Merge pull request #107 from NHSDigital/feature/CCM-11701_SSL_Module

CCM-11701: SSL Module

Author: aidenvaines-cgi

.github/actions/trivy/action.yaml

@@ -8,8 +8,13 @@ runs:
         components_exit_code=0
         modules_exit_code=0
 
-        ./scripts/terraform/trivy.sh ./infrastructure/terraform/components || components_exit_code=$?
-        ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$?
+        if [ -d ./infrastructure/terraform/components ]; then
+          ./scripts/terraform/trivy.sh ./infrastructure/terraform/components || components_exit_code=$?
+        fi
+
+        if [ -d ./infrastructure/terraform/modules ]; then
+          ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$?
+        fi
 
         if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
           echo "Trivy misconfigurations detected."

infrastructure/modules/ssl/README.md

@@ -0,0 +1,40 @@
+<!-- BEGIN_TF_DOCS -->
+<!-- markdownlint-disable -->
+<!-- vale off -->
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.10.1 |
+| <a name="requirement_tls"></a> [tls](#requirement\_tls) | 4.1.0 |
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
+| <a name="input_component"></a> [component](#input\_component) | The name of the tfscaffold component | `string` | n/a | yes |
+| <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | A unique name to distinguish this module invocation from others within the same CSI scope | `string` | n/a | yes |
+| <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
+| <a name="input_subject_common_name"></a> [subject\_common\_name](#input\_subject\_common\_name) | Common name for certificate subject | `string` | n/a | yes |
+| <a name="input_subject_country"></a> [subject\_country](#input\_subject\_country) | Country for certificate subject | `string` | `"GB"` | no |
+| <a name="input_subject_locality"></a> [subject\_locality](#input\_subject\_locality) | Locality for certificate subject | `string` | `"Leeds"` | no |
+| <a name="input_subject_organization"></a> [subject\_organization](#input\_subject\_organization) | Organization for certificate subject | `string` | `"NHS England"` | no |
+| <a name="input_subject_organizational_unit"></a> [subject\_organizational\_unit](#input\_subject\_organizational\_unit) | Organizational unit for certificate subject | `string` | `"NHS Notify"` | no |
+| <a name="input_subject_province"></a> [subject\_province](#input\_subject\_province) | Province for certificate subject | `string` | `"West Yorkshire"` | no |
+## Modules
+
+No modules.
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cacert_pem"></a> [cacert\_pem](#output\_cacert\_pem) | Truststore |
+| <a name="output_server_crt"></a> [server\_crt](#output\_server\_crt) | Server Certificate |
+| <a name="output_server_key"></a> [server\_key](#output\_server\_key) | Server Key |
+<!-- vale on -->
+<!-- markdownlint-enable -->
+<!-- END_TF_DOCS -->

infrastructure/modules/ssl/locals.tf

@@ -0,0 +1,24 @@
+locals {
+  module = "ssl"
+
+  # Compound Scope Identifier
+  csi = replace(
+    format(
+      "%s-%s-%s-%s",
+      var.project,
+      var.environment,
+      var.component,
+      var.name
+    ),
+    "_",
+    "",
+  )
+
+  default_tags = merge(
+    var.default_tags,
+    {
+      Module = local.module
+      Name   = local.csi
+    },
+  )
+}

infrastructure/modules/ssl/outputs.tf

@@ -0,0 +1,17 @@
+output "server_crt" {
+  description = "Server Certificate"
+  value       = tls_locally_signed_cert.integration_testing_client_cert.cert_pem
+  sensitive   = true
+}
+
+output "server_key" {
+  description = "Server Key"
+  value       = tls_private_key.integration_testing_client_key.private_key_pem
+  sensitive   = true
+}
+
+output "cacert_pem" {
+  description = "Truststore"
+  value       = tls_self_signed_cert.ca_cert.cert_pem
+  sensitive   = true
+}

infrastructure/modules/ssl/providers.tf

@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.1.0"
+    }
+  }
+}

infrastructure/modules/ssl/ssm_parameter_ca_crt.tf

@@ -0,0 +1,9 @@
+resource "aws_ssm_parameter" "ca_crt" {
+  name  = format("/%s/%s/${local.module}/ca-crt", var.project, var.environment)
+  type  = "SecureString"
+  value = tls_self_signed_cert.ca_cert.cert_pem
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}

infrastructure/modules/ssl/ssm_parameter_ca_key.tf

@@ -0,0 +1,9 @@
+resource "aws_ssm_parameter" "ca_key" {
+  name  = format("/%s/%s/${local.module}/ca-key", var.project, var.environment)
+  type  = "SecureString"
+  value = tls_private_key.ca_key.private_key_pem
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}

infrastructure/modules/ssl/ssm_parameter_server_crt.tf

@@ -0,0 +1,9 @@
+resource "aws_ssm_parameter" "server_crt" {
+  name  = format("/%s/%s/${local.module}/server-crt", var.project, var.environment)
+  type  = "SecureString"
+  value = tls_locally_signed_cert.integration_testing_client_cert.cert_pem
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}

infrastructure/modules/ssl/ssm_parameter_server_key.tf

@@ -0,0 +1,9 @@
+resource "aws_ssm_parameter" "server_key" {
+  name  = format("/%s/%s/${local.module}/server-key", var.project, var.environment)
+  type  = "SecureString"
+  value = tls_private_key.integration_testing_client_key.private_key_pem
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}

infrastructure/modules/ssl/tls_cert_request_server_csr.tf

@@ -0,0 +1,19 @@
+resource "tls_cert_request" "server_csr" {
+
+  private_key_pem = tls_private_key.integration_testing_client_key.private_key_pem
+
+  dns_names = [var.subject_common_name]
+
+  subject {
+    country             = var.subject_country
+    province            = var.subject_province
+    locality            = var.subject_locality
+    common_name         = var.subject_common_name
+    organization        = var.subject_organization
+    organizational_unit = var.subject_organizational_unit
+  }
+
+  depends_on = [
+    tls_private_key.integration_testing_client_key,
+  ]
+}