[CES-68] Added APIM roles for functions in selfcare domain (#1414)

src/domains/selfcare/_modules/app_services/function_devportal_service_data.tf

@@ -1,10 +1,11 @@
 module "function_devportalservicedata" {
   source = "github.com/pagopa/terraform-azurerm-v3//function_app?ref=v7.69.1"
 
-  name                = "${var.project}-devportalsrvdata-fn"
-  location            = var.location
-  resource_group_name = var.resource_group_name
-  app_service_plan_id = azurerm_service_plan.selfcare_be_common.id
+  name                    = "${var.project}-devportalsrvdata-fn"
+  location                = var.location
+  resource_group_name     = var.resource_group_name
+  app_service_plan_id     = azurerm_service_plan.selfcare_be_common.id
+  system_identity_enabled = true
 
   application_insights_instrumentation_key = var.app_insights_key
 
@@ -71,11 +72,12 @@ module "function_devportalservicedata" {
 module "function_devportalservicedata_staging_slot" {
   source = "github.com/pagopa/terraform-azurerm-v3.git//function_app_slot?ref=v7.69.1"
 
-  name                = "staging"
-  location            = var.location
-  resource_group_name = module.function_subscriptionmigrations.resource_group_name
-  function_app_id     = module.function_devportalservicedata.id
-  app_service_plan_id = azurerm_service_plan.selfcare_be_common.id
+  name                    = "staging"
+  location                = var.location
+  resource_group_name     = module.function_subscriptionmigrations.resource_group_name
+  function_app_id         = module.function_devportalservicedata.id
+  app_service_plan_id     = azurerm_service_plan.selfcare_be_common.id
+  system_identity_enabled = true
 
   application_insights_instrumentation_key = var.app_insights_key
 

src/domains/selfcare/_modules/app_services/function_subscription_migrations.tf

@@ -1,10 +1,11 @@
 module "function_subscriptionmigrations" {
   source = "github.com/pagopa/terraform-azurerm-v3//function_app?ref=v7.69.1"
 
-  name                = "${var.project}-subsmigrations-fn"
-  location            = var.location
-  resource_group_name = var.resource_group_name
-  app_service_plan_id = azurerm_service_plan.selfcare_be_common.id
+  name                    = "${var.project}-subsmigrations-fn"
+  location                = var.location
+  resource_group_name     = var.resource_group_name
+  app_service_plan_id     = azurerm_service_plan.selfcare_be_common.id
+  system_identity_enabled = true
 
   application_insights_instrumentation_key = var.app_insights_key
 
@@ -68,11 +69,12 @@ module "function_subscriptionmigrations" {
 module "function_subscriptionmigrations_staging_slot" {
   source = "github.com/pagopa/terraform-azurerm-v3//function_app_slot?ref=v7.69.1"
 
-  name                = "staging"
-  location            = var.location
-  resource_group_name = module.function_subscriptionmigrations.resource_group_name
-  function_app_id     = module.function_subscriptionmigrations.id
-  app_service_plan_id = azurerm_service_plan.selfcare_be_common.id
+  name                    = "staging"
+  location                = var.location
+  resource_group_name     = module.function_subscriptionmigrations.resource_group_name
+  function_app_id         = module.function_subscriptionmigrations.id
+  app_service_plan_id     = azurerm_service_plan.selfcare_be_common.id
+  system_identity_enabled = true
 
   application_insights_instrumentation_key = var.app_insights_key
 

src/domains/selfcare/_modules/app_services/locals.tf

@@ -156,10 +156,10 @@ locals {
       COSMOSDB_URI                       = data.azurerm_cosmosdb_account.cosmos_api.endpoint
 
       // connection to APIM
-      APIM_CLIENT_ID       = data.azurerm_key_vault_secret.apim_service_principal_client_id.value
-      APIM_RESOURCE_GROUP  = "io-p-rg-internal"
-      APIM_SECRET          = data.azurerm_key_vault_secret.apim_service_principal_secret.value
-      APIM_SERVICE_NAME    = "io-p-apim-v2-api"
+      APIM_SERVICE_NAME    = "io-p-apim-v2-api"                                                   # For ITN Migration replace with io-p-itn-apim-01
+      APIM_RESOURCE_GROUP  = "io-p-rg-internal"                                                   # For ITN Migration replace with io-p-itn-common-rg-01
+      APIM_CLIENT_ID       = data.azurerm_key_vault_secret.apim_service_principal_client_id.value # Remove after ITN migration
+      APIM_SECRET          = data.azurerm_key_vault_secret.apim_service_principal_secret.value    # Remove after ITN migration
       APIM_SUBSCRIPTION_ID = data.azurerm_subscription.current.subscription_id
       APIM_TENANT_ID       = data.azurerm_client_config.current.tenant_id
 
@@ -201,14 +201,14 @@ locals {
       ADMIN_API_KEY = data.azurerm_key_vault_secret.devportal_apim_io_service_key.value
 
       # Apim connection
+      ARM_APIM                    = "io-p-apim-v2-api" # For ITN Migration replace with io-p-itn-apim-01
+      ARM_RESOURCE_GROUP          = "io-p-rg-internal" # For ITN Migration replace with io-p-itn-common-rg-01
       APIM_PRODUCT_NAME           = "io-services-api"
       APIM_USER_GROUPS            = "apilimitedmessagewrite,apiinforead,apimessageread,apilimitedprofileread"
-      ARM_APIM                    = "io-p-apim-v2-api"
-      ARM_RESOURCE_GROUP          = "io-p-rg-internal"
       ARM_SUBSCRIPTION_ID         = data.azurerm_subscription.current.subscription_id
       ARM_TENANT_ID               = data.azurerm_client_config.current.tenant_id
-      SERVICE_PRINCIPAL_CLIENT_ID = data.azurerm_key_vault_secret.apim_service_principal_client_id.value
-      SERVICE_PRINCIPAL_SECRET    = data.azurerm_key_vault_secret.apim_service_principal_secret.value
+      SERVICE_PRINCIPAL_CLIENT_ID = data.azurerm_key_vault_secret.apim_service_principal_client_id.value # Remove after ITN migration
+      SERVICE_PRINCIPAL_SECRET    = data.azurerm_key_vault_secret.apim_service_principal_secret.value    # Remove after ITN migration
       SERVICE_PRINCIPAL_TENANT_ID = data.azurerm_client_config.current.tenant_id
       USE_SERVICE_PRINCIPAL       = "1"
 

src/domains/selfcare/_modules/app_services/outputs.tf

@@ -18,4 +18,26 @@ output "app_service_common" {
       principal_id        = module.appservice_selfcare_be.principal_id
     }
   }
+}
+
+output "function_subscriptionmigrations" {
+  value = {
+    id           = module.function_subscriptionmigrations.id
+    principal_id = module.function_subscriptionmigrations.system_identity_principal
+    slot = {
+      id           = module.function_subscriptionmigrations_staging_slot.id
+      principal_id = module.function_subscriptionmigrations_staging_slot.system_identity_principal
+    }
+  }
+}
+
+output "function_devportalservicedata" {
+  value = {
+    id           = module.function_devportalservicedata.id
+    principal_id = module.function_devportalservicedata.system_identity_principal
+    slot = {
+      id           = module.function_devportalservicedata_staging_slot.id
+      principal_id = module.function_devportalservicedata_staging_slot.system_identity_principal
+    }
+  }
 }

src/domains/selfcare/prod/westeurope/README.md

@@ -31,6 +31,14 @@
 | [azurerm_role_assignment.devportal_be_apim_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.devportal_be_apim_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.devs_group_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.function_devportalservicedata_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.function_devportalservicedata_staging_slot_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.function_devportalservicedata_staging_slot_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.function_devportalservicedata_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.function_subscriptionmigrations_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.function_subscriptionmigrations_staging_slot_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.function_subscriptionmigrations_staging_slot_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.function_subscriptionmigrations_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.selfcare_be_apim_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.selfcare_be_apim_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azuread_group.svc_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |

src/domains/selfcare/prod/westeurope/app_services.tf

@@ -40,6 +40,8 @@ module "app_services" {
   tags = local.tags
 }
 
+# App Services
+
 resource "azurerm_role_assignment" "devportal_be_apim_v2" {
   role_definition_name = "API Management Service Operator Role"
   scope                = data.azurerm_api_management.apim_v2_api.id
@@ -62,4 +64,58 @@ resource "azurerm_role_assignment" "selfcare_be_apim_itn" {
   role_definition_name = "API Management Service Operator Role"
   scope                = data.azurerm_api_management.apim_itn_api.id
   principal_id         = module.app_services.app_service_common.selfcare_be.principal_id
-}
+}
+
+# Functions
+
+resource "azurerm_role_assignment" "function_subscriptionmigrations_v2" {
+  role_definition_name = "API Management Service Operator Role"
+  scope                = data.azurerm_api_management.apim_v2_api.id
+  principal_id         = module.app_services.function_subscriptionmigrations.principal_id
+}
+
+resource "azurerm_role_assignment" "function_devportalservicedata_v2" {
+  role_definition_name = "API Management Service Operator Role"
+  scope                = data.azurerm_api_management.apim_v2_api.id
+  principal_id         = module.app_services.function_devportalservicedata.principal_id
+}
+
+resource "azurerm_role_assignment" "function_subscriptionmigrations_itn" {
+  role_definition_name = "API Management Service Operator Role"
+  scope                = data.azurerm_api_management.apim_itn_api.id
+  principal_id         = module.app_services.function_subscriptionmigrations.principal_id
+}
+
+resource "azurerm_role_assignment" "function_devportalservicedata_itn" {
+  role_definition_name = "API Management Service Operator Role"
+  scope                = data.azurerm_api_management.apim_itn_api.id
+  principal_id         = module.app_services.function_devportalservicedata.principal_id
+}
+
+# Functions Slots
+
+resource "azurerm_role_assignment" "function_subscriptionmigrations_staging_slot_v2" {
+  role_definition_name = "API Management Service Operator Role"
+  scope                = data.azurerm_api_management.apim_v2_api.id
+  principal_id         = module.app_services.function_subscriptionmigrations.slot.principal_id
+}
+
+resource "azurerm_role_assignment" "function_devportalservicedata_staging_slot_v2" {
+  role_definition_name = "API Management Service Operator Role"
+  scope                = data.azurerm_api_management.apim_v2_api.id
+  principal_id         = module.app_services.function_devportalservicedata.slot.principal_id
+}
+
+resource "azurerm_role_assignment" "function_subscriptionmigrations_staging_slot_itn" {
+  role_definition_name = "API Management Service Operator Role"
+  scope                = data.azurerm_api_management.apim_itn_api.id
+  principal_id         = module.app_services.function_subscriptionmigrations.slot.principal_id
+}
+
+resource "azurerm_role_assignment" "function_devportalservicedata_staging_slot_itn" {
+  role_definition_name = "API Management Service Operator Role"
+  scope                = data.azurerm_api_management.apim_itn_api.id
+  principal_id         = module.app_services.function_devportalservicedata.slot.principal_id
+}
+
+