diff --git a/README.md b/README.md index aabbd51..72aa26e 100644 --- a/README.md +++ b/README.md @@ -90,7 +90,7 @@ module "domain" { ### clamav -Creates an application and associated network routing to run ClamAV via API to scan user uploads and outputs the `app_id`, the `route_id`, and the `endpoint` for use elsewhere. +Creates an application to run ClamAV via API to scan user uploads and outputs the `app_id`, the `route_id`, and the `endpoint` for use elsewhere. Notes: * The scanning app requires at least `3GB` of memory, and your `app_name` must be deployed before this module is included. @@ -113,6 +113,8 @@ module "clamav" { } ``` +See for an example of how to set up network policies to reach the clamav app from the client apps. + ### cg_space Creates a new cloud.gov space, such as when creating an egress space, and outputs the `space_id` for use elsewhere. @@ -146,26 +148,22 @@ module "egress_space" { Creates and configures an instance of cg-egress-proxy to proxy traffic from your apps. -Prerequities: - -* existing client_space with already deployed apps -* existing public-egress space to deploy the proxy into +Prerequite: existing public-egress space to deploy the proxy into ``` module "egress_proxy" { source = "github.com/GSA-TTS/terraform-cloudgov//egress_proxy?ref=v2.0.0" - cf_org_name = local.cf_org_name - cf_egress_space = data.cloudfoundry_space.egress_space - cf_client_spaces = {(data.cloudfoundry_space.app_space.name) = data.cloudfoundy_space.app_space.id} - name = "egress-proxy" - allowlist = { - "source_app_name" = ["host.com:443", "otherhost.com:443"] - } + cf_org_name = local.cf_org_name + cf_egress_space = data.cloudfoundry_space.egress_space + name = "egress-proxy" + allowlist = [ "list.of.hosts", "to.allow.access" ] # see egress_proxy/variables.tf for full list of optional arguments } ``` +See for an example of how to set up network policies and credential stores to enable your client app to reach the proxy. + ## Testing 
diff --git a/egress_proxy/main.tf b/egress_proxy/main.tf
index e124f00..b6d5ee0 100644
--- a/egress_proxy/main.tf
+++ b/egress_proxy/main.tf
@@ -4,8 +4,8 @@ locals {
 denyacl = templatefile("${path.module}/acl.tftpl", { list = var.denylist })
 # Yields something like: orgname-spacename-name.apps.internal, limited to the last 63 characters
- route_host = substr("${var.cf_org_name}-${replace(var.cf_egress_space.name, ".", "-")}-${var.name}", -63, -1)
- egress_route = "${local.route_host}.apps.internal"
+ default_route_host = "${var.cf_org_name}-${replace(var.cf_egress_space.name, ".", "-")}-${var.name}"
+ egress_route = "${replace(lower(substr(coalesce(var.route_host, local.default_route_host), -63, -1)), "/^[^a-z]*/", "")}.apps.internal"
 }
diff --git a/egress_proxy/tests/creation.tftest.hcl b/egress_proxy/tests/creation.tftest.hcl
index 90f8ddf..c384d90 100644
--- a/egress_proxy/tests/creation.tftest.hcl
+++ b/egress_proxy/tests/creation.tftest.hcl
@@ -45,4 +45,30 @@ run "test_proxy_creation" {
 condition = output.http_port == 8080
 error_message = "http_port reports port 8080 for plaintext"
 }
+
+}
+
+run "test_specific_hostname_bug" {
+ variables {
+ cf_org_name = "gsa-tts-devtools-prototyping"
+ cf_egress_space = {
+ id = "169c6e21-2513-43f7-bbff-80cc5e456882"
+ name = "rca-tfm-stage-egress"
+ }
+ name = "egress-proxy-staging"
+ }
+ assert {
+ condition = can(regex("[a-z]", substr(output.domain, 0, 1)))
+ error_message = "proxy domain must start with an alpha character"
+ }
+}
+
+run "test_custom_hostname_is_trimmed" {
+ variables {
+ route_host = "-3host-name"
+ }
+ assert {
+ condition = output.domain == "host-name.apps.internal"
+ error_message = "proxy domain is stripped of any non-alpha characters"
+ }
 }
diff --git a/egress_proxy/variables.tf b/egress_proxy/variables.tf
index 1d26edc..4867e98 100644
--- a/egress_proxy/variables.tf
+++ b/egress_proxy/variables.tf
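Review bot: The context comment `# Yields something like: orgname-spacename-name.apps.internal, limited to the last 63 characters` no longer describes the new `egress_route`, which also honours `var.route_host` when it is set, lowercases the host, and strips every leading character outside `[a-z]` (digits included, as the new test expects). Suggest replacing it with `# Yields something like: orgname-spacename-name.apps.internal (or var.route_host when set): lowercased, cut to the last 63 characters, then stripped of leading non-alpha characters so the host starts with a letter`. Only a leading run is sanitised: a trailing hyphen left by the truncation, or characters in `var.name` that are not valid in a hostname, still reach the route unchanged, so input validation on `route_host`/`name` may be worth adding alongside this. The `locals` block opens above the hunk.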
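Review bot: `test_specific_hostname_bug` only asserts that the first character of `output.domain` is a letter, so a regression that dropped more of the name than the leading hyphen would still pass; pinning the full value is cheap and documents what the 63-character truncation produces. From the inputs in its `variables` block the default host is 70 characters long, the last 63 begin with `-devtools-…`, and stripping that hyphen should give `condition = output.domain == "devtools-prototyping-rca-tfm-stage-egress-egress-proxy-staging.apps.internal"` (derived by hand from the hunk, so confirm against a real plan before committing it). The `id` in `cf_egress_space` is not used by the route computation and is presumably there to satisfy the variable's object type; a one-line comment saying so would save the next reader a lookup. Both new runs rely on default variable values declared outside the hunk.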
@@ -16,6 +16,12 @@ variable "name" {
 description = "name of the egress proxy application"
 }
+variable "route_host" {
+ type = string
+ default = null
+ description = "Hostname to access the egress proxy on apps.internal domain (optional)"
+}
+
 variable "egress_memory" {
 type = string
 description = "Memory to allocate to egress proxy app, including unit"
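Review bot: The `description` of the new `route_host` variable does not tell callers that the value is normalised before use — `main.tf` in this same commit lowercases it, keeps only its last 63 characters and strips leading non-alpha characters — so a caller passing a mixed-case or over-long name gets a different route than the description suggests. Characters outside letters, digits and hyphens are passed through to the route untouched, so a `validation` block would surface a bad value at plan time rather than at apply, and the pattern below still accepts the `-3host-name` input the tests exercise. The fence rewrites the variable block with both changes.
```hcl
variable "route_host" {
  type        = string
  default     = null
  description = "Hostname to access the egress proxy on apps.internal domain (optional). Lowercased, truncated to its last 63 characters and stripped of leading non-alpha characters before use."

  validation {
    condition     = var.route_host == null || can(regex("^[a-zA-Z0-9-]+$", var.route_host))
    error_message = "route_host may contain only letters, digits and hyphens."
  }
}
```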