From 180dc9f964c3490095119b9a6d381abaf08ee616 Mon Sep 17 00:00:00 2001
From: anttorre
Date: Mon, 15 Nov 2021 20:57:38 +0100
Subject: [PATCH 1/3] added web storage secrets created dashboard secret
---
 src/core/cdn.tf | 28 ++-
 src/k8s/secrets.tf | 3 +-
 src/k8s/selc_secrets.tf | 13 ++
 src/modules/cdn/README.md | 61 +++++++
 src/modules/cdn/main.tf | 342 +++++++++++++++++++++++++++++++++++
 src/modules/cdn/outputs.tf | 34 ++++
 src/modules/cdn/variables.tf | 189 +++++++++++++++++++
 7 files changed, 668 insertions(+), 2 deletions(-)
 create mode 100644 src/modules/cdn/README.md
 create mode 100644 src/modules/cdn/main.tf
 create mode 100644 src/modules/cdn/outputs.tf
 create mode 100644 src/modules/cdn/variables.tf
diff --git a/src/core/cdn.tf b/src/core/cdn.tf
index 0f8edd59e..fb8668db6 100644
--- a/src/core/cdn.tf
+++ b/src/core/cdn.tf
@@ -45,7 +45,8 @@ locals {
 // public storage used to serve FE
 #tfsec:ignore:azure-storage-default-action-deny
 module "checkout_cdn" {
- source = "git::https://github.com/pagopa/azurerm.git//cdn?ref=v1.0.81"
+// source = "git::https://github.com/pagopa/azurerm.git//cdn?ref=v1.0.81"
+ source = "../modules/cdn"
 name = "checkout"
 prefix = local.project
@@ -102,3 +103,28 @@ module "checkout_cdn" {
 tags = var.tags
 }
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "selc_web_storage_access_key" {
+ name = "web-storage-access-key"
+ value = module.checkout_cdn.storage_primary_access_key
+ content_type = "text/plain"
+
+ key_vault_id = module.key_vault.id
+}
+
+resource "azurerm_key_vault_secret" "selc_web_storage_connection_string" {
+ name = "web-storage-connection-string"
+ value = module.checkout_cdn.storage_primary_connection_string
+ content_type = "text/plain"
+
+ key_vault_id = module.key_vault.id
+}
+
+resource "azurerm_key_vault_secret" "selc_web_storage_blob_connection_string" {
+ name = "web-storage-blob-connection-string"
+ value = module.checkout_cdn.storage_primary_blob_connection_string
+ content_type = "text/plain"
+
+ key_vault_id = module.key_vault.id
+}
\ No newline at end of file
diff --git a/src/k8s/secrets.tf b/src/k8s/secrets.tf
index 7ce5a65f9..6ccf3fa12 100644
--- a/src/k8s/secrets.tf
+++ b/src/k8s/secrets.tf
@@ -16,6 +16,7 @@ module "key_vault_secrets_query" {
 "postgres-selc-user-password",
 "smtp-usr",
 "smtp-psw",
- "contracts-storage-access-key"
+ "contracts-storage-access-key",
+ "web-storage-connection-string"
 ]
 }
diff --git a/src/k8s/selc_secrets.tf b/src/k8s/selc_secrets.tf
index adf48cb38..17aa94d2e 100644
--- a/src/k8s/selc_secrets.tf
+++ b/src/k8s/selc_secrets.tf
@@ -125,5 +125,18 @@ resource "kubernetes_secret" "storage" {
 STORAGE_PSW = module.key_vault_secrets_query.values["contracts-storage-access-key"].value
 }
+ type = "Opaque"
+}
+
+resource "kubernetes_secret" "b4f-dashboard" {
+ metadata {
+ name = "b4f-dashboard"
+ namespace = kubernetes_namespace.selc.metadata[0].name
+ }
+
+ data = {
+ BLOB_STORAGE_CONN_STRING = module.key_vault_secrets_query.values["web-storage-connection-string"].value
+ }
+
 type = "Opaque"
 }
\ No newline at end of file
diff --git a/src/modules/cdn/README.md b/src/modules/cdn/README.md
new file mode 100644
index 000000000..a63274bac
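Review bot: None of the three new `azurerm_key_vault_secret` resources sets `expiration_date`, so the storage account's primary key — which all three values (`storage_primary_access_key`, `storage_primary_connection_string`, `storage_primary_blob_connection_string`) embed — is stored as a never-expiring secret in the core vault. A fixed input is preferable to `timestamp()`, which would change on every plan: `expiration_date = var.web_storage_secrets_expiration_date` on each resource, plus a comment on the first one such as `# all three secrets are derived from the same primary key: rotate the account key and re-apply to refresh them together`. The `#tfsec:ignore:AZU023` pragma is applied only to the first resource, yet all three set `content_type`; if AZU023 is the content-type check it looks stale, and if it targets a different rule the other two resources would need it too, so it is worth confirming which rule it silences. Finally, `value` is the account-level key of the storage account that serves the public FE; if the consumer only needs one container, a scoped SAS or an RBAC role assignment would be a narrower credential to keep in the vault.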
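Review bot: `BLOB_STORAGE_CONN_STRING` in the new `b4f-dashboard` secret hands the workload the full storage connection string, which embeds the account key and therefore grants read, write and delete on every container of the public FE storage account, not just whatever the dashboard back-end actually touches. If the dashboard only reads or writes a specific container, a container-scoped SAS — or, if the cluster supports pod/workload identity, an AAD identity with a `Storage Blob Data Contributor` or `Reader` assignment on that container — is the least-privilege alternative. At minimum the data entry should carry a comment recording why the account-level key is required: `# NOTE: account-level key — full access to the storage account; scope down to a SAS/RBAC role if only one container is needed`. The enclosing `kubernetes_secret "storage"` block whose tail becomes context here starts outside the hunk.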
--- /dev/null
+++ b/src/modules/cdn/README.md
@@ -0,0 +1,61 @@ +Storage account +**/ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | n/a | +| [null](#provider\_null) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [cdn\_storage\_account](#module\_cdn\_storage\_account) | git::https://github.com/pagopa/azurerm.git//storage_account | v1.0.7 | + +## Resources + +| Name | Type | +|------|------| +| [azurerm_cdn_endpoint.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_endpoint) | resource | +| [azurerm_cdn_profile.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_profile) | resource | +| [azurerm_dns_a_record.hostname](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource | +| [azurerm_dns_cname_record.cdnverify](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_cname_record) | resource | +| [null_resource.custom_domain](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dns\_zone\_name](#input\_dns\_zone\_name) | n/a | `string` | n/a | yes | +| [dns\_zone\_resource\_group\_name](#input\_dns\_zone\_resource\_group\_name) | n/a | `string` | n/a | yes | +| [hostname](#input\_hostname) | n/a | `string` | n/a | yes | +| [location](#input\_location) | n/a | `string` | n/a | yes | +| [lock\_enabled](#input\_lock\_enabled) | n/a | `bool` | n/a | yes | +| [name](#input\_name) | n/a | `string` | n/a | yes | +| [prefix](#input\_prefix) | n/a | `string` | n/a | yes | +| [resource\_group\_name](#input\_resource\_group\_name) | n/a | `string` | n/a | yes | +| [tags](#input\_tags) | n/a | `map(string)` | n/a | yes | +| 
[delivery\_rule\_redirect](#input\_delivery\_rule\_redirect) | n/a |
list(object({
name = string
order = number
operator = string
match_values = list(string)
url_redirect_action = object({
redirect_type = string
protocol = string
hostname = string
path = string
fragment = string
query_string = string
})
}))
| `[]` | no | +| [delivery\_rule\_request\_scheme\_condition](#input\_delivery\_rule\_request\_scheme\_condition) | n/a |
list(object({
name = string
order = number
operator = string
match_values = list(string)
url_redirect_action = object({
redirect_type = string
protocol = string
hostname = string
path = string
fragment = string
query_string = string
})
}))
| `[]` | no | +| [delivery\_rule\_url\_path\_condition\_cache\_expiration\_action](#input\_delivery\_rule\_url\_path\_condition\_cache\_expiration\_action) | n/a |
list(object({
name = string
order = number
operator = string
match_values = list(string)
behavior = string
duration = string
response_action = string
response_name = string
response_value = string
}))
| `[]` | no | +| [global\_delivery\_rule](#input\_global\_delivery\_rule) | n/a |
object({
cache_expiration_action = list(object({
behavior = string
duration = string
}))
cache_key_query_string_action = list(object({
behavior = string
parameters = string
}))
modify_request_header_action = list(object({
action = string
name = string
value = string
}))
modify_response_header_action = list(object({
action = string
name = string
value = string
}))
})
| `null` | no | +| [https\_rewrite\_enabled](#input\_https\_rewrite\_enabled) | n/a | `bool` | `true` | no | +| [querystring\_caching\_behaviour](#input\_querystring\_caching\_behaviour) | n/a | `string` | `"IgnoreQueryString"` | no | +| [storage\_access\_tier](#input\_storage\_access\_tier) | n/a | `string` | `"Hot"` | no | +| [storage\_account\_kind](#input\_storage\_account\_kind) | n/a | `string` | `"StorageV2"` | no | +| [storage\_account\_replication\_type](#input\_storage\_account\_replication\_type) | n/a | `string` | `"GRS"` | no | +| [storage\_account\_tier](#input\_storage\_account\_tier) | n/a | `string` | `"Standard"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [hostname](#output\_hostname) | n/a | +| [id](#output\_id) | n/a | +| [name](#output\_name) | n/a | diff --git a/src/modules/cdn/main.tf b/src/modules/cdn/main.tf new file mode 100644 index 000000000..ac06404dd --- /dev/null +++ b/src/modules/cdn/main.tf 
@@ -0,0 +1,342 @@ +/** + * Storage account + **/ +module "cdn_storage_account" { + + source = "git::https://github.com/pagopa/azurerm.git//storage_account?ref=v1.0.71" + + name = replace(format("%s-%s-sa", var.prefix, var.name), "-", "") + versioning_name = format("%s-%s-sa-versioning", var.prefix, var.name) + + account_kind = var.storage_account_kind + account_tier = var.storage_account_tier + account_replication_type = var.storage_account_replication_type + access_tier = var.storage_access_tier + enable_versioning = true + resource_group_name = var.resource_group_name + location = var.location + allow_blob_public_access = true + + index_document = var.index_document + error_404_document = var.error_404_document + + lock_enabled = var.lock_enabled + lock_name = format("%s-%s-sa-lock", var.prefix, var.name) + lock_level = "CanNotDelete" + lock_notes = null + + tags = var.tags +} + +/** + * cdn profile + **/ +resource "azurerm_cdn_profile" "this" { + name = format("%s-%s-cdn-profile", var.prefix, var.name) + resource_group_name = var.resource_group_name + location = var.location + sku = "Standard_Microsoft" + + tags = var.tags +} + +resource "azurerm_cdn_endpoint" "this" { + name = format("%s-%s-cdn-endpoint", var.prefix, var.name) + resource_group_name = var.resource_group_name + location = var.location + profile_name = azurerm_cdn_profile.this.name + is_https_allowed = true + is_http_allowed = true + querystring_caching_behaviour = var.querystring_caching_behaviour + origin_host_header = module.cdn_storage_account.primary_web_host + + origin { + name = "primary" + host_name = module.cdn_storage_account.primary_web_host + } + + dynamic "global_delivery_rule" { + for_each = var.global_delivery_rule == null ? 
[] : [var.global_delivery_rule] + iterator = gdr + content { + + dynamic "cache_expiration_action" { + for_each = gdr.value.cache_expiration_action + iterator = cea + content { + behavior = cea.value.behavior + duration = cea.value.duration + } + } + + dynamic "modify_request_header_action" { + for_each = gdr.value.modify_request_header_action + iterator = mrha + content { + action = mrha.value.action + name = mrha.value.name + value = mrha.value.value + } + } + + dynamic "modify_response_header_action" { + for_each = gdr.value.modify_response_header_action + iterator = mrha + content { + action = mrha.value.action + name = mrha.value.name + value = mrha.value.value + } + } + } + } + + dynamic "delivery_rule" { + for_each = { for d in var.delivery_rule_url_path_condition_cache_expiration_action : d.order => d } + content { + order = delivery_rule.key + name = delivery_rule.value.name + url_path_condition { + operator = delivery_rule.value.operator + match_values = delivery_rule.value.match_values + } + cache_expiration_action { + behavior = delivery_rule.value.behavior + duration = delivery_rule.value.duration + } + modify_response_header_action { + action = delivery_rule.value.response_action + name = delivery_rule.value.response_name + value = delivery_rule.value.response_value + } + } + } + + dynamic "delivery_rule" { + for_each = { for d in var.delivery_rule_request_scheme_condition : d.order => d } + content { + name = delivery_rule.value.name + order = delivery_rule.value.order + + request_scheme_condition { + operator = delivery_rule.value.operator + match_values = delivery_rule.value.match_values + } + + url_redirect_action { + redirect_type = delivery_rule.value.url_redirect_action.redirect_type + protocol = delivery_rule.value.url_redirect_action.protocol + hostname = delivery_rule.value.url_redirect_action.hostname + path = delivery_rule.value.url_redirect_action.path + fragment = delivery_rule.value.url_redirect_action.fragment + query_string = 
delivery_rule.value.url_redirect_action.query_string + } + + } + } + + dynamic "delivery_rule" { + for_each = { for d in var.delivery_rule_redirect : d.order => d } + content { + name = delivery_rule.value.name + order = delivery_rule.value.order + + request_uri_condition { + operator = delivery_rule.value.operator + match_values = delivery_rule.value.match_values + } + + url_redirect_action { + redirect_type = delivery_rule.value.url_redirect_action.redirect_type + protocol = delivery_rule.value.url_redirect_action.protocol + hostname = delivery_rule.value.url_redirect_action.hostname + path = delivery_rule.value.url_redirect_action.path + fragment = delivery_rule.value.url_redirect_action.fragment + query_string = delivery_rule.value.url_redirect_action.query_string + } + + } + } + + # rewrite HTTP to HTTPS + dynamic "delivery_rule" { + for_each = var.https_rewrite_enabled ? [1] : [] + + content { + name = "EnforceHTTPS" + order = 1 + + request_scheme_condition { + operator = "Equal" + match_values = ["HTTP"] + } + + url_redirect_action { + redirect_type = "Found" + protocol = "Https" + hostname = null + path = null + fragment = null + query_string = null + } + } + } + + dynamic "delivery_rule" { + for_each = { for d in var.delivery_rule_rewrite : d.order => d } + content { + name = delivery_rule.value.name + order = delivery_rule.value.order + + dynamic "request_uri_condition" { + for_each = [ for c in delivery_rule.value.conditions : c if c.condition_type=="request_uri_condition"] + iterator = c + + content { + operator = c.value.operator + match_values = c.value.match_values + negate_condition = c.value.negate_condition + transforms = c.value.transforms + } + } + + dynamic "url_path_condition" { + for_each = [ for c in delivery_rule.value.conditions : c if c.condition_type=="url_path_condition"] + iterator = c + + content { + operator = c.value.operator + match_values = c.value.match_values + negate_condition = c.value.negate_condition + transforms = 
c.value.transforms + } + } + + dynamic "url_file_extension_condition" { + for_each = [ for c in delivery_rule.value.conditions : c if c.condition_type=="url_file_extension_condition"] + iterator = c + + content { + operator = c.value.operator + match_values = c.value.match_values + negate_condition = c.value.negate_condition + transforms = c.value.transforms + } + } + + url_rewrite_action { + source_pattern = delivery_rule.value.url_rewrite_action.source_pattern + destination = delivery_rule.value.url_rewrite_action.destination + preserve_unmatched_path = delivery_rule.value.url_rewrite_action.preserve_unmatched_path + } + + } + } + + tags = var.tags +} + +/* +* Custom Domain +*/ +resource "null_resource" "custom_domain" { + depends_on = [ + azurerm_dns_a_record.hostname[0], + azurerm_dns_cname_record.cdnverify[0], + azurerm_dns_cname_record.custom_subdomain[0], + azurerm_cdn_endpoint.this, + ] + # needs az cli > 2.0.81 + # see https://github.com/Azure/azure-cli/issues/12152 + triggers = { + resource_group_name = var.resource_group_name + endpoint_name = azurerm_cdn_endpoint.this.name + profile_name = azurerm_cdn_profile.this.name + name = var.hostname + hostname = var.hostname + + keyvault_resource_group_name = var.keyvault_resource_group_name + keyvault_subscription_id = var.keyvault_subscription_id + keyvault_vault_name = var.keyvault_vault_name + } + + # https://docs.microsoft.com/it-it/cli/azure/cdn/custom-domain?view=azure-cli-latest + provisioner "local-exec" { + command = < Date: Mon, 15 Nov 2021 21:13:31 +0100 Subject: [PATCH 2/3] using cdn azurerm module on separate branch --- src/core/cdn.tf | 2 +- src/modules/cdn/README.md | 61 ------- src/modules/cdn/main.tf | 342 ----------------------------------- src/modules/cdn/outputs.tf | 34 ---- src/modules/cdn/variables.tf | 189 ------------------- 5 files changed, 1 insertion(+), 627 deletions(-) delete mode 100644 src/modules/cdn/README.md delete mode 100644 src/modules/cdn/main.tf delete mode 100644 
src/modules/cdn/outputs.tf
 delete mode 100644 src/modules/cdn/variables.tf
diff --git a/src/core/cdn.tf b/src/core/cdn.tf
index fb8668db6..66429e70c 100644
--- a/src/core/cdn.tf
+++ b/src/core/cdn.tf
@@ -46,7 +46,7 @@ locals {
 #tfsec:ignore:azure-storage-default-action-deny
 module "checkout_cdn" {
 // source = "git::https://github.com/pagopa/azurerm.git//cdn?ref=v1.0.81"
- source = "../modules/cdn"
+ source = "git::https://github.com/pagopa/azurerm.git//cdn?ref=cdn-output-storage-info"
 name = "checkout"
 prefix = local.project
diff --git a/src/modules/cdn/README.md b/src/modules/cdn/README.md
deleted file mode 100644
index a63274bac..000000000
--- a/src/modules/cdn/README.md
+++ /dev/null
@@ -1,61 +0,0 @@ -Storage account -**/ - -## Requirements - -No requirements. - -## Providers - -| Name | Version | -|------|---------| -| [azurerm](#provider\_azurerm) | n/a | -| [null](#provider\_null) | n/a | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [cdn\_storage\_account](#module\_cdn\_storage\_account) | git::https://github.com/pagopa/azurerm.git//storage_account | v1.0.7 | - -## Resources - -| Name | Type | -|------|------| -| [azurerm_cdn_endpoint.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_endpoint) | resource | -| [azurerm_cdn_profile.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_profile) | resource | -| [azurerm_dns_a_record.hostname](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource | -| [azurerm_dns_cname_record.cdnverify](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_cname_record) | resource | -| [null_resource.custom_domain](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [dns\_zone\_name](#input\_dns\_zone\_name) | n/a | `string` | n/a | yes | -| [dns\_zone\_resource\_group\_name](#input\_dns\_zone\_resource\_group\_name) | n/a | `string` | n/a | yes | -| [hostname](#input\_hostname) | n/a | `string` | n/a | yes | -| [location](#input\_location) | n/a | `string` | n/a | yes | -| [lock\_enabled](#input\_lock\_enabled) | n/a | `bool` | n/a | yes | -| [name](#input\_name) | n/a | `string` | n/a | yes | -| [prefix](#input\_prefix) | n/a | `string` | n/a | yes | -| [resource\_group\_name](#input\_resource\_group\_name) | n/a | `string` | n/a | yes | -| [tags](#input\_tags) | n/a | `map(string)` | n/a | yes | -| 
[delivery\_rule\_redirect](#input\_delivery\_rule\_redirect) | n/a |
list(object({
name = string
order = number
operator = string
match_values = list(string)
url_redirect_action = object({
redirect_type = string
protocol = string
hostname = string
path = string
fragment = string
query_string = string
})
}))
| `[]` | no | -| [delivery\_rule\_request\_scheme\_condition](#input\_delivery\_rule\_request\_scheme\_condition) | n/a |
list(object({
name = string
order = number
operator = string
match_values = list(string)
url_redirect_action = object({
redirect_type = string
protocol = string
hostname = string
path = string
fragment = string
query_string = string
})
}))
| `[]` | no | -| [delivery\_rule\_url\_path\_condition\_cache\_expiration\_action](#input\_delivery\_rule\_url\_path\_condition\_cache\_expiration\_action) | n/a |
list(object({
name = string
order = number
operator = string
match_values = list(string)
behavior = string
duration = string
response_action = string
response_name = string
response_value = string
}))
| `[]` | no | -| [global\_delivery\_rule](#input\_global\_delivery\_rule) | n/a |
object({
cache_expiration_action = list(object({
behavior = string
duration = string
}))
cache_key_query_string_action = list(object({
behavior = string
parameters = string
}))
modify_request_header_action = list(object({
action = string
name = string
value = string
}))
modify_response_header_action = list(object({
action = string
name = string
value = string
}))
})
| `null` | no | -| [https\_rewrite\_enabled](#input\_https\_rewrite\_enabled) | n/a | `bool` | `true` | no | -| [querystring\_caching\_behaviour](#input\_querystring\_caching\_behaviour) | n/a | `string` | `"IgnoreQueryString"` | no | -| [storage\_access\_tier](#input\_storage\_access\_tier) | n/a | `string` | `"Hot"` | no | -| [storage\_account\_kind](#input\_storage\_account\_kind) | n/a | `string` | `"StorageV2"` | no | -| [storage\_account\_replication\_type](#input\_storage\_account\_replication\_type) | n/a | `string` | `"GRS"` | no | -| [storage\_account\_tier](#input\_storage\_account\_tier) | n/a | `string` | `"Standard"` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [hostname](#output\_hostname) | n/a | -| [id](#output\_id) | n/a | -| [name](#output\_name) | n/a | diff --git a/src/modules/cdn/main.tf b/src/modules/cdn/main.tf deleted file mode 100644 index ac06404dd..000000000 --- a/src/modules/cdn/main.tf +++ /dev/null 
@@ -1,342 +0,0 @@ -/** - * Storage account - **/ -module "cdn_storage_account" { - - source = "git::https://github.com/pagopa/azurerm.git//storage_account?ref=v1.0.71" - - name = replace(format("%s-%s-sa", var.prefix, var.name), "-", "") - versioning_name = format("%s-%s-sa-versioning", var.prefix, var.name) - - account_kind = var.storage_account_kind - account_tier = var.storage_account_tier - account_replication_type = var.storage_account_replication_type - access_tier = var.storage_access_tier - enable_versioning = true - resource_group_name = var.resource_group_name - location = var.location - allow_blob_public_access = true - - index_document = var.index_document - error_404_document = var.error_404_document - - lock_enabled = var.lock_enabled - lock_name = format("%s-%s-sa-lock", var.prefix, var.name) - lock_level = "CanNotDelete" - lock_notes = null - - tags = var.tags -} - -/** - * cdn profile - **/ -resource "azurerm_cdn_profile" "this" { - name = format("%s-%s-cdn-profile", var.prefix, var.name) - resource_group_name = var.resource_group_name - location = var.location - sku = "Standard_Microsoft" - - tags = var.tags -} - -resource "azurerm_cdn_endpoint" "this" { - name = format("%s-%s-cdn-endpoint", var.prefix, var.name) - resource_group_name = var.resource_group_name - location = var.location - profile_name = azurerm_cdn_profile.this.name - is_https_allowed = true - is_http_allowed = true - querystring_caching_behaviour = var.querystring_caching_behaviour - origin_host_header = module.cdn_storage_account.primary_web_host - - origin { - name = "primary" - host_name = module.cdn_storage_account.primary_web_host - } - - dynamic "global_delivery_rule" { - for_each = var.global_delivery_rule == null ? 
[] : [var.global_delivery_rule] - iterator = gdr - content { - - dynamic "cache_expiration_action" { - for_each = gdr.value.cache_expiration_action - iterator = cea - content { - behavior = cea.value.behavior - duration = cea.value.duration - } - } - - dynamic "modify_request_header_action" { - for_each = gdr.value.modify_request_header_action - iterator = mrha - content { - action = mrha.value.action - name = mrha.value.name - value = mrha.value.value - } - } - - dynamic "modify_response_header_action" { - for_each = gdr.value.modify_response_header_action - iterator = mrha - content { - action = mrha.value.action - name = mrha.value.name - value = mrha.value.value - } - } - } - } - - dynamic "delivery_rule" { - for_each = { for d in var.delivery_rule_url_path_condition_cache_expiration_action : d.order => d } - content { - order = delivery_rule.key - name = delivery_rule.value.name - url_path_condition { - operator = delivery_rule.value.operator - match_values = delivery_rule.value.match_values - } - cache_expiration_action { - behavior = delivery_rule.value.behavior - duration = delivery_rule.value.duration - } - modify_response_header_action { - action = delivery_rule.value.response_action - name = delivery_rule.value.response_name - value = delivery_rule.value.response_value - } - } - } - - dynamic "delivery_rule" { - for_each = { for d in var.delivery_rule_request_scheme_condition : d.order => d } - content { - name = delivery_rule.value.name - order = delivery_rule.value.order - - request_scheme_condition { - operator = delivery_rule.value.operator - match_values = delivery_rule.value.match_values - } - - url_redirect_action { - redirect_type = delivery_rule.value.url_redirect_action.redirect_type - protocol = delivery_rule.value.url_redirect_action.protocol - hostname = delivery_rule.value.url_redirect_action.hostname - path = delivery_rule.value.url_redirect_action.path - fragment = delivery_rule.value.url_redirect_action.fragment - query_string = 
delivery_rule.value.url_redirect_action.query_string - } - - } - } - - dynamic "delivery_rule" { - for_each = { for d in var.delivery_rule_redirect : d.order => d } - content { - name = delivery_rule.value.name - order = delivery_rule.value.order - - request_uri_condition { - operator = delivery_rule.value.operator - match_values = delivery_rule.value.match_values - } - - url_redirect_action { - redirect_type = delivery_rule.value.url_redirect_action.redirect_type - protocol = delivery_rule.value.url_redirect_action.protocol - hostname = delivery_rule.value.url_redirect_action.hostname - path = delivery_rule.value.url_redirect_action.path - fragment = delivery_rule.value.url_redirect_action.fragment - query_string = delivery_rule.value.url_redirect_action.query_string - } - - } - } - - # rewrite HTTP to HTTPS - dynamic "delivery_rule" { - for_each = var.https_rewrite_enabled ? [1] : [] - - content { - name = "EnforceHTTPS" - order = 1 - - request_scheme_condition { - operator = "Equal" - match_values = ["HTTP"] - } - - url_redirect_action { - redirect_type = "Found" - protocol = "Https" - hostname = null - path = null - fragment = null - query_string = null - } - } - } - - dynamic "delivery_rule" { - for_each = { for d in var.delivery_rule_rewrite : d.order => d } - content { - name = delivery_rule.value.name - order = delivery_rule.value.order - - dynamic "request_uri_condition" { - for_each = [ for c in delivery_rule.value.conditions : c if c.condition_type=="request_uri_condition"] - iterator = c - - content { - operator = c.value.operator - match_values = c.value.match_values - negate_condition = c.value.negate_condition - transforms = c.value.transforms - } - } - - dynamic "url_path_condition" { - for_each = [ for c in delivery_rule.value.conditions : c if c.condition_type=="url_path_condition"] - iterator = c - - content { - operator = c.value.operator - match_values = c.value.match_values - negate_condition = c.value.negate_condition - transforms = 
c.value.transforms - } - } - - dynamic "url_file_extension_condition" { - for_each = [ for c in delivery_rule.value.conditions : c if c.condition_type=="url_file_extension_condition"] - iterator = c - - content { - operator = c.value.operator - match_values = c.value.match_values - negate_condition = c.value.negate_condition - transforms = c.value.transforms - } - } - - url_rewrite_action { - source_pattern = delivery_rule.value.url_rewrite_action.source_pattern - destination = delivery_rule.value.url_rewrite_action.destination - preserve_unmatched_path = delivery_rule.value.url_rewrite_action.preserve_unmatched_path - } - - } - } - - tags = var.tags -} - -/* -* Custom Domain -*/ -resource "null_resource" "custom_domain" { - depends_on = [ - azurerm_dns_a_record.hostname[0], - azurerm_dns_cname_record.cdnverify[0], - azurerm_dns_cname_record.custom_subdomain[0], - azurerm_cdn_endpoint.this, - ] - # needs az cli > 2.0.81 - # see https://github.com/Azure/azure-cli/issues/12152 - triggers = { - resource_group_name = var.resource_group_name - endpoint_name = azurerm_cdn_endpoint.this.name - profile_name = azurerm_cdn_profile.this.name - name = var.hostname - hostname = var.hostname - - keyvault_resource_group_name = var.keyvault_resource_group_name - keyvault_subscription_id = var.keyvault_subscription_id - keyvault_vault_name = var.keyvault_vault_name - } - - # https://docs.microsoft.com/it-it/cli/azure/cdn/custom-domain?view=azure-cli-latest - provisioner "local-exec" { - command = < Date: Tue, 16 Nov 2021 09:26:34 +0100 Subject: [PATCH 3/3] Update src/core/cdn.tf Co-authored-by: Pasquale De Vita <59291437+pasqualedevita@users.noreply.github.com> --- src/core/cdn.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/core/cdn.tf b/src/core/cdn.tf index 66429e70c..099380714 100644 --- a/src/core/cdn.tf +++ b/src/core/cdn.tf 
@@ -45,8 +45,7 @@ locals {
 // public storage used to serve FE
 #tfsec:ignore:azure-storage-default-action-deny
 module "checkout_cdn" {
-// source = "git::https://github.com/pagopa/azurerm.git//cdn?ref=v1.0.81"
- source = "git::https://github.com/pagopa/azurerm.git//cdn?ref=cdn-output-storage-info"
+ source = "git::https://github.com/pagopa/azurerm.git//cdn?ref=v1.0.85"
 name = "checkout"
 prefix = local.project