Merge pull request #3083 from ministryofjustice/create-SSL-cert-LAWS-…

…3314 new acm-cert for dev.legal.service
ministryofjustice · Aug 17, 2023 · d16f610 · d16f610
2 parents bb480bf + 70b9067
commit d16f610
Show file tree

Hide file tree

Showing 5 changed files with 230 additions and 52 deletions.
diff --git a/terraform/environments/portal/acm_certificate.tf b/terraform/environments/portal/acm_certificate.tf
@@ -0,0 +1,51 @@
+resource "aws_acm_certificate" "legalservices_cert" {
+  domain_name = "${local.application_data.accounts[local.environment].acm_domain_name}"
+  subject_alternative_names = ["${local.application_data.accounts[local.environment].acm_alt_domain_name}"]
+  validation_method = "DNS"
+
+
+   tags = merge(
+    local.tags,
+    { Name = "laa-${local.application_name}-${local.environment}" }
+  )
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route53_record" "external_lb_validation_core_network_services" {
+  provider = aws.core-network-services
+  for_each = {
+    for key, value in local.external_lb_validation_records : key => value if value.zone.provider == "core-network-services"
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+
+  # NOTE: value.zone is null indicates the validation zone could not be found
+  # Ensure route53_zones variable contains the given validation zone or
+  # explicitly provide the zone details in the validation variable.
+  zone_id = each.value.zone.zone_id
+
+  depends_on = [
+    aws_acm_certificate.legalservices_cert
+  ]
+}
+
+
+resource "aws_acm_certificate_validation" "external_lb_certificate_validation" {
+  count           = (length(local.validation_records_external_lb) == 0 || local.external_validation_records_created) ? 1 : 0
+  certificate_arn = aws_acm_certificate.legalservices_cert.arn
+  validation_record_fqdns = [
+    for key, value in local.validation_records_external_lb : replace(value.name, "/\\.$/", "")
+  ]
+  depends_on = [
+    aws_route53_record.external_lb_validation_core_network_services
+    # aws_route53_record.external_lb_validation_core_vpc,
+    # aws_route53_record.external_lb_validation_self
+  ]
+}
diff --git a/terraform/environments/portal/application_variables.json b/terraform/environments/portal/application_variables.json
@@ -33,8 +33,9 @@
       "lb_access_logs_existing_bucket_name": "",
       "url": "s3://laa-portal-development-archive-mp",
       "maintenance_window_name": "diagnostics-log-archive-poc",
-      "hosted_zone": "aws.dev.legalservices.gov.uk"
-
+      "hosted_zone": "aws.dev.legalservices.gov.uk",
+      "acm_domain_name": "dev.legalservices.gov.uk",
+      "acm_alt_domain_name": "*.dev.legalservices.gov.uk"
 
     },
     "test": {
@@ -53,7 +54,8 @@
       "ohs_instance_type": "m5.xlarge",
       "url": "s3://laa-portal-production-archive-mp",
       "maintenance_window_name": "diagnostics-log-archive-production",
-      "hosted_zone": "aws.prd.legalservices.gov.uk"
+      "hosted_zone": "aws.prd.legalservices.gov.uk",
+      "acm_domain_name": "legalservices.gov.uk"
     }
   }
 }
diff --git a/terraform/environments/portal/data.tf b/terraform/environments/portal/data.tf
@@ -1,9 +1,32 @@
 data "aws_route53_zone" "portal-dev-private" {
+  for_each = local.core_network_services_domains_private
   provider = aws.core-network-services
 
   name         = "dev.legalservices.gov.uk."
   private_zone = true
 }
 
+data "aws_route53_zone" "core_network_services" {
+  for_each = local.core_network_services_domains
 
+  provider = aws.core-network-services
+
+  name         = each.value.zone_name
+  private_zone = false
+}
+
+data "aws_route53_zone" "core_vpc" {
+  for_each = local.core_vpc_domains
+
+  provider = aws.core-vpc
 
+  name         = each.value.zone_name
+  private_zone = false
+}
+
+data "aws_route53_zone" "self" {
+  for_each = local.self_domains
+
+  name         = each.value.zone_name
+  private_zone = false
+}
diff --git a/terraform/environments/portal/locals.tf b/terraform/environments/portal/locals.tf
@@ -15,4 +15,90 @@ locals {
   # Temp local variable for environments where we wish to build out the EBS to be transfered to EFS
   ebs_conditional = ["testing", "preproduction", "production"]
 
+  external_lb_validation_records = {
+    for dvo in aws_acm_certificate.legalservices_cert.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+      zone = lookup(
+        local.route53_zones,
+        dvo.domain_name,
+        lookup(
+          local.route53_zones,
+          replace(dvo.domain_name, "/^[^.]*./", ""),
+          lookup(
+            local.route53_zones,
+            replace(dvo.domain_name, "/^[^.]*.[^.]*./", ""),
+            { provider = "external" }
+      )))
+    }
+  }
+
+
+   route53_zones = merge({
+    for key, value in data.aws_route53_zone.core_network_services : key => merge(value, {
+      provider = "core-network-services"
+    })
+    }, {
+    for key, value in data.aws_route53_zone.core_vpc : key => merge(value, {
+      provider = "core-vpc"
+    })
+    }, {
+    for key, value in data.aws_route53_zone.self : key => merge(value, {
+      provider = "self"
+    })
+    }, {
+    for key, value in data.aws_route53_zone.portal-dev-private : key => merge(value, {
+      provider = "core-network-services"
+    })
+    })
+
+   validation_records_external_lb = {
+    for key, value in local.external_lb_validation_records : key => {
+      name   = value.name
+      record = value.record
+      type   = value.type
+    } if value.zone.provider == "external"
+  }
+
+    external_validation_records_created = false
+
+   core_network_services_domains = {
+    for domain, value in local.validation : domain => value if value.account == "core-network-services"
+  }
+  core_network_services_domains_private = {
+   for domain, value in local.validation : domain => value if value.account == "core-network-services-private"
+ }
+  core_vpc_domains = {
+    for domain, value in local.validation : domain => value if value.account == "core-vpc"
+  }
+  self_domains = {
+    for domain, value in local.validation : domain => value if value.account == "self"
+  }
+
+    non_prod_validation = {
+    "modernisation-platform.service.justice.gov.uk" = {
+      account   = "core-network-services"
+      zone_name = "modernisation-platform.service.justice.gov.uk."
+    }
+    "${local.application_name}.${var.networking[0].business-unit}-${local.environment}.${local.application_data.accounts[local.environment].acm_domain_name}" = {
+      account   = "core-vpc"
+      zone_name = "${local.vpc_name}-${local.environment}.modernisation-platform.service.justice.gov.uk."
+    }
+   "${local.application_data.accounts[local.environment].acm_domain_name}" = {
+      account   = "core-network-services-private"
+      zone_name = "${local.application_data.accounts[local.environment].acm_domain_name}"
+    }
+
+  }
+
+  prod_validation = {
+    "${local.application_data.accounts[local.environment].acm_domain_name}" = {
+      account   = "core-network-services"
+      zone_name = "${local.application_data.accounts[local.environment].acm_domain_name}"
+    }
+  }
+
+validation = local.environment == "production" ? local.prod_validation : local.non_prod_validation
+
 }