BAU: Clean up after cloudfront implementation

The old WAF rule was left in the codebase in case cloudfront wasn't used for an environment. It's now always enabled, so this configuration is no longer needed. I've also removed the feature flag completely.
govuk-one-login · Jul 17, 2024 · 575ddc9 · 575ddc9
1 parent 1976181
commit 575ddc9
Show file tree

Hide file tree

Showing 7 changed files with 141 additions and 684 deletions.
diff --git a/ci/terraform/alb.tf b/ci/terraform/alb.tf
@@ -25,6 +25,11 @@ resource "aws_lb" "frontend_alb" {
   tags = local.default_tags
 }
 
+resource "aws_wafv2_web_acl_association" "alb_waf_association" {
+  resource_arn = aws_lb.frontend_alb.arn
+  web_acl_arn  = aws_cloudformation_stack.cloudfront.outputs["CloakingOriginWebACLArn"]
+}
+
 resource "aws_alb_target_group" "frontend_alb_target_group" {
   name                 = "${var.environment}-frontend-target"
   port                 = 80
@@ -178,4 +183,4 @@ resource "aws_alb_listener_rule" "service_down_rule" {
       values = ["/service-page-disabled/*"]
     }
   }
-}
+}
diff --git a/ci/terraform/cloudfront.tf b/ci/terraform/cloudfront.tf
@@ -1,15 +1,14 @@
 resource "aws_cloudformation_stack" "cloudfront" {
-  count = var.cloudfront_auth_frontend_enabled ? 1 : 0
-  name  = "${var.environment}-auth-fe-cloudfront"
-  #using fixed version of cloudfron disturbution template for now 
+  name = "${var.environment}-auth-fe-cloudfront"
+  #using fixed version of cloudfron disturbution template for now
   template_url = "https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/cloudfront-distribution/template.yaml?versionId=._qPLI5sbnZN3T3jHF7fezX8BT6fK3j3"
 
   capabilities = ["CAPABILITY_NAMED_IAM"]
 
   parameters = {
     AddWWWPrefix                 = var.Add_WWWPrefix
-    CloudFrontCertArn            = aws_acm_certificate.cloudfront_frontend_certificate[0].arn
-    CloudFrontWafACL             = aws_wafv2_web_acl.frontend_cloudfront_waf_web_acl[0].arn
+    CloudFrontCertArn            = aws_acm_certificate.cloudfront_frontend_certificate.arn
+    CloudFrontWafACL             = aws_wafv2_web_acl.frontend_cloudfront_waf_web_acl.arn
     DistributionAlias            = local.frontend_fqdn
     FraudHeaderEnabled           = var.Fraud_Header_Enabled
     OriginCloakingHeader         = var.auth_origin_cloakingheader
@@ -20,26 +19,25 @@ resource "aws_cloudformation_stack" "cloudfront" {
   tags = local.default_tags
 
   #ignoring below parameter as these parameter are been read via secret manager and terraform continually detects changes
-  # Note : we need to remove the below lifecycle if the Header are changed in Secret manager to appy new cloainking header value 
+  # Note : we need to remove the below lifecycle if the Header are changed in Secret manager to appy new cloainking header value
   lifecycle {
     ignore_changes = [parameters["OriginCloakingHeader"], parameters["PreviousOriginCloakingHeader"]]
   }
 
 }
 
 resource "aws_cloudformation_stack" "cloudfront-monitoring" {
-  count    = var.cloudfront_auth_frontend_enabled ? 1 : 0
   provider = aws.cloudfront
   name     = "${var.environment}-auth-fe-cloudfront-monitoring"
-  #using fixed version of cloudfront monitoring  disturbution template for now 
+  #using fixed version of cloudfront monitoring  disturbution template for now
   template_url = "https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/cloudfront-monitoring-alarm/template.yaml?versionId=td2KHIlG7KGXl0mkMrRDkgBWxdXPEMZ."
 
   capabilities = ["CAPABILITY_NAMED_IAM"]
 
   parameters = {
-    CacheHitAlarmSNSTopicARN            = aws_sns_topic.slack_events[0].arn
+    CacheHitAlarmSNSTopicARN            = aws_sns_topic.slack_events.arn
     CloudFrontAdditionaldMetricsEnabled = true
-    CloudfrontDistribution              = aws_cloudformation_stack.cloudfront[0].outputs["DistributionId"]
+    CloudfrontDistribution              = aws_cloudformation_stack.cloudfront.outputs["DistributionId"]
   }
   depends_on = [aws_cloudformation_stack.cloudfront]
   tags       = local.default_tags

diff --git a/ci/terraform/route53.tf b/ci/terraform/route53.tf
@@ -13,8 +13,8 @@ resource "aws_route53_record" "frontend" {
 
   alias {
     evaluate_target_health = false
-    name                   = var.cloudfront_auth_dns_enabled ? aws_cloudformation_stack.cloudfront[0].outputs["DistributionDomain"] : aws_lb.frontend_alb.dns_name
-    zone_id                = var.cloudfront_auth_dns_enabled ? var.cloudfront_zoneid : aws_lb.frontend_alb.zone_id
+    name                   = aws_cloudformation_stack.cloudfront.outputs["DistributionDomain"]
+    zone_id                = var.cloudfront_zoneid
   }
 }
 
@@ -25,8 +25,8 @@ resource "aws_route53_record" "frontend_record" {
 
   alias {
     evaluate_target_health = false
-    name                   = var.cloudfront_auth_dns_enabled ? aws_cloudformation_stack.cloudfront[0].outputs["DistributionDomain"] : aws_lb.frontend_alb.dns_name
-    zone_id                = var.cloudfront_auth_dns_enabled ? var.cloudfront_zoneid : aws_lb.frontend_alb.zone_id
+    name                   = aws_cloudformation_stack.cloudfront.outputs["DistributionDomain"]
+    zone_id                = var.cloudfront_zoneid
   }
 }
 
@@ -87,7 +87,6 @@ output "signin_nameservers" {
 #DNS Record for cloufront origin Domain & TLS certificate
 
 resource "aws_route53_record" "Cloudfront_frontend_record" {
-  count   = var.cloudfront_auth_frontend_enabled ? 1 : 0
   name    = local.frontend_fqdn_origin
   type    = "A"
   zone_id = aws_route53_zone.zone.zone_id
@@ -101,7 +100,6 @@ resource "aws_route53_record" "Cloudfront_frontend_record" {
 
 resource "aws_acm_certificate" "cloudfront_frontend_certificate" {
   provider          = aws.cloudfront
-  count             = var.cloudfront_auth_frontend_enabled ? 1 : 0
   domain_name       = local.frontend_fqdn
   validation_method = "DNS"
 
@@ -114,13 +112,13 @@ resource "aws_acm_certificate" "cloudfront_frontend_certificate" {
 
 resource "aws_route53_record" "cloudfront_frontend_certificate_validation" {
   provider = aws.cloudfront
-  for_each = var.cloudfront_auth_frontend_enabled ? {
-    for dvo in aws_acm_certificate.cloudfront_frontend_certificate[0].domain_validation_options : dvo.domain_name => {
+  for_each = {
+    for dvo in aws_acm_certificate.cloudfront_frontend_certificate.domain_validation_options : dvo.domain_name => {
       name   = dvo.resource_record_name
       record = dvo.resource_record_value
       type   = dvo.resource_record_type
     }
-  } : {}
+  }
 
   allow_overwrite = true
   name            = each.value.name
@@ -133,8 +131,7 @@ resource "aws_route53_record" "cloudfront_frontend_certificate_validation" {
 
 resource "aws_acm_certificate_validation" "frontend_acm_cloudfront_certificate_validation" {
   provider                = aws.cloudfront
-  count                   = var.cloudfront_auth_frontend_enabled ? 1 : 0
-  certificate_arn         = aws_acm_certificate.cloudfront_frontend_certificate[0].arn
+  certificate_arn         = aws_acm_certificate.cloudfront_frontend_certificate.arn
   validation_record_fqdns = [for record in aws_route53_record.cloudfront_frontend_certificate_validation : record.fqdn]
   depends_on              = [aws_route53_record.cloudfront_frontend_certificate_validation]
 }
diff --git a/ci/terraform/sns.tf b/ci/terraform/sns.tf
@@ -2,17 +2,15 @@
 
 resource "aws_sns_topic" "slack_events" {
   provider                         = aws.cloudfront
-  count                            = var.cloudfront_auth_frontend_enabled ? 1 : 0
   name                             = "${var.environment}-cloudfront-alerts"
-  lambda_failure_feedback_role_arn = aws_iam_role.sns_logging_iam_role[0].arn
+  lambda_failure_feedback_role_arn = aws_iam_role.sns_logging_iam_role.arn
 
   tags = local.default_tags
 }
 
 data "aws_iam_policy_document" "sns_topic_policy" {
   version  = "2012-10-17"
   provider = aws.cloudfront
-  count    = var.cloudfront_auth_frontend_enabled ? 1 : 0
 
   statement {
     actions = [
@@ -41,33 +39,30 @@ data "aws_iam_policy_document" "sns_topic_policy" {
     }
 
     resources = [
-      aws_sns_topic.slack_events[0].arn,
+      aws_sns_topic.slack_events.arn,
     ]
   }
 }
 
 resource "aws_sns_topic_policy" "sns_alert_policy" {
   provider = aws.cloudfront
-  count    = var.cloudfront_auth_frontend_enabled ? 1 : 0
-  arn      = aws_sns_topic.slack_events[0].arn
+  arn      = aws_sns_topic.slack_events.arn
 
-  policy = data.aws_iam_policy_document.sns_topic_policy[0].json
+  policy = data.aws_iam_policy_document.sns_topic_policy.json
 }
 
 resource "aws_iam_role" "sns_logging_iam_role" {
   provider           = aws.cloudfront
-  count              = var.cloudfront_auth_frontend_enabled ? 1 : 0
   name_prefix        = "sns-failed-slack-alerts-role"
   path               = "/${var.environment}/"
-  assume_role_policy = data.aws_iam_policy_document.sns_can_assume_policy[0].json
+  assume_role_policy = data.aws_iam_policy_document.sns_can_assume_policy.json
 
   tags = local.default_tags
 }
 
 data "aws_iam_policy_document" "sns_can_assume_policy" {
   version  = "2012-10-17"
   provider = aws.cloudfront
-  count    = var.cloudfront_auth_frontend_enabled ? 1 : 0
 
   statement {
     effect = "Allow"
@@ -87,7 +82,6 @@ data "aws_iam_policy_document" "sns_can_assume_policy" {
 data "aws_iam_policy_document" "sns_logging_policy" {
   version  = "2012-10-17"
   provider = aws.cloudfront
-  count    = var.cloudfront_auth_frontend_enabled ? 1 : 0
 
   statement {
     effect = "Allow"
@@ -108,13 +102,12 @@ data "aws_iam_policy_document" "sns_logging_policy" {
 }
 
 resource "aws_iam_policy" "api_gateway_logging_policy" {
-  count       = var.cloudfront_auth_frontend_enabled ? 1 : 0
   provider    = aws.cloudfront
   name_prefix = "sns-failed-alert-logging"
   path        = "/${var.environment}/"
   description = "IAM policy for logging failed SNS alerts"
 
-  policy = data.aws_iam_policy_document.sns_logging_policy[0].json
+  policy = data.aws_iam_policy_document.sns_logging_policy.json
 
   lifecycle {
     create_before_destroy = true
@@ -125,7 +118,6 @@ resource "aws_iam_policy" "api_gateway_logging_policy" {
 
 resource "aws_iam_role_policy_attachment" "api_gateway_logging_logs" {
   provider   = aws.cloudfront
-  count      = var.cloudfront_auth_frontend_enabled ? 1 : 0
-  role       = aws_iam_role.sns_logging_iam_role[0].name
-  policy_arn = aws_iam_policy.api_gateway_logging_policy[0].arn
+  role       = aws_iam_role.sns_logging_iam_role.name
+  policy_arn = aws_iam_policy.api_gateway_logging_policy.arn
 }
diff --git a/ci/terraform/variables.tf b/ci/terraform/variables.tf
@@ -317,19 +317,6 @@ variable "service_down_page" {
   description = "Feature flag to control deployment of service down page "
 }
 
-#cloudfront variable
-variable "cloudfront_auth_frontend_enabled" {
-  type        = bool
-  default     = false
-  description = "Feature flag to control the creation cloudfront DNS record origin & Cloudfront Certificate"
-}
-
-variable "cloudfront_auth_dns_enabled" {
-  type        = bool
-  default     = false
-  description = "Feature flag to control the switch of DNS record to  cloudfront"
-}
-
 variable "cloudfront_zoneid" {
   type        = string
   default     = "Z2FDTNDATAQYW2"
@@ -408,4 +395,4 @@ variable "analytics_cookie_domain" {
   type        = string
   default     = ""
   description = "Analytics cookie domain where cookie is set"
-}
+}