From 109bc72d4bad93bdb2bee9bff68b506702d5385e Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Tue, 20 Sep 2022 15:30:54 -0400 Subject: [PATCH] Access the API endpiont over internal interfaces --- manifest.yml | 2 +- terraform/production/main.tf | 17 ++++++++++++++ terraform/production/variables.tf | 5 ++++- terraform/shared/container_networking/main.tf | 22 +++++++++++++++++++ .../shared/container_networking/providers.tf | 16 ++++++++++++++ .../shared/container_networking/variables.tf | 13 +++++++++++ terraform/staging/main.tf | 11 ++++++++++ terraform/staging/variables.tf | 5 ++++- 8 files changed, 88 insertions(+), 3 deletions(-) create mode 100644 terraform/shared/container_networking/main.tf create mode 100644 terraform/shared/container_networking/providers.tf create mode 100644 terraform/shared/container_networking/variables.tf diff --git a/manifest.yml b/manifest.yml index 2bd475250..7f5a94b22 100644 --- a/manifest.yml +++ b/manifest.yml @@ -33,7 +33,7 @@ applications: ADMIN_CLIENT_SECRET: ((ADMIN_CLIENT_SECRET)) ADMIN_CLIENT_USERNAME: ((ADMIN_CLIENT_USERNAME)) ADMIN_BASE_URL: https://notifications-admin.app.cloud.gov - API_HOST_NAME: https://notifications-api.app.cloud.gov + API_HOST_NAME: https://notifications-api-((env)).apps.internal:61443 DANGEROUS_SALT: ((DANGEROUS_SALT)) SECRET_KEY: ((SECRET_KEY)) diff --git a/terraform/production/main.tf b/terraform/production/main.tf index 807f4a660..377654b01 100644 --- a/terraform/production/main.tf +++ b/terraform/production/main.tf @@ -30,7 +30,24 @@ module "logo_upload_bucket" { s3_service_name = "${local.app_name}-logo-upload-bucket-${local.env}" } +# ########################################################################## +# The following lines need to be commented out for the initial `terraform apply` +# It can be re-enabled after: +# 1) the api app has first been deployed +# 2) the admin app has first been deployed ########################################################################### +# module "api_network_route" { +# source = "../shared/container_networking" +# +# cf_user = var.cf_user +# cf_password = var.cf_password +# cf_org_name = local.cf_org_name +# cf_space_name = local.cf_space_name +# source_app_name = "${local.app_name}-${local.env}" +# destination_app_name = "notifications-api-${local.env}" +# } + +# ########################################################################## # The following lines need to be commented out for the initial `terraform apply` # It can be re-enabled after: # 1) the app has first been deployed diff --git a/terraform/production/variables.tf b/terraform/production/variables.tf index 2fe500544..bd8f74131 100644 --- a/terraform/production/variables.tf +++ b/terraform/production/variables.tf @@ -1,2 +1,5 @@ -variable "cf_password" {} +variable "cf_password" { + type = string + sensitive = true +} variable "cf_user" {} diff --git a/terraform/shared/container_networking/main.tf b/terraform/shared/container_networking/main.tf new file mode 100644 index 000000000..da8e6f712 --- /dev/null +++ b/terraform/shared/container_networking/main.tf @@ -0,0 +1,22 @@ +data "cloudfoundry_space" "space" { + org_name = var.cf_org_name + name = var.cf_space_name +} + +data "cloudfoundry_app" "source_app" { + name_or_id = var.source_app_name + space = data.cloudfoundry_space.space.id +} + +data "cloudfoundry_app" "destination_app" { + name_or_id = var.destination_app_name + space = data.cloudfoundry_space.space.id +} + +resource "cloudfoundry_network_policy" "internal_route" { + policy { + source_app = data.cloudfoundry_app.source_app.id + destination_app = data.cloudfoundry_app.destination_app.id + port = var.destination_port + } +} diff --git a/terraform/shared/container_networking/providers.tf b/terraform/shared/container_networking/providers.tf new file mode 100644 index 000000000..6fe315c0b --- /dev/null +++ b/terraform/shared/container_networking/providers.tf @@ -0,0 +1,16 @@ +terraform { + required_version = "~> 1.0" + required_providers { + cloudfoundry = { + source = "cloudfoundry-community/cloudfoundry" + version = "~> 0.15" + } + } +} + +provider "cloudfoundry" { + api_url = "https://api.fr.cloud.gov" + user = var.cf_user + password = var.cf_password + app_logs_max = 30 +} diff --git a/terraform/shared/container_networking/variables.tf b/terraform/shared/container_networking/variables.tf new file mode 100644 index 000000000..8e3b75004 --- /dev/null +++ b/terraform/shared/container_networking/variables.tf @@ -0,0 +1,13 @@ +variable "cf_password" { + type = string + sensitive = true +} +variable "cf_user" {} +variable "cf_org_name" {} +variable "cf_space_name" {} +variable "source_app_name" {} +variable "destination_app_name" {} +variable "destination_port" { + type = string + default = "61443" +} diff --git a/terraform/staging/main.tf b/terraform/staging/main.tf index f60fb31bd..d2a62db7f 100644 --- a/terraform/staging/main.tf +++ b/terraform/staging/main.tf @@ -29,3 +29,14 @@ module "logo_upload_bucket" { recursive_delete = local.recursive_delete s3_service_name = "${local.app_name}-logo-upload-bucket-${local.env}" } + +module "api_network_route" { + source = "../shared/container_networking" + + cf_user = var.cf_user + cf_password = var.cf_password + cf_org_name = local.cf_org_name + cf_space_name = local.cf_space_name + source_app_name = "${local.app_name}-${local.env}" + destination_app_name = "notifications-api-${local.env}" +} diff --git a/terraform/staging/variables.tf b/terraform/staging/variables.tf index 2fe500544..bd8f74131 100644 --- a/terraform/staging/variables.tf +++ b/terraform/staging/variables.tf @@ -1,2 +1,5 @@ -variable "cf_password" {} +variable "cf_password" { + type = string + sensitive = true +} variable "cf_user" {}