Merge branch 'main' into SFEQS-1382-update-io-sign-azure-runtime-env

pagopa · Sep 25, 2023 · 0f71c2e · 0f71c2e
2 parents f2b3d69 + e640a73
commit 0f71c2e
Show file tree

Hide file tree

Showing 25 changed files with 699 additions and 10 deletions.
diff --git a/src/core/99_variables.tf b/src/core/99_variables.tf
@@ -26,6 +26,17 @@ variable "location" {
   default = "westeurope"
 }
 
+variable "location_short" {
+  type = string
+  validation {
+    condition = (
+      length(var.location_short) == 3
+    )
+    error_message = "Length must be 3 chars."
+  }
+  description = "One of weu, neu"
+}
+
 variable "lock_enable" {
   type        = bool
   default     = false
@@ -417,6 +428,11 @@ variable "app_gateway_continua_io_pagopa_it_certificate_name" {
   description = "Application gateway continua certificate name on Key Vault"
 }
 
+variable "app_gateway_selfcare_io_pagopa_it_certificate_name" {
+  type        = string
+  description = "Application gateway selfcare-io certificate name on Key Vault"
+}
+
 variable "app_gateway_min_capacity" {
   type    = number
   default = 0

diff --git a/src/core/README.md b/src/core/README.md
@@ -269,6 +269,7 @@
 | [azurerm_dns_a_record.continua_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
 | [azurerm_dns_a_record.developerportal_backend_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
 | [azurerm_dns_a_record.firmaconio_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
+| [azurerm_dns_a_record.selfcare_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
 | [azurerm_dns_caa_record.firmaconio_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_caa_record) | resource |
 | [azurerm_dns_caa_record.io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_caa_record) | resource |
 | [azurerm_dns_caa_record.io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_caa_record) | resource |
@@ -508,6 +509,7 @@
 | [azurerm_key_vault_certificate.app_gw_continua](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
 | [azurerm_key_vault_certificate.app_gw_developerportal_backend_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
 | [azurerm_key_vault_certificate.app_gw_firmaconio_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
+| [azurerm_key_vault_certificate.app_gw_selfcare_io](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
 | [azurerm_key_vault_secret.ad_APPCLIENT_APIM_ID](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
 | [azurerm_key_vault_secret.ad_APPCLIENT_APIM_SECRET](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
 | [azurerm_key_vault_secret.adb2c_TENANT_NAME](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
@@ -638,6 +640,7 @@
 | [azurerm_key_vault_secret.subscriptionmigrations_db_server_adm_username](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
 | [azurerm_key_vault_secret.subscriptionmigrations_db_server_fnsubsmigrations_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
 | [azurerm_linux_web_app.app_backend_app_services](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
+| [azurerm_linux_web_app.cms_backoffice_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
 | [azurerm_linux_web_app.firmaconio_selfcare_web_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
 | [azurerm_redis_cache.redis_cgn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/redis_cache) | data source |
 | [azurerm_resource_group.notifications_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
@@ -651,6 +654,8 @@
 | [azurerm_storage_account.storage_apievents](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
 | [azurerm_storage_account.userbackups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
 | [azurerm_storage_account.userdatadownload](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
+| [azurerm_subnet.functions_fast_login_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.ioweb_profile_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 
 ## Inputs
@@ -681,6 +686,7 @@
 | <a name="input_app_gateway_firmaconio_selfcare_pagopa_it_certificate_name"></a> [app\_gateway\_firmaconio\_selfcare\_pagopa\_it\_certificate\_name](#input\_app\_gateway\_firmaconio\_selfcare\_pagopa\_it\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes |
 | <a name="input_app_gateway_max_capacity"></a> [app\_gateway\_max\_capacity](#input\_app\_gateway\_max\_capacity) | n/a | `number` | `2` | no |
 | <a name="input_app_gateway_min_capacity"></a> [app\_gateway\_min\_capacity](#input\_app\_gateway\_min\_capacity) | n/a | `number` | `0` | no |
+| <a name="input_app_gateway_selfcare_io_pagopa_it_certificate_name"></a> [app\_gateway\_selfcare\_io\_pagopa\_it\_certificate\_name](#input\_app\_gateway\_selfcare\_io\_pagopa\_it\_certificate\_name) | Application gateway selfcare-io certificate name on Key Vault | `string` | n/a | yes |
 | <a name="input_app_messages_count"></a> [app\_messages\_count](#input\_app\_messages\_count) | App Messages | `number` | `2` | no |
 | <a name="input_app_messages_function_always_on"></a> [app\_messages\_function\_always\_on](#input\_app\_messages\_function\_always\_on) | n/a | `bool` | `false` | no |
 | <a name="input_app_messages_function_autoscale_default"></a> [app\_messages\_function\_autoscale\_default](#input\_app\_messages\_function\_autoscale\_default) | The number of instances that are available for scaling if metrics are not available for evaluation. | `number` | `1` | no |
@@ -814,6 +820,7 @@
 | <a name="input_law_retention_in_days"></a> [law\_retention\_in\_days](#input\_law\_retention\_in\_days) | The workspace data retention in days | `number` | `90` | no |
 | <a name="input_law_sku"></a> [law\_sku](#input\_law\_sku) | Sku of the Log Analytics Workspace | `string` | `"PerGB2018"` | no |
 | <a name="input_location"></a> [location](#input\_location) | n/a | `string` | `"westeurope"` | no |
+| <a name="input_location_short"></a> [location\_short](#input\_location\_short) | One of weu, neu | `string` | n/a | yes |
 | <a name="input_lock_enable"></a> [lock\_enable](#input\_lock\_enable) | Apply locks to block accedentaly deletions. | `bool` | `false` | no |
 | <a name="input_log_analytics_workspace_name"></a> [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | The common Log Analytics Workspace name | `string` | `""` | no |
 | <a name="input_log_analytics_workspace_resource_group_name"></a> [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes |

diff --git a/src/core/app_backend.tf b/src/core/app_backend.tf
@@ -600,6 +600,12 @@ resource "azurerm_subnet_nat_gateway_association" "app_backendl1_snet" {
   subnet_id      = module.app_backendl1_snet.id
 }
 
+data "azurerm_subnet" "functions_fast_login_snet" {
+  name                 = format("%s-%s-fast-login-snet", local.project, var.location_short)
+  virtual_network_name = module.vnet_common.name
+  resource_group_name  = azurerm_resource_group.rg_common.name
+}
+
 module "appservice_app_backendl1" {
   source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service?ref=v4.1.15"
 
@@ -1070,6 +1076,7 @@ module "appservice_app_backendli" {
     module.services_snet[0].id,
     module.services_snet[1].id,
     module.admin_snet.id,
+    data.azurerm_subnet.functions_fast_login_snet.id,
   ]
 
   allowed_ips = concat(

diff --git a/src/core/appgateway.tf b/src/core/appgateway.tf
@@ -126,6 +126,20 @@ module "app_gw" {
       pick_host_name_from_backend = true
     }
 
+    selfcare-io-app = {
+      protocol     = "Https"
+      host         = null
+      port         = 443
+      ip_addresses = null # with null value use fqdns
+      fqdns = [
+        data.azurerm_linux_web_app.cms_backoffice_app.default_hostname,
+      ]
+      probe                       = "/api/info"
+      probe_name                  = "probe-selfcare-io-app"
+      request_timeout             = 10
+      pick_host_name_from_backend = true
+    }
+
   }
 
   ssl_profiles = [{
@@ -338,6 +352,23 @@ module "app_gw" {
         )
       }
     }
+
+    selfcare-io-pagopa-it = {
+      protocol           = "Https"
+      host               = format("selfcare.%s.%s", var.dns_zone_io, var.external_domain)
+      port               = 443
+      ssl_profile_name   = format("%s-ssl-profile", local.project)
+      firewall_policy_id = null
+
+      certificate = {
+        name = var.app_gateway_selfcare_io_pagopa_it_certificate_name
+        id = replace(
+          data.azurerm_key_vault_certificate.app_gw_selfcare_io.secret_id,
+          "/${data.azurerm_key_vault_certificate.app_gw_selfcare_io.version}",
+          ""
+        )
+      }
+    }
   }
 
   # maps listener to backend
@@ -413,6 +444,13 @@ module "app_gw" {
       priority              = 80
     }
 
+    selfcare-io-pagopa-it = {
+      listener              = "selfcare-io-pagopa-it"
+      backend               = "selfcare-io-app"
+      rewrite_rule_set_name = "rewrite-rule-set-selfcare-io"
+      priority              = 110
+    }
+
   }
 
   rewrite_rule_sets = [
@@ -590,6 +628,26 @@ module "app_gw" {
         response_header_configurations = []
       }]
     },
+    {
+      name = "rewrite-rule-set-selfcare-io"
+      rewrite_rules = [{
+        name          = "http-headers-selfcare-io"
+        rule_sequence = 100
+        conditions    = []
+        url           = null
+        request_header_configurations = [
+          {
+            header_name  = "X-Forwarded-For"
+            header_value = "{var_client_ip}"
+          },
+          {
+            header_name  = "X-Client-Ip"
+            header_value = "{var_client_ip}"
+          },
+        ]
+        response_header_configurations = []
+      }]
+    },
   ]
 
   # TLS
@@ -833,6 +891,11 @@ data "azurerm_key_vault_certificate" "app_gw_continua" {
   key_vault_id = module.key_vault.id
 }
 
+data "azurerm_key_vault_certificate" "app_gw_selfcare_io" {
+  name         = var.app_gateway_selfcare_io_pagopa_it_certificate_name
+  key_vault_id = module.key_vault.id
+}
+
 data "azurerm_key_vault_secret" "app_gw_mtls_header_name" {
   name         = "mtls-header-name"
   key_vault_id = module.key_vault.id

diff --git a/src/core/data.tf b/src/core/data.tf
@@ -269,3 +269,12 @@ resource "azurerm_monitor_metric_alert" "cosmos_cgn_throttling_alert" {
 
   tags = var.tags
 }
+
+#
+# IO Services CMS BackOffice App
+#
+
+data "azurerm_linux_web_app" "cms_backoffice_app" {
+  name                = format("%s-services-cms-backoffice-app", local.project)
+  resource_group_name = format("%s-services-cms-rg", local.project)
+}
diff --git a/src/core/dns_io_pagopa_it.tf b/src/core/dns_io_pagopa_it.tf
@@ -89,6 +89,17 @@ resource "azurerm_dns_a_record" "continua_io_pagopa_it" {
   tags = var.tags
 }
 
+# selfcare.io.pagopa.it
+resource "azurerm_dns_a_record" "selfcare_io_pagopa_it" {
+  name                = "selfcare"
+  zone_name           = azurerm_dns_zone.io_pagopa_it[0].name
+  resource_group_name = azurerm_resource_group.rg_external.name
+  ttl                 = var.dns_default_ttl_sec
+  records             = [azurerm_public_ip.appgateway_public_ip.ip_address]
+
+  tags = var.tags
+}
+
 # firma.io.pagopa.it
 resource "azurerm_dns_ns_record" "firma_io_pagopa_it_ns" {
   name                = "firma"

diff --git a/src/core/env/dev/terraform.tfvars b/src/core/env/dev/terraform.tfvars
@@ -8,6 +8,9 @@ tags = {
   CostCenter  = "TS310 - PAGAMENTI & SERVIZI"
 }
 
+location       = "westeurope"
+location_short = "weu"
+
 # dns
 external_domain = "pagopa.it"
 dns_zone_io     = "dev.io"

diff --git a/src/core/env/prod/terraform.tfvars b/src/core/env/prod/terraform.tfvars
@@ -8,6 +8,9 @@ tags = {
   CostCenter  = "TS310 - PAGAMENTI & SERVIZI"
 }
 
+location       = "westeurope"
+location_short = "weu"
+
 # dns
 external_domain              = "pagopa.it"
 dns_zone_io                  = "io"
@@ -66,6 +69,9 @@ cidr_subnet_pendpoints   = ["10.0.240.0/23"]
 cidr_subnet_azdoa        = ["10.0.250.0/24"]
 cidr_subnet_dnsforwarder = ["10.0.252.8/29"]
 
+# just for reminder: declared in https://github.com/pagopa/io-infra/blob/main/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars
+# subnet for ioweb_profile -> cidr_subnet_fniowebprofile = ["10.0.117.0/24"]
+
 app_gateway_api_certificate_name                                  = "api-io-pagopa-it"
 app_gateway_api_mtls_certificate_name                             = "api-mtls-io-pagopa-it"
 app_gateway_api_app_certificate_name                              = "api-app-io-pagopa-it"
@@ -76,6 +82,7 @@ app_gateway_developerportal_backend_io_italia_it_certificate_name = "developerpo
 app_gateway_api_io_selfcare_pagopa_it_certificate_name            = "api-io-selfcare-pagopa-it"
 app_gateway_firmaconio_selfcare_pagopa_it_certificate_name        = "firmaconio-selfcare-pagopa-it"
 app_gateway_continua_io_pagopa_it_certificate_name                = "continua-io-pagopa-it"
+app_gateway_selfcare_io_pagopa_it_certificate_name                = "selfcare-io-pagopa-it"
 app_gateway_min_capacity                                          = 4 # 4 capacity=baseline, 10 capacity=high volume event, 15 capacity=very high volume event
 app_gateway_max_capacity                                          = 50
 app_gateway_alerts_enabled                                        = true

diff --git a/src/core/function_app.tf b/src/core/function_app.tf
@@ -160,6 +160,12 @@ module "app_snet" {
   }
 }
 
+data "azurerm_subnet" "ioweb_profile_snet" {
+  name                 = format("%s-%s-ioweb-profile-snet", local.project, var.location_short)
+  virtual_network_name = module.vnet_common.name
+  resource_group_name  = azurerm_resource_group.rg_common.name
+}
+
 #tfsec:ignore:azure-storage-queue-services-logging-enabled:exp:2022-05-01 # already ignored, maybe a bug in tfsec
 module "function_app" {
   count  = var.function_app_count
@@ -206,6 +212,7 @@ module "function_app" {
     module.app_backendl1_snet.id,
     module.app_backendl2_snet.id,
     module.app_backendli_snet.id,
+    data.azurerm_subnet.ioweb_profile_snet.id,
   ]
 
   tags = var.tags

diff --git a/src/domains/citizen-auth-app/01_network.tf b/src/domains/citizen-auth-app/01_network.tf
@@ -69,6 +69,12 @@ data "azurerm_subnet" "app_backend_l2_snet" {
   resource_group_name  = local.vnet_common_resource_group_name
 }
 
+data "azurerm_subnet" "ioweb_profile_snet" {
+  name                 = format("%s-ioweb-profile-snet", local.common_project)
+  virtual_network_name = local.vnet_common_name
+  resource_group_name  = local.vnet_common_resource_group_name
+}
+
 data "azurerm_subnet" "apim_snet" {
   name                 = "apimapi"
   virtual_network_name = local.vnet_common_name
@@ -92,4 +98,4 @@ data "azurerm_subnet" "appgateway_snet" {
   name                 = "io-p-appgateway-snet"
   virtual_network_name = local.vnet_common_name
   resource_group_name  = local.vnet_common_resource_group_name
-}
+}
diff --git a/src/domains/citizen-auth-app/07_function_fast_login.tf b/src/domains/citizen-auth-app/07_function_fast_login.tf
@@ -115,6 +115,7 @@ module "function_fast_login" {
     module.fast_login_snet[0].id,
     data.azurerm_subnet.app_backend_l1_snet.id,
     data.azurerm_subnet.app_backend_l2_snet.id,
+    data.azurerm_subnet.ioweb_profile_snet.id,
   ]
 
   # Action groups for alerts

diff --git a/src/domains/citizen-auth-app/README.md b/src/domains/citizen-auth-app/README.md
@@ -89,6 +89,7 @@
 | [azurerm_subnet.app_backend_l2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.appgateway_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.azdoa_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.ioweb_profile_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 | [azurerm_virtual_network.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |

diff --git a/src/domains/ioweb-app/.terraform.lock.hcl b/src/domains/ioweb-app/.terraform.lock.hcl
diff --git a/src/domains/ioweb-app/01_network.tf b/src/domains/ioweb-app/01_network.tf
@@ -51,3 +51,23 @@ data "azurerm_subnet" "private_endpoints_subnet" {
   virtual_network_name = local.vnet_common_name
   resource_group_name  = local.vnet_common_resource_group_name
 }
+
+data "azurerm_subnet" "apim_v2_snet" {
+  name                 = "apimv2api"
+  virtual_network_name = local.vnet_common_name
+  resource_group_name  = local.vnet_common_resource_group_name
+}
+
+data "azurerm_subnet" "function_app_snet" {
+  count                = 2
+  name                 = format("%s-app-snet-%d", local.product, count.index + 1)
+  virtual_network_name = local.vnet_common_name
+  resource_group_name  = local.vnet_common_resource_group_name
+}
+
+data "azurerm_subnet" "azdoa_snet" {
+  count                = var.enable_azdoa ? 1 : 0
+  name                 = "azure-devops"
+  virtual_network_name = local.vnet_common_name
+  resource_group_name  = local.vnet_common_resource_group_name
+}