

MLPAB-1682 Enable internal routing for requests to mock onelogin service (#906)

* create a service discovery dns for the mock one login service

* allow app to talk to mock via security group rules

* pass issuer url to app and mock-onelogin;

* enable the mock for demo and ur environments
andrewpearce-digital authored Dec 7, 2023
1 parent ac09af7 commit da598cb
Showing 8 changed files with 98 additions and 85 deletions.
30 changes: 15 additions & 15 deletions terraform/environment/.terraform.lock.hcl


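--- a/terraform/environment/region/dns.tf
+++ b/terraform/environment/region/dns.tf
@@ -54,3 +54,10 @@ resource "aws_route53_record" "mock_onelogin" {
 create_before_destroy = true
 }
 }
+
+resource "aws_service_discovery_private_dns_namespace" "mock_one_login" {
+name = "${data.aws_default_tags.current.tags.environment-name}.internal.modernising.ecs"
+description = "Private DNS namespace for the mock-onelogin service"
+vpc = data.aws_vpc.main.id
+provider = aws.region
+}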
11 changes: 8 additions & 3 deletions terraform/environment/region/ecs.tf
Expand Up @@ -73,14 +73,19 @@ module "mock_onelogin" {
container_version = var.mock_onelogin_service_container_version
alb_deletion_protection_enabled = var.alb_deletion_protection_enabled
container_port = 8080
# TODO: figure out how to internally reference this
public_access_enabled = true # var.public_access_enabled
redirect_base_url = var.app_env_vars.auth_redirect_base_url
public_access_enabled = var.public_access_enabled
redirect_base_url = var.app_env_vars.auth_redirect_base_url
network = {
vpc_id = data.aws_vpc.main.id
application_subnets = data.aws_subnet.application.*.id
public_subnets = data.aws_subnet.public.*.id
}
aws_service_discovery_private_dns_namespace = {
id = aws_service_discovery_private_dns_namespace.mock_one_login.id
name = aws_service_discovery_private_dns_namespace.mock_one_login.name
}
app_ecs_service_security_group_id = module.app.ecs_service_security_group.id

providers = {
aws.region = aws.region
}
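Review bot: `public_access_enabled = var.public_access_enabled` replaces what was a hard-coded `true`, so in any environment where that variable is false the mock's public endpoint presumably goes away while the app still reaches it over the new private DNS name; the commit message does not mention this behavioural change. Since the public `aws_route53_record.mock_onelogin` in dns.tf suggests the browser-facing OIDC endpoints of the mock still need to be reachable from outside, it is worth confirming that every environment with `mock_onelogin_enabled = true` also has `public_access_enabled = true`, or guarding the combination with a root-level `check` block or a lifecycle `precondition` inside the mock module. A one-line comment in place of the deleted TODO would also help, e.g. `# public access is still required for browser redirects to the mock; app-to-mock calls use service discovery`. The `module "mock_onelogin"` call starts above this hunk and its remaining arguments are not visible here.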
4 changes: 2 additions & 2 deletions terraform/environment/region/modules/app/ecs.tf
Expand Up @@ -336,11 +336,11 @@ locals {
},
{
name = "ISSUER",
value = var.mock_onelogin_enabled ? "https://${data.aws_default_tags.current.tags.environment-name}-mock-onelogin.app.modernising.opg.service.justice.gov.uk" : "https://oidc.integration.account.gov.uk"
value = var.mock_onelogin_enabled ? "http://mock-onelogin.${data.aws_default_tags.current.tags.environment-name}.internal.modernising.ecs:8080" : "https://oidc.integration.account.gov.uk"
},
{
name = "MOCK_IDENTITY_PUBLIC_KEY",
value = var.mock_onelogin_enabled ? "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFSlEyVmtpZWtzNW9rSTIxY1Jma0FhOXVxN0t4TQo2bTJqWllCeHBybFVXQlpDRWZ4cTI3cFV0Qzd5aXplVlRiZUVqUnlJaStYalhPQjFBbDhPbHFtaXJnPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" : ""
value = var.mock_onelogin_enabled ? "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFSlEyVmtpZWtzNW9rSTIxY1Jma0FhOXVxN0t4TQo2bTJqWllCeHBybFVXQlpDRWZ4cTI3cFV0Qzd5aXplVlRiZUVqUnlJaStYalhPQjFBbDhPbHFtaXJnPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==" : "" #pragma: allowlist secret
},
{
name = "APP_PUBLIC_URL",
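Review bot: The new ISSUER value rebuilds the Cloud Map FQDN by hand (`mock-onelogin.` + the namespace name declared in dns.tf + `:8080`), so the service name, namespace suffix and container port now exist as separate string literals in three files and a change to any of them breaks the app silently at runtime rather than at plan time. Prefer passing the value in from the root module, where `aws_service_discovery_private_dns_namespace.mock_one_login.name` and the port are known, e.g. a `mock_onelogin_internal_url` variable on the app module. Separately, the issuer is now a plain `http://` URL on an internal hostname; assuming the app validates the `iss` claim and discovers endpoints from this value, the mock must advertise exactly this issuer while still exposing a public hostname for the browser-facing authorize endpoint — the mock-side half of that is not visible in this section, so worth confirming. The `#pragma: allowlist secret` on MOCK_IDENTITY_PUBLIC_KEY is appropriate because the base64 decodes to a PEM `-----BEGIN PUBLIC KEY-----` block, but a short inline comment such as `# base64 PEM public key of the mock signer, not a secret` would save the next reader from decoding it. The `locals` block containing this list starts and ends outside the hunk.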
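--- a/terraform/environment/region/modules/app/outputs.tf
+++ b/terraform/environment/region/modules/app/outputs.tf
@@ -9,3 +9,7 @@ output "load_balancer_security_group" {
 output "ecs_service" {
 value = aws_ecs_service.app
 }
+
+output "ecs_service_security_group" {
+value = aws_security_group.app_ecs_service
+}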
49 changes: 47 additions & 2 deletions terraform/environment/region/modules/mock_onelogin/ecs.tf
Expand Up @@ -18,6 +18,10 @@ resource "aws_ecs_service" "mock_onelogin" {
assign_public_ip = false
}

service_registries {
registry_arn = aws_service_discovery_service.mock_onelogin.arn
}

load_balancer {
target_group_arn = aws_lb_target_group.mock_onelogin.arn
container_name = "mock_onelogin"
Expand All @@ -35,6 +39,31 @@ resource "aws_ecs_service" "mock_onelogin" {
provider = aws.region
}

resource "aws_service_discovery_service" "mock_onelogin" {
name = "mock-onelogin"

dns_config {
namespace_id = var.aws_service_discovery_private_dns_namespace.id

dns_records {
ttl = 10
type = "A"
}

routing_policy = "MULTIVALUE"
}

health_check_custom_config {
failure_threshold = 1
}

provider = aws.region
}

locals {
mock_onelogin_service_discovery_fqdn = "${aws_service_discovery_service.mock_onelogin.name}.${var.aws_service_discovery_private_dns_namespace.name}"
}

resource "aws_security_group" "mock_onelogin_ecs_service" {
name_prefix = "${local.name_prefix}-ecs-service"
description = "mock-onelogin service security group"
Expand All @@ -46,7 +75,7 @@ resource "aws_security_group" "mock_onelogin_ecs_service" {
}

resource "aws_security_group_rule" "mock_onelogin_ecs_service_ingress" {
description = "Allow Port 80 ingress from the application load balancer"
description = "Allow Port 80 ingress from the mock-onelogin load balancer"
type = "ingress"
from_port = 80
to_port = var.container_port
Expand All @@ -59,6 +88,22 @@ resource "aws_security_group_rule" "mock_onelogin_ecs_service_ingress" {
provider = aws.region
}


resource "aws_security_group_rule" "mock_one_login_service_app_ingress" {
description = "Allow Port 8080 ingress from the app ecs service"
type = "ingress"
from_port = var.container_port
to_port = var.container_port
protocol = "tcp"
security_group_id = aws_security_group.mock_onelogin_ecs_service.id
source_security_group_id = var.app_ecs_service_security_group_id
lifecycle {
create_before_destroy = true
}

provider = aws.region
}

resource "aws_security_group_rule" "mock_onelogin_ecs_service_egress" {
description = "Allow any egress from service"
type = "egress"
Expand Down Expand Up @@ -123,7 +168,7 @@ locals {
},
{
name = "INTERNAL_URL",
value = local.mock_onelogin_url
value = "http://${local.mock_onelogin_service_discovery_fqdn}:${var.container_port}"
},
{
name = "CLIENT_ID",
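Review bot: The new `mock_one_login_service_app_ingress` rule hard-codes "Port 8080" in its description while the port itself comes from `var.container_port`, and its name uses `mock_one_login` where every other resource in this module is spelled `mock_onelogin`; suggest `description = "Allow port ${var.container_port} ingress from the app ecs service"` and renaming it to `mock_onelogin_ecs_service_app_ingress`. The pre-existing LB ingress rule just above it allows `from_port = 80` through `to_port = var.container_port`, i.e. a TCP range 80–8080 (container_port is set to 8080 in region/ecs.tf) from the load balancer security group rather than a single port; the commit only retouches its description, but since the new app rule correctly pins both ends to `var.container_port`, aligning the LB rule the same way would close that range. The `locals` block that computes `mock_onelogin_service_discovery_fqdn` and the `INTERNAL_URL` change are consistent with the new `aws_service_discovery_service`; the `aws_ecs_service` and `aws_security_group` resources themselves start or continue outside the visible hunks.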
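--- a/terraform/environment/region/modules/mock_onelogin/variables.tf
+++ b/terraform/environment/region/modules/mock_onelogin/variables.tf
@@ -78,3 +78,16 @@ variable "redirect_base_url" {
 type = string
 description = "Base URL expected for redirect_url"
 }
+
+variable "aws_service_discovery_private_dns_namespace" {
+type = object({
+id = string
+name = string
+})
+description = "ID and name of the AWS Service Discovery private DNS namespace"
+}
+
+variable "app_ecs_service_security_group_id" {
+type = string
+description = "ID of the security group for the app ECS service"
+}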
65 changes: 2 additions & 63 deletions terraform/environment/terraform.tfvars.json
Expand Up @@ -61,67 +61,6 @@
},
"s3_antivirus_provisioned_concurrency": 0
},
"testevents": {
"account_id": "653761790766",
"account_name": "development",
"is_production": false,
"regions": [
"eu-west-1"
],
"app": {
"env": {
"app_public_url": "",
"auth_redirect_base_url": "https://demo.app.modernising.opg.service.justice.gov.uk",
"notify_is_production": "",
"onelogin_url": "https://home.integration.account.gov.uk"
},
"autoscaling": {
"minimum": 1,
"maximum": 3
}
},
"mock_onelogin_enabled": false,
"uid_service": {
"base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
"api_arns": [
"arn:aws:execute-api:eu-west-1:288342028542:*/*/POST/cases",
"arn:aws:execute-api:eu-west-2:288342028542:*/*/POST/cases",
"arn:aws:execute-api:eu-west-1:288342028542:*/*/GET/health",
"arn:aws:execute-api:eu-west-2:288342028542:*/*/GET/health"
]
},
"backups": {
"backup_plan_enabled": false,
"copy_action_enabled": false
},
"dynamodb": {
"region_replica_enabled": false,
"stream_enabled": false
},
"ecs": {
"fargate_spot_capacity_provider_enabled": true
},
"cloudwatch_log_groups": {
"application_log_retention_days": 7
},
"application_load_balancer": {
"deletion_protection_enabled": false
},
"cloudwatch_application_insights_enabled": false,
"pagerduty_service_name": "OPG Modernising LPA Non-Production",
"event_bus": {
"target_event_bus_arn": "arn:aws:events:eu-west-1:288342028542:event-bus/dev-poas",
"receive_account_ids": ["288342028542"]
},
"reduced_fees": {
"enabled": true,
"s3_object_replication_enabled": true,
"target_environment": "dev",
"destination_account_id": "288342028542",
"enable_s3_batch_job_replication_scheduler": true
},
"s3_antivirus_provisioned_concurrency": 0
},
"demo": {
"account_id": "653761790766",
"account_name": "development",
Expand All @@ -141,7 +80,7 @@
"maximum": 3
}
},
"mock_onelogin_enabled": false,
"mock_onelogin_enabled": true,
"uid_service": {
"base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
"api_arns": [
Expand Down Expand Up @@ -202,7 +141,7 @@
"maximum": 3
}
},
"mock_onelogin_enabled": false,
"mock_onelogin_enabled": true,
"uid_service": {
"base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
"api_arns": [
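Review bot: The entire `testevents` environment entry is deleted in the first hunk (61 of the 63 removed lines), which neither the commit title nor the bullet list mentions; if that environment still exists in state or a workspace, dropping its tfvars entry may plan a destroy or fail outright, so the removal should be called out explicitly or moved to its own commit. Flipping `mock_onelogin_enabled` to `true` for demo and ur matches the description, and the visible demo entry sits in the development account, but nothing in this file prevents the same flag being set in a production entry; since the mock now also carries a fixed identity public key and speaks plain `http` inside the VPC, a guard tied to the environment's production flag (a root-level `check` block, or a `precondition` on the mock module's ECS service) would make non-production use a property of the configuration rather than of review. The two small hunks sit inside environment objects whose opening and closing braces are outside the visible lines.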

