NHSDigital · aidenvaines-cgi · Aug 15, 2025 · Aug 15, 2025 · Aug 15, 2025 · Aug 15, 2025
@@ -8,8 +8,13 @@ runs:
         components_exit_code=0
         modules_exit_code=0
 
-        ./scripts/terraform/trivy.sh ./infrastructure/terraform/components || components_exit_code=$?
-        ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$?
+        if [ -d ./infrastructure/terraform/components ]; then
+          ./scripts/terraform/trivy.sh ./infrastructure/terraform/components || components_exit_code=$?
+        fi
+
+        if [ -d ./infrastructure/terraform/modules ]; then
+          ./scripts/terraform/trivy.sh ./infrastructure/terraform/modules || modules_exit_code=$?
+        fi
 
         if [ $components_exit_code -ne 0 ] || [ $modules_exit_code -ne 0 ]; then
           echo "Trivy misconfigurations detected."

@@ -0,0 +1,40 @@
+<!-- BEGIN_TF_DOCS -->
+<!-- markdownlint-disable -->
+<!-- vale off -->
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.10.1 |
+| <a name="requirement_tls"></a> [tls](#requirement\_tls) | 4.1.0 |
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
+| <a name="input_component"></a> [component](#input\_component) | The name of the tfscaffold component | `string` | n/a | yes |
+| <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | A unique name to distinguish this module invocation from others within the same CSI scope | `string` | n/a | yes |
+| <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
+| <a name="input_subject_common_name"></a> [subject\_common\_name](#input\_subject\_common\_name) | Common name for certificate subject | `string` | n/a | yes |
+| <a name="input_subject_country"></a> [subject\_country](#input\_subject\_country) | Country for certificate subject | `string` | `"GB"` | no |
+| <a name="input_subject_locality"></a> [subject\_locality](#input\_subject\_locality) | Locality for certificate subject | `string` | `"Leeds"` | no |
+| <a name="input_subject_organization"></a> [subject\_organization](#input\_subject\_organization) | Organization for certificate subject | `string` | `"NHS England"` | no |
+| <a name="input_subject_organizational_unit"></a> [subject\_organizational\_unit](#input\_subject\_organizational\_unit) | Organizational unit for certificate subject | `string` | `"NHS Notify"` | no |
+| <a name="input_subject_province"></a> [subject\_province](#input\_subject\_province) | Province for certificate subject | `string` | `"West Yorkshire"` | no |
+## Modules
+
+No modules.
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cacert_pem"></a> [cacert\_pem](#output\_cacert\_pem) | Truststore |
+| <a name="output_server_crt"></a> [server\_crt](#output\_server\_crt) | Server Certificate |
+| <a name="output_server_key"></a> [server\_key](#output\_server\_key) | Server Key |
+<!-- vale on -->
+<!-- markdownlint-enable -->
+<!-- END_TF_DOCS -->
@@ -0,0 +1,24 @@
+locals {
+  module = "ssl"
+
+  # Compound Scope Identifier
+  csi = replace(
+    format(
+      "%s-%s-%s-%s",
+      var.project,
+      var.environment,
+      var.component,
+      var.name
+    ),
+    "_",
+    "",
+  )
+
+  default_tags = merge(
+    var.default_tags,
+    {
+      Module = local.module
+      Name   = local.csi
+    },
+  )
+}
@@ -0,0 +1,17 @@
+output "server_crt" {
+  description = "Server Certificate"
+  value       = tls_locally_signed_cert.integration_testing_client_cert.cert_pem
+  sensitive   = true
+}
+
+output "server_key" {
+  description = "Server Key"
+  value       = tls_private_key.integration_testing_client_key.private_key_pem
+  sensitive   = true
+}
+
+output "cacert_pem" {
+  description = "Truststore"
+  value       = tls_self_signed_cert.ca_cert.cert_pem
+  sensitive   = true
+}
@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.1.0"
+    }
+  }
+}
@@ -0,0 +1,9 @@
+resource "aws_ssm_parameter" "ca_crt" {
+  name  = format("/%s/%s/${local.module}/ca-crt", var.project, var.environment)
+  type  = "SecureString"
+  value = tls_self_signed_cert.ca_cert.cert_pem
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
@@ -0,0 +1,9 @@
+resource "aws_ssm_parameter" "ca_key" {
+  name  = format("/%s/%s/${local.module}/ca-key", var.project, var.environment)
+  type  = "SecureString"
+  value = tls_private_key.ca_key.private_key_pem
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
@@ -0,0 +1,9 @@
+resource "aws_ssm_parameter" "server_crt" {
+  name  = format("/%s/%s/${local.module}/server-crt", var.project, var.environment)
+  type  = "SecureString"
+  value = tls_locally_signed_cert.integration_testing_client_cert.cert_pem
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
@@ -0,0 +1,9 @@
+resource "aws_ssm_parameter" "server_key" {
+  name  = format("/%s/%s/${local.module}/server-key", var.project, var.environment)
+  type  = "SecureString"
+  value = tls_private_key.integration_testing_client_key.private_key_pem
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
@@ -0,0 +1,19 @@
+resource "tls_cert_request" "server_csr" {
+
+  private_key_pem = tls_private_key.integration_testing_client_key.private_key_pem
+
+  dns_names = [var.subject_common_name]
+
+  subject {
+    country             = var.subject_country
+    province            = var.subject_province
+    locality            = var.subject_locality
+    common_name         = var.subject_common_name
+    organization        = var.subject_organization
+    organizational_unit = var.subject_organizational_unit
+  }
+
+  depends_on = [
+    tls_private_key.integration_testing_client_key,
+  ]
+}
@@ -0,0 +1,21 @@
+resource "tls_locally_signed_cert" "integration_testing_client_cert" {
+  cert_request_pem   = tls_cert_request.server_csr.cert_request_pem
+  ca_private_key_pem = tls_private_key.ca_key.private_key_pem
+  ca_cert_pem        = tls_self_signed_cert.ca_cert.cert_pem
+
+  validity_period_hours = 8760
+
+  allowed_uses = [
+    "digital_signature",
+    "key_encipherment",
+    "server_auth",
+    "client_auth",
+  ]
+
+  depends_on = [
+    tls_private_key.ca_key,
+    tls_self_signed_cert.ca_cert,
+    tls_private_key.integration_testing_client_key,
+    tls_cert_request.server_csr
+  ]
+}
@@ -0,0 +1,4 @@
+resource "tls_private_key" "ca_key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
@@ -0,0 +1,4 @@
+resource "tls_private_key" "integration_testing_client_key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
@@ -0,0 +1,22 @@
+resource "tls_self_signed_cert" "ca_cert" {
+  private_key_pem = tls_private_key.ca_key.private_key_pem
+
+  is_ca_certificate = true
+
+  subject {
+    country             = var.subject_country
+    province            = var.subject_province
+    locality            = var.subject_locality
+    common_name         = var.subject_common_name
+    organization        = var.subject_organization
+    organizational_unit = var.subject_organizational_unit
+  }
+
+  validity_period_hours = 17520
+
+  allowed_uses = [
+    "digital_signature",
+    "cert_signing",
+    "crl_signing",
+  ]
+}
@@ -0,0 +1,82 @@
+##
+# Basic Required Variables for tfscaffold Modules
+##
+
+variable "project" {
+  type        = string
+  description = "The name of the tfscaffold project"
+}
+
+variable "environment" {
+  type        = string
+  description = "The name of the tfscaffold environment"
+}
+
+variable "component" {
+  type        = string
+  description = "The name of the tfscaffold component"
+}
+
+variable "aws_account_id" {
+  type        = string
+  description = "The AWS Account ID (numeric)"
+}
+
+variable "region" {
+  type        = string
+  description = "The AWS Region"
+}
+
+##
+# tfscaffold variables specific to this module
+##
+
+variable "default_tags" {
+  type        = map(string)
+  description = "A map of default tags to apply to all taggable resources within the component"
+  default     = {}
+}
+
+##
+# Variables specific to this module
+##
+
+variable "name" {
+  type        = string
+  description = "A unique name to distinguish this module invocation from others within the same CSI scope"
+}
+
+variable "subject_country" {
+  type        = string
+  description = "Country for certificate subject"
+  default     = "GB"
+}
+
+variable "subject_province" {
+  type        = string
+  description = "Province for certificate subject"
+  default     = "West Yorkshire"
+}
+
+variable "subject_locality" {
+  type        = string
+  description = "Locality for certificate subject"
+  default     = "Leeds"
+}
+
+variable "subject_common_name" {
+  type        = string
+  description = "Common name for certificate subject"
+}
+
+variable "subject_organization" {
+  type        = string
+  description = "Organization for certificate subject"
+  default     = "NHS England"
+}
+
+variable "subject_organizational_unit" {
+  type        = string
+  description = "Organizational unit for certificate subject"
+  default     = "NHS Notify"
+}
@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 1.10.1"
+}