Merge branch 'main' into bip-dev

src/common/_modules/apim/main.tf

@@ -8,14 +8,14 @@ module "apim_v2" {
   publisher_name            = "IO"
   publisher_email           = data.azurerm_key_vault_secret.apim_publisher_email.value
   notification_sender_email = data.azurerm_key_vault_secret.apim_publisher_email.value
-  sku_name                  = "Premium_2"
+  sku_name                  = var.migration ? "Developer_1" : "Premium_2"
   virtual_network_type      = "Internal"
-  zones                     = ["1", "2"]
+  zones                     = var.migration ? null : ["1", "2"]
 
   redis_cache_id       = null
-  public_ip_address_id = azurerm_public_ip.apim.id
+  public_ip_address_id = var.migration ? null : azurerm_public_ip.apim.id
 
-  hostname_configuration = {
+  hostname_configuration = var.migration ? null : {
     proxy = [
       {
         # io-p-apim-api.azure-api.net
@@ -51,12 +51,12 @@ module "apim_v2" {
 
   management_logger_applicaiton_insight_enabled = true
   application_insights = {
-    enabled             = true
+    enabled             = var.migration ? false : true
     instrumentation_key = var.ai_instrumentation_key
   }
 
   autoscale = {
-    enabled                       = true
+    enabled                       = var.migration ? false : true
     default_instances             = 3
     minimum_instances             = 2
     maximum_instances             = 6
@@ -78,7 +78,7 @@ module "apim_v2" {
   ]
 
   # https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported#microsoftapimanagementservice
-  metric_alerts = {
+  metric_alerts = var.migration ? {} : {
     capacity = {
       description   = "Apim used capacity is too high. Runbook: https://pagopa.atlassian.net/wiki/spaces/IC/pages/791642113/APIM+Capacity"
       frequency     = "PT5M"

src/common/_modules/apim/variables.tf

@@ -84,3 +84,9 @@ variable "datasources" {
   type        = map(any)
   description = "Common datasources"
 }
+
+variable "migration" {
+  type        = bool
+  default     = false
+  description = "Specify if it is a migration"
+}

src/common/_modules/cosmos_api/networking.tf

@@ -19,3 +19,20 @@ resource "azurerm_private_endpoint" "sql" {
 
   tags = var.tags
 }
+
+resource "azurerm_private_endpoint" "sql_itn" {
+
+  name                = "${var.project}-itn-api-cosno-pep-01"
+  location            = "italynorth"
+  resource_group_name = azurerm_cosmosdb_account.this.resource_group_name
+  subnet_id           = var.secondary_location_pep_snet_id
+
+  private_service_connection {
+    name                           = "${var.project}-itn-api-cosno-pep-01"
+    private_connection_resource_id = azurerm_cosmosdb_account.this.id
+    is_manual_connection           = false
+    subresource_names              = ["Sql"]
+  }
+
+  tags = var.tags
+}

src/common/_modules/cosmos_api/variables.tf

@@ -48,6 +48,11 @@ variable "secondary_location" {
   default = null
 }
 
+variable "secondary_location_pep_snet_id" {
+  type        = string
+  description = "Id of the subnet holding private endpoints in the secondary location"
+}
+
 variable "documents_dns_zone" {
   type = object({
     id                  = string

src/common/_modules/global/modules/dns/outputs.tf

@@ -45,4 +45,4 @@ output "external_domain" {
 
 output "dns_default_ttl_sec" {
   value = var.dns_default_ttl_sec
-}
+}

src/common/_modules/global/modules/dns/private_dns_zone_links.tf

@@ -153,6 +153,17 @@ resource "azurerm_private_dns_zone_virtual_network_link" "srch_private_vnet_comm
   tags = var.tags
 }
 
+resource "azurerm_private_dns_zone_virtual_network_link" "vault_private_vnet_common" {
+  for_each              = { for name, vnet in var.vnets : name => vnet if contains(["weu", "itn"], name) }
+  name                  = each.value.name
+  resource_group_name   = var.resource_groups.common
+  private_dns_zone_name = azurerm_private_dns_zone.privatelink_vault.name
+  virtual_network_id    = each.value.id
+  registration_enabled  = false
+
+  tags = var.tags
+}
+
 resource "azurerm_private_dns_zone_virtual_network_link" "azure_api_net_vnet_common" {
   for_each              = { for name, vnet in var.vnets : name => vnet if contains(["weu", "itn"], name) }
   name                  = each.value.name
@@ -184,4 +195,4 @@ resource "azurerm_private_dns_zone_virtual_network_link" "scm_azure_api_net_vnet
   registration_enabled  = false
 
   tags = var.tags
-}
+}

src/common/_modules/global/modules/dns/private_dns_zones.tf

@@ -106,6 +106,11 @@ resource "azurerm_private_dns_zone" "privatelink_srch" {
   resource_group_name = var.resource_groups.common
 }
 
+resource "azurerm_private_dns_zone" "privatelink_vault" {
+  name                = "privatelink.vaultcore.azure.net"
+  resource_group_name = var.resource_groups.common
+}
+
 resource "azurerm_private_dns_zone" "azure_api_net" {
   name                = "azure-api.net"
   resource_group_name = var.resource_groups.common
@@ -125,4 +130,4 @@ resource "azurerm_private_dns_zone" "scm_azure_api_net" {
   resource_group_name = var.resource_groups.common
 
   tags = var.tags
-}
+}

src/common/prod/README.md

@@ -18,6 +18,7 @@
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_apim_itn"></a> [apim\_itn](#module\_apim\_itn) | ../_modules/apim | n/a |
 | <a name="module_apim_weu"></a> [apim\_weu](#module\_apim\_weu) | ../_modules/apim | n/a |
 | <a name="module_app_backend_li_weu"></a> [app\_backend\_li\_weu](#module\_app\_backend\_li\_weu) | ../_modules/app_backend | n/a |
 | <a name="module_app_backend_weu"></a> [app\_backend\_weu](#module\_app\_backend\_weu) | ../_modules/app_backend | n/a |

src/common/prod/italynorth.tf

@@ -31,5 +31,32 @@ module "private_endpoints" {
   pep_snet_id = local.core.networking.itn.pep_snet.id
   dns_zones   = module.global.dns.private_dns_zones
 
+  tags = local.tags
+}
+
+module "apim_itn" {
+  source = "../_modules/apim"
+
+  migration               = true
+  location                = "italynorth"
+  location_short          = local.core.resource_groups.italynorth.location_short
+  project                 = local.project_itn
+  prefix                  = local.prefix
+  resource_group_common   = local.resource_groups.itn.common
+  resource_group_internal = local.resource_groups.itn.internal
+
+  vnet_common = local.core.networking.itn.vnet_common
+  cidr_subnet = "10.20.100.0/24"
+
+  datasources = {
+    azurerm_client_config = data.azurerm_client_config.current
+  }
+
+  key_vault        = local.core.key_vault.weu.kv
+  key_vault_common = local.core.key_vault.weu.kv_common
+
+  action_group_id        = module.monitoring_weu.action_groups.error
+  ai_instrumentation_key = module.monitoring_weu.appi_instrumentation_key
+
   tags = local.tags
 }

src/common/prod/westeurope.tf

@@ -385,12 +385,13 @@ module "cosmos_api_weu" {
   location_short = local.core.resource_groups.westeurope.location_short
   project        = local.project_weu_legacy
 
-  resource_group_internal = local.core.resource_groups.westeurope.internal
-  vnet_common             = local.core.networking.weu.vnet_common
-  pep_snet                = local.core.networking.weu.pep_snet
-  secondary_location      = "northeurope"
-  documents_dns_zone      = module.global.dns.private_dns_zones.documents
-  allowed_subnets_ids     = values(data.azurerm_subnet.cosmos_api_allowed)[*].id
+  resource_group_internal        = local.core.resource_groups.westeurope.internal
+  vnet_common                    = local.core.networking.weu.vnet_common
+  pep_snet                       = local.core.networking.weu.pep_snet
+  secondary_location             = "italynorth"
+  secondary_location_pep_snet_id = local.core.networking.itn.pep_snet.id
+  documents_dns_zone             = module.global.dns.private_dns_zones.documents
+  allowed_subnets_ids            = values(data.azurerm_subnet.cosmos_api_allowed)[*].id
 
   error_action_group_id = module.monitoring_weu.action_groups.error
 

src/domains/citizen-auth-app/99_variables.tf

@@ -341,7 +341,7 @@ variable "plan_shared_1_sku_size" {
 variable "plan_shared_1_sku_capacity" {
   description = "Shared functions app plan capacity"
   type        = number
-  default     = 1
+  default     = 3
 }
 ###########################
 ################################

src/domains/citizen-auth-app/README.md

@@ -229,7 +229,7 @@
 | <a name="input_lollipop_enabled"></a> [lollipop\_enabled](#input\_lollipop\_enabled) | Lollipop function enabled? | `bool` | `false` | no |
 | <a name="input_monitor_resource_group_name"></a> [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes |
 | <a name="input_plan_shared_1_kind"></a> [plan\_shared\_1\_kind](#input\_plan\_shared\_1\_kind) | App service plan kind | `string` | `null` | no |
-| <a name="input_plan_shared_1_sku_capacity"></a> [plan\_shared\_1\_sku\_capacity](#input\_plan\_shared\_1\_sku\_capacity) | Shared functions app plan capacity | `number` | `1` | no |
+| <a name="input_plan_shared_1_sku_capacity"></a> [plan\_shared\_1\_sku\_capacity](#input\_plan\_shared\_1\_sku\_capacity) | Shared functions app plan capacity | `number` | `3` | no |
 | <a name="input_plan_shared_1_sku_size"></a> [plan\_shared\_1\_sku\_size](#input\_plan\_shared\_1\_sku\_size) | App service plan sku size | `string` | `null` | no |
 | <a name="input_plan_shared_1_sku_tier"></a> [plan\_shared\_1\_sku\_tier](#input\_plan\_shared\_1\_sku\_tier) | App service plan sku tier | `string` | `null` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | n/a | `string` | n/a | yes |

src/domains/citizen-auth-common/01_network.tf

@@ -70,6 +70,11 @@ resource "azurerm_private_endpoint" "cosmos_db" {
     is_manual_connection           = false
     subresource_names              = ["Sql"]
   }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_documents_azure_com.id]
+  }
 }
 
 ## Redis Common subnet

src/domains/citizen-auth-common/02_key_vault.tf

@@ -67,6 +67,38 @@ resource "azurerm_key_vault_access_policy" "access_policy_io_infra_cd" {
   certificate_permissions = ["Get", "List"]
 }
 
+
+# -----------------------------------
+#  Auth&Identity monorepo pipelines
+# -----------------------------------
+
+resource "azurerm_key_vault_access_policy" "access_policy_auth_n_identity_infra_ci" {
+  key_vault_id = module.key_vault.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = data.azurerm_user_assigned_identity.managed_identity_auth_n_identity_infra_ci.principal_id
+
+  key_permissions         = ["Get", "List", "GetRotationPolicy"]
+  secret_permissions      = ["Get", "List"]
+  certificate_permissions = ["Get", "List"]
+}
+
+resource "azurerm_key_vault_access_policy" "access_policy_auth_n_identity_infra_cd" {
+  key_vault_id = module.key_vault.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = data.azurerm_user_assigned_identity.managed_identity_auth_n_identity_infra_cd.principal_id
+
+  key_permissions         = ["Get", "List", "GetRotationPolicy"]
+  secret_permissions      = ["Get", "List", "Set"]
+  certificate_permissions = ["Get", "List"]
+}
+
+
+
+
+
+
 #
 # azure devops policy
 #

src/domains/citizen-auth-common/05_database.tf

@@ -16,18 +16,15 @@ module "cosmosdb_account" {
   enable_free_tier    = false
   kind                = "GlobalDocumentDB"
 
-  public_network_access_enabled       = false
-  private_endpoint_enabled            = true
-  private_endpoint_sql_name           = "${local.product}-citizen-auth-account"
-  private_service_connection_sql_name = "${local.product}-citizen-auth-account-private-endpoint"
-  private_dns_zone_sql_ids            = [data.azurerm_private_dns_zone.privatelink_documents_azure_com.id]
-  subnet_id                           = data.azurerm_subnet.private_endpoints_subnet.id
-  is_virtual_network_filter_enabled   = false
-
-  main_geo_location_location       = azurerm_resource_group.data_rg.location
+  public_network_access_enabled     = false
+  private_endpoint_enabled          = false
+  subnet_id                         = data.azurerm_subnet.private_endpoints_subnet.id
+  is_virtual_network_filter_enabled = false
+
+  main_geo_location_location       = "italynorth"
   main_geo_location_zone_redundant = true
   additional_geo_locations = [{
-    location          = "italynorth"
+    location          = azurerm_resource_group.data_rg.location
     failover_priority = 1
     zone_redundant    = true
   }]

src/domains/citizen-auth-common/06_data.tf

@@ -12,6 +12,17 @@ data "azurerm_user_assigned_identity" "managed_identity_io_infra_cd" {
   resource_group_name = "${local.product}-identity-rg"
 }
 
+data "azurerm_user_assigned_identity" "managed_identity_auth_n_identity_infra_ci" {
+  name                = "${local.product}-auth-github-ci-identity"
+  resource_group_name = "${local.product}-identity-rg"
+}
+
+data "azurerm_user_assigned_identity" "managed_identity_auth_n_identity_infra_cd" {
+  name                = "${local.product}-auth-github-cd-identity"
+  resource_group_name = "${local.product}-identity-rg"
+}
+
+
 # ITN LOLLIPOP FUNCTION
 data "azurerm_resource_group" "lollipop_function_rg" {
   name = format("%s-itn-lollipop-rg-01", local.product)

src/domains/citizen-auth-common/README.md

@@ -56,6 +56,8 @@
 | [azurerm_api_management_user.pagopa_user_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_user) | resource |
 | [azurerm_api_management_user.pn_user_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_user) | resource |
 | [azurerm_cosmosdb_sql_container.lollipop_pubkeys](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_container) | resource |
+| [azurerm_key_vault_access_policy.access_policy_auth_n_identity_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.access_policy_auth_n_identity_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.access_policy_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.access_policy_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
@@ -112,6 +114,8 @@
 | [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.private_endpoints_subnet_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_user_assigned_identity.managed_identity_auth_n_identity_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
+| [azurerm_user_assigned_identity.managed_identity_auth_n_identity_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
 | [azurerm_user_assigned_identity.managed_identity_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
 | [azurerm_user_assigned_identity.managed_identity_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
 | [azurerm_virtual_network.vnet_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |