From 7153e77ee82d0503e9bf38b7a65aa77001152a3d Mon Sep 17 00:00:00 2001
From: Ryan Ahearn
Date: Mon, 25 Nov 2024 17:34:21 -0500
Subject: [PATCH] Remove user-provided-service from egress_proxy's setup

---
 egress_proxy/acl.tftpl | 6 ++--
 egress_proxy/main.tf | 32 ++------------------
 egress_proxy/outputs.tf | 25 +++++++---------
 egress_proxy/tests/creation.tftest.hcl | 41 +++++--------------------
 egress_proxy/variables.tf | 21 ++++---------
 5 files changed, 28 insertions(+), 97 deletions(-)

diff --git a/egress_proxy/acl.tftpl b/egress_proxy/acl.tftpl
index a109cb1..f0d210a 100644
--- a/egress_proxy/acl.tftpl
+++ b/egress_proxy/acl.tftpl
@@ -1,5 +1,3 @@
-%{ for app, dests in list ~}
-%{ for dest in dests ~}
-${ split(":", dest)[0] }
-%{ endfor ~}
+%{ for dest in list ~}
+${ split(":", dest)[0] }
 %{ endfor ~}
diff --git a/egress_proxy/main.tf b/egress_proxy/main.tf
index f663480..e124f00 100644
--- a/egress_proxy/main.tf
+++ b/egress_proxy/main.tf
@@ -1,14 +1,5 @@
 locals {
 # Generate Caddy-compatible allow and deny ACLs, one target per line.
- #
- # For now, there's just one consolidated allowlist and denylist, no matter
- # what apps they were specified for. Future improvments could improve this,
- # but it would mean also changing the proxy to be both more complex (in terms
- # of how the Caddyfile is constructed) and more discriminating (in terms of
- # recognizing client apps based on GUIDs supplied by Envoy in request headers,
- # as well as the destination ports). However, adding these improvements won't
- # require modifying the module's interface, since we're already collecting
- # that refined information.
 allowacl = templatefile("${path.module}/acl.tftpl", { list = var.allowlist })
 denyacl = templatefile("${path.module}/acl.tftpl", { list = var.denylist })
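Review bot: The added `${ split(":", dest)[0] }` line keeps only the text before the first colon, so the port an operator writes into an allowlist or denylist entry never reaches the rendered ACL, and `example.com:443` and `example.com:8443` collapse into the same `example.com` line. The variables.tf hunk at the end of this patch still describes both variables as host:port sets, which reads as if the port were enforced per entry; presumably port restriction comes from `allowports` (visible in that hunk's header), but this page does not show it. Make the drop explicit where the entry format is described, e.g. extend the allowlist description with `Only the host part (before the colon) is used in the ACL; the port suffix is ignored.`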
@@ -61,31 +52,12 @@ resource "cloudfoundry_app" "egress_app" {
 }
 }
-###
-### Create a credential service for bound clients to use when make requests of the proxy
-###
 locals {
 https_proxy = "https://${random_uuid.username.result}:${random_password.password.result}@${local.egress_route}:61443"
 http_proxy = "http://${random_uuid.username.result}:${random_password.password.result}@${local.egress_route}:8080"
 domain = local.egress_route
 username = random_uuid.username.result
 password = random_password.password.result
- protocol = "https"
- port = 61443
-}
- resource "cloudfoundry_service_instance" "credentials" {
- for_each = var.cf_client_spaces
- name = "${var.name}-credentials"
- space = each.value
- type = "user-provided"
- credentials = jsonencode({
- "uri" = local.https_proxy
- "http_uri" = local.http_proxy
- "domain" = local.domain
- "username" = local.username
- "password" = local.password
- "protocol" = local.protocol
- "port" = local.port
- })
+ https_port = 61443
+ http_port = 8080
 }
diff --git a/egress_proxy/outputs.tf b/egress_proxy/outputs.tf
index fef8604..9c1a69a 100644
--- a/egress_proxy/outputs.tf
+++ b/egress_proxy/outputs.tf
@@ -3,12 +3,21 @@ output "https_proxy" {
 sensitive = true
 }
+output "http_proxy" {
+ value = local.http_proxy
+ sensitive = true
+}
+
 output "domain" {
 value = local.domain
 }
-output "port" {
- value = local.port
+output "http_port" {
+ value = local.http_port
+}
+
+output "https_port" {
+ value = local.https_port
 }
 output "username" {
@@ -20,18 +29,6 @@ output "password" {
 sensitive = true
 }
-output "protocol" {
- value = local.protocol
-}
-
 output "app_id" {
 value = cloudfoundry_app.egress_app.id
 }
-
-output "credential_service_ids" {
- value = { for k, v in cloudfoundry_service_instance.credentials : k => v.id }
-}
-
-output "credential_service_name" {
- value = values(cloudfoundry_service_instance.credentials)[0].name
-}
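Review bot: The new `https_port = 61443` and `http_port = 8080` locals duplicate the port literals hard-coded into the `https_proxy` and `http_proxy` URL strings a few lines above them in the same block, so a change to one leaves the other silently stale and the ports a client is told to use can drift from the ones in the URLs. Derive the URLs from the locals instead: `https_proxy = "https://${random_uuid.username.result}:${random_password.password.result}@${local.egress_route}:${local.https_port}"` and likewise `:${local.http_port}` at the end of `http_proxy`. Removing the `###` banner also leaves this locals block with no comment at all; a one-liner such as `# Connection details handed to clients through outputs; both URLs embed the basic-auth credentials` would replace it.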
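Review bot: None of the outputs added in outputs.tf (`http_proxy`, `http_port`, `https_port`) carries a `description`, so module consumers see only the names and cannot tell from `terraform output` that the two URLs differ in transport rather than in credentials. At minimum `http_proxy` deserves `description = "Plaintext HTTP proxy URL on http_port; embeds the basic-auth credentials, so treat it as a secret"`. Marking it `sensitive = true` is right, since the value carries the password.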
diff --git a/egress_proxy/tests/creation.tftest.hcl b/egress_proxy/tests/creation.tftest.hcl
index cfd7867..90f8ddf 100644
--- a/egress_proxy/tests/creation.tftest.hcl
+++ b/egress_proxy/tests/creation.tftest.hcl
@@ -1,20 +1,4 @@
-mock_provider "cloudfoundry" {
- mock_data "cloudfoundry_domain" {
- defaults = {
- id = "fea49b46-907f-4fe9-8700-ff6e2b438cd3"
- }
- }
- mock_resource "cloudfoundry_route" {
- defaults = {
- url = "egress-proxy.apps.internal"
- }
- }
- mock_resource "cloudfoundry_app" {
- defaults = {
- id = "28329663-10fd-4c5d-9b6b-25e3fb108929"
- }
- }
-}
+mock_provider "cloudfoundry" {}
 variables {
 cf_org_name = "gsa-tts-devtools-prototyping"
@@ -22,9 +6,8 @@ variables {
 id = "5178d8f5-d19a-4782-ad07-467822480c68"
 name = "terraform-cloudgov-ci-tests-egress"
 }
- cf_client_spaces = { "client-space" = "e243575e-376a-4b70-b891-23c3fa1a0680" }
- name = "terraform-egress-app"
- allowlist = { "continuous_monitoring-staging" = ["raw.githubusercontent.com:443"] }
+ name = "terraform-egress-app"
+ allowlist = ["raw.githubusercontent.com:443"]
 }
 run "test_proxy_creation" {
@@ -48,28 +31,18 @@ run "test_proxy_creation" {
 error_message = "Output password must come from the random_password resource"
 }
- assert {
- condition = output.protocol == "https"
- error_message = "protocol only supports https"
- }
-
 assert {
 condition = output.app_id == cloudfoundry_app.egress_app.id
 error_message = "Output app_id is the egress_app's ID"
 }
 assert {
- condition = output.port == 61443
- error_message = "port only supports 61443 internal https listener"
- }
-
- assert {
- condition = output.credential_service_ids == { "client-space" = cloudfoundry_service_instance.credentials["client-space"].id }
- error_message = "Output credential_service_ids is a map of client_space_ids to credential_instance_ids"
+ condition = output.https_port == 61443
+ error_message = "https_port only supports 61443 internal https listener"
 }
 assert {
- condition = output.credential_service_name == "${var.name}-credentials"
- error_message = "Output credential_service_name is the single name shared by all of the credential services"
+ condition = output.http_port == 8080
+ error_message = "http_port reports port 8080 for plaintext"
 }
 }
diff --git a/egress_proxy/variables.tf b/egress_proxy/variables.tf
index 2906411..1d26edc 100644
--- a/egress_proxy/variables.tf
+++ b/egress_proxy/variables.tf
@@ -11,11 +11,6 @@ variable "cf_egress_space" {
 description = "cloud.gov space egress"
 }
-variable "cf_client_spaces" {
- type = map(string)
- description = "map of cloud.gov space names to spaces ids for client apps"
-}
-
 variable "name" {
 type = string
 description = "name of the egress proxy application"
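Review bot: The rewritten assertions pin `https_port` and `http_port`, but nothing in this run block checks the `http_proxy` output that outputs.tf adds in the same patch, so a regression in how that URL is assembled (wrong port, missing credentials) would still pass the suite. An assert in the existing style would cover it: `condition = startswith(output.http_proxy, "http://${output.username}:${output.password}@") && endswith(output.http_proxy, ":${output.http_port}")` with `error_message = "Output http_proxy must embed the credentials and end with http_port"`. The `test_proxy_creation` run block starts before this hunk, so earlier assertions are not visible here.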
@@ -41,23 +36,19 @@ variable "allowports" {
 }
 variable "allowlist" {
- description = "Allowed egress for apps (applied first). A map where keys are app names, and the values are sets of acl strings."
+ description = "Allowed egress for apps (applied first). A set of allowed acl strings."
 # See the upstream documentation for possible acl strings:
 # https://github.com/caddyserver/forwardproxy/blob/caddy2/README.md#caddyfile-syntax-server-configuration
- type = map(set(string))
- default = {
- # appname = [ "*.example.com:443", "example2.com:443" ]
- }
+ type = set(string)
+ default = [] # [ "*.example.com:443", "example2.com:443" ]
 }
 variable "denylist" {
- description = "Denied egress for apps (applied second). A map where keys are app names, and the values are sets of host:port strings."
+ description = "Denied egress for apps (applied second). A set of disallowed host:port strings."
 # See the upstream documentation for possible acl strings:
 # https://github.com/caddyserver/forwardproxy/blob/caddy2/README.md#caddyfile-syntax-server-configuration
- type = map(set(string))
- default = {
- # appname = [ "bad.example.com:443" ]
- }
+ type = set(string)
+ default = [] # [ "bad.example.com:443" ]
 }
 variable "instances" {
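Review bot: `allowlist` and `denylist` are now flat `set(string)` values that acl.tftpl renders one entry per line straight into the Caddy ACL, but nothing rejects an entry containing whitespace or a newline, which would split into extra ACL lines or a malformed directive at render time rather than failing at plan time. A `validation` block on each variable keeps the rendered file well-formed and gives the operator a clear message; the same block with the variable name swapped applies to `denylist`. The `variable "instances"` block that starts at the end of this hunk continues outside it.
```hcl
variable "allowlist" {
  # … unchanged: description, upstream-docs comment, type, default …
  validation {
    condition     = alltrue([for d in var.allowlist : can(regex("^\\S+$", d))])
    error_message = "allowlist entries must be single host[:port] tokens with no whitespace."
  }
}
```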