Merge branch 'main' into DFC-319-add-analytics-package

ci/terraform/authdev1.tfvars

@@ -22,6 +22,10 @@ frontend_auto_scaling_min_count  = 1
 frontend_auto_scaling_max_count  = 2
 ecs_desired_count                = 1
 
+#cloudfront  flag 
+cloudfront_auth_frontend_enabled = true
+cloudfront_auth_dns_enabled      = true
+
 alb_idle_timeout = 30
 
 url_for_support_links = "https://home.build.account.gov.uk/contact-gov-uk-one-login"

ci/terraform/authdev2.tfvars

@@ -22,6 +22,10 @@ frontend_auto_scaling_min_count  = 1
 frontend_auto_scaling_max_count  = 2
 ecs_desired_count                = 1
 
+#cloudfront  flag 
+cloudfront_auth_frontend_enabled = true
+cloudfront_auth_dns_enabled      = true
+
 alb_idle_timeout = 30
 
 url_for_support_links = "https://home.build.account.gov.uk/contact-gov-uk-one-login"

ci/terraform/build.tfvars

@@ -5,6 +5,9 @@ frontend_auto_scaling_v2_enabled = true
 
 frontend_task_definition_cpu    = 512
 frontend_task_definition_memory = 1024
+frontend_auto_scaling_min_count = 4
+frontend_auto_scaling_max_count = 6
+ecs_desired_count               = 4
 
 alb_idle_timeout = 30
 
@@ -32,3 +35,7 @@ orch_to_auth_client_id          = "orchestrationAuth"
 orch_to_auth_audience           = "https://signin.build.account.gov.uk/"
 
 dynatrace_secret_arn = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables"
+
+#cloudfront enabled flag 
+cloudfront_auth_frontend_enabled = true
+cloudfront_auth_dns_enabled      = true

ci/terraform/cloudfront.tf

@@ -1,32 +1,37 @@
 resource "aws_cloudformation_stack" "cloudfront" {
   count = var.cloudfront_auth_frontend_enabled ? 1 : 0
   name  = "${var.environment}-auth-fe-cloudfront"
-  #using fixed version of template for now 
-  template_url = "https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/cloudfront-distribution/template.yaml?versionId=EKk9m9vMv10qF5vHzWZogFLnQQw6_Yjc"
+  #using fixed version of cloudfron disturbution template for now 
+  template_url = "https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/cloudfront-distribution/template.yaml?versionId=r_TJE_Uw3BHA0FFMX7WE84B39D9ucuG8"
 
   capabilities = ["CAPABILITY_NAMED_IAM"]
 
   parameters = {
-    AddWWWPrefix                   = var.Add_WWWPrefix
-    ApplyCloakingHeaderWAFToOrigin = var.Apply_CloakingHeader_WAFToOrigin
-    CloudFrontCertArn              = aws_acm_certificate.cloudfront_frontend_certificate[0].arn
-    CloudfrontWafAcl               = aws_wafv2_web_acl.frontend_cloudfront_waf_web_acl[0].arn
-    DistributionAlias              = local.frontend_fqdn
-    FraudHeaderEnabled             = var.Fraud_Header_Enabled
-    OriginCloakingHeader           = var.auth_origin_cloakingheader
-    OriginResourceArn              = aws_lb.frontend_alb.id
-    OriginWafAcl                   = "none"
-    PreviousOriginCloakingHeader   = var.previous_auth_origin_cloakingheader
-    StandardLoggingEnabled         = true
+    AddWWWPrefix                 = var.Add_WWWPrefix
+    CloudFrontCertArn            = aws_acm_certificate.cloudfront_frontend_certificate[0].arn
+    CloudfrontWafAcl             = aws_wafv2_web_acl.frontend_cloudfront_waf_web_acl[0].arn
+    DistributionAlias            = local.frontend_fqdn
+    FraudHeaderEnabled           = var.Fraud_Header_Enabled
+    OriginCloakingHeader         = var.auth_origin_cloakingheader
+    PreviousOriginCloakingHeader = var.previous_auth_origin_cloakingheader
+    StandardLoggingEnabled       = true
   }
   tags = local.default_tags
+
+  #ignoring below parameter as these parameter are been read via secret manager and terraform continually detects changes
+  # Note : we need to remove the below lifecycle if the Header are changed in Secret manager to appy new cloainking header value 
+  lifecycle {
+    ignore_changes = [parameters["OriginCloakingHeader"], parameters["PreviousOriginCloakingHeader"]]
+  }
+
 }
 
 resource "aws_cloudformation_stack" "cloudfront-monitoring" {
-  count        = var.cloudfront_auth_frontend_enabled ? 1 : 0
-  provider     = aws.cloudfront
-  name         = "${var.environment}-auth-fe-cloudfront-monitoring"
-  template_url = "https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/cloudfront-monitoring-alarm/template.yaml?z=${timestamp()}"
+  count    = var.cloudfront_auth_frontend_enabled ? 1 : 0
+  provider = aws.cloudfront
+  name     = "${var.environment}-auth-fe-cloudfront-monitoring"
+  #using fixed version of cloudfront monitoring  disturbution template for now 
+  template_url = "https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/cloudfront-monitoring-alarm/template.yaml?versionId=td2KHIlG7KGXl0mkMrRDkgBWxdXPEMZ."
 
   capabilities = ["CAPABILITY_NAMED_IAM"]
 

ci/terraform/integration.tfvars

@@ -5,10 +5,17 @@ frontend_auto_scaling_v2_enabled = true
 frontend_task_definition_cpu     = 512
 frontend_task_definition_memory  = 1024
 
-support_account_recovery      = "1"
-support_account_interventions = "1"
-support_authorize_controller  = "1"
-support_2fa_b4_password_reset = "1"
+support_account_recovery                            = "1"
+support_account_interventions                       = "1"
+support_authorize_controller                        = "1"
+support_2fa_b4_password_reset                       = "1"
+support_2hr_lockout                                 = "1"
+code_request_blocked_minutes                        = "120"
+account_recovery_code_entered_wrong_blocked_minutes = "120"
+code_entered_wrong_blocked_minutes                  = "120"
+email_entered_wrong_blocked_minutes                 = "120"
+password_reset_code_entered_wrong_blocked_minutes   = "120"
+reduced_code_block_duration_minutes                 = "15"
 
 url_for_support_links = "https://home.integration.account.gov.uk/contact-gov-uk-one-login"
 

ci/terraform/production.tfvars

@@ -2,16 +2,23 @@ environment         = "production"
 common_state_bucket = "digital-identity-prod-tfstate"
 redis_node_size     = "cache.m4.xlarge"
 
-frontend_auto_scaling_v2_enabled = true
-frontend_task_definition_cpu     = 512
-frontend_task_definition_memory  = 1024
-frontend_auto_scaling_min_count  = 4
-frontend_auto_scaling_max_count  = 240
-ecs_desired_count                = 4
-support_account_recovery         = "1"
-support_account_interventions    = "1"
-support_authorize_controller     = "1"
-support_2fa_b4_password_reset    = "1"
+frontend_auto_scaling_v2_enabled                    = true
+frontend_task_definition_cpu                        = 512
+frontend_task_definition_memory                     = 1024
+frontend_auto_scaling_min_count                     = 4
+frontend_auto_scaling_max_count                     = 240
+ecs_desired_count                                   = 4
+support_account_recovery                            = "1"
+support_account_interventions                       = "1"
+support_authorize_controller                        = "1"
+support_2fa_b4_password_reset                       = "1"
+support_2hr_lockout                                 = "1"
+code_request_blocked_minutes                        = "120"
+account_recovery_code_entered_wrong_blocked_minutes = "120"
+code_entered_wrong_blocked_minutes                  = "120"
+email_entered_wrong_blocked_minutes                 = "120"
+password_reset_code_entered_wrong_blocked_minutes   = "120"
+reduced_code_block_duration_minutes                 = "15"
 
 url_for_support_links = "https://home.account.gov.uk/contact-gov-uk-one-login"
 

ci/terraform/route53.tf

@@ -13,8 +13,8 @@ resource "aws_route53_record" "frontend" {
 
   alias {
     evaluate_target_health = false
-    name                   = aws_lb.frontend_alb.dns_name
-    zone_id                = aws_lb.frontend_alb.zone_id
+    name                   = var.cloudfront_auth_dns_enabled ? aws_cloudformation_stack.cloudfront[0].outputs["DistributionDomain"] : aws_lb.frontend_alb.dns_name
+    zone_id                = var.cloudfront_auth_dns_enabled ? var.cloudfront_zoneid : aws_lb.frontend_alb.zone_id
   }
 }
 
@@ -25,8 +25,8 @@ resource "aws_route53_record" "frontend_record" {
 
   alias {
     evaluate_target_health = false
-    name                   = aws_lb.frontend_alb.dns_name
-    zone_id                = aws_lb.frontend_alb.zone_id
+    name                   = var.cloudfront_auth_dns_enabled ? aws_cloudformation_stack.cloudfront[0].outputs["DistributionDomain"] : aws_lb.frontend_alb.dns_name
+    zone_id                = var.cloudfront_auth_dns_enabled ? var.cloudfront_zoneid : aws_lb.frontend_alb.zone_id
   }
 }
 
@@ -102,7 +102,7 @@ resource "aws_route53_record" "Cloudfront_frontend_record" {
 resource "aws_acm_certificate" "cloudfront_frontend_certificate" {
   provider          = aws.cloudfront
   count             = var.cloudfront_auth_frontend_enabled ? 1 : 0
-  domain_name       = aws_route53_record.frontend.name
+  domain_name       = local.frontend_fqdn
   validation_method = "DNS"
 
   tags = local.default_tags

ci/terraform/sandpit.tfvars

@@ -27,6 +27,7 @@ ecs_desired_count                = 1
 
 #cloudfront enabled flag 
 cloudfront_auth_frontend_enabled = true
+cloudfront_auth_dns_enabled      = true
 
 alb_idle_timeout = 30
 

ci/terraform/staging.tfvars

@@ -2,8 +2,9 @@ environment         = "staging"
 common_state_bucket = "di-auth-staging-tfstate"
 redis_node_size     = "cache.m4.xlarge"
 
-
+#cloudfront enabled flag 
 cloudfront_auth_frontend_enabled = true
+cloudfront_auth_dns_enabled      = true
 
 frontend_auto_scaling_v2_enabled                    = true
 frontend_task_definition_cpu                        = 1024

ci/terraform/variables.tf

@@ -286,6 +286,18 @@ variable "cloudfront_auth_frontend_enabled" {
   description = "Feature flag to control the creation cloudfront DNS record origin & Cloudfront Certificate"
 }
 
+variable "cloudfront_auth_dns_enabled" {
+  type        = bool
+  default     = false
+  description = "Feature flag to control the switch of DNS record to  cloudfront"
+}
+
+variable "cloudfront_zoneid" {
+  type        = string
+  default     = "Z2FDTNDATAQYW2"
+  description = "This global zone id of  CloudFront distribution "
+}
+
 variable "auth_origin_cloakingheader" {
   type        = string
   sensitive   = true
@@ -304,12 +316,6 @@ variable "Add_WWWPrefix" {
   description = "flag to to add subdomain (www) to the frontend url eg www.signin.sandpit.account.gov.uk"
 }
 
-variable "Apply_CloakingHeader_WAFToOrigin" {
-  type        = bool
-  default     = false
-  description = "flag to add a cloacking header WAf to ALB so only requiest comming from cloudfront are allowed "
-}
-
 variable "Fraud_Header_Enabled" {
   type        = bool
   default     = false

ci/terraform/waf-cf.tf

@@ -477,7 +477,7 @@ resource "aws_wafv2_web_acl_logging_configuration" "frontend_cloudfront_waf_logg
   resource_arn            = aws_wafv2_web_acl.frontend_cloudfront_waf_web_acl[0].arn
 
   logging_filter {
-    default_behavior = "DROP"
+    default_behavior = "KEEP"
 
     filter {
       behavior = "KEEP"
@@ -497,7 +497,7 @@ resource "aws_wafv2_web_acl_logging_configuration" "frontend_cloudfront_waf_logg
 resource "aws_cloudwatch_log_subscription_filter" "frontend_cloudfront_waf_subscription" {
   provider = aws.cloudfront
 
-  count           = var.cloudfront_auth_frontend_enabled ? 1 : 0
+  count           = var.cloudfront_auth_frontend_enabled && var.environment == "production" || var.environment == "staging" ? 1 : 0
   name            = "${aws_cloudwatch_log_group.frontend_cloudfront_waf_log_group[0].name}-splunk-subscription-${count.index}"
   log_group_name  = aws_cloudwatch_log_group.frontend_cloudfront_waf_log_group[0].name
   filter_pattern  = ""

ci/terraform/waf.tf

@@ -34,6 +34,10 @@ resource "aws_wafv2_ip_set" "gds_ip_set" {
   tags = local.default_tags
 }
 
+locals {
+  cloudfront_origin_cloaking_header_name = "origin-cloaking-secret"
+}
+
 resource "aws_wafv2_web_acl" "frontend_alb_waf_regional_web_acl" {
   name  = "${var.environment}-frontend-alb-waf-web-acl"
   scope = "REGIONAL"
@@ -82,6 +86,49 @@ resource "aws_wafv2_web_acl" "frontend_alb_waf_regional_web_acl" {
       rate_based_statement {
         limit              = var.environment == "staging" ? 20000000 : 25000
         aggregate_key_type = "IP"
+        scope_down_statement {
+          and_statement {
+            statement {
+              not_statement {
+                statement {
+                  byte_match_statement {
+                    field_to_match {
+                      single_header {
+                        name = local.cloudfront_origin_cloaking_header_name
+                      }
+                    }
+                    positional_constraint = "EXACTLY"
+                    search_string         = var.auth_origin_cloakingheader
+                    text_transformation {
+                      priority = 0
+                      type     = "NONE"
+                    }
+                  }
+                }
+              }
+            }
+
+            statement {
+              not_statement {
+                statement {
+                  byte_match_statement {
+                    field_to_match {
+                      single_header {
+                        name = local.cloudfront_origin_cloaking_header_name
+                      }
+                    }
+                    positional_constraint = "EXACTLY"
+                    search_string         = var.previous_auth_origin_cloakingheader
+                    text_transformation {
+                      priority = 0
+                      type     = "NONE"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
       }
     }
     visibility_config {
@@ -404,7 +451,7 @@ resource "aws_wafv2_web_acl_logging_configuration" "frontend_alb_waf_logging_con
   resource_arn            = aws_wafv2_web_acl.frontend_alb_waf_regional_web_acl.arn
 
   logging_filter {
-    default_behavior = "DROP"
+    default_behavior = "KEEP"
 
     filter {
       behavior    = "KEEP"

docker-compose.frontend.yml

@@ -9,24 +9,18 @@ services:
       - "${DOCKER_FRONTEND_NODEMON_PORT:-9230}:${DOCKER_FRONTEND_NODEMON_PORT:-9230}"
     volumes:
       - ./:/app
+    env_file:
+      - .env
     environment:
-      ENVIRONMENT: ${ENVIRONMENT:?this should be set in your .env file.}
-
-      SESSION_EXPIRY: ${SESSION_EXPIRY:?this should be set in your .env file.}
-      SESSION_SECRET: ${SESSION_SECRET:?this should be set in your .env file.}
-
-      API_BASE_URL: ${API_BASE_URL:?this should be set in your .env file.}
-      API_KEY: ${API_KEY:?this should be set in your .env file.}
-      FRONTEND_API_BASE_URL: ${FRONTEND_API_BASE_URL:?this should be set in your .env file.}
-
       ANALYTICS_COOKIE_DOMAIN: localhost
 
-      SUPPORT_ACCOUNT_RECOVERY: ${SUPPORT_ACCOUNT_RECOVERY:?this should be set in your .env file.}
-
       AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID:?AWS_ACCESS_KEY_ID is required. This should be set by `startup.sh` so there may be an issue with the startup script.}
       AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY:?AWS_SECRET_ACCESS_KEY is required. This should be set by `startup.sh` so there may be an issue with the startup script.}
 
-      REDIS_PORT: ${DOCKER_REDIS_PORT:-6379}
+      # We ignore `.env` values here, as we're using the docker network for redis.
+      REDIS_PORT: 6379 # This is the default port for Redis
+      REDIS_HOST: redis # This is the name of the service in `docker-compose.yml`
+
       PORT: ${DOCKER_FRONTEND_PORT:-3000}
     restart: on-failure
     networks:

docker-compose.yml

@@ -6,7 +6,7 @@ services:
   redis:
     image: redis:6.0.5-alpine
     ports:
-      - "${DOCKER_REDIS_PORT:-6379}:6379"
+      - "${REDIS_PORT:-6379}:6379"
     networks:
       - di-net
 

local.Dockerfile

@@ -8,4 +8,4 @@ WORKDIR /app
 
 EXPOSE $PORT
 
-CMD yarn install && yarn copy-assets && yarn dev
+CMD yarn install && yarn test:dev-evironment-variables && yarn copy-assets && yarn dev