PAY-7103: Calculate the AMOUNT DUE and OVERPAYMENTS for ( Issue refun… #1670

Merged
merged 16 commits into from
Aug 22, 2024

Conversation

Thor-tech-of-metal
Contributor

PAY-7103: Calculate the AMOUNT DUE and OVERPAYMENTS for ( Issue refund and Remission-Refunds)
[PAY-7103](https://tools.hmcts.net/jira/browse/PAY-7103).

Thor-tech-of-metal and others added 5 commits July 15, 2024 15:20
…o PAY-7103-NEW

# Conflicts:
#	infrastructure/aat.tfvars
#	infrastructure/demo.tfvars
#	infrastructure/ithc.tfvars
#	infrastructure/perftest.tfvars
#	infrastructure/prod.tfvars
@hmcts-jenkins-a-to-c
Contributor

hmcts-jenkins-a-to-c bot commented Jul 15, 2024

Plan Result (aat)

⚠️ Resource Deletion will happen

This plan contains resource delete operation. Please check the plan result very carefully!

Plan: 3 to add, 9 to change, 3 to destroy.
  • Create
    • azurerm_key_vault_secret.fee_pay_team_bulk_scan_subscription_key
  • Update
    • azurerm_api_management_subscription.fee_pay_team_telephony_subscription
    • azurerm_api_management_subscription.pcipal_supplier_subscription
    • azurerm_key_vault_secret.POSTGRES-USER
    • azurerm_key_vault_secret.POSTGRES_DATABASE
    • azurerm_key_vault_secret.POSTGRES_HOST
    • azurerm_key_vault_secret.POSTGRES_PORT
    • module.cft_api_mgmt_policy.azurerm_api_management_api_policy.api_policy
    • module.payment-database-v15.random_password.password
    • module.sdp_db_user[0].random_password.sdp_read_user_password
  • Delete
    • azurerm_key_vault_secret.fee_pay_team_telephony_subscription_key
  • Replace
    • module.sdp_db_user[0].azurerm_key_vault_secret.sdp_vault_sdp_read_user_name
    • module.sdp_db_user[0].azurerm_key_vault_secret.sdp_vault_sdp_read_user_password
Change Result
  # azurerm_api_management_subscription.fee_pay_team_telephony_subscription will be updated in-place
  ~ resource "azurerm_api_management_subscription" "fee_pay_team_telephony_subscription" {
      ~ allow_tracing       = false -> true
        id                  = "/subscriptions/96c274ce-846d-4e48-89a7-d528432298a7/resourceGroups/cft-aat-network-rg/providers/Microsoft.ApiManagement/service/cft-api-mgmt-stg/subscriptions/5a89d26c-6d91-4997-8a4e-13e4e279ee0a"
        # (8 unchanged attributes hidden)
    }

  # azurerm_api_management_subscription.pcipal_supplier_subscription will be updated in-place
  ~ resource "azurerm_api_management_subscription" "pcipal_supplier_subscription" {
      ~ allow_tracing       = false -> true
        id                  = "/subscriptions/96c274ce-846d-4e48-89a7-d528432298a7/resourceGroups/cft-aat-network-rg/providers/Microsoft.ApiManagement/service/cft-api-mgmt-stg/subscriptions/ea576e34-00bd-4eff-80d5-85f6c6392bb2"
        # (8 unchanged attributes hidden)
    }
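Review bot: allow_tracing flips from false to true on both fee_pay_team_telephony_subscription and pcipal_supplier_subscription above. Enabling tracing lets any caller holding one of those subscription keys request a per-call policy trace (the Ocp-Apim-Trace mechanism), and the trace exposes inbound policy execution details, including variable assignments such as the client_secret and one_time_password set further down in this plan. Unless this is a deliberate, temporary debugging change for aat only, keep `allow_tracing = false` or drive it from the environment tfvars so it never reaches prod.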

  # azurerm_key_vault_secret.POSTGRES-USER will be updated in-place
  ~ resource "azurerm_key_vault_secret" "POSTGRES-USER" {
        id                      = "https://ccpay-aat.vault.azure.net/secrets/api-POSTGRES-USER/49d2db01c3004797b78e8227ee43b11c"
        name                    = "api-POSTGRES-USER"
        tags                    = {}
        # (6 unchanged attributes hidden)
    }

  # azurerm_key_vault_secret.POSTGRES_DATABASE will be updated in-place
  ~ resource "azurerm_key_vault_secret" "POSTGRES_DATABASE" {
        id                      = "https://ccpay-aat.vault.azure.net/secrets/api-POSTGRES-DATABASE/532cd5adacd8497d984dcb98551ab045"
        name                    = "api-POSTGRES-DATABASE"
        tags                    = {}
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # azurerm_key_vault_secret.POSTGRES_HOST will be updated in-place
  ~ resource "azurerm_key_vault_secret" "POSTGRES_HOST" {
        id                      = "https://ccpay-aat.vault.azure.net/secrets/api-POSTGRES-HOST/376bcb969fbe473e8c33baea1ec2f657"
        name                    = "api-POSTGRES-HOST"
        tags                    = {}
        # (6 unchanged attributes hidden)
    }

  # azurerm_key_vault_secret.POSTGRES_PORT will be updated in-place
  ~ resource "azurerm_key_vault_secret" "POSTGRES_PORT" {
        id                      = "https://ccpay-aat.vault.azure.net/secrets/api-POSTGRES-PORT/506999aa03c64d56a73580c29b6d46f2"
        name                    = "api-POSTGRES-PORT"
        tags                    = {}
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # azurerm_key_vault_secret.fee_pay_team_bulk_scan_subscription_key will be created
  + resource "azurerm_key_vault_secret" "fee_pay_team_bulk_scan_subscription_key" {
      + id                      = (known after apply)
      + key_vault_id            = "/subscriptions/1c4f0704-a29e-403d-b719-b90c34ef14c9/resourceGroups/ccpay-aat/providers/Microsoft.KeyVault/vaults/ccpay-aat"
      + name                    = "fee-pay-team-telephony-cft-apim-subscription-key"
      + resource_id             = (known after apply)
      + resource_versionless_id = (known after apply)
      + value                   = (sensitive value)
      + version                 = (known after apply)
      + versionless_id          = (known after apply)
    }

  # azurerm_key_vault_secret.fee_pay_team_telephony_subscription_key will be destroyed
  # (because azurerm_key_vault_secret.fee_pay_team_telephony_subscription_key is not in configuration)
  - resource "azurerm_key_vault_secret" "fee_pay_team_telephony_subscription_key" {
      - id                      = "https://ccpay-aat.vault.azure.net/secrets/fee-pay-team-telephony-cft-apim-subscription-key/cac77dc44d8a43cf8df99f1834f59cb0" -> null
      - key_vault_id            = "/subscriptions/1c4f0704-a29e-403d-b719-b90c34ef14c9/resourceGroups/ccpay-aat/providers/Microsoft.KeyVault/vaults/ccpay-aat" -> null
      - name                    = "fee-pay-team-telephony-cft-apim-subscription-key" -> null
      - resource_id             = "/subscriptions/1c4f0704-a29e-403d-b719-b90c34ef14c9/resourceGroups/ccpay-aat/providers/Microsoft.KeyVault/vaults/ccpay-aat/secrets/fee-pay-team-telephony-cft-apim-subscription-key/versions/cac77dc44d8a43cf8df99f1834f59cb0" -> null
      - resource_versionless_id = "/subscriptions/1c4f0704-a29e-403d-b719-b90c34ef14c9/resourceGroups/ccpay-aat/providers/Microsoft.KeyVault/vaults/ccpay-aat/secrets/fee-pay-team-telephony-cft-apim-subscription-key" -> null
      - tags                    = {} -> null
      - value                   = (sensitive value) -> null
      - version                 = "cac77dc44d8a43cf8df99f1834f59cb0" -> null
      - versionless_id          = "https://ccpay-aat.vault.azure.net/secrets/fee-pay-team-telephony-cft-apim-subscription-key" -> null
    }
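Review bot: the created azurerm_key_vault_secret.fee_pay_team_bulk_scan_subscription_key carries `name = "fee-pay-team-telephony-cft-apim-subscription-key"`, the very secret name that azurerm_key_vault_secret.fee_pay_team_telephony_subscription_key is being destroyed under in ccpay-aat. Either the new resource should use a bulk-scan secret name, or this is a rename of the Terraform address, in which case a `moved { from = azurerm_key_vault_secret.fee_pay_team_telephony_subscription_key to = azurerm_key_vault_secret.fee_pay_team_bulk_scan_subscription_key }` block keeps the existing secret instead of destroying and recreating it. As planned, a destroy and a create target one Key Vault secret name in the same apply, so check ordering and the provider's soft-deleted-secret recovery behaviour before applying.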

  # module.cft_api_mgmt_policy.azurerm_api_management_api_policy.api_policy will be updated in-place
  ~ resource "azurerm_api_management_api_policy" "api_policy" {
        id                  = "/subscriptions/96c274ce-846d-4e48-89a7-d528432298a7/resourceGroups/cft-aat-network-rg/providers/Microsoft.ApiManagement/service/cft-api-mgmt-stg/apis/telephony-api"
      ~ xml_content         = <<-EOT
          - <policies>
          - 	<backend>
          - 		<base />
          - 	</backend>
          - 	<inbound>
          - 		<base />
          - 		<choose>
          - 			<when condition="@(context.Request.Headers["X-ARR-ClientCertThumbprint"] == null)">
          - 				<return-response>
          - 					<set-status code="401" />
          - 					<set-body>Missing client certificate.</set-body>
          - 				</return-response>
          - 			</when>
          - 			<when condition="@(!(new string[] {&quot;B1BF8007527F85085D7C4A3DC406A9A6D124D721&quot;,&quot;68EDF481C5394D65962E9810913455D3EC635FA5&quot;,&quot;13D1848E8B050CE55E4D41A35A60FF4A17E686A6&quot;,&quot;C46826BF1E82DF37664F7A3678E6498D056DA4A9&quot;,&quot;B660C97A7CC2734ABD41FBF9F6ADAA61B0C399D4&quot;}.Contains(context.Request.Headers[&quot;X-ARR-ClientCertThumbprint&quot;].First().ToUpperInvariant())))">
          - 				<return-response>
          - 					<set-status code="401" />
          - 					<set-body>Invalid client certificate.</set-body>
          - 				</return-response>
          - 			</when>
          - 			<!--          <when condition="@(context.Request.Certificate == null || context.Request.Certificate.NotAfter < DateTime.Now || context.Request.Certificate.NotBefore > DateTime.Now || !(new string[] {"B1BF8007527F85085D7C4A3DC406A9A6D124D721","68EDF481C5394D65962E9810913455D3EC635FA5","13D1848E8B050CE55E4D41A35A60FF4A17E686A6","C46826BF1E82DF37664F7A3678E6498D056DA4A9","B660C97A7CC2734ABD41FBF9F6ADAA61B0C399D4"}.Any(c => c == context.Request.Certificate.Thumbprint)))" >-->
          - 			<!--              <return-response>-->
          - 			<!--                <set-status code="401" />-->
          - 			<!--                <set-body>Invalid client certificate. Please check expiry.</set-body>-->
          - 			<!--              </return-response>-->
          - 			<!--          </when>-->
          - 		</choose>
          - 		<!-- generate totp -->
          - 		<set-variable name="client_id" value="api_gw" />
          - 		<set-variable name="client_secret" value="C5OI566EGMPHT3CC" />
          - 		<set-variable name="one_time_password" value="@{
          + <policies>
          +     <backend>
          +         <base/>
          +     </backend>
          +     <inbound>
          +         <base/>
          +         <choose>
          +             <when condition="@(context.Request.Certificate == null || context.Request.Certificate.NotAfter &lt; DateTime.Now || context.Request.Certificate.NotBefore &gt; DateTime.Now || !(new string[] {&quot;B1BF8007527F85085D7C4A3DC406A9A6D124D721&quot;,&quot;68EDF481C5394D65962E9810913455D3EC635FA5&quot;,&quot;13D1848E8B050CE55E4D41A35A60FF4A17E686A6&quot;,&quot;C46826BF1E82DF37664F7A3678E6498D056DA4A9&quot;,&quot;B660C97A7CC2734ABD41FBF9F6ADAA61B0C399D4&quot;}.Any(c => c == context.Request.Certificate.Thumbprint)))" >
          +                 <return-response>
          +                     <set-status code="403" reason="Invalid client certificate."/>
          +                 </return-response>
          +             </when>
          +         </choose>
          +         <!-- generate totp -->
          +         <set-variable name="client_id" value="api_gw" />
          +         <set-variable name="client_secret" value="C5OI566EGMPHT3CC" />
          +         <set-variable name="one_time_password" value="@{
                            const string Base32AllowedCharacters = &quot;ABCDEFGHIJKLMNOPQRSTUVWXYZ234567&quot;;
                            var bits = &quot;C5OI566EGMPHT3CC&quot;.ToUpper().ToCharArray().Select(c => Convert.ToString(Base32AllowedCharacters.IndexOf(c), 2).PadLeft(5, '0')).Aggregate((a, b) => a + b);
                            var secretKeyBytes = Enumerable.Range(0, bits.Length / 8).Select(i => Convert.ToByte(bits.Substring(i * 8, 8), 2)).ToArray();
            
                            var unixTimestamp = (long) (DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds;
                            var timeIndex = unixTimestamp / 30;
                            byte[] challenge = BitConverter.GetBytes(timeIndex);
                            if (BitConverter.IsLittleEndian) {
                                Array.Reverse(challenge);
                            }
            
                            HMACSHA1 hmac = new HMACSHA1(secretKeyBytes);
                            byte[] hash = hmac.ComputeHash(challenge);
                            int offset = hash[19] &amp; 0xf;
                            int truncatedHash = hash[offset] &amp; 0x7f;
                            for (int i = 1; i &lt; 4; i++)
                            {
                                truncatedHash &lt;&lt;= 8;
                                truncatedHash |= hash[offset + i] &amp; 0xff;
                            }
                            truncatedHash %= 1000000;
                            return truncatedHash.ToString(&quot;D6&quot;);
          -             }" />
          - 		<send-request ignore-error="false" timeout="20" response-variable-name="s2sBearerToken" mode="new">
          - 			<set-url>http://rpe-service-auth-provider-aat.service.core-compute-aat.internal/lease</set-url>
          - 			<set-method>POST</set-method>
          - 			<set-header name="Content-Type" exists-action="override">
          - 				<value>application/json</value>
          - 			</set-header>
          - 			<set-body>@{
          -                 return new JObject(
          -                 new JProperty("microservice", (string)context.Variables["client_id"]),
          -                 new JProperty("oneTimePassword", (string)context.Variables["one_time_password"])
          -                 ).ToString();
          -                 }</set-body>
          - 		</send-request>
          - 		<set-header name="ServiceAuthorization" exists-action="override">
          - 			<value>@("Bearer " + ((IResponse)context.Variables["s2sBearerToken"]).Body.As&lt;string&gt;())</value>
          - 		</set-header>
          - 	</inbound>
          - 	<outbound>
          - 		<base />
          - 	</outbound>
          - 	<on-error>
          - 		<base />
          - 	</on-error>
          +             }"/>
          +         <send-request ignore-error="false" timeout="20" response-variable-name="s2sBearerToken" mode="new">
          +             <set-url>http://rpe-service-auth-provider-aat.service.core-compute-aat.internal/lease</set-url>
          +             <set-method>POST</set-method>
          +             <set-header name="Content-Type" exists-action="override">
          +                 <value>application/json</value>
          +             </set-header>
          +             <set-body>@{
          +                 return new JObject(
          +                 new JProperty("microservice", (string)context.Variables["client_id"]),
          +                 new JProperty("oneTimePassword", (string)context.Variables["one_time_password"])
          +                 ).ToString();
          +                 }</set-body>
          +         </send-request>
          + 
          +         <set-header name="ServiceAuthorization" exists-action="override">
          +             <value>@("Bearer " + ((IResponse)context.Variables["s2sBearerToken"]).Body.As&lt;string&gt;())</value>
          +         </set-header>
          +     </inbound>
          +     <outbound>
          +         <base/>
          +     </outbound>
          +     <on-error>
          +         <base/>
          +     </on-error>
            </policies>
        EOT
        # (3 unchanged attributes hidden)
    }
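Review bot: client_secret is a literal in the policy XML, both in `<set-variable name="client_secret" ...>` and again inline in the one_time_password expression, and the plan output in this PR comment prints it in clear; a TOTP seed that has appeared in a PR thread should be treated as exposed and rotated, and the policy should read it from an APIM named value backed by Key Vault (`{{client_secret}}`) rather than from the XML. Note also that the expression recomputes the key from the literal instead of `context.Variables["client_secret"]`, so the set-variable is dead. The authorization change itself is sound: the old policy trusted the X-ARR-ClientCertThumbprint request header, while the new one checks context.Request.Certificate, its NotBefore/NotAfter, and the thumbprint allow-list, returning 403 with a reason instead of a 401 body. Unchanged but worth a follow-up: send-request posts the one-time password to the /lease endpoint over plain http://.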

  # module.payment-database-v15.random_password.password will be updated in-place
  ~ resource "random_password" "password" {
        id               = "none"
        # (13 unchanged attributes hidden)
    }
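Review bot: module.payment-database-v15.random_password.password shows an in-place update with no visible attribute change ("13 unchanged attributes hidden"). An in-place update of random_password does not regenerate its result, so this is most likely a provider schema migration, but since it is the payment database password, confirm the cause (provider version bump) before apply rather than assuming.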

  # module.sdp_db_user[0].data.azurerm_key_vault.sdp_vault will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_key_vault" "sdp_vault" {
      + access_policy                   = (known after apply)
      + enable_rbac_authorization       = (known after apply)
      + enabled_for_deployment          = (known after apply)
      + enabled_for_disk_encryption     = (known after apply)
      + enabled_for_template_deployment = (known after apply)
      + id                              = (known after apply)
      + location                        = (known after apply)
      + name                            = "mi-vault-dev"
      + network_acls                    = (known after apply)
      + public_network_access_enabled   = (known after apply)
      + purge_protection_enabled        = (known after apply)
      + resource_group_name             = "mi-dev-rg"
      + sku_name                        = (known after apply)
      + tags                            = (known after apply)
      + tenant_id                       = (known after apply)
      + vault_uri                       = (known after apply)
    }

  # module.sdp_db_user[0].data.azurerm_subscription.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_subscription" "current" {
      + display_name          = (known after apply)
      + id                    = (known after apply)
      + location_placement_id = (known after apply)
      + quota_id              = (known after apply)
      + spending_limit        = (known after apply)
      + state                 = (known after apply)
      + subscription_id       = (known after apply)
      + tags                  = (known after apply)
      + tenant_id             = (known after apply)
    }

  # module.sdp_db_user[0].azurerm_key_vault_secret.sdp_vault_sdp_read_user_name must be replaced
-/+ resource "azurerm_key_vault_secret" "sdp_vault_sdp_read_user_name" {
      ~ id                      = "https://mi-vault-dev.vault.azure.net/secrets/payment-postgres-db-v15-aat-read-user-name/fad8536e6484416896c72f9c36185769" -> (known after apply)
      ~ key_vault_id            = "/subscriptions/867a878b-cb68-4de5-9741-361ac9e178b6/resourceGroups/mi-dev-rg/providers/Microsoft.KeyVault/vaults/mi-vault-dev" # forces replacement -> (known after apply) # forces replacement
        name                    = "payment-postgres-db-v15-aat-read-user-name"
      ~ resource_id             = "/subscriptions/867a878b-cb68-4de5-9741-361ac9e178b6/resourceGroups/mi-dev-rg/providers/Microsoft.KeyVault/vaults/mi-vault-dev/secrets/payment-postgres-db-v15-aat-read-user-name/versions/fad8536e6484416896c72f9c36185769" -> (known after apply)
      ~ resource_versionless_id = "/subscriptions/867a878b-cb68-4de5-9741-361ac9e178b6/resourceGroups/mi-dev-rg/providers/Microsoft.KeyVault/vaults/mi-vault-dev/secrets/payment-postgres-db-v15-aat-read-user-name" -> (known after apply)
      - tags                    = {} -> null
      ~ version                 = "fad8536e6484416896c72f9c36185769" -> (known after apply)
      ~ versionless_id          = "https://mi-vault-dev.vault.azure.net/secrets/payment-postgres-db-v15-aat-read-user-name" -> (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.sdp_db_user[0].azurerm_key_vault_secret.sdp_vault_sdp_read_user_password must be replaced
-/+ resource "azurerm_key_vault_secret" "sdp_vault_sdp_read_user_password" {
      ~ id                      = "https://mi-vault-dev.vault.azure.net/secrets/payment-postgres-db-v15-aat-read-user-password/553757a11bb2419e981a635703e7af80" -> (known after apply)
      ~ key_vault_id            = "/subscriptions/867a878b-cb68-4de5-9741-361ac9e178b6/resourceGroups/mi-dev-rg/providers/Microsoft.KeyVault/vaults/mi-vault-dev" # forces replacement -> (known after apply) # forces replacement
        name                    = "payment-postgres-db-v15-aat-read-user-password"
      ~ resource_id             = "/subscriptions/867a878b-cb68-4de5-9741-361ac9e178b6/resourceGroups/mi-dev-rg/providers/Microsoft.KeyVault/vaults/mi-vault-dev/secrets/payment-postgres-db-v15-aat-read-user-password/versions/553757a11bb2419e981a635703e7af80" -> (known after apply)
      ~ resource_versionless_id = "/subscriptions/867a878b-cb68-4de5-9741-361ac9e178b6/resourceGroups/mi-dev-rg/providers/Microsoft.KeyVault/vaults/mi-vault-dev/secrets/payment-postgres-db-v15-aat-read-user-password" -> (known after apply)
      - tags                    = {} -> null
      ~ version                 = "553757a11bb2419e981a635703e7af80" -> (known after apply)
      ~ versionless_id          = "https://mi-vault-dev.vault.azure.net/secrets/payment-postgres-db-v15-aat-read-user-password" -> (known after apply)
        # (1 unchanged attribute hidden)
    }
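Review bot: both sdp_vault_sdp_read_user_name and sdp_vault_sdp_read_user_password are replaced only because key_vault_id becomes "(known after apply)" and is marked "forces replacement"; the data.azurerm_key_vault.sdp_vault lookup above is deferred to apply time ("depends on a resource or a module with changes pending"). The vault itself is unchanged (mi-vault-dev in mi-dev-rg), so this is a spurious destroy-and-recreate of the read-user credentials in the MI vault, and the version ids consumers may pin will rotate. Break the data source's dependency on pending changes (or reference the vault id directly) so the plan shows these two secrets as unchanged.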

  # module.sdp_db_user[0].random_password.sdp_read_user_password will be updated in-place
  ~ resource "random_password" "sdp_read_user_password" {
        id               = "none"
        # (13 unchanged attributes hidden)
    }

Plan: 3 to add, 9 to change, 3 to destroy.

@hmcts-jenkins-a-to-c
Contributor

hmcts-jenkins-a-to-c bot commented Jul 15, 2024

Plan Result (prod)

⚠️ Resource Deletion will happen

This plan contains resource delete operation. Please check the plan result very carefully!

Plan: 3 to add, 9 to change, 3 to destroy.
  • Create
    • azurerm_key_vault_secret.fee_pay_team_bulk_scan_subscription_key
  • Update
    • azurerm_api_management_subscription.fee_pay_team_telephony_subscription
    • azurerm_api_management_subscription.pcipal_supplier_subscription
    • azurerm_key_vault_secret.POSTGRES-USER
    • azurerm_key_vault_secret.POSTGRES_DATABASE
    • azurerm_key_vault_secret.POSTGRES_HOST
    • azurerm_key_vault_secret.POSTGRES_PORT
    • module.cft_api_mgmt_policy.azurerm_api_management_api_policy.api_policy
    • module.payment-database-v15.random_password.password
    • module.sdp_db_user[0].random_password.sdp_read_user_password
  • Delete
    • azurerm_key_vault_secret.fee_pay_team_telephony_subscription_key
  • Replace
    • module.sdp_db_user[0].azurerm_key_vault_secret.sdp_vault_sdp_read_user_name
    • module.sdp_db_user[0].azurerm_key_vault_secret.sdp_vault_sdp_read_user_password
Change Result
  # azurerm_api_management_subscription.fee_pay_team_telephony_subscription will be updated in-place
  ~ resource "azurerm_api_management_subscription" "fee_pay_team_telephony_subscription" {
      ~ allow_tracing       = false -> true
        id                  = "/subscriptions/8cbc6f36-7c56-4963-9d36-739db5d00b27/resourceGroups/cft-prod-network-rg/providers/Microsoft.ApiManagement/service/cft-api-mgmt-prod/subscriptions/7229a544-a882-4520-a81e-2cd4ed6f0031"
        # (8 unchanged attributes hidden)
    }

  # azurerm_api_management_subscription.pcipal_supplier_subscription will be updated in-place
  ~ resource "azurerm_api_management_subscription" "pcipal_supplier_subscription" {
      ~ allow_tracing       = false -> true
        id                  = "/subscriptions/8cbc6f36-7c56-4963-9d36-739db5d00b27/resourceGroups/cft-prod-network-rg/providers/Microsoft.ApiManagement/service/cft-api-mgmt-prod/subscriptions/abd7d0f5-77bc-462c-a658-c8d1e1b40837"
        # (8 unchanged attributes hidden)
    }
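Review bot: the same allow_tracing false -> true flip appears here on the production cft-api-mgmt-prod subscriptions. Request tracing should not be switched on for production subscriptions; if it is wanted for aat debugging, gate it per environment in the tfvars rather than changing it for every environment in one PR.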

  # azurerm_key_vault_secret.POSTGRES-USER will be updated in-place
  ~ resource "azurerm_key_vault_secret" "POSTGRES-USER" {
        id                      = "https://ccpay-prod.vault.azure.net/secrets/api-POSTGRES-USER/0d6885a22a414c8bb97a13e2956e9f70"
        name                    = "api-POSTGRES-USER"
        tags                    = {}
        # (6 unchanged attributes hidden)
    }

  # azurerm_key_vault_secret.POSTGRES_DATABASE will be updated in-place
  ~ resource "azurerm_key_vault_secret" "POSTGRES_DATABASE" {
        id                      = "https://ccpay-prod.vault.azure.net/secrets/api-POSTGRES-DATABASE/d8473b3aef8f497d850fb458dff45742"
        name                    = "api-POSTGRES-DATABASE"
        tags                    = {}
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # azurerm_key_vault_secret.POSTGRES_HOST will be updated in-place
  ~ resource "azurerm_key_vault_secret" "POSTGRES_HOST" {
        id                      = "https://ccpay-prod.vault.azure.net/secrets/api-POSTGRES-HOST/0e744add9ca24607995a6c455197383d"
        name                    = "api-POSTGRES-HOST"
        tags                    = {}
        # (6 unchanged attributes hidden)
    }

  # azurerm_key_vault_secret.POSTGRES_PORT will be updated in-place
  ~ resource "azurerm_key_vault_secret" "POSTGRES_PORT" {
        id                      = "https://ccpay-prod.vault.azure.net/secrets/api-POSTGRES-PORT/bb9fe667578149d6ae294f14dbb0bb2f"
        name                    = "api-POSTGRES-PORT"
        tags                    = {}
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # azurerm_key_vault_secret.fee_pay_team_bulk_scan_subscription_key will be created
  + resource "azurerm_key_vault_secret" "fee_pay_team_bulk_scan_subscription_key" {
      + id                      = (known after apply)
      + key_vault_id            = "/subscriptions/8999dec3-0104-4a27-94ee-6588559729d1/resourceGroups/ccpay-prod/providers/Microsoft.KeyVault/vaults/ccpay-prod"
      + name                    = "fee-pay-team-telephony-cft-apim-subscription-key"
      + resource_id             = (known after apply)
      + resource_versionless_id = (known after apply)
      + value                   = (sensitive value)
      + version                 = (known after apply)
      + versionless_id          = (known after apply)
    }

  # azurerm_key_vault_secret.fee_pay_team_telephony_subscription_key will be destroyed
  # (because azurerm_key_vault_secret.fee_pay_team_telephony_subscription_key is not in configuration)
  - resource "azurerm_key_vault_secret" "fee_pay_team_telephony_subscription_key" {
      - id                      = "https://ccpay-prod.vault.azure.net/secrets/fee-pay-team-telephony-cft-apim-subscription-key/02e16f659083422484f07bcc5ab67b2c" -> null
      - key_vault_id            = "/subscriptions/8999dec3-0104-4a27-94ee-6588559729d1/resourceGroups/ccpay-prod/providers/Microsoft.KeyVault/vaults/ccpay-prod" -> null
      - name                    = "fee-pay-team-telephony-cft-apim-subscription-key" -> null
      - resource_id             = "/subscriptions/8999dec3-0104-4a27-94ee-6588559729d1/resourceGroups/ccpay-prod/providers/Microsoft.KeyVault/vaults/ccpay-prod/secrets/fee-pay-team-telephony-cft-apim-subscription-key/versions/02e16f659083422484f07bcc5ab67b2c" -> null
      - resource_versionless_id = "/subscriptions/8999dec3-0104-4a27-94ee-6588559729d1/resourceGroups/ccpay-prod/providers/Microsoft.KeyVault/vaults/ccpay-prod/secrets/fee-pay-team-telephony-cft-apim-subscription-key" -> null
      - tags                    = {} -> null
      - value                   = (sensitive value) -> null
      - version                 = "02e16f659083422484f07bcc5ab67b2c" -> null
      - versionless_id          = "https://ccpay-prod.vault.azure.net/secrets/fee-pay-team-telephony-cft-apim-subscription-key" -> null
    }
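Review bot: as in the aat plan, the created fee_pay_team_bulk_scan_subscription_key reuses the secret name fee-pay-team-telephony-cft-apim-subscription-key of the secret being destroyed, here in ccpay-prod. In production a destroy followed by a create of the same secret is a live outage window for whatever reads that key, so resolve the address rename with a `moved` block, or correct the secret name, before this is applied.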

  # module.cft_api_mgmt_policy.azurerm_api_management_api_policy.api_policy will be updated in-place
  ~ resource "azurerm_api_management_api_policy" "api_policy" {
        id                  = "/subscriptions/8cbc6f36-7c56-4963-9d36-739db5d00b27/resourceGroups/cft-prod-network-rg/providers/Microsoft.ApiManagement/service/cft-api-mgmt-prod/apis/telephony-api"
      ~ xml_content         = <<-EOT
          - <policies>
          - 	<backend>
          - 		<base />
          - 	</backend>
          - 	<inbound>
          - 		<base />
          - 		<choose>
          - 			<when condition="@(context.Request.Headers["X-ARR-ClientCertThumbprint"] == null)">
          - 				<return-response>
          - 					<set-status code="401" />
          - 					<set-body>Missing client certificate.</set-body>
          - 				</return-response>
          - 			</when>
          - 			<when condition="@(!(new string[] {&quot;68EDF481C5394D65962E9810913455D3EC635FA5&quot;,&quot;C46826BF1E82DF37664F7A3678E6498D056DA4A9&quot;}.Contains(context.Request.Headers[&quot;X-ARR-ClientCertThumbprint&quot;].First().ToUpperInvariant())))">
          - 				<return-response>
          - 					<set-status code="401" />
          - 					<set-body>Invalid client certificate.</set-body>
          - 				</return-response>
          - 			</when>
          - 			<!--          <when condition="@(context.Request.Certificate == null || context.Request.Certificate.NotAfter < DateTime.Now || context.Request.Certificate.NotBefore > DateTime.Now || !(new string[] {"68EDF481C5394D65962E9810913455D3EC635FA5","C46826BF1E82DF37664F7A3678E6498D056DA4A9"}.Any(c => c == context.Request.Certificate.Thumbprint)))" >-->
          - 			<!--              <return-response>-->
          - 			<!--                <set-status code="401" />-->
          - 			<!--                <set-body>Invalid client certificate. Please check expiry.</set-body>-->
          - 			<!--              </return-response>-->
          - 			<!--          </when>-->
          - 		</choose>
          - 		<!-- generate totp -->
          - 		<set-variable name="client_id" value="api_gw" />
          - 		<set-variable name="client_secret" value="JBSAAHPPEHPK3PXP" />
          - 		<set-variable name="one_time_password" value="@{
          + <policies>
          +     <backend>
          +         <base/>
          +     </backend>
          +     <inbound>
          +         <base/>
          +         <choose>
          +             <when condition="@(context.Request.Certificate == null || context.Request.Certificate.NotAfter &lt; DateTime.Now || context.Request.Certificate.NotBefore &gt; DateTime.Now || !(new string[] {&quot;68EDF481C5394D65962E9810913455D3EC635FA5&quot;,&quot;C46826BF1E82DF37664F7A3678E6498D056DA4A9&quot;}.Any(c => c == context.Request.Certificate.Thumbprint)))" >
          +                 <return-response>
          +                     <set-status code="403" reason="Invalid client certificate."/>
          +                 </return-response>
          +             </when>
          +         </choose>
          +         <!-- generate totp -->
          +         <set-variable name="client_id" value="api_gw" />
          +         <set-variable name="client_secret" value="JBSAAHPPEHPK3PXP" />
          +         <set-variable name="one_time_password" value="@{
                            const string Base32AllowedCharacters = &quot;ABCDEFGHIJKLMNOPQRSTUVWXYZ234567&quot;;
                            var bits = &quot;JBSAAHPPEHPK3PXP&quot;.ToUpper().ToCharArray().Select(c => Convert.ToString(Base32AllowedCharacters.IndexOf(c), 2).PadLeft(5, '0')).Aggregate((a, b) => a + b);
                            var secretKeyBytes = Enumerable.Range(0, bits.Length / 8).Select(i => Convert.ToByte(bits.Substring(i * 8, 8), 2)).ToArray();
            
                            var unixTimestamp = (long) (DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds;
                            var timeIndex = unixTimestamp / 30;
                            byte[] challenge = BitConverter.GetBytes(timeIndex);
                            if (BitConverter.IsLittleEndian) {
                                Array.Reverse(challenge);
                            }
            
                            HMACSHA1 hmac = new HMACSHA1(secretKeyBytes);
                            byte[] hash = hmac.ComputeHash(challenge);
                            int offset = hash[19] &amp; 0xf;
                            int truncatedHash = hash[offset] &amp; 0x7f;
                            for (int i = 1; i &lt; 4; i++)
                            {
                                truncatedHash &lt;&lt;= 8;
                                truncatedHash |= hash[offset + i] &amp; 0xff;
                            }
                            truncatedHash %= 1000000;
                            return truncatedHash.ToString(&quot;D6&quot;);
          -             }" />
          - 		<send-request ignore-error="false" timeout="20" response-variable-name="s2sBearerToken" mode="new">
          - 			<set-url>http://rpe-service-auth-provider-prod.service.core-compute-prod.internal/lease</set-url>
          - 			<set-method>POST</set-method>
          - 			<set-header name="Content-Type" exists-action="override">
          - 				<value>application/json</value>
          - 			</set-header>
          - 			<set-body>@{
          -                 return new JObject(
          -                 new JProperty("microservice", (string)context.Variables["client_id"]),
          -                 new JProperty("oneTimePassword", (string)context.Variables["one_time_password"])
          -                 ).ToString();
          -                 }</set-body>
          - 		</send-request>
          - 		<set-header name="ServiceAuthorization" exists-action="override">
          - 			<value>@("Bearer " + ((IResponse)context.Variables["s2sBearerToken"]).Body.As&lt;string&gt;())</value>
          - 		</set-header>
          - 	</inbound>
          - 	<outbound>
          - 		<base />
          - 	</outbound>
          - 	<on-error>
          - 		<base />
          - 	</on-error>
          +             }"/>
          +         <send-request ignore-error="false" timeout="20" response-variable-name="s2sBearerToken" mode="new">
          +             <set-url>http://rpe-service-auth-provider-prod.service.core-compute-prod.internal/lease</set-url>
          +             <set-method>POST</set-method>
          +             <set-header name="Content-Type" exists-action="override">
          +                 <value>application/json</value>
          +             </set-header>
          +             <set-body>@{
          +                 return new JObject(
          +                 new JProperty("microservice", (string)context.Variables["client_id"]),
          +                 new JProperty("oneTimePassword", (string)context.Variables["one_time_password"])
          +                 ).ToString();
          +                 }</set-body>
          +         </send-request>
          + 
          +         <set-header name="ServiceAuthorization" exists-action="override">
          +             <value>@("Bearer " + ((IResponse)context.Variables["s2sBearerToken"]).Body.As&lt;string&gt;())</value>
          +         </set-header>
          +     </inbound>
          +     <outbound>
          +         <base/>
          +     </outbound>
          +     <on-error>
          +         <base/>
          +     </on-error>
            </policies>
        EOT
        # (3 unchanged attributes hidden)
    }
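Review bot: the policy body rendered in this plan carries the TOTP seed as a literal Base32 string (`&quot;JBSAAHPPEHPK3PXP&quot;` on the `var bits = ...` line), so the shared secret that mints the `oneTimePassword` for the S2S lease call is now printed verbatim in a public PR comment; move it into an APIM named value backed by Key Vault and reference it from the policy expression (for example `{{s2s-totp-seed}}`, a placeholder name), and treat the value shown here as exposed and rotate it on the service-auth-provider side. While touching the block, note that the lease request goes to `http://rpe-service-auth-provider-prod...internal/lease` over plain HTTP with the one-time password in the JSON body; an `https` endpoint would avoid sending it in clear text even on the internal network. The `-`/`+` lines themselves differ only in indentation (tabs to spaces), `<base />` versus `<base/>`, and one inserted blank line before the `ServiceAuthorization` header, so this part of the plan is a formatting-only change to the inbound section and does not alter behaviour.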

  # module.payment-database-v15.random_password.password will be updated in-place
  ~ resource "random_password" "password" {
        id               = "none"
        # (13 unchanged attributes hidden)
    }

  # module.sdp_db_user[0].data.azurerm_key_vault.sdp_vault will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_key_vault" "sdp_vault" {
      + access_policy                   = (known after apply)
      + enable_rbac_authorization       = (known after apply)
      + enabled_for_deployment          = (known after apply)
      + enabled_for_disk_encryption     = (known after apply)
      + enabled_for_template_deployment = (known after apply)
      + id                              = (known after apply)
      + location                        = (known after apply)
      + name                            = "mi-vault-prod"
      + network_acls                    = (known after apply)
      + public_network_access_enabled   = (known after apply)
      + purge_protection_enabled        = (known after apply)
      + resource_group_name             = "mi-prod-rg"
      + sku_name                        = (known after apply)
      + tags                            = (known after apply)
      + tenant_id                       = (known after apply)
      + vault_uri                       = (known after apply)
    }

  # module.sdp_db_user[0].data.azurerm_subscription.current will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_subscription" "current" {
      + display_name          = (known after apply)
      + id                    = (known after apply)
      + location_placement_id = (known after apply)
      + quota_id              = (known after apply)
      + spending_limit        = (known after apply)
      + state                 = (known after apply)
      + subscription_id       = (known after apply)
      + tags                  = (known after apply)
      + tenant_id             = (known after apply)
    }

  # module.sdp_db_user[0].azurerm_key_vault_secret.sdp_vault_sdp_read_user_name must be replaced
-/+ resource "azurerm_key_vault_secret" "sdp_vault_sdp_read_user_name" {
      ~ id                      = "https://mi-vault-prod.vault.azure.net/secrets/payment-postgres-db-v15-prod-read-user-name/f0f76d330d494f338106fc0688418d7e" -> (known after apply)
      ~ key_vault_id            = "/subscriptions/5ca62022-6aa2-4cee-aaa7-e7536c8d566c/resourceGroups/mi-prod-rg/providers/Microsoft.KeyVault/vaults/mi-vault-prod" # forces replacement -> (known after apply) # forces replacement
        name                    = "payment-postgres-db-v15-prod-read-user-name"
      ~ resource_id             = "/subscriptions/5ca62022-6aa2-4cee-aaa7-e7536c8d566c/resourceGroups/mi-prod-rg/providers/Microsoft.KeyVault/vaults/mi-vault-prod/secrets/payment-postgres-db-v15-prod-read-user-name/versions/f0f76d330d494f338106fc0688418d7e" -> (known after apply)
      ~ resource_versionless_id = "/subscriptions/5ca62022-6aa2-4cee-aaa7-e7536c8d566c/resourceGroups/mi-prod-rg/providers/Microsoft.KeyVault/vaults/mi-vault-prod/secrets/payment-postgres-db-v15-prod-read-user-name" -> (known after apply)
      - tags                    = {} -> null
      ~ version                 = "f0f76d330d494f338106fc0688418d7e" -> (known after apply)
      ~ versionless_id          = "https://mi-vault-prod.vault.azure.net/secrets/payment-postgres-db-v15-prod-read-user-name" -> (known after apply)
        # (1 unchanged attribute hidden)
    }

  # module.sdp_db_user[0].azurerm_key_vault_secret.sdp_vault_sdp_read_user_password must be replaced
-/+ resource "azurerm_key_vault_secret" "sdp_vault_sdp_read_user_password" {
      ~ id                      = "https://mi-vault-prod.vault.azure.net/secrets/payment-postgres-db-v15-prod-read-user-password/e5708524d592459fb8a40f2db5cbcee7" -> (known after apply)
      ~ key_vault_id            = "/subscriptions/5ca62022-6aa2-4cee-aaa7-e7536c8d566c/resourceGroups/mi-prod-rg/providers/Microsoft.KeyVault/vaults/mi-vault-prod" # forces replacement -> (known after apply) # forces replacement
        name                    = "payment-postgres-db-v15-prod-read-user-password"
      ~ resource_id             = "/subscriptions/5ca62022-6aa2-4cee-aaa7-e7536c8d566c/resourceGroups/mi-prod-rg/providers/Microsoft.KeyVault/vaults/mi-vault-prod/secrets/payment-postgres-db-v15-prod-read-user-password/versions/e5708524d592459fb8a40f2db5cbcee7" -> (known after apply)
      ~ resource_versionless_id = "/subscriptions/5ca62022-6aa2-4cee-aaa7-e7536c8d566c/resourceGroups/mi-prod-rg/providers/Microsoft.KeyVault/vaults/mi-vault-prod/secrets/payment-postgres-db-v15-prod-read-user-password" -> (known after apply)
      - tags                    = {} -> null
      ~ version                 = "e5708524d592459fb8a40f2db5cbcee7" -> (known after apply)
      ~ versionless_id          = "https://mi-vault-prod.vault.azure.net/secrets/payment-postgres-db-v15-prod-read-user-password" -> (known after apply)
        # (1 unchanged attribute hidden)
    }
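Review bot: both `sdp_vault_sdp_read_user_name` and `sdp_vault_sdp_read_user_password` are planned as destroy-and-recreate (`-/+`) only because their `key_vault_id` flips from the concrete `mi-vault-prod` id to `(known after apply)`, which the `azurerm_key_vault.sdp_vault` data source above defers until apply; Terraform cannot prove the vault is unchanged, so it forces replacement. Before approving, confirm the data source resolves to the same `mi-vault-prod` vault in `mi-prod-rg`, because these two secrets account for two of the three destroys in `Plan: 3 to add, 9 to change, 3 to destroy.` and their `version` values (`f0f76d33...` and `e5708524...`) become new ids, so any consumer pinned to a versioned secret URI rather than the `versionless_id` will break after apply. The duplicated `# forces replacement` marker on the `key_vault_id` line is a plan rendering quirk and does not indicate two separate causes.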

  # module.sdp_db_user[0].random_password.sdp_read_user_password will be updated in-place
  ~ resource "random_password" "sdp_read_user_password" {
        id               = "none"
        # (13 unchanged attributes hidden)
    }

Plan: 3 to add, 9 to change, 3 to destroy.
