Merge pull request #2327 from govuk-one-login/AUT-3690

AUT-3690: Domain hosted zone and certificates deployed in two stages
govuk-one-login · Nov 20, 2024 · c95ad97 · c95ad97
2 parents 2fc9632 + 07fa592
commit c95ad97
Showing 1 changed file with 110 additions and 85 deletions.
diff --git a/cloudformation/domains/template.yaml b/cloudformation/domains/template.yaml
@@ -25,6 +25,24 @@ Parameters:
     ConstraintDescription: >
       must be a valid domain name, consists of lowercase letters, numbers and hyphens OR blank
 
+  DeployHostedZone:
+    Description: >
+      Deploy the Route53 hosted zone and associated SSM parameter
+    Type: String
+    Default: "Yes"
+    AllowedValues:
+      - "Yes"
+      - "No"
+
+  DeployCertificate:
+    Description: >
+      Deploy domain certificate and associated SSM parameter
+    Type: String
+    Default: "No"
+    AllowedValues:
+      - "Yes"
+      - "No"
+
 Conditions:
   CreateDevEnvironmentResources:
     Fn::Equals:
@@ -48,6 +66,57 @@ Conditions:
       - !Ref Environment
       - "production"
 
+  CreateDevHostedZone:
+    Fn::And:
+      - !Condition CreateDevEnvironmentResources
+      - Fn::Equals:
+        - !Ref DeployHostedZone
+        - "Yes"
+
+  CreateDevCertificate:
+    Fn::And:
+      - !Condition CreateDevEnvironmentResources
+      - Fn::Equals:
+        - !Ref DeployHostedZone
+        - "Yes"
+      - Fn::Equals:
+        - !Ref DeployCertificate
+        - "Yes"
+
+  CreateNonProdHostedZone:
+    Fn::And:
+      - !Condition CreateNonProdEnvironmentResources
+      - Fn::Equals:
+        - !Ref DeployHostedZone
+        - "Yes"
+
+  CreateNonProdCertificate:
+    Fn::And:
+      - !Condition CreateNonProdEnvironmentResources
+      - Fn::Equals:
+        - !Ref DeployHostedZone
+        - "Yes"
+      - Fn::Equals:
+        - !Ref DeployCertificate
+        - "Yes"
+
+  CreateProductionHostedZone:
+    Fn::And:
+      - !Condition CreateProductionEnvironmentResources
+      - Fn::Equals:
+        - !Ref DeployHostedZone
+        - "Yes"
+
+  CreateProductionCertificate:
+    Fn::And:
+      - !Condition CreateProductionEnvironmentResources
+      - Fn::Equals:
+        - !Ref DeployHostedZone
+        - "Yes"
+      - Fn::Equals:
+        - !Ref DeployCertificate
+        - "Yes"
+
 Mappings:
   EndpointConfigs:
     Auth:
@@ -71,29 +140,29 @@ Resources:
       - authdev2
     - ${EnvName}HostedZone:
         Type: AWS::Route53::HostedZone
-        Condition: CreateDevEnvironmentResources
+        Condition: CreateDevHostedZone
         DeletionPolicy: Retain
         UpdateReplacePolicy: Retain
         Properties:
           Name: !Sub ${EnvName}.${Environment}.account.gov.uk
 
       'Fn::ForEach::Endpoints':
         - Endpoint
-        - - auth
-          - manage
-          - oidc
-          - signin
+        - - signin
+          # - auth
+          # - manage
+          # - oidc
         - ${EnvName}${Endpoint}HostedZone:
             Type: AWS::Route53::HostedZone
-            Condition: CreateDevEnvironmentResources
+            Condition: CreateDevHostedZone
             DeletionPolicy: Retain
             UpdateReplacePolicy: Retain
             Properties:
               Name: !Sub ${Endpoint}.${EnvName}.${Environment}.account.gov.uk
 
           ${EnvName}${Endpoint}DevDelegation:
             Type: AWS::Route53::RecordSet
-            Condition: CreateDevEnvironmentResources
+            Condition: CreateDevHostedZone
             Properties:
               Name: !Sub ${Endpoint}.${EnvName}.${Environment}.account.gov.uk
               Type: NS
@@ -106,10 +175,10 @@ Resources:
 
           ${EnvName}${Endpoint}HostedZoneSSM:
             Type: AWS::SSM::Parameter
-            Condition: CreateDevEnvironmentResources
+            Condition: CreateDevHostedZone
             Properties:
               Description: !Sub "The ${Endpoint} subdomain Public Hosted Zone Id"
-              Name: !Sub "/deploy/${EnvName}/${Endpoint}_route53_hostedzone_id"
+              Name: !Sub "/deploy/${EnvName}/${Endpoint}${EndpointSuffix}_route53_hostedzone_id"
               Type: String
               Value: !Ref
                 'Fn::Sub': ${EnvName}${Endpoint}HostedZone
@@ -120,7 +189,7 @@ Resources:
 
           ${EnvName}${Endpoint}Certificate:
             Type: AWS::CertificateManager::Certificate
-            Condition: CreateDevEnvironmentResources
+            Condition: CreateDevCertificate
             Properties:
               DomainName: !Sub ${Endpoint}.${EnvName}.${Environment}.account.gov.uk
               DomainValidationOptions:
@@ -132,10 +201,10 @@ Resources:
 
           ${EnvName}${Endpoint}CertificateArnSSM:
             Type: AWS::SSM::Parameter
-            Condition: CreateDevEnvironmentResources
+            Condition: CreateDevCertificate
             Properties:
               Description: !Sub "The ${Endpoint} subdomain Certificate ARN"
-              Name: !Sub "/deploy/${EnvName}/${Endpoint}_certificate_arn"
+              Name: !Sub "/deploy/${EnvName}/${Endpoint}${EndpointSuffix}_certificate_arn"
               Type: String
               Value: !Ref
                 'Fn::Sub': ${EnvName}${Endpoint}Certificate
@@ -148,76 +217,32 @@ Resources:
   # Non-prod hosted zones and resources
   # ===================================
 
-  #
-  # auth
-  #
-  # TODO remove this when we retire and replace the -sp domains with the standard ones
-  AccountsAuthHostedZone:
-    Type: AWS::Route53::HostedZone
-    Condition: CreateNonProdEnvironmentResources
-    DeletionPolicy: Retain
-    UpdateReplacePolicy: Retain
-    Properties:
-      Name: !Sub auth${EndpointSuffix}.${Environment}.account.gov.uk
-
-  #
-  # managed
-  #
-  # TODO remove this when we retire and replace the -sp domains with the standard ones
-  AccountsManageHostedZone:
-    Type: AWS::Route53::HostedZone
-    Condition: CreateNonProdEnvironmentResources
-    DeletionPolicy: Retain
-    UpdateReplacePolicy: Retain
-    Properties:
-      Name: !Sub manage${EndpointSuffix}.${Environment}.account.gov.uk
-
-  #
-  # oidc
-  #
-  # TODO remove this when we retire and replace the -sp domains with the standard ones
-  AccountsOidcHostedZone:
-    Type: AWS::Route53::HostedZone
-    Condition: CreateNonProdEnvironmentResources
-    DeletionPolicy: Retain
-    UpdateReplacePolicy: Retain
-    Properties:
-      Name: !Sub oidc${EndpointSuffix}.${Environment}.account.gov.uk
-
-  #
-  # signin
-  #
-  # TODO remove this when we retire and replace the -sp domains with the standard ones
-  AccountsSigninHostedZone:
-    Type: AWS::Route53::HostedZone
-    Condition: CreateNonProdEnvironmentResources
-    DeletionPolicy: Retain
-    UpdateReplacePolicy: Retain
-    Properties:
-      Name: !Sub signin${EndpointSuffix}.${Environment}.account.gov.uk
-
   'Fn::ForEach::Endpoints':
     - Endpoint
-    - - Auth
-      - Manage
-      - Oidc
-      - Signin
-    # TODO uncomment this when we retire and replace the -sp domains with the standard ones
-    # - Accounts${Endpoint}HostedZone:
-    #     Type: AWS::Route53::HostedZone
-    #     Condition: CreateNonProdEnvironmentResources
-    #     DeletionPolicy: Retain
-    #     UpdateReplacePolicy: Retain
-    #     Properties:
-    #       Name: !Sub ${Endpoint}${EndpointSuffix}.${Environment}.account.gov.uk
-
-    - Accounts${Endpoint}HostedZoneSSM:
+    - - Signin
+      # - Auth
+      # - Manage
+      # - Oidc
+    - Accounts${Endpoint}HostedZone:
+        Type: AWS::Route53::HostedZone
+        Condition: CreateNonProdHostedZone
+        DeletionPolicy: Retain
+        UpdateReplacePolicy: Retain
+        Properties:
+          Name: !Sub
+            - ${lowercaseEndpoint}${EndpointSuffix}.${Environment}.account.gov.uk
+            - lowercaseEndpoint: !FindInMap
+              - EndpointConfigs
+              - !Ref Endpoint
+              - lowercaseName
+
+      Accounts${Endpoint}HostedZoneSSM:
         Type: AWS::SSM::Parameter
-        Condition: CreateNonProdEnvironmentResources
+        Condition: CreateNonProdHostedZone
         Properties:
           Description: !Sub "The ${Endpoint} subdomain Public Hosted Zone Id"
           Name: !Sub
-            - "/deploy/${Environment}/${lowercaseEndpoint}_route53_hostedzone_id"
+            - "/deploy/${Environment}/${lowercaseEndpoint}${EndpointSuffix}_route53_hostedzone_id"
             - lowercaseEndpoint: !FindInMap
               - EndpointConfigs
               - !Ref Endpoint
@@ -232,7 +257,7 @@ Resources:
 
       Accounts${Endpoint}Certificate:
         Type: AWS::CertificateManager::Certificate
-        Condition: CreateNonProdEnvironmentResources
+        Condition: CreateNonProdCertificate
         Properties:
           DomainName: !Sub ${Endpoint}${EndpointSuffix}.${Environment}.account.gov.uk
           DomainValidationOptions:
@@ -244,11 +269,11 @@ Resources:
 
       Accounts${Endpoint}CertificateArnSSM:
         Type: AWS::SSM::Parameter
-        Condition: CreateNonProdEnvironmentResources
+        Condition: CreateNonProdCertificate
         Properties:
           Description: !Sub "The ${Endpoint} subdomain Certificate ARN"
           Name: !Sub
-            - "/deploy/${Environment}/${lowercaseEndpoint}_certificate_arn"
+            - "/deploy/${Environment}/${lowercaseEndpoint}${EndpointSuffix}_certificate_arn"
             - lowercaseEndpoint: !FindInMap
               - EndpointConfigs
               - !Ref Endpoint
@@ -274,19 +299,19 @@ Resources:
       # - Oidc
     - Accounts${Endpoint}ProdHostedZone:
         Type: AWS::Route53::HostedZone
-        Condition: CreateProductionEnvironmentResources
+        Condition: CreateProductionHostedZone
         DeletionPolicy: Retain
         UpdateReplacePolicy: Retain
         Properties:
           Name: !Sub ${Endpoint}${EndpointSuffix}.account.gov.uk
 
       Accounts${Endpoint}ProdHostedZoneSSM:
         Type: AWS::SSM::Parameter
-        Condition: CreateProductionEnvironmentResources
+        Condition: CreateProductionHostedZone
         Properties:
           Description: !Sub "The ${Endpoint} subdomain Public Hosted Zone Id"
           Name: !Sub
-            - "/deploy/${Environment}/${lowercaseEndpoint}_route53_hostedzone_id"
+            - "/deploy/${Environment}/${lowercaseEndpoint}${EndpointSuffix}_route53_hostedzone_id"
             - lowercaseEndpoint: !FindInMap
               - EndpointConfigs
               - !Ref Endpoint
@@ -301,7 +326,7 @@ Resources:
 
       Accounts${Endpoint}ProdCertificate:
         Type: AWS::CertificateManager::Certificate
-        Condition: CreateProductionEnvironmentResources
+        Condition: CreateProductionCertificate
         Properties:
           DomainName: !Sub ${Endpoint}${EndpointSuffix}.account.gov.uk
           DomainValidationOptions:
@@ -313,11 +338,11 @@ Resources:
 
       Accounts${Endpoint}ProdCertificateArnSSM:
         Type: AWS::SSM::Parameter
-        Condition: CreateProductionEnvironmentResources
+        Condition: CreateProductionCertificate
         Properties:
           Description: !Sub "The ${Endpoint} subdomain Certificate ARN"
           Name: !Sub
-            - "/deploy/${Environment}/${lowercaseEndpoint}_certificate_arn"
+            - "/deploy/${Environment}/${lowercaseEndpoint}${EndpointSuffix}_certificate_arn"
             - lowercaseEndpoint: !FindInMap
               - EndpointConfigs
               - !Ref Endpoint