[#IOPID-2401] created cdn profile and endpoint with rules (#1341)

pagopa · Dec 6, 2024 · 67ac907 · 67ac907
1 parent 337d3d9
commit 67ac907
Show file tree

Hide file tree

Showing 4 changed files with 170 additions and 14 deletions.
diff --git a/src/domains/ioweb-common/05_resource_group.tf b/src/domains/ioweb-common/05_resource_group.tf
@@ -22,3 +22,8 @@ resource "azurerm_resource_group" "storage_rg" {
 data "azurerm_resource_group" "common_rg_weu" {
   name = "${local.product}-rg-common"
 }
+
+# core domain external rg
+data "azurerm_resource_group" "core_ext" {
+  name = format("%s-rg-external", local.product)
+}
diff --git a/src/domains/ioweb-common/06_cdn.tf b/src/domains/ioweb-common/06_cdn.tf
@@ -1,13 +1,3 @@
-# core domain external rg
-data "azurerm_resource_group" "core_ext" {
-  name = format("%s-rg-external", local.product)
-}
-
-data "azurerm_dns_zone" "ioapp_it" {
-  name                = "ioapp.it"
-  resource_group_name = data.azurerm_resource_group.core_ext.name
-}
-
 module "landing_cdn" {
   source = "github.com/pagopa/terraform-azurerm-v3.git//cdn?ref=v8.56.0"
 

diff --git a/src/domains/ioweb-common/06_cdn_itn.tf b/src/domains/ioweb-common/06_cdn_itn.tf
@@ -1,6 +1,13 @@
+data "azurerm_dns_zone" "ioapp_it" {
+  name                = "ioapp.it"
+  resource_group_name = data.azurerm_resource_group.core_ext.name
+}
+
 resource "azurerm_resource_group" "io_web_profile_itn_fe_rg" {
-  name     = format("%s-ioweb-fe-rg-01", local.project_itn)
+  name     = format("%s-fe-rg-01", local.project_itn)
   location = local.itn_location
+
+  tags = var.tags
 }
 
 module "io_web_profile_itn_fe_st" {
@@ -24,9 +31,7 @@ module "io_web_profile_itn_fe_st" {
   subnet_pep_id                        = data.azurerm_subnet.private_endpoints_subnet_itn.id
   private_dns_zone_resource_group_name = data.azurerm_resource_group.common_rg_weu.name
 
-  # storage should be accessible by CDN via private endpoint
-  # see https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-enable-private-link-storage-account
-  force_public_network_access_enabled = false
+  force_public_network_access_enabled = true
   subservices_enabled = {
     blob = true
   }
@@ -41,9 +46,155 @@ module "io_web_profile_itn_fe_st" {
   }
 
   static_website = {
+    enabled            = true
     index_document     = "index.html"
     error_404_document = "it/404/index.html"
   }
 
   tags = var.tags
 }
+
+#####################
+# CDN
+#####################
+resource "azurerm_cdn_frontdoor_profile" "portal_profile" {
+  name                = format("%s-%s-profile-portal-afd-01", local.product, var.domain)
+  resource_group_name = azurerm_resource_group.io_web_profile_itn_fe_rg.name
+  sku_name            = "Standard_AzureFrontDoor"
+
+  tags = var.tags
+}
+
+resource "azurerm_cdn_frontdoor_endpoint" "portal_cdn_endpoint" {
+  name                     = format("%s-profile-fde-01", local.project_itn)
+  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.portal_profile.id
+
+  tags = var.tags
+}
+
+resource "azurerm_cdn_frontdoor_origin_group" "portal_cdn_origin_group" {
+  name                     = format("%s-profile-fdog-01", local.project_itn)
+  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.portal_profile.id
+
+  load_balancing {
+    # latency in milliseconds for probes to fall into the lowest latency bucket.
+    # defaults to 50
+    additional_latency_in_milliseconds = 5
+  }
+}
+
+resource "azurerm_cdn_frontdoor_origin" "portal_cdn_origin" {
+  name                           = format("%s-profile-fdo-01", local.project_itn)
+  enabled                        = true
+  cdn_frontdoor_origin_group_id  = azurerm_cdn_frontdoor_origin_group.portal_cdn_origin_group.id
+  host_name                      = module.io_web_profile_itn_fe_st.primary_web_host
+  certificate_name_check_enabled = true
+  origin_host_header             = module.io_web_profile_itn_fe_st.primary_web_host
+}
+
+resource "azurerm_cdn_frontdoor_rule_set" "portal_cdn_rule_set" {
+  name                     = "Ruleset"
+  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.portal_profile.id
+}
+
+resource "azurerm_cdn_frontdoor_rule" "portal_cdn_rule_global" {
+  depends_on = [azurerm_cdn_frontdoor_origin_group.portal_cdn_origin_group, azurerm_cdn_frontdoor_origin.portal_cdn_origin]
+
+  name                      = "Global"
+  cdn_frontdoor_rule_set_id = azurerm_cdn_frontdoor_rule_set.portal_cdn_rule_set.id
+
+  # NOTE: A Front Door Rule with a lesser order value will be applied before a rule with a greater order value.
+  # If the Front Door Rule has an order value of 0 they do not require any conditions and the actions will always be applied.
+  order = 0
+
+  actions {
+    response_header_action {
+      header_name   = "Strict-Transport-Security"
+      header_action = "Overwrite"
+      value         = "max-age=31536000" # 1 year
+    }
+    response_header_action {
+      header_name   = "Content-Security-Policy"
+      header_action = "Append"
+      value         = "script-src 'self' 'unsafe-inline'; worker-src 'none'; font-src data: 'self'; object-src 'none';"
+    }
+    response_header_action {
+      header_name   = "Cache-Control"
+      header_action = "Overwrite"
+      value         = "no-cache"
+    }
+  }
+}
+
+# This rule ensures that root files are always taken from the blob storage, therefore
+# surpassing the caching internal capabilities of the CDN profile.
+resource "azurerm_cdn_frontdoor_rule" "portal_cdn_rule_rootfiles" {
+  depends_on                = [azurerm_cdn_frontdoor_origin_group.portal_cdn_origin_group, azurerm_cdn_frontdoor_origin.portal_cdn_origin]
+  name                      = "TakeRootFilesFromStorage"
+  cdn_frontdoor_rule_set_id = azurerm_cdn_frontdoor_rule_set.portal_cdn_rule_set.id
+
+  # NOTE: A Front Door Rule with a lesser order value will be applied before a rule with a greater order value.
+  # If the Front Door Rule has an order value of 0 they do not require any conditions and the actions will always be applied.
+  order = 1
+
+  # IF
+  conditions {
+    request_uri_condition {
+      operator     = "EndsWith"
+      match_values = ["/"]
+    }
+
+  }
+  # THEN
+  actions {
+    route_configuration_override_action {
+      cache_behavior = "Disabled"
+    }
+  }
+}
+
+resource "azurerm_cdn_frontdoor_route" "portal_cdn_route" {
+  depends_on = [
+    azurerm_cdn_frontdoor_origin_group.portal_cdn_origin_group,
+    azurerm_cdn_frontdoor_origin.portal_cdn_origin,
+    azurerm_cdn_frontdoor_endpoint.portal_cdn_endpoint,
+    azurerm_cdn_frontdoor_rule_set.portal_cdn_rule_set
+  ]
+
+  name    = format("%s-profile-fdr-01", local.project_itn)
+  enabled = true
+
+  cdn_frontdoor_origin_group_id   = azurerm_cdn_frontdoor_origin_group.portal_cdn_origin_group.id
+  cdn_frontdoor_origin_ids        = [azurerm_cdn_frontdoor_origin.portal_cdn_origin.id]
+  cdn_frontdoor_endpoint_id       = azurerm_cdn_frontdoor_endpoint.portal_cdn_endpoint.id
+  cdn_frontdoor_rule_set_ids      = [azurerm_cdn_frontdoor_rule_set.portal_cdn_rule_set.id]
+  cdn_frontdoor_custom_domain_ids = [azurerm_cdn_frontdoor_custom_domain.portal_custom_domain.id]
+
+  supported_protocols    = ["Http", "Https"]
+  https_redirect_enabled = true
+  patterns_to_match      = ["/*"]
+
+  cache {
+    query_string_caching_behavior = "IgnoreQueryString"
+    compression_enabled           = false
+  }
+}
+
+resource "azurerm_cdn_frontdoor_custom_domain" "portal_custom_domain" {
+  name                     = "account-ioapp-it"
+  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.portal_profile.id
+
+  dns_zone_id = data.azurerm_dns_zone.ioapp_it.id
+  host_name   = "account.ioapp.it"
+
+  tls {
+    certificate_type    = "ManagedCertificate"
+    minimum_tls_version = "TLS12"
+  }
+}
+
+resource "azurerm_cdn_frontdoor_custom_domain_association" "portal_cdn_domain_association" {
+  cdn_frontdoor_custom_domain_id = azurerm_cdn_frontdoor_custom_domain.portal_custom_domain.id
+  cdn_frontdoor_route_ids        = [azurerm_cdn_frontdoor_route.portal_cdn_route.id]
+}
+#####################
diff --git a/src/domains/ioweb-common/README.md b/src/domains/ioweb-common/README.md
@@ -40,6 +40,16 @@
 |------|------|
 | [azurerm_api_management_api_operation_policy.spid_acs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
 | [azurerm_api_management_api_operation_policy.spid_acs_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
+| [azurerm_cdn_frontdoor_custom_domain.portal_custom_domain](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_custom_domain) | resource |
+| [azurerm_cdn_frontdoor_custom_domain_association.portal_cdn_domain_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_custom_domain_association) | resource |
+| [azurerm_cdn_frontdoor_endpoint.portal_cdn_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_endpoint) | resource |
+| [azurerm_cdn_frontdoor_origin.portal_cdn_origin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_origin) | resource |
+| [azurerm_cdn_frontdoor_origin_group.portal_cdn_origin_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_origin_group) | resource |
+| [azurerm_cdn_frontdoor_profile.portal_profile](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_profile) | resource |
+| [azurerm_cdn_frontdoor_route.portal_cdn_route](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_route) | resource |
+| [azurerm_cdn_frontdoor_rule.portal_cdn_rule_global](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_rule) | resource |
+| [azurerm_cdn_frontdoor_rule.portal_cdn_rule_rootfiles](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_rule) | resource |
+| [azurerm_cdn_frontdoor_rule_set.portal_cdn_rule_set](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_rule_set) | resource |
 | [azurerm_key_vault_access_policy.access_policy_auth_n_identity_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.access_policy_auth_n_identity_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.access_policy_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |