PAY-6706: New CFT APIM Migration #591

davejones74 · 2024-07-26T19:24:06Z

Jira link (if applicable)

https://tools.hmcts.net/jira/browse/PAY-6706

Change description

New APIM API Migration including updated API Policy for app-gateway and exela self certs."

Checklist

commit messages are meaningful and follow good commit message guidelines
README and other documentation has been updated / added (if needed)
tests have been updated / new tests has been added (if needed)
Does this PR introduce a breaking change

hmcts-jenkins-a-to-c · 2024-07-26T19:31:24Z

Plan Result (aat)

Plan: 0 to add, 4 to change, 0 to destroy.

Update
- azurerm_api_management_subscription.fee_pay_team_fee_register_subscription
- azurerm_api_management_subscription.liberata_supplier_fee_register_subscription
- module.cft_api_mgmt_api.azurerm_api_management_api.api
- module.cft_api_mgmt_policy.azurerm_api_management_api_policy.api_policy

Change Result (Click me)

  # azurerm_api_management_subscription.fee_pay_team_fee_register_subscription will be updated in-place
  ~ resource "azurerm_api_management_subscription" "fee_pay_team_fee_register_subscription" {
      ~ allow_tracing       = false -> true
        id                  = "/subscriptions/96c274ce-846d-4e48-89a7-d528432298a7/resourceGroups/cft-aat-network-rg/providers/Microsoft.ApiManagement/service/cft-api-mgmt-stg/subscriptions/7a413a4b-70fd-43ae-891f-781fb1b54508"
        # (10 unchanged attributes hidden)
    }

  # azurerm_api_management_subscription.liberata_supplier_fee_register_subscription will be updated in-place
  ~ resource "azurerm_api_management_subscription" "liberata_supplier_fee_register_subscription" {
      ~ allow_tracing       = false -> true
        id                  = "/subscriptions/96c274ce-846d-4e48-89a7-d528432298a7/resourceGroups/cft-aat-network-rg/providers/Microsoft.ApiManagement/service/cft-api-mgmt-stg/subscriptions/1b28771a-f1bf-484a-b7f6-ead7cc86407f"
        # (10 unchanged attributes hidden)
    }

  # module.cft_api_mgmt_api.azurerm_api_management_api.api will be updated in-place
  ~ resource "azurerm_api_management_api" "api" {
        id                    = "/subscriptions/96c274ce-846d-4e48-89a7-d528432298a7/resourceGroups/cft-aat-network-rg/providers/Microsoft.ApiManagement/service/cft-api-mgmt-stg/apis/feeregister-api;rev=1"
        name                  = "feeregister-api"
      ~ protocols             = [
          + "http",
            # (1 unchanged element hidden)
        ]
        # (17 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.cft_api_mgmt_policy.azurerm_api_management_api_policy.api_policy will be updated in-place
  ~ resource "azurerm_api_management_api_policy" "api_policy" {
        id                  = "/subscriptions/96c274ce-846d-4e48-89a7-d528432298a7/resourceGroups/cft-aat-network-rg/providers/Microsoft.ApiManagement/service/cft-api-mgmt-stg/apis/feeregister-api"
      ~ xml_content         = <<-EOT
          - <policies>
          - 	<backend>
          - 		<base />
          - 	</backend>
          - 	<inbound>
          - 		<base />
          - 		<choose>
          - 			<when condition="@(context.Request.Headers["X-ARR-ClientCertThumbprint"] == null)">
          - 				<return-response>
          - 					<set-status code="401" />
          - 					<set-body>Missing client certificate</set-body>
          - 				</return-response>
          - 			</when>
          - 			<when condition="@(!(new string[] {&quot;B1BF8007527F85085D7C4A3DC406A9A6D124D721&quot;,&quot;E5F54E7BA2B780E2B1B1FFAC68F801251935BE80&quot;,&quot;B9D9E70AC23EAF8EA094F6B59EF77FF77D977CBE&quot;,&quot;D36AC5686200258AE7C03CCCA70E14B69C17F94B&quot;}.Any(c => context.Request.Headers.ContainsKey(&quot;X-ARR-ClientCertThumbprint&quot;) && context.Request.Headers[&quot;X-ARR-ClientCertThumbprint&quot;].Contains(c))))">
          - 				<return-response>
          - 					<set-status code="401" />
          - 					<set-body>Invalid client certificate</set-body>
          - 				</return-response>
          - 			</when>
          - 			<when condition="@(context.Request.Certificate == null || context.Request.Certificate.NotAfter < DateTime.Now || context.Request.Certificate.NotBefore > DateTime.Now || !(new string[] {&quot;B1BF8007527F85085D7C4A3DC406A9A6D124D721&quot;,&quot;E5F54E7BA2B780E2B1B1FFAC68F801251935BE80&quot;,&quot;B9D9E70AC23EAF8EA094F6B59EF77FF77D977CBE&quot;,&quot;D36AC5686200258AE7C03CCCA70E14B69C17F94B&quot;}.Any(c => c == context.Request.Certificate.Thumbprint)))">
          - 				<return-response>
          - 					<set-status code="401" reason="Invalid client certificate. Please check expiry." />
          - 				</return-response>
          - 			</when>
          - 		</choose>
          - 	</inbound>
          - 	<outbound>
          - 		<base />
          - 	</outbound>
          - 	<on-error>
          - 		<base />
          - 	</on-error>
          + <policies>
          +   <backend>
          +     <base/>
          +   </backend>
          +   <inbound>
          +     <base/>
          +     <choose>
          +       <when condition="@(context.Request.Headers["X-ARR-ClientCertThumbprint"] == null)">
          +         <return-response>
          +           <set-status code="401" />
          +           <set-body>Missing client certificate.</set-body>
          +         </return-response>
          +       </when>
          +       <when condition="@(!(new string[] {&quot;B1BF8007527F85085D7C4A3DC406A9A6D124D721&quot;,&quot;E5F54E7BA2B780E2B1B1FFAC68F801251935BE80&quot;,&quot;B9D9E70AC23EAF8EA094F6B59EF77FF77D977CBE&quot;,&quot;D36AC5686200258AE7C03CCCA70E14B69C17F94B&quot;}.Contains(context.Request.Headers[&quot;X-ARR-ClientCertThumbprint&quot;].First().ToUpperInvariant())))">
          +         <return-response>
          +           <set-status code="401" />
          +           <set-body>Invalid client certificate.</set-body>
          +         </return-response>
          +       </when>
          + <!--      <when condition="@(context.Request.Certificate == null || context.Request.Certificate.NotAfter < DateTime.Now || context.Request.Certificate.NotBefore > DateTime.Now || !(new string[] {&quot;B1BF8007527F85085D7C4A3DC406A9A6D124D721&quot;,&quot;E5F54E7BA2B780E2B1B1FFAC68F801251935BE80&quot;,&quot;B9D9E70AC23EAF8EA094F6B59EF77FF77D977CBE&quot;,&quot;D36AC5686200258AE7C03CCCA70E14B69C17F94B&quot;}.Any(c => c == context.Request.Certificate.Thumbprint)))" >-->
          + <!--        <return-response>-->
          + <!--          <set-status code="401" />-->
          + <!--          <set-body>Invalid client certificate. Please check expiry.</set-body>-->
          + <!--        </return-response>-->
          + <!--      </when>-->
          +     </choose>
          +   </inbound>
          +   <outbound>
          +     <base/>
          + </outbound>
          +   <on-error>
          +     <base/>
          +   </on-error>
            </policies>
        EOT
        # (3 unchanged attributes hidden)
    }

Plan: 0 to add, 4 to change, 0 to destroy.

hmcts-jenkins-a-to-c · 2024-07-26T19:32:01Z

Plan Result (prod)

Plan: 0 to add, 4 to change, 0 to destroy.

Update
- azurerm_api_management_subscription.fee_pay_team_fee_register_subscription
- azurerm_api_management_subscription.liberata_supplier_fee_register_subscription
- module.cft_api_mgmt_api.azurerm_api_management_api.api
- module.cft_api_mgmt_policy.azurerm_api_management_api_policy.api_policy

Change Result (Click me)

  # azurerm_api_management_subscription.fee_pay_team_fee_register_subscription will be updated in-place
  ~ resource "azurerm_api_management_subscription" "fee_pay_team_fee_register_subscription" {
      ~ allow_tracing       = false -> true
        id                  = "/subscriptions/8cbc6f36-7c56-4963-9d36-739db5d00b27/resourceGroups/cft-prod-network-rg/providers/Microsoft.ApiManagement/service/cft-api-mgmt-prod/subscriptions/e7275ccd-3c77-4a1e-abc1-e7238ca213f3"
        # (10 unchanged attributes hidden)
    }

  # azurerm_api_management_subscription.liberata_supplier_fee_register_subscription will be updated in-place
  ~ resource "azurerm_api_management_subscription" "liberata_supplier_fee_register_subscription" {
      ~ allow_tracing       = false -> true
        id                  = "/subscriptions/8cbc6f36-7c56-4963-9d36-739db5d00b27/resourceGroups/cft-prod-network-rg/providers/Microsoft.ApiManagement/service/cft-api-mgmt-prod/subscriptions/027a013b-1be4-4c13-9888-705b9e0d3982"
        # (10 unchanged attributes hidden)
    }

  # module.cft_api_mgmt_api.azurerm_api_management_api.api will be updated in-place
  ~ resource "azurerm_api_management_api" "api" {
        id                    = "/subscriptions/8cbc6f36-7c56-4963-9d36-739db5d00b27/resourceGroups/cft-prod-network-rg/providers/Microsoft.ApiManagement/service/cft-api-mgmt-prod/apis/feeregister-api;rev=1"
        name                  = "feeregister-api"
      ~ protocols             = [
          + "http",
            # (1 unchanged element hidden)
        ]
        # (17 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # module.cft_api_mgmt_policy.azurerm_api_management_api_policy.api_policy will be updated in-place
  ~ resource "azurerm_api_management_api_policy" "api_policy" {
        id                  = "/subscriptions/8cbc6f36-7c56-4963-9d36-739db5d00b27/resourceGroups/cft-prod-network-rg/providers/Microsoft.ApiManagement/service/cft-api-mgmt-prod/apis/feeregister-api"
      ~ xml_content         = <<-EOT
          - <policies>
          - 	<backend>
          - 		<base />
          - 	</backend>
          - 	<inbound>
          - 		<base />
          - 		<choose>
          - 			<when condition="@(context.Request.Headers["X-ARR-ClientCertThumbprint"] == null)">
          - 				<return-response>
          - 					<set-status code="401" />
          - 					<set-body>Missing client certificate</set-body>
          - 				</return-response>
          - 			</when>
          - 			<when condition="@(!(new string[] {&quot;B9D9E70AC23EAF8EA094F6B59EF77FF77D977CBE&quot;,&quot;68EDF481C5394D65962E9810913455D3EC635FA5&quot;,&quot;B1BF8007527F85085D7C4A3DC406A9A6D124D721&quot;,&quot;B49BDDE7818B78058AC7401BE0284A40845031E3&quot;,&quot;C6E2FBAB5FED58FD86C10A3BD212CF44668FD1A3&quot;,&quot;7744A2F56BD3B73C0D7FED61309E1C65AF08538C&quot;}.Any(c => context.Request.Headers.ContainsKey(&quot;X-ARR-ClientCertThumbprint&quot;) && context.Request.Headers[&quot;X-ARR-ClientCertThumbprint&quot;].Contains(c))))">
          - 				<return-response>
          - 					<set-status code="401" />
          - 					<set-body>Invalid client certificate</set-body>
          - 				</return-response>
          - 			</when>
          - 			<when condition="@(context.Request.Certificate == null || context.Request.Certificate.NotAfter < DateTime.Now || context.Request.Certificate.NotBefore > DateTime.Now || !(new string[] {&quot;B9D9E70AC23EAF8EA094F6B59EF77FF77D977CBE&quot;,&quot;68EDF481C5394D65962E9810913455D3EC635FA5&quot;,&quot;B1BF8007527F85085D7C4A3DC406A9A6D124D721&quot;,&quot;B49BDDE7818B78058AC7401BE0284A40845031E3&quot;,&quot;C6E2FBAB5FED58FD86C10A3BD212CF44668FD1A3&quot;,&quot;7744A2F56BD3B73C0D7FED61309E1C65AF08538C&quot;}.Any(c => c == context.Request.Certificate.Thumbprint)))">
          - 				<return-response>
          - 					<set-status code="401" reason="Invalid client certificate. Please check expiry." />
          - 				</return-response>
          - 			</when>
          - 		</choose>
          - 	</inbound>
          - 	<outbound>
          - 		<base />
          - 	</outbound>
          - 	<on-error>
          - 		<base />
          - 	</on-error>
          + <policies>
          +   <backend>
          +     <base/>
          +   </backend>
          +   <inbound>
          +     <base/>
          +     <choose>
          +       <when condition="@(context.Request.Headers["X-ARR-ClientCertThumbprint"] == null)">
          +         <return-response>
          +           <set-status code="401" />
          +           <set-body>Missing client certificate.</set-body>
          +         </return-response>
          +       </when>
          +       <when condition="@(!(new string[] {&quot;B9D9E70AC23EAF8EA094F6B59EF77FF77D977CBE&quot;,&quot;68EDF481C5394D65962E9810913455D3EC635FA5&quot;,&quot;B1BF8007527F85085D7C4A3DC406A9A6D124D721&quot;,&quot;B49BDDE7818B78058AC7401BE0284A40845031E3&quot;,&quot;C6E2FBAB5FED58FD86C10A3BD212CF44668FD1A3&quot;,&quot;7744A2F56BD3B73C0D7FED61309E1C65AF08538C&quot;}.Contains(context.Request.Headers[&quot;X-ARR-ClientCertThumbprint&quot;].First().ToUpperInvariant())))">
          +         <return-response>
          +           <set-status code="401" />
          +           <set-body>Invalid client certificate.</set-body>
          +         </return-response>
          +       </when>
          + <!--      <when condition="@(context.Request.Certificate == null || context.Request.Certificate.NotAfter < DateTime.Now || context.Request.Certificate.NotBefore > DateTime.Now || !(new string[] {&quot;B9D9E70AC23EAF8EA094F6B59EF77FF77D977CBE&quot;,&quot;68EDF481C5394D65962E9810913455D3EC635FA5&quot;,&quot;B1BF8007527F85085D7C4A3DC406A9A6D124D721&quot;,&quot;B49BDDE7818B78058AC7401BE0284A40845031E3&quot;,&quot;C6E2FBAB5FED58FD86C10A3BD212CF44668FD1A3&quot;,&quot;7744A2F56BD3B73C0D7FED61309E1C65AF08538C&quot;}.Any(c => c == context.Request.Certificate.Thumbprint)))" >-->
          + <!--        <return-response>-->
          + <!--          <set-status code="401" />-->
          + <!--          <set-body>Invalid client certificate. Please check expiry.</set-body>-->
          + <!--        </return-response>-->
          + <!--      </when>-->
          +     </choose>
          +   </inbound>
          +   <outbound>
          +     <base/>
          + </outbound>
          +   <on-error>
          +     <base/>
          +   </on-error>
            </policies>
        EOT
        # (3 unchanged attributes hidden)
    }

Plan: 0 to add, 4 to change, 0 to destroy.

davejones74 added 3 commits July 24, 2024 16:53

Update to add http protocol support.

436187e

Update azurerm version.

71e36f7

Update API Policy and thumbprints.

f01558b

davejones74 changed the title ~~Pay 6706 new apim migration~~ PAY-6706: New CFT APIM Migration Jul 26, 2024

davejones74 requested a review from a team July 26, 2024 19:24

Updating Terraform Formatting

6885df3

hmcts-jenkins-a-to-c bot added the aat/add-or-update label Jul 26, 2024

hmcts-jenkins-a-to-c bot added the prod/add-or-update label Jul 26, 2024

hmcts-jenkins-a-to-c bot deployed to preview July 26, 2024 19:32 View deployment

hmcts-jenkins-a-to-c bot added ns:fees-pay prd:fees-register rel:fees-register-api-pr-591 labels Jul 26, 2024

hmcts-jenkins-a-to-c bot deployed to preview July 26, 2024 19:36 View deployment

Thor-tech-of-metal previously approved these changes Jul 29, 2024

View reviewed changes

Commented out expiry check.

e49a269

davejones74 dismissed Thor-tech-of-metal’s stale review via e49a269 July 29, 2024 17:54

hmcts-jenkins-a-to-c bot deployed to preview July 29, 2024 18:00 View deployment

davejones74 merged commit b9195c7 into master Jul 29, 2024
5 checks passed

davejones74 deleted the PAY-6706-New-APIM-Migration branch July 29, 2024 21:35

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

PAY-6706: New CFT APIM Migration #591

PAY-6706: New CFT APIM Migration #591

davejones74 commented Jul 26, 2024

hmcts-jenkins-a-to-c bot commented Jul 26, 2024 •

edited

Loading

hmcts-jenkins-a-to-c bot commented Jul 26, 2024 •

edited

Loading

PAY-6706: New CFT APIM Migration #591

PAY-6706: New CFT APIM Migration #591

Conversation

davejones74 commented Jul 26, 2024

Jira link (if applicable)

Change description

Checklist

hmcts-jenkins-a-to-c bot commented Jul 26, 2024 • edited Loading

Plan Result (aat)

hmcts-jenkins-a-to-c bot commented Jul 26, 2024 • edited Loading

Plan Result (prod)

hmcts-jenkins-a-to-c bot commented Jul 26, 2024 •

edited

Loading

hmcts-jenkins-a-to-c bot commented Jul 26, 2024 •

edited

Loading