Merge pull request #620 from cabinetoffice/EHD-1518-switch-over-live-service

EHD-1518: Switch over Live service

Author: jamesgriff

terraform/cloudfront__www_domain_redirect.tf

@@ -0,0 +1,85 @@
+
+data "aws_cloudfront_cache_policy" "cache_policy__aws_managed_caching_optimised" {
+    name = "Managed-CachingOptimized"
+}
+
+locals {
+  distribution_for_www_domain_redirect__origin_id = "${var.service_name_hyphens}--${var.environment_hyphens}--www-Domain-Redirect-origin"
+}
+
+resource "aws_cloudfront_distribution" "distribution__www_domain_redirect" {
+  count = (var.create_redirect_from_www_domain) ? 1 : 0  // Only create this CloudFront Distribution if "var.create_redirect_from_www_domain" is true
+
+  // CloudFront distributions have to be created in the us-east-1 region (for some reason!)
+  provider = aws.us-east-1
+
+  comment = "${var.service_name_hyphens}--${var.environment_hyphens}--www-domain-redirect"
+
+  origin {
+    domain_name = "example.com" // The origin domain doesn't matter because we use a CloudFront Function to redirect all traffic.
+                                // We shouldn't use a real domain in case any traffic is forwarded, but example.com is reserved as an unused domain name (https://en.wikipedia.org/wiki/Example.com)
+    origin_id = local.distribution_for_www_domain_redirect__origin_id
+
+    custom_origin_config {
+      http_port = 80
+      https_port = 443
+      origin_protocol_policy = "http-only"
+      origin_ssl_protocols = ["TLSv1.2"]
+    }
+  }
+
+  price_class = "PriceClass_100"
+
+  aliases = ["${var.dns_record_www_domain_including_dot}${data.aws_route53_zone.route_53_zone_for_our_domain.name}"]
+
+  viewer_certificate {
+    acm_certificate_arn = aws_acm_certificate_validation.certificate_validation_waiter__www_domain_redirect[0].certificate_arn
+    cloudfront_default_certificate = false
+    minimum_protocol_version = "TLSv1"
+    ssl_support_method = "sni-only"
+  }
+
+  enabled = true
+  is_ipv6_enabled = true
+
+  default_cache_behavior {
+    cache_policy_id = data.aws_cloudfront_cache_policy.cache_policy__aws_managed_caching_optimised.id
+    allowed_methods = ["GET", "HEAD"]
+    cached_methods = ["GET", "HEAD"]
+    target_origin_id = local.distribution_for_www_domain_redirect__origin_id
+    viewer_protocol_policy = "redirect-to-https"
+    compress = true
+
+    function_association {
+      event_type = "viewer-request"
+      function_arn = aws_cloudfront_function.redirect_www_domain_function[0].arn
+    }
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+      locations = []
+    }
+  }
+}
+
+resource "aws_cloudfront_function" "redirect_www_domain_function" {
+  count = (var.create_redirect_from_www_domain) ? 1 : 0  // Only create this CloudFront Function if "var.create_redirect_from_www_domain" is true
+
+  name    = "${var.service_name_hyphens}--${var.environment_hyphens}--redirect-www-domain-function"
+  runtime = "cloudfront-js-1.0"
+  publish = true
+  code    = <<EOT
+function handler(event) {
+    var response = {
+        statusCode: 302,
+        statusDescription: 'Found',
+        headers: {
+            "location": { "value": "https://${var.dns_record_subdomain_including_dot}${data.aws_route53_zone.route_53_zone_for_our_domain.name}" + event.request.uri }
+        }
+    };
+    return response;
+}
+EOT
+}

terraform/dev.tfvars

@@ -5,3 +5,4 @@ environment_hyphens = "Dev"
 create_dns_record = true
 dns_record_subdomain_including_dot = "dev."
 
+create_redirect_from_www_domain = false

terraform/https_certificate.tf

@@ -1,4 +1,7 @@
 
+////////////////////////////////////////////////
+// The HTTPS certificate for the main website
+
 resource "aws_acm_certificate" "https_certificate_for_our_domain" {
   // This certificate is for use by CloudFront, so it has to be created in the us-east-1 region (for some reason!)
   provider = aws.us-east-1
@@ -31,3 +34,54 @@ resource "aws_acm_certificate_validation" "certificate_validation_waiter" {
   certificate_arn = aws_acm_certificate.https_certificate_for_our_domain.arn
   validation_record_fqdns = [for record in aws_route53_record.example : record.fqdn]
 }
+
+
+///////////////////////////////////////////////////////
+// The HTTPS certificate for the www domain redirect
+
+resource "aws_acm_certificate" "https_certificate__www_domain_redirect" {
+  count = (var.create_redirect_from_www_domain) ? 1 : 0  // Only create this HTTPS Certificate if "var.create_redirect_from_www_domain" is true
+
+  // This certificate is for use by CloudFront, so it has to be created in the us-east-1 region (for some reason!)
+  provider = aws.us-east-1
+
+  domain_name = "${var.dns_record_www_domain_including_dot}${data.aws_route53_zone.route_53_zone_for_our_domain.name}"
+  validation_method = "DNS"
+}
+
+locals {
+  dns_records_we_need_to_verify_www_domain__list = flatten([
+    for https_certificate in aws_acm_certificate.https_certificate__www_domain_redirect : [
+      for dvo in https_certificate.domain_validation_options : {
+        domain_name = dvo.domain_name
+        name        = dvo.resource_record_name
+        record      = dvo.resource_record_value
+        type        = dvo.resource_record_type
+      }
+    ]
+  ])
+  dns_records_we_need_to_verify_www_domain__map = {
+    for i, record in local.dns_records_we_need_to_verify_www_domain__list: record.domain_name => record
+  }
+}
+
+resource "aws_route53_record" "dns_records_for_https_certificate_verification__www_domain_redirect" {
+  for_each = local.dns_records_we_need_to_verify_www_domain__map
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = data.aws_route53_zone.route_53_zone_for_our_domain.zone_id
+}
+
+resource "aws_acm_certificate_validation" "certificate_validation_waiter__www_domain_redirect" {
+  count = (var.create_redirect_from_www_domain) ? 1 : 0  // Only create this HTTPS Certificate if "var.create_redirect_from_www_domain" is true
+
+  // This certificate is for use by CloudFront, so it has to be created in the us-east-1 region (for some reason!)
+  provider = aws.us-east-1
+
+  certificate_arn = aws_acm_certificate.https_certificate__www_domain_redirect[0].arn
+  validation_record_fqdns = [for record in aws_route53_record.dns_records_for_https_certificate_verification__www_domain_redirect : record.fqdn]
+}

terraform/prod.tfvars

@@ -0,0 +1,9 @@
+
+environment = "Prod"
+environment_hyphens = "Prod"
+
+create_dns_record = true
+dns_record_subdomain_including_dot = ""
+
+create_redirect_from_www_domain = true
+dns_record_www_domain_including_dot = "www."

terraform/variables.tf

@@ -33,6 +33,15 @@ variable "dns_record_subdomain_including_dot" {
   description = "The subdomain (including dot - e.g. 'dev.' or just '' for production) for the Route53 alias record"
 }
 
+variable "create_redirect_from_www_domain" {
+  type = bool
+  description = "Should terraform create a CloudFront distribution to redirect the www. domain to the root domain"
+}
+variable "dns_record_www_domain_including_dot" {
+  type = string
+  description = "The www. domain (including dot - e.g. 'www.dev.' or just 'www.' for production) for the www domain redirect"
+}
+
 // SECRETS
 // These variables are set in GitHub Actions environment-specific secrets
 // Most of these are passed to the application via Elastic Beanstalk environment variables