From 3d2e7f855ed16b5981b02b6d5e90110095513061 Mon Sep 17 00:00:00 2001
From: Andrea Grillo <andrea.grillo@pagopa.it>
Date: Mon, 30 Sep 2024 10:24:50 +0200
Subject: [PATCH] [CES-21] Refactoring resource groups in Core configuration
 (#1179)

---
 src/core/README.md                            |  6 +-
 src/core/_modules/container_registry/acr.tf   |  2 +-
 .../container_registry/resource_groups.tf     |  6 --
 .../_modules/container_registry/variables.tf  |  5 +
 src/core/_modules/key_vaults/kv.tf            |  4 +-
 .../_modules/key_vaults/resource_groups.tf    |  6 --
 src/core/_modules/key_vaults/variables.tf     |  5 +
 src/core/data.tf                              | 23 ++---
 src/core/default.tf                           |  7 --
 src/core/keyvault.tf                          |  2 +-
 src/core/monitor.tf                           |  4 +-
 src/core/prod/README.md                       | 15 ++-
 src/core/prod/import.tf                       | 27 ++++++
 src/core/prod/italynorth.tf                   | 13 +--
 src/core/prod/outputs.tf                      | 22 ++++-
 src/core/prod/resource_groups.tf              | 97 +++++++++++++++++++
 src/core/prod/westeurope.tf                   | 42 ++++----
 src/core/removed.tf                           | 34 +++++++
 src/core/resource_groups.tf                   | 20 ----
 19 files changed, 238 insertions(+), 102 deletions(-)
 delete mode 100644 src/core/_modules/container_registry/resource_groups.tf
 delete mode 100644 src/core/_modules/key_vaults/resource_groups.tf
 delete mode 100644 src/core/default.tf
 create mode 100644 src/core/prod/import.tf
 create mode 100644 src/core/prod/resource_groups.tf
 create mode 100644 src/core/removed.tf
 delete mode 100644 src/core/resource_groups.tf

diff --git a/src/core/README.md b/src/core/README.md
index bdebfb914..e25487b09 100644
--- a/src/core/README.md
+++ b/src/core/README.md
@@ -56,11 +56,6 @@
 | [azurerm_key_vault_secret.appinsights_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.appinsights_instrumentation_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_monitor_metric_alert.cosmos_api_throttling_alert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
-| [azurerm_resource_group.data](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
-| [azurerm_resource_group.default_roleassignment_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
-| [azurerm_resource_group.rg_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
-| [azurerm_resource_group.rg_external](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
-| [azurerm_resource_group.rg_internal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_api_management.apim](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source |
 | [azurerm_api_management.trial_system](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source |
 | [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source |
@@ -112,6 +107,7 @@
 | [azurerm_private_dns_zone.privatelink_table_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
 | [azurerm_resource_group.lollipop_function_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.notifications_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_resource_group.rg_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_storage_account.locked_profiles_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
 | [azurerm_storage_account.logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
diff --git a/src/core/_modules/container_registry/acr.tf b/src/core/_modules/container_registry/acr.tf
index c862ad6c6..1bdd49248 100644
--- a/src/core/_modules/container_registry/acr.tf
+++ b/src/core/_modules/container_registry/acr.tf
@@ -1,6 +1,6 @@
 resource "azurerm_container_registry" "this" {
   name                          = local.nonstandard[var.location_short].acr
-  resource_group_name           = azurerm_resource_group.container_registry.name
+  resource_group_name           = var.resource_group_name
   location                      = var.location
   sku                           = "Premium"
   admin_enabled                 = false
diff --git a/src/core/_modules/container_registry/resource_groups.tf b/src/core/_modules/container_registry/resource_groups.tf
deleted file mode 100644
index c47c107db..000000000
--- a/src/core/_modules/container_registry/resource_groups.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-resource "azurerm_resource_group" "container_registry" {
-  name     = local.nonstandard[var.location_short].rg
-  location = var.location
-
-  tags = var.tags
-}
diff --git a/src/core/_modules/container_registry/variables.tf b/src/core/_modules/container_registry/variables.tf
index d9ff209f3..4e80840a0 100644
--- a/src/core/_modules/container_registry/variables.tf
+++ b/src/core/_modules/container_registry/variables.tf
@@ -17,3 +17,8 @@ variable "tags" {
   type        = map(any)
   description = "Resource tags"
 }
+
+variable "resource_group_name" {
+  type        = string
+  description = "Resource group where create resources"
+}
diff --git a/src/core/_modules/key_vaults/kv.tf b/src/core/_modules/key_vaults/kv.tf
index 11d8c32de..1a6c8ca76 100644
--- a/src/core/_modules/key_vaults/kv.tf
+++ b/src/core/_modules/key_vaults/kv.tf
@@ -1,7 +1,7 @@
 resource "azurerm_key_vault" "kv" {
   name                = local.nonstandard[var.location_short].kv
-  location            = azurerm_resource_group.sec.location
-  resource_group_name = azurerm_resource_group.sec.name
+  location            = var.location
+  resource_group_name = var.resource_group_name
   tenant_id           = var.tenant_id
   sku_name            = "standard"
 
diff --git a/src/core/_modules/key_vaults/resource_groups.tf b/src/core/_modules/key_vaults/resource_groups.tf
deleted file mode 100644
index 626775f3a..000000000
--- a/src/core/_modules/key_vaults/resource_groups.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-resource "azurerm_resource_group" "sec" {
-  name     = local.nonstandard[var.location_short].rg
-  location = var.location
-
-  tags = var.tags
-}
diff --git a/src/core/_modules/key_vaults/variables.tf b/src/core/_modules/key_vaults/variables.tf
index f9b2ee4c3..567df9c6c 100644
--- a/src/core/_modules/key_vaults/variables.tf
+++ b/src/core/_modules/key_vaults/variables.tf
@@ -13,6 +13,11 @@ variable "location_short" {
   description = "Azure region short name"
 }
 
+variable "resource_group_name" {
+  type        = string
+  description = "Resource group where create resources"
+}
+
 variable "tags" {
   type        = map(any)
   description = "Resource tags"
diff --git a/src/core/data.tf b/src/core/data.tf
index db2b876e4..ce161769e 100644
--- a/src/core/data.tf
+++ b/src/core/data.tf
@@ -1,10 +1,3 @@
-resource "azurerm_resource_group" "data" {
-  name     = format("%s-data-rg", local.project)
-  location = var.location
-
-  tags = var.tags
-}
-
 data "azurerm_cosmosdb_account" "cosmos_api" {
   name                = format("%s-cosmos-api", local.project)
   resource_group_name = format("%s-rg-internal", local.project)
@@ -15,12 +8,16 @@ data "azurerm_cosmosdb_account" "cosmos_remote_content" {
   resource_group_name = "io-p-messages-data-rg"
 }
 
+data "azurerm_resource_group" "rg_common" {
+  name = "io-p-rg-common"
+}
+
 #
 # APIM
 #
 data "azurerm_subnet" "apim" {
   name                 = "apimv2api"
-  resource_group_name  = azurerm_resource_group.rg_common.name
+  resource_group_name  = data.azurerm_resource_group.rg_common.name
   virtual_network_name = data.azurerm_virtual_network.common.name
 }
 
@@ -271,7 +268,7 @@ data "azurerm_linux_function_app" "citizen_func_02" {
 
 data "azurerm_subnet" "function_let_snet" {
   name                 = "fn3eltout"
-  resource_group_name  = azurerm_resource_group.rg_common.name
+  resource_group_name  = data.azurerm_resource_group.rg_common.name
   virtual_network_name = data.azurerm_virtual_network.common.name
 }
 
@@ -281,14 +278,14 @@ data "azurerm_subnet" "function_let_snet" {
 
 data "azurerm_subnet" "admin_snet" {
   name                 = format("%s-admin-snet", local.project)
-  resource_group_name  = azurerm_resource_group.rg_common.name
+  resource_group_name  = data.azurerm_resource_group.rg_common.name
   virtual_network_name = data.azurerm_virtual_network.common.name
 }
 
 data "azurerm_subnet" "services_snet" {
   count                = var.function_services_count
   name                 = format("%s-services-snet-%d", local.project, count.index + 1)
-  resource_group_name  = azurerm_resource_group.rg_common.name
+  resource_group_name  = data.azurerm_resource_group.rg_common.name
   virtual_network_name = data.azurerm_virtual_network.common.name
 }
 
@@ -427,7 +424,7 @@ data "azurerm_dns_a_record" "api_io_italia_it" {
 
 data "azurerm_subnet" "appgateway_snet" {
   name                 = "${local.project}-appgateway-snet"
-  resource_group_name  = azurerm_resource_group.rg_common.name
+  resource_group_name  = data.azurerm_resource_group.rg_common.name
   virtual_network_name = data.azurerm_virtual_network.common.name
 }
 
@@ -437,6 +434,6 @@ data "azurerm_subnet" "appgateway_snet" {
 
 data "azurerm_subnet" "azdoa_snet" {
   name                 = "azure-devops"
-  resource_group_name  = azurerm_resource_group.rg_common.name
+  resource_group_name  = data.azurerm_resource_group.rg_common.name
   virtual_network_name = data.azurerm_virtual_network.common.name
 }
diff --git a/src/core/default.tf b/src/core/default.tf
deleted file mode 100644
index 0be289f80..000000000
--- a/src/core/default.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-resource "azurerm_resource_group" "default_roleassignment_rg" {
-  #Important: do not create any resource inside this resource group
-  name     = "default-roleassignment-rg"
-  location = var.location
-
-  tags = var.tags
-}
diff --git a/src/core/keyvault.tf b/src/core/keyvault.tf
index 57f6d24bd..ec2343620 100644
--- a/src/core/keyvault.tf
+++ b/src/core/keyvault.tf
@@ -5,7 +5,7 @@ data "azurerm_key_vault" "key_vault" {
 
 data "azurerm_key_vault" "key_vault_common" {
   name                = format("%s-kv-common", local.project)
-  resource_group_name = azurerm_resource_group.rg_common.name
+  resource_group_name = data.azurerm_resource_group.rg_common.name
 }
 
 data "azurerm_resource_group" "sec_rg" {
diff --git a/src/core/monitor.tf b/src/core/monitor.tf
index acd62ba69..fb2f9ecf5 100644
--- a/src/core/monitor.tf
+++ b/src/core/monitor.tf
@@ -1,9 +1,9 @@
 data "azurerm_application_insights" "application_insights" {
   name                = format("%s-ai-common", local.project)
-  resource_group_name = azurerm_resource_group.rg_common.name
+  resource_group_name = data.azurerm_resource_group.rg_common.name
 }
 
 data "azurerm_monitor_action_group" "error_action_group" {
   name                = "${var.prefix}${var.env_short}error"
-  resource_group_name = azurerm_resource_group.rg_common.name
+  resource_group_name = data.azurerm_resource_group.rg_common.name
 }
diff --git a/src/core/prod/README.md b/src/core/prod/README.md
index 689d87a1a..ef81a6112 100644
--- a/src/core/prod/README.md
+++ b/src/core/prod/README.md
@@ -23,12 +23,21 @@
 
 | Name | Type |
 |------|------|
-| [azurerm_resource_group.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.acr_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.assets_cdn_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.common_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.common_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.dashboards_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.external_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.github_managed_identity_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.internal_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.linux_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.role_assignment_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.sec_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_service_principal.platform_iac_sp](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
-| [azurerm_resource_group.common_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 | [azurerm_user_assigned_identity.managed_identity_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
 | [azurerm_user_assigned_identity.managed_identity_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
@@ -43,7 +52,7 @@ No inputs.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_azure_devops_agent"></a> [azure\_devops\_agent](#output\_azure\_devops\_agent) | n/a |
 | <a name="output_key_vault"></a> [key\_vault](#output\_key\_vault) | n/a |
 | <a name="output_networking"></a> [networking](#output\_networking) | n/a |
+| <a name="output_resource_groups"></a> [resource\_groups](#output\_resource\_groups) | n/a |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/src/core/prod/import.tf b/src/core/prod/import.tf
new file mode 100644
index 000000000..8d9d7d4dc
--- /dev/null
+++ b/src/core/prod/import.tf
@@ -0,0 +1,27 @@
+import {
+  to = azurerm_resource_group.internal_weu
+  id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-internal"
+}
+
+import {
+  to = azurerm_resource_group.external_weu
+  id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-external"
+}
+
+import {
+  to = azurerm_resource_group.common_weu
+  id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common"
+}
+
+
+import {
+  to = azurerm_resource_group.sec_weu
+  id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-sec-rg"
+}
+
+removed {
+  from = module.key_vault_weu.azurerm_resource_group.sec
+  lifecycle {
+    destroy = false
+  }
+}
diff --git a/src/core/prod/italynorth.tf b/src/core/prod/italynorth.tf
index 0d7db4d19..de74f8113 100644
--- a/src/core/prod/italynorth.tf
+++ b/src/core/prod/italynorth.tf
@@ -1,16 +1,9 @@
-resource "azurerm_resource_group" "vnet" {
-  name     = "${local.project_itn}-common-rg-01"
-  location = "italynorth"
-
-  tags = local.tags
-}
-
 module "networking_itn" {
   source = "../_modules/networking"
 
-  location            = azurerm_resource_group.vnet.location
-  location_short      = local.location_short[azurerm_resource_group.vnet.location]
-  resource_group_name = azurerm_resource_group.vnet.name
+  location            = azurerm_resource_group.common_itn.location
+  location_short      = local.location_short[azurerm_resource_group.common_itn.location]
+  resource_group_name = azurerm_resource_group.common_itn.name
   project             = local.project_itn
 
   vnet_cidr_block = "10.20.0.0/16"
diff --git a/src/core/prod/outputs.tf b/src/core/prod/outputs.tf
index 9a9c35584..d8e868f9e 100644
--- a/src/core/prod/outputs.tf
+++ b/src/core/prod/outputs.tf
@@ -12,9 +12,23 @@ output "key_vault" {
   }
 }
 
-output "azure_devops_agent" {
+output "resource_groups" {
   value = {
-    weu = module.azdoa_weu
-    itn = null
+    italynorth = {
+      location_short = "itn"
+      common         = azurerm_resource_group.common_itn.name
+      dashboards     = azurerm_resource_group.dashboards_itn.name
+      github_id      = azurerm_resource_group.github_managed_identity_itn.name
+    }
+    westeurope = {
+      location_short = "weu"
+      common         = azurerm_resource_group.common_weu.name
+      internal       = azurerm_resource_group.internal_weu.name
+      external       = azurerm_resource_group.external_weu.name
+      sec            = azurerm_resource_group.sec_weu.name
+      acr            = azurerm_resource_group.acr_weu.name
+      assets_cdn     = azurerm_resource_group.assets_cdn_weu.name
+      linux          = azurerm_resource_group.linux_weu.name
+    }
   }
-}
\ No newline at end of file
+}
diff --git a/src/core/prod/resource_groups.tf b/src/core/prod/resource_groups.tf
new file mode 100644
index 000000000..85d72435d
--- /dev/null
+++ b/src/core/prod/resource_groups.tf
@@ -0,0 +1,97 @@
+resource "azurerm_resource_group" "common_itn" {
+  name     = "${local.project_itn}-common-rg-01"
+  location = "italynorth"
+
+  tags = local.tags
+}
+
+moved {
+  from = azurerm_resource_group.vnet
+  to   = azurerm_resource_group.common_itn
+}
+
+resource "azurerm_resource_group" "dashboards_itn" {
+  name     = "${local.project_itn}-common-dashboards-rg-01"
+  location = "italynorth"
+
+  tags = local.tags
+}
+
+# Important: do not create any resource inside this resource group
+resource "azurerm_resource_group" "role_assignment_itn" {
+  name     = "default-roleassignment-rg"
+  location = "italynorth"
+
+  tags = local.tags
+}
+
+resource "azurerm_resource_group" "github_managed_identity_itn" {
+  name     = "${local.project_itn}-github-id-rg-01"
+  location = "italynorth"
+
+  tags = local.tags
+}
+
+resource "azurerm_resource_group" "internal_weu" {
+  name     = format("%s-rg-internal", local.project_weu_legacy)
+  location = "westeurope"
+
+  tags = local.tags
+}
+
+resource "azurerm_resource_group" "external_weu" {
+  name     = format("%s-rg-external", local.project_weu_legacy)
+  location = "westeurope"
+
+  tags = local.tags
+}
+
+resource "azurerm_resource_group" "common_weu" {
+  name     = format("%s-rg-common", local.project_weu_legacy)
+  location = "westeurope"
+
+  tags = local.tags
+}
+
+resource "azurerm_resource_group" "sec_weu" {
+  name     = format("%s-sec-rg", local.project_weu_legacy)
+  location = "westeurope"
+
+  tags = local.tags
+}
+
+resource "azurerm_resource_group" "acr_weu" {
+  name     = format("%s-container-registry-rg", local.project_weu_legacy)
+  location = "westeurope"
+
+  tags = local.tags
+}
+
+moved {
+  from = module.container_registry.azurerm_resource_group.container_registry
+  to   = azurerm_resource_group.acr_weu
+}
+
+resource "azurerm_resource_group" "assets_cdn_weu" {
+  name     = format("%s-assets-cdn-rg", local.project_weu_legacy)
+  location = "westeurope"
+
+  tags = local.tags
+}
+
+import {
+  id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-assets-cdn-rg"
+  to = azurerm_resource_group.assets_cdn_weu
+}
+
+resource "azurerm_resource_group" "linux_weu" {
+  name     = "${local.project_weu_legacy}-rg-linux"
+  location = "westeurope"
+
+  tags = local.tags
+}
+
+import {
+  id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-linux"
+  to = azurerm_resource_group.linux_weu
+}
diff --git a/src/core/prod/westeurope.tf b/src/core/prod/westeurope.tf
index ead5d6fea..5b29f97db 100644
--- a/src/core/prod/westeurope.tf
+++ b/src/core/prod/westeurope.tf
@@ -1,13 +1,9 @@
-data "azurerm_resource_group" "common_weu" {
-  name = format("%s-rg-common", local.project_weu_legacy)
-}
-
 module "networking_weu" {
   source = "../_modules/networking"
 
-  location            = data.azurerm_resource_group.common_weu.location
-  location_short      = local.location_short[data.azurerm_resource_group.common_weu.location]
-  resource_group_name = data.azurerm_resource_group.common_weu.name
+  location            = azurerm_resource_group.common_weu.location
+  location_short      = local.location_short[azurerm_resource_group.common_weu.location]
+  resource_group_name = azurerm_resource_group.common_weu.name
   project             = local.project_weu_legacy
 
   vnet_cidr_block = "10.0.0.0/16"
@@ -66,20 +62,22 @@ module "vnet_peering_weu" {
 module "container_registry" {
   source = "../_modules/container_registry"
 
-  location       = data.azurerm_resource_group.common_weu.location
-  location_short = local.location_short[data.azurerm_resource_group.common_weu.location]
-  project        = local.project_weu_legacy
+  location            = azurerm_resource_group.common_weu.location
+  location_short      = local.location_short[azurerm_resource_group.common_weu.location]
+  project             = local.project_weu_legacy
+  resource_group_name = azurerm_resource_group.acr_weu.name
 
-  tags = merge(local.tags, { Source = "https://github.com/pagopa/io-infra" })
+  tags = local.tags
 }
 
 module "key_vault_weu" {
   source = "../_modules/key_vaults"
 
-  location              = data.azurerm_resource_group.common_weu.location
-  location_short        = local.location_short[data.azurerm_resource_group.common_weu.location]
+  location              = azurerm_resource_group.common_weu.location
+  location_short        = local.location_short[azurerm_resource_group.common_weu.location]
   project               = local.project_weu_legacy
-  resource_group_common = data.azurerm_resource_group.common_weu.name
+  resource_group_name   = azurerm_resource_group.sec_weu.name
+  resource_group_common = azurerm_resource_group.common_weu.name
   tenant_id             = data.azurerm_client_config.current.tenant_id
 
   azure_ad_group_admin_object_id            = data.azuread_group.adgroup_admin.object_id
@@ -94,9 +92,9 @@ module "key_vault_weu" {
 module "vpn_weu" {
   source = "../_modules/vpn"
 
-  location            = data.azurerm_resource_group.common_weu.location
-  location_short      = local.location_short[data.azurerm_resource_group.common_weu.location]
-  resource_group_name = data.azurerm_resource_group.common_weu.name
+  location            = azurerm_resource_group.common_weu.location
+  location_short      = local.location_short[azurerm_resource_group.common_weu.location]
+  resource_group_name = azurerm_resource_group.common_weu.name
   project             = local.project_weu_legacy
   prefix              = local.prefix
   env_short           = local.env_short
@@ -112,13 +110,13 @@ module "vpn_weu" {
 module "azdoa_weu" {
   source = "../_modules/azure_devops_agent"
 
-  location            = data.azurerm_resource_group.common_weu.location
-  location_short      = local.location_short[data.azurerm_resource_group.common_weu.location]
-  resource_group_name = data.azurerm_resource_group.common_weu.name
+  location            = azurerm_resource_group.common_weu.location
+  location_short      = local.location_short[azurerm_resource_group.common_weu.location]
+  resource_group_name = azurerm_resource_group.common_weu.name
   project             = local.project_weu_legacy
 
   vnet_common     = module.networking_weu.vnet_common
-  resource_groups = local.resource_groups[local.location_short[data.azurerm_resource_group.common_weu.location]]
+  resource_groups = local.resource_groups[local.location_short[azurerm_resource_group.common_weu.location]]
   datasources = {
     azurerm_client_config = data.azurerm_client_config.current
   }
@@ -126,4 +124,4 @@ module "azdoa_weu" {
   cidr_subnet = ["10.0.250.0/24"]
 
   tags = local.tags
-}
\ No newline at end of file
+}
diff --git a/src/core/removed.tf b/src/core/removed.tf
new file mode 100644
index 000000000..e8d9ee380
--- /dev/null
+++ b/src/core/removed.tf
@@ -0,0 +1,34 @@
+removed {
+  from = azurerm_resource_group.rg_internal
+  lifecycle {
+    destroy = false
+  }
+}
+
+removed {
+  from = azurerm_resource_group.rg_external
+  lifecycle {
+    destroy = false
+  }
+}
+
+removed {
+  from = azurerm_resource_group.rg_common
+  lifecycle {
+    destroy = false
+  }
+}
+
+removed {
+  from = azurerm_resource_group.default_roleassignment_rg
+  lifecycle {
+    destroy = false
+  }
+}
+
+removed {
+  from = azurerm_resource_group.data
+  lifecycle {
+    destroy = false
+  }
+}
diff --git a/src/core/resource_groups.tf b/src/core/resource_groups.tf
deleted file mode 100644
index 33e3613b4..000000000
--- a/src/core/resource_groups.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-resource "azurerm_resource_group" "rg_internal" {
-  name     = format("%s-rg-internal", local.project)
-  location = var.location
-
-  tags = var.tags
-}
-
-resource "azurerm_resource_group" "rg_external" {
-  name     = format("%s-rg-external", local.project)
-  location = var.location
-
-  tags = var.tags
-}
-
-resource "azurerm_resource_group" "rg_common" {
-  name     = format("%s-rg-common", local.project)
-  location = var.location
-
-  tags = var.tags
-}