
PUB-2269 Update OTP APIM #399

Merged
merged 11 commits into from
Jan 24, 2024
14 changes: 1 addition & 13 deletions infrastructure/data.tf
Expand Up @@ -19,18 +19,6 @@ data "azurerm_key_vault" "kv" {

data "azurerm_key_vault_secret" "data_client_id" {
count = local.deploy_apim
name = "app-pip-data-management-id"
key_vault_id = data.azurerm_key_vault.kv.id
}

data "azurerm_key_vault_secret" "data_client_pwd" {
count = local.deploy_apim
name = "app-pip-data-management-pwd"
key_vault_id = data.azurerm_key_vault.kv.id
}

data "azurerm_key_vault_secret" "data_client_scope" {
count = local.deploy_apim
name = "app-pip-${var.component}-scope"
name = "app-pip-apim-admin-id"
key_vault_id = data.azurerm_key_vault.kv.id
}
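Review bot: `data_client_id` keeps its resource name but now reads the `app-pip-apim-admin-id` secret, so the name no longer tells a reader what the value is or where it ends up; a comment on the block such as `# Application (client) ID of the APIM admin app registration; spliced into the policy XML as the JWT audience and token-request client_id (an identifier, not a credential)` would close that gap. The deleted `data_client_pwd` and `data_client_scope` sources are not referenced in any visible hunk, yet api-policy.xml still reads `context.Variables["clientSecret"]` and `["scope"]`, so those values presumably arrive from named values or policy lines outside this diff — worth confirming nothing elsewhere still addresses the removed data sources. Note that the azurerm provider marks `value` on this data source as sensitive, which every local built from it in tf-apim-api.tf and tf-apim-operations.tf will inherit.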
2 changes: 1 addition & 1 deletion infrastructure/resources/api-policy/api-policy.xml
Expand Up @@ -29,7 +29,7 @@
<value>application/x-www-form-urlencoded</value>
</set-header>
<set-body>@{
return "client_id=" + (string)context.Variables["clientId"] + "&scope=" + (string)context.Variables["scope"] + "/.default&client_secret=" + (string)context.Variables["clientSecret"] + "&grant_type=client_credentials";
return "client_id={CLIENT_ID}&scope=" + (string)context.Variables["scope"] + "/.default&client_secret=" + (string)context.Variables["clientSecret"] + "&grant_type=client_credentials";
}</set-body>
</send-request>
<set-variable name="pipAuthToken" value="@("Bearer " + (String)((IResponse)context.Variables["bearerToken"]).Body.As<JObject>()["access_token"])" />
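Review bot: The new `set-body` line bakes `{CLIENT_ID}` into the C# string at deploy time, and the Terraform side substitutes `""` when the data source has count 0, so a misconfigured deployment would send `client_id=&scope=...` to the token endpoint and only surface as an opaque 400 at request time rather than at plan time; a Terraform-side check that the substituted ID is non-empty when APIM is deployed would catch that earlier. On the same line, `clientSecret` and `scope` are concatenated raw into an `application/x-www-form-urlencoded` body; wrapping each in `System.Net.WebUtility.UrlEncode(...)` (if permitted by the policy expression allowlist) keeps the request valid should a rotated secret ever contain `&`, `+` or `%`. The enclosing `<inbound>`/`send-request` block starts and ends outside the hunk.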
11 changes: 1 addition & 10 deletions infrastructure/resources/operation-policies/sendOtpEmail.xml
@@ -1,18 +1,9 @@
<policies>
<inbound>
<send-request ignore-error="false" timeout="20" response-variable-name="pipApimClientId" mode="new">
<set-url>https://pip-ss-kv-{ENV}.vault.azure.net/secrets/app-pip-apim-admin-id/?api-version=7.0</set-url>
<set-method>GET</set-method>
<authentication-managed-identity resource="https://vault.azure.net" />
</send-request>
<set-variable name="clientId" value="@{
var secret = ((IResponse)context.Variables["pipApimClientId"]).Body.As<JObject>();
return secret["value"].ToString();
}" />
<validate-jwt token-value="@((String)context.Request.Body.As<JObject>(preserveContent: true)["bearer"])" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
<openid-config url="https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration" />
<audiences>
<audience>@((string)context.Variables["clientId"])</audience>
<audience>{CLIENT_ID}</audience>
</audiences>
<issuers>
<issuer>https://login.microsoftonline.com/{TENANT_ID}/v2.0</issuer>
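Review bot: The expected audience is now fixed at deploy time (`<audience>{CLIENT_ID}</audience>`) instead of being fetched from Key Vault per request, so changing the admin app registration ID in Key Vault alone no longer takes effect until the next Terraform apply — that operational change deserves a comment in the policy, e.g. `<!-- {CLIENT_ID} is substituted by Terraform from the app-pip-apim-admin-id Key Vault secret; a new ID requires a redeploy -->`. The Terraform substitution also falls back to an empty string, which would leave an empty `<audience></audience>` here; I would expect validate-jwt to then reject every token, but that is inferred and worth confirming so the failure mode is a deliberate deny rather than a surprise. The same points apply to welcome.xml.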
11 changes: 1 addition & 10 deletions infrastructure/resources/operation-policies/welcome.xml
@@ -1,18 +1,9 @@
<policies>
<inbound>
<send-request ignore-error="false" timeout="20" response-variable-name="pipApimClientId" mode="new">
<set-url>https://pip-ss-kv-{ENV}.vault.azure.net/secrets/app-pip-apim-admin-id/?api-version=7.0</set-url>
<set-method>GET</set-method>
<authentication-managed-identity resource="https://vault.azure.net" />
</send-request>
<set-variable name="clientId" value="@{
var secret = ((IResponse)context.Variables["pipApimClientId"]).Body.As<JObject>();
return secret["value"].ToString();
}" />
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Access denied due to invalid OAuth information">
<openid-config url="https://login.microsoftonline.com/{TENANT_ID}/.well-known/openid-configuration" />
<audiences>
<audience>@((string)context.Variables["clientId"])</audience>
<audience>{CLIENT_ID}</audience>
</audiences>
<issuers>
<issuer>https://login.microsoftonline.com/{TENANT_ID}/v2.0</issuer>
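Review bot: The `openid-config` URL on the new side, `https://login.microsoftonline.com/{TENANT_ID}/.well-known/openid-configuration`, is the v1.0 metadata document, while the `<issuer>` below and the sendOtpEmail.xml policy in this same PR use the `/v2.0` endpoint. Validation likely still passes because the explicit issuer list overrides the metadata issuer and both documents publish the same signing keys, but the two operation policies should agree: `<openid-config url="https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration" />`. The audience and redeploy-on-rotation remarks made on sendOtpEmail.xml apply here unchanged.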
6 changes: 4 additions & 2 deletions infrastructure/tf-apim-api.tf
@@ -1,8 +1,10 @@
locals {
apim_api_name = "${var.product}-${var.component}-api"
api_policy_raw = file("./resources/api-policy/api-policy.xml")
api_policy = replace(replace(local.api_policy_raw, "{TENANT_ID}", data.azurerm_client_config.current.tenant_id)
, "{ENV}", local.env)
api_policy = replace(replace(replace(local.api_policy_raw,
"{TENANT_ID}", data.azurerm_client_config.current.tenant_id),
"{CLIENT_ID}", length(data.azurerm_key_vault_secret.data_client_id) > 0 ? data.azurerm_key_vault_secret.data_client_id[0].value : ""),
"{ENV}", local.env)
}
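Review bot: The `{CLIENT_ID}` expression `length(data.azurerm_key_vault_secret.data_client_id) > 0 ? data.azurerm_key_vault_secret.data_client_id[0].value : ""` is duplicated verbatim in tf-apim-operations.tf; hoisting it into one local, e.g. `apim_client_id = length(data.azurerm_key_vault_secret.data_client_id) > 0 ? nonsensitive(data.azurerm_key_vault_secret.data_client_id[0].value) : ""`, and referencing `local.apim_client_id` from both files keeps the two from drifting. The `nonsensitive()` wrapper matters because the provider flags the secret `value` as sensitive, so `local.api_policy` inherits that and the whole policy XML shows as `(sensitive value)` in plans, hiding future policy edits from review even though an application ID is not a credential. A short comment on the local stating that the substituted value is an app (client) ID rather than a secret would document why unmasking it is acceptable.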

module "apim_api" {
5 changes: 3 additions & 2 deletions infrastructure/tf-apim-operations.tf
Expand Up @@ -4,8 +4,9 @@ locals {
for operation_policies_file in local.operation_policies_files :
basename(operation_policies_file) => {
operation_id = replace(basename(operation_policies_file), ".xml", "")
xml_content = replace(replace(file("${path.module}/${operation_policies_file}"), "{TENANT_ID}", data.azurerm_client_config.current.tenant_id)
, "{ENV}", local.env)
xml_content = replace(replace(file("${path.module}/${operation_policies_file}"),
"{TENANT_ID}", data.azurerm_client_config.current.tenant_id),
"{CLIENT_ID}", length(data.azurerm_key_vault_secret.data_client_id) > 0 ? data.azurerm_key_vault_secret.data_client_id[0].value : "")
}
}
}
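Review bot: The rewritten `xml_content` drops the `"{ENV}", local.env` replacement that the old expression applied, so every file in `local.operation_policies_files` now ships with a literal `{ENV}` if it still contains the placeholder. The two policies edited in this PR no longer need it because their Key Vault URLs were removed, but the loop covers the whole directory and other policy files are not visible here; unless all of them have been checked, keep the outer `replace(..., "{ENV}", local.env)` as tf-apim-api.tf still does. As noted on tf-apim-api.tf, the client-ID ternary is duplicated between the two files and would be better as a single shared local. The enclosing `locals` block starts outside the hunk.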