diff --git a/.azuredevops/pipelines/hub-infrastructure-dev.yaml b/.azuredevops/pipelines/hub-infrastructure-dev.yaml
index e5fed0ca..0c54f7a5 100644
--- a/.azuredevops/pipelines/hub-infrastructure-dev.yaml
+++ b/.azuredevops/pipelines/hub-infrastructure-dev.yaml
@@ -12,7 +12,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: e268cfebf98a1769d929cf59ea6d278a686e9b97
+      ref: b7a19150add5bc4945958c180cc4cb7eca72696f
       endpoint: NHSDigital
 
 variables:
diff --git a/.azuredevops/pipelines/hub-infrastructure-prod.yaml b/.azuredevops/pipelines/hub-infrastructure-prod.yaml
index b1d699b3..df200f10 100644
--- a/.azuredevops/pipelines/hub-infrastructure-prod.yaml
+++ b/.azuredevops/pipelines/hub-infrastructure-prod.yaml
@@ -13,7 +13,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: e268cfebf98a1769d929cf59ea6d278a686e9b97
+      ref: b7a19150add5bc4945958c180cc4cb7eca72696f
       endpoint: NHSDigital
 
 variables:
diff --git a/.azuredevops/pipelines/taint-avd-hosts-dev.yaml b/.azuredevops/pipelines/taint-avd-hosts-dev.yaml
index b9db2e34..abb54b3a 100644
--- a/.azuredevops/pipelines/taint-avd-hosts-dev.yaml
+++ b/.azuredevops/pipelines/taint-avd-hosts-dev.yaml
@@ -9,7 +9,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 0d9c325e45b6e90c7849b957f11d41f7f58316d2
+      ref: b7a19150add5bc4945958c180cc4cb7eca72696f
       endpoint: NHSDigital
 
 variables:
diff --git a/.azuredevops/pipelines/taint-avd-hosts-prod.yaml b/.azuredevops/pipelines/taint-avd-hosts-prod.yaml
index 15c06af8..aff905d9 100644
--- a/.azuredevops/pipelines/taint-avd-hosts-prod.yaml
+++ b/.azuredevops/pipelines/taint-avd-hosts-prod.yaml
@@ -9,7 +9,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 0d9c325e45b6e90c7849b957f11d41f7f58316d2
+      ref: b7a19150add5bc4945958c180cc4cb7eca72696f
       endpoint: NHSDigital
 
 variables:
diff --git a/.azuredevops/pipelines/update-acr-public-ips.yaml b/.azuredevops/pipelines/update-acr-public-ips.yaml
index 4b71fcca..796e3b4c 100644
--- a/.azuredevops/pipelines/update-acr-public-ips.yaml
+++ b/.azuredevops/pipelines/update-acr-public-ips.yaml
@@ -17,7 +17,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: e268cfebf98a1769d929cf59ea6d278a686e9b97
+      ref: b7a19150add5bc4945958c180cc4cb7eca72696f
       endpoint: NHSDigital
 
 variables:
diff --git a/infrastructure/application_gateway.tf b/infrastructure/application_gateway.tf
index 26255d6c..73693302 100644
--- a/infrastructure/application_gateway.tf
+++ b/infrastructure/application_gateway.tf
@@ -104,6 +104,22 @@ locals {
         },
         try(var.application_gateway_additional.request_routing_rule, {})
       )
+
+      # Insert an identifying header so APIM policy can use it to filter incoming requests
+      # This is analogous to the "X-Azure-FDID" header added by Azure Front Door
+      rewrite_rule_set = {
+        migration_test = {
+          rewrite_rule = {
+            add_custom_header = {
+              rule_sequence = 100
+              request_header_configuration = {
+                # We cannot use any real resource ID here since it would become a circular dependency
+                ("X-Azure-AGID") = random_uuid.appgw_header_id[region].result
+              }
+            }
+          }
+        }
+      }
     }
   }
 }
@@ -125,6 +141,10 @@ module "application-gateway-pip" {
   tags = var.tags
 }
 
+resource "random_uuid" "appgw_header_id" {
+  for_each = var.regions
+}
+
 module "application-gateway" {
   for_each = local.appgw_config
 
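Review bot: The `X-Azure-AGID` value set by the new rewrite rule is effectively a shared secret between the gateway and the APIM policy, yet the comments only explain why a real resource ID cannot be used: the `random_uuid` result is stored unencrypted in Terraform state and shows up in plan/apply output, and the `random_uuid.appgw_header_id` resource added in the next hunk has no `keepers`, so rotating it means a `terraform apply -replace` on that resource plus a matching update to the APIM policy. A comment on the header line would capture this, e.g. `# Secret-equivalent: lives in TF state and plan output; rotate with -replace and update the APIM policy in the same change`. It is also worth stating (or confirming) that `add_custom_header` replaces any client-supplied `X-Azure-AGID` rather than forwarding it alongside the injected value, because the APIM check is only a meaningful filter if the header cannot be supplied end-to-end by the client; presumably App Gateway's set semantics do this, but the hunk does not say so. The `region` index used in `random_uuid.appgw_header_id[region]` comes from the enclosing `for` expression in `locals`, which starts outside this hunk.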
@@ -144,6 +164,7 @@ module "application-gateway" {
   gateway_subnet = module.subnets_hub["${module.config[each.key].names.subnet}-app-gateway"]
   probe = each.value.probe
   request_routing_rule = each.value.request_routing_rule
+  rewrite_rule_set = each.value.rewrite_rule_set
   sku = "WAF_v2"
   ssl_certificate = each.value.ssl_certificate
   zones = var.regions[each.key].is_primary_region ? ["1", "2", "3"] : null
diff --git a/infrastructure/environments/development.tfvars b/infrastructure/environments/development.tfvars
index 7c04ef05..fd12f59d 100644
--- a/infrastructure/environments/development.tfvars
+++ b/infrastructure/environments/development.tfvars
@@ -104,58 +104,60 @@ regions = {
   }
 }
 
-# application_gateway_additional = {
-#   probe = {
-#     parman_www_dev = {
-#       host = "www-dev.non-live.screening.nhs.uk" # the hostname which will be passed to the backend pool, not used for connectivity
-#       interval = 30
-#       path = "/"
-#       protocol = "Https"
-#       timeout = 30
-#       unhealthy_threshold = 3
-#       match = {
-#         status_code = ["200-399"] # not strictly needed, but this stops Terraform detecting a change every time
-#       }
-#     }
-#   }
-#   backend_http_settings = {
-#     parman_www_dev = {
-#       cookie_based_affinity = "Disabled"
-#       port = 443
-#       probe_key = "parman_www_dev"
-#       protocol = "Https"
-#       request_timeout = 20
-#     }
-#   }
-#   http_listener = {
-#     parman_www_dev_public = {
-#       frontend_ip_configuration_key = "public"
-#       frontend_port_key = "https"
-#       host_name = "www-dev.non-live.screening.nhs.uk"
-#       protocol = "Https"
-#       require_sni = true
-#       ssl_certificate_key = "screening_wildcard"
-#       firewall_policy_id = "/subscriptions/ecef17e1-613b-40b6-83d8-b93e8b5556bf/resourceGroups/rg-hub-dev-uks-hub-networking/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/waf-hub-nonlive-uks-agw-parman-www"
-#     }
-#   }
-#   request_routing_rule = {
-#     parman_www_dev_public = {
-#       backend_address_pool_key = "parman_www_dev"
-#       backend_http_settings_key = "parman_www_dev"
-#       http_listener_key = "parman_www_dev_public"
-#       priority = 950
-#       rule_type = "Basic"
-#     }
-#   }
-# }
+application_gateway_additional = {
+  probe = {
+    migration_test = {
+      interval = 30
+      path = "/"
+      pick_host_name_from_backend_http_settings = true
+      protocol = "Https"
+      timeout = 30
+      unhealthy_threshold = 3
+      match = {
+        status_code = ["200-399"] # not strictly needed, but this stops Terraform detecting a change every time
+      }
+    }
+  }
+  backend_http_settings = {
+    migration_test = {
+      cookie_based_affinity = "Disabled"
+      pick_host_name_from_backend_address = true
+      port = 443
+      probe_key = "migration_test"
+      protocol = "Https"
+      request_timeout = 20
+    }
+  }
+  http_listener = {
+    migration_test_public = {
+      frontend_ip_configuration_key = "public"
+      frontend_port_key = "https"
+      host_name = "migration-test.non-live.nationalscreening.nhs.uk"
+      protocol = "Https"
+      require_sni = true
+      ssl_certificate_key = "nationalscreening_wildcard"
+      # firewall_policy_id = null
+    }
+  }
+  request_routing_rule = {
+    migration_test_public = {
+      backend_address_pool_key = "migration_test"
+      backend_http_settings_key = "migration_test"
+      http_listener_key = "migration_test_public"
+      priority = 950
+      rewrite_rule_set_key = "migration_test"
+      rule_type = "Basic"
+    }
+  }
+}
 
-# application_gateway_additional_backend_address_pool_by_region = {
-#   uksouth = {
-#     parman_www_dev = {
-#       fqdns = ["dev-uks-nextjs-frontend.azurewebsites.net"]
-#     }
-#   }
-# }
+application_gateway_additional_backend_address_pool_by_region = {
+  uksouth = {
+    migration_test = {
+      fqdns = ["apim-pamo16test.developer.azure-api.net"]
+    }
+  }
+}
 
 apim_config = {
   sku_name = "Developer"
@@ -287,6 +289,17 @@ network_security_group_rules = {
     source_address_prefix = "ApiManagement"
     destination_address_prefix = "VirtualNetwork"
   },
+  # {
+  #   name = "AllowAzureFrontDoor"
+  #   priority = 1500
+  #   direction = "Inbound"
+  #   access = "Allow"
+  #   protocol = "Tcp"
+  #   source_port_range = "*"
+  #   destination_port_range = "443"
+  #   source_address_prefix = "AzureFrontDoor.Backend"
+  #   destination_address_prefix = "VirtualNetwork"
+  # },
   {
     name = "AzureInfrastructureLoadBalancer"
     priority = 1400
diff --git a/infrastructure/environments/production.tfvars b/infrastructure/environments/production.tfvars
index ca7defe1..b81e7fbc 100644
--- a/infrastructure/environments/production.tfvars
+++ b/infrastructure/environments/production.tfvars
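Review bot: The new public listener `migration_test_public` for `migration-test.non-live.nationalscreening.nhs.uk` has `# firewall_policy_id = null` commented out, so the hunk does not say which WAF policy, if any, applies to this listener; whether an absent key falls back to the gateway-level policy depends on the module, which is outside this diff. A one-line comment stating the intent would remove the guesswork, e.g. `# No listener-level WAF policy: relies on the gateway policy (test host only)`. Separately, the backend FQDN `apim-pamo16test.developer.azure-api.net` appears to be the APIM developer-portal hostname rather than the gateway hostname; if the purpose is to exercise the `X-Azure-AGID` inbound policy on API traffic, that is probably not the endpoint that evaluates it — worth confirming before relying on the test. With `pick_host_name_from_backend_address = true` the client's original Host header is not forwarded, so the APIM side should not expect to see it.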
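Review bot: The commented-out `AllowAzureFrontDoor` rule added after the `ApiManagement` rule is dead configuration with no comment saying why it is kept; the identical block is added to `production.tfvars` in the next hunk. If it is a placeholder for a planned Front Door cut-over, say so inline, e.g. `# Placeholder for Front Door cut-over: enable only together with an X-Azure-FDID check at APIM, since the AzureFrontDoor.Backend tag admits traffic from every Front Door profile`; otherwise drop it from both environment files rather than leaving it to drift.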
@@ -305,6 +305,17 @@ network_security_group_rules = {
     source_address_prefix = "ApiManagement"
     destination_address_prefix = "VirtualNetwork"
   },
+  # {
+  #   name = "AllowAzureFrontDoor"
+  #   priority = 1500
+  #   direction = "Inbound"
+  #   access = "Allow"
+  #   protocol = "Tcp"
+  #   source_port_range = "*"
+  #   destination_port_range = "443"
+  #   source_address_prefix = "AzureFrontDoor.Backend"
+  #   destination_address_prefix = "VirtualNetwork"
+  # },
   {
     name = "AzureInfrastructureLoadBalancer"
     priority = 1400
diff --git a/infrastructure/variables.tf b/infrastructure/variables.tf
index 5cd2b191..68b75a25 100644
--- a/infrastructure/variables.tf
+++ b/infrastructure/variables.tf
@@ -123,6 +123,7 @@ variable "application_gateway_additional" {
       backend_http_settings_key = string
       http_listener_key = string
       priority = number
+      rewrite_rule_set_key = optional(string)
       rule_type = string
     })))
   })