Add active directory policy (#23)

* Add active directory policy * Update ad b2c uat info * Update b2c * Add new env var and policy (#32) * Add new env var and policy * Add ACS_BASE_URL * Add temp uat public dns zone (#33) * Add temp uat public dns zone * Add new env var and policy (#32) * Add new env var and policy * Add ACS_BASE_URL * Add temp uat public dns zone * tmp ignore Co-authored-by: pasqualedevita <> Co-authored-by: Matteo Gazzetta <matteo_gazzetta@hotmail.it> * Update also dev * Change UAT app_gateway_host_name (#35) * Fix l1 token upgrade (#34) * increase expiration time * Fix cors allowed headers * backed case sensitive * lower case * Add temp uat public dns zone (#33) * Add temp uat public dns zone * Add new env var and policy (#32) * Add new env var and policy * Add ACS_BASE_URL * Add temp uat public dns zone * tmp ignore Co-authored-by: pasqualedevita <> Co-authored-by: Matteo Gazzetta <matteo_gazzetta@hotmail.it> * Change UAT app_gateway_host_name (#35) * increase expiration time * Fix cors allowed headers * backed case sensitive * lower case * fix dns uat Co-authored-by: Pasquale De Vita <59291437+pasqualedevita@users.noreply.github.com> Co-authored-by: pasqualedevita <> * Add active directory policy * Update ad b2c uat info * Update b2c * Update also dev Co-authored-by: Pasquale De Vita <59291437+pasqualedevita@users.noreply.github.com> Co-authored-by: pasqualedevita <>
pagopa · May 12, 2021 · 4cc2d34 · 4cc2d34
1 parent 13e7404
commit 4cc2d34
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 9 deletions.
diff --git a/code/api.tf b/code/api.tf
@@ -408,7 +408,10 @@ module "apim_backoffice_api" {
 
   content_value = file("./backoffice_api/swagger.json")
 
-  xml_content = file("./backoffice_api/policy.xml")
+  xml_content = templatefile("./backoffice_api/policy.xml.tpl", {
+    openid_config_url = var.adb2c_openid_config_url
+    audience          = var.adb2c_audience
+  })
 }
 
 module "apim_spid_login_api" {

diff --git a/code/backoffice_api/policy.xml b/code/backoffice_api/policy.xml
diff --git a/code/backoffice_api/policy.xml.tpl b/code/backoffice_api/policy.xml.tpl
@@ -0,0 +1,17 @@
+<policies>
+  <inbound>
+    <base />
+    <validate-jwt header-name="Authorization" failed-validation-httpcode="401" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true" >
+      <openid-config url="${openid_config_url}" />
+      <audiences>
+        <audience>${audience}</audience>
+      </audiences>
+    </validate-jwt>
+    <set-header name="X-CGN-USER-ROLE" exists-action="override">
+      <value>ROLE_ADMIN</value>
+    </set-header>
+  </inbound>
+  <outbound>
+    <base />
+  </outbound>
+</policies>
diff --git a/code/variables.tf b/code/variables.tf
@@ -323,3 +323,14 @@ variable "enable_ade_aa_mock" {
   type    = bool
   default = false
 }
+
+## AD B2C
+variable "adb2c_openid_config_url" {
+  type        = string
+  description = "Azure AD B2C OpenID Connect metadata document"
+}
+
+variable "adb2c_audience" {
+  type        = string
+  description = "recipients that the JWT is intended for"
+}
diff --git a/vars/dev.tf b/vars/dev.tf
@@ -238,3 +238,19 @@ resource "tfe_variable" "dev_enable_ade_aa_mock" {
 }
 
 
+
+resource "tfe_variable" "dev_adb2c_openid_config_url" {
+  key          = "adb2c_openid_config_url"
+  value        = "https://testcgnportalbitrock.b2clogin.com/testcgnportalbitrock.onmicrosoft.com/B2C_1_LOGIN/v2.0/.well-known/openid-configuration"
+  category     = "terraform"
+  sensitive    = true
+  workspace_id = data.tfe_workspace.dev.id
+}
+
+resource "tfe_variable" "dev_adb2c_audience" {
+  key          = "adb2c_audience"
+  value        = "5f75f12e-b5a0-4656-b0ff-334bb9d4222f"
+  category     = "terraform"
+  sensitive    = true
+  workspace_id = data.tfe_workspace.dev.id
+}
diff --git a/vars/uat.tf b/vars/uat.tf
@@ -239,3 +239,19 @@ resource "tfe_variable" "uat_enable_ade_aa_mock" {
   category     = "terraform"
   workspace_id = data.tfe_workspace.uat.id
 }
+
+resource "tfe_variable" "uat_adb2c_openid_config_url" {
+  key          = "adb2c_openid_config_url"
+  value        = "https://cgnonboardingportaluat.b2clogin.com/cgnonboardingportaluat.onmicrosoft.com/B2C_1_login/v2.0/.well-known/openid-configuration"
+  category     = "terraform"
+  sensitive    = true
+  workspace_id = data.tfe_workspace.uat.id
+}
+
+resource "tfe_variable" "uat_adb2c_audience" {
+  key          = "adb2c_audience"
+  value        = "2416d411-9cbb-4d4c-a902-2570f031b9f0"
+  category     = "terraform"
+  sensitive    = true
+  workspace_id = data.tfe_workspace.uat.id
+}