Fix egress proxy route bug

README.md

@@ -90,7 +90,7 @@ module "domain" {
 
 ### clamav
 
-Creates an application and associated network routing to run ClamAV via API to scan user uploads and outputs the `app_id`, the `route_id`, and the `endpoint` for use elsewhere.
+Creates an application to run ClamAV via API to scan user uploads and outputs the `app_id`, the `route_id`, and the `endpoint` for use elsewhere.
 
 Notes:
 * The scanning app requires at least `3GB` of memory, and your `app_name` must be deployed before this module is included.
@@ -113,6 +113,8 @@ module "clamav" {
 }
 ```
 
+See <UPGRADING.md> for an example of how to set up network policies to reach the clamav app from the client apps.
+
 ### cg_space
 
 Creates a new cloud.gov space, such as when creating an egress space, and outputs the `space_id` for use elsewhere.
@@ -146,26 +148,22 @@ module "egress_space" {
 
 Creates and configures an instance of cg-egress-proxy to proxy traffic from your apps.
 
-Prerequities:
-
-* existing client_space with already deployed apps
-* existing public-egress space to deploy the proxy into
+Prerequite: existing public-egress space to deploy the proxy into
 
 ```
 module "egress_proxy" {
   source = "github.com/GSA-TTS/terraform-cloudgov//egress_proxy?ref=v2.0.0"
 
-  cf_org_name      = local.cf_org_name
-  cf_egress_space  = data.cloudfoundry_space.egress_space
-  cf_client_spaces = {(data.cloudfoundry_space.app_space.name) = data.cloudfoundy_space.app_space.id}
-  name             = "egress-proxy"
-  allowlist = {
-    "source_app_name" = ["host.com:443", "otherhost.com:443"]
-  }
+  cf_org_name     = local.cf_org_name
+  cf_egress_space = data.cloudfoundry_space.egress_space
+  name            = "egress-proxy"
+  allowlist       = [ "list.of.hosts", "to.allow.access" ]
   # see egress_proxy/variables.tf for full list of optional arguments
 }
 ```
 
+See <UPGRADING.md> for an example of how to set up network policies and credential stores to enable your client app to reach the proxy.
+
 ## Testing
 
 

egress_proxy/main.tf

@@ -4,8 +4,8 @@ locals {
   denyacl  = templatefile("${path.module}/acl.tftpl", { list = var.denylist })
 
   # Yields something like: orgname-spacename-name.apps.internal, limited to the last 63 characters
-  route_host   = substr("${var.cf_org_name}-${replace(var.cf_egress_space.name, ".", "-")}-${var.name}", -63, -1)
-  egress_route = "${local.route_host}.apps.internal"
+  default_route_host = "${var.cf_org_name}-${replace(var.cf_egress_space.name, ".", "-")}-${var.name}"
+  egress_route       = "${replace(lower(substr(coalesce(var.route_host, local.default_route_host), -63, -1)), "/^[^a-z]*/", "")}.apps.internal"
 }
 
 

egress_proxy/tests/creation.tftest.hcl

@@ -45,4 +45,30 @@ run "test_proxy_creation" {
     condition     = output.http_port == 8080
     error_message = "http_port reports port 8080 for plaintext"
   }
+
+}
+
+run "test_specific_hostname_bug" {
+  variables {
+    cf_org_name = "gsa-tts-devtools-prototyping"
+    cf_egress_space = {
+      id   = "169c6e21-2513-43f7-bbff-80cc5e456882"
+      name = "rca-tfm-stage-egress"
+    }
+    name = "egress-proxy-staging"
+  }
+  assert {
+    condition     = can(regex("[a-z]", substr(output.domain, 0, 1)))
+    error_message = "proxy domain must start with an alpha character"
+  }
+}
+
+run "test_custom_hostname_is_trimmed" {
+  variables {
+    route_host = "-3host-name"
+  }
+  assert {
+    condition     = output.domain == "host-name.apps.internal"
+    error_message = "proxy domain is stripped of any non-alpha characters"
+  }
 }

egress_proxy/variables.tf

@@ -16,6 +16,12 @@ variable "name" {
   description = "name of the egress proxy application"
 }
 
+variable "route_host" {
+  type        = string
+  default     = null
+  description = "Hostname to access the egress proxy on apps.internal domain (optional)"
+}
+
 variable "egress_memory" {
   type        = string
   description = "Memory to allocate to egress proxy app, including unit"