-#
-# ./setup.sh weu-beta
-# ./setup.sh weu-prod01
-# ./setup.sh weu-prod02
-
-SCRIPT_PATH="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
-CURRENT_DIRECTORY="$(basename "$SCRIPT_PATH")"
-ENV=$1
-# must be subscription in lower case
-subscription=""
-
-#
-# 🏁 start shell init
-#
-if [ -z "$ENV" ]; then
- echo "[ERROR] You must set an ENV parameter"
- exit 0
-fi
-
-if [ ! -d "../env/$ENV" ]; then
- echo "[ERROR] ENV should be one of:"
- ls "../env"
- exit 0
-fi
-
-# shellcheck source=/dev/null
-source "../env/$ENV/backend.ini"
-
-if [ -z "${subscription}" ]; then
- printf "[ERROR] \e[1;31mYou must provide a subscription.\n"
- exit 1
-fi
-
-echo "[INFO] This is the current directory: ${CURRENT_DIRECTORY}"
-
-echo "[INFO] Subscription: ${subscription}"
-az account set -s "${subscription}"
-
-#
-# LOAD VARIABLES
-#
-aks_name_from_cli=$(az aks list -o tsv --query "[?contains(name,'$ENV-aks')].{Name:name}")
-echo "[INFO] aks_name_from_cli: ${aks_name_from_cli}"
-aks_resource_group_name_from_cli=$(az aks list -o tsv --query "[?contains(name,'$ENV-aks')].{Name:resourceGroup}")
-echo "[INFO] aks_resource_group_name_from_cli: ${aks_resource_group_name_from_cli}"
-
-# ⚠️ in widows, even if using cygwin, these variables will contain a landing \r character
-aks_name=${aks_name_from_cli//[$'\r']}
-echo "[INFO] aks_name: ${aks_name}"
-aks_resource_group_name=${aks_resource_group_name_from_cli//[$'\r']}
-echo "[INFO] aks_resource_group_name: ${aks_resource_group_name}"
-
-# if using cygwin, we have to transcode the WORKDIR
-HOME_DIR=$HOME
-if [[ $HOME_DIR == /cygdrive/* ]]; then
- HOME_DIR=$(cygpath -w ~)
- HOME_DIR=${HOME_DIR//\\//}
-fi
-
-#
-# 🖥 start script
-#
-rm -rf "${HOME}/.kube/config-${aks_name}"
-az aks get-credentials -g "${aks_resource_group_name}" -n "${aks_name}" --subscription "${subscription}" --file "~/.kube/config-${aks_name}"
-az aks get-credentials -g "${aks_resource_group_name}" -n "${aks_name}" --subscription "${subscription}" --overwrite-existing
-
-# with AAD auth enabled we need to authenticate the machine on the first setup
-echo "Follow Microsoft sign in steps. kubectl get pods command will fail but it's the expected behavior"
-kubectl --kubeconfig="${HOME_DIR}/.kube/config-${aks_name}" get pods
-kubectl config use-context "${aks_name}"
-echo "**********************"
-echo "*** k8s namespaces ***"
-echo "**********************"
-kubectl get namespaces
diff --git a/src/core/.terraform.lock.hcl b/src/core/.terraform.lock.hcl
index 8c4f2b728..a322a7327 100644
--- a/src/core/.terraform.lock.hcl
+++ b/src/core/.terraform.lock.hcl
@@ -26,7 +26,7 @@ provider "registry.terraform.io/hashicorp/azuread" {
provider "registry.terraform.io/hashicorp/azurerm" {
version = "3.40.0"
- constraints = ">= 3.30.0, <= 3.40.0"
+ constraints = ">= 3.30.0, >= 3.39.0, <= 3.40.0, <= 3.43.0, <= 3.45.0, <= 3.53.0, <= 3.64.0"
hashes = [
"h1:/Jbhw/zNAsDYDoASaG6w+0KZyay9BkUVOpR8b7m0CsA=",
"h1:7Vfig36efXmcsWQSZwdB+bqZLtoZ/RyytY9lXHx9Fic=",
diff --git a/src/core/00_github_runner.tf b/src/core/00_github_runner.tf
index 2fa48e9c2..2d3e51729 100644
--- a/src/core/00_github_runner.tf
+++ b/src/core/00_github_runner.tf
@@ -30,3 +30,91 @@ module "github_runner" {
tags = var.tags
}
+
+locals {
+ repo_owner = "PagoPA"
+ repo_name = "io-infra"
+ image_name = "ghcr.io/pagopa/github-self-hosted-runner-azure:beta-dockerfile-v2@sha256:ed51ac419d78b6410be96ecaa8aa8dbe645aa0309374132886412178e2739a47"
+}
+
+data "azurerm_key_vault_secret" "github_pat_io_infra" {
+ name = "github-pat-io-infra"
+ key_vault_id = module.key_vault_common.id
+}
+
+resource "azapi_resource" "github_runner_job" {
+ type = "Microsoft.App/jobs@2023-05-01"
+ name = "${local.project}-infra-github-runner-job"
+ location = var.location
+ parent_id = azurerm_resource_group.github_runner.id
+
+ body = jsonencode({
+ properties = {
+ configuration = {
+ replicaRetryLimit = 1
+ replicaTimeout = 1800
+ eventTriggerConfig = {
+ parallelism = 1
+ replicaCompletionCount = 1
+ scale = {
+ maxExecutions = 10
+ minExecutions = 0
+ pollingInterval = 20
+ rules = [
+ {
+ name = "github-runner"
+ type = "github-runner"
+ metadata = {
+ github_runner = "https://api.github.com"
+ owner = local.repo_owner
+ runnerScope = "repo"
+ repos = local.repo_name
+ targetWorkflowQueueLength = "1"
+ }
+ auth = [
+ {
+ secretRef = "personal-access-token"
+ triggerParameter = "personalAccessToken"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ secrets = [
+ {
+ name = "personal-access-token"
+ value = "${data.azurerm_key_vault_secret.github_pat_io_infra.value}"
+ }
+ ]
+ triggerType = "Event"
+ }
+ environmentId = module.github_runner.id
+ template = {
+ containers = [
+ {
+ env = [
+ {
+ name = "GITHUB_PAT"
+ secretRef = "personal-access-token"
+ },
+ {
+ name = "REPO_URL"
+ value = "https://github.com/${local.repo_owner}/${local.repo_name}"
+ },
+ {
+ name = "REGISTRATION_TOKEN_API_URL"
+ value = "https://api.github.com/repos/${local.repo_owner}/${local.repo_name}/actions/runners/registration-token"
+ }
+ ]
+ image = local.image_name
+ name = "github-actions-runner-job"
+ resources = {
+ cpu = 0.5
+ memory = "1Gi"
+ }
+ }
+ ] }
+ }
+ })
+}
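Review bot: The GitHub PAT is copied by value into the job body at `value = "${data.azurerm_key_vault_secret.github_pat_io_infra.value}"`, so the token is duplicated into the Container Apps secret store and into Terraform state as part of `body`, and a rotation in Key Vault does not reach the job until the next apply. The Container Apps secret schema for this API version also accepts a Key Vault reference (`keyVaultUrl` plus `identity`), which would let the job read the secret through a managed identity instead of carrying a copy; worth confirming against the `Microsoft.App/jobs@2023-05-01` spec before switching. Whichever way that goes, the string wrapper is redundant and should be `value = data.azurerm_key_vault_secret.github_pat_io_infra.value`. The image being pinned by digest in `local.image_name` is the right call and should be kept when the tag moves.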
diff --git a/src/core/99_main.tf b/src/core/99_main.tf
index b975c4db8..19747ed30 100644
--- a/src/core/99_main.tf
+++ b/src/core/99_main.tf
@@ -24,6 +24,10 @@ terraform {
source = "hashicorp/random"
version = "<= 3.4.3"
}
+ azapi = {
+ source = "azure/azapi"
+ version = "<= 1.9.0"
+ }
}
backend "azurerm" {}
@@ -33,6 +37,9 @@ provider "azurerm" {
features {}
}
+provider "azapi" {
+}
+
data "azurerm_subscription" "current" {}
data "azurerm_client_config" "current" {}
diff --git a/src/core/99_variables.tf b/src/core/99_variables.tf
index db9ec3f3e..8f8c4354f 100644
--- a/src/core/99_variables.tf
+++ b/src/core/99_variables.tf
@@ -26,6 +26,17 @@ variable "location" {
default = "westeurope"
}
+variable "location_short" {
+ type = string
+ validation {
+ condition = (
+ length(var.location_short) == 3
+ )
+ error_message = "Length must be 3 chars."
+ }
+ description = "One of weu, neu"
+}
+
variable "lock_enable" {
type = bool
default = false
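Review bot: The validation on `location_short` only checks `length(var.location_short) == 3`, while the description promises "One of weu, neu", so any three-character string passes. If the allowed set is really closed, `condition = contains(["weu", "neu"], var.location_short)` with `error_message = "Must be one of weu, neu."` encodes the stated contract; if the set is open, the description should say so instead.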
@@ -83,6 +94,12 @@ variable "dns_zone_io_selfcare" {
description = "The dns subdomain."
}
+variable "dns_zone_firmaconio_selfcare" {
+ type = string
+ default = null
+ description = "The dns subdomain."
+}
+
# azure devops
variable "azdo_sp_tls_cert_enabled" {
type = string
@@ -371,6 +388,11 @@ variable "app_gateway_api_app_certificate_name" {
description = "Application gateway api certificate name on Key Vault"
}
+variable "app_gateway_api_web_certificate_name" {
+ type = string
+ description = "Application gateway api certificate name on Key Vault"
+}
+
variable "app_gateway_api_mtls_certificate_name" {
type = string
description = "Application gateway api certificate name on Key Vault"
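Review bot: The description of `app_gateway_api_web_certificate_name` is copied verbatim from the neighbouring api variable ("Application gateway api certificate name on Key Vault"), so the generated README will show two identically described inputs. The same copied text appears on `app_gateway_firmaconio_selfcare_pagopa_it_certificate_name` in the next hunk, whereas `app_gateway_selfcare_io_pagopa_it_certificate_name` in that hunk got a distinct description, which looks like the intended pattern. Suggested wording: `description = "Application gateway api-web certificate name on Key Vault"` and `description = "Application gateway firmaconio-selfcare certificate name on Key Vault"`.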
@@ -396,11 +418,21 @@ variable "app_gateway_api_io_selfcare_pagopa_it_certificate_name" {
description = "Application gateway api certificate name on Key Vault"
}
+variable "app_gateway_firmaconio_selfcare_pagopa_it_certificate_name" {
+ type = string
+ description = "Application gateway api certificate name on Key Vault"
+}
+
variable "app_gateway_continua_io_pagopa_it_certificate_name" {
type = string
description = "Application gateway continua certificate name on Key Vault"
}
+variable "app_gateway_selfcare_io_pagopa_it_certificate_name" {
+ type = string
+ description = "Application gateway selfcare-io certificate name on Key Vault"
+}
+
variable "app_gateway_min_capacity" {
type = number
default = 0
@@ -985,6 +1017,17 @@ variable "io_sign_service_id" {
default = "01GQQZ9HF5GAPRVKJM1VDAVFHM"
}
+# io-receipt service
+variable "io_receipt_service_id" {
+ type = string
+ description = "The Service ID of io-receipt service"
+ default = "01GQQZ9HF5GAPRVKJM1VDAVFHM"
+}
+
+variable "io_receipt_service_test_url" {
+ type = string
+ description = "The endpoint of Receipt Service (test env)"
+}
# Function CGN
variable "plan_cgn_kind" {
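Review bot: `io_receipt_service_id` defaults to `"01GQQZ9HF5GAPRVKJM1VDAVFHM"`, which is the same value the context line shows as the default of `io_sign_service_id`, so unless both services genuinely share an ID this default points the receipt integration at the sign service. Dropping the default (as `io_receipt_service_test_url` already does) forces each environment to supply the real value, or replace it with the receipt service's own ID once known. Also missing is the blank line between the closing `}` and `# Function CGN`, which the surrounding file keeps between variable blocks.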
diff --git a/src/core/README.md b/src/core/README.md
index 8c2664c48..a51de55cd 100644
--- a/src/core/README.md
+++ b/src/core/README.md
@@ -4,6 +4,7 @@
| Name | Version |
|------|---------|
+| [azapi](#requirement\_azapi) | <= 1.9.0 |
| [azuread](#requirement\_azuread) | <= 2.33.0 |
| [azurerm](#requirement\_azurerm) | <= 3.40.0 |
| [local](#requirement\_local) | <= 2.3.0 |
@@ -11,13 +12,6 @@
| [random](#requirement\_random) | <= 3.4.3 |
| [tls](#requirement\_tls) | <= 4.0.4 |
-## Providers
-
-| Name | Version |
-|------|---------|
-| [azuread](#provider\_azuread) | 2.33.0 |
-| [azurerm](#provider\_azurerm) | 3.40.0 |
-
## Modules
| Name | Source | Version |
@@ -178,12 +172,13 @@
| [vnet\_weu\_prod02](#module\_vnet\_weu\_prod02) | git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network | v4.1.15 |
| [vpn](#module\_vpn) | git::https://github.com/pagopa/terraform-azurerm-v3.git//vpn_gateway | v4.1.15 |
| [vpn\_snet](#module\_vpn\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.15 |
-| [web\_test\_api](#module\_web\_test\_api) | git::https://github.com/pagopa/terraform-azurerm-v3.git//application_insights_web_test_preview | v4.1.15 |
+| [web\_test\_api](#module\_web\_test\_api) | git::https://github.com/pagopa/terraform-azurerm-v3.git//application_insights_web_test_preview | v7.0.0 |
## Resources
| Name | Type |
|------|------|
+| [azapi_resource.github_runner_job](https://registry.terraform.io/providers/azure/azapi/latest/docs/resources/resource) | resource |
| [azurerm_api_management_api_operation_policy.create_service_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
| [azurerm_api_management_api_operation_policy.create_service_policy_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
| [azurerm_api_management_api_operation_policy.submit_message_for_user_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
@@ -215,6 +210,7 @@
| [azurerm_api_management_api_version_set.io_backend_session_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource |
| [azurerm_api_management_api_version_set.io_backend_session_api_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource |
| [azurerm_api_management_group_user.pn_user_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_group_user) | resource |
+| [azurerm_api_management_group_user.pn_user_group_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_group_user) | resource |
| [azurerm_api_management_named_value.api_gad_client_certificate_verified_header](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
| [azurerm_api_management_named_value.api_gad_client_certificate_verified_header_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
| [azurerm_api_management_named_value.cgnonboardingportal_os_header_name](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
@@ -244,7 +240,9 @@
| [azurerm_api_management_named_value.io_fn_cgnmerchant_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
| [azurerm_api_management_named_value.io_fn_cgnmerchant_url_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
| [azurerm_api_management_subscription.pn_lc_subscription](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource |
+| [azurerm_api_management_subscription.pn_lc_subscription_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource |
| [azurerm_api_management_user.pn_user](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_user) | resource |
+| [azurerm_api_management_user.pn_user_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_user) | resource |
| [azurerm_app_service_plan.cgn_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_plan) | resource |
| [azurerm_app_service_plan.shared_1_plan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_plan) | resource |
| [azurerm_app_service_virtual_network_swift_connection.devportal_be](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_virtual_network_swift_connection) | resource |
@@ -256,33 +254,42 @@
| [azurerm_cdn_profile.assets_cdn_profile](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_profile) | resource |
| [azurerm_dashboard_grafana.grafana_dashboard](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dashboard_grafana) | resource |
| [azurerm_dns_a_record.api_app_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
+| [azurerm_dns_a_record.api_internal_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
| [azurerm_dns_a_record.api_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
| [azurerm_dns_a_record.api_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
| [azurerm_dns_a_record.api_io_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
| [azurerm_dns_a_record.api_mtls_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
+| [azurerm_dns_a_record.api_web_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
| [azurerm_dns_a_record.app_backend_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
| [azurerm_dns_a_record.continua_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
| [azurerm_dns_a_record.developerportal_backend_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
+| [azurerm_dns_a_record.firmaconio_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
+| [azurerm_dns_a_record.selfcare_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
+| [azurerm_dns_caa_record.firmaconio_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_caa_record) | resource |
| [azurerm_dns_caa_record.io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_caa_record) | resource |
| [azurerm_dns_caa_record.io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_caa_record) | resource |
| [azurerm_dns_caa_record.io_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_caa_record) | resource |
+| [azurerm_dns_caa_record.ioweb_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_caa_record) | resource |
| [azurerm_dns_cname_record.assets_cdn_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_cname_record) | resource |
| [azurerm_dns_cname_record.assets_cdn_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_cname_record) | resource |
| [azurerm_dns_cname_record.sender](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_cname_record) | resource |
| [azurerm_dns_ns_record.firma_io_pagopa_it_ns](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_ns_record) | resource |
| [azurerm_dns_txt_record.io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_txt_record) | resource |
| [azurerm_dns_txt_record.zendeskverification_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_txt_record) | resource |
+| [azurerm_dns_zone.firmaconio_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone) | resource |
| [azurerm_dns_zone.io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone) | resource |
| [azurerm_dns_zone.io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone) | resource |
| [azurerm_dns_zone.io_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone) | resource |
-| [azurerm_key_vault_access_policy.ad_group_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
-| [azurerm_key_vault_access_policy.adgroup_developers_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
-| [azurerm_key_vault_access_policy.adgroup_externals_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
-| [azurerm_key_vault_access_policy.adgroup_security_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_dns_zone.ioweb_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone) | resource |
+| [azurerm_key_vault_access_policy.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.adgroup_admin_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.adgroup_developers_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.apim_kv_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.apim_v2_kv_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.app_gateway_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.app_gateway_policy_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.app_gateway_policy_ioweb](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.app_gw_uai_kvreader_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.app_service](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.azdevops_platform_iac_policy_kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
@@ -294,7 +301,6 @@
| [azurerm_key_vault_access_policy.github_action_iac_cd_kv_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.github_action_iac_ci_kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.github_action_iac_ci_kv_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
-| [azurerm_key_vault_access_policy.policy_common_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.v2_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_secret.appbackend-NORIFICATIONS-STORAGE](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
| [azurerm_key_vault_secret.appbackend-PUSH-NOTIFICATIONS-STORAGE](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
@@ -341,6 +347,7 @@
| [azurerm_monitor_metric_alert.function_eucovidcert_health_check](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
| [azurerm_monitor_metric_alert.iopstapi_throttling_low_availability](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
| [azurerm_monitor_metric_alert.too_many_http_5xx](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
+| [azurerm_monitor_scheduled_query_rules_alert.mailup_alert_rule](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource |
| [azurerm_network_security_group.nsg_apim](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource |
| [azurerm_postgresql_database.selfcare_subscriptionmigrations_db](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_database) | resource |
| [azurerm_postgresql_flexible_server_database.devportalservicedata_db](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server_database) | resource |
@@ -438,7 +445,6 @@
| [azurerm_resource_group.weu_beta_vnet_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azurerm_resource_group.weu_prod01_vnet_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azurerm_resource_group.weu_prod02_vnet_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
-| [azurerm_role_assignment.service_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.service_contributor_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_service_plan.continua](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_plan) | resource |
| [azurerm_service_plan.selfcare_be_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_plan) | resource |
@@ -470,14 +476,14 @@
| [azuread_application.vpn_app](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application) | data source |
| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
-| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
-| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_service_principal.app_gw_uai_kvreader](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
| [azuread_service_principal.github_action_iac_cd](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
| [azuread_service_principal.github_action_iac_ci](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
| [azuread_service_principal.platform_iac_sp](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
| [azurerm_api_management_group.api_lollipop_assertion_read](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management_group) | data source |
+| [azurerm_api_management_group.api_v2_lollipop_assertion_read](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management_group) | data source |
| [azurerm_api_management_product.apim_product_lollipop](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management_product) | data source |
+| [azurerm_api_management_product.apim_v2_product_lollipop](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management_product) | data source |
| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
| [azurerm_cosmosdb_account.cosmos_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/cosmosdb_account) | data source |
| [azurerm_cosmosdb_account.cosmos_cgn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/cosmosdb_account) | data source |
@@ -485,6 +491,7 @@
| [azurerm_eventhub_authorization_rule.io-p-messages-weu-prod01-evh-ns_messages_io-fn-messages-cqrs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/eventhub_authorization_rule) | data source |
| [azurerm_eventhub_authorization_rule.io-p-payments-weu-prod01-evh-ns_payment-updates_io-fn-messages-cqrs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/eventhub_authorization_rule) | data source |
| [azurerm_function_app.fnapp_bonus](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/function_app) | data source |
+| [azurerm_key_vault.ioweb_kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
| [azurerm_key_vault_certificate.api_app_internal_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
| [azurerm_key_vault_certificate.api_internal_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
| [azurerm_key_vault_certificate.app_gw_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
@@ -492,14 +499,18 @@
| [azurerm_key_vault_certificate.app_gw_api_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
| [azurerm_key_vault_certificate.app_gw_api_io_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
| [azurerm_key_vault_certificate.app_gw_api_mtls](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
+| [azurerm_key_vault_certificate.app_gw_api_web](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
| [azurerm_key_vault_certificate.app_gw_app_backend_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
| [azurerm_key_vault_certificate.app_gw_continua](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
| [azurerm_key_vault_certificate.app_gw_developerportal_backend_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
+| [azurerm_key_vault_certificate.app_gw_firmaconio_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
+| [azurerm_key_vault_certificate.app_gw_selfcare_io](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
| [azurerm_key_vault_secret.ad_APPCLIENT_APIM_ID](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.ad_APPCLIENT_APIM_SECRET](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.adb2c_TENANT_NAME](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.adb2c_TOKEN_ATTRIBUTE_NAME](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.alert_error_notification_email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_key_vault_secret.alert_error_notification_opsgenie](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.alert_error_notification_slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.alert_quarantine_error_notification_slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.api_gad_client_certificate_verified_header_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
@@ -507,6 +518,7 @@
| [azurerm_key_vault_secret.apim_IO_GDPR_SERVICE_KEY](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.apim_publisher_email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.apim_services_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_key_vault_secret.app_backend_ALLOWED_CIE_TEST_FISCAL_CODES](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.app_backend_ALLOW_BPD_IP_SOURCE_RANGE](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.app_backend_ALLOW_MYPORTAL_IP_SOURCE_RANGE](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.app_backend_ALLOW_PAGOPA_IP_SOURCE_RANGE](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
@@ -535,6 +547,7 @@
| [azurerm_key_vault_secret.app_backend_PN_API_KEY_UAT_V2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.app_backend_PN_REAL_TEST_USERS](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.app_backend_PRE_SHARED_KEY](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_key_vault_secret.app_backend_RECEIPT_SERVICE_TEST_API_KEY](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.app_backend_SAML_CERT](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.app_backend_SAML_KEY](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.app_backend_TEST_CGN_FISCAL_CODES](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
@@ -558,6 +571,7 @@
| [azurerm_key_vault_secret.devportal_cookie_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.devportal_io_sandbox_fiscal_code](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.devportal_jira_token](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_key_vault_secret.devportal_request_review_legacy_queue_connectionstring](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.devportal_service_principal_client_id](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.devportal_service_principal_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.devportalservicedata_db_server_adm_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
@@ -596,6 +610,7 @@
| [azurerm_key_vault_secret.fn_services_sandbox_fiscal_code](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.fn_services_webhook_channel_aks_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.fn_services_webhook_channel_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_key_vault_secret.github_pat_io_infra](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.io_fn3_admin_key_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.io_fn3_admin_key_secret_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.io_fn3_eucovidcert_key_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
@@ -621,6 +636,8 @@
| [azurerm_key_vault_secret.subscriptionmigrations_db_server_adm_username](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.subscriptionmigrations_db_server_fnsubsmigrations_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_linux_web_app.app_backend_app_services](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
+| [azurerm_linux_web_app.cms_backoffice_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
+| [azurerm_linux_web_app.firmaconio_selfcare_web_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
| [azurerm_redis_cache.redis_cgn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/redis_cache) | data source |
| [azurerm_resource_group.notifications_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
| [azurerm_resource_group.rg_cgn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
@@ -633,6 +650,8 @@
| [azurerm_storage_account.storage_apievents](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
| [azurerm_storage_account.userbackups](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
| [azurerm_storage_account.userdatadownload](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
+| [azurerm_subnet.functions_fast_login_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.ioweb_profile_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
## Inputs
@@ -656,11 +675,14 @@
| [app\_gateway\_api\_io\_italia\_it\_certificate\_name](#input\_app\_gateway\_api\_io\_italia\_it\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes |
| [app\_gateway\_api\_io\_selfcare\_pagopa\_it\_certificate\_name](#input\_app\_gateway\_api\_io\_selfcare\_pagopa\_it\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes |
| [app\_gateway\_api\_mtls\_certificate\_name](#input\_app\_gateway\_api\_mtls\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes |
+| [app\_gateway\_api\_web\_certificate\_name](#input\_app\_gateway\_api\_web\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes |
| [app\_gateway\_app\_backend\_io\_italia\_it\_certificate\_name](#input\_app\_gateway\_app\_backend\_io\_italia\_it\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes |
| [app\_gateway\_continua\_io\_pagopa\_it\_certificate\_name](#input\_app\_gateway\_continua\_io\_pagopa\_it\_certificate\_name) | Application gateway continua certificate name on Key Vault | `string` | n/a | yes |
| [app\_gateway\_developerportal\_backend\_io\_italia\_it\_certificate\_name](#input\_app\_gateway\_developerportal\_backend\_io\_italia\_it\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes |
+| [app\_gateway\_firmaconio\_selfcare\_pagopa\_it\_certificate\_name](#input\_app\_gateway\_firmaconio\_selfcare\_pagopa\_it\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes |
| [app\_gateway\_max\_capacity](#input\_app\_gateway\_max\_capacity) | n/a | `number` | `2` | no |
| [app\_gateway\_min\_capacity](#input\_app\_gateway\_min\_capacity) | n/a | `number` | `0` | no |
+| [app\_gateway\_selfcare\_io\_pagopa\_it\_certificate\_name](#input\_app\_gateway\_selfcare\_io\_pagopa\_it\_certificate\_name) | Application gateway selfcare-io certificate name on Key Vault | `string` | n/a | yes |
| [app\_messages\_count](#input\_app\_messages\_count) | App Messages | `number` | `2` | no |
| [app\_messages\_function\_always\_on](#input\_app\_messages\_function\_always\_on) | n/a | `bool` | `false` | no |
| [app\_messages\_function\_autoscale\_default](#input\_app\_messages\_function\_autoscale\_default) | The number of instances that are available for scaling if metrics are not available for evaluation. | `number` | `1` | no |
@@ -718,6 +740,7 @@
| [continua\_appservice\_sku](#input\_continua\_appservice\_sku) | The SKU for the AppService Plan relative to Continua | `string` | n/a | yes |
| [ddos\_protection\_plan](#input\_ddos\_protection\_plan) | n/a | object({
id = string
enable = bool
})
| `null` | no |
| [dns\_default\_ttl\_sec](#input\_dns\_default\_ttl\_sec) | value | `number` | `3600` | no |
+| [dns\_zone\_firmaconio\_selfcare](#input\_dns\_zone\_firmaconio\_selfcare) | The dns subdomain. | `string` | `null` | no |
| [dns\_zone\_io](#input\_dns\_zone\_io) | The dns subdomain. | `string` | `null` | no |
| [dns\_zone\_io\_selfcare](#input\_dns\_zone\_io\_selfcare) | The dns subdomain. | `string` | `null` | no |
| [ehns\_alerts\_enabled](#input\_ehns\_alerts\_enabled) | Event hub alerts enabled? | `bool` | `true` | no |
@@ -786,11 +809,14 @@
| [function\_services\_kind](#input\_function\_services\_kind) | App service plan kind | `string` | `null` | no |
| [function\_services\_sku\_size](#input\_function\_services\_sku\_size) | App service plan sku size | `string` | `null` | no |
| [function\_services\_sku\_tier](#input\_function\_services\_sku\_tier) | App service plan sku tier | `string` | `null` | no |
+| [io\_receipt\_service\_id](#input\_io\_receipt\_service\_id) | The Service ID of io-receipt service | `string` | `"01GQQZ9HF5GAPRVKJM1VDAVFHM"` | no |
+| [io\_receipt\_service\_test\_url](#input\_io\_receipt\_service\_test\_url) | The endpoint of Receipt Service (test env) | `string` | n/a | yes |
| [io\_sign\_service\_id](#input\_io\_sign\_service\_id) | The Service ID of io-sign service | `string` | `"01GQQZ9HF5GAPRVKJM1VDAVFHM"` | no |
| [law\_daily\_quota\_gb](#input\_law\_daily\_quota\_gb) | The workspace daily quota for ingestion in GB. | `number` | `-1` | no |
| [law\_retention\_in\_days](#input\_law\_retention\_in\_days) | The workspace data retention in days | `number` | `90` | no |
| [law\_sku](#input\_law\_sku) | Sku of the Log Analytics Workspace | `string` | `"PerGB2018"` | no |
| [location](#input\_location) | n/a | `string` | `"westeurope"` | no |
+| [location\_short](#input\_location\_short) | One of weu, neu | `string` | n/a | yes |
| [lock\_enable](#input\_lock\_enable) | Apply locks to block accedentaly deletions. | `bool` | `false` | no |
| [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | The common Log Analytics Workspace name | `string` | `""` | no |
| [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes |
@@ -824,6 +850,7 @@
| Name | Description |
|------|-------------|
+| [dns\_firmaconio\_selfcare\_pagopa\_it\_ns](#output\_dns\_firmaconio\_selfcare\_pagopa\_it\_ns) | n/a |
| [sec\_storage\_id](#output\_sec\_storage\_id) | n/a |
| [sec\_workspace\_id](#output\_sec\_workspace\_id) | n/a |
diff --git a/src/core/api/io_admin/v1/temp_mock_response_500_policy/policy.xml b/src/core/api/io_admin/v1/temp_mock_response_500_policy/policy.xml
new file mode 100644
index 000000000..eec097884
--- /dev/null
+++ b/src/core/api/io_admin/v1/temp_mock_response_500_policy/policy.xml
@@ -0,0 +1,15 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
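Review bot: The two new `temp_mock_response_500_policy/policy.xml` files under io_admin/v1 and io_services/v1 are byte-identical (both carry blob index eec097884), and their 15-line body renders as blank lines on this page, so the policy itself cannot be reviewed here. A single shared policy file referenced from both APIs would keep the two copies from drifting once one is edited. The `temp_` prefix also deserves an owner and a removal condition, e.g. a `<!-- TODO(<owner>): remove once <condition> -->` comment at the top of the policy, so it does not outlive the incident it was written for.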
diff --git a/src/core/api/io_services/v1/temp_mock_response_500_policy/policy.xml b/src/core/api/io_services/v1/temp_mock_response_500_policy/policy.xml
new file mode 100644
index 000000000..eec097884
--- /dev/null
+++ b/src/core/api/io_services/v1/temp_mock_response_500_policy/policy.xml
@@ -0,0 +1,15 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/src/core/apim.tf b/src/core/apim.tf
index 7c33071f3..c862d9ffa 100644
--- a/src/core/apim.tf
+++ b/src/core/apim.tf
@@ -85,11 +85,7 @@ module "apim" {
action = [
{
- action_group_id = azurerm_monitor_action_group.slack.id
- webhook_properties = null
- },
- {
- action_group_id = azurerm_monitor_action_group.email.id
+ action_group_id = azurerm_monitor_action_group.error_action_group.id
webhook_properties = null
}
]
@@ -109,7 +105,7 @@ module "apim" {
metric_name = "Capacity"
aggregation = "Average"
operator = "GreaterThan"
- threshold = 40
+ threshold = 60
skip_metric_validation = false
dimension = []
}]
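Review bot: The APIM capacity alert threshold moves from 40 to 60 here and in the matching apim_v2.tf hunk, but nothing records why 40 was the wrong value, so the next reader has no basis for keeping or lowering it; a comment such as `# threshold raised 40 -> 60 on <date>: <reason>` next to `threshold = 60` would do. The apim_v2.tf hunk also adds a runbook link to that alert's description, while this file's description line is outside the hunk and may not have received the same link; worth checking so both gateways alert with the same guidance. The enclosing `module "apim"` block starts and ends outside this hunk.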
@@ -282,5 +278,6 @@ resource "azurerm_api_management_subscription" "pn_lc_subscription" {
product_id = data.azurerm_api_management_product.apim_product_lollipop.id
display_name = "PN LC"
state = "active"
+ allow_tracing = false
}
##################################################################
diff --git a/src/core/apim_v2.tf b/src/core/apim_v2.tf
index 1a87590b0..e4b13be0c 100644
--- a/src/core/apim_v2.tf
+++ b/src/core/apim_v2.tf
@@ -124,11 +124,7 @@ module "apim_v2" {
action = [
{
- action_group_id = azurerm_monitor_action_group.slack.id
- webhook_properties = null
- },
- {
- action_group_id = azurerm_monitor_action_group.email.id
+ action_group_id = azurerm_monitor_action_group.error_action_group.id
webhook_properties = null
}
]
@@ -137,7 +133,7 @@ module "apim_v2" {
# https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported#microsoftapimanagementservice
metric_alerts = {
capacity = {
- description = "Apim used capacity is too high"
+ description = "Apim used capacity is too high. Runbook: https://pagopa.atlassian.net/wiki/spaces/IC/pages/791642113/APIM+Capacity"
frequency = "PT5M"
window_size = "PT5M"
severity = 1
@@ -148,7 +144,7 @@ module "apim_v2" {
metric_name = "Capacity"
aggregation = "Average"
operator = "GreaterThan"
- threshold = 40
+ threshold = 60
skip_metric_validation = false
dimension = []
}]
@@ -231,3 +227,46 @@ resource "azurerm_key_vault_access_policy" "v2_common" {
certificate_permissions = ["Get", "List"]
storage_permissions = []
}
+
+##################################################################
+# PN APIM User
+##################################################################
+data "azurerm_api_management_product" "apim_v2_product_lollipop" {
+ product_id = "io-lollipop-api"
+ api_management_name = module.apim_v2.name
+ resource_group_name = module.apim_v2.resource_group_name
+}
+
+data "azurerm_api_management_group" "api_v2_lollipop_assertion_read" {
+ name = "apilollipopassertionread"
+ api_management_name = module.apim_v2.name
+ resource_group_name = module.apim_v2.resource_group_name
+}
+
+resource "azurerm_api_management_user" "pn_user_v2" {
+ user_id = "pnapimuser"
+ api_management_name = module.apim_v2.name
+ resource_group_name = module.apim_v2.resource_group_name
+ first_name = "PNAPIMuser"
+ last_name = "PNAPIMuser"
+ email = "pn-apim-user@pagopa.it"
+ state = "active"
+}
+
+resource "azurerm_api_management_group_user" "pn_user_group_v2" {
+ user_id = azurerm_api_management_user.pn_user_v2.user_id
+ api_management_name = module.apim_v2.name
+ resource_group_name = module.apim_v2.resource_group_name
+ group_name = data.azurerm_api_management_group.api_v2_lollipop_assertion_read.name
+}
+
+resource "azurerm_api_management_subscription" "pn_lc_subscription_v2" {
+ user_id = azurerm_api_management_user.pn_user_v2.id
+ api_management_name = module.apim_v2.name
+ resource_group_name = module.apim_v2.resource_group_name
+ product_id = data.azurerm_api_management_product.apim_v2_product_lollipop.id
+ display_name = "PN LC"
+ state = "active"
+ allow_tracing = false
+}
+##################################################################
\ No newline at end of file
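Review bot: `azurerm_api_management_subscription.pn_lc_subscription_v2` exposes the subscription's primary and secondary keys as state attributes, so once this is applied the Terraform state backend for src/core holds a live API credential and must be protected as a secret store; a one-line comment above the resource, `# NOTE: subscription keys are persisted in Terraform state`, makes that visible to whoever manages the backend. `allow_tracing = false` is the right choice for this subscription, since tracing would return backend details in responses. Style: the file now ends without a newline (`\ No newline at end of file`), and the `# PN APIM User` banner also covers the Lollipop product data source; `# PN APIM user, group membership and Lollipop product subscription` describes the section better.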
diff --git a/src/core/app_backend.tf b/src/core/app_backend.tf
index adf30b341..9ce8903ac 100644
--- a/src/core/app_backend.tf
+++ b/src/core/app_backend.tf
@@ -42,6 +42,11 @@ locals {
# CIE_METADATA_URL = "https://idserver.servizicie.interno.gov.it:443/idp/shibboleth"
CIE_METADATA_URL = "https://api.is.eng.pagopa.it/idp-keys/cie/latest" # PagoPA internal cache
+ // CIE Test env
+ ALLOWED_CIE_TEST_FISCAL_CODES = data.azurerm_key_vault_secret.app_backend_ALLOWED_CIE_TEST_FISCAL_CODES.value
+ CIE_TEST_METADATA_URL = "https://collaudo.idserver.servizicie.interno.gov.it/idp/shibboleth"
+
+
// AUTHENTICATION
AUTHENTICATION_BASE_PATH = ""
TOKEN_DURATION_IN_SECONDS = "2592000"
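Review bot: `CIE_TEST_METADATA_URL` points this app backend at the CIE collaudo (test) identity provider, and the only visible control is the `ALLOWED_CIE_TEST_FISCAL_CODES` secret read just above it; that gating is presumably enforced in app-backend but is not stated here. Replace `// CIE Test env` with `// CIE test IdP (collaudo): trusted only for the fiscal codes in ALLOWED_CIE_TEST_FISCAL_CODES — confirm enforcement in app-backend` so the trust relationship is explicit in the infrastructure code. Style: the production `CIE_METADATA_URL` goes through the PagoPA internal cache while the test URL reaches the IdP directly, and the two trailing blank lines before `// AUTHENTICATION` can be one. The enclosing `locals` block starts and ends outside this hunk.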
@@ -234,6 +239,23 @@ locals {
}
}
},
+ # Receipt Service
+ {
+ serviceId = var.io_receipt_service_id,
+ schemaKind = "ReceiptService",
+ jsonSchema = "unused",
+ isLollipopEnabled = "false",
+ disableLollipopFor = [],
+ testEnvironment = {
+ testUsers = [],
+ baseUrl = var.io_receipt_service_test_url,
+ detailsAuthentication = {
+ type = "API_KEY",
+ header_key_name = "Ocp-Apim-Subscription-Key",
+ key = data.azurerm_key_vault_secret.app_backend_RECEIPT_SERVICE_TEST_API_KEY.value
+ }
+ }
+ },
# Mock Service
{
serviceId = var.third_party_mock_service_id,
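Review bot: The README hunk in this commit documents `io_receipt_service_id` with the default `"01GQQZ9HF5GAPRVKJM1VDAVFHM"`, which is the same default shown for `io_sign_service_id`; unless every environment overrides it, the new Receipt Service entry and the io-sign entry in this list share a `serviceId`. The variable should either have no default (`n/a`, as `io_receipt_service_test_url` does) or carry the receipt service's own id. `schemaKind = "ReceiptService"` and `jsonSchema = "unused"` are also not self-explanatory; a short comment on how app-backend consumes them would help the next maintainer. The enclosing `locals` block starts and ends outside this hunk.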
@@ -484,6 +506,16 @@ data "azurerm_key_vault_secret" "app_backend_LV_TEST_USERS" {
key_vault_id = module.key_vault_common.id
}
+data "azurerm_key_vault_secret" "app_backend_ALLOWED_CIE_TEST_FISCAL_CODES" {
+ name = "appbackend-ALLOWED-CIE-TEST-FISCAL-CODES"
+ key_vault_id = module.key_vault_common.id
+}
+
+data "azurerm_key_vault_secret" "app_backend_RECEIPT_SERVICE_TEST_API_KEY" {
+ name = "appbackend-RECEIPT-SERVICE-TEST-API-KEY"
+ key_vault_id = module.key_vault_common.id
+}
+
#tfsec:ignore:AZU023
resource "azurerm_key_vault_secret" "appbackend-REDIS-PASSWORD" {
name = "appbackend-REDIS-PASSWORD"
@@ -568,6 +600,12 @@ resource "azurerm_subnet_nat_gateway_association" "app_backendl1_snet" {
subnet_id = module.app_backendl1_snet.id
}
+data "azurerm_subnet" "functions_fast_login_snet" {
+ name = format("%s-%s-fast-login-snet", local.project, var.location_short)
+ virtual_network_name = module.vnet_common.name
+ resource_group_name = azurerm_resource_group.rg_common.name
+}
+
module "appservice_app_backendl1" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service?ref=v4.1.15"
@@ -1038,6 +1076,7 @@ module "appservice_app_backendli" {
module.services_snet[0].id,
module.services_snet[1].id,
module.admin_snet.id,
+ data.azurerm_subnet.functions_fast_login_snet.id,
]
allowed_ips = concat(
@@ -1171,11 +1210,8 @@ module "app_backend_web_test_api" {
actions = [
{
- action_group_id = azurerm_monitor_action_group.email.id,
- },
- {
- action_group_id = azurerm_monitor_action_group.slack.id,
- },
+ action_group_id = azurerm_monitor_action_group.error_action_group.id,
+ }
]
}
diff --git a/src/core/app_messages.tf b/src/core/app_messages.tf
index 973bffa36..f0dd01568 100644
--- a/src/core/app_messages.tf
+++ b/src/core/app_messages.tf
@@ -38,10 +38,11 @@ locals {
PN_SERVICE_ID = var.pn_service_id
// View Features Flag
- USE_FALLBACK = false
- FF_TYPE = "beta"
- FF_BETA_TESTER_LIST = data.azurerm_key_vault_secret.fn_messages_APP_MESSAGES_BETA_FISCAL_CODES.value
- FF_CANARY_USERS_REGEX = "XYZ"
+ USE_FALLBACK = false
+ FF_TYPE = "canary"
+ FF_BETA_TESTER_LIST = data.azurerm_key_vault_secret.fn_messages_APP_MESSAGES_BETA_FISCAL_CODES.value
+ # Takes ~0,4% of users
+ FF_CANARY_USERS_REGEX = "^([(0-9)|(a-f)|(A-F)]{62}00)$"
}
app_settings_1 = {
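Review bot: The new `FF_CANARY_USERS_REGEX` bracket expression `[(0-9)|(a-f)|(A-F)]` treats `(`, `)` and `|` as literal members of the character class, so it also admits those three characters in the first 62 positions; it behaves for well-formed hex ids but not for the reason the author likely intends. `FF_CANARY_USERS_REGEX = "^[0-9a-fA-F]{62}00$"` selects the same cohort (last two hex characters fixed, 1/256 ≈ 0.4%, matching the `# Takes ~0,4% of users` comment) without the stray characters. The enclosing `locals` block starts and ends outside this hunk.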
diff --git a/src/core/appgateway.tf b/src/core/appgateway.tf
index 21191c862..3219f8121 100644
--- a/src/core/appgateway.tf
+++ b/src/core/appgateway.tf
@@ -98,6 +98,20 @@ module "app_gw" {
pick_host_name_from_backend = true
}
+ firmaconio-selfcare-backend = {
+ protocol = "Https"
+ host = null
+ port = 443
+ ip_addresses = null # with null value use fqdns
+ fqdns = [
+ data.azurerm_linux_web_app.firmaconio_selfcare_web_app.default_hostname,
+ ]
+ probe = "/health"
+ probe_name = "probe-firmaconio-selfcare-backend"
+ request_timeout = 180
+ pick_host_name_from_backend = true
+ }
+
continua-app = {
protocol = "Https"
host = null
@@ -112,6 +126,20 @@ module "app_gw" {
pick_host_name_from_backend = true
}
+ selfcare-io-app = {
+ protocol = "Https"
+ host = null
+ port = 443
+ ip_addresses = null # with null value use fqdns
+ fqdns = [
+ data.azurerm_linux_web_app.cms_backoffice_app.default_hostname,
+ ]
+ probe = "/api/info"
+ probe_name = "probe-selfcare-io-app"
+ request_timeout = 10
+ pick_host_name_from_backend = true
+ }
+
}
ssl_profiles = [{
@@ -159,7 +187,7 @@ module "app_gw" {
protocol = "Https"
host = format("api.%s.%s", var.dns_zone_io, var.external_domain)
port = 443
- ssl_profile_name = format("%s-ssl-profile", local.project)
+ ssl_profile_name = null
firewall_policy_id = null
certificate = {
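Review bot: Setting `ssl_profile_name = null` on the api listener — and, in the four later hunks that make the same change, on api-app, developerportal-backend, the selfcare backend and continua — drops the per-listener SSL profile, so those listeners fall back to the gateway's default TLS policy; the commit records no reason, and the newly added `selfcare-io-pagopa-it` listener still sets `format("%s-ssl-profile", local.project)`, which looks inconsistent. If the profile carries the hardened TLS policy or client-certificate settings it should stay, or the gateway-level policy should be confirmed equivalent before apply. Either way, a comment such as `# ssl_profile_name removed: TLS policy is now set gateway-wide` on the first listener would document the decision. The enclosing `module "app_gw"` block starts and ends outside this hunk.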
@@ -210,7 +238,7 @@ module "app_gw" {
protocol = "Https"
host = format("api-app.%s.%s", var.dns_zone_io, var.external_domain)
port = 443
- ssl_profile_name = format("%s-ssl-profile", local.project)
+ ssl_profile_name = null
firewall_policy_id = azurerm_web_application_firewall_policy.api_app.id
certificate = {
@@ -223,6 +251,23 @@ module "app_gw" {
}
}
+ api-web-io-pagopa-it = {
+ protocol = "Https"
+ host = format("api-web.%s.%s", var.dns_zone_io, var.external_domain)
+ port = 443
+ ssl_profile_name = null
+ firewall_policy_id = azurerm_web_application_firewall_policy.api_app.id
+
+ certificate = {
+ name = var.app_gateway_api_web_certificate_name
+ id = replace(
+ data.azurerm_key_vault_certificate.app_gw_api_web.secret_id,
+ "/${data.azurerm_key_vault_certificate.app_gw_api_web.version}",
+ ""
+ )
+ }
+ }
+
app-backend-io-italia-it = {
protocol = "Https"
host = "app-backend.io.italia.it"
@@ -244,7 +289,7 @@ module "app_gw" {
protocol = "Https"
host = "developerportal-backend.io.italia.it"
port = 443
- ssl_profile_name = format("%s-ssl-profile", local.project)
+ ssl_profile_name = null
firewall_policy_id = null
certificate = {
@@ -261,7 +306,7 @@ module "app_gw" {
protocol = "Https"
host = local.selfcare_io.backend_hostname
port = 443
- ssl_profile_name = format("%s-ssl-profile", local.project)
+ ssl_profile_name = null
firewall_policy_id = null
certificate = {
@@ -274,11 +319,28 @@ module "app_gw" {
}
}
+ firmaconio-selfcare-pagopa-it = {
+ protocol = "Https"
+ host = format("%s.%s", var.dns_zone_firmaconio_selfcare, var.external_domain)
+ port = 443
+ ssl_profile_name = null
+ firewall_policy_id = null
+
+ certificate = {
+ name = var.app_gateway_firmaconio_selfcare_pagopa_it_certificate_name
+ id = replace(
+ data.azurerm_key_vault_certificate.app_gw_firmaconio_selfcare_pagopa_it.secret_id,
+ "/${data.azurerm_key_vault_certificate.app_gw_firmaconio_selfcare_pagopa_it.version}",
+ ""
+ )
+ }
+ }
+
continua-io-pagopa-it = {
protocol = "Https"
host = format("continua.%s.%s", var.dns_zone_io, var.external_domain)
port = 443
- ssl_profile_name = format("%s-ssl-profile", local.project)
+ ssl_profile_name = null
firewall_policy_id = null
certificate = {
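Review bot: The new `firmaconio-selfcare-pagopa-it` listener has `firewall_policy_id = null`, so a new public hostname is exposed without a per-listener WAF policy, whereas the new `api-web-io-pagopa-it` listener attaches `azurerm_web_application_firewall_policy.api_app`. The other app-service-backed listeners in this file also use null, so this may be the project's convention; if so, a comment such as `# no per-listener WAF: <reason>` on the listener records that it was a choice rather than an omission. The enclosing `module "app_gw"` block starts and ends outside this hunk.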
@@ -290,6 +352,23 @@ module "app_gw" {
)
}
}
+
+ selfcare-io-pagopa-it = {
+ protocol = "Https"
+ host = format("selfcare.%s.%s", var.dns_zone_io, var.external_domain)
+ port = 443
+ ssl_profile_name = format("%s-ssl-profile", local.project)
+ firewall_policy_id = null
+
+ certificate = {
+ name = var.app_gateway_selfcare_io_pagopa_it_certificate_name
+ id = replace(
+ data.azurerm_key_vault_certificate.app_gw_selfcare_io.secret_id,
+ "/${data.azurerm_key_vault_certificate.app_gw_selfcare_io.version}",
+ ""
+ )
+ }
+ }
}
# maps listener to backend
@@ -323,6 +402,13 @@ module "app_gw" {
priority = 70
}
+ api-web-io-pagopa-it = {
+ listener = "api-web-io-pagopa-it"
+ backend = "apim"
+ rewrite_rule_set_name = "rewrite-rule-set-api-web"
+ priority = 100
+ }
+
app-backend-io-italia-it = {
listener = "app-backend-io-italia-it"
backend = "appbackend-app"
@@ -344,6 +430,13 @@ module "app_gw" {
priority = 60
}
+ firmaconio-selfcare-pagopa-it = {
+ listener = "firmaconio-selfcare-pagopa-it"
+ backend = "firmaconio-selfcare-backend"
+ rewrite_rule_set_name = "rewrite-rule-set-firmaconio-selfcare-backend"
+ priority = 90
+ }
+
continua-io-pagopa-it = {
listener = "continua-io-pagopa-it"
backend = "continua-app"
@@ -351,6 +444,13 @@ module "app_gw" {
priority = 80
}
+ selfcare-io-pagopa-it = {
+ listener = "selfcare-io-pagopa-it"
+ backend = "selfcare-io-app"
+ rewrite_rule_set_name = "rewrite-rule-set-selfcare-io"
+ priority = 110
+ }
+
}
rewrite_rule_sets = [
@@ -371,7 +471,7 @@ module "app_gw" {
header_value = "{var_client_ip}"
},
{
- # this header will be checked in apim policy
+ # this header will be checked in apim policy (only for MTLS check)
header_name = data.azurerm_key_vault_secret.app_gw_mtls_header_name.value
header_value = "false"
},
@@ -396,7 +496,7 @@ module "app_gw" {
header_value = "{var_client_ip}"
},
{
- # this header will be checked in apim policy
+ # this header will be checked in apim policy (only for MTLS check)
header_name = data.azurerm_key_vault_secret.app_gw_mtls_header_name.value
header_value = "true"
},
@@ -424,6 +524,26 @@ module "app_gw" {
response_header_configurations = []
}]
},
+ {
+ name = "rewrite-rule-set-api-web"
+ rewrite_rules = [{
+ name = "http-headers-api-web"
+ rule_sequence = 100
+ conditions = []
+ url = null
+ request_header_configurations = [
+ {
+ header_name = "X-Forwarded-For"
+ header_value = "{var_client_ip}"
+ },
+ {
+ header_name = "X-Client-Ip"
+ header_value = "{var_client_ip}"
+ },
+ ]
+ response_header_configurations = []
+ }]
+ },
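Review bot: `rewrite-rule-set-api-web` is attached to the new `api-web-io-pagopa-it` route whose backend is `apim`, but unlike the two api rule sets above it, it does not set the header named by `app_gw_mtls_header_name`; the neighbouring comments say that header is what the APIM policy checks for the mTLS decision, and because the gateway never overwrites it on this path, whatever value a client sends in that header is what APIM sees. Add the same entry the non-mTLS api set uses, `{ header_name = data.azurerm_key_vault_secret.app_gw_mtls_header_name.value, header_value = "false" }`, to this set's `request_header_configurations` so the gateway always asserts the value itself. The enclosing `module "app_gw"` block starts and ends outside this hunk.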
{
name = "rewrite-rule-set-developerportal-backend"
rewrite_rules = [{
@@ -464,6 +584,26 @@ module "app_gw" {
response_header_configurations = []
}]
},
+ {
+ name = "rewrite-rule-set-firmaconio-selfcare-backend"
+ rewrite_rules = [{
+ name = "http-headers-firmaconio-selfcare-backend"
+ rule_sequence = 100
+ conditions = []
+ url = null
+ request_header_configurations = [
+ {
+ header_name = "X-Forwarded-For"
+ header_value = "{var_client_ip}"
+ },
+ {
+ header_name = "X-Client-Ip"
+ header_value = "{var_client_ip}"
+ },
+ ]
+ response_header_configurations = []
+ }]
+ },
{
name = "rewrite-rule-set-continua"
rewrite_rules = [{
@@ -488,6 +628,26 @@ module "app_gw" {
response_header_configurations = []
}]
},
+ {
+ name = "rewrite-rule-set-selfcare-io"
+ rewrite_rules = [{
+ name = "http-headers-selfcare-io"
+ rule_sequence = 100
+ conditions = []
+ url = null
+ request_header_configurations = [
+ {
+ header_name = "X-Forwarded-For"
+ header_value = "{var_client_ip}"
+ },
+ {
+ header_name = "X-Client-Ip"
+ header_value = "{var_client_ip}"
+ },
+ ]
+ response_header_configurations = []
+ }]
+ },
]
# TLS
@@ -501,11 +661,7 @@ module "app_gw" {
action = [
{
- action_group_id = azurerm_monitor_action_group.slack.id
- webhook_properties = null
- },
- {
- action_group_id = azurerm_monitor_action_group.email.id
+ action_group_id = azurerm_monitor_action_group.error_action_group.id
webhook_properties = null
}
]
@@ -528,8 +684,8 @@ module "app_gw" {
metric_name = "ComputeUnits"
operator = "GreaterOrLessThan"
alert_sensitivity = "Low" # todo after api app migration change to High
- evaluation_total_count = 2
- evaluation_failure_count = 2
+ evaluation_total_count = 3
+ evaluation_failure_count = 3
dimension = []
}
]
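Review bot: `evaluation_total_count`/`evaluation_failure_count` go from 2 to 3 for ComputeUnits here and from 2 to 4 for FailedRequests in the next hunk, so both dynamic alerts now require a longer unbroken run of breaching windows before they fire; the existing `# todo after api app migration change to High` comment explains the sensitivity choice, but nothing records why the counts were raised. A comment such as `# 3 of 3 windows: <reason>` on each keeps the tuning reviewable and stops a future "fix" from quietly reverting it. The enclosing `module "app_gw"` block starts and ends outside this hunk.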
@@ -610,8 +766,8 @@ module "app_gw" {
metric_name = "FailedRequests"
operator = "GreaterThan"
alert_sensitivity = "High"
- evaluation_total_count = 2
- evaluation_failure_count = 2
+ evaluation_total_count = 4
+ evaluation_failure_count = 4
dimension = []
}
]
@@ -651,6 +807,16 @@ resource "azurerm_key_vault_access_policy" "app_gateway_policy_common" {
storage_permissions = []
}
+resource "azurerm_key_vault_access_policy" "app_gateway_policy_ioweb" {
+ key_vault_id = data.azurerm_key_vault.ioweb_kv.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = azurerm_user_assigned_identity.appgateway.principal_id
+ key_permissions = []
+ secret_permissions = ["Get", "List"]
+ certificate_permissions = ["Get", "List"]
+ storage_permissions = []
+}
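Review bot: `secret_permissions = ["Get", "List"]` on `ioweb_kv` is wider than the gateway needs: Application Gateway retrieves a Key Vault certificate through `secrets/get` on the certificate's backing secret, and `List` additionally lets this identity enumerate every secret name in the vault. Unless the identity also browses that vault, `secret_permissions = ["Get"]` is sufficient (and `certificate_permissions` can likely be reduced the same way); if the wider grant intentionally mirrors `app_gateway_policy_common`, a comment such as `# Get+List kept in line with app_gateway_policy_common` records that.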
+
## user assined identity: (old application gateway) ##
data "azuread_service_principal" "app_gw_uai_kvreader" {
display_name = format("%s-uai-kvreader", local.project)
@@ -681,6 +847,20 @@ data "azurerm_key_vault_certificate" "app_gw_api_app" {
key_vault_id = module.key_vault.id
}
+###
+# kv where the certificate for api-web domain is located
+###
+data "azurerm_key_vault" "ioweb_kv" {
+ name = format("%s-ioweb-kv", local.project)
+ resource_group_name = format("%s-ioweb-sec-rg", local.project)
+}
+
+data "azurerm_key_vault_certificate" "app_gw_api_web" {
+ name = var.app_gateway_api_web_certificate_name
+ key_vault_id = data.azurerm_key_vault.ioweb_kv.id
+}
+###
+
data "azurerm_key_vault_certificate" "app_gw_api_io_italia_it" {
name = var.app_gateway_api_io_italia_it_certificate_name
key_vault_id = module.key_vault_common.id
@@ -701,11 +881,21 @@ data "azurerm_key_vault_certificate" "app_gw_api_io_selfcare_pagopa_it" {
key_vault_id = module.key_vault.id
}
+data "azurerm_key_vault_certificate" "app_gw_firmaconio_selfcare_pagopa_it" {
+ name = var.app_gateway_firmaconio_selfcare_pagopa_it_certificate_name
+ key_vault_id = module.key_vault.id
+}
+
data "azurerm_key_vault_certificate" "app_gw_continua" {
name = var.app_gateway_continua_io_pagopa_it_certificate_name
key_vault_id = module.key_vault.id
}
+data "azurerm_key_vault_certificate" "app_gw_selfcare_io" {
+ name = var.app_gateway_selfcare_io_pagopa_it_certificate_name
+ key_vault_id = module.key_vault.id
+}
+
data "azurerm_key_vault_secret" "app_gw_mtls_header_name" {
name = "mtls-header-name"
key_vault_id = module.key_vault.id
diff --git a/src/core/cgn.tf b/src/core/cgn.tf
index d7abf1333..847fd2c02 100644
--- a/src/core/cgn.tf
+++ b/src/core/cgn.tf
@@ -316,12 +316,13 @@ data "azurerm_key_vault_secret" "cgn_onboarding_backend_identity" {
key_vault_id = module.key_vault_common.id
}
-resource "azurerm_role_assignment" "service_contributor" {
- count = var.env_short == "p" ? 1 : 0
- scope = module.apim.id
- role_definition_name = "API Management Service Contributor"
- principal_id = data.azurerm_key_vault_secret.cgn_onboarding_backend_identity.value
-}
+# TODO rollback after apim-v2 migration
+# resource "azurerm_role_assignment" "service_contributor" {
+# count = var.env_short == "p" ? 1 : 0
+# scope = module.apim.id
+# role_definition_name = "API Management Service Contributor"
+# principal_id = data.azurerm_key_vault_secret.cgn_onboarding_backend_identity.value
+# }
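Review bot: Commenting out `azurerm_role_assignment.service_contributor` removes the assignment on the next apply and leaves dead code that `terraform validate` no longer checks; the TODO says "rollback after apim-v2 migration" but not what the CGN onboarding backend relies on in the meantime or which ticket tracks the rollback. Keeping the resource live with a gate, `count = var.env_short == "p" && <gate> ? 1 : 0` (or pointing `scope` at `module.apim_v2.id` if that is the intended target), keeps it validated and makes the rollback a one-line change; at minimum add the ticket reference to the TODO.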
resource "azurerm_resource_group" "cgn_be_rg" {
name = format("%s-cgn-be-rg", local.project)
diff --git a/src/core/data.tf b/src/core/data.tf
index c64255ccf..1f0fc74b5 100644
--- a/src/core/data.tf
+++ b/src/core/data.tf
@@ -146,7 +146,7 @@ resource "azurerm_monitor_metric_alert" "cosmos_api_throttling_alert" {
resource_group_name = azurerm_resource_group.rg_linux.name
scopes = [data.azurerm_cosmosdb_account.cosmos_api.id]
# TODO: add Runbook for checking errors
- description = "One or more collections consumed throughput (RU/s) exceed provisioned throughput. Please, consider to increase RU for these collections. Runbook: https://pagopa.atlassian.net/wiki/spaces/IC/pages/608632903/Throttling+su+risorsa+Cosmos."
+ description = "One or more collections consumed throughput (RU/s) exceed provisioned throughput. Please, consider to increase RU for these collections. Runbook: https://pagopa.atlassian.net/wiki/spaces/IC/pages/723452380/CosmosDB+-+Increase+Max+RU"
severity = 0
window_size = "PT5M"
frequency = "PT5M"
@@ -227,7 +227,7 @@ resource "azurerm_monitor_metric_alert" "cosmos_cgn_throttling_alert" {
resource_group_name = azurerm_resource_group.cgn_be_rg.name
scopes = [data.azurerm_cosmosdb_account.cosmos_cgn.id]
# TODO: add Runbook for checking errors
- description = "One or more collections consumed throughput (RU/s) exceed provisioned throughput. Please, consider to increase RU for these collections. Runbook: https://pagopa.atlassian.net/wiki/spaces/IC/pages/608632903/Throttling+su+risorsa+Cosmos."
+ description = "One or more collections consumed throughput (RU/s) exceed provisioned throughput. Please, consider to increase RU for these collections. Runbook: https://pagopa.atlassian.net/wiki/spaces/IC/pages/723452380/CosmosDB+-+Increase+Max+RU"
severity = 0
window_size = "PT5M"
frequency = "PT5M"
@@ -269,3 +269,12 @@ resource "azurerm_monitor_metric_alert" "cosmos_cgn_throttling_alert" {
tags = var.tags
}
+
+#
+# IO Services CMS BackOffice App
+#
+
+data "azurerm_linux_web_app" "cms_backoffice_app" {
+ name = format("%s-services-cms-backoffice-app", local.project)
+ resource_group_name = format("%s-services-cms-rg", local.project)
+}
diff --git a/src/core/devportal.tf b/src/core/devportal.tf
index cebc37a02..f6500ca53 100644
--- a/src/core/devportal.tf
+++ b/src/core/devportal.tf
@@ -54,6 +54,11 @@ data "azurerm_key_vault_secret" "devportal_cookie_key" {
key_vault_id = module.key_vault_common.id
}
+data "azurerm_key_vault_secret" "devportal_request_review_legacy_queue_connectionstring" {
+ name = "devportal-REQUEST-REVIEW-LEGACY-QUEUE-CONNECTIONSTRING"
+ key_vault_id = module.key_vault_common.id
+}
+
# Only 1 subnet can be associated to a service plan
# azurerm_app_service_virtual_network_swift_connection requires an app service id
# so we choose one of the app service in the app service plan
@@ -99,7 +104,7 @@ module "appservice_devportal_be" {
# Apim connection
APIM_PRODUCT_NAME = "io-services-api"
APIM_USER_GROUPS = "apilimitedmessagewrite,apiinforead,apimessageread,apilimitedprofileread"
- ARM_APIM = "io-p-apim-api"
+ ARM_APIM = "io-p-apim-v2-api"
ARM_RESOURCE_GROUP = "io-p-rg-internal"
ARM_SUBSCRIPTION_ID = data.azurerm_subscription.current.subscription_id
ARM_TENANT_ID = data.azurerm_client_config.current.tenant_id
@@ -139,6 +144,10 @@ module "appservice_devportal_be" {
JIRA_ORGANIZATION_ID_FIELD = "customfield_10088"
JIRA_TOKEN = data.azurerm_key_vault_secret.devportal_jira_token.value
+ # Request Review Legacy Queue
+ REQUEST_REVIEW_LEGACY_QUEUE_CONNECTIONSTRING = data.azurerm_key_vault_secret.devportal_request_review_legacy_queue_connectionstring.value
+ REQUEST_REVIEW_LEGACY_QUEUE_NAME = "request-review-legacy"
+
# Feature Flags
#
# List of (comma separated) APIM userId for whom we want to enable Manage Flow on Service Management.
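Review bot: `REQUEST_REVIEW_LEGACY_QUEUE_CONNECTIONSTRING` copies the raw queue connection string out of Key Vault into the app settings, and the same secret is wired into `appservice_selfcare_be` in the selfcare.tf hunk, so one credential now sits in two apps' settings and in Terraform state; if it is the usual storage-account connection string it also grants account-wide access rather than access to the single `request-review-legacy` queue. A queue-scoped SAS, or a managed-identity role on the queue where the module supports it, would keep each app least-privileged, and the two apps should at least not share one key so a rotation can be done per consumer. The enclosing `module "appservice_devportal_be"` block starts and ends outside this hunk.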
diff --git a/src/core/dns_firmaconio_selfcare_pagopa_it.tf b/src/core/dns_firmaconio_selfcare_pagopa_it.tf
new file mode 100644
index 000000000..885037346
--- /dev/null
+++ b/src/core/dns_firmaconio_selfcare_pagopa_it.tf
@@ -0,0 +1,50 @@
+resource "azurerm_dns_zone" "firmaconio_selfcare_pagopa_it" {
+ count = (var.dns_zone_firmaconio_selfcare == null || var.external_domain == null) ? 0 : 1
+ name = join(".", [var.dns_zone_firmaconio_selfcare, var.external_domain])
+ resource_group_name = azurerm_resource_group.rg_external.name
+
+ tags = var.tags
+}
+
+# application gateway records
+# firmaconio.selfcare.pagopa.it
+resource "azurerm_dns_a_record" "firmaconio_selfcare_pagopa_it" {
+ name = "@"
+ zone_name = azurerm_dns_zone.firmaconio_selfcare_pagopa_it[0].name
+ resource_group_name = azurerm_resource_group.rg_external.name
+ ttl = var.dns_default_ttl_sec
+ records = [azurerm_public_ip.appgateway_public_ip.ip_address]
+
+ tags = var.tags
+}
+
+resource "azurerm_dns_caa_record" "firmaconio_selfcare_pagopa_it" {
+ name = "@"
+ zone_name = azurerm_dns_zone.firmaconio_selfcare_pagopa_it[0].name
+ resource_group_name = azurerm_resource_group.rg_external.name
+ ttl = var.dns_default_ttl_sec
+
+ record {
+ flags = 0
+ tag = "issue"
+ value = "digicert.com"
+ }
+
+ record {
+ flags = 0
+ tag = "issue"
+ value = "letsencrypt.org"
+ }
+
+ record {
+ flags = 0
+ tag = "iodef"
+ value = "mailto:security+caa@pagopa.it"
+ }
+
+ tags = var.tags
+}
+
+output "dns_firmaconio_selfcare_pagopa_it_ns" {
+ value = azurerm_dns_zone.firmaconio_selfcare_pagopa_it[0].name_servers
+}
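Review bot: The zone is created with `count = (var.dns_zone_firmaconio_selfcare == null || var.external_domain == null) ? 0 : 1`, but the A record, the CAA record and the output index `azurerm_dns_zone.firmaconio_selfcare_pagopa_it[0]` unconditionally, so in any environment where the variable is unset (the dev tfvars hunk adds no `dns_zone_firmaconio_selfcare`) the plan fails with an invalid-index error. Put the same `count = (var.dns_zone_firmaconio_selfcare == null || var.external_domain == null) ? 0 : 1` on both records and make the output `value = one(azurerm_dns_zone.firmaconio_selfcare_pagopa_it[*].name_servers)`; the monitor.tf test entry that reads `azurerm_dns_a_record.firmaconio_selfcare_pagopa_it.fqdn` then needs `[0]` as well. Factoring the condition into a single local would keep the three copies from drifting.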
diff --git a/src/core/dns_io_italia_it.tf b/src/core/dns_io_italia_it.tf
index db1177020..1ab268092 100644
--- a/src/core/dns_io_italia_it.tf
+++ b/src/core/dns_io_italia_it.tf
@@ -66,6 +66,17 @@ resource "azurerm_dns_a_record" "app_backend_io_italia_it" {
tags = var.tags
}
+# api-internal.io.italia.it
+resource "azurerm_dns_a_record" "api_internal_io_italia_it" {
+ name = "api-internal"
+ zone_name = azurerm_dns_zone.io_italia_it.name
+ resource_group_name = azurerm_resource_group.rg_external.name
+ ttl = "60" # var.dns_default_ttl_sec # TODO rollback after apim-v2 migration
+ records = module.apim_v2.*.private_ip_addresses[0]
+
+ tags = var.tags
+}
+
# TXT for zendeskverification.io.italia.it
resource "azurerm_dns_txt_record" "zendeskverification_io_italia_it" {
name = "zendeskverification"
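Review bot: `api_internal_io_italia_it` publishes `module.apim_v2.*.private_ip_addresses[0]` in the public `io.italia.it` zone, so the APIM's internal addresses become world-resolvable; if the intent is split-horizon resolution during the apim-v2 migration, the record belongs in the private zone next to `api_app_internal_io` in private_dns_zones.tf, and if the public record is deliberate a comment should say why. The hard-coded `ttl = "60"` carries the same TODO as the private_dns_zones.tf hunk; a single `local.apim_v2_migration_ttl` referenced from both records would make the rollback one edit.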
diff --git a/src/core/dns_io_pagopa_it.tf b/src/core/dns_io_pagopa_it.tf
index 02e2ec6e5..119d2005f 100644
--- a/src/core/dns_io_pagopa_it.tf
+++ b/src/core/dns_io_pagopa_it.tf
@@ -56,6 +56,17 @@ resource "azurerm_dns_a_record" "api_app_io_pagopa_it" {
tags = var.tags
}
+# api-web.io.pagopa.it
+resource "azurerm_dns_a_record" "api_web_io_pagopa_it" {
+ name = "api-web"
+ zone_name = azurerm_dns_zone.io_pagopa_it[0].name
+ resource_group_name = azurerm_resource_group.rg_external.name
+ ttl = var.dns_default_ttl_sec
+ records = [azurerm_public_ip.appgateway_public_ip.ip_address]
+
+ tags = var.tags
+}
+
# api-mtls.io.pagopa.it
resource "azurerm_dns_a_record" "api_mtls_io_pagopa_it" {
name = "api-mtls"
@@ -78,6 +89,17 @@ resource "azurerm_dns_a_record" "continua_io_pagopa_it" {
tags = var.tags
}
+# selfcare.io.pagopa.it
+resource "azurerm_dns_a_record" "selfcare_io_pagopa_it" {
+ name = "selfcare"
+ zone_name = azurerm_dns_zone.io_pagopa_it[0].name
+ resource_group_name = azurerm_resource_group.rg_external.name
+ ttl = var.dns_default_ttl_sec
+ records = [azurerm_public_ip.appgateway_public_ip.ip_address]
+
+ tags = var.tags
+}
+
# firma.io.pagopa.it
resource "azurerm_dns_ns_record" "firma_io_pagopa_it_ns" {
name = "firma"
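Review bot: `selfcare_io_pagopa_it` gets a public A record and, in the prod tfvars hunk, an application-gateway certificate (`app_gateway_selfcare_io_pagopa_it_certificate_name`), but unlike `api_web_io_pagopa_it` and `firmaconio_selfcare_pagopa_it` no entry is added to `local.test_urls` in monitor.tf, so its availability and certificate expiry are not probed. Add an object mirroring the api-web entry, `name = trimsuffix(azurerm_dns_a_record.selfcare_io_pagopa_it.fqdn, ".")`, with the path and expected status the listener actually serves.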
diff --git a/src/core/dns_ioweb_it.tf b/src/core/dns_ioweb_it.tf
new file mode 100644
index 000000000..689c1b8a6
--- /dev/null
+++ b/src/core/dns_ioweb_it.tf
@@ -0,0 +1,27 @@
+resource "azurerm_dns_zone" "ioweb_it" {
+ name = "ioapp.it"
+ resource_group_name = azurerm_resource_group.rg_external.name
+
+ tags = var.tags
+}
+
+resource "azurerm_dns_caa_record" "ioweb_it" {
+ name = "@"
+ zone_name = azurerm_dns_zone.ioweb_it.name
+ resource_group_name = azurerm_resource_group.rg_external.name
+ ttl = var.dns_default_ttl_sec
+
+ record {
+ flags = 0
+ tag = "issue"
+ value = "letsencrypt.org"
+ }
+
+ record {
+ flags = 0
+ tag = "iodef"
+ value = "mailto:security+caa@pagopa.it"
+ }
+
+ tags = var.tags
+}
\ No newline at end of file
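Review bot: The zone resource `azurerm_dns_zone.ioweb_it` hard-codes `name = "ioapp.it"`, so the file name, the resource names and the zone's real domain disagree; rename the resources to `ioapp_it` (or the file to match) or add a comment explaining the ioweb/ioapp relationship before other records start referencing it. Unlike dns_firmaconio_selfcare_pagopa_it.tf, no `output` exposes `azurerm_dns_zone.ioweb_it.name_servers`, which whoever delegates the domain at the registrar will need. The file is also missing its trailing newline.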
diff --git a/src/core/env/dev/terraform.tfvars b/src/core/env/dev/terraform.tfvars
index e470149cb..9e6800c06 100644
--- a/src/core/env/dev/terraform.tfvars
+++ b/src/core/env/dev/terraform.tfvars
@@ -8,6 +8,9 @@ tags = {
CostCenter = "TS310 - PAGAMENTI & SERVIZI"
}
+location = "westeurope"
+location_short = "weu"
+
# dns
external_domain = "pagopa.it"
dns_zone_io = "dev.io"
diff --git a/src/core/env/prod/terraform.tfvars b/src/core/env/prod/terraform.tfvars
index f993f5aba..5d9140b77 100644
--- a/src/core/env/prod/terraform.tfvars
+++ b/src/core/env/prod/terraform.tfvars
@@ -8,10 +8,14 @@ tags = {
CostCenter = "TS310 - PAGAMENTI & SERVIZI"
}
+location = "westeurope"
+location_short = "weu"
+
# dns
-external_domain = "pagopa.it"
-dns_zone_io = "io"
-dns_zone_io_selfcare = "io.selfcare"
+external_domain = "pagopa.it"
+dns_zone_io = "io"
+dns_zone_io_selfcare = "io.selfcare"
+dns_zone_firmaconio_selfcare = "firmaconio.selfcare"
lock_enable = true
@@ -65,14 +69,20 @@ cidr_subnet_pendpoints = ["10.0.240.0/23"]
cidr_subnet_azdoa = ["10.0.250.0/24"]
cidr_subnet_dnsforwarder = ["10.0.252.8/29"]
+# just for reminder: declared in https://github.com/pagopa/io-infra/blob/main/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars
+# subnet for ioweb_profile -> cidr_subnet_fniowebprofile = ["10.0.117.0/24"]
+
app_gateway_api_certificate_name = "api-io-pagopa-it"
app_gateway_api_mtls_certificate_name = "api-mtls-io-pagopa-it"
app_gateway_api_app_certificate_name = "api-app-io-pagopa-it"
+app_gateway_api_web_certificate_name = "api-web-io-pagopa-it"
app_gateway_api_io_italia_it_certificate_name = "api-io-italia-it"
app_gateway_app_backend_io_italia_it_certificate_name = "app-backend-io-italia-it"
app_gateway_developerportal_backend_io_italia_it_certificate_name = "developerportal-backend-io-italia-it"
app_gateway_api_io_selfcare_pagopa_it_certificate_name = "api-io-selfcare-pagopa-it"
+app_gateway_firmaconio_selfcare_pagopa_it_certificate_name = "firmaconio-selfcare-pagopa-it"
app_gateway_continua_io_pagopa_it_certificate_name = "continua-io-pagopa-it"
+app_gateway_selfcare_io_pagopa_it_certificate_name = "selfcare-io-pagopa-it"
app_gateway_min_capacity = 4 # 4 capacity=baseline, 10 capacity=high volume event, 15 capacity=very high volume event
app_gateway_max_capacity = 50
app_gateway_alerts_enabled = true
@@ -454,6 +464,9 @@ pn_service_id = "01G40DWQGKY5GRWSNM4303VNRP"
# PN Test Endpoint
pn_test_endpoint = "https://api-io.uat.notifichedigitali.it"
+# RECEIPT SERVICE
+io_receipt_service_id = "01H4ZJ62C1CPGJ0PX8Q1BP7FAB"
+io_receipt_service_test_url = "https://api.uat.platform.pagopa.it/receipts/service/v1"
# TP Mock Service Id
third_party_mock_service_id = "01GQQDPM127KFGG6T3660D5TXD"
diff --git a/src/core/events.tf b/src/core/events.tf
index 66a5375cf..450500ee2 100644
--- a/src/core/events.tf
+++ b/src/core/events.tf
@@ -53,11 +53,7 @@ module "event_hub" {
metric_alerts = var.ehns_metric_alerts
action = [
{
- action_group_id = azurerm_monitor_action_group.slack.id
- webhook_properties = null
- },
- {
- action_group_id = azurerm_monitor_action_group.email.id
+ action_group_id = azurerm_monitor_action_group.error_action_group.id
webhook_properties = null
}
]
diff --git a/src/core/firmaconio.tf b/src/core/firmaconio.tf
new file mode 100644
index 000000000..ff9874370
--- /dev/null
+++ b/src/core/firmaconio.tf
@@ -0,0 +1,14 @@
+locals {
+ firmaconio_project = format("%s-sign", local.project)
+ firmaconio = {
+ resource_group_names = {
+ backend = format("%s-backend-rg", local.firmaconio_project)
+ }
+ }
+}
+
+
+data "azurerm_linux_web_app" "firmaconio_selfcare_web_app" {
+ name = format("%s-backoffice-app", local.firmaconio_project)
+ resource_group_name = local.firmaconio.resource_group_names.backend
+}
\ No newline at end of file
diff --git a/src/core/function_admin.tf b/src/core/function_admin.tf
index e10cea8e5..3b6a20ba5 100644
--- a/src/core/function_admin.tf
+++ b/src/core/function_admin.tf
@@ -93,7 +93,7 @@ locals {
AssetsStorageConnection = module.assets_cdn.primary_connection_string
- AZURE_APIM = "io-p-apim-api"
+ AZURE_APIM = "io-p-apim-v2-api"
AZURE_APIM_HOST = local.apim_hostname_api_internal
AZURE_APIM_RESOURCE_GROUP = "io-p-rg-internal"
diff --git a/src/core/function_app.tf b/src/core/function_app.tf
index 59409e9e1..d651d36a4 100644
--- a/src/core/function_app.tf
+++ b/src/core/function_app.tf
@@ -108,6 +108,12 @@ locals {
VISIBLE_SERVICE_BLOB_ID = "visible-services-national.json"
+ # Login Email variables
+ # TODO: change those variables once the service has been created
+ MAGIC_LINK_SERVICE_PUBLIC_URL = "https://example.com"
+ HELP_DESK_REF = "mailto:beta.loginveloce@pagopa.it"
+ #
+
MAILUP_USERNAME = data.azurerm_key_vault_secret.common_MAILUP_USERNAME.value
MAILUP_SECRET = data.azurerm_key_vault_secret.common_MAILUP_SECRET.value
PUBLIC_API_KEY = trimspace(data.azurerm_key_vault_secret.fn_app_PUBLIC_API_KEY.value)
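Review bot: `MAGIC_LINK_SERVICE_PUBLIC_URL = "https://example.com"` ships a placeholder into the function's live settings; if the login-email path is reachable before the TODO is resolved, users receive magic links pointing at a domain the project does not control. Prefer a variable with no default, e.g. `MAGIC_LINK_SERVICE_PUBLIC_URL = var.magic_link_service_public_url`, so the apply fails fast until the real service exists, and drop the dangling `#` line that closes the block. The enclosing `locals` block starts and ends outside this hunk.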
@@ -154,6 +160,12 @@ module "app_snet" {
}
}
+data "azurerm_subnet" "ioweb_profile_snet" {
+ name = format("%s-%s-ioweb-profile-snet", local.project, var.location_short)
+ virtual_network_name = module.vnet_common.name
+ resource_group_name = azurerm_resource_group.rg_common.name
+}
+
#tfsec:ignore:azure-storage-queue-services-logging-enabled:exp:2022-05-01 # already ignored, maybe a bug in tfsec
module "function_app" {
count = var.function_app_count
@@ -200,6 +212,7 @@ module "function_app" {
module.app_backendl1_snet.id,
module.app_backendl2_snet.id,
module.app_backendli_snet.id,
+ data.azurerm_subnet.ioweb_profile_snet.id,
]
tags = var.tags
@@ -372,10 +385,6 @@ resource "azurerm_monitor_metric_alert" "function_app_health_check" {
}
action {
- action_group_id = azurerm_monitor_action_group.email.id
- }
-
- action {
- action_group_id = azurerm_monitor_action_group.slack.id
+ action_group_id = azurerm_monitor_action_group.error_action_group.id
}
}
diff --git a/src/core/function_app_async.tf b/src/core/function_app_async.tf
index 19afa25e8..3c3802fbc 100644
--- a/src/core/function_app_async.tf
+++ b/src/core/function_app_async.tf
@@ -254,10 +254,6 @@ resource "azurerm_monitor_metric_alert" "function_app_async_health_check" {
}
action {
- action_group_id = azurerm_monitor_action_group.email.id
- }
-
- action {
- action_group_id = azurerm_monitor_action_group.slack.id
+ action_group_id = azurerm_monitor_action_group.error_action_group.id
}
}
diff --git a/src/core/function_assets_cdn.tf b/src/core/function_assets_cdn.tf
index ab11ba623..0a8703507 100644
--- a/src/core/function_assets_cdn.tf
+++ b/src/core/function_assets_cdn.tf
@@ -238,11 +238,7 @@ resource "azurerm_monitor_metric_alert" "function_assets_health_check" {
}
action {
- action_group_id = azurerm_monitor_action_group.email.id
- }
-
- action {
- action_group_id = azurerm_monitor_action_group.slack.id
+ action_group_id = azurerm_monitor_action_group.error_action_group.id
}
}
@@ -264,11 +260,7 @@ resource "azurerm_monitor_metric_alert" "function_assets_http_server_errors" {
}
action {
- action_group_id = azurerm_monitor_action_group.email.id
- }
-
- action {
- action_group_id = azurerm_monitor_action_group.slack.id
+ action_group_id = azurerm_monitor_action_group.error_action_group.id
}
}
@@ -290,10 +282,6 @@ resource "azurerm_monitor_metric_alert" "function_assets_response_time" {
}
action {
- action_group_id = azurerm_monitor_action_group.email.id
- }
-
- action {
- action_group_id = azurerm_monitor_action_group.slack.id
+ action_group_id = azurerm_monitor_action_group.error_action_group.id
}
}
diff --git a/src/core/function_cgn.tf b/src/core/function_cgn.tf
index 193a818b1..b73173244 100644
--- a/src/core/function_cgn.tf
+++ b/src/core/function_cgn.tf
@@ -312,10 +312,6 @@ resource "azurerm_monitor_metric_alert" "function_cgn_health_check" {
}
action {
- action_group_id = azurerm_monitor_action_group.email.id
- }
-
- action {
- action_group_id = azurerm_monitor_action_group.slack.id
+ action_group_id = azurerm_monitor_action_group.error_action_group.id
}
}
diff --git a/src/core/function_cgn_merchant.tf b/src/core/function_cgn_merchant.tf
index 2860db398..e4f45fe82 100644
--- a/src/core/function_cgn_merchant.tf
+++ b/src/core/function_cgn_merchant.tf
@@ -125,10 +125,6 @@ resource "azurerm_monitor_metric_alert" "function_cgn_merchant_health_check" {
}
action {
- action_group_id = azurerm_monitor_action_group.email.id
- }
-
- action {
- action_group_id = azurerm_monitor_action_group.slack.id
+ action_group_id = azurerm_monitor_action_group.error_action_group.id
}
}
diff --git a/src/core/function_devportal_service_data.tf b/src/core/function_devportal_service_data.tf
index b66481b93..2e4e9ba7b 100644
--- a/src/core/function_devportal_service_data.tf
+++ b/src/core/function_devportal_service_data.tf
@@ -26,7 +26,7 @@ locals {
APIM_CLIENT_ID = data.azurerm_key_vault_secret.devportal_service_principal_client_id.value
APIM_RESOURCE_GROUP = "io-p-rg-internal"
APIM_SECRET = data.azurerm_key_vault_secret.devportal_service_principal_secret.value
- APIM_SERVICE_NAME = "io-p-apim-api"
+ APIM_SERVICE_NAME = "io-p-apim-v2-api"
APIM_SUBSCRIPTION_ID = data.azurerm_subscription.current.subscription_id
APIM_TENANT_ID = data.azurerm_client_config.current.tenant_id
diff --git a/src/core/function_eucovidcert.tf b/src/core/function_eucovidcert.tf
index 15aa4d35d..1c811e3a3 100644
--- a/src/core/function_eucovidcert.tf
+++ b/src/core/function_eucovidcert.tf
@@ -393,10 +393,6 @@ resource "azurerm_monitor_metric_alert" "function_eucovidcert_health_check" {
}
action {
- action_group_id = azurerm_monitor_action_group.email.id
- }
-
- action {
- action_group_id = azurerm_monitor_action_group.slack.id
+ action_group_id = azurerm_monitor_action_group.error_action_group.id
}
}
diff --git a/src/core/function_messages_cqrs.tf b/src/core/function_messages_cqrs.tf
index 19496f82d..63c3e2c91 100644
--- a/src/core/function_messages_cqrs.tf
+++ b/src/core/function_messages_cqrs.tf
@@ -31,8 +31,8 @@ locals {
MESSAGE_CHANGE_FEED_LEASE_PREFIX = "CosmosApiMessageChangeFeed-00"
// This must be expressed as a Timestamp
- // Saturday 1 October 2022 00:00:00
- MESSAGE_CHANGE_FEED_START_TIME = 1664582400000
+ // Saturday 1 July 2023 00:00:00
+ MESSAGE_CHANGE_FEED_START_TIME = 1688169600000
MESSAGES_TOPIC_CONNECTION_STRING = data.azurerm_eventhub_authorization_rule.io-p-messages-weu-prod01-evh-ns_messages_io-fn-messages-cqrs.primary_connection_string
MESSAGES_TOPIC_NAME = "messages"
diff --git a/src/core/function_subscription_migrations.tf b/src/core/function_subscription_migrations.tf
index f6261a57b..9397b64d4 100644
--- a/src/core/function_subscription_migrations.tf
+++ b/src/core/function_subscription_migrations.tf
@@ -28,7 +28,7 @@ locals {
APIM_CLIENT_ID = data.azurerm_key_vault_secret.selfcare_devportal_service_principal_client_id.value
APIM_RESOURCE_GROUP = "io-p-rg-internal"
APIM_SECRET = data.azurerm_key_vault_secret.selfcare_devportal_service_principal_secret.value
- APIM_SERVICE_NAME = "io-p-apim-api"
+ APIM_SERVICE_NAME = "io-p-apim-v2-api"
APIM_SUBSCRIPTION_ID = data.azurerm_subscription.current.subscription_id
APIM_TENANT_ID = data.azurerm_client_config.current.tenant_id
@@ -282,11 +282,7 @@ module "subscriptionmigrations_db_server" {
monitor_metric_alert_criteria = local.function_subscriptionmigrations.metric_alerts.db
action = [
{
- action_group_id = azurerm_monitor_action_group.email.id
- webhook_properties = null
- },
- {
- action_group_id = azurerm_monitor_action_group.slack.id
+ action_group_id = azurerm_monitor_action_group.error_action_group.id
webhook_properties = null
}
]
diff --git a/src/core/keyvault_access_policy.tf b/src/core/keyvault_access_policy.tf
index 277864229..28b3cc4e5 100644
--- a/src/core/keyvault_access_policy.tf
+++ b/src/core/keyvault_access_policy.tf
@@ -3,87 +3,60 @@ data "azuread_group" "adgroup_admin" {
display_name = format("%s-adgroup-admin", local.project)
}
-## ad group policy ##
-resource "azurerm_key_vault_access_policy" "ad_group_policy" {
+# kv admin policy
+resource "azurerm_key_vault_access_policy" "adgroup_admin" {
key_vault_id = module.key_vault.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azuread_group.adgroup_admin.object_id
key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
- secret_permissions = ["Get", "List", "Set", "Delete", ]
+ secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
storage_permissions = []
- certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", ]
+ certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
-# kv access policy group adgroup-admin
-resource "azurerm_key_vault_access_policy" "policy_common_admin" {
+# kv-common admin policy
+resource "azurerm_key_vault_access_policy" "adgroup_admin_common" {
key_vault_id = module.key_vault_common.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azuread_group.adgroup_admin.object_id
key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
- secret_permissions = ["Get", "List", "Set", "Delete", ]
+ secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
storage_permissions = []
- certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", ]
+ certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
data "azuread_group" "adgroup_developers" {
display_name = format("%s-adgroup-developers", local.project)
}
-## ad group policy ##
-resource "azurerm_key_vault_access_policy" "adgroup_developers_policy" {
- count = var.env_short == "d" ? 1 : 0
-
+# kv developers policy
+resource "azurerm_key_vault_access_policy" "adgroup_developers" {
key_vault_id = module.key_vault.id
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azuread_group.adgroup_developers.object_id
key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
- secret_permissions = ["Get", "List", "Set", "Delete", ]
- storage_permissions = []
- certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", ]
-}
-
-data "azuread_group" "adgroup_externals" {
- display_name = format("%s-adgroup-externals", local.project)
-}
-
-## ad group policy ##
-resource "azurerm_key_vault_access_policy" "adgroup_externals_policy" {
- count = var.env_short == "d" ? 1 : 0
-
- key_vault_id = module.key_vault.id
-
- tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azuread_group.adgroup_externals.object_id
-
- key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
- secret_permissions = ["Get", "List", "Set", "Delete", ]
+ secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
storage_permissions = []
- certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", ]
-}
-
-data "azuread_group" "adgroup_security" {
- display_name = format("%s-adgroup-security", local.project)
+ certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
-## ad group policy ##
-resource "azurerm_key_vault_access_policy" "adgroup_security_policy" {
- count = var.env_short == "d" ? 1 : 0
-
- key_vault_id = module.key_vault.id
+# kv-common developers policy
+resource "azurerm_key_vault_access_policy" "adgroup_developers_common" {
+ key_vault_id = module.key_vault_common.id
tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azuread_group.adgroup_security.object_id
+ object_id = data.azuread_group.adgroup_developers.object_id
key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
- secret_permissions = ["Get", "List", "Set", "Delete", ]
+ secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
storage_permissions = []
- certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", ]
+ certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
# Microsoft Azure WebSites
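Review bot: Dropping `count = var.env_short == "d" ? 1 : 0` from the developers policy, and adding `adgroup_developers_common` without it, grants the developers group Set and Delete on keys, secrets and certificates of both vaults in every environment, prod included, where the old policy applied only to dev; nothing in the hunk explains the widening, so either keep the gate or give non-dev instances a read-only set such as `secret_permissions = ["Get", "List"]` and record the decision in the comment. Separately, renaming `ad_group_policy` to `adgroup_admin` and `policy_common_admin` to `adgroup_admin_common` without `moved` blocks makes Terraform destroy and recreate the admin policies, a window in which the admin group loses vault access; this repo already uses Terraform 1.5+ `import` blocks, so `moved` is available. Removing the `adgroup_externals` and `adgroup_security` data sources is safe only if nothing outside this file references them, which cannot be checked from the hunk.
```hcl
moved {
  from = azurerm_key_vault_access_policy.ad_group_policy
  to   = azurerm_key_vault_access_policy.adgroup_admin
}

moved {
  from = azurerm_key_vault_access_policy.policy_common_admin
  to   = azurerm_key_vault_access_policy.adgroup_admin_common
}

# dev only: the old resource was counted, the new one is not
moved {
  from = azurerm_key_vault_access_policy.adgroup_developers_policy[0]
  to   = azurerm_key_vault_access_policy.adgroup_developers
}
```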
diff --git a/src/core/monitor.tf b/src/core/monitor.tf
index fa2c678a3..7f44a59a0 100644
--- a/src/core/monitor.tf
+++ b/src/core/monitor.tf
@@ -48,6 +48,11 @@ data "azurerm_key_vault_secret" "alert_quarantine_error_notification_slack" {
key_vault_id = module.key_vault.id
}
+data "azurerm_key_vault_secret" "alert_error_notification_opsgenie" {
+ name = "alert-error-notification-opsgenie"
+ key_vault_id = module.key_vault.id
+}
+
#
# Actions Groups
#
@@ -68,6 +73,12 @@ resource "azurerm_monitor_action_group" "error_action_group" {
use_common_alert_schema = true
}
+ webhook_receiver {
+ name = "sendtoopsgenie"
+ service_uri = data.azurerm_key_vault_secret.alert_error_notification_opsgenie.value
+ use_common_alert_schema = true
+ }
+
tags = var.tags
}
@@ -113,7 +124,7 @@ resource "azurerm_monitor_action_group" "slack" {
tags = var.tags
}
-## web availabolity test
+## web availability test
locals {
test_urls = [
@@ -122,6 +133,7 @@ locals {
name = local.devportal.backend_hostname,
host = local.devportal.backend_hostname,
path = "/info",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 7,
},
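Review bot: `frequency = 900` is the only attribute in these object literals written without a trailing comma, here and in every following `test_urls` hunk of monitor.tf through the continua entry; HCL accepts newline-separated attributes so it parses, but the mixed style invites a syntax error the first time an entry is reflowed onto one line. Write `frequency = 900,` to match the neighbouring attributes. The enclosing `locals` block starts and ends outside this hunk.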
@@ -130,6 +142,7 @@ locals {
name = trimsuffix(azurerm_dns_a_record.api_io_italia_it.fqdn, "."),
host = trimsuffix(azurerm_dns_a_record.api_io_italia_it.fqdn, "."),
path = "",
+ frequency = 900
http_status = 404,
ssl_cert_remaining_lifetime_check = 7,
},
@@ -138,6 +151,7 @@ locals {
name = trimsuffix(azurerm_dns_a_record.app_backend_io_italia_it.fqdn, "."),
host = trimsuffix(azurerm_dns_a_record.app_backend_io_italia_it.fqdn, "."),
path = "/info",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 7,
},
@@ -146,6 +160,7 @@ locals {
name = "io.italia.it",
host = "io.italia.it",
path = "",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 7,
},
@@ -154,6 +169,7 @@ locals {
name = "assets.cdn.io.italia.it",
host = "assets.cdn.io.italia.it",
path = "/status/backend.json",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 7,
},
@@ -162,6 +178,7 @@ locals {
name = "assets.cdn.io.pagopa.it",
host = "assets.cdn.io.pagopa.it",
path = "/status/backend.json",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 7,
},
@@ -170,6 +187,7 @@ locals {
name = "CIE",
host = trimsuffix(azurerm_dns_a_record.app_backend_io_italia_it.fqdn, "."),
path = "/login?authLevel=SpidL2&entityID=xx_servizicie",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 1,
},
@@ -177,6 +195,7 @@ locals {
name = "Spid-registry",
host = "registry.spid.gov.it",
path = "/metadata/idp/spid-entities-idps.xml",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 1,
},
@@ -185,6 +204,7 @@ locals {
name = "SpidL2-arubaid",
host = trimsuffix(azurerm_dns_a_record.app_backend_io_italia_it.fqdn, "."),
path = "/login?authLevel=SpidL2&entityID=arubaid",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 1,
},
@@ -193,6 +213,7 @@ locals {
name = "SpidL2-infocertid",
host = trimsuffix(azurerm_dns_a_record.app_backend_io_italia_it.fqdn, "."),
path = "/login?authLevel=SpidL2&entityID=infocertid",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 1,
},
@@ -201,6 +222,7 @@ locals {
name = "SpidL2-lepidaid",
host = trimsuffix(azurerm_dns_a_record.app_backend_io_italia_it.fqdn, "."),
path = "/login?authLevel=SpidL2&entityID=lepidaid",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 1,
},
@@ -209,6 +231,7 @@ locals {
name = "SpidL2-namirialid",
host = trimsuffix(azurerm_dns_a_record.app_backend_io_italia_it.fqdn, "."),
path = "/login?authLevel=SpidL2&entityID=namirialid",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 1,
},
@@ -217,6 +240,7 @@ locals {
name = "SpidL2-posteid",
host = trimsuffix(azurerm_dns_a_record.app_backend_io_italia_it.fqdn, "."),
path = "/login?authLevel=SpidL2&entityID=posteid",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 1,
},
@@ -225,6 +249,7 @@ locals {
name = "SpidL2-sielteid",
host = trimsuffix(azurerm_dns_a_record.app_backend_io_italia_it.fqdn, "."),
path = "/login?authLevel=SpidL2&entityID=sielteid",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 1,
},
@@ -233,6 +258,7 @@ locals {
name = "SpidL2-spiditalia",
host = trimsuffix(azurerm_dns_a_record.app_backend_io_italia_it.fqdn, "."),
path = "/login?authLevel=SpidL2&entityID=spiditalia",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 1,
},
@@ -249,6 +275,7 @@ locals {
name = "SpidL2-infocamere",
host = trimsuffix(azurerm_dns_a_record.app_backend_io_italia_it.fqdn, "."),
path = "/login?authLevel=SpidL2&entityID=infocamereid",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 1,
},
@@ -265,6 +292,7 @@ locals {
name = trimsuffix(azurerm_dns_a_record.api_io_pagopa_it.fqdn, "."),
host = trimsuffix(azurerm_dns_a_record.api_io_pagopa_it.fqdn, "."),
path = "",
+ frequency = 900
http_status = 404,
ssl_cert_remaining_lifetime_check = 7,
},
@@ -273,14 +301,25 @@ locals {
name = trimsuffix(azurerm_dns_a_record.api_app_io_pagopa_it.fqdn, "."),
host = trimsuffix(azurerm_dns_a_record.api_app_io_pagopa_it.fqdn, "."),
path = "/info",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 7,
},
+ {
+ # https://api-web.io.pagopa.it
+ name = trimsuffix(azurerm_dns_a_record.api_web_io_pagopa_it.fqdn, "."),
+ host = trimsuffix(azurerm_dns_a_record.api_web_io_pagopa_it.fqdn, "."),
+ path = "",
+ frequency = 900
+ http_status = 404,
+ ssl_cert_remaining_lifetime_check = 7,
+ },
{
# https://api-mtls.io.pagopa.it
name = trimsuffix(azurerm_dns_a_record.api_mtls_io_pagopa_it.fqdn, "."),
host = trimsuffix(azurerm_dns_a_record.api_mtls_io_pagopa_it.fqdn, "."),
path = "",
+ frequency = 900
http_status = 400,
ssl_cert_remaining_lifetime_check = 7,
},
@@ -289,6 +328,7 @@ locals {
name = trimsuffix(azurerm_dns_a_record.api_io_selfcare_pagopa_it.fqdn, "."),
host = trimsuffix(azurerm_dns_a_record.api_io_selfcare_pagopa_it.fqdn, "."),
path = "/info",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 7,
},
@@ -297,6 +337,16 @@ locals {
name = module.selfcare_cdn.fqdn,
host = module.selfcare_cdn.fqdn,
path = "",
+ frequency = 900
+ http_status = 200,
+ ssl_cert_remaining_lifetime_check = 7,
+ },
+ {
+ # https://firmaconio.selfcare.pagopa.it
+ name = trimsuffix(azurerm_dns_a_record.firmaconio_selfcare_pagopa_it.fqdn, "."),
+ host = trimsuffix(azurerm_dns_a_record.firmaconio_selfcare_pagopa_it.fqdn, "."),
+ path = "/health",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 7,
},
@@ -305,6 +355,7 @@ locals {
name = "github-raw-status-backend",
host = "raw.githubusercontent.com",
path = "/pagopa/io-services-metadata/master/status/backend.json",
+ frequency = 900
http_status = 200,
ssl_cert_remaining_lifetime_check = 7,
},
@@ -313,7 +364,8 @@ locals {
name = trimsuffix(azurerm_dns_a_record.continua_io_pagopa_it.fqdn, "."),
host = trimsuffix(azurerm_dns_a_record.continua_io_pagopa_it.fqdn, "."),
path = "",
- http_status = 200,
+ frequency = 900
+ http_status = 302,
ssl_cert_remaining_lifetime_check = 7,
},
]
@@ -322,7 +374,7 @@ locals {
module "web_test_api" {
for_each = { for v in local.test_urls : v.name => v if v != null }
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//application_insights_web_test_preview?ref=v4.1.15"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//application_insights_web_test_preview?ref=v7.0.0"
subscription_id = data.azurerm_subscription.current.subscription_id
name = format("%s-test", each.value.name)
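Review bot: The `web_test_api` module jumps three major versions (`v4.1.15` to `v7.0.0`) while staying pinned to a mutable git tag; the new `frequency` and `alert_description` inputs in the next hunk show why the bump is needed, but a tag can be moved, so pinning `ref=` to the commit SHA behind v7.0.0 gives a reproducible, tamper-evident module source. It is worth checking the v5–v7 changelog for renamed inputs or outputs, since with `for_each` over `local.test_urls` any rename surfaces only at plan time across every test instance.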
@@ -332,7 +384,9 @@ module "web_test_api" {
request_url = format("https://%s%s", each.value.host, each.value.path)
expected_http_status = each.value.http_status
ssl_cert_remaining_lifetime_check = each.value.ssl_cert_remaining_lifetime_check
+ frequency = each.value.frequency
application_insight_id = azurerm_application_insights.application_insights.id
+ alert_description = "Web availability check alert triggered when it fails. Runbook: https://pagopa.atlassian.net/wiki/spaces/IC/pages/762347521/Web+Availability+Test+-+TLS+Probe+Check"
actions = [
{
@@ -341,3 +395,46 @@ module "web_test_api" {
]
}
+
+resource "azurerm_monitor_scheduled_query_rules_alert" "mailup_alert_rule" {
+ name = "[SEND.MAILUP.COM] Many Failures"
+ resource_group_name = azurerm_resource_group.rg_common.name
+ location = azurerm_resource_group.rg_common.location
+
+ data_source_id = azurerm_application_insights.application_insights.id
+ description = "Check in Application Insight - Dependencies the mailup calls. Runbook: https://pagopa.atlassian.net/wiki/spaces/IC/pages/777650829/MailUp+Communication+Failures"
+ enabled = true
+ auto_mitigation_enabled = false
+
+ query = <<-QUERY
+ let timeGrain=5m;
+ let dataset=dependencies
+ // additional filters can be applied here
+ | where client_Type != "Browser"
+ | where target contains "send.mailup.com"
+ | where success == false;
+ dataset
+
+ QUERY
+
+ severity = 1
+ frequency = 5
+ time_window = 30
+ trigger {
+ operator = "GreaterThan"
+ threshold = 10
+ }
+
+ action {
+ action_group = [
+ azurerm_monitor_action_group.error_action_group.id,
+ ]
+ }
+
+ tags = var.tags
+}
+
+import {
+ to = azurerm_monitor_scheduled_query_rules_alert.mailup_alert_rule
+ id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/scheduledQueryRules/[SEND.MAILUP.COM] Many Failures"
+}
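Review bot: The `import` block for `mailup_alert_rule` is a one-shot migration aid with a literal subscription id and resource path; once the apply that adopts the rule has run it should be deleted, otherwise the hard-coded id stays in the codebase beside `data.azurerm_subscription.current` and every later plan keeps re-evaluating it. In the KQL, `let timeGrain=5m;` is declared but never used, so drop it or `summarize ... by bin(timestamp, timeGrain)`. `auto_mitigation_enabled = false` keeps the alert fired until someone resolves it, which is presumably intended for a severity-1 rule routed to Opsgenie; a one-line comment would spare the next reader the question.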
diff --git a/src/core/private_dns_zones.tf b/src/core/private_dns_zones.tf
index a34cf32bf..99710cc14 100644
--- a/src/core/private_dns_zones.tf
+++ b/src/core/private_dns_zones.tf
@@ -52,8 +52,8 @@ resource "azurerm_private_dns_a_record" "api_app_internal_io" {
name = "api-app"
zone_name = azurerm_private_dns_zone.internal_io_pagopa_it[0].name
resource_group_name = azurerm_resource_group.rg_internal.name
- ttl = var.dns_default_ttl_sec
- records = module.apim.*.private_ip_addresses[0]
+ ttl = "60" # var.dns_default_ttl_sec # TODO rollback after apim-v2 migration
+ records = module.apim_v2.*.private_ip_addresses[0]
tags = var.tags
}
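Review bot: `ttl = "60"` passes a string to a numeric attribute; Terraform converts it, but `ttl = 60 # var.dns_default_ttl_sec — TODO rollback after apim-v2 migration` keeps the type explicit and matches the variable it temporarily replaces. The `TODO rollback` marker has no owner or tracking reference, so it risks outliving the migration; `# TODO(<owner>): restore var.dns_default_ttl_sec once the apim-v2 migration is complete` makes it findable. The record now resolves to `module.apim_v2` private IPs, which is the actual cutover this hunk performs; the enclosing resource block starts outside the hunk.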
diff --git a/src/core/selfcare.tf b/src/core/selfcare.tf
index 182c38929..499e8344b 100644
--- a/src/core/selfcare.tf
+++ b/src/core/selfcare.tf
@@ -205,7 +205,7 @@ module "appservice_selfcare_be" {
# Apim connection
APIM_PRODUCT_NAME = "io-services-api"
APIM_USER_GROUPS = "apimessagewrite,apiinforead,apimessageread,apilimitedprofileread"
- ARM_APIM = "io-p-apim-api"
+ ARM_APIM = "io-p-apim-v2-api"
ARM_RESOURCE_GROUP = "io-p-rg-internal"
ARM_SUBSCRIPTION_ID = data.azurerm_subscription.current.subscription_id
ARM_TENANT_ID = data.azurerm_client_config.current.tenant_id
@@ -244,6 +244,10 @@ module "appservice_selfcare_be" {
SUBSCRIPTION_MIGRATIONS_URL = format("https://%s.azurewebsites.net/api/v1", module.function_subscriptionmigrations.name)
SUBSCRIPTION_MIGRATIONS_APIKEY = data.azurerm_key_vault_secret.selfcare_subsmigrations_apikey.value
+ # Request Review Legacy Queue
+ REQUEST_REVIEW_LEGACY_QUEUE_CONNECTIONSTRING = data.azurerm_key_vault_secret.devportal_request_review_legacy_queue_connectionstring.value
+ REQUEST_REVIEW_LEGACY_QUEUE_NAME = "request-review-legacy"
+
# Feature Flags
#
# List of (comma separated) APIM userId for whom we want to enable Manage Flow on Service Management.
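Review bot: `REQUEST_REVIEW_LEGACY_QUEUE_CONNECTIONSTRING` copies the full queue connection string out of Key Vault into the app settings, and therefore into plan output and Terraform state, following the same pattern as `SUBSCRIPTION_MIGRATIONS_APIKEY` above it. If the app service has a managed identity with Key Vault access, a Key Vault reference setting (`@Microsoft.KeyVault(SecretUri=...)`) or a data-plane role assignment on the queue would keep the secret out of state; I cannot see from this hunk whether the `appservice_selfcare_be` module supports that, so treat it as a follow-up. The data source `devportal_request_review_legacy_queue_connectionstring` is referenced here but its declaration is not in this hunk; confirm it exists. The enclosing module block starts and ends outside the hunk.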
@@ -252,6 +256,10 @@ module "appservice_selfcare_be" {
# Note: The list below is for the user IDs only, not the full path APIM.id.
# UPDATE: The new feature is that "If one of such strings is "*", we suddenly open the feature to everyone.".
MANAGE_FLOW_ENABLE_USER_LIST = "*"
+
+ # Lock the creation of a new APIM user, when resolve SelfCareIdentity.
+ LOCK_SELFCARE_CREATE_NEW_APIM_USER = "false"
+
}
allowed_subnets = [module.appgateway_snet.id]
diff --git a/src/domains/citizen-auth-app/00_azuread.tf b/src/domains/citizen-auth-app/00_azuread.tf
index 316c5675c..bfffd3a8b 100644
--- a/src/domains/citizen-auth-app/00_azuread.tf
+++ b/src/domains/citizen-auth-app/00_azuread.tf
@@ -3,10 +3,6 @@ data "azuread_group" "adgroup_admin" {
display_name = format("%s-adgroup-admin", local.product)
}
-data "azuread_group" "adgroup_contributors" {
- display_name = format("%s-adgroup-contributors", local.product)
-}
-
data "azuread_group" "adgroup_developers" {
display_name = format("%s-adgroup-developers", local.product)
}
diff --git a/src/domains/citizen-auth-app/01_network.tf b/src/domains/citizen-auth-app/01_network.tf
index 327d5bc16..bf647e961 100644
--- a/src/domains/citizen-auth-app/01_network.tf
+++ b/src/domains/citizen-auth-app/01_network.tf
@@ -69,6 +69,12 @@ data "azurerm_subnet" "app_backend_l2_snet" {
resource_group_name = local.vnet_common_resource_group_name
}
+data "azurerm_subnet" "ioweb_profile_snet" {
+ name = format("%s-ioweb-profile-snet", local.common_project)
+ virtual_network_name = local.vnet_common_name
+ resource_group_name = local.vnet_common_resource_group_name
+}
+
data "azurerm_subnet" "apim_snet" {
name = "apimapi"
virtual_network_name = local.vnet_common_name
@@ -92,4 +98,4 @@ data "azurerm_subnet" "appgateway_snet" {
name = "io-p-appgateway-snet"
virtual_network_name = local.vnet_common_name
resource_group_name = local.vnet_common_resource_group_name
-}
\ No newline at end of file
+}
diff --git a/src/domains/citizen-auth-app/04_fims.tf b/src/domains/citizen-auth-app/04_fims.tf
index be470c17b..5d2890f91 100644
--- a/src/domains/citizen-auth-app/04_fims.tf
+++ b/src/domains/citizen-auth-app/04_fims.tf
@@ -5,6 +5,11 @@ resource "azurerm_resource_group" "fims_rg" {
tags = var.tags
}
+data "azurerm_cosmosdb_account" "cosmos_fims" {
+ name = "io-p-citizen-auth-fims-account"
+ resource_group_name = "io-p-citizen-auth-data-rg"
+}
+
data "azurerm_key_vault_secret" "mongodb_connection_string_fims" {
name = "io-p-fims-mongodb-account-connection-string"
key_vault_id = data.azurerm_key_vault.kv.id
@@ -48,26 +53,37 @@ locals {
FETCH_KEEPALIVE_FREE_SOCKET_TIMEOUT = "30000"
FETCH_KEEPALIVE_TIMEOUT = "60000"
- EXPRESS_SERVER_HOSTNAME = "0.0.0.0"
- LOG_LEVEL = "debug"
- APPLICATION_NAME = "io-openid-provider"
- IO_BACKEND_BASE_URL = "https://api-app.io.pagopa.it"
- VERSION = "0.0.1"
- MONGODB_URL = data.azurerm_key_vault_secret.mongodb_connection_string_fims.value
- AUTHENTICATION_COOKIE_KEY = "X-IO-FIMS-Token"
- GRANT_TTL_IN_SECONDS = "86400"
- ISSUER = "https://io-p-citizen-auth-weu-prod01-app-fims.azurewebsites.net"
- COOKIES_KEY = data.azurerm_key_vault_secret.cookies_key_fims.value
- ENABLE_FEATURE_REMEMBER_GRANT = "true"
+ EXPRESS_SERVER_HOSTNAME = "0.0.0.0"
+ LOG_LEVEL = "debug"
+ APPLICATION_NAME = "io-openid-provider"
+ IO_BACKEND_BASE_URL = "https://api-app.io.pagopa.it"
+ VERSION = "0.0.1"
+ MONGODB_URL = data.azurerm_key_vault_secret.mongodb_connection_string_fims.value
+ COSMOSDB_NAME = "fims"
+ COSMOSDB_URI = data.azurerm_cosmosdb_account.cosmos_fims.endpoint
+ COSMOSDB_KEY = data.azurerm_cosmosdb_account.cosmos_fims.primary_key
+ COSMOSDB_CONNECTION_STRING = format("AccountEndpoint=%s;AccountKey=%s;", data.azurerm_cosmosdb_account.cosmos_fims.endpoint, data.azurerm_cosmosdb_account.cosmos_fims.primary_key)
+ AUTHENTICATION_COOKIE_KEY = "X-IO-FIMS-Token"
+ GRANT_TTL_IN_SECONDS = "86400"
+ ISSUER = "https://io-p-citizen-auth-weu-prod01-app-fims.azurewebsites.net"
+ COOKIES_KEY = data.azurerm_key_vault_secret.cookies_key_fims.value
+ ENABLE_FEATURE_REMEMBER_GRANT = "true",
+ APPINSIGHTS_SAMPLING_PERCENTAGE = 100,
+ ENABLE_PROXY = "true"
}
}
}
-module "fims_snet" {
+data "azurerm_nat_gateway" "nat_gateway" {
+ name = "io-p-natgw"
+ resource_group_name = "io-p-rg-common"
+}
+
+module "fims_plus_snet" {
count = var.fims_enabled ? 1 : 0
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.15"
- name = "fims"
- address_prefixes = var.cidr_subnet_fims
+ name = "fims-plus"
+ address_prefixes = var.cidr_subnet_fims_plus
resource_group_name = data.azurerm_virtual_network.vnet_common.resource_group_name
virtual_network_name = data.azurerm_virtual_network.vnet_common.name
private_endpoint_network_policies_enabled = true
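Review bot: `COSMOSDB_KEY` and `COSMOSDB_CONNECTION_STRING` both carry the account's `primary_key`, the read-write master key, and the connection string is just `COSMOSDB_URI` plus `COSMOSDB_KEY` again, so the same secret reaches the app in two settings; keep one form, and if the provider only reads, `primary_readonly_key` is the least-privilege choice — I cannot tell the access pattern from this hunk. Because these entries are added to `local.fims.app_settings_common`, they are pushed to every app service that consumes that local, not only the new FIMS+ one. The two new lines `ENABLE_FEATURE_REMEMBER_GRANT = "true",` and `APPINSIGHTS_SAMPLING_PERCENTAGE = 100,` introduce trailing commas and a bare number into a map whose other values are plain strings; `APPINSIGHTS_SAMPLING_PERCENTAGE = "100"` without the commas keeps the map uniform. The `module "fims_plus_snet"` block at the end of the hunk continues outside it.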
@@ -85,31 +101,28 @@ module "fims_snet" {
}
}
-data "azurerm_nat_gateway" "nat_gateway" {
- name = "io-p-natgw"
- resource_group_name = "io-p-rg-common"
-}
-
-resource "azurerm_subnet_nat_gateway_association" "fims_snet" {
+resource "azurerm_subnet_nat_gateway_association" "fims_plus_snet" {
count = var.fims_enabled ? 1 : 0
nat_gateway_id = data.azurerm_nat_gateway.nat_gateway.id
- subnet_id = module.fims_snet[0].id
+ subnet_id = module.fims_plus_snet[0].id
}
-module "appservice_fims" {
+
+
+module "appservice_fims_plus" {
count = var.fims_enabled ? 1 : 0
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service?ref=v4.1.15"
# App service plan
plan_type = "internal"
- plan_name = format("%s-plan-fims", local.project)
+ plan_name = format("%s-plan-fims-plus", local.project)
plan_reserved = true # Mandatory for Linux plan
plan_kind = "Linux"
plan_sku_tier = var.fims_plan_sku_tier
plan_sku_size = var.fims_plan_sku_size
# App service
- name = format("%s-app-fims", local.project)
+ name = format("%s-app-fims-plus", local.project)
resource_group_name = azurerm_resource_group.fims_rg[0].name
location = azurerm_resource_group.fims_rg[0].location
@@ -130,20 +143,20 @@ module "appservice_fims" {
[],
)
- subnet_id = module.fims_snet[0].id
+ subnet_id = module.fims_plus_snet[0].id
vnet_integration = true
tags = var.tags
}
-module "appservice_fims_slot_staging" {
+module "appservice_fims_plus_slot_staging" {
count = var.fims_enabled ? 1 : 0
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service_slot?ref=v4.1.15"
# App service plan
- app_service_plan_id = module.appservice_fims[0].plan_id
- app_service_id = module.appservice_fims[0].id
- app_service_name = module.appservice_fims[0].name
+ app_service_plan_id = module.appservice_fims_plus[0].plan_id
+ app_service_id = module.appservice_fims_plus[0].id
+ app_service_name = module.appservice_fims_plus[0].name
# App service
name = "staging"
@@ -168,18 +181,18 @@ module "appservice_fims_slot_staging" {
[],
)
- subnet_id = module.fims_snet[0].id
+ subnet_id = module.fims_plus_snet[0].id
vnet_integration = true
tags = var.tags
}
-resource "azurerm_monitor_autoscale_setting" "appservice_fims" {
+resource "azurerm_monitor_autoscale_setting" "appservice_fims_plus" {
count = var.fims_enabled ? 1 : 0
- name = format("%s-autoscale", module.appservice_fims[0].name)
+ name = format("%s-autoscale", module.appservice_fims_plus[0].name)
resource_group_name = azurerm_resource_group.fims_rg[0].name
location = azurerm_resource_group.fims_rg[0].location
- target_resource_id = module.appservice_fims[0].plan_id
+ target_resource_id = module.appservice_fims_plus[0].plan_id
profile {
name = "default"
@@ -193,7 +206,7 @@ resource "azurerm_monitor_autoscale_setting" "appservice_fims" {
rule {
metric_trigger {
metric_name = "Requests"
- metric_resource_id = module.appservice_fims[0].id
+ metric_resource_id = module.appservice_fims_plus[0].id
metric_namespace = "microsoft.web/sites"
time_grain = "PT1M"
statistic = "Average"
@@ -215,7 +228,7 @@ resource "azurerm_monitor_autoscale_setting" "appservice_fims" {
rule {
metric_trigger {
metric_name = "CpuPercentage"
- metric_resource_id = module.appservice_fims[0].plan_id
+ metric_resource_id = module.appservice_fims_plus[0].plan_id
metric_namespace = "microsoft.web/serverfarms"
time_grain = "PT1M"
statistic = "Average"
@@ -237,7 +250,7 @@ resource "azurerm_monitor_autoscale_setting" "appservice_fims" {
rule {
metric_trigger {
metric_name = "Requests"
- metric_resource_id = module.appservice_fims[0].id
+ metric_resource_id = module.appservice_fims_plus[0].id
metric_namespace = "microsoft.web/sites"
time_grain = "PT1M"
statistic = "Average"
@@ -259,7 +272,7 @@ resource "azurerm_monitor_autoscale_setting" "appservice_fims" {
rule {
metric_trigger {
metric_name = "CpuPercentage"
- metric_resource_id = module.appservice_fims[0].plan_id
+ metric_resource_id = module.appservice_fims_plus[0].plan_id
metric_namespace = "microsoft.web/serverfarms"
time_grain = "PT1M"
statistic = "Average"
@@ -287,7 +300,7 @@ resource "azurerm_monitor_metric_alert" "too_many_http_5xx" {
name = "[IO-COMMONS | FIMS] Too many 5xx"
resource_group_name = azurerm_resource_group.fims_rg[0].name
- scopes = [module.appservice_fims[0].id]
+ scopes = [module.appservice_fims_plus[0].id]
description = "Whenever the total http server errors exceeds a dynamic threashold."
severity = 0
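Review bot: `scopes = [module.appservice_fims_plus[0].id]` moves the `Too many 5xx` alert to the new app only, while `module.appservice_fims` is kept deployed further down in this commit (under `OLD FIMS TO REMOVE`), so the legacy app — which presumably still serves traffic until the cutover — loses its 5xx alerting. Either keep a second `azurerm_monitor_metric_alert` for the old app until it is deleted, or state in the commit description that the old app is already out of the traffic path. The alert resource block starts outside the hunk.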
@@ -316,3 +329,219 @@ resource "azurerm_monitor_metric_alert" "too_many_http_5xx" {
tags = var.tags
}
+
+######################
+# OLD FIMS TO REMOVE #
+######################
+
+module "fims_snet" {
+ count = var.fims_enabled ? 1 : 0
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.15"
+ name = "fims"
+ address_prefixes = var.cidr_subnet_fims
+ resource_group_name = data.azurerm_virtual_network.vnet_common.resource_group_name
+ virtual_network_name = data.azurerm_virtual_network.vnet_common.name
+ private_endpoint_network_policies_enabled = true
+
+ service_endpoints = [
+ "Microsoft.Web",
+ ]
+
+ delegation = {
+ name = "default"
+ service_delegation = {
+ name = "Microsoft.Web/serverFarms"
+ actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+ }
+ }
+}
+
+resource "azurerm_subnet_nat_gateway_association" "fims_snet" {
+ count = var.fims_enabled ? 1 : 0
+ nat_gateway_id = data.azurerm_nat_gateway.nat_gateway.id
+ subnet_id = module.fims_snet[0].id
+}
+
+module "appservice_fims" {
+ count = var.fims_enabled ? 1 : 0
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service?ref=v4.1.15"
+
+ # App service plan
+ plan_type = "internal"
+ plan_name = format("%s-plan-fims", local.project)
+ plan_reserved = true # Mandatory for Linux plan
+ plan_kind = "Linux"
+ plan_sku_tier = var.fims_plan_sku_tier
+ plan_sku_size = var.fims_plan_sku_size
+
+ # App service
+ name = format("%s-app-fims", local.project)
+ resource_group_name = azurerm_resource_group.fims_rg[0].name
+ location = azurerm_resource_group.fims_rg[0].location
+
+ always_on = true
+ linux_fx_version = "NODE|18-lts"
+ app_command_line = local.fims.app_command_line
+ health_check_path = "/api/info"
+
+ app_settings = local.fims.app_settings_common
+
+ allowed_subnets = [
+ data.azurerm_subnet.appgateway_snet.id,
+ data.azurerm_subnet.apim_snet.id,
+ data.azurerm_subnet.apim_v2_snet.id,
+ ]
+
+ allowed_ips = concat(
+ [],
+ )
+
+ subnet_id = module.fims_snet[0].id
+ vnet_integration = true
+
+ tags = var.tags
+}
+
+module "appservice_fims_slot_staging" {
+ count = var.fims_enabled ? 1 : 0
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service_slot?ref=v4.1.15"
+
+ # App service plan
+ app_service_plan_id = module.appservice_fims[0].plan_id
+ app_service_id = module.appservice_fims[0].id
+ app_service_name = module.appservice_fims[0].name
+
+ # App service
+ name = "staging"
+ resource_group_name = azurerm_resource_group.fims_rg[0].name
+ location = azurerm_resource_group.fims_rg[0].location
+
+ always_on = true
+ linux_fx_version = "NODE|18-lts"
+ app_command_line = local.fims.app_command_line
+ health_check_path = "/api/info"
+
+ app_settings = local.fims.app_settings_common
+
+ allowed_subnets = [
+ data.azurerm_subnet.azdoa_snet[0].id,
+ data.azurerm_subnet.appgateway_snet.id,
+ data.azurerm_subnet.apim_snet.id,
+ data.azurerm_subnet.apim_v2_snet.id,
+ ]
+
+ allowed_ips = concat(
+ [],
+ )
+
+ subnet_id = module.fims_snet[0].id
+ vnet_integration = true
+
+ tags = var.tags
+}
+
+resource "azurerm_monitor_autoscale_setting" "appservice_fims" {
+ count = var.fims_enabled ? 1 : 0
+ name = format("%s-autoscale", module.appservice_fims[0].name)
+ resource_group_name = azurerm_resource_group.fims_rg[0].name
+ location = azurerm_resource_group.fims_rg[0].location
+ target_resource_id = module.appservice_fims[0].plan_id
+
+ profile {
+ name = "default"
+
+ capacity {
+ default = var.fims_autoscale_default
+ minimum = var.fims_autoscale_minimum
+ maximum = var.fims_autoscale_maximum
+ }
+
+ rule {
+ metric_trigger {
+ metric_name = "Requests"
+ metric_resource_id = module.appservice_fims[0].id
+ metric_namespace = "microsoft.web/sites"
+ time_grain = "PT1M"
+ statistic = "Average"
+ time_window = "PT5M"
+ time_aggregation = "Average"
+ operator = "GreaterThan"
+ threshold = 4000
+ divide_by_instance_count = false
+ }
+
+ scale_action {
+ direction = "Increase"
+ type = "ChangeCount"
+ value = "2"
+ cooldown = "PT5M"
+ }
+ }
+
+ rule {
+ metric_trigger {
+ metric_name = "CpuPercentage"
+ metric_resource_id = module.appservice_fims[0].plan_id
+ metric_namespace = "microsoft.web/serverfarms"
+ time_grain = "PT1M"
+ statistic = "Average"
+ time_window = "PT5M"
+ time_aggregation = "Average"
+ operator = "GreaterThan"
+ threshold = 50
+ divide_by_instance_count = false
+ }
+
+ scale_action {
+ direction = "Increase"
+ type = "ChangeCount"
+ value = "2"
+ cooldown = "PT5M"
+ }
+ }
+
+ rule {
+ metric_trigger {
+ metric_name = "Requests"
+ metric_resource_id = module.appservice_fims[0].id
+ metric_namespace = "microsoft.web/sites"
+ time_grain = "PT1M"
+ statistic = "Average"
+ time_window = "PT5M"
+ time_aggregation = "Average"
+ operator = "LessThan"
+ threshold = 1000
+ divide_by_instance_count = false
+ }
+
+ scale_action {
+ direction = "Decrease"
+ type = "ChangeCount"
+ value = "1"
+ cooldown = "PT1H"
+ }
+ }
+
+ rule {
+ metric_trigger {
+ metric_name = "CpuPercentage"
+ metric_resource_id = module.appservice_fims[0].plan_id
+ metric_namespace = "microsoft.web/serverfarms"
+ time_grain = "PT1M"
+ statistic = "Average"
+ time_window = "PT5M"
+ time_aggregation = "Average"
+ operator = "LessThan"
+ threshold = 10
+ divide_by_instance_count = false
+ }
+
+ scale_action {
+ direction = "Decrease"
+ type = "ChangeCount"
+ value = "1"
+ cooldown = "PT1H"
+ }
+ }
+ }
+}
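Review bot: the retained `module "appservice_fims"` and `module "appservice_fims_slot_staging"` still set `app_settings = local.fims.app_settings_common`, so the Cosmos DB master key and connection string added to that local earlier in this same commit are also pushed to the legacy app and slot that are slated for removal. If the legacy app does not need Cosmos, give it its own settings map or freeze a copy of the old local, so the key's exposure is limited to FIMS+. The `OLD FIMS TO REMOVE` banner should also say what the removal waits on, for example `# OLD FIMS TO REMOVE: delete after the FIMS+ cutover — tracked in <ticket placeholder>`, so the duplicated resources are not forgotten.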
diff --git a/src/domains/citizen-auth-app/06_storage.tf b/src/domains/citizen-auth-app/06_storage.tf
index a9a807ee9..ca2bdde15 100644
--- a/src/domains/citizen-auth-app/06_storage.tf
+++ b/src/domains/citizen-auth-app/06_storage.tf
@@ -1,4 +1,9 @@
data "azurerm_storage_account" "lollipop_assertion_storage" {
name = replace(format("%s-lollipop-assertions-st", local.product), "-", "")
resource_group_name = format("%s-%s-data-rg", local.product, var.domain)
+}
+
+data "azurerm_storage_account" "lv_audit_logs_storage" {
+ name = replace(format("%s-lv-logs-st", local.product), "-", "")
+ resource_group_name = format("%s-%s-data-rg", local.product, var.domain)
}
\ No newline at end of file
diff --git a/src/domains/citizen-auth-app/07_function_fast_login.tf b/src/domains/citizen-auth-app/07_function_fast_login.tf
index 8eef2b645..5a853bb9d 100644
--- a/src/domains/citizen-auth-app/07_function_fast_login.tf
+++ b/src/domains/citizen-auth-app/07_function_fast_login.tf
@@ -25,6 +25,11 @@ locals {
// --------------------------
LOLLIPOP_GET_ASSERTION_BASE_URL = "https://api.io.pagopa.it"
LOLLIPOP_GET_ASSERTION_API_KEY = data.azurerm_key_vault_secret.fast_login_subscription_key.value
+
+ // --------------------------
+ // Fast login audit log storage
+ // --------------------------
+ FAST_LOGIN_AUDIT_CONNECTION_STRING = data.azurerm_storage_account.lv_audit_logs_storage.primary_connection_string
}
}
}
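Review bot: `FAST_LOGIN_AUDIT_CONNECTION_STRING` hands the function the storage account's `primary_connection_string`, i.e. the full account key, in order to write audit logs; if the function app runs with a managed identity, a data-plane role on the audit account (such as Storage Blob Data Contributor scoped to the log container) would avoid an account-wide read/write/delete credential on a log store whose integrity matters, and would keep the key out of state. The data source it references, `lv_audit_logs_storage`, is declared in `06_storage.tf` in this commit. The `locals` block continues outside the hunk.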
@@ -110,6 +115,7 @@ module "function_fast_login" {
module.fast_login_snet[0].id,
data.azurerm_subnet.app_backend_l1_snet.id,
data.azurerm_subnet.app_backend_l2_snet.id,
+ data.azurerm_subnet.ioweb_profile_snet.id,
]
# Action groups for alerts
diff --git a/src/domains/citizen-auth-app/99_variables.tf b/src/domains/citizen-auth-app/99_variables.tf
index 9c4a994e1..8ac1cfa01 100644
--- a/src/domains/citizen-auth-app/99_variables.tf
+++ b/src/domains/citizen-auth-app/99_variables.tf
@@ -229,6 +229,11 @@ variable "cidr_subnet_fims" {
description = "App service FIMS address space."
}
+variable "cidr_subnet_fims_plus" {
+ type = list(string)
+ description = "App service FIMS+ address space."
+}
+
variable "fims_plan_sku_tier" {
type = string
description = "App service plan sku tier"
diff --git a/src/domains/citizen-auth-app/README.md b/src/domains/citizen-auth-app/README.md
index bd14628b7..b5eb437bd 100644
--- a/src/domains/citizen-auth-app/README.md
+++ b/src/domains/citizen-auth-app/README.md
@@ -10,20 +10,16 @@
| [kubernetes](#requirement\_kubernetes) | = 2.17.0 |
| [null](#requirement\_null) | <= 3.2.1 |
-## Providers
-
-| Name | Version |
-|------|---------|
-| [azuread](#provider\_azuread) | 2.33.0 |
-| [azurerm](#provider\_azurerm) | 3.40.0 |
-
## Modules
| Name | Source | Version |
|------|--------|---------|
| [appservice\_fims](#module\_appservice\_fims) | git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service | v4.1.15 |
+| [appservice\_fims\_plus](#module\_appservice\_fims\_plus) | git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service | v4.1.15 |
+| [appservice\_fims\_plus\_slot\_staging](#module\_appservice\_fims\_plus\_slot\_staging) | git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service_slot | v4.1.15 |
| [appservice\_fims\_slot\_staging](#module\_appservice\_fims\_slot\_staging) | git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service_slot | v4.1.15 |
| [fast\_login\_snet](#module\_fast\_login\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v6.19.1 |
+| [fims\_plus\_snet](#module\_fims\_plus\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.15 |
| [fims\_snet](#module\_fims\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.15 |
| [function\_fast\_login](#module\_function\_fast\_login) | git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app | v6.19.1 |
| [function\_fast\_login\_staging\_slot](#module\_function\_fast\_login\_staging\_slot) | git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app_slot | v6.19.1 |
@@ -36,6 +32,7 @@
| Name | Type |
|------|------|
| [azurerm_monitor_autoscale_setting.appservice_fims](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource |
+| [azurerm_monitor_autoscale_setting.appservice_fims_plus](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource |
| [azurerm_monitor_autoscale_setting.function_fast_login](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource |
| [azurerm_monitor_autoscale_setting.function_lollipop](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource |
| [azurerm_monitor_metric_alert.too_many_http_5xx](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
@@ -44,15 +41,16 @@
| [azurerm_resource_group.fast_login_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azurerm_resource_group.fims_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azurerm_resource_group.lollipop_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_subnet_nat_gateway_association.fims_plus_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_nat_gateway_association) | resource |
| [azurerm_subnet_nat_gateway_association.fims_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_nat_gateway_association) | resource |
| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
-| [azuread_group.adgroup_contributors](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source |
| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
| [azurerm_cosmosdb_account.cosmos_citizen_auth](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/cosmosdb_account) | data source |
+| [azurerm_cosmosdb_account.cosmos_fims](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/cosmosdb_account) | data source |
| [azurerm_cosmosdb_account.cosmosdb_mongo_fims](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/cosmosdb_account) | data source |
| [azurerm_key_vault.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
| [azurerm_key_vault_certificate_data.lollipop_certificate_v1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate_data) | data source |
@@ -77,12 +75,14 @@
| [azurerm_resource_group.data_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
| [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
| [azurerm_storage_account.lollipop_assertion_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
+| [azurerm_storage_account.lv_audit_logs_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
| [azurerm_subnet.apim_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subnet.apim_v2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subnet.app_backend_l1_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subnet.app_backend_l2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subnet.appgateway_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subnet.azdoa_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.ioweb_profile_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
| [azurerm_virtual_network.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
@@ -94,6 +94,7 @@
|------|-------------|------|---------|:--------:|
| [application\_insights\_name](#input\_application\_insights\_name) | Specifies the name of the Application Insights. | `string` | n/a | yes |
| [cidr\_subnet\_fims](#input\_cidr\_subnet\_fims) | App service FIMS address space. | `list(string)` | n/a | yes |
+| [cidr\_subnet\_fims\_plus](#input\_cidr\_subnet\_fims\_plus) | App service FIMS+ address space. | `list(string)` | n/a | yes |
| [cidr\_subnet\_fnfastlogin](#input\_cidr\_subnet\_fnfastlogin) | Function Lollipop address space. | `list(string)` | n/a | yes |
| [cidr\_subnet\_fnlollipop](#input\_cidr\_subnet\_fnlollipop) | Function Lollipop address space. | `list(string)` | n/a | yes |
| [domain](#input\_domain) | n/a | `string` | n/a | yes |
diff --git a/src/domains/citizen-auth-app/env/weu-beta/terraform.tfvars b/src/domains/citizen-auth-app/env/weu-beta/terraform.tfvars
index 621be9165..f400a8253 100644
--- a/src/domains/citizen-auth-app/env/weu-beta/terraform.tfvars
+++ b/src/domains/citizen-auth-app/env/weu-beta/terraform.tfvars
@@ -45,3 +45,5 @@ ingress_load_balancer_ip = "10.10.100.250"
cidr_subnet_fnlollipop = ["127.0.0.1/32"]
cidr_subnet_fnfastlogin = ["127.0.0.2/32"]
cidr_subnet_fims = ["127.0.0.3/32"]
+cidr_subnet_fims_plus = ["127.0.0.4/32"]
+
diff --git a/src/domains/citizen-auth-app/env/weu-prod01/terraform.tfvars b/src/domains/citizen-auth-app/env/weu-prod01/terraform.tfvars
index 660e8d2ec..74a321750 100644
--- a/src/domains/citizen-auth-app/env/weu-prod01/terraform.tfvars
+++ b/src/domains/citizen-auth-app/env/weu-prod01/terraform.tfvars
@@ -65,8 +65,9 @@ function_fastlogin_autoscale_default = 10
# FIMS App Service
cidr_subnet_fims = ["10.0.18.0/26"]
+cidr_subnet_fims_plus = ["10.0.18.64/26"]
fims_plan_sku_tier = "PremiumV3"
fims_plan_sku_size = "P1v3"
fims_autoscale_minimum = 1
fims_autoscale_maximum = 3
-fims_autoscale_default = 1
\ No newline at end of file
+fims_autoscale_default = 1
diff --git a/src/domains/citizen-auth-common/00_azuread.tf b/src/domains/citizen-auth-common/00_azuread.tf
index 316c5675c..bfffd3a8b 100644
--- a/src/domains/citizen-auth-common/00_azuread.tf
+++ b/src/domains/citizen-auth-common/00_azuread.tf
@@ -3,10 +3,6 @@ data "azuread_group" "adgroup_admin" {
display_name = format("%s-adgroup-admin", local.product)
}
-data "azuread_group" "adgroup_contributors" {
- display_name = format("%s-adgroup-contributors", local.product)
-}
-
data "azuread_group" "adgroup_developers" {
display_name = format("%s-adgroup-developers", local.product)
}
diff --git a/src/domains/citizen-auth-common/02_key_vault.tf b/src/domains/citizen-auth-common/02_key_vault.tf
index 20a1cbf97..8d6e87211 100644
--- a/src/domains/citizen-auth-common/02_key_vault.tf
+++ b/src/domains/citizen-auth-common/02_key_vault.tf
@@ -31,19 +31,6 @@ resource "azurerm_key_vault_access_policy" "adgroup_admin" {
certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
-## adgroup_developers group policy ##
-resource "azurerm_key_vault_access_policy" "adgroup_contributors" {
- key_vault_id = module.key_vault.id
-
- tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azuread_group.adgroup_contributors.object_id
-
- key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
- secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
- storage_permissions = []
- certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
-}
-
## adgroup_developers group policy ##
resource "azurerm_key_vault_access_policy" "adgroup_developers" {
key_vault_id = module.key_vault.id
diff --git a/src/domains/citizen-auth-common/03_apim.tf b/src/domains/citizen-auth-common/03_apim.tf
index 22470ad39..e91d2a794 100644
--- a/src/domains/citizen-auth-common/03_apim.tf
+++ b/src/domains/citizen-auth-common/03_apim.tf
@@ -103,6 +103,7 @@ resource "azurerm_api_management_subscription" "pagopa" {
product_id = module.apim_product_lollipop.id
display_name = "Lollipop API"
state = "active"
+ allow_tracing = false
}
resource "azurerm_api_management_subscription" "pagopa_fastlogin" {
@@ -112,6 +113,7 @@ resource "azurerm_api_management_subscription" "pagopa_fastlogin" {
product_id = module.apim_product_lollipop.id
display_name = "Fast Login LC"
state = "active"
+ allow_tracing = false
}
####################################################################################
diff --git a/src/domains/citizen-auth-common/03_apim_v2.tf b/src/domains/citizen-auth-common/03_apim_v2.tf
index accbdef04..438ade0b2 100644
--- a/src/domains/citizen-auth-common/03_apim_v2.tf
+++ b/src/domains/citizen-auth-common/03_apim_v2.tf
@@ -96,35 +96,33 @@ resource "azurerm_api_management_group_user" "pagopa_group_v2" {
group_name = azurerm_api_management_group.api_lollipop_assertion_read_v2.name
}
-# TODO import after migration
-# resource "azurerm_api_management_subscription" "pagopa_v2" {
-# user_id = azurerm_api_management_user.pagopa_user_v2.id
-# api_management_name = data.azurerm_api_management.apim_v2_api.name
-# resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
-# product_id = module.apim_v2_product_lollipop.id
-# display_name = "Lollipop API"
-# state = "active"
-# }
-
-# TODO import after migration
-# resource "azurerm_api_management_subscription" "pagopa_fastlogin_v2" {
-# user_id = azurerm_api_management_user.pagopa_user_v2.id
-# api_management_name = data.azurerm_api_management.apim_v2_api.name
-# resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
-# product_id = module.apim_v2_product_lollipop.id
-# display_name = "Fast Login LC"
-# state = "active"
-# }
+resource "azurerm_api_management_subscription" "pagopa_v2" {
+ user_id = azurerm_api_management_user.pagopa_user_v2.id
+ api_management_name = data.azurerm_api_management.apim_v2_api.name
+ resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
+ product_id = module.apim_v2_product_lollipop.id
+ display_name = "Lollipop API"
+ state = "active"
+ allow_tracing = false
+}
+
+resource "azurerm_api_management_subscription" "pagopa_fastlogin_v2" {
+ user_id = azurerm_api_management_user.pagopa_user_v2.id
+ api_management_name = data.azurerm_api_management.apim_v2_api.name
+ resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
+ product_id = module.apim_v2_product_lollipop.id
+ display_name = "Fast Login LC"
+ state = "active"
+ allow_tracing = false
+}
####################################################################################
# PagoPA General Lollipop Secret
####################################################################################
resource "azurerm_key_vault_secret" "first_lollipop_consumer_subscription_key_v2" {
- name = "first-lollipop-consumer-pagopa-subscription-key-v2"
- value = azurerm_api_management_subscription.pagopa.primary_key
- # TODO import after migration value = azurerm_api_management_subscription.pagopa_v2.primary_key
-
+ name = "first-lollipop-consumer-pagopa-subscription-key-v2"
+ value = azurerm_api_management_subscription.pagopa_v2.primary_key
key_vault_id = module.key_vault.id
}
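Review bot: Removing the `TODO import after migration` markers and declaring `pagopa_v2` / `pagopa_fastlogin_v2` as managed resources does not import anything: if these subscriptions were already created in the v2 instance out of band (which the removed TODO implied), a plan will create a second subscription with the same display name and a fresh key, and `first-lollipop-consumer-pagopa-subscription-key-v2` will silently switch to that new key while the old one stays valid as an orphaned credential. Either import the existing subscription IDs into these two addresses before applying, or confirm none exist and revoke any hand-made ones. Independently of that, the secret's value now changes from the v1 subscription key to the v2 one, which is a key rotation for every consumer reading it; a comment on the secret such as `# switching to the v2 key invalidates the value distributed to PagoPA; coordinate the cut-over` would make that visible. The second hunk in this file does the same for `fast-login-subscription-key-v2`.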
@@ -134,8 +132,7 @@ resource "azurerm_key_vault_secret" "first_lollipop_consumer_subscription_key_v2
# subscription key used for assertion retrieval
resource "azurerm_key_vault_secret" "fast_login_subscription_key_v2" {
- name = "fast-login-subscription-key-v2"
- value = azurerm_api_management_subscription.pagopa_fastlogin.primary_key
- # TODO import after migration value = azurerm_api_management_subscription.pagopa_fastlogin_v2.primary_key
+ name = "fast-login-subscription-key-v2"
+ value = azurerm_api_management_subscription.pagopa_fastlogin_v2.primary_key
key_vault_id = module.key_vault.id
}
\ No newline at end of file
diff --git a/src/domains/citizen-auth-common/03_storage.tf b/src/domains/citizen-auth-common/03_storage.tf
index 6c173f381..58ac57dca 100644
--- a/src/domains/citizen-auth-common/03_storage.tf
+++ b/src/domains/citizen-auth-common/03_storage.tf
@@ -1,3 +1,6 @@
+###
+# LolliPoP Assertion Storage
+###
module "lollipop_assertions_storage" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v6.1.0"
@@ -79,3 +82,63 @@ resource "azurerm_storage_queue" "lollipop_assertions_storage_revoke_queue" {
name = "pubkeys-revoke" # This value is used in src/core/99_variables.tf#citizen_auth_revoke_queue_name
storage_account_name = module.lollipop_assertions_storage.name
}
+
+###
+# LV Audit Log Storage
+###
+
+module "lv_audit_logs_storage" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v6.1.0"
+
+ name = replace(format("%s-lv-logs-st", local.product), "-", "")
+ domain = upper(var.domain)
+ account_kind = "StorageV2"
+ account_tier = "Standard"
+ access_tier = "Hot"
+ account_replication_type = "GZRS"
+ resource_group_name = azurerm_resource_group.data_rg.name
+ location = var.location
+ advanced_threat_protection = true
+ enable_identity = true
+ public_network_access_enabled = false
+
+ tags = var.tags
+}
+
+module "lv_audit_logs_storage_customer_managed_key" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key?ref=v4.3.1"
+ tenant_id = data.azurerm_subscription.current.tenant_id
+ location = var.location
+ resource_group_name = azurerm_resource_group.data_rg.name
+ key_vault_id = module.key_vault.id
+ key_name = format("%s-key", module.lv_audit_logs_storage.name)
+ storage_id = module.lv_audit_logs_storage.id
+ storage_principal_id = module.lv_audit_logs_storage.identity.0.principal_id
+}
+
+resource "azurerm_private_endpoint" "lv_audit_logs_storage_blob" {
+ name = "${module.lv_audit_logs_storage.name}-blob-endpoint"
+ location = var.location
+ resource_group_name = azurerm_resource_group.data_rg.name
+ subnet_id = data.azurerm_subnet.private_endpoints_subnet.id
+
+ private_service_connection {
+ name = "${module.lv_audit_logs_storage.name}-blob"
+ private_connection_resource_id = module.lv_audit_logs_storage.id
+ is_manual_connection = false
+ subresource_names = ["blob"]
+ }
+
+ private_dns_zone_group {
+ name = "private-dns-zone-group"
+ private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_blob_core_windows_net.id]
+ }
+
+ tags = var.tags
+}
+
+resource "azurerm_storage_container" "lv_audit_logs_storage_logs" {
+ name = "logs"
+ storage_account_name = module.lv_audit_logs_storage.name
+ container_access_type = "private"
+}
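Review bot: The `logs` container that will hold the LV audit logs has no immutability or retention protection in this hunk, so any principal with write/delete rights on the account can rewrite or purge the audit trail, which defeats the purpose of an audit store. The usual expectation for audit logs is a time-based retention/immutability policy, or at minimum blob versioning plus soft delete; the v6.1.0 storage module may expose some of these as inputs, and where it does not, a container-level immutability policy can be attached as a separate resource if the provider pinned for this stack (`<= 3.40.0` per the README change below) supports it — worth confirming before relying on it. A comment on the module recording the intended retention, e.g. `# LV audit logs: retention/immutability requirement TBD — must be set before go-live`, would at least keep the gap visible. Network isolation (`public_network_access_enabled = false` plus the blob private endpoint) and the customer-managed key match the existing lollipop pattern and look right.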
diff --git a/src/domains/citizen-auth-common/05_database.tf b/src/domains/citizen-auth-common/05_database.tf
index 2aedae4e6..b25f15495 100644
--- a/src/domains/citizen-auth-common/05_database.tf
+++ b/src/domains/citizen-auth-common/05_database.tf
@@ -125,6 +125,195 @@ resource "azurerm_monitor_metric_alert" "cosmosdb_account_normalized_RU_consumpt
############################
# FIMS COSMOS
############################
+module "cosmosdb_account_fims" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_account?ref=v4.3.1"
+
+ name = "${local.product}-${var.domain}-fims-account"
+ domain = upper(var.domain)
+ location = azurerm_resource_group.data_rg.location
+ resource_group_name = azurerm_resource_group.data_rg.name
+ offer_type = "Standard"
+ enable_free_tier = false
+ kind = "GlobalDocumentDB"
+
+ public_network_access_enabled = false
+ private_endpoint_enabled = true
+ subnet_id = data.azurerm_subnet.private_endpoints_subnet.id
+ private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_documents_azure_com.id]
+ is_virtual_network_filter_enabled = false
+
+ main_geo_location_location = azurerm_resource_group.data_rg.location
+ main_geo_location_zone_redundant = true
+ additional_geo_locations = [{
+ location = "northeurope"
+ failover_priority = 1
+ zone_redundant = false
+ }]
+ consistency_policy = {
+ consistency_level = "Session"
+ max_interval_in_seconds = null
+ max_staleness_prefix = null
+ }
+
+ # Action groups for alerts
+ action = [
+ {
+ action_group_id = data.azurerm_monitor_action_group.error_action_group.id
+ webhook_properties = {}
+ }
+ ]
+
+ tags = var.tags
+}
+
+module "cosmosdb_sql_database_fims" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_sql_database?ref=v4.3.1"
+ name = "fims"
+ resource_group_name = azurerm_resource_group.data_rg.name
+ account_name = module.cosmosdb_account_fims.name
+}
+
+resource "azurerm_cosmosdb_sql_container" "fims_client" {
+
+ name = "Client"
+ resource_group_name = azurerm_resource_group.data_rg.name
+ account_name = module.cosmosdb_account_fims.name
+ database_name = module.cosmosdb_sql_database_fims.name
+
+ partition_key_path = "/organizationId"
+ partition_key_version = 2
+
+ autoscale_settings {
+ max_throughput = var.fims_database.client.max_throughput
+ }
+
+ default_ttl = var.fims_database.client.ttl
+
+ indexing_policy {
+ indexing_mode = "consistent"
+
+ included_path {
+ path = "/*"
+ }
+
+ excluded_path {
+ path = "/\"_etag\"/?"
+ }
+
+ composite_index {
+ index {
+ path = "/id"
+ order = "Descending"
+ }
+ index {
+ path = "/organizationId"
+ order = "Ascending"
+ }
+ }
+ }
+}
+
+resource "azurerm_cosmosdb_sql_container" "fims_grant" {
+
+ name = "Grant"
+ resource_group_name = azurerm_resource_group.data_rg.name
+ account_name = module.cosmosdb_account_fims.name
+ database_name = module.cosmosdb_sql_database_fims.name
+
+ partition_key_path = "/identityId"
+ partition_key_version = 2
+
+ autoscale_settings {
+ max_throughput = var.fims_database.grant.max_throughput
+ }
+
+ default_ttl = var.fims_database.grant.ttl
+
+ indexing_policy {
+ indexing_mode = "consistent"
+
+ included_path {
+ path = "/*"
+ }
+
+ excluded_path {
+ path = "/\"_etag\"/?"
+ }
+
+ composite_index {
+ index {
+ path = "/id"
+ order = "Descending"
+ }
+ index {
+ path = "/identityId"
+ order = "Ascending"
+ }
+ }
+ }
+}
+
+resource "azurerm_cosmosdb_sql_container" "fims_interaction" {
+
+ name = "Interaction"
+ resource_group_name = azurerm_resource_group.data_rg.name
+ account_name = module.cosmosdb_account_fims.name
+ database_name = module.cosmosdb_sql_database_fims.name
+
+ partition_key_path = "/id"
+ partition_key_version = 2
+
+ autoscale_settings {
+ max_throughput = var.fims_database.interaction.max_throughput
+ }
+
+ default_ttl = var.fims_database.interaction.ttl
+
+ indexing_policy {
+ indexing_mode = "consistent"
+
+ included_path {
+ path = "/*"
+ }
+
+ excluded_path {
+ path = "/\"_etag\"/?"
+ }
+ }
+}
+
+resource "azurerm_cosmosdb_sql_container" "fims_session" {
+
+ name = "Session"
+ resource_group_name = azurerm_resource_group.data_rg.name
+ account_name = module.cosmosdb_account_fims.name
+ database_name = module.cosmosdb_sql_database_fims.name
+
+ partition_key_path = "/id"
+ partition_key_version = 2
+
+ autoscale_settings {
+ max_throughput = var.fims_database.session.max_throughput
+ }
+
+ default_ttl = var.fims_database.session.ttl
+
+ indexing_policy {
+ indexing_mode = "consistent"
+
+ included_path {
+ path = "/*"
+ }
+
+ excluded_path {
+ path = "/\"_etag\"/?"
+ }
+ }
+}
+
+############################
+# FIMS MONGO (TO REMOVE)
+############################
module "cosmosdb_account_mongodb_fims" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_account?ref=v4.1.5"
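Review bot: The new `cosmosdb_account_fims` call configures network isolation but leaves data-plane authentication and backup at the module's defaults — nothing in the hunk disables account-key (local) authentication or states the backup mode, and the existing pattern further down in this file (a MongoDB connection string read from Key Vault) suggests key-based access is the norm. The Client/Grant/Interaction/Session containers look like an identity provider's state, so if the v4.3.1 module exposes those settings they should be set explicitly rather than inherited; otherwise a comment recording the decision, e.g. `# data-plane auth: account keys via KV (TODO move to AAD RBAC); backup: module default`, would tell the next reader it was considered. Minor: `is_virtual_network_filter_enabled = false` is harmless with public access disabled, but a short comment saying the private endpoint is the only path would avoid it reading like an oversight.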
@@ -136,7 +325,7 @@ module "cosmosdb_account_mongodb_fims" {
enable_free_tier = false
kind = "MongoDB"
capabilities = ["EnableMongo"]
- mongo_server_version = "4.0"
+ mongo_server_version = "4.2"
public_network_access_enabled = false
private_endpoint_enabled = true
@@ -175,3 +364,5 @@ data "azurerm_key_vault_secret" "mongodb_connection_string_fims" {
name = "io-p-fims-mongodb-account-connection-string"
key_vault_id = module.key_vault.id
}
+
+
diff --git a/src/domains/citizen-auth-common/99_variables.tf b/src/domains/citizen-auth-common/99_variables.tf
index a28761978..0060164dd 100644
--- a/src/domains/citizen-auth-common/99_variables.tf
+++ b/src/domains/citizen-auth-common/99_variables.tf
@@ -78,6 +78,15 @@ variable "citizen_auth_database" {
)
}
+variable "fims_database" {
+ type = map(
+ object({
+ max_throughput = number
+ ttl = number
+ })
+ )
+}
+
### External resources
variable "monitor_resource_group_name" {
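Review bot: `variable "fims_database"` has no `description` and no validation, so a reader cannot tell from the declaration what `ttl = -1` versus a positive number means for the containers that consume it. Add `description = "Per-container settings for the FIMS Cosmos DB: autoscale max RU/s and default_ttl in seconds (-1 = TTL enabled, no default expiry)"` and a `validation` block with `condition = alltrue([for c in var.fims_database : c.ttl == -1 || c.ttl > 0])`, since other values are only rejected by the service at apply time. `citizen_auth_database` just above is outside the hunk, so I cannot tell whether it already follows that convention; if it does, keep the two consistent.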
diff --git a/src/domains/citizen-auth-common/README.md b/src/domains/citizen-auth-common/README.md
index b2f285fd6..be459dbdf 100644
--- a/src/domains/citizen-auth-common/README.md
+++ b/src/domains/citizen-auth-common/README.md
@@ -8,13 +8,6 @@
| [azurerm](#requirement\_azurerm) | <= 3.40.0 |
| [null](#requirement\_null) | <= 3.2.1 |
-## Providers
-
-| Name | Version |
-|------|---------|
-| [azuread](#provider\_azuread) | 2.33.0 |
-| [azurerm](#provider\_azurerm) | 3.40.0 |
-
## Modules
| Name | Source | Version |
@@ -24,11 +17,15 @@
| [apim\_v2\_lollipop\_api\_v1](#module\_apim\_v2\_lollipop\_api\_v1) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api | v4.1.5 |
| [apim\_v2\_product\_lollipop](#module\_apim\_v2\_product\_lollipop) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product | v4.1.5 |
| [cosmosdb\_account](#module\_cosmosdb\_account) | git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_account | v4.3.1 |
+| [cosmosdb\_account\_fims](#module\_cosmosdb\_account\_fims) | git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_account | v4.3.1 |
| [cosmosdb\_account\_mongodb\_fims](#module\_cosmosdb\_account\_mongodb\_fims) | git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_account | v4.1.5 |
| [cosmosdb\_sql\_database\_citizen\_auth](#module\_cosmosdb\_sql\_database\_citizen\_auth) | git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_sql_database | v4.3.1 |
+| [cosmosdb\_sql\_database\_fims](#module\_cosmosdb\_sql\_database\_fims) | git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_sql_database | v4.3.1 |
| [key\_vault](#module\_key\_vault) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v4.1.3 |
| [lollipop\_assertions\_storage](#module\_lollipop\_assertions\_storage) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account | v6.1.0 |
| [lollipop\_assertions\_storage\_customer\_managed\_key](#module\_lollipop\_assertions\_storage\_customer\_managed\_key) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key | v4.3.1 |
+| [lv\_audit\_logs\_storage](#module\_lv\_audit\_logs\_storage) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account | v6.1.0 |
+| [lv\_audit\_logs\_storage\_customer\_managed\_key](#module\_lv\_audit\_logs\_storage\_customer\_managed\_key) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key | v4.3.1 |
## Resources
@@ -44,12 +41,17 @@
| [azurerm_api_management_named_value.io_fn_weu_lollipop_url_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
| [azurerm_api_management_subscription.pagopa](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource |
| [azurerm_api_management_subscription.pagopa_fastlogin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource |
+| [azurerm_api_management_subscription.pagopa_fastlogin_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource |
+| [azurerm_api_management_subscription.pagopa_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource |
| [azurerm_api_management_user.pagopa_user](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_user) | resource |
| [azurerm_api_management_user.pagopa_user_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_user) | resource |
| [azurerm_cosmosdb_mongo_database.db_fims](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_mongo_database) | resource |
+| [azurerm_cosmosdb_sql_container.fims_client](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_container) | resource |
+| [azurerm_cosmosdb_sql_container.fims_grant](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_container) | resource |
+| [azurerm_cosmosdb_sql_container.fims_interaction](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_container) | resource |
+| [azurerm_cosmosdb_sql_container.fims_session](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_container) | resource |
| [azurerm_cosmosdb_sql_container.lollipop_pubkeys](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_container) | resource |
| [azurerm_key_vault_access_policy.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
-| [azurerm_key_vault_access_policy.adgroup_contributors](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.azdevops_platform_iac_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.github_action_iac_cd_kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
@@ -64,12 +66,13 @@
| [azurerm_monitor_metric_alert.cosmosdb_account_normalized_RU_consumption_exceeded](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
| [azurerm_private_endpoint.lollipop_assertion_storage_blob](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
| [azurerm_private_endpoint.lollipop_assertion_storage_queue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
+| [azurerm_private_endpoint.lv_audit_logs_storage_blob](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
| [azurerm_resource_group.data_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azurerm_storage_container.lollipop_assertions_storage_assertions](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
+| [azurerm_storage_container.lv_audit_logs_storage_logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
| [azurerm_storage_queue.lollipop_assertions_storage_revoke_queue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_queue) | resource |
| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
-| [azuread_group.adgroup_contributors](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
@@ -108,6 +111,7 @@
| [enable\_azdoa](#input\_enable\_azdoa) | Specifies Azure Devops Agent enabling | `bool` | `true` | no |
| [env](#input\_env) | n/a | `string` | n/a | yes |
| [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes |
+| [fims\_database](#input\_fims\_database) | n/a | map(
object({
max_throughput = number
ttl = number
})
)
| n/a | yes |
| [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes |
| [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes |
| [location\_full](#input\_location\_full) | One of West Europe, North Europe | `string` | n/a | yes |
diff --git a/src/domains/citizen-auth-common/env/prod/terraform.tfvars b/src/domains/citizen-auth-common/env/prod/terraform.tfvars
index 20c84ca28..03ebe8713 100644
--- a/src/domains/citizen-auth-common/env/prod/terraform.tfvars
+++ b/src/domains/citizen-auth-common/env/prod/terraform.tfvars
@@ -24,6 +24,25 @@ citizen_auth_database = {
}
}
+fims_database = {
+ client = {
+ max_throughput = 3000
+ ttl = -1
+ },
+ grant = {
+ max_throughput = 3000
+ ttl = -1
+ },
+ interaction = {
+ max_throughput = 3000
+ ttl = -1
+ },
+ session = {
+ max_throughput = 3000
+ ttl = -1
+ }
+}
+
### External resources
monitor_resource_group_name = "io-p-rg-common"
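Review bot: All four FIMS containers get `ttl = -1`, which in Cosmos DB turns TTL on with no default expiry — a document only expires if it carries its own `ttl` field. For `session`, `interaction` and `grant` that means the store grows without bound and stale sessions remain readable unless the application sets a per-document TTL, which this diff cannot show; confirm that, or give those containers a finite default aligned with the longest intended session lifetime. A comment next to the block stating the intent, e.g. `# -1 = no default expiry; the application sets per-document ttl`, would stop the next reader from assuming expiry is handled here.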
diff --git a/src/domains/ioweb-app/.terraform.lock.hcl b/src/domains/ioweb-app/.terraform.lock.hcl
new file mode 100644
index 000000000..580b11cfd
--- /dev/null
+++ b/src/domains/ioweb-app/.terraform.lock.hcl
@@ -0,0 +1,136 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/azuread" {
+ version = "2.33.0"
+ constraints = "<= 2.33.0"
+ hashes = [
+ "h1:PDiZA9QpXCkaSuWu6jiCRcjVtKJETqjcOZq4I434zfE=",
+ "h1:QAQe2+WSqGnHYAVoA+NN4Oeuoqg5sXq3U9Qmj6S1P5M=",
+ "h1:XIvCW3Nl4bW1bc9f8jyGhft+fQjaed4yy/LFzDAeVJ8=",
+ "h1:Z28tjly5UfKOE+HL/oALxCPhmCuBwUgZ4uaYt68VR3M=",
+ "zh:0602d03d7d7e38819f78dc377e64f365427496edf1065bfbb113e3921ab1c34e",
+ "zh:08843838f4fe146084592472648d4ea7191931eabe042a96c3b3c6eaf8ddfb43",
+ "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7",
+ "zh:26a0d8a186e3b47ea0b7217a8e420b03fda59b7a680bb3ea52cf7d3e6d965ef3",
+ "zh:352a1cacaacd39e796de15a52d192ab0e6eb98dd36b5fbf8ebddd37e6dafa4ac",
+ "zh:3702ad4c534e67e2e07b060bfe5e6edc244c59c911906c8b15b96e7fecb0ff2c",
+ "zh:93b5248d26bdd44845b2ab051a2168c7edad788ae9836f62ea5fb632fd59d7ea",
+ "zh:a7b880155f4a67b52a5bfe78de33dc55254ef80006234f00e36aaf6533b1de4a",
+ "zh:a7cf0829364127c9bca26ec01ea3d66988b43987b2d26a3290487d1fc0da50eb",
+ "zh:b1f82b0d30af733b36a2f849799e0b1ed6a72888fa32a438c829c4e5cff88e20",
+ "zh:b6c2b23770852de8f56b549579c2f5a82afd84a9ca0616d53a25d48488f7aaf0",
+ "zh:d87dfbdfe8ab9d3a2e33f210333d40f211ea7d33bfa671063e6807c6ddd85a52",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/azurerm" {
+ version = "3.40.0"
+ constraints = ">= 3.30.0, <= 3.40.0"
+ hashes = [
+ "h1:/Jbhw/zNAsDYDoASaG6w+0KZyay9BkUVOpR8b7m0CsA=",
+ "h1:7Vfig36efXmcsWQSZwdB+bqZLtoZ/RyytY9lXHx9Fic=",
+ "h1:VpRitAMc2wjUH/2jCz9MtZZd83UFxwTCamjRvIh/Nvg=",
+ "h1:dSM3nwscFP/OmH5Kr5FGao+9DjIXUEECnbMtWdrQOdg=",
+ "zh:00fa6dc05bf2643c6a3c741edb7d88263698086835a8a613f1d7bd76d1b918fd",
+ "zh:0da9b788e773272a7aa9d59bd9e3d5842edd4acc8c3895bea469e66dc14205a0",
+ "zh:25a8c39d1f042fc7c83ba9dd745c3569ea9e577fadb57563a575fb115ac2b9f1",
+ "zh:4423666dbeae8bc22c6e8898ffbb88745681dc27668ca9104b665dd7f3d7292c",
+ "zh:78c07308e7407b558d15737a98fb5eaf15529d297fc3798de6a7d61e0466e2e3",
+ "zh:894aca7e6f4f331ee8eb51957a180dc03d399d2b1727e0d7842e9b3f022a8c6a",
+ "zh:bb0e620c2161b4c4892a6f50b1c4c69ed70f66bb5e92543a03d79d0e4b1d9441",
+ "zh:c7d8e6a791159ca63b30908c9efe72ab65f60d64b30f0c1eb5a64972f4994844",
+ "zh:d04c11bfd346c1ac34d16bbdca70b23b006e822f6beb236b85375e8343888eb4",
+ "zh:f4edea9660327c7c70a823d786fd1b1c1b186c8759770447f63da72f23e1a73c",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f986e268949cf445ff53a66af48a87c6f6dba5964e8a5b1dc0ea02afabdd71f7",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+ version = "2.8.0"
+ constraints = "2.8.0"
+ hashes = [
+ "h1:SAwW8iYsXVDhCs8UL5ElzfN6iP3q3tdObPwJiTpCkKI=",
+ "h1:U0w0mUT0SwZCR0poGNSxGaZJKWcOiu4GerpGztYBiMM=",
+ "h1:a98mBNghv9odh5PVmgdXapgyYJmO/ncAWkwLWdXLuY4=",
+ "h1:abRryu69lsIGXctqjMVoaKqi74eE12Vzd2FLpds1/PI=",
+ "zh:1e42d1a04c07d4006844e477ca32b5f45b04f6525dbbbe00b6be6e6ec5a11c54",
+ "zh:2f87187cb48ccfb18d12e2c4332e7e822923b659e7339b954b7db78aff91529f",
+ "zh:391fe49b4d2dc07bc717248a3fc6952189cfc49c596c514ad72a29c9a9f9d575",
+ "zh:89272048e1e63f3edc3e83dfddd5a9fd4bd2a4ead104e67de1e14319294dedf1",
+ "zh:a5a057c3435a854389ce8a1d98a54aaa7cbab68aca7baa436a605897aa70ff7e",
+ "zh:b1098e53e1a8a3afcd325ecd0328662156b3d9c3d80948f19ba3a4eb870cee2b",
+ "zh:b676f949e8274a2b6c3fa41f5428ea597125579c7b93bb50bb73a5e295a7a447",
+ "zh:cdf7e9460f28c2dbfe49a79a5022bd0d474ff18120d340738aa35456ba77ebca",
+ "zh:e24b59b4ed1c593facbf8051ec58550917991e2e017f3085dac5fb902d9908cb",
+ "zh:e3b5e1f5543cac9d9031a028f1c1be4858fb80fae69f181f21e9465e366ebfa2",
+ "zh:e9fddc0bcdb28503078456f0088851d45451600d229975fd9990ee92c7489a10",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+ version = "2.17.0"
+ constraints = "2.17.0"
+ hashes = [
+ "h1:Dq/EHg8mKP9wDDTJx5CzZ+w44wutIZJGfQLrAIznAqY=",
+ "h1:I1L2R+OPgGSh+P6uBSycvvoyRIey/FqMwSvlJ9ccw0o=",
+ "h1:Nu0bV0ehFE3aiAl8+qxBCxi8u+dfjvvhoQOW30rFGPo=",
+ "h1:p2sgF62c2svJSKuImL3/zq/SSPOZFyd4Vj7K0UF2VrQ=",
+ "zh:1cbafea8c404195d8ad2490d75dbeebef131563d3e38dec87231ceb3923a3012",
+ "zh:26d9584423ee77e607999b082de7d9dc3e937934aa83341e0832e7253caf4f51",
+ "zh:333527fc15fb43bbf1898a2f058598c596468a01d88c415627bb617878dc4d4d",
+ "zh:391b8c80e3115af485977d6e949d7260b7fc0b641089b884256bfd36a7077db2",
+ "zh:4d18ba55247486181759d60195777945bcd68e17ccd980820ca18e8a8b94aeb5",
+ "zh:607ae94d85d1c1ed3845bd71095daadea4b2468e16f57fa05c98eab0de6b14ae",
+ "zh:95c6cf22f8ef14e7a4f85e33cff5d6f11056c7880041b71d425d1b5ebbe246e7",
+ "zh:b077edcedb46a313b461ac1e49317872063b3871f2acbe1a50498612cefff387",
+ "zh:c6a7891683e44148b0c928fd4748b7abac727266ab551d679015f5fe8b72d1e6",
+ "zh:e5cebfdf873770c37a4304362003d3fea8d6c2fd819663ad121bc65bb81e4738",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:feb19269e7c0de473ad412b37818b48da0cc91e5c93dd4c77a72676ca97a16b1",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/null" {
+ version = "3.2.1"
+ constraints = "<= 3.2.1"
+ hashes = [
+ "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=",
+ "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=",
+ "h1:vUW21lLLsKlxtBf0QF7LKJreKxs0CM7YXGzqW1N/ODY=",
+ "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=",
+ "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840",
+ "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb",
+ "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5",
+ "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238",
+ "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc",
+ "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970",
+ "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2",
+ "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5",
+ "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f",
+ "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/tls" {
+ version = "4.0.4"
+ hashes = [
+ "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=",
+ "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55",
+ "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848",
+ "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be",
+ "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5",
+ "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe",
+ "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e",
+ "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48",
+ "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8",
+ "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60",
+ "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e",
+ "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/src/domains/ioweb-app/00_azuread.tf b/src/domains/ioweb-app/00_azuread.tf
new file mode 100644
index 000000000..bfffd3a8b
--- /dev/null
+++ b/src/domains/ioweb-app/00_azuread.tf
@@ -0,0 +1,16 @@
+# Azure AD
+data "azuread_group" "adgroup_admin" {
+ display_name = format("%s-adgroup-admin", local.product)
+}
+
+data "azuread_group" "adgroup_developers" {
+ display_name = format("%s-adgroup-developers", local.product)
+}
+
+data "azuread_group" "adgroup_externals" {
+ display_name = format("%s-adgroup-externals", local.product)
+}
+
+data "azuread_group" "adgroup_security" {
+ display_name = format("%s-adgroup-security", local.product)
+}
diff --git a/src/domains/ioweb-app/01_monitor.tf b/src/domains/ioweb-app/01_monitor.tf
new file mode 100644
index 000000000..d2178e06d
--- /dev/null
+++ b/src/domains/ioweb-app/01_monitor.tf
@@ -0,0 +1,33 @@
+data "azurerm_log_analytics_workspace" "log_analytics" {
+ name = var.log_analytics_workspace_name
+ resource_group_name = var.log_analytics_workspace_resource_group_name
+}
+
+data "azurerm_application_insights" "application_insights" {
+ name = var.application_insights_name
+ resource_group_name = var.monitor_resource_group_name
+}
+
+data "azurerm_resource_group" "monitor_rg" {
+ name = var.monitor_resource_group_name
+}
+
+data "azurerm_monitor_action_group" "slack" {
+ resource_group_name = var.monitor_resource_group_name
+ name = local.monitor_action_group_slack_name
+}
+
+data "azurerm_monitor_action_group" "email" {
+ resource_group_name = var.monitor_resource_group_name
+ name = local.monitor_action_group_email_name
+}
+
+data "azurerm_monitor_action_group" "error_action_group" {
+ resource_group_name = var.monitor_resource_group_name
+ name = "${var.prefix}${var.env_short}error"
+}
+
+data "azurerm_monitor_action_group" "quarantine_error_action_group" {
+ resource_group_name = var.monitor_resource_group_name
+ name = "${var.prefix}${var.env_short}quarantineerror"
+}
\ No newline at end of file
diff --git a/src/domains/ioweb-app/01_network.tf b/src/domains/ioweb-app/01_network.tf
new file mode 100644
index 000000000..8c28c718f
--- /dev/null
+++ b/src/domains/ioweb-app/01_network.tf
@@ -0,0 +1,73 @@
+data "azurerm_virtual_network" "vnet" {
+ name = local.vnet_name
+ resource_group_name = local.vnet_resource_group_name
+}
+
+data "azurerm_virtual_network" "vnet_common" {
+ name = local.vnet_common_name
+ resource_group_name = local.vnet_common_resource_group_name
+}
+
+data "azurerm_private_dns_zone" "internal" {
+ name = local.internal_dns_zone_name
+ resource_group_name = local.internal_dns_zone_resource_group_name
+}
+
+data "azurerm_private_dns_zone" "privatelink_blob_core_windows_net" {
+ name = "privatelink.blob.core.windows.net"
+ resource_group_name = format("%s-rg-common", local.product)
+}
+
+data "azurerm_private_dns_zone" "privatelink_queue_core_windows_net" {
+ name = "privatelink.queue.core.windows.net"
+ resource_group_name = format("%s-rg-common", local.product)
+}
+
+data "azurerm_private_dns_zone" "privatelink_file_core_windows_net" {
+ name = "privatelink.file.core.windows.net"
+ resource_group_name = format("%s-rg-common", local.product)
+}
+
+data "azurerm_private_dns_zone" "privatelink_table_core_windows_net" {
+ name = "privatelink.table.core.windows.net"
+ resource_group_name = format("%s-rg-common", local.product)
+}
+
+data "azurerm_private_dns_zone" "privatelink_documents_azure_com" {
+ name = "privatelink.documents.azure.com"
+ resource_group_name = format("%s-rg-common", local.product)
+}
+
+resource "azurerm_private_dns_a_record" "ingress" {
+ name = local.ingress_hostname
+ zone_name = data.azurerm_private_dns_zone.internal.name
+ resource_group_name = local.internal_dns_zone_resource_group_name
+ ttl = 3600
+ records = [var.ingress_load_balancer_ip]
+}
+
+data "azurerm_subnet" "private_endpoints_subnet" {
+ name = "pendpoints"
+ virtual_network_name = local.vnet_common_name
+ resource_group_name = local.vnet_common_resource_group_name
+}
+
+data "azurerm_subnet" "apim_v2_snet" {
+ name = "apimv2api"
+ virtual_network_name = local.vnet_common_name
+ resource_group_name = local.vnet_common_resource_group_name
+}
+
+data "azurerm_subnet" "function_app_snet" {
+ count = 2
+ name = format("%s-app-snet-%d", local.product, count.index + 1)
+ virtual_network_name = local.vnet_common_name
+ resource_group_name = local.vnet_common_resource_group_name
+}
+
+data "azurerm_subnet" "azdoa_snet" {
+ count = var.enable_azdoa ? 1 : 0
+ name = "azure-devops"
+ virtual_network_name = local.vnet_common_name
+ resource_group_name = local.vnet_common_resource_group_name
+}
diff --git a/src/domains/ioweb-app/02_security.tf b/src/domains/ioweb-app/02_security.tf
new file mode 100644
index 000000000..2f3d660d9
--- /dev/null
+++ b/src/domains/ioweb-app/02_security.tf
@@ -0,0 +1,42 @@
+data "azurerm_key_vault" "kv" {
+ name = "${local.product}-${var.domain}-kv"
+ resource_group_name = "${local.product}-${var.domain}-sec-rg"
+}
+
+#######
+# KEYS
+#######
+resource "tls_private_key" "ioweb_profile_jwe_key" {
+ algorithm = "ECDSA"
+ ecdsa_curve = "P256"
+}
+
+resource "tls_private_key" "ioweb_profile_jwt_key" {
+ algorithm = "RSA"
+ rsa_bits = 2048
+}
+#######
+
+resource "azurerm_key_vault_secret" "magic_link_jwe_pub_key" {
+ name = "ioweb-profile-magic-link-jwe-pub-key"
+ value = tls_private_key.ioweb_profile_jwe_key.public_key_pem
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+resource "azurerm_key_vault_secret" "magic_link_jwe_private_key" {
+ name = "ioweb-profile-magic-link-jwe-private-key"
+ value = tls_private_key.ioweb_profile_jwe_key.private_key_pem
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+resource "azurerm_key_vault_secret" "exchange_jwt_pub_key" {
+ name = "ioweb-profile-exchange-jwt-pub-key"
+ value = tls_private_key.ioweb_profile_jwt_key.public_key_pem
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+resource "azurerm_key_vault_secret" "exchange_jwt_private_key" {
+ name = "ioweb-profile-exchange-jwt-private-key"
+ value = tls_private_key.ioweb_profile_jwt_key.private_key_pem
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
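Review bot: The `tls_private_key` resources on the `ioweb_profile_jwe_key` and `ioweb_profile_jwt_key` lines generate the signing/encryption private keys inside Terraform, so the PEM material is written unencrypted into the Terraform state (the remote `terraform-state` container configured elsewhere in this change) in addition to the vault; anyone with read access to that state can mint exchange JWTs and decrypt magic-link JWEs. If in-Terraform generation is intended, document it next to the KEYS header, e.g. `# NOTE: tls_private_key persists the PEM in Terraform state in plaintext; state access must be restricted like the vault, and rotation requires replacing this resource.` The four `azurerm_key_vault_secret` resources also set no `content_type` or `expiration_date`, so the secrets have no rotation deadline; consider `expiration_date = timeadd(timestamp(), "8760h")` with an `ignore_changes` lifecycle, or an explicit date variable, so a stale key is at least visible in the vault.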
diff --git a/src/domains/ioweb-app/05_resource_group.tf b/src/domains/ioweb-app/05_resource_group.tf
new file mode 100644
index 000000000..989358ac1
--- /dev/null
+++ b/src/domains/ioweb-app/05_resource_group.tf
@@ -0,0 +1,14 @@
+resource "azurerm_resource_group" "base_rg" {
+ name = "${local.project}-rg"
+ location = var.location
+
+ tags = var.tags
+}
+
+# resource group for ioweb-profile azure function
+resource "azurerm_resource_group" "ioweb_profile_rg" {
+ name = format("%s-ioweb-profile-rg", local.common_project)
+ location = var.location
+
+ tags = var.tags
+}
diff --git a/src/domains/ioweb-app/06_function_ioweb_profile.tf b/src/domains/ioweb-app/06_function_ioweb_profile.tf
new file mode 100644
index 000000000..26b2050ef
--- /dev/null
+++ b/src/domains/ioweb-app/06_function_ioweb_profile.tf
@@ -0,0 +1,309 @@
+###
+### SECRETS
+###
+data "azurerm_key_vault_secret" "api_beta_testers" {
+ name = "ioweb-profile-api-beta-testers"
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+data "azurerm_key_vault_secret" "functions_fast_login_api_key" {
+ name = "ioweb-profile-functions-fast-login-api-key"
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+data "azurerm_key_vault_secret" "functions_app_api_key" {
+ name = "ioweb-profile-functions-app-api-key"
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+data "azurerm_key_vault_secret" "spid_login_jwt_pub_key" {
+ name = "spid-login-jwt-pub-key"
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+data "azurerm_key_vault_secret" "spid_login_api_key" {
+ name = "ioweb-profile-spid-login-api-key"
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+###
+
+locals {
+ function_ioweb_profile = {
+ app_settings = {
+ FUNCTIONS_WORKER_PROCESS_COUNT = 4
+ NODE_ENV = "production"
+
+ // Keepalive fields are all optionals
+ FETCH_KEEPALIVE_ENABLED = "true"
+ FETCH_KEEPALIVE_SOCKET_ACTIVE_TTL = "110000"
+ FETCH_KEEPALIVE_MAX_SOCKETS = "40"
+ FETCH_KEEPALIVE_MAX_FREE_SOCKETS = "10"
+ FETCH_KEEPALIVE_FREE_SOCKET_TIMEOUT = "30000"
+ FETCH_KEEPALIVE_TIMEOUT = "60000"
+
+ // --------------
+ // FF AND TESTERS
+ // --------------
+ FF_API_ENABLED = "BETA"
+ BETA_TESTERS = data.azurerm_key_vault_secret.api_beta_testers.value
+
+ // ------------
+ // JWT Config
+ // ------------
+ BEARER_AUTH_HEADER = "authorization"
+ EXCHANGE_JWT_ISSUER = "api-web.io.pagopa.it/ioweb/backend"
+ EXCHANGE_JWT_PUB_KEY = azurerm_key_vault_secret.exchange_jwt_pub_key.value
+ EXCHANGE_JWT_PRIVATE_KEY = azurerm_key_vault_secret.exchange_jwt_private_key.value
+ // 1 hour
+ EXCHANGE_JWT_TTL = "3600"
+ MAGIC_LINK_JWE_PUB_KEY = azurerm_key_vault_secret.magic_link_jwe_pub_key.value
+ MAGIC_LINK_JWE_PRIVATE_KEY = azurerm_key_vault_secret.magic_link_jwe_private_key.value
+ // TBD: more/less than 1 week?
+ MAGIC_LINK_JWE_TTL = "604800"
+
+ HUB_SPID_LOGIN_JWT_ISSUER = "api-web.io.pagopa.it/ioweb/auth"
+ HUB_SPID_LOGIN_JWT_PUB_KEY = data.azurerm_key_vault_secret.spid_login_jwt_pub_key.value
+
+ // -------------------------
+ // Fast Login config
+ // -------------------------
+ FAST_LOGIN_API_KEY = data.azurerm_key_vault_secret.functions_fast_login_api_key.value
+ FAST_LOGIN_CLIENT_BASE_URL = "https://io-p-weu-fast-login-fn.azurewebsites.net"
+
+ // -------------------------
+ // Functions App config
+ // -------------------------
+ FUNCTIONS_APP_API_KEY = data.azurerm_key_vault_secret.functions_app_api_key.value
+ FUNCTIONS_APP_CLIENT_BASE_URL = "https://io-p-app-fn-2.azurewebsites.net"
+
+ // -------------------------
+ // Hub Spid Login for ioweb config
+ // -------------------------
+ HUB_SPID_LOGIN_API_KEY = data.azurerm_key_vault_secret.spid_login_api_key.value
+ HUB_SPID_LOGIN_CLIENT_BASE_URL = "https://io-p-weu-ioweb-spid-login.azurewebsites.net"
+ }
+ }
+}
+
+
+# Subnet to host admin function
+module "ioweb_profile_snet" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.15"
+ name = format("%s-ioweb-profile-snet", local.common_project)
+ address_prefixes = var.cidr_subnet_fniowebprofile
+ resource_group_name = data.azurerm_virtual_network.vnet_common.resource_group_name
+ virtual_network_name = data.azurerm_virtual_network.vnet_common.name
+ private_endpoint_network_policies_enabled = false
+
+ service_endpoints = [
+ "Microsoft.Web",
+ "Microsoft.Storage",
+ ]
+
+ delegation = {
+ name = "default"
+ service_delegation = {
+ name = "Microsoft.Web/serverFarms"
+ actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+ }
+ }
+}
+
+module "function_ioweb_profile" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app?ref=v5.2.0"
+
+ resource_group_name = azurerm_resource_group.ioweb_profile_rg.name
+ name = format("%s-ioweb-profile-fn", local.common_project)
+ location = var.location
+ domain = "IO-AUTH"
+ health_check_path = "/api/v1/info"
+
+ node_version = "18"
+ runtime_version = "~4"
+
+ always_on = "true"
+ application_insights_instrumentation_key = data.azurerm_application_insights.application_insights.instrumentation_key
+
+ app_service_plan_info = {
+ kind = var.function_ioweb_profile.kind
+ sku_size = var.function_ioweb_profile.sku_size
+ maximum_elastic_worker_count = 0
+ }
+
+ app_settings = merge(
+ local.function_ioweb_profile.app_settings,
+ )
+
+ internal_storage = {
+ "enable" = true,
+ "private_endpoint_subnet_id" = data.azurerm_subnet.private_endpoints_subnet.id,
+ "private_dns_zone_blob_ids" = [data.azurerm_private_dns_zone.privatelink_blob_core_windows_net.id],
+ "private_dns_zone_queue_ids" = [data.azurerm_private_dns_zone.privatelink_queue_core_windows_net.id],
+ "private_dns_zone_table_ids" = [data.azurerm_private_dns_zone.privatelink_table_core_windows_net.id],
+ "queues" = [],
+ "containers" = [],
+ "blobs_retention_days" = 0,
+ }
+
+ subnet_id = module.ioweb_profile_snet.id
+
+ allowed_subnets = [
+ module.ioweb_profile_snet.id,
+ data.azurerm_subnet.apim_v2_snet.id,
+ data.azurerm_subnet.function_app_snet[0].id,
+ data.azurerm_subnet.function_app_snet[1].id,
+ ]
+
+ enable_healthcheck = false
+
+ # Action groups for alerts
+ action = [
+ {
+ action_group_id = data.azurerm_monitor_action_group.error_action_group.id
+ webhook_properties = {}
+ }
+ ]
+
+ tags = var.tags
+}
+
+module "function_ioweb_profile_staging_slot" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app_slot?ref=v5.2.0"
+
+ name = "staging"
+ location = var.location
+ resource_group_name = azurerm_resource_group.ioweb_profile_rg.name
+ function_app_id = module.function_ioweb_profile.id
+ app_service_plan_id = module.function_ioweb_profile.app_service_plan_id
+ health_check_path = "/api/v1/info"
+
+ storage_account_name = module.function_ioweb_profile.storage_account.name
+ storage_account_access_key = module.function_ioweb_profile.storage_account.primary_access_key
+ internal_storage_connection_string = module.function_ioweb_profile.storage_account_internal_function.primary_connection_string
+
+ node_version = "18"
+ always_on = "true"
+ runtime_version = "~4"
+ application_insights_instrumentation_key = data.azurerm_application_insights.application_insights.instrumentation_key
+
+ app_settings = merge(
+ local.function_ioweb_profile.app_settings,
+ )
+
+ subnet_id = module.ioweb_profile_snet.id
+
+ allowed_subnets = [
+ module.ioweb_profile_snet.id,
+ data.azurerm_subnet.azdoa_snet[0].id,
+ data.azurerm_subnet.apim_v2_snet.id,
+ data.azurerm_subnet.function_app_snet[0].id,
+ data.azurerm_subnet.function_app_snet[1].id,
+ ]
+
+ tags = var.tags
+}
+
+resource "azurerm_monitor_autoscale_setting" "function_ioweb_profile" {
+ name = format("%s-autoscale", module.function_ioweb_profile.name)
+ resource_group_name = azurerm_resource_group.ioweb_profile_rg.name
+ location = var.location
+ target_resource_id = module.function_ioweb_profile.app_service_plan_id
+
+ profile {
+ name = "default"
+
+ capacity {
+ default = var.function_ioweb_profile.autoscale_default
+ minimum = var.function_ioweb_profile.autoscale_minimum
+ maximum = var.function_ioweb_profile.autoscale_maximum
+ }
+
+ rule {
+ metric_trigger {
+ metric_name = "Requests"
+ metric_resource_id = module.function_ioweb_profile.id
+ metric_namespace = "microsoft.web/sites"
+ time_grain = "PT1M"
+ statistic = "Average"
+ time_window = "PT5M"
+ time_aggregation = "Average"
+ operator = "GreaterThan"
+ threshold = 3000
+ divide_by_instance_count = false
+ }
+
+ scale_action {
+ direction = "Increase"
+ type = "ChangeCount"
+ value = "2"
+ cooldown = "PT5M"
+ }
+ }
+
+ rule {
+ metric_trigger {
+ metric_name = "CpuPercentage"
+ metric_resource_id = module.function_ioweb_profile.app_service_plan_id
+ metric_namespace = "microsoft.web/serverfarms"
+ time_grain = "PT1M"
+ statistic = "Average"
+ time_window = "PT5M"
+ time_aggregation = "Average"
+ operator = "GreaterThan"
+ threshold = 45
+ divide_by_instance_count = false
+ }
+
+ scale_action {
+ direction = "Increase"
+ type = "ChangeCount"
+ value = "2"
+ cooldown = "PT5M"
+ }
+ }
+
+ rule {
+ metric_trigger {
+ metric_name = "Requests"
+ metric_resource_id = module.function_ioweb_profile.id
+ metric_namespace = "microsoft.web/sites"
+ time_grain = "PT1M"
+ statistic = "Average"
+ time_window = "PT5M"
+ time_aggregation = "Average"
+ operator = "LessThan"
+ threshold = 2000
+ divide_by_instance_count = false
+ }
+
+ scale_action {
+ direction = "Decrease"
+ type = "ChangeCount"
+ value = "1"
+ cooldown = "PT20M"
+ }
+ }
+
+ rule {
+ metric_trigger {
+ metric_name = "CpuPercentage"
+ metric_resource_id = module.function_ioweb_profile.app_service_plan_id
+ metric_namespace = "microsoft.web/serverfarms"
+ time_grain = "PT1M"
+ statistic = "Average"
+ time_window = "PT5M"
+ time_aggregation = "Average"
+ operator = "LessThan"
+ threshold = 30
+ divide_by_instance_count = false
+ }
+
+ scale_action {
+ direction = "Decrease"
+ type = "ChangeCount"
+ value = "1"
+ cooldown = "PT20M"
+ }
+ }
+ }
+}
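Review bot: The private key PEMs are passed as literal app-setting values in `EXCHANGE_JWT_PRIVATE_KEY` and `MAGIC_LINK_JWE_PRIVATE_KEY` (and the API keys likewise), which copies them out of Key Vault into the function app's configuration, into the staging slot's configuration, and again into Terraform state; consider Key Vault references instead, e.g. `EXCHANGE_JWT_PRIVATE_KEY = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.exchange_jwt_private_key.versionless_id})"`, applied to the secret-valued settings, which presumably requires the function's managed identity to have `Get` on the vault — confirm what the `function_app` module grants. Separately, `data.azurerm_subnet.azdoa_snet[0].id` in the staging slot's `allowed_subnets` is unconditional while the data source is `count = var.enable_azdoa ? 1 : 0`, so a plan with `enable_azdoa = false` fails on an out-of-range index; `one(data.azurerm_subnet.azdoa_snet[*].id)` inside a `compact([...])` or a conditional `concat` avoids that. The `MAGIC_LINK_JWE_TTL` of one week is still marked TBD in the comment; a magic link that stays valid for seven days is a wide replay window for an authentication token, so that decision deserves an explicit note once made.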
diff --git a/src/domains/ioweb-app/99_locals.tf b/src/domains/ioweb-app/99_locals.tf
new file mode 100644
index 000000000..84e071f3c
--- /dev/null
+++ b/src/domains/ioweb-app/99_locals.tf
@@ -0,0 +1,24 @@
+locals {
+ project = "${var.prefix}-${var.env_short}-${var.domain}-${var.location_short}-${var.instance}"
+ product = "${var.prefix}-${var.env_short}"
+ common_project = "${var.prefix}-${var.env_short}-${var.location_short}"
+
+ monitor_action_group_slack_name = "SlackPagoPA"
+ monitor_action_group_email_name = "EmailPagoPA"
+
+ vnet_name = "${local.product}-${var.location_short}-${var.instance}-vnet"
+ vnet_resource_group_name = "${local.product}-${var.location_short}-${var.instance}-vnet-rg"
+
+ vnet_common_name = "${local.product}-vnet-common"
+ vnet_common_resource_group_name = "${local.product}-rg-common"
+
+ ingress_hostname = "${var.location_short}${var.instance}.${var.domain}"
+ internal_dns_zone_name = "internal.${var.prefix}.pagopa.it"
+ internal_dns_zone_resource_group_name = "${local.product}-rg-internal"
+
+ acr_name = replace("${local.product}commonacr", "-", "")
+ acr_resource_group_name = "${local.product}-container-registry-rg"
+
+ aks_name = "${local.product}-${var.location_short}-${var.instance}-aks"
+ aks_resource_group_name = "${local.product}-${var.location_short}-${var.instance}-aks-rg"
+}
diff --git a/src/domains/ioweb-app/99_main.tf b/src/domains/ioweb-app/99_main.tf
new file mode 100644
index 000000000..afd878af8
--- /dev/null
+++ b/src/domains/ioweb-app/99_main.tf
@@ -0,0 +1,48 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "<= 3.40.0"
+ }
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "<= 2.33.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = "<= 3.2.1"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "= 2.17.0"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = "= 2.8.0"
+ }
+ }
+
+ backend "azurerm" {}
+}
+
+provider "azurerm" {
+ features {
+ key_vault {
+ purge_soft_delete_on_destroy = false
+ }
+ }
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
+
+provider "kubernetes" {
+ config_path = "${var.k8s_kube_config_path_prefix}/config-${local.aks_name}"
+}
+
+provider "helm" {
+ kubernetes {
+ config_path = "${var.k8s_kube_config_path_prefix}/config-${local.aks_name}"
+ }
+}
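Review bot: The provider constraints `<= 3.40.0`, `<= 2.33.0` and `<= 3.2.1` have no lower bound, so they only forbid newer releases and accept any older provider; the actual pin then depends entirely on the `.terraform.lock.hcl` committed for this directory. The sibling `ioweb-common` lock file in this change records `">= 3.30.0, <= 3.40.0"` for azurerm, so the same two-sided form, e.g. `version = ">= 3.30.0, <= 3.40.0"`, would keep this module consistent and make the accepted range explicit. Also worth a one-line comment on `config_path`: the kubernetes and helm providers read a per-cluster kubeconfig written by an out-of-band script, so a missing or stale file is the first thing to check when a plan fails.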
diff --git a/src/domains/ioweb-app/99_variables.tf b/src/domains/ioweb-app/99_variables.tf
new file mode 100644
index 000000000..8ffff08a6
--- /dev/null
+++ b/src/domains/ioweb-app/99_variables.tf
@@ -0,0 +1,148 @@
+# general
+
+variable "prefix" {
+ type = string
+ validation {
+ condition = (
+ length(var.prefix) < 6
+ )
+ error_message = "Max length is 6 chars."
+ }
+}
+
+variable "env" {
+ type = string
+}
+
+variable "env_short" {
+ type = string
+ validation {
+ condition = (
+ length(var.env_short) == 1
+ )
+ error_message = "Length must be 1 chars."
+ }
+}
+
+variable "domain" {
+ type = string
+ validation {
+ condition = (
+ length(var.domain) <= 12
+ )
+ error_message = "Max length is 12 chars."
+ }
+}
+
+variable "location" {
+ type = string
+ description = "One of westeurope, northeurope"
+}
+
+variable "location_short" {
+ type = string
+ validation {
+ condition = (
+ length(var.location_short) == 3
+ )
+ error_message = "Length must be 3 chars."
+ }
+ description = "One of weu, neu"
+}
+
+variable "location_string" {
+ type = string
+ description = "One of West Europe, North Europe"
+}
+
+variable "instance" {
+ type = string
+ description = "One of beta, prod01, prod02"
+}
+
+variable "lock_enable" {
+ type = bool
+ default = false
+ description = "Apply locks to block accedentaly deletions."
+}
+
+variable "tags" {
+ type = map(any)
+ default = {
+ CreatedBy = "Terraform"
+ }
+}
+
+### External resources
+
+variable "monitor_resource_group_name" {
+ type = string
+ description = "Monitor resource group name"
+}
+
+variable "log_analytics_workspace_name" {
+ type = string
+ description = "Specifies the name of the Log Analytics Workspace."
+}
+
+variable "log_analytics_workspace_resource_group_name" {
+ type = string
+ description = "The name of the resource group in which the Log Analytics workspace is located in."
+}
+
+variable "application_insights_name" {
+ type = string
+ description = "Specifies the name of the Application Insights."
+}
+
+### Aks
+
+variable "k8s_kube_config_path_prefix" {
+ type = string
+ default = "~/.kube"
+}
+
+variable "ingress_load_balancer_ip" {
+ type = string
+}
+
+variable "reloader_helm" {
+ type = object({
+ chart_version = string,
+ image_name = string,
+ image_tag = string
+ })
+ description = "reloader helm chart configuration"
+}
+
+variable "tls_cert_check_helm" {
+ type = object({
+ chart_version = string,
+ image_name = string,
+ image_tag = string
+ })
+ description = "tls cert helm chart configuration"
+}
+
+###################
+# ioweb-profile-fn
+###################
+variable "cidr_subnet_fniowebprofile" {
+ type = list(string)
+ description = "Functions ioweb profile address space"
+ default = null
+}
+
+variable "function_ioweb_profile" {
+ type = object({
+ autoscale_minimum = number
+ autoscale_maximum = number
+ autoscale_default = number
+ sku_size = string
+ kind = string
+ })
+}
+
+variable "enable_azdoa" {
+ type = bool
+}
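Review bot: The `prefix` validation condition `length(var.prefix) < 6` rejects a six-character prefix while its `error_message` says "Max length is 6 chars."; one of the two is wrong. If six is the intended maximum (matching the message), change the condition to `length(var.prefix) <= 6`; otherwise correct the message to "Max length is 5 chars." `cidr_subnet_fniowebprofile` defaults to `null` yet is passed straight into the subnet module's `address_prefixes` in the function file, so a `description` note such as `# required in practice: null makes the ioweb_profile_snet module fail` or dropping the default would make the contract explicit.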
diff --git a/src/domains/ioweb-app/README.md b/src/domains/ioweb-app/README.md
new file mode 100644
index 000000000..3ff495177
--- /dev/null
+++ b/src/domains/ioweb-app/README.md
@@ -0,0 +1,96 @@
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [azuread](#requirement\_azuread) | <= 2.33.0 |
+| [azurerm](#requirement\_azurerm) | <= 3.40.0 |
+| [helm](#requirement\_helm) | = 2.8.0 |
+| [kubernetes](#requirement\_kubernetes) | = 2.17.0 |
+| [null](#requirement\_null) | <= 3.2.1 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [function\_ioweb\_profile](#module\_function\_ioweb\_profile) | git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app | v5.2.0 |
+| [function\_ioweb\_profile\_staging\_slot](#module\_function\_ioweb\_profile\_staging\_slot) | git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app_slot | v5.2.0 |
+| [ioweb\_profile\_snet](#module\_ioweb\_profile\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.15 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_key_vault_secret.exchange_jwt_private_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_key_vault_secret.exchange_jwt_pub_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_key_vault_secret.magic_link_jwe_private_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_key_vault_secret.magic_link_jwe_pub_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_monitor_autoscale_setting.function_ioweb_profile](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource |
+| [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource |
+| [azurerm_resource_group.base_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.ioweb_profile_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [tls_private_key.ioweb_profile_jwe_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [tls_private_key.ioweb_profile_jwt_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_key_vault.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
+| [azurerm_key_vault_secret.api_beta_testers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_key_vault_secret.functions_app_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_key_vault_secret.functions_fast_login_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_key_vault_secret.spid_login_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_key_vault_secret.spid_login_jwt_pub_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
+| [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_monitor_action_group.error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_monitor_action_group.quarantine_error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_private_dns_zone.internal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
+| [azurerm_private_dns_zone.privatelink_blob_core_windows_net](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
+| [azurerm_private_dns_zone.privatelink_documents_azure_com](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
+| [azurerm_private_dns_zone.privatelink_file_core_windows_net](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
+| [azurerm_private_dns_zone.privatelink_queue_core_windows_net](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
+| [azurerm_private_dns_zone.privatelink_table_core_windows_net](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
+| [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_subnet.apim_v2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.azdoa_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.function_app_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_virtual_network.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
+| [azurerm_virtual_network.vnet_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [application\_insights\_name](#input\_application\_insights\_name) | Specifies the name of the Application Insights. | `string` | n/a | yes |
+| [cidr\_subnet\_fniowebprofile](#input\_cidr\_subnet\_fniowebprofile) | Functions ioweb profile address space | `list(string)` | `null` | no |
+| [domain](#input\_domain) | n/a | `string` | n/a | yes |
+| [enable\_azdoa](#input\_enable\_azdoa) | n/a | `bool` | n/a | yes |
+| [env](#input\_env) | n/a | `string` | n/a | yes |
+| [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes |
+| [function\_ioweb\_profile](#input\_function\_ioweb\_profile) | n/a | object({
autoscale_minimum = number
autoscale_maximum = number
autoscale_default = number
sku_size = string
kind = string
})
| n/a | yes |
+| [ingress\_load\_balancer\_ip](#input\_ingress\_load\_balancer\_ip) | n/a | `string` | n/a | yes |
+| [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes |
+| [k8s\_kube\_config\_path\_prefix](#input\_k8s\_kube\_config\_path\_prefix) | n/a | `string` | `"~/.kube"` | no |
+| [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes |
+| [location\_short](#input\_location\_short) | One of weu, neu | `string` | n/a | yes |
+| [location\_string](#input\_location\_string) | One of West Europe, North Europe | `string` | n/a | yes |
+| [lock\_enable](#input\_lock\_enable) | Apply locks to block accedentaly deletions. | `bool` | `false` | no |
+| [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | Specifies the name of the Log Analytics Workspace. | `string` | n/a | yes |
+| [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes |
+| [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes |
+| [prefix](#input\_prefix) | n/a | `string` | n/a | yes |
+| [reloader\_helm](#input\_reloader\_helm) | reloader helm chart configuration | object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes |
+| [tags](#input\_tags) | n/a | `map(any)` | {
"CreatedBy": "Terraform"
}
| no |
+| [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration | object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes |
+
+## Outputs
+
+No outputs.
+
diff --git a/src/domains/ioweb-app/env/weu-prod01/backend.ini b/src/domains/ioweb-app/env/weu-prod01/backend.ini
new file mode 100644
index 000000000..cf83055f5
--- /dev/null
+++ b/src/domains/ioweb-app/env/weu-prod01/backend.ini
@@ -0,0 +1 @@
+subscription=PROD-IO
diff --git a/src/domains/ioweb-app/env/weu-prod01/backend.tfvars b/src/domains/ioweb-app/env/weu-prod01/backend.tfvars
new file mode 100644
index 000000000..936634b3f
--- /dev/null
+++ b/src/domains/ioweb-app/env/weu-prod01/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfinfprodio"
+container_name = "terraform-state"
+key = "io-infra.ioweb-app-weu-prod01.tfstate"
diff --git a/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars b/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars
new file mode 100644
index 000000000..60af28e34
--- /dev/null
+++ b/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars
@@ -0,0 +1,56 @@
+prefix = "io"
+env_short = "p"
+env = "prod"
+domain = "ioweb"
+location = "westeurope"
+location_short = "weu"
+location_string = "West Europe"
+instance = "prod01"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Prod"
+ Owner = "IO"
+ Source = "https://github.com/pagopa/io-infra/tree/main/src/domains/ioweb-app"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+}
+
+### External resources
+
+monitor_resource_group_name = "io-p-rg-common"
+log_analytics_workspace_name = "io-p-law-common"
+log_analytics_workspace_resource_group_name = "io-p-rg-common"
+application_insights_name = "io-p-ai-common"
+
+enable_azdoa = true
+
+### External tools
+
+# chart releases: https://github.com/stakater/Reloader/releases
+# image tags: https://hub.docker.com/r/stakater/reloader/tags
+reloader_helm = {
+ chart_version = "v0.0.118"
+ image_name = "stakater/reloader"
+ image_tag = "v0.0.118@sha256:2d423cab8d0e83d1428ebc70c5c5cafc44bd92a597bff94007f93cddaa607b02"
+}
+# chart releases: https://github.com/pagopa/aks-microservice-chart-blueprint/releases
+# image tags: https://github.com/pagopa/infra-ssl-check/releases
+tls_cert_check_helm = {
+ chart_version = "1.21.0"
+ image_name = "ghcr.io/pagopa/infra-ssl-check"
+ image_tag = "v1.3.4@sha256:c3d45736706c981493b6216451fc65e99a69d5d64409ccb1c4ca93fef57c921d"
+}
+
+### Aks
+
+ingress_load_balancer_ip = "10.11.100.250"
+
+### Fn ioweb-profile
+cidr_subnet_fniowebprofile = ["10.0.117.0/24"]
+function_ioweb_profile = {
+ kind = "Linux"
+ sku_size = "P1v3"
+ autoscale_minimum = 1
+ autoscale_maximum = 30
+ autoscale_default = 1
+}
diff --git a/src/domains/ioweb-app/terraform.sh b/src/domains/ioweb-app/terraform.sh
new file mode 100755
index 000000000..8e90bb419
--- /dev/null
+++ b/src/domains/ioweb-app/terraform.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+set -e
+
+action=$1
+env=$2
+shift 2
+other=$@
+
+if [ -z "$action" ]; then
+ echo "Missed action: init, apply, plan"
+ exit 0
+fi
+
+if [ -z "$env" ]; then
+ echo "env should be: dev, uat or prod."
+ exit 0
+fi
+
+source "./env/$env/backend.ini"
+az account set -s "${subscription}"
+
+if [ "$action" = "force-unlock" ]; then
+ echo "🧭 terraform INIT in env: ${env}"
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars" $other
+ warn_message="You are about to unlock Terraform's remote state.
+ This is a dangerous task you want to be aware of before going on.
+ This operation won't affect your infrastructure directly.
+ However, please note that you may lose pieces of information about partially-applied configurations.
+
+ Please refer to the official Terraform documentation about the command:
+ https://developer.hashicorp.com/terraform/cli/commands/force-unlock"
+ printf "\n\e[33m%s\e[0m\n\n" "$warn_message"
+
+ read -r -p "Please enter the LOCK ID: " lock_id
+ terraform force-unlock "$lock_id"
+
+ exit 0 # this line prevents the script to go on
+fi
+
+if echo "init plan apply refresh import output state taint destroy" | grep -w $action > /dev/null; then
+ if [ $action = "init" ]; then
+ terraform $action -reconfigure -backend-config="./env/$env/backend.tfvars" $other
+ elif [ $action = "output" ] || [ $action = "state" ] || [ $action = "taint" ]; then
+ # init terraform backend
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ terraform $action $other
+ else
+ # init terraform backend
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ terraform $action -var-file="./env/$env/terraform.tfvars" $other
+ fi
+else
+ echo "Action not allowed."
+ exit 1
+fi
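Review bot: Both argument checks exit with status 0 (`exit 0` after "Missed action" and after "env should be"), so a caller or CI step that invokes the wrapper with a missing or misspelled argument sees success while nothing ran; change both to `exit 1`. The allow-list check `grep -w $action` and the comparisons `[ $action = "init" ]` use `$action` unquoted, so an empty or multi-word value changes the test's shape rather than failing it; use `grep -qw -- "$action"` and `[ "$action" = "init" ]`. With `set -e` alone, unset variables still expand to empty strings; `set -euo pipefail` is the stricter baseline and `other="$@"`/`$other` could become `"$@"` after the `shift 2` so quoted arguments survive.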
diff --git a/src/domains/ioweb-common/.terraform.lock.hcl b/src/domains/ioweb-common/.terraform.lock.hcl
new file mode 100644
index 000000000..eeb79cfef
--- /dev/null
+++ b/src/domains/ioweb-common/.terraform.lock.hcl
@@ -0,0 +1,91 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/azuread" {
+ version = "2.33.0"
+ constraints = "<= 2.33.0"
+ hashes = [
+ "h1:PDiZA9QpXCkaSuWu6jiCRcjVtKJETqjcOZq4I434zfE=",
+ "h1:QAQe2+WSqGnHYAVoA+NN4Oeuoqg5sXq3U9Qmj6S1P5M=",
+ "h1:XIvCW3Nl4bW1bc9f8jyGhft+fQjaed4yy/LFzDAeVJ8=",
+ "h1:Z28tjly5UfKOE+HL/oALxCPhmCuBwUgZ4uaYt68VR3M=",
+ "zh:0602d03d7d7e38819f78dc377e64f365427496edf1065bfbb113e3921ab1c34e",
+ "zh:08843838f4fe146084592472648d4ea7191931eabe042a96c3b3c6eaf8ddfb43",
+ "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7",
+ "zh:26a0d8a186e3b47ea0b7217a8e420b03fda59b7a680bb3ea52cf7d3e6d965ef3",
+ "zh:352a1cacaacd39e796de15a52d192ab0e6eb98dd36b5fbf8ebddd37e6dafa4ac",
+ "zh:3702ad4c534e67e2e07b060bfe5e6edc244c59c911906c8b15b96e7fecb0ff2c",
+ "zh:93b5248d26bdd44845b2ab051a2168c7edad788ae9836f62ea5fb632fd59d7ea",
+ "zh:a7b880155f4a67b52a5bfe78de33dc55254ef80006234f00e36aaf6533b1de4a",
+ "zh:a7cf0829364127c9bca26ec01ea3d66988b43987b2d26a3290487d1fc0da50eb",
+ "zh:b1f82b0d30af733b36a2f849799e0b1ed6a72888fa32a438c829c4e5cff88e20",
+ "zh:b6c2b23770852de8f56b549579c2f5a82afd84a9ca0616d53a25d48488f7aaf0",
+ "zh:d87dfbdfe8ab9d3a2e33f210333d40f211ea7d33bfa671063e6807c6ddd85a52",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/azurerm" {
+ version = "3.40.0"
+ constraints = ">= 3.30.0, <= 3.40.0"
+ hashes = [
+ "h1:/Jbhw/zNAsDYDoASaG6w+0KZyay9BkUVOpR8b7m0CsA=",
+ "h1:7Vfig36efXmcsWQSZwdB+bqZLtoZ/RyytY9lXHx9Fic=",
+ "h1:VpRitAMc2wjUH/2jCz9MtZZd83UFxwTCamjRvIh/Nvg=",
+ "h1:dSM3nwscFP/OmH5Kr5FGao+9DjIXUEECnbMtWdrQOdg=",
+ "zh:00fa6dc05bf2643c6a3c741edb7d88263698086835a8a613f1d7bd76d1b918fd",
+ "zh:0da9b788e773272a7aa9d59bd9e3d5842edd4acc8c3895bea469e66dc14205a0",
+ "zh:25a8c39d1f042fc7c83ba9dd745c3569ea9e577fadb57563a575fb115ac2b9f1",
+ "zh:4423666dbeae8bc22c6e8898ffbb88745681dc27668ca9104b665dd7f3d7292c",
+ "zh:78c07308e7407b558d15737a98fb5eaf15529d297fc3798de6a7d61e0466e2e3",
+ "zh:894aca7e6f4f331ee8eb51957a180dc03d399d2b1727e0d7842e9b3f022a8c6a",
+ "zh:bb0e620c2161b4c4892a6f50b1c4c69ed70f66bb5e92543a03d79d0e4b1d9441",
+ "zh:c7d8e6a791159ca63b30908c9efe72ab65f60d64b30f0c1eb5a64972f4994844",
+ "zh:d04c11bfd346c1ac34d16bbdca70b23b006e822f6beb236b85375e8343888eb4",
+ "zh:f4edea9660327c7c70a823d786fd1b1c1b186c8759770447f63da72f23e1a73c",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f986e268949cf445ff53a66af48a87c6f6dba5964e8a5b1dc0ea02afabdd71f7",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/null" {
+ version = "3.2.1"
+ constraints = "<= 3.2.1"
+ hashes = [
+ "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=",
+ "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=",
+ "h1:vUW21lLLsKlxtBf0QF7LKJreKxs0CM7YXGzqW1N/ODY=",
+ "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=",
+ "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840",
+ "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb",
+ "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5",
+ "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238",
+ "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc",
+ "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970",
+ "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2",
+ "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5",
+ "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f",
+ "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/tls" {
+ version = "4.0.4"
+ hashes = [
+ "h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=",
+ "h1:Wd3RqmQW60k2QWPN4sK5CtjGuO1d+CRNXgC+D4rKtXc=",
+ "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55",
+ "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848",
+ "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be",
+ "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5",
+ "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe",
+ "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e",
+ "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48",
+ "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8",
+ "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60",
+ "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e",
+ "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
diff --git a/src/domains/ioweb-common/00_azuread.tf b/src/domains/ioweb-common/00_azuread.tf
new file mode 100644
index 000000000..bfffd3a8b
--- /dev/null
+++ b/src/domains/ioweb-common/00_azuread.tf
@@ -0,0 +1,16 @@
+# Azure AD
+data "azuread_group" "adgroup_admin" {
+ display_name = format("%s-adgroup-admin", local.product)
+}
+
+data "azuread_group" "adgroup_developers" {
+ display_name = format("%s-adgroup-developers", local.product)
+}
+
+data "azuread_group" "adgroup_externals" {
+ display_name = format("%s-adgroup-externals", local.product)
+}
+
+data "azuread_group" "adgroup_security" {
+ display_name = format("%s-adgroup-security", local.product)
+}
diff --git a/src/domains/ioweb-common/01_monitor.tf b/src/domains/ioweb-common/01_monitor.tf
new file mode 100644
index 000000000..b49fcd618
--- /dev/null
+++ b/src/domains/ioweb-common/01_monitor.tf
@@ -0,0 +1,51 @@
+data "azurerm_log_analytics_workspace" "log_analytics" {
+ name = var.log_analytics_workspace_name
+ resource_group_name = var.log_analytics_workspace_resource_group_name
+}
+
+data "azurerm_application_insights" "application_insights" {
+ name = var.application_insights_name
+ resource_group_name = var.monitor_resource_group_name
+}
+
+data "azurerm_resource_group" "monitor_rg" {
+ name = var.monitor_resource_group_name
+}
+
+data "azurerm_monitor_action_group" "slack" {
+ resource_group_name = var.monitor_resource_group_name
+ name = local.monitor_action_group_slack_name
+}
+
+data "azurerm_monitor_action_group" "email" {
+ resource_group_name = var.monitor_resource_group_name
+ name = local.monitor_action_group_email_name
+}
+
+data "azurerm_monitor_action_group" "error_action_group" {
+ resource_group_name = var.monitor_resource_group_name
+ name = "${var.prefix}${var.env_short}error"
+}
+
+data "azurerm_monitor_action_group" "quarantine_error_action_group" {
+ resource_group_name = var.monitor_resource_group_name
+ name = "${var.prefix}${var.env_short}quarantineerror"
+}
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "appinsights_instrumentation_key" {
+ name = "appinsights-instrumentation-key"
+ value = data.azurerm_application_insights.application_insights.instrumentation_key
+ content_type = "only instrumentation key"
+
+ key_vault_id = module.key_vault.id
+}
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "appinsights_connection_string" {
+ name = "appinsights-connection-string"
+ value = data.azurerm_application_insights.application_insights.connection_string
+ content_type = "full connection string, example InstrumentationKey=XXXXX"
+
+ key_vault_id = module.key_vault.id
+}
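Review bot: The two `#tfsec:ignore:AZU023` suppressions at L4619 and L4628 carry no rationale, so a later reader cannot tell whether the missing `expiration_date` on these secrets was a deliberate choice or an oversight; a justification on the same line, e.g. `#tfsec:ignore:AZU023 telemetry key has no natural expiry; rotated with the Application Insights resource`, records the decision. `AZU023` is also the legacy short rule id; newer tfsec releases key on the long form (`azure-keyvault-ensure-secret-expiry`, if I recall correctly), so the suppression may stop matching after a scanner upgrade. If an expiry is acceptable instead, set `expiration_date` and drop the suppression.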
diff --git a/src/domains/ioweb-common/01_network.tf b/src/domains/ioweb-common/01_network.tf
new file mode 100644
index 000000000..c6e85d0e8
--- /dev/null
+++ b/src/domains/ioweb-common/01_network.tf
@@ -0,0 +1,73 @@
+data "azurerm_virtual_network" "vnet_common" {
+ name = local.vnet_common_name
+ resource_group_name = local.vnet_common_resource_group_name
+}
+
+data "azurerm_subnet" "private_endpoints_subnet" {
+ name = "pendpoints"
+ virtual_network_name = local.vnet_common_name
+ resource_group_name = local.vnet_common_resource_group_name
+}
+
+data "azurerm_private_dns_zone" "privatelink_redis_cache" {
+ name = "privatelink.redis.cache.windows.net"
+ resource_group_name = format("%s-rg-common", local.product)
+ tags = var.tags
+}
+
+data "azurerm_subnet" "azdoa_snet" {
+ name = "azure-devops"
+ virtual_network_name = local.vnet_common_name
+ resource_group_name = local.vnet_common_resource_group_name
+}
+
+data "azurerm_private_dns_zone" "privatelink_blob_core_windows_net" {
+ name = "privatelink.blob.core.windows.net"
+ resource_group_name = local.vnet_common_resource_group_name
+}
+
+data "azurerm_subnet" "apim_v2_snet" {
+ name = "apimv2api"
+ virtual_network_name = local.vnet_common_name
+ resource_group_name = local.vnet_common_resource_group_name
+}
+
+data "azurerm_subnet" "ioweb_profile_snet" {
+ name = format("%s-%s-ioweb-profile-snet", local.product, var.location_short)
+ virtual_network_name = local.vnet_common_name
+ resource_group_name = local.vnet_common_resource_group_name
+}
+
+## redis spid login subnet
+module "redis_spid_login_snet" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.15"
+ name = format("%s-redis-spid-login-snet", local.project)
+ address_prefixes = var.subnets_cidrs.redis_spid_login
+ resource_group_name = local.vnet_common_resource_group_name
+ virtual_network_name = local.vnet_common_name
+
+ private_endpoint_network_policies_enabled = false
+}
+
+## spid_login subnet
+module "spid_login_snet" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.15"
+ name = format("%s-spid-login-snet", local.project)
+ address_prefixes = var.subnets_cidrs.spid_login
+ resource_group_name = local.vnet_common_resource_group_name
+ virtual_network_name = local.vnet_common_name
+
+ private_endpoint_network_policies_enabled = true
+
+ service_endpoints = [
+ "Microsoft.Web",
+ ]
+
+ delegation = {
+ name = "default"
+ service_delegation = {
+ name = "Microsoft.Web/serverFarms"
+ actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+ }
+ }
+}
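Review bot: `tags = var.tags` at L4656 is set on a `data "azurerm_private_dns_zone"` block, where `tags` is a computed (read-only) attribute of the data source in the azurerm provider; I expect `terraform validate` to reject it, and in any case it has no effect on a lookup, so drop the line. On L4655, `format("%s-rg-common", local.product)` duplicates `local.vnet_common_resource_group_name` (which L4667 already uses for the sibling zone), so use the local here too to keep a single source of truth for the resource group name.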
diff --git a/src/domains/ioweb-common/02_security.tf b/src/domains/ioweb-common/02_security.tf
new file mode 100644
index 000000000..56cf33476
--- /dev/null
+++ b/src/domains/ioweb-common/02_security.tf
@@ -0,0 +1,142 @@
+resource "azurerm_resource_group" "sec_rg" {
+ name = "${local.product}-${var.domain}-sec-rg"
+ location = var.location
+
+ tags = var.tags
+}
+
+module "key_vault" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v4.1.3"
+
+ name = "${local.product}-${var.domain}-kv"
+ location = azurerm_resource_group.sec_rg.location
+ resource_group_name = azurerm_resource_group.sec_rg.name
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ soft_delete_retention_days = 90
+
+ tags = var.tags
+}
+
+## adgroup_admin group policy ##
+resource "azurerm_key_vault_access_policy" "adgroup_admin" {
+ key_vault_id = module.key_vault.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azuread_group.adgroup_admin.object_id
+
+ key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+ secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
+ storage_permissions = []
+ certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
+}
+
+## adgroup_developers group policy ##
+resource "azurerm_key_vault_access_policy" "adgroup_developers" {
+ key_vault_id = module.key_vault.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azuread_group.adgroup_developers.object_id
+
+ key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+ secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
+ storage_permissions = []
+ certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
+}
+
+# Access policy for CD pipeline
+
+data "azuread_service_principal" "github_action_iac_cd" {
+ display_name = "github-pagopa-io-infra-prod-cd"
+}
+
+resource "azurerm_key_vault_access_policy" "github_action_iac_cd_kv" {
+ key_vault_id = module.key_vault.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azuread_service_principal.github_action_iac_cd.object_id
+
+ secret_permissions = ["Get", "List", "Set", ]
+ storage_permissions = []
+ certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", "ManageContacts", "Create", ]
+}
+
+
+# Access policy for CI pipeline
+
+data "azuread_service_principal" "github_action_iac_ci" {
+ display_name = "github-pagopa-io-infra-prod-ci"
+}
+
+resource "azurerm_key_vault_access_policy" "github_action_iac_ci_kv" {
+ key_vault_id = module.key_vault.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azuread_service_principal.github_action_iac_ci.object_id
+
+ secret_permissions = ["Get", "List", ]
+ storage_permissions = []
+ certificate_permissions = ["Get", "List", ]
+ key_permissions = [
+ "Get",
+ ]
+}
+
+#
+# Azure DevOps policy
+#
+data "azuread_service_principal" "platform_iac_sp" {
+ display_name = "pagopaspa-io-platform-iac-projects-${data.azurerm_subscription.current.subscription_id}"
+}
+
+resource "azurerm_key_vault_access_policy" "azdevops_platform_iac_policy_ioweb_kv" {
+ key_vault_id = module.key_vault.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azuread_service_principal.platform_iac_sp.object_id
+
+ secret_permissions = ["List", "Get"]
+ storage_permissions = []
+ certificate_permissions = ["List", "Get"]
+}
+
+resource "azurerm_key_vault_access_policy" "policy_ioweb_cdn_kv" {
+ key_vault_id = module.key_vault.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ # Microsoft.AzureFrontDoor-Cdn object-id
+ object_id = "f3b3f72f-4770-47a5-8c1e-aa298003be12"
+
+ secret_permissions = ["Get", ]
+ storage_permissions = []
+ certificate_permissions = ["Get", ]
+}
+
+# ####################
+# ####################
+# Keys #
+# ####################
+# ####################
+
+resource "tls_private_key" "jwt" {
+ algorithm = "RSA"
+ rsa_bits = 2048
+}
+
+# ####################
+# ####################
+# Secrets #
+# ####################
+# ####################
+
+resource "azurerm_key_vault_secret" "spid_login_jwt_pub_key" {
+ name = "spid-login-jwt-pub-key"
+ value = tls_private_key.jwt.public_key_pem
+ key_vault_id = module.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "agid_spid_private_key" {
+ name = "spid-login-AGID-SPID-CERT-KEY"
+ key_vault_id = module.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "agid_spid_cert" {
+ name = "spid-login-AGID-SPID-CERT-PEM"
+ key_vault_id = module.key_vault.id
+}
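Review bot: The JWT signing key created by `tls_private_key.jwt` at L4837 exists only in Terraform state (and is later injected into the app as a plain setting), so everyone who can read the remote state holds the key; storing the private key in Key Vault next to the public key written at L4848, or generating it inside Key Vault as an `azurerm_key_vault_key`, keeps it out of state and lets it be rotated without a Terraform apply. The `object_id` literal at L4824 is an object id, which for first-party apps is tenant-specific unlike the application id; resolving it with a `data "azuread_service_principal"` block as done for the other principals in this file would make the policy portable and self-documenting. The developers policy at L4754 grants exactly the same Delete-capable set of key, secret and certificate permissions as the admin policy at L4741; worth confirming that is intended rather than a copy of the admin block.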
diff --git a/src/domains/ioweb-common/03_storage.tf b/src/domains/ioweb-common/03_storage.tf
new file mode 100644
index 000000000..cf5bb8f13
--- /dev/null
+++ b/src/domains/ioweb-common/03_storage.tf
@@ -0,0 +1,63 @@
+
+######################
+# SPID LOGS Storage
+######################
+module "spid_logs_storage" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v6.1.0"
+
+ name = replace(format("%s-spid-logs-st", local.project), "-", "")
+ domain = upper(var.domain)
+ account_kind = "StorageV2"
+ account_tier = "Standard"
+ access_tier = "Hot"
+ account_replication_type = "GZRS"
+ resource_group_name = azurerm_resource_group.storage_rg.name
+ location = var.location
+ advanced_threat_protection = true
+ enable_identity = true
+ public_network_access_enabled = false
+
+ tags = var.tags
+}
+
+module "spid_logs_storage_customer_managed_key" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key?ref=v6.1.0"
+ tenant_id = data.azurerm_subscription.current.tenant_id
+ location = var.location
+ resource_group_name = azurerm_resource_group.storage_rg.name
+ key_vault_id = module.key_vault.id
+ key_name = format("%s-key", module.spid_logs_storage.name)
+ storage_id = module.spid_logs_storage.id
+ storage_principal_id = module.spid_logs_storage.identity.0.principal_id
+}
+
+
+resource "azurerm_private_endpoint" "spid_logs_storage_blob" {
+ name = "${module.spid_logs_storage.name}-blob-endpoint"
+ location = var.location
+ resource_group_name = azurerm_resource_group.storage_rg.name
+ subnet_id = data.azurerm_subnet.private_endpoints_subnet.id
+
+ private_service_connection {
+ name = "${module.spid_logs_storage.name}-blob"
+ private_connection_resource_id = module.spid_logs_storage.id
+ is_manual_connection = false
+ subresource_names = ["blob"]
+ }
+
+ private_dns_zone_group {
+ name = "private-dns-zone-group"
+ private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_blob_core_windows_net.id]
+ }
+
+ tags = var.tags
+}
+
+
+# Containers
+resource "azurerm_storage_container" "spid_logs" {
+ depends_on = [module.spid_logs_storage]
+ name = "spidlogs"
+ storage_account_name = module.spid_logs_storage.name
+ container_access_type = "private"
+}
\ No newline at end of file
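Review bot: `module.spid_logs_storage.identity.0.principal_id` at L4899 uses the legacy attribute-index syntax; `module.spid_logs_storage.identity[0].principal_id` is the current form. The `depends_on` at L4927 is redundant because `storage_account_name` on L4929 already references the module. Since `public_network_access_enabled = false` at L4886, creating the container at L4926 goes through the storage data plane and will only succeed from a runner that can reach the private endpoint declared at L4903 (the Azure DevOps subnet looked up in 01_network.tf suggests that is the plan); a one-line comment saying so would stop a later `apply` from a laptop being mistaken for a provider bug.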
diff --git a/src/domains/ioweb-common/04_redis.tf b/src/domains/ioweb-common/04_redis.tf
new file mode 100644
index 000000000..89d34875a
--- /dev/null
+++ b/src/domains/ioweb-common/04_redis.tf
@@ -0,0 +1,48 @@
+
+/**
+* [REDIS V6]
+*/
+module "redis_spid_login" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache?ref=v6.11.2"
+ name = format("%s-redis-std-v6", local.project)
+ resource_group_name = azurerm_resource_group.common_rg.name
+ location = azurerm_resource_group.common_rg.location
+ capacity = 0
+ family = "C"
+ sku_name = "Standard"
+ redis_version = "6"
+ enable_authentication = true
+
+ // when azure can apply patch?
+ patch_schedules = [{
+ day_of_week = "Sunday"
+ start_hour_utc = 23
+ },
+ {
+ day_of_week = "Monday"
+ start_hour_utc = 23
+ },
+ {
+ day_of_week = "Tuesday"
+ start_hour_utc = 23
+ },
+ {
+ day_of_week = "Wednesday"
+ start_hour_utc = 23
+ },
+ {
+ day_of_week = "Thursday"
+ start_hour_utc = 23
+ },
+ ]
+
+
+ private_endpoint = {
+ enabled = true
+ virtual_network_id = data.azurerm_virtual_network.vnet_common.id
+ subnet_id = module.redis_spid_login_snet.id
+ private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_redis_cache.id]
+ }
+
+ tags = var.tags
+}
diff --git a/src/domains/ioweb-common/05_apim_v2.tf b/src/domains/ioweb-common/05_apim_v2.tf
new file mode 100644
index 000000000..3c06b46cf
--- /dev/null
+++ b/src/domains/ioweb-common/05_apim_v2.tf
@@ -0,0 +1,57 @@
+data "azurerm_api_management" "apim_v2_api" {
+ name = local.apim_v2_name
+ resource_group_name = local.apim_resource_group_name
+}
+
+
+# API Product
+
+module "apim_v2_product_ioweb" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v4.1.5"
+
+ product_id = "io-web-api"
+ display_name = "IO WEB API"
+ description = "Product for IO WEB Api & Authentication"
+
+ api_management_name = data.azurerm_api_management.apim_v2_api.name
+ resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
+
+ published = true
+ subscription_required = false
+ approval_required = false
+
+ policy_xml = file("./api_product/ioweb/_base_policy.xml")
+}
+
+module "apim_v2_spid_login_api" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v4.1.5"
+
+ name = format("%s-ioweb-auth", local.product)
+ api_management_name = data.azurerm_api_management.apim_v2_api.name
+ resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
+ product_ids = [module.apim_v2_product_ioweb.product_id]
+ subscription_required = false
+
+ service_url = format("https://%s", module.spid_login.default_site_hostname)
+
+ description = "Login SPID Service Provider"
+ display_name = "IO Web - Authentication"
+ path = local.spid_login_base_path
+ protocols = ["https"]
+
+ content_format = "openapi"
+
+ # NOTE: This openapi does not contains `upgradeToken` endpoint, since it's not necessary
+ content_value = file("./api/ioweb/spid-login/_swagger.json")
+
+ xml_content = file("./api/ioweb/spid-login/_base_policy.xml")
+}
+
+resource "azurerm_api_management_api_operation_policy" "spid_acs" {
+ api_name = format("%s-ioweb-auth", local.product)
+ api_management_name = data.azurerm_api_management.apim_v2_api.name
+ resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
+ operation_id = "postACS"
+
+ xml_content = file("./api/ioweb/spid-login/_postacs_policy.xml")
+}
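Review bot: The operation policy at L5042 names its API with the literal `format("%s-ioweb-auth", local.product)` at L5043 instead of referencing `module.apim_v2_spid_login_api`, so Terraform sees no dependency between the two and may try to create the policy before the API and its `postACS` operation exist on a fresh apply; use the module's name output if it exports one, or add `depends_on = [module.apim_v2_spid_login_api]`. `subscription_required = false` at L5012 and L5025 means the login API is callable without an APIM subscription key; that looks intended for a SPID entry point, but a one-line comment stating it would stop the next reader from flagging it.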
diff --git a/src/domains/ioweb-common/05_resource_group.tf b/src/domains/ioweb-common/05_resource_group.tf
new file mode 100644
index 000000000..70cf2ccba
--- /dev/null
+++ b/src/domains/ioweb-common/05_resource_group.tf
@@ -0,0 +1,20 @@
+resource "azurerm_resource_group" "common_rg" {
+ name = "${local.project}-common-rg"
+ location = var.location
+
+ tags = var.tags
+}
+
+resource "azurerm_resource_group" "fe_rg" {
+ name = "${local.project}-fe-rg"
+ location = var.location
+
+ tags = var.tags
+}
+
+resource "azurerm_resource_group" "storage_rg" {
+ name = "${local.project}-storage-rg"
+ location = var.location
+
+ tags = var.tags
+}
diff --git a/src/domains/ioweb-common/06_cdn.tf b/src/domains/ioweb-common/06_cdn.tf
new file mode 100644
index 000000000..297fd3543
--- /dev/null
+++ b/src/domains/ioweb-common/06_cdn.tf
@@ -0,0 +1,55 @@
+# core domain external rg
+data "azurerm_resource_group" "core_ext" {
+ name = format("%s-rg-external", local.product)
+}
+
+data "azurerm_dns_zone" "ioapp_it" {
+ name = "ioapp.it"
+ resource_group_name = data.azurerm_resource_group.core_ext.name
+}
+
+module "landing_cdn" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cdn?ref=v7.2.1"
+
+ name = "portal"
+ prefix = local.project
+ resource_group_name = azurerm_resource_group.fe_rg.name
+ location = azurerm_resource_group.fe_rg.location
+ hostname = "ioapp.it"
+ https_rewrite_enabled = true
+
+ index_document = "index.html"
+ error_404_document = "it/404.html"
+
+ dns_zone_name = data.azurerm_dns_zone.ioapp_it.name
+ dns_zone_resource_group_name = data.azurerm_resource_group.core_ext.name
+
+ keyvault_vault_name = module.key_vault.name
+ keyvault_resource_group_name = azurerm_resource_group.sec_rg.name
+ keyvault_subscription_id = data.azurerm_subscription.current.subscription_id
+
+ querystring_caching_behaviour = "BypassCaching"
+
+ global_delivery_rule = {
+ cache_expiration_action = []
+ cache_key_query_string_action = []
+ modify_request_header_action = []
+
+ # HSTS
+ modify_response_header_action = [
+ {
+ action = "Overwrite"
+ name = "Strict-Transport-Security"
+ value = "max-age=31536000"
+ },
+ # Content-Security-Policy (in Report mode)
+ {
+ action = "Append"
+ name = "Content-Security-Policy"
+ value = "script-src 'self' 'unsafe-inline'; worker-src 'none'; font-src data: 'self'; object-src 'none'; "
+ }
+ ]
+ }
+
+ tags = var.tags
+}
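Review bot: The comment at L5126 says the Content-Security-Policy is "in Report mode", but the header emitted at L5129 is `Content-Security-Policy`, not `Content-Security-Policy-Report-Only`, and no `report-uri`/`report-to` directive is present, so this policy is enforced and nothing is reported; either rename the header or fix the comment. The value at L5130 also lacks `default-src`, so resource types it does not name (connect-src, frame-src, img-src, …) are unrestricted, and `'unsafe-inline'` in `script-src` removes most of the injection protection the header is meant to give. HSTS at L5124 is set without `includeSubDomains`; confirm whether that is deliberate for `ioapp.it`.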
diff --git a/src/domains/ioweb-common/10_spid_login.tf b/src/domains/ioweb-common/10_spid_login.tf
new file mode 100644
index 000000000..4ac6943da
--- /dev/null
+++ b/src/domains/ioweb-common/10_spid_login.tf
@@ -0,0 +1,119 @@
+
+############################
+## App service spid login ##
+############################
+module "spid_login" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service?ref=v4.1.15"
+
+ # App service plan
+ plan_type = "internal"
+ plan_name = format("%s-plan-spid-login", local.project)
+ plan_kind = "Linux"
+ plan_reserved = true # Mandatory for Linux plan
+ plan_sku_tier = var.spid_login_plan_sku_tier
+ plan_sku_size = var.spid_login_plan_sku_size
+
+ # App service
+ name = format("%s-spid-login", local.project)
+ resource_group_name = azurerm_resource_group.common_rg.name
+ location = azurerm_resource_group.common_rg.location
+
+
+ always_on = true
+ linux_fx_version = "NODE|18-lts"
+ app_command_line = "npm run start"
+ health_check_path = "/healthcheck"
+
+ app_settings = {
+ WEBSITES_ENABLE_APP_SERVICE_STORAGE = false
+ WEBSITES_PORT = 8080
+
+ WEBSITE_NODE_DEFAULT_VERSION = "18.13.0"
+ WEBSITE_RUN_FROM_PACKAGE = "1"
+ WEBSITE_VNET_ROUTE_ALL = "1"
+ WEBSITE_DNS_SERVER = "168.63.129.16"
+
+ // ENVIRONMENT
+ NODE_ENV = "production"
+
+ FETCH_KEEPALIVE_ENABLED = "true"
+ // see https://github.com/MicrosoftDocs/azure-docs/issues/29600#issuecomment-607990556
+ // and https://docs.microsoft.com/it-it/azure/app-service/app-service-web-nodejs-best-practices-and-troubleshoot-guide#scenarios-and-recommendationstroubleshooting
+ // FETCH_KEEPALIVE_SOCKET_ACTIVE_TTL should not exceed 120000 (app service socket timeout)
+ FETCH_KEEPALIVE_SOCKET_ACTIVE_TTL = "110000"
+ // (FETCH_KEEPALIVE_MAX_SOCKETS * number_of_node_processes) should not exceed 160 (max sockets per VM)
+ FETCH_KEEPALIVE_MAX_SOCKETS = "128"
+ FETCH_KEEPALIVE_MAX_FREE_SOCKETS = "10"
+ FETCH_KEEPALIVE_FREE_SOCKET_TIMEOUT = "30000"
+ FETCH_KEEPALIVE_TIMEOUT = "60000"
+
+
+ # REDIS
+ REDIS_URL = module.redis_spid_login.hostname
+ REDIS_PORT = module.redis_spid_login.ssl_port
+ REDIS_PASSWORD = module.redis_spid_login.primary_access_key
+
+ # SPID
+ ORG_ISSUER = "https://api-web.pagopa.it/ioweb/auth"
+ ORG_URL = "https://pagopa.gov.it"
+ ACS_BASE_URL = format("https://%s/%s", var.app_gateway_host_name, local.spid_login_base_path)
+ ORG_DISPLAY_NAME = "PagoPA S.p.A"
+ ORG_NAME = "PagoPA"
+
+ AUTH_N_CONTEXT = "https://www.spid.gov.it/SpidL2"
+
+ ENDPOINT_ACS = "/acs"
+ ENDPOINT_ERROR = "/error"
+ #TODO: set static site success endpoint
+ ENDPOINT_SUCCESS = "/success"
+ ENDPOINT_LOGIN = "/login"
+ ENDPOINT_METADATA = "/metadata"
+ ENDPOINT_LOGOUT = "/logout"
+
+ SPID_ATTRIBUTES = "name,familyName,fiscalNumber"
+
+ REQUIRED_ATTRIBUTES_SERVICE_NAME = "IO Web Onboarding Portal"
+ ENABLE_FULL_OPERATOR_METADATA = true
+ COMPANY_EMAIL = "pagopa@pec.governo.it"
+ COMPANY_FISCAL_CODE = 15376371009
+ COMPANY_IPA_CODE = "PagoPA"
+ COMPANY_NAME = "PagoPA S.p.A"
+ COMPANY_VAT_NUMBER = 15376371009
+
+ METADATA_PUBLIC_CERT = trimspace(data.azurerm_key_vault_secret.agid_spid_cert.value)
+ METADATA_PRIVATE_CERT = trimspace(data.azurerm_key_vault_secret.agid_spid_private_key.value)
+
+ ENABLE_JWT = "true"
+ INCLUDE_SPID_USER_ON_INTROSPECTION = "true"
+
+ TOKEN_EXPIRATION = "3600"
+ JWT_TOKEN_ISSUER = "api-web.io.pagopa.it/ioweb/auth"
+ JWT_TOKEN_PRIVATE_KEY = trimspace(tls_private_key.jwt.private_key_pem)
+ TOKEN_EXPIRATION = 3600
+
+ # ADE
+ ENABLE_ADE_AA = "false"
+
+ # application insights key
+ APPINSIGHTS_DISABLED = false
+ APPINSIGHTS_INSTRUMENTATIONKEY = data.azurerm_application_insights.application_insights.instrumentation_key
+
+ # Spid logs
+ ENABLE_SPID_ACCESS_LOGS = true
+ SPID_LOGS_ENABLE_PAYLOAD_ENCRYPTION = false
+ SPID_LOGS_STORAGE_CONNECTION_STRING = module.spid_logs_storage.primary_connection_string
+ SPID_LOGS_STORAGE_CONTAINER_NAME = azurerm_storage_container.spid_logs.name
+ }
+
+ allowed_subnets = [
+ data.azurerm_subnet.azdoa_snet.id,
+ data.azurerm_subnet.apim_v2_snet.id,
+ data.azurerm_subnet.ioweb_profile_snet.id,
+ ]
+ allowed_ips = []
+
+ subnet_id = module.spid_login_snet.id
+ vnet_integration = true
+
+ tags = var.tags
+}
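Review bot: `TOKEN_EXPIRATION` appears twice in `app_settings`, at L5231 as `"3600"` and at L5234 as `3600`; HCL reports duplicate keys in an object constructor as an error (or at best the second silently wins), so delete one. `JWT_TOKEN_PRIVATE_KEY` (L5233), `METADATA_PRIVATE_CERT` (L5226), `REDIS_PASSWORD` (L5196) and `SPID_LOGS_STORAGE_CONNECTION_STRING` (L5246) are written as plain app settings, which means anyone with read access to the site configuration sees the secret values; Key Vault references (`@Microsoft.KeyVault(SecretUri=...)`) resolved through a managed identity keep them in the vault and out of the app config. `SPID_LOGS_ENABLE_PAYLOAD_ENCRYPTION = false` at L5245 stores the SPID assertions (which carry `name,familyName,fiscalNumber` per L5215) unencrypted at the application layer; if that is a conscious choice because the account already uses a customer-managed key, say so in a comment. `ORG_ISSUER` (L5199) and `JWT_TOKEN_ISSUER` (L5232) use different hosts (`api-web.pagopa.it` vs `api-web.io.pagopa.it`); worth confirming that is intentional.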
diff --git a/src/domains/ioweb-common/99_locals.tf b/src/domains/ioweb-common/99_locals.tf
new file mode 100644
index 000000000..dd80188ab
--- /dev/null
+++ b/src/domains/ioweb-common/99_locals.tf
@@ -0,0 +1,18 @@
+locals {
+ project = "${var.prefix}-${var.env_short}-${var.location_short}-${var.domain}"
+ product = "${var.prefix}-${var.env_short}"
+
+ monitor_action_group_slack_name = "SlackPagoPA"
+ monitor_action_group_email_name = "EmailPagoPA"
+
+ vnet_common_name = "${local.product}-vnet-common"
+ vnet_common_resource_group_name = "${local.product}-rg-common"
+
+ acr_name = replace("${local.product}commonacr", "-", "")
+ acr_resource_group_name = "${local.product}-container-registry-rg"
+
+ apim_v2_name = "${local.product}-apim-v2-api"
+ apim_resource_group_name = "${local.product}-rg-internal"
+
+ spid_login_base_path = "ioweb/auth/v1"
+}
diff --git a/src/domains/ioweb-common/99_main.tf b/src/domains/ioweb-common/99_main.tf
new file mode 100644
index 000000000..07e5da8b6
--- /dev/null
+++ b/src/domains/ioweb-common/99_main.tf
@@ -0,0 +1,30 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "<= 3.40.0"
+ }
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "<= 2.33.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = "<= 3.2.1"
+ }
+ }
+
+ backend "azurerm" {}
+}
+
+provider "azurerm" {
+ features {
+ key_vault {
+ purge_soft_delete_on_destroy = false
+ }
+ }
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
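Review bot: `tls_private_key` is used in 02_security.tf but the `tls` provider is missing from `required_providers` at L5293, so its version is unpinned and only held by the lock file (4.0.4 with no constraint at L4539); add `tls = { source = "hashicorp/tls", version = "<= 4.0.4" }` alongside the others. There is also no `required_version` for Terraform itself, so the module will run under whatever CLI happens to be installed on the runner.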
diff --git a/src/domains/ioweb-common/99_variables.tf b/src/domains/ioweb-common/99_variables.tf
new file mode 100644
index 000000000..a353066c5
--- /dev/null
+++ b/src/domains/ioweb-common/99_variables.tf
@@ -0,0 +1,112 @@
+# general
+
+variable "prefix" {
+ type = string
+ validation {
+ condition = (
+ length(var.prefix) < 6
+ )
+ error_message = "Max length is 6 chars."
+ }
+}
+
+variable "env" {
+ type = string
+}
+
+variable "env_short" {
+ type = string
+ validation {
+ condition = (
+ length(var.env_short) == 1
+ )
+ error_message = "Length must be 1 chars."
+ }
+}
+
+variable "domain" {
+ type = string
+ validation {
+ condition = (
+ length(var.domain) <= 12
+ )
+ error_message = "Max length is 12 chars."
+ }
+}
+
+variable "location" {
+ type = string
+ description = "One of westeurope, northeurope"
+}
+
+variable "location_short" {
+ type = string
+ validation {
+ condition = (
+ length(var.location_short) == 3
+ )
+ error_message = "Length must be 3 chars."
+ }
+ description = "One of wue, neu"
+}
+
+variable "instance" {
+ type = string
+ description = "One of beta, prod01, prod02"
+}
+
+variable "tags" {
+ type = map(any)
+ default = {
+ CreatedBy = "Terraform"
+ }
+}
+
+### External resources
+
+variable "monitor_resource_group_name" {
+ type = string
+ description = "Monitor resource group name"
+}
+
+variable "log_analytics_workspace_name" {
+ type = string
+ description = "Specifies the name of the Log Analytics Workspace."
+}
+
+variable "log_analytics_workspace_resource_group_name" {
+ type = string
+ description = "The name of the resource group in which the Log Analytics workspace is located in."
+}
+
+variable "application_insights_name" {
+ type = string
+ description = "Specifies the name of the Application Insights."
+}
+
+variable "subnets_cidrs" {
+ type = map(
+ list(string)
+ )
+ description = "The CIDR address prefixes of the subnets"
+}
+
+
+### IO WEB Auth
+
+variable "app_gateway_host_name" {
+ type = string
+ description = "Application gateway host name"
+}
+
+variable "spid_login_plan_sku_tier" {
+ description = "App backend app plan sku tier"
+ type = string
+ default = "PremiumV3"
+}
+
+variable "spid_login_plan_sku_size" {
+ description = "App backend app plan sku size"
+ type = string
+ default = "P1v3"
+}
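Review bot: The `prefix` validation at L5334 allows at most 5 characters (`length(var.prefix) < 6`) while its `error_message` at L5336 says "Max length is 6 chars."; make them agree, e.g. `length(var.prefix) <= 6`, or change the message to match the condition. `env` at L5340 has no validation even though the wrapper script in this commit restricts it to dev/uat/prod; `condition = contains(["dev", "uat", "prod"], var.env)` would catch a typo before any resource names are built from it.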
diff --git a/src/domains/ioweb-common/README.md b/src/domains/ioweb-common/README.md
new file mode 100644
index 000000000..8c05972bd
--- /dev/null
+++ b/src/domains/ioweb-common/README.md
@@ -0,0 +1,100 @@
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [azuread](#requirement\_azuread) | <= 2.33.0 |
+| [azurerm](#requirement\_azurerm) | <= 3.40.0 |
+| [null](#requirement\_null) | <= 3.2.1 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [apim\_v2\_product\_ioweb](#module\_apim\_v2\_product\_ioweb) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product | v4.1.5 |
+| [apim\_v2\_spid\_login\_api](#module\_apim\_v2\_spid\_login\_api) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api | v4.1.5 |
+| [key\_vault](#module\_key\_vault) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v4.1.3 |
+| [landing\_cdn](#module\_landing\_cdn) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cdn | v7.2.1 |
+| [redis\_spid\_login](#module\_redis\_spid\_login) | git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache | v6.11.2 |
+| [redis\_spid\_login\_snet](#module\_redis\_spid\_login\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.15 |
+| [spid\_login](#module\_spid\_login) | git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service | v4.1.15 |
+| [spid\_login\_snet](#module\_spid\_login\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.15 |
+| [spid\_logs\_storage](#module\_spid\_logs\_storage) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account | v6.1.0 |
+| [spid\_logs\_storage\_customer\_managed\_key](#module\_spid\_logs\_storage\_customer\_managed\_key) | git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key | v6.1.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_api_management_api_operation_policy.spid_acs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
+| [azurerm_key_vault_access_policy.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.azdevops_platform_iac_policy_ioweb_kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.github_action_iac_cd_kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.github_action_iac_ci_kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.policy_ioweb_cdn_kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_secret.appinsights_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_key_vault_secret.appinsights_instrumentation_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_key_vault_secret.spid_login_jwt_pub_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_private_endpoint.spid_logs_storage_blob](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
+| [azurerm_resource_group.common_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.fe_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.storage_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_storage_container.spid_logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
+| [tls_private_key.jwt](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_service_principal.github_action_iac_cd](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
+| [azuread_service_principal.github_action_iac_ci](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
+| [azuread_service_principal.platform_iac_sp](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
+| [azurerm_api_management.apim_v2_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source |
+| [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_dns_zone.ioapp_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source |
+| [azurerm_key_vault_secret.agid_spid_cert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_key_vault_secret.agid_spid_private_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
+| [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
+| [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_monitor_action_group.error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_monitor_action_group.quarantine_error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_private_dns_zone.privatelink_blob_core_windows_net](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
+| [azurerm_private_dns_zone.privatelink_redis_cache](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
+| [azurerm_resource_group.core_ext](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_subnet.apim_v2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.azdoa_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.ioweb_profile_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_virtual_network.vnet_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [app\_gateway\_host\_name](#input\_app\_gateway\_host\_name) | Application gateway host name | `string` | n/a | yes |
+| [application\_insights\_name](#input\_application\_insights\_name) | Specifies the name of the Application Insights. | `string` | n/a | yes |
+| [domain](#input\_domain) | n/a | `string` | n/a | yes |
+| [env](#input\_env) | n/a | `string` | n/a | yes |
+| [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes |
+| [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes |
+| [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes |
+| [location\_short](#input\_location\_short) | One of wue, neu | `string` | n/a | yes |
+| [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | Specifies the name of the Log Analytics Workspace. | `string` | n/a | yes |
+| [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes |
+| [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes |
+| [prefix](#input\_prefix) | n/a | `string` | n/a | yes |
+| [spid\_login\_plan\_sku\_size](#input\_spid\_login\_plan\_sku\_size) | App backend app plan sku size | `string` | `"P1v3"` | no |
+| [spid\_login\_plan\_sku\_tier](#input\_spid\_login\_plan\_sku\_tier) | App backend app plan sku tier | `string` | `"PremiumV3"` | no |
+| [subnets\_cidrs](#input\_subnets\_cidrs) | The CIDR address prefixes of the subnets | map(
list(string)
)
| n/a | yes |
+| [tags](#input\_tags) | n/a | `map(any)` | {
"CreatedBy": "Terraform"
}
| no |
+
+## Outputs
+
+No outputs.
+
diff --git a/src/domains/ioweb-common/api/_base_policy.xml b/src/domains/ioweb-common/api/_base_policy.xml
new file mode 100644
index 000000000..ce1df461e
--- /dev/null
+++ b/src/domains/ioweb-common/api/_base_policy.xml
@@ -0,0 +1,26 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/src/domains/ioweb-common/api/ioweb/spid-login/_base_policy.xml b/src/domains/ioweb-common/api/ioweb/spid-login/_base_policy.xml
new file mode 100644
index 000000000..ce1df461e
--- /dev/null
+++ b/src/domains/ioweb-common/api/ioweb/spid-login/_base_policy.xml
@@ -0,0 +1,26 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/src/domains/ioweb-common/api/ioweb/spid-login/_postacs_policy.xml b/src/domains/ioweb-common/api/ioweb/spid-login/_postacs_policy.xml
new file mode 100644
index 000000000..f81ce8e9b
--- /dev/null
+++ b/src/domains/ioweb-common/api/ioweb/spid-login/_postacs_policy.xml
@@ -0,0 +1,10 @@
+
+
+
+
+ *
+
+
+
+
+
diff --git a/src/domains/ioweb-common/api/ioweb/spid-login/_swagger.json b/src/domains/ioweb-common/api/ioweb/spid-login/_swagger.json
new file mode 100644
index 000000000..8df394560
--- /dev/null
+++ b/src/domains/ioweb-common/api/ioweb/spid-login/_swagger.json
@@ -0,0 +1,128 @@
+{
+ "swagger": "2.0",
+ "info": {
+ "title": "HUB Login SPID",
+ "version": "1.0",
+ "description": "Login SPID Service Provider"
+ },
+ "schemes": [
+ "http",
+ "https"
+ ],
+ "securityDefinitions": {},
+ "security": [],
+ "paths": {
+ "/acs": {
+ "post": {
+ "description": "postACS",
+ "operationId": "postACS",
+ "summary": "postACS",
+ "responses": {
+ "200": {
+ "description": "ok"
+ }
+ }
+ }
+ },
+ "/error": {
+ "get": {
+ "description": "getError",
+ "operationId": "getError",
+ "summary": "getError",
+ "responses": {
+ "200": {
+ "description": "ok"
+ }
+ }
+ }
+ },
+ "/invalidate": {
+ "post": {
+ "description": "postInvalidate",
+ "operationId": "postInvalidate",
+ "summary": "postInvalidate",
+ "responses": {
+ "200": {
+ "description": "ok"
+ }
+ }
+ }
+ },
+ "/introspect": {
+ "post": {
+ "description": "postIntrospect",
+ "operationId": "postIntrospect",
+ "summary": "postIntrospect",
+ "responses": {
+ "200": {
+ "description": "ok"
+ }
+ }
+ }
+ },
+ "/login": {
+ "get": {
+ "description": "getLogin",
+ "operationId": "getLogin",
+ "summary": "getLogin",
+ "responses": {
+ "200": {
+ "description": "ok"
+ },
+ "400": {
+ "description": ""
+ }
+ }
+ }
+ },
+ "/logout": {
+ "post": {
+ "description": "postLogout",
+ "operationId": "postLogout",
+ "summary": "postLogout",
+ "responses": {
+ "200": {
+ "description": "ok"
+ }
+ }
+ }
+ },
+ "/metadata": {
+ "get": {
+ "description": "getMetadata",
+ "operationId": "getMetadata",
+ "summary": "getMetadata",
+ "responses": {
+ "200": {
+ "description": "ok"
+ }
+ }
+ }
+ },
+ "/refresh": {
+ "get": {
+ "description": "getRefresh",
+ "operationId": "getRefresh",
+ "summary": "getRefresh",
+ "responses": {
+ "200": {
+ "description": "ok"
+ }
+ }
+ }
+ },
+ "/success": {
+ "get": {
+ "description": "getSuccess",
+ "operationId": "getSuccess",
+ "summary": "getSuccess",
+ "responses": {
+ "200": {
+ "description": "ok"
+ }
+ }
+ }
+ }
+ },
+ "tags": []
+}
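Review bot: The `schemes` list at the top of the definition advertises plain `http` alongside `https` for an API whose paths include `/acs` (the SAML assertion consumer) and `/login`; if the APIM API ends up with its protocols derived from this document rather than from an explicit module argument, SPID responses and session material could be accepted over cleartext. Dropping `"http"` from `schemes` makes the definition state the intended transport regardless of how the module maps it. The `400` response on `/login` also has an empty `description`, which is harmless but worth filling in to match the other responses.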
diff --git a/src/domains/ioweb-common/api_product/ioweb/_base_policy.xml b/src/domains/ioweb-common/api_product/ioweb/_base_policy.xml
new file mode 100644
index 000000000..1470d7f76
--- /dev/null
+++ b/src/domains/ioweb-common/api_product/ioweb/_base_policy.xml
@@ -0,0 +1,19 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/src/domains/ioweb-common/env/prod/backend.ini b/src/domains/ioweb-common/env/prod/backend.ini
new file mode 100644
index 000000000..cf83055f5
--- /dev/null
+++ b/src/domains/ioweb-common/env/prod/backend.ini
@@ -0,0 +1 @@
+subscription=PROD-IO
diff --git a/src/domains/ioweb-common/env/prod/backend.tfvars b/src/domains/ioweb-common/env/prod/backend.tfvars
new file mode 100644
index 000000000..36f174896
--- /dev/null
+++ b/src/domains/ioweb-common/env/prod/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfinfprodio"
+container_name = "terraform-state"
+key = "io-infra.ioweb-common-prod.tfstate"
diff --git a/src/domains/ioweb-common/env/prod/terraform.tfvars b/src/domains/ioweb-common/env/prod/terraform.tfvars
new file mode 100644
index 000000000..4fe7c005c
--- /dev/null
+++ b/src/domains/ioweb-common/env/prod/terraform.tfvars
@@ -0,0 +1,33 @@
+prefix = "io"
+env_short = "p"
+env = "prod"
+domain = "ioweb"
+location = "westeurope"
+location_short = "weu"
+instance = "common"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Prod"
+ Owner = "IO"
+ Source = "https://github.com/pagopa/io-infra/tree/main/src/domains/ioweb-common"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+}
+
+### External resources
+
+monitor_resource_group_name = "io-p-rg-common"
+log_analytics_workspace_name = "io-p-law-common"
+log_analytics_workspace_resource_group_name = "io-p-rg-common"
+application_insights_name = "io-p-ai-common"
+
+
+# You can retrieve the list of current defined subnets using the CLI command
+# az network vnet subnet list --subscription PROD-IO --vnet-name io-p-vnet-common --resource-group io-p-rg-common --output table
+# and thus define new CIDRs according to the unallocated address space
+subnets_cidrs = {
+ spid_login = ["10.0.114.0/24"]
+ redis_spid_login = ["10.0.116.0/24"]
+}
+
+app_gateway_host_name = "api-web.io.pagopa.it"
diff --git a/src/domains/ioweb-common/terraform.sh b/src/domains/ioweb-common/terraform.sh
new file mode 100755
index 000000000..8e90bb419
--- /dev/null
+++ b/src/domains/ioweb-common/terraform.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+set -e
+
+action=$1
+env=$2
+shift 2
+other=$@
+
+if [ -z "$action" ]; then
+ echo "Missed action: init, apply, plan"
+ exit 0
+fi
+
+if [ -z "$env" ]; then
+ echo "env should be: dev, uat or prod."
+ exit 0
+fi
+
+source "./env/$env/backend.ini"
+az account set -s "${subscription}"
+
+if [ "$action" = "force-unlock" ]; then
+ echo "🧭 terraform INIT in env: ${env}"
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars" $other
+ warn_message="You are about to unlock Terraform's remote state.
+ This is a dangerous task you want to be aware of before going on.
+ This operation won't affect your infrastructure directly.
+ However, please note that you may lose pieces of information about partially-applied configurations.
+
+ Please refer to the official Terraform documentation about the command:
+ https://developer.hashicorp.com/terraform/cli/commands/force-unlock"
+ printf "\n\e[33m%s\e[0m\n\n" "$warn_message"
+
+ read -r -p "Please enter the LOCK ID: " lock_id
+ terraform force-unlock "$lock_id"
+
+ exit 0 # this line prevents the script to go on
+fi
+
+if echo "init plan apply refresh import output state taint destroy" | grep -w $action > /dev/null; then
+ if [ $action = "init" ]; then
+ terraform $action -reconfigure -backend-config="./env/$env/backend.tfvars" $other
+ elif [ $action = "output" ] || [ $action = "state" ] || [ $action = "taint" ]; then
+ # init terraform backend
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ terraform $action $other
+ else
+ # init terraform backend
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ terraform $action -var-file="./env/$env/terraform.tfvars" $other
+ fi
+else
+ echo "Action not allowed."
+ exit 1
+fi
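Review bot: The argument-validation branches for an empty `action` and an empty `env` end in `exit 0`, so a CI step that invokes this script with missing arguments is reported as successful; both should `exit 1`. `other=$@` also collapses the remaining arguments into a single string that is re-split wherever `$other` is expanded unquoted on the `terraform` lines, so an argument containing spaces (a quoted `-var` value, for instance) is broken apart; capturing them as an array avoids that. The usage text names `dev, uat or prod` while this change only adds `env/prod`, and a misspelled env is not checked before `source "./env/$env/backend.ini"`, which then fails with a raw shell error rather than a usage message.
```shell
action=$1
env=$2
shift 2
other=("$@")

if [ -z "$action" ]; then
  echo "Missed action: init, apply, plan"
  exit 1
fi

if [ -z "$env" ] || [ ! -d "./env/$env" ]; then
  echo "env should be one of:"
  ls "./env"
  exit 1
fi

# … unchanged: backend.ini source, az account set, force-unlock branch, action dispatch …
# every later use of $other becomes "${other[@]}", e.g.:
terraform "$action" -var-file="./env/$env/terraform.tfvars" "${other[@]}"
```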
diff --git a/src/domains/messages-app/00_azuread.tf b/src/domains/messages-app/00_azuread.tf
index 316c5675c..bfffd3a8b 100644
--- a/src/domains/messages-app/00_azuread.tf
+++ b/src/domains/messages-app/00_azuread.tf
@@ -3,10 +3,6 @@ data "azuread_group" "adgroup_admin" {
display_name = format("%s-adgroup-admin", local.product)
}
-data "azuread_group" "adgroup_contributors" {
- display_name = format("%s-adgroup-contributors", local.product)
-}
-
data "azuread_group" "adgroup_developers" {
display_name = format("%s-adgroup-developers", local.product)
}
diff --git a/src/domains/messages-app/06_events.tf b/src/domains/messages-app/06_events.tf
index d01cfa5a3..86662494a 100644
--- a/src/domains/messages-app/06_events.tf
+++ b/src/domains/messages-app/06_events.tf
@@ -42,11 +42,7 @@ module "event_hub" {
metric_alerts = var.ehns_metric_alerts
action = [
{
- action_group_id = data.azurerm_monitor_action_group.slack.id
- webhook_properties = null
- },
- {
- action_group_id = data.azurerm_monitor_action_group.email.id
+ action_group_id = data.azurerm_monitor_action_group.error_action_group.id
webhook_properties = null
}
]
diff --git a/src/domains/messages-app/README.md b/src/domains/messages-app/README.md
index d3e2cde9f..2d59664de 100644
--- a/src/domains/messages-app/README.md
+++ b/src/domains/messages-app/README.md
@@ -10,15 +10,6 @@
| [kubernetes](#requirement\_kubernetes) | = 2.17.0 |
| [null](#requirement\_null) | <= 3.2.1 |
-## Providers
-
-| Name | Version |
-|------|---------|
-| [azuread](#provider\_azuread) | 2.33.0 |
-| [azurerm](#provider\_azurerm) | 3.40.0 |
-| [helm](#provider\_helm) | 2.8.0 |
-| [kubernetes](#provider\_kubernetes) | 2.17.0 |
-
## Modules
| Name | Source | Version |
@@ -58,7 +49,6 @@
| [kubernetes_role_binding.system_deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/2.17.0/docs/resources/role_binding) | resource |
| [kubernetes_service_account.azure_devops](https://registry.terraform.io/providers/hashicorp/kubernetes/2.17.0/docs/resources/service_account) | resource |
| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
-| [azuread_group.adgroup_contributors](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
diff --git a/src/domains/messages-common/00_azuread.tf b/src/domains/messages-common/00_azuread.tf
index 316c5675c..bfffd3a8b 100644
--- a/src/domains/messages-common/00_azuread.tf
+++ b/src/domains/messages-common/00_azuread.tf
@@ -3,10 +3,6 @@ data "azuread_group" "adgroup_admin" {
display_name = format("%s-adgroup-admin", local.product)
}
-data "azuread_group" "adgroup_contributors" {
- display_name = format("%s-adgroup-contributors", local.product)
-}
-
data "azuread_group" "adgroup_developers" {
display_name = format("%s-adgroup-developers", local.product)
}
diff --git a/src/domains/messages-common/02_key_vault.tf b/src/domains/messages-common/02_key_vault.tf
index 3cf655bb1..5a62b9428 100644
--- a/src/domains/messages-common/02_key_vault.tf
+++ b/src/domains/messages-common/02_key_vault.tf
@@ -30,19 +30,6 @@ resource "azurerm_key_vault_access_policy" "adgroup_admin" {
certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
-## adgroup_developers group policy ##
-resource "azurerm_key_vault_access_policy" "adgroup_contributors" {
- key_vault_id = module.key_vault.id
-
- tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azuread_group.adgroup_contributors.object_id
-
- key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
- secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
- storage_permissions = []
- certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
-}
-
## adgroup_developers group policy ##
resource "azurerm_key_vault_access_policy" "adgroup_developers" {
key_vault_id = module.key_vault.id
diff --git a/src/domains/messages-common/05_apim.tf b/src/domains/messages-common/05_apim.tf
index 73f7e20cf..a87a7f90e 100644
--- a/src/domains/messages-common/05_apim.tf
+++ b/src/domains/messages-common/05_apim.tf
@@ -136,6 +136,7 @@ resource "azurerm_api_management_subscription" "reminder" {
product_id = module.apim_product_notifications.id
display_name = "Reminder API"
state = "active"
+ allow_tracing = false
}
resource "azurerm_key_vault_secret" "reminder_subscription_primary_key" {
@@ -167,6 +168,7 @@ resource "azurerm_api_management_subscription" "payment_updater_reminder" {
product_id = data.azurerm_api_management_product.payment_updater_product.id
display_name = "Payment Updater API"
state = "active"
+ allow_tracing = false
}
resource "azurerm_key_vault_secret" "reminder_paymentapi_subscription_primary_key" {
diff --git a/src/domains/messages-common/05_apim_v2.tf b/src/domains/messages-common/05_apim_v2.tf
index 091d4795d..f605cc6c0 100644
--- a/src/domains/messages-common/05_apim_v2.tf
+++ b/src/domains/messages-common/05_apim_v2.tf
@@ -129,20 +129,19 @@ resource "azurerm_api_management_group_user" "reminder_group_v2" {
api_management_name = azurerm_api_management_user.reminder_user_v2.api_management_name
}
-# TODO import after migration
-# resource "azurerm_api_management_subscription" "reminder_v2" {
-# api_management_name = data.azurerm_api_management.apim_v2_api.name
-# resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
-# user_id = azurerm_api_management_user.reminder_user_v2.id
-# product_id = module.apim_v2_product_notifications.id
-# display_name = "Reminder API"
-# state = "active"
-# }
+resource "azurerm_api_management_subscription" "reminder_v2" {
+ api_management_name = data.azurerm_api_management.apim_v2_api.name
+ resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
+ user_id = azurerm_api_management_user.reminder_user_v2.id
+ product_id = module.apim_v2_product_notifications.id
+ display_name = "Reminder API"
+ state = "active"
+ allow_tracing = false
+}
resource "azurerm_key_vault_secret" "reminder_subscription_primary_key_v2" {
- name = "${format("%s-reminder", local.product)}-subscription-key-v2"
- value = azurerm_api_management_subscription.reminder.primary_key
- #TODO import after migration value = azurerm_api_management_subscription.reminder_v2.primary_key
+ name = "${format("%s-reminder", local.product)}-subscription-key-v2"
+ value = azurerm_api_management_subscription.reminder_v2.primary_key
content_type = "subscription key"
key_vault_id = module.key_vault.id
}
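Review bot: Declaring `azurerm_api_management_subscription.reminder_v2` without the import that the removed `# TODO import after migration` comment referred to means that, if a subscription of this name already exists on the v2 APIM, `apply` either fails on the existing object or provisions a second subscription with a fresh key; in the latter case the `...-subscription-key-v2` Key Vault secret below is overwritten with the new `primary_key` and consumers still holding the previous key stop authenticating. The same applies to `payment_updater_reminder_v2` and its `reminder_paymentapi_subscription_primary_key_v2` secret in the next hunk. If the import was performed out of band, a one-line comment on each resource such as `# imported into state during the APIM v2 migration` would record it; otherwise the import step belongs with this change. Setting `allow_tracing = false` on both new subscriptions is the right default, since tracing exposes request and response contents in the APIM trace output.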
@@ -162,20 +161,19 @@ resource "azurerm_api_management_group_user" "payment_group_v2" {
api_management_name = azurerm_api_management_user.reminder_user_v2.api_management_name
}
-# TODO import after migration
-# resource "azurerm_api_management_subscription" "payment_updater_reminder_v2" {
-# api_management_name = data.azurerm_api_management.apim_v2_api.name
-# resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
-# user_id = azurerm_api_management_user.reminder_user_v2.id
-# product_id = data.azurerm_api_management_product.payment_updater_product_v2.id
-# display_name = "Payment Updater API"
-# state = "active"
-# }
+resource "azurerm_api_management_subscription" "payment_updater_reminder_v2" {
+ api_management_name = data.azurerm_api_management.apim_v2_api.name
+ resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
+ user_id = azurerm_api_management_user.reminder_user_v2.id
+ product_id = data.azurerm_api_management_product.payment_updater_product_v2.id
+ display_name = "Payment Updater API"
+ state = "active"
+ allow_tracing = false
+}
resource "azurerm_key_vault_secret" "reminder_paymentapi_subscription_primary_key_v2" {
- name = "${format("%s-reminder-payment-api", local.product)}-subscription-key-v2"
- value = azurerm_api_management_subscription.payment_updater_reminder.primary_key
- #TODO import after migration value = azurerm_api_management_subscription.payment_updater_reminder_v2.primary_key
+ name = "${format("%s-reminder-payment-api", local.product)}-subscription-key-v2"
+ value = azurerm_api_management_subscription.payment_updater_reminder_v2.primary_key
content_type = "subscription key"
key_vault_id = module.key_vault.id
}
diff --git a/src/domains/messages-common/README.md b/src/domains/messages-common/README.md
index b33de5072..d955cacce 100644
--- a/src/domains/messages-common/README.md
+++ b/src/domains/messages-common/README.md
@@ -8,13 +8,6 @@
| [azurerm](#requirement\_azurerm) | <= 3.40.0 |
| [null](#requirement\_null) | <= 3.2.1 |
-## Providers
-
-| Name | Version |
-|------|---------|
-| [azuread](#provider\_azuread) | 2.33.0 |
-| [azurerm](#provider\_azurerm) | 3.40.0 |
-
## Modules
| Name | Source | Version |
@@ -53,12 +46,13 @@
| [azurerm_api_management_group_user.reminder_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_group_user) | resource |
| [azurerm_api_management_group_user.reminder_group_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_group_user) | resource |
| [azurerm_api_management_subscription.payment_updater_reminder](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource |
+| [azurerm_api_management_subscription.payment_updater_reminder_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource |
| [azurerm_api_management_subscription.reminder](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource |
+| [azurerm_api_management_subscription.reminder_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource |
| [azurerm_api_management_user.reminder_user](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_user) | resource |
| [azurerm_api_management_user.reminder_user_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_user) | resource |
| [azurerm_cosmosdb_mongo_database.db_reminder](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_mongo_database) | resource |
| [azurerm_key_vault_access_policy.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
-| [azurerm_key_vault_access_policy.adgroup_contributors](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.azdevops_platform_iac_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_secret.api_storage_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
@@ -86,7 +80,6 @@
| [azurerm_storage_queue.push_notifications_queue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_queue) | resource |
| [azurerm_storage_table.notificationhub_beta_test_users_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_table) | resource |
| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
-| [azuread_group.adgroup_contributors](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
diff --git a/src/domains/payments-app/00_azuread.tf b/src/domains/payments-app/00_azuread.tf
index 316c5675c..bfffd3a8b 100644
--- a/src/domains/payments-app/00_azuread.tf
+++ b/src/domains/payments-app/00_azuread.tf
@@ -3,10 +3,6 @@ data "azuread_group" "adgroup_admin" {
display_name = format("%s-adgroup-admin", local.product)
}
-data "azuread_group" "adgroup_contributors" {
- display_name = format("%s-adgroup-contributors", local.product)
-}
-
data "azuread_group" "adgroup_developers" {
display_name = format("%s-adgroup-developers", local.product)
}
diff --git a/src/domains/payments-app/04_events.tf b/src/domains/payments-app/04_events.tf
index 26b804e81..59c65a098 100644
--- a/src/domains/payments-app/04_events.tf
+++ b/src/domains/payments-app/04_events.tf
@@ -41,11 +41,7 @@ module "event_hub" {
metric_alerts = var.ehns_metric_alerts
action = [
{
- action_group_id = data.azurerm_monitor_action_group.slack.id
- webhook_properties = null
- },
- {
- action_group_id = data.azurerm_monitor_action_group.email.id
+ action_group_id = data.azurerm_monitor_action_group.error_action_group.id
webhook_properties = null
}
]
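Review bot: The alert now fans out only to `data.azurerm_monitor_action_group.error_action_group`, whose data block is not in this hunk, so the plan fails at reference resolution unless it is declared elsewhere in payments-app. If it is, confirm that this single action group still reaches the Slack and e-mail receivers the two removed entries covered; otherwise the consolidation quietly narrows who is notified of Event Hub metric alerts. A one-line comment on the new entry, `# error_action_group aggregates the slack + email receivers previously listed here`, would record the intent if that is the case. The enclosing `module "event_hub"` block starts before this hunk.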
diff --git a/src/domains/payments-app/README.md b/src/domains/payments-app/README.md
index eac46527d..8b3a45630 100644
--- a/src/domains/payments-app/README.md
+++ b/src/domains/payments-app/README.md
@@ -10,15 +10,6 @@
| [kubernetes](#requirement\_kubernetes) | = 2.17.0 |
| [null](#requirement\_null) | <= 3.2.1 |
-## Providers
-
-| Name | Version |
-|------|---------|
-| [azuread](#provider\_azuread) | 2.33.0 |
-| [azurerm](#provider\_azurerm) | 3.40.0 |
-| [helm](#provider\_helm) | 2.8.0 |
-| [kubernetes](#provider\_kubernetes) | 2.17.0 |
-
## Modules
| Name | Source | Version |
@@ -47,7 +38,6 @@
| [kubernetes_role_binding.system_deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/2.17.0/docs/resources/role_binding) | resource |
| [kubernetes_service_account.azure_devops](https://registry.terraform.io/providers/hashicorp/kubernetes/2.17.0/docs/resources/service_account) | resource |
| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
-| [azuread_group.adgroup_contributors](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
diff --git a/src/domains/payments-common/00_azuread.tf b/src/domains/payments-common/00_azuread.tf
index 316c5675c..bfffd3a8b 100644
--- a/src/domains/payments-common/00_azuread.tf
+++ b/src/domains/payments-common/00_azuread.tf
@@ -3,10 +3,6 @@ data "azuread_group" "adgroup_admin" {
display_name = format("%s-adgroup-admin", local.product)
}
-data "azuread_group" "adgroup_contributors" {
- display_name = format("%s-adgroup-contributors", local.product)
-}
-
data "azuread_group" "adgroup_developers" {
display_name = format("%s-adgroup-developers", local.product)
}
diff --git a/src/domains/payments-common/02_key_vault.tf b/src/domains/payments-common/02_key_vault.tf
index 30b06a316..1d0fa2f21 100644
--- a/src/domains/payments-common/02_key_vault.tf
+++ b/src/domains/payments-common/02_key_vault.tf
@@ -30,19 +30,6 @@ resource "azurerm_key_vault_access_policy" "adgroup_admin" {
certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
-## adgroup_developers group policy ##
-resource "azurerm_key_vault_access_policy" "adgroup_contributors" {
- key_vault_id = module.key_vault.id
-
- tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azuread_group.adgroup_contributors.object_id
-
- key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
- secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
- storage_permissions = []
- certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
-}
-
## adgroup_developers group policy ##
resource "azurerm_key_vault_access_policy" "adgroup_developers" {
key_vault_id = module.key_vault.id
diff --git a/src/domains/payments-common/03_database.tf b/src/domains/payments-common/03_database.tf
index a313e31de..6ec8f8795 100644
--- a/src/domains/payments-common/03_database.tf
+++ b/src/domains/payments-common/03_database.tf
@@ -79,6 +79,33 @@ module "mongdb_collection_payment" {
lock_enable = true
}
+module "mongdb_collection_payment_sharded" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_mongodb_collection?ref=v4.1.8"
+
+ name = "payment-sharded"
+ resource_group_name = azurerm_resource_group.data_rg.name
+
+ cosmosdb_mongo_account_name = module.cosmosdb_account_mongodb.name
+ cosmosdb_mongo_database_name = azurerm_cosmosdb_mongo_database.db.name
+
+ shard_key = "rptId"
+
+ indexes = [
+ {
+ keys = ["_id"]
+ unique = true
+ },
+ {
+ keys = ["rptId"]
+ unique = false
+ },
+ {
+ keys = ["content_paymentData_payeeFiscalCode", "content_paymentData_noticeNumber"]
+ unique = false
+ },
+ ]
+}
+
module "mongdb_collection_payment_retry" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_mongodb_collection?ref=v4.1.8"
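Review bot: The new `mongdb_collection_payment_sharded` module omits `lock_enable = true`, while its sibling `mongdb_collection_payment` sets it (visible at the top of the hunk), so the sharded payment collection can be dropped by an accidental `terraform destroy` or targeted apply that the lock would block on the original. Unless the omission is deliberate, add `lock_enable = true` after `shard_key = "rptId"` so both payment collections get the same protection. If it is deliberate, a one-line comment stating why would stop the next reviewer from flagging it again.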
diff --git a/src/domains/payments-common/README.md b/src/domains/payments-common/README.md
index 47656f21a..2ce187ba4 100644
--- a/src/domains/payments-common/README.md
+++ b/src/domains/payments-common/README.md
@@ -8,13 +8,6 @@
| [azurerm](#requirement\_azurerm) | <= 3.40.0 |
| [null](#requirement\_null) | <= 3.2.1 |
-## Providers
-
-| Name | Version |
-|------|---------|
-| [azuread](#provider\_azuread) | 2.33.0 |
-| [azurerm](#provider\_azurerm) | 3.40.0 |
-
## Modules
| Name | Source | Version |
@@ -27,6 +20,7 @@
| [key\_vault](#module\_key\_vault) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v4.1.8 |
| [mongdb\_collection\_payment](#module\_mongdb\_collection\_payment) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_mongodb_collection | v4.1.8 |
| [mongdb\_collection\_payment\_retry](#module\_mongdb\_collection\_payment\_retry) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_mongodb_collection | v4.1.8 |
+| [mongdb\_collection\_payment\_sharded](#module\_mongdb\_collection\_payment\_sharded) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_mongodb_collection | v4.1.8 |
## Resources
@@ -34,7 +28,6 @@
|------|------|
| [azurerm_cosmosdb_mongo_database.db](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_mongo_database) | resource |
| [azurerm_key_vault_access_policy.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
-| [azurerm_key_vault_access_policy.adgroup_contributors](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.azdevops_platform_iac_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_secret.appinsights_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
@@ -44,7 +37,6 @@
| [azurerm_resource_group.data_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
-| [azuread_group.adgroup_contributors](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
diff --git a/src/domains/profile-app/00_azuread.tf b/src/domains/profile-app/00_azuread.tf
index 316c5675c..bfffd3a8b 100644
--- a/src/domains/profile-app/00_azuread.tf
+++ b/src/domains/profile-app/00_azuread.tf
@@ -3,10 +3,6 @@ data "azuread_group" "adgroup_admin" {
display_name = format("%s-adgroup-admin", local.product)
}
-data "azuread_group" "adgroup_contributors" {
- display_name = format("%s-adgroup-contributors", local.product)
-}
-
data "azuread_group" "adgroup_developers" {
display_name = format("%s-adgroup-developers", local.product)
}
diff --git a/src/domains/profile-app/README.md b/src/domains/profile-app/README.md
index f684f719d..7e0cd4093 100644
--- a/src/domains/profile-app/README.md
+++ b/src/domains/profile-app/README.md
@@ -10,15 +10,6 @@
| [kubernetes](#requirement\_kubernetes) | = 2.17.0 |
| [null](#requirement\_null) | <= 3.2.1 |
-## Providers
-
-| Name | Version |
-|------|---------|
-| [azuread](#provider\_azuread) | 2.33.0 |
-| [azurerm](#provider\_azurerm) | 3.40.0 |
-| [helm](#provider\_helm) | 2.8.0 |
-| [kubernetes](#provider\_kubernetes) | 2.17.0 |
-
## Modules
| Name | Source | Version |
@@ -41,7 +32,6 @@
| [kubernetes_role_binding.system_deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/2.17.0/docs/resources/role_binding) | resource |
| [kubernetes_service_account.azure_devops](https://registry.terraform.io/providers/hashicorp/kubernetes/2.17.0/docs/resources/service_account) | resource |
| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
-| [azuread_group.adgroup_contributors](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
diff --git a/src/domains/profile-common/00_azuread.tf b/src/domains/profile-common/00_azuread.tf
index 316c5675c..bfffd3a8b 100644
--- a/src/domains/profile-common/00_azuread.tf
+++ b/src/domains/profile-common/00_azuread.tf
@@ -3,10 +3,6 @@ data "azuread_group" "adgroup_admin" {
display_name = format("%s-adgroup-admin", local.product)
}
-data "azuread_group" "adgroup_contributors" {
- display_name = format("%s-adgroup-contributors", local.product)
-}
-
data "azuread_group" "adgroup_developers" {
display_name = format("%s-adgroup-developers", local.product)
}
diff --git a/src/domains/profile-common/02_key_vault.tf b/src/domains/profile-common/02_key_vault.tf
index 116a01291..c997d1bd9 100644
--- a/src/domains/profile-common/02_key_vault.tf
+++ b/src/domains/profile-common/02_key_vault.tf
@@ -30,19 +30,6 @@ resource "azurerm_key_vault_access_policy" "adgroup_admin" {
certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
-## adgroup_developers group policy ##
-resource "azurerm_key_vault_access_policy" "adgroup_contributors" {
- key_vault_id = module.key_vault.id
-
- tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azuread_group.adgroup_contributors.object_id
-
- key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
- secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
- storage_permissions = []
- certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
-}
-
## adgroup_developers group policy ##
resource "azurerm_key_vault_access_policy" "adgroup_developers" {
key_vault_id = module.key_vault.id
diff --git a/src/domains/profile-common/README.md b/src/domains/profile-common/README.md
index 2e501cb06..8dd2e4dbc 100644
--- a/src/domains/profile-common/README.md
+++ b/src/domains/profile-common/README.md
@@ -8,13 +8,6 @@
| [azurerm](#requirement\_azurerm) | <= 3.40.0 |
| [null](#requirement\_null) | <= 3.2.1 |
-## Providers
-
-| Name | Version |
-|------|---------|
-| [azuread](#provider\_azuread) | 2.33.0 |
-| [azurerm](#provider\_azurerm) | 3.40.0 |
-
## Modules
| Name | Source | Version |
@@ -26,14 +19,12 @@
| Name | Type |
|------|------|
| [azurerm_key_vault_access_policy.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
-| [azurerm_key_vault_access_policy.adgroup_contributors](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.azdevops_platform_iac_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_secret.appinsights_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
| [azurerm_key_vault_secret.appinsights_instrumentation_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
| [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
-| [azuread_group.adgroup_contributors](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
diff --git a/src/domains/sign/.terraform.lock.hcl b/src/domains/sign/.terraform.lock.hcl
index 13bd1d69d..9b74c820c 100644
--- a/src/domains/sign/.terraform.lock.hcl
+++ b/src/domains/sign/.terraform.lock.hcl
@@ -47,6 +47,25 @@ provider "registry.terraform.io/hashicorp/azurerm" {
]
}
+provider "registry.terraform.io/hashicorp/http" {
+ version = "3.4.0"
+ hashes = [
+ "h1:AaRLrzxA1t02OIwO32uLp85npqRLZSwPFgrHxb9qp0c=",
+ "zh:56712497a87bc4e91bbaf1a5a2be4b3f9cfa2384baeb20fc9fad0aff8f063914",
+ "zh:6661355e1090ebacab16a40ede35b029caffc279d67da73a000b6eecf0b58eba",
+ "zh:67b92d343e808b92d7e6c3bbcb9b9d5475fecfed0836963f7feb9d9908bd4c4f",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:86ebb9be9b685c96dbb5c024b55d87526d57a4b127796d6046344f8294d3f28e",
+ "zh:902be7cfca4308cba3e1e7ba6fc292629dfd150eb9a9f054a854fa1532b0ceba",
+ "zh:9ba26e0215cd53b21fe26a0a98c007de1348b7d13a75ae3cfaf7729e0f2c50bb",
+ "zh:a195c941e1f1526147134c257ff549bea4c89c953685acd3d48d9de7a38f39dc",
+ "zh:a7967b3d2a8c3e7e1dc9ae381ca753268f9fce756466fe2fc9e414ca2d85a92e",
+ "zh:bde56542e9a093434d96bea21c341285737c6d38fea2f05e12ba7b333f3e9c05",
+ "zh:c0306f76903024c497fd01f9fd9bace5854c263e87a97bc2e89dcc96d35ca3cc",
+ "zh:f9335a6c336171e85f8e3e99c3d31758811a19aeb21fa8c9013d427e155ae2a9",
+ ]
+}
+
provider "registry.terraform.io/hashicorp/null" {
version = "3.2.1"
constraints = "<= 3.2.1"
diff --git a/src/domains/sign/00_azuread.tf b/src/domains/sign/00_azuread.tf
index 64773a641..099ca18dc 100644
--- a/src/domains/sign/00_azuread.tf
+++ b/src/domains/sign/00_azuread.tf
@@ -3,10 +3,6 @@ data "azuread_group" "adgroup_admin" {
display_name = format("%s-adgroup-admin", local.product)
}
-data "azuread_group" "adgroup_contributors" {
- display_name = format("%s-adgroup-contributors", local.product)
-}
-
data "azuread_group" "adgroup_developers" {
display_name = format("%s-adgroup-developers", local.product)
}
diff --git a/src/domains/sign/99_main.tf b/src/domains/sign/99_main.tf
index ee585c168..17be26fac 100644
--- a/src/domains/sign/99_main.tf
+++ b/src/domains/sign/99_main.tf
@@ -2,11 +2,11 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
- version = ">= 3.40.0"
+ version = "<= 3.40.0"
}
azuread = {
source = "hashicorp/azuread"
- version = ">= 2.33.0"
+ version = "<= 2.33.0"
}
}
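Review bot: The new constraints `<= 3.40.0` and `<= 2.33.0` have no lower bound, so any run that does not use the committed `.terraform.lock.hcl` (a fresh `init -upgrade`, or a CI job that regenerates the lockfile) is free to resolve an arbitrarily old azurerm/azuread release with a different hash set. This matches the `<= 3.40.0` convention the other domains' READMEs show, but it still leaves the floor open; an exact pin states the "stay on the tested release" intent without the hole: `version = "= 3.40.0"` and `version = "= 2.33.0"`. Either way, keep the lockfile committed, since its hashes are what actually gets verified at `init`.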
diff --git a/src/domains/sign/99_variables.tf b/src/domains/sign/99_variables.tf
index bbb7c1935..4baa14d8b 100644
--- a/src/domains/sign/99_variables.tf
+++ b/src/domains/sign/99_variables.tf
@@ -58,9 +58,11 @@ variable "dns_default_ttl_sec" {
default = 3600
}
-variable "dns_zone_name" {
- type = string
- description = "The name for the DNS zone"
+variable "dns_zone_names" {
+ type = object({
+ website = string
+ })
+ description = "The names for the DNS zones"
}
variable "subnets_cidrs" {
@@ -109,6 +111,15 @@ variable "io_sign_database_user" {
)
}
+variable "io_sign_database_backoffice" {
+ type = map(
+ object({
+ max_throughput = number
+ ttl = number
+ })
+ )
+}
+
variable "io_sign_issuer_func" {
type = object({
sku_tier = string
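Review bot: `variable "io_sign_database_backoffice"` has no `description`, unlike the neighbouring `dns_zone_names` and `integration_hub` variables, and the map's expected keys are only discoverable from `cosmos_backoffice.tf` in this diff, which indexes it with `api_keys` and `issuers`. Suggest `description = "Per-container settings for the backoffice Cosmos DB: map keyed by container name (api_keys, issuers, ...) with the autoscale max RU/s and the default document TTL in seconds."`. Since every container reads both fields, a `validation` block checking that the required keys are present would fail at plan time on a misspelled key instead of during module evaluation.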
@@ -167,3 +178,25 @@ variable "integration_hub" {
})
description = "The configuration, hubs and keys of the event hub relative to external integration"
}
+
+variable "io_common" {
+ type = object({
+ resource_group_name = string
+ log_analytics_workspace_name = string
+ appgateway_snet_name = string
+ vnet_common_name = string
+ })
+ description = "Name of common resources of IO platform"
+}
+
+variable "io_sign_backoffice_app" {
+ type = object({
+ sku_name = string
+ app_settings = list(object({
+ name = string
+ value = optional(string, "")
+ key_vault_secret_name = optional(string)
+ }))
+ })
+ description = "Configuration of the io-sign-backoffice app service"
+}
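Review bot: `io_sign_backoffice_app.app_settings` carries a plain `value` next to `key_vault_secret_name`, and nothing in the type or description tells callers that credentials must go through the Key Vault path; a connection string put in `value` in a tfvars file would end up in plan output and state. Suggest extending the description: `"Configuration of the io-sign-backoffice app service. app_settings entries must use key_vault_secret_name for any secret; value is for non-sensitive settings only and is visible in plan/state."`. How the list is consumed is not visible in this diff, so whether the secret is wired as a Key Vault reference or resolved at apply time is an assumption to confirm.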
diff --git a/src/domains/sign/api/backoffice/v1/base_policy.xml b/src/domains/sign/api/backoffice/v1/base_policy.xml
new file mode 100644
index 000000000..d7e1f73f4
--- /dev/null
+++ b/src/domains/sign/api/backoffice/v1/base_policy.xml
@@ -0,0 +1,35 @@
+
+
+
+
+
+ {{io-fn-sign-backoffice-key}}
+
+
+ @(context.Subscription.Id)
+
+
+
+ *
+
+
+ *
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
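Review bot: The two bare `*` entries in the middle of the new policy — in APIM policy XML these are typically the `<origin>` and `<header>` children of a `<cors>` block, though the element tags are not preserved in this view — would accept any origin on a backoffice API that also injects `{{io-fn-sign-backoffice-key}}` and `@(context.Subscription.Id)` into the backend request. If this is CORS, restrict `allowed-origins` to the backoffice web app's origin(s) rather than `*`, and keep in mind that `*` cannot be combined with `allow-credentials="true"`. If the wildcards are something else, a comment naming the element (`<!-- CORS: restricted to the backoffice frontend origin -->`) would make the intent reviewable here.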
diff --git a/src/domains/sign/api/issuer/v1/get_signer_by_fiscal_code_policy/policy.xml b/src/domains/sign/api/issuer/v1/get_signer_by_fiscal_code_policy/policy.xml
index de37b6e92..721940218 100644
--- a/src/domains/sign/api/issuer/v1/get_signer_by_fiscal_code_policy/policy.xml
+++ b/src/domains/sign/api/issuer/v1/get_signer_by_fiscal_code_policy/policy.xml
@@ -5,13 +5,13 @@
- https://{{io-sign-cosmosdb-name}}.documents.azure.com/dbs/{{io-sign-cosmosdb-issuer-container-name}}/colls/{{io-sign-cosmosdb-issuer-whitelist-collection-name}}/docs
+ https://{{io-sign-cosmosdb-name}}.documents.azure.com/dbs/{{io-sign-backoffice-database-name}}/colls/{{io-sign-backoffice-api-keys-collection-name}}/docs
POST
@{
var verb = "post";
var resourceType = "docs";
- var resourceLink = "dbs/{{io-sign-cosmosdb-issuer-container-name}}/colls/{{io-sign-cosmosdb-issuer-whitelist-collection-name}}";
+ var resourceLink = "dbs/{{io-sign-backoffice-database-name}}/colls/{{io-sign-backoffice-api-keys-collection-name}}";
var key = "{{io-sign-cosmosdb-key}}";
var keyType = "master";
var tokenVersion = "1.0";
@@ -42,13 +42,16 @@
True
+
+ True
+
@(context.Variables.GetValueOrDefault("requestDateString"))
2018-12-31
- @("{\"query\": \"SELECT w.test_fiscal_codes FROM whitelist w WHERE w.id = @id\", " +
+ @("{\"query\": \"SELECT w.testers FROM whitelist w WHERE w.id = @id\", " +
"\"parameters\": [{ \"name\": \"@id\", \"value\": \"" + context.Subscription.Id + "\"}]}")
@@ -62,13 +65,13 @@
- https://{{io-sign-cosmosdb-name}}.documents.azure.com/dbs/{{io-sign-cosmosdb-issuer-container-name}}/colls/{{io-sign-cosmosdb-issuer-issuers-name}}/docs
+ https://{{io-sign-cosmosdb-name}}.documents.azure.com/dbs/{{io-sign-backoffice-database-name}}/colls/{{io-sign-backoffice-api-keys-collection-name}}/docs
POST
@{
var verb = "post";
var resourceType = "docs";
- var resourceLink = "dbs/{{io-sign-cosmosdb-issuer-container-name}}/colls/{{io-sign-cosmosdb-issuer-issuers-name}}";
+ var resourceLink = "dbs/{{io-sign-backoffice-database-name}}/colls/{{io-sign-backoffice-api-keys-collection-name}}";
var key = "{{io-sign-cosmosdb-key}}";
var keyType = "master";
var tokenVersion = "1.0";
@@ -99,13 +102,16 @@
True
+
+ True
+
@(context.Variables.GetValueOrDefault("requestDateString"))
2018-12-31
- @("{\"query\": \"SELECT i.environment FROM issuers i WHERE i.subscriptionId = @subscriptionId\", " +
+ @("{\"query\": \"SELECT i.environment FROM issuers i WHERE i.id = @subscriptionId\", " +
"\"parameters\": [{ \"name\": \"@subscriptionId\", \"value\": \"" + context.Subscription.Id + "\"}]}")
@@ -116,7 +122,7 @@
@{
@@ -128,8 +134,8 @@
if(envFirstDocument.ContainsKey("environment")){
string issuerEnvironment = (string)envFirstDocument["environment"];
- //If the issuer is not in the TEST environment then I do not perform any checks
- if (issuerEnvironment!="TEST"){
+ //If the issuer is not in the test environment then I do not perform any checks
+ if (issuerEnvironment!="test"){
return "true";
}
}
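Review bot: The comparison `if (issuerEnvironment!="test")` is case-sensitive and fails open: any value other than exactly `test` (including the previous `TEST` spelling, or `Test`) returns `"true"` and skips the tester-whitelist check entirely, so a casing mismatch between what the backoffice writes and this policy silently turns a test issuer into an unrestricted one. Normalise before comparing, `if (issuerEnvironment.ToLowerInvariant()!="test"){`, and consider having the missing/unknown-environment branch deny rather than allow. The surrounding C# expression starts and ends outside this hunk.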
@@ -144,8 +150,8 @@
JArray documents = (JArray) whitelistFiscalCodeQueryResponse["Documents"];
if (documents.Count > 0){
JObject firstDocument = (JObject) documents[0];
- if(firstDocument.ContainsKey("test_fiscal_codes")){
- JArray whiteListFiscalCodes = (JArray)firstDocument["test_fiscal_codes"];
+ if(firstDocument.ContainsKey("testers")){
+ JArray whiteListFiscalCodes = (JArray)firstDocument["testers"];
foreach (var fiscalCode in whiteListFiscalCodes) {
string fiscalCodeString = (string)fiscalCode;
if(fiscalCodeString==requestFiscalCodeString){
diff --git a/src/domains/sign/api_product/backoffice/_base_policy.xml b/src/domains/sign/api_product/backoffice/_base_policy.xml
new file mode 100644
index 000000000..85cf608b3
--- /dev/null
+++ b/src/domains/sign/api_product/backoffice/_base_policy.xml
@@ -0,0 +1,14 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/src/domains/sign/api_product/sign/_base_policy.xml b/src/domains/sign/api_product/sign/_base_policy.xml
index 7c574a16b..69064bb47 100644
--- a/src/domains/sign/api_product/sign/_base_policy.xml
+++ b/src/domains/sign/api_product/sign/_base_policy.xml
@@ -13,13 +13,13 @@
-->
- https://{{io-sign-cosmosdb-name}}.documents.azure.com/dbs/{{io-sign-cosmosdb-issuer-container-name}}/colls/{{io-sign-cosmosdb-issuer-whitelist-collection-name}}/docs
+ https://{{io-sign-cosmosdb-name}}.documents.azure.com/dbs/{{io-sign-backoffice-database-name}}/colls/{{io-sign-backoffice-api-keys-collection-name}}/docs
POST
@{
var verb = "post";
var resourceType = "docs";
- var resourceLink = "dbs/{{io-sign-cosmosdb-issuer-container-name}}/colls/{{io-sign-cosmosdb-issuer-whitelist-collection-name}}";
+ var resourceLink = "dbs/{{io-sign-backoffice-database-name}}/colls/{{io-sign-backoffice-api-keys-collection-name}}";
var key = "{{io-sign-cosmosdb-key}}";
var keyType = "master";
var tokenVersion = "1.0";
@@ -50,6 +50,9 @@
True
+
+ True
+
@(context.Variables.GetValueOrDefault("requestDateString"))
diff --git a/src/domains/sign/apim.tf b/src/domains/sign/apim.tf
index 0778256f6..f3404f136 100644
--- a/src/domains/sign/apim.tf
+++ b/src/domains/sign/apim.tf
@@ -83,9 +83,26 @@ resource "azurerm_api_management_named_value" "io_sign_cosmosdb_issuer_issuers_c
secret = false
}
+resource "azurerm_api_management_named_value" "backoffice-database-name_apimv1" {
+ name = "io-sign-backoffice-database-name"
+ api_management_name = data.azurerm_api_management.apim_api.name
+ resource_group_name = data.azurerm_api_management.apim_api.resource_group_name
+ display_name = "io-sign-backoffice-database-name"
+ value = module.cosmosdb_sql_database_backoffice.name
+ secret = false
+}
+
+resource "azurerm_api_management_named_value" "backoffice-api-keys-collection-name_apimv1" {
+ name = "io-sign-backoffice-api-keys-collection-name"
+ api_management_name = data.azurerm_api_management.apim_api.name
+ resource_group_name = data.azurerm_api_management.apim_api.resource_group_name
+ display_name = "io-sign-backoffice-api-keys-collection-name"
+ value = module.cosmosdb_sql_container_backoffice-api-keys.name
+ secret = false
+}
module "apim_io_sign_product" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v4.1.3"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v6.20.2"
product_id = "io-sign-api"
display_name = "IO SIGN API"
@@ -111,7 +128,7 @@ resource "azurerm_api_management_api_operation_policy" "get_signer_by_fiscal_cod
}
module "apim_io_sign_issuer_api_v1" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v4.1.3"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v6.20.2"
name = format("%s-sign-issuer-api", local.product)
api_management_name = data.azurerm_api_management.apim_api.name
@@ -133,7 +150,7 @@ module "apim_io_sign_issuer_api_v1" {
}
module "apim_io_sign_support_product" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v4.1.3"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v6.20.2"
product_id = "io-sign-support-api"
display_name = "IO SIGN SUPPORT Product"
@@ -150,7 +167,7 @@ module "apim_io_sign_support_product" {
}
module "apim_io_sign_support_api_v1" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v4.1.3"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v6.20.2"
name = format("%s-sign-support-api", local.product)
api_management_name = data.azurerm_api_management.apim_api.name
diff --git a/src/domains/sign/apim_v2.tf b/src/domains/sign/apim_v2.tf
index 87a99debe..90e81785e 100644
--- a/src/domains/sign/apim_v2.tf
+++ b/src/domains/sign/apim_v2.tf
@@ -56,6 +56,7 @@ resource "azurerm_api_management_named_value" "io_sign_cosmosdb_key_v2" {
secret = true
}
+# legacy, it can be removed once the backoffice is released
resource "azurerm_api_management_named_value" "io_sign_cosmosdb_issuer_container_name_v2" {
name = "io-sign-cosmosdb-issuer-container-name"
api_management_name = data.azurerm_api_management.apim_v2_api.name
@@ -64,7 +65,6 @@ resource "azurerm_api_management_named_value" "io_sign_cosmosdb_issuer_container
value = module.cosmosdb_sql_database_issuer.name
secret = false
}
-
resource "azurerm_api_management_named_value" "io_sign_cosmosdb_issuer_whitelist_collection_name_new_v2" {
name = "io-sign-cosmosdb-issuer-whitelist-collection-name"
api_management_name = data.azurerm_api_management.apim_v2_api.name
@@ -73,7 +73,6 @@ resource "azurerm_api_management_named_value" "io_sign_cosmosdb_issuer_whitelist
value = module.cosmosdb_sql_container_issuer-issuers-whitelist.name
secret = false
}
-
resource "azurerm_api_management_named_value" "io_sign_cosmosdb_issuer_issuers_collection_name_v2" {
name = "io-sign-cosmosdb-issuer-issuers-name"
api_management_name = data.azurerm_api_management.apim_v2_api.name
@@ -82,10 +81,28 @@ resource "azurerm_api_management_named_value" "io_sign_cosmosdb_issuer_issuers_c
value = module.cosmosdb_sql_container_issuer-issuers.name
secret = false
}
+# end legacy
+
+resource "azurerm_api_management_named_value" "backoffice-database-name" {
+ name = "io-sign-backoffice-database-name"
+ api_management_name = data.azurerm_api_management.apim_v2_api.name
+ resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
+ display_name = "io-sign-backoffice-database-name"
+ value = module.cosmosdb_sql_database_backoffice.name
+ secret = false
+}
+resource "azurerm_api_management_named_value" "backoffice-api-keys-collection-name" {
+ name = "io-sign-backoffice-api-keys-collection-name"
+ api_management_name = data.azurerm_api_management.apim_v2_api.name
+ resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
+ display_name = "io-sign-backoffice-api-keys-collection-name"
+ value = module.cosmosdb_sql_container_backoffice-api-keys.name
+ secret = false
+}
module "apim_v2_io_sign_product" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v4.1.3"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v6.20.2"
product_id = "io-sign-api"
display_name = "IO SIGN API"
@@ -111,7 +128,7 @@ resource "azurerm_api_management_api_operation_policy" "get_signer_by_fiscal_cod
}
module "apim_v2_io_sign_issuer_api_v1" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v4.1.3"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v6.20.2"
name = format("%s-sign-issuer-api", local.product)
api_management_name = data.azurerm_api_management.apim_v2_api.name
@@ -133,7 +150,7 @@ module "apim_v2_io_sign_issuer_api_v1" {
}
module "apim_v2_io_sign_support_product" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v4.1.3"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v6.20.2"
product_id = "io-sign-support-api"
display_name = "IO SIGN SUPPORT Product"
@@ -150,7 +167,7 @@ module "apim_v2_io_sign_support_product" {
}
module "apim_v2_io_sign_support_api_v1" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v4.1.3"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v6.20.2"
name = format("%s-sign-support-api", local.product)
api_management_name = data.azurerm_api_management.apim_v2_api.name
@@ -170,3 +187,65 @@ module "apim_v2_io_sign_support_api_v1" {
xml_content = file("./api/support/v1/base_policy.xml")
}
+
+# BACK OFFICE
+
+resource "azurerm_api_management_named_value" "io_fn_sign_backoffice_url_v2" {
+ name = "io-fn-sign-backoffice-url"
+ api_management_name = data.azurerm_api_management.apim_v2_api.name
+ resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
+ display_name = "io-fn-sign-backoffice-url"
+ value = format("https://%s-sign-backoffice-app.azurewebsites.net", local.product)
+}
+
+resource "azurerm_api_management_named_value" "io_fn_sign_backoffice_key_v2" {
+ name = "io-fn-sign-backoffice-key"
+ api_management_name = data.azurerm_api_management.apim_v2_api.name
+ resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
+ display_name = "io-fn-sign-backoffice-key"
+ value = module.key_vault_secrets.values["io-fn-sign-support-key"].value
+ secret = true
+}
+
+module "apim_v2_io_sign_backoffice_product" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v6.20.2"
+
+ product_id = format("%s-sign-backoffice-apim-product", local.product)
+ display_name = "IO SIGN BACKOFFICE"
+ description = "Api Management product for io-sign-backoffice REST APIs"
+
+ api_management_name = data.azurerm_api_management.apim_v2_api.name
+ resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
+
+ published = true
+ subscription_required = true
+ approval_required = false
+
+ policy_xml = file("./api_product/backoffice/_base_policy.xml")
+}
+
+data "http" "backoffice_openapi" {
+ url = "https://raw.githubusercontent.com/pagopa/io-sign/main/apps/io-sign-backoffice-app/openapi.yml"
+}
+
+module "apim_v2_io_sign_backoffice_api_v1" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v6.20.2"
+
+ name = format("%s-sign-backoffice-apim-api", local.product)
+ api_management_name = data.azurerm_api_management.apim_v2_api.name
+ resource_group_name = data.azurerm_api_management.apim_v2_api.resource_group_name
+ product_ids = [module.apim_v2_io_sign_backoffice_product.product_id]
+ subscription_required = true
+ service_url = null
+
+ display_name = "IO SIGN BACKOFFICE API"
+ description = "io-sign-backoffice REST APIs"
+
+ path = "api/v1/sign/backoffice"
+ protocols = ["https"]
+
+ content_format = "openapi"
+ content_value = data.http.backoffice_openapi.body
+
+ xml_content = file("./api/backoffice/v1/base_policy.xml")
+}
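Review bot: `io_fn_sign_backoffice_key_v2` is populated from `module.key_vault_secrets.values["io-fn-sign-support-key"].value`, so the new backoffice API authenticates to its backend with the support API's function key; the two services then share one credential, a leak of either exposes both, and rotating the support key breaks the backoffice. Give the backoffice app its own Key Vault secret and read that instead, `value = module.key_vault_secrets.values["io-fn-sign-backoffice-key"].value` (the secret also has to be added to the key_vault_secrets module's list, which is outside this hunk). Separately, `data "http" "backoffice_openapi"` pulls the API definition from the unpinned `main` branch of pagopa/io-sign at every plan, so the set of operations published in APIM changes whenever that branch moves and cannot be reproduced from this repo's history; pin the URL to a tag or commit, or vendor the spec next to the policy files. With http provider 3.4.0 from the lockfile, `data.http.backoffice_openapi.body` is, if I recall the 3.x changelog correctly, deprecated in favour of `response_body`.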
diff --git a/src/domains/sign/cosmos.tf b/src/domains/sign/cosmos.tf
index beb6c3268..bfe67af28 100644
--- a/src/domains/sign/cosmos.tf
+++ b/src/domains/sign/cosmos.tf
@@ -1,5 +1,5 @@
module "cosmosdb_account" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_account?ref=v4.1.8"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_account?ref=v6.20.2"
name = format("%s-cosmos", local.project)
domain = var.domain
location = azurerm_resource_group.data_rg.location
diff --git a/src/domains/sign/cosmos_backoffice.tf b/src/domains/sign/cosmos_backoffice.tf
new file mode 100644
index 000000000..4e0fb2ea4
--- /dev/null
+++ b/src/domains/sign/cosmos_backoffice.tf
@@ -0,0 +1,51 @@
+module "cosmosdb_sql_database_backoffice" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_database?ref=v6.20.2"
+ name = "backoffice"
+ resource_group_name = azurerm_resource_group.data_rg.name
+ account_name = module.cosmosdb_account.name
+}
+
+module "cosmosdb_sql_container_backoffice-api-keys" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v6.20.2"
+ name = "api-keys"
+ resource_group_name = azurerm_resource_group.data_rg.name
+ account_name = module.cosmosdb_account.name
+ database_name = module.cosmosdb_sql_database_backoffice.name
+ partition_key_path = "/institutionId"
+
+ autoscale_settings = {
+ max_throughput = var.io_sign_database_backoffice.api_keys.max_throughput
+ }
+
+ default_ttl = var.io_sign_database_backoffice.api_keys.ttl
+}
+
+module "cosmosdb_sql_container_backoffice-issuers" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v6.20.2"
+ name = "issuers"
+ resource_group_name = azurerm_resource_group.data_rg.name
+ account_name = module.cosmosdb_account.name
+ database_name = module.cosmosdb_sql_database_backoffice.name
+ partition_key_path = "/institutionId"
+
+ autoscale_settings = {
+ max_throughput = var.io_sign_database_backoffice.issuers.max_throughput
+ }
+
+ default_ttl = var.io_sign_database_backoffice.issuers.ttl
+}
+
+module "cosmosdb_sql_container_backoffice-consents" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v6.20.2"
+ name = "consents"
+ resource_group_name = azurerm_resource_group.data_rg.name
+ account_name = module.cosmosdb_account.name
+ database_name = module.cosmosdb_sql_database_backoffice.name
+ partition_key_path = "/institutionId"
+
+ autoscale_settings = {
+ max_throughput = var.io_sign_database_backoffice.consents.max_throughput
+ }
+
+ default_ttl = var.io_sign_database_backoffice.consents.ttl
+}
diff --git a/src/domains/sign/cosmos_issuer.tf b/src/domains/sign/cosmos_issuer.tf
index 31581f851..242c0a115 100644
--- a/src/domains/sign/cosmos_issuer.tf
+++ b/src/domains/sign/cosmos_issuer.tf
@@ -1,12 +1,12 @@
module "cosmosdb_sql_database_issuer" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_database?ref=v4.1.3"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_database?ref=v6.20.2"
name = "issuer"
resource_group_name = azurerm_resource_group.data_rg.name
account_name = module.cosmosdb_account.name
}
module "cosmosdb_sql_container_issuer-dossiers" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v4.1.11"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v6.20.2"
name = "dossiers"
resource_group_name = azurerm_resource_group.data_rg.name
account_name = module.cosmosdb_account.name
@@ -21,7 +21,7 @@ module "cosmosdb_sql_container_issuer-dossiers" {
}
module "cosmosdb_sql_container_issuer-signature-requests" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v4.1.11"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v6.20.2"
name = "signature-requests"
resource_group_name = azurerm_resource_group.data_rg.name
account_name = module.cosmosdb_account.name
@@ -36,7 +36,7 @@ module "cosmosdb_sql_container_issuer-signature-requests" {
}
module "cosmosdb_sql_container_issuer-uploads" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v4.1.11"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v6.20.2"
name = "uploads"
resource_group_name = azurerm_resource_group.data_rg.name
account_name = module.cosmosdb_account.name
@@ -51,7 +51,7 @@ module "cosmosdb_sql_container_issuer-uploads" {
}
module "cosmosdb_sql_container_issuer-issuers" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v4.1.11"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v6.20.2"
name = "issuers"
resource_group_name = azurerm_resource_group.data_rg.name
account_name = module.cosmosdb_account.name
@@ -66,7 +66,7 @@ module "cosmosdb_sql_container_issuer-issuers" {
}
module "cosmosdb_sql_container_issuer-issuers-by-vat-number" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v4.1.11"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v6.20.2"
name = "issuers-by-vat-number"
resource_group_name = azurerm_resource_group.data_rg.name
account_name = module.cosmosdb_account.name
@@ -81,7 +81,7 @@ module "cosmosdb_sql_container_issuer-issuers-by-vat-number" {
}
module "cosmosdb_sql_container_issuer-issuers-whitelist" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v4.1.11"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v6.20.2"
name = "issuers-whitelist"
resource_group_name = azurerm_resource_group.data_rg.name
account_name = module.cosmosdb_account.name
diff --git a/src/domains/sign/cosmos_user.tf b/src/domains/sign/cosmos_user.tf
index 4aadf6174..a7e3c5d4d 100644
--- a/src/domains/sign/cosmos_user.tf
+++ b/src/domains/sign/cosmos_user.tf
@@ -1,12 +1,12 @@
module "cosmosdb_sql_database_user" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_database?ref=v4.1.3"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_database?ref=v6.20.2"
name = "user"
resource_group_name = azurerm_resource_group.data_rg.name
account_name = module.cosmosdb_account.name
}
module "cosmosdb_sql_container_user-signature-requests" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v4.1.11"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v6.20.2"
name = "signature-requests"
resource_group_name = azurerm_resource_group.data_rg.name
account_name = module.cosmosdb_account.name
@@ -21,7 +21,7 @@ module "cosmosdb_sql_container_user-signature-requests" {
}
module "cosmosdb_sql_container_user-signatures" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v4.1.11"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v6.20.2"
name = "signatures"
resource_group_name = azurerm_resource_group.data_rg.name
account_name = module.cosmosdb_account.name
diff --git a/src/domains/sign/dns.tf b/src/domains/sign/dns.tf
index 06f19f529..7ad383639 100644
--- a/src/domains/sign/dns.tf
+++ b/src/domains/sign/dns.tf
@@ -1,7 +1,7 @@
resource "azurerm_dns_zone" "firma_io_pagopa_it" {
count = var.env_short == "p" ? 1 : 0
- name = var.dns_zone_name
+ name = var.dns_zone_names.website
resource_group_name = azurerm_resource_group.integration_rg.name
tags = var.tags
@@ -65,4 +65,4 @@ resource "azurerm_dns_txt_record" "dmarc_mailup_firma_io_pagopa_it" {
record {
value = "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s"
}
-}
+}
\ No newline at end of file
diff --git a/src/domains/sign/env/prod/terraform.tfvars b/src/domains/sign/env/prod/terraform.tfvars
index 75d85b2ef..31db628c3 100644
--- a/src/domains/sign/env/prod/terraform.tfvars
+++ b/src/domains/sign/env/prod/terraform.tfvars
@@ -15,10 +15,11 @@ tags = {
# az network vnet subnet list --subscription PROD-IO --vnet-name io-p-vnet-common --resource-group io-p-rg-common --output table
# and thus define new CIDRs according to the unallocated address space
subnets_cidrs = {
- issuer = ["10.0.102.0/24"]
- user = ["10.0.103.0/24"]
- eventhub = ["10.0.104.0/24"],
- support = ["10.0.147.0/24"]
+ issuer = ["10.0.102.0/24"]
+ user = ["10.0.103.0/24"]
+ eventhub = ["10.0.104.0/24"],
+ support = ["10.0.147.0/24"]
+ backoffice = ["10.0.115.0/24"]
}
storage_account = {
@@ -69,6 +70,21 @@ io_sign_database_user = {
}
}
+io_sign_database_backoffice = {
+ api_keys = {
+ max_throughput = 1000
+ ttl = null
+ }
+ issuers = {
+ max_throughput = 1000
+ ttl = null
+ }
+ consents = {
+ max_throughput = 1000
+ ttl = null
+ }
+}
+
io_sign_issuer_func = {
sku_tier = "PremiumV3"
sku_size = "P1v3"
@@ -93,6 +109,32 @@ io_sign_user_func = {
autoscale_maximum = 5
}
+io_sign_backoffice_app = {
+ sku_name = "P1v3"
+ app_settings = [
+ {
+ name = "NODE_ENV",
+ value = "production"
+ },
+ {
+ name = "WEBSITES_PORT",
+ value = "3000"
+ },
+ {
+ name = "AUTH_SESSION_SECRET",
+ key_vault_secret_name = "bo-auth-session-secret"
+ },
+ {
+ name = "SELFCARE_API_KEY",
+ key_vault_secret_name = "selfcare-prod-api-key"
+ },
+ {
+ name = "PDV_TOKENIZER_API_KEY"
+ key_vault_secret_name = "pdv-tokenizer-api-key"
+ }
+ ]
+}
+
integration_hub = {
auto_inflate_enabled = true
sku_name = "Standard"
@@ -166,7 +208,9 @@ integration_hub = {
# DNS
-dns_zone_name = "firma.io.pagopa.it"
+dns_zone_names = {
+ website = "firma.io.pagopa.it"
+}
dns_ses_validation = [
{
@@ -182,3 +226,10 @@ dns_ses_validation = [
record = "43al7wmot7uxzzz6dfq7fnkcqilx6q6l.dkim.amazonses.com"
},
]
+
+io_common = {
+ resource_group_name = "io-p-rg-common"
+ log_analytics_workspace_name = "io-p-law-common"
+ appgateway_snet_name = "io-p-appgateway-snet"
+ vnet_common_name = "io-p-vnet-common"
+}
diff --git a/src/domains/sign/integration.tf b/src/domains/sign/integration.tf
index 3fb871f1e..cb9705a1f 100644
--- a/src/domains/sign/integration.tf
+++ b/src/domains/sign/integration.tf
@@ -90,11 +90,7 @@ module "event_hub" {
action = [
{
- action_group_id = data.azurerm_monitor_action_group.slack.id
- webhook_properties = null
- },
- {
- action_group_id = data.azurerm_monitor_action_group.email.id
+ action_group_id = data.azurerm_monitor_action_group.error_action_group.id
webhook_properties = null
}
]
diff --git a/src/domains/sign/io_sign_backoffice_app.tf b/src/domains/sign/io_sign_backoffice_app.tf
new file mode 100644
index 000000000..4799c4647
--- /dev/null
+++ b/src/domains/sign/io_sign_backoffice_app.tf
@@ -0,0 +1,178 @@
+locals {
+ backoffice_app_settings = merge({
+ AZURE_SUBSCRIPTION_ID = data.azurerm_subscription.current.subscription_id
+ COSMOS_DB_CONNECTION_STRING = module.cosmosdb_account.connection_strings[0],
+ COSMOS_DB_NAME = module.cosmosdb_sql_database_backoffice.name
+ APIM_RESOURCE_GROUP_NAME = data.azurerm_api_management.apim_v2_api.resource_group_name,
+ APIM_SERVICE_NAME = data.azurerm_api_management.apim_v2_api.name,
+ APIM_PRODUCT_NAME = module.apim_io_sign_product.product_id
+ APPINSIGHTS_INSTRUMENTATIONKEY = sensitive(data.azurerm_application_insights.application_insights.instrumentation_key)
+ },
+ {
+ for s in var.io_sign_backoffice_app.app_settings :
+ s.name => s.key_vault_secret_name != null ? "@Microsoft.KeyVault(VaultName=${module.key_vault.name};SecretName=${s.key_vault_secret_name})" : s.value
+ })
+}
+
+module "io_sign_backoffice_snet" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v6.20.2"
+ name = format("%s-backoffice-snet", local.project)
+ resource_group_name = data.azurerm_virtual_network.vnet_common.resource_group_name
+ virtual_network_name = data.azurerm_virtual_network.vnet_common.name
+ address_prefixes = var.subnets_cidrs.backoffice
+
+ private_endpoint_network_policies_enabled = false
+
+ service_endpoints = [
+ "Microsoft.Web",
+ "Microsoft.AzureCosmosDB",
+ ]
+
+ delegation = {
+ name = "default"
+ service_delegation = {
+ name = "Microsoft.Web/serverFarms"
+ actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+ }
+ }
+}
+
+data "azurerm_subnet" "appgateway_snet" {
+ name = var.io_common.appgateway_snet_name
+ virtual_network_name = var.io_common.vnet_common_name
+ resource_group_name = var.io_common.resource_group_name
+}
+
+module "io_sign_backoffice_app" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service?ref=v6.20.2"
+
+ name = format("%s-backoffice-app", local.project)
+ location = azurerm_resource_group.backend_rg.location
+ resource_group_name = azurerm_resource_group.backend_rg.name
+
+ plan_name = format("%s-backoffice-plan", local.project)
+ sku_name = var.io_sign_backoffice_app.sku_name
+
+ docker_image = "ghcr.io/pagopa/io-sign-backoffice"
+ docker_image_tag = "latest"
+
+ health_check_path = "/health"
+
+ app_settings = local.backoffice_app_settings
+
+ always_on = true
+ vnet_integration = true
+
+ subnet_id = module.io_sign_backoffice_snet.id
+
+ allowed_subnets = [
+ data.azurerm_subnet.appgateway_snet.id,
+ data.azurerm_subnet.apim_v2.id
+ ]
+
+ tags = var.tags
+}
+
+resource "azurerm_key_vault_access_policy" "backoffice_key_vault_access_policy" {
+ key_vault_id = module.key_vault.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = module.io_sign_backoffice_app.principal_id
+
+ secret_permissions = ["Get"]
+ storage_permissions = []
+ certificate_permissions = []
+}
+
+resource "azurerm_role_assignment" "firmaconio_selfcare_apim_contributor_role" {
+ scope = data.azurerm_api_management.apim_v2_api.id
+ role_definition_name = "API Management Service Contributor"
+ principal_id = module.io_sign_backoffice_app.principal_id
+}
+
+resource "azurerm_private_endpoint" "io_sign_backoffice_app" {
+ name = format("%s-backoffice-endpoint", local.project)
+ location = azurerm_resource_group.data_rg.location
+ resource_group_name = azurerm_resource_group.data_rg.name
+ subnet_id = data.azurerm_subnet.private_endpoints_subnet.id
+
+ private_service_connection {
+ name = format("%s-backoffice-endpoint", local.project)
+ private_connection_resource_id = module.io_sign_backoffice_app.id
+ is_manual_connection = false
+ subresource_names = ["sites"]
+ }
+
+ private_dns_zone_group {
+ name = "private-dns-zone-group"
+ private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_azurewebsites_net.id]
+ }
+
+ tags = var.tags
+}
+
+module "io_sign_backoffice_app_staging_slot" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service_slot?ref=v7.7.0"
+
+ name = "staging"
+ location = azurerm_resource_group.backend_rg.location
+ resource_group_name = azurerm_resource_group.backend_rg.name
+
+ app_service_id = module.io_sign_backoffice_app.id
+ app_service_name = module.io_sign_backoffice_app.name
+
+ docker_image = "ghcr.io/pagopa/io-sign-backoffice"
+ docker_image_tag = "latest"
+
+ health_check_path = "/health"
+
+ app_settings = local.backoffice_app_settings
+
+ always_on = true
+ vnet_integration = true
+
+ subnet_id = module.io_sign_backoffice_snet.id
+
+ allowed_subnets = [
+ data.azurerm_subnet.appgateway_snet.id,
+ data.azurerm_subnet.apim_v2.id
+ ]
+
+ tags = var.tags
+}
+
+resource "azurerm_key_vault_access_policy" "backoffice_staging_key_vault_access_policy" {
+ key_vault_id = module.key_vault.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = module.io_sign_backoffice_app_staging_slot.principal_id
+
+ secret_permissions = ["Get"]
+ storage_permissions = []
+ certificate_permissions = []
+}
+
+resource "azurerm_role_assignment" "firmaconio_selfcare_staging_apim_contributor_role" {
+ scope = data.azurerm_api_management.apim_v2_api.id
+ role_definition_name = "API Management Service Contributor"
+ principal_id = module.io_sign_backoffice_app_staging_slot.principal_id
+}
+
+resource "azurerm_private_endpoint" "io_sign_backoffice_app_staging_slot" {
+ name = format("%s-backoffice-staging-endpoint", local.project)
+ location = azurerm_resource_group.data_rg.location
+ resource_group_name = azurerm_resource_group.data_rg.name
+ subnet_id = data.azurerm_subnet.private_endpoints_subnet.id
+
+ private_service_connection {
+ name = format("%s-backoffice-staging-endpoint", local.project)
+ private_connection_resource_id = module.io_sign_backoffice_app.id
+ is_manual_connection = false
+ subresource_names = ["sites-staging"]
+ }
+
+ private_dns_zone_group {
+ name = "private-dns-zone-group"
+ private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_azurewebsites_net.id]
+ }
+
+ tags = var.tags
+}
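Review bot: `COSMOS_DB_CONNECTION_STRING = module.cosmosdb_account.connection_strings[0]` in the `backoffice_app_settings` local injects the account's primary-key connection string as a plain app setting, while every other credential in the same block (`AUTH_SESSION_SECRET`, `SELFCARE_API_KEY`, `PDV_TOKENIZER_API_KEY`) goes through a Key Vault reference and even the instrumentation key is wrapped in `sensitive()`; store that string as a Key Vault secret and reference it the same way (or, if the app supports it, authenticate with the app's managed identity and Cosmos DB RBAC and drop the key), and at minimum wrap it as `COSMOS_DB_CONNECTION_STRING = sensitive(module.cosmosdb_account.connection_strings[0])` so it does not appear in plan output. `docker_image_tag = "latest"` on both the production app and the staging slot is a mutable tag, so what runs in production changes whenever the registry is pushed outside of this review; pin an immutable version tag or image digest and bump it here. `role_definition_name = "API Management Service Contributor"` at the scope of the whole `apim_v2_api` instance lets the backoffice identity and its staging slot edit every API, policy and named value on the shared gateway, which looks wider than issuing subscriptions for one product (the only APIM setting passed is `APIM_PRODUCT_NAME`); if that is all the app needs, a custom role limited to `Microsoft.ApiManagement/service/subscriptions/*` (or a product-scoped assignment) would be least privilege — I cannot see the app code to confirm the exact actions, so verify before narrowing.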
diff --git a/src/domains/sign/io_sign_issuer_func.tf b/src/domains/sign/io_sign_issuer_func.tf
index 543a76d86..0617e34c5 100644
--- a/src/domains/sign/io_sign_issuer_func.tf
+++ b/src/domains/sign/io_sign_issuer_func.tf
@@ -27,6 +27,8 @@ locals {
SelfCareApiBasePath = "https://api.selfcare.pagopa.it"
SelfCareApiKey = module.key_vault_secrets.values["SelfCareApiKey"].value
SlackWebhookUrl = module.key_vault_secrets.values["SlackWebhookUrl"].value
+ BackOfficeApiBasePath = "https://api.io.pagopa.it/api/v1/sign/backoffice"
+ BackOfficeApiKey = module.key_vault_secrets.values["BackOfficeApiKey"].value
}
}
}
@@ -40,7 +42,7 @@ module "io_sign_issuer_func" {
health_check_path = "/api/v1/sign/info"
- node_version = "16"
+ node_version = "18"
runtime_version = "~4"
always_on = true
@@ -80,7 +82,7 @@ module "io_sign_issuer_func" {
module "io_sign_issuer_func_staging_slot" {
count = var.io_sign_issuer_func.sku_tier == "PremiumV3" ? 1 : 0
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app_slot?ref=v6.0.1"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app_slot?ref=v6.2.1"
name = "staging"
location = azurerm_resource_group.backend_rg.location
@@ -93,7 +95,7 @@ module "io_sign_issuer_func_staging_slot" {
storage_account_name = module.io_sign_issuer_func.storage_account.name
storage_account_access_key = module.io_sign_issuer_func.storage_account.primary_access_key
- node_version = "16"
+ node_version = "18"
runtime_version = "~4"
always_on = true
application_insights_instrumentation_key = data.azurerm_application_insights.application_insights.instrumentation_key
diff --git a/src/domains/sign/io_sign_support_func.tf b/src/domains/sign/io_sign_support_func.tf
index 6104cca19..f6d221f61 100644
--- a/src/domains/sign/io_sign_support_func.tf
+++ b/src/domains/sign/io_sign_support_func.tf
@@ -14,7 +14,7 @@ locals {
}
module "io_sign_support_func" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app?ref=v6.1.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app?ref=v6.2.1"
name = format("%s-support-func", local.project)
location = azurerm_resource_group.backend_rg.location
@@ -26,7 +26,7 @@ module "io_sign_support_func" {
always_on = true
runtime_version = "~4"
- node_version = "16"
+ node_version = "18"
app_service_plan_info = {
kind = "Linux"
@@ -52,7 +52,7 @@ module "io_sign_support_func" {
module "io_sign_support_func_staging_slot" {
count = var.io_sign_support_func.sku_tier == "PremiumV3" ? 1 : 0
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app_slot?ref=v6.1.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app_slot?ref=v6.2.1"
name = "staging"
location = azurerm_resource_group.backend_rg.location
@@ -68,7 +68,7 @@ module "io_sign_support_func_staging_slot" {
runtime_version = "~4"
always_on = true
- node_version = "16"
+ node_version = "18"
application_insights_instrumentation_key = data.azurerm_application_insights.application_insights.instrumentation_key
app_settings = local.io_sign_support_func.app_settings
diff --git a/src/domains/sign/io_sign_user_func.tf b/src/domains/sign/io_sign_user_func.tf
index f305d5884..d3ab5a668 100644
--- a/src/domains/sign/io_sign_user_func.tf
+++ b/src/domains/sign/io_sign_user_func.tf
@@ -48,7 +48,7 @@ module "io_sign_user_func" {
health_check_path = "/api/v1/sign/info"
- node_version = "16"
+ node_version = "18"
runtime_version = "~4"
always_on = true
@@ -86,7 +86,7 @@ module "io_sign_user_func" {
module "io_sign_user_func_staging_slot" {
count = var.io_sign_user_func.sku_tier == "PremiumV3" ? 1 : 0
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app_slot?ref=v6.0.1"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app_slot?ref=v6.2.1"
name = "staging"
location = azurerm_resource_group.backend_rg.location
@@ -99,7 +99,7 @@ module "io_sign_user_func_staging_slot" {
storage_account_name = module.io_sign_user_func.storage_account.name
storage_account_access_key = module.io_sign_user_func.storage_account.primary_access_key
- node_version = "16"
+ node_version = "18"
runtime_version = "~4"
always_on = true
application_insights_instrumentation_key = data.azurerm_application_insights.application_insights.instrumentation_key
diff --git a/src/domains/sign/key_vault.tf b/src/domains/sign/key_vault.tf
index 88bb11158..fe8bb8bcb 100644
--- a/src/domains/sign/key_vault.tf
+++ b/src/domains/sign/key_vault.tf
@@ -1,5 +1,5 @@
module "key_vault_secrets" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query?ref=v4.1.3"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query?ref=v6.20.2"
resource_group = azurerm_resource_group.sec_rg.name
key_vault_name = module.key_vault.name
@@ -15,12 +15,13 @@ module "key_vault_secrets" {
"SlackWebhookUrl",
"LollipopPrimaryApiKey",
"LollipopSecondaryApiKey",
- "PdvTokenizerApiKey"
+ "PdvTokenizerApiKey",
+ "BackOfficeApiKey"
]
}
module "key_vault" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v6.2.2"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v6.20.2"
name = format("%s-%s-kv", local.product, var.domain)
location = azurerm_resource_group.sec_rg.location
@@ -44,19 +45,6 @@ resource "azurerm_key_vault_access_policy" "adgroup_admin" {
certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
-## adgroup_developers group policy ##
-resource "azurerm_key_vault_access_policy" "adgroup_contributors" {
- key_vault_id = module.key_vault.id
-
- tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azuread_group.adgroup_contributors.object_id
-
- key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
- secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
- storage_permissions = []
- certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
-}
-
## adgroup_developers group policy ##
resource "azurerm_key_vault_access_policy" "adgroup_developers" {
key_vault_id = module.key_vault.id
diff --git a/src/domains/sign/landing.tf b/src/domains/sign/landing.tf
index 62e1b1ace..a162c0236 100644
--- a/src/domains/sign/landing.tf
+++ b/src/domains/sign/landing.tf
@@ -17,7 +17,7 @@ data "azurerm_dns_zone" "io_italia_it" {
}
module "landing_cdn" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cdn?ref=v6.3.1"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cdn?ref=v6.20.2"
name = "landing"
prefix = local.project
@@ -26,10 +26,6 @@ module "landing_cdn" {
hostname = "firma.io.italia.it"
https_rewrite_enabled = true
- # The argument `lock_enabled` is required by the module; however it must not
- # be used any more, since locks are managed transparently via global policies.
- lock_enabled = false
-
index_document = "index.html"
error_404_document = "index.html"
diff --git a/src/domains/sign/monitoring.tf b/src/domains/sign/monitoring.tf
index d209f9570..3f701b739 100644
--- a/src/domains/sign/monitoring.tf
+++ b/src/domains/sign/monitoring.tf
@@ -51,6 +51,11 @@ resource "azurerm_monitor_action_group" "slack_fci_tech" {
tags = var.tags
}
+data "azurerm_monitor_action_group" "error_action_group" {
+ resource_group_name = "io-p-rg-common"
+ name = "${var.prefix}${var.env_short}error"
+}
+
resource "azurerm_monitor_metric_alert" "io_sign_user_helathcheck" {
name = format("%s-helathcheck", module.io_sign_user_func.name)
resource_group_name = azurerm_resource_group.backend_rg.name
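Review bot: `resource_group_name = "io-p-rg-common"` in the new `error_action_group` data source hard-codes the production common resource group, while this same change introduces `var.io_common.resource_group_name` for exactly that value and uses it in `io_sign_backoffice_app.tf`; use `resource_group_name = var.io_common.resource_group_name` here too so a non-prod environment does not silently resolve prod's action group. The `name` already derives from `var.prefix` and `var.env_short`, so this literal is the only environment-specific value left in the block.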
diff --git a/src/domains/sign/network.tf b/src/domains/sign/network.tf
index cee7fa991..5e27bda6b 100644
--- a/src/domains/sign/network.tf
+++ b/src/domains/sign/network.tf
@@ -27,7 +27,7 @@ data "azurerm_nat_gateway" "nat_gateway" {
}
module "io_sign_snet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.4"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v6.20.2"
name = format("%s-snet", local.project)
resource_group_name = data.azurerm_virtual_network.vnet_common.resource_group_name
virtual_network_name = data.azurerm_virtual_network.vnet_common.name
@@ -66,7 +66,7 @@ resource "azurerm_network_security_group" "io_sign_issuer_nsg" {
}
module "io_sign_user_snet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.4"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v6.20.2"
name = format("%s-user-snet", local.project)
resource_group_name = data.azurerm_virtual_network.vnet_common.resource_group_name
virtual_network_name = data.azurerm_virtual_network.vnet_common.name
@@ -105,7 +105,7 @@ resource "azurerm_network_security_group" "io_sign_user_nsg" {
}
module "io_sign_support_snet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.4"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v6.20.2"
name = format("%s-support-snet", local.project)
resource_group_name = data.azurerm_virtual_network.vnet_common.resource_group_name
virtual_network_name = data.azurerm_virtual_network.vnet_common.name
@@ -143,7 +143,7 @@ resource "azurerm_network_security_group" "io_sign_support_nsg" {
}
module "io_sign_eventhub_snet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.4"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v6.20.2"
name = format("%s-eventhub-snet", local.project)
resource_group_name = data.azurerm_virtual_network.vnet_common.resource_group_name
virtual_network_name = data.azurerm_virtual_network.vnet_common.name
diff --git a/src/domains/sign/storage.tf b/src/domains/sign/storage.tf
index cf8bfad73..f368e49e1 100644
--- a/src/domains/sign/storage.tf
+++ b/src/domains/sign/storage.tf
@@ -1,5 +1,5 @@
module "io_sign_storage" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account?ref=v4.1.5"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account?ref=v6.20.2"
name = replace(format("%s-st", local.project), "-", "")
account_kind = "StorageV2"
account_tier = "Standard"
@@ -10,6 +10,7 @@ module "io_sign_storage" {
location = azurerm_resource_group.data_rg.location
advanced_threat_protection = true
allow_nested_items_to_be_public = false
+ public_network_access_enabled = true
network_rules = {
default_action = "Allow"
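Review bot: `public_network_access_enabled = true` is added explicitly right above `network_rules { default_action = "Allow"`, which together leave the storage account (the one backing the signature upload/queue workflow in this file) reachable from any public address unless the rest of the `network_rules` block, which continues outside this hunk, narrows it; if the v6.20.2 module bump changed the module default to `false`, this line re-opens public exposure rather than preserving behaviour, so the motivation should be stated. Prefer `public_network_access_enabled = false` with private endpoints from the function subnets, or at least `default_action = "Deny"` with explicit `ip_rules`/`virtual_network_subnet_ids`, and if public access is genuinely required add a comment such as `# public access required by <consumer>; narrowed via network_rules below` so the next reviewer does not have to rediscover why.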
@@ -24,13 +25,9 @@ module "io_sign_storage" {
action = var.storage_account.enable_low_availability_alert ? [
{
- action_group_id = data.azurerm_monitor_action_group.email.id
+ action_group_id = data.azurerm_monitor_action_group.error_action_group.id
webhook_properties = {}
- },
- {
- action_group_id = data.azurerm_monitor_action_group.slack.id
- webhook_properties = {}
- },
+ }
] : []
tags = var.tags
@@ -115,4 +112,4 @@ resource "azurerm_storage_queue" "waiting_for_qtsp" {
resource "azurerm_storage_queue" "waiting_for_signature_request_updates" {
name = "waiting-for-signature-request-updates"
storage_account_name = module.io_sign_storage.name
-}
\ No newline at end of file
+}
diff --git a/src/packer/README.md b/src/packer/README.md
index 1c3c5bee6..fc5d86834 100644
--- a/src/packer/README.md
+++ b/src/packer/README.md
@@ -9,12 +9,6 @@
| [azurerm](#requirement\_azurerm) | = 3.36.0 |
| [null](#requirement\_null) | = 3.1.0 |
-## Providers
-
-| Name | Version |
-|------|---------|
-| [azurerm](#provider\_azurerm) | 3.36.0 |
-
## Modules
| Name | Source | Version |