ATO-1144: Add config to redirect traffic to orch ipv jwks endpoint

ci/terraform/oidc/api-gateway.tf

@@ -164,6 +164,8 @@ resource "aws_api_gateway_deployment" "deployment" {
       var.orch_auth_code_enabled,
       var.orch_userinfo_enabled,
       var.orch_storage_token_jwk_enabled,
+      jsonencode(aws_api_gateway_integration.orch_ipv_jwks_integration),
+      jsonencode(aws_api_gateway_method.orch_ipv_jwks_method)
     ]))
   }
 
@@ -198,7 +200,9 @@ resource "aws_api_gateway_deployment" "deployment" {
     aws_api_gateway_integration.orch_auth_code_integration,
     aws_api_gateway_integration.orch_userinfo_integration,
     aws_api_gateway_integration.orch_update_client_integration,
-    aws_api_gateway_integration.orch_storage_token_jwk_integration
+    aws_api_gateway_integration.orch_storage_token_jwk_integration,
+    aws_api_gateway_integration.orch_ipv_jwks_integration,
+    aws_api_gateway_method.orch_ipv_jwks_method
   ]
 }
 
@@ -1381,3 +1385,38 @@ resource "aws_api_gateway_integration" "orch_storage_token_jwk_integration" {
   integration_http_method = "POST"
   uri                     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${var.orch_account_id}:function:${local.secure_pipelines_environment}-StorageTokenJwkFunction:latest/invocations"
 }
+
+resource "aws_api_gateway_resource" "orch_ipv_jwks_resource" {
+  count       = var.orch_ipv_jwks_enabled ? 1 : 0
+  rest_api_id = aws_api_gateway_rest_api.di_authentication_api.id
+  parent_id   = aws_api_gateway_resource.wellknown_resource.id
+  path_part   = "ipv-jwks.json"
+  depends_on = [
+    aws_api_gateway_resource.wellknown_resource
+  ]
+}
+
+resource "aws_api_gateway_method" "orch_ipv_jwks_method" {
+  count       = var.orch_ipv_jwks_enabled ? 1 : 0
+  rest_api_id = aws_api_gateway_rest_api.di_authentication_api.id
+  resource_id = aws_api_gateway_resource.orch_ipv_jwks_resource[0].id
+  http_method = "GET"
+
+  depends_on = [
+    aws_api_gateway_resource.orch_ipv_jwks_resource
+  ]
+  authorization = "NONE"
+}
+
+resource "aws_api_gateway_integration" "orch_ipv_jwks_integration" {
+  count       = var.orch_ipv_jwks_enabled ? 1 : 0
+  rest_api_id = aws_api_gateway_rest_api.di_authentication_api.id
+  resource_id = aws_api_gateway_resource.orch_ipv_jwks_resource[0].id
+  http_method = aws_api_gateway_method.orch_ipv_jwks_method[0].http_method
+  depends_on = [
+    aws_api_gateway_resource.orch_ipv_jwks_resource
+  ]
+  type                    = "AWS_PROXY"
+  integration_http_method = "POST"
+  uri                     = "arn:aws:apigateway:eu-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-2:${var.orch_account_id}:function:${local.secure_pipelines_environment}-IpvJwksFunction:latest/invocations"
+}

ci/terraform/oidc/build.tfvars

@@ -65,3 +65,4 @@ orch_authentication_callback_enabled = true
 orch_doc_app_callback_enabled        = true
 orch_ipv_callback_enabled            = true
 auth_spot_response_disabled          = true
+orch_ipv_jwks_enabled                = true

ci/terraform/oidc/sandpit.tfvars

@@ -71,6 +71,7 @@ auth_spot_response_disabled          = true
 orch_auth_code_enabled               = true
 orch_userinfo_enabled                = true
 orch_storage_token_jwk_enabled       = true
+orch_ipv_jwks_enabled                = true
 
 orch_account_id                       = "816047645251"
 is_orch_stubbed                       = false

ci/terraform/oidc/variables.tf

@@ -630,6 +630,12 @@ variable "orch_frontend_enabled" {
   default     = false
 }
 
+variable "orch_ipv_jwks_enabled" {
+  description = "Flag to enable routing IPV jwk traffic to the orchestration account"
+  type        = bool
+  default     = false
+}
+
 variable "account_intervention_service_action_enabled" {
   default = false
   type    = bool