From 8c267b34063d44c0a38c45f8b382f8e4b5b646c7 Mon Sep 17 00:00:00 2001
From: Ryan Ahearn
Date: Fri, 22 Nov 2024 13:46:30 -0500
Subject: [PATCH] Enable connecting egress-proxy to multiple client spaces

---
 README.md | 8 ++++----
 egress_proxy/main.tf | 9 +++++----
 egress_proxy/outputs.tf | 8 ++++++--
 egress_proxy/tests/creation.tftest.hcl | 20 +++++++++++---------
 egress_proxy/variables.tf | 9 +++------
 5 files changed, 29 insertions(+), 25 deletions(-)

diff --git a/README.md b/README.md
index d389eb8..f36d7ec 100644
--- a/README.md
+++ b/README.md
@@ -156,10 +156,10 @@ Prerequities:
 module "egress_proxy" {
 source = "github.com/GSA-TTS/terraform-cloudgov//egress_proxy?ref=v2.0.0-beta.1"
- cf_org_name = local.cf_org_name
- cf_egress_space = data.cloudfoundry_space.egress_space
- cf_client_space = data.cloudfoundry_space.app_space
- name = "egress-proxy"
+ cf_org_name = local.cf_org_name
+ cf_egress_space = data.cloudfoundry_space.egress_space
+ cf_client_spaces = {(data.cloudfoundry_space.app_space.name) = data.cloudfoundy_space.app_space.id}
+ name = "egress-proxy"
 allowlist = {
 "source_app_name" = ["host.com:443", "otherhost.com:443"]
 }
diff --git a/egress_proxy/main.tf b/egress_proxy/main.tf
index 25de278..451c6f5 100644
--- a/egress_proxy/main.tf
+++ b/egress_proxy/main.tf
@@ -13,7 +13,7 @@ locals {
 denyacl = templatefile("${path.module}/acl.tftpl", { list = var.denylist })
 # Yields something like: orgname-spacename-name.apps.internal, limited to the last 63 characters
- route_host = substr("${var.cf_org_name}-${replace(var.cf_egress_space.name, ".", "-")}-${var.name}", -63, -1)
+ route_host = substr("${var.cf_org_name}-${replace(var.cf_egress_space.name, ".", "-")}-${var.name}", -63, -1)
 egress_route = "${local.route_host}.apps.internal"
 }
@@ -74,9 +74,10 @@ locals {
 }
 resource "cloudfoundry_service_instance" "credentials" {
- name = "${var.name}-creds"
- space = var.cf_client_space.id
- type = "user-provided"
+ for_each = var.cf_client_spaces
+ name = "${var.name}-credentials"
+ space = each.value
+ type = "user-provided"
 credentials = jsonencode({
 "uri" = local.https_proxy
 "domain" = local.domain
diff --git a/egress_proxy/outputs.tf b/egress_proxy/outputs.tf
index 6bce021..fef8604 100644
--- a/egress_proxy/outputs.tf
+++ b/egress_proxy/outputs.tf
@@ -28,6 +28,10 @@ output "app_id" {
 value = cloudfoundry_app.egress_app.id
 }
-output "credential_service_id" {
- value = cloudfoundry_service_instance.credentials.id
+output "credential_service_ids" {
+ value = { for k, v in cloudfoundry_service_instance.credentials : k => v.id }
+}
+
+output "credential_service_name" {
+ value = values(cloudfoundry_service_instance.credentials)[0].name
 }
diff --git a/egress_proxy/tests/creation.tftest.hcl b/egress_proxy/tests/creation.tftest.hcl
index 4f7abb5..cfd7867 100644
--- a/egress_proxy/tests/creation.tftest.hcl
+++ b/egress_proxy/tests/creation.tftest.hcl
@@ -22,12 +22,9 @@ variables {
 id = "5178d8f5-d19a-4782-ad07-467822480c68"
 name = "terraform-cloudgov-ci-tests-egress"
 }
- cf_client_space = {
- id = "e243575e-376a-4b70-b891-23c3fa1a0680"
- name = "terraform-cloudgov-ci-tests"
- }
- name = "terraform-egress-app"
- allowlist = { "continuous_monitoring-staging" = ["raw.githubusercontent.com:443"] }
+ cf_client_spaces = { "client-space" = "e243575e-376a-4b70-b891-23c3fa1a0680" }
+ name = "terraform-egress-app"
+ allowlist = { "continuous_monitoring-staging" = ["raw.githubusercontent.com:443"] }
 }
 run "test_proxy_creation" {
@@ -37,7 +34,7 @@ run "test_proxy_creation" {
 }
 assert {
- condition = output.domain == cloudfoundry_route.egress_route.url
+ condition = output.domain == local.egress_route
 error_message = "Output domain must match the route url"
 }
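Review bot: Adding `for_each = var.cf_client_spaces` moves the existing instance from address `cloudfoundry_service_instance.credentials` to `cloudfoundry_service_instance.credentials["<space name>"]`, and the name also changes from `-creds` to `-credentials`, so upgrading an existing deployment will tear down the current user-provided service and create a new one, leaving apps bound to the old instance broken until they are re-bound. Because the instance key comes from caller input, a `moved` block inside the module cannot cover it; the upgrade notes should tell consumers to run `terraform state mv` on the old address (and to expect the rename) before applying. Separately, `credentials = jsonencode({ "uri" = local.https_proxy ...` does not vary with `each.key`, so every client space receives the identical secret — if `local.https_proxy` embeds the proxy username and password (its definition is outside this hunk), a compromise of any one client space exposes the proxy credential used by all of them, which is worth stating in the `cf_client_spaces` description or addressing with per-space credentials. The resource body continues past the end of the hunk.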
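Review bot: `values(cloudfoundry_service_instance.credentials)[0].name` fails with an invalid-index error when `cf_client_spaces` is an empty map, so a module call with no client spaces now breaks at plan time on an output rather than with a clear validation message. Every instance is named `"${var.name}-credentials"` in main.tf, so the output can be computed without indexing, `value = "${var.name}-credentials"`, or guarded with `value = try(values(cloudfoundry_service_instance.credentials)[0].name, null)`. If an empty map is meant to be invalid, the `cf_client_spaces` variable in variables.tf (the last hunk of this patch) should carry a `validation` block that says so instead.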
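Review bot: The test variables supply a single entry in `cf_client_spaces`, so the new `for_each` path is exercised for one space only and the multi-space behaviour the subject line promises is untested. Adding a second entry here, e.g. `cf_client_spaces = { "client-space" = "e243575e-376a-4b70-b891-23c3fa1a0680", "second-space" = "<second test space guid>" }`, together with an assertion such as `length(output.credential_service_ids) == 2` in the run block, would cover it, at the cost of a second CI space.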
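Review bot: The assertion now compares `output.domain` with `local.egress_route` instead of the created route's `url`; if `output.domain` is itself derived from `local.egress_route` (its definition is not in this patch), the check becomes tautological and no longer verifies that the route Cloud Foundry actually created carries the expected host. The message `error_message = "Output domain must match the route url"` also no longer describes what is asserted. Either keep a comparison against the route resource, or reword the message to match the new condition.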
@@ -67,7 +64,12 @@ run "test_proxy_creation" {
 }
 assert {
- condition = output.credential_service_id == cloudfoundry_service_instance.credentials.id
- error_message = "Output credential_service_id is the user-provided-service's guid"
+ condition = output.credential_service_ids == { "client-space" = cloudfoundry_service_instance.credentials["client-space"].id }
+ error_message = "Output credential_service_ids is a map of client_space_ids to credential_instance_ids"
+ }
+
+ assert {
+ condition = output.credential_service_name == "${var.name}-credentials"
+ error_message = "Output credential_service_name is the single name shared by all of the credential services"
 }
 }
diff --git a/egress_proxy/variables.tf b/egress_proxy/variables.tf
index 242b46f..2906411 100644
--- a/egress_proxy/variables.tf
+++ b/egress_proxy/variables.tf
@@ -11,12 +11,9 @@ variable "cf_egress_space" {
 description = "cloud.gov space egress"
 }
-variable "cf_client_space" {
- type = object({
- id = string
- name = string
- })
- description = "cloud.gov space for client apps"
+variable "cf_client_spaces" {
+ type = map(string)
+ description = "map of cloud.gov space names to spaces ids for client apps"
 }
 variable "name" {
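Review bot: The description on the new `cf_client_spaces` variable has a typo ("spaces ids") and omits that the map keys become the `for_each` instance keys of `cloudfoundry_service_instance.credentials` and the keys of the `credential_service_ids` output, which is what a caller needs to know when choosing them. Suggest `description = "map of cloud.gov space names to space ids for client apps; keys become the instance keys of the credential service and of output credential_service_ids"`.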