- Use x-origin-verify header and pass to http client

- Terraform cleanup
bcgov · Nov 15, 2024 · 74ec8c9 · 74ec8c9
1 parent 1810680
commit 74ec8c9
Show file tree

Hide file tree

Showing 7 changed files with 47 additions and 26 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -29,7 +29,10 @@
           "source.organizeImports": "explicit"
         },
         "editor.formatOnSave": true,
-        "editor.defaultFormatter": "esbenp.prettier-vscode"
+        "editor.defaultFormatter": "esbenp.prettier-vscode",
+        "[csharp]": {
+          "editor.defaultFormatter": "ms-dotnettools.csharp"
+        }
       }
     }
   },

diff --git a/api/Infrastructure/ServiceCollectionExtensions.cs b/api/Infrastructure/ServiceCollectionExtensions.cs
@@ -22,6 +22,9 @@ namespace Scv.Api.Infrastructure
 {
     public static class ServiceCollectionExtensions
     {
+        const string X_APIGW_KEY_HEADER = "x-api-key";
+        const string X_ORIGIN_VERIFY_HEADER = "x-origin-verify";
+
         public static IServiceCollection AddMapster(this IServiceCollection services, Action<TypeAdapterConfig> options = null)
         {
             var config = TypeAdapterConfig.GlobalSettings;
@@ -37,6 +40,9 @@ public static IServiceCollection AddMapster(this IServiceCollection services, Ac
 
         public static IServiceCollection AddHttpClientsAndScvServices(this IServiceCollection services, IConfiguration configuration)
         {
+            var apigwKey = configuration.GetNonEmptyValue("AWS_API_GATEWAY_API_KEY");
+            var authorizerKey = configuration.GetNonEmptyValue("AuthorizerKey");
+
             services.AddTransient<TimingHandler>();
             services.AddHttpClient<FileServicesClient>(client =>
             {
@@ -61,8 +67,8 @@ public static IServiceCollection AddHttpClientsAndScvServices(this IServiceColle
                 //     configuration.GetNonEmptyValue("LocationServicesClient:Username"),
                 //     configuration.GetNonEmptyValue("LocationServicesClient:Password"));
                 client.BaseAddress = new Uri(configuration.GetNonEmptyValue("LocationServicesClient:Url").EnsureEndingForwardSlash());
-                var apiKey = configuration.GetNonEmptyValue("AWS_API_GATEWAY_API_KEY");
-                client.DefaultRequestHeaders.Add("x-api-key", apiKey);
+                client.DefaultRequestHeaders.Add(X_APIGW_KEY_HEADER, apigwKey);
+                client.DefaultRequestHeaders.Add(X_ORIGIN_VERIFY_HEADER, authorizerKey);
             }).AddHttpMessageHandler<TimingHandler>();
 
             services.AddHttpClient<UserServiceClient>(client =>

diff --git a/infrastructure/cloud/environments/dev/webapp.tf b/infrastructure/cloud/environments/dev/webapp.tf
@@ -76,8 +76,6 @@ module "iam" {
   openshift_iam_user  = var.openshift_iam_user
   iam_user_table_name = var.iam_user_table_name
   secrets_arn_list    = module.secrets_manager.secrets_arn_list
-  ecr_repo_arn_list   = [data.aws_ecr_repository.app_ecr_repo.arn, data.aws_ecr_repository.lambda_ecr_repo.arn]
-  ecs_arn_list        = [module.ecs_web_service.ecs_service_arn, module.ecs_api_service.ecs_service_arn, module.ecs_cluster.ecs_cluster.arn]
 }
 
 # Parse Subnets
@@ -137,9 +135,7 @@ module "lambda" {
       http_method   = "*"
       resource_path = "/*"
       env_variables = {
-        VERIFY_SECRET_NAME          = module.secrets_manager.api_authorizer_secret.name
-        POWERTOOLS_SERVICE_NAME     = "api-authorizer"
-        POWERTOOLS_LOGGER_LOG_EVENT = "DEBUG"
+        VERIFY_SECRET_NAME = module.secrets_manager.api_authorizer_secret.name
       }
     },
     "rotate-key" = {
@@ -150,6 +146,7 @@ module "lambda" {
       principal           = "secretsmanager.amazonaws.com"
       env_variables = {
         VERIFY_SECRET_NAME = module.secrets_manager.api_authorizer_secret.name
+        CLUSTER_NAME       = module.ecs_cluster.ecs_cluster.name
       }
     }
   }
@@ -166,6 +163,25 @@ module "apigw" {
   ecs_execution_role_arn = module.iam.ecs_execution_role_arn
 }
 
+# Create Cloudwatch LogGroups
+module "ecs_api_td_log_group" {
+  source        = "../../modules/Cloudwatch/LogGroup"
+  environment   = var.environment
+  app_name      = var.app_name
+  kms_key_arn   = data.aws_kms_key.kms_key.arn
+  resource_name = "ecs"
+  name          = "api-td"
+}
+
+module "ecs_web_td_log_group" {
+  source        = "../../modules/Cloudwatch/LogGroup"
+  environment   = var.environment
+  app_name      = var.app_name
+  kms_key_arn   = data.aws_kms_key.kms_key.arn
+  resource_name = "ecs"
+  name          = "web-td"
+}
+
 # Create ECS Cluster
 module "ecs_cluster" {
   source      = "../../modules/ECS/Cluster"
@@ -186,6 +202,7 @@ module "ecs_web_td" {
   port                   = 8080
   secret_env_variables   = module.secrets_manager.web_secrets
   kms_key_arn            = data.aws_kms_key.kms_key.arn
+  log_group_name         = module.ecs_web_td_log_group.log_group_name
 }
 
 # Create API ECS Task Definition
@@ -210,6 +227,7 @@ module "ecs_api_td" {
   ]
   secret_env_variables = module.secrets_manager.api_secrets
   kms_key_arn          = data.aws_kms_key.kms_key.arn
+  log_group_name       = module.ecs_api_td_log_group.log_group_name
 }
 
 # Create Web ECS Service

diff --git a/infrastructure/cloud/modules/ECS/TaskDefinition/main.tf b/infrastructure/cloud/modules/ECS/TaskDefinition/main.tf
@@ -28,7 +28,7 @@ resource "aws_ecs_task_definition" "ecs_td" {
       logConfiguration = {
         logDriver = "awslogs"
         options = {
-          "awslogs-group"         = "/aws/ecs/${var.name}-td"
+          "awslogs-group"         = var.log_group_name
           "awslogs-region"        = var.region
           "awslogs-stream-prefix" = "ecs"
         }

diff --git a/infrastructure/cloud/modules/ECS/TaskDefinition/variables.tf b/infrastructure/cloud/modules/ECS/TaskDefinition/variables.tf
@@ -68,3 +68,8 @@ variable "image_name" {
   type        = string
   default     = "dummy-image"
 }
+
+variable "log_group_name" {
+  description = "The Cloudwatch Log Group Name"
+  type        = string
+}
diff --git a/infrastructure/cloud/modules/IAM/main.tf b/infrastructure/cloud/modules/IAM/main.tf
@@ -66,10 +66,8 @@ resource "aws_iam_role_policy" "ecs_execution_policy" {
         Action = [
           "secretsmanager:GetSecretValue"
         ],
-        Effect = "Allow",
-        Resource = [
-          "arn:aws:secretsmanager:*:*:secret:external/*"
-        ]
+        Effect   = "Allow",
+        Resource = var.secrets_arn_list
       },
       {
         Action = [
@@ -289,9 +287,10 @@ resource "aws_iam_policy" "lambda_role_policy" {
         "Effect" : "Allow",
         "Action" : [
           "ecs:UpdateService",
-          "ecs:DescribeServices"
+          "ecs:DescribeServices",
+          "ecs:ListServices"
         ],
-        "Resource" : var.ecs_arn_list
+        "Resource" : "*"
       },
       {
         "Effect" : "Allow",
@@ -300,7 +299,7 @@ resource "aws_iam_policy" "lambda_role_policy" {
           "ecr:BatchGetImage",
           "ecr:BatchCheckLayerAvailability"
         ],
-        "Resource" : var.ecr_repo_arn_list
+        "Resource" : "*"
       }
     ]
   })

diff --git a/infrastructure/cloud/modules/IAM/variables.tf b/infrastructure/cloud/modules/IAM/variables.tf
@@ -32,13 +32,3 @@ variable "secrets_arn_list" {
   description = "List of Secrets ARN"
   type        = list(string)
 }
-
-variable "ecr_repo_arn_list" {
-  description = "List of ECR Repo ARN"
-  type        = list(string)
-}
-
-variable "ecs_arn_list" {
-  description = "List of ECS Cluster and Service"
-  type        = list(string)
-}