diff --git a/src/core/99_variables.tf b/src/core/99_variables.tf index a26f98f86..8f8c4354f 100644 --- a/src/core/99_variables.tf +++ b/src/core/99_variables.tf @@ -26,6 +26,17 @@ variable "location" { default = "westeurope" } +variable "location_short" { + type = string + validation { + condition = ( + length(var.location_short) == 3 + ) + error_message = "Length must be 3 chars." + } + description = "One of weu, neu" +} + variable "lock_enable" { type = bool default = false @@ -417,6 +428,11 @@ variable "app_gateway_continua_io_pagopa_it_certificate_name" { description = "Application gateway continua certificate name on Key Vault" } +variable "app_gateway_selfcare_io_pagopa_it_certificate_name" { + type = string + description = "Application gateway selfcare-io certificate name on Key Vault" +} + variable "app_gateway_min_capacity" { type = number default = 0 diff --git a/src/core/README.md b/src/core/README.md index 8e6dc1db5..f155a3b2b 100644 --- a/src/core/README.md +++ b/src/core/README.md 
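Review bot: The `location_short` validation only asserts `length(var.location_short) == 3`, while the description says "One of weu, neu" and the new data sources splice the value into subnet names (`format("%s-%s-fast-login-snet", local.project, var.location_short)` in app_backend.tf), so any other three-letter string passes validation and only fails later as a not-found subnet lookup. Tighten it to `condition = contains(["weu", "neu"], var.location_short)` with `error_message = "location_short must be one of: weu, neu."` so the description and the check agree. The variable has no default, so every environment's tfvars must now set it; this diff updates only dev and prod, which is worth confirming against any other env directory.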
@@ -269,6 +269,7 @@ | [azurerm_dns_a_record.continua_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource | | [azurerm_dns_a_record.developerportal_backend_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource | | [azurerm_dns_a_record.firmaconio_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource | +| [azurerm_dns_a_record.selfcare_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource | | [azurerm_dns_caa_record.firmaconio_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_caa_record) | resource | | [azurerm_dns_caa_record.io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_caa_record) | resource | | [azurerm_dns_caa_record.io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_caa_record) | resource | 
@@ -508,6 +509,7 @@ | [azurerm_key_vault_certificate.app_gw_continua](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | | [azurerm_key_vault_certificate.app_gw_developerportal_backend_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | | [azurerm_key_vault_certificate.app_gw_firmaconio_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | +| [azurerm_key_vault_certificate.app_gw_selfcare_io](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | | [azurerm_key_vault_secret.ad_APPCLIENT_APIM_ID](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.ad_APPCLIENT_APIM_SECRET](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.adb2c_TENANT_NAME](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | 
@@ -638,6 +640,7 @@ | [azurerm_key_vault_secret.subscriptionmigrations_db_server_adm_username](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.subscriptionmigrations_db_server_fnsubsmigrations_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_linux_web_app.app_backend_app_services](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source | +| [azurerm_linux_web_app.cms_backoffice_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source | | [azurerm_linux_web_app.firmaconio_selfcare_web_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source | | [azurerm_redis_cache.redis_cgn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/redis_cache) | data source | | [azurerm_resource_group.notifications_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | 
@@ -651,6 +654,8 @@ | [azurerm_storage_account.storage_apievents](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source | | [azurerm_storage_account.userbackups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source | | [azurerm_storage_account.userdatadownload](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source | +| [azurerm_subnet.functions_fast_login_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | +| [azurerm_subnet.ioweb_profile_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | ## Inputs 
@@ -681,6 +686,7 @@ | [app\_gateway\_firmaconio\_selfcare\_pagopa\_it\_certificate\_name](#input\_app\_gateway\_firmaconio\_selfcare\_pagopa\_it\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes | | [app\_gateway\_max\_capacity](#input\_app\_gateway\_max\_capacity) | n/a | `number` | `2` | no | | [app\_gateway\_min\_capacity](#input\_app\_gateway\_min\_capacity) | n/a | `number` | `0` | no | +| [app\_gateway\_selfcare\_io\_pagopa\_it\_certificate\_name](#input\_app\_gateway\_selfcare\_io\_pagopa\_it\_certificate\_name) | Application gateway selfcare-io certificate name on Key Vault | `string` | n/a | yes | | [app\_messages\_count](#input\_app\_messages\_count) | App Messages | `number` | `2` | no | | [app\_messages\_function\_always\_on](#input\_app\_messages\_function\_always\_on) | n/a | `bool` | `false` | no | | [app\_messages\_function\_autoscale\_default](#input\_app\_messages\_function\_autoscale\_default) | The number of instances that are available for scaling if metrics are not available for evaluation. | `number` | `1` | no | @@ -814,6 +820,7 @@ | [law\_retention\_in\_days](#input\_law\_retention\_in\_days) | The workspace data retention in days | `number` | `90` | no | | [law\_sku](#input\_law\_sku) | Sku of the Log Analytics Workspace | `string` | `"PerGB2018"` | no | | [location](#input\_location) | n/a | `string` | `"westeurope"` | no | +| [location\_short](#input\_location\_short) | One of weu, neu | `string` | n/a | yes | | [lock\_enable](#input\_lock\_enable) | Apply locks to block accedentaly deletions. | `bool` | `false` | no | | [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | The common Log Analytics Workspace name | `string` | `""` | no | | [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes | 
diff --git a/src/core/app_backend.tf b/src/core/app_backend.tf index 968817d79..9ce8903ac 100644 --- a/src/core/app_backend.tf +++ b/src/core/app_backend.tf @@ -600,6 +600,12 @@ resource "azurerm_subnet_nat_gateway_association" "app_backendl1_snet" { subnet_id = module.app_backendl1_snet.id } +data "azurerm_subnet" "functions_fast_login_snet" { + name = format("%s-%s-fast-login-snet", local.project, var.location_short) + virtual_network_name = module.vnet_common.name + resource_group_name = azurerm_resource_group.rg_common.name +} + module "appservice_app_backendl1" { source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service?ref=v4.1.15" @@ -1070,6 +1076,7 @@ module "appservice_app_backendli" { module.services_snet[0].id, module.services_snet[1].id, module.admin_snet.id, + data.azurerm_subnet.functions_fast_login_snet.id, ] allowed_ips = concat( diff --git a/src/core/appgateway.tf b/src/core/appgateway.tf index c8f4350ac..3219f8121 100644 --- a/src/core/appgateway.tf +++ b/src/core/appgateway.tf @@ -126,6 +126,20 @@ module "app_gw" { pick_host_name_from_backend = true } + selfcare-io-app = { + protocol = "Https" + host = null + port = 443 + ip_addresses = null # with null value use fqdns + fqdns = [ + data.azurerm_linux_web_app.cms_backoffice_app.default_hostname, + ] + probe = "/api/info" + probe_name = "probe-selfcare-io-app" + request_timeout = 10 + pick_host_name_from_backend = true + } + } ssl_profiles = [{ 
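Review bot: The new `data "azurerm_subnet" "functions_fast_login_snet"` in the core stack reads a subnet that is created by a different root module (citizen-auth-app's `module.fast_login_snet`, visible in 07_function_fast_login.tf), so core now has an apply-order dependency on that domain: on a fresh environment, or while that subnet is being rebuilt, `terraform plan` of core fails with a not-found error instead of producing a diff. The same cross-stack lookup is introduced in function_app.tf (`data "azurerm_subnet" "ioweb_profile_snet"`, targeting the subnet that ioweb-app's 06_function_ioweb_profile.tf creates). Record the ordering above each data source, e.g. `# created by src/domains/citizen-auth-app (module.fast_login_snet); apply that stack first`. Also confirm the name formats agree: core builds `<project>-<location_short>-ioweb-profile-snet` while ioweb-app builds `<common_project>-ioweb-profile-snet`, which only match if `local.common_project` already carries the location suffix.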
@@ -338,6 +352,23 @@ module "app_gw" { ) } } + + selfcare-io-pagopa-it = { + protocol = "Https" + host = format("selfcare.%s.%s", var.dns_zone_io, var.external_domain) + port = 443 + ssl_profile_name = format("%s-ssl-profile", local.project) + firewall_policy_id = null + + certificate = { + name = var.app_gateway_selfcare_io_pagopa_it_certificate_name + id = replace( + data.azurerm_key_vault_certificate.app_gw_selfcare_io.secret_id, + "/${data.azurerm_key_vault_certificate.app_gw_selfcare_io.version}", + "" + ) + } + } } # maps listener to backend @@ -413,6 +444,13 @@ module "app_gw" { priority = 80 } + selfcare-io-pagopa-it = { + listener = "selfcare-io-pagopa-it" + backend = "selfcare-io-app" + rewrite_rule_set_name = "rewrite-rule-set-selfcare-io" + priority = 110 + } + } rewrite_rule_sets = [ @@ -590,6 +628,26 @@ module "app_gw" { response_header_configurations = [] }] }, + { + name = "rewrite-rule-set-selfcare-io" + rewrite_rules = [{ + name = "http-headers-selfcare-io" + rule_sequence = 100 + conditions = [] + url = null + request_header_configurations = [ + { + header_name = "X-Forwarded-For" + header_value = "{var_client_ip}" + }, + { + header_name = "X-Client-Ip" + header_value = "{var_client_ip}" + }, + ] + response_header_configurations = [] + }] + }, ] # TLS @@ -833,6 +891,11 @@ data "azurerm_key_vault_certificate" "app_gw_continua" { key_vault_id = module.key_vault.id } +data "azurerm_key_vault_certificate" "app_gw_selfcare_io" { + name = var.app_gateway_selfcare_io_pagopa_it_certificate_name + key_vault_id = module.key_vault.id +} + data "azurerm_key_vault_secret" "app_gw_mtls_header_name" { name = "mtls-header-name" key_vault_id = module.key_vault.id diff --git a/src/core/data.tf b/src/core/data.tf index 4b226846f..1f0fc74b5 100644 --- a/src/core/data.tf +++ b/src/core/data.tf 
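Review bot: The new `selfcare-io-pagopa-it` listener is a public HTTPS endpoint declared with `firewall_policy_id = null`; if the other listeners of this gateway rely on per-listener WAF policies rather than a gateway-wide one, this one is left uninspected, so either attach the same policy or add `# covered by the gateway-level WAF policy` so the choice is explicit. In `rewrite-rule-set-selfcare-io` the `X-Forwarded-For` header is overwritten with `{var_client_ip}` rather than appended to, which is only accurate while the Application Gateway is the first proxy in the path; a comment such as `# overwrite, not append: the gateway is the first hop, so var_client_ip is the real client` would record that assumption for the backend that consumes the header. Stripping the version from the certificate `secret_id` is the right choice, since it lets the gateway pick up rotated certificates without a re-apply. `module "app_gw"` starts and ends outside these hunks.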
@@ -269,3 +269,12 @@ resource "azurerm_monitor_metric_alert" "cosmos_cgn_throttling_alert" { tags = var.tags } + +# +# IO Services CMS BackOffice App +# + +data "azurerm_linux_web_app" "cms_backoffice_app" { + name = format("%s-services-cms-backoffice-app", local.project) + resource_group_name = format("%s-services-cms-rg", local.project) +} diff --git a/src/core/dns_io_pagopa_it.tf b/src/core/dns_io_pagopa_it.tf index 997411f65..119d2005f 100644 --- a/src/core/dns_io_pagopa_it.tf +++ b/src/core/dns_io_pagopa_it.tf @@ -89,6 +89,17 @@ resource "azurerm_dns_a_record" "continua_io_pagopa_it" { tags = var.tags } +# selfcare.io.pagopa.it +resource "azurerm_dns_a_record" "selfcare_io_pagopa_it" { + name = "selfcare" + zone_name = azurerm_dns_zone.io_pagopa_it[0].name + resource_group_name = azurerm_resource_group.rg_external.name + ttl = var.dns_default_ttl_sec + records = [azurerm_public_ip.appgateway_public_ip.ip_address] + + tags = var.tags +} + # firma.io.pagopa.it resource "azurerm_dns_ns_record" "firma_io_pagopa_it_ns" { name = "firma" diff --git a/src/core/env/dev/terraform.tfvars b/src/core/env/dev/terraform.tfvars index e470149cb..9e6800c06 100644 --- a/src/core/env/dev/terraform.tfvars +++ b/src/core/env/dev/terraform.tfvars @@ -8,6 +8,9 @@ tags = { CostCenter = "TS310 - PAGAMENTI & SERVIZI" } +location = "westeurope" +location_short = "weu" + # dns external_domain = "pagopa.it" dns_zone_io = "dev.io" diff --git a/src/core/env/prod/terraform.tfvars b/src/core/env/prod/terraform.tfvars index 50a8fa7bf..5d9140b77 100644 --- a/src/core/env/prod/terraform.tfvars +++ b/src/core/env/prod/terraform.tfvars @@ -8,6 +8,9 @@ tags = { CostCenter = "TS310 - PAGAMENTI & SERVIZI" } +location = "westeurope" +location_short = "weu" + # dns external_domain = "pagopa.it" dns_zone_io = "io" 
@@ -66,6 +69,9 @@ cidr_subnet_pendpoints = ["10.0.240.0/23"] cidr_subnet_azdoa = ["10.0.250.0/24"] cidr_subnet_dnsforwarder = ["10.0.252.8/29"] +# just for reminder: declared in https://github.com/pagopa/io-infra/blob/main/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars +# subnet for ioweb_profile -> cidr_subnet_fniowebprofile = ["10.0.117.0/24"] + app_gateway_api_certificate_name = "api-io-pagopa-it" app_gateway_api_mtls_certificate_name = "api-mtls-io-pagopa-it" app_gateway_api_app_certificate_name = "api-app-io-pagopa-it" @@ -76,6 +82,7 @@ app_gateway_developerportal_backend_io_italia_it_certificate_name = "developerpo app_gateway_api_io_selfcare_pagopa_it_certificate_name = "api-io-selfcare-pagopa-it" app_gateway_firmaconio_selfcare_pagopa_it_certificate_name = "firmaconio-selfcare-pagopa-it" app_gateway_continua_io_pagopa_it_certificate_name = "continua-io-pagopa-it" +app_gateway_selfcare_io_pagopa_it_certificate_name = "selfcare-io-pagopa-it" app_gateway_min_capacity = 4 # 4 capacity=baseline, 10 capacity=high volume event, 15 capacity=very high volume event app_gateway_max_capacity = 50 app_gateway_alerts_enabled = true diff --git a/src/core/function_app.tf b/src/core/function_app.tf index 7eacc6629..d651d36a4 100644 --- a/src/core/function_app.tf +++ b/src/core/function_app.tf @@ -160,6 +160,12 @@ module "app_snet" { } } +data "azurerm_subnet" "ioweb_profile_snet" { + name = format("%s-%s-ioweb-profile-snet", local.project, var.location_short) + virtual_network_name = module.vnet_common.name + resource_group_name = azurerm_resource_group.rg_common.name +} + #tfsec:ignore:azure-storage-queue-services-logging-enabled:exp:2022-05-01 # already ignored, maybe a bug in tfsec module "function_app" { count = var.function_app_count @@ -206,6 +212,7 @@ module "function_app" { module.app_backendl1_snet.id, module.app_backendl2_snet.id, module.app_backendli_snet.id, + data.azurerm_subnet.ioweb_profile_snet.id, ] tags = var.tags 
diff --git a/src/domains/citizen-auth-app/01_network.tf b/src/domains/citizen-auth-app/01_network.tf index 327d5bc16..bf647e961 100644 --- a/src/domains/citizen-auth-app/01_network.tf +++ b/src/domains/citizen-auth-app/01_network.tf @@ -69,6 +69,12 @@ data "azurerm_subnet" "app_backend_l2_snet" { resource_group_name = local.vnet_common_resource_group_name } +data "azurerm_subnet" "ioweb_profile_snet" { + name = format("%s-ioweb-profile-snet", local.common_project) + virtual_network_name = local.vnet_common_name + resource_group_name = local.vnet_common_resource_group_name +} + data "azurerm_subnet" "apim_snet" { name = "apimapi" virtual_network_name = local.vnet_common_name @@ -92,4 +98,4 @@ data "azurerm_subnet" "appgateway_snet" { name = "io-p-appgateway-snet" virtual_network_name = local.vnet_common_name resource_group_name = local.vnet_common_resource_group_name -} \ No newline at end of file +} diff --git a/src/domains/citizen-auth-app/07_function_fast_login.tf b/src/domains/citizen-auth-app/07_function_fast_login.tf index a073517b9..5a853bb9d 100644 --- a/src/domains/citizen-auth-app/07_function_fast_login.tf +++ b/src/domains/citizen-auth-app/07_function_fast_login.tf @@ -115,6 +115,7 @@ module "function_fast_login" { module.fast_login_snet[0].id, data.azurerm_subnet.app_backend_l1_snet.id, data.azurerm_subnet.app_backend_l2_snet.id, + data.azurerm_subnet.ioweb_profile_snet.id, ] # Action groups for alerts diff --git a/src/domains/citizen-auth-app/README.md b/src/domains/citizen-auth-app/README.md index 6c11ad5af..ec1c53ca4 100644 --- a/src/domains/citizen-auth-app/README.md +++ b/src/domains/citizen-auth-app/README.md 
@@ -89,6 +89,7 @@ | [azurerm_subnet.app_backend_l2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.appgateway_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.azdoa_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | +| [azurerm_subnet.ioweb_profile_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | | [azurerm_virtual_network.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source | diff --git a/src/domains/ioweb-app/.terraform.lock.hcl b/src/domains/ioweb-app/.terraform.lock.hcl index 690471b58..580b11cfd 100644 --- a/src/domains/ioweb-app/.terraform.lock.hcl +++ b/src/domains/ioweb-app/.terraform.lock.hcl 
@@ -115,3 +115,22 @@ provider "registry.terraform.io/hashicorp/null" { "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", ] } + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.4" + hashes = [ + "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=", + "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", + "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", + "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", + "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", + "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", + "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", + "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", + "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", + "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", + "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", + "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/src/domains/ioweb-app/01_network.tf b/src/domains/ioweb-app/01_network.tf index 96b42ff13..8c28c718f 100644 --- a/src/domains/ioweb-app/01_network.tf +++ b/src/domains/ioweb-app/01_network.tf 
@@ -51,3 +51,23 @@ data "azurerm_subnet" "private_endpoints_subnet" { virtual_network_name = local.vnet_common_name resource_group_name = local.vnet_common_resource_group_name } + +data "azurerm_subnet" "apim_v2_snet" { + name = "apimv2api" + virtual_network_name = local.vnet_common_name + resource_group_name = local.vnet_common_resource_group_name +} + +data "azurerm_subnet" "function_app_snet" { + count = 2 + name = format("%s-app-snet-%d", local.product, count.index + 1) + virtual_network_name = local.vnet_common_name + resource_group_name = local.vnet_common_resource_group_name +} + +data "azurerm_subnet" "azdoa_snet" { + count = var.enable_azdoa ? 1 : 0 + name = "azure-devops" + virtual_network_name = local.vnet_common_name + resource_group_name = local.vnet_common_resource_group_name +} diff --git a/src/domains/ioweb-app/02_security.tf b/src/domains/ioweb-app/02_security.tf index 31ed9ca52..2f3d660d9 100644 --- a/src/domains/ioweb-app/02_security.tf +++ b/src/domains/ioweb-app/02_security.tf 
@@ -2,3 +2,41 @@ data "azurerm_key_vault" "kv" { name = "${local.product}-${var.domain}-kv" resource_group_name = "${local.product}-${var.domain}-sec-rg" } + +####### +# KEYS +####### +resource "tls_private_key" "ioweb_profile_jwe_key" { + algorithm = "ECDSA" + ecdsa_curve = "P256" +} + +resource "tls_private_key" "ioweb_profile_jwt_key" { + algorithm = "RSA" + rsa_bits = 2048 +} +####### + +resource "azurerm_key_vault_secret" "magic_link_jwe_pub_key" { + name = "ioweb-profile-magic-link-jwe-pub-key" + value = tls_private_key.ioweb_profile_jwe_key.public_key_pem + key_vault_id = data.azurerm_key_vault.kv.id +} + +resource "azurerm_key_vault_secret" "magic_link_jwe_private_key" { + name = "ioweb-profile-magic-link-jwe-private-key" + value = tls_private_key.ioweb_profile_jwe_key.private_key_pem + key_vault_id = data.azurerm_key_vault.kv.id +} + +resource "azurerm_key_vault_secret" "exchange_jwt_pub_key" { + name = "ioweb-profile-exchange-jwt-pub-key" + value = tls_private_key.ioweb_profile_jwt_key.public_key_pem + key_vault_id = data.azurerm_key_vault.kv.id +} + +resource "azurerm_key_vault_secret" "exchange_jwt_private_key" { + name = "ioweb-profile-exchange-jwt-private-key" + value = tls_private_key.ioweb_profile_jwt_key.private_key_pem + key_vault_id = data.azurerm_key_vault.kv.id +} diff --git a/src/domains/ioweb-app/05_resource_group.tf b/src/domains/ioweb-app/05_resource_group.tf index d13a197f2..989358ac1 100644 --- a/src/domains/ioweb-app/05_resource_group.tf +++ b/src/domains/ioweb-app/05_resource_group.tf @@ -4,3 +4,11 @@ resource "azurerm_resource_group" "base_rg" { tags = var.tags } + +# resource group for ioweb-profile azure function +resource "azurerm_resource_group" "ioweb_profile_rg" { + name = format("%s-ioweb-profile-rg", local.common_project) + location = var.location + + tags = var.tags +} 
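Review bot: `tls_private_key.ioweb_profile_jwe_key` and `tls_private_key.ioweb_profile_jwt_key` generate the keys on the machine running Terraform and keep `private_key_pem` in the state file in clear text, and the `*_private_key` `azurerm_key_vault_secret` resources copy the same PEM into state a second time through `value`; whoever can read the state backend can therefore mint exchange JWTs and decrypt magic links, so state access should be treated and audited as key access. If the consumer could use a vault-managed key, `azurerm_key_vault_key` would generate the material inside Key Vault and it would never enter state; otherwise a header comment above the KEYS block, e.g. `# NOTE: private keys are stored in Terraform state — state access is equivalent to key access`, should say so. The four secrets set no `expiration_date` or `content_type`, which the tfsec checks already referenced elsewhere in this repository are likely to flag and which leaves no rotation deadline. Rotation is a manual `terraform apply -replace` of the `tls_private_key` resource, since nothing here triggers regeneration; worth stating in the same comment.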
diff --git a/src/domains/ioweb-app/06_function_ioweb_profile.tf b/src/domains/ioweb-app/06_function_ioweb_profile.tf new file mode 100644 index 000000000..26b2050ef --- /dev/null +++ b/src/domains/ioweb-app/06_function_ioweb_profile.tf 
@@ -0,0 +1,309 @@ +### +### SECRETS +### +data "azurerm_key_vault_secret" "api_beta_testers" { + name = "ioweb-profile-api-beta-testers" + key_vault_id = data.azurerm_key_vault.kv.id +} + +data "azurerm_key_vault_secret" "functions_fast_login_api_key" { + name = "ioweb-profile-functions-fast-login-api-key" + key_vault_id = data.azurerm_key_vault.kv.id +} + +data "azurerm_key_vault_secret" "functions_app_api_key" { + name = "ioweb-profile-functions-app-api-key" + key_vault_id = data.azurerm_key_vault.kv.id +} + +data "azurerm_key_vault_secret" "spid_login_jwt_pub_key" { + name = "spid-login-jwt-pub-key" + key_vault_id = data.azurerm_key_vault.kv.id +} + +data "azurerm_key_vault_secret" "spid_login_api_key" { + name = "ioweb-profile-spid-login-api-key" + key_vault_id = data.azurerm_key_vault.kv.id +} +### + +locals { + function_ioweb_profile = { + app_settings = { + FUNCTIONS_WORKER_PROCESS_COUNT = 4 + NODE_ENV = "production" + + // Keepalive fields are all optionals + FETCH_KEEPALIVE_ENABLED = "true" + FETCH_KEEPALIVE_SOCKET_ACTIVE_TTL = "110000" + FETCH_KEEPALIVE_MAX_SOCKETS = "40" + FETCH_KEEPALIVE_MAX_FREE_SOCKETS = "10" + FETCH_KEEPALIVE_FREE_SOCKET_TIMEOUT = "30000" + FETCH_KEEPALIVE_TIMEOUT = "60000" + + // -------------- + // FF AND TESTERS + // -------------- + FF_API_ENABLED = "BETA" + BETA_TESTERS = data.azurerm_key_vault_secret.api_beta_testers.value + + // ------------ + // JWT Config + // ------------ + BEARER_AUTH_HEADER = "authorization" + EXCHANGE_JWT_ISSUER = "api-web.io.pagopa.it/ioweb/backend" + EXCHANGE_JWT_PUB_KEY = azurerm_key_vault_secret.exchange_jwt_pub_key.value + EXCHANGE_JWT_PRIVATE_KEY = azurerm_key_vault_secret.exchange_jwt_private_key.value + // 1 hour + EXCHANGE_JWT_TTL = "3600" + MAGIC_LINK_JWE_PUB_KEY = azurerm_key_vault_secret.magic_link_jwe_pub_key.value + MAGIC_LINK_JWE_PRIVATE_KEY = azurerm_key_vault_secret.magic_link_jwe_private_key.value + // TBD: more/less than 1 week? 
+ MAGIC_LINK_JWE_TTL = "604800" + + HUB_SPID_LOGIN_JWT_ISSUER = "api-web.io.pagopa.it/ioweb/auth" + HUB_SPID_LOGIN_JWT_PUB_KEY = data.azurerm_key_vault_secret.spid_login_jwt_pub_key.value + + // ------------------------- + // Fast Login config + // ------------------------- + FAST_LOGIN_API_KEY = data.azurerm_key_vault_secret.functions_fast_login_api_key.value + FAST_LOGIN_CLIENT_BASE_URL = "https://io-p-weu-fast-login-fn.azurewebsites.net" + + // ------------------------- + // Functions App config + // ------------------------- + FUNCTIONS_APP_API_KEY = data.azurerm_key_vault_secret.functions_app_api_key.value + FUNCTIONS_APP_CLIENT_BASE_URL = "https://io-p-app-fn-2.azurewebsites.net" + + // ------------------------- + // Hub Spid Login for ioweb config + // ------------------------- + HUB_SPID_LOGIN_API_KEY = data.azurerm_key_vault_secret.spid_login_api_key.value + HUB_SPID_LOGIN_CLIENT_BASE_URL = "https://io-p-weu-ioweb-spid-login.azurewebsites.net" + } + } +} + + +# Subnet to host admin function +module "ioweb_profile_snet" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.15" + name = format("%s-ioweb-profile-snet", local.common_project) + address_prefixes = var.cidr_subnet_fniowebprofile + resource_group_name = data.azurerm_virtual_network.vnet_common.resource_group_name + virtual_network_name = data.azurerm_virtual_network.vnet_common.name + private_endpoint_network_policies_enabled = false + + service_endpoints = [ + "Microsoft.Web", + "Microsoft.Storage", + ] + + delegation = { + name = "default" + service_delegation = { + name = "Microsoft.Web/serverFarms" + actions = ["Microsoft.Network/virtualNetworks/subnets/action"] + } + } +} + +module "function_ioweb_profile" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app?ref=v5.2.0" + + resource_group_name = azurerm_resource_group.ioweb_profile_rg.name + name = format("%s-ioweb-profile-fn", local.common_project) + location = var.location + 
domain = "IO-AUTH" + health_check_path = "/api/v1/info" + + node_version = "18" + runtime_version = "~4" + + always_on = "true" + application_insights_instrumentation_key = data.azurerm_application_insights.application_insights.instrumentation_key + + app_service_plan_info = { + kind = var.function_ioweb_profile.kind + sku_size = var.function_ioweb_profile.sku_size + maximum_elastic_worker_count = 0 + } + + app_settings = merge( + local.function_ioweb_profile.app_settings, + ) + + internal_storage = { + "enable" = true, + "private_endpoint_subnet_id" = data.azurerm_subnet.private_endpoints_subnet.id, + "private_dns_zone_blob_ids" = [data.azurerm_private_dns_zone.privatelink_blob_core_windows_net.id], + "private_dns_zone_queue_ids" = [data.azurerm_private_dns_zone.privatelink_queue_core_windows_net.id], + "private_dns_zone_table_ids" = [data.azurerm_private_dns_zone.privatelink_table_core_windows_net.id], + "queues" = [], + "containers" = [], + "blobs_retention_days" = 0, + } + + subnet_id = module.ioweb_profile_snet.id + + allowed_subnets = [ + module.ioweb_profile_snet.id, + data.azurerm_subnet.apim_v2_snet.id, + data.azurerm_subnet.function_app_snet[0].id, + data.azurerm_subnet.function_app_snet[1].id, + ] + + enable_healthcheck = false + + # Action groups for alerts + action = [ + { + action_group_id = data.azurerm_monitor_action_group.error_action_group.id + webhook_properties = {} + } + ] + + tags = var.tags +} + +module "function_ioweb_profile_staging_slot" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app_slot?ref=v5.2.0" + + name = "staging" + location = var.location + resource_group_name = azurerm_resource_group.ioweb_profile_rg.name + function_app_id = module.function_ioweb_profile.id + app_service_plan_id = module.function_ioweb_profile.app_service_plan_id + health_check_path = "/api/v1/info" + + storage_account_name = module.function_ioweb_profile.storage_account.name + storage_account_access_key = 
module.function_ioweb_profile.storage_account.primary_access_key + internal_storage_connection_string = module.function_ioweb_profile.storage_account_internal_function.primary_connection_string + + node_version = "18" + always_on = "true" + runtime_version = "~4" + application_insights_instrumentation_key = data.azurerm_application_insights.application_insights.instrumentation_key + + app_settings = merge( + local.function_ioweb_profile.app_settings, + ) + + subnet_id = module.ioweb_profile_snet.id + + allowed_subnets = [ + module.ioweb_profile_snet.id, + data.azurerm_subnet.azdoa_snet[0].id, + data.azurerm_subnet.apim_v2_snet.id, + data.azurerm_subnet.function_app_snet[0].id, + data.azurerm_subnet.function_app_snet[1].id, + ] + + tags = var.tags +} + +resource "azurerm_monitor_autoscale_setting" "function_ioweb_profile" { + name = format("%s-autoscale", module.function_ioweb_profile.name) + resource_group_name = azurerm_resource_group.ioweb_profile_rg.name + location = var.location + target_resource_id = module.function_ioweb_profile.app_service_plan_id + + profile { + name = "default" + + capacity { + default = var.function_ioweb_profile.autoscale_default + minimum = var.function_ioweb_profile.autoscale_minimum + maximum = var.function_ioweb_profile.autoscale_maximum + } + + rule { + metric_trigger { + metric_name = "Requests" + metric_resource_id = module.function_ioweb_profile.id + metric_namespace = "microsoft.web/sites" + time_grain = "PT1M" + statistic = "Average" + time_window = "PT5M" + time_aggregation = "Average" + operator = "GreaterThan" + threshold = 3000 + divide_by_instance_count = false + } + + scale_action { + direction = "Increase" + type = "ChangeCount" + value = "2" + cooldown = "PT5M" + } + } + + rule { + metric_trigger { + metric_name = "CpuPercentage" + metric_resource_id = module.function_ioweb_profile.app_service_plan_id + metric_namespace = "microsoft.web/serverfarms" + time_grain = "PT1M" + statistic = "Average" + time_window = "PT5M" + 
time_aggregation = "Average" + operator = "GreaterThan" + threshold = 45 + divide_by_instance_count = false + } + + scale_action { + direction = "Increase" + type = "ChangeCount" + value = "2" + cooldown = "PT5M" + } + } + + rule { + metric_trigger { + metric_name = "Requests" + metric_resource_id = module.function_ioweb_profile.id + metric_namespace = "microsoft.web/sites" + time_grain = "PT1M" + statistic = "Average" + time_window = "PT5M" + time_aggregation = "Average" + operator = "LessThan" + threshold = 2000 + divide_by_instance_count = false + } + + scale_action { + direction = "Decrease" + type = "ChangeCount" + value = "1" + cooldown = "PT20M" + } + } + + rule { + metric_trigger { + metric_name = "CpuPercentage" + metric_resource_id = module.function_ioweb_profile.app_service_plan_id + metric_namespace = "microsoft.web/serverfarms" + time_grain = "PT1M" + statistic = "Average" + time_window = "PT5M" + time_aggregation = "Average" + operator = "LessThan" + threshold = 30 + divide_by_instance_count = false + } + + scale_action { + direction = "Decrease" + type = "ChangeCount" + value = "1" + cooldown = "PT20M" + } + } + } +} diff --git a/src/domains/ioweb-app/99_variables.tf b/src/domains/ioweb-app/99_variables.tf index 1b4809cde..8ffff08a6 100644 --- a/src/domains/ioweb-app/99_variables.tf +++ b/src/domains/ioweb-app/99_variables.tf @@ -123,3 +123,26 @@ variable "tls_cert_check_helm" { }) description = "tls cert helm chart configuration" } + +################### +# ioweb-profile-fn +################### +variable "cidr_subnet_fniowebprofile" { + type = list(string) + description = "Functions ioweb profile address space" + default = null +} + +variable "function_ioweb_profile" { + type = object({ + autoscale_minimum = number + autoscale_maximum = number + autoscale_default = number + sku_size = string + kind = string + }) +} + +variable "enable_azdoa" { + type = bool +} 
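Review bot: `module.function_ioweb_profile_staging_slot` lists `data.azurerm_subnet.azdoa_snet[0].id` unconditionally, but 01_network.tf declares that data source with `count = var.enable_azdoa ? 1 : 0`, so an environment with `enable_azdoa = false` fails at plan with an invalid-index error; building the list with `concat` and the splat form makes the entry disappear cleanly. Secondly, private keys and API keys are injected as plain app settings (`EXCHANGE_JWT_PRIVATE_KEY = azurerm_key_vault_secret.exchange_jwt_private_key.value`, `MAGIC_LINK_JWE_PRIVATE_KEY`, `FAST_LOGIN_API_KEY`, …), which places them in Terraform state and in the app's readable configuration; if the function_app module and the app's managed identity allow it, Key Vault references (`@Microsoft.KeyVault(SecretUri=...)`) keep the values out of both. `FAST_LOGIN_CLIENT_BASE_URL`, `FUNCTIONS_APP_CLIENT_BASE_URL` and `HUB_SPID_LOGIN_CLIENT_BASE_URL` are hard-coded `io-p-...` production hostnames inside a module that otherwise takes `var.location` and `var.cidr_subnet_fniowebprofile` per environment, so a non-prod deployment would call production services; deriving them from `local.common_project` or a variable keeps the module environment-agnostic.
```hcl
module "function_ioweb_profile_staging_slot" {
  # … unchanged: slot settings …

  allowed_subnets = concat(
    [module.ioweb_profile_snet.id],
    # empty list when enable_azdoa is false (count = 0), instead of an invalid [0] index
    data.azurerm_subnet.azdoa_snet[*].id,
    [
      data.azurerm_subnet.apim_v2_snet.id,
      data.azurerm_subnet.function_app_snet[0].id,
      data.azurerm_subnet.function_app_snet[1].id,
    ],
  )

  # … unchanged: tags …
```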
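Review bot: `cidr_subnet_fniowebprofile` defaults to `null` yet it is the `address_prefixes` of `module.ioweb_profile_snet` in 06_function_ioweb_profile.tf, which is always created, so an environment that omits it fails deep inside the subnet module instead of at variable validation; drop the `default = null` or add a `validation` block asserting `var.cidr_subnet_fniowebprofile != null`. `enable_azdoa` has no `description`; `description = "Read the azure-devops subnet and allow it to reach the ioweb-profile staging slot"` matches what 01_network.tf and the staging slot do with it. `function_ioweb_profile` would benefit from a one-line description as well, in line with `tls_cert_check_helm` just above it.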
diff --git a/src/domains/ioweb-app/README.md b/src/domains/ioweb-app/README.md index b5fb57c62..c9466527c 100644 --- a/src/domains/ioweb-app/README.md +++ b/src/domains/ioweb-app/README.md 
@@ -16,17 +16,30 @@
 |------|---------|
 | [azuread](#provider\_azuread) | 2.33.0 |
 | [azurerm](#provider\_azurerm) | 3.40.0 |
+| [tls](#provider\_tls) | 4.0.4 |
 ## Modules
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| [function\_ioweb\_profile](#module\_function\_ioweb\_profile) | git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app | v5.2.0 |
+| [function\_ioweb\_profile\_staging\_slot](#module\_function\_ioweb\_profile\_staging\_slot) | git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app_slot | v5.2.0 |
+| [ioweb\_profile\_snet](#module\_ioweb\_profile\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.15 |
 ## Resources
 | Name | Type |
 |------|------|
+| [azurerm_key_vault_secret.exchange_jwt_private_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_key_vault_secret.exchange_jwt_pub_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_key_vault_secret.magic_link_jwe_private_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_key_vault_secret.magic_link_jwe_pub_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_monitor_autoscale_setting.function_ioweb_profile](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource |
 | [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource |
 | [azurerm_resource_group.base_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+|
[azurerm_resource_group.ioweb_profile_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [tls_private_key.ioweb_profile_jwe_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [tls_private_key.ioweb_profile_jwt_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
 | [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
@@ -34,6 +47,11 @@ No modules.
 | [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
 | [azurerm_key_vault.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
+| [azurerm_key_vault_secret.api_beta_testers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_key_vault_secret.functions_app_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_key_vault_secret.functions_fast_login_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_key_vault_secret.spid_login_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_key_vault_secret.spid_login_jwt_pub_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
 | [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
 | [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
 | [azurerm_monitor_action_group.error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
@@ -46,6 +64,9 @@ No modules.
 | [azurerm_private_dns_zone.privatelink_queue_core_windows_net](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
 | [azurerm_private_dns_zone.privatelink_table_core_windows_net](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
 | [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_subnet.apim_v2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.azdoa_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.function_app_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 | [azurerm_virtual_network.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
@@ -56,9 +77,12 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [application\_insights\_name](#input\_application\_insights\_name) | Specifies the name of the Application Insights. | `string` | n/a | yes |
+| [cidr\_subnet\_fniowebprofile](#input\_cidr\_subnet\_fniowebprofile) | Functions ioweb profile address space | `list(string)` | `null` | no |
 | [domain](#input\_domain) | n/a | `string` | n/a | yes |
+| [enable\_azdoa](#input\_enable\_azdoa) | n/a | `bool` | n/a | yes |
 | [env](#input\_env) | n/a | `string` | n/a | yes |
 | [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes |
+| [function\_ioweb\_profile](#input\_function\_ioweb\_profile) | n/a |
object({
autoscale_minimum = number
autoscale_maximum = number
autoscale_default = number
sku_size = string
kind = string
})
| n/a | yes |
 | [ingress\_load\_balancer\_ip](#input\_ingress\_load\_balancer\_ip) | n/a | `string` | n/a | yes |
 | [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes |
 | [k8s\_kube\_config\_path\_prefix](#input\_k8s\_kube\_config\_path\_prefix) | n/a | `string` | `"~/.kube"` | no |
diff --git a/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars b/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars
index c0b92b343..60af28e34 100644
--- a/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars
+++ b/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars
@@ -22,6 +22,8 @@ log_analytics_workspace_name = "io-p-law-common"
 log_analytics_workspace_resource_group_name = "io-p-rg-common"
 application_insights_name = "io-p-ai-common"
+enable_azdoa = true
+
 ### External tools
 # chart releases: https://github.com/stakater/Reloader/releases
@@ -42,3 +44,13 @@ tls_cert_check_helm = {
 ### Aks
 ingress_load_balancer_ip = "10.11.100.250"
+
+### Fn ioweb-profile
+cidr_subnet_fniowebprofile = ["10.0.117.0/24"]
+function_ioweb_profile = {
+ kind = "Linux"
+ sku_size = "P1v3"
+ autoscale_minimum = 1
+ autoscale_maximum = 30
+ autoscale_default = 1
+}
diff --git a/src/domains/ioweb-common/01_network.tf b/src/domains/ioweb-common/01_network.tf
index 09b1b87ae..c6e85d0e8 100644
--- a/src/domains/ioweb-common/01_network.tf
+++ b/src/domains/ioweb-common/01_network.tf
@@ -3,6 +3,12 @@ data "azurerm_virtual_network" "vnet_common" {
 resource_group_name = local.vnet_common_resource_group_name
 }
+data "azurerm_subnet" "private_endpoints_subnet" {
+ name = "pendpoints"
+ virtual_network_name = local.vnet_common_name
+ resource_group_name = local.vnet_common_resource_group_name
+}
+
 data "azurerm_private_dns_zone" "privatelink_redis_cache" {
 name = "privatelink.redis.cache.windows.net"
 resource_group_name = format("%s-rg-common", local.product)
@@ -15,12 +21,23 @@ data "azurerm_subnet" "azdoa_snet" {
 resource_group_name = local.vnet_common_resource_group_name
 }
+data "azurerm_private_dns_zone" "privatelink_blob_core_windows_net" {
+ name = "privatelink.blob.core.windows.net"
+ resource_group_name = local.vnet_common_resource_group_name
+}
+
 data "azurerm_subnet" "apim_v2_snet" {
 name = "apimv2api"
 virtual_network_name = local.vnet_common_name
 resource_group_name = local.vnet_common_resource_group_name
 }
+data "azurerm_subnet" "ioweb_profile_snet" {
+ name = format("%s-%s-ioweb-profile-snet", local.product, var.location_short)
+ virtual_network_name = local.vnet_common_name
+ resource_group_name = local.vnet_common_resource_group_name
+}
+
 ## redis spid login subnet
 module "redis_spid_login_snet" {
 source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.15"
diff --git a/src/domains/ioweb-common/03_storage.tf b/src/domains/ioweb-common/03_storage.tf
new file mode 100644
index 000000000..cf5bb8f13
--- /dev/null
+++ b/src/domains/ioweb-common/03_storage.tf
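Review bot: `data "azurerm_subnet" "ioweb_profile_snet"` reads `var.location_short`, and nothing in this diff adds a `location_short` variable to the ioweb-common domain (only ioweb-app's 99_variables.tf is changed here); if the variable is not already declared in that domain, `terraform validate` fails on this data source. The subnet name is rebuilt with `format(...)` from the naming convention of the `ioweb_profile_snet` module that lives in src/domains/ioweb-app, so the cross-domain contract deserves a comment such as `# created by module.ioweb_profile_snet in src/domains/ioweb-app; keep the naming in sync`. Minor inconsistency: the new `privatelink_blob_core_windows_net` zone is looked up in `local.vnet_common_resource_group_name` while the neighbouring `privatelink_redis_cache` zone uses `format("%s-rg-common", local.product)`; if those resolve to the same group, one form should be used for both.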
@@ -0,0 +1,63 @@
+
+######################
+# SPID LOGS Storage
+######################
+module "spid_logs_storage" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v6.1.0"
+
+ name = replace(format("%s-spid-logs-st", local.project), "-", "")
+ domain = upper(var.domain)
+ account_kind = "StorageV2"
+ account_tier = "Standard"
+ access_tier = "Hot"
+ account_replication_type = "GZRS"
+ resource_group_name = azurerm_resource_group.storage_rg.name
+ location = var.location
+ advanced_threat_protection = true
+ enable_identity = true
+ public_network_access_enabled = false
+
+ tags = var.tags
+}
+
+module "spid_logs_storage_customer_managed_key" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key?ref=v6.1.0"
+ tenant_id = data.azurerm_subscription.current.tenant_id
+ location = var.location
+ resource_group_name = azurerm_resource_group.storage_rg.name
+ key_vault_id = module.key_vault.id
+ key_name = format("%s-key", module.spid_logs_storage.name)
+ storage_id = module.spid_logs_storage.id
+ storage_principal_id = module.spid_logs_storage.identity.0.principal_id
+}
+
+
+resource "azurerm_private_endpoint" "spid_logs_storage_blob" {
+ name = "${module.spid_logs_storage.name}-blob-endpoint"
+ location = var.location
+ resource_group_name = azurerm_resource_group.storage_rg.name
+ subnet_id = data.azurerm_subnet.private_endpoints_subnet.id
+
+ private_service_connection {
+ name = "${module.spid_logs_storage.name}-blob"
+ private_connection_resource_id = module.spid_logs_storage.id
+ is_manual_connection = false
+ subresource_names = ["blob"]
+ }
+
+ private_dns_zone_group {
+ name = "private-dns-zone-group"
+ private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_blob_core_windows_net.id]
+ }
+
+ tags = var.tags
+}
+
+
+# Containers
+resource "azurerm_storage_container" "spid_logs" {
+ depends_on = [module.spid_logs_storage]
+ name = "spidlogs"
+ storage_account_name =
module.spid_logs_storage.name
+ container_access_type = "private"
+}
\ No newline at end of file
diff --git a/src/domains/ioweb-common/05_resource_group.tf b/src/domains/ioweb-common/05_resource_group.tf
index 6c79dd39e..70cf2ccba 100644
--- a/src/domains/ioweb-common/05_resource_group.tf
+++ b/src/domains/ioweb-common/05_resource_group.tf
@@ -11,3 +11,10 @@ resource "azurerm_resource_group" "fe_rg" {
 tags = var.tags
 }
+
+resource "azurerm_resource_group" "storage_rg" {
+ name = "${local.project}-storage-rg"
+ location = var.location
+
+ tags = var.tags
+}
diff --git a/src/domains/ioweb-common/10_spid_login.tf b/src/domains/ioweb-common/10_spid_login.tf
index a00ca838e..4ac6943da 100644
--- a/src/domains/ioweb-common/10_spid_login.tf
+++ b/src/domains/ioweb-common/10_spid_login.tf
@@ -87,7 +87,7 @@ module "spid_login" {
 INCLUDE_SPID_USER_ON_INTROSPECTION = "true"
 TOKEN_EXPIRATION = "3600"
- JWT_TOKEN_ISSUER = "SPID"
+ JWT_TOKEN_ISSUER = "api-web.io.pagopa.it/ioweb/auth"
 JWT_TOKEN_PRIVATE_KEY = trimspace(tls_private_key.jwt.private_key_pem)
 TOKEN_EXPIRATION = 3600
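Review bot: `azurerm_storage_container.spid_logs` is created against an account with `public_network_access_enabled = false`, and the azurerm 3.x provider manages containers through the blob data plane, so the runner executing `terraform apply` must reach the account through the new private endpoint (or an explicit network rule) or container creation fails right after the account is created; at minimum the container should depend on the endpoint rather than on the module it already references implicitly, i.e. `depends_on = [azurerm_private_endpoint.spid_logs_storage_blob]`. A comment on the resource stating where applies run from would save the next person a confusing 403. Style: `module.spid_logs_storage.identity.0.principal_id` uses the legacy attribute-index syntax; `identity[0].principal_id` is the current form. The CMK plus private-endpoint setup is a good baseline for an audit-log store; since nothing here constrains retention or who may read the container, the banner comment should state the intended retention and the reader principals.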
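Review bot: Changing `JWT_TOKEN_ISSUER` from `"SPID"` to `"api-web.io.pagopa.it/ioweb/auth"` changes the `iss` claim of every token issued after apply, so any consumer that validates the issuer (the ioweb-app README in this diff shows `spid_login_jwt_pub_key` being read there) must be updated in the same rollout, while consumers that do not check `iss` will silently keep accepting either value; a comment next to the setting naming the validators that must match would make that coupling visible. Pre-existing but visible in the context lines: `TOKEN_EXPIRATION` appears twice, as `"3600"` and as `3600`, in what looks like the same settings map; if they are keys of one object Terraform rejects the duplicate, and if they live in different blocks the duplication is still confusing, so please reconcile to a single entry. The `module "spid_login"` block starts outside this hunk.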
@@ -99,15 +99,18 @@ module "spid_login" {
 APPINSIGHTS_INSTRUMENTATIONKEY = data.azurerm_application_insights.application_insights.instrumentation_key
 # Spid logs
- #TODO: enable logs
- ENABLE_SPID_ACCESS_LOGS = false
- # SPID_LOGS_STORAGE_CONNECTION_STRING = "DefaultEndpointsProtocol=https;AccountName=${module.storage_account.name};AccountKey=${module.storage_account.primary_access_key};BlobEndpoint=${module.storage_account.primary_blob_endpoint};"
- # SPID_LOGS_STORAGE_CONTAINER_NAME = azurerm_storage_container.spid_logs.name
- # SPID_LOGS_PUBLIC_KEY = trimspace(data.azurerm_key_vault_secret.spid_logs_public_key.value)
+ ENABLE_SPID_ACCESS_LOGS = true
+ SPID_LOGS_ENABLE_PAYLOAD_ENCRYPTION = false
+ SPID_LOGS_STORAGE_CONNECTION_STRING = module.spid_logs_storage.primary_connection_string
+ SPID_LOGS_STORAGE_CONTAINER_NAME = azurerm_storage_container.spid_logs.name
 }
- allowed_subnets = [data.azurerm_subnet.azdoa_snet.id, data.azurerm_subnet.apim_v2_snet.id]
- allowed_ips = []
+ allowed_subnets = [
+ data.azurerm_subnet.azdoa_snet.id,
+ data.azurerm_subnet.apim_v2_snet.id,
+ data.azurerm_subnet.ioweb_profile_snet.id,
+ ]
+ allowed_ips = []
 subnet_id = module.spid_login_snet.id
 vnet_integration = true
diff --git a/src/domains/ioweb-common/README.md b/src/domains/ioweb-common/README.md
index fa387ad59..a6e4c7c1f 100644
--- a/src/domains/ioweb-common/README.md
+++ b/src/domains/ioweb-common/README.md
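Review bot: `SPID_LOGS_STORAGE_CONNECTION_STRING = module.spid_logs_storage.primary_connection_string` hands the app a shared-key connection string even though the storage account is created with `enable_identity = true`; the key is long-lived, lands in app settings and in Terraform state, and bypasses RBAC on the container. If spid-login can authenticate to blob storage with its managed identity, prefer that with a Storage Blob Data Contributor assignment scoped to the `spidlogs` container; if it cannot, add a comment saying so and who rotates the key. `SPID_LOGS_ENABLE_PAYLOAD_ENCRYPTION = false` also drops the previously sketched `SPID_LOGS_PUBLIC_KEY` design without explanation, so the SPID access-log payload is now protected only by the account's encryption at rest and the private endpoint; record the decision with a comment such as `# payload encryption disabled on purpose: the account is CMK-encrypted and private-endpoint only; re-enable via SPID_LOGS_PUBLIC_KEY once <TICKET-PLACEHOLDER> lands`. The `module "spid_login"` block starts outside this hunk.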
@@ -28,6 +28,8 @@
 | [redis\_spid\_login\_snet](#module\_redis\_spid\_login\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.15 |
 | [spid\_login](#module\_spid\_login) | git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service | v4.1.15 |
 | [spid\_login\_snet](#module\_spid\_login\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.15 |
+| [spid\_logs\_storage](#module\_spid\_logs\_storage) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account | v6.1.0 |
+| [spid\_logs\_storage\_customer\_managed\_key](#module\_spid\_logs\_storage\_customer\_managed\_key) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key | v6.1.0 |
 ## Resources
@@ -43,9 +45,12 @@
 | [azurerm_key_vault_secret.appinsights_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.appinsights_instrumentation_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.spid_login_jwt_pub_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_private_endpoint.spid_logs_storage_blob](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
 | [azurerm_resource_group.common_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.fe_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.storage_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_storage_container.spid_logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
 | [tls_private_key.jwt](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
 | [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
@@ -65,11 +70,14 @@
 | [azurerm_monitor_action_group.error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
 | [azurerm_monitor_action_group.quarantine_error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
 | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_private_dns_zone.privatelink_blob_core_windows_net](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
 | [azurerm_private_dns_zone.privatelink_redis_cache](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
 | [azurerm_resource_group.core_ext](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_subnet.apim_v2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.azdoa_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.ioweb_profile_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 |
[azurerm_virtual_network.vnet_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |