From 007e69316940f3a6b77f123714fd0c921f95055f Mon Sep 17 00:00:00 2001
From: Andrew Pepler
Date: Fri, 26 Jan 2024 17:07:14 +0000
Subject: [PATCH] Chaps - Remove certificate (#4703)
---
 .../environments/cdpt-chaps/loadbalancer.tf | 4 +-
 terraform/environments/cdpt-chaps/locals.tf | 2 +-
 terraform/environments/cdpt-chaps/route53.tf | 64 ++++++++++++++++++-
 3 files changed, 66 insertions(+), 4 deletions(-)
diff --git a/terraform/environments/cdpt-chaps/loadbalancer.tf b/terraform/environments/cdpt-chaps/loadbalancer.tf
index 5baf1eeb51d..d42350a81d0 100644
--- a/terraform/environments/cdpt-chaps/loadbalancer.tf
+++ b/terraform/environments/cdpt-chaps/loadbalancer.tf
@@ -50,12 +50,12 @@ resource "aws_lb_target_group" "chaps_target_group" {
 resource "aws_lb_listener" "https_listener" {
   #checkov:skip=CKV_AWS_103
-  depends_on = [aws_acm_certificate_validation.external]
+  depends_on = [aws_acm_certificate_validation.external_cert]
   load_balancer_arn = aws_lb.chaps_lb.arn
   port = 443
   protocol = "HTTPS"
-  certificate_arn = aws_acm_certificate.external.arn
+  certificate_arn = aws_acm_certificate.external_cert.arn
   default_action {
     target_group_arn = aws_lb_target_group.chaps_target_group.id
diff --git a/terraform/environments/cdpt-chaps/locals.tf b/terraform/environments/cdpt-chaps/locals.tf
index dc27961f21b..cde6359203d 100644
--- a/terraform/environments/cdpt-chaps/locals.tf
+++ b/terraform/environments/cdpt-chaps/locals.tf
@@ -1,5 +1,5 @@
 locals {
-  domain_types = { for dvo in aws_acm_certificate.external.domain_validation_options : dvo.domain_name => {
+  domain_types = { for dvo in aws_acm_certificate.external_cert.domain_validation_options : dvo.domain_name => {
     name = dvo.resource_record_name
     record = dvo.resource_record_value
     type = dvo.resource_record_type
diff --git a/terraform/environments/cdpt-chaps/route53.tf b/terraform/environments/cdpt-chaps/route53.tf
index 1419fbea170..4a134201afd 100644
--- a/terraform/environments/cdpt-chaps/route53.tf
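Review bot: The swapped `certificate_arn` line makes the listener terminate TLS with `aws_acm_certificate.external_cert`, yet the patch title says a certificate is being removed while `aws_acm_certificate.external` is still managed and even edited in route53.tf in this same patch, so two issued certificates and two sets of validation records will coexist with nothing referencing the old one. If this is a deliberate two-step cutover, say so beside the changed line, e.g. `# Cut over to external_cert; aws_acm_certificate.external is retired in a follow-up`, otherwise retire `external` and its validation in this change. The retained `#checkov:skip=CKV_AWS_103` above the changed lines carries no rationale and `ssl_policy` is not visible in the hunk; confirm an explicit TLS 1.2-or-later policy is set in the part of `https_listener` that continues outside the hunk.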
+++ b/terraform/environments/cdpt-chaps/route53.tf
@@ -5,7 +5,7 @@ resource "aws_acm_certificate" "external" {
   domain_name = "modernisation-platform.service.justice.gov.uk"
   validation_method = "DNS"
-  subject_alternative_names = ["${var.networking[0].application}.${var.networking[0].business-unit}-${local.application_data.accounts[local.environment].environment_name}.modernisation-platform.service.justice.gov.uk"]
+  subject_alternative_names = ["${var.networking[0].application}.${local.environment}.modernisation-platform.service.justice.gov.uk"]
   tags = {
     Environment = local.environment
   }
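Review bot: The rewritten `subject_alternative_names` line gives `aws_acm_certificate.external` the host `${var.networking[0].application}.${local.environment}.…`, a third naming scheme next to `${application}.${business-unit}-${local.environment}` used by the `aws_route53_record.external` A record and `${application}.${business-unit}-${…environment_name}` used by the new `external_cert` certificate and A record in the following hunk of this file. Since loadbalancer.tf now serves `external_cert`, whichever of those names clients actually resolve must be present in that certificate's SAN, and if `local.environment` and `environment_name` ever differ the `external` A record and the served certificate will not agree, which clients will see as a hostname mismatch. Changing the SAN also forces replacement of `external`, whose DNS validation presumably still consumes `local.domain_name_main`/`domain_name_sub` (not shown), which locals.tf now derives from `external_cert`'s validation options, so the re-issued `external` may never validate. If `external` is no longer used, drop it rather than re-issuing it; if it is kept, its SAN should stay identical to the hostname the A record publishes.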
@@ -47,6 +47,68 @@ resource "aws_route53_record" "external_validation_subdomain" {
 resource "aws_route53_record" "external" {
   provider = aws.core-vpc
+  zone_id = data.aws_route53_zone.external.zone_id
+  name = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
+  type = "A"
+
+  alias {
+    name = aws_lb.chaps_lb.dns_name
+    zone_id = aws_lb.chaps_lb.zone_id
+    evaluate_target_health = true
+  }
+}
+
+
+
+
+
+
+resource "aws_acm_certificate" "external_cert" {
+  domain_name = "modernisation-platform.service.justice.gov.uk"
+  validation_method = "DNS"
+
+  subject_alternative_names = ["${var.networking[0].application}.${var.networking[0].business-unit}-${local.application_data.accounts[local.environment].environment_name}.modernisation-platform.service.justice.gov.uk"]
+  tags = {
+    Environment = local.environment
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_acm_certificate_validation" "external_cert" {
+  certificate_arn = aws_acm_certificate.external_cert.arn
+  validation_record_fqdns = [local.domain_name_main[0], local.domain_name_sub[0]]
+}
+
+// Route53 DNS records for certificate validation
+resource "aws_route53_record" "external_cert_validation" {
+  provider = aws.core-network-services
+
+  allow_overwrite = true
+  name = local.domain_name_main[0]
+  records = local.domain_record_main
+  ttl = 60
+  type = local.domain_type_main[0]
+  zone_id = data.aws_route53_zone.network-services.zone_id
+}
+
+resource "aws_route53_record" "external_cert_validation_subdomain" {
+  provider = aws.core-vpc
+
+  allow_overwrite = true
+  name = local.domain_name_sub[0]
+  records = local.domain_record_sub
+  ttl = 60
+  type = local.domain_type_sub[0]
+  zone_id = data.aws_route53_zone.external.zone_id
+}
+
+// Route53 DNS record for directing traffic to the service
+resource "aws_route53_record" "external_cert" {
+  provider = aws.core-vpc
+  zone_id =
data.aws_route53_zone.external.zone_id name = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.application_data.accounts[local.environment].environment_name}.modernisation-platform.service.justice.gov.uk" type = "A"