
Auth- 2655 dns switch sandpit (#1594)
* Enable CloudFront for sandpit and the authdev environments, and switch their DNS alias to it
pskushwaha1 authored May 1, 2024
1 parent d3e3ea1 commit 04a6efa
Showing 6 changed files with 27 additions and 8 deletions.
4 changes: 4 additions & 0 deletions ci/terraform/authdev1.tfvars
Expand Up @@ -22,6 +22,10 @@ frontend_auto_scaling_min_count = 1
frontend_auto_scaling_max_count = 2
ecs_desired_count = 1

#cloudfront flag
cloudfront_auth_frontend_enabled = true
cloudfront_auth_dns_enabled = true

alb_idle_timeout = 30

url_for_support_links = "https://home.build.account.gov.uk/contact-gov-uk-one-login"
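Review bot: Both `cloudfront_auth_frontend_enabled` and `cloudfront_auth_dns_enabled` are flipped to true in the same change, so the first apply in authdev1 (and identically authdev2) creates the distribution and its certificate and repoints the public alias in one step, whereas sandpit.tfvars in this commit only adds the DNS flag on top of an already-enabled front end. If the distribution and the origin-cloaking enforcement have not yet been exercised in this environment, consider landing the frontend flag first and the DNS flag in a follow-up, so rollback is a single flag flip with the distribution left intact. This is a rollout-sequencing concern rather than a defect in the values themselves.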
4 changes: 4 additions & 0 deletions ci/terraform/authdev2.tfvars
Expand Up @@ -22,6 +22,10 @@ frontend_auto_scaling_min_count = 1
frontend_auto_scaling_max_count = 2
ecs_desired_count = 1

#cloudfront flag
cloudfront_auth_frontend_enabled = true
cloudfront_auth_dns_enabled = true

alb_idle_timeout = 30

url_for_support_links = "https://home.build.account.gov.uk/contact-gov-uk-one-login"
10 changes: 5 additions & 5 deletions ci/terraform/route53.tf
Expand Up @@ -13,8 +13,8 @@ resource "aws_route53_record" "frontend" {

alias {
evaluate_target_health = false
name = aws_lb.frontend_alb.dns_name
zone_id = aws_lb.frontend_alb.zone_id
name = var.cloudfront_auth_dns_enabled ? aws_cloudformation_stack.cloudfront[0].outputs["DistributionDomain"] : aws_lb.frontend_alb.dns_name
zone_id = var.cloudfront_auth_dns_enabled ? var.cloudfront_zoneid : aws_lb.frontend_alb.zone_id
}
}

Expand All @@ -25,8 +25,8 @@ resource "aws_route53_record" "frontend_record" {

alias {
evaluate_target_health = false
name = aws_lb.frontend_alb.dns_name
zone_id = aws_lb.frontend_alb.zone_id
name = var.cloudfront_auth_dns_enabled ? aws_cloudformation_stack.cloudfront[0].outputs["DistributionDomain"] : aws_lb.frontend_alb.dns_name
zone_id = var.cloudfront_auth_dns_enabled ? var.cloudfront_zoneid : aws_lb.frontend_alb.zone_id
}
}

Expand Down Expand Up @@ -102,7 +102,7 @@ resource "aws_route53_record" "Cloudfront_frontend_record" {
resource "aws_acm_certificate" "cloudfront_frontend_certificate" {
provider = aws.cloudfront
count = var.cloudfront_auth_frontend_enabled ? 1 : 0
domain_name = aws_route53_record.frontend.name
domain_name = local.frontend_fqdn
validation_method = "DNS"

tags = local.default_tags
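Review bot: The alias target `aws_cloudformation_stack.cloudfront[0]` in the `frontend` and `frontend_record` records is only valid when `cloudfront_auth_frontend_enabled` also gives that stack a count of 1 (as L70 does for the certificate), so setting `cloudfront_auth_dns_enabled = true` on its own will fail the plan with an index error rather than a readable message; a `precondition` on each record states the coupling explicitly, though I have not verified whether Terraform reports the precondition or the index expression first when both fail. Separately, repointing the alias does not stop clients that target the ALB's own DNS name directly, so the distribution's WAF is only authoritative if the ALB side rejects requests lacking the `auth_origin_cloakingheader` value declared in variables.tf — that enforcement is not visible in this commit and should be confirmed for sandpit and authdev before the switch. The bodies of both `aws_route53_record` resources start outside the hunks.
```hcl
  alias {
    # … unchanged: evaluate_target_health / name / zone_id …
  }

  lifecycle {
    precondition {
      condition     = !var.cloudfront_auth_dns_enabled || var.cloudfront_auth_frontend_enabled
      error_message = "cloudfront_auth_dns_enabled requires cloudfront_auth_frontend_enabled, because the alias target reads the CloudFront stack output."
    }
  }
```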
1 change: 1 addition & 0 deletions ci/terraform/sandpit.tfvars
Expand Up @@ -27,6 +27,7 @@ ecs_desired_count = 1

#cloudfront enabled flag
cloudfront_auth_frontend_enabled = true
cloudfront_auth_dns_enabled = true

alb_idle_timeout = 30

14 changes: 12 additions & 2 deletions ci/terraform/variables.tf
Expand Up @@ -286,15 +286,25 @@ variable "cloudfront_auth_frontend_enabled" {
description = "Feature flag to control the creation cloudfront DNS record origin & Cloudfront Certificate"
}

variable "cloudfront_auth_dns_enabled" {
type = bool
default = false
description = "Feature flag to control the switch of DNS record to cloudfront"
}

variable "cloudfront_zoneid" {
type = string
default = "Z2FDTNDATAQYW2"
description = "This global zone id of CloudFront distribution "
}

variable "auth_origin_cloakingheader" {
type = string
sensitive = true
description = "This is header value for Cloufront to to verify requests are coming from the correct CloudFront distribution to ALB "
}

variable "previous_auth_origin_cloakingheader" {
type = string
sensitive = true
description = "This is previous header value when the value is rotated to ensure WAF will allow requests during rotation "
}

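Review bot: The description of `cloudfront_zoneid` reads as if the value were per-distribution, but `Z2FDTNDATAQYW2` is the single hosted zone ID AWS publishes for every CloudFront alias target, so an override is almost never legitimate and a wrong value silently produces an alias that does not resolve; suggest `description = "Fixed Route53 hosted zone ID that AWS uses for all CloudFront distribution alias records; override only if AWS changes it."`. The description of `cloudfront_auth_dns_enabled` should also state its dependency, since the alias target in route53.tf indexes the CloudFront stack: `description = "Switch the frontend Route53 alias to the CloudFront distribution. Requires cloudfront_auth_frontend_enabled = true."`. The `auth_origin_cloakingheader` description has a doubled word (`to to`) and a misspelling (`Cloufront`), and its `sensitive = true` is correct given the value is the shared secret the ALB-side WAF keys on.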
2 changes: 1 addition & 1 deletion ci/terraform/waf-cf.tf
Expand Up @@ -497,7 +497,7 @@ resource "aws_wafv2_web_acl_logging_configuration" "frontend_cloudfront_waf_logg
resource "aws_cloudwatch_log_subscription_filter" "frontend_cloudfront_waf_subscription" {
provider = aws.cloudfront

count = var.cloudfront_auth_frontend_enabled ? 1 : 0
count = var.cloudfront_auth_frontend_enabled && var.environment == "production" || var.environment == "staging" ? 1 : 0
name = "${aws_cloudwatch_log_group.frontend_cloudfront_waf_log_group[0].name}-splunk-subscription-${count.index}"
log_group_name = aws_cloudwatch_log_group.frontend_cloudfront_waf_log_group[0].name
filter_pattern = ""
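Review bot: The new `count` expression on L126 parses as `(cloudfront_auth_frontend_enabled && environment == "production") || environment == "staging"`, because `&&` binds tighter than `||` in HCL, so in staging the subscription filter is created even when the flag is off; the log-group reference on the next two lines then indexes `[0]` on a resource that presumably has count 0 under the same flag, and the plan fails. Write it as `count = var.cloudfront_auth_frontend_enabled && contains(["production", "staging"], var.environment) ? 1 : 0` to express the intent. Note also that this stops forwarding CloudFront WAF logs to Splunk for sandpit and the authdev environments; if that is deliberate (cost or noise), a one-line comment above `count` saying so would save the next reader from re-deriving it, and if it is not, detection coverage for the newly exposed distributions is being dropped at the same moment they go live. The body of the resource continues outside the hunk.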
