From a09c44eae20e17b0252417d526b68fbb18318396 Mon Sep 17 00:00:00 2001
From: aidenvaines-bjss
Date: Thu, 6 Nov 2025 14:37:48 +0000
Subject: [PATCH] CCM-12995 Adding supplier-api urls
---
 .../terraform/components/cdn/README.md | 1 +
 .../cdn/cloudfront_distribution_cdn.tf | 52 +++++++++++++++++++
 .../terraform/components/cdn/variables.tf | 14 +++++
 3 files changed, 67 insertions(+)
diff --git a/infrastructure/terraform/components/cdn/README.md b/infrastructure/terraform/components/cdn/README.md
index 257e776..685e043 100644
--- a/infrastructure/terraform/components/cdn/README.md
+++ b/infrastructure/terraform/components/cdn/README.md
@@ -33,6 +33,7 @@ | [region](#input\_region) | The AWS Region | `string` | n/a | yes | | [schemas\_origin](#input\_schemas\_origin) | Object to specify static domains for Schemas |
object({
domain_name = string,
origin_path = string,
origin_id = string
})
|
{
"domain_name": "nhsdigital.github.io",
"origin_id": "github-nhs-notify-schemas",
"origin_path": "/nhs-notify-standards"
}
| no | | [shared\_infra\_account\_id](#input\_shared\_infra\_account\_id) | The AWS Account ID of the shared infrastructure account | `string` | `"000000000000"` | no | +| [supplier\_api\_origin](#input\_supplier\_api\_origin) | Object to specify static domains for Supplier API Schemas |
object({
domain_name = string,
origin_path = string,
origin_id = string
})
|
{
"domain_name": "nhsdigital.github.io",
"origin_id": "github-nhs-notify-supplier-api",
"origin_path": "/nhs-notify-supplier-api"
}
| no | | [template\_files\_origin\_domain\_name](#input\_template\_files\_origin\_domain\_name) | Domain name for template file download origin | `string` | n/a | yes | | [waf\_rate\_limit\_cdn](#input\_waf\_rate\_limit\_cdn) | The rate limit is the maximum number of CDN requests from a single IP address that are allowed in a five-minute period | `number` | `20000` | no | ## Modules
diff --git a/infrastructure/terraform/components/cdn/cloudfront_distribution_cdn.tf b/infrastructure/terraform/components/cdn/cloudfront_distribution_cdn.tf
index ceb4c76..a282c37 100644
--- a/infrastructure/terraform/components/cdn/cloudfront_distribution_cdn.tf
+++ b/infrastructure/terraform/components/cdn/cloudfront_distribution_cdn.tf
@@ -292,6 +292,58 @@ resource "aws_cloudfront_distribution" "main" {
 response_headers_policy_id = aws_cloudfront_response_headers_policy.security_headers.id
 }
+
+ # Supplier-API origin
+ origin {
+ domain_name = var.supplier_api_origin.domain_name
+ origin_path = var.supplier_api_origin.origin_path
+ origin_id = var.supplier_api_origin.origin_id
+
+ custom_origin_config {
+ http_port = 80
+ https_port = 443
+ origin_protocol_policy = "https-only"
+ origin_ssl_protocols = [
+ "TLSv1.2"
+ ]
+ }
+ }
+
+ ordered_cache_behavior {
+ path_pattern = "/cloudevents/schemas/supplier-api/*.schema.json"
+ allowed_methods = [
+ "GET",
+ "HEAD",
+ ]
+ cached_methods = [
+ "GET",
+ "HEAD",
+ ]
+ target_origin_id = "github-nhs-notify-supplier-api"
+
+ forwarded_values {
+ query_string = false
+ headers = ["Origin"]
+
+ cookies {
+ forward = "none"
+ }
+ }
+
+ lambda_function_association {
+ event_type = "viewer-response"
+ lambda_arn = module.lambda_rewrite_viewer_trailing_slashes.function_qualified_arn
+ }
+
+ viewer_protocol_policy = "redirect-to-https"
+ min_ttl = 0
+ default_ttl = 3600
+ max_ttl = 86400
+ compress = true
+
+ response_headers_policy_id = aws_cloudfront_response_headers_policy.security_headers.id
+ }
+
 ordered_cache_behavior {
 path_pattern = "/cloudevents/schemas/*.schema.json"
 allowed_methods = [
diff --git a/infrastructure/terraform/components/cdn/variables.tf b/infrastructure/terraform/components/cdn/variables.tf
index 08ff211..923468d 100644
--- a/infrastructure/terraform/components/cdn/variables.tf
+++ b/infrastructure/terraform/components/cdn/variables.tf
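Review bot: `target_origin_id` in the new `ordered_cache_behavior` is the literal `"github-nhs-notify-supplier-api"`, while the origin block just above it takes its id from `var.supplier_api_origin.origin_id`. The two agree only while the variable keeps its default, so an environment that overrides `origin_id` would leave this behaviour naming an origin the distribution does not declare. Changing the line to `target_origin_id = var.supplier_api_origin.origin_id` keeps the pair from drifting. The enclosing `aws_cloudfront_distribution.main` resource starts and ends outside the hunk, so whether the neighbouring behaviours use the same literal pattern cannot be seen from here.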
@@ -164,6 +164,20 @@ variable "digital_letters_origin" {
 }
 }
+variable "supplier_api_origin" {
+ type = object({
+ domain_name = string,
+ origin_path = string,
+ origin_id = string
+ })
+ description = "Object to specify static domains for Supplier API Schemas"
+ default = {
+ domain_name = "nhsdigital.github.io"
+ origin_path = "/nhs-notify-supplier-api"
+ origin_id = "github-nhs-notify-supplier-api"
+ }
+}
+
 variable "template_files_origin_domain_name" {
 type = string
 description = "Domain name for template file download origin"
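Review bot: The default for `supplier_api_origin` makes an externally hosted site (`nhsdigital.github.io`, path `/nhs-notify-supplier-api`) an origin of the distribution, and nothing in the variable records the trust that implies. Whatever that host returns for `/cloudevents/schemas/supplier-api/*.schema.json` is served from the CDN's own hostname, so publish rights on the origin amount to publish rights on those URLs. I would add a comment above the variable, for example `# Responses from this origin are served under the CDN hostname; only point it at a host whose publishing access is controlled.` Because the value can be overridden per environment, a `validation` block rejecting an empty `domain_name` or `origin_id` would also make a bad override fail at plan time rather than at apply.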