From 51f21a250e5944d0842c11ad639e47af01eb834e Mon Sep 17 00:00:00 2001
From: Sam Ainsworth
Date: Thu, 9 Nov 2023 16:18:33 +0000
Subject: [PATCH] UML-3175 Move certificates to region (#2421)

---
 terraform/account/refactor.tf | 75 +++++++++++++++++++
 terraform/account/{ => region}/certificate.tf | 23 ++++++
 2 files changed, 98 insertions(+)
 rename terraform/account/{ => region}/certificate.tf (94%)

diff --git a/terraform/account/refactor.tf b/terraform/account/refactor.tf
index 49cf3757a0..923b320065 100644
--- a/terraform/account/refactor.tf
+++ b/terraform/account/refactor.tf
@@ -397,3 +397,78 @@ moved {
 from = aws_cloudwatch_log_group.workspace_cleanup_log
 to = module.workspace_cleanup_mrk.aws_cloudwatch_log_group.workspace_cleanup_log
 }
+
+moved {
+ from = aws_acm_certificate.certificate_admin
+ to = module.eu_west_1.aws_acm_certificate.certificate_admin
+}
+
+moved {
+ from = aws_acm_certificate.certificate_public_facing_use
+ to = module.eu_west_1.aws_acm_certificate.certificate_public_facing_use
+}
+
+moved {
+ from = aws_acm_certificate.certificate_public_facing_view
+ to = module.eu_west_1.aws_acm_certificate.certificate_public_facing_view
+}
+
+moved {
+ from = aws_acm_certificate.certificate_use
+ to = module.eu_west_1.aws_acm_certificate.certificate_use
+}
+
+moved {
+ from = aws_acm_certificate.certificate_view
+ to = module.eu_west_1.aws_acm_certificate.certificate_view
+}
+
+moved {
+ from = aws_acm_certificate_validation.certificate_public_facing_use
+ to = module.eu_west_1.aws_acm_certificate_validation.certificate_public_facing_use
+}
+
+moved {
+ from = aws_acm_certificate_validation.certificate_public_facing_view
+ to = module.eu_west_1.aws_acm_certificate_validation.certificate_public_facing_view
+}
+
+moved {
+ from = aws_acm_certificate_validation.certificate_validation_admin
+ to = module.eu_west_1.aws_acm_certificate_validation.certificate_validation_admin
+}
+
+moved {
+ from = aws_acm_certificate_validation.certificate_validation_use
+ to = module.eu_west_1.aws_acm_certificate_validation.certificate_validation_use
+}
+
+moved {
+ from = aws_acm_certificate_validation.certificate_view
+ to = module.eu_west_1.aws_acm_certificate_validation.certificate_view
+}
+
+moved {
+ from = aws_route53_record.certificate_validation_admin["*.admin.lastingpowerofattorney.opg.service.justice.gov.uk"]
+ to = module.eu_west_1.aws_route53_record.certificate_validation_admin["*.admin.lastingpowerofattorney.opg.service.justice.gov.uk"]
+}
+
+moved {
+ from = aws_route53_record.certificate_validation_public_facing_use["*.use-lasting-power-of-attorney.service.gov.uk"]
+ to = module.eu_west_1.aws_route53_record.certificate_validation_public_facing_use["*.use-lasting-power-of-attorney.service.gov.uk"]
+}
+
+moved {
+ from = aws_route53_record.certificate_validation_public_facing_view["*.view-lasting-power-of-attorney.service.gov.uk"]
+ to = module.eu_west_1.aws_route53_record.certificate_validation_public_facing_view["*.view-lasting-power-of-attorney.service.gov.uk"]
+}
+
+moved {
+ from = aws_route53_record.certificate_validation_use["*.use.lastingpowerofattorney.opg.service.justice.gov.uk"]
+ to = module.eu_west_1.aws_route53_record.certificate_validation_use["*.use.lastingpowerofattorney.opg.service.justice.gov.uk"]
+}
+
+moved {
+ from = aws_route53_record.certificate_validation_view["*.view.lastingpowerofattorney.opg.service.justice.gov.uk"]
+ to = module.eu_west_1.aws_route53_record.certificate_validation_view["*.view.lastingpowerofattorney.opg.service.justice.gov.uk"]
+}
diff --git a/terraform/account/certificate.tf b/terraform/account/region/certificate.tf
similarity index 94%
rename from terraform/account/certificate.tf
rename to terraform/account/region/certificate.tf
index c1aa815da7..b6f9a51709 100644
--- a/terraform/account/certificate.tf
+++ b/terraform/account/region/certificate.tf
@@ -1,3 +1,6 @@
+locals {
+ dev_wildcard = var.account_name == "production" ? "" : "*."
+}
 data "aws_route53_zone" "opg_service_justice_gov_uk" {
 provider = aws.management
 name = "opg.service.justice.gov.uk"
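Review bot: The five `aws_route53_record` moves at the end of this hunk each pin a single instance key, and every key starts with `*.`, which, judging by the `dev_wildcard` local added in `region/certificate.tf`, is only produced in non-production accounts. If the records are keyed by the certificate domain name (the `for_each` is not visible in this diff), the production instances match none of these blocks and would be planned as a destroy and re-create of the DNS validation records rather than a state move. Moving the whole resource covers every key in every account: `from = aws_route53_record.certificate_validation_admin` with `to = module.eu_west_1.aws_route53_record.certificate_validation_admin`, and the same for the other four. The production plan should show only moves for these addresses before it is applied.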
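Review bot: `dev_wildcard` in the `@@ -1,3 +1,6 @@` hunk is an exact string comparison with no comment, so any account whose `account_name` is not literally `production` is issued wildcard certificates, and that rule is easy to miss because the value is interpolated into every `domain_name` further down. A comment above the local would make the intent explicit, for example `# Only the production account uses the bare hostname; every other account gets a "*." wildcard certificate.` A blank line between the closing `}` of `locals` and the `data` block would match the spacing between the other blocks in this file. `var.account_name` has to be declared inside the region module, and that declaration is not part of this diff; the `data` block also continues outside the hunk.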
@@ -37,11 +40,15 @@ resource "aws_route53_record" "certificate_validation_view" {
 resource "aws_acm_certificate_validation" "certificate_view" {
 certificate_arn = aws_acm_certificate.certificate_view.arn
 validation_record_fqdns = [for record in aws_route53_record.certificate_validation_view : record.fqdn]
+
+ provider = aws.region
 }
 
 resource "aws_acm_certificate" "certificate_view" {
 domain_name = "${local.dev_wildcard}view.lastingpowerofattorney.opg.service.justice.gov.uk"
 validation_method = "DNS"
+
+ provider = aws.region
 }
 
 resource "aws_route53_record" "certificate_validation_public_facing_view" {
@@ -65,11 +72,15 @@ resource "aws_route53_record" "certificate_validation_public_facing_view" {
 resource "aws_acm_certificate_validation" "certificate_public_facing_view" {
 certificate_arn = aws_acm_certificate.certificate_public_facing_view.arn
 validation_record_fqdns = [for record in aws_route53_record.certificate_validation_public_facing_view : record.fqdn]
+
+ provider = aws.region
 }
 
 resource "aws_acm_certificate" "certificate_public_facing_view" {
 domain_name = "${local.dev_wildcard}${data.aws_route53_zone.live_service_view_lasting_power_of_attorney.name}"
 validation_method = "DNS"
+
+ provider = aws.region
 }
 
 //------------------------
@@ -96,11 +107,15 @@ resource "aws_route53_record" "certificate_validation_use" {
 resource "aws_acm_certificate_validation" "certificate_validation_use" {
 certificate_arn = aws_acm_certificate.certificate_use.arn
 validation_record_fqdns = [for record in aws_route53_record.certificate_validation_use : record.fqdn]
+
+ provider = aws.region
 }
 
 resource "aws_acm_certificate" "certificate_use" {
 domain_name = "${local.dev_wildcard}use.lastingpowerofattorney.opg.service.justice.gov.uk"
 validation_method = "DNS"
+
+ provider = aws.region
 }
 
 resource "aws_route53_record" "certificate_validation_public_facing_use" {
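Review bot: The `aws_acm_certificate` blocks touched in these hunks are fully visible and carry no `lifecycle` block, so any later change that forces replacement (a different `domain_name`, for instance) would have Terraform delete the old certificate before its successor exists, which can fail or interrupt TLS while something still references it. Adding `lifecycle { create_before_destroy = true }` to `certificate_view`, `certificate_public_facing_view` and `certificate_use` here, and to `certificate_public_facing_use` and `certificate_admin` in the two hunks that follow, avoids that. On style, `provider = aws.region` is appended as the last argument, whereas the `data "aws_route53_zone"` block at the top of the file puts `provider` first; placing it first in these blocks too would keep the file consistent. The module's `configuration_aliases` entry for `aws.region` is not in this diff, so it is worth confirming that it exists and resolves to the region the certificates already live in.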
@@ -124,11 +139,15 @@ resource "aws_route53_record" "certificate_validation_public_facing_use" {
 resource "aws_acm_certificate_validation" "certificate_public_facing_use" {
 certificate_arn = aws_acm_certificate.certificate_public_facing_use.arn
 validation_record_fqdns = [for record in aws_route53_record.certificate_validation_public_facing_use : record.fqdn]
+
+ provider = aws.region
 }
 
 resource "aws_acm_certificate" "certificate_public_facing_use" {
 domain_name = "${local.dev_wildcard}${data.aws_route53_zone.live_service_use_lasting_power_of_attorney.name}"
 validation_method = "DNS"
+
+ provider = aws.region
 }
 
 
@@ -156,9 +175,13 @@ resource "aws_route53_record" "certificate_validation_admin" {
 resource "aws_acm_certificate_validation" "certificate_validation_admin" {
 certificate_arn = aws_acm_certificate.certificate_admin.arn
 validation_record_fqdns = [for record in aws_route53_record.certificate_validation_admin : record.fqdn]
+
+ provider = aws.region
 }
 
 resource "aws_acm_certificate" "certificate_admin" {
 domain_name = "${local.dev_wildcard}admin.lastingpowerofattorney.opg.service.justice.gov.uk"
 validation_method = "DNS"
+
+ provider = aws.region
 }