diff --git a/src/aks-platform/02_aks.tf b/src/aks-platform/02_aks.tf index 224c4f80..28410fc4 100644 --- a/src/aks-platform/02_aks.tf +++ b/src/aks-platform/02_aks.tf @@ -109,18 +109,18 @@ module "aks" { } module "velero" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster_velero?ref=8171afb" - count = var.aks_enabled ? 1 : 0 - backup_storage_container_name = "velero-backup" - subscription_id = data.azurerm_subscription.current.subscription_id - tenant_id = data.azurerm_subscription.current.tenant_id - resource_group_name = azurerm_resource_group.rg_aks_backup.name - prefix = "devopla" - aks_cluster_name = module.aks[count.index].name - aks_cluster_rg = azurerm_resource_group.rg_aks.name - location = var.location - use_storage_private_endpoint = true - private_endpoint_subnet_id = data.azurerm_subnet.private_endpoint_subnet.id + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster_velero?ref=8171afb" + count = var.aks_enabled ? 1 : 0 + backup_storage_container_name = "velero-backup" + subscription_id = data.azurerm_subscription.current.subscription_id + tenant_id = data.azurerm_subscription.current.tenant_id + resource_group_name = azurerm_resource_group.rg_aks_backup.name + prefix = "devopla" + aks_cluster_name = module.aks[count.index].name + aks_cluster_rg = azurerm_resource_group.rg_aks.name + location = var.location + use_storage_private_endpoint = true + private_endpoint_subnet_id = data.azurerm_subnet.private_endpoint_subnet.id storage_account_private_dns_zone_id = data.azurerm_private_dns_zone.storage_account_private_dns_zone.id tags = var.tags 
@@ -128,15 +128,15 @@ module "velero" { module "aks_namespace_backup" { source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_velero_backup?ref=f38e1ca" - count = var.aks_enabled ? 1 : 0 + count = var.aks_enabled ? 1 : 0 # required - backup_name = "daily-backup" - namespaces = ["ALL"] + backup_name = "daily-backup" + namespaces = ["ALL"] aks_cluster_name = module.aks[count.index].name # optional - ttl = "72h0m0s" - schedule = "0 3 * * *" #refers to UTC timezone + ttl = "72h0m0s" + schedule = "0 3 * * *" #refers to UTC timezone volume_snapshot = false depends_on = [ diff --git a/src/aks-platform/99_locals.tf b/src/aks-platform/99_locals.tf index 1808e080..3db25f41 100644 --- a/src/aks-platform/99_locals.tf +++ b/src/aks-platform/99_locals.tf @@ -3,10 +3,10 @@ locals { project = "${var.prefix}-${var.env_short}-${var.location_short}-${var.domain}" # AKS - aks_rg_name = "${local.project}-aks-rg" + aks_rg_name = "${local.project}-aks-rg" aks_backup_rg_name = "${local.project}-aks-backup-rg" - aks_cluster_name = "${local.project}-aks" - velero_rg_name = "${local.project}-velero" + aks_cluster_name = "${local.project}-aks" + velero_rg_name = "${local.project}-velero" # VNET vnet_core_resource_group_name = "${local.product}-vnet-rg" diff --git a/src/aks-platform/README.md b/src/aks-platform/README.md index d8e10e7e..f7d02c9b 100644 --- a/src/aks-platform/README.md +++ b/src/aks-platform/README.md 
@@ -38,15 +38,18 @@ Re-enable all the resource, commented before to complete the procedure | Name | Source | Version | |------|--------|---------| | [aks](#module\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster | v7.2.0 | +| [aks\_namespace\_backup](#module\_aks\_namespace\_backup) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_velero_backup | f38e1ca | | [keda\_pod\_identity](#module\_keda\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v6.20.1 | | [nginx\_ingress](#module\_nginx\_ingress) | terraform-module/release/helm | 2.7.0 | | [snet\_aks](#module\_snet\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v6.20.1 | +| [velero](#module\_velero) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster_velero | 8171afb | ## Resources | Name | Type | |------|------| | [azurerm_resource_group.rg_aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_resource_group.rg_aks_backup](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_role_assignment.aks_to_acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | [azurerm_role_assignment.keda_monitoring_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | | [azurerm_role_assignment.managed_identity_operator_vs_aks_managed_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | 
@@ -74,10 +77,12 @@ Re-enable all the resource, commented before to complete the procedure | [azurerm_log_analytics_workspace.log_analytics_workspace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source | | [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | +| [azurerm_private_dns_zone.storage_account_private_dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | | [azurerm_public_ip.pip_aks_outboud](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/public_ip) | data source | | [azurerm_resource_group.rg_monitor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | | [azurerm_resource_group.vnet_aks_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | | [azurerm_resource_group.vnet_core_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | +| [azurerm_subnet.private_endpoint_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | | [azurerm_virtual_network.vnet_aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source | | [azurerm_virtual_network.vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source | 
diff --git a/src/core/02_dns_private.tf b/src/core/02_dns_private.tf index ee0f1a6a..926a3c92 100644 --- a/src/core/02_dns_private.tf +++ b/src/core/02_dns_private.tf @@ -52,6 +52,3 @@ resource "azurerm_private_dns_zone_virtual_network_link" "storage_account_vnet" private_dns_zone_name = azurerm_private_dns_zone.storage_account.name virtual_network_id = module.vnet.id } - - - diff --git a/src/core/README.md b/src/core/README.md index be3c7c4e..8b852c6c 100644 --- a/src/core/README.md +++ b/src/core/README.md 
@@ -69,7 +69,9 @@ az network dns zone show \ | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_action_group) | resource | | [azurerm_private_dns_zone.internal_devopslab](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource | | [azurerm_private_dns_zone.privatelink_postgres_database_azure_com](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource | +| [azurerm_private_dns_zone.storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource | | [azurerm_private_dns_zone_virtual_network_link.privatelink_postgres_database_azure_com_vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link) | resource | +| [azurerm_private_dns_zone_virtual_network_link.storage_account_vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link) | resource | | [azurerm_private_dns_zone_virtual_network_link.vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link) | resource | | [azurerm_public_ip.aks_outbound](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource | | [azurerm_public_ip.appgateway_beta_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource | diff --git a/src/coreplus/01_network_aks_platform.tf b/src/coreplus/01_network_aks_platform.tf index 82767ff0..45237c31 100644 --- a/src/coreplus/01_network_aks_platform.tf +++ b/src/coreplus/01_network_aks_platform.tf 
@@ -85,7 +85,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnet_aks" { resource "azurerm_private_dns_zone_virtual_network_link" "storage_account_vnet" { - for_each = { for n in var.aks_networks : n.domain_name => n } + for_each = { for n in var.aks_networks : n.domain_name => n } name = module.vnet_aks[each.key].name resource_group_name = data.azurerm_resource_group.rg_vnet.name private_dns_zone_name = data.azurerm_private_dns_zone.storage.name diff --git a/src/coreplus/README.md b/src/coreplus/README.md index c1805579..933fbb25 100644 --- a/src/coreplus/README.md +++ b/src/coreplus/README.md @@ -50,6 +50,7 @@ | [azurerm_key_vault_access_policy.app_gateway_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | | [azurerm_monitor_action_group.error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_action_group) | resource | | [azurerm_private_dns_a_record.api_internal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource | +| [azurerm_private_dns_zone_virtual_network_link.storage_account_vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link) | resource | | [azurerm_private_dns_zone_virtual_network_link.vnet_aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link) | resource | | [azurerm_public_ip.outbound_ip_aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource | | [azurerm_resource_group.app_service_docker_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | 
@@ -85,6 +86,7 @@ | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | | [azurerm_private_dns_zone.internal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | | [azurerm_private_dns_zone.privatelink_postgres_database_azure_com](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | +| [azurerm_private_dns_zone.storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | | [azurerm_public_ip.appgateway_beta_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/public_ip) | data source | | [azurerm_public_ip.appgateway_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/public_ip) | data source | | [azurerm_resource_group.kv_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | diff --git a/src/domains/blueprint-common/.terraform.lock.hcl b/src/domains/blueprint-common/.terraform.lock.hcl new file mode 100644 index 00000000..e0d882ac --- /dev/null +++ b/src/domains/blueprint-common/.terraform.lock.hcl 
@@ -0,0 +1,96 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/chilicat/pkcs12" { + version = "0.0.7" + constraints = "0.0.7" + hashes = [ + "h1:LFd43VGi5SWWP8KX8hkPVmNBk0BBC46nOPEk7qjqMbA=", + "h1:YH7CVRfoqapMV0Vra8EXqR1ziOJ54m4dSl0w48tlzkU=", + "h1:iNsHrEe1U/103ZLBxlCgiFv1uwONVmWstl4TWqBelAI=", + "h1:zaF83pVyNkqAL55dZmDJi2yODaQkMyaQr5OLDmTMxeo=", + "zh:0890343e35d99263280abb8c8e035aa7ae0e201619a134b4a01076b27614124b", + "zh:13aabd4e1d383990d0bc7520b46710c3774b19bf63cb2e7a1065e6bfea6c91e8", + "zh:1aa060e180359f216c05b8f9d24bff290b489f1d21c0c9afc0d723244168c5db", + "zh:22f0e40d149d3c634bc6918f33e8893f1d99bda6779a99d33f9ac36c90409533", + "zh:2ffebc8d12a5acd7d06373dc2d6e83db1f48bc19cfa1df41e992cc064a0e2a00", + "zh:34e6a466a7b5b1ca5d6c6f86254d3ac5afaa12a51d1ee354c93957f251f8db6d", + "zh:3737926802592fe2aa07d798fc9acc5626351ce5fbc35bc65513f4adc8448657", + "zh:a7087d650efc7a492d024d556eb9b8bb5c402495cf9ed6d74c73fa8f6ba373fe", + "zh:bf1c4e55ccd918083d286aa483e81d6f05bae0337674f6e66971f63dbdc9cce0", + "zh:cca35bb97f3bac0ff161793c910156fd9ba67ee16e6fa46cc9d08bb04594a90a", + "zh:d71d85d11631350310be495b65c5ede34c30224cfdc4a59c9c10875ccf290507", + "zh:efd1eff32db110d1a1402ae4dd6f1e82b2f2c233fbf28fd451d95f9eb8593b51", + "zh:f367e41e63267d108e4de9ade6b491935f9dd624c0d6d80627ab3d483673b0d7", + "zh:f7b169cac88e712fecd0873b7099a43aade86819106dc53c9a13c69116ca2a5e", + ] +} + +provider "registry.terraform.io/hashicorp/azuread" { + version = "2.21.0" + constraints = "2.21.0" + hashes = [ + "h1:9gG6SWoUZZmmXbYBv6ra2RF5NYpamB9tGjsuBxrasFQ=", + "h1:KbY8dRdbfTwTzEBcdOFdD50JX8CUG5Mni25D2+k1rGc=", + "h1:akcofWscEl0ecIbf7lyEqRvPfOdA5q75EZvK8uSum1c=", + "h1:qHYbB6LJsYPVUcd7QkZ5tU+IX+10VcUG4NzsmIuWdlE=", + "zh:18c56e0478e8b3849f6d52f7e0ee495538e7fce66f22fc84a79599615e50ad1c", + "zh:1b95ba8dddc46c744b2d2be7da6fafaa8ebd8368d46ff77416a95cb7d622251e", + 
"zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", + "zh:2b7559f9febd770b38deb2d7aee61cea03d9f7a39673e1c72252530825523206", + "zh:466f1099109fd0283d0a4ae6716d831b09d66218ad8abacf8787e9c634ce7a6f", + "zh:7d56b3c034496c62d0993e51339f876732bb5050f8bb0739cef952f7e881e79f", + "zh:7d600af10920dd9b2349cf745b112e07eb24e2ae25006e32db0a39e8c863b11d", + "zh:81eaaa3944a874b0ade6c23785d736e217554dc74b6a7c06cc8750de97ecca04", + "zh:9a4563c1dceb85f3f58787803af1d5b0baf26d802588d263d05cbd8a4f510e76", + "zh:cb885a238449548d392f7e3f00b1a3aebd41bbeefab23c40b180a058e8565638", + "zh:cd34877f0aa3120cd0b51dadde38c471ae35ea2a8a64604bba578901298c7c77", + "zh:da62d6cb7331e5893ac58942b12cbef5c0727390044ec1f25f5778010fb9e5d4", + ] +} + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.71.0" + constraints = ">= 3.30.0, <= 3.71.0" + hashes = [ + "h1:QI0iaPNi0qAOIbXptd4ZObi0D5X1jojom5774GtEspA=", + "h1:nTc6DFS9euNgUkNylQ/AxNYN9Ln1dyL+WVIBNcict7Y=", + "h1:vhmOvVQgCyxXeS25wKuPTNpOAAtocPj5faL1yFS/Bcc=", + "h1:xySu+5dS0H9KYVsQoFp61uc5XLRKif9FrFs//OPNDrM=", + "zh:06f0d225b1711dfad256ff33134f878acc8f84624d9da66b075b075cc4d75892", + "zh:09ff74056818babe02ea5a633bffe2b8223eaf79916dc1db169651ef7725c22f", + "zh:27687e0f8458e6d88ebea94352eb523f56e8f5cdc468268af8f38dc4a4265bf4", + "zh:2d81bfab3c6a9b897fa8fbb5256c9e5a944e6ecbf7f73a2a3e2b53a2c4fbcfc5", + "zh:4cfc744cfc37aeeeecd82800c70e2591b38447af9e3c51bcbf06a5efe842ed65", + "zh:734fbb81508b264f772a076338ddf1c7b25534d2007a1738a7d55587478ed258", + "zh:9a5502c364f58073599fff8cdd8adc32e7f7bcd00a4d9b57d2fff678fd8a8319", + "zh:9bc528f7e78dbfd106f94b741b68dedd3dd3d31c3defcddcc1972c8e52a6b7db", + "zh:c30db03d877f9a7ae0c19d3fd338bbf95cdddbf6df1023709dbfa99689abac14", + "zh:c51d4065145b8f4ca45fc9a0f3ca7f2d933bc0302af2eead74f3ce64a9221ae8", + "zh:e23029fc7f81723795d7da770131adb1ce6f4d32f0a57eb75d47e036a0a19833", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider 
"registry.terraform.io/hashicorp/null" { + version = "3.1.1" + constraints = "3.1.1" + hashes = [ + "h1:1J3nqAREzuaLE7x98LEELCCaMV6BRiawHSg9MmFvfQo=", + "h1:71sNUDvmiJcijsvfXpiLCz0lXIBSsEJjMxljt7hxMhw=", + "h1:Pctug/s/2Hg5FJqjYcTM0kPyx3AoYK1MpRWO0T9V2ns=", + "h1:YvH6gTaQzGdNv+SKTZujU1O0bO+Pw6vJHOPhqgN8XNs=", + "zh:063466f41f1d9fd0dd93722840c1314f046d8760b1812fa67c34de0afcba5597", + "zh:08c058e367de6debdad35fc24d97131c7cf75103baec8279aba3506a08b53faf", + "zh:73ce6dff935150d6ddc6ac4a10071e02647d10175c173cfe5dca81f3d13d8afe", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8fdd792a626413502e68c195f2097352bdc6a0df694f7df350ed784741eb587e", + "zh:976bbaf268cb497400fd5b3c774d218f3933271864345f18deebe4dcbfcd6afa", + "zh:b21b78ca581f98f4cdb7a366b03ae9db23a73dfa7df12c533d7c19b68e9e72e5", + "zh:b7fc0c1615dbdb1d6fd4abb9c7dc7da286631f7ca2299fb9cd4664258ccfbff4", + "zh:d1efc942b2c44345e0c29bc976594cb7278c38cfb8897b344669eafbc3cddf46", + "zh:e356c245b3cd9d4789bab010893566acace682d7db877e52d40fc4ca34a50924", + "zh:ea98802ba92fcfa8cf12cbce2e9e7ebe999afbf8ed47fa45fc847a098d89468b", + "zh:eff8872458806499889f6927b5d954560f3d74bf20b6043409edf94d26cd906f", + ] +} diff --git a/src/domains/blueprint-common/00_azuread.tf b/src/domains/blueprint-common/00_azuread.tf new file mode 100644 index 00000000..b7f42c3c --- /dev/null +++ b/src/domains/blueprint-common/00_azuread.tf @@ -0,0 +1,16 @@ +# Azure AD +data "azuread_group" "adgroup_admin" { + display_name = "${local.product}-adgroup-admin" +} + +data "azuread_group" "adgroup_developers" { + display_name = "${local.product}-adgroup-developers" +} + +data "azuread_group" "adgroup_externals" { + display_name = "${local.product}-adgroup-externals" +} + +data "azuread_group" "adgroup_security" { + display_name = "${local.product}-adgroup-security" +} diff --git a/src/domains/blueprint-common/00_monitor.tf b/src/domains/blueprint-common/00_monitor.tf new file mode 100644 index 00000000..e766671c --- /dev/null 
+++ b/src/domains/blueprint-common/00_monitor.tf
@@ -0,0 +1,23 @@
+data "azurerm_resource_group" "monitor_rg" {
+ name = var.monitor_resource_group_name
+}
+
+data "azurerm_log_analytics_workspace" "log_analytics" {
+ name = var.log_analytics_workspace_name
+ resource_group_name = var.log_analytics_workspace_resource_group_name
+}
+
+data "azurerm_application_insights" "application_insights" {
+ name = local.monitor_appinsights_name
+ resource_group_name = data.azurerm_resource_group.monitor_rg.name
+}
+
+data "azurerm_monitor_action_group" "slack" {
+ resource_group_name = var.monitor_resource_group_name
+ name = local.monitor_action_group_slack_name
+}
+
+data "azurerm_monitor_action_group" "email" {
+ resource_group_name = var.monitor_resource_group_name
+ name = local.monitor_action_group_email_name
+}
diff --git a/src/domains/blueprint-common/00_network.tf b/src/domains/blueprint-common/00_network.tf
new file mode 100644
index 00000000..13b80fb0
--- /dev/null
+++ b/src/domains/blueprint-common/00_network.tf
@@ -0,0 +1,13 @@
+data "azurerm_virtual_network" "vnet_core" {
+ name = local.vnet_core_name
+ resource_group_name = local.vnet_core_resource_group_name
+}
+
+data "azurerm_resource_group" "rg_vnet_core" {
+ name = local.vnet_core_resource_group_name
+}
+
+data "azurerm_dns_zone" "public" {
+ name = local.dns_zone_public_name
+ resource_group_name = local.vnet_core_resource_group_name
+}
diff --git a/src/domains/blueprint-common/01_keyvault_0.tf b/src/domains/blueprint-common/01_keyvault_0.tf
new file mode 100644
index 00000000..a5268717
--- /dev/null
+++ b/src/domains/blueprint-common/01_keyvault_0.tf
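Review bot: 00_monitor.tf takes the monitor resource group and Log Analytics workspace names from `var.monitor_resource_group_name`, `var.log_analytics_workspace_name` and `var.log_analytics_workspace_resource_group_name`, while 99_variables.tf in the same change defines `local.monitor_rg_name` and `local.monitor_log_analytics_workspace_name` for what look like the same values, leaving two sources of truth that can drift apart. Usage within the file is also mixed: `application_insights` goes through `data.azurerm_resource_group.monitor_rg.name`, whereas both action-group lookups use the variable directly. Pick one source — for example `resource_group_name = data.azurerm_resource_group.monitor_rg.name` on the two action groups as well — and remove whichever of the locals or variables is left unused.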
@@ -0,0 +1,106 @@
+resource "azurerm_resource_group" "sec_rg_domain" {
+ name = "${local.product}-${var.domain}-sec-rg"
+ location = var.location
+
+ tags = var.tags
+}
+
+module "key_vault_domain" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v7.7.0"
+
+ name = "${local.product}-${var.domain}-kv"
+ location = azurerm_resource_group.sec_rg_domain.location
+ resource_group_name = azurerm_resource_group.sec_rg_domain.name
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ soft_delete_retention_days = 90
+ sku_name = "premium"
+
+ lock_enable = true
+
+ tags = var.tags
+}
+
+## ad group policy ##
+resource "azurerm_key_vault_access_policy" "ad_admin_group_policy" {
+ key_vault_id = module.key_vault_domain.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azuread_group.adgroup_admin.object_id
+
+ key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+ secret_permissions = ["Get", "List", "Set", "Delete", ]
+ storage_permissions = []
+ certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", ]
+}
+
+#
+# policy developers
+#
+resource "azurerm_key_vault_access_policy" "adgroup_developers_policy" {
+
+ key_vault_id = module.key_vault_domain.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azuread_group.adgroup_developers.object_id
+
+ key_permissions = var.env_short == "d" ? ["Get", "List", "Update", "Create", "Import", "Delete", ] : ["Get", "List", "Update", "Create", "Import", ]
+ secret_permissions = var.env_short == "d" ? ["Get", "List", "Set", "Delete", ] : ["Get", "List", "Set", ]
+ storage_permissions = []
+ certificate_permissions = var.env_short == "d" ? 
["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", "ManageContacts", ] : ["Get", "List", "Update", "Create", "Import", "Restore", "Recover", ] +} + +# +# policy externals +# + +resource "azurerm_key_vault_access_policy" "adgroup_externals_policy" { + count = var.env_short == "d" ? 1 : 0 + + key_vault_id = module.key_vault_domain.id + + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azuread_group.adgroup_developers.object_id + + key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ] + secret_permissions = ["Get", "List", "Set", "Delete", ] + storage_permissions = [] + certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", "ManageContacts", ] +} + +# +# IaC +# + +#pagopaspa-dvopla-platform-iac-projects-{subscription} +data "azuread_service_principal" "platform_iac_sp" { + display_name = "pagopaspa-devops-platform-iac-projects-${data.azurerm_subscription.current.subscription_id}" +} + +resource "azurerm_key_vault_access_policy" "azdevops_platform_iac_policy" { + key_vault_id = module.key_vault_domain.id + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azuread_service_principal.platform_iac_sp.object_id + + secret_permissions = ["Get", "List", "Set", ] + + certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", ] + + storage_permissions = [] +} + +#azdo-sp-plan-devopslab- +data "azuread_service_principal" "iac_sp_plan" { + display_name = "azdo-sp-plan-devopslab-${var.env}" +} + +resource "azurerm_key_vault_access_policy" "iac_sp_plan_policy" { + key_vault_id = module.key_vault_domain.id + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azuread_service_principal.iac_sp_plan.object_id + + secret_permissions = ["Get", "List", "Set", ] + + certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", "Import"] + + 
storage_permissions = []
+}
diff --git a/src/domains/blueprint-common/99_main.tf b/src/domains/blueprint-common/99_main.tf
new file mode 100644
index 00000000..6f2846aa
--- /dev/null
+++ b/src/domains/blueprint-common/99_main.tf
@@ -0,0 +1,45 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "<= 3.71.0"
+ }
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "= 2.21.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = "= 3.1.1"
+ }
+ pkcs12 = {
+ source = "chilicat/pkcs12"
+ version = "0.0.7"
+ }
+ }
+
+ backend "azurerm" {}
+}
+
+provider "azurerm" {
+ features {
+ key_vault {
+ purge_soft_delete_on_destroy = false
+ }
+ }
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
+
+data "terraform_remote_state" "core" {
+ backend = "azurerm"
+
+ config = {
+ resource_group_name = var.terraform_remote_state_core.resource_group_name
+ storage_account_name = var.terraform_remote_state_core.storage_account_name
+ container_name = var.terraform_remote_state_core.container_name
+ key = var.terraform_remote_state_core.key
+ }
+}
diff --git a/src/domains/blueprint-common/99_main.tf.ci b/src/domains/blueprint-common/99_main.tf.ci
new file mode 100644
index 00000000..027f4ce0
--- /dev/null
+++ b/src/domains/blueprint-common/99_main.tf.ci
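Review bot: `adgroup_externals_policy` in 01_keyvault_0.tf binds `object_id = data.azuread_group.adgroup_developers.object_id`, so in the `d` environment the externals group receives no policy at all while the developers group is declared twice, and because an access policy is identified by vault plus object ID the provider will either refuse the second as already existing or flip the developers' permissions on every apply; the line should read `object_id = data.azuread_group.adgroup_externals.object_id`. Separately, both IaC service-principal policies grant `Purge` on certificates, which bypasses soft-delete no matter what `purge_soft_delete_on_destroy = false` says in 99_main.tf, and the plan principal (`iac_sp_plan`) additionally gets `Set` on secrets and `Import` on certificates — if that identity only runs `terraform plan`, read-only `Get`/`List` would be the least-privilege choice, worth confirming against the pipeline. The module also hardcodes `lock_enable = true` while `var.lock_enable` (default `false`) is declared in 99_variables.tf of the same change and never referenced; either wire the variable through or drop it. Finally, the comment `#pagopaspa-dvopla-platform-iac-projects-{subscription}` no longer matches the `pagopaspa-devops-platform-iac-projects-…` display name it sits above.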
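Review bot: `data "terraform_remote_state" "core"` in 99_main.tf reads `var.terraform_remote_state_core`, but no `variable "terraform_remote_state_core"` is declared in 99_variables.tf or any other file in this diff, so unless it lives in a file not shown here `terraform validate` will reject the root module with an undeclared-variable error; a `variable "terraform_remote_state_core" { type = object({ resource_group_name = string, storage_account_name = string, container_name = string, key = string }) }` block in 99_variables.tf closes the gap and documents the expected shape. Note also that only root outputs of the core state are exposed as attributes, but reading the data source requires blob-read access to the whole core state file, so the identity applying this configuration can read every attribute stored there — keep that in mind when scoping its storage role. The `azurerm` constraint `<= 3.71.0` has no lower bound; the lockfile in this same change records `>= 3.30.0, <= 3.71.0`, so the floor presumably comes from a module, and stating it here too keeps the root module's requirement explicit.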
@@ -0,0 +1,44 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "<= 3.71.0"
+ }
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "= 2.21.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = "= 3.1.1"
+ }
+ pkcs12 = {
+ source = "chilicat/pkcs12"
+ version = "0.0.7"
+ }
+ }
+
+}
+
+provider "azurerm" {
+ features {
+ key_vault {
+ purge_soft_delete_on_destroy = false
+ }
+ }
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
+
+data "terraform_remote_state" "core" {
+ backend = "azurerm"
+
+ config = {
+ resource_group_name = var.terraform_remote_state_core.resource_group_name
+ storage_account_name = var.terraform_remote_state_core.storage_account_name
+ container_name = var.terraform_remote_state_core.container_name
+ key = var.terraform_remote_state_core.key
+ }
+}
diff --git a/src/domains/blueprint-common/99_variables.tf b/src/domains/blueprint-common/99_variables.tf
new file mode 100644
index 00000000..d857f8b0
--- /dev/null
+++ b/src/domains/blueprint-common/99_variables.tf
@@ -0,0 +1,119 @@
+# general
+locals {
+ project = "${var.prefix}-${var.env_short}-${var.location_short}-${var.domain}"
+ product = "${var.prefix}-${var.env_short}"
+
+ # monitor
+ monitor_rg_name = "${local.product}-monitor-rg"
+ monitor_log_analytics_workspace_name = "${local.product}-law"
+ monitor_appinsights_name = "${local.product}-appinsights"
+ monitor_security_storage_name = replace("${local.product}-sec-monitor-st", "-", "")
+
+ monitor_action_group_slack_name = "SlackPagoPA"
+ monitor_action_group_email_name = "PagoPA"
+
+ vnet_core_name = "${local.product}-vnet"
+ vnet_core_resource_group_name = "${local.product}-vnet-rg"
+
+ dns_zone_public_name = "devopslab.pagopa.it"
+ dns_zone_private_name = "internal.devopslab.pagopa.it"
+
+}
+
+variable "prefix" {
+ type = string
+ validation {
+ condition = (
+ length(var.prefix) <= 6
+ )
+ error_message = "Max length is 6 chars."
+ }
+}
+
+variable "env" {
+ type = string
+}
+
+variable "env_short" {
+ type = string
+ validation {
+ condition = (
+ length(var.env_short) == 1
+ )
+ error_message = "Length must be 1 chars."
+ }
+}
+
+variable "domain" {
+ type = string
+ validation {
+ condition = (
+ length(var.domain) <= 12
+ )
+ error_message = "Max length is 12 chars."
+ }
+}
+
+variable "location" {
+ type = string
+ description = "One of westeurope, northeurope"
+}
+
+variable "location_short" {
+ type = string
+ validation {
+ condition = (
+ length(var.location_short) == 3
+ )
+ error_message = "Length must be 3 chars."
+ }
+ description = "One of wue, neu"
+}
+
+variable "instance" {
+ type = string
+ description = "One of beta, prod01, prod02"
+}
+
+variable "lock_enable" {
+ type = bool
+ default = false
+ description = "Apply locks to block accedentaly deletions." 
+}
+
+variable "tags" {
+ type = map(any)
+ default = {
+ CreatedBy = "Terraform"
+ }
+}
+
+# DNS
+variable "external_domain" {
+ type = string
+ default = "pagopa.it"
+ description = "Domain for delegation"
+}
+
+variable "dns_zone_prefix" {
+ type = string
+ default = "devopslab"
+ description = "The dns subdomain."
+}
+
+### External resources
+
+variable "monitor_resource_group_name" {
+ type = string
+ description = "Monitor resource group name"
+}
+
+variable "log_analytics_workspace_name" {
+ type = string
+ description = "Specifies the name of the Log Analytics Workspace."
+}
+
+variable "log_analytics_workspace_resource_group_name" {
+ type = string
+ description = "The name of the resource group in which the Log Analytics workspace is located in."
+}
diff --git a/src/domains/blueprint-common/README.md b/src/domains/blueprint-common/README.md
new file mode 100644
index 00000000..f4511b6c
--- /dev/null
+++ b/src/domains/blueprint-common/README.md
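Review bot: `variable "location"` in 99_variables.tf documents "One of westeurope, northeurope" but, unlike `prefix`, `env_short`, `domain` and `location_short`, carries no `validation` block, so a mistyped region in a tfvars file is only caught by the provider at apply time; a `validation { condition = contains(["westeurope", "northeurope"], var.location) error_message = "Location must be westeurope or northeurope." }` block would fail it at plan. The `lock_enable` description has a typo — `accedentaly` should read `accidentally` — and, as far as this diff shows, the variable itself is never referenced (01_keyvault_0.tf hardcodes `lock_enable = true`). `local.monitor_rg_name`, `local.monitor_log_analytics_workspace_name` and `var.instance` are likewise not referenced by any file in this change (00_monitor.tf reads the equivalent variables instead), so they appear to be dead declarations unless another file in the directory consumes them.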
@@ -0,0 +1,68 @@
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [azuread](#requirement\_azuread) | = 2.21.0 |
+| [azurerm](#requirement\_azurerm) | <= 3.71.0 |
+| [null](#requirement\_null) | = 3.1.1 |
+| [pkcs12](#requirement\_pkcs12) | 0.0.7 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [key\_vault\_domain](#module\_key\_vault\_domain) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v7.7.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_key_vault_access_policy.ad_admin_group_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.adgroup_developers_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.adgroup_externals_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.azdevops_platform_iac_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.iac_sp_plan_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_resource_group.sec_rg_domain](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source |
+| [azuread_service_principal.iac_sp_plan](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/service_principal) | data source |
+| [azuread_service_principal.platform_iac_sp](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/service_principal) | data source |
+| [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_dns_zone.public](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source |
+| [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
+| [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_resource_group.rg_vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_virtual_network.vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
+| [terraform_remote_state.core](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [dns\_zone\_prefix](#input\_dns\_zone\_prefix) | The dns subdomain. | `string` | `"devopslab"` | no |
+| [domain](#input\_domain) | n/a | `string` | n/a | yes |
+| [env](#input\_env) | n/a | `string` | n/a | yes |
+| [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes |
+| [external\_domain](#input\_external\_domain) | Domain for delegation | `string` | `"pagopa.it"` | no |
+| [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes |
+| [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes |
+| [location\_short](#input\_location\_short) | One of wue, neu | `string` | n/a | yes |
+| [lock\_enable](#input\_lock\_enable) | Apply locks to block accedentaly deletions. | `bool` | `false` | no |
+| [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | Specifies the name of the Log Analytics Workspace. | `string` | n/a | yes |
+| [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes |
+| [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes |
+| [prefix](#input\_prefix) | n/a | `string` | n/a | yes |
+| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no |
+
+## Outputs
+
+No outputs.
+
diff --git a/src/domains/blueprint-common/env/dev/backend.ini b/src/domains/blueprint-common/env/dev/backend.ini
new file mode 100644
index 00000000..a7cc599b
--- /dev/null
+++ b/src/domains/blueprint-common/env/dev/backend.ini
@@ -0,0 +1 @@
+subscription=DevOpsLab
diff --git a/src/domains/blueprint-common/env/dev/backend.tfvars b/src/domains/blueprint-common/env/dev/backend.tfvars
new file mode 100644
index 00000000..d1917fa7
--- /dev/null
+++ b/src/domains/blueprint-common/env/dev/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfinfdevopslab"
+container_name = "terraform-state"
+key = "blueprint-common-domain-terraform.tfstate"
diff --git a/src/domains/blueprint-common/env/dev/terraform.tfvars b/src/domains/blueprint-common/env/dev/terraform.tfvars
new file mode 100644
index 00000000..cac8603a
--- /dev/null
+++ b/src/domains/blueprint-common/env/dev/terraform.tfvars
@@ -0,0 +1,24 @@
+# general
+prefix = "dvopla"
+env_short = "d"
+env = "dev"
+location = "northeurope"
+location_short = "neu"
+domain = "blueprint"
+instance = "dev"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Dev"
+ Owner = "devops"
+ Source = "https://github.com/pagopa/dvopla-infrastructure"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+ Application = "blueprint.common"
+}
+
+lock_enable = true
+
+### External resources
+monitor_resource_group_name = "dvopla-d-monitor-rg"
+log_analytics_workspace_name = "dvopla-d-law"
+log_analytics_workspace_resource_group_name = "dvopla-d-monitor-rg"
diff --git a/src/domains/blueprint-common/terraform.sh b/src/domains/blueprint-common/terraform.sh
new file mode 100755
index 00000000..974249bb
--- /dev/null
+++ b/src/domains/blueprint-common/terraform.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -e
+
+action=$1
+env=$2
+shift 2
+other=$@
+
+subscription="MOCK_VALUE"
+
+if [ -z "$action" ]; then
+ echo "Missed action: init, apply, plan"
+ exit 0
+fi
+
+if [ -z "$env" ]; then
+ echo "env should be: dev, uat or prod."
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+source "./env/$env/backend.ini"
+
+az account set -s "${subscription}"
+
+if echo "init plan apply refresh import output state taint destroy" | grep -w "$action" > /dev/null; then
+ if [ "$action" = "init" ]; then
+ echo "🧭 terraform INIT in env: ${env}"
+ terraform "$action" -reconfigure -backend-config="./env/$env/backend.tfvars" $other
+ elif [ "$action" = "output" ] || [ "$action" = "state" ] || [ "$action" = "taint" ]; then
+ # init terraform backend
+ echo "🧭 terraform (output|state|taint) launched with action: ${action} in env: ${env}"
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ terraform "$action" $other
+ else
+ # init terraform backend
+ echo "🧭 terraform launched with action: ${action} in env: ${env}"
+
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ terraform "$action" -var-file="./env/$env/terraform.tfvars" $other
+ fi
+else
+ echo "Action not allowed."
+ exit 1
+fi
diff --git a/src/packer/README.md b/src/packer/README.md
index fc5d8683..5de7a11c 100644
--- a/src/packer/README.md
+++ b/src/packer/README.md
@@ -13,7 +13,7 @@
 | Name | Source | Version |
 |------|--------|---------|
-| [azdoa\_custom\_image](#module\_azdoa\_custom\_image) | git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent_custom_image | v6.20.0 |
+| [azdoa\_custom\_image](#module\_azdoa\_custom\_image) | git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent_custom_image | 3a39074 |
 
 ## Resources
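Review bot: The `env` argument is only checked for emptiness before it is interpolated into `source "./env/$env/backend.ini"` and the `-backend-config`/`-var-file` paths, so any value that resolves to an existing file is accepted and executed as shell; restrict it to the environments the message already names with a `case` allowlist. Because of `set -e`, `shift 2` fails when fewer than two arguments are passed and the script exits before either usage message is printed, and when the messages are reached they `exit 0`, which lets a misuse look like success to a CI step. `other=$@` followed by an unquoted `$other` re-splits and globs the extra arguments, so an array (`other=("$@")` and `"${other[@]}"`) should carry them, and `subscription="MOCK_VALUE"` is silently kept if the sourced file lacks a `subscription=` line, so `az account set` then runs with the placeholder. The rewritten prologue below validates both arguments before shifting; the `source`, `az account set` and dispatch block stay as they are apart from the quoting.

```bash
#!/bin/bash

set -eo pipefail

action=${1:-}
env=${2:-}

if [ -z "$action" ]; then
  echo "Missed action: init, apply, plan" >&2
  exit 1
fi

case "$env" in
  dev|uat|prod) ;;
  *)
    echo "env should be: dev, uat or prod." >&2
    exit 1
    ;;
esac

shift 2
other=("$@")

# … unchanged: source backend.ini, az account set, action dispatch — pass "${other[@]}" where $other was used …
```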