policy = data.aws_iam_policy_document.sns_topic_policy[0].json
+  policy = data.aws_iam_policy_document.sns_topic_policy.json
 }
 
 resource "aws_iam_role" "sns_logging_iam_role" {
   provider           = aws.cloudfront
-  count              = var.cloudfront_auth_frontend_enabled ? 1 : 0
   name_prefix        = "sns-failed-slack-alerts-role"
   path               = "/${var.environment}/"
-  assume_role_policy = data.aws_iam_policy_document.sns_can_assume_policy[0].json
+  assume_role_policy = data.aws_iam_policy_document.sns_can_assume_policy.json
 
   tags = local.default_tags
 }
 
 data "aws_iam_policy_document" "sns_can_assume_policy" {
   version  = "2012-10-17"
   provider = aws.cloudfront
-  count    = var.cloudfront_auth_frontend_enabled ? 1 : 0
 
   statement {
     effect = "Allow"
@@ -87,7 +82,6 @@ data "aws_iam_policy_document" "sns_can_assume_policy" {
 data "aws_iam_policy_document" "sns_logging_policy" {
   version  = "2012-10-17"
   provider = aws.cloudfront
-  count    = var.cloudfront_auth_frontend_enabled ? 1 : 0
 
   statement {
     effect = "Allow"
@@ -108,13 +102,12 @@ data "aws_iam_policy_document" "sns_logging_policy" {
 }
 
 resource "aws_iam_policy" "api_gateway_logging_policy" {
-  count       = var.cloudfront_auth_frontend_enabled ? 1 : 0
   provider    = aws.cloudfront
   name_prefix = "sns-failed-alert-logging"
   path        = "/${var.environment}/"
   description = "IAM policy for logging failed SNS alerts"
 
-  policy = data.aws_iam_policy_document.sns_logging_policy[0].json
+  policy = data.aws_iam_policy_document.sns_logging_policy.json
 
   lifecycle {
     create_before_destroy = true
@@ -125,7 +118,6 @@ resource "aws_iam_policy" "api_gateway_logging_policy" {
 
 resource "aws_iam_role_policy_attachment" "api_gateway_logging_logs" {
   provider   = aws.cloudfront
-  count      = var.cloudfront_auth_frontend_enabled ? 1 : 0
-  role       = aws_iam_role.sns_logging_iam_role[0].name
-  policy_arn = aws_iam_policy.api_gateway_logging_policy[0].arn
+  role       = aws_iam_role.sns_logging_iam_role.name
+  policy_arn = aws_iam_policy.api_gateway_logging_policy.arn
 }

ci/terraform/variables.tf

@@ -317,19 +317,6 @@ variable "service_down_page" {
   description = "Feature flag to control deployment of service down page "
 }
 
-#cloudfront variable
-variable "cloudfront_auth_frontend_enabled" {
-  type        = bool
-  default     = false
-  description = "Feature flag to control the creation cloudfront DNS record origin & Cloudfront Certificate"
-}
-
-variable "cloudfront_auth_dns_enabled" {
-  type        = bool
-  default     = false
-  description = "Feature flag to control the switch of DNS record to  cloudfront"
-}
-
 variable "cloudfront_zoneid" {
   type        = string
   default     = "Z2FDTNDATAQYW2"
@@ -408,4 +395,4 @@ variable "analytics_cookie_domain" {
   type        = string
   default     = ""
   description = "Analytics cookie domain where cookie is set"
-}
+}