From 33ce55b5057440d4bea8429a449cc509dd486546 Mon Sep 17 00:00:00 2001 From: pasqualespica Date: Thu, 19 Dec 2024 13:27:15 +0100 Subject: [PATCH] add cert payopt.itn.internal.platform.pagopa.it --- azure-devops/paymentoptions/00_key_vault.tf | 10 +- .../paymentoptions/00_secrets_payopt.tf | 49 +++--- .../paymentoptions/00_secrets_prod.tf | 6 +- .../paymentoptions/00_service_connections.tf | 8 +- .../03_service_connections_aks.tf | 24 +-- .../03_service_connections_tls_certificate.tf | 56 +++---- ...-payopt-itn-internal-platform-pagopa-it.tf | 158 +++++++++--------- 7 files changed, 154 insertions(+), 157 deletions(-) diff --git a/azure-devops/paymentoptions/00_key_vault.tf b/azure-devops/paymentoptions/00_key_vault.tf index 051ef11d..7c25d06f 100644 --- a/azure-devops/paymentoptions/00_key_vault.tf +++ b/azure-devops/paymentoptions/00_key_vault.tf @@ -15,10 +15,10 @@ data "azurerm_key_vault" "domain_kv_uat" { } -# data "azurerm_key_vault" "domain_kv_prod" { +data "azurerm_key_vault" "domain_kv_prod" { -# provider = azurerm.prod + provider = azurerm.prod -# resource_group_name = local.prod_payopt_key_vault_resource_group -# name = local.prod_payopt_key_vault_name -# } + resource_group_name = local.prod_payopt_key_vault_resource_group + name = local.prod_payopt_key_vault_name +} diff --git a/azure-devops/paymentoptions/00_secrets_payopt.tf b/azure-devops/paymentoptions/00_secrets_payopt.tf index b36bee4a..58a6285b 100644 --- a/azure-devops/paymentoptions/00_secrets_payopt.tf +++ b/azure-devops/paymentoptions/00_secrets_payopt.tf 
@@ -36,26 +36,23 @@ module "payopt_uat_secrets" { ] } -# module "payopt_prod_secrets" { +module "payopt_prod_secrets" { -# providers = { -# azurerm = azurerm.prod -# } + providers = { + azurerm = azurerm.prod + } -# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query?ref=v8.22.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query?ref=v8.22.0" -# resource_group = local.prod_payopt_key_vault_resource_group -# key_vault_name = local.prod_payopt_key_vault_name + resource_group = local.prod_payopt_key_vault_resource_group + key_vault_name = local.prod_payopt_key_vault_name -# secrets = [ -# "pagopa-p-itn-prod-aks-azure-devops-sa-token", -# "pagopa-p-itn-prod-aks-azure-devops-sa-cacrt", -# "pagopa-p-itn-prod-aks-apiserver-url", -# "institutions-storage-account-connection-string", -# "notices-storage-account-connection-string", -# "notices-mongo-connection-string", -# ] -# } + secrets = [ + "pagopa-p-itn-prod-aks-azure-devops-sa-token", + "pagopa-p-itn-prod-aks-azure-devops-sa-cacrt", + "pagopa-p-itn-prod-aks-apiserver-url" + ] +} module "general_dev_secrets" { @@ -86,18 +83,16 @@ module "general_uat_secrets" { secrets = [] } -# module "general_prod_secrets" { +module "general_prod_secrets" { -# providers = { -# azurerm = azurerm.prod -# } + providers = { + azurerm = azurerm.prod + } -# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query?ref=v8.22.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query?ref=v8.22.0" -# resource_group = "pagopa-p-sec-rg" -# key_vault_name = "pagopa-p-kv" + resource_group = "pagopa-p-sec-rg" + key_vault_name = "pagopa-p-kv" -# secrets = [ -# "integration-test-subkey", -# ] -# } + secrets = [] +} diff --git a/azure-devops/paymentoptions/00_secrets_prod.tf b/azure-devops/paymentoptions/00_secrets_prod.tf index 9bbed567..df49ed36 100644 
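Review bot: `secrets = []` in module "general_prod_secrets" makes the key_vault_secrets_query module a no-op, and nothing on the hunk says whether that is a placeholder or the intended final state; a one-line comment such as `# no general PROD secrets needed yet; kept for parity with general_uat_secrets` would save the next reader from checking. The uat counterpart visible as context also uses `secrets = []`, so the shape is consistent. Both modules pull secret values into Terraform state by design, so that state backend access control matters as much as the vault's.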
--- a/azure-devops/paymentoptions/00_secrets_prod.tf +++ b/azure-devops/paymentoptions/00_secrets_prod.tf @@ -18,9 +18,9 @@ module "secrets" { ] } -# data "azurerm_subscriptions" "prod" { -# display_name_prefix = local.prod_subscription_name -# } +data "azurerm_subscriptions" "prod" { + display_name_prefix = local.prod_subscription_name +} data "azurerm_subscriptions" "uat" { display_name_prefix = local.uat_subscription_name diff --git a/azure-devops/paymentoptions/00_service_connections.tf b/azure-devops/paymentoptions/00_service_connections.tf index d545c0c9..83fcf679 100644 --- a/azure-devops/paymentoptions/00_service_connections.tf +++ b/azure-devops/paymentoptions/00_service_connections.tf @@ -29,7 +29,7 @@ data "azuredevops_serviceendpoint_azurerm" "uat" { service_endpoint_name = var.service_connection_uat_azurerm_name } -# data "azuredevops_serviceendpoint_azurerm" "prod" { -# project_id = data.azuredevops_project.project.id -# service_endpoint_name = var.service_connection_prod_azurerm_name -# } +data "azuredevops_serviceendpoint_azurerm" "prod" { + project_id = data.azuredevops_project.project.id + service_endpoint_name = var.service_connection_prod_azurerm_name +} diff --git a/azure-devops/paymentoptions/03_service_connections_aks.tf b/azure-devops/paymentoptions/03_service_connections_aks.tf index 9d179d9b..6a9e112b 100644 --- a/azure-devops/paymentoptions/03_service_connections_aks.tf +++ b/azure-devops/paymentoptions/03_service_connections_aks.tf 
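Review bot: `display_name_prefix = local.prod_subscription_name` is a prefix match, so the data source can return more than one subscription and the consumers in this change (`subscriptions[0]` in 03_service_connections_tls_certificate.tf and in the 05_tlscert locals) would then pick whichever comes first without any error. A postcondition on the data source makes the ambiguity fail the plan instead of silently selecting a subscription. The uat data source visible as context has the same shape, but this hunk is where the prod one is enabled.
```hcl
data "azurerm_subscriptions" "prod" {
  display_name_prefix = local.prod_subscription_name

  lifecycle {
    postcondition {
      condition     = length(self.subscriptions) == 1
      error_message = "Expected exactly one subscription matching prefix ${local.prod_subscription_name}."
    }
  }
}
```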
@@ -24,15 +24,15 @@ resource "azuredevops_serviceendpoint_kubernetes" "aks_uat" { } } -# resource "azuredevops_serviceendpoint_kubernetes" "aks_prod" { -# depends_on = [data.azuredevops_project.project] -# project_id = data.azuredevops_project.project.id -# service_endpoint_name = local.srv_endpoint_name_aks_prod -# apiserver_url = module.payopt_prod_secrets.values["pagopa-p-itn-prod-aks-apiserver-url"].value -# authorization_type = "ServiceAccount" -# service_account { -# # base64 values -# token = module.payopt_prod_secrets.values["pagopa-p-itn-prod-aks-azure-devops-sa-token"].value -# ca_cert = module.payopt_prod_secrets.values["pagopa-p-itn-prod-aks-azure-devops-sa-cacrt"].value -# } -# } +resource "azuredevops_serviceendpoint_kubernetes" "aks_prod" { + depends_on = [data.azuredevops_project.project] + project_id = data.azuredevops_project.project.id + service_endpoint_name = local.srv_endpoint_name_aks_prod + apiserver_url = module.payopt_prod_secrets.values["pagopa-p-itn-prod-aks-apiserver-url"].value + authorization_type = "ServiceAccount" + service_account { + # base64 values + token = module.payopt_prod_secrets.values["pagopa-p-itn-prod-aks-azure-devops-sa-token"].value + ca_cert = module.payopt_prod_secrets.values["pagopa-p-itn-prod-aks-azure-devops-sa-cacrt"].value + } +} diff --git a/azure-devops/paymentoptions/03_service_connections_tls_certificate.tf b/azure-devops/paymentoptions/03_service_connections_tls_certificate.tf index 4e7ffa54..ee0ad55d 100644 --- a/azure-devops/paymentoptions/03_service_connections_tls_certificate.tf +++ b/azure-devops/paymentoptions/03_service_connections_tls_certificate.tf 
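Review bot: The service-account token and CA for aks_prod are read through `module.payopt_prod_secrets.values[...]`, so their plaintext lands in Terraform state and, unless that module marks its `values` output as sensitive, in plan output as well; worth a comment next to `# base64 values` stating where the token is issued and how it is rotated, since a static ServiceAccount token has no expiry of its own. `depends_on = [data.azuredevops_project.project]` is redundant here because `project_id = data.azuredevops_project.project.id` already creates that dependency; the same redundant `depends_on` appears in module "PROD-PAYOPT-TLS-CERT-SERVICE-CONN" in 03_service_connections_tls_certificate.tf.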
@@ -59,31 +59,31 @@ resource "azurerm_key_vault_access_policy" "UAT-PAYOPT-TLS-CERT-SERVICE-CONN_kv_ certificate_permissions = ["Get", "Import"] } -# # -# # PROD -# # -# module "PROD-PAYOPT-TLS-CERT-SERVICE-CONN" { -# providers = { -# azurerm = azurerm.prod -# } - -# depends_on = [data.azuredevops_project.project] -# source = "git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_serviceendpoint_federated?ref=v9.2.1" - -# project_id = data.azuredevops_project.project.id -# name = "${local.prefix}-${local.domain}-p-tls-cert-azdo" -# tenant_id = data.azurerm_client_config.current.tenant_id -# subscription_name = var.prod_subscription_name -# subscription_id = data.azurerm_subscriptions.prod.subscriptions[0].subscription_id -# location = local.location_westeurope -# resource_group_name = local.prod_identity_rg_name -# } - -# resource "azurerm_key_vault_access_policy" "PROD-PAYOPT-TLS-CERT-SERVICE-CONN_kv_access_policy" { -# provider = azurerm.prod -# key_vault_id = data.azurerm_key_vault.domain_kv_prod.id -# tenant_id = data.azurerm_client_config.current.tenant_id -# object_id = module.PROD-PAYOPT-TLS-CERT-SERVICE-CONN.service_principal_object_id - -# certificate_permissions = ["Get", "Import"] -# } +# +# PROD +# +module "PROD-PAYOPT-TLS-CERT-SERVICE-CONN" { + providers = { + azurerm = azurerm.prod + } + + depends_on = [data.azuredevops_project.project] + source = "git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_serviceendpoint_federated?ref=v9.2.1" + + project_id = data.azuredevops_project.project.id + name = "${local.prefix}-${local.domain}-p-tls-cert-azdo" + tenant_id = data.azurerm_client_config.current.tenant_id + subscription_name = var.prod_subscription_name + subscription_id = data.azurerm_subscriptions.prod.subscriptions[0].subscription_id + location = local.location_westeurope + resource_group_name = local.prod_identity_rg_name +} + +resource "azurerm_key_vault_access_policy" 
"PROD-PAYOPT-TLS-CERT-SERVICE-CONN_kv_access_policy" { + provider = azurerm.prod + key_vault_id = data.azurerm_key_vault.domain_kv_prod.id + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = module.PROD-PAYOPT-TLS-CERT-SERVICE-CONN.service_principal_object_id + + certificate_permissions = ["Get", "Import"] +} diff --git a/azure-devops/paymentoptions/05_tlscert-payopt-itn-internal-platform-pagopa-it.tf b/azure-devops/paymentoptions/05_tlscert-payopt-itn-internal-platform-pagopa-it.tf index faadee36..e45380a4 100644 --- a/azure-devops/paymentoptions/05_tlscert-payopt-itn-internal-platform-pagopa-it.tf +++ b/azure-devops/paymentoptions/05_tlscert-payopt-itn-internal-platform-pagopa-it.tf 
@@ -1,88 +1,90 @@ -# variable "tlscert-payopt-itn-internal-prod-platform-pagopa-it" { -# default = { -# repository = { -# organization = "pagopa" -# name = "le-azure-acme-tiny" -# branch_name = "refs/heads/master" -# pipelines_path = "." -# } -# pipeline = { -# enable_tls_cert = true -# path = "TLS-Certificates\\PROD" -# dns_record_name = "payopt.itn.internal" -# dns_zone_name = "platform.pagopa.it" -# dns_zone_resource_group = "pagopa-p-vnet-rg" -# # common variables to all pipelines -# variables = { -# } -# # common secret variables to all pipelines -# variables_secret = { -# } -# } -# } -# } +variable "tlscert-payopt-itn-internal-prod-platform-pagopa-it" { + default = { + repository = { + organization = "pagopa" + name = "le-azure-acme-tiny" + branch_name = "refs/heads/master" + pipelines_path = "." + } + pipeline = { + enable_tls_cert = true + path = "TLS-Certificates\\PROD" + dns_record_name = "payopt.itn.internal" + dns_zone_name = "platform.pagopa.it" + dns_zone_resource_group = "pagopa-p-vnet-rg" + # common variables to all pipelines + variables = { + CERT_NAME_EXPIRE_SECONDS = "2592000" #30 days + KEY_VAULT_NAME = "pagopa-p-itn-payopt-kv" + } + # common secret variables to all pipelines + variables_secret = { + } + } + } +} -# locals { -# tlscert-payopt-itn-internal-prod-platform-pagopa-it = { -# tenant_id = data.azurerm_client_config.current.tenant_id -# subscription_name = "PROD-PAGOPA" -# subscription_id = data.azurerm_subscriptions.prod.subscriptions[0].subscription_id -# } -# tlscert-payopt-itn-internal-prod-platform-pagopa-it-variables = { -# KEY_VAULT_SERVICE_CONNECTION = module.PROD-PAYOPT-TLS-CERT-SERVICE-CONN.service_endpoint_name -# } -# tlscert-payopt-itn-internal-prod-platform-pagopa-it-variables_secret = { -# } -# } +locals { + tlscert-payopt-itn-internal-prod-platform-pagopa-it = { + tenant_id = data.azurerm_client_config.current.tenant_id + subscription_name = "PROD-PAGOPA" + subscription_id = 
data.azurerm_subscriptions.prod.subscriptions[0].subscription_id + } + tlscert-payopt-itn-internal-prod-platform-pagopa-it-variables = { + KEY_VAULT_SERVICE_CONNECTION = module.PROD-PAYOPT-TLS-CERT-SERVICE-CONN.service_endpoint_name + } + tlscert-payopt-itn-internal-prod-platform-pagopa-it-variables_secret = { + } +} -# module "tlscert-payopt-itn-internal-prod-platform-pagopa-it-cert_az" { +module "tlscert-payopt-itn-internal-prod-platform-pagopa-it-cert_az" { -# providers = { -# azurerm = azurerm.prod -# } + providers = { + azurerm = azurerm.prod + } -# source = "./.terraform/modules/__azdo__/azuredevops_build_definition_tls_cert_federated" -# count = var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.pipeline.enable_tls_cert == true ? 1 : 0 + source = "./.terraform/modules/__azdo__/azuredevops_build_definition_tls_cert_federated" + count = var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.pipeline.enable_tls_cert == true ? 1 : 0 -# project_id = data.azuredevops_project.project.id -# repository = var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.repository -# path = var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.pipeline.path -# github_service_connection_id = data.azuredevops_serviceendpoint_github.github_ro.id + project_id = data.azuredevops_project.project.id + repository = var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.repository + path = var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.pipeline.path + github_service_connection_id = data.azuredevops_serviceendpoint_github.github_ro.id -# dns_record_name = var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.pipeline.dns_record_name -# dns_zone_name = var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.pipeline.dns_zone_name -# dns_zone_resource_group = var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.pipeline.dns_zone_resource_group -# tenant_id = local.tlscert-payopt-itn-internal-prod-platform-pagopa-it.tenant_id -# subscription_name = 
local.tlscert-payopt-itn-internal-prod-platform-pagopa-it.subscription_name -# subscription_id = local.tlscert-payopt-itn-internal-prod-platform-pagopa-it.subscription_id -# location = local.location_westeurope -# credential_key_vault_name = local.prod_payopt_key_vault_name -# credential_key_vault_resource_group = local.prod_payopt_key_vault_resource_group -# managed_identity_resource_group_name = local.prod_identity_rg_name + dns_record_name = var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.pipeline.dns_record_name + dns_zone_name = var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.pipeline.dns_zone_name + dns_zone_resource_group = var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.pipeline.dns_zone_resource_group + tenant_id = local.tlscert-payopt-itn-internal-prod-platform-pagopa-it.tenant_id + subscription_name = local.tlscert-payopt-itn-internal-prod-platform-pagopa-it.subscription_name + subscription_id = local.tlscert-payopt-itn-internal-prod-platform-pagopa-it.subscription_id + location = local.location_westeurope + credential_key_vault_name = local.prod_payopt_key_vault_name + credential_key_vault_resource_group = local.prod_payopt_key_vault_resource_group + managed_identity_resource_group_name = local.prod_identity_rg_name -# variables = merge( -# var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.pipeline.variables, -# local.tlscert-payopt-itn-internal-prod-platform-pagopa-it-variables, -# ) + variables = merge( + var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.pipeline.variables, + local.tlscert-payopt-itn-internal-prod-platform-pagopa-it-variables, + ) -# variables_secret = merge( -# var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.pipeline.variables_secret, -# local.tlscert-payopt-itn-internal-prod-platform-pagopa-it-variables_secret, -# ) + variables_secret = merge( + var.tlscert-payopt-itn-internal-prod-platform-pagopa-it.pipeline.variables_secret, + 
local.tlscert-payopt-itn-internal-prod-platform-pagopa-it-variables_secret, + ) -# service_connection_ids_authorization = [ -# module.PROD-PAYOPT-TLS-CERT-SERVICE-CONN.service_endpoint_id, -# ] + service_connection_ids_authorization = [ + module.PROD-PAYOPT-TLS-CERT-SERVICE-CONN.service_endpoint_id, + ] -# schedules = { -# days_to_build = ["Wed",Fri"] -# schedule_only_with_changes = false -# start_hours = 13 -# start_minutes = 0 -# time_zone = "(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna" -# branch_filter = { -# include = ["master"] -# exclude = [] -# } -# } -# } + schedules = { + days_to_build = ["Wed", "Fri"] + schedule_only_with_changes = false + start_hours = 3 + start_minutes = 0 + time_zone = "(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna" + branch_filter = { + include = ["master"] + exclude = [] + } + } +}
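Review bot: `subscription_name = "PROD-PAGOPA"` in the locals is a literal while the same value is taken from `var.prod_subscription_name` in 03_service_connections_tls_certificate.tf and from `local.prod_subscription_name` in 00_secrets_prod.tf, so the three can drift; `subscription_name = var.prod_subscription_name` keeps one source of truth (assuming the variable holds that exact name — please confirm). Likewise `KEY_VAULT_NAME = "pagopa-p-itn-payopt-kv"` in the variable default duplicates what `credential_key_vault_name = local.prod_payopt_key_vault_name` presumably resolves to; since a variable default cannot reference locals, moving it to `local.tlscert-payopt-itn-internal-prod-platform-pagopa-it-variables` as `KEY_VAULT_NAME = local.prod_payopt_key_vault_name` ties the pipeline to the same vault the credential is created in. The `#30 days` comment on CERT_NAME_EXPIRE_SECONDS is helpful; a matching note on `start_hours = 3` explaining why the schedule moved from 13 would complete it.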