Merge branch 'main' into IOPID-583--add-ioweb-cdn

.github/workflows/ioweb_prod_cd.yml

@@ -28,8 +28,8 @@ jobs:
     steps:
       - name: Create GitHub Runner
         id: create_github_runner
-        # from https://github.com/pagopa/github-self-hosted-runner-azure-create-action/commits/main
-        uses: pagopa/github-self-hosted-runner-azure-create-action@13d5d0ae9550efdd5770b14029d346c7ad490d01
+        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
+        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
         with:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}

.github/workflows/ioweb_prod_drift.yml

@@ -23,8 +23,8 @@ jobs:
     steps:
       - name: Create GitHub Runner
         id: create_github_runner
-        # from https://github.com/pagopa/github-self-hosted-runner-azure-create-action/commits/main
-        uses: pagopa/github-self-hosted-runner-azure-create-action@13d5d0ae9550efdd5770b14029d346c7ad490d01
+        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
+        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
         with:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}

.github/workflows/prod_cd_citizen-auth.yml

@@ -28,8 +28,8 @@ jobs:
     steps:
       - name: Create GitHub Runner
         id: create_github_runner
-        # from https://github.com/pagopa/github-self-hosted-runner-azure-create-action/commits/main
-        uses: pagopa/github-self-hosted-runner-azure-create-action@13d5d0ae9550efdd5770b14029d346c7ad490d01
+        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
+        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
         with:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
@@ -132,8 +132,8 @@ jobs:
     steps:
       - name: Cleanup GitHub Runner
         id: cleanup_github_runner
-        # from https://github.com/pagopa/github-self-hosted-runner-azure-cleanup-action/commits/main
-        uses: pagopa/github-self-hosted-runner-azure-cleanup-action@97731a35e6ffc79b66c4dfd2aae5e4fd04e3ebb5
+        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-cleanup-action
+        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@main
         with:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}

.github/workflows/prod_ci_citizen-auth.yml

@@ -30,8 +30,8 @@ jobs:
     steps:
       - name: Create GitHub Runner
         id: create_github_runner
-        # from https://github.com/pagopa/github-self-hosted-runner-azure-create-action/commits/main
-        uses: pagopa/github-self-hosted-runner-azure-create-action@13d5d0ae9550efdd5770b14029d346c7ad490d01
+        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
+        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
         with:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
@@ -98,8 +98,8 @@ jobs:
     steps:
       - name: Cleanup GitHub Runner
         id: cleanup_github_runner
-        # from https://github.com/pagopa/github-self-hosted-runner-azure-cleanup-action/commits/main
-        uses: pagopa/github-self-hosted-runner-azure-cleanup-action@97731a35e6ffc79b66c4dfd2aae5e4fd04e3ebb5
+        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-cleanup-action
+        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@main
         with:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}

.github/workflows/prod_drift_citizen-auth.yml

@@ -23,8 +23,8 @@ jobs:
     steps:
       - name: Create GitHub Runner
         id: create_github_runner
-        # from https://github.com/pagopa/github-self-hosted-runner-azure-create-action/commits/main
-        uses: pagopa/github-self-hosted-runner-azure-create-action@13d5d0ae9550efdd5770b14029d346c7ad490d01
+        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
+        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
         with:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}

.github/workflows/static_analysis.yml

@@ -18,6 +18,8 @@ jobs:
             src/.template-app
             src/.template-common
             src/aks-platform
+            src/domains/ioweb-app
+            src/domains/ioweb-common
             src/domains/citizen-auth-app
             src/domains/citizen-auth-common
             src/domains/messages-app

.terraform-version

@@ -1 +1 @@
-1.3.9
+1.5.6

src/domains/citizen-auth-app/06_storage.tf

@@ -1,4 +1,9 @@
 data "azurerm_storage_account" "lollipop_assertion_storage" {
   name                = replace(format("%s-lollipop-assertions-st", local.product), "-", "")
   resource_group_name = format("%s-%s-data-rg", local.product, var.domain)
+}
+
+data "azurerm_storage_account" "lv_audit_logs_storage" {
+  name                = replace(format("%s-lv-logs-st", local.product), "-", "")
+  resource_group_name = format("%s-%s-data-rg", local.product, var.domain)
 }

src/domains/citizen-auth-app/07_function_fast_login.tf

@@ -25,6 +25,11 @@ locals {
       // --------------------------
       LOLLIPOP_GET_ASSERTION_BASE_URL = "https://api.io.pagopa.it"
       LOLLIPOP_GET_ASSERTION_API_KEY  = data.azurerm_key_vault_secret.fast_login_subscription_key.value
+
+      // --------------------------
+      //  Fast login audit log storage
+      // --------------------------
+      FAST_LOGIN_AUDIT_CONNECTION_STRING = data.azurerm_storage_account.lv_audit_logs_storage.primary_connection_string
     }
   }
 }

src/domains/citizen-auth-app/README.md

@@ -76,6 +76,7 @@
 | [azurerm_resource_group.data_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_storage_account.lollipop_assertion_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
+| [azurerm_storage_account.lv_audit_logs_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
 | [azurerm_subnet.apim_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.apim_v2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.app_backend_l1_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |

src/domains/citizen-auth-common/03_storage.tf

@@ -1,3 +1,6 @@
+###
+# LolliPoP Assertion Storage
+###
 module "lollipop_assertions_storage" {
   source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v6.1.0"
 
@@ -79,3 +82,63 @@ resource "azurerm_storage_queue" "lollipop_assertions_storage_revoke_queue" {
   name                 = "pubkeys-revoke" # This value is used in src/core/99_variables.tf#citizen_auth_revoke_queue_name
   storage_account_name = module.lollipop_assertions_storage.name
 }
+
+###
+# LV Audit Log Storage
+###
+
+module "lv_audit_logs_storage" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v6.1.0"
+
+  name                          = replace(format("%s-lv-logs-st", local.product), "-", "")
+  domain                        = upper(var.domain)
+  account_kind                  = "StorageV2"
+  account_tier                  = "Standard"
+  access_tier                   = "Hot"
+  account_replication_type      = "GZRS"
+  resource_group_name           = azurerm_resource_group.data_rg.name
+  location                      = var.location
+  advanced_threat_protection    = true
+  enable_identity               = true
+  public_network_access_enabled = false
+
+  tags = var.tags
+}
+
+module "lv_audit_logs_storage_customer_managed_key" {
+  source               = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key?ref=v4.3.1"
+  tenant_id            = data.azurerm_subscription.current.tenant_id
+  location             = var.location
+  resource_group_name  = azurerm_resource_group.data_rg.name
+  key_vault_id         = module.key_vault.id
+  key_name             = format("%s-key", module.lv_audit_logs_storage.name)
+  storage_id           = module.lv_audit_logs_storage.id
+  storage_principal_id = module.lv_audit_logs_storage.identity.0.principal_id
+}
+
+resource "azurerm_private_endpoint" "lv_audit_logs_storage_blob" {
+  name                = "${module.lv_audit_logs_storage.name}-blob-endpoint"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.data_rg.name
+  subnet_id           = data.azurerm_subnet.private_endpoints_subnet.id
+
+  private_service_connection {
+    name                           = "${module.lv_audit_logs_storage.name}-blob"
+    private_connection_resource_id = module.lv_audit_logs_storage.id
+    is_manual_connection           = false
+    subresource_names              = ["blob"]
+  }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_blob_core_windows_net.id]
+  }
+
+  tags = var.tags
+}
+
+resource "azurerm_storage_container" "lv_audit_logs_storage_logs" {
+  name                  = "logs"
+  storage_account_name  = module.lv_audit_logs_storage.name
+  container_access_type = "private"
+}

src/domains/citizen-auth-common/05_database.tf

@@ -125,6 +125,195 @@ resource "azurerm_monitor_metric_alert" "cosmosdb_account_normalized_RU_consumpt
 ############################
 # FIMS COSMOS
 ############################
+module "cosmosdb_account_fims" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_account?ref=v4.3.1"
+
+  name                = "${local.product}-${var.domain}-fims-account"
+  domain              = upper(var.domain)
+  location            = azurerm_resource_group.data_rg.location
+  resource_group_name = azurerm_resource_group.data_rg.name
+  offer_type          = "Standard"
+  enable_free_tier    = false
+  kind                = "GlobalDocumentDB"
+
+  public_network_access_enabled     = false
+  private_endpoint_enabled          = true
+  subnet_id                         = data.azurerm_subnet.private_endpoints_subnet.id
+  private_dns_zone_ids              = [data.azurerm_private_dns_zone.privatelink_documents_azure_com.id]
+  is_virtual_network_filter_enabled = false
+
+  main_geo_location_location       = azurerm_resource_group.data_rg.location
+  main_geo_location_zone_redundant = true
+  additional_geo_locations = [{
+    location          = "northeurope"
+    failover_priority = 1
+    zone_redundant    = false
+  }]
+  consistency_policy = {
+    consistency_level       = "Session"
+    max_interval_in_seconds = null
+    max_staleness_prefix    = null
+  }
+
+  # Action groups for alerts
+  action = [
+    {
+      action_group_id    = data.azurerm_monitor_action_group.error_action_group.id
+      webhook_properties = {}
+    }
+  ]
+
+  tags = var.tags
+}
+
+module "cosmosdb_sql_database_fims" {
+  source              = "git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_sql_database?ref=v4.3.1"
+  name                = "fims"
+  resource_group_name = azurerm_resource_group.data_rg.name
+  account_name        = module.cosmosdb_account_fims.name
+}
+
+resource "azurerm_cosmosdb_sql_container" "fims_client" {
+
+  name                = "Client"
+  resource_group_name = azurerm_resource_group.data_rg.name
+  account_name        = module.cosmosdb_account_fims.name
+  database_name       = module.cosmosdb_sql_database_fims.name
+
+  partition_key_path    = "/organizationId"
+  partition_key_version = 2
+
+  autoscale_settings {
+    max_throughput = var.fims_database.client.max_throughput
+  }
+
+  default_ttl = var.fims_database.client.ttl
+
+  indexing_policy {
+    indexing_mode = "consistent"
+
+    included_path {
+      path = "/*"
+    }
+
+    excluded_path {
+      path = "/\"_etag\"/?"
+    }
+
+    composite_index {
+      index {
+        path  = "/id"
+        order = "Descending"
+      }
+      index {
+        path  = "/organizationId"
+        order = "Ascending"
+      }
+    }
+  }
+}
+
+resource "azurerm_cosmosdb_sql_container" "fims_grant" {
+
+  name                = "Grant"
+  resource_group_name = azurerm_resource_group.data_rg.name
+  account_name        = module.cosmosdb_account_fims.name
+  database_name       = module.cosmosdb_sql_database_fims.name
+
+  partition_key_path    = "/identityId"
+  partition_key_version = 2
+
+  autoscale_settings {
+    max_throughput = var.fims_database.grant.max_throughput
+  }
+
+  default_ttl = var.fims_database.grant.ttl
+
+  indexing_policy {
+    indexing_mode = "consistent"
+
+    included_path {
+      path = "/*"
+    }
+
+    excluded_path {
+      path = "/\"_etag\"/?"
+    }
+
+    composite_index {
+      index {
+        path  = "/id"
+        order = "Descending"
+      }
+      index {
+        path  = "/identityId"
+        order = "Ascending"
+      }
+    }
+  }
+}
+
+resource "azurerm_cosmosdb_sql_container" "fims_interaction" {
+
+  name                = "Interaction"
+  resource_group_name = azurerm_resource_group.data_rg.name
+  account_name        = module.cosmosdb_account_fims.name
+  database_name       = module.cosmosdb_sql_database_fims.name
+
+  partition_key_path    = "/id"
+  partition_key_version = 2
+
+  autoscale_settings {
+    max_throughput = var.fims_database.interaction.max_throughput
+  }
+
+  default_ttl = var.fims_database.interaction.ttl
+
+  indexing_policy {
+    indexing_mode = "consistent"
+
+    included_path {
+      path = "/*"
+    }
+
+    excluded_path {
+      path = "/\"_etag\"/?"
+    }
+  }
+}
+
+resource "azurerm_cosmosdb_sql_container" "fims_session" {
+
+  name                = "Session"
+  resource_group_name = azurerm_resource_group.data_rg.name
+  account_name        = module.cosmosdb_account_fims.name
+  database_name       = module.cosmosdb_sql_database_fims.name
+
+  partition_key_path    = "/id"
+  partition_key_version = 2
+
+  autoscale_settings {
+    max_throughput = var.fims_database.session.max_throughput
+  }
+
+  default_ttl = var.fims_database.session.ttl
+
+  indexing_policy {
+    indexing_mode = "consistent"
+
+    included_path {
+      path = "/*"
+    }
+
+    excluded_path {
+      path = "/\"_etag\"/?"
+    }
+  }
+}
+
+############################
+# FIMS MONGO (TO REMOVE)
+############################
 module "cosmosdb_account_mongodb_fims" {
   source = "git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_account?ref=v4.1.5"
 
@@ -175,3 +364,5 @@ data "azurerm_key_vault_secret" "mongodb_connection_string_fims" {
   name         = "io-p-fims-mongodb-account-connection-string"
   key_vault_id = module.key_vault.id
 }
+
+