Add middleware to App Gateway (#458)

* Add middleware to app gateway

* fmt

* push middleware image to dev

* wip

* wip

* wip

* wip

* wrong image

* wrong image

* rm entrypoint

* try diff dockerfile fmt

* try diff dockerfile fmt

* try diff dockerfile fmt

* try diff dockerfile fmt

* try diff dockerfile fmt

* try diff dockerfile fmt

* try diff dockerfile fmt

* try diff dockerfile fmt

* try diff dockerfile fmt

* try diff dockerfile fmt

* try diff dockerfile fmt

* try diff dockerfile fmt

* try diff dockerfile fmt

* try diff dockerfile fmt

* try diff dockerfile fmt

* clean

* clean

* clean

---------

Co-authored-by: Administrator <[email protected]>

ops/terraform/main.tf

@@ -44,8 +44,9 @@ module "app_gateway" {
   tags          = local.management_tags
   env           = local.environment
 
-  fqdns      = module.ocr_api.app_hostname
-  depends_on = [module.networking, module.ocr_api]
+  fqdns_ocr        = module.ocr_api.app_hostname
+  fqdns_middleware = module.middleware_api.app_hostname
+  depends_on       = [module.networking, module.ocr_api, module.middleware_api]
 }
 
 module "storage" {
@@ -67,7 +68,12 @@ module "middleware_api" {
   resource_group = data.azurerm_resource_group.rg.name
   app_subnet_id  = module.networking.middlewaresubnet_id
 
+  app_settings = {
+    WEBSITES_PORT = "8081"
+  }
+
   lb_subnet_id = module.networking.lbsubnet_id
+  health_path = "/actuator/health"
   env          = local.environment
   vnet         = module.networking.network_name
   sku_name     = var.sku_name
@@ -82,6 +88,11 @@ module "ocr_api" {
   location       = data.azurerm_resource_group.rg.location
   resource_group = data.azurerm_resource_group.rg.name
   app_subnet_id  = module.networking.ocrsubnet_id
+
+  app_settings = {
+    WEBSITES_PORT = "8000"
+  }
+
   lb_subnet_id   = module.networking.middlewaresubnet_id
   env            = local.environment
   vnet           = module.networking.network_name

ops/terraform/modules/app_gateway/main.tf

@@ -10,21 +10,27 @@ resource "azurerm_public_ip" "lb-pip" {
 
 # since these variables are re-used - a locals block makes this more maintainable
 locals {
-  backend_address_pool_name_static = "${var.name}-${var.env}-beap-static"
-  backend_address_pool_name_api    = "${var.name}-${var.env}-beap-api"
-  frontend_port_name_api           = "${var.name}-${var.env}-feport-api"
-  frontend_port_name_static        = "${var.name}-${var.env}-feport-static"
-  frontend_ip_configuration_name   = "${var.name}-${var.env}-feip"
-  http_setting_name_static         = "${var.name}-${var.env}-be-htst-static"
-  http_setting_name_api            = "${var.name}-${var.env}-be-htst-api"
-  listener_name_static             = "${var.name}-${var.env}-httplstn-static"
-  listener_name_api                = "${var.name}-${var.env}-httplstn-api"
-  request_routing_rule_name_api    = "${var.name}-${var.env}-rqrt-api"
-  request_routing_rule_name_static = "${var.name}-${var.env}-rqrt-static"
-  redirect_configuration_name      = "${var.name}-${var.env}-rdrcfg"
-  static_probe_name_app            = "${var.name}-${var.env}-be-probe-app-static"
-  api_probe_name_app               = "${var.name}-${var.env}-be-probe-app-api"
-  redirect_rule                    = "${var.name}-${var.env}-redirect"
+  backend_address_pool_name_static         = "${var.name}-${var.env}-beap-static"
+  backend_address_pool_name_api_ocr        = "${var.name}-${var.env}-beap-api-ocr"
+  backend_address_pool_name_api_middleware = "${var.name}-${var.env}-beap-api-middleware"
+  frontend_port_name_api_ocr               = "${var.name}-${var.env}-feport-api-ocr"
+  frontend_port_name_api_middleware        = "${var.name}-${var.env}-feport-api-middleware"
+  frontend_port_name_static                = "${var.name}-${var.env}-feport-static"
+  frontend_ip_configuration_name           = "${var.name}-${var.env}-feip"
+  http_setting_name_static                 = "${var.name}-${var.env}-be-htst-static"
+  http_setting_name_api_ocr                = "${var.name}-${var.env}-be-htst-api-ocr"
+  http_setting_name_api_middleware         = "${var.name}-${var.env}-be-htst-api-middleware"
+  listener_name_static                     = "${var.name}-${var.env}-httplstn-static"
+  listener_name_api_ocr                    = "${var.name}-${var.env}-httplstn-api-ocr"
+  listener_name_api_middleware             = "${var.name}-${var.env}-httplstn-api-middleware"
+  request_routing_rule_name_api_ocr        = "${var.name}-${var.env}-rqrt-api-ocr"
+  request_routing_rule_name_api_middleware = "${var.name}-${var.env}-rqrt-api-middleware"
+  request_routing_rule_name_static         = "${var.name}-${var.env}-rqrt-static"
+  redirect_configuration_name              = "${var.name}-${var.env}-rdrcfg"
+  static_probe_name_app                    = "${var.name}-${var.env}-be-probe-app-static"
+  api_probe_name_app_ocr                   = "${var.name}-${var.env}-be-probe-app-api-ocr"
+  api_probe_name_app_middleware            = "${var.name}-${var.env}-be-probe-app-api-middleware"
+  redirect_rule                            = "${var.name}-${var.env}-redirect"
 }
 
 resource "azurerm_application_gateway" "load_balancer" {
@@ -35,7 +41,6 @@ resource "azurerm_application_gateway" "load_balancer" {
   sku {
     name     = "Standard_v2"
     tier     = "Standard_v2"
-    capacity = 2
   }
 
   gateway_ip_configuration {
@@ -72,23 +77,23 @@ resource "azurerm_application_gateway" "load_balancer" {
 
   # ------- OCR API -------------------------
   backend_address_pool {
-    name         = local.backend_address_pool_name_api
-    fqdns        = [var.fqdns]
+    name         = local.backend_address_pool_name_api_ocr
+    fqdns        = [var.fqdns_ocr]
     ip_addresses = var.ip_addresses
   }
 
   backend_http_settings {
-    name                                = local.http_setting_name_api
+    name                                = local.http_setting_name_api_ocr
     cookie_based_affinity               = "Disabled"
     port                                = 443
     protocol                            = "Https"
     request_timeout                     = 120
     pick_host_name_from_backend_address = true
-    probe_name                          = local.api_probe_name_app
+    probe_name                          = local.api_probe_name_app_ocr
   }
 
   probe {
-    name                                      = local.api_probe_name_app
+    name                                      = local.api_probe_name_app_ocr
     interval                                  = 30
     timeout                                   = 30
     unhealthy_threshold                       = 3
@@ -102,6 +107,38 @@ resource "azurerm_application_gateway" "load_balancer" {
     }
   }
 
+  # ------- Middleware API -------------------------
+  backend_address_pool {
+    name         = local.backend_address_pool_name_api_middleware
+    fqdns        = [var.fqdns_middleware]
+    ip_addresses = var.ip_addresses
+  }
+
+  backend_http_settings {
+    name                                = local.http_setting_name_api_middleware
+    cookie_based_affinity               = "Disabled"
+    port                                = 443
+    protocol                            = "Https"
+    request_timeout                     = 120
+    pick_host_name_from_backend_address = true
+    probe_name                          = local.api_probe_name_app_middleware
+  }
+
+  probe {
+    name                                      = local.api_probe_name_app_middleware
+    interval                                  = 30
+    timeout                                   = 30
+    unhealthy_threshold                       = 3
+    protocol                                  = "Https"
+    port                                      = 443
+    path                                      = "/actuator/health"
+    pick_host_name_from_backend_http_settings = true
+    match {
+      body        = "UP"
+      status_code = [200]
+    }
+  }
+
   # ------- Listeners -------------------------
   frontend_ip_configuration {
     name                 = local.frontend_ip_configuration_name
@@ -116,11 +153,19 @@ resource "azurerm_application_gateway" "load_balancer" {
   }
 
   http_listener {
-    name                           = local.listener_name_api
+    name                           = local.listener_name_api_ocr
+    frontend_ip_configuration_name = local.frontend_ip_configuration_name
+    frontend_port_name             = local.frontend_port_name_static
+    protocol                       = "Http"
+    host_names                     = [var.fqdns_ocr]
+  }
+
+  http_listener {
+    name                           = local.listener_name_api_middleware
     frontend_ip_configuration_name = local.frontend_ip_configuration_name
     frontend_port_name             = local.frontend_port_name_static
     protocol                       = "Http"
-    host_names                     = [var.fqdns]
+    host_names                     = [var.fqdns_middleware]
   }
 
   http_listener {
@@ -142,33 +187,48 @@ resource "azurerm_application_gateway" "load_balancer" {
   }
 
   request_routing_rule {
-    name                       = local.request_routing_rule_name_api
+    name                       = local.request_routing_rule_name_api_ocr
     priority                   = 100
     rule_type                  = "Basic"
-    http_listener_name         = local.listener_name_api
-    backend_address_pool_name  = local.backend_address_pool_name_api
-    backend_http_settings_name = local.http_setting_name_api
+    http_listener_name         = local.listener_name_api_ocr
+    backend_address_pool_name  = local.backend_address_pool_name_api_ocr
+    backend_http_settings_name = local.http_setting_name_api_ocr
   }
 
+  request_routing_rule {
+    name                       = local.request_routing_rule_name_api_middleware
+    priority                   = 150
+    rule_type                  = "Basic"
+    http_listener_name         = local.listener_name_api_middleware
+    backend_address_pool_name  = local.backend_address_pool_name_api_middleware
+    backend_http_settings_name = local.http_setting_name_api_middleware
+  }
 
   url_path_map {
     name                               = "${var.name}-${var.env}-urlmap"
     default_backend_address_pool_name  = local.backend_address_pool_name_static
     default_backend_http_settings_name = local.http_setting_name_static
-    default_rewrite_rule_set_name      = "${var.name}-routing"
+    default_rewrite_rule_set_name      = "${var.name}-middleware-routing"
 
     path_rule {
-      name                       = "api"
+      name                       = "ocr"
       paths                      = ["/ocr-api/*", "/ocr-api"]
-      backend_address_pool_name  = local.backend_address_pool_name_api
-      backend_http_settings_name = local.http_setting_name_api
+      backend_address_pool_name  = local.backend_address_pool_name_api_ocr
+      backend_http_settings_name = local.http_setting_name_api_ocr
       // this is the default, why would we set it again?
       // because if we don't do this we get 404s on API calls
-      rewrite_rule_set_name = "${var.name}-routing"
+      rewrite_rule_set_name = "${var.name}-ocr-routing"
+    }
+    path_rule {
+      name                       = "middleware"
+      paths                      = ["/middleware-api/*", "/middleware-api"]
+      backend_address_pool_name  = local.backend_address_pool_name_api_middleware
+      backend_http_settings_name = local.http_setting_name_api_middleware
+      rewrite_rule_set_name      = "${var.name}-middleware-routing"
     }
   }
   rewrite_rule_set {
-    name = "${var.name}-routing"
+    name = "${var.name}-ocr-routing"
 
     rewrite_rule {
       name          = "ocr-api-wildcard"
@@ -189,4 +249,32 @@ resource "azurerm_application_gateway" "load_balancer" {
       }
     }
   }
+
+  rewrite_rule_set {
+    name = "${var.name}-middleware-routing"
+
+    rewrite_rule {
+      name          = "middleware-api-wildcard"
+      rule_sequence = 101
+      condition {
+        ignore_case = true
+        negate      = false
+        pattern     = ".*middleware-api/(.*)"
+        variable    = "var_uri_path"
+      }
+
+      url {
+        path    = "/{var_uri_path_1}"
+        reroute = false
+        # Per documentation, we should be able to leave this pass-through out. See however
+        # https://github.com/terraform-providers/terraform-provider-azurerm/issues/11563
+        query_string = "{var_query_string}"
+      }
+    }
+  }
+
+  autoscale_configuration {
+    min_capacity = 0
+    max_capacity = 5
+  }
 }

ops/terraform/modules/app_gateway/outputs.tf

@@ -1,12 +1,3 @@
-output "fqdn" {
-  value = azurerm_public_ip.lb-pip.fqdn
-}
-
-output "app_gateway_hostname" {
-  value     = azurerm_application_gateway.load_balancer.id
-  sensitive = true
-}
-
 output "app_gateway_ip" {
   value = azurerm_public_ip.lb-pip.ip_address
 }

ops/terraform/modules/app_gateway/variables.tf

@@ -10,7 +10,9 @@ variable "zones" {
   default = ["1", "2", "3"]
 }
 
-variable "fqdns" {
+variable "fqdns_middleware" {
+}
+variable "fqdns_ocr" {
 }
 
 variable "ip_addresses" {

ops/terraform/modules/app_service/main.tf

@@ -1,7 +1,3 @@
-locals {
-  app_settings = merge(var.app_settings, { WEBSITES_PORT = "8000" })
-}
-
 resource "azurerm_service_plan" "asp" {
   name                = "${var.name}-${var.service}-appserviceplan-${var.env}"
   location            = var.location
@@ -18,15 +14,15 @@ resource "azurerm_linux_web_app" "linux_webapp" {
   service_plan_id           = azurerm_service_plan.asp.id
   virtual_network_subnet_id = var.app_subnet_id
 
-  app_settings = local.app_settings
+  app_settings = var.app_settings
 
   identity {
     type = "SystemAssigned"
   }
 
   site_config {
     always_on                         = "true"
-    health_check_path                 = "/"
+    health_check_path                 = var.health_path
     health_check_eviction_time_in_min = 5
     scm_minimum_tls_version           = "1.2"
     use_32_bit_worker                 = false

ops/terraform/modules/app_service/variables.tf

@@ -19,4 +19,7 @@ variable "app_settings" {
   type        = map(string)
   default     = {}
   description = "App Settings or environment variables to apply."
+}
+variable "health_path" {
+  default = "/"
 }