diff --git a/.github/workflows/static_analysis.yml b/.github/workflows/static_analysis.yml
index 0d363c640..1d14472cb 100644
--- a/.github/workflows/static_analysis.yml
+++ b/.github/workflows/static_analysis.yml
@@ -19,6 +19,6 @@ jobs:
 name: Terraform Validation
 secrets: inherit
 with:
- terraform_version: "1.7.5"
+ terraform_version: "1.10.2"
 pre_commit_tf_tag: "v1.96.1@sha256:9aea677ac51d67eb96b3bbb4cf93b16afdde5476f984e75e87888850d18146c9"
- enable_modified_files_detection: true
\ No newline at end of file
+ enable_modified_files_detection: true
diff --git a/.terraform-version b/.terraform-version
index 66beabb57..5ad2491cf 100644
--- a/.terraform-version
+++ b/.terraform-version
@@ -1 +1 @@
-1.9.8
+1.10.2
diff --git a/src/_modules/common_values/data.tf b/src/_modules/common_values/data.tf
index bab08d328..f74007dc1 100644
--- a/src/_modules/common_values/data.tf
+++ b/src/_modules/common_values/data.tf
@@ -3,13 +3,13 @@ data "azurerm_virtual_network" "weu_prod01" {
 resource_group_name = "${local.project_weu}-prod01-vnet-rg"
 }
-data "terraform_remote_state" "core" {
+data "terraform_remote_state" "common" {
 backend = "azurerm"
 config = {
 resource_group_name = "terraform-state-rg"
 storage_account_name = "iopitntfst001"
 container_name = "terraform-state"
- key = "io-infra.core.prod.italynorth.tfstate"
+ key = "io-infra.common.prod.tfstate"
 }
 }
diff --git a/src/_modules/common_values/locals.tf b/src/_modules/common_values/locals.tf
index 514d3fd31..876ad9b61 100644
--- a/src/_modules/common_values/locals.tf
+++ b/src/_modules/common_values/locals.tf
@@ -10,5 +10,5 @@ locals {
 project_itn = "${local.prefix}-${local.env_short}-${local.location_short.italynorth}"
 project_weu = "${local.prefix}-${local.env_short}-${local.location_short.westeurope}"
 project_weu_legacy = "${local.prefix}-${local.env_short}"
- core = data.terraform_remote_state.core.outputs
+ common = data.terraform_remote_state.common.outputs
 }
\ No newline at end of file
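Review bot: Renaming `local.core` to `local.common` in `src/_modules/common_values/locals.tf` changes the module's internal interface, and neither this hunk nor the `data.tf` hunk shows the remaining readers of `local.core` inside the module; the only consumer visible in this diff is the deleted `outputs_configurable.tf`, so any other `local.core.…` reference would fail at plan time — a `terraform validate` on the module before merge would settle it. The new state key `io-infra.common.prod.tfstate` presumably belongs to the `src/common/prod` stack whose `outputs.tf` is added in this same commit; `terraform_remote_state` requires read access to that whole state blob, not only to the outputs used, so every caller of this module inherits that read grant and the common stack's outputs must stay free of secret material (the ones added here are ids and names only). A comment on the data source would make that coupling explicit: `# reads the outputs of src/common/prod — key must match that stack's backend; keep its outputs non-sensitive`.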
diff --git a/src/_modules/common_values/outputs_configurable.tf b/src/_modules/common_values/outputs_configurable.tf deleted file mode 100644 index 09fefcbe1..000000000 --- a/src/_modules/common_values/outputs_configurable.tf +++ /dev/null @@ -1,13 +0,0 @@ - -output "scaling_gate" { - description = < [azuread](#provider\_azuread) | 2.53.1 | | [azurerm](#provider\_azurerm) | 3.116.0 | -| [azurerm.prod-trial](#provider\_azurerm.prod-trial) | 3.116.0 | | [terraform](#provider\_terraform) | n/a | ## Modules @@ -42,7 +41,6 @@ | [azurerm_role_assignment.dev_portal_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | [azuread_service_principal.apim_client_svc](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source | | [azuread_service_principal.dev_portal_svc](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source | -| [azurerm_api_management.trial_system](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source | | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | | [azurerm_linux_function_app.app_messages_xl](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source | | [azurerm_linux_function_app.eucovidcert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source | @@ -68,5 +66,10 @@ No inputs. ## Outputs -No outputs. +| Name | Description | +|------|-------------| +| [apim](#output\_apim) | n/a | +| [pep\_subnets](#output\_pep\_subnets) | n/a | +| [private\_endpoints](#output\_private\_endpoints) | n/a | +| [virtual\_networks](#output\_virtual\_networks) | n/a | 
diff --git a/src/common/prod/data.tf b/src/common/prod/data.tf
index b446de182..6a48ceafe 100644
--- a/src/common/prod/data.tf
+++ b/src/common/prod/data.tf
@@ -45,9 +45,8 @@ data "azurerm_linux_function_app" "function_assets_cdn" {
 }
 data "azurerm_linux_function_app" "function_profile" {
- count = local.function_profile_count
- name = "${local.project_itn}-auth-profile-fn-0${count.index + 1}"
- resource_group_name = "${local.project_itn}-profile-rg-0${count.index + 1}"
+ name = "${local.project_itn}-auth-profile-fn-01"
+ resource_group_name = "${local.project_itn}-profile-rg-01"
 }
 data "azurerm_linux_function_app" "app_messages_xl" {
@@ -62,8 +61,8 @@ data "azurerm_linux_function_app" "services_app_backend_function_app" {
 }
 data "azurerm_linux_function_app" "lollipop_function" {
- name = "${local.project_itn}-lollipop-fn-01"
- resource_group_name = "${local.project_itn}-lollipop-rg-01"
+ name = "${local.project_itn}-auth-lollipop-func-02"
+ resource_group_name = "${local.project_itn}-auth-lollipop-rg-02"
 }
 data "azurerm_linux_function_app" "eucovidcert" {
@@ -86,12 +85,6 @@ data "azurerm_linux_function_app" "wallet_user" {
 name = "${local.project_itn}-wallet-user-func-02"
 }
-data "azurerm_api_management" "trial_system" {
- provider = azurerm.prod-trial
- name = "ts-p-itn-apim-01"
- resource_group_name = "ts-p-itn-routing-rg-01"
-}
 data "azurerm_subnet" "admin_snet" {
 name = "${local.project_weu_legacy}-admin-snet"
 resource_group_name = local.core.networking.weu.vnet_common.resource_group_name
diff --git a/src/common/prod/locals.tf b/src/common/prod/locals.tf
index 68a132f97..6e684c032 100644
--- a/src/common/prod/locals.tf
+++ b/src/common/prod/locals.tf
@@ -17,7 +17,7 @@ locals {
 core = data.terraform_remote_state.core.outputs
- function_profile_count = 2
+ function_profile_count = 1
 app_messages_count = 2
 # TODO: edit this block when resource groups module is implemented
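Review bot: `data.azurerm_linux_function_app.lollipop_function` now resolves `${local.project_itn}-auth-lollipop-func-02` in `…-auth-lollipop-rg-02`, while the new `src/domains/citizen-auth-app/07_data.tf` later in this diff looks up the v2 app as `format("%s-lollipop-func-02", local.short_project_itn)` in `…-lollipop-rg-02`; unless `short_project_itn` already ends in the `auth` segment, the two stacks are naming different resources for what `08_session_manager.tf` treats as one app, so confirm both lookups succeed in a plan before apply. In the `locals.tf` hunk, `function_profile_count` is kept at `1` although the `function_profile` data source no longer uses `count`; if nothing else reads it, remove the local rather than leave a value that no longer drives anything. Since `_modules/common_values` in this same commit renames its remote state from `core` to `common`, a one-line comment would keep the two apart for the next reader: `# core = outputs of the io-infra core stack (distinct from the common stack read by _modules/common_values)`.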
@@ -52,9 +52,6 @@ locals {
 2 = {
 cidr_subnet = ["10.0.153.0/24"]
 },
- 3 = {
- cidr_subnet = ["10.0.156.0/24"]
- }
 }
 app_backendli = {
@@ -67,7 +64,7 @@ locals {
 }
 backend_hostnames = {
- app = [for key, value in data.azurerm_linux_function_app.function_profile : value.default_hostname]
+ app = [data.azurerm_linux_function_app.function_profile.default_hostname]
 app_messages = [for key, value in data.azurerm_linux_function_app.app_messages_xl : value.default_hostname]
 assets_cdn = data.azurerm_linux_function_app.function_assets_cdn.default_hostname
 services_app_backend = data.azurerm_linux_function_app.services_app_backend_function_app.default_hostname
@@ -77,8 +74,6 @@ locals {
 iosign = data.azurerm_linux_function_app.io_sign_user.default_hostname
 iofims = data.azurerm_linux_function_app.io_fims_user.default_hostname
 cgnonboarding = "io-p-itn-cgn-search-func-01.azurewebsites.net"
- trial_system_api = "ts-p-itn-api-func-01.azurewebsites.net"
- trial_system_apim = data.azurerm_api_management.trial_system.gateway_url
 iowallet = data.azurerm_linux_function_app.wallet_user.default_hostname
 }
diff --git a/src/common/prod/main.tf b/src/common/prod/main.tf
index f3e334380..c9afe146f 100644
--- a/src/common/prod/main.tf
+++ b/src/common/prod/main.tf
@@ -18,10 +18,3 @@ terraform {
 provider "azurerm" {
 features {}
 }
-
-provider "azurerm" {
- alias = "prod-trial"
- subscription_id = "a2124115-ba74-462f-832a-9192cbd03649"
-
- features {}
-}
\ No newline at end of file
diff --git a/src/common/prod/outputs.tf b/src/common/prod/outputs.tf
new file mode 100644
index 000000000..b230825b3
--- /dev/null
+++ b/src/common/prod/outputs.tf
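Review bot: Dropping key `3` (`10.0.156.0/24`) from the subnet map at the top of this hunk will, if that map drives the backend subnet resources, plan a destroy of the subnet; the key appears to correspond to the `appbackendl3` subnet whose data sources are removed from the cgn and citizen-auth-app stacks later in this diff, but any other stack that still references that subnet by name is not covered by this commit and would break after apply, so check the plan and a repository-wide search for `appbackendl3` first. The enclosing `locals` block starts outside the hunk, so I cannot see the consumer of the map from here. In the `backend_hostnames` hunk the `app` entry changes from a comprehension to a one-element literal list, which keeps the type stable for whoever iterates it; a short comment would make that intent survive the next edit: `# single profile app now; kept as a list so consumers of backend_hostnames.app are unchanged`.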
@@ -0,0 +1,49 @@
+output "apim" {
+ value = {
+ itn = {
+ id = module.apim_itn.id
+ resource_group_common = local.resource_groups.itn.common
+ resource_group_internal = local.resource_groups.itn.internal
+ }
+ weu = {
+ id = module.apim_weu.id
+ resource_group_common = local.core.resource_groups.westeurope.common
+ resource_group_internal = local.core.resource_groups.westeurope.internal
+ }
+ }
+}
+
+output "private_endpoints" {
+ value = module.private_endpoints.private_endpoints
+}
+
+output "virtual_networks" {
+ value = {
+ weu = {
+ id = local.core.networking.weu.vnet_common.id
+ name = local.core.networking.weu.vnet_common.name
+ resource_group_name = local.core.networking.weu.vnet_common.resource_group_name
+ }
+ itn = {
+ id = local.core.networking.itn.vnet_common.id
+ name = local.core.networking.itn.vnet_common.name
+ resource_group_name = local.core.networking.itn.vnet_common.resource_group_name
+ }
+ prod01 = {
+ id = data.azurerm_virtual_network.weu_prod01.id
+ name = data.azurerm_virtual_network.weu_prod01.name
+ resource_group_name = data.azurerm_virtual_network.weu_prod01.resource_group_name
+ }
+ }
+}
+
+output "pep_subnets" {
+ value = {
+ itn = {
+ id = local.core.networking.itn.pep_snet.id
+ },
+ weu = {
+ id = local.core.networking.weu.pep_snet.id
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/common/prod/westeurope.tf b/src/common/prod/westeurope.tf
index 64db8af9a..d6303bb91 100644
--- a/src/common/prod/westeurope.tf
+++ b/src/common/prod/westeurope.tf
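Review bot: None of the four new outputs carries a `description`, which is why the generated README in this commit lists them as `n/a`; since `_modules/common_values` now reads this state through `terraform_remote_state`, these outputs are a cross-stack contract and deserve one line each, for example `description = "APIM instances per region: id plus the common/internal resource group names; consumed by _modules/common_values"` on `apim`, and similar lines on `private_endpoints`, `virtual_networks` and `pep_subnets` stating what the ids point at and that the values are non-sensitive. The file also ends without a trailing newline, while the same commit adds the missing newline to `static_analysis.yml` and the cgn `data.tf`, so the end-of-file check will flag it on the next run. `pep_subnets` separates its `itn` and `weu` objects with `},` whereas the other outputs use newline separation only; `terraform fmt` leaves that alone, so align it by hand.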
@@ -327,12 +327,15 @@ module "application_gateway_weu" {
 continua_io_pagopa_it = "continua-io-pagopa-it"
 selfcare_io_pagopa_it = "selfcare-io-pagopa-it"
 oauth_io_pagopa_it = "oauth-io-pagopa-it"
- ipatente_io_pagopa_it = "ipatente-io-pagopa-it"
+ vehicles_ipatente_io_pagopa_it = "vehicles-ipatente-io-pagopa-it"
+ licences_ipatente_io_pagopa_it = "licences-ipatente-io-pagopa-it"
+ payments_ipatente_io_pagopa_it = "payments-ipatente-io-pagopa-it"
+ practices_ipatente_io_pagopa_it = "practices-ipatente-io-pagopa-it"
 }
 cidr_subnet = ["10.0.13.0/24"]
- min_capacity = 20 # 4 capacity=baseline, 10 capacity=high volume event, 15 capacity=very high volume event
- max_capacity = 100
+ min_capacity = 10 # 4 capacity=baseline, 10 capacity=high volume event, 15 capacity=very high volume event
+ max_capacity = 80
 alerts_enabled = true
 deny_paths = ["\\/admin\\/(.*)"]
 error_action_group_id = module.monitoring_weu.action_groups.error
diff --git a/src/core/prod/README.md b/src/core/prod/README.md
index dc2a14051..bc389b70a 100644
--- a/src/core/prod/README.md
+++ b/src/core/prod/README.md
@@ -32,6 +32,7 @@
 | Name | Type |
 |------|------|
 | [azurerm_resource_group.acr_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.agw_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.assets_cdn_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.common_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.common_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
diff --git a/src/core/prod/resource_groups.tf b/src/core/prod/resource_groups.tf
index 330f148e7..0b83f02a7 100644
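Review bot: The inline comment on `min_capacity` still reads as a legend of capacity tiers, but the value now chosen as the permanent floor is the "high volume event" tier, so the comment no longer says why 10 rather than the 4 it calls baseline; rewrite it to record the decision, e.g. `min_capacity = 10 # floor raised above the 4-unit baseline so event peaks do not wait on scale-out; 15 = very high volume event`. The four new `*_ipatente_io_pagopa_it` hostname entries replace a single one, and whatever listeners, certificates or routing rules the `application_gateway_weu` module derives from this map are outside the hunk (the module block starts before line 327), so I cannot confirm from here that the matching certificate and backend entries exist for all four. Lowering `max_capacity` from 100 to 80 is a capacity change with no comment; a short note on the reason would help the next person who sees a 429/5xx spike.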
--- a/src/core/prod/resource_groups.tf
+++ b/src/core/prod/resource_groups.tf
@@ -5,6 +5,13 @@ resource "azurerm_resource_group" "common_itn" {
 tags = local.tags
 }
+resource "azurerm_resource_group" "agw_itn" {
+ name = "${local.project_itn}-agw-rg-01"
+ location = "italynorth"
+
+ tags = local.tags
+}
+
 resource "azurerm_resource_group" "dashboards_itn" {
 name = "${local.project_itn}-common-dashboards-rg-01"
 location = "italynorth"
diff --git a/src/domains/cgn/_modules/functions_apps/data.tf b/src/domains/cgn/_modules/functions_apps/data.tf
index a1e509d22..90a49e356 100644
--- a/src/domains/cgn/_modules/functions_apps/data.tf
+++ b/src/domains/cgn/_modules/functions_apps/data.tf
@@ -9,6 +9,12 @@ data "azurerm_subnet" "snet_apim_v2" {
 resource_group_name = local.resource_group_name_common
 }
+data "azurerm_subnet" "apim_itn_snet" {
+ name = "io-p-itn-apim-snet-01"
+ virtual_network_name = local.vnet_common_name_itn
+ resource_group_name = local.vnet_common_resource_group_name_itn
+}
+
 data "azurerm_subnet" "snet_azdoa" {
 name = "azure-devops"
 virtual_network_name = local.vnet_name_common
@@ -27,12 +33,6 @@ data "azurerm_subnet" "snet_backendl2" {
 resource_group_name = local.resource_group_name_common
 }
-data "azurerm_subnet" "snet_backendl3" {
- name = "appbackendl3"
- virtual_network_name = local.vnet_name_common
- resource_group_name = local.resource_group_name_common
-}
-
 data "azurerm_subnet" "snet_backendli" {
 name = "appbackendli"
 virtual_network_name = local.vnet_name_common
@@ -98,4 +98,4 @@ data "azurerm_subnet" "private_endpoints_subnet" {
 data "azurerm_private_dns_zone" "function_app" {
 name = "privatelink.azurewebsites.net"
 resource_group_name = local.resource_group_name_common
-}
\ No newline at end of file
+}
diff --git a/src/domains/cgn/_modules/functions_apps/function_app_cgn.tf b/src/domains/cgn/_modules/functions_apps/function_app_cgn.tf
index 4287a4a9a..68199e909 100644
--- a/src/domains/cgn/_modules/functions_apps/function_app_cgn.tf
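Review bot: In the new `apim_itn_snet` data source of `src/domains/cgn/_modules/functions_apps/data.tf` the subnet `name` is the literal `"io-p-itn-apim-snet-01"`, while the vnet and resource group on the next two lines come from `var.project` and `local.itn_location_short` (the locals added to this module later in the diff); if `var.project` is `io-p` as the `…-itn-common-vnet-01` pattern suggests, the consistent form is `name = "${var.project}-${local.itn_location_short}-apim-snet-01"`, which keeps a non-prod deployment of the module from silently opening its function apps to the prod APIM subnet. This data source's only visible purpose is to be added to `allowed_subnets` of the cgn function apps and their staging slots, so that network allow-list is what a wrong literal would affect. The `snet_backendl3` removal is consistent with the subnet map change in `src/common/prod/locals.tf`; the `@@ -98` hunk only fixes the missing end-of-file newline.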
+++ b/src/domains/cgn/_modules/functions_apps/function_app_cgn.tf
@@ -45,7 +45,7 @@ module "function_cgn" {
 data.azurerm_subnet.snet_backendl2.id,
 data.azurerm_subnet.snet_backendli.id,
 data.azurerm_subnet.snet_apim_v2.id,
- data.azurerm_subnet.snet_backendl3.id
+ data.azurerm_subnet.apim_itn_snet.id,
 ]
 tags = var.tags
@@ -89,7 +89,7 @@ module "function_cgn_staging_slot" {
 data.azurerm_subnet.snet_backendl2.id,
 data.azurerm_subnet.snet_backendli.id,
 data.azurerm_subnet.snet_apim_v2.id,
- data.azurerm_subnet.snet_backendl3.id,
+ data.azurerm_subnet.apim_itn_snet.id,
 ]
 tags = var.tags
diff --git a/src/domains/cgn/_modules/functions_apps/function_app_cgn_merchant.tf b/src/domains/cgn/_modules/functions_apps/function_app_cgn_merchant.tf
index 10e33ba4d..8af82d513 100644
--- a/src/domains/cgn/_modules/functions_apps/function_app_cgn_merchant.tf
+++ b/src/domains/cgn/_modules/functions_apps/function_app_cgn_merchant.tf
@@ -23,7 +23,8 @@ module "function_cgn_merchant" {
 allowed_subnets = [
 var.subnet_id,
- data.azurerm_subnet.snet_apim_v2.id
+ data.azurerm_subnet.snet_apim_v2.id,
+ data.azurerm_subnet.apim_itn_snet.id,
 ]
 tags = var.tags
@@ -57,7 +58,8 @@ module "function_cgn_merchant_staging_slot" {
 allowed_subnets = [
 var.subnet_id,
 data.azurerm_subnet.snet_azdoa.id,
- data.azurerm_subnet.snet_apim_v2.id
+ data.azurerm_subnet.snet_apim_v2.id,
+ data.azurerm_subnet.apim_itn_snet.id,
 ]
 tags = var.tags
diff --git a/src/domains/cgn/_modules/functions_apps/locals.tf b/src/domains/cgn/_modules/functions_apps/locals.tf
index 14ae60592..454d7226b 100644
--- a/src/domains/cgn/_modules/functions_apps/locals.tf
+++ b/src/domains/cgn/_modules/functions_apps/locals.tf
@@ -92,3 +92,11 @@ locals {
 }
 }
 }
+
+# Region ITN
+locals {
+ itn_location_short = "itn"
+
+ vnet_common_name_itn = "${var.project}-${local.itn_location_short}-common-vnet-01"
+ vnet_common_resource_group_name_itn = "${var.project}-${local.itn_location_short}-common-rg-01"
+}
diff --git a/src/domains/citizen-auth-app/01_network.tf b/src/domains/citizen-auth-app/01_network.tf
index 7dd9d8de6..56639f6fe 100644
--- a/src/domains/citizen-auth-app/01_network.tf
+++ b/src/domains/citizen-auth-app/01_network.tf
@@ -74,18 +74,6 @@ data "azurerm_subnet" "app_backend_l2_snet" {
 resource_group_name = local.vnet_common_resource_group_name
 }
-data "azurerm_subnet" "app_backend_l3_snet" {
- name = "appbackendl3"
- virtual_network_name = local.vnet_common_name
- resource_group_name = local.vnet_common_resource_group_name
-}
-
-data "azurerm_subnet" "ioweb_profile_snet" {
- name = format("%s-ioweb-profile-snet", local.common_project)
- virtual_network_name = local.vnet_common_name
- resource_group_name = local.vnet_common_resource_group_name
-}
-
 data "azurerm_subnet" "fims_op_app_snet_01" {
 name = "io-p-weu-fims-op-app-snet-01"
 virtual_network_name = local.vnet_common_name
@@ -150,28 +138,6 @@ module "session_manager_snet" {
 }
 }
-module "session_manager_snet_04" {
- source = "github.com/pagopa/terraform-azurerm-v3//subnet?ref=v8.22.0"
- name = format("%s-session-manager-snet-04", local.common_project)
- address_prefixes = var.cidr_subnet_session_manager_04
- resource_group_name = data.azurerm_virtual_network.common_vnet.resource_group_name
- virtual_network_name = data.azurerm_virtual_network.common_vnet.name
-
- private_endpoint_network_policies_enabled = true
-
- service_endpoints = [
- "Microsoft.Web",
- ]
-
- delegation = {
- name = "default"
- service_delegation = {
- name = "Microsoft.Web/serverFarms"
- actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
- }
- }
-}
-
 #########################
 # Private Endpoints
 #########################
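Review bot: `module "session_manager_snet_04"` is removed here, and the two private endpoints plus the NAT gateway association that referenced it go in the following hunks of this file, but nothing in the visible diff removes the function app module `session_manager_weu_04` (still referenced by the deleted endpoints as `module.session_manager_weu_04.id`) or the input `var.cidr_subnet_session_manager_04`; if that module still exists elsewhere in the stack with a `subnet_id` pointing at the deleted subnet module, validation fails, and if it was already removed earlier the variable is now dead and should be dropped from `variables.tf` together with its tfvars entry. Destroying a delegated subnet also only succeeds once no app is still integrated with it, so the apply order should be checked against the plan. The same applies to the two `*_session_manager_sites_04` private endpoint removals and the `session_manager_snet_04` NAT association in the next two hunks.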
@@ -197,27 +163,6 @@ resource "azurerm_private_endpoint" "session_manager_sites" {
 tags = var.tags
 }
-resource "azurerm_private_endpoint" "session_manager_sites_04" {
- name = "${local.common_project}-session-manager-app-pep-04"
- location = var.location
- resource_group_name = azurerm_resource_group.session_manager_rg_weu.name
- subnet_id = data.azurerm_subnet.private_endpoints_subnet.id
-
- private_service_connection {
- name = "${local.common_project}-session-manager-app-pep-04"
- private_connection_resource_id = module.session_manager_weu_04.id
- is_manual_connection = false
- subresource_names = ["sites"]
- }
-
- private_dns_zone_group {
- name = "private-dns-zone-group"
- private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_azurewebsites_net.id]
- }
-
- tags = var.tags
-}
-
 resource "azurerm_private_endpoint" "staging_session_manager_sites" {
 name = "${local.common_project}-session-manager-staging-app-pep-01"
 location = var.location
@@ -239,27 +184,6 @@ resource "azurerm_private_endpoint" "staging_session_manager_sites" {
 tags = var.tags
 }
-resource "azurerm_private_endpoint" "staging_session_manager_sites_04" {
- name = "${local.common_project}-session-manager-staging-app-pep-04"
- location = var.location
- resource_group_name = azurerm_resource_group.session_manager_rg_weu.name
- subnet_id = data.azurerm_subnet.private_endpoints_subnet.id
-
- private_service_connection {
- name = "${local.common_project}-session-manager-staging-app-pep-04"
- private_connection_resource_id = module.session_manager_weu_04.id
- is_manual_connection = false
- subresource_names = ["sites-${module.session_manager_weu_staging_04.name}"]
- }
-
- private_dns_zone_group {
- name = "private-dns-zone-group"
- private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_azurewebsites_net.id]
- }
-
- tags = var.tags
-}
-
 data "azurerm_nat_gateway" "nat_gateway" {
 name = "${local.product}-natgw"
 resource_group_name = format("%s-rg-common", local.product)
@@ -270,11 +194,6 @@ resource "azurerm_subnet_nat_gateway_association" "session_manager_snet" {
 subnet_id = module.session_manager_snet.id
 }
-resource "azurerm_subnet_nat_gateway_association" "session_manager_snet_04" {
- nat_gateway_id = data.azurerm_nat_gateway.nat_gateway.id
- subnet_id = module.session_manager_snet_04.id
-}
-
 data "azurerm_resource_group" "rg_external" {
 name = format("%s-rg-external", local.product)
 }
diff --git a/src/domains/citizen-auth-app/01_network_itn.tf b/src/domains/citizen-auth-app/01_network_itn.tf
index 9a883bf1e..e12f88339 100644
--- a/src/domains/citizen-auth-app/01_network_itn.tf
+++ b/src/domains/citizen-auth-app/01_network_itn.tf
@@ -65,50 +65,6 @@ module "fn_profile_async_snet" {
 # Private Endpoints
 #########################
-## fn-lollipop-itn
-
-resource "azurerm_private_endpoint" "function_lollipop_itn_sites" {
- name = "${local.common_project_itn}-lollipop-fn-pep-01"
- location = local.itn_location
- resource_group_name = azurerm_resource_group.lollipop_rg_itn.name
- subnet_id = data.azurerm_subnet.itn_pep.id
-
- private_service_connection {
- name = "${local.common_project_itn}-lollipop-fn-pep-01"
- private_connection_resource_id = module.function_lollipop_itn.id
- is_manual_connection = false
- subresource_names = ["sites"]
- }
-
- private_dns_zone_group {
- name = "private-dns-zone-group"
- private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_azurewebsites_net.id]
- }
-
- tags = var.tags
-}
-
-resource "azurerm_private_endpoint" "staging_function_lollipop_itn_sites" {
- name = "${local.common_project}-lollipop-fn-staging-pep-01"
- location = local.itn_location
- resource_group_name = azurerm_resource_group.lollipop_rg_itn.name
- subnet_id = data.azurerm_subnet.itn_pep.id
-
- private_service_connection {
- name = "${local.common_project_itn}-lollipop-fn-staging-app-pep-01"
- private_connection_resource_id = module.function_lollipop_itn.id
- is_manual_connection = false
- subresource_names = ["sites-${module.function_lollipop_staging_slot_itn.name}"]
- }
-
- private_dns_zone_group {
- name = "private-dns-zone-group"
- private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_azurewebsites_net.id]
- }
-
- tags = var.tags
-}
-
 ## itn-profile-fn
 resource "azurerm_private_endpoint" "function_profile_itn_sites" {
diff --git a/src/domains/citizen-auth-app/04_function_lollipop.tf b/src/domains/citizen-auth-app/04_function_lollipop.tf
deleted file mode 100644
index 24ab736b9..000000000
--- a/src/domains/citizen-auth-app/04_function_lollipop.tf
+++ /dev/null
@@ -1,571 +0,0 @@ -data "azurerm_key_vault_secret" "first_lollipop_consumer_subscription_key" { - name = "first-lollipop-consumer-pagopa-subscription-key-v2" # itn" Change it for itn switch - key_vault_id = data.azurerm_key_vault.kv.id -} - -locals { - function_lollipop = { - app_settings = { - FUNCTIONS_WORKER_PROCESS_COUNT = 8 - NODE_ENV = "production" - - // Keepalive fields are all optionals - FETCH_KEEPALIVE_ENABLED = "true" - FETCH_KEEPALIVE_SOCKET_ACTIVE_TTL = "110000" - FETCH_KEEPALIVE_MAX_SOCKETS = "40" - FETCH_KEEPALIVE_MAX_FREE_SOCKETS = "10" - FETCH_KEEPALIVE_FREE_SOCKET_TIMEOUT = "30000" - FETCH_KEEPALIVE_TIMEOUT = "60000" - - COSMOSDB_NAME = "citizen-auth" - COSMOSDB_URI = data.azurerm_cosmosdb_account.cosmos_citizen_auth.endpoint - COSMOSDB_KEY = data.azurerm_cosmosdb_account.cosmos_citizen_auth.primary_key - COSMOS_API_CONNECTION_STRING = format("AccountEndpoint=%s;AccountKey=%s;", data.azurerm_cosmosdb_account.cosmos_citizen_auth.endpoint, data.azurerm_cosmosdb_account.cosmos_citizen_auth.primary_key) - - #TODO: move to new storage on itn - LOLLIPOP_ASSERTION_STORAGE_CONNECTION_STRING = data.azurerm_storage_account.lollipop_assertion_storage.primary_connection_string - LOLLIPOP_ASSERTION_REVOKE_QUEUE = "pubkeys-revoke-v2" - - // ------------ - // JWT Config - // ------------ - ISSUER = local.lollipop_jwt_host - - PRIMARY_PRIVATE_KEY = trimspace(data.azurerm_key_vault_certificate_data.lollipop_certificate_v1.key) - PRIMARY_PUBLIC_KEY = trimspace(data.azurerm_key_vault_certificate_data.lollipop_certificate_v1.pem) - - // Use it during rotation period. 
See https://pagopa.atlassian.net/wiki/spaces/IC/pages/645136398/LolliPoP+Procedura+di+rotazione+dei+certificati - //SECONDARY_PUBLIC_KEY = - - - // ------------------------- - // First LolliPoP Consumer - // ------------------------- - FIRST_LC_ASSERTION_CLIENT_BASE_URL = "https://api.io.pagopa.it" - FIRST_LC_ASSERTION_CLIENT_SUBSCRIPTION_KEY = data.azurerm_key_vault_secret.first_lollipop_consumer_subscription_key.value - } - } -} - -resource "azurerm_resource_group" "lollipop_rg_itn" { - name = format("%s-lollipop-rg-01", local.common_project_itn) - location = local.itn_location - - tags = var.tags -} - -# Subnet to host admin function - -resource "azurerm_subnet" "lollipop_snet_itn" { - name = format("%s-lollipop-snet-01", local.common_project_itn) - resource_group_name = data.azurerm_virtual_network.common_vnet_italy_north.resource_group_name - virtual_network_name = data.azurerm_virtual_network.common_vnet_italy_north.name - address_prefixes = var.cidr_subnet_fnlollipop_itn - - service_endpoints = [ - "Microsoft.Web", - "Microsoft.AzureCosmosDB", - "Microsoft.Storage", - ] - - delegation { - name = "default" - service_delegation { - name = "Microsoft.Web/serverFarms" - actions = ["Microsoft.Network/virtualNetworks/subnets/action"] - } - } - - private_link_service_network_policies_enabled = true - private_endpoint_network_policies_enabled = true -} - -module "function_lollipop_itn" { - source = "github.com/pagopa/terraform-azurerm-v3//function_app?ref=v8.28.2" - - resource_group_name = azurerm_resource_group.lollipop_rg_itn.name - name = format("%s-lollipop-fn-01", local.common_project_itn) - location = local.itn_location - domain = "IO-COMMONS" - health_check_path = "/info" - health_check_maxpingfailures = "2" - - enable_function_app_public_network_access = false - - storage_account_info = { - account_kind = "StorageV2" - account_tier = "Standard" - account_replication_type = "ZRS" - access_tier = "Hot" - advanced_threat_protection_enable = false - 
public_network_access_enabled = false - use_legacy_defender_version = true - } - - node_version = "18" - runtime_version = "~4" - - always_on = "true" - application_insights_instrumentation_key = data.azurerm_application_insights.application_insights.instrumentation_key - - app_service_plan_info = { - kind = var.function_lollipop_kind - sku_size = var.function_lollipop_sku_size - maximum_elastic_worker_count = 0 - worker_count = null - zone_balancing_enabled = true - } - - app_settings = merge( - local.function_lollipop.app_settings, - { "AzureWebJobs.HandlePubKeyRevoke.Disabled" = "0" }, - ) - - sticky_app_setting_names = ["AzureWebJobs.HandlePubKeyRevoke.Disabled"] - - internal_storage = { - "enable" = true, - "private_endpoint_subnet_id" = data.azurerm_subnet.itn_pep.id, - "private_dns_zone_blob_ids" = [data.azurerm_private_dns_zone.privatelink_blob_core_windows_net.id], - "private_dns_zone_queue_ids" = [data.azurerm_private_dns_zone.privatelink_queue_core_windows_net.id], - "private_dns_zone_table_ids" = [data.azurerm_private_dns_zone.privatelink_table_core_windows_net.id], - "queues" = [], - "containers" = [], - "blobs_retention_days" = 0, - } - - subnet_id = azurerm_subnet.lollipop_snet_itn.id - - # Action groups for alerts - action = [ - { - action_group_id = data.azurerm_monitor_action_group.error_action_group.id - webhook_properties = {} - } - ] - - tags = var.tags -} - -module "function_lollipop_staging_slot_itn" { - source = "github.com/pagopa/terraform-azurerm-v3//function_app_slot?ref=v8.28.2" - - name = "staging" - location = local.itn_location - resource_group_name = azurerm_resource_group.lollipop_rg_itn.name - function_app_id = module.function_lollipop_itn.id - app_service_plan_id = module.function_lollipop_itn.app_service_plan_id - health_check_path = "/info" - - storage_account_name = module.function_lollipop_itn.storage_account.name - storage_account_access_key = module.function_lollipop_itn.storage_account.primary_access_key - 
internal_storage_connection_string = module.function_lollipop_itn.storage_account_internal_function.primary_connection_string - - node_version = "18" - always_on = "true" - runtime_version = "~4" - application_insights_instrumentation_key = data.azurerm_application_insights.application_insights.instrumentation_key - - app_settings = merge( - local.function_lollipop.app_settings, - { "AzureWebJobs.HandlePubKeyRevoke.Disabled" = "1" }, - ) - - subnet_id = azurerm_subnet.lollipop_snet_itn.id - - allowed_subnets = [ - data.azurerm_subnet.azdoa_snet[0].id, - ] - - tags = var.tags -} - -resource "azurerm_monitor_autoscale_setting" "function_lollipop_itn" { - name = replace(module.function_lollipop_itn.name, "-fn-", "-as-") - resource_group_name = azurerm_resource_group.lollipop_rg_itn.name - location = local.itn_location - target_resource_id = module.function_lollipop_itn.app_service_plan_id - - profile { - name = "evening" - - capacity { - default = 10 - minimum = 4 - maximum = 20 - } - - recurrence { - timezone = "W. 
Europe Standard Time" - hours = [19] - minutes = [30] - days = [ - "Monday", - "Tuesday", - "Wednesday", - "Thursday", - "Friday", - "Saturday", - "Sunday" - ] - } - - rule { - metric_trigger { - metric_name = "Requests" - metric_resource_id = module.function_lollipop_itn.id - metric_namespace = "microsoft.web/sites" - time_grain = "PT1M" - statistic = "Max" - time_window = "PT1M" - time_aggregation = "Maximum" - operator = "GreaterThan" - threshold = 2500 - divide_by_instance_count = true - } - - scale_action { - direction = "Increase" - type = "ChangeCount" - value = "2" - cooldown = "PT1M" - } - } - - rule { - metric_trigger { - metric_name = "CpuPercentage" - metric_resource_id = module.function_lollipop_itn.app_service_plan_id - metric_namespace = "microsoft.web/serverfarms" - time_grain = "PT1M" - statistic = "Max" - time_window = "PT1M" - time_aggregation = "Maximum" - operator = "GreaterThan" - threshold = 35 - divide_by_instance_count = false - } - - scale_action { - direction = "Increase" - type = "ChangeCount" - value = "4" - cooldown = "PT1M" - } - } - - rule { - metric_trigger { - metric_name = "Requests" - metric_resource_id = module.function_lollipop_itn.id - metric_namespace = "microsoft.web/sites" - time_grain = "PT1M" - statistic = "Average" - time_window = "PT5M" - time_aggregation = "Average" - operator = "LessThan" - threshold = 200 - divide_by_instance_count = true - } - - scale_action { - direction = "Decrease" - type = "ChangeCount" - value = "1" - cooldown = "PT1M" - } - } - - rule { - metric_trigger { - metric_name = "CpuPercentage" - metric_resource_id = module.function_lollipop_itn.app_service_plan_id - metric_namespace = "microsoft.web/serverfarms" - time_grain = "PT1M" - statistic = "Average" - time_window = "PT5M" - time_aggregation = "Average" - operator = "LessThan" - threshold = 15 - divide_by_instance_count = false - } - - scale_action { - direction = "Decrease" - type = "ChangeCount" - value = "1" - cooldown = "PT1M" - } - } - } 
- - profile { - name = "{\"name\":\"default\",\"for\":\"evening\"}" - - recurrence { - timezone = "W. Europe Standard Time" - hours = [22] - minutes = [59] - days = [ - "Monday", - "Tuesday", - "Wednesday", - "Thursday", - "Friday", - "Saturday", - "Sunday" - ] - } - - capacity { - default = 10 - minimum = 3 - maximum = 30 - } - - rule { - metric_trigger { - metric_name = "Requests" - metric_resource_id = module.function_lollipop_itn.id - metric_namespace = "microsoft.web/sites" - time_grain = "PT1M" - statistic = "Max" - time_window = "PT1M" - time_aggregation = "Maximum" - operator = "GreaterThan" - threshold = 3000 - divide_by_instance_count = true - } - - scale_action { - direction = "Increase" - type = "ChangeCount" - value = "2" - cooldown = "PT1M" - } - } - - rule { - metric_trigger { - metric_name = "CpuPercentage" - metric_resource_id = module.function_lollipop_itn.app_service_plan_id - metric_namespace = "microsoft.web/serverfarms" - time_grain = "PT1M" - statistic = "Max" - time_window = "PT1M" - time_aggregation = "Maximum" - operator = "GreaterThan" - threshold = 35 - divide_by_instance_count = false - } - - scale_action { - direction = "Increase" - type = "ChangeCount" - value = "4" - cooldown = "PT1M" - } - } - - rule { - metric_trigger { - metric_name = "Requests" - metric_resource_id = module.function_lollipop_itn.id - metric_namespace = "microsoft.web/sites" - time_grain = "PT1M" - statistic = "Average" - time_window = "PT5M" - time_aggregation = "Average" - operator = "LessThan" - threshold = 300 - divide_by_instance_count = true - } - - scale_action { - direction = "Decrease" - type = "ChangeCount" - value = "1" - cooldown = "PT1M" - } - } - - rule { - metric_trigger { - metric_name = "CpuPercentage" - metric_resource_id = module.function_lollipop_itn.app_service_plan_id - metric_namespace = "microsoft.web/serverfarms" - time_grain = "PT1M" - statistic = "Average" - time_window = "PT5M" - time_aggregation = "Average" - operator = "LessThan" - 
threshold = 15 - divide_by_instance_count = false - } - - scale_action { - direction = "Decrease" - type = "ChangeCount" - value = "1" - cooldown = "PT2M" - } - } - } - - profile { - name = module.common_values.scaling_gate.name - - fixed_date { - timezone = module.common_values.scaling_gate.timezone - start = module.common_values.scaling_gate.start - end = module.common_values.scaling_gate.end - } - - capacity { - default = 20 - minimum = 15 - maximum = 30 - } - - rule { - metric_trigger { - metric_name = "Requests" - metric_resource_id = module.function_lollipop_itn.id - metric_namespace = "microsoft.web/sites" - time_grain = "PT1M" - statistic = "Max" - time_window = "PT1M" - time_aggregation = "Maximum" - operator = "GreaterThan" - threshold = 3000 - divide_by_instance_count = true - } - - scale_action { - direction = "Increase" - type = "ChangeCount" - value = "2" - cooldown = "PT1M" - } - } - - rule { - metric_trigger { - metric_name = "CpuPercentage" - metric_resource_id = module.function_lollipop_itn.app_service_plan_id - metric_namespace = "microsoft.web/serverfarms" - time_grain = "PT1M" - statistic = "Max" - time_window = "PT1M" - time_aggregation = "Maximum" - operator = "GreaterThan" - threshold = 35 - divide_by_instance_count = false - } - - scale_action { - direction = "Increase" - type = "ChangeCount" - value = "4" - cooldown = "PT1M" - } - } - - rule { - metric_trigger { - metric_name = "Requests" - metric_resource_id = module.function_lollipop_itn.id - metric_namespace = "microsoft.web/sites" - time_grain = "PT1M" - statistic = "Average" - time_window = "PT5M" - time_aggregation = "Average" - operator = "LessThan" - threshold = 300 - divide_by_instance_count = true - } - - scale_action { - direction = "Decrease" - type = "ChangeCount" - value = "1" - cooldown = "PT1M" - } - } - - rule { - metric_trigger { - metric_name = "CpuPercentage" - metric_resource_id = module.function_lollipop_itn.app_service_plan_id - metric_namespace = 
"microsoft.web/serverfarms" - time_grain = "PT1M" - statistic = "Average" - time_window = "PT5M" - time_aggregation = "Average" - operator = "LessThan" - threshold = 15 - divide_by_instance_count = false - } - - scale_action { - direction = "Decrease" - type = "ChangeCount" - value = "1" - cooldown = "PT2M" - } - } - } - - tags = var.tags -} - -# --------------------------------- -# Alerts -# --------------------------------- - -resource "azurerm_monitor_scheduled_query_rules_alert_v2" "alert_function_lollipop_itn_HandlePubKeyRevoke_failure" { - - name = "[${upper(var.domain)}|${module.function_lollipop_itn.name}] The revocation of one or more PubKeys has failed" - resource_group_name = azurerm_resource_group.lollipop_rg_itn.name - location = var.location - - // check once per day - evaluation_frequency = "P1D" - window_duration = "P1D" - scopes = [data.azurerm_application_insights.application_insights.id] - severity = 1 - criteria { - query = <<-QUERY -exceptions -| where cloud_RoleName == "${module.function_lollipop_itn.name}" -| where outerMessage startswith "HandlePubKeyRevoke|" -| extend - event_name = tostring(customDimensions.name), - event_maxRetryCount = toint(customDimensions.maxRetryCount), - event_retryCount = toint(customDimensions.retryCount), - event_assertionRef = tostring(customDimensions.assertionRef), - event_detail = tostring(customDimensions.detail), - event_fatal = tostring(customDimensions.fatal), - event_isSuccess = tostring(customDimensions.isSuccess), - event_modelId = tostring(customDimensions.modelId) -| where event_name == "lollipop.pubKeys.revoke.failure" and event_retryCount == event_maxRetryCount-1 - QUERY - time_aggregation_method = "Count" - threshold = 1 - operator = "GreaterThanOrEqual" - - failing_periods { - minimum_failing_periods_to_trigger_alert = 1 - number_of_evaluation_periods = 1 - } - } - - auto_mitigation_enabled = false - description = "One or more PubKey has not been revoked. 
Please, check the poison-queue and re-schedule the operation." - enabled = true - action { - action_groups = [data.azurerm_monitor_action_group.error_action_group.id] - } - - tags = var.tags -} diff --git a/src/domains/citizen-auth-app/07_data.tf b/src/domains/citizen-auth-app/07_data.tf new file mode 100644 index 000000000..79e637ed1 --- /dev/null +++ b/src/domains/citizen-auth-app/07_data.tf @@ -0,0 +1,9 @@ +data "azurerm_linux_function_app" "function_web_profile" { + name = format("%s-webprof-func-01", local.short_project_itn) + resource_group_name = format("%s-webprof-rg-01", local.short_project_itn) +} + +data "azurerm_linux_function_app" "function_lollipop_itn_v2" { + name = format("%s-lollipop-func-02", local.short_project_itn) + resource_group_name = format("%s-lollipop-rg-02", local.short_project_itn) +} diff --git a/src/domains/citizen-auth-app/08_session_manager.tf b/src/domains/citizen-auth-app/08_session_manager.tf index 4df8946d8..a095c3be5 100644 --- a/src/domains/citizen-auth-app/08_session_manager.tf +++ b/src/domains/citizen-auth-app/08_session_manager.tf @@ -146,7 +146,7 @@ locals { # Functions Lollipop config LOLLIPOP_API_BASE_PATH = "/api/v1" - LOLLIPOP_API_URL = "https://${module.function_lollipop_itn.default_hostname}" + LOLLIPOP_API_URL = "https://${data.azurerm_linux_function_app.function_lollipop_itn_v2.default_hostname}" LOLLIPOP_API_KEY = data.azurerm_key_vault_secret.functions_lollipop_api_key.value LOLLIPOP_REVOKE_STORAGE_CONNECTION_STRING = data.azurerm_storage_account.lollipop_assertion_storage.primary_connection_string 
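Review bot: `LOLLIPOP_API_URL` now targets the func-02 app resolved through `data.azurerm_linux_function_app.function_lollipop_itn_v2`, but `LOLLIPOP_API_KEY` on the next line still reads the unchanged `data.azurerm_key_vault_secret.functions_lollipop_api_key`, whose definition is outside this hunk. If that secret is a Functions host key it is specific to one app, so a key issued for the previous lollipop function would be rejected by the new host once this is applied; worth confirming the Key Vault secret was rotated to the func-02 key together with this change. A short comment next to the URL, e.g. `# func-02 host; the API key below must be the one issued for this app`, keeps the pairing visible. The enclosing locals block starts and ends outside the hunk.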
@@ -284,53 +284,6 @@ module "session_manager_weu" { tags = var.tags } -module "session_manager_weu_04" { - source = "github.com/pagopa/terraform-azurerm-v3//app_service?ref=v8.28.1" - - # App service plan - plan_type = "internal" - plan_name = format("%s-session-manager-asp-04", local.common_project) - zone_balancing_enabled = true - sku_name = var.session_manager_plan_sku_name - - # App service - name = "${local.app_name_weu}-04" - resource_group_name = azurerm_resource_group.session_manager_rg_weu.name - location = var.location - - always_on = true - node_version = "20-lts" - # NOTE: - # 1. index.js file is generated from the deploy pipeline - # 2. the linux container for app services already has pm2 installed - # (refer to https://learn.microsoft.com/en-us/azure/app-service/configure-language-nodejs?pivots=platform-linux#run-with-pm2) - app_command_line = "pm2 start index.js -i max --no-daemon" - health_check_path = "/healthcheck" - health_check_maxpingfailures = 2 - - auto_heal_enabled = true - auto_heal_settings = { - startup_time = "00:05:00" - slow_requests_count = 50 - slow_requests_interval = "00:01:00" - slow_requests_time = "00:00:10" - } - - app_settings = merge( - local.app_settings_common, - { - APPINSIGHTS_CLOUD_ROLE_NAME = "${local.app_name_weu}-04" - } - ) - sticky_settings = concat(["APPINSIGHTS_CLOUD_ROLE_NAME"]) - - subnet_id = module.session_manager_snet_04.id - vnet_integration = true - public_network_access_enabled = false - - tags = var.tags -} - ## staging slot module "session_manager_weu_staging" { source = "github.com/pagopa/terraform-azurerm-v3//app_service_slot?ref=v8.28.1" 
@@ -383,44 +336,3 @@ module "session_manager_weu_staging" { tags = var.tags } - -module "session_manager_weu_staging_04" { - source = "github.com/pagopa/terraform-azurerm-v3//app_service_slot?ref=v8.28.1" - - app_service_id = module.session_manager_weu_04.id - app_service_name = module.session_manager_weu_04.name - - name = "staging" - resource_group_name = azurerm_resource_group.session_manager_rg_weu.name - location = var.location - - always_on = true - node_version = "20-lts" - # NOTE: - # 1. index.js file is generated from the deploy pipeline - # 2. the linux container for app services already has pm2 installed - # (refer to https://learn.microsoft.com/en-us/azure/app-service/configure-language-nodejs?pivots=platform-linux#run-with-pm2) - app_command_line = "pm2 start index.js -i max --no-daemon" - health_check_path = "/healthcheck" - - auto_heal_enabled = true - auto_heal_settings = { - startup_time = "00:05:00" - slow_requests_count = 50 - slow_requests_interval = "00:01:00" - slow_requests_time = "00:00:10" - } - - app_settings = merge( - local.app_settings_common, - { - APPINSIGHTS_CLOUD_ROLE_NAME = "${module.session_manager_weu_04.name}-staging" - } - ) - - subnet_id = module.session_manager_snet_04.id - vnet_integration = true - public_network_access_enabled = false - - tags = var.tags -} diff --git a/src/domains/citizen-auth-app/09_function_profile.tf b/src/domains/citizen-auth-app/09_function_profile.tf index c7800c355..ef51dacd1 100644 --- a/src/domains/citizen-auth-app/09_function_profile.tf +++ b/src/domains/citizen-auth-app/09_function_profile.tf 
@@ -9,12 +9,12 @@ data "azurerm_key_vault_secret" "ioweb_profile_function_api_key" { } data "azurerm_key_vault_secret" "common_MAILUP_USERNAME" { - name = "common-MAILUP2-USERNAME" + name = "common-MAILUP-AI-USERNAME" key_vault_id = data.azurerm_key_vault.kv_common.id } data "azurerm_key_vault_secret" "common_MAILUP_SECRET" { - name = "common-MAILUP2-SECRET" + name = "common-MAILUP-AI-SECRET" key_vault_id = data.azurerm_key_vault.kv_common.id } @@ -121,7 +121,7 @@ locals { # Login Email variables MAGIC_LINK_SERVICE_API_KEY = data.azurerm_key_vault_secret.ioweb_profile_function_api_key.value - MAGIC_LINK_SERVICE_PUBLIC_URL = format("https://%s-%s-%s-ioweb-profile-fn.azurewebsites.net", var.prefix, var.env_short, var.location_short) + MAGIC_LINK_SERVICE_PUBLIC_URL = format("https://%s-auth-webprof-func-01.azurewebsites.net", local.common_project_itn) IOWEB_ACCESS_REF = "https://ioapp.it" # 
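Review bot: `MAGIC_LINK_SERVICE_PUBLIC_URL` hand-assembles the webprof hostname (`%s-auth-webprof-func-01.azurewebsites.net` from `local.common_project_itn`), while the new 07_data.tf in this commit looks the same app up as `format("%s-webprof-func-01", local.short_project_itn)`; one name spelled two ways from two different locals will drift. If both refer to the same function app, deriving the URL from the data source gives a single source of truth and fails at plan time when the app is missing: `MAGIC_LINK_SERVICE_PUBLIC_URL = "https://${data.azurerm_linux_function_app.function_web_profile.default_hostname}"`. The enclosing locals block starts and ends outside the hunk.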
@@ -413,110 +413,6 @@ resource "azurerm_monitor_autoscale_setting" "function_profile" { } } } - - profile { - name = module.common_values.scaling_gate.name - - fixed_date { - timezone = module.common_values.scaling_gate.timezone - start = module.common_values.scaling_gate.start - end = module.common_values.scaling_gate.end - } - - capacity { - default = 20 - minimum = 15 - maximum = 30 - } - - rule { - metric_trigger { - metric_name = "Requests" - metric_resource_id = module.function_profile[count.index].id - metric_namespace = "microsoft.web/sites" - time_grain = "PT1M" - statistic = "Max" - time_window = "PT2M" - time_aggregation = "Maximum" - operator = "GreaterThan" - threshold = 2000 - divide_by_instance_count = true - } - - scale_action { - direction = "Increase" - type = "ChangeCount" - value = "2" - cooldown = "PT1M" - } - } - - rule { - metric_trigger { - metric_name = "CpuPercentage" - metric_resource_id = module.function_profile[count.index].app_service_plan_id - metric_namespace = "microsoft.web/serverfarms" - time_grain = "PT1M" - statistic = "Max" - time_window = "PT1M" - time_aggregation = "Maximum" - operator = "GreaterThan" - threshold = 40 - divide_by_instance_count = false - } - - scale_action { - direction = "Increase" - type = "ChangeCount" - value = "4" - cooldown = "PT1M" - } - } - - rule { - metric_trigger { - metric_name = "Requests" - metric_resource_id = module.function_profile[count.index].id - metric_namespace = "microsoft.web/sites" - time_grain = "PT1M" - statistic = "Average" - time_window = "PT5M" - time_aggregation = "Average" - operator = "LessThan" - threshold = 200 - divide_by_instance_count = true - } - - scale_action { - direction = "Decrease" - type = "ChangeCount" - value = "1" - cooldown = "PT1M" - } - } - - rule { - metric_trigger { - metric_name = "CpuPercentage" - metric_resource_id = module.function_profile[count.index].app_service_plan_id - metric_namespace = "microsoft.web/serverfarms" - time_grain = "PT1M" - 
statistic = "Average" - time_window = "PT5M" - time_aggregation = "Average" - operator = "LessThan" - threshold = 15 - divide_by_instance_count = false - } - - scale_action { - direction = "Decrease" - type = "ChangeCount" - value = "1" - cooldown = "PT2M" - } - } - } } ## Alerts diff --git a/src/domains/citizen-auth-app/10_function_public.tf b/src/domains/citizen-auth-app/10_function_public.tf index 9ff1b3a68..96b6d8c47 100644 --- a/src/domains/citizen-auth-app/10_function_public.tf +++ b/src/domains/citizen-auth-app/10_function_public.tf @@ -150,6 +150,28 @@ resource "azurerm_monitor_autoscale_setting" "function_public_itn" { } } + rule { + metric_trigger { + metric_name = "Requests" + metric_resource_id = data.azurerm_linux_function_app.function_web_profile.id + metric_namespace = "microsoft.web/sites" + time_grain = "PT1M" + statistic = "Average" + time_window = "PT5M" + time_aggregation = "Average" + operator = "GreaterThan" + threshold = 3000 + divide_by_instance_count = false + } + + scale_action { + direction = "Increase" + type = "ChangeCount" + value = "2" + cooldown = "PT5M" + } + } + rule { metric_trigger { metric_name = "CpuPercentage" @@ -194,6 +216,28 @@ resource "azurerm_monitor_autoscale_setting" "function_public_itn" { } } + rule { + metric_trigger { + metric_name = "Requests" + metric_resource_id = data.azurerm_linux_function_app.function_web_profile.id + metric_namespace = "microsoft.web/sites" + time_grain = "PT1M" + statistic = "Average" + time_window = "PT5M" + time_aggregation = "Average" + operator = "LessThan" + threshold = 2000 + divide_by_instance_count = false + } + + scale_action { + direction = "Decrease" + type = "ChangeCount" + value = "1" + cooldown = "PT20M" + } + } + rule { metric_trigger { metric_name = "CpuPercentage" diff --git a/src/domains/citizen-auth-app/99_variables.tf b/src/domains/citizen-auth-app/99_variables.tf index ab9e8d19c..838b96111 100644 --- a/src/domains/citizen-auth-app/99_variables.tf 
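Review bot: The added rules (this hunk and `@@ -194,6 +216,28 @@` below) scale `function_public_itn` on the `Requests` metric of `data.azurerm_linux_function_app.function_web_profile`, a different app from the one the autoscale setting is named for, and nothing in the hunk says why. Presumably both apps run on the plan this setting targets, but a reader cannot tell that from the rule, and a cross-app `metric_resource_id` otherwise looks like a copy-paste of the wrong id. A comment on each new `metric_trigger`, e.g. `# webprof-func-01 shares this plan, so its request volume also drives scaling`, would make the intent explicit. The enclosing resource block starts before the hunk.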
+++ b/src/domains/citizen-auth-app/99_variables.tf @@ -181,24 +181,12 @@ variable "cidr_subnet_session_manager" { description = "Session manager app service address space." } -variable "cidr_subnet_session_manager_04" { - type = list(string) - description = "Session manager app service instance 4 address space." -} - variable "session_manager_plan_sku_name" { description = "App service plan sku name" type = string default = "P1v3" } -variable "session_manager_autoscale_settings" { - type = object({ - autoscale_minimum = number - autoscale_maximum = number - autoscale_default = number - }) -} #################### # DNS @@ -219,7 +207,7 @@ variable "dns_zone_io" { ################################ variable "function_profile_count" { type = number - default = 2 + default = 1 } variable "cidr_subnet_profile_itn" { diff --git a/src/domains/citizen-auth-app/README.md b/src/domains/citizen-auth-app/README.md index bb4dd076b..1101813c5 100644 --- a/src/domains/citizen-auth-app/README.md +++ b/src/domains/citizen-auth-app/README.md 
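Review bot: `function_profile_count` still has no `description`; the README hunk later in this commit shows terraform-docs filling that cell with the `# Function Profile` banner comment instead. Add one, e.g. `description = "Number of function_profile instances to create (module.function_profile is count-indexed)."`. Unless an environment tfvars already pins this variable (none appears in the diff), lowering the default from 2 to 1 also removes `module.function_profile[1]` on the next apply; if that is intended it deserves a line in the commit message.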
@@ -24,8 +24,6 @@ | [common\_values](#module\_common\_values) | ../../_modules/common_values | n/a | | [fn\_profile\_async\_snet](#module\_fn\_profile\_async\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.44.0 | | [fn\_profile\_snet](#module\_fn\_profile\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.44.0 | -| [function\_lollipop\_itn](#module\_function\_lollipop\_itn) | github.com/pagopa/terraform-azurerm-v3//function_app | v8.28.2 | -| [function\_lollipop\_staging\_slot\_itn](#module\_function\_lollipop\_staging\_slot\_itn) | github.com/pagopa/terraform-azurerm-v3//function_app_slot | v8.28.2 | | [function\_profile](#module\_function\_profile) | git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app | v8.44.0 | | [function\_profile\_async](#module\_function\_profile\_async) | git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app | v8.44.0 | | [function\_profile\_async\_staging\_slot](#module\_function\_profile\_async\_staging\_slot) | git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app_slot | v8.44.0 | 
@@ -34,11 +32,8 @@ | [function\_public\_staging\_slot\_itn](#module\_function\_public\_staging\_slot\_itn) | git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app_slot | v8.44.0 | | [locked\_profiles\_storage](#module\_locked\_profiles\_storage) | github.com/pagopa/terraform-azurerm-v3//storage_account | v8.27.0 | | [session\_manager\_snet](#module\_session\_manager\_snet) | github.com/pagopa/terraform-azurerm-v3//subnet | v8.22.0 | -| [session\_manager\_snet\_04](#module\_session\_manager\_snet\_04) | github.com/pagopa/terraform-azurerm-v3//subnet | v8.22.0 | | [session\_manager\_weu](#module\_session\_manager\_weu) | github.com/pagopa/terraform-azurerm-v3//app_service | v8.28.1 | -| [session\_manager\_weu\_04](#module\_session\_manager\_weu\_04) | github.com/pagopa/terraform-azurerm-v3//app_service | v8.28.1 | | [session\_manager\_weu\_staging](#module\_session\_manager\_weu\_staging) | github.com/pagopa/terraform-azurerm-v3//app_service_slot | v8.28.1 | -| [session\_manager\_weu\_staging\_04](#module\_session\_manager\_weu\_staging\_04) | github.com/pagopa/terraform-azurerm-v3//app_service_slot | v8.28.1 | | [shared\_snet\_itn](#module\_shared\_snet\_itn) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.44.0 | | [tests](#module\_tests) | ../../_modules/test_users | n/a | 
@@ -47,37 +42,28 @@ | Name | Type | |------|------| | [azurerm_app_service_plan.shared_plan_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_plan) | resource | -| [azurerm_monitor_autoscale_setting.function_lollipop_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource | | [azurerm_monitor_autoscale_setting.function_profile](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource | | [azurerm_monitor_autoscale_setting.function_profile_async](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource | | [azurerm_monitor_autoscale_setting.function_public_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource | | [azurerm_monitor_metric_alert.function_profile_async_health_check](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource | | [azurerm_monitor_metric_alert.function_profile_health_check](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource | -| [azurerm_monitor_scheduled_query_rules_alert_v2.alert_function_lollipop_itn_HandlePubKeyRevoke_failure](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert_v2) | resource | | [azurerm_monitor_scheduled_query_rules_alert_v2.samlresponse_missing_detection_alert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert_v2) | resource | | [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource | -| 
[azurerm_private_endpoint.function_lollipop_itn_sites](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | | [azurerm_private_endpoint.function_profile_async_itn_sites](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | | [azurerm_private_endpoint.function_profile_itn_sites](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | | [azurerm_private_endpoint.function_public_itn_sites](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | | [azurerm_private_endpoint.locked_profiles_storage_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | | [azurerm_private_endpoint.session_manager_sites](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | -| [azurerm_private_endpoint.session_manager_sites_04](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | -| [azurerm_private_endpoint.staging_function_lollipop_itn_sites](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | | [azurerm_private_endpoint.staging_function_profile_async_itn_sites](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | | [azurerm_private_endpoint.staging_function_profile_itn_sites](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | | [azurerm_private_endpoint.staging_function_public_itn_sites](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | | 
[azurerm_private_endpoint.staging_session_manager_sites](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | -| [azurerm_private_endpoint.staging_session_manager_sites_04](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | | [azurerm_resource_group.function_profile_async_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.function_profile_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | -| [azurerm_resource_group.lollipop_rg_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.session_manager_rg_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.shared_rg_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_storage_table.locked_profiles](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_table) | resource | -| [azurerm_subnet.lollipop_snet_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource | | [azurerm_subnet_nat_gateway_association.session_manager_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_nat_gateway_association) | resource | -| [azurerm_subnet_nat_gateway_association.session_manager_snet_04](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_nat_gateway_association) | resource | | [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | | 
[azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | | [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | @@ -100,7 +86,6 @@ | [azurerm_key_vault_secret.app_backend_UNIQUE_EMAIL_ENFORCEMENT_USER](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.common_MAILUP_SECRET](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.common_MAILUP_USERNAME](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | -| [azurerm_key_vault_secret.first_lollipop_consumer_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.fn_app_AZURE_NH_ENDPOINT](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.fn_app_PUBLIC_API_KEY](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.fn_app_SPID_LOGS_PUBLIC_KEY](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | 
@@ -117,6 +102,8 @@ | [azurerm_key_vault_secret.session_manager_JWT_ZENDESK_SUPPORT_TOKEN_SECRET](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.session_manager_TEST_LOGIN_PASSWORD](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.session_manager_UNIQUE_EMAIL_ENFORCEMENT_USER](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | +| [azurerm_linux_function_app.function_lollipop_itn_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source | +| [azurerm_linux_function_app.function_web_profile](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source | | [azurerm_linux_function_app.itn_auth_lv_func](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source | | [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source | | [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | 
@@ -154,11 +141,9 @@ | [azurerm_subnet.apim_v2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.app_backend_l1_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.app_backend_l2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | -| [azurerm_subnet.app_backend_l3_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.appgateway_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.azdoa_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.fims_op_app_snet_01](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | -| [azurerm_subnet.ioweb_profile_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.itn_pep](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.self_hosted_runner_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | 
@@ -178,7 +163,6 @@ | [cidr\_subnet\_profile\_async\_itn](#input\_cidr\_subnet\_profile\_async\_itn) | Function app address space. | `list(string)` | n/a | yes | | [cidr\_subnet\_profile\_itn](#input\_cidr\_subnet\_profile\_itn) | Function app address space. | `list(string)` | n/a | yes | | [cidr\_subnet\_session\_manager](#input\_cidr\_subnet\_session\_manager) | Session manager app service address space. | `list(string)` | n/a | yes | -| [cidr\_subnet\_session\_manager\_04](#input\_cidr\_subnet\_session\_manager\_04) | Session manager app service instance 4 address space. | `list(string)` | n/a | yes | | [cidr\_subnet\_shared\_1](#input\_cidr\_subnet\_shared\_1) | n/a | `list(string)` | n/a | yes | | [dns\_zone\_io](#input\_dns\_zone\_io) | The dns subdomain. | `string` | `null` | no | | [domain](#input\_domain) | n/a | `string` | n/a | yes | 
@@ -196,7 +180,7 @@ | [function\_profile\_async\_autoscale\_minimum](#input\_function\_profile\_async\_autoscale\_minimum) | The minimum number of instances for this resource. | `number` | `1` | no | | [function\_profile\_async\_kind](#input\_function\_profile\_async\_kind) | App service plan kind | `string` | `null` | no | | [function\_profile\_async\_sku\_size](#input\_function\_profile\_async\_sku\_size) | App service plan sku size | `string` | `null` | no | -| [function\_profile\_count](#input\_function\_profile\_count) | ############################### Function Profile ############################### | `number` | `2` | no | +| [function\_profile\_count](#input\_function\_profile\_count) | ############################### Function Profile ############################### | `number` | `1` | no | | [function\_profile\_kind](#input\_function\_profile\_kind) | App service plan kind | `string` | `null` | no | | [function\_profile\_sku\_size](#input\_function\_profile\_sku\_size) | App service plan sku size | `string` | `null` | no | | [function\_public\_autoscale\_default](#input\_function\_public\_autoscale\_default) | The number of instances that are available for scaling if metrics are not available for evaluation. | `number` | `1` | no | @@ -218,7 +202,6 @@ | [plan\_shared\_1\_sku\_tier](#input\_plan\_shared\_1\_sku\_tier) | App service plan sku tier | `string` | `null` | no | | [prefix](#input\_prefix) | n/a | `string` | n/a | yes | | [reloader\_helm](#input\_reloader\_helm) | reloader helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | -| [session\_manager\_autoscale\_settings](#input\_session\_manager\_autoscale\_settings) | n/a |
object({
autoscale_minimum = number
autoscale_maximum = number
autoscale_default = number
})
| n/a | yes | | [session\_manager\_plan\_sku\_name](#input\_session\_manager\_plan\_sku\_name) | App service plan sku name | `string` | `"P1v3"` | no | | [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | | [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | diff --git a/src/domains/citizen-auth-app/env/weu-prod01/terraform.tfvars b/src/domains/citizen-auth-app/env/weu-prod01/terraform.tfvars index 3235c527a..0375517ad 100644 --- a/src/domains/citizen-auth-app/env/weu-prod01/terraform.tfvars +++ b/src/domains/citizen-auth-app/env/weu-prod01/terraform.tfvars @@ -78,13 +78,7 @@ function_public_autoscale_maximum = 30 function_public_autoscale_default = 10 # Session manager -cidr_subnet_session_manager = ["10.0.149.0/26"] -cidr_subnet_session_manager_04 = ["10.0.149.64/26"] -session_manager_autoscale_settings = { - autoscale_minimum = 3 - autoscale_default = 3 - autoscale_maximum = 30 -} +cidr_subnet_session_manager = ["10.0.149.0/26"] # DNS external_domain = "pagopa.it" diff --git a/src/domains/citizen-auth-common/06_data.tf b/src/domains/citizen-auth-common/06_data.tf index a796b5800..9dab40ee3 100644 --- a/src/domains/citizen-auth-common/06_data.tf +++ b/src/domains/citizen-auth-common/06_data.tf @@ -25,11 +25,11 @@ data "azurerm_user_assigned_identity" "managed_identity_auth_n_identity_infra_cd # ITN LOLLIPOP FUNCTION data "azurerm_resource_group" "lollipop_function_rg" { - name = format("%s-itn-lollipop-rg-01", local.product) + name = format("%s-auth-lollipop-rg-02", local.common_project_itn) } data "azurerm_linux_function_app" "lollipop_function" { - name = format("%s-itn-lollipop-fn-01", local.product) + name = format("%s-auth-lollipop-func-02", local.common_project_itn) resource_group_name = data.azurerm_resource_group.lollipop_function_rg.name } ####################### @@ -66,4 +66,4 @@ data "azurerm_linux_function_app" "functions_fast_login" { data "azurerm_key_vault_secret" "functions_fast_login_api_key" { name = "io-fn-weu-fast-login-KEY-APIM" key_vault_id = module.key_vault.id -} \ No newline at end of file +} diff --git a/src/domains/elt/_modules/function_apps/monitor.tf b/src/domains/elt/_modules/function_apps/monitor.tf index ed6b5dfc1..07cca2d6b 100644 
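Review bot: The renamed lookups resolve the func-02 lollipop app as `format("%s-auth-lollipop-func-02", local.common_project_itn)`, while `citizen-auth-app/07_data.tf` (new in this commit) resolves what looks like the same app as `format("%s-lollipop-func-02", local.short_project_itn)`. If both are meant to hit one function app, its name is now assembled two ways from two different locals and either side can drift silently on the next rename. A comment on one side cross-referencing the other, or a single naming local shared by the two domains, would keep them aligned; the same applies to the resource-group name a few lines above.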
--- a/src/domains/elt/_modules/function_apps/monitor.tf +++ b/src/domains/elt/_modules/function_apps/monitor.tf @@ -25,7 +25,11 @@ resource "azurerm_monitor_scheduled_query_rules_alert_v2" "service_preferences_f location = var.location scopes = [data.azurerm_storage_account.function_elt_internal_storage.id] - description = "Permanent failures processing Service Preferences export to PDND. REQUIRED MANUAL ACTION" + description = <<-EOT + Permanent failures processing Service Preferences export to PDND. REQUIRED MANUAL ACTION. + For more info see runbook + https://pagopa.atlassian.net/wiki/spaces/IAEI/pages/1417412755/Fallimenti+ingestion+data-lake + EOT severity = 1 auto_mitigation_enabled = false @@ -59,7 +63,11 @@ resource "azurerm_monitor_scheduled_query_rules_alert_v2" "profiles_failure_aler location = var.location scopes = [data.azurerm_storage_account.function_elt_internal_storage.id] - description = "Permanent failures processing Profiles export to PDND. REQUIRED MANUAL ACTION" + description = <<-EOT + Permanent failures processing Profiles export to PDND. REQUIRED MANUAL ACTION. + For more info see runbook + https://pagopa.atlassian.net/wiki/spaces/IAEI/pages/1417412755/Fallimenti+ingestion+data-lake + EOT severity = 1 auto_mitigation_enabled = false @@ -93,7 +101,11 @@ resource "azurerm_monitor_scheduled_query_rules_alert_v2" "profile_deletion_fail location = var.location scopes = [data.azurerm_storage_account.function_elt_internal_storage.id] - description = "Permanent failures processing Profiles export to PDND. REQUIRED MANUAL ACTION" + description = <<-EOT + Permanent failures processing Profiles deletions export to PDND. REQUIRED MANUAL ACTION. + For more info see runbook + https://pagopa.atlassian.net/wiki/spaces/IAEI/pages/1417412755/Fallimenti+ingestion+data-lake + EOT severity = 1 auto_mitigation_enabled = false 
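Review bot: The same runbook URL is now pasted into three alert descriptions (this hunk and the two that follow); when the page moves, three edits are needed and one is easily missed. A module-level local, for example `local.pdnd_ingestion_runbook_url`, interpolated in each heredoc keeps the link in one place. The enclosing resource blocks start and end outside these hunks.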
diff --git a/src/domains/eucovidcert/_modules/function_apps/data.tf b/src/domains/eucovidcert/_modules/function_apps/data.tf index e0cc679ce..43f8bc789 100644 --- a/src/domains/eucovidcert/_modules/function_apps/data.tf +++ b/src/domains/eucovidcert/_modules/function_apps/data.tf @@ -9,6 +9,12 @@ data "azurerm_subnet" "snet_apim_v2" { resource_group_name = local.resource_group_name_common } +data "azurerm_subnet" "apim_itn_snet" { + name = "io-p-itn-apim-snet-01" + virtual_network_name = local.vnet_common_name_itn + resource_group_name = local.vnet_common_resource_group_name_itn +} + data "azurerm_subnet" "snet_azdoa" { name = "azure-devops" virtual_network_name = local.vnet_name_common @@ -27,12 +33,6 @@ data "azurerm_subnet" "snet_backendl2" { resource_group_name = local.resource_group_name_common } -data "azurerm_subnet" "snet_backendl3" { - name = "appbackendl3" - virtual_network_name = local.vnet_name_common - resource_group_name = local.resource_group_name_common -} - data "azurerm_linux_function_app" "function_services" { count = 2 name = "${var.project}-services-fn-${count.index + 1}" @@ -112,4 +112,4 @@ data "azurerm_key_vault_secret" "fn_eucovidcert_FNSERVICES_API_KEY" { data "azurerm_monitor_action_group" "error_action_group" { name = "${replace("${var.project}", "-", "")}error" resource_group_name = local.resource_group_name_common -} \ No newline at end of file +} diff --git a/src/domains/eucovidcert/_modules/function_apps/function_app_eucovidcert.tf b/src/domains/eucovidcert/_modules/function_apps/function_app_eucovidcert.tf index e717bed04..3c607d280 100644 --- a/src/domains/eucovidcert/_modules/function_apps/function_app_eucovidcert.tf +++ b/src/domains/eucovidcert/_modules/function_apps/function_app_eucovidcert.tf 
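Review bot: The new `apim_itn_snet` subnet is looked up by the literal name `io-p-itn-apim-snet-01`, while its `virtual_network_name` and `resource_group_name` come from locals derived from `var.project` and `local.itn_location_short` (added in locals.tf in this commit). If `var.project` is `io-p` in this environment the literal works only here; `name = "${var.project}-${local.itn_location_short}-apim-snet-01"` keeps all three fields derived the same way.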
@@ -39,7 +39,7 @@ module "function_eucovidcert" { data.azurerm_subnet.snet_backendl1.id, data.azurerm_subnet.snet_backendl2.id, data.azurerm_subnet.snet_apim_v2.id, - data.azurerm_subnet.snet_backendl3.id + data.azurerm_subnet.apim_itn_snet.id ] tags = var.tags @@ -78,7 +78,7 @@ module "function_eucovidcert_staging_slot" { data.azurerm_subnet.snet_backendl1.id, data.azurerm_subnet.snet_backendl2.id, data.azurerm_subnet.snet_apim_v2.id, - data.azurerm_subnet.snet_backendl3.id + data.azurerm_subnet.apim_itn_snet.id ] tags = var.tags diff --git a/src/domains/eucovidcert/_modules/function_apps/locals.tf b/src/domains/eucovidcert/_modules/function_apps/locals.tf index 959524b5b..28af80540 100644 --- a/src/domains/eucovidcert/_modules/function_apps/locals.tf +++ b/src/domains/eucovidcert/_modules/function_apps/locals.tf @@ -52,3 +52,11 @@ locals { } } } + +# Region ITN +locals { + itn_location_short = "itn" + + vnet_common_name_itn = "${var.project}-${local.itn_location_short}-common-vnet-01" + vnet_common_resource_group_name_itn = "${var.project}-${local.itn_location_short}-common-rg-01" +} diff --git a/src/domains/functions/README.md b/src/domains/functions/README.md index b28a3a8af..a62ef00a8 100644 --- a/src/domains/functions/README.md +++ b/src/domains/functions/README.md 
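Review bot: Swapping `snet_backendl3` for `apim_itn_snet` in both subnet lists (lines 39 and 78) changes which networks the function app accepts, presumably via its allowed-subnet setting since the attribute name sits above the hunk: the appbackendl3 subnet loses access at the same moment the ITN APIM subnet gains it, so any client still running in appbackendl3 is refused after apply. If that cut-over is intended, a comment on the list, `# appbackendl3 removed: traffic now arrives through the ITN APIM subnet`, makes the access change explicit; if not, the new entry should be added alongside the old one rather than replace it. The `module "function_eucovidcert"` and `module "function_eucovidcert_staging_slot"` blocks start and end outside the hunks.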
@@ -42,6 +42,8 @@ | [azurerm_monitor_metric_alert.function_assets_health_check](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource | | [azurerm_monitor_metric_alert.function_assets_http_server_errors](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource | | [azurerm_monitor_metric_alert.function_assets_response_time](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource | +| [azurerm_monitor_scheduled_query_rules_alert_v2.alert_failed_delete_procedure](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert_v2) | resource | +| [azurerm_monitor_scheduled_query_rules_alert_v2.alert_failed_download_procedure](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert_v2) | resource | | [azurerm_resource_group.admin_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.services_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_app_service.appservice_app_backendli](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/app_service) | data source | 
@@ -74,6 +76,7 @@ | [azurerm_key_vault_secret.fn_services_webhook_channel_aks_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.fn_services_webhook_channel_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_monitor_action_group.error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | +| [azurerm_monitor_action_group.io_auth_error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | | [azurerm_monitor_action_group.io_com_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | | [azurerm_private_dns_zone.privatelink_blob_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | | [azurerm_private_dns_zone.privatelink_queue_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | diff --git a/src/domains/functions/data.tf b/src/domains/functions/data.tf index c076eb802..ca391d2a5 100644 --- a/src/domains/functions/data.tf +++ b/src/domains/functions/data.tf @@ -33,6 +33,11 @@ data "azurerm_monitor_action_group" "io_com_action_group" { resource_group_name = "io-p-itn-msgs-rg-01" } +data "azurerm_monitor_action_group" "io_auth_error_action_group" { + name = "io-p-itn-auth-error-ag-01" + resource_group_name = "io-p-itn-auth-common-rg-01" +} + data "azurerm_private_dns_zone" "privatelink_queue_core" { name = "privatelink.queue.core.windows.net" resource_group_name = local.rg_common_name 
@@ -73,12 +78,12 @@ data "azurerm_key_vault_secret" "app_backend_PRE_SHARED_KEY" { # MAILUP data "azurerm_key_vault_secret" "common_MAILUP_USERNAME" { - name = "common-MAILUP2-USERNAME" + name = "common-MAILUP-AI-USERNAME" key_vault_id = data.azurerm_key_vault.common.id } data "azurerm_key_vault_secret" "common_MAILUP_SECRET" { - name = "common-MAILUP2-SECRET" + name = "common-MAILUP-AI-SECRET" key_vault_id = data.azurerm_key_vault.common.id } diff --git a/src/domains/functions/function_admin.tf b/src/domains/functions/function_admin.tf index 04b3d7228..8335e4350 100644 --- a/src/domains/functions/function_admin.tf +++ b/src/domains/functions/function_admin.tf 
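Review bot: The MAILUP credentials are switched to the `common-MAILUP-AI-USERNAME` / `common-MAILUP-AI-SECRET` secrets, but nothing in the hunk records what happens to the superseded `common-MAILUP2-*` entries; once the consumers of these data sources have been redeployed with the new values, the old secrets should be disabled or removed from the vault so a retired credential is not left retrievable to every principal with `Get` on it. The `# MAILUP` header could carry that decision, e.g. `# MAILUP — credentials moved to the MAILUP-AI secrets; the MAILUP2 entries are superseded and to be retired`. Both data source blocks fit entirely within the hunk.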
@@ -299,6 +299,96 @@ module "function_admin_staging_slot" { tags = var.tags } +// ---------------------------------------------------- +// Alerts +// ---------------------------------------------------- +resource "azurerm_monitor_scheduled_query_rules_alert_v2" "alert_failed_delete_procedure" { + enabled = true + name = "[IO-AUTH | ${module.function_admin.name}] Found one or more failed DELETE procedures" + resource_group_name = azurerm_resource_group.admin_rg.name + scopes = [data.azurerm_application_insights.application_insights.id] + description = < [apim\_itn\_bff\_api](#module\_apim\_itn\_bff\_api) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api | v4.1.5 | -| [apim\_v2\_bff\_api](#module\_apim\_v2\_bff\_api) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api | v4.1.5 | -| [function\_ioweb\_profile](#module\_function\_ioweb\_profile) | git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app | v5.2.0 | -| [function\_ioweb\_profile\_staging\_slot](#module\_function\_ioweb\_profile\_staging\_slot) | git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app_slot | v5.2.0 | -| [ioweb\_profile\_snet](#module\_ioweb\_profile\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.15 | +No modules. 
## Resources | Name | Type | |------|------| -| [azurerm_api_management_api_operation_policy.unlock_user_session_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource | -| [azurerm_api_management_api_operation_policy.unlock_user_session_policy_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource | -| [azurerm_api_management_named_value.io_fn3_services_key_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource | -| [azurerm_api_management_named_value.io_fn3_services_key_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource | | [azurerm_key_vault_secret.exchange_jwt_private_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.exchange_jwt_pub_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.magic_link_jwe_private_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.magic_link_jwe_pub_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | -| [azurerm_monitor_autoscale_setting.function_ioweb_profile](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource | -| [azurerm_monitor_scheduled_query_rules_alert_v2.alert_too_much_calls_on_unlock](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert_v2) | resource | -| 
[azurerm_monitor_scheduled_query_rules_alert_v2.alert_too_much_invalid_codes_on_unlock](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert_v2) | resource | | [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource | | [azurerm_resource_group.base_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.ioweb_profile_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | 
@@ -59,12 +46,8 @@ | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | | [azurerm_key_vault.key_vault_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | | [azurerm_key_vault.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | -| [azurerm_key_vault_secret.api_beta_testers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | -| [azurerm_key_vault_secret.functions_app_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | -| [azurerm_key_vault_secret.functions_fast_login_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.io_fn3_services_key_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | -| [azurerm_key_vault_secret.spid_login_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | -| [azurerm_key_vault_secret.spid_login_jwt_pub_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | +| [azurerm_linux_function_app.function_web_profile](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source | | [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source | | [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | | 
[azurerm_monitor_action_group.error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | @@ -96,12 +79,10 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [application\_insights\_name](#input\_application\_insights\_name) | Specifies the name of the Application Insights. | `string` | n/a | yes | -| [cidr\_subnet\_fniowebprofile](#input\_cidr\_subnet\_fniowebprofile) | Functions ioweb profile address space | `list(string)` | `null` | no | | [domain](#input\_domain) | n/a | `string` | n/a | yes | | [enable\_azdoa](#input\_enable\_azdoa) | n/a | `bool` | n/a | yes | | [env](#input\_env) | n/a | `string` | n/a | yes | | [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes | -| [function\_ioweb\_profile](#input\_function\_ioweb\_profile) | n/a |
object({
autoscale_minimum = number
autoscale_maximum = number
autoscale_default = number
sku_size = string
kind = string
})
| n/a | yes | | [ingress\_load\_balancer\_ip](#input\_ingress\_load\_balancer\_ip) | n/a | `string` | n/a | yes | | [instance](#input\_instance) | One of prod01 | `string` | n/a | yes | | [k8s\_kube\_config\_path\_prefix](#input\_k8s\_kube\_config\_path\_prefix) | n/a | `string` | `"~/.kube"` | no | diff --git a/src/domains/ioweb-app/api/bff/_base_policy.xml b/src/domains/ioweb-app/api/bff/_base_policy.xml deleted file mode 100644 index 878fa0743..000000000 --- a/src/domains/ioweb-app/api/bff/_base_policy.xml +++ /dev/null @@ -1,26 +0,0 @@ - - - - - - - - - - - - - - - diff --git a/src/domains/ioweb-app/api/bff/policy.xml b/src/domains/ioweb-app/api/bff/policy.xml deleted file mode 100644 index 7112c9bc9..000000000 --- a/src/domains/ioweb-app/api/bff/policy.xml +++ /dev/null @@ -1,31 +0,0 @@ - - - - - {{ioweb-profile-api-key}} - - - - https://ioapp.it/ - - - OPTIONS - GET - POST - - -
Content-Type
-
Authorization
-
-
-
- - - - - - - - - -
diff --git a/src/domains/ioweb-app/api/bff/post_unlockusersession_policy/policy.xml b/src/domains/ioweb-app/api/bff/post_unlockusersession_policy/policy.xml deleted file mode 100644 index 30a3d2062..000000000 --- a/src/domains/ioweb-app/api/bff/post_unlockusersession_policy/policy.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - - - - - - - - - - - - - - diff --git a/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars b/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars index 7145a489e..353b13c2d 100644 --- a/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars +++ b/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars @@ -44,13 +44,3 @@ tls_cert_check_helm = { ### Aks ingress_load_balancer_ip = "10.11.0.254" - -### Fn ioweb-profile -cidr_subnet_fniowebprofile = ["10.0.117.0/24"] -function_ioweb_profile = { - kind = "Linux" - sku_size = "P1v3" - autoscale_minimum = 2 - autoscale_maximum = 30 - autoscale_default = 2 -} diff --git a/src/domains/ioweb-common/.terraform.lock.hcl b/src/domains/ioweb-common/.terraform.lock.hcl index fbaef71b8..da3fd1141 100644 --- a/src/domains/ioweb-common/.terraform.lock.hcl +++ b/src/domains/ioweb-common/.terraform.lock.hcl 
@@ -25,31 +25,31 @@ provider "registry.terraform.io/hashicorp/azuread" { } provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.40.0" - constraints = ">= 3.30.0, <= 3.40.0, <= 3.53.0, <= 3.71.0, <= 3.85.0" + version = "3.116.0" + constraints = "~> 3.30, ~> 3.76, ~> 3.95, != 3.97.0, != 3.97.1, <= 3.116.0" hashes = [ - "h1:/Jbhw/zNAsDYDoASaG6w+0KZyay9BkUVOpR8b7m0CsA=", - "h1:7Vfig36efXmcsWQSZwdB+bqZLtoZ/RyytY9lXHx9Fic=", - "h1:VpRitAMc2wjUH/2jCz9MtZZd83UFxwTCamjRvIh/Nvg=", - "h1:dSM3nwscFP/OmH5Kr5FGao+9DjIXUEECnbMtWdrQOdg=", - "zh:00fa6dc05bf2643c6a3c741edb7d88263698086835a8a613f1d7bd76d1b918fd", - "zh:0da9b788e773272a7aa9d59bd9e3d5842edd4acc8c3895bea469e66dc14205a0", - "zh:25a8c39d1f042fc7c83ba9dd745c3569ea9e577fadb57563a575fb115ac2b9f1", - "zh:4423666dbeae8bc22c6e8898ffbb88745681dc27668ca9104b665dd7f3d7292c", - "zh:78c07308e7407b558d15737a98fb5eaf15529d297fc3798de6a7d61e0466e2e3", - "zh:894aca7e6f4f331ee8eb51957a180dc03d399d2b1727e0d7842e9b3f022a8c6a", - "zh:bb0e620c2161b4c4892a6f50b1c4c69ed70f66bb5e92543a03d79d0e4b1d9441", - "zh:c7d8e6a791159ca63b30908c9efe72ab65f60d64b30f0c1eb5a64972f4994844", - "zh:d04c11bfd346c1ac34d16bbdca70b23b006e822f6beb236b85375e8343888eb4", - "zh:f4edea9660327c7c70a823d786fd1b1c1b186c8759770447f63da72f23e1a73c", + "h1:2QbjtN4oMXzdA++Nvrj/wSmWZTPgXKOSFGGQCLEMrb4=", + "h1:BCR3NIorFSvGG3v/+JOiiw3VM4PkChLO4m84wzD9NDo=", + "h1:SJM/KQDW9blKFmLMaupsZVYtcZ0fYpjLHEriMgCBGCY=", + "h1:jwwbQ09fH1RdcNsknt1AkvfSUbULsl7nZQn6S8fabFI=", + "zh:02b6606aff025fc2a962b3e568e000300abe959adac987183c24dac8eb057f4d", + "zh:2a23a8ce24ff9e885925ffee0c3ea7eadba7a702541d05869275778aa47bdea7", + "zh:57d10746384baeca4d5c56e88872727cdc150f437b8c5e14f0542127f7475e24", + "zh:59e3ebde1a2e1e094c671e179f231ead60684390dbf02d2b1b7fe67a228daa1a", + "zh:5f1f5c7d09efa2ee8ddf21bd9efbbf8286f6e90047556bef305c062fa0ac5880", + "zh:a40646aee3c9907276dab926e6123a8d70b1e56174836d4c59a9992034f88d70", + "zh:c21d40461bc5836cf56ad3d93d2fc47f61138574a55e972ad5ff1cb73bab66dc", + 
"zh:c56fb91a5ae66153ba0f737a26da1b3d4f88fdef7d41c63e06c5772d93b26953", + "zh:d1e60e85f51d12fc150aeab8e31d3f18f859c32f927f99deb5b74cb1e10087aa", + "zh:ed35e727e7d79e687cd3d148f52b442961ede286e7c5b4da1dcd9f0128009466", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f986e268949cf445ff53a66af48a87c6f6dba5964e8a5b1dc0ea02afabdd71f7", + "zh:f6d2a4e7c58f44e7d04a4a9c73f35ed452f412c97c85def68c4b52814cbe03ab", ] } provider "registry.terraform.io/hashicorp/null" { version = "3.2.1" - constraints = "<= 3.2.1" + constraints = "~> 3.2, <= 3.2.1" hashes = [ "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", 
@@ -71,23 +71,23 @@ provider "registry.terraform.io/hashicorp/null" { } provider "registry.terraform.io/hashicorp/tls" { - version = "4.0.4" + version = "4.0.6" hashes = [ - "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=", - "h1:Wd3RqmQW60k2QWPN4sK5CtjGuO1d+CRNXgC+D4rKtXc=", - "h1:pe9vq86dZZKCm+8k1RhzARwENslF3SXb9ErHbQfgjXU=", - "h1:rKKMyIEBZwR+8j6Tx3PwqBrStuH+J+pxcbCR5XN8WAw=", - "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", - "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", - "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", - "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", - "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", - "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", - "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", - "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", - "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", - "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", - "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", + "h1:/sSdjHoiykrPdyBP1JE03V/KDgLXnHZhHcSOYIdDH/A=", + "h1:17Y+vdYNKgphpe1/SU5PBnGuYKEJkJZ7MZCnmAwsAGQ=", + "h1:dYSb3V94K5dDMtrBRLPzBpkMTPn+3cXZ/kIJdtFL+2M=", + "h1:n3M50qfWfRSpQV9Pwcvuse03pEizqrmYEryxKky4so4=", + "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", + "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", + "zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", + "zh:6c475491d1250050765a91a493ef330adc24689e8837a0f07da5a0e1269e11c1", + "zh:81bde94d53cdababa5b376bbc6947668be4c45ab655de7aa2e8e4736dfd52509", + "zh:abdce260840b7b050c4e401d4f75c7a199fafe58a8b213947a258f75ac18b3e8", + "zh:b754cebfc5184873840f16a642a7c9ef78c34dc246a8ae29e056c79939963c7a", + "zh:c928b66086078f9917aef0eec15982f2e337914c5c4dbc31dd4741403db7eb18", + 
"zh:cded27bee5f24de6f2ee0cfd1df46a7f88e84aaffc2ecbf3ff7094160f193d50", + "zh:d65eb3867e8f69aaf1b8bb53bd637c99c6b649ba3db16ded50fa9a01076d1a27", + "zh:ecb0c8b528c7a619fa71852bb3fb5c151d47576c5aab2bf3af4db52588722eeb", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } diff --git a/src/domains/ioweb-common/01_network.tf b/src/domains/ioweb-common/01_network.tf index c6e85d0e8..698ce3f85 100644 --- a/src/domains/ioweb-common/01_network.tf +++ b/src/domains/ioweb-common/01_network.tf @@ -32,15 +32,21 @@ data "azurerm_subnet" "apim_v2_snet" { resource_group_name = local.vnet_common_resource_group_name } -data "azurerm_subnet" "ioweb_profile_snet" { - name = format("%s-%s-ioweb-profile-snet", local.product, var.location_short) - virtual_network_name = local.vnet_common_name - resource_group_name = local.vnet_common_resource_group_name +data "azurerm_subnet" "apim_itn_snet" { + name = "io-p-itn-apim-snet-01" + virtual_network_name = local.vnet_common_name_itn + resource_group_name = local.vnet_common_resource_group_name_itn +} + +data "azurerm_subnet" "ioweb_profile_itn_snet" { + name = format("%s-auth-webprof-func-snet-01", local.common_project_itn) + virtual_network_name = local.vnet_common_name_itn + resource_group_name = local.vnet_common_resource_group_name_itn } ## redis spid login subnet module "redis_spid_login_snet" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.15" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.56.0" name = format("%s-redis-spid-login-snet", local.project) address_prefixes = var.subnets_cidrs.redis_spid_login resource_group_name = local.vnet_common_resource_group_name 
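Review bot: The `redis_spid_login_snet` module reference jumps from `v4.1.15` to `v8.56.0` of terraform-azurerm-v3 with its inputs left untouched; four major versions of the subnet module may have changed defaults such as private endpoint network policies or service endpoints, so the plan for this subnet should be checked for in-place changes beyond the ref bump rather than assumed to be a no-op. The same ref is applied to the other module blocks in this commit (`spid_login_snet`, `key_vault`, the storage, redis, APIM and CDN modules), and the same check applies to each. The `redis_spid_login_snet` module block continues outside the hunk.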
@@ -51,7 +57,7 @@ module "redis_spid_login_snet" { ## spid_login subnet module "spid_login_snet" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.15" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.56.0" name = format("%s-spid-login-snet", local.project) address_prefixes = var.subnets_cidrs.spid_login resource_group_name = local.vnet_common_resource_group_name diff --git a/src/domains/ioweb-common/01_network_itn.tf b/src/domains/ioweb-common/01_network_itn.tf new file mode 100644 index 000000000..b68b5f94b --- /dev/null +++ b/src/domains/ioweb-common/01_network_itn.tf @@ -0,0 +1,10 @@ +data "azurerm_virtual_network" "common_itn" { + name = "${local.common_project_itn}-common-vnet-01" + resource_group_name = "${local.common_project_itn}-common-rg-01" +} + +data "azurerm_subnet" "private_endpoints_subnet_itn" { + name = "${local.common_project_itn}-pep-snet-01" + virtual_network_name = data.azurerm_virtual_network.common_itn.name + resource_group_name = data.azurerm_virtual_network.common_itn.resource_group_name +} diff --git a/src/domains/ioweb-common/02_security.tf b/src/domains/ioweb-common/02_security.tf index 9e796cc44..80096d32b 100644 --- a/src/domains/ioweb-common/02_security.tf +++ b/src/domains/ioweb-common/02_security.tf @@ -6,7 +6,7 @@ resource "azurerm_resource_group" "sec_rg" { } module "key_vault" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v4.1.3" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v8.56.0" name = "${local.product}-${var.domain}-kv" location = azurerm_resource_group.sec_rg.location 
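Review bot: In the new `01_network_itn.tf`, `common_itn` builds the VNet name as `"${local.common_project_itn}-common-vnet-01"` and its resource group as `"${local.common_project_itn}-common-rg-01"`, while the `apim_itn_snet` and `ioweb_profile_itn_snet` data sources added to `01_network.tf` reach what looks like the same network through `local.vnet_common_name_itn` and `local.vnet_common_resource_group_name_itn`. If those locals expand to the same strings (their definitions are not in this diff), the two subnet lookups could use `data.azurerm_virtual_network.common_itn.name` and `.resource_group_name` as `private_endpoints_subnet_itn` already does, leaving one naming source for the ITN common VNet.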
@@ -24,7 +24,7 @@ resource "azurerm_key_vault_access_policy" "adgroup_admin" { tenant_id = data.azurerm_client_config.current.tenant_id object_id = data.azuread_group.adgroup_admin.object_id - key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ] + key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "GetRotationPolicy"] secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ] storage_permissions = [] certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ] @@ -37,7 +37,7 @@ resource "azurerm_key_vault_access_policy" "adgroup_developers" { tenant_id = data.azurerm_client_config.current.tenant_id object_id = data.azuread_group.adgroup_developers.object_id - key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ] + key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "GetRotationPolicy"] secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ] storage_permissions = [] certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ] @@ -50,7 +50,7 @@ resource "azurerm_key_vault_access_policy" "access_policy_io_infra_ci" { tenant_id = data.azurerm_client_config.current.tenant_id object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_ci.principal_id - key_permissions = ["Get", "List"] + key_permissions = ["Get", "List", "GetRotationPolicy"] secret_permissions = ["Get", "List"] certificate_permissions = ["Get", "List"] } @@ -61,7 +61,7 @@ resource "azurerm_key_vault_access_policy" "access_policy_io_infra_cd" { tenant_id = data.azurerm_client_config.current.tenant_id object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_cd.principal_id - key_permissions = ["Get", "List"] + key_permissions = ["Get", "List", "GetRotationPolicy"] secret_permissions = ["Get", "List"] certificate_permissions = ["Get", "List"] } 
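Review bot: `GetRotationPolicy` is added to the key permissions of four access policies without a comment saying why; presumably it is the read the azurerm provider performs when refreshing `azurerm_key_vault_key` resources after the provider bump in this commit, and a note on the first policy such as `# GetRotationPolicy: read by the azurerm provider when refreshing key_vault_key resources` would stop the next reviewer from reading it as a widening of the CI/CD identities' rights. The permission is read-only, so it stays within the least-privilege scope of `io_infra_ci` / `io_infra_cd`; whether the admin and developers groups also need `SetRotationPolicy` to manage rotation is not settled by this hunk. The trailing `", ]"` form is dropped from the rewritten `key_permissions` lines but kept on the adjacent `secret_permissions` and `certificate_permissions` lines; one style should be used throughout.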
diff --git a/src/domains/ioweb-common/03_storage.tf b/src/domains/ioweb-common/03_storage.tf index 2e82a0a47..e9500202e 100644 --- a/src/domains/ioweb-common/03_storage.tf +++ b/src/domains/ioweb-common/03_storage.tf @@ -7,7 +7,7 @@ locals { # Immutable SPID LOGS Storage ###################### module "immutable_spid_logs_storage" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v7.32.1" + source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v8.56.0" name = replace(format("%s-spid-logs-im-st", local.project), "-", "") domain = upper(var.domain) @@ -37,7 +37,7 @@ module "immutable_spid_logs_storage" { } module "immutable_spid_logs_storage_customer_managed_key" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key?ref=v7.32.1" + source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key?ref=v8.56.0" tenant_id = data.azurerm_subscription.current.tenant_id location = var.location resource_group_name = azurerm_resource_group.storage_rg.name diff --git a/src/domains/ioweb-common/04_redis.tf b/src/domains/ioweb-common/04_redis.tf index 89d34875a..aff091088 100644 --- a/src/domains/ioweb-common/04_redis.tf +++ b/src/domains/ioweb-common/04_redis.tf @@ -3,7 +3,7 @@ * [REDIS V6] */ module "redis_spid_login" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache?ref=v6.11.2" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache?ref=v8.56.0" name = format("%s-redis-std-v6", local.project) resource_group_name = azurerm_resource_group.common_rg.name location = azurerm_resource_group.common_rg.location @@ -12,6 +12,7 @@ module "redis_spid_login" { sku_name = "Standard" redis_version = "6" enable_authentication = true + zones = null // when azure can apply patch? patch_schedules = [{ 
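Review bot: `zones = null` is added to `redis_spid_login` with no comment, so a reader cannot tell whether it overrides a module default that became incompatible with the `Standard` SKU after the bump to `v8.56.0` or merely restates the default; the module's default is not visible here. A one-line comment, `zones = null # Standard SKU: no zone redundancy, override the module default`, would record the reason next to the value. The module block continues past the hunk.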
diff --git a/src/domains/ioweb-common/05_apim_itn.tf b/src/domains/ioweb-common/05_apim_itn.tf index a12099262..5738ba213 100644 --- a/src/domains/ioweb-common/05_apim_itn.tf +++ b/src/domains/ioweb-common/05_apim_itn.tf @@ -1,7 +1,7 @@ # API Product module "apim_itn_product_ioweb" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v4.1.5" + source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v8.56.0" product_id = "io-web-api" display_name = "IO WEB API" @@ -18,7 +18,7 @@ module "apim_itn_product_ioweb" { } module "apim_itn_spid_login_api" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v4.1.5" + source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v8.56.0" name = format("%s-ioweb-auth", local.product) api_management_name = data.azurerm_api_management.apim_itn_api.name diff --git a/src/domains/ioweb-common/05_apim_v2.tf b/src/domains/ioweb-common/05_apim_v2.tf index 5eb2c1cee..dfc08c63e 100644 --- a/src/domains/ioweb-common/05_apim_v2.tf +++ b/src/domains/ioweb-common/05_apim_v2.tf @@ -1,7 +1,7 @@ # API Product module "apim_v2_product_ioweb" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v4.1.5" + source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v8.56.0" product_id = "io-web-api" display_name = "IO WEB API" @@ -18,7 +18,7 @@ module "apim_v2_product_ioweb" { } module "apim_v2_spid_login_api" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v4.1.5" + source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v8.56.0" name = format("%s-ioweb-auth", local.product) api_management_name = data.azurerm_api_management.apim_v2_api.name 
diff --git a/src/domains/ioweb-common/05_resource_group.tf b/src/domains/ioweb-common/05_resource_group.tf index 70cf2ccba..66a00b807 100644 --- a/src/domains/ioweb-common/05_resource_group.tf +++ b/src/domains/ioweb-common/05_resource_group.tf @@ -18,3 +18,12 @@ resource "azurerm_resource_group" "storage_rg" { tags = var.tags } + +data "azurerm_resource_group" "common_rg_weu" { + name = "${local.product}-rg-common" +} + +# core domain external rg +data "azurerm_resource_group" "core_ext" { + name = format("%s-rg-external", local.product) +} diff --git a/src/domains/ioweb-common/06_cdn.tf b/src/domains/ioweb-common/06_cdn.tf index 988193f2c..639610e64 100644 --- a/src/domains/ioweb-common/06_cdn.tf +++ b/src/domains/ioweb-common/06_cdn.tf @@ -1,15 +1,5 @@ -# core domain external rg -data "azurerm_resource_group" "core_ext" { - name = format("%s-rg-external", local.product) -} - -data "azurerm_dns_zone" "ioapp_it" { - name = "ioapp.it" - resource_group_name = data.azurerm_resource_group.core_ext.name -} - module "landing_cdn" { - source = "github.com/pagopa/terraform-azurerm-v3.git//cdn?ref=v7.59.0" + source = "github.com/pagopa/terraform-azurerm-v3.git//cdn?ref=v8.56.0" name = "portal" prefix = local.project @@ -22,6 +12,8 @@ module "landing_cdn" { index_document = "index.html" error_404_document = "it/404/index.html" + advanced_threat_protection_enabled = false + dns_zone_name = data.azurerm_dns_zone.ioapp_it.name dns_zone_resource_group_name = data.azurerm_resource_group.core_ext.name diff --git a/src/domains/ioweb-common/06_cdn_itn.tf b/src/domains/ioweb-common/06_cdn_itn.tf new file mode 100644 index 000000000..b29e6248f --- /dev/null +++ b/src/domains/ioweb-common/06_cdn_itn.tf 
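Review bot: The two data sources added to `05_resource_group.tf` build their names in different styles within the same hunk, `"${local.product}-rg-common"` versus `format("%s-rg-external", local.product)`; one form, e.g. `name = "${local.product}-rg-external"`, reads better. Since `core_ext` is moved here from `06_cdn.tf`, the `# core domain external rg` comment could also name the consumers (`landing_cdn` and the new ITN CDN) so the reason it lives at top level is clear.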
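Review bot: `advanced_threat_protection_enabled = false` is introduced for `landing_cdn` with no rationale; switching off Defender for Storage on the account that serves the public portal is a deliberate security-posture choice and deserves a comment such as `# ATP disabled: [reason — e.g. covered by the subscription-level Defender plan]` so it is not silently carried forward through future module bumps. If the protection is indeed enabled at subscription level, saying so here answers the question for the next reviewer. The `landing_cdn` module block continues outside the hunk; moving `core_ext` and `ioapp_it` out of this file does not change behaviour.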
@@ -0,0 +1,226 @@
+data "azurerm_dns_zone" "ioapp_it" {
+ name = "ioapp.it"
+ resource_group_name = data.azurerm_resource_group.core_ext.name
+}
+
+resource "azurerm_resource_group" "io_web_profile_itn_fe_rg" {
+ name = format("%s-fe-rg-01", local.project_itn)
+ location = local.itn_location
+
+ tags = var.tags
+}
+
+module "io_web_profile_itn_fe_st" {
+ source = "github.com/pagopa/dx//infra/modules/azure_storage_account?ref=main"
+
+ // s tier -> Standard LRS
+ // l tier -> Standard ZRS
+ tier = "l"
+
+ # NOTE: domain omitted for characters shortage
+ environment = {
+ prefix = var.prefix
+ env_short = var.env_short
+ location = local.itn_location
+ app_name = replace("ioweb-profile", "-", "")
+ instance_number = "01"
+ }
+ access_tier = "Hot"
+
+ resource_group_name = azurerm_resource_group.io_web_profile_itn_fe_rg.name
+ subnet_pep_id = data.azurerm_subnet.private_endpoints_subnet_itn.id
+ private_dns_zone_resource_group_name = data.azurerm_resource_group.common_rg_weu.name
+
+ force_public_network_access_enabled = true
+ subservices_enabled = {
+ blob = true
+ }
+ blob_features = {
+ versioning = true
+ change_feed = {
+ enabled = false
+ }
+ immutability_policy = {
+ enabled = false
+ }
+ }
+
+ static_website = {
+ enabled = true
+ index_document = "index.html"
+ error_404_document = "it/404/index.html"
+ }
+
+ tags = var.tags
+}
+
+#####################
+# CDN
+#####################
+resource "azurerm_cdn_frontdoor_profile" "portal_profile" {
+ name = format("%s-%s-profile-portal-afd-01", local.product, var.domain)
+ resource_group_name = azurerm_resource_group.io_web_profile_itn_fe_rg.name
+ sku_name = "Standard_AzureFrontDoor"
+
+ tags = var.tags
+}
+
+resource "azurerm_cdn_frontdoor_endpoint" "portal_cdn_endpoint" {
+ name = format("%s-profile-fde-01", local.project_itn)
+ cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.portal_profile.id
+
+ tags = var.tags
+}
+
+resource "azurerm_cdn_frontdoor_origin_group" "portal_cdn_origin_group" {
+ name =
format("%s-profile-fdog-01", local.project_itn)
+ cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.portal_profile.id
+
+ load_balancing {
+ # latency in milliseconds for probes to fall into the lowest latency bucket.
+ # defaults to 50
+ additional_latency_in_milliseconds = 5
+ }
+}
+
+resource "azurerm_cdn_frontdoor_origin" "portal_cdn_origin" {
+ name = format("%s-profile-fdo-01", local.project_itn)
+ enabled = true
+ cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.portal_cdn_origin_group.id
+ host_name = module.io_web_profile_itn_fe_st.primary_web_host
+ certificate_name_check_enabled = true
+ origin_host_header = module.io_web_profile_itn_fe_st.primary_web_host
+}
+
+resource "azurerm_cdn_frontdoor_rule_set" "portal_cdn_rule_set" {
+ name = "Ruleset"
+ cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.portal_profile.id
+}
+
+resource "azurerm_cdn_frontdoor_rule" "portal_cdn_rule_global" {
+ depends_on = [azurerm_cdn_frontdoor_origin_group.portal_cdn_origin_group, azurerm_cdn_frontdoor_origin.portal_cdn_origin]
+
+ name = "Global"
+ cdn_frontdoor_rule_set_id = azurerm_cdn_frontdoor_rule_set.portal_cdn_rule_set.id
+
+ # NOTE: A Front Door Rule with a lesser order value will be applied before a rule with a greater order value.
+ # If the Front Door Rule has an order value of 0 they do not require any conditions and the actions will always be applied.
+ order = 0
+
+ actions {
+ response_header_action {
+ header_name = "Strict-Transport-Security"
+ header_action = "Overwrite"
+ value = "max-age=31536000" # 1 year
+ }
+ response_header_action {
+ header_name = "Content-Security-Policy"
+ header_action = "Append"
+ value = "script-src 'self' 'unsafe-inline'; worker-src 'none'; font-src data: 'self'; object-src 'none';"
+ }
+ response_header_action {
+ header_name = "Cache-Control"
+ header_action = "Overwrite"
+ value = "no-cache"
+ }
+ }
+}
+
+# This rule ensures that root files are always taken from the blob storage, therefore
+# surpassing the caching internal capabilities of the CDN profile.
+resource "azurerm_cdn_frontdoor_rule" "portal_cdn_rule_rootfiles" {
+ depends_on = [azurerm_cdn_frontdoor_origin_group.portal_cdn_origin_group, azurerm_cdn_frontdoor_origin.portal_cdn_origin]
+ name = "TakeRootFilesFromStorage"
+ cdn_frontdoor_rule_set_id = azurerm_cdn_frontdoor_rule_set.portal_cdn_rule_set.id
+
+ # NOTE: A Front Door Rule with a lesser order value will be applied before a rule with a greater order value.
+ # If the Front Door Rule has an order value of 0 they do not require any conditions and the actions will always be applied.
+ order = 1
+
+ # IF
+ conditions {
+ request_uri_condition {
+ operator = "EndsWith"
+ match_values = ["/"]
+ }
+
+ }
+ # THEN
+ actions {
+ route_configuration_override_action {
+ cache_behavior = "Disabled"
+ }
+ }
+}
+
+resource "azurerm_cdn_frontdoor_route" "portal_cdn_route" {
+ depends_on = [
+ azurerm_cdn_frontdoor_origin_group.portal_cdn_origin_group,
+ azurerm_cdn_frontdoor_origin.portal_cdn_origin,
+ azurerm_cdn_frontdoor_endpoint.portal_cdn_endpoint,
+ azurerm_cdn_frontdoor_rule_set.portal_cdn_rule_set
+ ]
+
+ name = format("%s-profile-fdr-01", local.project_itn)
+ enabled = true
+
+ cdn_frontdoor_origin_group_id = azurerm_cdn_frontdoor_origin_group.portal_cdn_origin_group.id
+ cdn_frontdoor_origin_ids = [azurerm_cdn_frontdoor_origin.portal_cdn_origin.id]
+ cdn_frontdoor_endpoint_id = azurerm_cdn_frontdoor_endpoint.portal_cdn_endpoint.id
+ cdn_frontdoor_rule_set_ids = [azurerm_cdn_frontdoor_rule_set.portal_cdn_rule_set.id]
+ cdn_frontdoor_custom_domain_ids = [azurerm_cdn_frontdoor_custom_domain.portal_custom_domain.id]
+
+ supported_protocols = ["Http", "Https"]
+ https_redirect_enabled = true
+ patterns_to_match = ["/*"]
+
+ cache {
+ query_string_caching_behavior = "IgnoreQueryString"
+ compression_enabled = false
+ }
+}
+
+resource "azurerm_cdn_frontdoor_custom_domain" "portal_custom_domain" {
+ name = "account-ioapp-it"
+ cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.portal_profile.id
+
+ dns_zone_id = data.azurerm_dns_zone.ioapp_it.id
+ host_name = "account.ioapp.it"
+
+ tls {
+ certificate_type = "ManagedCertificate"
+ minimum_tls_version = "TLS12"
+ }
+}
+
+resource "azurerm_cdn_frontdoor_custom_domain_association" "portal_cdn_domain_association" {
+ cdn_frontdoor_custom_domain_id = azurerm_cdn_frontdoor_custom_domain.portal_custom_domain.id
+ cdn_frontdoor_route_ids = [azurerm_cdn_frontdoor_route.portal_cdn_route.id]
+}
+#####################
+
+#####################
+# DNS ZONE UPDATE
+#####################
+resource
"azurerm_dns_cname_record" "account" {
+ name = "account"
+ zone_name = data.azurerm_dns_zone.ioapp_it.name
+ resource_group_name = data.azurerm_resource_group.core_ext.name
+ ttl = "3600"
+ target_resource_id = azurerm_cdn_frontdoor_endpoint.portal_cdn_endpoint.id
+}
+
+resource "azurerm_dns_txt_record" "dns_txt" {
+ name = "_dnsauth.account"
+ zone_name = data.azurerm_dns_zone.ioapp_it.name
+ resource_group_name = data.azurerm_resource_group.core_ext.name
+ ttl = "3600"
+ record {
+ value = azurerm_cdn_frontdoor_custom_domain.portal_custom_domain.validation_token
+ }
+ tags = merge(var.tags, {
+ origin = "account.ioapp.it"
+ cdn = azurerm_cdn_frontdoor_profile.portal_profile.name
+ })
+}
+####################
diff --git a/src/domains/ioweb-common/10_spid_login.tf b/src/domains/ioweb-common/10_spid_login.tf
index 96d1ba61a..8e27a50f5 100644
--- a/src/domains/ioweb-common/10_spid_login.tf
+++ b/src/domains/ioweb-common/10_spid_login.tf
@@ -7,15 +7,12 @@ locals {
 ## App service spid login ##
 ############################
 module "spid_login" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service?ref=v4.1.15"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service?ref=v8.56.0"
 # App service plan
- plan_type = "internal"
- plan_name = format("%s-plan-spid-login", local.project)
- plan_kind = "Linux"
- plan_reserved = true # Mandatory for Linux plan
- plan_sku_tier = var.spid_login_plan_sku_tier
- plan_sku_size = var.spid_login_plan_sku_size
+ plan_type = "internal"
+ plan_name = format("%s-plan-spid-login", local.project)
+ sku_name = var.spid_login_plan_sku_size
 # App service
 name = format("%s-spid-login", local.project)
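Review bot: `module "io_web_profile_itn_fe_st"` sources `github.com/pagopa/dx//infra/modules/azure_storage_account?ref=main`, a moving branch, while every other module touched by this commit is pinned to `v8.56.0`; whatever is on `main` at apply time defines the account that serves account.ioapp.it, so pin it to a release tag or commit SHA (the README table in this commit also records it as `main`). The same account sets `force_public_network_access_enabled = true` and its static website is the Front Door origin with no origin-side restriction and no `azurerm_cdn_frontdoor_security_policy` on the endpoint, so the site stays reachable directly at the storage web endpoint, bypassing the HSTS, CSP and Cache-Control rules in `portal_cdn_rule_global`; either restrict the account's network rules to Front Door's address ranges (Private Link to the origin needs the Premium SKU) or record in a comment that direct origin access is an accepted risk. The CSP value in the global rule has no `default-src`, `frame-ancestors` or `base-uri` directive and allows `'unsafe-inline'` for scripts, so clickjacking and inline-script injection are not mitigated by it; at minimum extend it with `frame-ancestors 'none'; base-uri 'self';` and consider an `X-Content-Type-Options: nosniff` action alongside it. This hunk is the whole new file, so nothing is cut at its edges.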
@@ -24,17 +21,18 @@ module "spid_login" {
 always_on = true
- linux_fx_version = "NODE|18-lts"
+ node_version = "18-lts"
 app_command_line = "npm run start"
 health_check_path = "/healthcheck"
+ ip_restriction_default_action = "Deny"
+
 app_settings = {
 WEBSITES_ENABLE_APP_SERVICE_STORAGE = false
 WEBSITES_PORT = 8080
 WEBSITE_NODE_DEFAULT_VERSION = "18.13.0"
 WEBSITE_RUN_FROM_PACKAGE = "1"
- WEBSITE_VNET_ROUTE_ALL = "1"
 WEBSITE_DNS_SERVER = "168.63.129.16"
 // ENVIRONMENT
@@ -117,7 +115,8 @@ module "spid_login" {
 allowed_subnets = [
 data.azurerm_subnet.azdoa_snet.id,
 data.azurerm_subnet.apim_v2_snet.id,
- data.azurerm_subnet.ioweb_profile_snet.id,
+ data.azurerm_subnet.ioweb_profile_itn_snet.id,
+ data.azurerm_subnet.apim_itn_snet.id,
 ]
 allowed_ips = []
diff --git a/src/domains/ioweb-common/99_locals.tf b/src/domains/ioweb-common/99_locals.tf
index 66a08b8c2..7aafaa87e 100644
--- a/src/domains/ioweb-common/99_locals.tf
+++ b/src/domains/ioweb-common/99_locals.tf
@@ -20,3 +20,18 @@ locals {
 spid_login_base_path = "ioweb/auth/v1"
 }
+
+# Region ITN
+locals {
+ itn_location = "italynorth"
+ itn_location_short = "itn"
+ project_itn = "${var.prefix}-${var.env_short}-${local.itn_location_short}-${var.domain}"
+ common_project_itn = "${local.product}-${local.itn_location_short}"
+
+ # auth n identity domain
+ short_domain = "auth"
+ short_project_itn = "${local.product}-${local.itn_location_short}-${local.short_domain}"
+
+ vnet_common_name_itn = "${local.common_project_itn}-common-vnet-01"
+ vnet_common_resource_group_name_itn = "${local.common_project_itn}-common-rg-01"
+}
diff --git a/src/domains/ioweb-common/99_main.tf b/src/domains/ioweb-common/99_main.tf
index 07e5da8b6..c9053dd2f 100644
--- a/src/domains/ioweb-common/99_main.tf
+++ b/src/domains/ioweb-common/99_main.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "<= 3.40.0"
+ version = "<= 3.116.0"
 }
 azuread = {
 source = "hashicorp/azuread"
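Review bot: Removing `WEBSITE_VNET_ROUTE_ALL = "1"` from `app_settings` in `module "spid_login"` while keeping `WEBSITE_DNS_SERVER = "168.63.129.16"` silently changes the app's egress path: unless the v8.56.0 app_service module sets `vnet_route_all_enabled` on the site config itself, outbound traffic from the SPID login service no longer goes through the VNet, and NSG/firewall controls and private DNS resolution stop applying to it. Check what the upgraded module does and, if it exposes the switch, set it explicitly in this block so the intent is visible; if the setting was dropped because the module now rejects it, say so in a comment. `ip_restriction_default_action = "Deny"` is a good addition. `node_version = "18-lts"` keeps the service on Node 18, which reaches end of life in April 2025, so a move to 20 LTS should be scheduled. module "spid_login" starts and ends outside this hunk.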
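Review bot: `version = "<= 3.116.0"` for `azurerm` in `required_providers` is still an upper bound only, so any older release down to 2.x satisfies the constraint, while the modules just bumped to v8.56.0 presumably need a recent 3.x provider; prefer a bounded range such as `version = "~> 3.116.0"` (or `">= 3.116.0, < 4.0.0"`) so the lockfile is not the only thing standing between this configuration and an incompatible provider. The `terraform` block starts and ends outside this hunk.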
diff --git a/src/domains/ioweb-common/README.md b/src/domains/ioweb-common/README.md
index 1af93a5b1..52a2f6680 100644
--- a/src/domains/ioweb-common/README.md
+++ b/src/domains/ioweb-common/README.md
@@ -5,7 +5,7 @@
 | Name | Version |
 |------|---------|
 | [azuread](#requirement\_azuread) | <= 2.33.0 |
-| [azurerm](#requirement\_azurerm) | <= 3.40.0 |
+| [azurerm](#requirement\_azurerm) | <= 3.116.0 |
 | [null](#requirement\_null) | <= 3.2.1 |
 ## Providers
@@ -13,25 +13,26 @@
 | Name | Version |
 |------|---------|
 | [azuread](#provider\_azuread) | 2.33.0 |
-| [azurerm](#provider\_azurerm) | 3.40.0 |
-| [tls](#provider\_tls) | 4.0.4 |
+| [azurerm](#provider\_azurerm) | 3.116.0 |
+| [tls](#provider\_tls) | 4.0.6 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
-| [apim\_itn\_product\_ioweb](#module\_apim\_itn\_product\_ioweb) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product | v4.1.5 |
-| [apim\_itn\_spid\_login\_api](#module\_apim\_itn\_spid\_login\_api) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api | v4.1.5 |
-| [apim\_v2\_product\_ioweb](#module\_apim\_v2\_product\_ioweb) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product | v4.1.5 |
-| [apim\_v2\_spid\_login\_api](#module\_apim\_v2\_spid\_login\_api) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api | v4.1.5 |
-| [immutable\_spid\_logs\_storage](#module\_immutable\_spid\_logs\_storage) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account | v7.32.1 |
-| [immutable\_spid\_logs\_storage\_customer\_managed\_key](#module\_immutable\_spid\_logs\_storage\_customer\_managed\_key) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key | v7.32.1 |
-| [key\_vault](#module\_key\_vault) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v4.1.3 |
-| [landing\_cdn](#module\_landing\_cdn) | github.com/pagopa/terraform-azurerm-v3.git//cdn | v7.59.0 |
-| [redis\_spid\_login](#module\_redis\_spid\_login) | git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache | v6.11.2 |
-| [redis\_spid\_login\_snet](#module\_redis\_spid\_login\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.15 |
-| [spid\_login](#module\_spid\_login) | git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service | v4.1.15 |
-|
[spid\_login\_snet](#module\_spid\_login\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.15 |
+| [apim\_itn\_product\_ioweb](#module\_apim\_itn\_product\_ioweb) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product | v8.56.0 |
+| [apim\_itn\_spid\_login\_api](#module\_apim\_itn\_spid\_login\_api) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api | v8.56.0 |
+| [apim\_v2\_product\_ioweb](#module\_apim\_v2\_product\_ioweb) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product | v8.56.0 |
+| [apim\_v2\_spid\_login\_api](#module\_apim\_v2\_spid\_login\_api) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api | v8.56.0 |
+| [immutable\_spid\_logs\_storage](#module\_immutable\_spid\_logs\_storage) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account | v8.56.0 |
+| [immutable\_spid\_logs\_storage\_customer\_managed\_key](#module\_immutable\_spid\_logs\_storage\_customer\_managed\_key) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key | v8.56.0 |
+| [io\_web\_profile\_itn\_fe\_st](#module\_io\_web\_profile\_itn\_fe\_st) | github.com/pagopa/dx//infra/modules/azure_storage_account | main |
+| [key\_vault](#module\_key\_vault) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v8.56.0 |
+| [landing\_cdn](#module\_landing\_cdn) | github.com/pagopa/terraform-azurerm-v3.git//cdn | v8.56.0 |
+| [redis\_spid\_login](#module\_redis\_spid\_login) | git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache | v8.56.0 |
+| [redis\_spid\_login\_snet](#module\_redis\_spid\_login\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.56.0 |
+| [spid\_login](#module\_spid\_login) | git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service | v8.56.0 |
+| [spid\_login\_snet](#module\_spid\_login\_snet) |
git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.56.0 |
 ## Resources
@@ -39,6 +40,18 @@
 |------|------|
 | [azurerm_api_management_api_operation_policy.spid_acs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
 | [azurerm_api_management_api_operation_policy.spid_acs_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
+| [azurerm_cdn_frontdoor_custom_domain.portal_custom_domain](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_custom_domain) | resource |
+| [azurerm_cdn_frontdoor_custom_domain_association.portal_cdn_domain_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_custom_domain_association) | resource |
+| [azurerm_cdn_frontdoor_endpoint.portal_cdn_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_endpoint) | resource |
+| [azurerm_cdn_frontdoor_origin.portal_cdn_origin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_origin) | resource |
+| [azurerm_cdn_frontdoor_origin_group.portal_cdn_origin_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_origin_group) | resource |
+| [azurerm_cdn_frontdoor_profile.portal_profile](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_profile) | resource |
+| [azurerm_cdn_frontdoor_route.portal_cdn_route](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_route) | resource |
+| [azurerm_cdn_frontdoor_rule.portal_cdn_rule_global](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_rule) | resource |
+| [azurerm_cdn_frontdoor_rule.portal_cdn_rule_rootfiles](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_rule) |
resource |
+| [azurerm_cdn_frontdoor_rule_set.portal_cdn_rule_set](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_frontdoor_rule_set) | resource |
+| [azurerm_dns_cname_record.account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_cname_record) | resource |
+| [azurerm_dns_txt_record.dns_txt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_txt_record) | resource |
 | [azurerm_key_vault_access_policy.access_policy_auth_n_identity_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.access_policy_auth_n_identity_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.access_policy_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
@@ -53,6 +66,7 @@
 | [azurerm_private_endpoint.immutable_spid_logs_storage_blob](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
 | [azurerm_resource_group.common_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.fe_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.io_web_profile_itn_fe_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.storage_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_storage_container.immutable_audit_logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
@@ -78,17 +92,21 @@
 | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
 | [azurerm_private_dns_zone.privatelink_blob_core_windows_net](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
 | [azurerm_private_dns_zone.privatelink_redis_cache](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
+| [azurerm_resource_group.common_rg_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.core_ext](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_subnet.apim_itn_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.apim_v2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.azdoa_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
-| [azurerm_subnet.ioweb_profile_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.ioweb_profile_itn_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.private_endpoints_subnet_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) |
data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 | [azurerm_user_assigned_identity.managed_identity_auth_n_identity_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
 | [azurerm_user_assigned_identity.managed_identity_auth_n_identity_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
 | [azurerm_user_assigned_identity.managed_identity_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
 | [azurerm_user_assigned_identity.managed_identity_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
+| [azurerm_virtual_network.common_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 | [azurerm_virtual_network.vnet_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 ## Inputs
diff --git a/src/domains/messages-app/01_network.tf b/src/domains/messages-app/01_network.tf
index 4379d366d..d09eee3cf 100644
--- a/src/domains/messages-app/01_network.tf
+++ b/src/domains/messages-app/01_network.tf
@@ -64,12 +64,6 @@ data "azurerm_subnet" "app_backendl2_snet" {
 resource_group_name = local.vnet_common_resource_group_name
 }
-data "azurerm_subnet" "app_backendl3_snet" {
- name = "appbackendl3"
- virtual_network_name = local.vnet_common_name
- resource_group_name = local.vnet_common_resource_group_name
-}
-
 data "azurerm_subnet" "apim_snet" {
 name = "apimv2api"
 virtual_network_name = local.vnet_common_name
diff --git a/src/domains/messages-app/10_function_messages.tf b/src/domains/messages-app/10_function_messages.tf
index c87210e36..37f6f3f0e 100644
--- a/src/domains/messages-app/10_function_messages.tf
+++ b/src/domains/messages-app/10_function_messages.tf
@@ -168,7 +168,6 @@ module "app_messages_function" {
 data.azurerm_subnet.app_backendl1_snet.id,
 data.azurerm_subnet.app_backendl2_snet.id,
 data.azurerm_subnet.apim_snet.id,
- data.azurerm_subnet.app_backendl3_snet.id,
 data.azurerm_subnet.apim_itn_snet.id,
 ]
@@ -223,7 +222,6 @@ module "app_messages_function_staging_slot" {
 data.azurerm_subnet.app_backendl1_snet.id,
 data.azurerm_subnet.app_backendl2_snet.id,
 data.azurerm_subnet.azdoa_snet.id,
- data.azurerm_subnet.app_backendl3_snet.id
 ]
 allowed_ips = concat(
diff --git a/src/domains/messages-app/10_function_messages_xl.tf b/src/domains/messages-app/10_function_messages_xl.tf
index b9911c059..9fba14388 100644
--- a/src/domains/messages-app/10_function_messages_xl.tf
+++ b/src/domains/messages-app/10_function_messages_xl.tf
@@ -87,7 +87,6 @@ module "app_messages_function_xl" {
 data.azurerm_subnet.app_backendl1_snet.id,
 data.azurerm_subnet.app_backendl2_snet.id,
 data.azurerm_subnet.apim_snet.id,
- data.azurerm_subnet.app_backendl3_snet.id,
 data.azurerm_subnet.apim_itn_snet.id,
 ]
@@ -149,7 +148,6 @@ module "app_messages_function_staging_slot_xl" {
 data.azurerm_subnet.app_backendl2_snet.id,
 data.azurerm_subnet.azdoa_snet.id,
 data.azurerm_subnet.github_snet.id,
- data.azurerm_subnet.app_backendl3_snet.id
 ]
 allowed_ips = concat(
@@ -618,110 +616,6 @@ resource "azurerm_monitor_autoscale_setting" "app_messages_function_xl" {
 }
 }
- profile {
- name = module.common_values.scaling_gate.name
-
- capacity {
- minimum = 6
- maximum = 30
- default = 10
- }
-
- fixed_date {
- timezone = module.common_values.scaling_gate.timezone
- start = module.common_values.scaling_gate.start
- end = module.common_values.scaling_gate.end
- }
-
- rule {
- metric_trigger {
- metric_name = "Requests"
- metric_resource_id = module.app_messages_function_xl[count.index].id
- metric_namespace = "microsoft.web/sites"
- time_grain = "PT1M"
- statistic = "Max"
- time_window = "PT1M"
- time_aggregation = "Maximum"
- operator = "GreaterThan"
- threshold = 3000
- divide_by_instance_count = true
- }
-
- scale_action {
- direction = "Increase"
- type = "ChangeCount"
- value = "2"
- cooldown = "PT1M"
- }
- }
-
- rule {
- metric_trigger {
- metric_name = "CpuPercentage"
- metric_resource_id = module.app_messages_function_xl[count.index].app_service_plan_id
- metric_namespace = "microsoft.web/serverfarms"
- time_grain = "PT1M"
- statistic = "Max"
- time_window = "PT1M"
- time_aggregation = "Maximum"
- operator = "GreaterThan"
- threshold = 40
- divide_by_instance_count = false
- }
-
- scale_action {
- direction = "Increase"
- type = "ChangeCount"
- value = "3"
- cooldown = "PT2M"
- }
- }
-
- rule {
- metric_trigger {
- metric_name = "Requests"
- metric_resource_id = module.app_messages_function_xl[count.index].id
- metric_namespace = "microsoft.web/sites"
- time_grain = "PT1M"
- statistic = "Average"
- time_window = "PT5M"
- time_aggreg
- }
-
- scale_action {
- direction = "Decrease"
- type = "ChangeCount"
- value = "1"
- cooldown = "PT1M"
- }
- }
-
- rule {
- metric_trigger {
- metric_name = "CpuPercentage"
- metric_resource_id = module.app_messages_function_xl[count.index].app_service_plan_id
- metric_namespace =
"microsoft.web/serverfarms"
- time_grain = "PT1M"
- statistic = "Average"
- time_window = "PT5M"
- time_aggregation = "Average"
- operator = "LessThan"
- threshold = 15
- divide_by_instance_count = false
- }
-
- scale_action {
- direction = "Decrease"
- type = "ChangeCount"
- value = "1"
- cooldown = "PT2M"
- }
- }
- }
-
 tags = var.tags
 }
diff --git a/src/domains/messages-app/README.md b/src/domains/messages-app/README.md
index 530b43644..d72e08b51 100644
--- a/src/domains/messages-app/README.md
+++ b/src/domains/messages-app/README.md
@@ -122,7 +122,6 @@
 | [azurerm_subnet.apim_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.app_backendl1_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.app_backendl2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
-| [azurerm_subnet.app_backendl3_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.azdoa_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.github_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
diff --git a/src/identity/prod/README.md b/src/identity/prod/README.md
index 3e7f44d9f..b5c96af0c 100644
--- a/src/identity/prod/README.md
+++ b/src/identity/prod/README.md
@@ -13,7 +13,7 @@
 | Name | Version |
 |------|---------|
 | [azurerm.prod-cgn](#provider\_azurerm.prod-cgn) | 3.116.0 |
-| [azurerm.prod-trial](#provider\_azurerm.prod-trial) | 3.116.0 |
+| [azurerm.prod-selc](#provider\_azurerm.prod-selc) | 3.116.0 |
 ## Modules
@@ -27,12 +27,10 @@
 |------|------|
 | [azurerm_role_assignment.cd_cgn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.cd_cgn_postgresql](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.cd_trial_system](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cd_selc_evhns](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.ci_cgn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.ci_trial_system](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_postgresql_server.cgn_psql](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/postgresql_server) | data source |
 | [azurerm_subscription.cgn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
-| [azurerm_subscription.trial_system](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 ## Inputs
diff --git a/src/identity/prod/data.tf b/src/identity/prod/data.tf
index ba4ea68d5..2bed8e1bc 100644
--- a/src/identity/prod/data.tf
+++ b/src/identity/prod/data.tf
@@ -1,7 +1,3 @@
-data "azurerm_subscription" "trial_system" {
- provider = azurerm.prod-trial
-}
-
 data "azurerm_subscription" "cgn" {
 provider = azurerm.prod-cgn
 }
@@ -10,4 +6,4 @@ data "azurerm_postgresql_server" "cgn_psql" {
 provider = azurerm.prod-cgn
 name = "cgnonboardingportal-p-db-postgresql"
 resource_group_name = "cgnonboardingportal-p-db-rg"
-}
\ No newline at end of file
+}
diff --git a/src/identity/prod/main.tf b/src/identity/prod/main.tf
index 4bbdf4512..77ad99560 100644
--- a/src/identity/prod/main.tf
+++ b/src/identity/prod/main.tf
@@ -20,20 +20,19 @@ provider "azurerm" {
 }
 provider "azurerm" {
- alias = "prod-trial"
- subscription_id = "a2124115-ba74-462f-832a-9192cbd03649"
+ alias = "prod-cgn"
+ subscription_id = "74da48a3-b0e7-489d-8172-da79801086ed"
 features {}
 }
 provider "azurerm" {
- alias = "prod-cgn"
- subscription_id = "74da48a3-b0e7-489d-8172-da79801086ed"
+ alias = "prod-selc"
+ subscription_id = "813119d7-0943-46ed-8ebe-cebe24f9106c"
 features {}
 }
-
 module "federated_identities" {
 source = "github.com/pagopa/dx//infra/modules/azure_federated_identity_with_github?ref=main"
@@ -86,20 +85,6 @@ module "federated_identities" {
 tags = local.tags
 }
-resource "azurerm_role_assignment" "ci_trial_system" {
- provider = azurerm.prod-trial
- scope = data.azurerm_subscription.trial_system.id
- principal_id = module.federated_identities.federated_ci_identity.id
- role_definition_name = "Reader"
-}
-
-resource "azurerm_role_assignment" "cd_trial_system" {
- provider = azurerm.prod-trial
- scope = data.azurerm_subscription.trial_system.id
- principal_id = module.federated_identities.federated_cd_identity.id
- role_definition_name = "Reader"
-}
-
 resource "azurerm_role_assignment" "ci_cgn" {
 provider = azurerm.prod-cgn
 scope = data.azurerm_subscription.cgn.id
@@ -120,3 +105,10 @@ resource "azurerm_role_assignment" "cd_cgn_postgresql" {
 principal_id = module.federated_identities.federated_cd_identity.id
 role_definition_name = "Contributor"
 }
+
+resource "azurerm_role_assignment" "cd_selc_evhns" {
+ provider = azurerm.prod-selc
+ scope = "/subscriptions/813119d7-0943-46ed-8ebe-cebe24f9106c/resourceGroups/selc-p-event-rg/providers/Microsoft.EventHub/namespaces/selc-p-eventhub-ns"
+ principal_id = module.federated_identities.federated_cd_identity.id
+ role_definition_name = "Contributor"
+}
\ No newline at end of file
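Review bot: `azurerm_role_assignment "cd_selc_evhns"` gives the CD identity `Contributor` on the whole Event Hub namespace `selc-p-eventhub-ns` in the `prod-selc` subscription; Contributor at namespace scope includes managing shared access authorization rules and listing their keys, which is more than a deployment job that only needs to create or update specific event hubs or consumer groups requires. Scope the assignment to the event hubs it actually manages, or add a comment stating what the CD pipeline does in that namespace so the breadth of the grant is a documented decision. The `scope` is a hand-written resource id that repeats the subscription id already configured on the `prod-selc` provider; a `data "azurerm_eventhub_namespace"` lookup with `provider = azurerm.prod-selc` (name `selc-p-eventhub-ns`, resource group `selc-p-event-rg`) would keep the id derived from one place and fail at plan time if the namespace is renamed. The file also ends without a trailing newline.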