Merge branch 'dev' into story-786/vnet

CDCgov · Mar 8, 2024 · 8183319 · 8183319
2 parents 54c1ec7 + c957830
commit 8183319
Show file tree

Hide file tree

Showing 15 changed files with 291 additions and 46 deletions.
diff --git a/.github/workflows/db_rollback.yml b/.github/workflows/db_rollback.yml
@@ -64,11 +64,35 @@ jobs:
           echo "DATABASE_HOSTNAME=$DATABASE_HOSTNAME" >> "$GITHUB_ENV"
           echo "DATABASE_PASSWORD=$DATABASE_PASSWORD" >> "$GITHUB_ENV"
 
-      - name: Run Db Rollback
-        uses: liquibase-github-actions/[email protected]
+      - name: Connect to VPN
+        uses: josiahsiegel/[email protected]
+        id: connect_vpn
+        if: github.event.inputs.environment != 'internal'
         with:
-          changelogFile: ${{ github.event.inputs.rollbackFile }}
-          count: ${{ github.event.inputs.rollbackCount }}
-          url: "jdbc:postgresql://${{ env.DATABASE_HOSTNAME }}:5432/postgres"
-          username: cdcti-github
-          password: ${{ env.DATABASE_PASSWORD }}
+          PING_URL: ${{ env.DATABASE_HOSTNAME }}
+          FILE_OVPN: ./operations/vpn/${{ github.event.inputs.environment }}.ovpn
+          TLS_KEY: ${{ secrets.VPN_TLS_KEY }}
+        env:
+          CA_CRT: ${{ secrets.VPN_CA_CERTIFICATE }}
+          USER_CRT: ${{ secrets.VPN_GITHUB_CERTIFICATE }}
+          USER_KEY: ${{ secrets.VPN_GITHUB_SECRET_KEY }}
+
+      - name: Fail if VPN isn't Connected
+        if: github.event.inputs.environment != 'internal' && steps.connect_vpn.outputs.STATUS != 'true'
+        run: |
+          echo 'VPN connected: ${{ steps.connect_vpn.outputs.STATUS }}'
+          exit 1
+
+      - name: Install Liquibase
+        run: |
+          wget -O- https://repo.liquibase.com/liquibase.asc | gpg --dearmor > liquibase-keyring.gpg && \cat liquibase-keyring.gpg | sudo tee /usr/share/keyrings/liquibase-keyring.gpg > /dev/null && \echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/liquibase-keyring.gpg] https://repo.liquibase.com stable main' | sudo tee /etc/apt/sources.list.d/liquibase.list
+          sudo apt-get update
+          sudo apt-get install liquibase
+          liquibase -v
+
+      - name: Run Db migration
+        run: liquibase rollback-count --changelog-file ${{ github.event.inputs.rollbackFile }} --count ${{ github.event.inputs.rollbackCount }} --url 'jdbc:postgresql://${{ env.DATABASE_HOSTNAME }}:5432/postgres' --username cdcti-github --password '${{ env.DATABASE_PASSWORD }}'
+
+      - name: Disconnect VPN
+        if: github.event.inputs.environment != 'internal' && always()
+        run: sudo killall openvpn
diff --git a/.github/workflows/dev-deploy.yml b/.github/workflows/dev-deploy.yml
@@ -18,6 +18,10 @@ jobs:
       AZURE_CLIENT_ID: ${{ secrets.AZURE_CDC_CLIENT_ID }}
       AZURE_TENANT_ID: ${{ secrets.AZURE_CDC_TENANT_ID }}
       AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_CDC_DMZ_C1_SUBSCRIPTION_ID }}
+      VPN_TLS_KEY: ${{ secrets.VPN_TLS_KEY }}
+      VPN_CA_CERTIFICATE: ${{ secrets.VPN_CA_CERTIFICATE }}
+      VPN_GITHUB_CERTIFICATE: ${{ secrets.VPN_GITHUB_CERTIFICATE}}
+      VPN_GITHUB_SECRET_KEY: ${{ secrets.VPN_GITHUB_SECRET_KEY }}
 
   dev-deploy:
     name: Dev Application Deploy

diff --git a/.github/workflows/terraform-deploy_reusable.yml b/.github/workflows/terraform-deploy_reusable.yml
@@ -24,6 +24,14 @@ on:
         required: true
       AZURE_SUBSCRIPTION_ID:
         required: true
+      VPN_TLS_KEY:
+        required: false
+      VPN_CA_CERTIFICATE:
+        required: false
+      VPN_GITHUB_CERTIFICATE:
+        required: false
+      VPN_GITHUB_SECRET_KEY:
+        required: false
     outputs:
       REGISTRY:
         description: The container registry
@@ -85,13 +93,39 @@ jobs:
           echo "DATABASE_HOSTNAME=$DATABASE_HOSTNAME" >> "$GITHUB_ENV"
           echo "DATABASE_PASSWORD=$DATABASE_PASSWORD" >> "$GITHUB_ENV"
 
-      - name: Run Db migration
-        uses: liquibase-github-actions/[email protected]
+      - name: Connect to VPN
+        uses: josiahsiegel/[email protected]
+        id: connect_vpn
+        if: inputs.ENVIRONMENT != 'internal' && inputs.ENVIRONMENT != 'pr'
         with:
-          changelogFile: ./etor/databaseMigrations/root.yml
-          url: "jdbc:postgresql://${{ env.DATABASE_HOSTNAME }}:5432/postgres"
-          username: cdcti-github
-          password: ${{ env.DATABASE_PASSWORD }}
+          PING_URL: ${{ env.DATABASE_HOSTNAME }}
+          FILE_OVPN: ./operations/vpn/${{ inputs.ENVIRONMENT }}.ovpn
+          TLS_KEY: ${{ secrets.VPN_TLS_KEY }}
+        env:
+          CA_CRT: ${{ secrets.VPN_CA_CERTIFICATE }}
+          USER_CRT: ${{ secrets.VPN_GITHUB_CERTIFICATE }}
+          USER_KEY: ${{ secrets.VPN_GITHUB_SECRET_KEY }}
+
+      - name: Fail if VPN isn't Connected
+        if: inputs.ENVIRONMENT != 'internal' && inputs.ENVIRONMENT != 'pr' && steps.connect_vpn.outputs.STATUS != 'true'
+        run: |
+          echo 'VPN connected: ${{ steps.connect_vpn.outputs.STATUS }}'
+          exit 1
+
+      - name: Install Liquibase
+        run: |
+          wget -O- https://repo.liquibase.com/liquibase.asc | gpg --dearmor > liquibase-keyring.gpg && \cat liquibase-keyring.gpg | sudo tee /usr/share/keyrings/liquibase-keyring.gpg > /dev/null && \echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/liquibase-keyring.gpg] https://repo.liquibase.com stable main' | sudo tee /etc/apt/sources.list.d/liquibase.list
+          sudo apt-get update
+          sudo apt-get install liquibase
+          liquibase -v
+
+      - name: Run Db migration
+        working-directory: ./
+        run: liquibase update --changelog-file ./etor/databaseMigrations/root.yml --url 'jdbc:postgresql://${{ env.DATABASE_HOSTNAME }}:5432/postgres' --username cdcti-github --password '${{ env.DATABASE_PASSWORD }}'
+
+      - name: Disconnect VPN
+        if: inputs.ENVIRONMENT != 'internal' && inputs.ENVIRONMENT != 'pr' && always()
+        run: sudo killall openvpn
 
       - id: export-terraform-output
         name: Export Terraform Output

diff --git a/operations/environments/dev/main.tf b/operations/environments/dev/main.tf
@@ -29,4 +29,5 @@ module "template" {
 
   environment = "dev"
   deployer_id = "f5feabe7-5d37-40ba-94f2-e5c0760b4561" //github app registration in CDC Azure Entra
+  vpn_root_certificate = "MIIC5jCCAc6gAwIBAgIIWvb3sLkOQtcwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAxMGVlBOIENBMB4XDTI0MDMwODE1MjM0OFoXDTI3MDMwODE1MjM0OFowETEPMA0GA1UEAxMGVlBOIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt1v2bAATE7IOJkqUrbwQw6X99fi3Ywf1bv0uZ0gGDjG10H+PB2BUzZ94RNcB4Oezi6t+/WAQUkhRozemFkegSkfKHEehAT6nu6OBXKt2rH/oJtpKR791ab9H9aQ6e5LO9OZ237QL6XikhGG7HXqG9ndYnhBYPy2/pd8VV6ZwqMR3PkfBJaC4tKy4d8dim+PMpT5rqPGbsf9H+dydvG6JOKZiHb3/yqi6fqoise1yY64aDwFC9MbEbtgXpvmBFsei2PA/XH5FqE6F/kyCg7mO5TSYYEqx0PCTPmICAT4iw5ELMyAhVKL2OpMjqw5YAYr/TGqlfyEYpBBQMvC3K9OmUwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5idI+AFsHn8BjvNBE5ShE+aFor0wDQYJKoZIhvcNAQELBQADggEBAJkDtuHj4QGyXtooiM7xfHZ/lGdDZvF+KAVfFKAlsIO8y1NS2iAeNT6MmampwzWzXIUMk9vxvALUoh2MJkWP5CX2e3vDj2lGpbhK5//rfWDin1/jj28+KZzSVsk4i/EkdBWW7eCKU401rafVOjSLmM5mfDTAHNrFxzQWJF5WL7TxrQw7chrnpy4v0V7/y4h+QsQja8LXx9keEdB2BQSjndAqxB9dblFALantpuEOM2pS3GCaC2REXSnKsgSEQoVL07MSndpCpdv5bsEkppM5LBC6gL66a43Lho3kSCm4ZU51mjJtNwadeBXpHjkJ1yiBA7CG/Roa+THAiV+VMP75g3E="  # pragma: allowlist secret
 }
diff --git a/operations/environments/pr/main.tf b/operations/environments/pr/main.tf
@@ -28,11 +28,19 @@ resource "azurerm_resource_group" "group" { //create the PR resource group becau
   location = "East US"
 }
 
+resource "azurerm_virtual_network" "vnet" { //create the PR resource group because it has a dynamic name that cannot be always pre-created
+  name     = "csels-rsti-pr${var.pr_number}-moderate-app-vnet"
+  location = azurerm_resource_group.group.location
+  resource_group_name = azurerm_resource_group.group.name
+
+  address_space = ["10.0.0.0/25"]
+}
+
 module "template" {
   source = "../../template/"
 
   environment = "pr${var.pr_number}"
   deployer_id = "d59c2c86-de5e-41b7-a752-0869a73f5a60" //github app registration in Flexion Azure Entra
 
-  depends_on = [azurerm_resource_group.group]
+  depends_on = [azurerm_resource_group.group, azurerm_virtual_network.vnet]
 }
diff --git a/operations/environments/prd/main.tf b/operations/environments/prd/main.tf
@@ -29,4 +29,5 @@ module "template" {
 
   environment = "prd"
   deployer_id = "f5feabe7-5d37-40ba-94f2-e5c0760b4561" //github app registration in CDC Azure Entra
+  vpn_root_certificate = "MIIC5jCCAc6gAwIBAgIIeHnOQDhz00AwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAxMGVlBOIENBMB4XDTI0MDMwODE1NDA1M1oXDTI3MDMwODE1NDA1M1owETEPMA0GA1UEAxMGVlBOIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkgeXZ6ReEQ5HAqlXULUUdVfCMtMPmlTeCFFkhD9i5E5lRg78PyJqczHMzCB6l83O/PrLWXjT3/s/R58cfeHJg/SndGwt/2uKhj1kNW7Ivc8kF0pgSL3lDR+NSj5OPda45EY30ZlTjgygmb9MjfCT2BmgjGcfUbgm0jzgDZsk7bLUUJkL38DJP+v2M6sDxyxMjoY9gJ1Kq5Fg81serJlZHaACShuuhgiKqH3+hwvIPluK8Y40FWfiKpGRjdkAXGTmB+afMeA4L1amyticIPzzOytIHFIDMOKgJRL62UQe+alzubXkYbDtEgDCOwF8k5TRiu9MUwID34CLkp2VWnLnUwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUHyrypPmh+KVb2sspeGsxboG1hQwwDQYJKoZIhvcNAQELBQADggEBAGmfFRLgqLQxedGHeXQoajHzhCvk+62lDR1xy0s2mklA3eRxzOyaXRPgmM6lbGBm6LdLxo5nxGgfD4h2vOBZl4MXOFLryLm97QtDZ34YkxGn+tugUAXpWBB/EJIynib1Ywyg6Kv6g3oYjf2bc8Ae9bOWGR0FtOGn8TvmSzKLXoUwQd0u9DEA774YtpvPxHxw69uyf8x2nekpyWNyFbR6DWJEA9M+BHeR0oGEGoc5FH6zTgstbdeNVou3NNQlRKlWD26vWeCeQvbKDK5+KuOPjjDTimGdx1GfA9z/ai/pX+K/NKvvC4JXQdW7jYYu3QFglP70esT9mBCxVQbXd49oD9M="  # pragma: allowlist secret
 }
diff --git a/operations/environments/stg/main.tf b/operations/environments/stg/main.tf
@@ -29,4 +29,5 @@ module "template" {
 
   environment = "stg"
   deployer_id = "f5feabe7-5d37-40ba-94f2-e5c0760b4561" //github app registration in CDC Azure Entra
+  vpn_root_certificate = "MIIC5jCCAc6gAwIBAgIIUC720RvICDQwDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAxMGVlBOIENBMB4XDTI0MDMwODE1MzY1MloXDTI3MDMwODE1MzY1MlowETEPMA0GA1UEAxMGVlBOIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtn+H6PbB2y/JmoTTNuxljVY7I02BblPmnzwzQhEPAZjoMVQTsEvS5rr/ILLFFF5FdTcyPYJpD5Tvd+w1v62xV4QhZSFpSSyfRvsi6uzOLOyDOhVN++GWAjKyTvaOO654JwX/qj7nHSYQLQFtnf9OkixZazO8o0snXpGCSYKgxhBox6+XyZpjjwoFt+wMrNalrAOWCtAp/pgIB7xyStcWyGEi7vACiV+7rzI2Kxh+PfaltS4wU1vWN7jN2GxMbVG3539ybiT4fpoGuDWjZ7t7tp1LgQa1n7tlvNR0W01pdt7U/fPL9ynfyuP8Wph8eetW9THYtJkBTNk7KyhE+z36TwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU85kmRn9Cnq9LjFeKjwrMUhgo3xowDQYJKoZIhvcNAQELBQADggEBAHjzfciR/TqJojJ3xd2AmMQev5Aw6Wf9gFfhv0eb9bmqyeJ23bYhOvqWxIxb01TBp5CNhWgWuUE68cQpEqafu9JOITDk9GtQ9m6/4sHOhzqM11beGqKlomQuT+I/M/gS0pUcr//W7riTkOQQI6DHKgpoGoRXpk9/V5GrwQauZjy1hRyRpVlg4xDgJJqRr5PKUErtA07DYck+AblJW4msglfyM2HTvvMLNdsmiZmjFdU1osT0WT/W9nY+RGadAo47x6qknpFoDoVtIQ3XNH3C5Scl1bGphfQdmEjNVhg7a8gSWat7n1OjFiz3OvTqy5MsssmRz4WlOM5+xOhiT2OambA="  # pragma: allowlist secret
 }
diff --git a/operations/template/app.tf b/operations/template/app.tf
@@ -26,23 +26,31 @@ resource "azurerm_linux_web_app" "api" {
 
   https_only = true
 
-  virtual_network_subnet_id = azurerm_subnet.app.id
+  virtual_network_subnet_id = local.cdc_domain_environment ? azurerm_subnet.app.id : null
 
   site_config {
-    scm_use_main_ip_restriction = true
+    scm_use_main_ip_restriction = local.cdc_domain_environment ? true : null
 
-    ip_restriction {
-      name       = "deny_all_ipv4"
-      action     = "Deny"
-      ip_address = "0.0.0.0/0"
-      priority   = "200"
+    dynamic "ip_restriction" {
+      for_each = local.cdc_domain_environment ? [1] : []
+
+      content {
+        name       = "deny_all_ipv4"
+        action     = "Deny"
+        ip_address = "0.0.0.0/0"
+        priority   = "200"
+      }
     }
 
-    ip_restriction {
-      name       = "deny_all_ipv6"
-      action     = "Deny"
-      ip_address = "::/0"
-      priority   = "201"
+    dynamic "ip_restriction" {
+      for_each = local.cdc_domain_environment ? [1] : []
+
+      content {
+        name       = "deny_all_ipv6"
+        action     = "Deny"
+        ip_address = "::/0"
+        priority   = "201"
+      }
     }
   }
 

diff --git a/operations/template/db.tf b/operations/template/db.tf
@@ -11,8 +11,8 @@ resource "azurerm_postgresql_flexible_server" "database" {
   storage_mb            = "32768"
   auto_grow_enabled     = true
   backup_retention_days = "14"
-  delegated_subnet_id   = azurerm_subnet.database.id
-  private_dns_zone_id   = azurerm_private_dns_zone.dns_zone.id
+  delegated_subnet_id   = local.cdc_domain_environment ? azurerm_subnet.database.id : null
+  private_dns_zone_id   = local.cdc_domain_environment ? azurerm_private_dns_zone.dns_zone.id : null
 
   authentication {
     password_auth_enabled         = "false"
@@ -30,14 +30,14 @@ resource "azurerm_postgresql_flexible_server" "database" {
   }
 }
 
-#resource "azurerm_postgresql_flexible_server_active_directory_administrator" "admin_for_deployer" {
-#  server_name         = azurerm_postgresql_flexible_server.database.name
-#  resource_group_name = data.azurerm_resource_group.group.name
-#  tenant_id           = data.azurerm_client_config.current.tenant_id
-#  object_id           = var.deployer_id
-#  principal_name      = "cdcti-github"
-#  principal_type      = "ServicePrincipal"
-#}
+resource "azurerm_postgresql_flexible_server_active_directory_administrator" "admin_for_deployer" {
+  server_name         = azurerm_postgresql_flexible_server.database.name
+  resource_group_name = data.azurerm_resource_group.group.name
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  object_id           = var.deployer_id
+  principal_name      = "cdcti-github"
+  principal_type      = "ServicePrincipal"
+}
 
 resource "azurerm_postgresql_flexible_server_active_directory_administrator" "admin_for_app" {
   server_name         = azurerm_postgresql_flexible_server.database.name
@@ -48,9 +48,10 @@ resource "azurerm_postgresql_flexible_server_active_directory_administrator" "ad
   principal_type      = "ServicePrincipal"
 }
 
-#resource "azurerm_postgresql_flexible_server_firewall_rule" "db_firewall_5" {
-#  name             = "AllowAzure"
-#  server_id        = azurerm_postgresql_flexible_server.database.id
-#  start_ip_address = "0.0.0.0"
-#  end_ip_address   = "0.0.0.0"
-#}
+resource "azurerm_postgresql_flexible_server_firewall_rule" "db_firewall_5" {
+  count            = local.cdc_domain_environment ? 0 : 1
+  name             = "AllowAzure"
+  server_id        = azurerm_postgresql_flexible_server.database.id
+  start_ip_address = "0.0.0.0"
+  end_ip_address   = "0.0.0.0"
+}
diff --git a/operations/template/key.tf b/operations/template/key.tf
@@ -81,5 +81,3 @@ resource "azurerm_key_vault_secret" "trusted_intermediary_private_key" {
   }
   depends_on = [azurerm_key_vault_access_policy.allow_github_deployer] //wait for the permission that allows our deployer to write the secret
 }
-
-
diff --git a/operations/template/main.tf b/operations/template/main.tf
@@ -7,6 +7,7 @@ locals {
   selected_rs_environment_prefix = lookup(local.environment_to_rs_environment_prefix_mapping, var.environment, "staging")
   rs_domain_prefix               = "${local.selected_rs_environment_prefix}${length(local.selected_rs_environment_prefix) == 0 ? "" : "."}"
   higher_environment_level       = var.environment == "stg" || var.environment == "prd"
+  cdc_domain_environment         = var.environment == "dev" || var.environment == "stg" || var.environment == "prd"
 }
 
 data "azurerm_resource_group" "group" {

diff --git a/operations/template/net.tf b/operations/template/net.tf
@@ -3,11 +3,15 @@ data "azurerm_virtual_network" "app" {
   resource_group_name = data.azurerm_resource_group.group.name
 }
 
+locals {
+  subnets_cidrs = cidrsubnets(data.azurerm_virtual_network.app.address_space[0], 2, 2, 2, 3, 3)
+}
+
 resource "azurerm_subnet" "app" {
   name                 = "app"
   resource_group_name  = data.azurerm_resource_group.group.name
   virtual_network_name = data.azurerm_virtual_network.app.name
-  address_prefixes     = ["172.17.67.128/26"]
+  address_prefixes     = [local.subnets_cidrs[0]]
 
   service_endpoints = [
     "Microsoft.AzureActiveDirectory",
@@ -35,7 +39,7 @@ resource "azurerm_subnet" "database" {
   name                 = "database"
   resource_group_name  = data.azurerm_resource_group.group.name
   virtual_network_name = data.azurerm_virtual_network.app.name
-  address_prefixes     = ["172.17.67.192/27"]
+  address_prefixes     = [local.subnets_cidrs[1]]
 
   service_endpoints = [
     "Microsoft.AzureActiveDirectory",
@@ -59,6 +63,45 @@ resource "azurerm_subnet" "database" {
   }
 }
 
+resource "azurerm_subnet" "vpn" {
+  name                 = "GatewaySubnet"
+  resource_group_name  = data.azurerm_resource_group.group.name
+  virtual_network_name = data.azurerm_virtual_network.app.name
+  address_prefixes     = [local.subnets_cidrs[2]]
+}
+
+resource "azurerm_subnet" "resolver_inbound" {
+  name                 = "resolver-inbound"
+  resource_group_name  = data.azurerm_resource_group.group.name
+  virtual_network_name = data.azurerm_virtual_network.app.name
+  address_prefixes     = [local.subnets_cidrs[3]]
+
+  delegation {
+    name = "delegation"
+
+    service_delegation {
+      name    = "Microsoft.Network/dnsResolvers"
+      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
+    }
+  }
+}
+
+resource "azurerm_subnet" "resolver_outbound" {
+  name                 = "resolver-outbound"
+  resource_group_name  = data.azurerm_resource_group.group.name
+  virtual_network_name = data.azurerm_virtual_network.app.name
+  address_prefixes     = [local.subnets_cidrs[4]]
+
+  delegation {
+    name = "delegation"
+
+    service_delegation {
+      name    = "Microsoft.Network/dnsResolvers"
+      actions = ["Microsoft.Network/virtualNetworks/subnets/join/action"]
+    }
+  }
+}
+
 resource "azurerm_private_dns_zone" "dns_zone" {
   name                = "privateintermediary.postgres.database.azure.com"
   resource_group_name = data.azurerm_resource_group.group.name

diff --git a/operations/template/variables.tf b/operations/template/variables.tf
@@ -7,3 +7,9 @@ variable "deployer_id" {
   type     = string
   nullable = false
 }
+
+variable "vpn_root_certificate" {
+  type     = string
+  nullable = true
+  default = null
+}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -81,5 +81,3 @@ resource "azurerm_key_vault_secret" "trusted_intermediary_private_key" {
		}
		depends_on = [azurerm_key_vault_access_policy.allow_github_deployer] //wait for the permission that allows our deployer to write the secret
		}