v0.1.2

admins.tf

@@ -0,0 +1,51 @@
+# #########################################
+# Admins - group with ability to assume a role with privileged access
+# #########################################
+data "aws_iam_policy_document" "admins_group" {
+  statement {
+    actions   = ["sts:AssumeRole"]
+    resources = [aws_iam_role.admins.arn]
+  }
+}
+
+data "aws_iam_policy_document" "admins_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    dynamic condition {
+      for_each = var.admins_role_require_mfa ? { 1 : 1 } : {}
+      content {
+        test     = "Bool"
+        variable = "aws:MultiFactorAuthPresent"
+        values   = ["true"]
+      }
+    }
+
+    principals {
+      type        = "AWS"
+      identifiers = [format("arn:aws:iam::%s:root", data.aws_caller_identity.current.account_id)]
+    }
+  }
+}
+
+resource "aws_iam_group" "admins" {
+  name = format("%s-%s", module.labels.id, "admins")
+  path = "/"
+}
+
+resource "aws_iam_group_policy" "admins" {
+  group  = aws_iam_group.admins.id
+  name   = format("%s-%s", module.labels.id, "admins")
+  policy = data.aws_iam_policy_document.admins_group.json
+}
+
+resource "aws_iam_role" "admins" {
+  assume_role_policy = data.aws_iam_policy_document.admins_role.json
+  name               = format("%s-%s", module.labels.id, "admins")
+  tags               = module.labels.tags
+}
+
+resource "aws_iam_role_policy_attachment" "admins" {
+  role       = aws_iam_role.admins.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}

dns.tf

@@ -3,17 +3,92 @@
 # #########################################
 data "aws_route53_zone" "primary" {
   count        = local.enable_dns_count
-  provider     = aws.root
+  provider     = aws.dns
   name         = var.route53_zone
   private_zone = false
 }
 
+# #########################################
+# Certificate
+# #########################################
+resource "aws_acm_certificate" "wildcard_cert" {
+  count             = local.enable_certificates_count
+  domain_name       = var.wildcard_domain
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route53_record" "wildcard_cert_validation" {
+  count           = local.enable_certificates_count
+  provider        = aws.dns
+  name            = aws_acm_certificate.wildcard_cert[0].domain_validation_options.0.resource_record_name
+  type            = aws_acm_certificate.wildcard_cert[0].domain_validation_options.0.resource_record_type
+  zone_id         = data.aws_route53_zone.primary[0].id
+  records         = [aws_acm_certificate.wildcard_cert[0].domain_validation_options.0.resource_record_value]
+  ttl             = 60
+  allow_overwrite = true
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_acm_certificate_validation" "wildcard_cert" {
+  count                   = local.enable_certificates_count
+  certificate_arn         = aws_acm_certificate.wildcard_cert[0].arn
+  validation_record_fqdns = [aws_route53_record.wildcard_cert_validation[0].fqdn]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_acm_certificate" "wildcard_cert_us" {
+  count             = local.enable_certificates_count
+  provider          = aws.us_east_1
+  domain_name       = var.wildcard_domain
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route53_record" "wildcard_cert_validation_us" {
+  count           = local.enable_certificates_count
+  provider        = aws.dns
+  name            = aws_acm_certificate.wildcard_cert_us[0].domain_validation_options.0.resource_record_name
+  type            = aws_acm_certificate.wildcard_cert_us[0].domain_validation_options.0.resource_record_type
+  zone_id         = data.aws_route53_zone.primary[0].id
+  records         = [aws_acm_certificate.wildcard_cert_us[0].domain_validation_options.0.resource_record_value]
+  ttl             = 60
+  allow_overwrite = true
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_acm_certificate_validation" "wildcard_cert_us" {
+  count                   = local.enable_certificates_count
+  provider                = aws.us_east_1
+  certificate_arn         = aws_acm_certificate.wildcard_cert_us[0].arn
+  validation_record_fqdns = [aws_route53_record.wildcard_cert_validation_us[0].fqdn]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
 # #########################################
 # DNS Records
 # #########################################
 resource "aws_route53_record" "interop" {
   count    = local.enable_dns_count
-  provider = aws.root
+  provider = aws.dns
   zone_id  = data.aws_route53_zone.primary[0].id
   name     = var.interop_dns
   type     = "A"

docs/create-new-env.md

@@ -0,0 +1,76 @@
+#How to create new interop environment
+
+
+## Create an AWS profile
+Add a interop-ENV profile to `~/.aws/credentials`,
+where ENV stands for the name of your environment, e.g. `dev`, `qa` or `prod`
+
+## Create the Terraform state backend
+Assuming covid-tracker-infrastructure repo is cloned in the same directory as current project:
+
+See [../../covid-tracker-infrastructure/scripts/create-tf-state-backend.sh] script
+
+```
+# Set your AWS_PROFILE
+export AWS_PROFILE=interop-dev
+export AWS_REGION=eu-west-1
+
+# Create
+./../../covid-tracker-infrastructure/scripts/create-tf-state-backend.sh eu-west-1 interop-dev-terraform-store interop-dev-terraform-lock
+```
+
+
+## Create the AWS SecretsManager secrets
+
+
+### header-x-secret Secret
+The `header-x-secret` secret is used to secure communication between the APIGateway and ALB for the API traffic.
+
+The secret value should be a random alphanumeric string 96 characters in length.
+
+The format of the secret is as follows:
+```json
+{
+  "header-secret":"Some random 96 alpanumeric characters"
+}
+```
+
+### jwt Secret
+The `jwt` secret is used for signing the JSON Web Tokens with the HMAC algorithm. These are issued to users for API authentication,
+and the signature is checked by the service to ensure their legitimacy.
+
+The secret value should be a random string 32 characters in length.
+
+The format of the secret is as follows:
+```json
+{
+  "key": "32 random characters"
+}
+```
+
+### RDS Secrets
+The `rds` secret contains the master RDS credentials.
+
+The format of the secret is as follows:
+```json
+{
+  "password":"A strong password",
+  "username":"rds_admin_user"
+}
+```
+
+The `rds-read-only`, `rds-read-write`, `rds-read-write-create` secrets contains the application RDS credentials.
+The format of the secret is as follows:
+```json
+{
+  "password":"A strong password",
+  "username":"user_name"
+}
+```
+
+## Create the env-vars files
+
+| File                    | Content                                                      |
+| ------------------------| -----------------------------------------------------------  |
+| env-vars/ENV.tfvars     | Contains the Interop values that are specific to the dev env |
+

ecs_interop.tf

@@ -43,6 +43,7 @@ data "aws_iam_policy_document" "interop_ecs_task_policy" {
       aws_ssm_parameter.batch_size.arn,
       aws_ssm_parameter.batch_url.arn,
       data.aws_secretsmanager_secret_version.rds.arn,
+      data.aws_secretsmanager_secret_version.rds_read_write_create.arn,
       data.aws_secretsmanager_secret_version.jwt.arn
     ]
   }

gateway.tf

@@ -13,9 +13,15 @@ resource "aws_api_gateway_rest_api" "main" {
 ## custom domain name
 resource "aws_api_gateway_domain_name" "main" {
   count           = local.enable_dns_count
-  certificate_arn = var.interop_us_certificate_arn
+  certificate_arn = aws_acm_certificate.wildcard_cert_us[0].arn
   domain_name     = var.interop_dns
   security_policy = "TLS_1_2"
+
+
+  depends_on = [
+    aws_acm_certificate.wildcard_cert_us[0],
+    aws_acm_certificate_validation.wildcard_cert_us[0]
+  ]
 }
 
 ## execution role with s3 access

lambda-batch.tf

@@ -12,12 +12,33 @@ data "aws_iam_policy_document" "batch_policy" {
       "ec2:DescribeNetworkInterfaces",
       "ec2:DetachNetworkInterface",
       "ec2:DeleteNetworkInterface",
-      "secretsmanager:GetSecretValue",
-      "ssm:GetParameter",
       "sqs:*"
     ]
     resources = ["*"]
   }
+
+  statement {
+    actions = [
+      "secretsmanager:GetSecretValue"
+    ]
+    resources = [
+      data.aws_secretsmanager_secret_version.rds_read_write.arn,
+      data.aws_secretsmanager_secret_version.rds.arn,
+    ]
+  }
+
+  statement {
+    actions = [
+      "ssm:GetParameter"
+    ]
+    resources = [
+      aws_ssm_parameter.db_host.arn,
+      aws_ssm_parameter.db_port.arn,
+      aws_ssm_parameter.db_database.arn,
+      aws_ssm_parameter.db_ssl.arn,
+      aws_ssm_parameter.batch_size.arn
+    ]
+  }
 }
 
 data "aws_iam_policy_document" "batch_assume_role" {

lambda-token.tf

@@ -11,12 +11,32 @@ data "aws_iam_policy_document" "token_policy" {
       "ec2:CreateNetworkInterface",
       "ec2:DescribeNetworkInterfaces",
       "ec2:DetachNetworkInterface",
-      "ec2:DeleteNetworkInterface",
-      "secretsmanager:GetSecretValue",
-      "ssm:GetParameter"
+      "ec2:DeleteNetworkInterface"
     ]
     resources = ["*"]
   }
+
+  statement {
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+    resources = [
+      data.aws_secretsmanager_secret_version.rds_read_write.arn,
+      data.aws_secretsmanager_secret_version.rds.arn,
+      data.aws_secretsmanager_secret_version.jwt.arn,
+    ]
+  }
+  statement {
+    actions = [
+      "ssm:GetParameter",
+    ]
+    resources = [
+      aws_ssm_parameter.db_host.arn,
+      aws_ssm_parameter.db_port.arn,
+      aws_ssm_parameter.db_database.arn,
+      aws_ssm_parameter.db_ssl.arn
+    ]
+  }
 }
 
 data "aws_iam_policy_document" "token_assume_role" {

locals.tf

@@ -8,6 +8,9 @@ locals {
   # Will be used as a prefix for AWS parameters and secrets
   config_var_prefix = "${module.labels.id}-"
 
+  # Based on flag
+  enable_certificates_count = var.enable_certificates ? 1 : 0
+
   # Based on flag
   enable_dns_count = var.enable_dns ? 1 : 0
 

main.tf

@@ -22,18 +22,21 @@ provider "aws" {
   profile = var.profile
 }
 
+# Provider based on main but using us_east_1 as region
+# Will use this if creating a TLS certificate in us-east-1 region as required by CloudFront Edge used by the APIGateway
 provider "aws" {
-  version = "2.68.0"
-  alias   = "root"
-  region  = var.aws_region
-  profile = var.root_profile
+  alias   = "us_east_1"
+  region  = "us-east-1"
+  profile = var.profile
 }
 
+# DNS provider
+# Will use this if managing DNS, in some cases the Route53 zones are managed on a different account
 provider "aws" {
   version = "2.68.0"
-  alias   = "root-us"
-  region  = "us-east-1"
-  profile = var.root_profile
+  alias   = "dns"
+  region  = var.aws_region
+  profile = var.dns_profile
 }
 
 # #########################################