diff --git a/aks/application/README.md b/aks/application/README.md index 7547993..6c8cbbc 100644 --- a/aks/application/README.md +++ b/aks/application/README.md @@ -3,7 +3,7 @@ Terraform code for deploying an application. ## Terraform documentation -For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs). +For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs.md). ## Usage diff --git a/aks/application_configuration/README.md b/aks/application_configuration/README.md index 0a05e34..de2112b 100644 --- a/aks/application_configuration/README.md +++ b/aks/application_configuration/README.md @@ -3,7 +3,7 @@ Terraform code for generating the application configuration. ## Terraform documentation -For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs). +For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs.md). ## Usage diff --git a/aks/cluster_data/README.md b/aks/cluster_data/README.md index 773d873..9160c77 100644 --- a/aks/cluster_data/README.md +++ b/aks/cluster_data/README.md @@ -3,7 +3,7 @@ Terraform module for managing information about the cluster. ## Terraform documentation -For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs). +For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs.md). ## Usage diff --git a/aks/dfe_analytics/README.md b/aks/dfe_analytics/README.md index c83b894..994fc8b 100644 --- a/aks/dfe_analytics/README.md +++ b/aks/dfe_analytics/README.md @@ -2,7 +2,7 @@ Create resources in Google cloud Bigquery and provides the required variables to applications so they can send events. ## Terraform documentation -For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs). +For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs.md). ## Usage ### Reuse existing dataset and events table diff --git a/aks/postgres/README.md b/aks/postgres/README.md index 6e0b722..7646220 100644 --- a/aks/postgres/README.md +++ b/aks/postgres/README.md @@ -3,7 +3,7 @@ Terraform code for deploying a PostgreSQL instance. ## Terraform documentation -For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs). +For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs.md). ## Usage diff --git a/aks/redis/README.md b/aks/redis/README.md index d404153..056c460 100644 --- a/aks/redis/README.md +++ b/aks/redis/README.md @@ -3,7 +3,7 @@ Terraform code for deploying a Redis instance. ## Terraform documentation -For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs). +For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs.md). ## Usage diff --git a/aks/secrets/README.md b/aks/secrets/README.md index bd5ecd4..38d0b46 100644 --- a/aks/secrets/README.md +++ b/aks/secrets/README.md @@ -3,7 +3,7 @@ Terraform code for extracting secrets from Azure Key Vaults. ## Terraform documentation -For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs). +For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs.md). ## Usage diff --git a/dns/Readme.md b/dns/Readme.md deleted file mode 100644 index 6eab579..0000000 --- a/dns/Readme.md +++ /dev/null @@ -1,89 +0,0 @@ -# DNS - -Terraform code for managing Azure DNS Zones and records. - -This is separated into two components - -- zones -- records - -This is becuase a zone will be created initially and then is unlikely to have changes made to it, -while records will be added or changed more frequently. - -# Zones - -There is one zone per service e.g. register, etc - -To create a new zone; - -- Add json files - - - dns/zones/workspace_variables/${zone}-zone.tfvars.json - - dns/zones/workspace_variables/backend_${zone}.tfvars - -- Add the zone to the Makefile - -- Create the containers in the storage account - - - ${zone}-dns-zone-tfstate - -- Run the make command (there is no workflow job for zone creation or update) - - - make ${zone} dnszone-plan - - make ${zone} dnszone-apply - -- Provide the NS records for delegation from service.gov.uk - - - see https://www.gov.uk/service-manual/technology/get-a-domain-name#choose-where-youll-host-your-dns - -Notes; - -- Any zone updates would be made by making changes to the tfvars json file and running a "make ${zone} plan/apply" - -Taking care that if this causes a zone creation the NS records may change and/or existing records may be deleted - -- Our DNS zones have extra txt and caa records to protect against spoofing and invalid certificates, as per - - - see https://www.gov.uk/guidance/protect-domains-that-dont-send-email - - see https://www.gov.uk/service-manual/technology/get-a-domain-name#set-up-security-certificates - -So we add the following 3 records to indicate we don't send mail from these domains, and use Amazon for certificates. - -- TXT record (for SPF) -``` -“v=spf1 -all” -``` - -- TXT record (for DMARC) -``` -"v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-rua@dmarc.service.gov.uk; ruf=mailto:dmarc-ruf@dmarc.service.gov.uk" -``` - -- CAA record -``` -0 issue "globalsign.com" -``` - -# Records - -There is a json configuration file per env per service e.g. register-qa, register-staging, etc - -To create (or update) records to an existing zone - -- Add (or update) a json file to - - - dns/records/workspace_variables/${zone}-${env}.tfvars.json - - dns/records/workspace_variables/backend_${zone}-${env}.tfvars (only on initial creation) - -- Create the containers in the storage account (only on initial creation) - - - ${zone}-${env}-dns-tfstate - -- Run the make command with DNS_ENV set to the environment you are adding records too - - - make ${zone} dnsrecord-plan DNS_ENV=${env} - - make ${zone} dnsrecord-apply DNS_ENV=${env} - - e.g. make register dnsrecord-plan DNS_ENV=qa - -Note; -- You should always check any changes via terraform plan before applying to make sure you are not making unintended changes. diff --git a/dns/records/data.tf b/dns/records/data.tf deleted file mode 100644 index c499070..0000000 --- a/dns/records/data.tf +++ /dev/null @@ -1,8 +0,0 @@ -# Zone - -data "azurerm_dns_zone" "dns_zone" { - for_each = var.hosted_zone - - name = each.key - resource_group_name = each.value.resource_group_name -} diff --git a/dns/records/readme.md b/dns/records/readme.md index 9f2df59..559add0 100644 --- a/dns/records/readme.md +++ b/dns/records/readme.md @@ -1,6 +1,51 @@ # DNS records -Terraform code for managing Azure DNS records. +Terraform code for managing Azure DNS records, currently A and CNAME records. ## Terraform documentation -For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs). +For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs.md). + +## Variable +```json +{ + "hosted_zone": { + "": { + "resource_group_name": "", # Usually the same resource group for all domains of a service + "a-records": { # List of A records + "": { + "target": "" + }, + ... + }, + "cnames": { # List of CNAME records + "": { + "target": "" + }, + ... + } + } + } +} +``` + +## Example +```json +{ + "hosted_zone": { + "teacherservices.cloud": { + "resource_group_name": "s189p01-tscdomains-rg", + "a-records": { + "test": { + "target": "51.52.53.54" + } + }, + "cnames": { + "_7008a420a798s7d6fs8df7": { + "target": "_9867w9ef698hery8.vnfitht.acm-validations.aws", + "ttl": 86400 + } + } + } + } +} +``` diff --git a/dns/records/tfdocs.md b/dns/records/tfdocs.md index f3ec2ed..ca14ba7 100644 --- a/dns/records/tfdocs.md +++ b/dns/records/tfdocs.md @@ -18,13 +18,12 @@ No modules. |------|------| | [azurerm_dns_a_record.a_records](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource | | [azurerm_dns_cname_record.cname_records](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_cname_record) | resource | -| [azurerm_dns_zone.dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [hosted\_zone](#input\_hosted\_zone) | n/a | `map(any)` | `{}` | no | +| [hosted\_zone](#input\_hosted\_zone) | List of zones and the records to create for each one. See [README](readme.md) for details. | `map(any)` | `{}` | no | ## Outputs diff --git a/dns/records/variables.tf b/dns/records/variables.tf index ad63e54..e3636be 100644 --- a/dns/records/variables.tf +++ b/dns/records/variables.tf @@ -1,4 +1,5 @@ variable "hosted_zone" { - type = map(any) - default = {} + type = map(any) + default = {} + description = "List of zones and the records to create for each one. See [README](readme.md) for details." } diff --git a/dns/zones/readme.md b/dns/zones/readme.md index 7c24d01..a60337c 100644 --- a/dns/zones/readme.md +++ b/dns/zones/readme.md @@ -1,6 +1,42 @@ # DNS Zones -Terraform code for managing Azure DNS Zones. +Terraform code for managing Azure DNS Zones and their default CAA and TXT records. ## Terraform documentation -For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs). +For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs.md). + +## Variable +```json +{ + "hosted_zone": { + "": { + "resource_group_name": "", # Usually the same resource group for all domains of a service + "caa_record_list": ["xxx", ...], # CAA list valid domains for generating TLS certificates + "txt_record_lists": { # Additional TXT records + "": ["x=y", ...] + } + } + } +} +``` + +## Example +```json +{ + "hosted_zone": { + "teacherservices.cloud": { + "resource_group_name": "s189p01-tscdomains-rg", + "caa_record_list": [ + "globalsign.com", + "digicert.com" + ], + "txt_record_lists": { + "@": [ + "v=spf1 -all", + "_globalsign-domain-verification=XXXX" + ] + } + } + } +} +``` diff --git a/dns/zones/tfdocs.md b/dns/zones/tfdocs.md index 4bfe427..0b74ab0 100644 --- a/dns/zones/tfdocs.md +++ b/dns/zones/tfdocs.md @@ -26,8 +26,8 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [hosted\_zone](#input\_hosted\_zone) | n/a | `map(any)` | `{}` | no | -| [tags](#input\_tags) | n/a | `any` | `null` | no | +| [hosted\_zone](#input\_hosted\_zone) | List of zones and their properties. See [README](readme.md) for details. | `map(any)` | `{}` | no | +| [tags](#input\_tags) | Azure resource tags. Deprecated: set tags at resource group level | `any` | `null` | no | ## Outputs diff --git a/dns/zones/variables.tf b/dns/zones/variables.tf index 1b1f5aa..bda9118 100644 --- a/dns/zones/variables.tf +++ b/dns/zones/variables.tf @@ -1,9 +1,10 @@ - variable "hosted_zone" { - type = map(any) - default = {} + type = map(any) + default = {} + description = "List of zones and their properties. See [README](readme.md) for details." } variable "tags" { - default = null + default = null + description = "Azure resource tags. Deprecated: set tags at resource group level" } diff --git a/domains/environment_domains/README.md b/domains/environment_domains/README.md index 4396bef..0b98cb0 100644 --- a/domains/environment_domains/README.md +++ b/domains/environment_domains/README.md @@ -3,4 +3,4 @@ Create domains for each environment in the [domains infrastructure](../infrastructure/). Generates the DNS records as well as front door domain, endpoint, route, origin, redirect rules... ## Terraform documentation -For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs). +For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs.md). diff --git a/domains/infrastructure/README.md b/domains/infrastructure/README.md index 020ea19..886ac7c 100644 --- a/domains/infrastructure/README.md +++ b/domains/infrastructure/README.md @@ -3,4 +3,18 @@ Create DNS zone, front door and the default DNS records that will be used to support the service domains of each environment, using the [environment_domains module](../environment_domains/README). ## Terraform documentation -For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs). +For the list of requirement, inputs, outputs, resources... check the [terraform module documentation](tfdocs.md). + +## Azure Front Door Diagnostics Log Query +When monitoring is enabled, front door logs are available for query in the Log analytics workspace. +For example, this query filters logs for client requests that returned HTTP status codes of 400 or above, groups these error requests by the host, path, HTTP status code, and resource ID, and then counts them. + +```kql +AzureDiagnostics +| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog" +| where isReceivedFromClient_b == true +| where toint(httpStatusCode_s) >= 400 +| extend ParsedUrl = parseurl(requestUri_s) +| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), StatusCode = httpStatusCode_s, ResourceId +| order by RequestCount desc +``` diff --git a/domains/infrastructure/diagnostics.md b/domains/infrastructure/diagnostics.md deleted file mode 100644 index accd9b7..0000000 --- a/domains/infrastructure/diagnostics.md +++ /dev/null @@ -1,18 +0,0 @@ -# Azure Front Door Diagnostics Log Query - -The script filters logs for client requests that returned HTTP status codes of 400 or above, groups these error requests by the host, path, HTTP status code, and resource ID, and then counts them. - -## KQL Script - -- run the script below or choose one of the auto generated ones from {frontdoor-name}-> logs -> query editor -- once enabled this diagnostis will be set against the frontdoor which sin with in our production subscription - - -```kql -AzureDiagnostics -| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog" -| where isReceivedFromClient_b == true -| where toint(httpStatusCode_s) >= 400 -| extend ParsedUrl = parseurl(requestUri_s) -| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), StatusCode = httpStatusCode_s, ResourceId -| order by RequestCount desc