Infra for new apim (#2278)

hmcts · Sep 26, 2024 · 385ebaa · 385ebaa
1 parent c040355
commit 385ebaa
Show file tree

Hide file tree

Showing 5 changed files with 136 additions and 6 deletions.
diff --git a/infrastructure/api-mgmt-logging.tf b/infrastructure/api-mgmt-logging.tf
@@ -0,0 +1,50 @@
+resource "azurerm_api_management_api_diagnostic" "apim_logs" {
+  provider                 = azurerm.aks-cftapps
+  identifier               = "applicationinsights"
+  resource_group_name      = local.api_mgmt_rg
+  api_management_name      = local.api_mgmt_name
+  api_name                 = "bulk-scan-api"
+  api_management_logger_id = "/subscriptions/${var.cft_subscription_id}/resourceGroups/${local.api_mgmt_rg}/providers/Microsoft.ApiManagement/service/${local.api_mgmt_name}/loggers/cft-api-mgmt-${local.api_mgmt_suffix}-logger"
+
+  sampling_percentage       = 100.0
+  always_log_errors         = true
+  log_client_ip             = true
+  verbosity                 = "verbose"
+  http_correlation_protocol = "W3C"
+
+  frontend_request {
+    body_bytes = 8192
+    headers_to_log = [
+      "content-type",
+      "accept",
+      "origin",
+    ]
+  }
+
+  frontend_response {
+    body_bytes = 8192
+    headers_to_log = [
+      "content-type",
+      "content-length",
+      "origin",
+    ]
+  }
+
+  backend_request {
+    body_bytes = 8192
+    headers_to_log = [
+      "content-type",
+      "accept",
+      "origin",
+    ]
+  }
+
+  backend_response {
+    body_bytes = 8192
+    headers_to_log = [
+      "content-type",
+      "content-length",
+      "origin",
+    ]
+  }
+}
diff --git a/infrastructure/api-mgmt-policy.xml b/infrastructure/api-mgmt-policy.xml
@@ -0,0 +1,22 @@
+<policies>
+  <inbound>
+    <base />
+    <validate-azure-ad-token header-name="Authorization" tenant-id="{TENANT_ID}" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
+      <client-application-ids>
+        <application-id>{CLIENT_ID}</application-id>
+      </client-application-ids>
+      <audiences>
+        <audience>{APP_ID}</audience>
+      </audiences>
+    </validate-azure-ad-token>
+  </inbound>
+  <backend>
+    <base />
+  </backend>
+  <outbound>
+    <base />
+  </outbound>
+  <on-error>
+    <base />
+  </on-error>
+</policies>
diff --git a/infrastructure/api-mgmt.tf b/infrastructure/api-mgmt.tf
@@ -0,0 +1,50 @@
+locals {
+  api_mgmt_suffix = var.apim_suffix == "" ? var.env : var.apim_suffix
+  api_mgmt_name   = "cft-api-mgmt-${local.api_mgmt_suffix}"
+  api_mgmt_rg     = join("-", ["cft", var.env, "network-rg"])
+}
+
+module "api_mgmt_product" {
+  source                        = "[email protected]:hmcts/cnp-module-api-mgmt-product?ref=master"
+  api_mgmt_name                 = local.api_mgmt_name
+  api_mgmt_rg                   = local.api_mgmt_rg
+  name                          = "bulk-scan"
+  product_access_control_groups = ["developers"]
+  approval_required             = "false"
+  subscription_required         = "false"
+}
+
+module "api_mgmt" {
+  source         = "[email protected]:hmcts/cnp-module-api-mgmt-api?ref=master"
+  name           = "bulk-scan-api"
+  api_mgmt_name  = local.api_mgmt_name
+  api_mgmt_rg    = local.api_mgmt_rg
+  revision       = "1"
+  product_id     = module.cft_api_mgmt_product.product_id
+  display_name   = "Bulk Scan API"
+  path           = "bulk-scan"
+  protocols      = ["http", "https"]
+  service_url    = "http://${var.product}-${var.component}-${var.env}.service.core-compute-${var.env}.internal"
+  swagger_url    = "https://hmcts.github.io/cnp-api-docs/specs/blob-router-service.json"
+  content_format = "openapi-link"
+}
+
+module "api_mgmt_policy" {
+  source        = "[email protected]:hmcts/cnp-module-api-mgmt-api-policy?ref=master"
+  api_mgmt_name = local.api_mgmt_name
+  api_mgmt_rg   = local.api_mgmt_rg
+  api_name      = module.cft_api_mgmt.name
+  api_policy_xml_content = replace(
+    replace(
+      replace(
+        file("api-mgmt-policy.xml"),
+        "TENANT_ID",
+        data.azurerm_key_vault_secret.apim_tenant_id.value
+      ),
+      "CLIENT_ID",
+      data.azurerm_key_vault_secret.apim_client_id.value
+    ),
+    "APP_ID",
+    data.azurerm_key_vault_secret.apim_app_id.value
+  )
+}
diff --git a/infrastructure/cft-api-mgmt.tf b/infrastructure/cft-api-mgmt.tf
@@ -1,13 +1,8 @@
 locals {
-
   # List of thumbprints to be deployed in the APIM policy
   allowed_certificate_thumbprints = concat(
     compact(var.allowed_client_certificate_thumbprints)
   )
-
-  api_mgmt_suffix = var.apim_suffix == "" ? var.env : var.apim_suffix
-  api_mgmt_name   = "cft-api-mgmt-${local.api_mgmt_suffix}"
-  api_mgmt_rg     = join("-", ["cft", var.env, "network-rg"])
 }
 
 module "cft_api_mgmt_product" {

diff --git a/infrastructure/main.tf b/infrastructure/main.tf
@@ -163,4 +163,17 @@ resource "azurerm_key_vault_secret" "reports_recipients" {
   key_vault_id = data.azurerm_key_vault.reform_scan_key_vault.id
 }
 
-# endregion
+data "azurerm_key_vault_secret" "apim_app_id" {
+  key_vault_id = data.azurerm_key_vault.reform_scan_key_vault.id
+  name         = "bulk-scan-app-id"
+}
+
+data "azurerm_key_vault_secret" "apim_client_id" {
+  key_vault_id = data.azurerm_key_vault.reform_scan_key_vault.id
+  name         = "bulk-scan-client-id"
+}
+
+data "azurerm_key_vault_secret" "apim_tenant_id" {
+  key_vault_id = data.azurerm_key_vault.reform_scan_key_vault.id
+  name         = "tenant-id"
+}