move op app and func to italynorth

pagopa · Dec 3, 2024 · 6ab035e · 6ab035e
1 parent 6d6c1d4
commit 6ab035e
Show file tree

Hide file tree

Showing 8 changed files with 217 additions and 6 deletions.
diff --git a/.github/workflows/op-app-deploy.yaml b/.github/workflows/op-app-deploy.yaml
@@ -11,7 +11,7 @@ jobs:
     with:
       workspace_name: op-app
       environment: app-prod
-      resource_group_name: io-p-weu-fims-rg-01
-      web_app_name: io-p-weu-fims-op-app-01
+      resource_group_name: io-p-itn-fims-rg-01
+      web_app_name: io-p-itn-fims-op-app-01
       use_staging_slot: false
       use_private_agent: true
diff --git a/.github/workflows/op-func-deploy.yaml b/.github/workflows/op-func-deploy.yaml
@@ -11,7 +11,7 @@ jobs:
     with:
       workspace_name: op-func
       environment: app-prod
-      resource_group_name: io-p-weu-fims-rg-01
-      web_app_name: io-p-weu-fims-op-func-01
+      resource_group_name: io-p-itn-fims-rg-01
+      web_app_name: io-p-itn-fims-op-func-01
       use_staging_slot: false
       use_private_agent: true
diff --git a/infra/resources/_modules/web_apps_itn/data.tf b/infra/resources/_modules/web_apps_itn/data.tf
@@ -11,7 +11,18 @@ data "azurerm_cosmosdb_sql_database" "fims_user" {
   account_name        = var.cosmosdb_account.name
 }
 
+data "azurerm_cosmosdb_sql_database" "fims_op" {
+  name                = "op"
+  resource_group_name = var.cosmosdb_account.resource_group_name
+  account_name        = var.cosmosdb_account.name
+}
+
 data "azurerm_storage_account" "fims" {
   name                = var.storage.name
   resource_group_name = var.storage.resource_group_name
 }
+
+data "azurerm_storage_account" "audit" {
+  name                = var.audit_storage.name
+  resource_group_name = var.audit_storage.resource_group_name
+}
diff --git a/infra/resources/_modules/web_apps_itn/op_app.tf b/infra/resources/_modules/web_apps_itn/op_app.tf
@@ -0,0 +1,87 @@
+locals {
+  op_app = {
+    common_app_settings = {
+      WEBSITE_WARMUP_PATH               = "/health"
+      WEBSITE_SWAP_WARMUP_PING_STATUSES = "200"
+      COSMOS_ENDPOINT                   = data.azurerm_cosmosdb_account.fims.endpoint
+      COSMOS_DBNAME                     = data.azurerm_cosmosdb_sql_database.fims_op.name
+      REDIS_URL                         = var.redis_cache.url
+      REDIS_PASSWORD                    = var.redis_cache.access_key
+      # https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-best-practices-connection#idle-timeout
+      REDIS_PING_INTERVAL      = 1000 * 60 * 9
+      OIDC_ISSUER              = "@Microsoft.KeyVault(VaultName=${var.key_vault.name};SecretName=op-app-base-url)"
+      SESSION_MANAGER_BASE_URL = "@Microsoft.KeyVault(VaultName=${var.key_vault.name};SecretName=op-app-session-manager-base-url)"
+      LOLLIPOP_BASE_URL        = "@Microsoft.KeyVault(VaultName=${var.key_vault.name};SecretName=op-app-lollipop-base-url)"
+      LOLLIPOP_API_KEY         = "@Microsoft.KeyVault(VaultName=${var.key_vault.name};SecretName=op-app-lollipop-api-key)"
+      ACCESS_QUEUE_URL         = "${data.azurerm_storage_account.fims.primary_queue_endpoint}${var.storage.queues.access.name}"
+      AUDIT_EVENT_QUEUE_URL    = "${data.azurerm_storage_account.fims.primary_queue_endpoint}${var.storage.queues.audit_events.name}"
+      KEY_VAULT_URL            = var.key_vault.vault_uri
+      KEY_VAULT_KEY_NAME       = "op-app-key"
+    }
+  }
+}
+
+module "op_app" {
+  source = "git::https://github.com/pagopa/dx.git//infra/modules/azure_app_service?ref=main"
+
+  environment = merge(var.environment, {
+    app_name        = "op",
+    instance_number = "01"
+  })
+
+  tier = "l"
+
+  resource_group_name = var.resource_group_name
+
+  health_check_path = "/health"
+
+  application_insights_connection_string = var.application_insights.connection_string
+
+  app_settings = merge(local.op_app.common_app_settings, {
+    NODE_ENV = "production"
+  })
+
+  slot_app_settings = merge(local.op_app.common_app_settings, {
+    NODE_ENV = "development"
+  })
+
+  sticky_app_setting_names = ["NODE_ENV"]
+
+  private_dns_zone_resource_group_name = var.private_dns_zone_resource_group_name
+  virtual_network                      = var.virtual_network
+
+  subnet_cidr   = var.subnet_cidrs.op_app
+  subnet_pep_id = var.subnet_pep_id
+
+  tags = var.tags
+}
+
+resource "azurerm_role_assignment" "key_vault_op_app" {
+  for_each             = toset(["Key Vault Secrets User", "Key Vault Crypto User"])
+  scope                = var.key_vault.id
+  role_definition_name = each.key
+  principal_id         = module.op_app.app_service.app_service.principal_id
+}
+
+resource "azurerm_role_assignment" "storage_op_app" {
+  for_each             = toset(["Storage Queue Data Message Processor", "Storage Queue Data Message Sender"])
+  scope                = var.storage.id
+  role_definition_name = each.key
+  principal_id         = module.op_app.app_service.app_service.principal_id
+}
+
+resource "azurerm_redis_cache_access_policy_assignment" "op_app" {
+  name               = "op_app"
+  redis_cache_id     = var.redis_cache.id
+  access_policy_name = "Data Contributor"
+  object_id          = module.op_app.app_service.app_service.principal_id
+  object_id_alias    = "ServicePrincipal"
+}
+
+resource "azurerm_cosmosdb_sql_role_assignment" "op_app" {
+  resource_group_name = data.azurerm_cosmosdb_account.fims.resource_group_name
+  account_name        = data.azurerm_cosmosdb_account.fims.name
+  role_definition_id  = "${data.azurerm_cosmosdb_account.fims.id}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002"
+  principal_id        = module.op_app.app_service.app_service.principal_id
+  scope               = data.azurerm_cosmosdb_account.fims.id
+}
diff --git a/infra/resources/_modules/web_apps_itn/op_func.tf b/infra/resources/_modules/web_apps_itn/op_func.tf
@@ -0,0 +1,74 @@
+/*locals {
+  op_func = {
+    common_app_settings = {
+      WEBSITE_WARMUP_PATH               = "/api/health"
+      WEBSITE_SWAP_WARMUP_PING_STATUSES = "200"
+      COSMOS_ENDPOINT                   = data.azurerm_cosmosdb_account.fims.endpoint
+      COSMOS_DBNAME                     = data.azurerm_cosmosdb_sql_database.fims_op.name,
+      FIMS_STORAGE__queueServiceUri     = data.azurerm_storage_account.fims.primary_queue_endpoint,
+      CONFIG_QUEUE_NAME                 = var.storage.queues.config.name
+      AUDIT_EVENT_QUEUE_NAME            = var.storage.queues.audit_events.name
+      AUDIT_EVENT_CONTAINER_NAME        = var.audit_storage.containers.events.name
+      AUDIT_STORAGE_URI                 = data.azurerm_storage_account.audit.primary_blob_endpoint
+    }
+  }
+}
+
+module "op_func" {
+  source = "git::https://github.com/pagopa/dx.git//infra/modules/azure_function_app?ref=main"
+
+  environment = merge(var.environment, {
+    app_name        = "op",
+    instance_number = "01"
+  })
+
+  tier = "l"
+
+  # reuse op-app plan
+  app_service_plan_id = module.op_app.app_service.plan.id
+
+  resource_group_name = var.resource_group_name
+
+  health_check_path = local.op_func.common_app_settings.WEBSITE_WARMUP_PATH
+
+  application_insights_connection_string = var.application_insights.connection_string
+
+  app_settings = merge(local.op_func.common_app_settings, {
+    NODE_ENV = "production"
+  })
+
+  slot_app_settings = merge(local.op_func.common_app_settings, {
+    NODE_ENV = "development"
+  })
+
+  sticky_app_setting_names = ["NODE_ENV"]
+
+  private_dns_zone_resource_group_name = var.private_dns_zone_resource_group_name
+  virtual_network                      = var.virtual_network
+
+  subnet_cidr   = var.subnet_cidrs.op_func
+  subnet_pep_id = var.subnet_pep_id
+
+  tags = var.tags
+}
+
+resource "azurerm_role_assignment" "config_queue_op_func" {
+  for_each             = toset(["Storage Queue Data Message Processor", "Storage Queue Data Reader"])
+  scope                = var.storage.id
+  role_definition_name = each.key
+  principal_id         = module.op_func.function_app.function_app.principal_id
+}
+
+resource "azurerm_role_assignment" "audit_event_container_op_func" {
+  scope                = var.audit_storage.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = module.op_func.function_app.function_app.principal_id
+}
+
+resource "azurerm_cosmosdb_sql_role_assignment" "op_func" {
+  resource_group_name = data.azurerm_cosmosdb_account.fims.resource_group_name
+  account_name        = data.azurerm_cosmosdb_account.fims.name
+  role_definition_id  = "${data.azurerm_cosmosdb_account.fims.id}/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002"
+  principal_id        = module.op_func.function_app.function_app.principal_id
+  scope               = data.azurerm_cosmosdb_account.fims.id
+}*/
diff --git a/infra/resources/_modules/web_apps_itn/variables.tf b/infra/resources/_modules/web_apps_itn/variables.tf
@@ -29,18 +29,27 @@ variable "subnet_pep_id" {
 
 variable "subnet_cidrs" {
   type = object({
+    op_app    = string
+    op_func   = string
     user_func = string
   })
 }
 
+variable "key_vault" {
+  type = object({
+    id        = string
+    name      = string
+    vault_uri = string
+  })
+}
+
 variable "key_vault_common" {
   type = object({
     id   = string
     name = string
   })
 }
 
-
 variable "cosmosdb_account" {
   type = object({
     name                = string
@@ -54,6 +63,9 @@ variable "storage" {
     name                = string
     resource_group_name = string
     queues = object({
+      audit_events = object({
+        name = string
+      })
       config = object({
         name = string
       })
@@ -67,6 +79,27 @@ variable "storage" {
   })
 }
 
+variable "audit_storage" {
+  type = object({
+    id                  = string
+    name                = string
+    resource_group_name = string
+    containers = object({
+      events = object({
+        name = string
+      })
+    })
+  })
+}
+
+variable "redis_cache" {
+  type = object({
+    id         = string
+    url        = string
+    access_key = string
+  })
+}
+
 variable "application_insights" {
   type = object({
     connection_string = string

diff --git a/infra/resources/prod/.terraform.lock.hcl b/infra/resources/prod/.terraform.lock.hcl
diff --git a/infra/resources/prod/web_apps.tf b/infra/resources/prod/web_apps.tf
@@ -52,13 +52,18 @@ module "web_apps_itn" {
   virtual_network = data.azurerm_virtual_network.itn_common
   subnet_pep_id   = data.azurerm_subnet.itn_pep.id
   subnet_cidrs = {
+    op_app    = "10.20.23.0/26"
+    op_func   = "10.20.23.64/26"
     user_func = "10.20.23.128/26"
   }
   private_dns_zone_resource_group_name = "${local.common_project}-rg-common"
 
   # backing services
+  key_vault            = module.key_vaults.fims
+  redis_cache          = module.redis_cache.fims
   cosmosdb_account     = module.cosmos.fims
   storage              = module.storage.fims
+  audit_storage        = module.storage.audit
   application_insights = data.azurerm_application_insights.common
   key_vault_common     = module.key_vaults.common
 }