From 5cf968212c2d3ea43974a2692b5e256e19bf2527 Mon Sep 17 00:00:00 2001
From: Diego Lagos <92735530+diegolagospagopa@users.noreply.github.com>
Date: Tue, 21 May 2024 16:39:16 +0200
Subject: [PATCH] feat: domain testit common created (#119)

* init github identity
* upgrade core modules
* fix monitor ita
* testit upgrated modules
* pre-commit fixs
---
 src/core/01_keyvault.tf | 2 +-
 src/core/01_network.tf | 4 +-
 src/core/01_network_ita.tf | 8 +-
 src/core/02_monitor_ita.tf | 54 ++++-----
 src/core/02_monitor_weu.tf | 2 +-
 src/core/02_vpn.tf | 11 +-
 src/core/03_apim_0.tf | 6 +-
 src/core/03_apim_api_configurations.tf | 4 +-
 src/core/04_azure_devops_agent.tf | 5 +-
 src/core/04_docker_registry.tf | 2 +-
 src/core/05_postgres_sql.tf | 4 +-
 src/core/08_redis.tf | 4 +-
 src/core/10_containers_app_tools.tf | 2 +-
 src/core/20_github_identity.tf | 2 +-
 src/core/README.md | 44 +++----
 src/domains/testit-common/01_keyvault_0.tf | 2 +-
 .../testit-common/10_github_identity.tf | 114 ++++++++++++++++++
 src/domains/testit-common/README.md | 9 +-
 18 files changed, 200 insertions(+), 79 deletions(-)
 create mode 100644 src/domains/testit-common/10_github_identity.tf

diff --git a/src/core/01_keyvault.tf b/src/core/01_keyvault.tf
index 4e86b2d..5cab565 100644
--- a/src/core/01_keyvault.tf
+++ b/src/core/01_keyvault.tf
@@ -6,7 +6,7 @@ resource "azurerm_resource_group" "sec_rg" {
 }
 module "key_vault_core_ita" {
- source = "github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v8.5.0"
+ source = "github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v8.13.0"
 name = "${local.project_ita}-core-kv"
 location = azurerm_resource_group.sec_rg.location
 resource_group_name = azurerm_resource_group.sec_rg.name
diff --git a/src/core/01_network.tf b/src/core/01_network.tf
index 7e6a258..94a6538 100644
--- a/src/core/01_network.tf
+++ b/src/core/01_network.tf
@@ -9,7 +9,7 @@ resource "azurerm_resource_group" "rg_vnet" {
 # vnet
 #
 module "vnet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network?ref=v8.5.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network?ref=v8.13.0"
 name = local.vnet_name
 location = azurerm_resource_group.rg_vnet.location
 resource_group_name = azurerm_resource_group.rg_vnet.name
@@ -97,7 +97,7 @@ resource "azurerm_public_ip" "aks_outbound" {
 # Private endpoints
 #
 module "private_endpoints_snet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.13.0"
 name = "${local.project}-private-endpoints-snet"
 address_prefixes = var.cidr_subnet_private_endpoints
 virtual_network_name = module.vnet.name
diff --git a/src/core/01_network_ita.tf b/src/core/01_network_ita.tf
index 2831853..f516b47 100644
--- a/src/core/01_network_ita.tf
+++ b/src/core/01_network_ita.tf
@@ -6,7 +6,7 @@ resource "azurerm_resource_group" "rg_ita_vnet" {
 }
 module "vnet_italy" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network?ref=v8.5.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network?ref=v8.13.0"
 name = local.vnet_ita_name
 location = var.location_ita
@@ -20,7 +20,7 @@ module "vnet_italy" {
 ## Peering between the vnet(main) and italy vnet
 module "vnet_ita_peering" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network_peering?ref=v8.5.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network_peering?ref=v8.13.0"
 source_resource_group_name = azurerm_resource_group.rg_ita_vnet.name
 source_virtual_network_name = module.vnet_italy.name
@@ -35,7 +35,7 @@ module "vnet_ita_peering" {
 }
 module "packer_azdo_snet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.13.0"
 name = "packer-azdo-subnet"
 address_prefixes = var.cidr_subnet_packer_azdo
 virtual_network_name = module.vnet_italy.name
@@ -45,7 +45,7 @@ module "packer_azdo_snet" {
 }
 module "packer_dns_forwarder_snet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.13.0"
 name = "packer-dns-forwarder-subnet"
 address_prefixes = var.cidr_subnet_packer_dns_forwarder
 virtual_network_name = module.vnet_italy.name
diff --git a/src/core/02_monitor_ita.tf b/src/core/02_monitor_ita.tf
index 568f823..b51f1ce 100644
--- a/src/core/02_monitor_ita.tf
+++ b/src/core/02_monitor_ita.tf
@@ -36,30 +36,30 @@ resource "azurerm_key_vault_secret" "application_insights_ita_key" {
 key_vault_id = module.key_vault_core_ita.id
 }
-# resource "azurerm_monitor_ita_action_group" "email_ita" {
-# name = "PagoPA"
-# resource_group_name = azurerm_resource_group.monitor_ita_rg.name
-# short_name = "PagoPA"
-#
-# email_receiver {
-# name = "sendtooperations"
-# email_address = data.azurerm_key_vault_secret.monitor_ita_notification_email.value
-# use_common_alert_schema = true
-# }
-#
-# tags = var.tags
-# }
-#
-# resource "azurerm_monitor_ita_action_group" "slack_ita" {
-# name = "SlackPagoPA"
-# resource_group_name = azurerm_resource_group.monitor_ita_rg.name
-# short_name = "SlackPagoPA"
-#
-# email_receiver {
-# name = "sendtoslack"
-# email_address = data.azurerm_key_vault_secret.monitor_ita_notification_slack_email.value
-# use_common_alert_schema = true
-# }
-#
-# tags = var.tags
-# }
+resource "azurerm_monitor_action_group" "email_ita" {
+ name = "PagoPA"
+ resource_group_name = azurerm_resource_group.monitor_ita_rg.name
+ short_name = "PagoPA"
+
+ email_receiver {
+ name = "sendtooperations"
+ email_address = data.azurerm_key_vault_secret.monitor_notification_email.value
+ use_common_alert_schema = true
+ }
+
+ tags = var.tags
+}
+
+resource "azurerm_monitor_action_group" "slack_ita" {
+ name = "SlackPagoPA"
+ resource_group_name = azurerm_resource_group.monitor_ita_rg.name
+ short_name = "SlackPagoPA"
+
+ email_receiver {
+ name = "sendtoslack"
+ email_address = data.azurerm_key_vault_secret.monitor_notification_slack_email.value
+ use_common_alert_schema = true
+ }
+
+ tags = var.tags
+}
diff --git a/src/core/02_monitor_weu.tf b/src/core/02_monitor_weu.tf
index 7276555..028de36 100644
--- a/src/core/02_monitor_weu.tf
+++ b/src/core/02_monitor_weu.tf
@@ -68,7 +68,7 @@ resource "azurerm_monitor_action_group" "slack" { # # Monitor storage # # # module "security_monitoring_storage" { -# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account?ref=v8.5.0" +# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account?ref=v8.13.0" # # name = local.monitor_security_storage_name # account_kind = "StorageV2" diff --git a/src/core/02_vpn.tf b/src/core/02_vpn.tf index e5316db..ff31155 100644 --- a/src/core/02_vpn.tf +++ b/src/core/02_vpn.tf @@ -1,6 +1,6 @@ ## VPN subnet module "vpn_snet" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.13.0" name = "GatewaySubnet" address_prefixes = var.cidr_subnet_vpn virtual_network_name = module.vnet_italy.name @@ -15,7 +15,7 @@ data "azuread_application" "vpn_app" { module "vpn" { count = var.vpn_enabled ? 1 : 0 - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//vpn_gateway?ref=v8.5.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//vpn_gateway?ref=v8.13.0" name = "${local.project_ita}-vpn" location = var.location_ita @@ -45,7 +45,7 @@ module "vpn" { # Dns Forwarder module module "subnet_dns_forwarder_lb" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.13.0" count = var.dns_forwarder_is_enabled ? 1 : 0 name = "${local.project_ita}-dns-forwarder-lb" @@ -55,7 +55,7 @@ module "subnet_dns_forwarder_lb" { } module "subnet_dns_forwarder_vmss" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.13.0" count = var.dns_forwarder_is_enabled ? 1 : 0 name = "${local.project_ita}-dns-forwarder-vmss" 
@@ -65,7 +65,7 @@ module "subnet_dns_forwarder_vmss" { } module "dns_forwarder_lb_vmss" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_lb_vmss?ref=dns-forwarder-lb-fix" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_lb_vmss?ref=v8.13.0" count = var.dns_forwarder_is_enabled ? 1 : 0 name = local.project @@ -80,5 +80,6 @@ module "dns_forwarder_lb_vmss" { subscription_id = data.azurerm_subscription.current.subscription_id source_image_name = var.dns_forwarder_vmss_image_name key_vault_id = data.azurerm_key_vault.kv.id + tenant_id = data.azurerm_client_config.current.id tags = var.tags } diff --git a/src/core/03_apim_0.tf b/src/core/03_apim_0.tf index 4bfe02c..6747ed8 100644 --- a/src/core/03_apim_0.tf +++ b/src/core/03_apim_0.tf @@ -22,7 +22,7 @@ # # # APIM subnet # module "apim_snet" { -# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0" +# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.13.0" # count = var.apim_enabled == true ? 1 : 0 # # name = "${local.project_ita}-apim-snet" @@ -34,7 +34,7 @@ # } # # module "apim_stv2_snet" { -# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0" +# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.13.0" # count = var.apim_enabled == true ? 1 : 0 # # name = "${local.project_ita}-apim-stv2-snet" @@ -88,7 +88,7 @@ # ########################### # # module "apim" { -# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management?ref=v8.5.0" +# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management?ref=v8.13.0" # count = var.apim_enabled == true ? 1 : 0 # # name = "${local.project_ita}-apim" diff --git a/src/core/03_apim_api_configurations.tf b/src/core/03_apim_api_configurations.tf index 95f85c2..5a11a29 100644 --- a/src/core/03_apim_api_configurations.tf 
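Review bot: In the `@@ -80,5 +80,6 @@` hunk of 02_vpn.tf the new `tenant_id = data.azurerm_client_config.current.id` passes the data source's own resource ID, not the tenant: `azurerm_client_config` exposes the tenant as the `tenant_id` attribute, while `id` is a composite identifier built from the client, object, subscription and tenant IDs. Unless the `dns_forwarder_lb_vmss` module is documented to accept that composite string, the line should read `tenant_id = data.azurerm_client_config.current.tenant_id`, which is also the attribute the new testit-common access policy in this same PR uses. The `module "dns_forwarder_lb_vmss"` block starts before this hunk, so its other inputs could not be checked here.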
+++ b/src/core/03_apim_api_configurations.tf @@ -5,7 +5,7 @@ # module "apim_product_blueprint" { # count = var.apim_enabled == true ? 1 : 0 # -# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v8.5.0" +# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v8.13.0" # # product_id = "blueprint" # display_name = "blueprint product" @@ -35,7 +35,7 @@ # # } # # module "apim_blueprint_status_v1" { -# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v8.5.0" +# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v8.13.0" # count = var.apim_enabled == true ? 1 : 0 # # diff --git a/src/core/04_azure_devops_agent.tf b/src/core/04_azure_devops_agent.tf index 2eaff58..08e1427 100644 --- a/src/core/04_azure_devops_agent.tf +++ b/src/core/04_azure_devops_agent.tf @@ -7,7 +7,7 @@ resource "azurerm_resource_group" "azdo_rg" { } module "azdoa_snet" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.13.0" count = var.enable_azdoa ? 1 : 0 name = local.azuredevops_subnet_name address_prefixes = var.cidr_subnet_azdoa @@ -18,12 +18,11 @@ module "azdoa_snet" { module "azdoa_vmss_li" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent?ref=v8.5.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent?ref=v8.13.0" count = var.enable_azdoa ? 1 : 0 name = local.azuredevops_agent_vm_name resource_group_name = azurerm_resource_group.azdo_rg[0].name subnet_id = module.azdoa_snet[0].id - subscription_name = data.azurerm_subscription.current.display_name subscription_id = data.azurerm_subscription.current.subscription_id location = var.location_ita source_image_name = var.azdoa_image_name 
diff --git a/src/core/04_docker_registry.tf b/src/core/04_docker_registry.tf
index f845c93..0071769 100644
--- a/src/core/04_docker_registry.tf
+++ b/src/core/04_docker_registry.tf
@@ -5,7 +5,7 @@ resource "azurerm_resource_group" "rg_docker" {
 }
 module "container_registry_public" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//container_registry?ref=v8.5.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//container_registry?ref=v8.13.0"
 name = local.docker_registry_name
 resource_group_name = azurerm_resource_group.rg_docker.name
 location = azurerm_resource_group.rg_docker.location
diff --git a/src/core/05_postgres_sql.tf b/src/core/05_postgres_sql.tf
index a83b9b5..fd80c59 100644
--- a/src/core/05_postgres_sql.tf
+++ b/src/core/05_postgres_sql.tf
@@ -114,7 +114,7 @@ resource "azurerm_resource_group" "data_rg" {
 ## Database subnet
 module "postgres_snet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.13.0"
 name = "${local.project}-postgres-snet"
 address_prefixes = var.cidr_subnet_postgres
 resource_group_name = azurerm_resource_group.rg_ita_vnet.name
@@ -125,7 +125,7 @@ module "postgres_snet" {
 module "postgres" {
 count = var.is_resource_core_enabled.postgresql_server ? 1 : 0
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//postgresql_server?ref=v8.5.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//postgresql_server?ref=v8.13.0"
 name = "${local.project}-postgres"
 location = azurerm_resource_group.data_rg.location
diff --git a/src/core/08_redis.tf b/src/core/08_redis.tf
index 1ae33b4..fa3836d 100644
--- a/src/core/08_redis.tf
+++ b/src/core/08_redis.tf
@@ -6,7 +6,7 @@ resource "azurerm_resource_group" "redis" {
 ## redisbase subnet
 module "redis_snet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.13.0"
 name = "${local.project_ita}-redis-snet"
 address_prefixes = var.cidr_subnet_redis
 resource_group_name = azurerm_resource_group.rg_ita_vnet.name
@@ -15,7 +15,7 @@ module "redis_snet" {
 module "redis" {
 count = var.redis_enabled ? 1 : 0
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache?ref=v8.5.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache?ref=v8.13.0"
 name = "${local.project_ita}-redis"
 resource_group_name = azurerm_resource_group.redis.name
 location = azurerm_resource_group.redis.location
diff --git a/src/core/10_containers_app_tools.tf b/src/core/10_containers_app_tools.tf
index 7016b91..cf4ac9f 100644
--- a/src/core/10_containers_app_tools.tf
+++ b/src/core/10_containers_app_tools.tf
@@ -13,7 +13,7 @@ resource "azurerm_subnet" "tools_cae_snet" {
 }
 module "container_app_environment" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//container_app_environment_v2?ref=v8.5.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//container_app_environment_v2?ref=v8.13.0"
 resource_group_name = azurerm_resource_group.tools_cae_rg.name
 location = azurerm_resource_group.tools_cae_rg.location
diff --git a/src/core/20_github_identity.tf b/src/core/20_github_identity.tf
index 71fb4bd..f69faf7 100644
--- a/src/core/20_github_identity.tf
+++ b/src/core/20_github_identity.tf
@@ -33,7 +33,7 @@ locals {
 # create a module for each 20 repos
 module "identity_cd_01" {
- source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v8.5.0"
+ source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v8.13.0"
 # pagopa---github--identity
 prefix = var.prefix
 env_short = var.env_short
diff --git a/src/core/README.md b/src/core/README.md
index 031cbb9..b3d974a 100644
--- a/src/core/README.md
+++ b/src/core/README.md
@@ -39,27 +39,27 @@ az network dns zone show \
 | Name | Source | Version |
 |------|--------|---------|
-| [azdoa\_snet](#module\_azdoa\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 |
-| [azdoa\_vmss\_li](#module\_azdoa\_vmss\_li) | git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent | v8.5.0 |
-| [container\_app\_environment](#module\_container\_app\_environment) | git::https://github.com/pagopa/terraform-azurerm-v3.git//container_app_environment_v2 | v8.5.0 |
-| [container\_registry\_public](#module\_container\_registry\_public) | git::https://github.com/pagopa/terraform-azurerm-v3.git//container_registry | v8.5.0 |
-| [dns\_forwarder\_lb\_vmss](#module\_dns\_forwarder\_lb\_vmss) | git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_lb_vmss | dns-forwarder-lb-fix |
-| [identity\_cd\_01](#module\_identity\_cd\_01) | github.com/pagopa/terraform-azurerm-v3//github_federated_identity | v8.5.0 |
-| [key\_vault\_core\_ita](#module\_key\_vault\_core\_ita) | github.com/pagopa/terraform-azurerm-v3.git//key_vault | v8.5.0 |
-| [packer\_azdo\_snet](#module\_packer\_azdo\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 |
-| [packer\_dns\_forwarder\_snet](#module\_packer\_dns\_forwarder\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 |
-| [postgres](#module\_postgres) | git::https://github.com/pagopa/terraform-azurerm-v3.git//postgresql_server | v8.5.0 |
-| [postgres\_snet](#module\_postgres\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 |
-| [private\_endpoints\_snet](#module\_private\_endpoints\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 |
-| [redis](#module\_redis) | git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache | v8.5.0 |
-| [redis\_snet](#module\_redis\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 |
-| [subnet\_dns\_forwarder\_lb](#module\_subnet\_dns\_forwarder\_lb) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 |
-| [subnet\_dns\_forwarder\_vmss](#module\_subnet\_dns\_forwarder\_vmss) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 |
-| [vnet](#module\_vnet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network | v8.5.0 |
-| [vnet\_ita\_peering](#module\_vnet\_ita\_peering) | git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network_peering | v8.5.0 |
-| [vnet\_italy](#module\_vnet\_italy) | git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network | v8.5.0 |
-| [vpn](#module\_vpn) | git::https://github.com/pagopa/terraform-azurerm-v3.git//vpn_gateway | v8.5.0 |
-| [vpn\_snet](#module\_vpn\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 |
+| [azdoa\_snet](#module\_azdoa\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.13.0 |
+| [azdoa\_vmss\_li](#module\_azdoa\_vmss\_li) | git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent | v8.13.0 |
+| [container\_app\_environment](#module\_container\_app\_environment) | git::https://github.com/pagopa/terraform-azurerm-v3.git//container_app_environment_v2 | v8.13.0 |
+| [container\_registry\_public](#module\_container\_registry\_public) | git::https://github.com/pagopa/terraform-azurerm-v3.git//container_registry | v8.13.0 |
+| [dns\_forwarder\_lb\_vmss](#module\_dns\_forwarder\_lb\_vmss) | git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_lb_vmss | v8.13.0 |
+| [identity\_cd\_01](#module\_identity\_cd\_01) | github.com/pagopa/terraform-azurerm-v3//github_federated_identity | v8.13.0 |
+| [key\_vault\_core\_ita](#module\_key\_vault\_core\_ita) | github.com/pagopa/terraform-azurerm-v3.git//key_vault | v8.13.0 |
+| [packer\_azdo\_snet](#module\_packer\_azdo\_snet) | 
git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.13.0 |
+| [packer\_dns\_forwarder\_snet](#module\_packer\_dns\_forwarder\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.13.0 |
+| [postgres](#module\_postgres) | git::https://github.com/pagopa/terraform-azurerm-v3.git//postgresql_server | v8.13.0 |
+| [postgres\_snet](#module\_postgres\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.13.0 |
+| [private\_endpoints\_snet](#module\_private\_endpoints\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.13.0 |
+| [redis](#module\_redis) | git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache | v8.13.0 |
+| [redis\_snet](#module\_redis\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.13.0 |
+| [subnet\_dns\_forwarder\_lb](#module\_subnet\_dns\_forwarder\_lb) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.13.0 |
+| [subnet\_dns\_forwarder\_vmss](#module\_subnet\_dns\_forwarder\_vmss) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.13.0 |
+| [vnet](#module\_vnet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network | v8.13.0 |
+| [vnet\_ita\_peering](#module\_vnet\_ita\_peering) | git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network_peering | v8.13.0 |
+| [vnet\_italy](#module\_vnet\_italy) | git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network | v8.13.0 |
+| [vpn](#module\_vpn) | git::https://github.com/pagopa/terraform-azurerm-v3.git//vpn_gateway | v8.13.0 |
+| [vpn\_snet](#module\_vpn\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.13.0 |

 ## Resources
@@ -81,7 +81,9 @@ az network dns zone show \
 | [azurerm_log_analytics_workspace.log_analytics_workspace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource |
 | [azurerm_log_analytics_workspace.log_analytics_workspace_ita](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource |
 | [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_action_group) | resource |
+| [azurerm_monitor_action_group.email_ita](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_action_group) | resource |
 | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_action_group) | resource |
+| [azurerm_monitor_action_group.slack_ita](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_action_group) | resource |
 | [azurerm_private_dns_zone.internal_devopslab](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource |
 | [azurerm_private_dns_zone.privatelink_postgres_database_azure_com](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource |
 | [azurerm_private_dns_zone.storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource |
diff --git a/src/domains/testit-common/01_keyvault_0.tf b/src/domains/testit-common/01_keyvault_0.tf
index 075d05d..34c942e 100644
--- a/src/domains/testit-common/01_keyvault_0.tf
+++ b/src/domains/testit-common/01_keyvault_0.tf
@@ -6,7 +6,7 @@ resource "azurerm_resource_group" "sec_rg_domain" {
 }
 module "key_vault_domain" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v8.8.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v8.13.0"
 name = "${local.project}-kv"
 location = azurerm_resource_group.sec_rg_domain.location
diff --git a/src/domains/testit-common/10_github_identity.tf b/src/domains/testit-common/10_github_identity.tf
new file mode 100644
index 0000000..0eb9ba6
--- /dev/null
+++ b/src/domains/testit-common/10_github_identity.tf
@@ -0,0 +1,114 @@
+data "azurerm_resource_group" "identity_rg" {
+ name = "${local.product}-identity-rg"
+}
+
+data "azurerm_kubernetes_cluster" "aks" {
+ name = "${local.product}-${var.location_short}-${var.instance}-aks"
+ resource_group_name = "${local.product}-${var.location_short}-${var.instance}-aks-rg"
+}
+
+data "azurerm_key_vault" "key_vault" {
+ name = "${local.product}-${var.location_short}-${var.domain}-kv"
+ resource_group_name = "${local.product}-${var.location_short}-${var.domain}-sec-rg"
+}
+
+# repos must be lower than 20 items
+locals {
+ repos_01 = [
+ ]
+
+ federations_01 = [
+ for repo in local.repos_01 : {
+ repository = repo
+ subject = var.env
+ }
+ ]
+
+ # to avoid subscription Contributor -> https://github.com/microsoft/azure-container-apps/issues/35
+ environment_cd_roles = {
+ subscription = [
+ "Contributor",
+ ]
+ resource_groups = {
+ "${local.product}-${var.location_short}-${var.domain}-sec-rg" = [
+ "Key Vault Reader"
+ ],
+ "${local.product}-${var.location_short}-${var.env}-aks-rg" = [
+ "Contributor"
+ ],
+ }
+ }
+}
+
+# create a module for each 20 repos
+module "identity_cd_01" {
+ source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v8.13.0"
+ # pagopa---github--identity
+ prefix = var.prefix
+ env_short = var.env_short
+ domain = "${var.domain}-01"
+
+ identity_role = "cd"
+
+ github_federations = local.federations_01
+
+ cd_rbac_roles = {
+ subscription_roles = local.environment_cd_roles.subscription
+ resource_groups = local.environment_cd_roles.resource_groups
+ }
+
+ tags = var.tags
+
+ depends_on = [
+ data.azurerm_resource_group.identity_rg
+ ]
+}
+
+
+resource "azurerm_key_vault_access_policy" "gha_iac_managed_identities" {
+ key_vault_id = data.azurerm_key_vault.key_vault.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = module.identity_cd_01.identity_principal_id
+
+ secret_permissions = ["Get", "List", "Set", ]
+
+ certificate_permissions = ["SetIssuers", 
"DeleteIssuers", "Purge", "List", "Get"] + key_permissions = [ + "Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt", "GetRotationPolicy" + ] + + storage_permissions = [] +} + +resource "null_resource" "github_runner_app_permissions_to_namespace_cd_01" { + triggers = { + aks_id = data.azurerm_kubernetes_cluster.aks.id + service_principal_id = module.identity_cd_01.identity_client_id + namespace = var.domain + version = "v2" + } + + provisioner "local-exec" { + command = < ## Requirements @@ -12,7 +11,8 @@ | Name | Source | Version | |------|--------|---------| -| [key\_vault\_domain](#module\_key\_vault\_domain) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v8.8.0 | +| [identity\_cd\_01](#module\_identity\_cd\_01) | github.com/pagopa/terraform-azurerm-v3//github_federated_identity | v8.13.0 | +| [key\_vault\_domain](#module\_key\_vault\_domain) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v8.13.0 | ## Resources 
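Review bot: `environment_cd_roles.subscription` in the new 10_github_identity.tf grants the GitHub federated CD identity subscription-wide `Contributor`, directly under the comment `# to avoid subscription Contributor`, so the identity can modify every resource in the subscription rather than just this domain's; unless the module rejects an empty list, change it to `subscription = []` and keep only the resource-group scoped roles that follow. The AKS resource group is also named inconsistently: the role map uses `"${local.product}-${var.location_short}-${var.env}-aks-rg"` while the `azurerm_kubernetes_cluster` data source a few lines up uses `${var.instance}-aks-rg`, so if `var.env` and `var.instance` differ the Contributor assignment lands on a group the cluster is not in (or fails on a group that does not exist). The `gha_iac_managed_identities` access policy grants `Purge` on certificates and `Delete`/`Decrypt`/`Import` on keys to the same CD identity, which is considerably broader than the `Key Vault Reader` role assigned beside it; trim it to the `Get`/`List` operations plus whichever specific write permissions the pipelines demonstrably need, and add a one-line comment naming that need next to each non-read permission. The `local-exec` command of `null_resource.github_runner_app_permissions_to_namespace_cd_01` and the remainder of this hunk are not visible in this view, so the cluster-side RBAC step could not be reviewed.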
@@ -21,7 +21,9 @@
 | [azurerm_key_vault_access_policy.ad_admin_group_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.adgroup_developers_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.adgroup_externals_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.gha_iac_managed_identities](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_resource_group.sec_rg_domain](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [null_resource.github_runner_app_permissions_to_namespace_cd_01](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
@@ -29,7 +31,10 @@
 | [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
 | [azurerm_dns_zone.public](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source |
+| [azurerm_key_vault.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
+| [azurerm_kubernetes_cluster.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster) | data source |
 | [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
+| [azurerm_resource_group.identity_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.rg_vnet_ita](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |