Merge branch 'main' of https://github.com/bcgov/nr-bcws-wfprev into feature/WFPREV-403

Author: ssylver93

.github/workflows/terragrunt-deploy.yml

@@ -134,7 +134,7 @@ jobs:
 
       - uses: peter-murray/terragrunt-github-action@v1.0.0
         with:
-          terragrunt_version: ${{ env.TG_VERSION }}  
+          terragrunt_version: ${{ env.TG_VERSION }}
 
       - name: Terragrunt Apply
         working-directory: ${{env.TG_SRC_PATH}}
@@ -179,6 +179,9 @@ jobs:
           # GDB Extractor Lambda Image
           WFPREV_GDB_EXTRACTOR_DIGEST: ${{ steps.getDigestGDB.outputs.GDB_EXTRACTOR_IMAGE }}
 
+          # AWS
+          AWS_ALERT_EMAIL_LIST: ${{ vars.AWS_ALERT_EMAIL_LIST }}
+
           #liquibase
           COMMAND: ${{ steps.liquibaseCommand.outputs.LIQUIBASE_COMMAND }}
           PROXY_COUNT: ${{ steps.changeLogCount.outputs.PROXY_COUNT }}

terraform/alarms.tf

@@ -0,0 +1,54 @@
+resource "aws_cloudwatch_metric_alarm" "high_latency" {
+  alarm_name          = "ALB-High-Latency"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "TargetResponseTime"
+  namespace           = "AWS/ApplicationELB"
+  period              = 60  # 1 min
+  statistic           = "Average"
+  threshold           = 1  # 1 second
+
+  dimensions = {
+    LoadBalancer = aws_lb.wfprev_main.arn_suffix
+  }
+
+  alarm_description = "ALB target response time is high"
+  alarm_actions     = [aws_sns_topic.alb_alerts.arn]
+}
+
+resource "aws_cloudwatch_metric_alarm" "unhealthy_targets" {
+  alarm_name          = "ALB-Unhealthy-Targets"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "UnHealthyHostCount"
+  namespace           = "AWS/ApplicationELB"
+  period              = 60
+  statistic           = "Average"
+  threshold           = 0
+
+  dimensions = {
+    TargetGroup  = aws_alb_target_group.wfprev_api.arn_suffix
+    LoadBalancer = aws_lb.wfprev_main.arn_suffix
+  }
+
+  alarm_description = "ALB has unhealthy targets"
+  alarm_actions     = [aws_sns_topic.alb_alerts.arn]
+}
+
+resource "aws_sns_topic" "alb_alerts" {
+  name = "wfprev-alb-alerts"
+}
+
+# List of emails
+locals {
+  alert_emails = split(",", var.AWS_ALERT_EMAIL_LIST)
+}
+
+# Create subscriptions for each email
+resource "aws_sns_topic_subscription" "alb_alerts_emails" {
+  for_each = toset(local.alert_emails)
+
+  topic_arn = aws_sns_topic.alb_alerts.arn
+  protocol  = "email"
+  endpoint  = trim(each.key, " ") 
+}

terraform/alb.tf

@@ -34,6 +34,12 @@ resource "aws_lb" "wfprev_main" {
     Environment = "${var.TARGET_ENV}"
   }
 
+  access_logs {
+    bucket  = aws_s3_bucket.alb_logs.bucket
+    prefix  = "wfprev-${var.TARGET_ENV}"
+    enabled = true
+  }
+
 }
 
 //////////////////////////
@@ -45,10 +51,27 @@ resource "aws_lb_listener" "wfprev_main" {
   protocol          = "HTTP"
 
   default_action {
-    type             = "fixed-response"
+    type = "redirect"
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301" # Any HTTP request gets a 301 redirect to HTTPS
+    }
+  }
+}
+
+resource "aws_lb_listener" "wfprev_main_https" {
+  load_balancer_arn = aws_lb.wfprev_main.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = aws_acm_certificate_validation.domain_certificate_validation_ca.certificate_arn
+
+  default_action {
+    type = "fixed-response"
     fixed_response {
       content_type = "text/plain"
-      status_code = 404
+      status_code  = 404
     }
   }
 }
@@ -81,14 +104,22 @@ resource "aws_alb_target_group" "wfprev_api" {
   target_type          = "ip"
   deregistration_delay = 30
 
+  stickiness {
+    enabled         = true
+    type            = "lb_cookie"
+    cookie_duration = 3600  # 1 hour session persistence
+  }
+
   health_check {
     healthy_threshold   = "2"
-    interval            = "300"
+    interval            = "30"
     protocol            = "HTTP"
     matcher             = "200"
-    timeout             = "3"
+    timeout             = "5"
     path                = "/${aws_apigatewayv2_stage.wfprev_stage.name}/actuator/health"
     unhealthy_threshold = "2"
   }
 }
 
+
+

terraform/certificate_manager.tf

@@ -16,3 +16,20 @@ resource "aws_acm_certificate_validation" "domain_certificate_validation" {
 
   provider = aws.aws-us
 }
+
+//NOTE: CA certificate is needed for ALB listener
+resource "aws_acm_certificate" "wfprev_domain_certificate_ca" {
+  domain_name       = data.aws_route53_zone.wfprev_route53_zone.name
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  provider = aws  # The default provider (ca-central-1)
+}
+
+resource "aws_acm_certificate_validation" "domain_certificate_validation_ca" {
+  certificate_arn         = aws_acm_certificate.wfprev_domain_certificate_ca.arn
+  validation_record_fqdns = [for record in aws_route53_record.cert_validation_record_ca : record.fqdn]
+}

terraform/cloudfront.tf

@@ -107,6 +107,12 @@ resource "aws_cloudfront_distribution" "wfprev_app_distribution" {
       restriction_type = "none"
     }
   }
+
+  logging_config {
+    bucket = data.aws_s3_bucket.cloudfront_logs.bucket_domain_name
+    include_cookies = false
+    prefix = "cloudfront-logs/"
+  }
 }
 
 resource "aws_cloudfront_function" "rewrite_uri" {
@@ -123,6 +129,10 @@ resource "aws_cloudfront_function" "rewrite_uri" {
 EOF
 }
 
+data "aws_s3_bucket" "cloudfront_logs" {
+  bucket = "wfprev-${var.TARGET_ENV}-cloudfront-logs"
+}
+
 output "cloudfront_distribution_id" {
   value = aws_cloudfront_distribution.wfprev_app_distribution.id
 }

terraform/route53_dns.tf

@@ -18,6 +18,24 @@ resource "aws_route53_record" "cert_validation_record" {
   ttl = 300
 }
 
+// ca-central-1 cert validation for ALB listener
+resource "aws_route53_record" "cert_validation_record_ca" {
+  for_each = {
+    for dvo in aws_acm_certificate.wfprev_domain_certificate_ca.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  name    = each.value.name
+  type    = each.value.type
+  records = [each.value.record]
+  ttl     = 300
+  zone_id = data.aws_route53_zone.wfprev_route53_zone.zone_id
+  allow_overwrite = true
+}
+
 resource "aws_route53_record" "wfprev_vanity_url" {
   zone_id = data.aws_route53_zone.wfprev_route53_zone.id
   name    = "wfprev-${var.TARGET_ENV}.${var.gov_domain}"

terraform/s3.tf

@@ -13,6 +13,35 @@ resource "aws_s3_bucket" "wfprev_site_bucket" {
   }
 }
 
+resource "aws_s3_bucket" "alb_logs" {
+  bucket = "wfprev-${var.TARGET_ENV}-alb-logs-bucket"
+
+  force_destroy = true
+
+  tags = {
+    Environment = var.TARGET_ENV
+  }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "alb_logs_lifecycle" {
+  bucket = aws_s3_bucket.alb_logs.id
+
+  rule {
+    id     = "expire-alb-logs"
+    status = "Enabled"
+
+    filter {}  # Empty filter means apply to all objects
+
+    expiration {
+      days = 90
+    }
+
+    noncurrent_version_expiration {
+      noncurrent_days = 30
+    }
+  }
+}
+
 # Uploading assets. This shouldn't be needed because we'll push them up from the 
 # github action, vs having terraform fetch them
 #resource "aws_s3_object" "upload-assets" {
@@ -58,6 +87,31 @@ resource "aws_s3_bucket_policy" "wfprev_site_bucket_policy" {
   })
 }
 
+resource "aws_s3_bucket_policy" "alb_logs_policy" {
+  bucket = aws_s3_bucket.alb_logs.id
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid    = "AWSALBLoggingPermissions"
+        Effect = "Allow"
+        Principal = {
+          Service = [
+            "logdelivery.elasticloadbalancing.amazonaws.com",
+            "elasticloadbalancing.amazonaws.com"
+          ],
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action = "s3:PutObject"
+        Resource = "${aws_s3_bucket.alb_logs.arn}/*"
+      }
+    ]
+  })
+}
+
+data "aws_caller_identity" "current" {}
+
 output "s3_bucket_name" {
   value = aws_s3_bucket.wfprev_site_bucket.bucket
 }

terraform/terragrunt.hcl

@@ -45,7 +45,9 @@ WFPREV_GDB_FUNCTION_NAME = "${get_env("WFPREV_GDB_FUNCTION_NAME")}"
 OPENMAPS_URL = "${get_env("OPENMAPS_URL")}"
 server_count = "${get_env("server_count")}"
 
+# AWS
 TARGET_AWS_ACCOUNT_ID = "${get_env("TARGET_AWS_ACCOUNT_ID")}"
+AWS_ALERT_EMAIL_LIST = "${get_env("AWS_ALERT_EMAIL_LIST")}"
 
 # client
 WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET = "${get_env("WEBADE_OAUTH2_WFPREV_UI_CLIENT_SECRET")}"

terraform/variables.tf

@@ -82,6 +82,11 @@ variable "AWS_REGION" {
   default     = "ca-central-1"
 }
 
+variable "AWS_ALERT_EMAIL_LIST" {
+  type = string
+  description = "Comma-separated list of email addresses for AWS alerts"
+}
+
 variable "WEBADE_OAUTH2_REST_CLIENT_ID" {
   type    = string
   default = ""