[#IOPID-279] Create new LV Audit Log storage (#662)

pagopa · Sep 1, 2023 · 0ad39be · 0ad39be
1 parent 64ace1a
commit 0ad39be
Show file tree

Hide file tree

Showing 9 changed files with 90 additions and 11 deletions.
diff --git a/.github/workflows/ioweb_prod_cd.yml b/.github/workflows/ioweb_prod_cd.yml
@@ -28,8 +28,8 @@ jobs:
     steps:
       - name: Create GitHub Runner
         id: create_github_runner
-        # from https://github.com/pagopa/github-self-hosted-runner-azure-create-action/commits/main
-        uses: pagopa/github-self-hosted-runner-azure-create-action@13d5d0ae9550efdd5770b14029d346c7ad490d01
+        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
+        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
         with:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}

diff --git a/.github/workflows/ioweb_prod_drift.yml b/.github/workflows/ioweb_prod_drift.yml
@@ -23,8 +23,8 @@ jobs:
     steps:
       - name: Create GitHub Runner
         id: create_github_runner
-        # from https://github.com/pagopa/github-self-hosted-runner-azure-create-action/commits/main
-        uses: pagopa/github-self-hosted-runner-azure-create-action@13d5d0ae9550efdd5770b14029d346c7ad490d01
+        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
+        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
         with:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}

diff --git a/.github/workflows/prod_cd_citizen-auth.yml b/.github/workflows/prod_cd_citizen-auth.yml
@@ -28,8 +28,8 @@ jobs:
     steps:
       - name: Create GitHub Runner
         id: create_github_runner
-        # from https://github.com/pagopa/github-self-hosted-runner-azure-create-action/commits/main
-        uses: pagopa/github-self-hosted-runner-azure-create-action@13d5d0ae9550efdd5770b14029d346c7ad490d01
+        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
+        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
         with:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}

diff --git a/.github/workflows/prod_ci_citizen-auth.yml b/.github/workflows/prod_ci_citizen-auth.yml
@@ -30,8 +30,8 @@ jobs:
     steps:
       - name: Create GitHub Runner
         id: create_github_runner
-        # from https://github.com/pagopa/github-self-hosted-runner-azure-create-action/commits/main
-        uses: pagopa/github-self-hosted-runner-azure-create-action@13d5d0ae9550efdd5770b14029d346c7ad490d01
+        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
+        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
         with:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}

diff --git a/.github/workflows/prod_drift_citizen-auth.yml b/.github/workflows/prod_drift_citizen-auth.yml
@@ -23,8 +23,8 @@ jobs:
     steps:
       - name: Create GitHub Runner
         id: create_github_runner
-        # from https://github.com/pagopa/github-self-hosted-runner-azure-create-action/commits/main
-        uses: pagopa/github-self-hosted-runner-azure-create-action@13d5d0ae9550efdd5770b14029d346c7ad490d01
+        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
+        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
         with:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}

diff --git a/src/domains/citizen-auth-app/06_storage.tf b/src/domains/citizen-auth-app/06_storage.tf
@@ -1,4 +1,10 @@
 data "azurerm_storage_account" "lollipop_assertion_storage" {
   name                = replace(format("%s-lollipop-assertions-st", local.product), "-", "")
   resource_group_name = format("%s-%s-data-rg", local.product, var.domain)
-}
+}
+
+// Data must be enabled when the resource will be created
+// data "azurerm_storage_account" "lv_audit_logs_storage" {
+//  name                = replace(format("%s-lv-logs-st", local.product), "-", "")
+//  resource_group_name = format("%s-%s-data-rg", local.product, var.domain)
+//}
diff --git a/src/domains/citizen-auth-app/07_function_fast_login.tf b/src/domains/citizen-auth-app/07_function_fast_login.tf
@@ -25,6 +25,12 @@ locals {
       // --------------------------
       LOLLIPOP_GET_ASSERTION_BASE_URL = "https://api.io.pagopa.it"
       LOLLIPOP_GET_ASSERTION_API_KEY  = data.azurerm_key_vault_secret.fast_login_subscription_key.value
+
+      // --------------------------
+      //  Fast login audit log storage
+      // --------------------------
+      // Wait the resource creation before enable data
+      //FAST_LOGIN_AUDIT_CONNECTION_STRING = data.azurerm_storage_account.lv_audit_logs_storage.primary_connection_string
     }
   }
 }

diff --git a/src/domains/citizen-auth-common/03_storage.tf b/src/domains/citizen-auth-common/03_storage.tf
@@ -1,3 +1,6 @@
+###
+# LolliPoP Assertion Storage
+###
 module "lollipop_assertions_storage" {
   source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v6.1.0"
 
@@ -79,3 +82,63 @@ resource "azurerm_storage_queue" "lollipop_assertions_storage_revoke_queue" {
   name                 = "pubkeys-revoke" # This value is used in src/core/99_variables.tf#citizen_auth_revoke_queue_name
   storage_account_name = module.lollipop_assertions_storage.name
 }
+
+###
+# LV Audit Log Storage
+###
+
+module "lv_audit_logs_storage" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v6.1.0"
+
+  name                          = replace(format("%s-lv-logs-st", local.product), "-", "")
+  domain                        = upper(var.domain)
+  account_kind                  = "StorageV2"
+  account_tier                  = "Standard"
+  access_tier                   = "Hot"
+  account_replication_type      = "GZRS"
+  resource_group_name           = azurerm_resource_group.data_rg.name
+  location                      = var.location
+  advanced_threat_protection    = true
+  enable_identity               = true
+  public_network_access_enabled = false
+
+  tags = var.tags
+}
+
+module "lv_audit_logs_storage_customer_managed_key" {
+  source               = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key?ref=v4.3.1"
+  tenant_id            = data.azurerm_subscription.current.tenant_id
+  location             = var.location
+  resource_group_name  = azurerm_resource_group.data_rg.name
+  key_vault_id         = module.key_vault.id
+  key_name             = format("%s-key", module.lv_audit_logs_storage.name)
+  storage_id           = module.lv_audit_logs_storage.id
+  storage_principal_id = module.lv_audit_logs_storage.identity.0.principal_id
+}
+
+resource "azurerm_private_endpoint" "lv_audit_logs_storage_blob" {
+  name                = "${module.lv_audit_logs_storage.name}-blob-endpoint"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.data_rg.name
+  subnet_id           = data.azurerm_subnet.private_endpoints_subnet.id
+
+  private_service_connection {
+    name                           = "${module.lv_audit_logs_storage.name}-blob"
+    private_connection_resource_id = module.lv_audit_logs_storage.id
+    is_manual_connection           = false
+    subresource_names              = ["blob"]
+  }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_blob_core_windows_net.id]
+  }
+
+  tags = var.tags
+}
+
+resource "azurerm_storage_container" "lv_audit_logs_storage_logs" {
+  name                  = "logs"
+  storage_account_name  = module.lv_audit_logs_storage.name
+  container_access_type = "private"
+}
diff --git a/src/domains/citizen-auth-common/README.md b/src/domains/citizen-auth-common/README.md
@@ -29,6 +29,8 @@
 | <a name="module_key_vault"></a> [key\_vault](#module\_key\_vault) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v4.1.3 |
 | <a name="module_lollipop_assertions_storage"></a> [lollipop\_assertions\_storage](#module\_lollipop\_assertions\_storage) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account | v6.1.0 |
 | <a name="module_lollipop_assertions_storage_customer_managed_key"></a> [lollipop\_assertions\_storage\_customer\_managed\_key](#module\_lollipop\_assertions\_storage\_customer\_managed\_key) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key | v4.3.1 |
+| <a name="module_lv_audit_logs_storage"></a> [lv\_audit\_logs\_storage](#module\_lv\_audit\_logs\_storage) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account | v6.1.0 |
+| <a name="module_lv_audit_logs_storage_customer_managed_key"></a> [lv\_audit\_logs\_storage\_customer\_managed\_key](#module\_lv\_audit\_logs\_storage\_customer\_managed\_key) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key | v4.3.1 |
 
 ## Resources
 
@@ -65,9 +67,11 @@
 | [azurerm_monitor_metric_alert.cosmosdb_account_normalized_RU_consumption_exceeded](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
 | [azurerm_private_endpoint.lollipop_assertion_storage_blob](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
 | [azurerm_private_endpoint.lollipop_assertion_storage_queue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
+| [azurerm_private_endpoint.lv_audit_logs_storage_blob](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
 | [azurerm_resource_group.data_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_storage_container.lollipop_assertions_storage_assertions](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
+| [azurerm_storage_container.lv_audit_logs_storage_logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
 | [azurerm_storage_queue.lollipop_assertions_storage_revoke_queue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_queue) | resource |
 | [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |