feat: Added workload identity into ecommerce (#362)

* added skip_provider_registration to avoid problems with terraform * added skip_provider_registration to avoid problems with terraform * added data for service connection workload identity * changed service connection with workload identity
pagopa · Sep 23, 2024 · 1169c26 · 1169c26
1 parent c439ecf
commit 1169c26
Show file tree

Hide file tree

Showing 13 changed files with 168 additions and 100 deletions.
diff --git a/azure-devops/ecommerce/00_service_connections.tf b/azure-devops/ecommerce/00_service_connections.tf
@@ -34,20 +34,20 @@ data "azuredevops_serviceendpoint_azurerm" "prod" {
   service_endpoint_name = var.service_connection_prod_azurerm_name
 }
 
+# #
+# # ACR
+# #
+# data "azuredevops_serviceendpoint_azurecr" "dev" {
+#   project_id            = data.azuredevops_project.project.id
+#   service_endpoint_name = var.service_connection_dev_acr_name
+# }
 #
-# ACR
+# data "azuredevops_serviceendpoint_azurecr" "uat" {
+#   project_id            = data.azuredevops_project.project.id
+#   service_endpoint_name = var.service_connection_uat_acr_name
+# }
 #
-data "azuredevops_serviceendpoint_azurecr" "dev" {
-  project_id            = data.azuredevops_project.project.id
-  service_endpoint_name = var.service_connection_dev_acr_name
-}
-
-data "azuredevops_serviceendpoint_azurecr" "uat" {
-  project_id            = data.azuredevops_project.project.id
-  service_endpoint_name = var.service_connection_uat_acr_name
-}
-
-data "azuredevops_serviceendpoint_azurecr" "prod" {
-  project_id            = data.azuredevops_project.project.id
-  service_endpoint_name = var.service_connection_prod_acr_name
-}
+# data "azuredevops_serviceendpoint_azurecr" "prod" {
+#   project_id            = data.azuredevops_project.project.id
+#   service_endpoint_name = var.service_connection_prod_acr_name
+# }
diff --git a/azure-devops/ecommerce/00_service_connections_docker_workload_identity.tf b/azure-devops/ecommerce/00_service_connections_docker_workload_identity.tf
@@ -0,0 +1,39 @@
+### ⚠️ the workload identities was created manually because there are a problem
+### with the provider and the docker@2 plugin for azdo
+
+#
+# 🇪🇺 WEU
+#
+data "azuredevops_serviceendpoint_azurecr" "dev_weu_workload_identity" {
+  project_id            = data.azuredevops_project.project.id
+  service_endpoint_name = var.acr_weu_service_connection_workload_identity_dev
+}
+
+data "azuredevops_serviceendpoint_azurecr" "uat_weu_workload_identity" {
+  project_id            = data.azuredevops_project.project.id
+  service_endpoint_name = var.acr_weu_service_connection_workload_identity_uat
+}
+
+data "azuredevops_serviceendpoint_azurecr" "prod_weu_workload_identity" {
+  project_id            = data.azuredevops_project.project.id
+  service_endpoint_name = var.acr_weu_service_connection_workload_identity_prod
+}
+
+#
+# 🇮🇹 Italy Workload identity
+#
+
+data "azuredevops_serviceendpoint_azurecr" "dev_ita_workload_identity" {
+  project_id            = data.azuredevops_project.project.id
+  service_endpoint_name = var.acr_ita_service_connection_workload_identity_dev
+}
+
+data "azuredevops_serviceendpoint_azurecr" "uat_ita_workload_identity" {
+  project_id            = data.azuredevops_project.project.id
+  service_endpoint_name = var.acr_ita_service_connection_workload_identity_uat
+}
+
+data "azuredevops_serviceendpoint_azurecr" "prod_ita_workload_identity" {
+  project_id            = data.azuredevops_project.project.id
+  service_endpoint_name = var.acr_ita_service_connection_workload_identity_prod
+}
diff --git a/azure-devops/ecommerce/06_pagopa-ecommerce-event-dispatcher-service.tf b/azure-devops/ecommerce/06_pagopa-ecommerce-event-dispatcher-service.tf
@@ -49,12 +49,12 @@ locals {
 
     # acr section
     k8s_image_repository_name            = replace(var.pagopa-ecommerce-event-dispatcher-service.repository.name, "-", "")
-    dev_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.dev.id
-    dev_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.dev.service_endpoint_name
-    uat_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.uat.id
-    uat_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.uat.service_endpoint_name
-    prod_container_registry_service_conn = data.azuredevops_serviceendpoint_azurecr.prod.id
-    prod_container_registry_name         = data.azuredevops_serviceendpoint_azurecr.prod.service_endpoint_name
+    dev_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.id
+    dev_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.service_endpoint_name
+    uat_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.id
+    uat_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.service_endpoint_name
+    prod_container_registry_service_conn = data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.id
+    prod_container_registry_name         = data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.service_endpoint_name
 
     # aks section
     dev_kubernetes_service_conn  = azuredevops_serviceendpoint_kubernetes.aks_dev.id
@@ -120,9 +120,9 @@ module "pagopa-ecommerce-event-dispatcher-service_deploy" {
 
   service_connection_ids_authorization = [
     data.azuredevops_serviceendpoint_github.github_ro.id,
-    data.azuredevops_serviceendpoint_azurecr.dev.id,
-    data.azuredevops_serviceendpoint_azurecr.uat.id,
-    data.azuredevops_serviceendpoint_azurecr.prod.id,
+    data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.id,
+    data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.id,
+    data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.id,
     data.azuredevops_serviceendpoint_azurerm.dev.id,
     data.azuredevops_serviceendpoint_azurerm.uat.id,
     data.azuredevops_serviceendpoint_azurerm.prod.id,

diff --git a/azure-devops/ecommerce/06_pagopa-ecommerce-helpdesk-commands-service.tf b/azure-devops/ecommerce/06_pagopa-ecommerce-helpdesk-commands-service.tf
@@ -49,12 +49,12 @@ locals {
 
     # acr section
     k8s_image_repository_name            = replace(var.pagopa-ecommerce-helpdesk-commands-service.repository.name, "-", "")
-    dev_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.dev.id
-    dev_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.dev.service_endpoint_name
-    uat_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.uat.id
-    uat_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.uat.service_endpoint_name
-    prod_container_registry_service_conn = data.azuredevops_serviceendpoint_azurecr.prod.id
-    prod_container_registry_name         = data.azuredevops_serviceendpoint_azurecr.prod.service_endpoint_name
+    dev_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.id
+    dev_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.service_endpoint_name
+    uat_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.id
+    uat_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.service_endpoint_name
+    prod_container_registry_service_conn = data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.id
+    prod_container_registry_name         = data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.service_endpoint_name
 
     # aks section
     dev_kubernetes_service_conn  = azuredevops_serviceendpoint_kubernetes.aks_dev.id
@@ -122,9 +122,9 @@ module "pagopa-ecommerce-helpdesk-commands-service_deploy" {
 
   service_connection_ids_authorization = [
     data.azuredevops_serviceendpoint_github.github_ro.id,
-    data.azuredevops_serviceendpoint_azurecr.dev.id,
-    data.azuredevops_serviceendpoint_azurecr.uat.id,
-    data.azuredevops_serviceendpoint_azurecr.prod.id,
+    data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.id,
+    data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.id,
+    data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.id,
     data.azuredevops_serviceendpoint_azurerm.dev.id,
     data.azuredevops_serviceendpoint_azurerm.uat.id,
     data.azuredevops_serviceendpoint_azurerm.prod.id,

diff --git a/azure-devops/ecommerce/06_pagopa-ecommerce-helpdesk-service.tf b/azure-devops/ecommerce/06_pagopa-ecommerce-helpdesk-service.tf
@@ -49,12 +49,12 @@ locals {
 
     # acr section
     k8s_image_repository_name            = replace(var.pagopa-ecommerce-helpdesk-service.repository.name, "-", "")
-    dev_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.dev.id
-    dev_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.dev.service_endpoint_name
-    uat_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.uat.id
-    uat_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.uat.service_endpoint_name
-    prod_container_registry_service_conn = data.azuredevops_serviceendpoint_azurecr.prod.id
-    prod_container_registry_name         = data.azuredevops_serviceendpoint_azurecr.prod.service_endpoint_name
+    dev_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.id
+    dev_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.service_endpoint_name
+    uat_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.id
+    uat_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.service_endpoint_name
+    prod_container_registry_service_conn = data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.id
+    prod_container_registry_name         = data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.service_endpoint_name
 
     # aks section
     dev_kubernetes_service_conn  = azuredevops_serviceendpoint_kubernetes.aks_dev.id
@@ -126,9 +126,9 @@ module "pagopa-ecommerce-helpdesk-service_deploy" {
 
   service_connection_ids_authorization = [
     data.azuredevops_serviceendpoint_github.github_ro.id,
-    data.azuredevops_serviceendpoint_azurecr.dev.id,
-    data.azuredevops_serviceendpoint_azurecr.uat.id,
-    data.azuredevops_serviceendpoint_azurecr.prod.id,
+    data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.id,
+    data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.id,
+    data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.id,
     data.azuredevops_serviceendpoint_azurerm.dev.id,
     data.azuredevops_serviceendpoint_azurerm.uat.id,
     data.azuredevops_serviceendpoint_azurerm.prod.id,

diff --git a/azure-devops/ecommerce/06_pagopa-ecommerce-notifications-service.tf b/azure-devops/ecommerce/06_pagopa-ecommerce-notifications-service.tf
@@ -51,13 +51,13 @@ locals {
     tenant_id         = data.azurerm_client_config.current.tenant_id
 
     # acr section
-    dev_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.dev.id
-    uat_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.uat.id
-    prod_container_registry_service_conn = data.azuredevops_serviceendpoint_azurecr.prod.id
+    dev_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.id
+    uat_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.id
+    prod_container_registry_service_conn = data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.id
     k8s_image_repository_name            = replace(var.pagopa-notifications-service.repository.name, "-", "")
-    dev_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.dev.service_endpoint_name
-    uat_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.uat.service_endpoint_name
-    prod_container_registry_name         = data.azuredevops_serviceendpoint_azurecr.prod.service_endpoint_name
+    dev_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.service_endpoint_name
+    uat_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.service_endpoint_name
+    prod_container_registry_name         = data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.service_endpoint_name
 
     # aks section
     dev_kubernetes_service_conn  = azuredevops_serviceendpoint_kubernetes.aks_dev.id
@@ -125,9 +125,9 @@ module "pagopa-ecommerce-notifications-service_deploy" {
 
   service_connection_ids_authorization = [
     data.azuredevops_serviceendpoint_github.github_ro.id,
-    data.azuredevops_serviceendpoint_azurecr.dev.id,
-    data.azuredevops_serviceendpoint_azurecr.uat.id,
-    data.azuredevops_serviceendpoint_azurecr.prod.id,
+    data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.id,
+    data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.id,
+    data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.id,
     data.azuredevops_serviceendpoint_azurerm.dev.id,
     data.azuredevops_serviceendpoint_azurerm.uat.id,
     data.azuredevops_serviceendpoint_azurerm.prod.id,

diff --git a/azure-devops/ecommerce/06_pagopa-ecommerce-payment-requests-service.tf b/azure-devops/ecommerce/06_pagopa-ecommerce-payment-requests-service.tf
@@ -49,12 +49,12 @@ locals {
 
     # acr section
     k8s_image_repository_name            = replace(var.pagopa-ecommerce-payment-requests-service.repository.name, "-", "")
-    dev_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.dev.id
-    dev_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.dev.service_endpoint_name
-    uat_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.uat.id
-    uat_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.uat.service_endpoint_name
-    prod_container_registry_service_conn = data.azuredevops_serviceendpoint_azurecr.prod.id
-    prod_container_registry_name         = data.azuredevops_serviceendpoint_azurecr.prod.service_endpoint_name
+    dev_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.id
+    dev_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.service_endpoint_name
+    uat_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.id
+    uat_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.service_endpoint_name
+    prod_container_registry_service_conn = data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.id
+    prod_container_registry_name         = data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.service_endpoint_name
 
     # aks section
     dev_kubernetes_service_conn  = azuredevops_serviceendpoint_kubernetes.aks_dev.id
@@ -120,9 +120,9 @@ module "pagopa-ecommerce-payment-requests-service_deploy" {
 
   service_connection_ids_authorization = [
     data.azuredevops_serviceendpoint_github.github_ro.id,
-    data.azuredevops_serviceendpoint_azurecr.dev.id,
-    data.azuredevops_serviceendpoint_azurecr.uat.id,
-    data.azuredevops_serviceendpoint_azurecr.prod.id,
+    data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.id,
+    data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.id,
+    data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.id,
     data.azuredevops_serviceendpoint_azurerm.dev.id,
     data.azuredevops_serviceendpoint_azurerm.uat.id,
     data.azuredevops_serviceendpoint_azurerm.prod.id,

diff --git a/azure-devops/ecommerce/06_pagopa-ecommerce-payments-methods-service.tf b/azure-devops/ecommerce/06_pagopa-ecommerce-payments-methods-service.tf
@@ -49,12 +49,12 @@ locals {
 
     # acr section
     k8s_image_repository_name            = replace(var.pagopa-ecommerce-payment-methods-service.repository.name, "-", "")
-    dev_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.dev.id
-    dev_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.dev.service_endpoint_name
-    uat_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.uat.id
-    uat_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.uat.service_endpoint_name
-    prod_container_registry_service_conn = data.azuredevops_serviceendpoint_azurecr.prod.id
-    prod_container_registry_name         = data.azuredevops_serviceendpoint_azurecr.prod.service_endpoint_name
+    dev_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.id
+    dev_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.service_endpoint_name
+    uat_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.id
+    uat_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.service_endpoint_name
+    prod_container_registry_service_conn = data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.id
+    prod_container_registry_name         = data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.service_endpoint_name
 
     # aks section
     dev_kubernetes_service_conn  = azuredevops_serviceendpoint_kubernetes.aks_dev.id
@@ -120,9 +120,9 @@ module "pagopa-ecommerce-payment-methods-service_deploy" {
 
   service_connection_ids_authorization = [
     data.azuredevops_serviceendpoint_github.github_ro.id,
-    data.azuredevops_serviceendpoint_azurecr.dev.id,
-    data.azuredevops_serviceendpoint_azurecr.uat.id,
-    data.azuredevops_serviceendpoint_azurecr.prod.id,
+    data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.id,
+    data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.id,
+    data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.id,
     data.azuredevops_serviceendpoint_azurerm.dev.id,
     data.azuredevops_serviceendpoint_azurerm.uat.id,
     data.azuredevops_serviceendpoint_azurerm.prod.id,

diff --git a/azure-devops/ecommerce/06_pagopa-ecommerce-transactions-scheduler-service.tf b/azure-devops/ecommerce/06_pagopa-ecommerce-transactions-scheduler-service.tf
@@ -49,12 +49,12 @@ locals {
 
     # acr section
     k8s_image_repository_name            = replace(var.pagopa-ecommerce-transactions-scheduler-service.repository.name, "-", "")
-    dev_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.dev.id
-    dev_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.dev.service_endpoint_name
-    uat_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.uat.id
-    uat_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.uat.service_endpoint_name
-    prod_container_registry_service_conn = data.azuredevops_serviceendpoint_azurecr.prod.id
-    prod_container_registry_name         = data.azuredevops_serviceendpoint_azurecr.prod.service_endpoint_name
+    dev_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.id
+    dev_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.service_endpoint_name
+    uat_container_registry_service_conn  = data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.id
+    uat_container_registry_name          = data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.service_endpoint_name
+    prod_container_registry_service_conn = data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.id
+    prod_container_registry_name         = data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.service_endpoint_name
 
     # aks section
     dev_kubernetes_service_conn  = azuredevops_serviceendpoint_kubernetes.aks_dev.id
@@ -120,9 +120,9 @@ module "pagopa-ecommerce-transactions-scheduler-service_deploy" {
 
   service_connection_ids_authorization = [
     data.azuredevops_serviceendpoint_github.github_ro.id,
-    data.azuredevops_serviceendpoint_azurecr.dev.id,
-    data.azuredevops_serviceendpoint_azurecr.uat.id,
-    data.azuredevops_serviceendpoint_azurecr.prod.id,
+    data.azuredevops_serviceendpoint_azurecr.dev_weu_workload_identity.id,
+    data.azuredevops_serviceendpoint_azurecr.uat_weu_workload_identity.id,
+    data.azuredevops_serviceendpoint_azurecr.prod_weu_workload_identity.id,
     data.azuredevops_serviceendpoint_azurerm.dev.id,
     data.azuredevops_serviceendpoint_azurerm.uat.id,
     data.azuredevops_serviceendpoint_azurerm.prod.id,