From 9c69771ab1305c3d35865be6ee270616985e56f5 Mon Sep 17 00:00:00 2001 
From: christian-calabrese Date: Wed, 11 Sep 2024 10:45:04 +0200 Subject: [PATCH] [EC-357] - Move application gateway from core to modules (#1149) Co-authored-by: Andrea Grillo --- .../_modules/application_gateway/data.tf | 115 +++++ .../_modules/application_gateway/firewall.tf | 85 ++++ .../_modules/application_gateway/locals.tf | 29 ++ .../_modules/application_gateway/main.tf} | 451 ++++-------------- .../application_gateway/networking.tf | 24 + .../_modules/application_gateway/outputs.tf | 8 + .../_modules/application_gateway/rbac.tf | 49 ++ .../_modules/application_gateway/variables.tf | 120 +++++ src/common/_modules/event_hubs/data.tf | 2 +- src/common/_modules/event_hubs/main.tf | 2 +- src/common/_modules/event_hubs/variables.tf | 7 +- .../_modules/global/modules/dns/outputs.tf | 8 +- src/common/_modules/monitoring/outputs.tf | 9 + src/common/prod/.terraform.lock.hcl | 19 + src/common/prod/README.md | 7 +- src/common/prod/data.tf | 31 +- src/common/prod/global.tf | 3 +- src/common/prod/import.tf | 289 ----------- src/common/prod/locals.tf | 19 + src/common/prod/westeurope.tf | 53 +- src/core/99_variables.tf | 83 ---- src/core/README.md | 44 +- src/core/app_backend.tf | 8 +- src/core/data.tf | 10 + src/core/env/prod/terraform.tfvars | 17 - src/core/firmaconio.tf | 6 - src/core/refactor.tf | 69 +++ 27 files changed, 735 insertions(+), 832 deletions(-) create mode 100644 src/common/_modules/application_gateway/data.tf create mode 100644 src/common/_modules/application_gateway/firewall.tf create mode 100644 src/common/_modules/application_gateway/locals.tf rename src/{core/appgateway.tf => common/_modules/application_gateway/main.tf} (70%) create mode 100644 src/common/_modules/application_gateway/networking.tf create mode 100644 src/common/_modules/application_gateway/outputs.tf create mode 100644 src/common/_modules/application_gateway/rbac.tf create mode 100644 src/common/_modules/application_gateway/variables.tf create mode 100644 
src/common/_modules/monitoring/outputs.tf
delete mode 100644 src/common/prod/import.tf
create mode 100644 src/core/refactor.tf
diff --git a/src/common/_modules/application_gateway/data.tf b/src/common/_modules/application_gateway/data.tf
new file mode 100644
index 000000000..82cf54d2e
--- /dev/null
+++ b/src/common/_modules/application_gateway/data.tf
@@ -0,0 +1,115 @@
+#######################
+### Web Application ###
+#######################
+
+data "azurerm_linux_web_app" "cms_backoffice_app_itn" {
+ name = "${var.project}-itn-svc-bo-app-01"
+ resource_group_name = "${var.project}-itn-svc-rg-01"
+}
+
+data "azurerm_linux_web_app" "appservice_continua" {
+ name = "${var.project}-app-continua"
+ resource_group_name = "${var.project}-continua-rg"
+}
+
+data "azurerm_linux_web_app" "session_manager" {
+ name = "io-p-weu-session-manager-app-03"
+ resource_group_name = "io-p-weu-session-manager-rg-01"
+}
+
+data "azurerm_linux_web_app" "fims_op_app" {
+ name = "io-p-weu-fims-op-app-01"
+ resource_group_name = "io-p-weu-fims-rg-01"
+}
+
+data "azurerm_linux_web_app" "appservice_devportal_be" {
+ name = "${var.project}-app-devportal-be"
+ resource_group_name = "${var.project}-selfcare-be-rg"
+}
+
+data "azurerm_linux_web_app" "appservice_selfcare_be" {
+ name = "${var.project}-app-selfcare-be"
+ resource_group_name = "${var.project}-selfcare-be-rg"
+}
+
+#######################
+### Key Vault ###
+#######################
+
+data "azurerm_key_vault_certificate" "app_gw_api" {
+ name = var.certificates.api
+ key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_api_mtls" {
+ name = var.certificates.api_mtls
+ key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_api_app" {
+ name = var.certificates.api_app
+ key_vault_id = var.key_vault.id
+}
+
+###
+# kv where the certificate for api-web domain is located
+###
+data "azurerm_key_vault" "ioweb_kv" {
+ name = format("%s-ioweb-kv", var.project)
+ resource_group_name = format("%s-ioweb-sec-rg", var.project)
+}
+
+data "azurerm_key_vault_certificate" "app_gw_api_web" {
+ name = var.certificates.api_web
+ key_vault_id = data.azurerm_key_vault.ioweb_kv.id
+}
+###
+
+data "azurerm_key_vault_certificate" "app_gw_api_io_italia_it" {
+ name = var.certificates.api_io_italia_it
+ key_vault_id = var.key_vault_common.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_app_backend_io_italia_it" {
+ name = var.certificates.app_backend_io_italia_it
+ key_vault_id = var.key_vault_common.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_developerportal_backend_io_italia_it" {
+ name = var.certificates.developerportal_backend_io_italia_it
+ key_vault_id = var.key_vault_common.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_api_io_selfcare_pagopa_it" {
+ name = var.certificates.api_io_selfcare_pagopa_it
+ key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_firmaconio_selfcare_pagopa_it" {
+ name = var.certificates.firmaconio_selfcare_pagopa_it
+ key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_continua" {
+ name = var.certificates.continua_io_pagopa_it
+ key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_oauth" {
+ name = var.certificates.oauth_io_pagopa_it
+ key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_certificate" "app_gw_selfcare_io" {
+ name = var.certificates.selfcare_io_pagopa_it
+ key_vault_id = var.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "app_gw_mtls_header_name" {
+ name = "mtls-header-name"
+ key_vault_id = var.key_vault.id
+}
+
+data "azuread_service_principal" "app_gw_uai_kvreader" {
+ display_name = format("%s-uai-kvreader", var.project)
+}
\ No newline at end of file
diff --git a/src/common/_modules/application_gateway/firewall.tf b/src/common/_modules/application_gateway/firewall.tf
new file mode 100644
index 000000000..ef3e2757d
--- /dev/null
+++ b/src/common/_modules/application_gateway/firewall.tf
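Review bot: The `session_manager` and `fims_op_app` lookups hard-code `io-p-weu-…` app and resource-group names, while every other name in this module is derived from `var.project` (and `var.location_short` through `local.nonstandard`), so a second instance of the module for another region would still resolve the West Europe apps. Passing those two hostnames in through `var.backend_hostnames`, as main.tf already does for the app-backend and firmaconio backends, would keep the module free of region-specific literals; if that is deferred, a comment such as `# weu-only: these apps are not deployed per region yet — TODO parametrize` next to them would at least make the limitation explicit. The consumer of `app_gw_mtls_header_name` is outside this chunk, so I cannot tell whether that secret lookup is still needed after the move.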
@@ -0,0 +1,85 @@
+resource "azurerm_web_application_firewall_policy" "api_app" {
+ name = try(local.nonstandard[var.location_short].waf_api_app, "${var.project}-waf-agw-api-app-01")
+ resource_group_name = var.resource_groups.external
+ location = var.location
+
+ policy_settings {
+ enabled = true
+ mode = "Prevention"
+ request_body_check = true
+ file_upload_limit_in_mb = 100
+ max_request_body_size_in_kb = 128
+ }
+
+ managed_rules {
+
+ managed_rule_set {
+ type = "OWASP"
+ version = "3.1"
+
+ rule_group_override {
+ rule_group_name = "REQUEST-913-SCANNER-DETECTION"
+ disabled_rules = [
+ "913100",
+ "913101",
+ "913102",
+ "913110",
+ "913120",
+ ]
+ }
+
+ rule_group_override {
+ rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT"
+ disabled_rules = [
+ "920300",
+ "920320",
+ ]
+ }
+
+ rule_group_override {
+ rule_group_name = "REQUEST-930-APPLICATION-ATTACK-LFI"
+ disabled_rules = [
+ "930120",
+ ]
+ }
+
+ rule_group_override {
+ rule_group_name = "REQUEST-932-APPLICATION-ATTACK-RCE"
+ disabled_rules = [
+ "932150",
+ ]
+ }
+
+ rule_group_override {
+ rule_group_name = "REQUEST-941-APPLICATION-ATTACK-XSS"
+ disabled_rules = [
+ "941130",
+ ]
+ }
+
+ rule_group_override {
+ rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI"
+ disabled_rules = [
+ "942100",
+ "942120",
+ "942190",
+ "942200",
+ "942210",
+ "942240",
+ "942250",
+ "942260",
+ "942330",
+ "942340",
+ "942370",
+ "942380",
+ "942430",
+ "942440",
+ "942450",
+ ]
+ }
+
+ }
+ }
+
+ tags = var.tags
+}
\ No newline at end of file
diff --git a/src/common/_modules/application_gateway/locals.tf b/src/common/_modules/application_gateway/locals.tf
new file mode 100644
index 000000000..ea9a3befe
--- /dev/null
+++ b/src/common/_modules/application_gateway/locals.tf
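Review bot: The 26 disabled CRS rules (five in the scanner-detection group, fifteen in the SQLi group, plus protocol-enforcement, LFI, RCE and XSS rules) carry no rationale, so nobody can later tell which false positive justified each exclusion or whether it still applies. Now that this block is the single WAF definition for the module, each `rule_group_override` should record why its rules are off, e.g. `# 942100/942120: false positives on <endpoint> — see <ticket>` (placeholders to be filled in by the team), and the list deserves a re-check against a rule set newer than `"3.1"` as a follow-up rather than being carried forward unchanged. `mode = "Prevention"` with `request_body_check = true` is the right default for a public API policy and should stay.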
@@ -0,0 +1,29 @@
+locals {
+ io_backend_ip_headers_rule = {
+ name = "http-headers-api-app"
+ rule_sequence = 100
+ conditions = []
+ url = null
+ request_header_configurations = [
+ {
+ header_name = "X-Forwarded-For"
+ header_value = "{var_client_ip}"
+ },
+ {
+ header_name = "X-Client-Ip"
+ header_value = "{var_client_ip}"
+ },
+ ]
+ response_header_configurations = []
+ }
+
+ nonstandard = {
+ weu = {
+ waf_api_app = "${var.project}-waf-appgateway-api-app-policy"
+ agw = "${var.project}-appgateway"
+ snet = "${var.project}-appgateway-snet"
+ pip = "${var.project}-appgateway-pip"
+ id = "${var.project}-appgateway-identity"
+ }
+ }
+}
diff --git a/src/core/appgateway.tf b/src/common/_modules/application_gateway/main.tf
similarity index 70%
rename from src/core/appgateway.tf
rename to src/common/_modules/application_gateway/main.tf
index 4cc90ae4c..c7826e31f 100644
--- a/src/core/appgateway.tf
+++ b/src/common/_modules/application_gateway/main.tf
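Review bot: `nonstandard` is undocumented even though it decides, via the `try()` calls in firewall.tf, main.tf, networking.tf and rbac.tf, whether a module instance adopts the existing names or the new `<project>-agw-*-01` convention; a reader cannot tell why `weu` is special. A header comment above it such as `# Legacy names of the resources already deployed in weu, kept so the move into this module does not rename (and so recreate) them; any other location_short falls through to the try() default names` would capture that (the first clause is my inference of the intent — adjust if it differs). `io_backend_ip_headers_rule` would also benefit from a one-liner noting that `{var_client_ip}` appears to replace any client-supplied `X-Forwarded-For` rather than append to it, since that is what lets backends trust the header.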
@@ -1,57 +1,10 @@ -## Application gateway public ip ## -resource "azurerm_public_ip" "appgateway_public_ip" { - name = format("%s-appgateway-pip", local.project) - resource_group_name = azurerm_resource_group.rg_external.name - location = azurerm_resource_group.rg_external.location - sku = "Standard" - allocation_method = "Static" - zones = [1, 2, 3] - - tags = var.tags -} - -# Subnet to host the application gateway -module "appgateway_snet" { - source = "github.com/pagopa/terraform-azurerm-v3//subnet?ref=v8.27.0" - name = format("%s-appgateway-snet", local.project) - address_prefixes = var.cidr_subnet_appgateway - resource_group_name = azurerm_resource_group.rg_common.name - virtual_network_name = data.azurerm_virtual_network.common.name - private_endpoint_network_policies_enabled = true - - service_endpoints = [ - "Microsoft.Web", - ] -} - - -locals { - io_backend_ip_headers_rule = { - name = "http-headers-api-app" - rule_sequence = 100 - conditions = [] - url = null - request_header_configurations = [ - { - header_name = "X-Forwarded-For" - header_value = "{var_client_ip}" - }, - { - header_name = "X-Client-Ip" - header_value = "{var_client_ip}" - }, - ] - response_header_configurations = [] - } -} - ## Application gateway ## module "app_gw" { source = "github.com/pagopa/terraform-azurerm-v3//app_gateway?ref=v8.31.0" - resource_group_name = azurerm_resource_group.rg_external.name - location = azurerm_resource_group.rg_external.location - name = format("%s-appgateway", local.project) + resource_group_name = var.resource_groups.external + location = var.location + name = try(local.nonstandard[var.location_short].agw, "${var.project}-agw-01") zones = [1, 2, 3] # SKU @@ -59,7 +12,7 @@ module "app_gw" { sku_tier = "WAF_v2" # Networking - subnet_id = module.appgateway_snet.id + subnet_id = azurerm_subnet.agw_snet.id public_ip_id = azurerm_public_ip.appgateway_public_ip.id # Configure backends 
@@ -67,10 +20,10 @@ module "app_gw" { apim = { protocol = "Https" - host = format("api-app.internal.%s.%s", var.dns_zone_io, var.external_domain) + host = format("api-app.internal.%s", var.public_dns_zones.io.name) port = 443 ip_addresses = null # with null value use fqdns - fqdns = [format("api-app.internal.%s.%s", var.dns_zone_io, var.external_domain)] + fqdns = [format("api-app.internal.%s", var.public_dns_zones.io.name)] probe = "/status-0123456789abcdef" probe_name = "probe-apim" request_timeout = 180 @@ -83,8 +36,8 @@ module "app_gw" { port = 443 ip_addresses = null # with null value use fqdns fqdns = [ - module.appservice_app_backendl1.default_site_hostname, - module.appservice_app_backendl2.default_site_hostname, + var.backend_hostnames.app_backendl1, + var.backend_hostnames.app_backendl2, ] probe = "/info" probe_name = "probe-appbackend-app" @@ -154,7 +107,7 @@ module "app_gw" { port = 443 ip_addresses = null # with null value use fqdns fqdns = [ - data.azurerm_linux_web_app.firmaconio_selfcare_web_app.default_hostname, + var.backend_hostnames.firmaconio_selfcare_web_app, ] probe = "/health" probe_name = "probe-firmaconio-selfcare-backend" @@ -192,7 +145,7 @@ module "app_gw" { } ssl_profiles = [{ - name = format("%s-api-mtls-profile", local.project) + name = format("%s-api-mtls-profile", var.project) trusted_client_certificate_names = [format("%s-issuer-chain", var.prefix)] verify_client_cert_issuer_dn = true ssl_policy = { @@ -207,7 +160,7 @@ module "app_gw" { } }, { - name = format("%s-ssl-profile", local.project) + name = format("%s-ssl-profile", var.project) trusted_client_certificate_names = null verify_client_cert_issuer_dn = false ssl_policy = { 
@@ -225,39 +178,21 @@ module "app_gw" { trusted_client_certificates = [ { secret_name = format("%s-issuer-chain", var.prefix) - key_vault_id = data.azurerm_key_vault.key_vault.id + key_vault_id = var.key_vault.id } ] # Configure listeners listeners = { - - api-io-pagopa-it = { - protocol = "Https" - host = format("api.%s.%s", var.dns_zone_io, var.external_domain) - port = 443 - ssl_profile_name = null - firewall_policy_id = null - - certificate = { - name = var.app_gateway_api_certificate_name - id = replace( - data.azurerm_key_vault_certificate.app_gw_api.secret_id, - "/${data.azurerm_key_vault_certificate.app_gw_api.version}", - "" - ) - } - } - api-mtls-io-pagopa-it = { protocol = "Https" - host = format("api-mtls.%s.%s", var.dns_zone_io, var.external_domain) + host = format("api-mtls.%s", var.public_dns_zones.io.name) port = 443 - ssl_profile_name = format("%s-api-mtls-profile", local.project) + ssl_profile_name = format("%s-api-mtls-profile", var.project) firewall_policy_id = null certificate = { - name = var.app_gateway_api_mtls_certificate_name + name = var.certificates.api_mtls id = replace( data.azurerm_key_vault_certificate.app_gw_api_mtls.secret_id, "/${data.azurerm_key_vault_certificate.app_gw_api_mtls.version}", @@ -274,7 +209,7 @@ module "app_gw" { firewall_policy_id = null certificate = { - name = var.app_gateway_api_io_italia_it_certificate_name + name = var.certificates.api_io_italia_it id = replace( data.azurerm_key_vault_certificate.app_gw_api_io_italia_it.secret_id, "/${data.azurerm_key_vault_certificate.app_gw_api_io_italia_it.version}", 
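Review bot: The `replace(…secret_id, "/${…version}", "")` idiom in the `api-mtls-io-pagopa-it` certificate block is repeated for every listener in this file (the hunks at -274, -282 and -351 too) with no explanation of why the version segment is stripped. A comment on this first occurrence, e.g. `# versionless secret id — presumably so the gateway follows certificate renewals in Key Vault without a re-apply; confirm`, would stop the next maintainer from "fixing" it back to the versioned id. The `module "app_gw"` block and its `listeners` map both start and end outside this hunk.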
@@ -282,53 +217,53 @@ module "app_gw" { ) } } - - api-app-io-pagopa-it = { + + api-io-pagopa-it = { protocol = "Https" - host = format("api-app.%s.%s", var.dns_zone_io, var.external_domain) + host = format("api.%s", var.public_dns_zones.io.name) port = 443 ssl_profile_name = null - firewall_policy_id = azurerm_web_application_firewall_policy.api_app.id + firewall_policy_id = null certificate = { - name = var.app_gateway_api_app_certificate_name + name = var.certificates.api id = replace( - data.azurerm_key_vault_certificate.app_gw_api_app.secret_id, - "/${data.azurerm_key_vault_certificate.app_gw_api_app.version}", + data.azurerm_key_vault_certificate.app_gw_api.secret_id, + "/${data.azurerm_key_vault_certificate.app_gw_api.version}", "" ) } } - api-web-io-pagopa-it = { + api-io-selfcare-pagopa-it = { protocol = "Https" - host = format("api-web.%s.%s", var.dns_zone_io, var.external_domain) + host = "api.${var.public_dns_zones.io_selfcare_pagopa_it.name}" port = 443 ssl_profile_name = null - firewall_policy_id = azurerm_web_application_firewall_policy.api_app.id + firewall_policy_id = null certificate = { - name = var.app_gateway_api_web_certificate_name + name = var.certificates.api_io_selfcare_pagopa_it id = replace( - data.azurerm_key_vault_certificate.app_gw_api_web.secret_id, - "/${data.azurerm_key_vault_certificate.app_gw_api_web.version}", + data.azurerm_key_vault_certificate.app_gw_api_io_selfcare_pagopa_it.secret_id, + "/${data.azurerm_key_vault_certificate.app_gw_api_io_selfcare_pagopa_it.version}", "" ) } } - app-backend-io-italia-it = { + continua-io-pagopa-it = { protocol = "Https" - host = "app-backend.io.italia.it" + host = format("continua.%s", var.public_dns_zones.io.name) port = 443 ssl_profile_name = null - firewall_policy_id = azurerm_web_application_firewall_policy.api_app.id + firewall_policy_id = null certificate = { - name = var.app_gateway_app_backend_io_italia_it_certificate_name + name = var.certificates.continua_io_pagopa_it id = replace( 
- data.azurerm_key_vault_certificate.app_gw_app_backend_io_italia_it.secret_id, - "/${data.azurerm_key_vault_certificate.app_gw_app_backend_io_italia_it.version}", + data.azurerm_key_vault_certificate.app_gw_continua.secret_id, + "/${data.azurerm_key_vault_certificate.app_gw_continua.version}", "" ) } @@ -342,7 +277,7 @@ module "app_gw" { firewall_policy_id = null certificate = { - name = var.app_gateway_developerportal_backend_io_italia_it_certificate_name + name = var.certificates.developerportal_backend_io_italia_it id = replace( data.azurerm_key_vault_certificate.app_gw_developerportal_backend_io_italia_it.secret_id, "/${data.azurerm_key_vault_certificate.app_gw_developerportal_backend_io_italia_it.version}", 
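Review bot: After the reorder, `api-io-pagopa-it`, `api-io-selfcare-pagopa-it` and `continua-io-pagopa-it` keep `firewall_policy_id = null` (as do `api-mtls-io-pagopa-it` and the developer-portal listener in the neighbouring hunks), while only `api-app`, `api-web` and `app-backend` in the hunk at -351 bind `azurerm_web_application_firewall_policy.api_app`. With `sku_tier = "WAF_v2"` a null per-listener policy falls back to the gateway-level WAF configuration, which lives elsewhere in `module "app_gw"` and is not in this chunk; it is worth confirming that configuration is in Prevention mode for these public hostnames, or annotating each `null` with why the listener is exempt, e.g. `# no per-listener WAF policy: covered by the gateway-level configuration`. The `listeners` map starts and ends outside this hunk.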
@@ -351,86 +286,103 @@ module "app_gw" { } } - api-io-selfcare-pagopa-it = { + firmaconio-selfcare-pagopa-it = { protocol = "Https" - host = "api.${var.dns_zone_io_selfcare}.${var.external_domain}" + host = var.public_dns_zones.firmaconio_selfcare_pagopa_it.name port = 443 ssl_profile_name = null firewall_policy_id = null certificate = { - name = var.app_gateway_api_io_selfcare_pagopa_it_certificate_name + name = var.certificates.firmaconio_selfcare_pagopa_it id = replace( - data.azurerm_key_vault_certificate.app_gw_api_io_selfcare_pagopa_it.secret_id, - "/${data.azurerm_key_vault_certificate.app_gw_api_io_selfcare_pagopa_it.version}", + data.azurerm_key_vault_certificate.app_gw_firmaconio_selfcare_pagopa_it.secret_id, + "/${data.azurerm_key_vault_certificate.app_gw_firmaconio_selfcare_pagopa_it.version}", "" ) } } - firmaconio-selfcare-pagopa-it = { + oauth-io-pagopa-it = { protocol = "Https" - host = format("%s.%s", var.dns_zone_firmaconio_selfcare, var.external_domain) + host = format("oauth.%s", var.public_dns_zones.io.name) port = 443 ssl_profile_name = null firewall_policy_id = null certificate = { - name = var.app_gateway_firmaconio_selfcare_pagopa_it_certificate_name + name = var.certificates.oauth_io_pagopa_it id = replace( - data.azurerm_key_vault_certificate.app_gw_firmaconio_selfcare_pagopa_it.secret_id, - "/${data.azurerm_key_vault_certificate.app_gw_firmaconio_selfcare_pagopa_it.version}", + data.azurerm_key_vault_certificate.app_gw_oauth.secret_id, + "/${data.azurerm_key_vault_certificate.app_gw_oauth.version}", "" ) } } - continua-io-pagopa-it = { + selfcare-io-pagopa-it = { protocol = "Https" - host = format("continua.%s.%s", var.dns_zone_io, var.external_domain) + host = format("selfcare.%s", var.public_dns_zones.io.name) port = 443 - ssl_profile_name = null + ssl_profile_name = format("%s-ssl-profile", var.project) firewall_policy_id = null certificate = { - name = var.app_gateway_continua_io_pagopa_it_certificate_name + name = 
var.certificates.selfcare_io_pagopa_it id = replace( - data.azurerm_key_vault_certificate.app_gw_continua.secret_id, - "/${data.azurerm_key_vault_certificate.app_gw_continua.version}", + data.azurerm_key_vault_certificate.app_gw_selfcare_io.secret_id, + "/${data.azurerm_key_vault_certificate.app_gw_selfcare_io.version}", "" ) } } - selfcare-io-pagopa-it = { + api-app-io-pagopa-it = { protocol = "Https" - host = format("selfcare.%s.%s", var.dns_zone_io, var.external_domain) + host = format("api-app.%s", var.public_dns_zones.io.name) port = 443 - ssl_profile_name = format("%s-ssl-profile", local.project) - firewall_policy_id = null + ssl_profile_name = null + firewall_policy_id = azurerm_web_application_firewall_policy.api_app.id certificate = { - name = var.app_gateway_selfcare_io_pagopa_it_certificate_name + name = var.certificates.api_app id = replace( - data.azurerm_key_vault_certificate.app_gw_selfcare_io.secret_id, - "/${data.azurerm_key_vault_certificate.app_gw_selfcare_io.version}", + data.azurerm_key_vault_certificate.app_gw_api_app.secret_id, + "/${data.azurerm_key_vault_certificate.app_gw_api_app.version}", "" ) } } - oauth-io-pagopa-it = { + api-web-io-pagopa-it = { protocol = "Https" - host = format("oauth.%s.%s", var.dns_zone_io, var.external_domain) + host = format("api-web.%s", var.public_dns_zones.io.name) port = 443 ssl_profile_name = null - firewall_policy_id = null + firewall_policy_id = azurerm_web_application_firewall_policy.api_app.id certificate = { - name = var.app_gateway_oauth_io_pagopa_it_certificate_name + name = var.certificates.api_web id = replace( - data.azurerm_key_vault_certificate.app_gw_oauth.secret_id, - "/${data.azurerm_key_vault_certificate.app_gw_oauth.version}", + data.azurerm_key_vault_certificate.app_gw_api_web.secret_id, + "/${data.azurerm_key_vault_certificate.app_gw_api_web.version}", + "" + ) + } + } + + app-backend-io-italia-it = { + protocol = "Https" + host = "app-backend.io.italia.it" + port = 443 + ssl_profile_name 
= null + firewall_policy_id = azurerm_web_application_firewall_policy.api_app.id + + certificate = { + name = var.certificates.app_backend_io_italia_it + id = replace( + data.azurerm_key_vault_certificate.app_gw_app_backend_io_italia_it.secret_id, + "/${data.azurerm_key_vault_certificate.app_gw_app_backend_io_italia_it.version}", "" ) } @@ -856,15 +808,15 @@ module "app_gw" { identity_ids = [azurerm_user_assigned_identity.appgateway.id] # Scaling - # app_gateway_min_capacity = var.app_gateway_min_capacity + # min_capacity = var.min_capacity app_gateway_min_capacity = "10" - app_gateway_max_capacity = var.app_gateway_max_capacity + app_gateway_max_capacity = var.max_capacity - alerts_enabled = var.app_gateway_alerts_enabled + alerts_enabled = var.alerts_enabled action = [ { - action_group_id = data.azurerm_monitor_action_group.error_action_group.id + action_group_id = var.error_action_group_id webhook_properties = null } ] 
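Review bot: `# min_capacity = var.min_capacity` was renamed along with the variables but is still commented out, so the line is dead and `app_gateway_min_capacity = "10"` stays a hard-coded string right next to `app_gateway_max_capacity = var.max_capacity`. Either wire it, `app_gateway_min_capacity = var.min_capacity` (if variables.tf declares it — that file is not in this chunk), or drop the comment and state why the floor is fixed, e.g. `# min capacity pinned at 10 rather than exposed as a variable — TODO record the reason`. The surrounding `module "app_gw"` block starts outside this hunk.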
@@ -996,233 +948,4 @@ module "app_gw" { } tags = var.tags -} - -## user assined identity: (application gateway) ## -resource "azurerm_user_assigned_identity" "appgateway" { - resource_group_name = data.azurerm_resource_group.sec_rg.name - location = data.azurerm_resource_group.sec_rg.location - name = format("%s-appgateway-identity", local.project) - - tags = var.tags -} - -resource "azurerm_key_vault_access_policy" "app_gateway_policy" { - key_vault_id = data.azurerm_key_vault.key_vault.id - tenant_id = data.azurerm_client_config.current.tenant_id - object_id = azurerm_user_assigned_identity.appgateway.principal_id - key_permissions = [] - secret_permissions = ["Get", "List"] - certificate_permissions = ["Get", "List"] - storage_permissions = [] -} - -resource "azurerm_key_vault_access_policy" "app_gateway_policy_common" { - key_vault_id = data.azurerm_key_vault.key_vault_common.id - tenant_id = data.azurerm_client_config.current.tenant_id - object_id = azurerm_user_assigned_identity.appgateway.principal_id - key_permissions = [] - secret_permissions = ["Get", "List"] - certificate_permissions = ["Get", "List"] - storage_permissions = [] -} - -resource "azurerm_key_vault_access_policy" "app_gateway_policy_ioweb" { - key_vault_id = data.azurerm_key_vault.ioweb_kv.id - tenant_id = data.azurerm_client_config.current.tenant_id - object_id = azurerm_user_assigned_identity.appgateway.principal_id - key_permissions = [] - secret_permissions = ["Get", "List"] - certificate_permissions = ["Get", "List"] - storage_permissions = [] -} - -## user assined identity: (old application gateway) ## -data "azuread_service_principal" "app_gw_uai_kvreader" { - display_name = format("%s-uai-kvreader", local.project) -} - -resource "azurerm_key_vault_access_policy" "app_gw_uai_kvreader_common" { - key_vault_id = data.azurerm_key_vault.key_vault_common.id - tenant_id = data.azurerm_client_config.current.tenant_id - object_id = data.azuread_service_principal.app_gw_uai_kvreader.object_id 
- key_permissions = [] - secret_permissions = ["Get", "List"] - certificate_permissions = ["Get", "List"] - storage_permissions = [] -} - -data "azurerm_key_vault_certificate" "app_gw_api" { - name = var.app_gateway_api_certificate_name - key_vault_id = data.azurerm_key_vault.key_vault.id -} - -data "azurerm_key_vault_certificate" "app_gw_api_mtls" { - name = var.app_gateway_api_mtls_certificate_name - key_vault_id = data.azurerm_key_vault.key_vault.id -} - -data "azurerm_key_vault_certificate" "app_gw_api_app" { - name = var.app_gateway_api_app_certificate_name - key_vault_id = data.azurerm_key_vault.key_vault.id -} - -### -# kv where the certificate for api-web domain is located -### -data "azurerm_key_vault" "ioweb_kv" { - name = format("%s-ioweb-kv", local.project) - resource_group_name = format("%s-ioweb-sec-rg", local.project) -} - -data "azurerm_key_vault_certificate" "app_gw_api_web" { - name = var.app_gateway_api_web_certificate_name - key_vault_id = data.azurerm_key_vault.ioweb_kv.id -} -### - -data "azurerm_key_vault_certificate" "app_gw_api_io_italia_it" { - name = var.app_gateway_api_io_italia_it_certificate_name - key_vault_id = data.azurerm_key_vault.key_vault_common.id -} - -data "azurerm_key_vault_certificate" "app_gw_app_backend_io_italia_it" { - name = var.app_gateway_app_backend_io_italia_it_certificate_name - key_vault_id = data.azurerm_key_vault.key_vault_common.id -} - -data "azurerm_key_vault_certificate" "app_gw_developerportal_backend_io_italia_it" { - name = var.app_gateway_developerportal_backend_io_italia_it_certificate_name - key_vault_id = data.azurerm_key_vault.key_vault_common.id -} - -data "azurerm_key_vault_certificate" "app_gw_api_io_selfcare_pagopa_it" { - name = var.app_gateway_api_io_selfcare_pagopa_it_certificate_name - key_vault_id = data.azurerm_key_vault.key_vault.id -} - -data "azurerm_key_vault_certificate" "app_gw_firmaconio_selfcare_pagopa_it" { - name = var.app_gateway_firmaconio_selfcare_pagopa_it_certificate_name - 
key_vault_id = data.azurerm_key_vault.key_vault.id -} - -data "azurerm_key_vault_certificate" "app_gw_continua" { - name = var.app_gateway_continua_io_pagopa_it_certificate_name - key_vault_id = data.azurerm_key_vault.key_vault.id -} - -data "azurerm_key_vault_certificate" "app_gw_oauth" { - name = var.app_gateway_oauth_io_pagopa_it_certificate_name - key_vault_id = data.azurerm_key_vault.key_vault.id -} - -data "azurerm_key_vault_certificate" "app_gw_selfcare_io" { - name = var.app_gateway_selfcare_io_pagopa_it_certificate_name - key_vault_id = data.azurerm_key_vault.key_vault.id -} - -data "azurerm_key_vault_secret" "app_gw_mtls_header_name" { - name = "mtls-header-name" - key_vault_id = data.azurerm_key_vault.key_vault.id -} - -resource "azurerm_web_application_firewall_policy" "api_app" { - name = format("%s-waf-appgateway-api-app-policy", local.project) - resource_group_name = azurerm_resource_group.rg_external.name - location = azurerm_resource_group.rg_external.location - - policy_settings { - enabled = true - mode = "Prevention" - request_body_check = true - file_upload_limit_in_mb = 100 - max_request_body_size_in_kb = 128 - } - - managed_rules { - - managed_rule_set { - type = "OWASP" - version = "3.1" - - rule_group_override { - rule_group_name = "REQUEST-913-SCANNER-DETECTION" - disabled_rules = [ - "913100", - "913101", - "913102", - "913110", - "913120", - ] - } - - rule_group_override { - rule_group_name = "REQUEST-920-PROTOCOL-ENFORCEMENT" - disabled_rules = [ - "920300", - "920320", - ] - } - - rule_group_override { - rule_group_name = "REQUEST-930-APPLICATION-ATTACK-LFI" - disabled_rules = [ - "930120", - ] - } - - rule_group_override { - rule_group_name = "REQUEST-932-APPLICATION-ATTACK-RCE" - disabled_rules = [ - "932150", - ] - } - - rule_group_override { - rule_group_name = "REQUEST-941-APPLICATION-ATTACK-XSS" - disabled_rules = [ - "941130", - ] - } - - rule_group_override { - rule_group_name = "REQUEST-942-APPLICATION-ATTACK-SQLI" - 
disabled_rules = [
- "942100",
- "942120",
- "942190",
- "942200",
- "942210",
- "942240",
- "942250",
- "942260",
- "942330",
- "942340",
- "942370",
- "942380",
- "942430",
- "942440",
- "942450",
- ]
- }
-
- }
- }
-
- tags = var.tags
-}
-
-
-#######################
-## Web Application ##
-#######################
-
-data "azurerm_linux_web_app" "session_manager" {
- name = "io-p-weu-session-manager-app-03"
- resource_group_name = "io-p-weu-session-manager-rg-01"
-}
-
-data "azurerm_linux_web_app" "fims_op_app" {
- name = "io-p-weu-fims-op-app-01"
- resource_group_name = "io-p-weu-fims-rg-01"
-}
+}
\ No newline at end of file
diff --git a/src/common/_modules/application_gateway/networking.tf b/src/common/_modules/application_gateway/networking.tf
new file mode 100644
index 000000000..6e83f1cfa
--- /dev/null
+++ b/src/common/_modules/application_gateway/networking.tf
@@ -0,0 +1,24 @@
+# Subnet to host the application gateway
+resource "azurerm_subnet" "agw_snet" {
+ name = try(local.nonstandard[var.location_short].snet, "${var.project}-agw-snet-01")
+ resource_group_name = var.resource_groups.common
+ virtual_network_name = var.vnet_common.name
+ address_prefixes = var.cidr_subnet
+ private_endpoint_network_policies = "Enabled"
+
+ service_endpoints = [
+ "Microsoft.Web",
+ ]
+}
+
+## Application gateway public ip ##
+resource "azurerm_public_ip" "appgateway_public_ip" {
+ name = try(local.nonstandard[var.location_short].pip, "${var.project}-agw-pip-01")
+ resource_group_name = var.resource_groups.external
+ location = var.location
+ sku = "Standard"
+ allocation_method = "Static"
+ zones = [1, 2, 3]
+
+ tags = var.tags
+}
\ No newline at end of file
diff --git a/src/common/_modules/application_gateway/outputs.tf b/src/common/_modules/application_gateway/outputs.tf
new file mode 100644
index 000000000..8f6e05ed5
--- /dev/null
+++ b/src/common/_modules/application_gateway/outputs.tf
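Review bot: Both resources change Terraform address here — `module.appgateway_snet` from the pagopa subnet module becomes `azurerm_subnet.agw_snet`, and the public IP moves under the new module path — so without matching `moved`/`import` blocks a plan would destroy and recreate the subnet that hosts the gateway and the static public IP that DNS points at. The diffstat lists `src/core/refactor.tf` (added) and `src/common/prod/import.tf` (deleted), which presumably carry those blocks, but neither is in this chunk; the PR should show a plan with zero destroys before merge. A comment above `azurerm_subnet.agw_snet` such as `# replaces module.appgateway_snet (terraform-azurerm-v3 subnet v8.27.0); state moved in refactor.tf` would make the lineage discoverable from the module itself.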
@@ -0,0 +1,8 @@
+output "public_ip" {
+ value = {
+ address = azurerm_public_ip.appgateway_public_ip.ip_address
+ id = azurerm_public_ip.appgateway_public_ip.id
+ name = azurerm_public_ip.appgateway_public_ip.name
+ resource_group_name = azurerm_public_ip.appgateway_public_ip.resource_group_name
+ }
+}
\ No newline at end of file
diff --git a/src/common/_modules/application_gateway/rbac.tf b/src/common/_modules/application_gateway/rbac.tf
new file mode 100644
index 000000000..2b94df670
--- /dev/null
+++ b/src/common/_modules/application_gateway/rbac.tf
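Review bot: `output "public_ip"` has no `description`, and as the module's only output it is effectively its public contract for the callers in `src/common/prod`. Add `description = "Address, id, name and resource group of the application gateway public IP"` inside the block so `terraform-docs` and module consumers see what the object carries.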
@@ -0,0 +1,49 @@
+## user assined identity: (application gateway) ##
+resource "azurerm_user_assigned_identity" "appgateway" {
+ resource_group_name = var.resource_groups.sec
+ location = var.location
+ name = try(local.nonstandard[var.location_short].id, "${var.project}-agw-id-01")
+
+ tags = var.tags
+}
+
+resource "azurerm_key_vault_access_policy" "app_gateway_policy" {
+ key_vault_id = var.key_vault.id
+ tenant_id = var.datasources.azurerm_client_config.tenant_id
+ object_id = azurerm_user_assigned_identity.appgateway.principal_id
+ key_permissions = []
+ secret_permissions = ["Get", "List"]
+ certificate_permissions = ["Get", "List"]
+ storage_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "app_gateway_policy_common" {
+ key_vault_id = var.key_vault_common.id
+ tenant_id = var.datasources.azurerm_client_config.tenant_id
+ object_id = azurerm_user_assigned_identity.appgateway.principal_id
+ key_permissions = []
+ secret_permissions = ["Get", "List"]
+ certificate_permissions = ["Get", "List"]
+ storage_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "app_gateway_policy_ioweb" {
+ key_vault_id = data.azurerm_key_vault.ioweb_kv.id
+ tenant_id = var.datasources.azurerm_client_config.tenant_id
+ object_id = azurerm_user_assigned_identity.appgateway.principal_id
+ key_permissions = []
+ secret_permissions = ["Get", "List"]
+ certificate_permissions = ["Get", "List"]
+ storage_permissions = []
+}
+
+## user assined identity: (old application gateway) ##
+resource "azurerm_key_vault_access_policy" "app_gw_uai_kvreader_common" {
+ key_vault_id = var.key_vault_common.id
+ tenant_id = var.datasources.azurerm_client_config.tenant_id
+ object_id = data.azuread_service_principal.app_gw_uai_kvreader.object_id
+ key_permissions = []
+ secret_permissions = ["Get", "List"]
+ certificate_permissions = ["Get", "List"]
+ storage_permissions = []
+}
\ No newline at end of file
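Review bot: All four `azurerm_key_vault_access_policy` resources grant `List` next to `Get` on secrets and certificates; Application Gateway retrieves a certificate by its secret identifier and needs only `Get`, so `List` additionally lets the identity enumerate every secret name in `var.key_vault`, `var.key_vault_common` and `data.azurerm_key_vault.ioweb_kv`. Unless another consumer of this identity relies on listing, `secret_permissions = ["Get"]` and `certificate_permissions = ["Get"]` is the least-privilege form. The `app_gw_uai_kvreader_common` policy keeps the previous gateway's service principal on the common vault with no removal note; a `# TODO: drop once the legacy application gateway is decommissioned` next to it would make the intended lifetime explicit. Both header comments misspell "assigned" as `assined`.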
diff --git a/src/common/_modules/application_gateway/variables.tf b/src/common/_modules/application_gateway/variables.tf
new file mode 100644
index 000000000..e912d5ef0
--- /dev/null
+++ b/src/common/_modules/application_gateway/variables.tf
@@ -0,0 +1,120 @@ +variable "project" { + type = string + description = "IO prefix, short environment and short location" +} + +variable "prefix" { + type = string + default = "io" + validation { + condition = ( + length(var.prefix) < 6 + ) + error_message = "Max length is 6 chars." + } +} + +variable "location" { + type = string + description = "Azure region" +} + +variable "location_short" { + type = string + description = "Azure region short name" +} + +variable "tags" { + type = map(any) + description = "Resource tags" +} + +variable "resource_groups" { + type = map(string) + description = "Resource group names" +} + +variable "datasources" { + type = map(any) + description = "Common datasources" +} + +variable "external_domain" { + type = string + description = "Domain for delegation" +} + +variable "public_dns_zones" { + type = map(any) + description = "Public dns zones information" +} + +variable "vnet_common" { + type = object({ + id = string + name = string + address_space = list(string) + resource_group_name = string + }) + description = "Information of the common VNet" +} + +variable "cidr_subnet" { + type = list(string) + description = "Application gateway address space." 
+} + +variable "key_vault" { + type = object({ + id = string + name = string + resource_group_name = string + }) + description = "Information of the Key Vault" +} + +variable "key_vault_common" { + type = object({ + id = string + name = string + resource_group_name = string + }) + description = "Information of the Key Vault Common" +} + +## Application Gateway +variable "certificates" { + type = map(string) + description = "Information of the certificates" +} + +variable "backend_hostnames" { + type = map(string) + description = "Information of the backend hostnames" +} + +variable "min_capacity" { + type = number + default = 0 +} + +variable "max_capacity" { + type = number + default = 2 +} + +variable "alerts_enabled" { + type = bool + description = "Enable alerts" + default = true +} + +variable "deny_paths" { + type = list(string) + description = "Regex patterns to deny requests" +} + +variable "error_action_group_id" { + type = string + description = "Azure Monitor error action group id" +} \ No newline at end of file diff --git a/src/common/_modules/event_hubs/data.tf b/src/common/_modules/event_hubs/data.tf index 79a65d30f..76a5d9945 100644 --- a/src/common/_modules/event_hubs/data.tf +++ b/src/common/_modules/event_hubs/data.tf @@ -1,5 +1,5 @@ data "azurerm_subnet" "function_elt_snet" { name = "fn3eltout" - resource_group_name = var.resource_group_common + resource_group_name = var.resource_groups.common virtual_network_name = var.vnet_common.name } \ No newline at end of file diff --git a/src/common/_modules/event_hubs/main.tf b/src/common/_modules/event_hubs/main.tf index 55ad5abf9..4f75ca6b5 100644 --- a/src/common/_modules/event_hubs/main.tf +++ b/src/common/_modules/event_hubs/main.tf 
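Review bot: The `prefix` validation rejects 6-character values while its message says `Max length is 6 chars.` — `length(var.prefix) < 6` admits at most 5 characters, so either the condition should read `length(var.prefix) <= 6` or the message should say 5. `min_capacity` and `max_capacity` are the only variables without a `description`; one line each (e.g. `description = "Minimum autoscale capacity units"`) keeps the generated module docs complete. `resource_groups` is typed `map(string)` although `networking.tf` and `rbac.tf` read the fixed keys `common`, `external` and `sec`; a `validation` block checking those keys are present (or an `object` type listing them) would document the contract and give a clearer plan-time error than the generic missing-key message. The same applies to `datasources`, declared `map(any)` but read as `var.datasources.azurerm_client_config.tenant_id`.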
@@ -9,7 +9,7 @@ module "eventhub_snet" { source = "github.com/pagopa/terraform-azurerm-v3//subnet?ref=v8.35.0" name = try(local.nonstandard[var.location_short].evh-snet, "${var.project}-evh-snet-01") address_prefixes = var.cidr_subnet - resource_group_name = var.resource_group_common + resource_group_name = var.resource_groups.common virtual_network_name = var.vnet_common.name service_endpoints = ["Microsoft.EventHub"] private_endpoint_network_policies_enabled = false diff --git a/src/common/_modules/event_hubs/variables.tf b/src/common/_modules/event_hubs/variables.tf index d7e81391a..bce328db7 100644 --- a/src/common/_modules/event_hubs/variables.tf +++ b/src/common/_modules/event_hubs/variables.tf @@ -27,10 +27,9 @@ variable "servicebus_dns_zone" { description = "Private link servicebus dns zone information" } -variable "resource_group_common" { - type = string - description = "Name of common resource group" - default = null +variable "resource_groups" { + type = map(string) + description = "Resource group names" } variable "vnet_common" { diff --git a/src/common/_modules/global/modules/dns/outputs.tf b/src/common/_modules/global/modules/dns/outputs.tf index 2488bd4db..0fedf3972 100644 --- a/src/common/_modules/global/modules/dns/outputs.tf +++ b/src/common/_modules/global/modules/dns/outputs.tf @@ -10,7 +10,7 @@ output "public_dns_zones" { } firmaconio_selfcare_pagopa_it = { - name = azurerm_dns_zone.io_pagopa_it.name + name = azurerm_dns_zone.firmaconio_selfcare_pagopa_it.name } io_italia_it = { @@ -21,7 +21,7 @@ output "public_dns_zones" { } io_selfcare_pagopa_it = { - name = azurerm_dns_zone.io_pagopa_it.name + name = azurerm_dns_zone.io_selfcare_pagopa_it.name api = trimsuffix(azurerm_dns_a_record.api_io_selfcare_pagopa_it.fqdn, ".") } @@ -36,3 +36,7 @@ output "private_dns_zones" { servicebus = azurerm_private_dns_zone.privatelink_servicebus } } + +output "external_domain" { + value = var.external_domain +} 
diff --git a/src/common/_modules/monitoring/outputs.tf b/src/common/_modules/monitoring/outputs.tf
new file mode 100644
index 000000000..d088152f5
--- /dev/null
+++ b/src/common/_modules/monitoring/outputs.tf
@@ -0,0 +1,9 @@
+output "action_groups" {
+ value = {
+ error = azurerm_monitor_action_group.error.id
+ quarantine_error = azurerm_monitor_action_group.quarantine_error.id
+ trial_system_error = azurerm_monitor_action_group.trial_system_error.id
+ email = azurerm_monitor_action_group.email.id
+ slack = azurerm_monitor_action_group.slack.id
+ }
+}
\ No newline at end of file
diff --git a/src/common/prod/.terraform.lock.hcl b/src/common/prod/.terraform.lock.hcl
index 9ef35e4f0..86e8ae303 100644
--- a/src/common/prod/.terraform.lock.hcl
+++ b/src/common/prod/.terraform.lock.hcl
@@ -1,6 +1,25 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/azuread" { + version = "2.53.1" + hashes = [ + "h1:EZNO8sEtUABuRxujQrDrW1z1QsG0dq6iLbzWtnG7Om4=", + "zh:162916b037e5133f49298b0ffa3e7dcef7d76530a8ca738e7293373980f73c68", + "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", + "zh:492931cea4f30887ab5bca36a8556dfcb897288eddd44619c0217fc5da2d57e7", + "zh:4c895e450e18335ad8714cc6d3488fc1a78816ad2851a91b06cb2ef775dd7c66", + "zh:60d92fdaf7235574201f2d8f68f733ee00a822993b3fc95e6952e09e6ec76999", + "zh:67a169119efa41c1fb867ef1a8e79bf03472a2324384c36eb55370c817dcce42", + "zh:9dd4d5ed9233cf9329262200bc5a1aa60942b80dbc611e2ef4b09f47531b39b1", + "zh:a3c160e35b9e40fc1497b83c2f37a8e24565b05a1783c7733609f3695735c2a9", + "zh:a4a221da42b1f46e7c436c7145e5beaadfd9d03f3be6fd526d132c03f18a5979", + "zh:af0d3476a9702d2287e168e3baa670e64daab9c9b01c01e17025a5248f3e28e9", + "zh:e3579bff7894f3d36066b74ec324be6d28f56a42a387a2b8a0eabf33cbff86df", + "zh:f1749ee8ad972ae6424665aa9d2c0ece8c40c51d41ec2f38b863148cb437e865", + ] +} + provider "registry.terraform.io/hashicorp/azurerm" { version = "3.114.0" constraints = "~> 3.30, <= 3.114.0" diff --git a/src/common/prod/README.md b/src/common/prod/README.md index 620f9893b..afdc083c6 100644 --- a/src/common/prod/README.md +++ b/src/common/prod/README.md @@ -10,6 +10,7 @@ | Name | Source | Version | |------|--------|---------| +| [application\_gateway\_weu](#module\_application\_gateway\_weu) | ../_modules/application_gateway | n/a | | [event\_hubs\_weu](#module\_event\_hubs\_weu) | ../_modules/event_hubs | n/a | | [global](#module\_global) | ../_modules/global | n/a | | [monitoring\_weu](#module\_monitoring\_weu) | ../_modules/monitoring | n/a | 
@@ -19,8 +20,10 @@ | Name | Type | |------|------| | [azurerm_api_management.apim_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source | -| [azurerm_monitor_action_group.error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | -| [azurerm_public_ip.appgateway_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/public_ip) | data source | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | +| [azurerm_linux_web_app.app_backendl1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source | +| [azurerm_linux_web_app.app_backendl2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source | +| [azurerm_linux_web_app.firmaconio_selfcare_web_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source | | [azurerm_resource_group.common_weu](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | | [azurerm_virtual_network.weu_beta](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source | | [azurerm_virtual_network.weu_prod01](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source | diff --git a/src/common/prod/data.tf b/src/common/prod/data.tf index 5300e53d6..746ec9192 100644 --- a/src/common/prod/data.tf +++ b/src/common/prod/data.tf 
@@ -1,15 +1,3 @@ -# TODO: remove when monitor module is implemented -data "azurerm_monitor_action_group" "error_action_group" { - resource_group_name = "${local.project_weu_legacy}-rg-common" - name = "${replace(local.project_weu_legacy, "-", "")}error" -} - -# TODO: remove when app gateway module is implemented -data "azurerm_public_ip" "appgateway_public_ip" { - name = format("${local.project_weu_legacy}-appgateway-pip") - resource_group_name = "${local.project_weu_legacy}-rg-external" -} - # TODO: remove when apim v2 module is implemented data "azurerm_api_management" "apim_v2" { name = "${local.project_weu_legacy}-apim-v2-api" @@ -36,3 +24,22 @@ data "terraform_remote_state" "core" { key = "io-infra.core.prod.italynorth.tfstate" } } + +data "azurerm_client_config" "current" {} + +data "azurerm_linux_web_app" "firmaconio_selfcare_web_app" { + name = "${local.project_weu_legacy}-sign-backoffice-app" + resource_group_name = "${local.project_weu_legacy}-sign-backend-rg" +} + +# TODO: remove if app_backend module is moved in core or common +data "azurerm_linux_web_app" "app_backendl1" { + name = "${local.project_weu_legacy}-app-appbackendl1" + resource_group_name = "${local.project_weu_legacy}-rg-linux" +} + +# TODO: remove if app_backend module is moved in core or common +data "azurerm_linux_web_app" "app_backendl2" { + name = "${local.project_weu_legacy}-app-appbackendl2" + resource_group_name = "${local.project_weu_legacy}-rg-linux" +} diff --git a/src/common/prod/global.tf b/src/common/prod/global.tf index c9f4eadb5..a830585f7 100644 --- a/src/common/prod/global.tf +++ b/src/common/prod/global.tf 
@@ -43,8 +43,7 @@ module "global" { firmaconio_selfcare = "firmaconio.selfcare" } - # TODO: remove when app gateway module is implemented - app_gateway_public_ip = data.azurerm_public_ip.appgateway_public_ip.ip_address + app_gateway_public_ip = module.application_gateway_weu.public_ip.address # TODO: remove when apim v2 module is implemented apim_v2_private_ip = data.azurerm_api_management.apim_v2.private_ip_addresses[0] diff --git a/src/common/prod/import.tf b/src/common/prod/import.tf deleted file mode 100644 index 70ef7acd0..000000000 --- a/src/common/prod/import.tf +++ /dev/null 
@@ -1,289 +0,0 @@ -import { - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/components/io-p-ai-common" - to = module.monitoring_weu.azurerm_application_insights.appi -} - -import { - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/CIE-test-io-p-ai-common" - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["CIE"] -} - -import { - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/Spid-registry-test-io-p-ai-common" - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["Spid-registry"] -} - -import { - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/SpidL2-arubaid-test-io-p-ai-common" - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["SpidL2-arubaid"] -} - -import { - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/SpidL2-infocamere-test-io-p-ai-common" - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["SpidL2-infocamere"] -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["SpidL2-infocertid"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/SpidL2-infocertid-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["SpidL2-lepidaid"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/SpidL2-lepidaid-test-io-p-ai-common" -} - -import { - to = 
module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["SpidL2-namirialid"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/SpidL2-namirialid-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["SpidL2-posteid"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/SpidL2-posteid-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["SpidL2-sielteid"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/SpidL2-sielteid-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["SpidL2-spiditalia"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/SpidL2-spiditalia-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["api-app.io.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/api-app.io.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["api-mtls.io.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/api-mtls.io.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["api-web.io.pagopa.it"] - id = 
"/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/api-web.io.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["api.io.italia.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/api.io.italia.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["api.io.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/api.io.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["api.io.selfcare.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/api.io.selfcare.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["app-backend.io.italia.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/app-backend.io.italia.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["assets.cdn.io.italia.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/assets.cdn.io.italia.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["assets.cdn.io.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/assets.cdn.io.pagopa.it-test-io-p-ai-common" -} - -import { - to = 
module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["continua.io.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/continua.io.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["developerportal-backend.io.italia.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/developerportal-backend.io.italia.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["firmaconio.selfcare.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/firmaconio.selfcare.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["github-raw-status-backend"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/github-raw-status-backend-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["io.italia.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/io.italia.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_application_insights_standard_web_test.web_tests["io.selfcare.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/webTests/io.selfcare.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_log_analytics_workspace.log - id = 
"/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.OperationalInsights/workspaces/io-p-law-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_action_group.email - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/actionGroups/EmailPagoPA" -} - -import { - to = module.monitoring_weu.azurerm_monitor_action_group.error - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/actionGroups/ioperror" -} - -import { - to = module.monitoring_weu.azurerm_monitor_action_group.quarantine_error - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/actionGroups/iopquarantineerror" -} - -import { - to = module.monitoring_weu.azurerm_monitor_action_group.slack - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/actionGroups/SlackPagoPA" -} - -import { - to = module.monitoring_weu.azurerm_monitor_action_group.trial_system_error - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/actionGroups/ioptrialsystemerror" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["CIE"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/CIE-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["Spid-registry"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/Spid-registry-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["SpidL2-arubaid"] - id = 
"/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/SpidL2-arubaid-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["SpidL2-infocamere"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/SpidL2-infocamere-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["SpidL2-infocertid"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/SpidL2-infocertid-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["SpidL2-lepidaid"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/SpidL2-lepidaid-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["SpidL2-namirialid"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/SpidL2-namirialid-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["SpidL2-posteid"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/SpidL2-posteid-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["SpidL2-sielteid"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/SpidL2-sielteid-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["SpidL2-spiditalia"] - id = 
"/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/SpidL2-spiditalia-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["api-app.io.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/api-app.io.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["api-mtls.io.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/api-mtls.io.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["api-web.io.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/api-web.io.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["api.io.italia.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/api.io.italia.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["api.io.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/api.io.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["api.io.selfcare.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/api.io.selfcare.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["app-backend.io.italia.it"] - id = 
"/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/app-backend.io.italia.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["assets.cdn.io.italia.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/assets.cdn.io.italia.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["assets.cdn.io.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/assets.cdn.io.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["continua.io.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/continua.io.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["developerportal-backend.io.italia.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/developerportal-backend.io.italia.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["firmaconio.selfcare.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/firmaconio.selfcare.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["github-raw-status-backend"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/github-raw-status-backend-test-io-p-ai-common" -} - -import { - to = 
module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["io.italia.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/io.italia.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_metric_alert.metric_alerts["io.selfcare.pagopa.it"] - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/metricAlerts/io.selfcare.pagopa.it-test-io-p-ai-common" -} - -import { - to = module.monitoring_weu.azurerm_monitor_scheduled_query_rules_alert_v2.mailup - id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Insights/scheduledQueryRules/[SEND.MAILUP.COM] Many Failures" -} diff --git a/src/common/prod/locals.tf b/src/common/prod/locals.tf index 4ec0faac5..dfbca0922 100644 --- a/src/common/prod/locals.tf +++ b/src/common/prod/locals.tf @@ -17,6 +17,25 @@ locals { core = data.terraform_remote_state.core.outputs + # TODO: edit this block when resource groups module is implemented + resource_groups = { + weu = { + common = "${local.project_weu_legacy}-rg-common" + internal = "${local.project_weu_legacy}-rg-internal" + external = "${local.project_weu_legacy}-rg-external" + event = "${local.project_weu_legacy}-evt-rg" + sec = "${local.project_weu_legacy}-sec-rg" + } + + itn = { + common = "${local.project_itn}-common-rg-01" + internal = "${local.project_itn}-common-rg-01" + external = "${local.project_itn}-common-rg-01" + event = "${local.project_itn}-common-rg-01" + sec = "${local.project_itn}-sec-rg-01" + } + } + eventhubs = [ { name = "io-cosmosdb-services" diff --git a/src/common/prod/westeurope.tf b/src/common/prod/westeurope.tf index 7e086d96d..0063be87d 100644 --- a/src/common/prod/westeurope.tf +++ b/src/common/prod/westeurope.tf 
@@ -9,11 +9,11 @@ module "event_hubs_weu" { location_short = local.location_short[data.azurerm_resource_group.common_weu.location] project = local.project_weu_legacy - resource_group_common = data.azurerm_resource_group.common_weu.name + resource_groups = local.resource_groups[local.location_short[data.azurerm_resource_group.common_weu.location]] servicebus_dns_zone = module.global.dns.private_dns_zones.servicebus vnet_common = local.core.networking.weu.vnet_common key_vault = local.core.key_vault.weu.kv - error_action_group_id = data.azurerm_monitor_action_group.error_action_group.id + error_action_group_id = module.monitoring_weu.action_groups.error cidr_subnet = ["10.0.10.0/24"] sku_name = "Standard" 
@@ -281,3 +281,52 @@ module "monitoring_weu" {
 tags = local.tags
 }
+module "application_gateway_weu" {
+ source = "../_modules/application_gateway"
+
+ location = data.azurerm_resource_group.common_weu.location
+ location_short = local.location_short[data.azurerm_resource_group.common_weu.location]
+ project = local.project_weu_legacy
+ prefix = local.prefix
+
+ datasources = {
+ azurerm_client_config = data.azurerm_client_config.current
+ }
+
+ resource_groups = local.resource_groups[local.location_short[data.azurerm_resource_group.common_weu.location]]
+
+ vnet_common = local.core.networking.weu.vnet_common
+ key_vault = local.core.key_vault.weu.kv
+ key_vault_common = local.core.key_vault.weu.kv_common
+ external_domain = module.global.dns.external_domain
+ public_dns_zones = module.global.dns.public_dns_zones
+
+ backend_hostnames = {
+ firmaconio_selfcare_web_app = data.azurerm_linux_web_app.firmaconio_selfcare_web_app.default_hostname
+ app_backendl1 = data.azurerm_linux_web_app.app_backendl1.default_hostname
+ app_backendl2 = data.azurerm_linux_web_app.app_backendl2.default_hostname
+ }
+ certificates = {
+ api = "api-io-pagopa-it"
+ api_mtls = "api-mtls-io-pagopa-it"
+ api_app = "api-app-io-pagopa-it"
+ api_web = "api-web-io-pagopa-it"
+ api_io_italia_it = "api-io-italia-it"
+ app_backend_io_italia_it = "app-backend-io-italia-it"
+ developerportal_backend_io_italia_it = "developerportal-backend-io-italia-it"
+ api_io_selfcare_pagopa_it = "api-io-selfcare-pagopa-it"
+ firmaconio_selfcare_pagopa_it = "firmaconio-selfcare-pagopa-it"
+ continua_io_pagopa_it = "continua-io-pagopa-it"
+ selfcare_io_pagopa_it = "selfcare-io-pagopa-it"
+ oauth_io_pagopa_it = "oauth-io-pagopa-it"
+ }
+
+ cidr_subnet = ["10.0.13.0/24"]
+ min_capacity = 4 # 4 capacity=baseline, 10 capacity=high volume event, 15 capacity=very high volume event
+ max_capacity = 50
+ alerts_enabled = true
+ deny_paths = ["\\/admin\\/(.*)"]
+ error_action_group_id = module.monitoring_weu.action_groups.error
+
+ tags = merge(local.tags, { Source = "https://github.com/pagopa/io-infra" })
+}
diff --git a/src/core/99_variables.tf b/src/core/99_variables.tf
index 3d51a6fc6..fae7dccf3 100644
--- a/src/core/99_variables.tf
+++ b/src/core/99_variables.tf
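Review bot: `tags = merge(local.tags, { Source = "https://github.com/pagopa/io-infra" })` on the new `module "application_gateway_weu"` call diverges from the sibling `module "monitoring_weu"` block visible at the top of the hunk, which passes `tags = local.tags`; either the `Source` tag belongs in `local.tags` so every module in this file carries it, or this call should use `tags = local.tags` like its neighbour. The twelve entries of `certificates` also lose the description the deleted `app_gateway_*_certificate_name` variables carried; a one-line comment above the map, `# Application Gateway certificate names on Key Vault`, would keep that documented. `deny_paths`, the capacity values and the certificate names are now literals in this file rather than tfvars inputs, which is fine for a single-environment stack but is worth a comment if other environments are expected to reuse this file.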
@@ -321,89 +321,6 @@ variable "vpn_pip_sku" {
 description = "VPN GW PIP SKU"
 }
-## Application Gateway
-variable "app_gateway_api_certificate_name" {
- type = string
- description = "Application gateway api certificate name on Key Vault"
-}
-
-variable "app_gateway_api_app_certificate_name" {
- type = string
- description = "Application gateway api certificate name on Key Vault"
-}
-
-variable "app_gateway_api_web_certificate_name" {
- type = string
- description = "Application gateway api certificate name on Key Vault"
-}
-
-variable "app_gateway_api_mtls_certificate_name" {
- type = string
- description = "Application gateway api certificate name on Key Vault"
-}
-
-variable "app_gateway_api_io_italia_it_certificate_name" {
- type = string
- description = "Application gateway api certificate name on Key Vault"
-}
-
-variable "app_gateway_app_backend_io_italia_it_certificate_name" {
- type = string
- description = "Application gateway api certificate name on Key Vault"
-}
-
-variable "app_gateway_developerportal_backend_io_italia_it_certificate_name" {
- type = string
- description = "Application gateway api certificate name on Key Vault"
-}
-
-variable "app_gateway_api_io_selfcare_pagopa_it_certificate_name" {
- type = string
- description = "Application gateway api certificate name on Key Vault"
-}
-
-variable "app_gateway_oauth_io_pagopa_it_certificate_name" {
- type = string
- description = "Application gateway oauth certificate name on Key Vault"
-}
-
-variable "app_gateway_firmaconio_selfcare_pagopa_it_certificate_name" {
- type = string
- description = "Application gateway api certificate name on Key Vault"
-}
-
-variable "app_gateway_continua_io_pagopa_it_certificate_name" {
- type = string
- description = "Application gateway continua certificate name on Key Vault"
-}
-
-variable "app_gateway_selfcare_io_pagopa_it_certificate_name" {
- type = string
- description = "Application gateway selfcare-io certificate name on Key Vault"
-}
-
-variable "app_gateway_min_capacity" {
- type = number
- default = 0
-}
-
-variable "app_gateway_max_capacity" {
- type = number
- default = 2
-}
-
-variable "app_gateway_alerts_enabled" {
- type = bool
- description = "Enable alerts"
- default = true
-}
-
-variable "app_gateway_deny_paths" {
- type = list(string)
- description = "Regex patterns to deny requests"
-}
-##
-
 ## Apim
 variable "apim_publisher_name" {
 type = string
diff --git a/src/core/README.md b/src/core/README.md
index ec4cb32bd..edc74fd30 100644
--- a/src/core/README.md
+++ b/src/core/README.md
@@ -40,8 +40,6 @@
 | [app\_backendl1\_snet](#module\_app\_backendl1\_snet) | github.com/pagopa/terraform-azurerm-v3//subnet | v8.27.0 |
 | [app\_backendl2\_snet](#module\_app\_backendl2\_snet) | github.com/pagopa/terraform-azurerm-v3//subnet | v8.27.0 |
 | [app\_backendli\_snet](#module\_app\_backendli\_snet) | github.com/pagopa/terraform-azurerm-v3//subnet | v8.27.0 |
-| [app\_gw](#module\_app\_gw) | github.com/pagopa/terraform-azurerm-v3//app_gateway | v8.31.0 |
-| [appgateway\_snet](#module\_appgateway\_snet) | github.com/pagopa/terraform-azurerm-v3//subnet | v8.27.0 |
 | [appservice\_app\_backendl1](#module\_appservice\_app\_backendl1) | github.com/pagopa/terraform-azurerm-v3//app_service | v8.31.0 |
 | [appservice\_app\_backendl1\_slot\_staging](#module\_appservice\_app\_backendl1\_slot\_staging) | github.com/pagopa/terraform-azurerm-v3//app_service_slot | v8.31.0 |
 | [appservice\_app\_backendl2](#module\_appservice\_app\_backendl2) | github.com/pagopa/terraform-azurerm-v3//app_service | v8.31.0 |
@@ -96,10 +94,6 @@ | [azurerm_dns_cname_record.assets_cdn_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_cname_record) | resource | | [azurerm_dns_cname_record.assets_cdn_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_cname_record) | resource | | [azurerm_key_vault_access_policy.apim_v2_kv_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | -| [azurerm_key_vault_access_policy.app_gateway_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | -| [azurerm_key_vault_access_policy.app_gateway_policy_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | -| [azurerm_key_vault_access_policy.app_gateway_policy_ioweb](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | -| [azurerm_key_vault_access_policy.app_gw_uai_kvreader_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | | [azurerm_key_vault_access_policy.v2_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | | [azurerm_key_vault_secret.appbackend-NORIFICATIONS-STORAGE](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.appbackend-PUSH-NOTIFICATIONS-STORAGE](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | 
@@ -116,7 +110,6 @@ | [azurerm_monitor_metric_alert.too_many_http_5xx](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource | | [azurerm_network_security_group.nsg_apim](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource | | [azurerm_private_endpoint.locked_profiles_storage_table](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | -| [azurerm_public_ip.appgateway_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource | | [azurerm_public_ip.public_ip_apim](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource | | [azurerm_resource_group.assets_cdn_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.azdo_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | 
@@ -138,9 +131,6 @@ | [azurerm_subnet_nat_gateway_association.app_backendl2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_nat_gateway_association) | resource | | [azurerm_subnet_nat_gateway_association.app_backendli_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_nat_gateway_association) | resource | | [azurerm_subnet_network_security_group_association.snet_nsg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association) | resource | -| [azurerm_user_assigned_identity.appgateway](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | -| [azurerm_web_application_firewall_policy.api_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/web_application_firewall_policy) | resource | -| [azuread_service_principal.app_gw_uai_kvreader](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source | | [azurerm_api_management.trial_system](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source | | [azurerm_api_management_group.api_v2_lollipop_assertion_read](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management_group) | data source | | [azurerm_api_management_product.apim_v2_product_lollipop](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management_product) | data source | 
@@ -166,23 +156,10 @@ | [azurerm_eventhub_authorization_rule.io-p-messages-weu-prod01-evh-ns_message-status_io-fn-messages-cqrs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/eventhub_authorization_rule) | data source | | [azurerm_eventhub_authorization_rule.io-p-messages-weu-prod01-evh-ns_messages_io-fn-messages-cqrs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/eventhub_authorization_rule) | data source | | [azurerm_eventhub_authorization_rule.io-p-payments-weu-prod01-evh-ns_payment-updates_io-fn-messages-cqrs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/eventhub_authorization_rule) | data source | -| [azurerm_key_vault.ioweb_kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | | [azurerm_key_vault.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | | [azurerm_key_vault.key_vault_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | | [azurerm_key_vault_certificate.api_app_internal_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | | [azurerm_key_vault_certificate.api_internal_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | -| [azurerm_key_vault_certificate.app_gw_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | -| [azurerm_key_vault_certificate.app_gw_api_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | -| 
[azurerm_key_vault_certificate.app_gw_api_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | -| [azurerm_key_vault_certificate.app_gw_api_io_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | -| [azurerm_key_vault_certificate.app_gw_api_mtls](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | -| [azurerm_key_vault_certificate.app_gw_api_web](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | -| [azurerm_key_vault_certificate.app_gw_app_backend_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | -| [azurerm_key_vault_certificate.app_gw_continua](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | -| [azurerm_key_vault_certificate.app_gw_developerportal_backend_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | -| [azurerm_key_vault_certificate.app_gw_firmaconio_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | -| [azurerm_key_vault_certificate.app_gw_oauth](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | -| [azurerm_key_vault_certificate.app_gw_selfcare_io](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data source | | [azurerm_key_vault_secret.api_gad_client_certificate_verified_header_secret_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) 
| data source | | [azurerm_key_vault_secret.apim_publisher_email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.apim_services_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | @@ -213,7 +190,6 @@ | [azurerm_key_vault_secret.app_backend_TEST_CGN_FISCAL_CODES](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.app_backend_TRIAL_SYSTEM_API_KEY](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.app_backend_UNIQUE_EMAIL_ENFORCEMENT_USER](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | -| [azurerm_key_vault_secret.app_gw_mtls_header_name](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.assets_cdn_fn_key_cdn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.fn_eucovidcert_API_KEY_APPBACKEND](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.fn_eucovidcert_API_KEY_PUBLICIOEVENTDISPATCHER](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | 
@@ -237,9 +213,6 @@ | [azurerm_linux_web_app.appservice_devportal_be](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source | | [azurerm_linux_web_app.appservice_selfcare_be](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source | | [azurerm_linux_web_app.cms_backoffice_app_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source | -| [azurerm_linux_web_app.fims_op_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source | -| [azurerm_linux_web_app.firmaconio_selfcare_web_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source | -| [azurerm_linux_web_app.session_manager](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source | | [azurerm_monitor_action_group.error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | | [azurerm_nat_gateway.ng](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/nat_gateway) | data source | | [azurerm_private_dns_zone.privatelink_azurewebsites](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | 
@@ -255,6 +228,7 @@ | [azurerm_storage_account.push_notifications_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source | | [azurerm_storage_account.storage_apievents](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source | | [azurerm_subnet.admin_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | +| [azurerm_subnet.appgateway_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.function_let_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.functions_fast_login_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.functions_service_messages_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | 
@@ -278,22 +252,6 @@ | [app\_backend\_names](#input\_app\_backend\_names) | App backend instance names | `list(string)` | `[]` | no | | [app\_backend\_plan\_sku\_size](#input\_app\_backend\_plan\_sku\_size) | App backend app plan sku size | `string` | `"P1v3"` | no | | [app\_backend\_plan\_sku\_tier](#input\_app\_backend\_plan\_sku\_tier) | App backend app plan sku tier | `string` | `"PremiumV3"` | no | -| [app\_gateway\_alerts\_enabled](#input\_app\_gateway\_alerts\_enabled) | Enable alerts | `bool` | `true` | no | -| [app\_gateway\_api\_app\_certificate\_name](#input\_app\_gateway\_api\_app\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes | -| [app\_gateway\_api\_certificate\_name](#input\_app\_gateway\_api\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes | -| [app\_gateway\_api\_io\_italia\_it\_certificate\_name](#input\_app\_gateway\_api\_io\_italia\_it\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes | -| [app\_gateway\_api\_io\_selfcare\_pagopa\_it\_certificate\_name](#input\_app\_gateway\_api\_io\_selfcare\_pagopa\_it\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes | -| [app\_gateway\_api\_mtls\_certificate\_name](#input\_app\_gateway\_api\_mtls\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes | -| [app\_gateway\_api\_web\_certificate\_name](#input\_app\_gateway\_api\_web\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes | -| [app\_gateway\_app\_backend\_io\_italia\_it\_certificate\_name](#input\_app\_gateway\_app\_backend\_io\_italia\_it\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes | -| 
[app\_gateway\_continua\_io\_pagopa\_it\_certificate\_name](#input\_app\_gateway\_continua\_io\_pagopa\_it\_certificate\_name) | Application gateway continua certificate name on Key Vault | `string` | n/a | yes | -| [app\_gateway\_deny\_paths](#input\_app\_gateway\_deny\_paths) | Regex patterns to deny requests | `list(string)` | n/a | yes | -| [app\_gateway\_developerportal\_backend\_io\_italia\_it\_certificate\_name](#input\_app\_gateway\_developerportal\_backend\_io\_italia\_it\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes | -| [app\_gateway\_firmaconio\_selfcare\_pagopa\_it\_certificate\_name](#input\_app\_gateway\_firmaconio\_selfcare\_pagopa\_it\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes | -| [app\_gateway\_max\_capacity](#input\_app\_gateway\_max\_capacity) | n/a | `number` | `2` | no | -| [app\_gateway\_min\_capacity](#input\_app\_gateway\_min\_capacity) | n/a | `number` | `0` | no | -| [app\_gateway\_oauth\_io\_pagopa\_it\_certificate\_name](#input\_app\_gateway\_oauth\_io\_pagopa\_it\_certificate\_name) | Application gateway oauth certificate name on Key Vault | `string` | n/a | yes | -| [app\_gateway\_selfcare\_io\_pagopa\_it\_certificate\_name](#input\_app\_gateway\_selfcare\_io\_pagopa\_it\_certificate\_name) | Application gateway selfcare-io certificate name on Key Vault | `string` | n/a | yes | | [application\_insights\_name](#input\_application\_insights\_name) | The common Application Insights name | `string` | `""` | no | | [azdo\_sp\_tls\_cert\_enabled](#input\_azdo\_sp\_tls\_cert\_enabled) | Enable Azure DevOps connection for TLS cert management | `string` | `false` | no | | [azdoa\_image\_name](#input\_azdoa\_image\_name) | Azure DevOps Agent image name | `string` | n/a | yes | diff --git a/src/core/app_backend.tf b/src/core/app_backend.tf index 2c9c73802..be93112ab 100644 --- a/src/core/app_backend.tf +++ b/src/core/app_backend.tf 
@@ -669,7 +669,7 @@ module "appservice_app_backendl1" {
 allowed_subnets = [
 data.azurerm_subnet.services_snet[0].id,
 data.azurerm_subnet.services_snet[1].id,
- module.appgateway_snet.id,
+ data.azurerm_subnet.appgateway_snet.id,
 module.apim_v2_snet.id,
 ]
@@ -720,7 +720,7 @@ module "appservice_app_backendl1_slot_staging" {
 module.azdoa_snet[0].id,
 data.azurerm_subnet.services_snet[0].id,
 data.azurerm_subnet.services_snet[1].id,
- module.appgateway_snet.id,
+ data.azurerm_subnet.appgateway_snet.id,
 module.apim_v2_snet.id,
 ]
@@ -799,7 +799,7 @@ module "appservice_app_backendl2" {
 allowed_subnets = [
 data.azurerm_subnet.services_snet[0].id,
 data.azurerm_subnet.services_snet[1].id,
- module.appgateway_snet.id,
+ data.azurerm_subnet.appgateway_snet.id,
 module.apim_v2_snet.id,
 ]
@@ -850,7 +850,7 @@ module "appservice_app_backendl2_slot_staging" {
 module.azdoa_snet[0].id,
 data.azurerm_subnet.services_snet[0].id,
 data.azurerm_subnet.services_snet[1].id,
- module.appgateway_snet.id,
+ data.azurerm_subnet.appgateway_snet.id,
 module.apim_v2_snet.id,
 ]
diff --git a/src/core/data.tf b/src/core/data.tf
index 8d0648abe..b1e1570de 100644
--- a/src/core/data.tf
+++ b/src/core/data.tf
@@ -438,3 +438,13 @@ data "azurerm_dns_a_record" "api_io_italia_it" {
 zone_name = data.azurerm_dns_zone.io_italia_it.name
 resource_group_name = "${local.project}-rg-external"
 }
+
+#
+# AppGateway
+#
+
+data "azurerm_subnet" "appgateway_snet" {
+ name = "${local.project}-appgateway-snet"
+ resource_group_name = azurerm_resource_group.rg_common.name
+ virtual_network_name = data.azurerm_virtual_network.common.name
+}
\ No newline at end of file
diff --git a/src/core/env/prod/terraform.tfvars b/src/core/env/prod/terraform.tfvars
index a139ae1de..a43636930 100644
--- a/src/core/env/prod/terraform.tfvars
+++ b/src/core/env/prod/terraform.tfvars
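Review bot: The new `data "azurerm_subnet" "appgateway_snet"` in src/core/data.tf is looked up under `azurerm_resource_group.rg_common` while the subnet itself is presumably now created by `module.application_gateway_weu` in src/common/prod (the `cidr_subnet = ["10.0.13.0/24"]` input); nothing in this diff records that the common stack must be applied first or that both stacks must agree on the `-appgateway-snet` name, and a failed lookup here breaks every `allowed_subnets` list in src/core/app_backend.tf that this commit switches to the data source. A comment above the block, `# Read-only: this subnet is managed by module.application_gateway_weu in src/common/prod; apply that stack first`, would make the cross-stack dependency visible to whoever runs the core plan. The added block also ends with `\ No newline at end of file`, which `terraform fmt` will rewrite on the next touch.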
@@ -63,23 +63,6 @@ cidr_subnet_dnsforwarder = ["10.0.252.8/29"]
 # just for reminder: declared in https://github.com/pagopa/io-infra/blob/main/src/domains/ioweb-app/env/weu-prod01/terraform.tfvars
 # subnet for ioweb_profile -> cidr_subnet_fniowebprofile = ["10.0.117.0/24"]
-app_gateway_api_certificate_name = "api-io-pagopa-it"
-app_gateway_api_mtls_certificate_name = "api-mtls-io-pagopa-it"
-app_gateway_api_app_certificate_name = "api-app-io-pagopa-it"
-app_gateway_api_web_certificate_name = "api-web-io-pagopa-it"
-app_gateway_api_io_italia_it_certificate_name = "api-io-italia-it"
-app_gateway_app_backend_io_italia_it_certificate_name = "app-backend-io-italia-it"
-app_gateway_developerportal_backend_io_italia_it_certificate_name = "developerportal-backend-io-italia-it"
-app_gateway_api_io_selfcare_pagopa_it_certificate_name = "api-io-selfcare-pagopa-it"
-app_gateway_firmaconio_selfcare_pagopa_it_certificate_name = "firmaconio-selfcare-pagopa-it"
-app_gateway_continua_io_pagopa_it_certificate_name = "continua-io-pagopa-it"
-app_gateway_selfcare_io_pagopa_it_certificate_name = "selfcare-io-pagopa-it"
-app_gateway_oauth_io_pagopa_it_certificate_name = "oauth-io-pagopa-it"
-app_gateway_min_capacity = 4 # 4 capacity=baseline, 10 capacity=high volume event, 15 capacity=very high volume event
-app_gateway_max_capacity = 50
-app_gateway_alerts_enabled = true
-app_gateway_deny_paths = ["\\/admin\\/(.*)"]
-
 ## REDIS COMMON ##
 redis_common = {
 capacity = 2
diff --git a/src/core/firmaconio.tf b/src/core/firmaconio.tf
index ff9874370..ff95c94b4 100644
--- a/src/core/firmaconio.tf
+++ b/src/core/firmaconio.tf
@@ -6,9 +6,3 @@ locals {
 }
 }
 }
-
-
-data "azurerm_linux_web_app" "firmaconio_selfcare_web_app" {
- name = format("%s-backoffice-app", local.firmaconio_project)
- resource_group_name = local.firmaconio.resource_group_names.backend
-}
\ No newline at end of file
diff --git a/src/core/refactor.tf b/src/core/refactor.tf
new file mode 100644
index 000000000..e850fab92
--- /dev/null
+++ b/src/core/refactor.tf
@@ -0,0 +1,69 @@
+removed {
+ from = module.app_gw
+ lifecycle {
+ destroy = false
+ }
+}
+
+removed {
+ from = azurerm_key_vault_access_policy.app_gateway_policy
+ lifecycle {
+ destroy = false
+ }
+}
+
+removed {
+ from = azurerm_key_vault_access_policy.app_gateway_policy_common
+ lifecycle {
+ destroy = false
+ }
+}
+
+removed {
+ from = azurerm_key_vault_access_policy.app_gateway_policy_ioweb
+ lifecycle {
+ destroy = false
+ }
+}
+
+removed {
+ from = azurerm_key_vault_access_policy.app_gw_uai_kvreader_common
+ lifecycle {
+ destroy = false
+ }
+}
+
+removed {
+ from = azurerm_public_ip.appgateway_public_ip
+ lifecycle {
+ destroy = false
+ }
+}
+
+removed {
+ from = azurerm_user_assigned_identity.appgateway
+ lifecycle {
+ destroy = false
+ }
+}
+
+removed {
+ from = azurerm_web_application_firewall_policy.api_app
+ lifecycle {
+ destroy = false
+ }
+}
+
+removed {
+ from = azurerm_web_application_firewall_policy.api_app
+ lifecycle {
+ destroy = false
+ }
+}
+
+removed {
+ from = module.appgateway_snet
+ lifecycle {
+ destroy = false
+ }
+}
\ No newline at end of file
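Review bot: The `removed` block for `azurerm_web_application_firewall_policy.api_app` appears twice (the ninth and tenth blocks of the new file); Terraform is likely to reject a duplicated `from` address, and if it does not the second copy is dead text, so drop one. With `destroy = false` each listed address is forgotten from the core state but left in Azure; the matching `import` blocks that bring the gateway, WAF policy, public IP, user-assigned identity and the four Key Vault access policies under `module.application_gateway_weu` are not in this diff, so until they are applied those resources are unmanaged and configuration drift on them would go unnoticed. A header comment stating where those imports live, or that they were already applied, e.g. `# State hand-over to src/common/prod (module.application_gateway_weu); resources are kept, not destroyed`, would make the move auditable. The file also ends without a trailing newline (`\ No newline at end of file`).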