From c463be18049e0b4ca4aea471e66e7a9f693ad043 Mon Sep 17 00:00:00 2001
From: mamari90 <130982006+mamari90@users.noreply.github.com>
Date: Tue, 12 Sep 2023 12:49:18 +0200
Subject: [PATCH] integrated velero
---
 src/aks-platform/00_network.tf | 13 +++
 src/aks-platform/02_aks.tf | 48 +++++++++++
 src/aks-platform/02_velero.tf | 108 ------------------------
 src/aks-platform/99_locals.tf | 1 +
 src/aks-platform/velero-credentials.tpl | 6 --
 src/core/02_dns_private.tf | 16 ++++
 src/coreplus/00_network.tf | 5 ++
 src/coreplus/01_network_aks_platform.tf | 9 ++
 src/coreplus/99_variables.tf | 1 +
 9 files changed, 93 insertions(+), 114 deletions(-)
 delete mode 100644 src/aks-platform/02_velero.tf
 delete mode 100644 src/aks-platform/velero-credentials.tpl
diff --git a/src/aks-platform/00_network.tf b/src/aks-platform/00_network.tf
index 0dbe5135..d2d774a6 100644
--- a/src/aks-platform/00_network.tf
+++ b/src/aks-platform/00_network.tf
@@ -30,3 +30,16 @@ data "azurerm_public_ip" "pip_aks_outboud" {
 name = var.public_ip_aksoutbound_name
 resource_group_name = data.azurerm_resource_group.vnet_aks_rg.name
 }
+
+
+
+
+data "azurerm_subnet" "private_endpoint_subnet" {
+ name = "${local.product}-private-endpoints-snet"
+ resource_group_name = data.azurerm_resource_group.vnet_core_rg.name
+ virtual_network_name = data.azurerm_virtual_network.vnet_core.name
+}
+
+data "azurerm_private_dns_zone" "storage_account_private_dns_zone" {
+ name = "privatelink.blob.core.windows.net"
+}
diff --git a/src/aks-platform/02_aks.tf b/src/aks-platform/02_aks.tf
index b3a652b5..224c4f80 100644
--- a/src/aks-platform/02_aks.tf
+++ b/src/aks-platform/02_aks.tf
@@ -4,6 +4,15 @@ resource "azurerm_resource_group" "rg_aks" {
 tags = var.tags
 }
+
+resource "azurerm_resource_group" "rg_aks_backup" {
+ name = local.aks_backup_rg_name
+ location = var.location
+ tags = var.tags
+}
+
+
+
 module "aks" {
 source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster?ref=v7.2.0"
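Review bot: The new `data "azurerm_private_dns_zone" "storage_account_private_dns_zone"` block in 00_network.tf gives only `name` and no `resource_group_name`, so the lookup is subscription-wide; as far as I recall the azurerm data source fails when more than one zone of that name exists, and the diffstat shows `src/core/02_dns_private.tf` gaining 16 lines and `src/coreplus/99_variables.tf` adding a `privatelink.blob.core.windows.net` local, so a second zone with this name in the same subscription seems plausible. Pin the lookup with `resource_group_name = "<resource group that owns the zone>"` next to `name`, the way `private_endpoint_subnet` just above already fixes its resource group and VNet. A one-line comment on the subnet lookup noting that `${local.product}-private-endpoints-snet` must already exist in the core VNet (nothing in this hunk creates it) would also help the next reader.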
@@ -87,6 +96,9 @@ module "aks" {
 webhook_properties = null
 }
 ]
+
+
+
 tags = var.tags
 depends_on = [
@@ -96,6 +108,42 @@ module "aks" {
 ]
 }
+module "velero" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster_velero?ref=8171afb"
+ count = var.aks_enabled ? 1 : 0
+ backup_storage_container_name = "velero-backup"
+ subscription_id = data.azurerm_subscription.current.subscription_id
+ tenant_id = data.azurerm_subscription.current.tenant_id
+ resource_group_name = azurerm_resource_group.rg_aks_backup.name
+ prefix = "devopla"
+ aks_cluster_name = module.aks[count.index].name
+ aks_cluster_rg = azurerm_resource_group.rg_aks.name
+ location = var.location
+ use_storage_private_endpoint = true
+ private_endpoint_subnet_id = data.azurerm_subnet.private_endpoint_subnet.id
+ storage_account_private_dns_zone_id = data.azurerm_private_dns_zone.storage_account_private_dns_zone.id
+
+ tags = var.tags
+}
+
+module "aks_namespace_backup" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_velero_backup?ref=f38e1ca"
+ count = var.aks_enabled ? 1 : 0
+ # required
+ backup_name = "daily-backup"
+ namespaces = ["ALL"]
+ aks_cluster_name = module.aks[count.index].name
+
+ # optional
+ ttl = "72h0m0s"
+ schedule = "0 3 * * *" #refers to UTC timezone
+ volume_snapshot = false
+
+ depends_on = [
+ module.velero
+ ]
+}
+
 resource "azurerm_role_assignment" "managed_identity_operator_vs_aks_managed_identity" {
 scope = azurerm_resource_group.rg_aks.id
 role_definition_name = "Managed Identity Operator"
diff --git a/src/aks-platform/02_velero.tf b/src/aks-platform/02_velero.tf
deleted file mode 100644
index ce9ee5dc..00000000
--- a/src/aks-platform/02_velero.tf
+++ /dev/null
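Review bot: In `module "velero"` the line `prefix = "devopla"` hard-codes an environment name, whereas the rest of this stack derives names from variables (the removed 02_velero.tf built its storage account name from `var.prefix`), so any other environment applying this code would get backup resources named for a different one; `prefix = var.prefix` keeps naming consistent with the deleted code. Both new module sources are pinned to abbreviated commits (`ref=8171afb`, `ref=f38e1ca`) rather than a release tag like the `ref=v7.2.0` used by `module "aks"` in the first hunk; a short SHA is neither collision-proof nor easy to audit, so a tagged version or the full 40-character commit hash would be a more reliable pin for code that is handed cluster backup permissions. Separately, `azurerm_resource_group.rg_aks_backup` in the first hunk is created unconditionally while the only consumer, `module "velero"`, is gated on `var.aks_enabled`, which leaves an empty resource group behind when the cluster is disabled.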
@@ -1,108 +0,0 @@
-resource "azurerm_resource_group" "velero_rg" {
- location = var.location
- name = local.velero_rg_name
-}
-
-
-module "velero_storage_account" {
-
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account?ref=v7.2.0"
-
- name = "${var.prefix}velerosa"
-
- account_kind = "BlobStorage"
- account_tier = "Standard"
- account_replication_type = "LRS"
- blob_versioning_enabled = true
- resource_group_name = azurerm_resource_group.velero_rg.name
- location = var.location
- allow_nested_items_to_be_public = true
- advanced_threat_protection = true
- enable_low_availability_alert = false
- public_network_access_enabled = true
- tags = var.tags
-
-
-}
-
-resource "azurerm_storage_container" "velero_backup_container" {
- name = "velero-backup"
- storage_account_name = module.velero_storage_account.name
- container_access_type = "private"
-
-}
-
-
-data "azuread_client_config" "current" {}
-
-resource "azuread_application" "sp_applicaiton" {
- display_name = "velero-sp"
- owners = [data.azuread_client_config.current.object_id]
-}
-
-resource "azuread_service_principal" "sp" {
- application_id = azuread_application.sp_applicaiton.application_id
- owners = [data.azuread_client_config.current.object_id]
-}
-
-
-resource "azuread_service_principal_password" "sp_password" {
- service_principal_id = azuread_service_principal.sp.object_id
-}
-
-
-resource "azurerm_role_assignment" "sp_role" {
- scope = "/subscriptions/${data.azurerm_subscription.current.subscription_id}"
- role_definition_name = "Contributor"
- principal_id = azuread_service_principal.sp.object_id
-}
-
-
-resource "local_file" "credentials" {
- content = templatefile("./velero-credentials.tpl", {
- subscription_id = data.azurerm_subscription.current.subscription_id
- tenant_id = data.azurerm_subscription.current.tenant_id
- client_id = azuread_service_principal.sp.id
- client_secret = azuread_service_principal_password.sp_password.value
- backup_rg = azurerm_resource_group.velero_rg.name
- })
- filename = "${path.module}/credentials-velero.txt"
-}
-
-
-resource "null_resource" "install_velero" {
- depends_on = [local_file.credentials]
-
- triggers = {
- bucket = azurerm_storage_container.velero_backup_container.name
- storage_account = module.velero_storage_account.id
- rg = azurerm_resource_group.velero_rg.name
- subscription_id = data.azurerm_subscription.current.subscription_id
- credentials = filemd5(local_file.credentials.filename)
- }
-
- provisioner "local-exec" {
- when = destroy
- command = < n }
+ name = module.vnet_aks[each.key].name
+ resource_group_name = data.azurerm_resource_group.rg_vnet.name
+ private_dns_zone_name = data.azurerm_private_dns_zone.storage.name
+ virtual_network_id = module.vnet_aks[each.key].id
+}
diff --git a/src/coreplus/99_variables.tf b/src/coreplus/99_variables.tf
index 43c50150..e2a27869 100644
--- a/src/coreplus/99_variables.tf
+++ b/src/coreplus/99_variables.tf
@@ -33,6 +33,7 @@ locals {
 cosmosdb_enable = 1
 dns_zone_private_name = "internal.${var.prod_dns_zone_prefix}.${var.external_domain}"
+ dns_zone_private_name_storage = "privatelink.blob.core.windows.net"
 dns_zone_private_name_postgres = "privatelink.postgres.database.azure.com"
 #