[#IOPID-1765] session manager app service (#960)

pagopa · Apr 23, 2024 · 2137fef · 2137fef
1 parent f013101
commit 2137fef
Show file tree

Hide file tree

Showing 10 changed files with 346 additions and 23 deletions.
diff --git a/src/domains/citizen-auth-app/01_network.tf b/src/domains/citizen-auth-app/01_network.tf
@@ -93,3 +93,35 @@ data "azurerm_subnet" "appgateway_snet" {
   virtual_network_name = local.vnet_common_name
   resource_group_name  = local.vnet_common_resource_group_name
 }
+
+## session_manager subnet
+data "azurerm_resource_group" "italy_north_common_rg" {
+  name = format("%s-itn-common-rg-001", local.product)
+}
+
+data "azurerm_virtual_network" "common_vnet_italy_north" {
+  name                = format("%s-itn-common-vnet-001", local.product)
+  resource_group_name = data.azurerm_resource_group.italy_north_common_rg.name
+}
+
+module "session_manager_snet" {
+  source               = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.4.0"
+  name                 = format("%s-session-manager-snet", local.common_session_manager_project)
+  address_prefixes     = var.cidr_subnet_session_manager
+  resource_group_name  = data.azurerm_resource_group.italy_north_common_rg.name
+  virtual_network_name = data.azurerm_virtual_network.common_vnet_italy_north.name
+
+  private_endpoint_network_policies_enabled = true
+
+  service_endpoints = [
+    "Microsoft.Web",
+  ]
+
+  delegation = {
+    name = "default"
+    service_delegation = {
+      name    = "Microsoft.Web/serverFarms"
+      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+    }
+  }
+}
diff --git a/src/domains/citizen-auth-app/04_function_lollipop.tf b/src/domains/citizen-auth-app/04_function_lollipop.tf
@@ -127,6 +127,7 @@ module "function_lollipop" {
     data.azurerm_subnet.apim_v2_snet.id,
     data.azurerm_subnet.app_backend_l1_snet.id,
     data.azurerm_subnet.app_backend_l2_snet.id,
+    module.session_manager_snet.id,
   ]
 
   # Action groups for alerts

diff --git a/src/domains/citizen-auth-app/04_redis.tf b/src/domains/citizen-auth-app/04_redis.tf
@@ -1,6 +1,16 @@
-
-# Redis Common
+# Citizen-auth domain Redis Common
 data "azurerm_redis_cache" "redis_common" {
   name                = format("%s-%s-%s-redis-std-v6", local.product, var.location_short, var.domain)
   resource_group_name = data.azurerm_resource_group.data_rg.name
 }
+
+### IO-core domain Redis Common
+data "azurerm_resource_group" "core_domain_common_rg" {
+  name = format("%s-rg-common", local.product)
+}
+
+data "azurerm_redis_cache" "core_domain_redis_common" {
+  name                = format("%s-redis-common", local.product)
+  resource_group_name = data.azurerm_resource_group.core_domain_common_rg.name
+}
+###
diff --git a/src/domains/citizen-auth-app/07_function_fast_login.tf b/src/domains/citizen-auth-app/07_function_fast_login.tf
@@ -141,6 +141,7 @@ module "function_fast_login" {
     data.azurerm_subnet.app_backend_l1_snet.id,
     data.azurerm_subnet.app_backend_l2_snet.id,
     data.azurerm_subnet.ioweb_profile_snet.id,
+    module.session_manager_snet.id,
   ]
 
   # Action groups for alerts

diff --git a/src/domains/citizen-auth-app/08_session_manager.tf b/src/domains/citizen-auth-app/08_session_manager.tf
@@ -0,0 +1,214 @@
+resource "azurerm_resource_group" "session_manager_rg" {
+  name     = format("%s-session-manager-rg", local.common_session_manager_project)
+  location = var.session_manager_location
+
+  tags = var.tags
+}
+
+#################################
+## Session Manager App service ##
+#################################
+locals {
+  app_settings_common = {
+    WEBSITES_ENABLE_APP_SERVICE_STORAGE = false
+    WEBSITES_PORT                       = 8080
+
+    WEBSITE_NODE_DEFAULT_VERSION = "20.12.2"
+    WEBSITE_RUN_FROM_PACKAGE     = "1"
+    WEBSITE_VNET_ROUTE_ALL       = "1"
+
+    // ENVIRONMENT
+    NODE_ENV = "production"
+
+    FETCH_KEEPALIVE_ENABLED = "true"
+    // see https://github.com/MicrosoftDocs/azure-docs/issues/29600#issuecomment-607990556
+    // and https://docs.microsoft.com/it-it/azure/app-service/app-service-web-nodejs-best-practices-and-troubleshoot-guide#scenarios-and-recommendationstroubleshooting
+    // FETCH_KEEPALIVE_SOCKET_ACTIVE_TTL should not exceed 120000 (app service socket timeout)
+    FETCH_KEEPALIVE_SOCKET_ACTIVE_TTL = "110000"
+    // (FETCH_KEEPALIVE_MAX_SOCKETS * number_of_node_processes) should not exceed 160 (max sockets per VM)
+    FETCH_KEEPALIVE_MAX_SOCKETS         = "128"
+    FETCH_KEEPALIVE_MAX_FREE_SOCKETS    = "10"
+    FETCH_KEEPALIVE_FREE_SOCKET_TIMEOUT = "30000"
+    FETCH_KEEPALIVE_TIMEOUT             = "60000"
+
+    # REDIS AUTHENTICATION
+    REDIS_URL      = data.azurerm_redis_cache.core_domain_redis_common.hostname
+    REDIS_PORT     = data.azurerm_redis_cache.core_domain_redis_common.ssl_port
+    REDIS_PASSWORD = data.azurerm_redis_cache.core_domain_redis_common.primary_access_key
+  }
+}
+
+module "session_manager" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service?ref=v8.4.0"
+
+  # App service plan
+  plan_type = "internal"
+  plan_name = format("%s-plan-session-manager", local.common_session_manager_project)
+  sku_name  = var.session_manager_plan_sku_name
+
+  # App service
+  name                = format("%s-session-manager", local.common_session_manager_project)
+  resource_group_name = azurerm_resource_group.session_manager_rg.name
+  location            = azurerm_resource_group.session_manager_rg.location
+
+  always_on                    = true
+  node_version                 = "20-lts"
+  app_command_line             = "npm run start"
+  health_check_path            = "/healthcheck"
+  health_check_maxpingfailures = 3
+
+  app_settings = local.app_settings_common
+
+  allowed_subnets = [
+    data.azurerm_subnet.apim_v2_snet.id,
+    data.azurerm_subnet.appgateway_snet.id
+    // TODO: add proxy subnet
+  ]
+  allowed_ips = []
+
+  subnet_id        = module.session_manager_snet.id
+  vnet_integration = true
+
+  tags = var.tags
+}
+
+## staging slot
+module "session_manager_staging" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service_slot?ref=v8.4.0"
+
+  app_service_id   = module.session_manager.id
+  app_service_name = module.session_manager.name
+
+  name                = format("%s-session-manager-staging", local.common_session_manager_project)
+  resource_group_name = azurerm_resource_group.session_manager_rg.name
+  location            = azurerm_resource_group.session_manager_rg.location
+
+  always_on         = true
+  node_version      = "20-lts"
+  app_command_line  = "npm run start"
+  health_check_path = "/healthcheck"
+
+  app_settings = local.app_settings_common
+
+  allowed_subnets = [
+    data.azurerm_subnet.apim_v2_snet.id,
+    data.azurerm_subnet.appgateway_snet.id
+    // TODO: add proxy subnet
+  ]
+  allowed_ips = []
+
+  subnet_id        = module.session_manager_snet.id
+  vnet_integration = true
+
+  tags = var.tags
+}
+
+## autoscaling
+resource "azurerm_monitor_autoscale_setting" "session_manager_autoscale_setting" {
+  name                = format("%s-autoscale", module.session_manager.name)
+  resource_group_name = azurerm_resource_group.session_manager_rg.name
+  location            = azurerm_resource_group.session_manager_rg.location
+  target_resource_id  = module.session_manager.plan_id
+
+  profile {
+    name = "default"
+
+    capacity {
+      default = var.session_manager_autoscale_settings.autoscale_default
+      minimum = var.session_manager_autoscale_settings.autoscale_minimum
+      maximum = var.session_manager_autoscale_settings.autoscale_maximum
+    }
+
+    # Increase rules
+
+    rule {
+      metric_trigger {
+        metric_name              = "Requests"
+        metric_resource_id       = module.session_manager.id
+        metric_namespace         = "microsoft.web/sites"
+        time_grain               = "PT1M"
+        statistic                = "Average"
+        time_window              = "PT1M"
+        time_aggregation         = "Average"
+        operator                 = "GreaterThan"
+        threshold                = 4000
+        divide_by_instance_count = false
+      }
+
+      scale_action {
+        direction = "Increase"
+        type      = "ChangeCount"
+        value     = "2"
+        cooldown  = "PT1M"
+      }
+    }
+
+    rule {
+      metric_trigger {
+        metric_name              = "CpuPercentage"
+        metric_resource_id       = module.session_manager.plan_id
+        metric_namespace         = "microsoft.web/serverfarms"
+        time_grain               = "PT1M"
+        statistic                = "Average"
+        time_window              = "PT1M"
+        time_aggregation         = "Average"
+        operator                 = "GreaterThan"
+        threshold                = 40
+        divide_by_instance_count = false
+      }
+
+      scale_action {
+        direction = "Increase"
+        type      = "ChangeCount"
+        value     = "2"
+        cooldown  = "PT1M"
+      }
+    }
+
+    # Decrease rules
+
+    rule {
+      metric_trigger {
+        metric_name              = "Requests"
+        metric_resource_id       = module.session_manager.id
+        metric_namespace         = "microsoft.web/sites"
+        time_grain               = "PT1M"
+        statistic                = "Average"
+        time_window              = "PT15M"
+        time_aggregation         = "Average"
+        operator                 = "LessThan"
+        threshold                = 1500
+        divide_by_instance_count = false
+      }
+
+      scale_action {
+        direction = "Decrease"
+        type      = "ChangeCount"
+        value     = "1"
+        cooldown  = "PT30M"
+      }
+    }
+
+    rule {
+      metric_trigger {
+        metric_name              = "CpuPercentage"
+        metric_resource_id       = module.session_manager.plan_id
+        metric_namespace         = "microsoft.web/serverfarms"
+        time_grain               = "PT1M"
+        statistic                = "Average"
+        time_window              = "PT15M"
+        time_aggregation         = "Average"
+        operator                 = "LessThan"
+        threshold                = 15
+        divide_by_instance_count = false
+      }
+
+      scale_action {
+        direction = "Decrease"
+        type      = "ChangeCount"
+        value     = "1"
+        cooldown  = "PT30M"
+      }
+    }
+  }
+}
diff --git a/src/domains/citizen-auth-app/99_locals.tf b/src/domains/citizen-auth-app/99_locals.tf
@@ -3,6 +3,8 @@ locals {
   product        = "${var.prefix}-${var.env_short}"
   common_project = "${var.prefix}-${var.env_short}-${var.location_short}"
 
+  common_session_manager_project = "${var.prefix}-${var.env_short}-${var.session_manager_location_short}"
+
   monitor_action_group_slack_name = "SlackPagoPA"
   monitor_action_group_email_name = "EmailPagoPA"
 

diff --git a/src/domains/citizen-auth-app/99_variables.tf b/src/domains/citizen-auth-app/99_variables.tf
@@ -55,6 +55,16 @@ variable "location_string" {
   description = "One of West Europe, North Europe"
 }
 
+variable "session_manager_location" {
+  type        = string
+  description = "Due to capacity issues, session_manager will be created on northitaly"
+}
+
+variable "session_manager_location_short" {
+  type    = string
+  default = "itn"
+}
+
 variable "instance" {
   type        = string
   description = "One of beta, prod01, prod02"
@@ -217,3 +227,25 @@ variable "function_fastlogin_autoscale_default" {
   default     = 1
 }
 
+####################
+# Session manager ##
+####################
+variable "cidr_subnet_session_manager" {
+  type        = list(string)
+  description = "Session manager app service address space."
+}
+
+variable "session_manager_plan_sku_name" {
+  description = "App service plan sku name"
+  type        = string
+  default     = "P1v3"
+}
+
+variable "session_manager_autoscale_settings" {
+  type = object({
+    autoscale_minimum = number
+    autoscale_maximum = number
+    autoscale_default = number
+  })
+}
+####################