Changes in Terraform to support anti-forgery

Terraform/application.tf

@@ -17,29 +17,36 @@ resource "azurerm_linux_web_app" "linux-web-app" {
   public_network_access_enabled = false
 
   app_settings = {
-    CPD_GOOGLEANALYTICSTAG               = var.cpd_googleanalyticstag
-    CPD_SPACE_ID                         = var.cpd_space_id
-    CPD_PREVIEW_KEY                      = var.cpd_preview_key
-    CPD_DELIVERY_KEY                     = var.cpd_delivery_key
-    CPD_TENANTID                         = var.tenant_id
-    CPD_AZURE_ENVIRONMENT                = lower(terraform.workspace)
-    CPD_CONTENTFUL_ENVIRONMENT           = var.cpd_contentful_env[terraform.workspace]
-    CPD_INSTRUMENTATION_CONNECTIONSTRING = data.azurerm_application_insights.appinsights.connection_string
-    CPD_CLARITY                          = var.cpd_clarity
-    CPD_FEATURE_POLLING_INTERVAL         = var.cpd_feature_polling_interval
-    CPD_SEARCH_CLIENT_API_KEY            = var.cpd_search_client_api_key
-    CPD_SEARCH_ENDPOINT                  = var.cpd_search_endpoint
-    CPD_SEARCH_INDEX_NAME                = var.cpd_search_index_name
-    DOCKER_ENABLE_CI                     = "true"
+    CPD_GOOGLEANALYTICSTAG                      = var.cpd_googleanalyticstag
+    CPD_SPACE_ID                                = var.cpd_space_id
+    CPD_PREVIEW_KEY                             = var.cpd_preview_key
+    CPD_DELIVERY_KEY                            = var.cpd_delivery_key
+    CPD_TENANTID                                = var.tenant_id
+    CPD_AZURE_ENVIRONMENT                       = lower(terraform.workspace)
+    CPD_CONTENTFUL_ENVIRONMENT                  = var.cpd_contentful_env[terraform.workspace]
+    CPD_INSTRUMENTATION_CONNECTIONSTRING        = data.azurerm_application_insights.appinsights.connection_string
+    CPD_CLARITY                                 = var.cpd_clarity
+    CPD_FEATURE_POLLING_INTERVAL                = var.cpd_feature_polling_interval
+    CPD_SEARCH_CLIENT_API_KEY                   = var.cpd_search_client_api_key
+    CPD_SEARCH_ENDPOINT                         = var.cpd_search_endpoint
+    CPD_SEARCH_INDEX_NAME                       = var.cpd_search_index_name
+    CPD_AZURE_DATA_PROTECTION_CONTAINER_NAME    = var.cpd_azure_data_protection_container_name[terraform.workspace]
+    CPD_AZURE_STORAGE_ACCOUNT                   = var.cpd_azure_storage_account[terraform.workspace]
+    CPD_AZURE_MANAGED_IDENTITY_ID               = data.azurerm_user_assigned_identity.appsauai.client_id
+    CPD_AZURE_STORAGE_ACCOUNT_URI_FORMAT_STRING = var.cpd_azure_storage_account_uri_format_string[terraform.workspace]
+    DOCKER_ENABLE_CI                            = "true"
   }
 
   site_config {
     application_stack {
       docker_registry_url = "https://ghcr.io"
       docker_image_name   = "dfe-digital/childrens-social-care-cpd:${nonsensitive(var.cpd_image_tag)}"
     }
+    vnet_route_all_enabled = true
   }
 
+  virtual_network_subnet_id = azurerm_subnet.appstorage.id
+
   logs {
     http_logs {
       file_system {
@@ -49,6 +56,11 @@ resource "azurerm_linux_web_app" "linux-web-app" {
     }
   }
 
+  identity {
+    identity_ids = [data.azurerm_user_assigned_identity.appsauai.id]
+    type         = "UserAssigned"
+  }
+
   tags = data.azurerm_resource_group.rg.tags
 }
 
@@ -59,20 +71,24 @@ resource "azurerm_linux_web_app_slot" "staging" {
   count = terraform.workspace == "Prod" || terraform.workspace == "Load-Test" ? 1 : 0
 
   app_settings = {
-    CPD_GOOGLEANALYTICSTAG               = var.cpd_googleanalyticstag
-    CPD_SPACE_ID                         = var.cpd_space_id
-    CPD_PREVIEW_KEY                      = var.cpd_preview_key
-    CPD_DELIVERY_KEY                     = var.cpd_delivery_key
-    CPD_TENANTID                         = var.tenant_id
-    CPD_AZURE_ENVIRONMENT                = lower(terraform.workspace)
-    CPD_CONTENTFUL_ENVIRONMENT           = var.cpd_contentful_env[terraform.workspace]
-    CPD_INSTRUMENTATION_CONNECTIONSTRING = data.azurerm_application_insights.appinsights.connection_string
-    CPD_CLARITY                          = var.cpd_clarity
-    CPD_FEATURE_POLLING_INTERVAL         = var.cpd_feature_polling_interval
-    CPD_SEARCH_CLIENT_API_KEY            = var.cpd_search_client_api_key
-    CPD_SEARCH_ENDPOINT                  = var.cpd_search_endpoint
-    CPD_SEARCH_INDEX_NAME                = var.cpd_search_index_name
-    DOCKER_ENABLE_CI                     = "true"
+    CPD_GOOGLEANALYTICSTAG                      = var.cpd_googleanalyticstag
+    CPD_SPACE_ID                                = var.cpd_space_id
+    CPD_PREVIEW_KEY                             = var.cpd_preview_key
+    CPD_DELIVERY_KEY                            = var.cpd_delivery_key
+    CPD_TENANTID                                = var.tenant_id
+    CPD_AZURE_ENVIRONMENT                       = lower(terraform.workspace)
+    CPD_CONTENTFUL_ENVIRONMENT                  = var.cpd_contentful_env[terraform.workspace]
+    CPD_INSTRUMENTATION_CONNECTIONSTRING        = data.azurerm_application_insights.appinsights.connection_string
+    CPD_CLARITY                                 = var.cpd_clarity
+    CPD_FEATURE_POLLING_INTERVAL                = var.cpd_feature_polling_interval
+    CPD_SEARCH_CLIENT_API_KEY                   = var.cpd_search_client_api_key
+    CPD_SEARCH_ENDPOINT                         = var.cpd_search_endpoint
+    CPD_SEARCH_INDEX_NAME                       = var.cpd_search_index_name
+    CPD_AZURE_DATA_PROTECTION_CONTAINER_NAME    = var.cpd_azure_data_protection_container_name[terraform.workspace]
+    CPD_AZURE_STORAGE_ACCOUNT                   = var.cpd_azure_storage_account[terraform.workspace]
+    CPD_AZURE_MANAGED_IDENTITY_ID               = data.azurerm_user_assigned_identity.appsauai.client_id
+    CPD_AZURE_STORAGE_ACCOUNT_URI_FORMAT_STRING = var.cpd_azure_storage_account_uri_format_string[terraform.workspace]
+    DOCKER_ENABLE_CI                            = "true"
   }
 
   site_config {

Terraform/managed-identity.tf

@@ -28,3 +28,8 @@ data "azurerm_user_assigned_identity" "uai" {
 #     "Get", "List",
 #   ]
 # }
+
+data "azurerm_user_assigned_identity" "appsauai" {
+  resource_group_name = data.azurerm_resource_group.rg.name
+  name                = var.azure_managed_identity_name[terraform.workspace]
+}

Terraform/networking.tf

@@ -22,6 +22,16 @@ resource "azurerm_subnet" "backend" {
   virtual_network_name                          = data.azurerm_virtual_network.vnet1.name
   address_prefixes                              = [var.vnet_backend_prefixes[terraform.workspace]]
   private_link_service_network_policies_enabled = false
+  service_endpoints                             = ["Microsoft.Storage"]
+}
+
+# Private subnet for the applicaton storage
+resource "azurerm_subnet" "appstorage" {
+  name                                          = var.vnet_appstorage_name[terraform.workspace]
+  resource_group_name                           = data.azurerm_resource_group.rg.name
+  virtual_network_name                          = data.azurerm_virtual_network.vnet1.name
+  address_prefixes                              = [var.vnet_appstorage_prefixes[terraform.workspace]]
+  private_link_service_network_policies_enabled = false
 }
 
 # The public IP address for this service

Terraform/variables.tf

@@ -132,6 +132,31 @@ variable "vnet_backend_prefixes" {
   description = "Subnets used for Backend VNET"
 }
 
+
+variable "vnet_appstorage_name" {
+  type = map(string)
+  default = {
+    Dev       = "s185d01-chidrens-social-care-cpd-sn03"
+    Test      = "s185d02-chidrens-social-care-cpd-sn03"
+    Load-Test = "s185d03-chidrens-social-care-cpd-sn03"
+    Pre-Prod  = "s185t01-chidrens-social-care-cpd-sn03"
+    Prod      = "s185p01-chidrens-social-care-cpd-sn03"
+  }
+  description = "Name of Application Storage VNET"
+}
+
+variable "vnet_appstorage_prefixes" {
+  type = map(string)
+  default = {
+    Dev       = "10.0.0.128/26"
+    Test      = "10.1.0.128/26"
+    Load-Test = "10.2.0.128/26"
+    Pre-Prod  = "10.0.0.128/26"
+    Prod      = "10.0.0.128/26"
+  }
+  description = "Subnets used for Application Storage VNET"
+}
+
 variable "pip_name" {
   type = map(string)
   default = {
@@ -696,6 +721,54 @@ variable "cpd_contentful_env" {
   description = "Contentful Environment Name"
 }
 
+variable "cpd_azure_data_protection_container_name" {
+  type = map(string)
+  default = {
+    Dev       = "data-protection"
+    Test      = "data-protection"
+    Load-Test = "data-protection"
+    Pre-Prod  = "data-protection"
+    Prod      = "data-protection"
+  }
+  description = "Data Protection Container Name"
+}
+
+variable "cpd_azure_storage_account" {
+  type = map(string)
+  default = {
+    Dev       = "s185d01webappsa"
+    Test      = "s185d03webappsa"
+    Load-Test = "s185d03webappsa"
+    Pre-Prod  = "s185t01webappsa"
+    Prod      = "s185p01webappsa"
+  }
+  description = "Storage Account Name for Application"
+}
+
+variable "azure_managed_identity_name" {
+  type = map(string)
+  default = {
+    Dev       = "s185d01-webapprole"
+    Test      = "s185d02-webapprole"
+    Load-Test = "s185d03-webapprole"
+    Pre-Prod  = "s185t01-webapprole"
+    Prod      = "s185p01-webapprole"
+  }
+  description = "Azure Managed Identity Name to Read Storage Account"
+}
+
+variable "cpd_azure_storage_account_uri_format_string" {
+  type = map(string)
+  default = {
+    Dev       = "https://{0}.blob.core.windows.net/{1}"
+    Test      = "https://{0}.blob.core.windows.net/{1}"
+    Load-Test = "https://{0}.blob.core.windows.net/{1}"
+    Pre-Prod  = "https://{0}.blob.core.windows.net/{1}"
+    Prod      = "https://{0}.blob.core.windows.net/{1}"
+  }
+  description = "Storage Account Format String"
+}
+
 variable "fw_diag_name" {
   type = map(string)
   default = {
@@ -804,7 +877,6 @@ variable "search_private_endpoint_conn_name" {
   description = "Name of Private Endpoint Connection"
 }
 
-
 variable "cpd_search_api_key" {
   description = "The Azure AI Search API key"
   sensitive   = true