Merge pull request #1834 from govuk-one-login/AUT-2968

AUT-2968 - Frontend DNS for secure pipeline migrated build account

.github/workflows/deploy-frontend-sp.yml

@@ -3,7 +3,7 @@ name: Deploy frontend (with SAM Deploy Pipeline)
 on:
   push:
     branches:
-      - AUT-2930
+      - AUT-2968
   workflow_dispatch:
 
 jobs:
@@ -36,6 +36,7 @@ jobs:
           artifact-bucket-name: ${{ secrets.ARTIFACT_SOURCE_BUCKET_NAME }}
           ecr-repo-name: ${{ secrets.FRONTEND_ECR_REPOSITORY }}
           checkout-repo: false
+          template-file: cloudformation/template.yaml
           private-docker-registry: khw46367.live.dynatrace.com
           private-docker-login-username: khw46367
           private-docker-login-password: ${{ secrets.DYNATRACE_PAAS_TOKEN }}

cloudformation/domains.yaml

@@ -0,0 +1,148 @@
+AWSTemplateFormatVersion: "2010-09-09"
+
+Description: >-
+  Creates the necessary components for Authentication Frontend application secure pipeline migration testing
+
+Parameters:
+  Environment:
+    Description: The name of the environment to deploy to
+    Type: String
+    AllowedValues:
+      - build
+      - staging
+
+Resources:
+  #
+  # auth
+  #
+  AccountsAuthHostedZone:
+    Type: AWS::Route53::HostedZone
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
+    Properties:
+      Name: !Sub auth-sp.${Environment}.account.gov.uk
+
+  AccountsAuthCertificate:
+    Type: AWS::CertificateManager::Certificate
+    Properties:
+      DomainName: !Sub auth-sp.${Environment}.account.gov.uk
+      DomainValidationOptions:
+        - DomainName: !Sub auth-sp.${Environment}.account.gov.uk
+          HostedZoneId: !GetAtt AccountsAuthHostedZone.Id
+      ValidationMethod: DNS
+
+  AccountsAuthCertificateArnSSM:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Description: The Auth subdomain Certificate ARN
+      Name: !Sub "/${Environment}/Infra/ACM/Certificate/Auth/ARN"
+      Type: String
+      Value: !Ref AccountsAuthCertificate
+      Tags:
+        Environment: !Ref Environment
+        Application: "auth-frontend"
+        Source: govuk-one-login/authentication-frontend/cloudformation/domains.yaml
+
+  #
+  # managed
+  #
+  AccountsManageHostedZone:
+    Type: AWS::Route53::HostedZone
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
+    Properties:
+      Name: !Sub manage-sp.${Environment}.account.gov.uk
+
+  AccountsManageCertificate:
+    Type: AWS::CertificateManager::Certificate
+    Properties:
+      DomainName: !Sub manage-sp.${Environment}.account.gov.uk
+      DomainValidationOptions:
+        - DomainName: !Sub manage-sp.${Environment}.account.gov.uk
+          HostedZoneId: !GetAtt AccountsManageHostedZone.Id
+      ValidationMethod: DNS
+
+  AccountsManageCertificateArnSSM:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Description: The Manage Subdomain Certificate ARN
+      Name: !Sub "/${Environment}/Infra/ACM/Certificate/Manage/ARN"
+      Type: String
+      Value: !Ref AccountsManageCertificate
+      Tags:
+        Environment: !Ref Environment
+        Application: "auth-frontend"
+        Source: govuk-one-login/authentication-frontend/cloudformation/domains.yaml
+  #
+  # oidc
+  #
+  AccountsOidcHostedZone:
+    Type: AWS::Route53::HostedZone
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
+    Properties:
+      Name: !Sub oidc-sp.${Environment}.account.gov.uk
+
+  AccountsOidcCertificate:
+    Type: AWS::CertificateManager::Certificate
+    Properties:
+      DomainName: !Sub oidc-sp.${Environment}.account.gov.uk
+      DomainValidationOptions:
+        - DomainName: !Sub oidc-sp.${Environment}.account.gov.uk
+          HostedZoneId: !GetAtt AccountsOidcHostedZone.Id
+      ValidationMethod: DNS
+
+  AccountsOidcCertificateArnSSM:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Description: The Oidc subdomain Certificate ARN
+      Name: !Sub "/${Environment}/Infra/ACM/Certificate/Oidc/ARN"
+      Type: String
+      Value: !Ref AccountsOidcCertificate
+      Tags:
+        Environment: !Ref Environment
+        Application: "auth-frontend"
+        Source: govuk-one-login/authentication-frontend/cloudformation/domains.yaml
+
+  #
+  # signin
+  #
+  AccountsSigninHostedZone:
+    Type: AWS::Route53::HostedZone
+    DeletionPolicy: Retain
+    UpdateReplacePolicy: Retain
+    Properties:
+      Name: !Sub signin-sp.${Environment}.account.gov.uk
+
+  AccountsSigninHostedZoneSSM:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Description: The SignIn Public Hosted Zone Id
+      Name: !Sub "/${Environment}/Infra/Route53/HostedZone/SignIn/Id"
+      Type: String
+      Value: !Ref AccountsSigninHostedZone
+      Tags:
+        Environment: !Ref Environment
+        Application: "auth-frontend"
+        Source: govuk-one-login/authentication-frontend/cloudformation/domains.yaml
+
+  AccountsSignInCertificate:
+    Type: AWS::CertificateManager::Certificate
+    Properties:
+      DomainName: !Sub signin-sp.${Environment}.account.gov.uk
+      DomainValidationOptions:
+        - DomainName: !Sub signin-sp.${Environment}.account.gov.uk
+          HostedZoneId: !GetAtt AccountsSigninHostedZone.Id
+      ValidationMethod: DNS
+
+  AccountsSignInCertificateArnSSM:
+    Type: AWS::SSM::Parameter
+    Properties:
+      Description: The SignIn Domain Certificate ARN
+      Name: !Sub "/${Environment}/Infra/ACM/Certificate/SignIn/ARN"
+      Type: String
+      Value: !Ref AccountsSignInCertificate
+      Tags:
+        Environment: !Ref Environment
+        Application: "auth-frontend"
+        Source: govuk-one-login/authentication-frontend/cloudformation/domains.yaml

cloudformation/readme.md

@@ -0,0 +1,35 @@
+# Migrate Authentication Frontend to secure pipelines
+
+## Dependencies
+
+### Secrets
+
+The following table lists secrets required at startup, and sourced from AWS Secrets Manager
+
+| Secret name                                 | Description                                                                                                                                                    | Source           |
+| ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
+| /deploy/\${Environment}/basic_auth_username | Credentials used by the nginx proxy server sidecar enforcing HTTP basic authentication on every request, when the origin is not in the ipAllowList CIDR ranges | Manually created |
+| /deploy/\${Environment}/basic_auth_password | Same as above                                                                                                                                                  | Manually created |
+
+The following table lists secretStrings sourced from AWS Systems Manager Parameter Store, and required at startup
+
+| Parameter name                   | Description                                                                                                                                                               | Source                                                                                            |
+| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- |
+| build-frontend-redis-master-host | Redis cluster for storing user session data for the frontend. Proposed change to remove these dependencies: [AUT-3374](https://govukverify.atlassian.net/browse/AUT-3374) | Manually created after the ApplicationReplicationGroup in [template.yaml](./template.yaml) exists |
+| build-frontend-redis-password    | Same as above                                                                                                                                                             | Manually created after the ApplicationAuthPass in [template.yaml](./template.yaml) exists         |
+| build-frontend-redis-port        | Same as above                                                                                                                                                             | Manually created, uses default port                                                               |
+
+### Parameters
+
+The following table lists configurations required at startup, and sourced from AWS Systems Manager Parameter Store
+
+| Parameter name                                      | Description                                          | Source                         |
+| --------------------------------------------------- | ---------------------------------------------------- | ------------------------------ |
+| /\${Environment}/Infra/Route53/HostedZone/SignIn/Id | Route53 Public hosted zone id of signin.\* subdomain | [domains.yaml](./domains.yaml) |
+| /\${Environment}/Infra/ACM/Certificate/SignIn/ARN   | signin.\* subdomain certificate issued by AWS ACM    | [domains.yaml](./domains.yaml) |
+
+## Startup sequence
+
+1. Bootstrap target account with the Stack Orchestration tool. Configurations and instruction can be found in the [authentication-infrastructure](https://github.com/govuk-one-login/authentication-infrastructure) GitHub repository
+2. Setup domains using Cloudformation template: [domains.yaml](./domains.yaml). At the time of writing this document on 17/07/2024, it is deployed via AWS console or cli tool
+3. Deploy frontend. The bootstrap step 1 sets up required dependencies and the frontend pipeline stack in the target account. GitHub workflow [deploy-frontend-sp](../.github/workflows/deploy-frontend-sp.yml) packages and uploads the artifacts, which then triggers deployment via AWS CodePipeline in the target account