feat: Add umberto domain (#96)

* fix: precommit * feat: add umberto domain --------- Co-authored-by: Umberto Coppola Bottazzi <umberto.coppolabottazzi@pagopa.it>
pagopa · Dec 11, 2023 · 3303630 · 3303630
1 parent 5531fc2
commit 3303630
Show file tree

Hide file tree

Showing 15 changed files with 564 additions and 9 deletions.
diff --git a/src/core/03_apim_0.tf b/src/core/03_apim_0.tf
@@ -22,8 +22,8 @@ resource "azurerm_resource_group" "rg_api" {
 
 # APIM subnet
 module "apim_snet" {
-  source               = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.23.0"
-      count = var.apim_enabled == true ? 1 : 0
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.23.0"
+  count  = var.apim_enabled == true ? 1 : 0
 
   name                 = "${local.project}-apim-snet"
   resource_group_name  = azurerm_resource_group.rg_vnet.name
@@ -34,8 +34,8 @@ module "apim_snet" {
 }
 
 module "apim_stv2_snet" {
-  source               = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.23.0"
-      count = var.apim_enabled == true ? 1 : 0
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.23.0"
+  count  = var.apim_enabled == true ? 1 : 0
 
   name                 = "${local.project}-apim-stv2-snet"
   resource_group_name  = azurerm_resource_group.rg_vnet.name
@@ -68,14 +68,14 @@ resource "azurerm_network_security_rule" "apim_snet_nsg_rules" {
 }
 
 resource "azurerm_subnet_network_security_group_association" "apim_stv2_snet" {
-      count = var.apim_enabled == true ? 1 : 0
+  count = var.apim_enabled == true ? 1 : 0
 
   subnet_id                 = module.apim_stv2_snet[0].id
   network_security_group_id = azurerm_network_security_group.apim_snet_nsg.id
 }
 
 resource "azurerm_subnet_network_security_group_association" "apim_snet" {
-      count = var.apim_enabled == true ? 1 : 0
+  count = var.apim_enabled == true ? 1 : 0
 
   subnet_id                 = module.apim_snet[0].id
   network_security_group_id = azurerm_network_security_group.apim_snet_nsg.id
@@ -138,7 +138,7 @@ resource "azurerm_key_vault_access_policy" "api_management_policy" {
 # 🏷 custom domain
 #
 resource "azurerm_api_management_custom_domain" "api_custom_domain" {
-    count = var.apim_enabled == true ? 1 : 0
+  count = var.apim_enabled == true ? 1 : 0
 
   api_management_id = module.apim[0].id
 

diff --git a/src/core/99_variables.tf b/src/core/99_variables.tf
@@ -16,8 +16,8 @@ locals {
 
   #APIM
   # api.internal.*.devopslab.pagopa.it
-  api_internal_domain            = "api.internal.${var.prod_dns_zone_prefix}.${var.external_domain}"
-  apim_management_public_ip_name = "${local.project}-apim-management-pip"
+  api_internal_domain              = "api.internal.${var.prod_dns_zone_prefix}.${var.external_domain}"
+  apim_management_public_ip_name   = "${local.project}-apim-management-pip"
   apim_management_public_ip_name_2 = "${local.project}-apim-management-v2-pip"
 
   #AKS

diff --git a/src/core/README.md b/src/core/README.md
@@ -60,6 +60,7 @@ az network dns zone show \
 
 | Name | Type |
 |------|------|
+| [azurerm_api_management_custom_domain.api_custom_domain](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_custom_domain) | resource |
 | [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_insights) | resource |
 | [azurerm_dns_a_record.api_devopslab_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
 | [azurerm_dns_a_record.helm_template_ingress_devopslab_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
@@ -84,6 +85,7 @@ az network dns zone show \
 | [azurerm_private_dns_zone_virtual_network_link.vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link) | resource |
 | [azurerm_public_ip.aks_outbound](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
 | [azurerm_public_ip.apim_management_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
+| [azurerm_public_ip.apim_management_public_ip_2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
 | [azurerm_public_ip.appgateway_beta_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
 | [azurerm_public_ip.appgateway_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
 | [azurerm_resource_group.azdo_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |

diff --git a/src/domains/umberto-common/.terraform.lock.hcl b/src/domains/umberto-common/.terraform.lock.hcl
diff --git a/src/domains/umberto-common/00_azuread.tf b/src/domains/umberto-common/00_azuread.tf
@@ -0,0 +1,16 @@
+# Azure AD
+data "azuread_group" "adgroup_admin" {
+  display_name = "${local.product}-adgroup-admin"
+}
+
+data "azuread_group" "adgroup_developers" {
+  display_name = "${local.product}-adgroup-developers"
+}
+
+data "azuread_group" "adgroup_externals" {
+  display_name = "${local.product}-adgroup-externals"
+}
+
+data "azuread_group" "adgroup_security" {
+  display_name = "${local.product}-adgroup-security"
+}
diff --git a/src/domains/umberto-common/00_monitor.tf b/src/domains/umberto-common/00_monitor.tf
@@ -0,0 +1,23 @@
+data "azurerm_resource_group" "monitor_rg" {
+  name = var.monitor_resource_group_name
+}
+
+data "azurerm_log_analytics_workspace" "log_analytics" {
+  name                = var.log_analytics_workspace_name
+  resource_group_name = var.log_analytics_workspace_resource_group_name
+}
+
+data "azurerm_application_insights" "application_insights" {
+  name                = local.monitor_appinsights_name
+  resource_group_name = data.azurerm_resource_group.monitor_rg.name
+}
+
+data "azurerm_monitor_action_group" "slack" {
+  resource_group_name = var.monitor_resource_group_name
+  name                = local.monitor_action_group_slack_name
+}
+
+data "azurerm_monitor_action_group" "email" {
+  resource_group_name = var.monitor_resource_group_name
+  name                = local.monitor_action_group_email_name
+}
diff --git a/src/domains/umberto-common/01_keyvault_0.tf b/src/domains/umberto-common/01_keyvault_0.tf
@@ -0,0 +1,106 @@
+resource "azurerm_resource_group" "sec_rg_domain" {
+  name     = "${local.product}-${var.domain}-sec-rg"
+  location = var.location
+
+  tags = var.tags
+}
+
+module "key_vault_domain" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v7.7.0"
+
+  name                       = "${local.product}-${var.domain}-kv"
+  location                   = azurerm_resource_group.sec_rg_domain.location
+  resource_group_name        = azurerm_resource_group.sec_rg_domain.name
+  tenant_id                  = data.azurerm_client_config.current.tenant_id
+  soft_delete_retention_days = 90
+  sku_name                   = "premium"
+
+  lock_enable = true
+
+  tags = var.tags
+}
+
+## ad group policy ##
+resource "azurerm_key_vault_access_policy" "ad_admin_group_policy" {
+  key_vault_id = module.key_vault_domain.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = data.azuread_group.adgroup_admin.object_id
+
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  secret_permissions      = ["Get", "List", "Set", "Delete", ]
+  storage_permissions     = []
+  certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", ]
+}
+
+#
+# policy developers
+#
+resource "azurerm_key_vault_access_policy" "adgroup_developers_policy" {
+
+  key_vault_id = module.key_vault_domain.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = data.azuread_group.adgroup_developers.object_id
+
+  key_permissions         = var.env_short == "d" ? ["Get", "List", "Update", "Create", "Import", "Delete", ] : ["Get", "List", "Update", "Create", "Import", ]
+  secret_permissions      = var.env_short == "d" ? ["Get", "List", "Set", "Delete", ] : ["Get", "List", "Set", ]
+  storage_permissions     = []
+  certificate_permissions = var.env_short == "d" ? ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", "ManageContacts", ] : ["Get", "List", "Update", "Create", "Import", "Restore", "Recover", ]
+}
+
+#
+# policy externals
+#
+
+resource "azurerm_key_vault_access_policy" "adgroup_externals_policy" {
+  count = var.env_short == "d" ? 1 : 0
+
+  key_vault_id = module.key_vault_domain.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = data.azuread_group.adgroup_developers.object_id
+
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  secret_permissions      = ["Get", "List", "Set", "Delete", ]
+  storage_permissions     = []
+  certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", "ManageContacts", ]
+}
+
+#
+# IaC
+#
+
+#pagopaspa-dvopla-platform-iac-projects-{subscription}
+data "azuread_service_principal" "platform_iac_sp" {
+  display_name = "pagopaspa-devops-platform-iac-projects-${data.azurerm_subscription.current.subscription_id}"
+}
+
+resource "azurerm_key_vault_access_policy" "azdevops_platform_iac_policy" {
+  key_vault_id = module.key_vault_domain.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id           = data.azuread_service_principal.platform_iac_sp.object_id
+
+  secret_permissions = ["Get", "List", "Set", ]
+
+  certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", ]
+
+  storage_permissions = []
+}
+
+#azdo-sp-plan-devopslab-<env>
+data "azuread_service_principal" "iac_sp_plan" {
+  display_name = "azdo-sp-plan-devopslab-${var.env}"
+}
+
+resource "azurerm_key_vault_access_policy" "iac_sp_plan_policy" {
+  key_vault_id = module.key_vault_domain.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = data.azuread_service_principal.iac_sp_plan.object_id
+
+  secret_permissions = ["Get", "List", "Set", ]
+
+  certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", "Import"]
+
+  storage_permissions = []
+}
diff --git a/src/domains/umberto-common/99_main.tf b/src/domains/umberto-common/99_main.tf
@@ -0,0 +1,34 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<= 3.71.0"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "= 2.21.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "= 3.1.1"
+    }
+    pkcs12 = {
+      source  = "chilicat/pkcs12"
+      version = "0.0.7"
+    }
+  }
+
+  backend "azurerm" {}
+}
+
+provider "azurerm" {
+  features {
+    key_vault {
+      purge_soft_delete_on_destroy = false
+    }
+  }
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
diff --git a/src/domains/umberto-common/99_main.tf.ci b/src/domains/umberto-common/99_main.tf.ci
@@ -0,0 +1,33 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<= 3.71.0"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "= 2.21.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "= 3.1.1"
+    }
+    pkcs12 = {
+      source  = "chilicat/pkcs12"
+      version = "0.0.7"
+    }
+  }
+
+}
+
+provider "azurerm" {
+  features {
+    key_vault {
+      purge_soft_delete_on_destroy = false
+    }
+  }
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}