[EC-357] - Move application gateway from core to modules (#1149)

Co-authored-by: Andrea Grillo <[email protected]>
pagopa · Sep 11, 2024 · 9c69771 · 9c69771
1 parent 87a31bf
commit 9c69771
Show file tree

Hide file tree

Showing 27 changed files with 735 additions and 832 deletions.
diff --git a/src/common/_modules/application_gateway/data.tf b/src/common/_modules/application_gateway/data.tf
@@ -0,0 +1,115 @@
+#######################
+### Web Application ###
+#######################
+
+data "azurerm_linux_web_app" "cms_backoffice_app_itn" {
+  name                = "${var.project}-itn-svc-bo-app-01"
+  resource_group_name = "${var.project}-itn-svc-rg-01"
+}
+
+data "azurerm_linux_web_app" "appservice_continua" {
+  name                = "${var.project}-app-continua"
+  resource_group_name = "${var.project}-continua-rg"
+}
+
+data "azurerm_linux_web_app" "session_manager" {
+  name                = "io-p-weu-session-manager-app-03"
+  resource_group_name = "io-p-weu-session-manager-rg-01"
+}
+
+data "azurerm_linux_web_app" "fims_op_app" {
+  name                = "io-p-weu-fims-op-app-01"
+  resource_group_name = "io-p-weu-fims-rg-01"
+}
+
+data "azurerm_linux_web_app" "appservice_devportal_be" {
+  name                = "${var.project}-app-devportal-be"
+  resource_group_name = "${var.project}-selfcare-be-rg"
+}
+
+data "azurerm_linux_web_app" "appservice_selfcare_be" {
+  name                = "${var.project}-app-selfcare-be"
+  resource_group_name = "${var.project}-selfcare-be-rg"
+}
+
+#######################
+###    Key Vault    ###
+#######################
+
+data "azurerm_key_vault_certificate" "app_gw_api" {
+  name         = var.certificates.api
+  key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_api_mtls" {
+  name         = var.certificates.api_mtls
+  key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_api_app" {
+  name         = var.certificates.api_app
+  key_vault_id = var.key_vault.id
+}
+
+###
+# kv where the certificate for api-web domain is located
+###
+data "azurerm_key_vault" "ioweb_kv" {
+  name                = format("%s-ioweb-kv", var.project)
+  resource_group_name = format("%s-ioweb-sec-rg", var.project)
+}
+
+data "azurerm_key_vault_certificate" "app_gw_api_web" {
+  name         = var.certificates.api_web
+  key_vault_id = data.azurerm_key_vault.ioweb_kv.id
+}
+###
+
+data "azurerm_key_vault_certificate" "app_gw_api_io_italia_it" {
+  name         = var.certificates.api_io_italia_it
+  key_vault_id = var.key_vault_common.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_app_backend_io_italia_it" {
+  name         = var.certificates.app_backend_io_italia_it
+  key_vault_id = var.key_vault_common.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_developerportal_backend_io_italia_it" {
+  name         = var.certificates.developerportal_backend_io_italia_it
+  key_vault_id = var.key_vault_common.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_api_io_selfcare_pagopa_it" {
+  name         = var.certificates.api_io_selfcare_pagopa_it
+  key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_firmaconio_selfcare_pagopa_it" {
+  name         = var.certificates.firmaconio_selfcare_pagopa_it
+  key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_continua" {
+  name         = var.certificates.continua_io_pagopa_it
+  key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_oauth" {
+  name         = var.certificates.oauth_io_pagopa_it
+  key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_selfcare_io" {
+  name         = var.certificates.selfcare_io_pagopa_it
+  key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "app_gw_mtls_header_name" {
+  name         = "mtls-header-name"
+  key_vault_id = var.key_vault.id
+}
+
+data "azuread_service_principal" "app_gw_uai_kvreader" {
+  display_name = format("%s-uai-kvreader", var.project)
+}
diff --git a/src/common/_modules/application_gateway/firewall.tf b/src/common/_modules/application_gateway/firewall.tf
@@ -0,0 +1,85 @@
+resource "azurerm_web_application_firewall_policy" "api_app" {
+  name                = try(local.nonstandard[var.location_short].waf_api_app, "${var.project}-waf-agw-api-app-01")
+  resource_group_name = var.resource_groups.external
+  location            = var.location
+
+  policy_settings {
+    enabled                     = true
+    mode                        = "Prevention"
+    request_body_check          = true
+    file_upload_limit_in_mb     = 100
+    max_request_body_size_in_kb = 128
+  }
+
+  managed_rules {
+
+    managed_rule_set {
+      type    = "OWASP"
+      version = "3.1"
+
+      rule_group_override {
+        rule_group_name = "REQUEST-913-SCANNER-DETECTION"
+        disabled_rules = [
+          "913100",
+          "913101",
+          "913102",
+          "913110",
+          "913120",
+        ]
+      }
+
+      rule_group_override {
+        rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
+        disabled_rules = [
+          "920300",
+          "920320",
+        ]
+      }
+
+      rule_group_override {
+        rule_group_name = "REQUEST-930-APPLICATION-ATTACK-LFI"
+        disabled_rules = [
+          "930120",
+        ]
+      }
+
+      rule_group_override {
+        rule_group_name = "REQUEST-932-APPLICATION-ATTACK-RCE"
+        disabled_rules = [
+          "932150",
+        ]
+      }
+
+      rule_group_override {
+        rule_group_name = "REQUEST-941-APPLICATION-ATTACK-XSS"
+        disabled_rules = [
+          "941130",
+        ]
+      }
+
+      rule_group_override {
+        rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI"
+        disabled_rules = [
+          "942100",
+          "942120",
+          "942190",
+          "942200",
+          "942210",
+          "942240",
+          "942250",
+          "942260",
+          "942330",
+          "942340",
+          "942370",
+          "942380",
+          "942430",
+          "942440",
+          "942450",
+        ]
+      }
+
+    }
+  }
+
+  tags = var.tags
+}
diff --git a/src/common/_modules/application_gateway/locals.tf b/src/common/_modules/application_gateway/locals.tf
@@ -0,0 +1,29 @@
+locals {
+  io_backend_ip_headers_rule = {
+    name          = "http-headers-api-app"
+    rule_sequence = 100
+    conditions    = []
+    url           = null
+    request_header_configurations = [
+      {
+        header_name  = "X-Forwarded-For"
+        header_value = "{var_client_ip}"
+      },
+      {
+        header_name  = "X-Client-Ip"
+        header_value = "{var_client_ip}"
+      },
+    ]
+    response_header_configurations = []
+  }
+
+  nonstandard = {
+    weu = {
+      waf_api_app = "${var.project}-waf-appgateway-api-app-policy"
+      agw         = "${var.project}-appgateway"
+      snet        = "${var.project}-appgateway-snet"
+      pip         = "${var.project}-appgateway-pip"
+      id          = "${var.project}-appgateway-identity"
+    }
+  }
+}