Merge branch 'main' into 369-vpn-gateway-configuration-for-site-2-sit…

…e-vpn-with-traffic-selectors
pagopa · Jan 16, 2025 · 8dc4d51 · 8dc4d51
2 parents fc0dbb2 + e57ed12
commit 8dc4d51
Show file tree

Hide file tree

Showing 31 changed files with 857 additions and 85 deletions.
diff --git a/azure_devops_agent/main.tf b/azure_devops_agent/main.tf
@@ -79,6 +79,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "this" {
       # Ignore changes to these tags because they are generated by az devops.
       tags["__AzureDevOpsElasticPool"],
       tags["__AzureDevOpsElasticPoolTimeStamp"],
+      instances
     ]
   }
 

diff --git a/azure_devops_agent_custom_image/packer/script-config.sh b/azure_devops_agent_custom_image/packer/script-config.sh
@@ -10,32 +10,33 @@ function check_command(){
   fi
 }
 
-# install zip unzip ca-certificates curl wget apt-transport-https lsb-release gnupg jq
+### install zip unzip ca-certificates curl wget apt-transport-https lsb-release gnupg jq
 apt-get -y update
 apt-get -y --allow-unauthenticated install zip unzip ca-certificates curl wget apt-transport-https lsb-release gnupg jq
 
 check_command "zip"
 check_command "unzip"
 check_command "jq"
 
-# install az cli
+### AZ CLI
 curl -sL https://aka.ms/InstallAzureCLIDeb | bash
 
 check_command "az"
 
-# install helm
-az acr helm install-cli -y --client-version 3.14.2
+### HELM
+az acr helm install-cli -y --client-version 3.16.3
 
 check_command "helm"
 
-# install kubectl
+### KUBECTL
 # https://kubernetes.io/releases/
 # https://github.com/Azure/kubelogin/releases
-az aks install-cli --client-version 1.29.7 --kubelogin-version 0.1.4
+az aks install-cli --client-version 1.29.11 --kubelogin-version 0.1.4
 
 check_command "kubectl"
 check_command "kubelogin"
 
+### DOCKER & DOCKER COMPOSE
 # setup DOCKER installation from https://docs.docker.com/engine/install/ubuntu/
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg |
     gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
@@ -49,44 +50,84 @@ apt-get -y install python3-pip
 
 check_command "python3"
 
-# DOCKER & DOCKER COMPOSE
 apt-get -y --allow-unauthenticated install docker-ce docker-ce-cli containerd.io docker-compose-plugin
 
 check_command "docker"
 
-# install YQ from https://github.com/mikefarah/yq#install
-YQ_VERSION="v4.43.1"
+### YQ from https://github.com/mikefarah/yq#install
+YQ_VERSION="v4.44.5"
 YQ_BINARY="yq_linux_amd64"
 wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/${YQ_BINARY}.tar.gz -O - |\
   tar xz && mv ${YQ_BINARY} /usr/bin/yq
 
 check_command "yq"
 
-# install SOPS from https://github.com/mozilla/sops
-SOPS_VERSION="3.9.0"
+### SOPS from https://github.com/mozilla/sops
+SOPS_VERSION="3.9.1"
 wget "https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops_${SOPS_VERSION}_amd64.deb"
 apt install -y "$PWD/sops_${SOPS_VERSION}_amd64.deb"
 
 check_command "sops"
 
-# install Velero
+### Velero
 VELERO_VERSION=v1.13.2
 wget https://github.com/vmware-tanzu/velero/releases/download/${VELERO_VERSION}/velero-${VELERO_VERSION}-linux-amd64.tar.gz && \
 tar -zxvf velero-${VELERO_VERSION}-linux-amd64.tar.gz && \
 sudo mv velero-${VELERO_VERSION}-linux-amd64/velero /usr/bin/velero
 
 check_command "velero"
 
-# install packer
+### Packer
 curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg && \
 echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list > /dev/null && \
 sudo apt-get update && \
 sudo apt-get install -y packer
 
 check_command "packer"
 
-# prepare machine for k6 large load test
+### TEMPORAL
+TEMPORAL_VERSION=1.1.2
+wget https://github.com/temporalio/cli/releases/download/v${TEMPORAL_VERSION}/temporal_cli_${TEMPORAL_VERSION}_linux_amd64.tar.gz && \
+tar -zxvf temporal_cli_${TEMPORAL_VERSION}_linux_amd64.tar.gz && \
+sudo mv temporal /usr/bin/temporal
 
+check_command "temporal"
+
+### ARGOCD
+ARGOCD_VERSION=2.13.1
+wget https://github.com/argoproj/argo-cd/releases/download/v${ARGOCD_VERSION}/argocd-linux-amd64 && \
+chmod +x argocd-linux-amd64 && \
+sudo mv argocd-linux-amd64 /usr/bin/argocd
+
+check_command "argocd"
+
+### NodeJS 20.x
+if [ -f /usr/share/keyrings/nodesource.gpg ]; then
+    echo "Removing existing NodeSource GPG key..."
+    rm -f /usr/share/keyrings/nodesource.gpg
+fi
+
+if [ -f /etc/apt/sources.list.d/nodesource.list ]; then
+    echo "Removing existing NodeSource repository configuration..."
+    rm -f /etc/apt/sources.list.d/nodesource.list
+fi
+
+curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | \
+    gpg --dearmor -o /usr/share/keyrings/nodesource.gpg
+
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" | \
+    tee /etc/apt/sources.list.d/nodesource.list > /dev/null
+
+apt-get update
+apt-get install -y nodejs
+
+check_command "node"
+check_command "npm"
+
+echo "Node.js version: $(node --version)"
+echo "npm version: $(npm --version)"
+
+### prepare machine for k6 large load test
 sysctl -w net.ipv4.ip_local_port_range="1024 65535"
 sysctl -w net.ipv4.tcp_tw_reuse=1
 sysctl -w net.ipv4.tcp_timestamps=1

diff --git a/cosmosdb_account/README.md b/cosmosdb_account/README.md
@@ -164,6 +164,7 @@ No modules.
 | <a name="input_allowed_virtual_network_subnet_ids"></a> [allowed\_virtual\_network\_subnet\_ids](#input\_allowed\_virtual\_network\_subnet\_ids) | The subnets id that are allowed to access this CosmosDB account. | `list(string)` | `[]` | no |
 | <a name="input_backup_continuous_enabled"></a> [backup\_continuous\_enabled](#input\_backup\_continuous\_enabled) | Enable Continuous Backup | `bool` | `true` | no |
 | <a name="input_backup_periodic_enabled"></a> [backup\_periodic\_enabled](#input\_backup\_periodic\_enabled) | Enable Periodic Backup | <pre>object({<br/>    interval_in_minutes = string<br/>    retention_in_hours  = string<br/>    storage_redundancy  = string<br/>  })</pre> | `null` | no |
+| <a name="input_burst_capacity_enabled"></a> [burst\_capacity\_enabled](#input\_burst\_capacity\_enabled) | (Optional) Enable burst capacity for this Cosmos DB account. Defaults to false. | `bool` | `false` | no |
 | <a name="input_capabilities"></a> [capabilities](#input\_capabilities) | The capabilities which should be enabled for this Cosmos DB account. | `list(string)` | `[]` | no |
 | <a name="input_consistency_policy"></a> [consistency\_policy](#input\_consistency\_policy) | Specifies a consistency\_policy resource, used to define the consistency policy for this CosmosDB account. | <pre>object({<br/>    consistency_level       = string # The Consistency Level to use for this CosmosDB Account - can be either BoundedStaleness, Eventual, Session, Strong or ConsistentPrefix.<br/>    max_interval_in_seconds = number # When used with the Bounded Staleness consistency level, this value represents the time amount of staleness (in seconds) tolerated. Accepted range for this value is 5 - 86400 (1 day). Defaults to 5. Required when consistency_level is set to BoundedStaleness.<br/>    max_staleness_prefix    = number # When used with the Bounded Staleness consistency level, this value represents the number of stale requests tolerated. Accepted range for this value is 10 – 2147483647. Defaults to 100. Required when consistency_level is set to BoundedStaleness.<br/>  })</pre> | <pre>{<br/>  "consistency_level": "BoundedStaleness",<br/>  "max_interval_in_seconds": 5,<br/>  "max_staleness_prefix": 100<br/>}</pre> | no |
 | <a name="input_domain"></a> [domain](#input\_domain) | (Optional) Specifies the domain of the CosmosDB Account. | `string` | n/a | yes |

diff --git a/cosmosdb_account/main.tf b/cosmosdb_account/main.tf
@@ -8,8 +8,8 @@ resource "azurerm_cosmosdb_account" "this" {
   enable_automatic_failover = var.enable_automatic_failover
   key_vault_key_id          = var.key_vault_key_id
 
-  mongo_server_version = var.mongo_server_version
-
+  mongo_server_version   = var.mongo_server_version
+  burst_capacity_enabled = var.burst_capacity_enabled
   geo_location {
     location          = var.main_geo_location_location
     failover_priority = 0

diff --git a/cosmosdb_account/variables.tf b/cosmosdb_account/variables.tf
@@ -253,3 +253,10 @@ variable "action" {
   ))
   default = []
 }
+
+
+variable "burst_capacity_enabled" {
+  type        = bool
+  description = "(Optional) Enable burst capacity for this Cosmos DB account. Defaults to false."
+  default     = false
+}
diff --git a/gh_runner_container_app_job_domain_setup/README.md b/gh_runner_container_app_job_domain_setup/README.md
@@ -25,6 +25,7 @@ module "gh_runner_job" {
       short_name: "payopt"
     }
   ]
+  gh_env = var.env
   job = {
     name = "paymentoption"
   }
@@ -46,12 +47,6 @@ module "gh_runner_job" {
     rg           = "${local.product}-${var.location_short}-${var.instance}-aks-rg"
   }
   
-  # optional
-  function_deploy = {
-    enabled      = true
-    function_rg  = ["<rg name 1>", "<rg name 2>"]
-  }
-  
   #optional
   custom_rg_permissions = [
     {
@@ -90,7 +85,7 @@ This module provides the appropriate permissions to the GH runner identity to de
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_container_app_job"></a> [container\_app\_job](#module\_container\_app\_job) | ../container_app_job_gh_runner_v2 | n/a |
-| <a name="module_identity_cd"></a> [identity\_cd](#module\_identity\_cd) | github.com/pagopa/terraform-azurerm-v3//github_federated_identity | v8.22.0 |
+| <a name="module_identity_cd"></a> [identity\_cd](#module\_identity\_cd) | ../github_federated_identity | n/a |
 
 ## Resources
 
@@ -111,10 +106,11 @@ This module provides the appropriate permissions to the GH runner identity to de
 | <a name="input_container"></a> [container](#input\_container) | Job Container configuration | <pre>object({<br/>    cpu    = number<br/>    memory = string<br/>    image  = string<br/>  })</pre> | <pre>{<br/>  "cpu": 0.5,<br/>  "image": "ghcr.io/pagopa/github-self-hosted-runner-azure:latest",<br/>  "memory": "1Gi"<br/>}</pre> | no |
 | <a name="input_custom_rg_permissions"></a> [custom\_rg\_permissions](#input\_custom\_rg\_permissions) | (Optional) List of resource group permission assigned to the job identity | <pre>list(object({<br/>    # name of the resource group on which the permissions are given<br/>    rg_name = string<br/>    # list of permission assigned on with rg_name scope<br/>    permissions = list(string)<br/>  }))</pre> | `[]` | no |
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | (Required) Domain name for the configured repositories | `string` | n/a | yes |
+| <a name="input_domain_security_rg_name"></a> [domain\_security\_rg\_name](#input\_domain\_security\_rg\_name) | (Optional) Security rg name for the domain | `string` | n/a | yes |
 | <a name="input_env_short"></a> [env\_short](#input\_env\_short) | Short environment prefix | `string` | n/a | yes |
 | <a name="input_environment_name"></a> [environment\_name](#input\_environment\_name) | (Required) Container App Environment configuration (Log Analytics Workspace) | `string` | n/a | yes |
 | <a name="input_environment_rg"></a> [environment\_rg](#input\_environment\_rg) | (Required) Container App Environment configuration (Log Analytics Workspace) | `string` | n/a | yes |
-| <a name="input_function_deploy"></a> [function\_deploy](#input\_function\_deploy) | (Optional) Enables and specifies the function app deploy permissions | <pre>object({<br/>    # enables the permission handdling for azure function deploy<br/>    enabled = optional(bool, false)<br/>    # list of function resource group names<br/>    function_rg = optional(list(string), [])<br/>  })</pre> | <pre>{<br/>  "enabled": false,<br/>  "function_rg": []<br/>}</pre> | no |
+| <a name="input_gh_env"></a> [gh\_env](#input\_gh\_env) | Github environment name | `string` | n/a | yes |
 | <a name="input_gh_identity_suffix"></a> [gh\_identity\_suffix](#input\_gh\_identity\_suffix) | (Optional) Suffix used in the gh identity name. Necessary to distinguish the identities when more than 20 repos are used | `string` | `"01"` | no |
 | <a name="input_gh_repositories"></a> [gh\_repositories](#input\_gh\_repositories) | (Required) List of gh repository names and short names on which the managed identity will have permission. Max 20 repos. All repos must belong to the same organization, check `job_meta` variable | <pre>list(object({<br/>    name       = string<br/>    short_name = string<br/>  }))</pre> | n/a | yes |
 | <a name="input_job"></a> [job](#input\_job) | Container App job configuration | <pre>object({<br/>    name                 = string<br/>    scale_max_executions = optional(number, 5)<br/>    scale_min_executions = optional(number, 0)<br/>  })</pre> | n/a | yes |

diff --git a/gh_runner_container_app_job_domain_setup/locals.tf b/gh_runner_container_app_job_domain_setup/locals.tf
@@ -5,7 +5,7 @@ locals {
   federations = [
     for repo in var.gh_repositories : {
       repository = repo.name
-      subject    = "github-${var.environment_name}"
+      subject    = var.gh_env
     }
   ]
 
@@ -17,13 +17,16 @@ locals {
   } : {}
 
   custom_permissions = { for perm in var.custom_rg_permissions : perm.rg_name => perm.permissions }
+  domain_sec_rg_permission = var.domain_security_rg_name != null ? {
+    "${var.domain_security_rg_name}" = [
+      "Key Vault Reader"
+    ]
+  } : {}
 
-  function_deploy_permission = var.function_deploy.enabled ? { for rg in var.function_deploy.function_rg : rg => ["Contributor"] } : {}
 
-  # to avoid subscription Contributor -> https://github.com/microsoft/azure-container-apps/issues/35
   environment_cd_roles = {
     subscription = [
-      "Reader"
+      "Contributor"
     ]
     resource_groups = merge(
       {
@@ -36,7 +39,7 @@ locals {
       },
       local.aks_rg_permission,
       local.custom_permissions,
-      local.function_deploy_permission
+      local.domain_sec_rg_permission
     )
   }
 }
diff --git a/gh_runner_container_app_job_domain_setup/main.tf b/gh_runner_container_app_job_domain_setup/main.tf
@@ -44,7 +44,7 @@ module "container_app_job" {
 
 # create a module for each 20 repos
 module "identity_cd" {
-  source    = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v8.22.0"
+  source    = "../github_federated_identity"
   prefix    = var.prefix
   env_short = var.env_short
   domain    = "${var.domain_name}-${var.gh_identity_suffix}"

diff --git a/gh_runner_container_app_job_domain_setup/variables.tf b/gh_runner_container_app_job_domain_setup/variables.tf
@@ -40,6 +40,11 @@ variable "env_short" {
   }
 }
 
+variable "gh_env" {
+  type        = string
+  description = "Github environment name"
+}
+
 variable "environment_name" {
   type        = string
   description = "(Required) Container App Environment configuration (Log Analytics Workspace)"
@@ -204,26 +209,6 @@ variable "kubernetes_deploy" {
   }
 }
 
-
-variable "function_deploy" {
-  type = object({
-    # enables the permission handdling for azure function deploy
-    enabled = optional(bool, false)
-    # list of function resource group names
-    function_rg = optional(list(string), [])
-  })
-  description = "(Optional) Enables and specifies the function app deploy permissions"
-  default = {
-    enabled     = false
-    function_rg = []
-  }
-
-  validation {
-    condition     = var.function_deploy.enabled ? length(var.function_deploy.function_rg) > 0 : true
-    error_message = "Function rg not defined"
-  }
-}
-
 variable "custom_rg_permissions" {
   type = list(object({
     # name of the resource group on which the permissions are given
@@ -255,3 +240,8 @@ variable "domain_name" {
   type        = string
   description = "(Required) Domain name for the configured repositories"
 }
+
+variable "domain_security_rg_name" {
+  type        = string
+  description = "(Optional) Security rg name for the domain"
+}
diff --git a/kubernetes_cluster/01_main.tf b/kubernetes_cluster/01_main.tf
@@ -76,6 +76,7 @@ resource "azurerm_kubernetes_cluster" "this" {
 
   workload_identity_enabled = var.workload_identity_enabled
   oidc_issuer_enabled       = local.oidc_issuer_enabled
+  cost_analysis_enabled     = var.cost_analysis_enabled
 
   dynamic "network_profile" {
     for_each = var.network_profile != null ? [var.network_profile] : []

diff --git a/kubernetes_cluster/02_monitor_aks.tf b/kubernetes_cluster/02_monitor_aks.tf
@@ -7,6 +7,7 @@ resource "azurerm_monitor_metric_alert" "this" {
   name                = "${azurerm_kubernetes_cluster.this.name}-${upper(each.key)}"
   resource_group_name = var.resource_group_name
   scopes              = [azurerm_kubernetes_cluster.this.id]
+  description         = each.value.description
   frequency           = each.value.frequency
   window_size         = each.value.window_size
   enabled             = var.alerts_enabled

diff --git a/kubernetes_cluster/99_variables.tf b/kubernetes_cluster/99_variables.tf
@@ -311,6 +311,14 @@ variable "addon_azure_pod_identity_enabled" {
   default     = false
 }
 
+# The sku_tier must be set to Standard or Premium to enable this feature.
+# Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal.
+variable "cost_analysis_enabled" {
+  type        = bool
+  default     = false
+  description = "(Optional) Should cost analysis be enabled for this Kubernetes Cluster? Defaults to false."
+}
+
 #
 # 📄 Logs
 #

diff --git a/kubernetes_cluster/99_variables_monitoring_alerts.tf b/kubernetes_cluster/99_variables_monitoring_alerts.tf
@@ -9,6 +9,8 @@ variable "default_metric_alerts" {
   type = map(object({
     # criteria.*.aggregation to be one of [Average Count Minimum Maximum Total]
     aggregation = string
+    # (Optional) Specifies the description of the scheduled metric rule.
+    description = optional(string)
     # "Insights.Container/pods" "Insights.Container/nodes"
     metric_namespace = string
     metric_name      = string
@@ -38,6 +40,7 @@ variable "default_metric_alerts" {
     node_cpu_usage_percentage = {
       aggregation      = "Average"
       metric_namespace = "Microsoft.ContainerService/managedClusters"
+      description      = "High node cpu usage"
       metric_name      = "node_cpu_usage_percentage"
       operator         = "GreaterThan"
       threshold        = 80
@@ -56,6 +59,7 @@ variable "default_metric_alerts" {
     node_memory_working_set_percentage = {
       aggregation      = "Average"
       metric_namespace = "Microsoft.ContainerService/managedClusters"
+      description      = "High node memory usage"
       metric_name      = "node_memory_working_set_percentage"
       operator         = "GreaterThan"
       threshold        = 80
@@ -73,6 +77,7 @@ variable "default_metric_alerts" {
     pods_failed = {
       aggregation      = "Average"
       metric_namespace = "Microsoft.ContainerService/managedClusters"
+      description      = "Pod state phase failed"
       metric_name      = "kube_pod_status_phase"
       operator         = "GreaterThan"
       threshold        = 0