diff --git a/manifests/cf-manifest/operations.d/710-rds-broker.yml b/manifests/cf-manifest/operations.d/710-rds-broker.yml
index 8a63c511a7..0543716067 100644
--- a/manifests/cf-manifest/operations.d/710-rds-broker.yml
+++ b/manifests/cf-manifest/operations.d/710-rds-broker.yml
@@ -3,9 +3,9 @@
 path: /releases/-
 value:
 name: rds-broker
- version: 1.55.0
- url: https://s3-eu-west-1.amazonaws.com/gds-paas-build-releases/rds-broker-1.55.0.tgz
- sha1: b58a7376431595e20ff2a3aa3acff9fff422dc57
+ version: 1.56.0
+ url: https://s3-eu-west-1.amazonaws.com/gds-paas-build-releases/rds-broker-1.56.0.tgz
+ sha1: ce6bb398a79a8e59346db739ef1a858a7c44a5d4
 - type: replace
 path: /instance_groups/-
diff --git a/manifests/cf-manifest/operations.d/720-cdn-broker.yml b/manifests/cf-manifest/operations.d/720-cdn-broker.yml
index 559c1f05bc..088119c837 100644
--- a/manifests/cf-manifest/operations.d/720-cdn-broker.yml
+++ b/manifests/cf-manifest/operations.d/720-cdn-broker.yml
@@ -4,9 +4,9 @@
 path: /releases/-
 value:
 name: cdn-broker
- version: 0.1.54
- url: https://s3-eu-west-1.amazonaws.com/gds-paas-build-releases/cdn-broker-0.1.54.tgz
- sha1: e97a99e35400160fb09ed4129b57d129040d27ae
+ version: 0.0.1703150653
+ url: https://s3-eu-west-1.amazonaws.com/gds-paas-build-releases/cdn-broker-0.0.1703150653.tgz
+ sha1: 443c27ff4f6b2eca1b0449a18f05744a1ae6a9dd
 - type: replace
 path: /addons/name=loggregator_agent/exclude/jobs/-
@@ -32,9 +32,6 @@
 broker_username: "cdn-broker"
 broker_password: ((secrets_cdn_broker_admin_password))
 database_url: ((terraform_outputs_cdn_db_connection_string))
- email: "the-multi-cloud-paas-team@digital.cabinet-office.gov.uk"
- acme_url: "https://acme-v01.api.letsencrypt.org/directory"
- bucket: gds-paas-((environment))-cdn-broker-challenge
 iam_path_prefix: ((environment))-letsencrypt
 cloudfront_prefix: ((environment))-cdn
 aws_access_key_id: ""
@@ -45,6 +42,10 @@
 default_origin: ((terraform_outputs_cf_apps_domain))
 aws_region: "((terraform_outputs_region))"
 extra_request_headers: "x-cf-instanceid:x-paas-xff-auth-((waf_xff_auth_key))"
+ host: "0.0.0.0"
+ port: "443"
+ tls: ((secrets_cdn_broker_tls_cert))
+
 - name: cdn-cron
 release: cdn-broker
 properties: *cdn-broker-properties
@@ -56,3 +57,14 @@
 value:
 name: secrets_cdn_broker_admin_password
 type: password
+- type: replace
+ path: /variables/-
+ value:
+ name: secrets_cdn_broker_tls_cert
+ type: certificate
+ update_mode: converge
+ options:
+ ca: broker_tls_ca
+ common_name: "cdn-broker.service.cf.internal"
+ alternative_names:
+ - "cdn-broker.service.cf.internal"
diff --git a/platform-tests/broker-acceptance/cdn_broker_test.go b/platform-tests/broker-acceptance/cdn_broker_test.go
index bd5ab8949e..c6c818964b 100644
--- a/platform-tests/broker-acceptance/cdn_broker_test.go
+++ b/platform-tests/broker-acceptance/cdn_broker_test.go
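Review bot: The certificate requested for `secrets_cdn_broker_tls_cert` in the `/variables/-` hunk carries no `extended_key_usage`, so the leaf issued under `broker_tls_ca` is equally usable as a client certificate towards anything else that trusts that CA. Adding `extended_key_usage: [server_auth]` under `options` pins it to the listener role that the `tls:` property in the earlier hunk gives it. The names only cover `cdn-broker.service.cf.internal`, which works here only because a classic ELB does not verify the backend name unless a backend authentication policy is attached; a comment on the variable saying which clients are expected to verify this certificate would make that dependency explicit.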
@@ -88,16 +88,14 @@ var _ = Describe("CDN broker", func() {
 })
 It("refuses to create a CDN for a domain without a cf create-domain", func() {
+ orgName := testContext.TestSpace.OrganizationName()
 domainName := generator.PrefixedRandomName(testConfig.GetNamePrefix(), "cdn-broker") + ".net"
 domainNameList := fmt.Sprintf(`{"domain": "%s"}`, domainName)
 serviceInstanceName = generator.PrefixedRandomName(testConfig.GetNamePrefix(), "test-cdn")
- // best effort tidyup - we don't really care if these pass or fail.
- // currently this kind of failure doesn't actually stop the service
- // being "created".
- defer pollForServiceDeletionCompletion(serviceInstanceName)
- defer cf.Cf("delete-service", serviceInstanceName, "-f")
+ // purge as service-instance has not been successfully provisioned
+ defer serviceInstancePurge(serviceInstanceName, orgName)
 By("attempting to create a CDN instance: "+serviceInstanceName, func() {
 cf_create_service := cf.Cf("create-service", serviceName, serviceName, serviceInstanceName, "-c", domainNameList).Wait(testConfig.DefaultTimeoutDuration())
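Review bot: The deferred `serviceInstancePurge(serviceInstanceName, orgName)` replaces a deliberately best-effort tidy-up with one that asserts `Exit(0)` inside the helper in `init_test.go`, so if the broker rejection leaves no instance record behind, `purge-service-instance` fails with a not-found and an otherwise passing test fails in its cleanup. The removed comment said the instance does currently get recorded, but that is the behaviour the cdn-broker bump in this commit may change, so either the helper should tolerate a non-zero exit from the purge or the test should confirm the instance exists before purging. The same pattern appears in the "wrong ownership" hunk of this file. The enclosing `It` block continues past the hunk.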
@@ -107,17 +105,15 @@ var _ = Describe("CDN broker", func() {
 })
 It("refuses to create a CDN for a domain with wrong ownership", func() {
+ orgName := testContext.TestSpace.OrganizationName()
 domainName := generator.PrefixedRandomName(testConfig.GetNamePrefix(), "cdn-broker") + ".net"
 domainNameList := fmt.Sprintf(`{"domain": "%s"}`, domainName)
 serviceInstanceName = generator.PrefixedRandomName(testConfig.GetNamePrefix(), "test-cdn")
- // best effort tidyup - we don't really care if these pass or fail.
- // currently this kind of failure doesn't actually stop the service
- // being "created".
- defer pollForServiceDeletionCompletion(serviceInstanceName)
- defer cf.Cf("delete-domain", domainName, "-f")
- defer cf.Cf("delete-service", serviceInstanceName, "-f")
+ defer cf.Cf("delete-domain", altOrgName, domainName, "-f")
+ // purge as service-instance has not been successfully provisioned
+ defer serviceInstancePurge(serviceInstanceName, orgName)
 By("attempting to create a CDN instance: "+serviceInstanceName, func() {
 Expect(cf.Cf("create-domain", altOrgName, domainName).Wait(testConfig.DefaultTimeoutDuration())).To(Exit(0))
diff --git a/platform-tests/broker-acceptance/init_test.go b/platform-tests/broker-acceptance/init_test.go
index 794095a447..4d88058f2c 100644
--- a/platform-tests/broker-acceptance/init_test.go
+++ b/platform-tests/broker-acceptance/init_test.go
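Review bot: `defer cf.Cf("delete-domain", altOrgName, domainName, "-f")` passes two positional arguments, but as far as I know `cf delete-domain` takes only `DOMAIN` (the owning org is implied), so the CLI is likely to reject the usage; because this defer never checks the exit status, the private domain created a few lines later by `cf create-domain altOrgName domainName` would silently leak into that org and accumulate across runs. The removed line `defer cf.Cf("delete-domain", domainName, "-f")` had the right shape; if the intent was to run the deletion as a user who can see `altOrgName`, that is a targeting concern, not an extra argument. The enclosing `It` block continues past the hunk.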
@@ -181,6 +181,15 @@ func pollForServiceUnbound(dbInstanceName, boundAppName string) {
 fmt.Fprint(GinkgoWriter, "done\n")
 }
+func serviceInstancePurge(serviceInstanceName string, orgName string) {
+ workflowhelpers.AsUser(testContext.AdminUserContext(), testContext.ShortTimeout(), func() {
+ command := cf.Cf("target", "-o", orgName).Wait(testConfig.DefaultTimeoutDuration())
+ Expect(command).To(Exit(0))
+ command = cf.Cf("purge-service-instance", serviceInstanceName, "-f").Wait(testConfig.DefaultTimeoutDuration())
+ Expect(command).To(Exit(0))
+ })
+}
+
 type basicAuthRoundTripper struct {
 username string
 password string
diff --git a/terraform/cloudfoundry/cdn_broker.tf b/terraform/cloudfoundry/cdn_broker.tf
index 639c759219..3b582200d2 100644
--- a/terraform/cloudfoundry/cdn_broker.tf
+++ b/terraform/cloudfoundry/cdn_broker.tf
@@ -13,7 +13,7 @@ resource "aws_elb" "cdn_broker" {
 }
 health_check {
- target = "HTTP:3000/healthcheck/http"
+ target = "HTTPS:443/healthcheck/https"
 interval = var.health_check_interval
 timeout = var.health_check_timeout
 healthy_threshold = var.health_check_healthy
@@ -21,8 +21,8 @@ resource "aws_elb" "cdn_broker" {
 }
 listener {
- instance_port = 3000
- instance_protocol = "http"
+ instance_port = 443
+ instance_protocol = "https"
 lb_port = 443
 lb_protocol = "https"
 ssl_certificate_id = data.aws_acm_certificate.system.arn
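Review bot: `serviceInstancePurge` targets only the org (`cf target -o orgName`) before calling `purge-service-instance`, which resolves the instance name within the currently targeted space; unless the admin context already has a space set, or the org has a single space the CLI auto-selects, the lookup can fail and the deferred cleanup fails the calling test. Passing the space explicitly, `command := cf.Cf("target", "-o", orgName, "-s", testContext.TestSpace.SpaceName()).Wait(testConfig.DefaultTimeoutDuration())`, removes the dependency on ambient CLI state. The function also deserves a doc comment stating that it runs as admin and deliberately fails the test when the purge does not succeed, since callers use it in a `defer`.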
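Review bot: Switching the listener to `instance_protocol = "https"` encrypts the ELB-to-broker hop, but a classic ELB does not verify the backend certificate unless a backend server authentication policy is attached (an `aws_load_balancer_policy` of type `PublicKeyPolicyType` plus an `aws_load_balancer_backend_server_policy` of type `BackendServerAuthenticationPolicyType`), so the certificate the manifest issues from `broker_tls_ca` is never checked on this path and any certificate presented on port 443 is accepted. If that is the intended trust model, a comment on the `listener` block saying the backend certificate is unverified would stop the next reader from assuming otherwise; if not, the CA's public key should be pinned through that policy pair. The health check `HTTPS:443/healthcheck/https` is consistent with the new instance port; the `resource "aws_elb"` block ends outside the hunk.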
@@ -40,52 +40,6 @@ resource "aws_lb_ssl_negotiation_policy" "cdn_broker" {
 }
 }
-resource "aws_s3_bucket" "cdn_broker_bucket" {
- bucket = "gds-paas-${var.env}-cdn-broker-challenge"
- force_destroy = "true"
-}
-
-resource "aws_s3_bucket_public_access_block" "cdn_broker_bucket" {
- bucket = aws_s3_bucket.cdn_broker_bucket.id
-
- block_public_policy = false
-}
-
-resource "aws_s3_bucket_ownership_controls" "cdn_broker_bucket" {
- bucket = aws_s3_bucket.cdn_broker_bucket.id
- rule {
- object_ownership = "BucketOwnerPreferred"
- }
-}
-
-resource "aws_s3_bucket_acl" "cdn_broker_bucket" {
- bucket = aws_s3_bucket.cdn_broker_bucket.id
- acl = "private"
-
- depends_on = [aws_s3_bucket_ownership_controls.cdn_broker_bucket]
-}
-
-resource "aws_s3_bucket_policy" "cdn_broker_bucket" {
- bucket = aws_s3_bucket.cdn_broker_bucket.id
- policy = <