[#IOPLT-1012] Policy fragment for token instrospection io-proxy #1475
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BurnedMarshal
force-pushed
the
IOPLT-1012-token-introspection-fragment
branch
from
da857dd to
29b55e0
Compare
|
📖 Terraform Plan ('src/common/dev') - successTerraform PlanNo changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed. |
📖 Terraform Plan ('src/common/prod') - successTerraform Planmodule.apim_itn.data.azurerm_linux_web_app.cgn_pe_backend_app_01: Still reading... [10s elapsed]
data.azurerm_linux_function_app.lollipop_function: Still reading... [10s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.fims_op_app: Still reading... [10s elapsed]
data.azurerm_linux_function_app.services_app_backend_function_app: Still reading... [10s elapsed]
data.azurerm_linux_function_app.eucovidcert: Still reading... [10s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.cms_backoffice_app_itn: Still reading... [10s elapsed]
data.azurerm_linux_function_app.wallet_user: Still reading... [10s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.ipatente_practices_app_itn: Still reading... [10s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.ipatente_vehicles_app_itn: Still reading... [10s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.ipatente_payments_app_itn: Still reading... [10s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.fims_op_app: Still reading... [20s elapsed]
data.azurerm_linux_function_app.eucovidcert: Still reading... [20s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.ipatente_licences_app_itn: Still reading... [10s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.appservice_selfcare_be: Still reading... [10s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.appservice_devportal_be: Still reading... [10s elapsed]
data.azurerm_linux_function_app.io_sign_user: Still reading... [10s elapsed]
data.azurerm_linux_web_app.firmaconio_selfcare_web_app: Still reading... [10s elapsed]
data.azurerm_linux_function_app.com_citizen_func: Still reading... [10s elapsed]
data.azurerm_linux_function_app.function_profile: Still reading... [10s elapsed]
data.azurerm_linux_function_app.io_fims_user: Still reading... [10s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.session_manager_03: Still reading... [10s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.appservice_selfcare_be: Still reading... [20s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.appservice_continua: Still reading... [10s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.appservice_devportal_be: Still reading... [20s elapsed]
data.azurerm_linux_function_app.io_sign_user: Still reading... [20s elapsed]
data.azurerm_linux_web_app.firmaconio_selfcare_web_app: Still reading... [20s elapsed]
data.azurerm_linux_function_app.function_assets_cdn: Still reading... [10s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.session_manager_03: Still reading... [20s elapsed]
module.application_gateway_weu.data.azurerm_linux_web_app.appservice_continua: Still reading... [20s elapsed]
data.azurerm_linux_function_app.function_assets_cdn: Still reading... [20s elapsed]
module.apim_itn.data.azurerm_linux_web_app.session_manager_app_weu: Still reading... [10s elapsed]
module.apim_itn.data.azurerm_linux_web_app.session_manager_app_weu: Still reading... [20s elapsed]
Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:
# module.global.module.dns.azurerm_private_dns_zone.privatelink_postgres_database_azure_com has changed
~ resource "azurerm_private_dns_zone" "privatelink_postgres_database_azure_com" {
id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/privateDnsZones/privatelink.postgres.database.azure.com"
name = "privatelink.postgres.database.azure.com"
~ number_of_record_sets = 8 -> 7
tags = {
"BusinessUnit" = "App IO"
"CostCenter" = "TS000 - Tecnologia e Servizi"
"CreatedBy" = "Terraform"
"Environment" = "Prod"
"ManagementTeam" = "IO Platform"
"Source" = "https://github.com/pagopa/io-infra/blob/main/src/common/prod"
}
# (4 unchanged attributes hidden)
# (1 unchanged block hidden)
}
Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.
─────────────────────────────────────────────────────────────────────────────
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
~ update in-place
Terraform will perform the following actions:
# module.apim_itn.azurerm_api_management_named_value.session_manager_baseurl will be created
+ resource "azurerm_api_management_named_value" "session_manager_baseurl" {
+ api_management_name = "io-p-itn-apim-01"
+ display_name = "session-manager-baseurl"
+ id = (known after apply)
+ name = "session-manager-baseurl"
+ resource_group_name = "io-p-itn-common-rg-01"
+ secret = false
+ value = (sensitive value)
}
# module.apim_itn.azurerm_api_management_named_value.session_manager_introspection_url will be created
+ resource "azurerm_api_management_named_value" "session_manager_introspection_url" {
+ api_management_name = "io-p-itn-apim-01"
+ display_name = "session-manager-introspection-url"
+ id = (known after apply)
+ name = "session-manager-introspection-url"
+ resource_group_name = "io-p-itn-common-rg-01"
+ secret = false
+ value = (sensitive value)
}
# module.apim_itn.azurerm_api_management_policy_fragment.auth will be created
+ resource "azurerm_api_management_policy_fragment" "auth" {
+ api_management_id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-itn-common-rg-01/providers/Microsoft.ApiManagement/service/io-p-itn-apim-01"
+ format = "xml"
+ id = (known after apply)
+ name = "ioapp-authenticated"
+ value = <<-EOT
<fragment>
<!-- Extract the token from the Authorization Header -->
<set-variable name="token" value="@(context.Request.Headers.GetValueOrDefault("Authorization","").Substring(7))" />
<send-request mode="new" response-variable-name="introspectionResponse" timeout="10" ignore-error="false">
<set-url>{{session-manager-baseurl}}{{introspection-endpoint}}</set-url>
<set-method>GET</set-method>
<set-header name="Content-Type" exists-action="override">
<value>application/json</value>
</set-header>
</send-request>
<choose>
<when condition="@(context.Variables["introspectionResponse"].StatusCode == 200)">
<!-- Parse the introspectionResponse -->
<set-variable name="userData" value="@context.Variables["introspectionResponse"].Body.As<JObject>()" />
<!-- Remove the Authorization Header -->
<set-headert name="Authorization" exists-action="delete"/>
<!-- Set the x-user header with the user data -->
<set-header name="x-user" exists-action="override">
<value>@(Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(context.Variables["userData"].ToString())))</value>
</set-header>
</when>
<when condition="@(context.Variables["introspectionResponse"].StatusCode == 401)">
<return-response response-variable-name="introspectionErrorResponse">
<set-status code="401" reason="Unauthorized" />
</return-response>
</when>
<otherwise>
<return-response response-variable-name="introspectionErrorResponse">
<set-status code="500" reason="Internal Server Error" />
<set-body>{"title": "Proxy Error", "status": 500, "detail": "The the token introspection-endpoint returns an error"}</set-body>
<set-header name="Content-Type" exists-action="override">
<value>application/json</value>
</set-header>
</return-response>
</otherwise>
</choose>
</fragment>
EOT
}
# module.application_gateway_weu.azurerm_web_application_firewall_policy.api_app will be updated in-place
~ resource "azurerm_web_application_firewall_policy" "api_app" {
id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-external/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/io-p-waf-appgateway-api-app-policy"
name = "io-p-waf-appgateway-api-app-policy"
tags = {
"BusinessUnit" = "App IO"
"CostCenter" = "TS000 - Tecnologia e Servizi"
"CreatedBy" = "Terraform"
"Environment" = "Prod"
"ManagementTeam" = "IO Platform"
"Source" = "https://github.com/pagopa/io-infra/blob/main/src/common/prod"
}
# (4 unchanged attributes hidden)
~ policy_settings {
~ request_body_inspect_limit_in_kb = 0 -> 128
# (6 unchanged attributes hidden)
}
# (1 unchanged block hidden)
}
Plan: 3 to add, 1 to change, 0 to destroy.
Warning: Argument is deprecated
with module.application_gateway_weu.azurerm_web_application_firewall_policy.api_app,
on ../_modules/application_gateway/firewall.tf line 62, in resource "azurerm_web_application_firewall_policy" "api_app":
62: disabled_rules = [
63: "942100",
64: "942120",
65: "942190",
66: "942200",
67: "942210",
68: "942240",
69: "942250",
70: "942260",
71: "942330",
72: "942340",
73: "942370",
74: "942380",
75: "942430",
76: "942440",
77: "942450",
78: ]
`disabled_rules` will be removed in favour of the `rule` property in version
4.0 of the AzureRM Provider.
(and 50 more similar warnings elsewhere)
─────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now. |
|
🎉 All dependencies have been resolved ! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation and Context
Add a new fragment for testing
io-proxyintegration in authenticated requests with token introspection for IO app API calls.Major Changes
Add a new APIM policy fragment
Dependencies
depends on pagopa/io-auth-n-identity-domain#251
Testing
not yet
Documentation
Other Considerations