[#IOPID-1514] Added missing SAMLResponse alert (#942)

Co-authored-by: Greta Quadrati <75862507+gquadrati@users.noreply.github.com>
pagopa · Apr 15, 2024 · 6dc2166 · 6dc2166
1 parent 2f1a4c5
commit 6dc2166
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 0 deletions.
diff --git a/src/domains/citizen-auth-app/01_monitor.tf b/src/domains/citizen-auth-app/01_monitor.tf
@@ -1,3 +1,12 @@
+##########################
+# APP GATEWAY DATA SOURCE
+##########################
+data "azurerm_application_gateway" "app_gateway" {
+  name                = format("%s-appgateway", local.product)
+  resource_group_name = local.appgw_resource_group_name
+}
+##########################
+
 data "azurerm_log_analytics_workspace" "log_analytics" {
   name                = var.log_analytics_workspace_name
   resource_group_name = var.log_analytics_workspace_resource_group_name
@@ -31,3 +40,47 @@ data "azurerm_monitor_action_group" "email" {
   resource_group_name = var.monitor_resource_group_name
   name                = local.monitor_action_group_email_name
 }
+
+resource "azurerm_monitor_scheduled_query_rules_alert_v2" "samlresponse_missing_detection_alert" {
+  enabled                 = true
+  name                    = "[${upper(var.domain)}] Missing required SAMLResponse in assertionConsumerService"
+  resource_group_name     = data.azurerm_resource_group.monitor_rg.name
+  scopes                  = [data.azurerm_application_gateway.app_gateway.id]
+  description             = <<-EOT
+    Detected multiple SAMLResponse missing during assertionConsumerService.
+    IdP is unknown here but you can watch Mixpanel events to identify the IdP
+    that is causing the alert to trigger
+  EOT
+  severity                = 1
+  auto_mitigation_enabled = true
+  location                = data.azurerm_resource_group.monitor_rg.location
+
+  // check once every 5 minutes(evaluation_frequency)
+  // on the last 10 minutes of data(window_duration)
+  evaluation_frequency = "PT5M"
+  window_duration      = "PT10M"
+
+  criteria {
+    query                   = <<-QUERY
+AzureDiagnostics
+| where originalHost_s in ("app-backend.io.italia.it", "api-app.io.pagopa.it")
+| where requestUri_s == "/error.html"
+| where httpMethod_s == "GET"
+| where requestQuery_s contains "Missing%20SAMLResponse%20in%20ACS"
+    QUERY
+    operator                = "GreaterThanOrEqual"
+    time_aggregation_method = "Count"
+    threshold               = 25
+    failing_periods {
+      minimum_failing_periods_to_trigger_alert = 1
+      number_of_evaluation_periods             = 1
+    }
+  }
+
+  # Action groups for alerts
+  action {
+    action_groups = [data.azurerm_monitor_action_group.error_action_group.id]
+  }
+
+  tags = var.tags
+}
diff --git a/src/domains/citizen-auth-app/99_locals.tf b/src/domains/citizen-auth-app/99_locals.tf
@@ -23,4 +23,6 @@ locals {
   aks_resource_group_name = "${local.product}-${var.location_short}-${var.instance}-aks-rg"
 
   lollipop_jwt_host = "api.io.pagopa.it"
+
+  appgw_resource_group_name = "${local.product}-rg-external"
 }
diff --git a/src/domains/citizen-auth-app/README.md b/src/domains/citizen-auth-app/README.md
@@ -28,6 +28,7 @@
 | [azurerm_monitor_autoscale_setting.function_fast_login](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource |
 | [azurerm_monitor_autoscale_setting.function_lollipop](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource |
 | [azurerm_monitor_scheduled_query_rules_alert_v2.alert_function_lollipop_HandlePubKeyRevoke_failure](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert_v2) | resource |
+| [azurerm_monitor_scheduled_query_rules_alert_v2.samlresponse_missing_detection_alert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert_v2) | resource |
 | [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource |
 | [azurerm_resource_group.fast_login_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.lollipop_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
@@ -36,6 +37,7 @@
 | [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azurerm_app_service.app_backend_li](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/app_service) | data source |
+| [azurerm_application_gateway.app_gateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_gateway) | data source |
 | [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
 | [azurerm_cosmosdb_account.cosmos_citizen_auth](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/cosmosdb_account) | data source |