[CES-68] Added configuration for APIM migration to itn (#1274)

src/domains/cgn/_modules/apim/data.tf

@@ -1,6 +1,6 @@
 data "azurerm_api_management" "apim" {
-  name                = "${var.project}-apim-v2-api"
-  resource_group_name = "${var.project}-rg-internal"
+  name                = var.apim.name
+  resource_group_name = var.apim.resource_group_name
 }
 
 data "azurerm_key_vault" "key_vault_common" {

src/domains/cgn/_modules/apim/named_values_cgn.tf

@@ -13,4 +13,4 @@ resource "azurerm_api_management_named_value" "io_fn_cgnmerchant_key_v2" {
   display_name        = "io-fn-cgnmerchant-key"
   value               = data.azurerm_key_vault_secret.io_fn_cgnmerchant_key_secret_v2.value
   secret              = "true"
-}
+}

src/domains/cgn/_modules/apim/named_values_cgn_os.tf

@@ -22,4 +22,4 @@ resource "azurerm_api_management_named_value" "cgnonboardingportal_os_header_nam
   display_name        = "cgnonboardingportal-os-header-name"
   value               = data.azurerm_key_vault_secret.cgnonboardingportal_os_header_name.value
   secret              = true
-}
+}

src/domains/cgn/_modules/apim/role_assignments.tf

@@ -5,13 +5,15 @@ resource "azurerm_role_assignment" "service_contributor_v2" {
 }
 
 resource "azurerm_role_assignment" "service_reader" {
+  count                = strcontains(var.apim.name, "itn") ? 1 : 0
   scope                = data.azurerm_api_management.apim.id
   role_definition_name = "Reader"
   principal_id         = data.azurerm_key_vault_secret.cgn_onboarding_backend_identity_v2.value
 }
 
 resource "azurerm_role_assignment" "service_reader_v2" {
+  count                = strcontains(var.apim.name, "itn") ? 1 : 0
   scope                = data.azurerm_api_management.apim.id
   role_definition_name = "API Management Service Reader Role"
   principal_id         = data.azurerm_key_vault_secret.cgn_onboarding_backend_identity_v2.value
-}
+}

src/domains/cgn/_modules/apim/variables.tf

@@ -17,3 +17,11 @@ variable "function_cgn_merchant_hostname" {
   type        = string
   description = "CGN Function App hostname to set in API groups"
 }
+
+variable "apim" {
+  type = object({
+    name                = string
+    resource_group_name = string
+  })
+  description = "API Management"
+}

src/domains/cgn/prod/README.md

@@ -15,6 +15,7 @@ No providers.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_apim"></a> [apim](#module\_apim) | ../_modules/apim | n/a |
+| <a name="module_apim_itn"></a> [apim\_itn](#module\_apim\_itn) | ../_modules/apim | n/a |
 | <a name="module_cosmos"></a> [cosmos](#module\_cosmos) | ../_modules/cosmos | n/a |
 | <a name="module_functions"></a> [functions](#module\_functions) | ../_modules/functions_apps | n/a |
 | <a name="module_networking"></a> [networking](#module\_networking) | ../_modules/networking | n/a |

src/domains/cgn/prod/apim.tf

@@ -4,6 +4,24 @@ module "apim" {
   project                        = local.project
   env_short                      = local.env_short
   function_cgn_merchant_hostname = module.functions.function_app_cgn_merchant.hostname
+  apim = {
+    name                = local.apim_v2_name
+    resource_group_name = local.apim_resource_group_name
+  }
+
+  tags = local.tags
+}
+
+module "apim_itn" {
+  source = "../_modules/apim"
+
+  project                        = local.project
+  env_short                      = local.env_short
+  function_cgn_merchant_hostname = module.functions.function_app_cgn_merchant.hostname
+  apim = {
+    name                = local.apim_itn_name
+    resource_group_name = local.apim_itn_resource_group_name
+  }
 
   tags = local.tags
 }

src/domains/cgn/prod/locals.tf

@@ -6,6 +6,13 @@ locals {
   location           = "westeurope"
   secondary_location = "italynorth"
 
+  # WEU
+  apim_v2_name             = "${local.project}-apim-v2-api"
+  apim_resource_group_name = "${local.project}-rg-internal"
+  # ITN
+  apim_itn_name                = "${local.project}-itn-apim-01"
+  apim_itn_resource_group_name = "${local.project}-itn-common-rg-01"
+
   tags = {
     CostCenter     = "TS310 - PAGAMENTI & SERVIZI"
     CreatedBy      = "Terraform"

src/domains/citizen-auth-common/03_apim_itn.tf

@@ -0,0 +1,263 @@
+####################################################################################
+# Lollipop APIM Product
+####################################################################################
+resource "azurerm_api_management_group" "api_lollipop_assertion_read_itn" {
+  name                = "apilollipopassertionread"
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  display_name        = "ApiLollipopAssertionRead"
+  description         = "A group that enables LC to retrieve user's assertion on a Lollipop flow"
+}
+
+module "apim_itn_product_lollipop" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v8.44.1"
+
+  product_id   = "io-lollipop-api"
+  display_name = "IO LOLLIPOP API"
+  description  = "Product for IO Lollipop"
+
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+
+  published             = true
+  subscription_required = true
+  approval_required     = false
+
+  policy_xml = file("./api_product/io_lollipop/_base_policy.xml")
+}
+
+module "apim_itn_lollipop_api_v1" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v8.44.1"
+
+  name                  = format("%s-lollipop-api", local.product)
+  api_management_name   = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name   = data.azurerm_api_management.apim_itn_api.resource_group_name
+  product_ids           = [module.apim_itn_product_lollipop.product_id]
+  subscription_required = true
+  service_url           = null
+
+  description  = "IO LolliPOP API"
+  display_name = "IO LolliPOP API"
+  path         = "lollipop/api/v1"
+  protocols    = ["https"]
+
+  content_format = "openapi"
+
+  content_value = file("./api/io_lollipop/v1/_openapi.yaml")
+
+  xml_content = file("./api/io_lollipop/v1/policy.xml")
+}
+
+# Named Value fn-lollipop
+resource "azurerm_api_management_named_value" "io_fn_itn_lollipop_url_itn" {
+  name                = "io-fn-itn-lollipop-url"
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  display_name        = "io-fn-itn-lollipop-url"
+  value               = "https://${data.azurerm_linux_function_app.lollipop_function.default_hostname}"
+}
+
+resource "azurerm_api_management_named_value" "io_fn_itn_lollipop_key_itn" {
+  name                = "io-fn-itn-lollipop-key"
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  display_name        = "io-fn-itn-lollipop-key"
+  value               = data.azurerm_key_vault_secret.io_fn_itn_lollipop_key_secret_v2.value
+  secret              = "true"
+}
+
+####################################################################################
+# PagoPA General Lollipop User
+####################################################################################
+resource "azurerm_api_management_user" "pagopa_user_itn" {
+  user_id             = "iolollipoppagopauser"
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  first_name          = "PagoPA"
+  last_name           = "PagoPA"
+  email               = "[email protected]"
+  state               = "active"
+}
+
+resource "azurerm_api_management_group_user" "pagopa_group_itn" {
+  user_id             = azurerm_api_management_user.pagopa_user_itn.user_id
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  group_name          = azurerm_api_management_group.api_lollipop_assertion_read_itn.name
+}
+
+resource "azurerm_api_management_subscription" "pagopa_itn" {
+  user_id             = azurerm_api_management_user.pagopa_user_itn.id
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  product_id          = module.apim_itn_product_lollipop.id
+  display_name        = "Lollipop API"
+  state               = "active"
+  allow_tracing       = false
+}
+
+resource "azurerm_api_management_subscription" "pagopa_fastlogin_itn" {
+  user_id             = azurerm_api_management_user.pagopa_user_itn.id
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  product_id          = module.apim_itn_product_lollipop.id
+  display_name        = "Fast Login LC"
+  state               = "active"
+  allow_tracing       = false
+}
+
+####################################################################################
+# PagoPA General Lollipop Secret
+####################################################################################
+
+resource "azurerm_key_vault_secret" "first_lollipop_consumer_subscription_key_itn" {
+  name         = "first-lollipop-consumer-pagopa-subscription-key-itn"
+  value        = azurerm_api_management_subscription.pagopa_itn.primary_key
+  key_vault_id = module.key_vault.id
+}
+
+###################################################################################
+# PagoPA Functions-fast-login Secrets
+###################################################################################
+
+# subscription key used for assertion retrieval
+resource "azurerm_key_vault_secret" "fast_login_subscription_key_itn" {
+  name         = "fast-login-subscription-key-itn"
+  value        = azurerm_api_management_subscription.pagopa_fastlogin_itn.primary_key
+  key_vault_id = module.key_vault.id
+}
+
+###################################################################################
+# Fast-Login Operation's API
+###################################################################################
+resource "azurerm_api_management_group" "api_fast_login_operation_itn" {
+  name                = "apifastloginoperationwrite"
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  display_name        = "ApiFastLoginOperationWrite"
+  description         = "A group that enables PagoPa Operation to operate over session lock/unlock"
+}
+
+module "apim_itn_product_fast_login_operation" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v8.44.1"
+
+  product_id   = "io-fast-login-operation-api"
+  display_name = "IO FAST-LOGIN OPERATION API"
+  description  = "Product for IO Fast Login Operation"
+
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+
+  published             = true
+  subscription_required = true
+  approval_required     = false
+
+  policy_xml = file("./api_product/fast_login_operation/_base_policy.xml")
+}
+
+module "apim_itn_fast_login_operation_api_v1" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v8.44.1"
+
+  name                  = format("%s-fast-login-operation-api", local.product)
+  api_management_name   = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name   = data.azurerm_api_management.apim_itn_api.resource_group_name
+  product_ids           = [module.apim_itn_product_fast_login_operation.product_id]
+  subscription_required = true
+  service_url           = format(local.fast_login_backend_url, data.azurerm_linux_function_app.functions_fast_login.default_hostname)
+
+  description  = "IO FAST-LOGIN OPERATION API"
+  display_name = "IO Fast-Login Operation API"
+  path         = "fast-login/api/v1"
+  protocols    = ["https"]
+
+  content_format = "openapi"
+
+  content_value = file("./api/fast_login/v1/_openapi.yaml")
+
+  xml_content = file("./api/fast_login/v1/policy.xml")
+}
+
+resource "azurerm_api_management_api_operation_policy" "lock_user_session_for_operation_itn" {
+  api_name            = format("%s-fast-login-operation-api", local.product)
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  operation_id        = "lockUserSession"
+
+  xml_content = file("./api/fast_login/v1/post_lockusersession_policy/policy.xml")
+}
+
+resource "azurerm_api_management_user" "fast_login_operation_user_itn" {
+  user_id             = "fastloginoperationuser"
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  first_name          = "PagoPA Operation"
+  last_name           = "PagoPA Operation"
+  email               = "[email protected]"
+  state               = "active"
+}
+
+resource "azurerm_api_management_group_user" "pagopa_operation_group_itn" {
+  user_id             = azurerm_api_management_user.fast_login_operation_user_itn.user_id
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  group_name          = azurerm_api_management_group.api_fast_login_operation_itn.name
+}
+
+resource "azurerm_api_management_subscription" "pagopa_operation_itn" {
+  user_id             = azurerm_api_management_user.fast_login_operation_user_itn.id
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  product_id          = module.apim_itn_product_fast_login_operation.id
+  display_name        = "Fast Login Operation API"
+  state               = "active"
+  allow_tracing       = false
+}
+
+# Named Value fn-fast-login
+resource "azurerm_api_management_named_value" "io_fn_itn_fast_login_operation_key_itn" {
+  name                = "io-fn-itn-fast-login-operation-key"
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  display_name        = "io-fn-itn-fast-login-operation-key"
+  value               = data.azurerm_key_vault_secret.functions_fast_login_api_key.value
+  secret              = "true"
+}
+
+resource "azurerm_api_management_named_value" "api_fast_login_operation_group_name_itn" {
+  name                = "api-fast-login-operation-group-name"
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  display_name        = "api-fast-login-operation-group-name"
+  value               = azurerm_api_management_group.api_fast_login_operation_itn.display_name
+  secret              = "false"
+}
+
+####################################################################################
+# PagoPA General PN APIM User
+####################################################################################
+resource "azurerm_api_management_user" "pn_user_itn" {
+  user_id             = "pnapimuser"
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  first_name          = "PNAPIMuser"
+  last_name           = "PNAPIMuser"
+  email               = "[email protected]"
+  state               = "active"
+}
+
+resource "azurerm_api_management_group_user" "pn_group_itn" {
+  user_id             = azurerm_api_management_user.pn_user_itn.user_id
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  group_name          = azurerm_api_management_group.api_lollipop_assertion_read_itn.name
+}
+
+resource "azurerm_api_management_subscription" "pn_lc_subscription_itn" {
+  user_id             = azurerm_api_management_user.pn_user_itn.id
+  api_management_name = data.azurerm_api_management.apim_itn_api.name
+  resource_group_name = data.azurerm_api_management.apim_itn_api.resource_group_name
+  product_id          = module.apim_itn_product_lollipop.id
+  display_name        = "PN LC"
+  state               = "active"
+  allow_tracing       = false
+}