feat!: DBTP-1395 Add CloudFront and application load balancer origin …

…verification secret for IP Filter spoofing (#273) Co-authored-by: Jayesh Patel <[email protected]> Co-authored-by: Tony Griffin <[email protected]> Co-authored-by: tony griffin <[email protected]> Co-authored-by: John Stainsby <[email protected]> Co-authored-by: Kate Sugden <[email protected]>
uktrade · Jan 9, 2025 · 7c182e0 · 7c182e0
1 parent 86087df
commit 7c182e0
Show file tree

Hide file tree

Showing 23 changed files with 2,795 additions and 22 deletions.
diff --git a/.envrc.sample b/.envrc.sample
@@ -1,3 +1,3 @@
-export AWS_PROFILE=sandbox
+export AWS_PROFILE=platform-sandbox
 export AWS_REGION=eu-west-2
 export AWS_DEFAULT_REGION=eu-west-2
diff --git a/.gitignore b/.gitignore
@@ -8,4 +8,6 @@
 *.DS_Store
 *.env*
 *venv*
+*slack*
+!slack_service.py
 __pycache__
diff --git a/.tool-versions b/.tool-versions
@@ -1,2 +1,3 @@
 terraform 1.9.6
-python 3.12.2
+python 3.12.4
+direnv 2.35.0
diff --git a/.trufflehogignore b/.trufflehogignore
@@ -2,3 +2,7 @@
 .playwright-browsers
 poetry.lock
 .terraform
+slack_sdk
+venv
+.env
+.zip
diff --git a/application-load-balancer/lambda_function/rotate_secret_lambda.py b/application-load-balancer/lambda_function/rotate_secret_lambda.py
@@ -0,0 +1,37 @@
+import boto3
+import logging
+
+from secret_rotator import SecretRotator
+
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+service_client = boto3.client('secretsmanager')
+
+
+def lambda_handler(event, context):
+    secret_id = event.get('SecretId')
+    step = event.get('Step')
+    token = event.get('ClientRequestToken')
+
+    if not secret_id:
+        logger.error("Unable to determine SecretId.")
+        raise ValueError("Unable to determine SecretId.")
+
+    rotator = SecretRotator(logger=logger)
+
+    if step == "createSecret":
+        logger.info("Entered createSecret step")
+        rotator.create_secret(service_client, secret_id, token)
+    elif step == "setSecret":
+        logger.info("Entered setSecret step")
+        rotator.set_secret(service_client, secret_id, token)
+    elif step == "testSecret":
+        logger.info("Entered testSecret step")
+        rotator.run_test_secret(service_client, secret_id, token, event.get('TestDomains', []))
+    elif step == "finishSecret":
+        logger.info("Entered finishSecret step")
+        rotator.finish_secret(service_client, secret_id, token)
+    else:
+        logger.error(f"Invalid step parameter: {step}")
+        raise ValueError(f"Invalid step parameter: {step}")