[CES-584] Add roles to IO AD Groups with APIM as scope #1386

70 changes: 70 additions & 0 deletions src/common/_modules/apim/rbac.tf
Expand Up @@ -19,3 +19,73 @@ resource "azurerm_key_vault_access_policy" "v2_common" {
certificate_permissions = ["Get", "List"]
storage_permissions = []
}

module "iam_adgroup_wallet_admins" {
source = "github.com/pagopa/dx//infra/modules/azure_role_assignments?ref=main"

principal_id = var.azure_adgroup_wallet_admins_object_id

apim = [
{
name = module.apim_v2.name
resource_group_name = module.apim_v2.resource_group_name
role = "owner"
}
]
}

module "iam_adgroup_com_admins" {
source = "github.com/pagopa/dx//infra/modules/azure_role_assignments?ref=main"

principal_id = var.azure_adgroup_com_admins_object_id

apim = [
{
name = module.apim_v2.name
resource_group_name = module.apim_v2.resource_group_name
role = "owner"
}
]
}

module "iam_adgroup_svc_admins" {
source = "github.com/pagopa/dx//infra/modules/azure_role_assignments?ref=main"

principal_id = var.azure_adgroup_svc_admins_object_id

apim = [
{
name = module.apim_v2.name
resource_group_name = module.apim_v2.resource_group_name
role = "owner"
}
]
}

module "iam_adgroup_auth_admins" {
source = "github.com/pagopa/dx//infra/modules/azure_role_assignments?ref=main"

principal_id = var.azure_adgroup_auth_admins_object_id

apim = [
{
name = module.apim_v2.name
resource_group_name = module.apim_v2.resource_group_name
role = "owner"
}
]
}

module "iam_adgroup_bonus_admins" {
source = "github.com/pagopa/dx//infra/modules/azure_role_assignments?ref=main"

principal_id = var.azure_adgroup_bonus_admins_object_id

apim = [
{
name = module.apim_v2.name
resource_group_name = module.apim_v2.resource_group_name
role = "owner"
}
]
}
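Review bot: Every new module block in this hunk, from iam_adgroup_wallet_admins through iam_adgroup_bonus_admins, pulls the role-assignment module from a mutable ref, `source = "github.com/pagopa/dx//infra/modules/azure_role_assignments?ref=main"`, so what these assignments actually create can change on any later apply with no change in this repository; pin `ref=` to a release tag or commit SHA. All five groups also get `role = "owner"` on the APIM instance; if the module exposes a narrower role and some groups only need to manage APIs or subscriptions, the narrower grant keeps the impact of a mis-added group member smaller. The five blocks differ only in the principal, so one module call with `for_each` over a map of group object ids would make the shared role choice explicit and editable in one place, as sketched below (the module addresses change, so existing assignments would need `moved` blocks or would be recreated).
```hcl
locals {
  apim_admin_groups = {
    wallet = var.azure_adgroup_wallet_admins_object_id
    com    = var.azure_adgroup_com_admins_object_id
    svc    = var.azure_adgroup_svc_admins_object_id
    auth   = var.azure_adgroup_auth_admins_object_id
    bonus  = var.azure_adgroup_bonus_admins_object_id
  }
}

module "iam_adgroup_admins" {
  for_each = local.apim_admin_groups
  source   = "github.com/pagopa/dx//infra/modules/azure_role_assignments?ref=<PINNED_TAG_OR_SHA>"

  principal_id = each.value

  apim = [
    {
      name                = module.apim_v2.name
      resource_group_name = module.apim_v2.resource_group_name
      role                = "owner"
    }
  ]
}
```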
27 changes: 26 additions & 1 deletion src/common/_modules/apim/variables.tf
Expand Up @@ -89,4 +89,29 @@ variable "migration" {
type = bool
default = false
description = "Specify if it is a migration"
}
}

variable "azure_adgroup_wallet_admins_object_id" {
type = string
description = "Object Id of the Entra group for subscription admins"
}

variable "azure_adgroup_com_admins_object_id" {
type = string
description = "Object Id of the Entra group for subscription admins"
}

variable "azure_adgroup_svc_admins_object_id" {
type = string
description = "Object Id of the Entra group for subscription admins"
}

variable "azure_adgroup_auth_admins_object_id" {
type = string
description = "Object Id of the Entra group for subscription admins"
}

variable "azure_adgroup_bonus_admins_object_id" {
type = string
description = "Object Id of the Entra group for subscription admins"
}
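Review bot: All five new variables carry the identical description `"Object Id of the Entra group for subscription admins"`, so the generated module docs will not tell a reader which group each id refers to, and nothing marks the auth group as different from the wallet group. Name the group in each one, e.g. `description = "Object Id of the Entra group for wallet admins"`, and likewise for com, svc, auth and bonus. Because these values become role-assignment principals, a `validation` block on each variable that rejects anything not shaped like a GUID would surface a mistyped id at plan time instead of at apply.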
5 changes: 5 additions & 0 deletions src/common/prod/README.md
Expand Up @@ -39,6 +39,11 @@
| [azurerm_resource_group.github_runner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azurerm_role_assignment.apim_client_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.dev_portal_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azuread_group.auth_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.bonus_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.com_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.svc_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.wallet_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_service_principal.apim_client_svc](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
| [azuread_service_principal.dev_portal_svc](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
21 changes: 21 additions & 0 deletions src/common/prod/data.tf
Expand Up @@ -21,6 +21,27 @@ data "azurerm_linux_web_app" "firmaconio_selfcare_web_app" {
resource_group_name = "${local.project_weu_legacy}-sign-backend-rg"
}

# AD Groups
data "azuread_group" "wallet_admins" {
display_name = "${local.prefix}-${local.env_short}-adgroup-wallet-admins"
}

data "azuread_group" "com_admins" {
display_name = "${local.prefix}-${local.env_short}-adgroup-com-admins"
}

data "azuread_group" "svc_admins" {
display_name = "${local.prefix}-${local.env_short}-adgroup-svc-admins"
}

data "azuread_group" "auth_admins" {
display_name = "${local.prefix}-${local.env_short}-adgroup-auth-admins"
}

data "azuread_group" "bonus_admins" {
display_name = "${local.prefix}-${local.env_short}-adgroup-bonus-admins"
}

# Cosmos API
data "azurerm_subnet" "cosmos_api_allowed" {
for_each = toset(local.cosmos_api.allowed_subnets)
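Review bot: The five `data "azuread_group"` lookups resolve each admin group by `display_name` alone, and display names are not unique in Entra ID, so the owner grants downstream are bound to whichever group carries that name rather than to a fixed identity; should a second group with the same name appear, the provider should reject the ambiguous match and the plan fails until someone disambiguates by hand. Adding `security_enabled = true` to each block narrows the match to security groups, and supplying the known ids through the data source's `object_id` argument instead would remove the name dependency altogether. The blocks differ only in the suffix, so `for_each = toset(["wallet", "com", "svc", "auth", "bonus"])` with `display_name = "${local.prefix}-${local.env_short}-adgroup-${each.key}-admins"` would keep them in step with the module inputs that consume them.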
8 changes: 7 additions & 1 deletion src/common/prod/italynorth.tf
Expand Up @@ -58,5 +58,11 @@ module "apim_itn" {
action_group_id = module.monitoring_weu.action_groups.error
ai_instrumentation_key = module.monitoring_weu.appi_instrumentation_key

azure_adgroup_wallet_admins_object_id = data.azuread_group.wallet_admins.object_id
azure_adgroup_com_admins_object_id = data.azuread_group.com_admins.object_id
azure_adgroup_svc_admins_object_id = data.azuread_group.svc_admins.object_id
azure_adgroup_auth_admins_object_id = data.azuread_group.auth_admins.object_id
azure_adgroup_bonus_admins_object_id = data.azuread_group.bonus_admins.object_id

tags = local.tags
}
}
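Review bot: The five `azure_adgroup_*_object_id` inputs added to `module "apim_itn"` here are repeated verbatim for `module "apim_weu"` in westeurope.tf, so the set of groups holding owner rights on the two regional APIM instances can drift if one list is edited and the other is not. A single local map of group object ids defined next to the `data "azuread_group"` lookups and referenced from both module calls would keep the two regions identical by construction, though that presumably means teaching the apim module to accept a map instead of five strings. The `module "apim_itn"` block starts outside this hunk.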
8 changes: 7 additions & 1 deletion src/common/prod/westeurope.tf
Expand Up @@ -334,7 +334,7 @@ module "application_gateway_weu" {
}

cidr_subnet = ["10.0.13.0/24"]
min_capacity = 10 # 4 capacity=baseline, 10 capacity=high volume event, 15 capacity=very high volume event
min_capacity = 7 # 4 capacity=baseline, 10 capacity=high volume event, 15 capacity=very high volume event
max_capacity = 80
alerts_enabled = true
deny_paths = ["\\/admin\\/(.*)"]
Expand Down Expand Up @@ -366,6 +366,12 @@ module "apim_weu" {
action_group_id = module.monitoring_weu.action_groups.error
ai_instrumentation_key = module.monitoring_weu.appi_instrumentation_key

azure_adgroup_wallet_admins_object_id = data.azuread_group.wallet_admins.object_id
azure_adgroup_com_admins_object_id = data.azuread_group.com_admins.object_id
azure_adgroup_svc_admins_object_id = data.azuread_group.svc_admins.object_id
azure_adgroup_auth_admins_object_id = data.azuread_group.auth_admins.object_id
azure_adgroup_bonus_admins_object_id = data.azuread_group.bonus_admins.object_id

tags = local.tags
}
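Review bot: The change to `min_capacity = 7` in the application_gateway_weu hunk is unrelated to the AD-group role assignments this PR is about, and 7 is not one of the tiers the trailing comment documents (4 baseline, 10 high volume, 15 very high volume), so the comment no longer explains the value chosen. Either move the capacity change to its own PR with its rationale, or extend the comment, e.g. `min_capacity = 7 # 4 capacity=baseline, 7 capacity=<REASON>, 10 capacity=high volume event, 15 capacity=very high volume event`. The apim_weu hunk mirrors italynorth.tf exactly; both `module "application_gateway_weu"` and `module "apim_weu"` start outside their hunks.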
