CCM-11701: SSL Module

Author: jamesthompson26-nhs

infrastructure/modules/ssl/README.md

@@ -0,0 +1,30 @@
+<!-- BEGIN_TF_DOCS -->
+<!-- markdownlint-disable -->
+<!-- vale off -->
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.10.1 |
+| <a name="requirement_tls"></a> [tls](#requirement\_tls) | 4.0.5 |
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_module"></a> [module](#input\_module) | The variable encapsulating the name of this module | `string` | `"fe"` | no |
+| <a name="input_parameter_bundle"></a> [parameter\_bundle](#input\_parameter\_bundle) | Contains all of the default parameters needed by any module in this project | <pre>object(<br/>    {<br/>      project                             = string<br/>      environment                         = string<br/>      component                           = string<br/>      group                               = string<br/>      region                              = string<br/>      account_ids                         = map(string)<br/>      account_name                        = string<br/>      default_kms_deletion_window_in_days = number<br/>      default_tags                        = map(string)<br/>      iam_resource_arns                   = map(string)<br/>      target_env                          = map(any)<br/>      cicd_bucket_name                    = string<br/>      pipeline_overrides                  = map(any)<br/>      cloudwatch_options                  = map(bool)<br/>      cloudwatch_metric_thresholds        = map(map(string))<br/>      terraform_root_dir                  = string<br/>    }<br/>  )</pre> | n/a | yes |
+| <a name="input_truststore_s3_bucket"></a> [truststore\_s3\_bucket](#input\_truststore\_s3\_bucket) | The id of the mgmt truststore s3 bucket | `string` | n/a | yes |
+## Modules
+
+No modules.
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cacert_pem"></a> [cacert\_pem](#output\_cacert\_pem) | Truststore |
+| <a name="output_server_crt"></a> [server\_crt](#output\_server\_crt) | Server Certificate |
+| <a name="output_server_key"></a> [server\_key](#output\_server\_key) | Server Key |
+<!-- vale on -->
+<!-- markdownlint-enable -->
+<!-- END_TF_DOCS -->

infrastructure/modules/ssl/locals.tf

@@ -0,0 +1,35 @@
+locals {
+  # Compound Scope Identifier
+  csi = replace(
+    format(
+      "%s-%s-%s-%s",
+      var.parameter_bundle.project,
+      var.parameter_bundle.environment,
+      var.parameter_bundle.component,
+      var.module,
+    ),
+    "_",
+    "",
+  )
+
+  # CSI for use in resources with a global namespace, i.e. S3 Buckets
+  csi_global = replace(
+    format(
+      "%s-%s-%s-%s-%s-%s",
+      var.parameter_bundle.project,
+      local.this_account,
+      var.parameter_bundle.region,
+      var.parameter_bundle.environment,
+      var.parameter_bundle.component,
+      var.module,
+    ),
+    "_",
+    "",
+  )
+
+  default_tags = {
+    Module = var.module,
+  }
+
+  this_account = var.parameter_bundle.account_ids[var.parameter_bundle.account_name]
+}

infrastructure/modules/ssl/module_ssm_parameters.tf

@@ -0,0 +1,39 @@
+resource "aws_ssm_parameter" "server_key" {
+  name  = format("/%s/%s/${var.module}/server-key", var.parameter_bundle.project, var.parameter_bundle.environment)
+  type  = "SecureString"
+  value = tls_private_key.integration_testing_client_key.private_key_pem
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_ssm_parameter" "server_crt" {
+  name  = format("/%s/%s/${var.module}/server-crt", var.parameter_bundle.project, var.parameter_bundle.environment)
+  type  = "SecureString"
+  value = tls_locally_signed_cert.integration_testing_client_cert.cert_pem
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_ssm_parameter" "ca_crt" {
+  name  = format("/%s/%s/${var.module}/ca-crt", var.parameter_bundle.project, var.parameter_bundle.environment)
+  type  = "SecureString"
+  value = tls_self_signed_cert.ca_cert.cert_pem
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_ssm_parameter" "ca_key" {
+  name  = format("/%s/%s/${var.module}/ca-key", var.parameter_bundle.project, var.parameter_bundle.environment)
+  type  = "SecureString"
+  value = tls_private_key.ca_key.private_key_pem
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}

infrastructure/modules/ssl/outputs.tf

@@ -0,0 +1,17 @@
+output "server_crt" {
+  description = "Server Certificate"
+  value       = tls_locally_signed_cert.integration_testing_client_cert.cert_pem
+  sensitive   = true
+}
+
+output "server_key" {
+  description = "Server Key"
+  value       = tls_private_key.integration_testing_client_key.private_key_pem
+  sensitive   = true
+}
+
+output "cacert_pem" {
+  description = "Truststore"
+  value       = tls_self_signed_cert.ca_cert.cert_pem
+  sensitive   = true
+}

infrastructure/modules/ssl/providers.tf

@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.0.5"
+    }
+  }
+}

infrastructure/modules/ssl/tls_cert_request_server_csr.tf

@@ -0,0 +1,19 @@
+resource "tls_cert_request" "server_csr" {
+
+  private_key_pem = tls_private_key.integration_testing_client_key.private_key_pem
+
+  dns_names = ["${var.module}.${var.parameter_bundle.environment}.communications.national.nhs.uk"]
+
+  subject {
+    country             = "GB"
+    province            = "West Yorkshire"
+    locality            = "Leeds"
+    common_name         = "${var.module}.${var.parameter_bundle.environment}.communications.national.nhs.uk"
+    organization        = "NHS England"
+    organizational_unit = "NHS Notify"
+  }
+
+  depends_on = [
+    tls_private_key.integration_testing_client_key,
+  ]
+}

infrastructure/modules/ssl/tls_locally_signed_cert_server_cert.tf

@@ -0,0 +1,21 @@
+resource "tls_locally_signed_cert" "integration_testing_client_cert" {
+  cert_request_pem   = tls_cert_request.server_csr.cert_request_pem
+  ca_private_key_pem = tls_private_key.ca_key.private_key_pem
+  ca_cert_pem        = tls_self_signed_cert.ca_cert.cert_pem
+
+  validity_period_hours = 8760
+
+  allowed_uses = [
+    "digital_signature",
+    "key_encipherment",
+    "server_auth",
+    "client_auth",
+  ]
+
+  depends_on = [
+    tls_private_key.ca_key,
+    tls_self_signed_cert.ca_cert,
+    tls_private_key.integration_testing_client_key,
+    tls_cert_request.server_csr
+  ]
+}

infrastructure/modules/ssl/tls_private_key_ca_key.tf

@@ -0,0 +1,4 @@
+resource "tls_private_key" "ca_key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}

infrastructure/modules/ssl/tls_private_key_server_key.tf

@@ -0,0 +1,4 @@
+resource "tls_private_key" "integration_testing_client_key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}

infrastructure/modules/ssl/tls_self_signed_cert_ca_cert.tf

@@ -0,0 +1,22 @@
+resource "tls_self_signed_cert" "ca_cert" {
+  private_key_pem = tls_private_key.ca_key.private_key_pem
+
+  is_ca_certificate = true
+
+  subject {
+    country             = "GB"
+    province            = "West Yorkshire"
+    locality            = "Leeds"
+    common_name         = "${var.module}.${var.parameter_bundle.environment}-ca.communications.national.nhs.uk"
+    organization        = "NHS England"
+    organizational_unit = "NHS Notify"
+  }
+
+  validity_period_hours = 17520
+
+  allowed_uses = [
+    "digital_signature",
+    "cert_signing",
+    "crl_signing",
+  ]
+}