From d06654dc9c96c951c669748c1f6492b3e176baab Mon Sep 17 00:00:00 2001
From: James Miller
Date: Mon, 2 Sep 2024 12:10:59 +0100
Subject: [PATCH 1/3] Fastly config for mobile backend
---
mobile-backend.tf | 7 +++
modules/mobile-backend/main.tf | 74 +++++++++++++++++++++++++++++
modules/mobile-backend/outputs.tf | 0
modules/mobile-backend/provider.tf | 9 ++++
modules/mobile-backend/variables.tf | 11 +++++
5 files changed, 101 insertions(+)
create mode 100644 mobile-backend.tf
create mode 100644 modules/mobile-backend/main.tf
create mode 100644 modules/mobile-backend/outputs.tf
create mode 100644 modules/mobile-backend/provider.tf
create mode 100644 modules/mobile-backend/variables.tf
diff --git a/mobile-backend.tf b/mobile-backend.tf
new file mode 100644
index 0000000..62b39d5
--- /dev/null
+++ b/mobile-backend.tf
@@ -0,0 +1,7 @@
+module "mobile-backend-integration" {
+ source = "./modules/mobile-backend"
+
+ environment = "integration"
+ hostname = "app.integration.publishing.service.gov.uk"
+ origin_hostname = "govuk-app-remote-config-integration.s3.eu-west-1.amazonaws.com"
+}
diff --git a/modules/mobile-backend/main.tf b/modules/mobile-backend/main.tf
new file mode 100644
index 0000000..a386e2e
--- /dev/null
+++ b/modules/mobile-backend/main.tf
@@ -0,0 +1,74 @@
+locals {
+ strip_headers = [
+ "x-amz-id-2",
+ "x-amz-meta-server-side-encryption",
+ "x-amz-request-id",
+ "x-amz-version-id",
+ "x-amz-server-side-encryption"
+ ]
+ # headers to add
+ ttl = "300s" # 5 minutes
+ cache_control = "max-age=300, public, immutable"
+ access_control_allow_origin = "*"
+}
+
+resource "fastly_service_vcl" "mobile_backend_service" {
+ name = "Mobile backend - ${title(var.environment)}"
+ http3 = true
+
+ domain {
+ name = var.hostname
+ }
+
+ backend {
+ name = "Mobile backend config bucket - ${var.environment}"
+ address = var.origin_hostname
+ port = 443
+
+ connect_timeout = 1000
+ first_byte_timeout = 15000
+ max_conn = 200
+ between_bytes_timeout = 10000
+
+ ssl_check_cert = true
+ ssl_ciphers = "ECDHE-RSA-AES256-GCM-SHA384"
+ ssl_cert_hostname = var.origin_hostname
+ ssl_sni_hostname = var.origin_hostname
+ min_tls_version = "1.2"
+ }
+
+ dynamic "header" {
+ for_each = local.strip_headers
+ content {
+ destination = "http.${header.value}"
+ name = "Remove ${header.value}"
+ action = "delete"
+ type = "cache"
+ }
+ }
+
+ header {
+ destination = "ttl"
+ name = "Add ttl header"
+ action = "set"
+ type = "response"
+ source = local.ttl
+ }
+
+ header {
+ destination = "http.Cache-Control"
+ name = "Add Cache-Control header"
+ action = "set"
+ type = "response"
+ source = local.cache_control
+ }
+
+ header {
+ destination = "http.Access-Control-Allow-Origin"
+ name = "Add Access-Control-Allow-Origin header"
+ action = "set"
+ type = "response"
+ source = local.access_control_allow_origin
+ }
+
+}
diff --git a/modules/mobile-backend/outputs.tf b/modules/mobile-backend/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/mobile-backend/provider.tf b/modules/mobile-backend/provider.tf
new file mode 100644
index 0000000..88b34fd
--- /dev/null
+++ b/modules/mobile-backend/provider.tf
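Review bot: The `backend` block sets `address`, `ssl_cert_hostname` and `ssl_sni_hostname` to the S3 endpoint but no `override_host`, so Fastly will forward the client's Host header (the value of `var.hostname`) to S3. S3's virtual-hosted endpoints choose the bucket from that header, so the request would be resolved against a bucket named after the public hostname rather than the config bucket, and would either fail or be answered from a bucket this configuration does not name. Adding `override_host = var.origin_hostname` inside `backend` pins the bucket to the one the TLS settings already verify.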
@@ -0,0 +1,9 @@ +terraform { + required_version = "~> 1.7" + required_providers { + fastly = { + source = "fastly/fastly" + version = ">= 5.11.0" + } + } +} diff --git a/modules/mobile-backend/variables.tf b/modules/mobile-backend/variables.tf new file mode 100644 index 0000000..4c7d2b8 --- /dev/null +++ b/modules/mobile-backend/variables.tf @@ -0,0 +1,11 @@ +variable "environment" { + type = string +} + +variable "hostname" { + type = string +} + +variable "origin_hostname" { + type = string +} From 9e029f42b97db2ac558bbbddf8b6a4c01e228059 Mon Sep 17 00:00:00 2001 From: James Miller Date: Wed, 4 Sep 2024 15:10:53 +0100 Subject: [PATCH 2/3] add placeholder domain names to get services set up --- mobile-backend.tf | 18 +++++++++++++++++- modules/mobile-backend/main.tf | 2 +- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/mobile-backend.tf b/mobile-backend.tf index 62b39d5..23dafef 100644 --- a/mobile-backend.tf +++ b/mobile-backend.tf @@ -2,6 +2,22 @@ module "mobile-backend-integration" { source = "./modules/mobile-backend" environment = "integration" - hostname = "app.integration.publishing.service.gov.uk" + hostname = "app.integration.govuk.digital" origin_hostname = "govuk-app-remote-config-integration.s3.eu-west-1.amazonaws.com" } + +module "mobile-backend-staging" { + source = "./modules/mobile-backend" + + environment = "staging" + hostname = "app.staging.govuk.digital" + origin_hostname = "govuk-app-remote-config-staging.s3.eu-west-1.amazonaws.com" +} + +module "mobile-backend-production" { + source = "./modules/mobile-backend" + + environment = "production" + hostname = "app.govuk.digital" + origin_hostname = "govuk-app-remote-config-production.s3.eu-west-1.amazonaws.com" +} diff --git a/modules/mobile-backend/main.tf b/modules/mobile-backend/main.tf index a386e2e..31b8485 100644 --- a/modules/mobile-backend/main.tf +++ b/modules/mobile-backend/main.tf 
@@ -13,7 +13,7 @@ locals { } resource "fastly_service_vcl" "mobile_backend_service" { - name = "Mobile backend - ${title(var.environment)}" + name = "GOV.UK App mobile backend - ${title(var.environment)}" http3 = true domain { From bf699e09662aee1079b6791a9f94e9c294599c85 Mon Sep 17 00:00:00 2001 From: Sam Simpson Date: Thu, 5 Sep 2024 14:25:28 +0100 Subject: [PATCH 3/3] Make mobile-backend a standalone TF module --- mobile-backend.tf | 23 ------------------ mobile-backend/.terraform.lock.hcl | 24 +++++++++++++++++++ mobile-backend/main.tf | 17 +++++++++++++ .../outputs.tf | 0 .../main.tf => mobile-backend/service.tf | 12 ++++++---- mobile-backend/variables.tf | 7 ++++++ modules/mobile-backend/provider.tf | 9 ------- modules/mobile-backend/variables.tf | 11 --------- 8 files changed, 56 insertions(+), 47 deletions(-) delete mode 100644 mobile-backend.tf create mode 100644 mobile-backend/.terraform.lock.hcl create mode 100644 mobile-backend/main.tf rename {modules/mobile-backend => mobile-backend}/outputs.tf (100%) rename modules/mobile-backend/main.tf => mobile-backend/service.tf (84%) create mode 100644 mobile-backend/variables.tf delete mode 100644 modules/mobile-backend/provider.tf delete mode 100644 modules/mobile-backend/variables.tf diff --git a/mobile-backend.tf b/mobile-backend.tf deleted file mode 100644 index 23dafef..0000000 --- a/mobile-backend.tf +++ /dev/null 
@@ -1,23 +0,0 @@
-module "mobile-backend-integration" {
- source = "./modules/mobile-backend"
-
- environment = "integration"
- hostname = "app.integration.govuk.digital"
- origin_hostname = "govuk-app-remote-config-integration.s3.eu-west-1.amazonaws.com"
-}
-
-module "mobile-backend-staging" {
- source = "./modules/mobile-backend"
-
- environment = "staging"
- hostname = "app.staging.govuk.digital"
- origin_hostname = "govuk-app-remote-config-staging.s3.eu-west-1.amazonaws.com"
-}
-
-module "mobile-backend-production" {
- source = "./modules/mobile-backend"
-
- environment = "production"
- hostname = "app.govuk.digital"
- origin_hostname = "govuk-app-remote-config-production.s3.eu-west-1.amazonaws.com"
-}
diff --git a/mobile-backend/.terraform.lock.hcl b/mobile-backend/.terraform.lock.hcl
new file mode 100644
index 0000000..8ee7082
--- /dev/null
+++ b/mobile-backend/.terraform.lock.hcl
@@ -0,0 +1,24 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/fastly/fastly" { + version = "5.11.0" + constraints = "5.11.0" + hashes = [ + "h1:kv4rW+6dyoJHxbZswm0vC4+e96D7NlzGo/sa6Psr4hU=", + "zh:0a209382e7644ceb6d0c871109cb730e772ac436f63a5c5814d12a476cc72986", + "zh:38efbb97d1aa2ae056fd9f8189a4773e29140af4a2a6d42fa37ae67a549c7649", + "zh:59bc24ff24197fd1bf428aa6ac213ea07ddea9ca33f71c3916578c7983e834c6", + "zh:66685d0635de949de8d9d685ea46c8714e06833cb2817e06284e278ecbad29cd", + "zh:71bbd37e880007c0bc3838dbb58847a7b6470c12d2278f91095c735760df0138", + "zh:7f74a806b384682e9f8d359b03e61904a45c4e618207edc31aeae2430daa21d6", + "zh:8114e395890a44973e08d134b057014c493a70087bd7e757fa6a680e5109f4a1", + "zh:8b4fd50aea90cda18519ba260f295afa4d55bdd951daca4c4bffb10e7920796f", + "zh:9783df35130f247ce8e58fc9ec601aeabd4cce065c382795e10a6503c7b42053", + "zh:d7c1323e48d323eef73ad1c84dcb5fbdfa4a79953337582e4f995dab73bf69df", + "zh:d938c14524d6c868c5a5803dcd572a0beb38f39059685f3222b9a465c08eda2d", + "zh:e8dfdf179c442cfe00c2981d0d997488eb9ca207226f9549e9bd3a258e783d2e", + "zh:f756a5fe204792ca10b0d2416491741b4199324bd6019706a65abfce78a4fcc7", + "zh:f9341da542f8dcd5c3ac1011fb937df596a0176f594dc0cb93a424fbcabb2ae2", + ] +} diff --git a/mobile-backend/main.tf b/mobile-backend/main.tf new file mode 100644 index 0000000..1ef45ee --- /dev/null +++ b/mobile-backend/main.tf @@ -0,0 +1,17 @@ +terraform { + cloud { + organization = "govuk" + workspaces { + tags = ["fastly", "mobile-backend"] + } + } + required_version = "~> 1.7" + required_providers { + fastly = { + source = "fastly/fastly" + version = "5.11.0" + } + } +} + +provider "fastly" {} diff --git a/modules/mobile-backend/outputs.tf b/mobile-backend/outputs.tf similarity index 100% rename from modules/mobile-backend/outputs.tf rename to mobile-backend/outputs.tf 
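Review bot: The empty `provider "fastly" {}` block at the end of the new `mobile-backend/main.tf` gives no hint of where the Fastly API credential comes from. Keeping the key out of the code is the right choice, but a one-line comment such as `# API key is read from FASTLY_API_KEY, set as a sensitive variable on the Terraform Cloud workspace` would tell the next maintainer where it must be configured; I am assuming that is the mechanism in use, so adjust the wording if not. The same file selects workspaces by the tags `fastly` and `mobile-backend`, so it is also worth a comment that every workspace carrying both tags will apply this service with its own `environment` and `secrets` values.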
diff --git a/modules/mobile-backend/main.tf b/mobile-backend/service.tf similarity index 84% rename from modules/mobile-backend/main.tf rename to mobile-backend/service.tf index 31b8485..0ba7ffe 100644 --- a/modules/mobile-backend/main.tf +++ b/mobile-backend/service.tf @@ -1,4 +1,8 @@ locals { + secrets = yamldecode(var.secrets) + hostname = local.secrets["hostname"] + origin_hostname = local.secrets["origin_hostname"] + strip_headers = [ "x-amz-id-2", "x-amz-meta-server-side-encryption", @@ -17,12 +21,12 @@ resource "fastly_service_vcl" "mobile_backend_service" { http3 = true domain { - name = var.hostname + name = local.hostname } backend { name = "Mobile backend config bucket - ${var.environment}" - address = var.origin_hostname + address = local.origin_hostname port = 443 connect_timeout = 1000 @@ -32,8 +36,8 @@ resource "fastly_service_vcl" "mobile_backend_service" { ssl_check_cert = true ssl_ciphers = "ECDHE-RSA-AES256-GCM-SHA384" - ssl_cert_hostname = var.origin_hostname - ssl_sni_hostname = var.origin_hostname + ssl_cert_hostname = local.origin_hostname + ssl_sni_hostname = local.origin_hostname min_tls_version = "1.2" } diff --git a/mobile-backend/variables.tf b/mobile-backend/variables.tf new file mode 100644 index 0000000..218341d --- /dev/null +++ b/mobile-backend/variables.tf @@ -0,0 +1,7 @@ +variable "environment" { + type = string +} + +variable "secrets" { + type = string +} diff --git a/modules/mobile-backend/provider.tf b/modules/mobile-backend/provider.tf deleted file mode 100644 index 88b34fd..0000000 --- a/modules/mobile-backend/provider.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = "~> 1.7" - required_providers { - fastly = { - source = "fastly/fastly" - version = ">= 5.11.0" - } - } -} diff --git a/modules/mobile-backend/variables.tf b/modules/mobile-backend/variables.tf deleted file mode 100644 index 4c7d2b8..0000000 --- a/modules/mobile-backend/variables.tf +++ /dev/null 
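Review bot: `local.secrets["hostname"]` and `local.secrets["origin_hostname"]` in the `locals` block index the decoded YAML directly, so a workspace whose `secrets` value lacks either key, or is not a mapping, fails with a generic index error far from the cause. The `variable "secrets"` block added in `mobile-backend/variables.tf` later in this patch is also declared without `sensitive = true`, so Terraform will not redact it or values derived from it in plan output; that is harmless for two hostnames, but the name invites real secrets later. I would add a `validation` block on the variable that checks both keys are present, and either mark it `sensitive = true` or rename it to say it carries configuration.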
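Review bot: Nothing in the service, before or after the hunk that switches `domain` and `backend` to `local.hostname` / `local.origin_hostname`, redirects plain-HTTP requests to HTTPS: no `request_setting` block with `force_ssl = true` appears anywhere in the resource as shown in this series. A mobile client that fetches the remote config over port 80 would receive it without transport integrity, and the `Cache-Control` value with `immutable` lets it keep that copy for the whole max-age. Unless TLS is enforced elsewhere, add a `request_setting` block with a `name` and `force_ssl = true` to `fastly_service_vcl.mobile_backend_service`. The resource body begins and ends outside this hunk.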
@@ -1,11 +0,0 @@
-variable "environment" {
- type = string
-}
-
-variable "hostname" {
- type = string
-}
-
-variable "origin_hostname" {
- type = string
-}