Merge branch 'main' into CES-36-unify-terraform-state-location

pagopa · Oct 28, 2024 · 7b4d1e1 · 7b4d1e1
2 parents 7e8b226 + eb2a8e6
commit 7b4d1e1
Show file tree

Hide file tree

Showing 22 changed files with 535 additions and 52 deletions.
diff --git a/src/common/_modules/app_backend/app_settings.tf b/src/common/_modules/app_backend/app_settings.tf
@@ -56,7 +56,6 @@ locals {
     CGN_API_BASE_PATH                 = "/api/v1/cgn"
     CGN_OPERATOR_SEARCH_API_BASE_PATH = "/api/v1/cgn/operator-search"
     EUCOVIDCERT_API_BASE_PATH         = "/api/v1/eucovidcert"
-    MIT_VOUCHER_API_BASE_PATH         = "/api/v1/mitvoucher/auth"
     IO_SIGN_API_BASE_PATH             = "/api/v1/sign"
     LOLLIPOP_API_BASE_PATH            = "/api/v1"
     TRIAL_SYSTEM_API_BASE_PATH        = "/api/v1"
@@ -85,12 +84,6 @@ locals {
     MYPORTAL_BASE_PATH             = "/myportal/api/v1"
     ALLOW_MYPORTAL_IP_SOURCE_RANGE = data.azurerm_key_vault_secret.app_backend_ALLOW_MYPORTAL_IP_SOURCE_RANGE.value
 
-    // MIT_VOUCHER JWT
-    JWT_MIT_VOUCHER_TOKEN_ISSUER         = "app-backend.io.italia.it"
-    JWT_MIT_VOUCHER_TOKEN_EXPIRATION     = 1200
-    JWT_MIT_VOUCHER_TOKEN_PRIVATE_ES_KEY = data.azurerm_key_vault_secret.app_backend_JWT_MIT_VOUCHER_TOKEN_PRIVATE_ES_KEY.value
-    JWT_MIT_VOUCHER_TOKEN_AUDIENCE       = data.azurerm_key_vault_secret.app_backend_JWT_MIT_VOUCHER_TOKEN_AUDIENCE.value
-
     // BPD
     JWT_SUPPORT_TOKEN_PRIVATE_RSA_KEY = data.azurerm_key_vault_secret.app_backend_JWT_SUPPORT_TOKEN_PRIVATE_RSA_KEY.value
 
@@ -107,7 +100,6 @@ locals {
     FF_BONUS_ENABLED           = 1
     FF_CGN_ENABLED             = 1
     FF_EUCOVIDCERT_ENABLED     = 1
-    FF_MIT_VOUCHER_ENABLED     = 1
     FF_IO_SIGN_ENABLED         = 1
     FF_IO_WALLET_ENABLED       = 1
     FF_IO_WALLET_TRIAL_ENABLED = 1

diff --git a/src/common/_modules/app_backend/data_kv.tf b/src/common/_modules/app_backend/data_kv.tf
@@ -50,16 +50,6 @@ data "azurerm_key_vault_secret" "app_backend_TEST_CGN_FISCAL_CODES" {
   key_vault_id = var.key_vault_common.id
 }
 
-data "azurerm_key_vault_secret" "app_backend_JWT_MIT_VOUCHER_TOKEN_PRIVATE_ES_KEY" {
-  name         = "appbackend-mitvoucher-JWT-PRIVATE-ES-KEY"
-  key_vault_id = var.key_vault_common.id
-}
-
-data "azurerm_key_vault_secret" "app_backend_JWT_MIT_VOUCHER_TOKEN_AUDIENCE" {
-  name         = "appbackend-mitvoucher-JWT-AUDIENCE"
-  key_vault_id = var.key_vault_common.id
-}
-
 data "azurerm_key_vault_secret" "app_backend_PECSERVER_TOKEN_SECRET" {
   name         = "appbackend-PECSERVER-TOKEN-SECRET"
   key_vault_id = var.key_vault_common.id

diff --git a/src/common/_modules/cosmos_api/locals.tf b/src/common/_modules/cosmos_api/locals.tf
@@ -55,7 +55,7 @@ locals {
       partition_key_version = null
       default_ttl           = -1
       autoscale_settings = {
-        max_throughput = 200000
+        max_throughput = 67000
       }
     },
     {
@@ -72,7 +72,7 @@ locals {
       partition_key_version = null
       default_ttl           = -1
       autoscale_settings = {
-        max_throughput = 100000
+        max_throughput = 46000
       }
     },
     {
@@ -124,7 +124,7 @@ locals {
       partition_key_path    = "/fiscalCode"
       partition_key_version = null
       autoscale_settings = {
-        max_throughput = 100000
+        max_throughput = 48000
       }
     },
     {

diff --git a/src/common/prod/locals.tf b/src/common/prod/locals.tf
@@ -75,7 +75,7 @@ locals {
     eucovidcert          = data.azurerm_linux_function_app.eucovidcert.default_hostname
     cgn                  = data.azurerm_linux_function_app.function_cgn.default_hostname
     iosign               = data.azurerm_linux_function_app.io_sign_user.default_hostname
-    cgnonboarding        = "cgnonboardingportal-p-op.azurewebsites.net"
+    cgnonboarding        = "io-p-itn-cgn-search-func-01.azurewebsites.net"
     trial_system_api     = "ts-p-itn-api-func-01.azurewebsites.net"
     trial_system_apim    = data.azurerm_api_management.trial_system.gateway_url
     iowallet             = data.azurerm_linux_function_app.wallet_user.default_hostname

diff --git a/src/core/_modules/custom_roles/outputs.tf b/src/core/_modules/custom_roles/outputs.tf
@@ -0,0 +1,6 @@
+output "pagopa_opex_contributor" {
+  value = {
+    id   = azurerm_role_definition.pagopa_opex_contributor.id
+    name = azurerm_role_definition.pagopa_opex_contributor.name
+  }
+}
diff --git a/src/core/_modules/custom_roles/pagopa_opex_role.tf b/src/core/_modules/custom_roles/pagopa_opex_role.tf
@@ -0,0 +1,18 @@
+resource "azurerm_role_definition" "pagopa_opex_contributor" {
+  name        = "PagoPA Opex Dashboards Contributor"
+  scope       = var.subscription_id
+  description = "Role to manage the Opex Dashboards creation, modification and deletion"
+
+  permissions {
+    actions = [
+      "Microsoft.Portal/dashboards/write",
+      "Microsoft.Portal/dashboards/read",
+      "Microsoft.Portal/dashboards/delete",
+    ]
+    not_actions = []
+  }
+
+  assignable_scopes = [
+    var.subscription_id
+  ]
+}
diff --git a/src/core/_modules/custom_roles/variables.tf b/src/core/_modules/custom_roles/variables.tf
@@ -0,0 +1,4 @@
+variable "subscription_id" {
+  type        = string
+  description = "The subscription ID used as the scope for role definitions."
+}
diff --git a/src/core/prod/README.md b/src/core/prod/README.md
@@ -19,6 +19,7 @@
 |------|--------|---------|
 | <a name="module_azdoa_weu"></a> [azdoa\_weu](#module\_azdoa\_weu) | ../_modules/azure_devops_agent | n/a |
 | <a name="module_container_registry"></a> [container\_registry](#module\_container\_registry) | ../_modules/container_registry | n/a |
+| <a name="module_custom_roles"></a> [custom\_roles](#module\_custom\_roles) | ../_modules/custom_roles | n/a |
 | <a name="module_key_vault_weu"></a> [key\_vault\_weu](#module\_key\_vault\_weu) | ../_modules/key_vaults | n/a |
 | <a name="module_networking_itn"></a> [networking\_itn](#module\_networking\_itn) | ../_modules/networking | n/a |
 | <a name="module_networking_weu"></a> [networking\_weu](#module\_networking\_weu) | ../_modules/networking | n/a |

diff --git a/src/core/prod/italynorth.tf b/src/core/prod/italynorth.tf
@@ -54,3 +54,9 @@ module "vnet_peering_itn" {
     }
   }
 }
+
+module "custom_roles" {
+  source = "../_modules/custom_roles"
+
+  subscription_id = data.azurerm_subscription.current.id
+}
diff --git a/src/domains/citizen-auth-app/01_network_itn.tf b/src/domains/citizen-auth-app/01_network_itn.tf
@@ -246,3 +246,50 @@ resource "azurerm_private_endpoint" "staging_function_profile_async_itn_sites" {
 
   tags = var.tags
 }
+
+## fn-public-itn pep
+resource "azurerm_private_endpoint" "function_public_itn_sites" {
+  name                = "${local.common_project_itn}-public-func-pep-01"
+  location            = local.itn_location
+  resource_group_name = azurerm_resource_group.shared_rg_itn.name
+  subnet_id           = data.azurerm_subnet.itn_pep.id
+
+  private_service_connection {
+    name                           = "${local.common_project_itn}-public-func-pep-01"
+    private_connection_resource_id = module.function_public_itn.id
+    is_manual_connection           = false
+    subresource_names              = ["sites"]
+  }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_azurewebsites_net.id]
+  }
+
+  depends_on = [module.function_public_itn]
+
+  tags = var.tags
+}
+
+resource "azurerm_private_endpoint" "staging_function_public_itn_sites" {
+  name                = "${local.common_project_itn}-fast-login-func-staging-pep-01"
+  location            = local.itn_location
+  resource_group_name = azurerm_resource_group.shared_rg_itn.name
+  subnet_id           = data.azurerm_subnet.itn_pep.id
+
+  private_service_connection {
+    name                           = "${local.common_project_itn}-public-func-staging-pep-01"
+    private_connection_resource_id = module.function_public_itn.id
+    is_manual_connection           = false
+    subresource_names              = ["sites-${module.function_public_staging_slot_itn.name}"]
+  }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_azurewebsites_net.id]
+  }
+
+  depends_on = [module.function_public_itn, module.function_public_staging_slot_itn]
+
+  tags = var.tags
+}
diff --git a/src/domains/citizen-auth-app/04_shared_plan.tf b/src/domains/citizen-auth-app/04_shared_plan.tf
@@ -0,0 +1,39 @@
+resource "azurerm_resource_group" "shared_rg_itn" {
+  name     = format("%s-shared-rg-01", local.project_itn)
+  location = local.itn_location
+}
+
+resource "azurerm_app_service_plan" "shared_plan_itn" {
+  name                = format("%s-shared-asp-01", local.project_itn)
+  location            = azurerm_resource_group.shared_rg_itn.location
+  resource_group_name = azurerm_resource_group.shared_rg_itn.name
+
+  kind     = var.plan_shared_1_kind
+  reserved = true
+
+  sku {
+    tier     = var.plan_shared_1_sku_tier
+    size     = var.plan_shared_1_sku_size
+    capacity = var.plan_shared_1_sku_capacity
+  }
+
+  tags = var.tags
+}
+
+# Subnet to host app function
+module "shared_snet_itn" {
+  source                                    = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.44.0"
+  name                                      = format("%s-shared-snet-01", local.project_itn)
+  address_prefixes                          = var.cidr_subnet_shared_1
+  resource_group_name                       = data.azurerm_resource_group.italy_north_common_rg.name
+  virtual_network_name                      = data.azurerm_virtual_network.common_vnet_italy_north.name
+  private_endpoint_network_policies_enabled = true
+
+  delegation = {
+    name = "default"
+    service_delegation = {
+      name    = "Microsoft.Web/serverFarms"
+      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+    }
+  }
+}