+data "azuread_service_principal" "iac_sp_plan" {
+ display_name = "azdo-sp-plan-devopslab-${var.env}"
+}
+
+resource "azurerm_key_vault_access_policy" "iac_sp_plan_policy" {
+ key_vault_id = module.key_vault_domain.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azuread_service_principal.iac_sp_plan.object_id
+
+ secret_permissions = ["Get", "List", "Set", ]
+
+ certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", "Import"]
+
+ storage_permissions = []
+}
diff --git a/src/domains/blueprint-common/99_main.tf b/src/domains/blueprint-common/99_main.tf
new file mode 100644
index 00000000..6f2846aa
--- /dev/null
+++ b/src/domains/blueprint-common/99_main.tf
@@ -0,0 +1,45 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "<= 3.71.0"
+ }
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "= 2.21.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = "= 3.1.1"
+ }
+ pkcs12 = {
+ source = "chilicat/pkcs12"
+ version = "0.0.7"
+ }
+ }
+
+ backend "azurerm" {}
+}
+
+provider "azurerm" {
+ features {
+ key_vault {
+ purge_soft_delete_on_destroy = false
+ }
+ }
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
+
+data "terraform_remote_state" "core" {
+ backend = "azurerm"
+
+ config = {
+ resource_group_name = var.terraform_remote_state_core.resource_group_name
+ storage_account_name = var.terraform_remote_state_core.storage_account_name
+ container_name = var.terraform_remote_state_core.container_name
+ key = var.terraform_remote_state_core.key
+ }
+}
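Review bot: The `azurerm` constraint `version = "<= 3.71.0"` on line 26 has no lower bound, so any older release, including 2.x, satisfies it, while `azuread`, `null` and `pkcs12` in the same block are pinned exactly; a pin such as `version = "= 3.71.0"` (or `~> 3.71.0` if patch drift is acceptable) keeps lock-file generation and CI resolution deterministic. The same constraint is repeated in 99_main.tf.ci. The `backend "azurerm" {}` block is left empty because terraform.sh supplies `-backend-config="./env/$env/backend.tfvars"`; a comment above it, `# backend settings are injected by terraform.sh from env/<env>/backend.tfvars`, would save the next reader the lookup.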
diff --git a/src/domains/blueprint-common/99_main.tf.ci b/src/domains/blueprint-common/99_main.tf.ci
new file mode 100644
index 00000000..027f4ce0
--- /dev/null
+++ b/src/domains/blueprint-common/99_main.tf.ci
@@ -0,0 +1,44 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "<= 3.71.0"
+ }
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "= 2.21.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = "= 3.1.1"
+ }
+ pkcs12 = {
+ source = "chilicat/pkcs12"
+ version = "0.0.7"
+ }
+ }
+
+}
+
+provider "azurerm" {
+ features {
+ key_vault {
+ purge_soft_delete_on_destroy = false
+ }
+ }
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
+
+data "terraform_remote_state" "core" {
+ backend = "azurerm"
+
+ config = {
+ resource_group_name = var.terraform_remote_state_core.resource_group_name
+ storage_account_name = var.terraform_remote_state_core.storage_account_name
+ container_name = var.terraform_remote_state_core.container_name
+ key = var.terraform_remote_state_core.key
+ }
+}
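Review bot: This file is a copy of 99_main.tf with only the `backend "azurerm" {}` block removed, so every provider version change now has to be made in two places and the two will drift silently. A header comment stating the relationship and the maintenance rule, e.g. `# CI variant of 99_main.tf without the backend block; keep required_providers in sync with 99_main.tf`, would make that explicit. I cannot tell from the diff how the `.ci` suffix is consumed, so I am assuming CI tooling swaps it in for the real file.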
diff --git a/src/domains/blueprint-common/99_variables.tf b/src/domains/blueprint-common/99_variables.tf
new file mode 100644
index 00000000..d857f8b0
--- /dev/null
+++ b/src/domains/blueprint-common/99_variables.tf
@@ -0,0 +1,119 @@
+# general
+locals {
+ project = "${var.prefix}-${var.env_short}-${var.location_short}-${var.domain}"
+ product = "${var.prefix}-${var.env_short}"
+
+ # monitor
+ monitor_rg_name = "${local.product}-monitor-rg"
+ monitor_log_analytics_workspace_name = "${local.product}-law"
+ monitor_appinsights_name = "${local.product}-appinsights"
+ monitor_security_storage_name = replace("${local.product}-sec-monitor-st", "-", "")
+
+ monitor_action_group_slack_name = "SlackPagoPA"
+ monitor_action_group_email_name = "PagoPA"
+
+ vnet_core_name = "${local.product}-vnet"
+ vnet_core_resource_group_name = "${local.product}-vnet-rg"
+
+ dns_zone_public_name = "devopslab.pagopa.it"
+ dns_zone_private_name = "internal.devopslab.pagopa.it"
+
+}
+
+variable "prefix" {
+ type = string
+ validation {
+ condition = (
+ length(var.prefix) <= 6
+ )
+ error_message = "Max length is 6 chars."
+ }
+}
+
+variable "env" {
+ type = string
+}
+
+variable "env_short" {
+ type = string
+ validation {
+ condition = (
+ length(var.env_short) == 1
+ )
+ error_message = "Length must be 1 chars."
+ }
+}
+
+variable "domain" {
+ type = string
+ validation {
+ condition = (
+ length(var.domain) <= 12
+ )
+ error_message = "Max length is 12 chars."
+ }
+}
+
+variable "location" {
+ type = string
+ description = "One of westeurope, northeurope"
+}
+
+variable "location_short" {
+ type = string
+ validation {
+ condition = (
+ length(var.location_short) == 3
+ )
+ error_message = "Length must be 3 chars."
+ }
+ description = "One of wue, neu"
+}
+
+variable "instance" {
+ type = string
+ description = "One of beta, prod01, prod02"
+}
+
+variable "lock_enable" {
+ type = bool
+ default = false
+ description = "Apply locks to block accedentaly deletions."
+}
+
+variable "tags" {
+ type = map(any)
+ default = {
+ CreatedBy = "Terraform"
+ }
+}
+
+# DNS
+variable "external_domain" {
+ type = string
+ default = "pagopa.it"
+ description = "Domain for delegation"
+}
+
+variable "dns_zone_prefix" {
+ type = string
+ default = "devopslab"
+ description = "The dns subdomain."
+}
+
+### External resources
+
+variable "monitor_resource_group_name" {
+ type = string
+ description = "Monitor resource group name"
+}
+
+variable "log_analytics_workspace_name" {
+ type = string
+ description = "Specifies the name of the Log Analytics Workspace."
+}
+
+variable "log_analytics_workspace_resource_group_name" {
+ type = string
+ description = "The name of the resource group in which the Log Analytics workspace is located in."
+}
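Review bot: `variable "env"` on line 155 has neither a description nor a validation, yet terraform.sh only accepts dev, uat or prod and the value is interpolated into the service-principal display name `azdo-sp-plan-devopslab-${var.env}`; a validation with `condition = contains(["dev", "uat", "prod"], var.env)` would reject a mistyped environment at plan time instead of resolving the wrong principal or producing a wrongly named resource. `location` and `location_short` document "One of westeurope, northeurope" / "One of wue, neu" but only the length is checked, so `contains([...])` would be more precise there as well. The `lock_enable` description on line 203 has a typo: `description = "Apply locks to block accidental deletions."`.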
diff --git a/src/domains/blueprint-common/README.md b/src/domains/blueprint-common/README.md
new file mode 100644
index 00000000..f4511b6c
--- /dev/null
+++ b/src/domains/blueprint-common/README.md
@@ -0,0 +1,68 @@
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [azuread](#requirement\_azuread) | = 2.21.0 |
+| [azurerm](#requirement\_azurerm) | <= 3.71.0 |
+| [null](#requirement\_null) | = 3.1.1 |
+| [pkcs12](#requirement\_pkcs12) | 0.0.7 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [key\_vault\_domain](#module\_key\_vault\_domain) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v7.7.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_key_vault_access_policy.ad_admin_group_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.adgroup_developers_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.adgroup_externals_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.azdevops_platform_iac_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.iac_sp_plan_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_resource_group.sec_rg_domain](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source |
+| [azuread_service_principal.iac_sp_plan](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/service_principal) | data source |
+| [azuread_service_principal.platform_iac_sp](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/service_principal) | data source |
+| [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_dns_zone.public](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source |
+| [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
+| [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_resource_group.rg_vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_virtual_network.vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
+| [terraform_remote_state.core](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [dns\_zone\_prefix](#input\_dns\_zone\_prefix) | The dns subdomain. | `string` | `"devopslab"` | no |
+| [domain](#input\_domain) | n/a | `string` | n/a | yes |
+| [env](#input\_env) | n/a | `string` | n/a | yes |
+| [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes |
+| [external\_domain](#input\_external\_domain) | Domain for delegation | `string` | `"pagopa.it"` | no |
+| [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes |
+| [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes |
+| [location\_short](#input\_location\_short) | One of wue, neu | `string` | n/a | yes |
+| [lock\_enable](#input\_lock\_enable) | Apply locks to block accedentaly deletions. | `bool` | `false` | no |
+| [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | Specifies the name of the Log Analytics Workspace. | `string` | n/a | yes |
+| [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes |
+| [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes |
+| [prefix](#input\_prefix) | n/a | `string` | n/a | yes |
+| [tags](#input\_tags) | n/a | `map(any)` | {
"CreatedBy": "Terraform"
}
| no |
+
+## Outputs
+
+No outputs.
+
diff --git a/src/domains/blueprint-common/env/dev/backend.ini b/src/domains/blueprint-common/env/dev/backend.ini
new file mode 100644
index 00000000..a7cc599b
--- /dev/null
+++ b/src/domains/blueprint-common/env/dev/backend.ini
@@ -0,0 +1 @@
+subscription=DevOpsLab
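Review bot: This file is not read as INI: terraform.sh runs `source "./env/$env/backend.ini"`, so bash executes it and the assignment lands in `$subscription`. That means the INI-portable forms (`subscription = DevOpsLab`, a `;` comment, a quoted value with a trailing comment) would either fail or be executed as commands, and any other line placed in this file runs with the caller's Azure credentials before `az account set`. A one-line header, `# sourced by terraform.sh as bash: keep key=value with no spaces, no ; comments`, and keeping the file to this single assignment would make that contract visible.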
diff --git a/src/domains/blueprint-common/env/dev/backend.tfvars b/src/domains/blueprint-common/env/dev/backend.tfvars
new file mode 100644
index 00000000..d1917fa7
--- /dev/null
+++ b/src/domains/blueprint-common/env/dev/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfinfdevopslab"
+container_name = "terraform-state"
+key = "blueprint-common-domain-terraform.tfstate"
diff --git a/src/domains/blueprint-common/env/dev/terraform.tfvars b/src/domains/blueprint-common/env/dev/terraform.tfvars
new file mode 100644
index 00000000..cac8603a
--- /dev/null
+++ b/src/domains/blueprint-common/env/dev/terraform.tfvars
@@ -0,0 +1,24 @@
+# general
+prefix = "dvopla"
+env_short = "d"
+env = "dev"
+location = "northeurope"
+location_short = "neu"
+domain = "blueprint"
+instance = "dev"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Dev"
+ Owner = "devops"
+ Source = "https://github.com/pagopa/dvopla-infrastructure"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+ Application = "blueprint.common"
+}
+
+lock_enable = true
+
+### External resources
+monitor_resource_group_name = "dvopla-d-monitor-rg"
+log_analytics_workspace_name = "dvopla-d-law"
+log_analytics_workspace_resource_group_name = "dvopla-d-monitor-rg"
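Review bot: `instance = "dev"` on line 349 does not match the `instance` variable's description in 99_variables.tf ("One of beta, prod01, prod02"), and nothing validates the value, so either this file or the description is wrong; if dev is the intended value the description should list it, otherwise this should be one of the documented names. `Environment = "Dev"` in the tags also uses a different casing from `env = "dev"`; if any reporting or policy tooling filters on that tag (I cannot tell from the diff), a consistent spelling avoids surprises.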
diff --git a/src/domains/blueprint-common/terraform.sh b/src/domains/blueprint-common/terraform.sh
new file mode 100755
index 00000000..974249bb
--- /dev/null
+++ b/src/domains/blueprint-common/terraform.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -e
+
+action=$1
+env=$2
+shift 2
+other=$@
+
+subscription="MOCK_VALUE"
+
+if [ -z "$action" ]; then
+ echo "Missed action: init, apply, plan"
+ exit 0
+fi
+
+if [ -z "$env" ]; then
+ echo "env should be: dev, uat or prod."
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+source "./env/$env/backend.ini"
+
+az account set -s "${subscription}"
+
+if echo "init plan apply refresh import output state taint destroy" | grep -w "$action" > /dev/null; then
+ if [ "$action" = "init" ]; then
+ echo "🧠terraform INIT in env: ${env}"
+ terraform "$action" -reconfigure -backend-config="./env/$env/backend.tfvars" $other
+ elif [ "$action" = "output" ] || [ "$action" = "state" ] || [ "$action" = "taint" ]; then
+ # init terraform backend
+ echo "🧠terraform (output|state|taint) launched with action: ${action} in env: ${env}"
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ terraform "$action" $other
+ else
+ # init terraform backend
+ echo "🧠terraform launched with action: ${action} in env: ${env}"
+
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ terraform "$action" -var-file="./env/$env/terraform.tfvars" $other
+ fi
+else
+ echo "Action not allowed."
+ exit 1
+fi
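Review bot: The argument checks on lines 383–391 print a usage hint but `exit 0`, so a pipeline that calls the script with a missing action or env reports success while doing nothing; both branches should `exit 1` and write the hint to stderr (`echo "Missed action: init, apply, plan" >&2`). `other=$@` on line 379 collapses the remaining arguments into one string that is re-split unquoted on lines 401, 406 and 412, so an argument containing spaces (a `-var` value, for instance) breaks apart; dropping `other` and passing `"$@"` at those three call sites preserves the arguments as given. The `subscription="MOCK_VALUE"` default on line 381 is overwritten by the sourced backend.ini, and when that file lacks the key the script proceeds to `az account set -s MOCK_VALUE` with a confusing error; a guard after the source, `[ "$subscription" = "MOCK_VALUE" ] && { echo "subscription not set in env/$env/backend.ini" >&2; exit 1; }`, makes the failure explicit.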
diff --git a/src/packer/README.md b/src/packer/README.md
index fc5d8683..5de7a11c 100644
--- a/src/packer/README.md
+++ b/src/packer/README.md
@@ -13,7 +13,7 @@
| Name | Source | Version |
|------|--------|---------|
-| [azdoa\_custom\_image](#module\_azdoa\_custom\_image) | git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent_custom_image | v6.20.0 |
+| [azdoa\_custom\_image](#module\_azdoa\_custom\_image) | git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent_custom_image | 3a39074 |
## Resources