Feat(Terraform): front door #222
Compare 844e2c2 to 2a0e24b
make endpoint name more unique
remove ip restriction blocks from app service because for app services that integrate with a virtual network using service endpoints (such as the CDT-hosted Benefits client), requests will be routed through Azure's optimized backbone and will not use the app's list of outbound IP addresses.
only allow our Front Door and availability tests.
Nice work! Just one blocker; the rest are optional. Questions:
- Thoughts about adding a bit of documentation around why we're using Front Door? Or sufficient to have this comment?
- We are allowing the availability tests through, which is good… What do we think about having a smoke test to ensure other requests are not allowed? Could do this through a GitHub Action or Azure Pipeline task.
terraform/front_door.tf (Outdated)

```hcl
resource "azurerm_cdn_frontdoor_origin_group" "main" {
  name                     = local.front_door_name
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.main.id
  session_affinity_enabled = true
```
Minor: Since (I don't think) we're using cookies, not sure this is necessary. Given there's only one origin, not sure it would make a difference anyway.
Done in f1bd673
terraform/front_door.tf (Outdated)

```hcl
https_port                     = 443
origin_host_header             = azurerm_linux_web_app.main.default_hostname
certificate_name_check_enabled = true
priority                       = 1
```
Minor: The numbers above are all same as the defaults, so could be removed for brevity. Fine either way.
Done in 0c160c7
I added a section to the README in 5e6f74e
Any objection to creating a new issue for this?
Left some questions - not necessarily required changes, but hoping for some additional clarity ahead of Approval.
terraform/front_door.tf (Outdated)

```hcl
enabled                           = true
mode                              = "Prevention"
custom_block_response_status_code = 403
custom_block_response_body        = base64encode("Blocked")
```
The term most often associated with 403 is Forbidden: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403
Done in 14a548b
terraform/front_door.tf (Outdated)

```hcl
match_condition {
  match_variable = "RequestUri"
  operator       = "EndsWith"
```
This means any request that ends with /healthcheck will go through, right?
Should we do an exact match here to shore up this one exception and make sure it is the only one? I think Equals is the operator for that: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_firewall_policy#operator
It took me a bit to figure out what the Equals operator is matching against, but I got it to work. The match value needs to include the URI scheme, host, and port in addition to the path.
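As an added example (not code from this PR), here is a firewall policy that expresses the two rules discussed in this thread: an exact-URI carve-out for the health check, evaluated first, and a block for every client address that is not on the allowlist. It assumes `azurerm_resource_group.main`, `azurerm_cdn_frontdoor_profile.main`, `azurerm_cdn_frontdoor_endpoint.main` and a `list(string)` variable `ip_address_whitelist` exist elsewhere in the configuration; the azurerm provider schema spells the exact-match operator `Equal`.

```hcl
# Added example, not the PR's own code. Assumed to exist elsewhere in the
# configuration: azurerm_resource_group.main, azurerm_cdn_frontdoor_profile.main,
# azurerm_cdn_frontdoor_endpoint.main and a list(string) variable ip_address_whitelist.
resource "azurerm_cdn_frontdoor_firewall_policy" "example" {
  name                              = "benefitswaf" # placeholder name
  resource_group_name               = azurerm_resource_group.main.name
  sku_name                          = azurerm_cdn_frontdoor_profile.main.sku_name
  enabled                           = true
  mode                              = "Prevention"
  custom_block_response_status_code = 403
  custom_block_response_body        = base64encode("Forbidden")

  # Priority 1 is evaluated first. A matching "Allow" rule ends evaluation, so
  # this is the single carve-out; the block rule below never sees these requests.
  custom_rule {
    name     = "AllowHealthcheck"
    enabled  = true
    priority = 1
    type     = "MatchRule"
    action   = "Allow"

    match_condition {
      match_variable = "RequestUri"
      # "Equal" compares the whole request URI, so the value carries scheme,
      # host and port as well as the path. "EndsWith" on "/healthcheck" would
      # also admit any other URI that happens to end in that string.
      operator     = "Equal"
      transforms   = ["Lowercase"] # case-insensitive compare of the full URI
      match_values = ["https://${azurerm_cdn_frontdoor_endpoint.main.host_name}:443/healthcheck"]
    }
  }

  # Everything else: block unless the client address is on the allowlist.
  custom_rule {
    name     = "BlockUnlistedAddresses"
    enabled  = true
    priority = 2
    type     = "MatchRule"
    action   = "Block"

    match_condition {
      match_variable     = "RemoteAddr"
      operator           = "IPMatch"
      negation_condition = true # match when the address is NOT in the list
      match_values       = var.ip_address_whitelist
    }
  }
}
```

The policy still has to be attached to the endpoint through a security policy resource for it to take effect.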
Done in f9b039d
We currently have the uptime check accessing the App Service directly, not through Front Door. Thinking we should change it to the latter to make it end-to-end. This would remove the need for allowing those requests to the App Service, though not a big deal to leave them.
Seems like a good follow-up! #223
Looks like a great start, thank you @angela-tran! We can worry about deployment when you're back 😄
@afeld let me know if there's anything else to change here. This needs your approval before I can merge. Thanks!
Closes #208
This PR sets up a Front Door with a WAF policy to allow only a certain list of IP addresses.
Note there is some overlap with #213 since the whitelist is different per-environment.
Before merging:
- TF_VAR_IP_ADDRESS_WHITELIST_DEV variable in Azure pipeline
After merging:
- EligibilityVerifier API URL
Some reference material