covidgreen · mariusv · Jan 27, 2021 · Jan 27, 2021 · Jan 27, 2021 · Jan 27, 2021
diff --git a/alb.tf b/alb.tf
@@ -272,7 +272,8 @@ resource "aws_lb_listener" "push_https" {
 # #########################################
 module "alb_logs" {
   source  = "trussworks/logs/aws"
-  version = "8.2.0"
+  version = "9.0.0"
+  #version = "8.3.0"
 
   alb_logs_prefixes       = ["admin", "api", "push"]
   allow_alb               = true

diff --git a/cognito.tf b/cognito.tf
@@ -66,3 +66,8 @@ resource "aws_cognito_user_group" "manage_users" {
   name         = "manage-users"
   user_pool_id = aws_cognito_user_pool.admin_user_pool.id
 }
+
+resource "aws_cognito_user_group" "dashboard-read" {
+  name         = "dashboard-read"
+  user_pool_id = aws_cognito_user_pool.admin_user_pool.id
+}
diff --git a/gateway.tf b/gateway.tf
@@ -9,6 +9,8 @@ resource "aws_api_gateway_rest_api" "main" {
   binary_media_types = concat([
     "application/zip",
     "application/octet-stream",
+    "application/pdf",
+    "image/*",
   ], var.api_gateway_customizations_binary_types)
 
   endpoint_configuration {
@@ -446,6 +448,75 @@ resource "aws_api_gateway_integration_response" "admin_proxy_any_integration" {
    ]
 }
 
+
+## /enx/{key+}
+resource "aws_api_gateway_resource" "enx_root" {
+  rest_api_id = aws_api_gateway_rest_api.main.id
+  parent_id   = aws_api_gateway_rest_api.main.root_resource_id
+  path_part   = "enx"
+}
+
+resource "aws_api_gateway_resource" "enx_proxy" {
+  rest_api_id = aws_api_gateway_rest_api.main.id
+  parent_id   = aws_api_gateway_resource.enx_root.id
+  path_part   = "{key+}"
+}
+
+resource "aws_api_gateway_method" "enx_proxy_get" {
+  rest_api_id      = aws_api_gateway_rest_api.main.id
+  resource_id      = aws_api_gateway_resource.enx_proxy.id
+  http_method      = "GET"
+  authorization    = "NONE"
+  api_key_required = false
+  request_parameters = {
+    "method.request.path.key" = true
+  }
+}
+
+resource "aws_api_gateway_integration" "enx_proxy_get_integration" {
+  rest_api_id             = aws_api_gateway_rest_api.main.id
+  resource_id             = aws_api_gateway_resource.enx_proxy.id
+  http_method             = aws_api_gateway_method.enx_proxy_get.http_method
+  timeout_milliseconds    = var.api_gateway_timeout_milliseconds
+  integration_http_method = "GET"
+  type                    = "AWS"
+  uri                     = format("arn:aws:apigateway:%s:s3:path/%s/enx/{key}", var.aws_region, aws_s3_bucket.assets.id)
+  credentials             = aws_iam_role.gateway.arn
+  request_parameters = {
+    "integration.request.path.key" = "method.request.path.key",
+  }
+}
+
+resource "aws_api_gateway_method_response" "enx_proxy_get" {
+  rest_api_id = aws_api_gateway_rest_api.main.id
+  resource_id = aws_api_gateway_resource.enx_proxy.id
+  http_method = aws_api_gateway_method.enx_proxy_get.http_method
+  status_code = "200"
+
+  response_parameters = {
+    "method.response.header.Content-Length"            = false,
+    "method.response.header.Content-Type"              = false,
+    "method.response.header.Cache-Control"             = true,
+    "method.response.header.Pragma"                    = true,
+    "method.response.header.Strict-Transport-Security" = true
+  }
+}
+
+resource "aws_api_gateway_integration_response" "enx_proxy_get_integration" {
+  rest_api_id       = aws_api_gateway_rest_api.main.id
+  resource_id       = aws_api_gateway_resource.enx_proxy.id
+  http_method       = aws_api_gateway_method.enx_proxy_get.http_method
+  selection_pattern = aws_api_gateway_method_response.enx_proxy_get.status_code
+  status_code       = aws_api_gateway_method_response.enx_proxy_get.status_code
+  response_parameters = {
+    "method.response.header.Content-Length"            = "integration.response.header.Content-Length",
+    "method.response.header.Content-Type"              = "integration.response.header.Content-Type",
+    "method.response.header.Cache-Control"             = "'no-store'",
+    "method.response.header.Pragma"                    = "'no-cache'",
+    "method.response.header.Strict-Transport-Security" = format("'max-age=%s; includeSubDomains'", var.hsts_max_age)
+  }
+}
+
 ## /api
 resource "aws_api_gateway_resource" "api" {
   rest_api_id = aws_api_gateway_rest_api.main.id
@@ -986,6 +1057,7 @@ resource "aws_api_gateway_deployment" "live" {
     aws_api_gateway_integration.admin_ui_key_get_integration,
     aws_api_gateway_integration.admin_proxy_options_integration,
     aws_api_gateway_integration.admin_proxy_any_integration,
+    aws_api_gateway_integration.enx_proxy_get_integration,
     aws_api_gateway_integration.api_proxy_options_integration,
     aws_api_gateway_integration.api_proxy_any_integration,
     aws_api_gateway_integration.api_settings_get_integration,
@@ -1013,7 +1085,7 @@ resource "aws_api_gateway_stage" "live" {
   stage_name    = "live"
   access_log_settings {
     destination_arn = aws_cloudwatch_log_group.api_gateway.arn
-    format          = "[$context.requestTime] \"$context.httpMethod $context.resourcePath $context.protocol\" $context.status $context.responseLength $context.requestId"
+    format          = "[$context.requestTime] \"$context.httpMethod $context.path $context.protocol\" $context.status [$context.identity.userAgent] $context.responseLength $context.requestId"
   }
 
   lifecycle {
@@ -1023,6 +1095,61 @@ resource "aws_api_gateway_stage" "live" {
   }
 }
 
+resource "aws_cloudwatch_log_metric_filter" "enx_logo_all_filter" {
+  log_group_name = "${module.labels.id}-gw-access-logs"
+  name = "${module.labels.id}-enxlogoall-filter"
+  pattern = "[time ,method = \"*enx/logo*\", statusCode ,agent=\"*CFNetwork*\"]"
+  metric_transformation {
+    name = "enxlogoall"
+    namespace = "ApiGateway"
+    value = "1"
+  }
+}
+
+resource "aws_cloudwatch_log_metric_filter" "enx_logo_200_filter" {
+  log_group_name = "${module.labels.id}-gw-access-logs"
+  name = "${module.labels.id}-enxlogo200-filter"
+  pattern = "[time ,method = \"*enx/logo*\", statusCode = 200,agent=\"*CFNetwork*\"]"
+  metric_transformation {
+    name = "enxlogo200"
+    namespace = "ApiGateway"
+    value = "1"
+  }
+}
+
+resource "aws_cloudwatch_log_metric_filter" "enx_logo_304_filter" {
+  log_group_name = "${module.labels.id}-gw-access-logs"
+  name = "${module.labels.id}-enxlogo304-filter"
+  pattern = "[time ,method = \"*enx/logo*\", statusCode = 304,agent=\"*CFNetwork*\"]"
+  metric_transformation {
+    name = "enxlogo304"
+    namespace = "ApiGateway"
+    value = "1"
+  }
+}
+
+resource "aws_cloudwatch_log_metric_filter" "enx_logo_settings_filter" {
+  log_group_name = "${module.labels.id}-gw-access-logs"
+  name = "${module.labels.id}-enxlogosettings-filter"
+  pattern = "[time ,method = \"*enx/logo*\", statusCode = 200,agent=\"*Settings*CFNetwork*\"]"
+  metric_transformation {
+    name = "enxlogosettings"
+    namespace = "ApiGateway"
+    value = "1"
+  }
+}
+
+resource "aws_cloudwatch_log_metric_filter" "enx_logo_enbuddy_filter" {
+  log_group_name = "${module.labels.id}-gw-access-logs"
+  name = "${module.labels.id}-enxlogoenbuddy-filter"
+  pattern = "[time ,method = \"*enx/logo*\", statusCode = 200,agent=\"*HealthENBuddy*CFNetwork*\"]"
+  metric_transformation {
+    name = "enxlogoenbuddy"
+    namespace = "ApiGateway"
+    value = "1"
+  }
+}
+
 resource "aws_api_gateway_method_settings" "settings" {
   rest_api_id = aws_api_gateway_rest_api.main.id
   stage_name  = aws_api_gateway_stage.live.stage_name
@@ -1051,6 +1178,7 @@ resource "aws_api_gateway_authorizer" "main" {
   authorizer_credentials = aws_iam_role.authorizer.arn
 }
 
+
 # #########################################
 # Default Responses
 # #########################################

diff --git a/lambda-cleanup.tf b/lambda-cleanup.tf
@@ -18,7 +18,8 @@ module "cleanup" {
     aws_ssm_parameter.db_ssl.arn,
     aws_ssm_parameter.security_code_removal_mins.arn,
     aws_ssm_parameter.upload_token_lifetime_mins.arn,
-    aws_ssm_parameter.self_isolation_notice_lifetime_mins.arn
+    aws_ssm_parameter.self_isolation_notice_lifetime_mins.arn,
+    aws_ssm_parameter.enx_logo_supported.arn
   ]
   aws_secret_arns                = [data.aws_secretsmanager_secret_version.rds_read_write.arn]
   cloudwatch_schedule_expression = var.cleanup_schedule

diff --git a/lambda-download.tf b/lambda-download.tf
@@ -16,7 +16,8 @@ module "download" {
     aws_ssm_parameter.db_port.arn,
     aws_ssm_parameter.db_reader_host.arn,
     aws_ssm_parameter.db_ssl.arn,
-    aws_ssm_parameter.time_zone.arn
+    aws_ssm_parameter.time_zone.arn,
+    aws_ssm_parameter.allowed_test_types.arn
     ],
     aws_ssm_parameter.interop_origin.*.arn
   )

diff --git a/lambda-self-isolation.tf b/lambda-self-isolation.tf
@@ -26,7 +26,7 @@ module "self_isolation_notices" {
   #Memory and timeout
   memory_size = var.lambda_self_isolation_memory_size
   timeout     = var.lambda_self_isolation_timeout
-
+  log_retention_days = var.logs_retention_days
   security_group_ids = [module.lambda_sg.id]
   subnet_ids         = module.vpc.private_subnets
 

diff --git a/networking.tf b/networking.tf
@@ -3,8 +3,9 @@
 #   - check https://github.com/terraform-aws-modules/terraform-aws-vpc
 # #########################################
 module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "2.48.0"
+  #source  = "git::https://github.com/nearform/terraform-aws-vpc.git?ref=2.48.0-endpoint-fix"
+  source = "terraform-aws-modules/vpc/aws"
+  version             = "2.73.0"
 
   name = module.labels.id
   cidr = var.vpc_cidr

diff --git a/parameters.tf b/parameters.tf
@@ -500,7 +500,19 @@ resource "aws_ssm_parameter" "settings_lambda" {
   tags      = module.labels.tags
 }
 
+# ENX Logo params
+resource "aws_ssm_parameter" "enx_logo_supported" {
+  name  = format("%s-enx_logo_supported", module.labels.id)
+  type  = "String"
+  value = var.enx_logo_supported
+}
 
+# Exposure Test Types
+resource "aws_ssm_parameter" "allowed_test_types" {
+  name  = format("%s-allowed_test_types", module.labels.id)
+  type  = "String"
+  value = var.allowed_test_types
+}
 
 # #########################################
 # Optional parameters - These exist for some instances

diff --git a/rds.tf b/rds.tf
@@ -31,8 +31,7 @@ resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring" {
 }
 
 module "rds_cluster_aurora_postgres" {
-  source              = "cloudposse/rds-cluster/aws"
-  version             = "0.31.0"
+  source	     = "git::https://github.com/nearform/terraform-aws-rds-cluster.git?ref=0.31.0"
   engine              = "aurora-postgresql"
   cluster_family      = var.rds_cluster_family
   cluster_size        = var.rds_cluster_size

diff --git a/variables.tf b/variables.tf
@@ -878,3 +878,14 @@ variable "self_isolation_notices_enabled" {
   default     = "false"
 }
 
+variable "enx_logo_supported" {
+  type        = string
+  description = "Enable/disable reporting on enx logo metrics"
+  default     = "false"
+}
+
+variable "allowed_test_types" {
+  type        = string
+  description = "The test types to accept"
+  default     = "[1]"
+}
diff --git a/versions.tf b/versions.tf
@@ -1,15 +1,28 @@
 terraform {
-  required_version = ">= 0.12.29, < 0.14"
+  required_version = ">= 0.13"
 
   # Leaving this, even though we have moved towards using this repo as a module - will ignore in that case
   # Also need to cater for git submodule/subtree usage for existing infrastructure
   backend "s3" {}
 
   # Providers
   required_providers {
-    archive = "~> 1.3.0"
-    aws     = "~> 2.70"
-    null    = "~> 2.1"
-    random  = "~> 2.0"
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 1.3.0"
+    }
+    #aws     = "~> 2.70"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.10"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 2.1"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 2.0"
+    }
   }
 }