feat: setup AWS Shield Advanced (#607)

Add configuration to setup AWS Shield Advanced protection for the
CloudFront distribution and Route53 hosted zone.

Author: patheard

terragrunt/aws/alarms/inputs.tf

@@ -8,6 +8,11 @@ variable "route53_health_check_api_id" {
   type        = string
 }
 
+variable "route53_hosted_zone_id" {
+  description = "ID of the Route53 hosted zone"
+  type        = string
+}
+
 variable "s3_scan_object_log_group_name" {
   description = "CloudWatch log group name for the S3 scan object lambda function"
   type        = string
@@ -50,7 +55,6 @@ variable "sentinel_shared_key" {
   description = "Sentinel customer ID"
 }
 
-
 variable "slack_webhook_url" {
   description = "Slack webhook URL that will be used to send notifications"
   type        = string

terragrunt/aws/alarms/shield_advanced.tf

@@ -0,0 +1,24 @@
+resource "aws_shield_protection" "cloudfront_api" {
+  name         = "CloudFrontAPI"
+  resource_arn = "arn:aws:cloudfront::${var.account_id}:distribution/${var.api_cloudfront_distribution_id}"
+
+  tags = {
+    CostCentre = var.billing_code
+    Terraform  = true
+  }
+}
+
+resource "aws_shield_protection" "route53_hosted_zone" {
+  name         = "Route53HostedZone"
+  resource_arn = "arn:aws:route53:::hostedzone/${var.route53_hosted_zone_id}"
+
+  tags = {
+    CostCentre = var.billing_code
+    Terraform  = true
+  }
+}
+
+resource "aws_shield_protection_health_check_association" "cloudfront_api" {
+  health_check_arn     = "arn:aws:route53:::healthcheck/${var.route53_health_check_api_id}"
+  shield_protection_id = aws_shield_protection.cloudfront_api.id
+}

terragrunt/env/production/alarms/terragrunt.hcl

@@ -3,7 +3,17 @@ terraform {
 }
 
 dependencies {
-  paths = ["../api", "../s3_scan_object"]
+  paths = ["../hosted_zone", "../api", "../s3_scan_object"]
+}
+
+dependency "hosted_zone" {
+  config_path = "../hosted_zone"
+
+  mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
+  mock_outputs_merge_strategy_with_state  = "shallow"
+  mock_outputs = {
+    hosted_zone_id = ""
+  }
 }
 
 dependency "api" {
@@ -29,6 +39,8 @@ dependency "s3_scan_object" {
 }
 
 inputs = {
+  route53_hosted_zone_id = dependency.hosted_zone.outputs.hosted_zone_id
+
   s3_scan_object_log_group_name  = dependency.s3_scan_object.outputs.function_log_group_name
   scan_files_api_log_group_name  = dependency.api.outputs.function_log_group_name
   route53_health_check_api_id    = dependency.api.outputs.route53_health_check_api_id

terragrunt/env/staging/alarms/terragrunt.hcl

@@ -3,7 +3,17 @@ terraform {
 }
 
 dependencies {
-  paths = ["../api", "../s3_scan_object"]
+  paths = ["../hosted_zone", "../api", "../s3_scan_object"]
+}
+
+dependency "hosted_zone" {
+  config_path = "../hosted_zone"
+
+  mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
+  mock_outputs_merge_strategy_with_state  = "shallow"
+  mock_outputs = {
+    hosted_zone_id = ""
+  }
 }
 
 dependency "api" {
@@ -29,6 +39,8 @@ dependency "s3_scan_object" {
 }
 
 inputs = {
+  route53_hosted_zone_id = dependency.hosted_zone.outputs.hosted_zone_id
+
   s3_scan_object_log_group_name  = dependency.s3_scan_object.outputs.function_log_group_name
   scan_files_api_log_group_name  = dependency.api.outputs.function_log_group_name
   route53_health_check_api_id    = dependency.api.outputs.route53_health_check_api_id