
Commit 09b3b12

Merge branch 'main' into PRMP-1445
2 parents f8012a6 + c4e1d10 commit 09b3b12

11 files changed

Lines changed: 128 additions & 24 deletions


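--- a/infrastructure/ssm_parameters_externally_signed_mtls.tf
+++ b/infrastructure/ssm_parameters_externally_signed_mtls.tf
@@ -19,7 +19,7 @@ module "ssm_param_external_client_key" {
 owner = var.owner
 name = "external_client_key"
 type = "SecureString"
-description = "Externally signed client certificate for mTLS"
+description = "Client key for mTLS"
 value = "REPLACE_ME"
 key_id = module.pdm_encryption_key.id
 ignore_value_changes = true
@@ -45,7 +45,33 @@ module "ssm_param_unauthorised_client_key" {
 owner = var.owner
 name = "unauthorised_client_key"
 type = "SecureString"
-description = "Externally signed foobar client certificate for test purposes"
+description = "Foobar client key for test purposes"
+value = "REPLACE_ME"
+key_id = module.pdm_encryption_key.id
+ignore_value_changes = true
+}
+
+module "ssm_param_lg_client_cert" {
+count = local.is_sandbox ? 0 : 1
+source = "./modules/ssm_parameter"
+environment = var.environment
+owner = var.owner
+name = "lg_client_cert"
+type = "SecureString"
+description = "Externally signed LG client certificate for mTLS"
+value = "REPLACE_ME"
+key_id = module.pdm_encryption_key.id
+ignore_value_changes = true
+}
+
+module "ssm_param_lg_client_key" {
+count = local.is_sandbox ? 0 : 1
+source = "./modules/ssm_parameter"
+environment = var.environment
+owner = var.owner
+name = "lg_client_key"
+type = "SecureString"
+description = "LG client key for mTLS"
 value = "REPLACE_ME"
 key_id = module.pdm_encryption_key.id
 ignore_value_changes = true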
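Review bot: `lg_client_key` will hold the private key that pairs with the externally signed `lg_client_cert`, yet both new parameters are created with `value = "REPLACE_ME"` and `ignore_value_changes = true`, so Terraform never reconciles them or reports drift, and nothing in the file records how, or by whom, the real values are loaded before the application reads the literal placeholder. The descriptions are the only place that contract can live in this module, so I would make them carry it, e.g. `description = "Private key for the LG mTLS client certificate; populated out-of-band, never via Terraform (ignore_value_changes)"` and, for the cert, `description = "Externally signed LG client certificate (public material); populated out-of-band"`. I am assuming from the naming that the two parameters belong together as one identity; please confirm. The `ssm_param_lg_client_key` block is closed outside the hunk, and the `ssm_param_unauthorised_client_key` block it follows begins before the hunk starts.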

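--- a/makefile
+++ b/makefile
@@ -3,53 +3,56 @@ default: help
 help: ## This help message
 @grep -E --no-filename '^[a-zA-Z-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-42s\033[0m %s\n", $$1, $$2}'
 
-.PHONY: Install
+.PHONY: \
+Install
+format-all
+generate-terraform-docs
+build-sandbox
+init-bootstrap
+apply-bootstrap
+export-dev-github-role
+export-pre-prod-github-role
+export-prod-github-role
+export-test-github-role
+create-csrs
+
 install: ## Run NPM install
 cd ./infrastructure && npm install
 
 # Formatting
-.PHONY:format-all
 format-all: ## Format all terraform
 terraform fmt -recursive .
 
 # Documentation
-.PHONY:generate-terraform-docs
 generate-terraform-docs: ## Generate terraform documentation
 ./scripts/run_terraform_docs.py
 
 # Installing
-.PHONY:build-sandbox
 build-sandbox: ## Build a sandbox using either the branch as the workspace name, sanitised, or pass in a name for the workspace e.g. make build-sandbox WORKSPACE=my-workspace . By default only a plan will run unless APPLY=true is used.
 WORKSPACE=$(WORKSPACE) APPLY=$(APPLY) ./scripts/build_sandbox.sh
-# Linting
-
-# Testing
 
 # Bootstrap
-.PHONY: init-bootstrap
 init-bootstrap: ## Run Bootstrap terraform
 cd ./bootstrap && terraform init
 
-.PHONY: apply-bootstrap
 apply-bootstrap: ## Apply Bootstrap terraform
 cd ./bootstrap && terraform apply
 
-
 # Export current github role permissions
 # Pass in an aliases variable containing account IDs you need to mask.
 # e.g. make export-dev-github-role aliases="123456789012=account 555555555555=other_account"
-.PHONY: export-dev-github-role
 export-dev-github-role: ## Export DEV github role permissions. Account IDs can be masked by passing in a list of aliases. E.g. make export-dev-github-role aliases="123456789012=account 555555555555=other_account"
 python ./scripts/export_role_policies.py dev github-actions-dev-role ${aliases}
 
-.PHONY: export-pre-prod-github-role
 export-pre-prod-github-role: ## See above
 python ./scripts/export_role_policies.py pre-prod Github-Actions-pre-prod-role ${aliases}
-
-.PHONY: export-prod-github-role
+
 export-prod-github-role: ## See above
 python ./scripts/export_role_policies.py prod github-access-role ${aliases}
 
-.PHONY: export-test-github-role
 export-test-github-role: ## See above
-python ./scripts/export_role_policies.py test github-action-role ${aliases}
+python ./scripts/export_role_policies.py test github-action-role ${aliases}`
+
+# Create Certificate Signing Requests
+create-csrs: ## Create CSRs for all environments. This will create a key and CSR for each environment and place them in the keys and csrs folders respectively.
+cd ./scripts && ./create_csrs.sh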
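Review bot: As rendered, the new multi-line `.PHONY` declaration carries a line-continuation `\` only on its first line, so `format-all`, `generate-terraform-docs` and the rest would each be parsed as standalone lines and GNU make would stop with `*** missing separator` before any target can run; if that is what is committed, collapse it to one line, `.PHONY: install format-all generate-terraform-docs build-sandbox init-bootstrap apply-bootstrap export-dev-github-role export-pre-prod-github-role export-prod-github-role export-test-github-role create-csrs`. Note that list also names `Install`, which is not the `install` target declared below, since target names are case-sensitive. The rewritten `export-test-github-role` recipe differs from the removed line only by a stray trailing backtick after `${aliases}`, which the shell will reject as an unterminated command substitution; the old line was correct. For `create-csrs`, the help text says private keys are written to a `keys` folder under `scripts`, and I cannot see `create_csrs.sh` or a `.gitignore` here, so please confirm that folder is ignored and the key files are created with restrictive permissions before this is used to generate the prod key.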
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
[req]
2+
default_bits = 4096
3+
distinguished_name = req_distinguished_name
4+
req_extensions = v3_req
5+
prompt = no
6+
7+
[req_distinguished_name]
8+
C = GB
9+
ST = West Yorkshire
10+
L = Leeds
11+
O = NHS England
12+
OU = National Document Repository
13+
CN = lgclient.dev.ndr.national.nhs.uk
14+
15+
[v3_req]
16+
keyUsage = keyEncipherment, dataEncipherment
17+
extendedKeyUsage = serverAuth
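Review bot: The `[v3_req]` extensions request a server-style certificate even though the CN (`lgclient.dev.ndr.national.nhs.uk`) and the rest of this commit describe an mTLS client: `extendedKeyUsage = serverAuth` omits `clientAuth`, and `keyUsage = keyEncipherment, dataEncipherment` omits `digitalSignature`, which a TLS client needs in order to sign the CertificateVerify message. Servers that enforce purpose on the peer certificate (OpenSSL's sslclient purpose check, Go's default client-certificate verification) reject such a certificate, so the request should read `keyUsage = digitalSignature, keyEncipherment` and `extendedKeyUsage = clientAuth`. Requested extensions are only advisory to the external CA, so the issued certificate's EKU should also be checked before it is stored in SSM. The four per-environment request files appear to differ only in CN, so `create_csrs.sh` could substitute the environment into one template, though I cannot see that script here.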
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
[req]
2+
default_bits = 4096
3+
distinguished_name = req_distinguished_name
4+
req_extensions = v3_req
5+
prompt = no
6+
7+
[req_distinguished_name]
8+
C = GB
9+
ST = West Yorkshire
10+
L = Leeds
11+
O = NHS England
12+
OU = National Document Repository
13+
CN = lgclient.preprod.ndr.national.nhs.uk
14+
15+
[v3_req]
16+
keyUsage = keyEncipherment, dataEncipherment
17+
extendedKeyUsage = serverAuth
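Review bot: For the preprod request (`CN = lgclient.preprod.ndr.national.nhs.uk`) the requested extensions are wrong for a client certificate: `extendedKeyUsage = serverAuth` should be `extendedKeyUsage = clientAuth`, and `keyUsage = keyEncipherment, dataEncipherment` lacks `digitalSignature`, without which a TLS client cannot sign the handshake's CertificateVerify message; `keyUsage = digitalSignature, keyEncipherment` is the usual request. A server that checks the peer certificate's purpose will refuse the connection, and the failure will surface only at runtime against the upstream, not at issuance. Since this file is one of four that differ only in CN, any correction should be applied to all of them together so the environments do not drift.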
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
[req]
2+
default_bits = 4096
3+
distinguished_name = req_distinguished_name
4+
req_extensions = v3_req
5+
prompt = no
6+
7+
[req_distinguished_name]
8+
C = GB
9+
ST = West Yorkshire
10+
L = Leeds
11+
O = NHS England
12+
OU = National Document Repository
13+
CN = lgclient.prod.ndr.national.nhs.uk
14+
15+
[v3_req]
16+
keyUsage = keyEncipherment, dataEncipherment
17+
extendedKeyUsage = serverAuth
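Review bot: This is the production request (`CN = lgclient.prod.ndr.national.nhs.uk`), and it asks the external CA for `extendedKeyUsage = serverAuth` with `keyUsage = keyEncipherment, dataEncipherment`, neither of which fits a client certificate used for mTLS: `clientAuth` is the EKU a server checks when authenticating a peer, and `digitalSignature` is the key usage the client needs to prove possession of the key during the handshake. I would change the two lines to `keyUsage = digitalSignature, keyEncipherment` and `extendedKeyUsage = clientAuth` before this CSR is submitted, because re-issuing a production certificate from an external CA is expensive. Whether the server side identifies this client by CN alone or expects a `subjectAltName` is not visible here; if a SAN is required, it should be added to `[v3_req]` too. The file is otherwise identical to the other three environment requests apart from the CN.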
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
[req]
2+
default_bits = 4096
3+
distinguished_name = req_distinguished_name
4+
req_extensions = v3_req
5+
prompt = no
6+
7+
[req_distinguished_name]
8+
C = GB
9+
ST = West Yorkshire
10+
L = Leeds
11+
O = NHS England
12+
OU = National Document Repository
13+
CN = lgclient.test.ndr.national.nhs.uk
14+
15+
[v3_req]
16+
keyUsage = keyEncipherment, dataEncipherment
17+
extendedKeyUsage = serverAuth
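Review bot: The test-environment request (`CN = lgclient.test.ndr.national.nhs.uk`) carries the same mismatch as its siblings: it asks for `extendedKeyUsage = serverAuth` and `keyUsage = keyEncipherment, dataEncipherment`, but a certificate presented by a TLS client needs `clientAuth` and `digitalSignature`. Correcting it to `keyUsage = digitalSignature, keyEncipherment` and `extendedKeyUsage = clientAuth` matters here as well, otherwise the test environment will not exercise the same handshake path as production. `dataEncipherment` has no role in TLS and can be dropped. I am inferring the client role from the `lgclient` CN and the mTLS wording elsewhere in this commit; if this certificate is in fact meant to be presented by a server, the CN and description should say so.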
