CDN UrlRewrite action (#31)

* CDN UrlRewrite action Using postgres/cdn module updated fixed cdn permission for keyvault * CSP header fixed * using multiple cdn rule conditions Co-authored-by: anttorre <[email protected]>
pagopa · Nov 4, 2021 · 1b499ca · 1b499ca
1 parent 04e2b50
commit 1b499ca
Show file tree

Hide file tree

Showing 12 changed files with 655 additions and 706 deletions.
diff --git a/src/core/cdn.tf b/src/core/cdn.tf
@@ -8,13 +8,45 @@ resource "azurerm_resource_group" "checkout_fe_rg" {
   tags = var.tags
 }
 
+locals {
+  spa = [
+    for i, spa in var.spa:
+      {
+        name                      = replace(format("SPA-%s", spa), "-", "")
+        order                     = i+2 // +2 required because the order start from 1 and 1 is reserved for the https rewrite
+        conditions = [
+          {
+            condition_type   = "url_path_condition"
+            operator         = "BeginsWith"
+            match_values     = [format("/%s/", spa)]
+            negate_condition = false
+            transforms       = null
+          },
+          {
+            condition_type   = "url_file_extension_condition"
+            operator         = "LessThanOrEqual"
+            match_values     = ["0"]
+            negate_condition = false
+            transforms       = null
+          },
+          ]
+        url_rewrite_action        = {
+          source_pattern          = format("/%s/", spa)
+          destination             = format("/%s/index.html", spa)
+          preserve_unmatched_path = false
+        }
+      }
+  ]
+}
+
 /**
  * CDN
  */
 // public storage used to serve FE
 #tfsec:ignore:azure-storage-default-action-deny
 module "checkout_cdn" {
-  source                = "git::https://github.com/pagopa/azurerm.git//cdn?ref=v1.0.73"
+//  source                = "git::https://github.com/pagopa/azurerm.git//cdn?ref=v1.0.79"
+  source                = "../modules/cdn"
   name                  = "checkout"
   prefix                = local.project
   resource_group_name   = azurerm_resource_group.checkout_fe_rg.name
@@ -50,30 +82,23 @@ module "checkout_cdn" {
       {
         action = "Overwrite"
         name   = "Content-Security-Policy-Report-Only"
-        value  = "default-src 'self'; connect-src 'self' https://api.io.italia.it https://api-eu.mixpanel.com https://wisp2.pagopa.gov.it"
-      },
-      {
-        action = "Append"
-        name   = "Content-Security-Policy-Report-Only"
-        value  = " https://acardste.vaservices.eu;"
+        value  = format("default-src 'self'; connect-src 'self' https://api.%s.%s/spid/v1/metadata; "
+        , var.dns_zone_prefix, var.external_domain)
       },
       {
         action = "Append"
-        name   = "Content-Security-Policy-Report-Only"
-        value  = "frame-ancestors 'none'; object-src 'none'; frame-src 'self' https://www.google.com;"
+        name = "Content-Security-Policy-Report-Only"
+        value = "script-src 'self' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; worker-src 'none'; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; "
       },
       {
         action = "Append"
         name   = "Content-Security-Policy-Report-Only"
-        value  = "img-src 'self' https://acardste.vaservices.eu https://wisp2.pagopa.gov.it data:;"
-      },
-      {
-        action = "Append"
-        name   = "Content-Security-Policy-Report-Only"
-        value  = "script-src 'self' https://www.google.com https://www.gstatic.com; style-src 'self'  'unsafe-inline'; worker-src 'none';"
+        value  = "img-src 'self' https://assets.cdn.io.italia.it data:; "
       }
     ]
   }
 
+  delivery_rule_rewrite = local.spa
+
   tags = var.tags
 }
diff --git a/src/core/postgres.tf b/src/core/postgres.tf
@@ -31,8 +31,7 @@ module "postgres_snet" {
 #tfsec:ignore:azure-database-postgres-configuration-log-connection-throttling
 #tfsec:ignore:azure-database-postgres-configuration-log-connections
 module "postgresql" {
-//  source = "git::https://github.com/pagopa/azurerm.git//postgresql_server?ref=v1.0.60" # TODO after apply of https://github.com/pagopa/azurerm/pull/104, use new version and remove local copy of the module
-  source = "../modules/postgresql_server"
+  source = "git::https://github.com/pagopa/azurerm.git//postgresql_server?ref=v1.0.79"
 
   name                             = format("%s-postgresql", local.project)
   location                         = azurerm_resource_group.postgres_rg.location

diff --git a/src/core/security.tf b/src/core/security.tf
@@ -133,6 +133,20 @@ resource "azurerm_key_vault_access_policy" "azdo_sp_tls_cert" {
   ]
 }
 
+resource "azurerm_key_vault_access_policy" "azure_cdn_frontdoor_policy" {
+  key_vault_id = module.key_vault.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = var.azuread_service_principal_azure_cdn_frontdoor_id
+
+  secret_permissions = [
+    "Get",
+  ]
+
+  certificate_permissions = [
+    "Get",
+  ]
+}
+
 resource "azurerm_user_assigned_identity" "appgateway" {
   resource_group_name = azurerm_resource_group.sec_rg.name
   location            = azurerm_resource_group.sec_rg.location

diff --git a/src/core/variables.tf b/src/core/variables.tf
@@ -438,6 +438,14 @@ variable "apim_sku" {
   type = string
 }
 
+# cdn
+variable "azuread_service_principal_azure_cdn_frontdoor_id" {
+  type        = string
+  description = "Azure CDN Front Door Principal ID"
+  # this is the deafult value for tenant pagopa.it
+  default = "f3b3f72f-4770-47a5-8c1e-aa298003be12"
+}
+
 ## Redis cache
 variable "redis_capacity" {
   type    = number
@@ -725,3 +733,14 @@ variable "enable_spid_test" {
   description = "to provision italia/spid-testenv2:1.1.0"
   default     = false
 }
+
+# Single Page Applications
+variable "spa" {
+  type        = list(string)
+  description = "spa root dirs"
+  default     = [
+    "auth",
+    "onboarding",
+    "dashboard"
+  ]
+}
diff --git a/src/modules/cdn/README.md b/src/modules/cdn/README.md
@@ -0,0 +1,61 @@
+Storage account
+**/
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | n/a |
+| <a name="provider_null"></a> [null](#provider\_null) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cdn_storage_account"></a> [cdn\_storage\_account](#module\_cdn\_storage\_account) | git::https://github.com/pagopa/azurerm.git//storage_account | v1.0.7 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_cdn_endpoint.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_endpoint) | resource |
+| [azurerm_cdn_profile.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_profile) | resource |
+| [azurerm_dns_a_record.hostname](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
+| [azurerm_dns_cname_record.cdnverify](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_cname_record) | resource |
+| [null_resource.custom_domain](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_dns_zone_name"></a> [dns\_zone\_name](#input\_dns\_zone\_name) | n/a | `string` | n/a | yes |
+| <a name="input_dns_zone_resource_group_name"></a> [dns\_zone\_resource\_group\_name](#input\_dns\_zone\_resource\_group\_name) | n/a | `string` | n/a | yes |
+| <a name="input_hostname"></a> [hostname](#input\_hostname) | n/a | `string` | n/a | yes |
+| <a name="input_location"></a> [location](#input\_location) | n/a | `string` | n/a | yes |
+| <a name="input_lock_enabled"></a> [lock\_enabled](#input\_lock\_enabled) | n/a | `bool` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | n/a | `string` | n/a | yes |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | n/a | `string` | n/a | yes |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | n/a | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | n/a | `map(string)` | n/a | yes |
+| <a name="input_delivery_rule_redirect"></a> [delivery\_rule\_redirect](#input\_delivery\_rule\_redirect) | n/a | <pre>list(object({<br>    name         = string<br>    order        = number<br>    operator     = string<br>    match_values = list(string)<br>    url_redirect_action = object({<br>      redirect_type = string<br>      protocol      = string<br>      hostname      = string<br>      path          = string<br>      fragment      = string<br>      query_string  = string<br>    })<br>  }))</pre> | `[]` | no |
+| <a name="input_delivery_rule_request_scheme_condition"></a> [delivery\_rule\_request\_scheme\_condition](#input\_delivery\_rule\_request\_scheme\_condition) | n/a | <pre>list(object({<br>    name         = string<br>    order        = number<br>    operator     = string<br>    match_values = list(string)<br>    url_redirect_action = object({<br>      redirect_type = string<br>      protocol      = string<br>      hostname      = string<br>      path          = string<br>      fragment      = string<br>      query_string  = string<br>    })<br>  }))</pre> | `[]` | no |
+| <a name="input_delivery_rule_url_path_condition_cache_expiration_action"></a> [delivery\_rule\_url\_path\_condition\_cache\_expiration\_action](#input\_delivery\_rule\_url\_path\_condition\_cache\_expiration\_action) | n/a | <pre>list(object({<br>    name            = string<br>    order           = number<br>    operator        = string<br>    match_values    = list(string)<br>    behavior        = string<br>    duration        = string<br>    response_action = string<br>    response_name   = string<br>    response_value  = string<br>  }))</pre> | `[]` | no |
+| <a name="input_global_delivery_rule"></a> [global\_delivery\_rule](#input\_global\_delivery\_rule) | n/a | <pre>object({<br>    cache_expiration_action = list(object({<br>      behavior = string<br>      duration = string<br>    }))<br>    cache_key_query_string_action = list(object({<br>      behavior   = string<br>      parameters = string<br>    }))<br>    modify_request_header_action = list(object({<br>      action = string<br>      name   = string<br>      value  = string<br>    }))<br>    modify_response_header_action = list(object({<br>      action = string<br>      name   = string<br>      value  = string<br>    }))<br>  })</pre> | `null` | no |
+| <a name="input_https_rewrite_enabled"></a> [https\_rewrite\_enabled](#input\_https\_rewrite\_enabled) | n/a | `bool` | `true` | no |
+| <a name="input_querystring_caching_behaviour"></a> [querystring\_caching\_behaviour](#input\_querystring\_caching\_behaviour) | n/a | `string` | `"IgnoreQueryString"` | no |
+| <a name="input_storage_access_tier"></a> [storage\_access\_tier](#input\_storage\_access\_tier) | n/a | `string` | `"Hot"` | no |
+| <a name="input_storage_account_kind"></a> [storage\_account\_kind](#input\_storage\_account\_kind) | n/a | `string` | `"StorageV2"` | no |
+| <a name="input_storage_account_replication_type"></a> [storage\_account\_replication\_type](#input\_storage\_account\_replication\_type) | n/a | `string` | `"GRS"` | no |
+| <a name="input_storage_account_tier"></a> [storage\_account\_tier](#input\_storage\_account\_tier) | n/a | `string` | `"Standard"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_hostname"></a> [hostname](#output\_hostname) | n/a |
+| <a name="output_id"></a> [id](#output\_id) | n/a |
+| <a name="output_name"></a> [name](#output\_name) | n/a |