[CES-103] - Moved cosmos-api to common folder (#1173)

Co-authored-by: Andrea Grillo <[email protected]>

.github/workflows/static_analysis.yml

@@ -44,7 +44,6 @@ jobs:
           newmap[src/domains/profile-app]="."
           newmap[src/domains/profile-common]="."
           newmap[src/domains/functions]="."
-          newmap[src/cosmos-api]="./prod"
           newmap[src/github-runner]="."
           newmap[src/packer]="."
 

src/common/_modules/cosmos_api/cosmos_account.tf

@@ -0,0 +1,43 @@
+resource "azurerm_cosmosdb_account" "this" {
+  name                = "${var.project}-cosmos-api"
+  resource_group_name = var.resource_groups.internal
+  location            = var.location
+
+  offer_type        = "Standard"
+  free_tier_enabled = false
+
+  automatic_failover_enabled = true
+  ip_range_filter            = join(",", local.ip_range_filter)
+
+  geo_location {
+    location          = var.location
+    failover_priority = 0
+    zone_redundant    = true
+  }
+
+  dynamic "geo_location" {
+    for_each = var.secondary_location != null ? [var.secondary_location] : []
+    content {
+      location          = geo_location.value
+      failover_priority = 1
+      zone_redundant    = false
+    }
+  }
+
+  consistency_policy {
+    consistency_level = "Strong" # TODO: Consider returning to BoundedSession
+  }
+
+  public_network_access_enabled     = true
+  is_virtual_network_filter_enabled = true
+
+  dynamic "virtual_network_rule" {
+    for_each = var.allowed_subnets_ids
+
+    content {
+      id = virtual_network_rule.value
+    }
+  }
+
+  tags = var.tags
+}

src/cosmos-api/prod/cosmos_containers.tf → src/common/_modules/cosmos_api/cosmos_containers.tf

@@ -10,6 +10,7 @@ resource "azurerm_cosmosdb_sql_container" "these" {
   partition_key_path    = each.value.partition_key_path
   partition_key_version = lookup(each.value, "partition_key_version", 2)
   throughput            = lookup(each.value, "throughput", null)
+  default_ttl           = lookup(each.value, "default_ttl", null)
 
   dynamic "autoscale_settings" {
     for_each = lookup(each.value, "autoscale_settings", null) != null ? [1] : []

src/cosmos-api/prod/locals.tf → src/common/_modules/cosmos_api/locals.tf

@@ -1,20 +1,5 @@
 locals {
-  prefix             = "io"
-  env_short          = "p"
-  project            = "${local.prefix}-${local.env_short}"
-  location           = "westeurope"
-  secondary_location = "northeurope"
-
-  resource_group_name_internal = "${local.project}-rg-internal"
-
-  tags = {
-    CostCenter  = "TS310 - PAGAMENTI & SERVIZI"
-    CreatedBy   = "Terraform"
-    Environment = "Prod"
-    Owner       = "IO"
-    Source      = "https://github.com/pagopa/io-infra/blob/main/src/cosmos-api/prod"
-  }
-
+  ip_range_filter = ["52.174.88.118", "40.91.208.65", "13.69.64.208/28", "13.69.71.192/27", "13.93.36.78", "20.86.93.32/27", "20.86.93.64/28", "20.126.243.151", "20.126.241.238", "20.103.132.139", "20.103.131.1"]
   cosmosdb_containers = [
     {
       name                  = "activations"
@@ -68,6 +53,7 @@ locals {
       name                  = "message-status"
       partition_key_path    = "/messageId"
       partition_key_version = null
+      default_ttl           = -1
       autoscale_settings = {
         max_throughput = 67000
       }
@@ -84,6 +70,7 @@ locals {
       name                  = "messages"
       partition_key_path    = "/fiscalCode"
       partition_key_version = null
+      default_ttl           = -1
       autoscale_settings = {
         max_throughput = 46000
       }

src/cosmos-api/prod/networking.tf → src/common/_modules/cosmos_api/networking.tf

@@ -3,7 +3,7 @@ resource "azurerm_private_endpoint" "sql" {
   name                = "${azurerm_cosmosdb_account.this.name}-sql-endpoint"
   location            = azurerm_cosmosdb_account.this.location
   resource_group_name = azurerm_cosmosdb_account.this.resource_group_name
-  subnet_id           = data.azurerm_subnet.pep.id
+  subnet_id           = var.pep_snet.id
 
   private_service_connection {
     name                           = "${azurerm_cosmosdb_account.this.name}-sql"
@@ -14,8 +14,8 @@ resource "azurerm_private_endpoint" "sql" {
 
   private_dns_zone_group {
     name                 = "private-dns-zone-group"
-    private_dns_zone_ids = [data.azurerm_private_dns_zone.documents.id]
+    private_dns_zone_ids = [var.documents_dns_zone.id]
   }
 
-  tags = local.tags
+  tags = var.tags
 }

src/common/_modules/cosmos_api/variables.tf

@@ -0,0 +1,63 @@
+variable "project" {
+  type        = string
+  description = "IO prefix, short environment and short location"
+}
+
+variable "location" {
+  type        = string
+  description = "Azure region"
+}
+
+variable "location_short" {
+  type        = string
+  description = "Azure region short name"
+}
+
+variable "tags" {
+  type        = map(any)
+  description = "Resource tags"
+}
+
+variable "resource_groups" {
+  type        = map(string)
+  description = "Resource group names"
+}
+
+variable "vnet_common" {
+  type = object({
+    id                  = string
+    name                = string
+    address_space       = list(string)
+    resource_group_name = string
+  })
+  description = "Information of the common VNet"
+}
+
+variable "pep_snet" {
+  type = object({
+    id               = string
+    name             = string
+    address_prefixes = list(string)
+  })
+}
+
+variable "secondary_location" {
+  type        = string
+  description = "The secondary location used for geo_replication of the cosmos database. If omitted, geo replication is not enabled."
+
+  default = null
+}
+
+variable "documents_dns_zone" {
+  type = object({
+    id                  = string
+    name                = string
+    resource_group_name = string
+  })
+  description = "Private link documents dns zone information"
+}
+
+variable "allowed_subnets_ids" {
+  type        = list(string)
+  description = "List of the IDs of the subnets allowed to contact the cosmos account"
+}

src/common/_modules/global/modules/dns/outputs.tf

@@ -34,6 +34,7 @@ output "public_dns_zones" {
 output "private_dns_zones" {
   value = {
     servicebus = azurerm_private_dns_zone.privatelink_servicebus
+    documents  = azurerm_private_dns_zone.privatelink_documents
   }
 }
 

src/common/prod/README.md

@@ -13,6 +13,7 @@
 | <a name="module_apim_weu"></a> [apim\_weu](#module\_apim\_weu) | ../_modules/apim | n/a |
 | <a name="module_application_gateway_weu"></a> [application\_gateway\_weu](#module\_application\_gateway\_weu) | ../_modules/application_gateway | n/a |
 | <a name="module_assets_cdn_weu"></a> [assets\_cdn\_weu](#module\_assets\_cdn\_weu) | ../_modules/assets_cdn | n/a |
+| <a name="module_cosmos_api_weu"></a> [cosmos\_api\_weu](#module\_cosmos\_api\_weu) | ../_modules/cosmos_api | n/a |
 | <a name="module_event_hubs_weu"></a> [event\_hubs\_weu](#module\_event\_hubs\_weu) | ../_modules/event_hubs | n/a |
 | <a name="module_github_runner_itn"></a> [github\_runner\_itn](#module\_github\_runner\_itn) | ../_modules/github_runner | n/a |
 | <a name="module_global"></a> [global](#module\_global) | ../_modules/global | n/a |
@@ -31,6 +32,7 @@
 | [azurerm_linux_web_app.firmaconio_selfcare_web_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
 | [azurerm_resource_group.common_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.internal_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_subnet.cosmos_api_allowed](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_virtual_network.weu_beta](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 | [azurerm_virtual_network.weu_prod01](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 | [terraform_remote_state.core](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |

src/common/prod/data.tf

@@ -48,4 +48,13 @@ data "azurerm_linux_web_app" "app_backendl2" {
 data "azurerm_linux_function_app" "function_assets_cdn" {
   name                = "${local.project_weu_legacy}-assets-cdn-fn"
   resource_group_name = "${local.project_weu_legacy}-assets-cdn-rg"
-}
+}
+
+# Cosmos API
+data "azurerm_subnet" "cosmos_api_allowed" {
+  for_each = toset(local.cosmos_api.allowed_subnets)
+
+  name                 = each.value
+  virtual_network_name = local.core.networking.weu.vnet_common.name
+  resource_group_name  = local.core.networking.weu.vnet_common.resource_group_name
+}

src/common/prod/locals.tf

@@ -36,6 +36,10 @@ locals {
     }
   }
 
+  cosmos_api = {
+    allowed_subnets = ["fn3admin", "fn3app1", "fn3app2", "fn3appasync", "fn3assets", "fn3public", "fn3services", "fn3slackbot"]
+  }
+
   eventhubs = [
     {
       name              = "io-cosmosdb-services"

src/common/prod/westeurope.tf

@@ -380,5 +380,22 @@ module "assets_cdn_weu" {
     hostname = data.azurerm_linux_function_app.function_assets_cdn.default_hostname
   }
 
+  tags = local.tags
+}
+
+module "cosmos_api_weu" {
+  source = "../_modules/cosmos_api"
+
+  location       = data.azurerm_resource_group.common_weu.location
+  location_short = local.location_short[data.azurerm_resource_group.common_weu.location]
+  project        = local.project_weu_legacy
+
+  resource_groups     = local.resource_groups[local.location_short[data.azurerm_resource_group.common_weu.location]]
+  vnet_common         = local.core.networking.weu.vnet_common
+  pep_snet            = local.core.networking.weu.pep_snet
+  secondary_location  = "northeurope"
+  documents_dns_zone  = module.global.dns.private_dns_zones.documents
+  allowed_subnets_ids = values(data.azurerm_subnet.cosmos_api_allowed)[*].id
+
   tags = local.tags
 }