Merge branch 'main' into feature/CCM-15185-List-Letters-Queue

Author: stevebux

infrastructure/terraform/components/api/README.md

@@ -15,6 +15,8 @@ No requirements.
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"supapi"` | no |
 | <a name="input_core_account_id"></a> [core\_account\_id](#input\_core\_account\_id) | AWS Account ID for Core | `string` | `"000000000000"` | no |
 | <a name="input_core_environment"></a> [core\_environment](#input\_core\_environment) | Environment of Core | `string` | `"prod"` | no |
+| <a name="input_csoc_destination_account"></a> [csoc\_destination\_account](#input\_csoc\_destination\_account) | value of the CSOC destination account, if applicable. If null, CSOC destination account will not be added as a resource in the logging policy | `string` | `"000000000000"` | no |
+| <a name="input_csoc_log_forwarding"></a> [csoc\_log\_forwarding](#input\_csoc\_log\_forwarding) | Enable forwarding of API Gateway logs to CSOC | `bool` | `true` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_disable_gateway_execute_endpoint"></a> [disable\_gateway\_execute\_endpoint](#input\_disable\_gateway\_execute\_endpoint) | Disable the execution endpoint for the API Gateway | `bool` | `true` | no |
 | <a name="input_enable_alarms"></a> [enable\_alarms](#input\_enable\_alarms) | Enable CloudWatch alarms for this deployed environment | `bool` | `true` | no |

infrastructure/terraform/components/api/api_gateway_rest_api.tf

@@ -3,4 +3,8 @@ resource "aws_api_gateway_rest_api" "main" {
   body                         = local.openapi_spec
   description                  = "Suppliers API"
   disable_execute_api_endpoint = var.disable_gateway_execute_endpoint
+
+  lifecycle {
+    replace_triggered_by = [terraform_data.rest_api_security_policy]
+  }
 }

infrastructure/terraform/components/api/api_gateway_rest_api_tls.tf

@@ -0,0 +1,11 @@
+locals {
+  rest_api_security_policy      = "SecurityPolicy_TLS12_PFS_2025_EDGE"
+  rest_api_endpoint_access_mode = "STRICT"
+}
+
+resource "terraform_data" "rest_api_security_policy" {
+  input = {
+    security_policy      = local.rest_api_security_policy
+    endpoint_access_mode = local.rest_api_endpoint_access_mode
+  }
+}

infrastructure/terraform/components/api/cloudwatch_log_group_api_gateway_access.tf

@@ -10,3 +10,12 @@ resource "aws_cloudwatch_log_subscription_filter" "api_gateway_access" {
   filter_pattern  = ""
   destination_arn = local.destination_arn
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "api_gateway" {
+  count           = var.csoc_log_forwarding ? 1 : 0
+  name            = replace(aws_cloudwatch_log_group.api_gateway_access.name, "/", "-")
+  log_group_name  = aws_cloudwatch_log_group.api_gateway_access.name
+  role_arn        = data.aws_iam_role.csoc_subscription[0].arn
+  filter_pattern  = ""
+  destination_arn = local.csoc_api_gw_log_destination_arn
+}

infrastructure/terraform/components/api/data_iam_role_csoc_subscription.tf

@@ -0,0 +1,4 @@
+data "aws_iam_role" "csoc_subscription" {
+  count = var.csoc_log_forwarding ? 1 : 0
+  name  = "nhs-main-acct-api-log-subscription-role"
+}

infrastructure/terraform/components/api/locals.tf

@@ -7,6 +7,8 @@ locals {
   openapi_spec = templatefile("${path.module}/resources/spec.tmpl.json", {
     APIG_EXECUTION_ROLE_ARN    = aws_iam_role.api_gateway_execution_role.arn
     AWS_REGION                 = var.region
+    SECURITY_POLICY            = local.rest_api_security_policy
+    ENDPOINT_ACCESS_MODE       = local.rest_api_endpoint_access_mode
     AUTHORIZER_LAMBDA_ARN      = module.authorizer_lambda.function_arn
     GET_LETTER_LAMBDA_ARN      = module.get_letter.function_arn
     GET_LETTERS_LAMBDA_ARN     = module.get_letters.function_arn
@@ -40,4 +42,9 @@ locals {
 
   event_cache_bucket_name          = lookup(module.eventpub.s3_bucket_event_cache, "bucket", null)
   eventsub_event_cache_bucket_name = lookup(module.eventsub.s3_bucket_event_cache, "bucket", null)
+
+  csoc_api_gw_log_destination_arn = format("arn:aws:logs:%s:%s:destination:api_gateway_log_destination",
+    var.region,
+    var.csoc_destination_account
+  )
 }

infrastructure/terraform/components/api/resources/spec.tmpl.json

@@ -307,5 +307,7 @@
         }
       }
     }
-  }
+  },
+  "x-amazon-apigateway-endpoint-access-mode": "${ENDPOINT_ACCESS_MODE}",
+  "x-amazon-apigateway-security-policy": "${SECURITY_POLICY}"
 }

infrastructure/terraform/components/api/variables.tf

@@ -229,3 +229,15 @@ variable "event_anomaly_band_width" {
   description = "The width of the anomaly detection band. Higher values (e.g. 4-6) reduce sensitivity and noise, lower values (e.g. 2-3) increase sensitivity. Recommended: 2-4."
   default     = 4
 }
+
+variable "csoc_log_forwarding" {
+  type        = bool
+  description = "Enable forwarding of API Gateway logs to CSOC"
+  default     = true
+}
+
+variable "csoc_destination_account" {
+  type        = string
+  description = "value of the CSOC destination account, if applicable. If null, CSOC destination account will not be added as a resource in the logging policy"
+  default     = "000000000000"
+}

scripts/config/markdownlint.yaml

@@ -0,0 +1,11 @@
+# SEE: https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md013.md
+MD013: false
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md024.md
+MD024:
+  siblings_only: true
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md033.md
+MD033: false