Merge branch 'main' into IOPAE-1529-ipatente-appgateway-vehicles-lice…

…nces-ipatente-listeners

src/domains/ioweb-common/01_network.tf

@@ -40,7 +40,7 @@ data "azurerm_subnet" "ioweb_profile_snet" {
 
 ## redis spid login subnet
 module "redis_spid_login_snet" {
-  source               = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.15"
+  source               = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.56.0"
   name                 = format("%s-redis-spid-login-snet", local.project)
   address_prefixes     = var.subnets_cidrs.redis_spid_login
   resource_group_name  = local.vnet_common_resource_group_name
@@ -51,7 +51,7 @@ module "redis_spid_login_snet" {
 
 ## spid_login subnet
 module "spid_login_snet" {
-  source               = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.15"
+  source               = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.56.0"
   name                 = format("%s-spid-login-snet", local.project)
   address_prefixes     = var.subnets_cidrs.spid_login
   resource_group_name  = local.vnet_common_resource_group_name

src/domains/ioweb-common/01_network_itn.tf

@@ -0,0 +1,10 @@
+data "azurerm_virtual_network" "common_itn" {
+  name                = "${local.common_project_itn}-common-vnet-01"
+  resource_group_name = "${local.common_project_itn}-common-rg-01"
+}
+
+data "azurerm_subnet" "private_endpoints_subnet_itn" {
+  name                 = "${local.common_project_itn}-pep-snet-01"
+  virtual_network_name = data.azurerm_virtual_network.common_itn.name
+  resource_group_name  = data.azurerm_virtual_network.common_itn.resource_group_name
+}

src/domains/ioweb-common/02_security.tf

@@ -6,7 +6,7 @@ resource "azurerm_resource_group" "sec_rg" {
 }
 
 module "key_vault" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v4.1.3"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v8.56.0"
 
   name                       = "${local.product}-${var.domain}-kv"
   location                   = azurerm_resource_group.sec_rg.location
@@ -24,7 +24,7 @@ resource "azurerm_key_vault_access_policy" "adgroup_admin" {
   tenant_id = data.azurerm_client_config.current.tenant_id
   object_id = data.azuread_group.adgroup_admin.object_id
 
-  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", "GetRotationPolicy"]
   secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
   storage_permissions     = []
   certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
@@ -37,7 +37,7 @@ resource "azurerm_key_vault_access_policy" "adgroup_developers" {
   tenant_id = data.azurerm_client_config.current.tenant_id
   object_id = data.azuread_group.adgroup_developers.object_id
 
-  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", "GetRotationPolicy"]
   secret_permissions      = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
   storage_permissions     = []
   certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
@@ -50,7 +50,7 @@ resource "azurerm_key_vault_access_policy" "access_policy_io_infra_ci" {
   tenant_id = data.azurerm_client_config.current.tenant_id
   object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_ci.principal_id
 
-  key_permissions         = ["Get", "List"]
+  key_permissions         = ["Get", "List", "GetRotationPolicy"]
   secret_permissions      = ["Get", "List"]
   certificate_permissions = ["Get", "List"]
 }
@@ -61,7 +61,7 @@ resource "azurerm_key_vault_access_policy" "access_policy_io_infra_cd" {
   tenant_id = data.azurerm_client_config.current.tenant_id
   object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_cd.principal_id
 
-  key_permissions         = ["Get", "List"]
+  key_permissions         = ["Get", "List", "GetRotationPolicy"]
   secret_permissions      = ["Get", "List"]
   certificate_permissions = ["Get", "List"]
 }

src/domains/ioweb-common/03_storage.tf

@@ -7,7 +7,7 @@ locals {
 # Immutable SPID LOGS Storage
 ######################
 module "immutable_spid_logs_storage" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v7.32.1"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v8.56.0"
 
   name                          = replace(format("%s-spid-logs-im-st", local.project), "-", "")
   domain                        = upper(var.domain)
@@ -37,7 +37,7 @@ module "immutable_spid_logs_storage" {
 }
 
 module "immutable_spid_logs_storage_customer_managed_key" {
-  source               = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key?ref=v7.32.1"
+  source               = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key?ref=v8.56.0"
   tenant_id            = data.azurerm_subscription.current.tenant_id
   location             = var.location
   resource_group_name  = azurerm_resource_group.storage_rg.name

src/domains/ioweb-common/04_redis.tf

@@ -3,7 +3,7 @@
 * [REDIS V6]
 */
 module "redis_spid_login" {
-  source                = "git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache?ref=v6.11.2"
+  source                = "git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache?ref=v8.56.0"
   name                  = format("%s-redis-std-v6", local.project)
   resource_group_name   = azurerm_resource_group.common_rg.name
   location              = azurerm_resource_group.common_rg.location
@@ -12,6 +12,7 @@ module "redis_spid_login" {
   sku_name              = "Standard"
   redis_version         = "6"
   enable_authentication = true
+  zones                 = null
 
   // when azure can apply patch?
   patch_schedules = [{

src/domains/ioweb-common/05_apim_itn.tf

@@ -1,7 +1,7 @@
 # API Product
 
 module "apim_itn_product_ioweb" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v4.1.5"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v8.56.0"
 
   product_id   = "io-web-api"
   display_name = "IO WEB API"
@@ -18,7 +18,7 @@ module "apim_itn_product_ioweb" {
 }
 
 module "apim_itn_spid_login_api" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v4.1.5"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v8.56.0"
 
   name                  = format("%s-ioweb-auth", local.product)
   api_management_name   = data.azurerm_api_management.apim_itn_api.name

src/domains/ioweb-common/05_apim_v2.tf

@@ -1,7 +1,7 @@
 # API Product
 
 module "apim_v2_product_ioweb" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v4.1.5"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v8.56.0"
 
   product_id   = "io-web-api"
   display_name = "IO WEB API"
@@ -18,7 +18,7 @@ module "apim_v2_product_ioweb" {
 }
 
 module "apim_v2_spid_login_api" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v4.1.5"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v8.56.0"
 
   name                  = format("%s-ioweb-auth", local.product)
   api_management_name   = data.azurerm_api_management.apim_v2_api.name

src/domains/ioweb-common/05_resource_group.tf

@@ -18,3 +18,7 @@ resource "azurerm_resource_group" "storage_rg" {
 
   tags = var.tags
 }
+
+data "azurerm_resource_group" "common_rg_weu" {
+  name = "${local.product}-rg-common"
+}

src/domains/ioweb-common/06_cdn.tf

@@ -9,7 +9,7 @@ data "azurerm_dns_zone" "ioapp_it" {
 }
 
 module "landing_cdn" {
-  source = "github.com/pagopa/terraform-azurerm-v3.git//cdn?ref=v7.59.0"
+  source = "github.com/pagopa/terraform-azurerm-v3.git//cdn?ref=v8.56.0"
 
   name                             = "portal"
   prefix                           = local.project
@@ -22,6 +22,8 @@ module "landing_cdn" {
   index_document     = "index.html"
   error_404_document = "it/404/index.html"
 
+  advanced_threat_protection_enabled = false
+
   dns_zone_name                = data.azurerm_dns_zone.ioapp_it.name
   dns_zone_resource_group_name = data.azurerm_resource_group.core_ext.name
 

src/domains/ioweb-common/06_cdn_itn.tf

@@ -0,0 +1,49 @@
+resource "azurerm_resource_group" "io_web_profile_itn_fe_rg" {
+  name     = format("%s-ioweb-fe-rg-01", local.project_itn)
+  location = local.itn_location
+}
+
+module "io_web_profile_itn_fe_st" {
+  source = "github.com/pagopa/dx//infra/modules/azure_storage_account?ref=main"
+
+  // s tier -> Standard LRS
+  // l tier -> Standard ZRS
+  tier = "l"
+
+  # NOTE: domain omitted for characters shortage
+  environment = {
+    prefix          = var.prefix
+    env_short       = var.env_short
+    location        = local.itn_location
+    app_name        = replace("ioweb-profile", "-", "")
+    instance_number = "01"
+  }
+  access_tier = "Hot"
+
+  resource_group_name                  = azurerm_resource_group.io_web_profile_itn_fe_rg.name
+  subnet_pep_id                        = data.azurerm_subnet.private_endpoints_subnet_itn.id
+  private_dns_zone_resource_group_name = data.azurerm_resource_group.common_rg_weu.name
+
+  # storage should be accessible by CDN via private endpoint
+  # see https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-enable-private-link-storage-account
+  force_public_network_access_enabled = false
+  subservices_enabled = {
+    blob = true
+  }
+  blob_features = {
+    versioning = true
+    change_feed = {
+      enabled = false
+    }
+    immutability_policy = {
+      enabled = false
+    }
+  }
+
+  static_website = {
+    index_document     = "index.html"
+    error_404_document = "it/404/index.html"
+  }
+
+  tags = var.tags
+}

src/domains/ioweb-common/10_spid_login.tf

@@ -7,15 +7,12 @@ locals {
 ## App service spid login ##
 ############################
 module "spid_login" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service?ref=v4.1.15"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service?ref=v8.56.0"
 
   # App service plan
-  plan_type     = "internal"
-  plan_name     = format("%s-plan-spid-login", local.project)
-  plan_kind     = "Linux"
-  plan_reserved = true # Mandatory for Linux plan
-  plan_sku_tier = var.spid_login_plan_sku_tier
-  plan_sku_size = var.spid_login_plan_sku_size
+  plan_type = "internal"
+  plan_name = format("%s-plan-spid-login", local.project)
+  sku_name  = var.spid_login_plan_sku_size
 
   # App service
   name                = format("%s-spid-login", local.project)
@@ -24,17 +21,18 @@ module "spid_login" {
 
 
   always_on         = true
-  linux_fx_version  = "NODE|18-lts"
+  node_version      = "18-lts"
   app_command_line  = "npm run start"
   health_check_path = "/healthcheck"
 
+  ip_restriction_default_action = "Deny"
+
   app_settings = {
     WEBSITES_ENABLE_APP_SERVICE_STORAGE = false
     WEBSITES_PORT                       = 8080
 
     WEBSITE_NODE_DEFAULT_VERSION = "18.13.0"
     WEBSITE_RUN_FROM_PACKAGE     = "1"
-    WEBSITE_VNET_ROUTE_ALL       = "1"
     WEBSITE_DNS_SERVER           = "168.63.129.16"
 
     // ENVIRONMENT

src/domains/ioweb-common/99_locals.tf

@@ -20,3 +20,11 @@ locals {
 
   spid_login_base_path = "ioweb/auth/v1"
 }
+
+# Region ITN
+locals {
+  itn_location       = "italynorth"
+  itn_location_short = "itn"
+  project_itn        = "${local.product}-${local.itn_location_short}-${var.domain}"
+  common_project_itn = "${local.product}-${local.itn_location_short}"
+}

src/domains/ioweb-common/99_main.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "<= 3.40.0"
+      version = "<= 3.116.0"
     }
     azuread = {
       source  = "hashicorp/azuread"