Merge branch 'main' into IOPLT-662

src/common/_modules/apim/data.tf

@@ -0,0 +1,26 @@
+data "azurerm_key_vault_secret" "apim_publisher_email" {
+  name         = "apim-publisher-email"
+  key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_certificate" "api_internal_io_italia_it" {
+  name         = replace(local.apim_hostname_api_internal, ".", "-")
+  key_vault_id = var.key_vault_common.id
+}
+
+data "azurerm_key_vault_certificate" "api_app_internal_io_pagopa_it" {
+  name         = replace(local.apim_hostname_api_app_internal, ".", "-")
+  key_vault_id = var.key_vault.id
+}
+
+data "azurerm_api_management_group" "api_v2_lollipop_assertion_read" {
+  name                = "apilollipopassertionread"
+  api_management_name = module.apim_v2.name
+  resource_group_name = module.apim_v2.resource_group_name
+}
+
+data "azurerm_api_management_product" "apim_v2_product_lollipop" {
+  product_id          = "io-lollipop-api"
+  api_management_name = module.apim_v2.name
+  resource_group_name = module.apim_v2.resource_group_name
+}

src/common/_modules/apim/locals.tf

@@ -0,0 +1,13 @@
+locals {
+  nonstandard = {
+    weu = {
+      snet_name = "apimv2api"
+      nsg_name  = "${var.project}-apim-v2-nsg"
+      pip_name  = "${var.project}-apim-v2-public-ip"
+      apim_name = "${var.project}-apim-v2-api"
+    }
+  }
+
+  apim_hostname_api_internal     = "api-internal.io.italia.it"
+  apim_hostname_api_app_internal = "api-app.internal.io.pagopa.it"
+}

src/common/_modules/apim/main.tf

@@ -0,0 +1,153 @@
+module "apim_v2" {
+  source = "github.com/pagopa/terraform-azurerm-v3//api_management?ref=v8.27.0"
+
+  subnet_id                 = azurerm_subnet.apim.id
+  location                  = var.location
+  name                      = try(local.nonstandard[var.location_short].apim_name, "${var.project}-apim-01")
+  resource_group_name       = var.resource_group_internal
+  publisher_name            = "IO"
+  publisher_email           = data.azurerm_key_vault_secret.apim_publisher_email.value
+  notification_sender_email = data.azurerm_key_vault_secret.apim_publisher_email.value
+  sku_name                  = "Premium_2"
+  virtual_network_type      = "Internal"
+  zones                     = ["1", "2"]
+
+  redis_cache_id       = null
+  public_ip_address_id = azurerm_public_ip.apim.id
+
+  hostname_configuration = {
+    proxy = [
+      {
+        # io-p-apim-api.azure-api.net
+        default_ssl_binding = false
+        host_name           = "io-p-apim-v2-api.azure-api.net"
+        key_vault_id        = null
+      },
+      {
+        # api-internal.io.italia.it
+        default_ssl_binding = true
+        host_name           = local.apim_hostname_api_internal
+        key_vault_id = replace(
+          data.azurerm_key_vault_certificate.api_internal_io_italia_it.secret_id,
+          "/${data.azurerm_key_vault_certificate.api_internal_io_italia_it.version}",
+          ""
+        )
+      },
+      {
+        # api-app.internal.io.pagopa.it
+        default_ssl_binding = false
+        host_name           = local.apim_hostname_api_app_internal
+        key_vault_id = replace(
+          data.azurerm_key_vault_certificate.api_app_internal_io_pagopa_it.secret_id,
+          "/${data.azurerm_key_vault_certificate.api_app_internal_io_pagopa_it.version}",
+          ""
+        )
+      },
+    ]
+    developer_portal = null
+    management       = null
+    portal           = null
+  }
+
+  management_logger_applicaiton_insight_enabled = true
+  application_insights = {
+    enabled             = true
+    instrumentation_key = var.ai_instrumentation_key
+  }
+
+  autoscale = {
+    enabled                       = true
+    default_instances             = 3
+    minimum_instances             = 2
+    maximum_instances             = 6
+    scale_out_capacity_percentage = 50
+    scale_out_time_window         = "PT3M"
+    scale_out_value               = "1"
+    scale_out_cooldown            = "PT5M"
+    scale_in_capacity_percentage  = 20
+    scale_in_time_window          = "PT5M"
+    scale_in_value                = "1"
+    scale_in_cooldown             = "PT5M"
+  }
+
+  action = [
+    {
+      action_group_id    = var.action_group_id
+      webhook_properties = null
+    }
+  ]
+
+  # https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported#microsoftapimanagementservice
+  metric_alerts = {
+    capacity = {
+      description   = "Apim used capacity is too high. Runbook: https://pagopa.atlassian.net/wiki/spaces/IC/pages/791642113/APIM+Capacity"
+      frequency     = "PT5M"
+      window_size   = "PT5M"
+      severity      = 1
+      auto_mitigate = true
+
+      criteria = [{
+        metric_namespace       = "Microsoft.ApiManagement/service"
+        metric_name            = "Capacity"
+        aggregation            = "Average"
+        operator               = "GreaterThan"
+        threshold              = 60
+        skip_metric_validation = false
+        dimension              = []
+      }]
+      dynamic_criteria = []
+    }
+
+    duration = {
+      description   = "Apim abnormal response time"
+      frequency     = "PT5M"
+      window_size   = "PT5M"
+      severity      = 2
+      auto_mitigate = true
+
+      criteria = []
+
+      dynamic_criteria = [{
+        metric_namespace         = "Microsoft.ApiManagement/service"
+        metric_name              = "Duration"
+        aggregation              = "Average"
+        operator                 = "GreaterThan"
+        alert_sensitivity        = "High"
+        evaluation_total_count   = 2
+        evaluation_failure_count = 2
+        skip_metric_validation   = false
+        ignore_data_before       = "2021-01-01T00:00:00Z" # sample data
+        dimension                = []
+      }]
+    }
+
+    requests_failed = {
+      description   = "Apim abnormal failed requests"
+      frequency     = "PT5M"
+      window_size   = "PT5M"
+      severity      = 2
+      auto_mitigate = true
+
+      criteria = []
+
+      dynamic_criteria = [{
+        metric_namespace         = "Microsoft.ApiManagement/service"
+        metric_name              = "Requests"
+        aggregation              = "Total"
+        operator                 = "GreaterThan"
+        alert_sensitivity        = "High"
+        evaluation_total_count   = 2
+        evaluation_failure_count = 2
+        skip_metric_validation   = false
+        ignore_data_before       = "2021-01-01T00:00:00Z" # sample data
+        dimension = [{
+          name     = "BackendResponseCode"
+          operator = "Include"
+          values   = ["5xx"]
+        }]
+      }]
+    }
+  }
+
+  tags = var.tags
+}

src/common/_modules/apim/networking.tf

@@ -0,0 +1,49 @@
+resource "azurerm_subnet" "apim" {
+  name                 = try(local.nonstandard[var.location_short].snet_name, "${var.project}-apim-snet-01")
+  resource_group_name  = var.vnet_common.resource_group_name
+  virtual_network_name = var.vnet_common.name
+  address_prefixes     = [var.cidr_subnet]
+
+  private_endpoint_network_policies = "Enabled"
+
+  service_endpoints = [
+    "Microsoft.Web",
+  ]
+}
+
+resource "azurerm_network_security_group" "apim" {
+  name                = try(local.nonstandard[var.location_short].nsg_name, "${var.project}-apim-nsg-01")
+  resource_group_name = var.resource_group_common
+  location            = var.location
+
+  security_rule {
+    name                       = "managementapim"
+    priority                   = 100
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "3443"
+    source_address_prefix      = "ApiManagement"
+    destination_address_prefix = "VirtualNetwork"
+  }
+
+  tags = var.tags
+}
+
+resource "azurerm_subnet_network_security_group_association" "apim" {
+  subnet_id                 = azurerm_subnet.apim.id
+  network_security_group_id = azurerm_network_security_group.apim.id
+}
+
+resource "azurerm_public_ip" "apim" {
+  name                = try(local.nonstandard[var.location_short].pip_name, "${var.project}-apim-pip-01")
+  resource_group_name = var.resource_group_common
+  location            = var.location
+  allocation_method   = "Static"
+  sku                 = "Standard"
+  domain_name_label   = "apimio"
+  zones               = ["1", "2", "3"]
+
+  tags = var.tags
+}

src/common/_modules/apim/rbac.tf

@@ -0,0 +1,21 @@
+resource "azurerm_key_vault_access_policy" "apim_v2_kv_policy" {
+  key_vault_id = var.key_vault.id
+  tenant_id    = var.datasources.azurerm_client_config.tenant_id
+  object_id    = module.apim_v2.principal_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List"]
+  certificate_permissions = ["Get", "List"]
+  storage_permissions     = []
+}
+
+resource "azurerm_key_vault_access_policy" "v2_common" {
+  key_vault_id = var.key_vault_common.id
+  tenant_id    = var.datasources.azurerm_client_config.tenant_id
+  object_id    = module.apim_v2.principal_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List"]
+  certificate_permissions = ["Get", "List"]
+  storage_permissions     = []
+}

src/common/_modules/apim/subscriptions.tf

@@ -0,0 +1,10 @@
+
+resource "azurerm_api_management_subscription" "pn_lc_subscription_v2" {
+  user_id             = azurerm_api_management_user.pn_user_v2.id
+  api_management_name = module.apim_v2.name
+  resource_group_name = module.apim_v2.resource_group_name
+  product_id          = data.azurerm_api_management_product.apim_v2_product_lollipop.id
+  display_name        = "PN LC"
+  state               = "active"
+  allow_tracing       = false
+}

src/common/_modules/apim/users.tf

@@ -0,0 +1,17 @@
+
+resource "azurerm_api_management_user" "pn_user_v2" {
+  user_id             = "pnapimuser"
+  api_management_name = module.apim_v2.name
+  resource_group_name = module.apim_v2.resource_group_name
+  first_name          = "PNAPIMuser"
+  last_name           = "PNAPIMuser"
+  email               = "[email protected]"
+  state               = "active"
+}
+
+resource "azurerm_api_management_group_user" "pn_user_group_v2" {
+  user_id             = azurerm_api_management_user.pn_user_v2.user_id
+  api_management_name = module.apim_v2.name
+  resource_group_name = module.apim_v2.resource_group_name
+  group_name          = data.azurerm_api_management_group.api_v2_lollipop_assertion_read.name
+}

src/common/_modules/apim/variables.tf

@@ -0,0 +1,86 @@
+variable "resource_group_common" {
+  type        = string
+  description = "Name of common resource group"
+}
+
+variable "resource_group_internal" {
+  type        = string
+  description = "Name of internal resource group"
+}
+
+variable "project" {
+  type        = string
+  description = "IO prefix, short environment and short location"
+}
+
+variable "prefix" {
+  type    = string
+  default = "io"
+  validation {
+    condition = (
+      length(var.prefix) < 6
+    )
+    error_message = "Max length is 6 chars."
+  }
+}
+
+variable "location" {
+  type        = string
+  description = "Azure region"
+}
+
+variable "location_short" {
+  type        = string
+  description = "Azure region short name"
+}
+
+variable "tags" {
+  type        = map(any)
+  description = "Resource tags"
+}
+
+variable "vnet_common" {
+  type = object({
+    id                  = string
+    name                = string
+    address_space       = list(string)
+    resource_group_name = string
+  })
+  description = "Information of the common VNet"
+}
+
+variable "cidr_subnet" {
+  type        = string
+  description = "APIM subnet CIDR block"
+}
+
+variable "action_group_id" {
+  type = string
+}
+
+variable "ai_instrumentation_key" {
+  type = string
+}
+
+variable "key_vault" {
+  type = object({
+    id                  = string
+    name                = string
+    resource_group_name = string
+  })
+  description = "Information of the Key Vault"
+}
+
+variable "key_vault_common" {
+  type = object({
+    id                  = string
+    name                = string
+    resource_group_name = string
+  })
+  description = "Information of the Key Vault Common"
+}
+
+variable "datasources" {
+  type        = map(any)
+  description = "Common datasources"
+}