

Add Key Vault Data Protection to dotnet (#1076)
* Add Data Protection to dotnet

* Add Data Protection Terraform module to deploy a Key Vault Key

* Deploy a File Share that can be mounted to all the containers

* [sonarcloud] Remove nullable annotation

* Updated Azure.Identity to 1.12.1 to fix build

* Update DataProtection.Keys package to v1.3.0

* Abstract DP service to its own file
DrizzlyOwl authored Dec 9, 2024
1 parent 7525760 commit e09afa3
Showing 8 changed files with 56 additions and 0 deletions.
Expand Up @@ -38,6 +38,8 @@

<ItemGroup>
<PackageReference Include="AngleSharp" Version="1.1.2" />
<PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Keys" Version="1.3.0" />
<PackageReference Include="Azure.Identity" Version="1.12.1" />
<PackageReference Include="Dfe.Academies.Contracts" Version="1.0.10" />
<PackageReference Include="Dfe.Academisation.CorrelationIdMiddleware" Version="2.0.2" />
<PackageReference Include="Dfe.Academisation.ExtensionMethods" Version="2.0.0" />
2 changes: 2 additions & 0 deletions Dfe.PrepareConversions/Dfe.PrepareConversions/Startup.cs
Expand Up @@ -95,6 +95,8 @@ public void ConfigureServices(IServiceCollection services)
options.MaxAge = TimeSpan.FromDays(365);
});

services.AddDataProtectionService(Configuration);

services.AddScoped(sp => sp.GetService<IHttpContextAccessor>()?.HttpContext?.Session);
services.AddSession(options =>
{
@@ -0,0 +1,31 @@
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.AspNetCore.DataProtection;
using System;
using System.IO;

namespace Dfe.PrepareConversions.Utils
{
internal static class DataProtectionService
{
public static void AddDataProtectionService(this IServiceCollection services, IConfiguration configuration)
{
var dp = services.AddDataProtection();
var dpTargetPath = "@/srv/app/storage";

if (Directory.Exists(dpTargetPath)) {
// If a Key Vault Key URI is defined, expect to encrypt the keys.xml
string kvProtectionKeyUri = configuration.GetValue<string>("DataProtection:KeyVaultKey");

if (!string.IsNullOrWhiteSpace(kvProtectionKeyUri))
{
throw new InvalidOperationException("DataProtection:Path is undefined or empty");
}

dp.PersistKeysToFileSystem(new DirectoryInfo(dpTargetPath));
dp.ProtectKeysWithAzureKeyVault(new Uri(kvProtectionKeyUri), new DefaultAzureCredential());
}
}
}
}
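Review bot: The guard `if (!string.IsNullOrWhiteSpace(kvProtectionKeyUri))` is inverted: it throws exactly when `DataProtection:KeyVaultKey` is configured, and when the value is absent it falls through to `new Uri(kvProtectionKeyUri)` with a null argument, so the Key Vault-wrapped key store can never be reached, and the exception message names the wrong setting (`DataProtection:Path`). It should read `if (string.IsNullOrWhiteSpace(kvProtectionKeyUri))` followed by `throw new InvalidOperationException("DataProtection:KeyVaultKey is undefined or empty");`. Separately, the `@` in `"@/srv/app/storage"` is inside the quotes rather than a verbatim-string prefix, so `dpTargetPath` is a relative path beginning with a literal `@` and `Directory.Exists` will almost certainly return false, which means the whole block is skipped and the app silently runs on the default in-container key ring (not shared across replicas, not wrapped by Key Vault); use `var dpTargetPath = "/srv/app/storage";`. Because a missing mount degrades to that default without any signal, consider logging a warning or failing in deployed environments when the directory is absent rather than skipping quietly.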
2 changes: 2 additions & 0 deletions terraform/README.md
Expand Up @@ -139,6 +139,7 @@ No providers.
|------|--------|---------|
| <a name="module_azure_container_apps_hosting"></a> [azure\_container\_apps\_hosting](#module\_azure\_container\_apps\_hosting) | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | v1.15.0 |
| <a name="module_azurerm_key_vault"></a> [azurerm\_key\_vault](#module\_azurerm\_key\_vault) | github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars | v0.5.0 |
| <a name="module_data_protection"></a> [data\_protection](#module\_data\_protection) | github.com/DFE-Digital/terraform-azurerm-aspnet-data-protection | v1.0.1 |
| <a name="module_statuscake-tls-monitor"></a> [statuscake-tls-monitor](#module\_statuscake-tls-monitor) | github.com/dfe-digital/terraform-statuscake-tls-monitor | v0.1.4 |

## Resources
Expand Down Expand Up @@ -180,6 +181,7 @@ No resources.
| <a name="input_enable_cdn_frontdoor"></a> [enable\_cdn\_frontdoor](#input\_enable\_cdn\_frontdoor) | Enable Azure CDN Front Door. This will use the Container Apps endpoint as the origin. | `bool` | n/a | yes |
| <a name="input_enable_cdn_frontdoor_health_probe"></a> [enable\_cdn\_frontdoor\_health\_probe](#input\_enable\_cdn\_frontdoor\_health\_probe) | Enable CDN Front Door health probe | `bool` | `false` | no |
| <a name="input_enable_cdn_frontdoor_vdp_redirects"></a> [enable\_cdn\_frontdoor\_vdp\_redirects](#input\_enable\_cdn\_frontdoor\_vdp\_redirects) | Deploy redirects for security.txt and thanks.txt to an external Vulnerability Disclosure Program service | `bool` | `true` | no |
| <a name="input_enable_container_app_file_share"></a> [enable\_container\_app\_file\_share](#input\_enable\_container\_app\_file\_share) | Create an Azure Storage Account and File Share to be mounted to the Container Apps | `bool` | `false` | no |
| <a name="input_enable_container_registry"></a> [enable\_container\_registry](#input\_enable\_container\_registry) | Set to true to create a container registry | `bool` | n/a | yes |
| <a name="input_enable_dns_zone"></a> [enable\_dns\_zone](#input\_enable\_dns\_zone) | Conditionally create a DNS zone | `bool` | n/a | yes |
| <a name="input_enable_event_hub"></a> [enable\_event\_hub](#input\_enable\_event\_hub) | Send Azure Container App logs to an Event Hub sink | `bool` | `false` | no |
1 change: 1 addition & 0 deletions terraform/container-apps-hosting.tf
Expand Up @@ -32,6 +32,7 @@ module "azure_container_apps_hosting" {
enable_health_insights_api = local.enable_health_insights_api
health_insights_api_cors_origins = local.health_insights_api_cors_origins
health_insights_api_ipv4_allow_list = local.health_insights_api_ipv4_allow_list
enable_container_app_file_share = local.enable_container_app_file_share

enable_cdn_frontdoor = local.enable_cdn_frontdoor
cdn_frontdoor_forwarding_protocol = local.cdn_frontdoor_forwarding_protocol
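--- /dev/null
+++ b/terraform/data-protection.tf
@@ -0,0 +1,11 @@
+module "data_protection" {
+source = "github.com/DFE-Digital/terraform-azurerm-aspnet-data-protection?ref=v1.0.1"
+
+data_protection_key_vault_assign_role = false
+data_protection_key_vault_subnet_prefix = "172.16.100.0/28"
+data_protection_key_vault_access_ipv4 = local.key_vault_access_ipv4
+data_protection_resource_prefix = "${local.environment}${local.project_name}"
+data_protection_azure_location = local.azure_location
+data_protection_tags = local.tags
+data_protection_resource_group_name = module.azure_container_apps_hosting.azurerm_resource_group_default.name
+}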
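Review bot: `data_protection_key_vault_assign_role = false` tells the module not to grant any identity access to the Key Vault key it creates, yet the application side uses `DefaultAzureCredential` (presumably the Container App's managed identity) to wrap its key ring with that key; unless a Key Vault role assignment (Key Vault Crypto User, or wrap/unwrap key permissions under the access-policy model) is made elsewhere, `ProtectKeysWithAzureKeyVault` will likely fail the first time a key needs to be created. I cannot see the module or the rest of the Terraform, so this may already be handled — if so, a comment on that line such as `# Key access for the Container App identity is assigned outside this module` would save the next reader the same question. Note also that `enable_container_app_file_share` defaults to `false` in variables.tf while the app only persists and wraps keys when its mount path exists, so an environment that applies this module without enabling the share ends up with a Key Vault key that nothing uses; consider tying the two together or documenting that both must be enabled.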
1 change: 1 addition & 0 deletions terraform/locals.tf
Expand Up @@ -55,4 +55,5 @@ locals {
health_insights_api_ipv4_allow_list = var.health_insights_api_ipv4_allow_list
enable_cdn_frontdoor_vdp_redirects = var.enable_cdn_frontdoor_vdp_redirects
cdn_frontdoor_vdp_destination_hostname = var.cdn_frontdoor_vdp_destination_hostname
enable_container_app_file_share = var.enable_container_app_file_share
}
6 changes: 6 additions & 0 deletions terraform/variables.tf
Expand Up @@ -370,3 +370,9 @@ variable "cdn_frontdoor_vdp_destination_hostname" {
type = string
default = "vdp.security.education.gov.uk"
}

variable "enable_container_app_file_share" {
description = "Create an Azure Storage Account and File Share to be mounted to the Container Apps"
type = bool
default = false
}
