[TCE-169][TCE-199] Use CDN over apex domain for static assets

src/core/00_dns.tf

@@ -29,7 +29,7 @@ resource "azurerm_dns_ns_record" "dev_portalefatturazione_pagopa_it_ns" {
 # agw
 #
 resource "azurerm_dns_a_record" "agw" {
-  name                = "@"
+  name                = var.dns_api_prefix
   zone_name           = azurerm_dns_zone.portalefatturazione[0].name
   resource_group_name = azurerm_resource_group.networking.name
   records             = [azurerm_public_ip.agw.ip_address]

src/core/00_key_vault.tf

@@ -88,3 +88,15 @@ resource "azurerm_key_vault_access_policy" "agw_policy" {
   storage_permissions     = []
   certificate_permissions = ["Get", "List"]
 }
+
+#
+# policy cdn
+#
+resource "azurerm_key_vault_access_policy" "cdn_policy" {
+  key_vault_id            = module.key_vault.id
+  tenant_id               = data.azurerm_client_config.current.tenant_id
+  object_id               = var.azuread_service_principal_azure_cdn_frontdoor_id
+  secret_permissions      = ["Get"]
+  storage_permissions     = []
+  certificate_permissions = ["Get"]
+}

src/core/00_resource_groups.tf

@@ -32,4 +32,10 @@ resource "azurerm_resource_group" "identity" {
   name     = format("%s-%s-rg", local.project, "identity")
   location = var.location
   tags     = var.tags
+}
+
+resource "azurerm_resource_group" "cdn" {
+  name     = format("%s-%s-rg", local.project, "cdn")
+  location = var.location
+  tags     = var.tags
 }

src/core/10_appgateway.tf

@@ -28,7 +28,7 @@ resource "azurerm_user_assigned_identity" "agw" {
 
 # read the certificate before provisioning the appgateway
 data "azurerm_key_vault_certificate" "agw_app" {
-  name         = var.agw_app_certificate_name
+  name         = var.agw_api_app_certificate_name
   key_vault_id = module.key_vault.id
 }
 
@@ -80,12 +80,12 @@ module "agw" {
   listeners = {
     app = {
       protocol           = "Https"
-      host               = join(".", [var.dns_zone_portalefatturazione_prefix, var.dns_external_domain])
+      host               = join(".", [var.dns_api_prefix, var.dns_zone_portalefatturazione_prefix, var.dns_external_domain])
       port               = 443
       ssl_profile_name   = null
       firewall_policy_id = null
       certificate = {
-        name = var.agw_app_certificate_name
+        name = var.agw_api_app_certificate_name
         id = replace(
           data.azurerm_key_vault_certificate.agw_app.secret_id,
           "/${data.azurerm_key_vault_certificate.agw_app.version}",

src/core/20_appservice.tf

@@ -34,8 +34,8 @@ module "app" {
   allowed_ips      = []
   subnet_id        = module.app_snet.id
   app_settings = {
-    WEBSITES_ENABLE_APP_SERVICE_STORAGE = false           # disable SMB mount across scale instances of /home
-    WEBSITES_PORT                       = 8080            # look at EXPOSE port in Dockerfile of container
+    WEBSITES_ENABLE_APP_SERVICE_STORAGE = false # disable SMB mount across scale instances of /home
+    WEBSITES_PORT                       = 8080  # look at EXPOSE port in Dockerfile of container
   }
   tags = var.tags
 }

src/core/60_cdn.tf

@@ -0,0 +1,19 @@
+module "cdn" {
+  source                           = "./.terraform/modules/__v3__/cdn/"
+  # unfortunately, the module will create some ugly resource names
+  # like, fat-p-cdn-cdn-endpoint, as in "${var.prefix}-${var.name}-cdn-endpoint"
+  name                             = "cdn" 
+  resource_group_name              = azurerm_resource_group.cdn.name
+  location                         = var.secondary_location
+  storage_account_replication_type = var.cdn_storage_account_replication_type
+  prefix                           = local.project
+  dns_zone_name                    = azurerm_dns_zone.portalefatturazione[0].name
+  dns_zone_resource_group_name     = azurerm_resource_group.networking.name
+  hostname                         = join(".", [var.dns_zone_portalefatturazione_prefix, var.dns_external_domain])
+  keyvault_vault_name              = module.key_vault.name
+  keyvault_subscription_id         = data.azurerm_subscription.current.subscription_id
+  keyvault_resource_group_name     = module.key_vault.resource_group_name
+  index_document                   = "index.html"
+  error_404_document               = "404.html"
+  tags                             = var.tags
+}

src/core/99_variables.tf

@@ -76,12 +76,34 @@ variable "dns_external_domain" {
   default     = "pagopa.it"
 }
 
+variable "dns_api_prefix" {
+  type        = string
+  description = "dns name of the api endpoint"
+  default     = "api"
+}
+
 variable "dns_default_ttl_sec" {
   type        = number
   description = "dns ttl"
   default     = 3600
 }
 
+#
+# cdn
+#
+variable "azuread_service_principal_azure_cdn_frontdoor_id" {
+  type        = string
+  description = "azure cdn front door principal id"
+  # this is the deafult value for tenant pagopa.it
+  default = "f3b3f72f-4770-47a5-8c1e-aa298003be12"
+}
+
+variable "cdn_storage_account_replication_type" {
+  type        = string
+  description = "storage account replication type for the cdn endpoint"
+  default     = "ZRS"
+}
+
 #
 # networking
 #
@@ -144,7 +166,7 @@ variable "secondary_cidr_pvt_endp_snet" {
 #
 # appgateway
 #
-variable "agw_app_certificate_name" {
+variable "agw_api_app_certificate_name" {
   type        = string
   description = "the certificate name on the kv for the api endpoint"
 }

src/core/env/prod/terraform.tfvars

@@ -17,7 +17,7 @@ tags = {
 #
 # dns
 #
-dns_zone_portalefatturazione_prefix = "portalefatturazione" # FIXME
+dns_zone_portalefatturazione_prefix = "portalefatturazione"
 
 #
 # networking
@@ -40,7 +40,7 @@ secondary_cidr_pvt_endp_snet = ["10.1.60.0/23"]
 #
 # appgateway
 #
-agw_app_certificate_name = "portalefatturazione-pagopa-it"
+agw_api_app_certificate_name = "api-portalefatturazione-pagopa-it"
 
 #
 # appservice