Add environment variables for One Login

infra/deployments/forms/forms-runner/main.tf

@@ -55,6 +55,7 @@ module "forms_runner" {
   ses_submission_email_from_email_address     = var.forms_runner_settings.ses_submission_email_from_email_address
   ses_submission_email_reply_to_email_address = var.forms_runner_settings.ses_submission_email_reply_to_email_address
   ses_submission_configuration_set_name       = data.terraform_remote_state.forms_ses.outputs.form_submissions_configuration_set_name
+  govuk_one_login_base_url                    = var.forms_runner_settings.govuk_one_login_base_url
   additional_submissions_to_s3_role_assumers  = local.allowed_submissions_to_s3_role_assumers
   additional_forms_runner_role_assumers       = local.allowed_forms_runner_role_assumers
   elasticache_port                            = data.terraform_remote_state.redis.outputs.elasticache_port

infra/deployments/forms/inputs.tf

@@ -175,6 +175,7 @@ variable "forms_runner_settings" {
     allow_human_readonly_roles_to_assume_submissions_to_runner_role = bool
     ses_submission_email_from_email_address                         = string
     ses_submission_email_reply_to_email_address                     = string
+    govuk_one_login_base_url                                        = string
     queue_worker_capacity                                           = string
     disable_builtin_solidqueue_worker                               = bool
     filler_answer_email_enabled                                     = bool

infra/deployments/forms/tfvars/dev.tfvars

@@ -105,6 +105,7 @@ forms_runner_settings = {
   allow_human_readonly_roles_to_assume_submissions_to_runner_role = true
   ses_submission_email_from_email_address                         = "no-reply@dev.forms.service.gov.uk"
   ses_submission_email_reply_to_email_address                     = "no-reply@dev.forms.service.gov.uk"
+  govuk_one_login_base_url                                        = "https://oidc.integration.account.gov.uk/"
   queue_worker_capacity                                           = 1
   disable_builtin_solidqueue_worker                               = true
   filler_answer_email_enabled                                     = false

infra/deployments/forms/tfvars/production.tfvars

@@ -161,6 +161,7 @@ forms_runner_settings = {
   allow_human_readonly_roles_to_assume_submissions_to_runner_role = false
   ses_submission_email_from_email_address                         = "no-reply@forms.service.gov.uk"
   ses_submission_email_reply_to_email_address                     = "no-reply@forms.service.gov.uk"
+  govuk_one_login_base_url                                        = "https://oidc.account.gov.uk/"
   queue_worker_capacity                                           = 6
   disable_builtin_solidqueue_worker                               = true
   filler_answer_email_enabled                                     = false

infra/deployments/forms/tfvars/staging.tfvars

@@ -70,6 +70,7 @@ forms_runner_settings = {
   allow_human_readonly_roles_to_assume_submissions_to_runner_role = false
   ses_submission_email_from_email_address                         = "no-reply@staging.forms.service.gov.uk"
   ses_submission_email_reply_to_email_address                     = "no-reply@staging.forms.service.gov.uk"
+  govuk_one_login_base_url                                        = "https://oidc.integration.account.gov.uk/"
   queue_worker_capacity                                           = 1
   disable_builtin_solidqueue_worker                               = true
   filler_answer_email_enabled                                     = false

infra/deployments/forms/tfvars/user-research.tfvars

@@ -66,6 +66,7 @@ forms_runner_settings = {
   opentelemetry_head_sampler_ratio                                = "0.1"
   ses_submission_email_from_email_address                         = "no-reply@research.forms.service.gov.uk"
   ses_submission_email_reply_to_email_address                     = "no-reply@research.forms.service.gov.uk"
+  govuk_one_login_base_url                                        = "https://oidc.integration.account.gov.uk/"
   allow_human_readonly_roles_to_assume_submissions_to_s3_role     = false
   allow_human_readonly_roles_to_assume_submissions_to_runner_role = false
   queue_worker_capacity                                           = 0

infra/modules/forms-runner/main.tf

@@ -211,6 +211,10 @@ module "ecs_service" {
       name  = "SETTINGS__SES_SUBMISSION_EMAIL__REPLY_TO_EMAIL_ADDRESS",
       value = var.ses_submission_email_reply_to_email_address
     },
+    {
+      name  = "SETTINGS__GOVUK_ONE_LOGIN_BASE_URL",
+      value = var.govuk_one_login_base_url
+    },
     {
       name  = "KMS_KEY_ID",
       value = aws_kms_alias.active_record_alias.name
@@ -250,6 +254,14 @@ module "ecs_service" {
     {
       name      = "SETTINGS__SUBMISSION_STATUS_API__SECRET"
       valueFrom = "arn:aws:ssm:eu-west-2:${data.aws_caller_identity.current.account_id}:parameter/forms-runner-${var.env_name}/submission_status_api_shared_secret"
+    },
+    {
+      name      = "SETTINGS__GOVUK_ONE_LOGIN__CLIENT_ID"
+      valueFrom = "arn:aws:ssm:eu-west-2:${data.aws_caller_identity.current.account_id}:parameter/forms-runner-${var.env_name}/govuk_one_login/client_id"
+    },
+    {
+      name      = "SETTINGS__GOVUK_ONE_LOGIN__PRIVATE_KEY"
+      valueFrom = "arn:aws:ssm:eu-west-2:${data.aws_caller_identity.current.account_id}:parameter/forms-runner-${var.env_name}/govuk_one_login/private_key"
     }
   ]
 }

infra/modules/forms-runner/parameters.tf

@@ -47,3 +47,37 @@ resource "aws_ssm_parameter" "sentry_dsn" {
     ]
   }
 }
+
+# GOV.UK One Login client ID
+# The client ID for the GOV.UK One Login service
+resource "aws_ssm_parameter" "govuk_one_login_client_id" {
+  #checkov:skip=CKV_AWS_337:KMS managed key is fine
+
+  name        = "/forms-runner-${var.env_name}/govuk_one_login/client_id"
+  description = "The GOV.UK One Login client ID for forms-runner in the ${var.env_name} environment"
+  type        = "SecureString"
+  value       = "dummy-value"
+
+  lifecycle {
+    ignore_changes = [
+      value
+    ]
+  }
+}
+
+# GOV.UK One Login private key
+# The base64 encoded private key for the GOV.UK One Login service
+resource "aws_ssm_parameter" "govuk_one_login_private_key" {
+  #checkov:skip=CKV_AWS_337:KMS managed key is fine
+
+  name        = "/forms-runner-${var.env_name}/govuk_one_login/private_key"
+  description = "The base64 encoded GOV.UK One Login private key for forms-runner in the ${var.env_name} environment"
+  type        = "SecureString"
+  value       = ""
+
+  lifecycle {
+    ignore_changes = [
+      value
+    ]
+  }
+}

infra/modules/forms-runner/variables.tf

@@ -110,6 +110,11 @@ variable "ses_submission_configuration_set_name" {
   description = "The name of the configuration set to use when sending form submissions"
 }
 
+variable "govuk_one_login_base_url" {
+  type        = string
+  description = "The base URL for GOV.UK One Login authentication requests"
+}
+
 variable "elasticache_port" {
   type        = number
   description = "The port number for the Redis ElastiCache cluster"