[PRMP-786] Add CloudFront and Lambda@Edge to Allow Pre-signed URLs

.github/workflows/cleanup-cloudfront-edge-associations.yml

@@ -0,0 +1,91 @@
+name: 'Remove Lambda@Edge Associations'
+
+on:
+  workflow_call:
+    inputs:
+      sandbox_workspace:
+        description: 'The sandbox workspace name'
+        required: true
+        type: string
+      environment:
+        required: true
+        type: string
+      lambda_function_name:
+        description: 'The sandbox workspace name'
+        required: true
+        type: string
+      python_version:
+        description: 'Version of Python to run the cleanup script against'
+        required: true
+        type: 'string'
+      build_branch:
+        description: 'Feature branch to push to sandbox.'
+        required: true
+        type: 'string'
+    secrets:
+      AWS_ASSUME_ROLE:
+        required: true
+
+permissions:
+  pull-requests: write
+  id-token: write # Required for requesting the JWT
+  contents: read # Required for actions/checkout
+
+jobs:
+  remove_edge_associations:
+    name: Remove Lambda@Edge Associations
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Display passed variables
+        run: |
+          echo Python Version: ${{ inputs.python_version }}
+          echo Build Branch: ${{ inputs.build_branch }}
+          echo Environment: ${{ inputs.environment }}
+          echo Sandbox: ${{ inputs.sandbox_workspace }}
+          echo Lambda Function Name: ${{ inputs.lambda_function_name }}
+
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          repository: 'nhsconnect/national-document-repository-infrastructure'
+          ref: ${{ inputs.build_branch }}
+          fetch-depth: '0'
+
+      - name: Set up Python ${{ inputs.python_version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ inputs.python_version }}
+
+      - name: Configure AWS Credentials for ${{ vars.AWS_REGION }}
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Get CloudFront Distribution ID
+        id: cloudfront
+        run: |
+          aws cloudfront list-distributions > distributions.json
+          distribution_id=$(jq -r --arg origin_id "${{ inputs.sandbox_workspace }}-lloyd-george-store" \
+          '.DistributionList.Items[] | select(.Origins.Items[].Id==$origin_id) | .Id' distributions.json | head -n 1)
+
+          if [ -z "$distribution_id" ]; then
+            echo "No distribution found for origin ID: ${{ inputs.sandbox_workspace }}-lloyd-george-store"
+            exit 1
+          fi
+
+          echo "Distribution ID found: $distribution_id"
+          echo "DISTRIBUTION_ID=$distribution_id" >> $GITHUB_ENV
+
+      - name: Install Python Dependencies
+        run: |
+          python3 -m venv ./venv
+          ./venv/bin/pip3 install --upgrade pip boto3==1.33.11
+
+      - name: Remove Lambda@Edge & CloudFront Associations
+        run: ./venv/bin/python3 -u scripts/remove_edge_associations.py
+        env:
+          DISTRIBUTION_ID: ${{ env.DISTRIBUTION_ID }}
+          LAMBDA_FUNCTION_NAME: ${{ inputs.lambda_function_name }}

.github/workflows/terraform-deploy-feature-to-sandbox.yml

@@ -13,10 +13,10 @@ on:
         required: true
         type: 'string'
       environment:
-        default: "development"
-        description: "Which environment should this run against"
+        default: 'development'
+        description: 'Which environment should this run against'
         required: true
-        type: "string"
+        type: 'string'
 
 permissions:
   pull-requests: write

.github/workflows/terraform-destroy-dev-environments-cron.yml

@@ -7,16 +7,31 @@ on:
 permissions:
   pull-requests: write
   id-token: write # This is required for requesting the JWT
-  contents: read  # This is required for actions/checkout
-    
+  contents: read # This is required for actions/checkout
+
 jobs:
+  remove_edge_associations:
+    name: Remove Lambda@Edge Associations
+    uses: ./.github/workflows/cleanup-cloudfront-edge-associations.yml
+    strategy:
+      matrix:
+        # Update with new sandbox environments here
+        sandbox-name: [ndra, ndrb, ndrc, ndrd]
+    with:
+      sandbox_workspace: ${{ matrix.sandbox-name }}
+      lambda_function_name: '${{ matrix.sandbox-name }}_EdgePresignLambda'
+      python_version: 3.11
+      build_branch: main
+      environment: development
+    secrets:
+      AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
   cleanup_versions_process:
     name: Cleanup Versions Process
     uses: ./.github/workflows/cleanup-appconfig-and-lambda-layer-versions.yml
     strategy:
       matrix:
         # Update with new sandbox environments here
-        sandbox-name: [ ndra, ndrb, ndrc, ndrd ]
+        sandbox-name: [ndra, ndrb, ndrc, ndrd]
     with:
       build_branch: main
       environment: development
@@ -33,46 +48,70 @@ jobs:
     strategy:
       matrix:
         # Can't use an env var here unfortunately, we will have to update here with new sandbox environments
-        sandbox-name: [ ndra, ndrb, ndrc, ndrd ]
+        sandbox-name: [ndra, ndrb, ndrc, ndrd]
 
     steps:
-    # Checkout the repository to the GitHub Actions runner
-    - name: Checkout
-      uses: actions/checkout@v3
-      with:
-        ref: main
-
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v2
-      with:
-        role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
-        role-skip-session-tagging: true
-        aws-region: ${{ vars.AWS_REGION }}
-
-    - name: View AWS Role
-      run: aws sts get-caller-identity
-
-    # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
-    - name: Setup Terraform
-      uses: hashicorp/setup-terraform@v2
-      with:
-        terraform_version: 1.5.4
-        terraform_wrapper: false
-
-    - name: Terraform Init
-      id: init
-      run: terraform init -backend-config=backend.conf
-      working-directory: ./infrastructure 
-      shell: bash
-
-    - name: Terraform Set Workspace
-      id: workspace
-      run:  terraform workspace select ${{ matrix.sandbox-name }}
-      working-directory: ./infrastructure 
-      shell: bash
-
-    - name: Terraform Destroy 
-      run: terraform destroy -auto-approve -var-file="${{vars.TF_VARS_FILE}}"
-      working-directory: ./infrastructure
-
-
+      # Checkout the repository to the GitHub Actions runner
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: main
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: View AWS Role
+        run: aws sts get-caller-identity
+
+      # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.5.4
+          terraform_wrapper: false
+
+      - name: Terraform Init
+        id: init
+        run: terraform init -backend-config=backend.conf
+        working-directory: ./infrastructure
+        shell: bash
+
+      - name: Terraform Set Workspace
+        id: workspace
+        run: terraform workspace select ${{ matrix.sandbox-name }}
+        working-directory: ./infrastructure
+        shell: bash
+
+      - name: Get CloudFront Distribution ID
+        id: cloudfront
+        run: |
+          aws cloudfront list-distributions > distributions.json
+          distribution_id=$(jq -r --arg origin_id "${{ matrix.sandbox-name }}-lloyd-george-store" \
+          '.DistributionList.Items[] | select(.Origins.Items[].Id==$origin_id) | .Id' distributions.json | head -n 1)
+
+          echo "Distribution ID found: $distribution_id"
+          echo "DISTRIBUTION_ID=$distribution_id" >> $GITHUB_ENV
+
+      # Install dependencies for Python scripts
+      - name: Install Python and Dependencies
+        id: dependencies
+        run: |
+          python3 -m venv ./venv
+          ./venv/bin/pip3 install --upgrade pip
+          ./venv/bin/pip3 install boto3==1.33.11
+
+      # Run script to remove Lambda@Edge associations
+      - name: Remove Lambda@Edge & CloudFront associations
+        id: lambda
+        run: ./venv/bin/python3 -u scripts/remove_edge_associations.py ${{ matrix.sandbox-name }}
+        env:
+          LAMBDA_FUNCTION_NAME: '$${{ matrix.sandbox-name }}_EdgePresignLambda'
+
+      - name: Terraform Destroy
+        id: destroy
+        run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}"
+        working-directory: ./infrastructure

.github/workflows/terraform-destroy-environment-manual.yml

@@ -1,97 +1,82 @@
+# .github/workflows/destroy.yml
+
 name: 'Destroy (Select Account) Environment'
 
 on:
   workflow_dispatch:
     inputs:
       build_branch:
-        default: "main"
-        description: "Feature branch to push to sandbox."
+        default: 'main'
+        description: 'Branch to use for the destroy action.'
         required: true
-        type: "string"
       sandbox_workspace:
-        description: "Which Sandbox to push destroy."
+        description: 'The sandbox workspace to destroy.'
         required: true
-        type: "string"
       terraform_vars:
-        default: "dev.tfvars"
-        description: "Which vars file is required? For test, change to test.tfvars"
+        default: 'dev.tfvars'
+        description: 'Terraform vars file to use.'
         required: true
-        type: "string"
       environment:
-        default: "development"
-        description: "Which environment should this run against"
+        default: 'development'
+        description: 'Environment for destruction.'
         required: true
-        type: "string"
       backend:
-        default: "backend.conf"
-        description: "Which backend configuration should be used?"
+        default: 'backend.conf'
+        description: 'Terraform backend configuration.'
         required: true
-        type: "string"
 
 permissions:
   pull-requests: write
-  id-token: write # This is required for requesting the JWT
-  contents: read  # This is required for actions/checkout
-    
+  id-token: write
+  contents: read
+
 jobs:
-  cleanup_versions_process:
-    name: Cleanup Versions Process
-    uses: ./.github/workflows/cleanup-appconfig-and-lambda-layer-versions.yml
+  remove_edge_associations:
+    name: Remove Lambda@Edge Associations
+    uses: ./.github/workflows/cleanup-cloudfront-edge-associations.yml
     with:
-      build_branch: ${{ inputs.build_branch }}
-      sandbox: ${{ inputs.sandbox_workspace }}
-      environment: ${{ inputs.environment }}
+      sandbox_workspace: ${{ inputs.sandbox_workspace }}
+      lambda_function_name: '${{ inputs.sandbox_workspace }}_EdgePresignLambda'
       python_version: 3.11
+      build_branch: ${{ inputs.build_branch }}
+      environment: ${{ inputs.environment}}
     secrets:
       AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
 
   terraform_destroy_process:
     name: Terraform Destroy Process
     runs-on: ubuntu-latest
+    needs: [remove_edge_associations] # Ensure this runs after Lambda@Edge removal
     environment: ${{ github.event.inputs.environment }}
-    needs: [cleanup_versions_process]
 
     steps:
-    # Checkout the repository to the GitHub Actions runner
-    - name: Checkout
-      uses: actions/checkout@v3
-      with:
-        ref: ${{ github.event.inputs.build_branch}}
-        repository: 'nhsconnect/national-document-repository-infrastructure'
-        fetch-depth: '0'
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.inputs.build_branch }}
 
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v2
-      with:
-        role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
-        role-skip-session-tagging: true
-        aws-region: ${{ vars.AWS_REGION }}
-
-    - name: View AWS Role
-      run: aws sts get-caller-identity
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
 
+      - name: View AWS Role
+        run: aws sts get-caller-identity
 
-    # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
-    - name: Setup Terraform
-      uses: hashicorp/setup-terraform@v2
-      with:
-        terraform_version: 1.5.4
-        terraform_wrapper: false
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.5.4
 
-    - name: Terraform Init
-      id: init
-      run: terraform init -backend-config=${{ github.event.inputs.backend }}
-      working-directory: ./infrastructure
-      shell: bash
+      - name: Terraform Init
+        run: terraform init -backend-config=${{ github.event.inputs.backend }}
+        working-directory: ./infrastructure
 
-    - name: Terraform Set Workspace
-      id: workspace
-      run:  terraform workspace select ${{ github.event.inputs.sandbox_workspace}}
-      working-directory: ./infrastructure
-      shell: bash
+      - name: Set Terraform Workspace
+        run: terraform workspace select ${{ inputs.sandbox_workspace }}
+        working-directory: ./infrastructure
 
-    - name: Terraform Destroy
-      run: terraform destroy -auto-approve -var-file="${{ github.event.inputs.terraform_vars }}"
-      working-directory: ./infrastructure
-
-
+      - name: Terraform Destroy
+        run: terraform destroy -auto-approve -var-file="${{ github.event.inputs.terraform_vars }}"
+        working-directory: ./infrastructure