Remove network policies from egress_proxy module to avoid circular de…

…pendencies
GSA-TTS · Nov 22, 2024 · 06883e5 · 06883e5
1 parent 50526ab
commit 06883e5
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 47 deletions.
diff --git a/egress_proxy/main.tf b/egress_proxy/main.tf
@@ -1,8 +1,4 @@
 locals {
-
-  # Make a clean list of the client apps for iteration purposes
-  clients = toset(keys(merge(var.allowlist, var.denylist)))
-
   # Generate Caddy-compatible allow and deny ACLs, one target per line.
   #
   # For now, there's just one consolidated allowlist and denylist, no matter
@@ -17,20 +13,6 @@ locals {
   denyacl  = templatefile("${path.module}/acl.tftpl", { list = var.denylist })
 }
 
-###
-### Set up the authenticated egress application in the target space on apps.internal
-###
-
-data "cloudfoundry_domain" "internal" {
-  name = "apps.internal"
-}
-
-resource "cloudfoundry_route" "egress_route" {
-  space  = var.cf_egress_space.id
-  domain = data.cloudfoundry_domain.internal.id
-  host   = substr("${var.cf_org_name}-${replace(var.cf_egress_space.name, ".", "-")}-${var.name}", -63, -1)
-  # Yields something like: orgname-spacename-name.apps.internal, limited to the last 63 characters
-}
 
 resource "random_uuid" "username" {}
 resource "random_password" "password" {
@@ -62,10 +44,6 @@ resource "cloudfoundry_app" "egress_app" {
   instances        = var.instances
   strategy         = "rolling"
 
-  routes = [{
-    route = cloudfoundry_route.egress_route.url
-  }]
-
   environment = {
     PROXY_PORTS : join(" ", var.allowports)
     PROXY_ALLOW : local.allowacl
@@ -76,24 +54,20 @@ resource "cloudfoundry_app" "egress_app" {
 }
 
 ###
-### Set up network policies so that the clients can reach the proxy
+### Set up the authenticated egress application in the target space on apps.internal
 ###
-
-data "cloudfoundry_app" "clients" {
-  for_each   = local.clients
-  name       = each.key
-  space_name = var.cf_client_space.name
-  org_name   = var.cf_org_name
+data "cloudfoundry_domain" "internal" {
+  name = "apps.internal"
 }
 
-resource "cloudfoundry_network_policy" "client_routing" {
-  provider = cloudfoundry-community
-  for_each = local.clients
-  policy {
-    source_app      = data.cloudfoundry_app.clients[each.key].id
-    destination_app = cloudfoundry_app.egress_app.id
-    port            = "61443"
-  }
+resource "cloudfoundry_route" "egress_route" {
+  space  = var.cf_egress_space.id
+  domain = data.cloudfoundry_domain.internal.id
+  host   = substr("${var.cf_org_name}-${replace(var.cf_egress_space.name, ".", "-")}-${var.name}", -63, -1)
+  # Yields something like: orgname-spacename-name.apps.internal, limited to the last 63 characters
+  destinations = [{
+    app_id = cloudfoundry_app.egress_app.id
+  }]
 }
 
 ###
@@ -106,7 +80,6 @@ locals {
   password    = random_password.password.result
   protocol    = "https"
   port        = 61443
-  app_id      = cloudfoundry_app.egress_app.id
 }
 
 resource "cloudfoundry_service_instance" "credentials" {

diff --git a/egress_proxy/outputs.tf b/egress_proxy/outputs.tf
@@ -7,6 +7,10 @@ output "domain" {
   value = local.domain
 }
 
+output "port" {
+  value = local.port
+}
+
 output "username" {
   value = local.username
 }
@@ -21,9 +25,9 @@ output "protocol" {
 }
 
 output "app_id" {
-  value = local.app_id
+  value = cloudfoundry_app.egress_app.id
 }
 
-output "port" {
-  value = local.port
+output "credential_service_id" {
+  value = cloudfoundry_service_instance.credentials.id
 }
diff --git a/egress_proxy/providers.tf b/egress_proxy/providers.tf
@@ -5,10 +5,5 @@ terraform {
       source  = "cloudfoundry/cloudfoundry"
       version = ">=1.1.0"
     }
-
-    cloudfoundry-community = {
-      source  = "cloudfoundry-community/cloudfoundry"
-      version = ">=0.53.1"
-    }
   }
 }
diff --git a/egress_proxy/tests/creation.tftest.hcl b/egress_proxy/tests/creation.tftest.hcl
@@ -9,8 +9,12 @@ mock_provider "cloudfoundry" {
       url = "egress-proxy.apps.internal"
     }
   }
+  mock_resource "cloudfoundry_app" {
+    defaults = {
+      id = "28329663-10fd-4c5d-9b6b-25e3fb108929"
+    }
+  }
 }
-mock_provider "cloudfoundry-community" {}
 
 variables {
   cf_org_name = "gsa-tts-devtools-prototyping"
@@ -61,4 +65,9 @@ run "test_proxy_creation" {
     condition     = output.port == 61443
     error_message = "port only supports 61443 internal https listener"
   }
+
+  assert {
+    condition     = output.credential_service_id == cloudfoundry_service_instance.credentials.id
+    error_message = "Output credential_service_id is the user-provided-service's guid"
+  }
 }