Merge branch 'main' into CHK-3579-wallet-ingestion-staging-hub

pagopa · Dec 2, 2024 · 1234ddc · 1234ddc
2 parents 677a0f5 + 09e95c1
commit 1234ddc
Show file tree

Hide file tree

Showing 179 changed files with 1,593 additions and 532 deletions.
diff --git a/src/aks-leonardo/03_aks_0.tf b/src/aks-leonardo/03_aks_0.tf
@@ -55,6 +55,9 @@ module "aks_leonardo" {
   addon_azure_policy_enabled                     = true
   addon_azure_key_vault_secrets_provider_enabled = true
   addon_azure_pod_identity_enabled               = true
+  workload_identity_enabled                      = var.aks_enable_workload_identity
+  oidc_issuer_enabled                            = var.aks_enable_workload_identity
+
 
   alerts_enabled = var.aks_alerts_enabled
   # custom_metric_alerts = local.aks_metrics_alerts

diff --git a/src/aks-leonardo/99_variables.tf b/src/aks-leonardo/99_variables.tf
@@ -566,3 +566,8 @@ variable "monitor_appinsights_name" {
   type        = string
   description = "App insight in europe name"
 }
+
+variable "aks_enable_workload_identity" {
+  type    = bool
+  default = false
+}
diff --git a/src/aks-leonardo/env/itn-dev/terraform.tfvars b/src/aks-leonardo/env/itn-dev/terraform.tfvars
@@ -38,9 +38,11 @@ monitor_appinsights_name                    = "pagopa-d-appinsights"
 #
 # ⛴ AKS
 #
-aks_private_cluster_enabled = false
-aks_alerts_enabled          = false
-aks_kubernetes_version      = "1.29.4"
+aks_private_cluster_enabled  = false
+aks_alerts_enabled           = false
+aks_kubernetes_version       = "1.29.4"
+aks_enable_workload_identity = true
+
 aks_system_node_pool = {
   name            = "padaksleosys",
   vm_size         = "Standard_B2ms",

diff --git a/src/aks-leonardo/env/itn-prod/terraform.tfvars b/src/aks-leonardo/env/itn-prod/terraform.tfvars
@@ -39,10 +39,12 @@ monitor_appinsights_name                    = "pagopa-p-appinsights"
 #
 # ⛴ AKS
 #
-aks_private_cluster_enabled = true
-aks_alerts_enabled          = false
-aks_kubernetes_version      = "1.29.4"
-aks_sku_tier                = "Standard"
+aks_private_cluster_enabled  = true
+aks_alerts_enabled           = false
+aks_kubernetes_version       = "1.29.4"
+aks_sku_tier                 = "Standard"
+aks_enable_workload_identity = false
+
 aks_system_node_pool = {
   name            = "papaksleosys",
   vm_size         = "Standard_D2ds_v5",

diff --git a/src/aks-leonardo/env/itn-uat/terraform.tfvars b/src/aks-leonardo/env/itn-uat/terraform.tfvars
@@ -38,10 +38,12 @@ monitor_appinsights_name                    = "pagopa-u-appinsights"
 #
 # ⛴ AKS
 #
-aks_private_cluster_enabled = true
-aks_alerts_enabled          = false
-aks_kubernetes_version      = "1.29.4"
-aks_sku_tier                = "Standard"
+aks_private_cluster_enabled  = true
+aks_alerts_enabled           = false
+aks_kubernetes_version       = "1.29.4"
+aks_sku_tier                 = "Standard"
+aks_enable_workload_identity = true
+
 aks_system_node_pool = {
   name            = "pauaksleosys",
   vm_size         = "Standard_D2ds_v5",

diff --git a/src/domains/aca-app/00_data.tf b/src/domains/aca-app/00_data.tf
@@ -0,0 +1,3 @@
+data "azurerm_resource_group" "identity_rg" {
+  name = "${local.product}-identity-rg"
+}
diff --git a/src/domains/aca-app/README.md b/src/domains/aca-app/README.md
@@ -15,11 +15,12 @@
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_apim_aca_api_v1"></a> [apim\_aca\_api\_v1](#module\_apim\_aca\_api\_v1) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api | v6.3.0 |
-| <a name="module_apim_aca_product"></a> [apim\_aca\_product](#module\_apim\_aca\_product) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product | v6.3.0 |
+| <a name="module___v3__"></a> [\_\_v3\_\_](#module\_\_\_v3\_\_) | git::https://github.com/pagopa/terraform-azurerm-v3 | 63f6181a6f3a51707a2ab4795bdbed2d888c708b |
+| <a name="module_apim_aca_api_v1"></a> [apim\_aca\_api\_v1](#module\_apim\_aca\_api\_v1) | ./.terraform/modules/__v3__/api_management_api | n/a |
+| <a name="module_apim_aca_product"></a> [apim\_aca\_product](#module\_apim\_aca\_product) | ./.terraform/modules/__v3__/api_management_product | n/a |
 | <a name="module_apim_api_debt_positions_for_aca_api_v1"></a> [apim\_api\_debt\_positions\_for\_aca\_api\_v1](#module\_apim\_api\_debt\_positions\_for\_aca\_api\_v1) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api | v6.11.2 |
-| <a name="module_pod_identity"></a> [pod\_identity](#module\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v6.3.0 |
-| <a name="module_tls_checker"></a> [tls\_checker](#module\_tls\_checker) | git::https://github.com/pagopa/terraform-azurerm-v3.git//tls_checker | v6.3.0 |
+| <a name="module_pod_identity"></a> [pod\_identity](#module\_pod\_identity) | ./.terraform/modules/__v3__/kubernetes_pod_identity | n/a |
+| <a name="module_tls_checker"></a> [tls\_checker](#module\_tls\_checker) | ./.terraform/modules/__v3__/tls_checker | n/a |
 
 ## Resources
 
@@ -66,6 +67,7 @@
 | [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
 | [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
 | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_resource_group.identity_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_subnet.apim_vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |

diff --git a/src/domains/afm-app/00_data.tf b/src/domains/afm-app/00_data.tf
@@ -0,0 +1,3 @@
+data "azurerm_resource_group" "identity_rg" {
+  name = "${local.product}-identity-rg"
+}
diff --git a/src/domains/afm-app/07_gh_runner.tf b/src/domains/afm-app/07_gh_runner.tf
@@ -0,0 +1,56 @@
+locals {
+  # because westeurope does not support any other container app environment creation
+  tools_cae_name = var.env_short != "p" ? "${local.product}-tools-cae" : "${local.product}-itn-core-tools-cae"
+  tools_cae_rg   = var.env_short != "p" ? "${local.product}-core-tools-rg" : "${local.product}-itn-core-tools-rg"
+}
+
+module "gh_runner_job" {
+  source = "./.terraform/modules/__v3__/gh_runner_container_app_job_domain_setup"
+
+  domain_name        = var.domain
+  env_short          = var.env_short
+  environment_name   = local.tools_cae_name
+  environment_rg     = local.tools_cae_rg
+  gh_identity_suffix = "job-01"
+  runner_labels      = ["self-hosted-job"]
+  gh_repositories = [
+    {
+      name : "pagopa-afm-calculator",
+      short_name : "afm-calc"
+    },
+    {
+      name : "pagopa-afm-utils",
+      short_name : "afm-utils"
+    },
+    {
+      name : "pagopa-afm-marketplace-be",
+      short_name : "afm-mkt-be"
+    },
+    {
+      name : "pagopa-afm-fee-reporting-service",
+      short_name : "afm-fee-rpt"
+    }
+  ]
+  job = {
+    name = var.domain
+  }
+  job_meta = {}
+  key_vault = {
+    name        = "${local.product}-kv"     # Name of the KeyVault which stores PAT as secret
+    rg          = "${local.product}-sec-rg" # Resource group of the KeyVault which stores PAT as secret
+    secret_name = "gh-runner-job-pat"       # Data of the KeyVault which stores PAT as secret
+  }
+  kubernetes_deploy = {
+    enabled      = true
+    namespaces   = [kubernetes_namespace.namespace.metadata[0].name]
+    cluster_name = "${local.product}-${var.location_short}-${var.instance}-aks"
+    rg           = "${local.product}-${var.location_short}-${var.instance}-aks-rg"
+  }
+
+  location            = var.gh_runner_job_location
+  prefix              = var.prefix
+  resource_group_name = data.azurerm_resource_group.identity_rg.name
+
+  tags = var.tags
+
+}
diff --git a/src/domains/afm-app/99_main.tf b/src/domains/afm-app/99_main.tf
@@ -48,6 +48,6 @@ provider "helm" {
 }
 
 module "__v3__" {
-  # v8.58.0
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3?ref=63f6181a6f3a51707a2ab4795bdbed2d888c708b"
+  # v8.60.0
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3?ref=551a56a4bf841cd431b51ec951639e74260daf6a"
 }
diff --git a/src/domains/afm-app/99_variables.tf b/src/domains/afm-app/99_variables.tf
@@ -127,3 +127,10 @@ variable "pod_disruption_budgets" {
   description = "Pod disruption budget for domain namespace"
   default     = {}
 }
+
+variable "gh_runner_job_location" {
+  type        = string
+  description = "(Optional) The GH runner container app job location. Consistent with the container app environment location"
+  default     = "westeurope"
+}
+
diff --git a/src/domains/afm-app/README.md b/src/domains/afm-app/README.md
@@ -16,7 +16,7 @@
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module___v3__"></a> [\_\_v3\_\_](#module\_\_\_v3\_\_) | git::https://github.com/pagopa/terraform-azurerm-v3 | 63f6181a6f3a51707a2ab4795bdbed2d888c708b |
+| <a name="module___v3__"></a> [\_\_v3\_\_](#module\_\_\_v3\_\_) | git::https://github.com/pagopa/terraform-azurerm-v3 | 551a56a4bf841cd431b51ec951639e74260daf6a |
 | <a name="module_apim_afm_calculator_node_product"></a> [apim\_afm\_calculator\_node\_product](#module\_apim\_afm\_calculator\_node\_product) | ./.terraform/modules/__v3__/api_management_product | n/a |
 | <a name="module_apim_afm_calculator_product"></a> [apim\_afm\_calculator\_product](#module\_apim\_afm\_calculator\_product) | ./.terraform/modules/__v3__/api_management_product | n/a |
 | <a name="module_apim_afm_marketplace_product"></a> [apim\_afm\_marketplace\_product](#module\_apim\_afm\_marketplace\_product) | ./.terraform/modules/__v3__/api_management_product | n/a |
@@ -27,6 +27,7 @@
 | <a name="module_apim_api_afm_marketplace_api_v1"></a> [apim\_api\_afm\_marketplace\_api\_v1](#module\_apim\_api\_afm\_marketplace\_api\_v1) | ./.terraform/modules/__v3__/api_management_api | n/a |
 | <a name="module_apim_api_afm_marketplace_technical_support_api_v1"></a> [apim\_api\_afm\_marketplace\_technical\_support\_api\_v1](#module\_apim\_api\_afm\_marketplace\_technical\_support\_api\_v1) | ./.terraform/modules/__v3__/api_management_api | n/a |
 | <a name="module_apim_api_afm_utils_v1"></a> [apim\_api\_afm\_utils\_v1](#module\_apim\_api\_afm\_utils\_v1) | ./.terraform/modules/__v3__/api_management_api | n/a |
+| <a name="module_gh_runner_job"></a> [gh\_runner\_job](#module\_gh\_runner\_job) | ./.terraform/modules/__v3__/gh_runner_container_app_job_domain_setup | n/a |
 | <a name="module_pod_identity"></a> [pod\_identity](#module\_pod\_identity) | ./.terraform/modules/__v3__/kubernetes_pod_identity | n/a |
 | <a name="module_tls_checker"></a> [tls\_checker](#module\_tls\_checker) | ./.terraform/modules/__v3__/tls_checker | n/a |
 
@@ -78,6 +79,7 @@
 | [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
 | [azurerm_monitor_action_group.opsgenie](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
 | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_resource_group.identity_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.rg_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
@@ -94,6 +96,7 @@
 | <a name="input_env"></a> [env](#input\_env) | n/a | `string` | n/a | yes |
 | <a name="input_env_short"></a> [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes |
 | <a name="input_external_domain"></a> [external\_domain](#input\_external\_domain) | Domain for delegation | `string` | `null` | no |
+| <a name="input_gh_runner_job_location"></a> [gh\_runner\_job\_location](#input\_gh\_runner\_job\_location) | (Optional) The GH runner container app job location. Consistent with the container app environment location | `string` | `"westeurope"` | no |
 | <a name="input_instance"></a> [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes |
 | <a name="input_k8s_kube_config_path_prefix"></a> [k8s\_kube\_config\_path\_prefix](#input\_k8s\_kube\_config\_path\_prefix) | n/a | `string` | `"~/.kube"` | no |
 | <a name="input_location"></a> [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes |

diff --git a/src/domains/afm-app/env/weu-dev/terraform.tfvars b/src/domains/afm-app/env/weu-dev/terraform.tfvars
@@ -1,11 +1,12 @@
-prefix          = "pagopa"
-env_short       = "d"
-env             = "dev"
-domain          = "afm"
-location        = "westeurope"
-location_short  = "weu"
-location_string = "West Europe"
-instance        = "dev"
+prefix                 = "pagopa"
+env_short              = "d"
+env                    = "dev"
+domain                 = "afm"
+location               = "westeurope"
+location_short         = "weu"
+location_string        = "West Europe"
+instance               = "dev"
+gh_runner_job_location = "westeurope"
 
 tags = {
   CreatedBy   = "Terraform"

diff --git a/src/domains/afm-app/env/weu-prod/terraform.tfvars b/src/domains/afm-app/env/weu-prod/terraform.tfvars
@@ -1,11 +1,12 @@
-prefix          = "pagopa"
-env_short       = "p"
-env             = "prod"
-domain          = "afm"
-location        = "westeurope"
-location_short  = "weu"
-location_string = "West Europe"
-instance        = "prod"
+prefix                 = "pagopa"
+env_short              = "p"
+env                    = "prod"
+domain                 = "afm"
+location               = "westeurope"
+location_short         = "weu"
+location_string        = "West Europe"
+instance               = "prod"
+gh_runner_job_location = "italynorth"
 
 tags = {
   CreatedBy   = "Terraform"

diff --git a/src/domains/afm-app/env/weu-uat/terraform.tfvars b/src/domains/afm-app/env/weu-uat/terraform.tfvars
@@ -1,11 +1,12 @@
-prefix          = "pagopa"
-env_short       = "u"
-env             = "uat"
-domain          = "afm"
-location        = "westeurope"
-location_short  = "weu"
-location_string = "West Europe"
-instance        = "uat"
+prefix                 = "pagopa"
+env_short              = "u"
+env                    = "uat"
+domain                 = "afm"
+location               = "westeurope"
+location_short         = "weu"
+location_string        = "West Europe"
+instance               = "uat"
+gh_runner_job_location = "westeurope"
 
 tags = {
   CreatedBy   = "Terraform"

diff --git a/src/domains/apiconfig-app/00_data.tf b/src/domains/apiconfig-app/00_data.tf
@@ -23,6 +23,10 @@ data "azurerm_api_management" "apim" {
   resource_group_name = "${local.product}-api-rg"
 }
 
+data "azurerm_resource_group" "identity_rg" {
+  name = "${local.product}-identity-rg"
+}
+
 locals {
   global_project = format("%s-%s", var.prefix, var.env_short)
 }

diff --git a/src/domains/apiconfig-app/04_apim_product_apiconfig-cache_export.tf b/src/domains/apiconfig-app/04_apim_product_apiconfig-cache_export.tf
@@ -0,0 +1,25 @@
+module "apim_apiconfig_cache_export_product" {
+  source = "./.terraform/modules/__v3__/api_management_product"
+
+  product_id   = local.apiconfig_cache_export_locals.product_id
+  display_name = local.apiconfig_cache_export_locals.display_name
+  description  = local.apiconfig_cache_export_locals.description
+
+  api_management_name = local.pagopa_apim_name
+  resource_group_name = local.pagopa_apim_rg
+
+  published             = true
+  subscription_required = local.apiconfig_cache_export_locals.subscription_required
+  approval_required     = true
+  subscriptions_limit   = local.apiconfig_cache_export_locals.subscription_limit
+
+  policy_xml = file("./api_product/apiconfig-cache/_base_policy.xml")
+}
+
+
+resource "azurerm_api_management_product_group" "access_control_developers_for_cache_export" {
+  product_id          = module.apim_apiconfig_cache_export_product.product_id
+  group_name          = data.azurerm_api_management_group.group_developers.name
+  api_management_name = local.pagopa_apim_name
+  resource_group_name = local.pagopa_apim_rg
+}
diff --git a/src/domains/apiconfig-app/07_gh_runner.tf b/src/domains/apiconfig-app/07_gh_runner.tf
@@ -0,0 +1,44 @@
+locals {
+  # because westeurope does not support any other container app environment creation
+  tools_cae_name = var.env_short != "p" ? "${local.product}-tools-cae" : "${local.product}-itn-core-tools-cae"
+  tools_cae_rg   = var.env_short != "p" ? "${local.product}-core-tools-rg" : "${local.product}-itn-core-tools-rg"
+}
+
+module "gh_runner_job" {
+  source = "./.terraform/modules/__v3__/gh_runner_container_app_job_domain_setup"
+
+  domain_name        = var.domain
+  env_short          = var.env_short
+  environment_name   = local.tools_cae_name
+  environment_rg     = local.tools_cae_rg
+  gh_identity_suffix = "job-01"
+  runner_labels      = ["self-hosted-job"]
+  gh_repositories = [
+    {
+      name : "pagopa-api-config-cache",
+      short_name : "apicfg-cache"
+    }
+  ]
+  job = {
+    name = var.domain
+  }
+  job_meta = {}
+  key_vault = {
+    name        = "${local.product}-kv"     # Name of the KeyVault which stores PAT as secret
+    rg          = "${local.product}-sec-rg" # Resource group of the KeyVault which stores PAT as secret
+    secret_name = "gh-runner-job-pat"       # Data of the KeyVault which stores PAT as secret
+  }
+  kubernetes_deploy = {
+    enabled      = true
+    namespaces   = [kubernetes_namespace.namespace.metadata[0].name]
+    cluster_name = "${local.product}-${var.location_short}-${var.instance}-aks"
+    rg           = "${local.product}-${var.location_short}-${var.instance}-aks-rg"
+  }
+
+  location            = var.location
+  prefix              = var.prefix
+  resource_group_name = data.azurerm_resource_group.identity_rg.name
+
+  tags = var.tags
+
+}
diff --git a/src/domains/apiconfig-app/99_locals.tf b/src/domains/apiconfig-app/99_locals.tf
@@ -95,6 +95,22 @@ locals {
 
     pagopa_tenant_id = data.azurerm_client_config.current.tenant_id
   }
+
+  apiconfig_cache_export_locals = {
+    hostname = var.env == "prod" ? "weuprod.apiconfig.internal.platform.pagopa.it" : "weu${var.env}.apiconfig.internal.${var.env}.platform.pagopa.it"
+
+    product_id            = "apiconfig-cache-export"
+    display_name          = "API Config Cache - Export"
+    description           = "Export APIs of pagoPA cache"
+    subscription_required = true
+    subscription_limit    = 1000
+
+    path        = "api-config-cache-export"
+    service_url = null
+
+    pagopa_tenant_id = data.azurerm_client_config.current.tenant_id
+  }
+
   apim_x_node_product_id = "apim_for_node"
   cfg_x_node_product_id  = "cfg-for-node"
 

diff --git a/src/domains/apiconfig-app/99_main.tf b/src/domains/apiconfig-app/99_main.tf
@@ -63,6 +63,6 @@ data "azurerm_subscription" "current" {}
 data "azurerm_client_config" "current" {}
 
 module "__v3__" {
-  # v8.58.0
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3?ref=63f6181a6f3a51707a2ab4795bdbed2d888c708b"
+  # v8.60.0
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3?ref=551a56a4bf841cd431b51ec951639e74260daf6a"
 }
diff --git a/src/domains/apiconfig-app/99_variables.tf b/src/domains/apiconfig-app/99_variables.tf
@@ -232,3 +232,9 @@ variable "pod_disruption_budgets" {
   description = "Pod disruption budget for domain namespace"
   default     = {}
 }
+
+variable "gh_runner_job_location" {
+  type        = string
+  description = "(Optional) The GH runner container app job location. Consistent with the container app environment location"
+  default     = "westeurope"
+}