From 40cf11850a18884208d567a0c699e9fd9b1116dd Mon Sep 17 00:00:00 2001
From: Matt Dean
Date: Wed, 15 Oct 2025 13:01:18 +0100
Subject: [PATCH] [NRL-1700] Use S3 versioning for truststore file
---
 .../account-wide-infrastructure/dev/domain.tf | 18 ++++----
 .../mgmt/iam__developer-role.tf | 13 ++++++
 .../env-custom-domain-name/apigateway.tf | 3 +-
 .../modules/env-custom-domain-name/vars.tf | 5 +++
 .../modules/truststore-bucket/output.tf | 5 +++
 .../prod/domain.tf | 9 ++--
 .../test/domain.tf | 45 ++++++++++---------
 terraform/infrastructure/domain.tf | 3 +-
 8 files changed, 67 insertions(+), 34 deletions(-)
diff --git a/terraform/account-wide-infrastructure/dev/domain.tf b/terraform/account-wide-infrastructure/dev/domain.tf
index 798f93d90..2a4085ecd 100644
--- a/terraform/account-wide-infrastructure/dev/domain.tf
+++ b/terraform/account-wide-infrastructure/dev/domain.tf
@@ -1,14 +1,16 @@
 module "dev-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.dev_api_domain_name
-  domain_zone           = aws_route53_zone.dev-ns.name
-  mtls_certificate_file = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.dev_api_domain_name
+  domain_zone                   = aws_route53_zone.dev-ns.name
+  mtls_certificate_file         = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.dev-truststore-bucket.certificates_object_version
 }
 module "devsandbox-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.devsandbox_api_domain_name
-  domain_zone           = aws_route53_zone.dev-ns.name
-  mtls_certificate_file = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.devsandbox_api_domain_name
+  domain_zone                   = aws_route53_zone.dev-ns.name
+  mtls_certificate_file         = "s3://${module.dev-truststore-bucket.bucket_name}/${module.dev-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.dev-truststore-bucket.certificates_object_version
 }
diff --git a/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf b/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf
index 32f042014..3bfcb2bb1 100644
--- a/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf
+++ b/terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf
@@ -99,6 +99,19 @@ module "developer_policy" {
           "${data.aws_s3_bucket.ci_logging.arn}/*"
         ]
       },
+      {
+        Action = [
+          "s3:PutObject",
+          "s3:GetObject",
+          "s3:DeleteObject"
+        ]
+        Effect = "Deny"
+        Resource = [
+          "${data.aws_s3_bucket.truststore.arn}/ca/prod*",
+          "${data.aws_s3_bucket.truststore.arn}/client/prod*",
+          "${data.aws_s3_bucket.truststore.arn}/server/prod*"
+        ]
+      },
       {
         Action = [
           "s3:GetObject"
diff --git a/terraform/account-wide-infrastructure/modules/env-custom-domain-name/apigateway.tf b/terraform/account-wide-infrastructure/modules/env-custom-domain-name/apigateway.tf
index 24d4f11e5..78ff8db62 100644
--- a/terraform/account-wide-infrastructure/modules/env-custom-domain-name/apigateway.tf
+++ b/terraform/account-wide-infrastructure/modules/env-custom-domain-name/apigateway.tf
@@ -7,7 +7,8 @@ resource "aws_api_gateway_domain_name" "domain" {
   }
   mutual_tls_authentication {
-    truststore_uri = var.mtls_certificate_file
+    truststore_uri     = var.mtls_certificate_file
+    truststore_version = var.mtls_certificate_file_version
   }
   depends_on = [
diff --git a/terraform/account-wide-infrastructure/modules/env-custom-domain-name/vars.tf b/terraform/account-wide-infrastructure/modules/env-custom-domain-name/vars.tf
index 18268b02b..dc8579153 100644
--- a/terraform/account-wide-infrastructure/modules/env-custom-domain-name/vars.tf
+++ b/terraform/account-wide-infrastructure/modules/env-custom-domain-name/vars.tf
@@ -19,3 +19,8 @@ variable "mtls_certificate_file" {
   description = "The path to the mtls certificate file"
   type        = string
 }
+
+variable "mtls_certificate_file_version" {
+  description = "The S3 version of the mtls certificate file"
+  type        = string
+}
diff --git a/terraform/account-wide-infrastructure/modules/truststore-bucket/output.tf b/terraform/account-wide-infrastructure/modules/truststore-bucket/output.tf
index b8cd08057..38a4d0368 100644
--- a/terraform/account-wide-infrastructure/modules/truststore-bucket/output.tf
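Review bot: The new Deny statement lists only `s3:PutObject`, `s3:GetObject` and `s3:DeleteObject`, so on the now-versioned truststore bucket a developer-role principal that is granted broader S3 access elsewhere in this policy could still read or remove individual prod object versions through `s3:GetObjectVersion` and `s3:DeleteObjectVersion`, including the version the API Gateway domain is pinned to via `truststore_version`. Whether another statement actually grants those actions is outside the hunk, but an explicit Deny on the prod prefixes should cover the version-scoped actions as well. Suggest extending the list with `"s3:GetObjectVersion",` and `"s3:DeleteObjectVersion"`. The `developer_policy` module block starts before the hunk and continues after it.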
+++ b/terraform/account-wide-infrastructure/modules/truststore-bucket/output.tf
@@ -7,3 +7,8 @@ output "certificates_object_key" {
   description = "Key of the truststore certificates object"
   value       = aws_s3_object.api_truststore_certificate.key
 }
+
+output "certificates_object_version" {
+  description = "Version of the truststore certificates object"
+  value       = aws_s3_object.api_truststore_certificate.version_id
+}
diff --git a/terraform/account-wide-infrastructure/prod/domain.tf b/terraform/account-wide-infrastructure/prod/domain.tf
index 1e54208df..e2426325d 100644
--- a/terraform/account-wide-infrastructure/prod/domain.tf
+++ b/terraform/account-wide-infrastructure/prod/domain.tf
@@ -1,8 +1,9 @@
 module "dev-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.prod_api_domain_name
-  domain_zone           = aws_route53_zone.prod-ns.name
-  mtls_certificate_file = "s3://${module.prod-truststore-bucket.bucket_name}/${module.prod-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.prod_api_domain_name
+  domain_zone                   = aws_route53_zone.prod-ns.name
+  mtls_certificate_file         = "s3://${module.prod-truststore-bucket.bucket_name}/${module.prod-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.prod-truststore-bucket.certificates_object_version
 }
diff --git a/terraform/account-wide-infrastructure/test/domain.tf b/terraform/account-wide-infrastructure/test/domain.tf
index 5866f53c2..59907d0f3 100644
--- a/terraform/account-wide-infrastructure/test/domain.tf
+++ b/terraform/account-wide-infrastructure/test/domain.tf
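Review bot: `aws_s3_object.api_truststore_certificate.version_id` is only populated when versioning is enabled on the bucket, and nothing in this diff shows the truststore-bucket module enabling it; if it is not, the new output is empty, every `mtls_certificate_file_version` derived from it is empty, and the `truststore_version` pin this commit introduces silently has no effect. The same assumption applies to `data.aws_s3_object.api-truststore-certificate.version_id` in the terraform/infrastructure/domain.tf hunk. A precondition on the output turns the assumption into a plan-time failure rather than a silent no-op, and the description should name the dependency, e.g. `"S3 version ID of the truststore certificates object (requires bucket versioning)"`.
```hcl
output "certificates_object_version" {
  description = "S3 version ID of the truststore certificates object (requires bucket versioning)"
  value       = aws_s3_object.api_truststore_certificate.version_id

  precondition {
    condition     = try(length(aws_s3_object.api_truststore_certificate.version_id) > 0, false)
    error_message = "Versioning must be enabled on the truststore bucket so the API Gateway truststore can be pinned to an object version."
  }
}
```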
@@ -1,35 +1,40 @@
 module "qa-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.qa_api_domain_name
-  domain_zone           = aws_route53_zone.test-qa-ns.name
-  mtls_certificate_file = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.qa_api_domain_name
+  domain_zone                   = aws_route53_zone.test-qa-ns.name
+  mtls_certificate_file         = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.qa-truststore-bucket.certificates_object_version
 }
 module "qasandbox-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.qasandbox_api_domain_name
-  domain_zone           = aws_route53_zone.test-qa-ns.name
-  mtls_certificate_file = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.qasandbox_api_domain_name
+  domain_zone                   = aws_route53_zone.test-qa-ns.name
+  mtls_certificate_file         = "s3://${module.qa-truststore-bucket.bucket_name}/${module.qa-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.qa-truststore-bucket.certificates_object_version
 }
 module "int-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.int_api_domain_name
-  domain_zone           = aws_route53_zone.test-int-ns.name
-  mtls_certificate_file = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.int_api_domain_name
+  domain_zone                   = aws_route53_zone.test-int-ns.name
+  mtls_certificate_file         = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.int-truststore-bucket.certificates_object_version
 }
 module "intsandbox-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.intsandbox_api_domain_name
-  domain_zone           = aws_route53_zone.test-int-ns.name
-  mtls_certificate_file = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.intsandbox_api_domain_name
+  domain_zone                   = aws_route53_zone.test-int-ns.name
+  mtls_certificate_file         = "s3://${module.int-truststore-bucket.bucket_name}/${module.int-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.int-truststore-bucket.certificates_object_version
 }
 module "ref-custom-domain-name" {
-  source                = "../modules/env-custom-domain-name"
-  domain_name           = var.ref_api_domain_name
-  domain_zone           = aws_route53_zone.test-ref-ns.name
-  mtls_certificate_file = "s3://${module.ref-truststore-bucket.bucket_name}/${module.ref-truststore-bucket.certificates_object_key}"
+  source                        = "../modules/env-custom-domain-name"
+  domain_name                   = var.ref_api_domain_name
+  domain_zone                   = aws_route53_zone.test-ref-ns.name
+  mtls_certificate_file         = "s3://${module.ref-truststore-bucket.bucket_name}/${module.ref-truststore-bucket.certificates_object_key}"
+  mtls_certificate_file_version = module.ref-truststore-bucket.certificates_object_version
 }
diff --git a/terraform/infrastructure/domain.tf b/terraform/infrastructure/domain.tf
index 91839071a..99f8c2cd3 100644
--- a/terraform/infrastructure/domain.tf
+++ b/terraform/infrastructure/domain.tf
@@ -46,7 +46,8 @@ resource "aws_api_gateway_domain_name" "domain" {
   }
   mutual_tls_authentication {
-    truststore_uri = "s3://${data.aws_s3_object.api-truststore-certificate.bucket}/${data.aws_s3_object.api-truststore-certificate.key}"
+    truststore_uri     = "s3://${data.aws_s3_object.api-truststore-certificate.bucket}/${data.aws_s3_object.api-truststore-certificate.key}"
+    truststore_version = data.aws_s3_object.api-truststore-certificate.version_id
   }
   depends_on = [