DFE-Digital · DrizzlyOwl · Sep 3, 2024 · Aug 22, 2024 · Aug 22, 2024 · Aug 22, 2024
@@ -9,38 +9,40 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.22.0"/>
-        <PackageReference Include="Microsoft.Azure.AppConfiguration.AspNetCore" Version="7.3.0"/>
+        <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Keys" Version="1.2.4" />
+        <PackageReference Include="Azure.Identity" Version="1.12.0" />
+        <PackageReference Include="Microsoft.ApplicationInsights.AspNetCore" Version="2.22.0" />
+        <PackageReference Include="Microsoft.Azure.AppConfiguration.AspNetCore" Version="7.3.0" />
         <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="8.0.7">
             <PrivateAssets>all</PrivateAssets>
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
-        <PackageReference Include="Microsoft.FeatureManagement.AspNetCore" Version="3.5.0"/>
-        <PackageReference Include="Microsoft.Identity.Web" Version="2.21.1"/>
-        <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.22.0"/>
-        <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="0.22.0"/>
-        <PackageReference Include="Serilog.AspNetCore" Version="8.0.2"/>
-        <PackageReference Include="Serilog.Sinks.ApplicationInsights" Version="4.0.0"/>
+        <PackageReference Include="Microsoft.FeatureManagement.AspNetCore" Version="3.5.0" />
+        <PackageReference Include="Microsoft.Identity.Web" Version="2.21.1" />
+        <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.22.0" />
+        <PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="0.22.0" />
+        <PackageReference Include="Serilog.AspNetCore" Version="8.0.2" />
+        <PackageReference Include="Serilog.Sinks.ApplicationInsights" Version="4.0.0" />
     </ItemGroup>
 
     <ItemGroup>
-        <Content Remove="package.json"/>
+        <Content Remove="package.json" />
         <None Include="package.json">
             <CopyToOutputDirectory>Never</CopyToOutputDirectory>
         </None>
-        <Content Remove="package-lock.json"/>
+        <Content Remove="package-lock.json" />
         <None Include="package-lock.json">
             <CopyToOutputDirectory>Never</CopyToOutputDirectory>
         </None>
-        <Content Remove=".stylelintrc.json"/>
+        <Content Remove=".stylelintrc.json" />
         <None Include=".stylelintrc.json">
             <CopyToOutputDirectory>Never</CopyToOutputDirectory>
         </None>
     </ItemGroup>
 
     <ItemGroup>
-        <ProjectReference Include="..\DfE.FindInformationAcademiesTrusts.Data.AcademiesDb\DfE.FindInformationAcademiesTrusts.Data.AcademiesDb.csproj"/>
-        <ProjectReference Include="..\DfE.FindInformationAcademiesTrusts.Data.Hardcoded\DfE.FindInformationAcademiesTrusts.Data.Hardcoded.csproj"/>
-        <ProjectReference Include="..\DfE.FindInformationAcademiesTrusts.Data\DfE.FindInformationAcademiesTrusts.Data.csproj"/>
+        <ProjectReference Include="..\DfE.FindInformationAcademiesTrusts.Data.AcademiesDb\DfE.FindInformationAcademiesTrusts.Data.AcademiesDb.csproj" />
+        <ProjectReference Include="..\DfE.FindInformationAcademiesTrusts.Data.Hardcoded\DfE.FindInformationAcademiesTrusts.Data.Hardcoded.csproj" />
+        <ProjectReference Include="..\DfE.FindInformationAcademiesTrusts.Data\DfE.FindInformationAcademiesTrusts.Data.csproj" />
     </ItemGroup>
 </Project>
@@ -1,5 +1,7 @@
+using System.Data;
 using System.Diagnostics.CodeAnalysis;
 using System.Reflection;
+using Azure.Identity;
 using DfE.FindInformationAcademiesTrusts.Authorization;
 using DfE.FindInformationAcademiesTrusts.Data;
 using DfE.FindInformationAcademiesTrusts.Data.AcademiesDb;
@@ -19,6 +21,7 @@
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.CookiePolicy;
+using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.FeatureManagement;
@@ -68,6 +71,8 @@
 
             AddDependenciesTo(builder);
 
+            AddDataProtectionServices(builder);
+
             var app = builder.Build();
             ConfigureHttpRequestPipeline(app);
             app.Run();
@@ -143,19 +148,19 @@
                    .WithNonce()
                    .From(new[]
                    {
                        "https://js.monitor.azure.com/scripts/b/ai.2.min.js",
                        "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js",
                        "https://js.monitor.azure.com/scripts/b/ext/ai.clck.2.8.18.min.js",
                        "https://www.googletagmanager.com"
                    });
                cspBuilder.AddConnectSrc()
                    .Self()
                    .From(new[]
                    {
                        "https://*.in.applicationinsights.azure.com//v2/track",
                        "https://*.in.applicationinsights.azure.com/v2/track",
                        "https://js.monitor.azure.com/scripts/b/ai.config.1.cfg.json",
                        "https://*.google-analytics.com"
                    });
                cspBuilder.AddObjectSrc().None();
                cspBuilder.AddBlockAllMixedContent();
@@ -258,6 +263,33 @@
             });
     }
 
+    private static void AddDataProtectionServices(WebApplicationBuilder builder)
+    {
+        // Setup basic Data Protection and persist keys.xml to local file system
+        var dp = builder.Services.AddDataProtection();
+
+        // If a Key Vault Key URI is defined, expect to encrypt the keys.xml
+        var kvProtectionKeyUri = builder.Configuration.GetValue<string>("DataProtection:KeyVaultKey");
+        if (!string.IsNullOrWhiteSpace(kvProtectionKeyUri))
+        {
+            var kvProtectionPath = builder.Configuration.GetValue<string>("DataProtection:Path");
+
+            if (string.IsNullOrWhiteSpace(kvProtectionPath))
+            {
+                throw new InvalidOperationException("DataProtection:Path is undefined or empty");
+            }
+
+            var kvProtectionPathDir = new DirectoryInfo(kvProtectionPath);
+            if (!kvProtectionPathDir.Exists || kvProtectionPathDir.Attributes.HasFlag(FileAttributes.ReadOnly))
+            {
+                throw new ReadOnlyException($"DataProtection path '{kvProtectionPath}' cannot be written to");
+            }
+
+            dp.PersistKeysToFileSystem(kvProtectionPathDir);
+            dp.ProtectKeysWithAzureKeyVault(new Uri(kvProtectionKeyUri), new DefaultAzureCredential());
+        }
+    }
+
     private static void ReconfigureLogging(WebApplicationBuilder builder)
     {
         if (builder.Environment.IsLocalDevelopment() || builder.Environment.IsContinuousIntegration())

@@ -40,5 +40,9 @@
   },
   "FeatureManagement": {
     "TestFlag": false
+  },
+  "DataProtection": {
+    "KeyVaultKey": "",
+    "Path": "srv/app/storage"
   }
 }
@@ -141,6 +141,7 @@ No providers.
 |------|--------|---------|
 | <a name="module_azure_container_apps_hosting"></a> [azure\_container\_apps\_hosting](#module\_azure\_container\_apps\_hosting) | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | v1.11.0 |
 | <a name="module_azurerm_key_vault"></a> [azurerm\_key\_vault](#module\_azurerm\_key\_vault) | github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars | v0.4.2 |
+| <a name="module_data_protection"></a> [data\_protection](#module\_data\_protection) | github.com/DFE-Digital/terraform-azurerm-aspnet-data-protection | v1.1.0 |
 | <a name="module_statuscake-tls-monitor"></a> [statuscake-tls-monitor](#module\_statuscake-tls-monitor) | github.com/dfe-digital/terraform-statuscake-tls-monitor | v0.1.4 |
 
 ## Resources
@@ -184,6 +185,7 @@ No resources.
 | <a name="input_dns_zone_domain_name"></a> [dns\_zone\_domain\_name](#input\_dns\_zone\_domain\_name) | DNS zone domain name. If created, records will automatically be created to point to the CDN. | `string` | n/a | yes |
 | <a name="input_enable_cdn_frontdoor"></a> [enable\_cdn\_frontdoor](#input\_enable\_cdn\_frontdoor) | Enable Azure CDN FrontDoor. This will use the Container Apps endpoint as the origin. | `bool` | `false` | no |
 | <a name="input_enable_cdn_frontdoor_health_probe"></a> [enable\_cdn\_frontdoor\_health\_probe](#input\_enable\_cdn\_frontdoor\_health\_probe) | Enable CDN Front Door health probe | `bool` | n/a | yes |
+| <a name="input_enable_container_app_file_share"></a> [enable\_container\_app\_file\_share](#input\_enable\_container\_app\_file\_share) | Create an Azure Storage Account and File Share to be mounted to the Container Apps | `bool` | n/a | yes |
 | <a name="input_enable_container_health_probe"></a> [enable\_container\_health\_probe](#input\_enable\_container\_health\_probe) | Enable liveness probes for the Container | `bool` | `true` | no |
 | <a name="input_enable_container_registry"></a> [enable\_container\_registry](#input\_enable\_container\_registry) | Set to true to create a container registry | `bool` | n/a | yes |
 | <a name="input_enable_dns_zone"></a> [enable\_dns\_zone](#input\_enable\_dns\_zone) | Conditionally create a DNS zone | `bool` | n/a | yes |

@@ -70,6 +70,8 @@ module "azure_container_apps_hosting" {
   monitor_email_receivers      = local.monitor_email_receivers
   monitor_endpoint_healthcheck = local.monitor_endpoint_healthcheck
 
+  enable_container_app_file_share = local.enable_container_app_file_share
+
   existing_logic_app_workflow                  = local.existing_logic_app_workflow
   existing_network_watcher_name                = local.existing_network_watcher_name
   existing_network_watcher_resource_group_name = local.existing_network_watcher_resource_group_name

@@ -0,0 +1,12 @@
+module "data_protection" {
+  source = "github.com/DFE-Digital/terraform-azurerm-aspnet-data-protection?ref=v1.1.0"
+
+  data_protection_key_vault_assign_role                 = false
+  data_protection_key_vault_subnet_prefix               = "172.16.100.0/28"
+  data_protection_key_vault_access_ipv4                 = local.key_vault_access_ipv4
+  data_protection_resource_prefix                       = "${local.environment}${local.project_name}"
+  data_protection_azure_location                        = local.azure_location
+  data_protection_tags                                  = local.tags
+  data_protection_resource_group_name                   = module.azure_container_apps_hosting.azurerm_resource_group_default.name
+  data_protection_diagnostic_log_analytics_workspace_id = module.azure_container_apps_hosting.azurerm_log_analytics_workspace_container_app.id
+}
@@ -66,4 +66,5 @@ locals {
   statuscake_contact_group_name                   = var.statuscake_contact_group_name
   statuscake_contact_group_integrations           = var.statuscake_contact_group_integrations
   statuscake_contact_group_email_addresses        = var.statuscake_contact_group_email_addresses
+  enable_container_app_file_share                 = var.enable_container_app_file_share
 }
@@ -433,3 +433,8 @@ variable "statuscake_contact_group_email_addresses" {
   type        = list(string)
   default     = []
 }
+
+variable "enable_container_app_file_share" {
+  description = "Create an Azure Storage Account and File Share to be mounted to the Container Apps"
+  type        = bool
+}