CCM-11701: SSL Module

jamesthompson26-nhs · jamesthompson26-nhs · commit 4fed600e5ea6 · 2025-08-15T12:15:35.000+01:00
diff --git a/infrastructure/modules/ssl/README.md b/infrastructure/modules/ssl/README.md
@@ -12,8 +12,19 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_module"></a> [module](#input\_module) | The variable encapsulating the name of this module | `string` | `"fe"` | no |
-| <a name="input_parameter_bundle"></a> [parameter\_bundle](#input\_parameter\_bundle) | Contains all of the default parameters needed by any module in this project | <pre>object(<br/>    {<br/>      project                             = string<br/>      environment                         = string<br/>      component                           = string<br/>      group                               = string<br/>      region                              = string<br/>      account_ids                         = map(string)<br/>      account_name                        = string<br/>      default_kms_deletion_window_in_days = number<br/>      default_tags                        = map(string)<br/>      iam_resource_arns                   = map(string)<br/>      target_env                          = map(any)<br/>      cicd_bucket_name                    = string<br/>      pipeline_overrides                  = map(any)<br/>      cloudwatch_options                  = map(bool)<br/>      cloudwatch_metric_thresholds        = map(map(string))<br/>      terraform_root_dir                  = string<br/>    }<br/>  )</pre> | n/a | yes |
+| <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
+| <a name="input_component"></a> [component](#input\_component) | The name of the tfscaffold component | `string` | n/a | yes |
+| <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | A unique name to distinguish this module invocation from others within the same CSI scope | `string` | n/a | yes |
+| <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
+| <a name="input_subject_common_name"></a> [subject\_common\_name](#input\_subject\_common\_name) | Common name for certificate subject | `string` | n/a | yes |
+| <a name="input_subject_country"></a> [subject\_country](#input\_subject\_country) | Country for certificate subject | `string` | `"GB"` | no |
+| <a name="input_subject_locality"></a> [subject\_locality](#input\_subject\_locality) | Locality for certificate subject | `string` | `"Leeds"` | no |
+| <a name="input_subject_organization"></a> [subject\_organization](#input\_subject\_organization) | Organization for certificate subject | `string` | `"NHS England"` | no |
+| <a name="input_subject_organizational_unit"></a> [subject\_organizational\_unit](#input\_subject\_organizational\_unit) | Organizational unit for certificate subject | `string` | `"NHS Notify"` | no |
+| <a name="input_subject_province"></a> [subject\_province](#input\_subject\_province) | Province for certificate subject | `string` | `"West Yorkshire"` | no |
 | <a name="input_truststore_s3_bucket"></a> [truststore\_s3\_bucket](#input\_truststore\_s3\_bucket) | The id of the mgmt truststore s3 bucket | `string` | n/a | yes |
 ## Modules
 
@@ -27,4 +38,4 @@ No modules.
 | <a name="output_server_key"></a> [server\_key](#output\_server\_key) | Server Key |
 <!-- vale on -->
 <!-- markdownlint-enable -->
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->
diff --git a/infrastructure/modules/ssl/locals.tf b/infrastructure/modules/ssl/locals.tf
@@ -1,35 +1,24 @@
 locals {
+  module = "ssl"
+
   # Compound Scope Identifier
   csi = replace(
     format(
       "%s-%s-%s-%s",
-      var.parameter_bundle.project,
-      var.parameter_bundle.environment,
-      var.parameter_bundle.component,
-      var.module,
+      var.project,
+      var.environment,
+      var.component,
+      var.name
     ),
     "_",
     "",
   )
 
-  # CSI for use in resources with a global namespace, i.e. S3 Buckets
-  csi_global = replace(
-    format(
-      "%s-%s-%s-%s-%s-%s",
-      var.parameter_bundle.project,
-      local.this_account,
-      var.parameter_bundle.region,
-      var.parameter_bundle.environment,
-      var.parameter_bundle.component,
-      var.module,
-    ),
-    "_",
-    "",
+  default_tags = merge(
+    var.default_tags,
+    {
+      Module = local.module
+      Name   = local.csi
+    },
   )
-
-  default_tags = {
-    Module = var.module,
-  }
-
-  this_account = var.parameter_bundle.account_ids[var.parameter_bundle.account_name]
 }
diff --git a/infrastructure/modules/ssl/module_ssm_parameters.tf b/infrastructure/modules/ssl/module_ssm_parameters.tf
@@ -1,5 +1,5 @@
 resource "aws_ssm_parameter" "server_key" {
-  name  = format("/%s/%s/${var.module}/server-key", var.parameter_bundle.project, var.parameter_bundle.environment)
+  name  = format("/%s/%s/${local.module}/server-key", var.project, var.environment)
   type  = "SecureString"
   value = tls_private_key.integration_testing_client_key.private_key_pem
 
@@ -9,7 +9,7 @@ resource "aws_ssm_parameter" "server_key" {
 }
 
 resource "aws_ssm_parameter" "server_crt" {
-  name  = format("/%s/%s/${var.module}/server-crt", var.parameter_bundle.project, var.parameter_bundle.environment)
+  name  = format("/%s/%s/${local.module}/server-crt", var.project, var.environment)
   type  = "SecureString"
   value = tls_locally_signed_cert.integration_testing_client_cert.cert_pem
 
@@ -19,7 +19,7 @@ resource "aws_ssm_parameter" "server_crt" {
 }
 
 resource "aws_ssm_parameter" "ca_crt" {
-  name  = format("/%s/%s/${var.module}/ca-crt", var.parameter_bundle.project, var.parameter_bundle.environment)
+  name  = format("/%s/%s/${local.module}/ca-crt", var.project, var.environment)
   type  = "SecureString"
   value = tls_self_signed_cert.ca_cert.cert_pem
 
@@ -29,7 +29,7 @@ resource "aws_ssm_parameter" "ca_crt" {
 }
 
 resource "aws_ssm_parameter" "ca_key" {
-  name  = format("/%s/%s/${var.module}/ca-key", var.parameter_bundle.project, var.parameter_bundle.environment)
+  name  = format("/%s/%s/${local.module}/ca-key", var.project, var.environment)
   type  = "SecureString"
   value = tls_private_key.ca_key.private_key_pem
 
diff --git a/infrastructure/modules/ssl/tls_cert_request_server_csr.tf b/infrastructure/modules/ssl/tls_cert_request_server_csr.tf
@@ -2,15 +2,15 @@ resource "tls_cert_request" "server_csr" {
 
   private_key_pem = tls_private_key.integration_testing_client_key.private_key_pem
 
-  dns_names = ["${var.module}.${var.parameter_bundle.environment}.communications.national.nhs.uk"]
+  dns_names = [var.subject_common_name]
 
   subject {
-    country             = "GB"
-    province            = "West Yorkshire"
-    locality            = "Leeds"
-    common_name         = "${var.module}.${var.parameter_bundle.environment}.communications.national.nhs.uk"
-    organization        = "NHS England"
-    organizational_unit = "NHS Notify"
+    country             = var.subject_country
+    province            = var.subject_province
+    locality            = var.subject_locality
+    common_name         = var.subject_common_name
+    organization        = var.subject_organization
+    organizational_unit = var.subject_organizational_unit
   }
 
   depends_on = [
diff --git a/infrastructure/modules/ssl/tls_self_signed_cert_ca_cert.tf b/infrastructure/modules/ssl/tls_self_signed_cert_ca_cert.tf
@@ -4,12 +4,12 @@ resource "tls_self_signed_cert" "ca_cert" {
   is_ca_certificate = true
 
   subject {
-    country             = "GB"
-    province            = "West Yorkshire"
-    locality            = "Leeds"
-    common_name         = "${var.module}.${var.parameter_bundle.environment}-ca.communications.national.nhs.uk"
-    organization        = "NHS England"
-    organizational_unit = "NHS Notify"
+    country             = var.subject_country
+    province            = var.subject_province
+    locality            = var.subject_locality
+    common_name         = var.subject_common_name
+    organization        = var.subject_organization
+    organizational_unit = var.subject_organizational_unit
   }
 
   validity_period_hours = 17520
diff --git a/infrastructure/modules/ssl/variables.tf b/infrastructure/modules/ssl/variables.tf
@@ -1,34 +1,87 @@
-variable "module" {
-  type        = string
-  description = "The variable encapsulating the name of this module"
-  default     = "fe"
-}
-
-variable "parameter_bundle" {
-  type = object(
-    {
-      project                             = string
-      environment                         = string
-      component                           = string
-      group                               = string
-      region                              = string
-      account_ids                         = map(string)
-      account_name                        = string
-      default_kms_deletion_window_in_days = number
-      default_tags                        = map(string)
-      iam_resource_arns                   = map(string)
-      target_env                          = map(any)
-      cicd_bucket_name                    = string
-      pipeline_overrides                  = map(any)
-      cloudwatch_options                  = map(bool)
-      cloudwatch_metric_thresholds        = map(map(string))
-      terraform_root_dir                  = string
-    }
-  )
-  description = "Contains all of the default parameters needed by any module in this project"
+##
+# Basic Required Variables for tfscaffold Modules
+##
+
+variable "project" {
+  type        = string
+  description = "The name of the tfscaffold project"
+}
+
+variable "environment" {
+  type        = string
+  description = "The name of the tfscaffold environment"
+}
+
+variable "component" {
+  type        = string
+  description = "The name of the tfscaffold component"
+}
+
+variable "aws_account_id" {
+  type        = string
+  description = "The AWS Account ID (numeric)"
+}
+
+variable "region" {
+  type        = string
+  description = "The AWS Region"
+}
+
+##
+# tfscaffold variables specific to this module
+##
+
+variable "default_tags" {
+  type        = map(string)
+  description = "A map of default tags to apply to all taggable resources within the component"
+  default     = {}
 }
 
+##
+# Variables specific to this module
+##
+
 variable "truststore_s3_bucket" {
   type        = string
   description = "The id of the mgmt truststore s3 bucket"
 }
+
+variable "name" {
+  type        = string
+  description = "A unique name to distinguish this module invocation from others within the same CSI scope"
+}
+
+variable "subject_country" {
+  type        = string
+  description = "Country for certificate subject"
+  default     = "GB"
+}
+
+variable "subject_province" {
+  type        = string
+  description = "Province for certificate subject"
+  default     = "West Yorkshire"
+}
+
+variable "subject_locality" {
+  type        = string
+  description = "Locality for certificate subject"
+  default     = "Leeds"
+}
+
+variable "subject_common_name" {
+  type        = string
+  description = "Common name for certificate subject"
+}
+
+variable "subject_organization" {
+  type        = string
+  description = "Organization for certificate subject"
+  default     = "NHS England"
+}
+
+variable "subject_organizational_unit" {
+  type        = string
+  description = "Organizational unit for certificate subject"
+  default     = "NHS Notify"
+}
