[EC-357] Move KeyVault resources to modules (#1106)

.github/workflows/core_code_review.yaml

@@ -2,7 +2,7 @@ name: PR - Core TF Validation
 
 # This pipeline starts automatically when a PR is opened.
 #
-# It is responsible for managing changes related solely to the NEW infrastructure. 
+# It is responsible for managing changes related solely to the NEW infrastructure.
 # Therefore, it checks whether the changes have occurred only in the directories listed in "paths."
 #
 ## NOTE: 'NEW infrastructure' refers to the new Terraform infrastructure located in the src/core/prod folder, which no longer requires the terraform.sh script to be applied.

src/core/README.md

@@ -56,8 +56,6 @@
 | <a name="module_dns_forwarder_snet"></a> [dns\_forwarder\_snet](#module\_dns\_forwarder\_snet) | github.com/pagopa/terraform-azurerm-v3//subnet | v8.27.0 |
 | <a name="module_event_hub"></a> [event\_hub](#module\_event\_hub) | github.com/pagopa/terraform-azurerm-v3//eventhub | v8.27.0 |
 | <a name="module_eventhub_snet"></a> [eventhub\_snet](#module\_eventhub\_snet) | github.com/pagopa/terraform-azurerm-v3//subnet | v8.27.0 |
-| <a name="module_key_vault"></a> [key\_vault](#module\_key\_vault) | github.com/pagopa/terraform-azurerm-v3//key_vault | v8.27.0 |
-| <a name="module_key_vault_common"></a> [key\_vault\_common](#module\_key\_vault\_common) | github.com/pagopa/terraform-azurerm-v3//key_vault | v8.27.0 |
 | <a name="module_locked_profiles_storage"></a> [locked\_profiles\_storage](#module\_locked\_profiles\_storage) | github.com/pagopa/terraform-azurerm-v3//storage_account | v8.27.0 |
 | <a name="module_redis_common_backup_zrs"></a> [redis\_common\_backup\_zrs](#module\_redis\_common\_backup\_zrs) | github.com/pagopa/terraform-azurerm-v3//storage_account | v8.27.0 |
 | <a name="module_redis_common_snet"></a> [redis\_common\_snet](#module\_redis\_common\_snet) | github.com/pagopa/terraform-azurerm-v3//subnet | v8.27.0 |
@@ -158,7 +156,6 @@
 | [azurerm_resource_group.rg_external](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.rg_internal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.rg_linux](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
-| [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_storage_container.storage_api_cached](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
 | [azurerm_storage_container.storage_api_message_content](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
 | [azurerm_storage_queue.storage_account_apievents_events_queue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_queue) | resource |
@@ -202,6 +199,8 @@
 | [azurerm_eventhub_authorization_rule.io-p-messages-weu-prod01-evh-ns_messages_io-fn-messages-cqrs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/eventhub_authorization_rule) | data source |
 | [azurerm_eventhub_authorization_rule.io-p-payments-weu-prod01-evh-ns_payment-updates_io-fn-messages-cqrs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/eventhub_authorization_rule) | data source |
 | [azurerm_key_vault.ioweb_kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
+| [azurerm_key_vault.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
+| [azurerm_key_vault.key_vault_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
 | [azurerm_key_vault_certificate.api_app_internal_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
 | [azurerm_key_vault_certificate.api_internal_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
 | [azurerm_key_vault_certificate.app_gw_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source |
@@ -296,6 +295,7 @@
 | [azurerm_redis_cache.redis_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/redis_cache) | data source |
 | [azurerm_resource_group.lollipop_function_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.notifications_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_storage_account.logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
 | [azurerm_storage_account.lollipop_assertions_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
 | [azurerm_storage_account.notifications](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |

src/core/_modules/key_vaults/kv.tf

@@ -0,0 +1,18 @@
+resource "azurerm_key_vault" "kv" {
+  name                = local.nonstandard[var.location_short].kv
+  location            = azurerm_resource_group.sec.location
+  resource_group_name = azurerm_resource_group.sec.name
+  tenant_id           = var.tenant_id
+  sku_name            = "standard"
+
+  enabled_for_disk_encryption = true
+  purge_protection_enabled    = true
+  soft_delete_retention_days  = 15
+
+  network_acls {
+    bypass         = "AzureServices"
+    default_action = "Allow" #tfsec:ignore:AZU020
+  }
+
+  tags = var.tags
+}

src/core/_modules/key_vaults/kv_common.tf

@@ -0,0 +1,18 @@
+resource "azurerm_key_vault" "common" {
+  name                = local.nonstandard[var.location_short].kv_common
+  location            = var.location
+  resource_group_name = var.resource_group_common
+  tenant_id           = var.tenant_id
+  sku_name            = "standard"
+
+  enabled_for_disk_encryption = true
+  purge_protection_enabled    = true
+  soft_delete_retention_days  = 90
+
+  network_acls {
+    bypass         = "AzureServices"
+    default_action = "Allow" #tfsec:ignore:AZU020
+  }
+
+  tags = var.tags
+}

src/core/_modules/key_vaults/locals.tf

@@ -0,0 +1,9 @@
+locals {
+  nonstandard = {
+    weu = {
+      rg        = "${var.project}-sec-rg"
+      kv        = "${var.project}-kv"
+      kv_common = "${var.project}-kv-common"
+    }
+  }
+}

src/core/_modules/key_vaults/outputs.tf

@@ -0,0 +1,15 @@
+output "kv" {
+  value = {
+    id                  = azurerm_key_vault.common.id
+    name                = azurerm_key_vault.common.name
+    resource_group_name = azurerm_key_vault.common.resource_group_name
+  }
+}
+
+output "kv_common" {
+  value = {
+    id                  = azurerm_key_vault.kv.id
+    name                = azurerm_key_vault.kv.name
+    resource_group_name = azurerm_key_vault.kv.resource_group_name
+  }
+}

src/core/_modules/key_vaults/resource_groups.tf

@@ -0,0 +1,6 @@
+resource "azurerm_resource_group" "sec" {
+  name     = local.nonstandard[var.location_short].rg
+  location = var.location
+
+  tags = var.tags
+}

src/core/_modules/key_vaults/variables.tf

@@ -0,0 +1,29 @@
+variable "project" {
+  type        = string
+  description = "IO prefix, short environment and short location"
+}
+
+variable "location" {
+  type        = string
+  description = "Azure region"
+}
+
+variable "location_short" {
+  type        = string
+  description = "Azure region short name"
+}
+
+variable "tags" {
+  type        = map(any)
+  description = "Resource tags"
+}
+
+variable "resource_group_common" {
+  type        = string
+  description = "Name of common resource group"
+  default     = null
+}
+
+variable "tenant_id" {
+  type = string
+}

src/core/apim_v2.tf

@@ -1,16 +1,16 @@
 data "azurerm_key_vault_secret" "apim_publisher_email" {
   name         = "apim-publisher-email"
-  key_vault_id = module.key_vault.id
+  key_vault_id = data.azurerm_key_vault.key_vault.id
 }
 
 data "azurerm_key_vault_certificate" "api_internal_io_italia_it" {
   name         = replace(local.apim_hostname_api_internal, ".", "-")
-  key_vault_id = module.key_vault_common.id
+  key_vault_id = data.azurerm_key_vault.key_vault_common.id
 }
 
 data "azurerm_key_vault_certificate" "api_app_internal_io_pagopa_it" {
   name         = replace(local.apim_hostname_api_app_internal, ".", "-")
-  key_vault_id = module.key_vault.id
+  key_vault_id = data.azurerm_key_vault.key_vault.id
 }
 
 # APIM subnet
@@ -222,7 +222,7 @@ module "apim_v2" {
 
 # ## api management key vault policy ##
 resource "azurerm_key_vault_access_policy" "apim_v2_kv_policy" {
-  key_vault_id = module.key_vault.id
+  key_vault_id = data.azurerm_key_vault.key_vault.id
   tenant_id    = data.azurerm_client_config.current.tenant_id
   object_id    = module.apim_v2.principal_id
 
@@ -233,7 +233,7 @@ resource "azurerm_key_vault_access_policy" "apim_v2_kv_policy" {
 }
 
 resource "azurerm_key_vault_access_policy" "v2_common" {
-  key_vault_id = module.key_vault_common.id
+  key_vault_id = data.azurerm_key_vault.key_vault_common.id
   tenant_id    = data.azurerm_client_config.current.tenant_id
   object_id    = module.apim_v2.principal_id
 

src/core/apim_v2_io_admin_api.tf

@@ -24,7 +24,7 @@ resource "azurerm_api_management_named_value" "io_fn3_admin_url_v2" {
 
 data "azurerm_key_vault_secret" "io_fn3_admin_key_secret_v2" {
   name         = "fn3admin-KEY-APIM"
-  key_vault_id = module.key_vault_common.id
+  key_vault_id = data.azurerm_key_vault.key_vault_common.id
 }
 
 resource "azurerm_api_management_named_value" "io_fn3_admin_key_v2" {

src/core/apim_v2_io_public_api.tf

@@ -24,7 +24,7 @@ resource "azurerm_api_management_named_value" "io_fn3_public_url_v2" {
 
 data "azurerm_key_vault_secret" "io_fn3_public_key_secret_v2" {
   name         = "fn3public-KEY-APIM"
-  key_vault_id = module.key_vault_common.id
+  key_vault_id = data.azurerm_key_vault.key_vault_common.id
 }
 
 resource "azurerm_api_management_named_value" "io_fn3_public_key_v2" {

src/core/apim_v2_io_services_api.tf

@@ -42,7 +42,7 @@ resource "azurerm_api_management_named_value" "io_fn3_services_url_v2" {
 
 data "azurerm_key_vault_secret" "io_fn3_services_key_secret_v2" {
   name         = "fn3services-KEY-APIM"
-  key_vault_id = module.key_vault_common.id
+  key_vault_id = data.azurerm_key_vault.key_vault_common.id
 }
 
 resource "azurerm_api_management_named_value" "io_fn3_services_key_v2" {
@@ -58,7 +58,7 @@ resource "azurerm_api_management_named_value" "io_fn3_services_key_v2" {
 
 data "azurerm_key_vault_secret" "io_fn3_eucovidcert_key_secret_v2" {
   name         = "io-fn3-eucovidcert-KEY-APIM"
-  key_vault_id = module.key_vault_common.id
+  key_vault_id = data.azurerm_key_vault.key_vault_common.id
 }
 
 resource "azurerm_api_management_named_value" "io_fn3_eucovidcert_key_v2" {
@@ -82,7 +82,7 @@ resource "azurerm_api_management_named_value" "io_fn3_eucovidcert_url_alt_v2" {
 # Named Value api gad certificate header
 data "azurerm_key_vault_secret" "api_gad_client_certificate_verified_header_secret_v2" {
   name         = "apigad-GAD-CLIENT-CERTIFICATE-VERIFIED-HEADER"
-  key_vault_id = module.key_vault_common.id
+  key_vault_id = data.azurerm_key_vault.key_vault_common.id
 }
 
 resource "azurerm_api_management_named_value" "api_gad_client_certificate_verified_header_v2" {