diff --git a/Dfe.PrepareConversions/Dfe.PrepareConversions/Dfe.PrepareConversions.csproj b/Dfe.PrepareConversions/Dfe.PrepareConversions/Dfe.PrepareConversions.csproj
index d72a48a8b..82f7aae29 100644
--- a/Dfe.PrepareConversions/Dfe.PrepareConversions/Dfe.PrepareConversions.csproj
+++ b/Dfe.PrepareConversions/Dfe.PrepareConversions/Dfe.PrepareConversions.csproj
@@ -38,6 +38,8 @@
+
+
diff --git a/Dfe.PrepareConversions/Dfe.PrepareConversions/Startup.cs b/Dfe.PrepareConversions/Dfe.PrepareConversions/Startup.cs
index ac1bde54a..b33bae644 100644
--- a/Dfe.PrepareConversions/Dfe.PrepareConversions/Startup.cs
+++ b/Dfe.PrepareConversions/Dfe.PrepareConversions/Startup.cs
@@ -95,6 +95,8 @@ public void ConfigureServices(IServiceCollection services)
 options.MaxAge = TimeSpan.FromDays(365);
 });
+ services.AddDataProtectionService(Configuration);
+
 services.AddScoped(sp => sp.GetService()?.HttpContext?.Session);
 services.AddSession(options =>
 {
diff --git a/Dfe.PrepareConversions/Dfe.PrepareConversions/Utils/DataProtectionService.cs b/Dfe.PrepareConversions/Dfe.PrepareConversions/Utils/DataProtectionService.cs
new file mode 100644
index 000000000..fd76c82fb
--- /dev/null
+++ b/Dfe.PrepareConversions/Dfe.PrepareConversions/Utils/DataProtectionService.cs
@@ -0,0 +1,31 @@
+using Azure.Identity;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.AspNetCore.DataProtection;
+using System;
+using System.IO;
+
+namespace Dfe.PrepareConversions.Utils
+{
+ internal static class DataProtectionService
+ {
+ public static void AddDataProtectionService(this IServiceCollection services, IConfiguration configuration)
+ {
+ var dp = services.AddDataProtection();
+ var dpTargetPath = "@/srv/app/storage";
+
+ if (Directory.Exists(dpTargetPath)) {
+ // If a Key Vault Key URI is defined, expect to encrypt the keys.xml
+ string kvProtectionKeyUri = configuration.GetValue("DataProtection:KeyVaultKey");
+
+ if (!string.IsNullOrWhiteSpace(kvProtectionKeyUri))
+ {
+ throw new InvalidOperationException("DataProtection:Path is undefined or empty");
+ }
+
+ dp.PersistKeysToFileSystem(new DirectoryInfo(dpTargetPath));
+ dp.ProtectKeysWithAzureKeyVault(new Uri(kvProtectionKeyUri), new DefaultAzureCredential());
+ }
+ }
+ }
+}
diff --git a/terraform/README.md b/terraform/README.md
index bc2f03c18..7d3b3f318 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -139,6 +139,7 @@ No providers.
 |------|--------|---------|
 | [azure\_container\_apps\_hosting](#module\_azure\_container\_apps\_hosting) | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | v1.15.0 |
 | [azurerm\_key\_vault](#module\_azurerm\_key\_vault) | github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars | v0.5.0 |
+| [data\_protection](#module\_data\_protection) | github.com/DFE-Digital/terraform-azurerm-aspnet-data-protection | v1.0.1 |
 | [statuscake-tls-monitor](#module\_statuscake-tls-monitor) | github.com/dfe-digital/terraform-statuscake-tls-monitor | v0.1.4 |
 ## Resources
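Review bot: The `@` in `var dpTargetPath = "@/srv/app/storage";` sits inside the literal instead of prefixing it, so `Directory.Exists` tests a relative path `./@/srv/app/storage` that will not exist and the whole block is skipped, leaving the key ring on the framework default (ephemeral in a container) with no Key Vault protection; use `var dpTargetPath = "/srv/app/storage";`. The guard that follows is inverted: it throws when `DataProtection:KeyVaultKey` is set and, when it is unset, falls through to `new Uri(null)`, so there is no input on which the method succeeds — change it to `if (string.IsNullOrWhiteSpace(kvProtectionKeyUri))` and make the message name the setting actually checked, `throw new InvalidOperationException("DataProtection:KeyVaultKey is undefined or empty");`. Failing closed there is the right default: persisting keys.xml to a mounted share without `ProtectKeysWithAzureKeyVault` leaves the key ring readable to anything with access to that share, which the leading comment ("expect to encrypt") appears to intend to prevent. Consider also logging when the directory check fails, so a missing mount is visible rather than a silent fallback to default key storage.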
@@ -180,6 +181,7 @@ No resources.
 | [enable\_cdn\_frontdoor](#input\_enable\_cdn\_frontdoor) | Enable Azure CDN Front Door. This will use the Container Apps endpoint as the origin. | `bool` | n/a | yes |
 | [enable\_cdn\_frontdoor\_health\_probe](#input\_enable\_cdn\_frontdoor\_health\_probe) | Enable CDN Front Door health probe | `bool` | `false` | no |
 | [enable\_cdn\_frontdoor\_vdp\_redirects](#input\_enable\_cdn\_frontdoor\_vdp\_redirects) | Deploy redirects for security.txt and thanks.txt to an external Vulnerability Disclosure Program service | `bool` | `true` | no |
+| [enable\_container\_app\_file\_share](#input\_enable\_container\_app\_file\_share) | Create an Azure Storage Account and File Share to be mounted to the Container Apps | `bool` | `false` | no |
 | [enable\_container\_registry](#input\_enable\_container\_registry) | Set to true to create a container registry | `bool` | n/a | yes |
 | [enable\_dns\_zone](#input\_enable\_dns\_zone) | Conditionally create a DNS zone | `bool` | n/a | yes |
 | [enable\_event\_hub](#input\_enable\_event\_hub) | Send Azure Container App logs to an Event Hub sink | `bool` | `false` | no |
diff --git a/terraform/container-apps-hosting.tf b/terraform/container-apps-hosting.tf
index 7a535f162..c5ede03a1 100644
--- a/terraform/container-apps-hosting.tf
+++ b/terraform/container-apps-hosting.tf
@@ -32,6 +32,7 @@ module "azure_container_apps_hosting" {
 enable_health_insights_api = local.enable_health_insights_api
 health_insights_api_cors_origins = local.health_insights_api_cors_origins
 health_insights_api_ipv4_allow_list = local.health_insights_api_ipv4_allow_list
+ enable_container_app_file_share = local.enable_container_app_file_share
 enable_cdn_frontdoor = local.enable_cdn_frontdoor
 cdn_frontdoor_forwarding_protocol = local.cdn_frontdoor_forwarding_protocol
diff --git a/terraform/data-protection.tf b/terraform/data-protection.tf
new file mode 100644
index 000000000..afae37aa5
--- /dev/null
+++ b/terraform/data-protection.tf
@@ -0,0 +1,11 @@
+module "data_protection" {
+ source = "github.com/DFE-Digital/terraform-azurerm-aspnet-data-protection?ref=v1.0.1"
+
+ data_protection_key_vault_assign_role = false
+ data_protection_key_vault_subnet_prefix = "172.16.100.0/28"
+ data_protection_key_vault_access_ipv4 = local.key_vault_access_ipv4
+ data_protection_resource_prefix = "${local.environment}${local.project_name}"
+ data_protection_azure_location = local.azure_location
+ data_protection_tags = local.tags
+ data_protection_resource_group_name = module.azure_container_apps_hosting.azurerm_resource_group_default.name
+}
diff --git a/terraform/locals.tf b/terraform/locals.tf
index 14690b545..ad0353af0 100644
--- a/terraform/locals.tf
+++ b/terraform/locals.tf
@@ -55,4 +55,5 @@ locals {
 health_insights_api_ipv4_allow_list = var.health_insights_api_ipv4_allow_list
 enable_cdn_frontdoor_vdp_redirects = var.enable_cdn_frontdoor_vdp_redirects
 cdn_frontdoor_vdp_destination_hostname = var.cdn_frontdoor_vdp_destination_hostname
+ enable_container_app_file_share = var.enable_container_app_file_share
 }
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 835c2a512..425144cfb 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -370,3 +370,9 @@ variable "cdn_frontdoor_vdp_destination_hostname" {
 type = string
 default = "vdp.security.education.gov.uk"
 }
+
+variable "enable_container_app_file_share" {
+ description = "Create an Azure Storage Account and File Share to be mounted to the Container Apps"
+ type = bool
+ default = false
+}
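Review bot: `data_protection_key_vault_assign_role = false` in the new `data_protection` module block means, going by the argument name (the module source is not on the page), that no role on the Key Vault key is granted to the app identity, and nothing else in this change grants the wrap/unwrap permission that `ProtectKeysWithAzureKeyVault` with `DefaultAzureCredential` requires, nor passes the module's key URI into the `DataProtection:KeyVaultKey` setting the app reads. If both are handled out of band, a comment naming where (`# key access role and DataProtection:KeyVaultKey app setting are managed in <LOCATION-PLACEHOLDER>`) would spare the next reader a hunt. `data_protection_key_vault_subnet_prefix = "172.16.100.0/28"` is a hard-coded CIDR where every neighbouring argument comes from `local.*`; consider hoisting it into a variable or local so it can differ per environment and cannot collide with address space set elsewhere. Note also that the `enable_container_app_file_share` variable added in variables.tf defaults to `false`, so unless tfvars set it the `/srv/app/storage` share is never mounted and the application's directory check silently falls back to default key storage.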