diff --git a/src/domains/testit-app/.terraform.lock.hcl b/src/domains/testit-app/.terraform.lock.hcl
new file mode 100644
index 0000000..853b698
--- /dev/null
+++ b/src/domains/testit-app/.terraform.lock.hcl
@@ -0,0 +1,122 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/azuread" {
+ version = "2.47.0"
+ constraints = "<= 2.47.0"
+ hashes = [
+ "h1:iRwDQBdXBpVBoYwM9au2RG01RQuJSm3TGQ2kioFVAas=",
+ "zh:1372d81eb24ef3b4b00ea350fe87219f22da51691b8e42ce91d662f6c2a8af5e",
+ "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7",
+ "zh:1e654a74d171d6ff8f9f6f67e3ff1421d4c5e56a18607703626bf12cd23ba001",
+ "zh:35227fad617a0509c64ab5759a8b703b10d244877f1aa5416bfbcc100c96996f",
+ "zh:357f553f0d78d46a96c7b2ed06d25ee0fc60fc5be19812ccb5d969fa47d62e17",
+ "zh:58faa2940065137e3e87d02eba59ab5cd7137d7a18caf225e660d1788f274569",
+ "zh:7308eda0339620fa24f47cedd22221fc2c02cab9d5be1710c09a783aea84eb3a",
+ "zh:863eabf7f908a8263e28d8aa2ad1381affd6bb5c67755216781f674ef214100e",
+ "zh:8b95b595a7c14ed7b56194d03cdec253527e7a146c1c58961be09e6b5c50baee",
+ "zh:afbca6b4fac9a0a488bc22ff9e51a8f14e986137d25275068fd932f379a51d57",
+ "zh:c6aadec4c81a44c3ffc22c2d90ffc6706bf5a9a903a395d896477516f4be6cbb",
+ "zh:e54a59de7d4ef0f3a18f91fed0b54a2bce18257ae2ee1df8a88226e1023c5811",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/azurerm" {
+ version = "3.104.1"
+ constraints = "<= 3.104.1"
+ hashes = [
+ "h1:U5GAIrGfQyKSOjNatmhTp128MoYaSAmv2MbfUMcLz8s=",
+ "zh:0083c69dfe538d39674816feba339b42c3278e67be8d08991dc73d3714e45696",
+ "zh:201d7db8144f9a01c30931dc9016e4c0b99cfbd3abaab5ec78d1e3b0c6b9018c",
+ "zh:27a63b435cedc6bc0f4a26a1f4b4a04a5bf9533f4694cdcebb997ec1e57dbdba",
+ "zh:2f69e46d3ae4af8774c53a0d26983966b3c492a0ab269af0be9bb50a2a86acf4",
+ "zh:3b8417fc5b8c939745f729454c4a7f0257fd291adf23f944a1556d5148efcf65",
+ "zh:66c49295ff07e1c5e896186971717fa0990d01fc5c2e285aa0f1ab7d03b0db52",
+ "zh:7acb9fdf249e5b90a16112d2604dccd03f62947a5ac17f959ad07712c2b188df",
+ "zh:7d88b263869b42c631543aa02c1d8cf4ed9dd7944ab6b8176e302f26a8561755",
+
"zh:cdb3a300a2b136f904c2d12324a5229ca73e1206f19e6e2503edc681a7ed2e7c",
+ "zh:f1655eb6b16ec65b4c9f78ac5509cc81581e791865d798829e0a22f1a1ce0fbf",
+ "zh:f363153ce52b654d6066e297a85976a0ffcf0ad0eadd9ae6740b76534260a649",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+ version = "2.12.1"
+ constraints = "<= 2.12.1"
+ hashes = [
+ "h1:7wfYOAeSEchHB8idNl+2jf+OkFi9zFSOLWkEZFuTCik=",
+ "zh:1d623fb1662703f2feb7860e3c795d849c77640eecbc5a776784d08807b15004",
+ "zh:253a5bc62ba2c4314875139e3fbd2feaad5ef6b0fb420302a474ab49e8e51a38",
+ "zh:282358f4ad4f20d0ccaab670b8645228bfad1c03ac0d0df5889f0aea8aeac01a",
+ "zh:4fd06af3091a382b3f0d8f0a60880f59640d2b6d9d6a31f9a873c6f1bde1ec50",
+ "zh:6816976b1830f5629ae279569175e88b497abbbac30ee809948a1f923c67a80d",
+ "zh:7d82c4150cdbf48cfeec867be94c7b9bd7682474d4df0ebb7e24e148f964844f",
+ "zh:83f062049eea2513118a4c6054fb06c8600bac96196f25aed2cc21898ec86e93",
+ "zh:a79eec0cf4c08fca79e44033ec6e470f25ff23c3e2c7f9bc707ed7771c1072c0",
+ "zh:b2b2d904b2821a6e579910320605bc478bbef063579a23fbfdd6fcb5871b81f8",
+ "zh:e91177ca06a15487fc570cb81ecef6359aa399459ea2aa7c4f7367ba86f6fcad",
+ "zh:e976bcb82996fc4968f8382bbcb6673efb1f586bf92074058a232028d97825b1",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+ version = "2.26.0"
+ constraints = "<= 2.26.0"
+ hashes = [
+ "h1:vTbi/tiJQS8Wto3LLxZ/WWPcptqaMpQlT33s61WTV9Q=",
+ "zh:3f8ee1bffab1ba4f6ae549daae1648974214880d3606b6821cb0aceb365284a4",
+ "zh:5596b1248231cc3b8f6a98f5b78df7120cd3153fd2b34b369dc20356a75bf35b",
+ "zh:64420c9e4aa49c5e443afcd60f3e8d293ea6bd78797d402e21e23605f7757954",
+ "zh:8327a488854e15f8d7eaf8272c3b9d6d1d9a6e68212a8dcb111d7b4023aac6b5",
+ "zh:94c1c9b65280847d28a3e90e5046650858ac0bf87feefd2349336444e21e68e8",
+ "zh:a3fb0b0b4bfd1844bb94011ae80111cedc188085235cf466313ca2151e75c8ca",
+
"zh:ab5e381928144e0c2a9d9768a48e38797642e5c5fb2184370c7c08df500e5db3",
+ "zh:da78995e8d6daf3acfd4c455ebbd12f6bf154cadf455f14ef35c0862e58dd2ec",
+ "zh:e24cdd5b90196df93215f40d821af3a7b4473c53992be4c3038940d117a50eb4",
+ "zh:e632efb3bce6d089b7c08507660af8b2c5e3f94c34fe401bfa228f154405e26e",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f5aea9da0eba25d35fee49db193c4b44cd3746a5578065092c62a53077e50b84",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+ version = "2.5.1"
+ constraints = "<= 2.5.1"
+ hashes = [
+ "h1:tjcGlQAFA0kmQ4vKkIPPUC4it1UYxLbg4YvHOWRAJHA=",
+ "zh:0af29ce2b7b5712319bf6424cb58d13b852bf9a777011a545fac99c7fdcdf561",
+ "zh:126063ea0d79dad1f68fa4e4d556793c0108ce278034f101d1dbbb2463924561",
+ "zh:196bfb49086f22fd4db46033e01655b0e5e036a5582d250412cc690fa7995de5",
+ "zh:37c92ec084d059d37d6cffdb683ccf68e3a5f8d2eb69dd73c8e43ad003ef8d24",
+ "zh:4269f01a98513651ad66763c16b268f4c2da76cc892ccfd54b401fff6cc11667",
+ "zh:51904350b9c728f963eef0c28f1d43e73d010333133eb7f30999a8fb6a0cc3d8",
+ "zh:73a66611359b83d0c3fcba2984610273f7954002febb8a57242bbb86d967b635",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:7ae387993a92bcc379063229b3cce8af7eaf082dd9306598fcd42352994d2de0",
+ "zh:9e0f365f807b088646db6e4a8d4b188129d9ebdbcf2568c8ab33bddd1b82c867",
+ "zh:b5263acbd8ae51c9cbffa79743fbcadcb7908057c87eb22fd9048268056efbc4",
+ "zh:dfcd88ac5f13c0d04e24be00b686d069b4879cc4add1b7b1a8ae545783d97520",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/null" {
+ version = "3.2.1"
+ constraints = "<= 3.2.1"
+ hashes = [
+ "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=",
+ "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840",
+ "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb",
+ "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5",
+ "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3",
+
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238",
+ "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc",
+ "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970",
+ "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2",
+ "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5",
+ "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f",
+ "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694",
+ ]
+}
diff --git a/src/domains/testit-app/00_aks.tf b/src/domains/testit-app/00_aks.tf
new file mode 100644
index 0000000..1f848ed
--- /dev/null
+++ b/src/domains/testit-app/00_aks.tf
@@ -0,0 +1,4 @@
+data "azurerm_kubernetes_cluster" "aks" {
+ name = var.aks_name
+ resource_group_name = var.aks_resource_group_name
+}
diff --git a/src/domains/testit-app/00_azuread.tf b/src/domains/testit-app/00_azuread.tf
new file mode 100644
index 0000000..b7f42c3
--- /dev/null
+++ b/src/domains/testit-app/00_azuread.tf
@@ -0,0 +1,16 @@
+# Azure AD
+data "azuread_group" "adgroup_admin" {
+ display_name = "${local.product}-adgroup-admin"
+}
+
+data "azuread_group" "adgroup_developers" {
+ display_name = "${local.product}-adgroup-developers"
+}
+
+data "azuread_group" "adgroup_externals" {
+ display_name = "${local.product}-adgroup-externals"
+}
+
+data "azuread_group" "adgroup_security" {
+ display_name = "${local.product}-adgroup-security"
+}
diff --git a/src/domains/testit-app/00_key_vault.tf b/src/domains/testit-app/00_key_vault.tf
new file mode 100644
index 0000000..b3bcd57
--- /dev/null
+++ b/src/domains/testit-app/00_key_vault.tf
@@ -0,0 +1,4 @@
+data "azurerm_key_vault" "kv_domain" {
+ name = local.key_vault_domain_name
+ resource_group_name = local.key_vault_domain_resource_group
+}
diff --git a/src/domains/testit-app/00_monitor.tf b/src/domains/testit-app/00_monitor.tf
new file mode 100644
index 0000000..e766671
--- /dev/null
+++ b/src/domains/testit-app/00_monitor.tf
@@ -0,0 +1,23 @@
+data "azurerm_resource_group" "monitor_rg" {
+ name = var.monitor_resource_group_name
+}
+
+data "azurerm_log_analytics_workspace" "log_analytics" {
+ name = var.log_analytics_workspace_name
+ resource_group_name = var.log_analytics_workspace_resource_group_name
+}
+
+data "azurerm_application_insights" "application_insights" {
+ name = local.monitor_appinsights_name
+ resource_group_name = data.azurerm_resource_group.monitor_rg.name
+}
+
+data "azurerm_monitor_action_group" "slack" {
+ resource_group_name = var.monitor_resource_group_name
+ name = local.monitor_action_group_slack_name
+}
+
+data "azurerm_monitor_action_group" "email" {
+ resource_group_name = var.monitor_resource_group_name
+ name = local.monitor_action_group_email_name
+}
diff --git a/src/domains/testit-app/00_network.tf b/src/domains/testit-app/00_network.tf
new file mode 100644
index 0000000..9af86d3
--- /dev/null
+++ b/src/domains/testit-app/00_network.tf
@@ -0,0 +1,8 @@
+data "azurerm_virtual_network" "vnet_core" {
+ name = local.vnet_core_name
+ resource_group_name = local.vnet_core_resource_group_name
+}
+
+data "azurerm_resource_group" "rg_vnet_core" {
+ name = local.vnet_core_resource_group_name
+}
diff --git a/src/domains/testit-app/01_keyvault.tf b/src/domains/testit-app/01_keyvault.tf
new file mode 100644
index 0000000..ead2d92
--- /dev/null
+++ b/src/domains/testit-app/01_keyvault.tf
@@ -0,0 +1,16 @@
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "aks_apiserver_url" {
+ name = "${local.aks_name}-apiserver-url"
+ value = "https://${local.aks_api_url}:443"
+ content_type = "text/plain"
+
+ key_vault_id = data.azurerm_key_vault.kv_domain.id
+}
+
+resource "azurerm_key_vault_secret" "app_insights_connection_string" {
+ name = "${local.monitor_appinsights_name}-connection-string"
+ value = data.azurerm_application_insights.application_insights.connection_string
+ content_type = "text/plain"
+
+ key_vault_id = data.azurerm_key_vault.kv_domain.id
+}
diff --git a/src/domains/testit-app/01_network.tf b/src/domains/testit-app/01_network.tf
new file mode 100644
index 0000000..4faafa1
--- /dev/null
+++ b/src/domains/testit-app/01_network.tf
@@ -0,0 +1,12 @@
+data "azurerm_private_dns_zone" "internal" {
+ name = local.internal_dns_zone_name
+ resource_group_name = local.internal_dns_zone_resource_group_name
+}
+
+resource "azurerm_private_dns_a_record" "itn_testit_ingress" {
+ name = local.ingress_hostname_prefix
+ zone_name = data.azurerm_private_dns_zone.internal.name
+ resource_group_name = local.internal_dns_zone_resource_group_name
+ ttl = 3600
+ records = [var.ingress_load_balancer_ip]
+}
diff --git a/src/domains/testit-app/02_namespace_domain.tf b/src/domains/testit-app/02_namespace_domain.tf
new file mode 100644
index 0000000..1a47218
--- /dev/null
+++ b/src/domains/testit-app/02_namespace_domain.tf
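Review bot: `azurerm_key_vault_secret.app_insights_connection_string` has no `expiration_date` and, unlike the preceding `aks_apiserver_url` resource, carries no `#tfsec:ignore:AZU023` annotation, so the secret-expiry check is silenced for one secret and left to fire on the other. Either set `expiration_date` on both secrets and document how the connection string is re-issued when it rotates, or apply the ignore consistently with a reason, e.g. `#tfsec:ignore:AZU023 -- value is read from the data source and rotates with it`. I believe AZU023 is tfsec's legacy id for this rule and newer releases report it as `azure-keyvault-ensure-secret-expiry`, so the ignore comments in this and the following files may need the newer id to keep working.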
@@ -0,0 +1,34 @@
+resource "kubernetes_namespace" "domain_namespace" {
+ metadata {
+ name = var.domain
+ }
+}
+
+module "domain_pod_identity" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v8.13.0"
+
+ resource_group_name = local.aks_resource_group_name
+ location = var.location
+ tenant_id = data.azurerm_subscription.current.tenant_id
+ cluster_name = local.aks_name
+
+ identity_name = "${var.domain}-pod-identity"
+ namespace = kubernetes_namespace.domain_namespace.metadata[0].name
+ key_vault_id = data.azurerm_key_vault.kv_domain.id
+
+ secret_permissions = ["Get"]
+ certificate_permissions = ["Get"]
+}
+
+resource "helm_release" "reloader" {
+ name = "reloader"
+ repository = "https://stakater.github.io/stakater-charts"
+ chart = "reloader"
+ version = "v1.0.30"
+ namespace = kubernetes_namespace.domain_namespace.metadata[0].name
+
+ set {
+ name = "reloader.watchGlobally"
+ value = "false"
+ }
+}
diff --git a/src/domains/testit-app/03_serviceaccounts_azure_devops.tf b/src/domains/testit-app/03_serviceaccounts_azure_devops.tf
new file mode 100644
index 0000000..fc732fb
--- /dev/null
+++ b/src/domains/testit-app/03_serviceaccounts_azure_devops.tf
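Review bot: The `domain_pod_identity` module source is pinned by git tag (`?ref=v8.13.0`), as is `system_service_account` in 03_serviceaccounts_azure_devops.tf; a tag is a mutable pointer, so the module that creates an identity and grants it Key Vault access can change without any change to this repository. Pinning to the commit behind the tag, e.g. `?ref=<commit-sha>` with the tag recorded in a comment, makes the module content reproducible and reviewable. If the team prefers tag pins refreshed by a dependency bot, a comment saying so would make that choice explicit.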
@@ -0,0 +1,65 @@
+resource "kubernetes_namespace" "system_domain_namespace" {
+ metadata {
+ name = "${var.domain}-system"
+ }
+}
+
+module "system_service_account" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_service_account?ref=v8.13.0"
+ name = "azure-devops"
+ namespace = kubernetes_namespace.system_domain_namespace.metadata[0].name
+}
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "azure_devops_sa_token" {
+ name = "${var.aks_name}-azure-devops-sa-token"
+ value = module.system_service_account.sa_token
+ content_type = "text/plain"
+
+ key_vault_id = data.azurerm_key_vault.kv_domain.id
+}
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "azure_devops_sa_cacrt" {
+ name = "${var.aks_name}-azure-devops-sa-cacrt"
+ value = module.system_service_account.sa_ca_cert
+ content_type = "text/plain"
+
+ key_vault_id = data.azurerm_key_vault.kv_domain.id
+}
+
+#-------------------------------------------------------------
+
+resource "kubernetes_role_binding" "deployer_binding" {
+ metadata {
+ name = "deployer-binding"
+ namespace = kubernetes_namespace.domain_namespace.metadata[0].name
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "cluster-deployer"
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = "azure-devops"
+ namespace = kubernetes_namespace.system_domain_namespace.metadata[0].name
+ }
+}
+
+resource "kubernetes_role_binding" "system_deployer_binding" {
+ metadata {
+ name = "system-deployer-binding"
+ namespace = kubernetes_namespace.system_domain_namespace.metadata[0].name
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "system-cluster-deployer"
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = "azure-devops"
+ namespace = kubernetes_namespace.system_domain_namespace.metadata[0].name
+ }
+}
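Review bot: `azure_devops_sa_token` writes the service account's long-lived bearer token into Key Vault with the expiry check silenced (`#tfsec:ignore:AZU023`), and the two role bindings below grant that same `azure-devops` account the `cluster-deployer` and `system-cluster-deployer` ClusterRoles in the domain and system namespaces, so the stored secret is a deploy credential with no built-in expiry or rotation. Consider setting `expiration_date` on `azure_devops_sa_token` and `azure_devops_sa_cacrt` and documenting how the token is rotated, or state in the ignore comment why a non-expiring token is acceptable for this pipeline identity. The secret names here use `var.aks_name` while 01_keyvault.tf uses `local.aks_name` for the same purpose; if the two can diverge, one of them should be used throughout. The `cluster-deployer` and `system-cluster-deployer` ClusterRoles are not defined in this change and are presumably created elsewhere on the cluster — worth a comment naming where.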
diff --git a/src/domains/testit-app/04_aks_aad_github.tf b/src/domains/testit-app/04_aks_aad_github.tf
new file mode 100644
index 0000000..7742d35
--- /dev/null
+++ b/src/domains/testit-app/04_aks_aad_github.tf
@@ -0,0 +1,70 @@ +# # +# # CI +# # + +# data "azuread_service_principal" "github_runner_ci" { +# display_name = "github-pagopa-devopslab-infra-dev-ci" +# } + +# resource "azurerm_key_vault_access_policy" "github_runner_ci" { +# key_vault_id = data.azurerm_key_vault.kv_domain.id +# tenant_id = data.azurerm_client_config.current.tenant_id +# object_id = data.azuread_service_principal.github_runner_ci.object_id + +# secret_permissions = ["Get", "List", "Set", ] + +# certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", ] + +# storage_permissions = [] +# } + +# resource "null_resource" "aks_with_iac_aad_plus_namespace_ci" { +# triggers = { +# aks_id = data.azurerm_kubernetes_cluster.aks.id +# service_principal_id = data.azuread_service_principal.github_runner_ci.id +# namespace = var.domain +# } + +# provisioner "local-exec" { +# command = < + +## Requirements + +| Name | Version | +|------|---------| +| [azuread](#requirement\_azuread) | <= 2.47.0 | +| [azurerm](#requirement\_azurerm) | <= 3.104.1 | +| [helm](#requirement\_helm) | <= 2.12.1 | +| [kubernetes](#requirement\_kubernetes) | <= 2.26.0 | +| [local](#requirement\_local) | <= 2.5.1 | +| [null](#requirement\_null) | <= 3.2.1 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [domain\_pod\_identity](#module\_domain\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v8.13.0 | +| [system\_service\_account](#module\_system\_service\_account) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_service_account | v8.13.0 | +| [tls\_checker](#module\_tls\_checker) | git::https://github.com/pagopa/terraform-azurerm-v3.git//tls_checker | v8.13.0 | + +## Resources + +| Name | Type | +|------|------| +| [azurerm_key_vault_secret.aks_apiserver_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| 
[azurerm_key_vault_secret.app_insights_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_key_vault_secret.azure_devops_sa_cacrt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_key_vault_secret.azure_devops_sa_token](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_private_dns_a_record.itn_testit_ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource |
+| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_namespace.domain_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.system_domain_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_role_binding.deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
+| [kubernetes_role_binding.system_deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
+| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| 
[azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_key_vault.kv_domain](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
+| [azurerm_kubernetes_cluster.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster) | data source |
+| [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
+| [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
+| [azurerm_private_dns_zone.internal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
+| [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_resource_group.rg_vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_virtual_network.vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [aks\_name](#input\_aks\_name) | AKS cluster name | `string` | n/a | yes |
+| [aks\_resource\_group\_name](#input\_aks\_resource\_group\_name) | AKS cluster resource name | `string` | n/a | yes |
+| [dns\_zone\_internal\_prefix](#input\_dns\_zone\_internal\_prefix) | The dns subdomain. | `string` | `null` | no |
+| [dns\_zone\_prefix](#input\_dns\_zone\_prefix) | The dns subdomain. | `string` | n/a | yes |
+| [domain](#input\_domain) | n/a | `string` | n/a | yes |
+| [env](#input\_env) | n/a | `string` | n/a | yes |
+| [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes |
+| [event\_hub\_port](#input\_event\_hub\_port) | n/a | `number` | `9093` | no |
+| [external\_domain](#input\_external\_domain) | Domain for delegation | `string` | `"pagopa.it"` | no |
+| [ingress\_load\_balancer\_hostname](#input\_ingress\_load\_balancer\_hostname) | n/a | `string` | `""` | no |
+| [ingress\_load\_balancer\_ip](#input\_ingress\_load\_balancer\_ip) | n/a | `string` | n/a | yes |
+| [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes |
+| [k8s\_kube\_config\_path\_prefix](#input\_k8s\_kube\_config\_path\_prefix) | n/a | `string` | `"~/.kube"` | no |
+| [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes |
+| [location\_short](#input\_location\_short) | One of wue, neu | `string` | n/a | yes |
+| [lock\_enable](#input\_lock\_enable) | Apply locks to block accedentaly deletions. | `bool` | `false` | no |
+| [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | Specifies the name of the Log Analytics Workspace. | `string` | n/a | yes |
+| [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. 
| `string` | n/a | yes |
+| [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes |
+| [prefix](#input\_prefix) | n/a | `string` | n/a | yes |
+| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no |
+| [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes |
+
+## Outputs
+
+No outputs.
+
diff --git a/src/domains/testit-app/argocd/apps/app-status-standalone.yaml b/src/domains/testit-app/argocd/apps/app-status-standalone.yaml
new file mode 100644
index 0000000..e1048b2
--- /dev/null
+++ b/src/domains/testit-app/argocd/apps/app-status-standalone.yaml
@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: app-status-standalone
+ # You'll usually want to add your resources to the argocd namespace.
+ namespace: argocd
+ # Add this finalizer ONLY if you want these to cascade delete.
+ finalizers:
+ # The default behaviour is foreground cascading deletion
+ - resources-finalizer.argocd.argoproj.io
+ # Alternatively, you can use background cascading deletion
+ # - resources-finalizer.argocd.argoproj.io/background
+ # Add labels to your application object.
+ labels:
+ name: app-status-standalone
+spec:
+ project: terraform-argocd-project
+ source:
+# chart: microservice-chart
+# targetRevision: 5.4.0
+ repoURL: 'https://github.com/pagopa/devops-app-status'
+ path: helm/devopslab/diego
+ helm:
+ releaseName: status
+ valueFiles:
+ - values-dev.yaml
+ valuesObject:
+ microservice-chart:
+ namespace: "diego"
+ ingress:
+ path: /terraform-argocd/status(/|$)(.*)
+ destination:
+ server: 'https://kubernetes.default.svc'
+ namespace: diego
+ syncPolicy:
+ automated: {}
+ revisionHistoryLimit: 10
diff --git a/src/domains/testit-app/argocd/apps/apps-terraform-broken.yaml b/src/domains/testit-app/argocd/apps/apps-terraform-broken.yaml
new file mode 100644
index 0000000..c720f54
--- /dev/null
+++ b/src/domains/testit-app/argocd/apps/apps-terraform-broken.yaml
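Review bot: The `source` block of `app-status-standalone` has no `targetRevision`, so Argo CD tracks `HEAD` of the default branch of `pagopa/devops-app-status`, and with `syncPolicy.automated` every push to that branch is rolled out to the cluster without a review step in this repository. Pin the revision to a release, e.g. `targetRevision: <release-tag>`, and drop the leftover `# chart: microservice-chart` / `# targetRevision: 5.4.0` lines, which describe a chart source this Application no longer uses.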
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: terraform-broken-apps
+ # You'll usually want to add your resources to the argocd namespace.
+ namespace: argocd
+ # Add this finalizer ONLY if you want these to cascade delete.
+ finalizers:
+ # The default behaviour is foreground cascading deletion
+ - resources-finalizer.argocd.argoproj.io
+ # Alternatively, you can use background cascading deletion
+ # - resources-finalizer.argocd.argoproj.io/background
+ # Add labels to your application object.
+ labels:
+ name: terraform-broken-apps
+spec:
+ project: terraform-argocd-project
+ source:
+# chart: microservice-chart
+ targetRevision: argocd-apps
+ repoURL: 'https://github.com/diegolagospagopa/argocd-showcase'
+ path: argocd/broken-apps
+ destination:
+ server: 'https://kubernetes.default.svc'
+ namespace: diego
+ syncPolicy:
+ automated: {}
+ revisionHistoryLimit: 10
diff --git a/src/domains/testit-app/argocd/apps/apps-terraform-ok.yaml b/src/domains/testit-app/argocd/apps/apps-terraform-ok.yaml
new file mode 100644
index 0000000..5c761c0
--- /dev/null
+++ b/src/domains/testit-app/argocd/apps/apps-terraform-ok.yaml
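Review bot: `repoURL` points at `github.com/diegolagospagopa/argocd-showcase`, which looks like a personal account rather than the `pagopa` organisation, and `targetRevision: argocd-apps` follows a branch; together with `syncPolicy.automated` the cluster applies whatever lands on that branch, outside the organisation's repository controls. The same source is used in apps-terraform-ok.yaml. If these are intentional demo Applications, a comment saying so plus a pinned `targetRevision` (tag or commit) would bound the exposure; otherwise the manifests belong in an organisation-owned repository.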
@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: terraform-ok-apps
+ # You'll usually want to add your resources to the argocd namespace.
+ namespace: argocd
+ # Add this finalizer ONLY if you want these to cascade delete.
+ finalizers:
+ # The default behaviour is foreground cascading deletion
+ - resources-finalizer.argocd.argoproj.io
+ # Alternatively, you can use background cascading deletion
+ # - resources-finalizer.argocd.argoproj.io/background
+ # Add labels to your application object.
+ labels:
+ name: terraform-ok-apps
+spec:
+ project: terraform-argocd-project
+ source:
+# chart: microservice-chart
+ targetRevision: argocd-apps
+ repoURL: 'https://github.com/diegolagospagopa/argocd-showcase'
+ path: argocd/ok-apps
+# helm:
+# releaseName: status
+# valueFiles:
+# - values-dev.yaml
+# valuesObject:
+# microservice-chart:
+# namespace: "diego"
+# ingress:
+# path: /terraform-argocd/status(/|$)(.*)
+ destination:
+ server: 'https://kubernetes.default.svc'
+ namespace: diego
+ syncPolicy:
+ automated: {}
+ revisionHistoryLimit: 10
diff --git a/src/domains/testit-app/argocd/projects/project-terraform-argocd.yaml b/src/domains/testit-app/argocd/projects/project-terraform-argocd.yaml
new file mode 100644
index 0000000..9738628
--- /dev/null
+++ b/src/domains/testit-app/argocd/projects/project-terraform-argocd.yaml
@@ -0,0 +1,101 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: terraform-argocd-project
+ namespace: argocd
+ # Finalizer that ensures that project is not deleted until it is not referenced by any application
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ # Project description
+ description: terraform-argocd Project
+
+ # Allow manifests to deploy from any Git repos
+ sourceRepos:
+ - '*'
+
+ # Only permit applications to deploy to the terraform-argocd namespace in the same cluster
+ # Destination clusters can be identified by 'server', 'name', or both.
+ destinations:
+ - namespace: diego
+ server: https://kubernetes.default.svc
+ name: in-cluster
+ - namespace: argocd
+ server: https://kubernetes.default.svc
+ name: in-cluster
+
+# # Deny all cluster-scoped resources from being created, except for Namespace
+# clusterResourceWhitelist:
+# - group: ''
+# kind: Namespace
+
+ # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
+ namespaceResourceBlacklist:
+ - group: ''
+ kind: ResourceQuota
+ - group: ''
+ kind: LimitRange
+ - group: 'networking.k8s.io/v1'
+ kind: NetworkPolicy
+
+# # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet
+# namespaceResourceWhitelist:
+# - group: 'apps'
+# kind: Deployment
+# - group: 'apps'
+# kind: StatefulSet
+
+ # Enables namespace orphaned resource monitoring.
+ orphanedResources:
+ warn: false
+
+# roles:
+# # A role which provides read-only access to all applications in the project
+# - name: read-only
+# description: Read-only privileges to terraform-argocd
+# policies:
+# - p, proj:terraform-argocd:read-only, applications, get, terraform-argocd/*, allow
+# groups:
+# - my-oidc-group
+#
+# # A role which provides sync privileges to only the terraform-argocd-dev application, e.g. 
to provide
+# # sync privileges to a CI system
+# - name: ci-role
+# description: Sync privileges for terraform-argocd-dev
+# policies:
+# - p, proj:terraform-argocd:ci-role, applications, sync, terraform-argocd/terraform-argocd-dev, allow
+
+# # NOTE: JWT tokens can only be generated by the API server and the token is not persisted
+# # anywhere by Argo CD. It can be prematurely revoked by removing the entry from this list.
+# jwtTokens:
+# - iat: 1535390316
+
+# # Sync windows restrict when Applications may be synced. https://argo-cd.readthedocs.io/en/stable/user-guide/sync_windows/
+# syncWindows:
+# - kind: allow
+# schedule: '10 1 * * *'
+# duration: 1h
+# applications:
+# - '*-prod'
+# manualSync: true
+# - kind: deny
+# schedule: '0 22 * * *'
+# duration: 1h
+# namespaces:
+# - default
+# - kind: allow
+# schedule: '0 23 * * *'
+# duration: 1h
+# clusters:
+# - in-cluster
+# - cluster1
+
+ # By default, apps may sync to any cluster specified under the `destinations` field, even if they are not
+ # scoped to this project. Set the following field to `true` to restrict apps in this cluster to only clusters
+ # scoped to this project.
+ permitOnlyProjectScopedClusters: false
+
+# # When using Applications-in-any-namespace, this field determines which namespaces this AppProject permits
+# # Applications to reside in. Details: https://argo-cd.readthedocs.io/en/stable/operator-manual/app-any-namespace/
+# sourceNamespaces:
+# - "argocd-apps-*"
diff --git a/src/domains/testit-common/env/dev/backend.ini b/src/domains/testit-app/env/itn-dev/backend.ini
similarity index 100%
rename from src/domains/testit-common/env/dev/backend.ini
rename to src/domains/testit-app/env/itn-dev/backend.ini
diff --git a/src/domains/testit-app/env/itn-dev/backend.tfvars b/src/domains/testit-app/env/itn-dev/backend.tfvars
new file mode 100644
index 0000000..bad99bf
--- /dev/null
+++ b/src/domains/testit-app/env/itn-dev/backend.tfvars
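Review bot: `sourceRepos: ['*']` lets any Application in this project deploy manifests from any Git repository, and `destinations` includes the `argocd` namespace, so such an Application could also manage namespaced objects of Argo CD itself (its ConfigMaps, Roles and RoleBindings are all permitted by the current blacklist); list the allowed repositories explicitly and drop the `argocd` destination unless something in this project needs it. In `namespaceResourceBlacklist` the NetworkPolicy entry uses `group: 'networking.k8s.io/v1'`, but the field takes the API group without a version, so this entry most likely never matches and NetworkPolicy stays permitted; `group: 'networking.k8s.io'` is the intended value. `orphanedResources.warn: false` also means objects left behind in the shared `diego` namespace go unreported — confirm that is wanted. This hunk begins on the previous line.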
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfinfdevopslab"
+container_name = "terraform-state"
+key = "testit-app-domain-terraform.tfstate"
diff --git a/src/domains/testit-app/env/itn-dev/terraform.tfvars b/src/domains/testit-app/env/itn-dev/terraform.tfvars
new file mode 100644
index 0000000..090c2b8
--- /dev/null
+++ b/src/domains/testit-app/env/itn-dev/terraform.tfvars
@@ -0,0 +1,54 @@
+# general
+prefix = "dvopla"
+env_short = "d"
+env = "dev"
+location = "italynorth"
+location_short = "itn"
+domain = "testit"
+instance = "dev01"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Dev"
+ Owner = "devops"
+ Source = "https://github.com/pagopa/dvopla-infrastructure"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+ Application = "testit.app"
+}
+
+### External resources
+monitor_resource_group_name = "dvopla-d-itn-monitor-rg"
+log_analytics_workspace_name = "dvopla-d-itn-law"
+log_analytics_workspace_resource_group_name = "dvopla-d-itn-monitor-rg"
+
+
+### Aks
+
+aks_name = "dvopla-d-itn-dev-aks"
+aks_resource_group_name = "dvopla-d-itn-dev-aks-rg"
+
+ingress_load_balancer_ip = "10.3.10.250"
+ingress_load_balancer_hostname = "testit.itn.internal.devopslab.pagopa.it"
+
+#
+# Dns
+#
+external_domain = "pagopa.it"
+dns_zone_prefix = "devopslab"
+dns_zone_internal_prefix = "internal.devopslab"
+
+#
+# VNET
+#
+cidr_subnet_container_apps = ["10.1.146.0/23"]
+
+#
+# TLS Checker
+#
+# chart releases: https://github.com/pagopa/aks-microservice-chart-blueprint/releases
+# image tags: https://github.com/pagopa/infra-ssl-check/releases
+tls_cert_check_helm = {
+ chart_version = "1.21.0"
+ image_name = "ghcr.io/pagopa/infra-ssl-check"
+ image_tag = "v1.2.2@sha256:22f4b53177cc8891bf10cbd0deb39f60e1cd12877021c3048a01e7738f63e0f9"
+}
diff --git a/src/domains/testit-app/terraform.sh b/src/domains/testit-app/terraform.sh
new file mode 100755
index 0000000..bc4439b
--- /dev/null
+++ b/src/domains/testit-app/terraform.sh
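Review bot: `cidr_subnet_container_apps` is set in terraform.tfvars but does not appear among the inputs listed in the README added by this change, so unless a matching `variable` block lives in a file outside this diff, Terraform will warn about a value for an undeclared variable and the setting is dead configuration; declare it or remove it. The `image_tag` for the TLS checker is pinned by digest, which is the right approach and could serve as the model for the other source pins in this change.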
@@ -0,0 +1,220 @@
+#!/bin/bash
+############################################################
+# Terraform script for managing infrastructure on Azure
+# Fingerprint: d2hhdHlvdXdhbnQ/Cg==
+############################################################
+# Global variables
+# Version format x.y accepted
+vers="1.5"
+script_name=$(basename "$0")
+git_repo="https://raw.githubusercontent.com/pagopa/eng-common-scripts/main/azure/${script_name}"
+tmp_file="${script_name}.new"
+
+# Define functions
+function clean_environment() {
+ rm -rf .terraform
+ rm tfplan 2>/dev/null
+ echo "cleaned!"
+}
+
+function help_usage() {
+ echo "terraform.sh Version ${vers}"
+ echo
+ echo "Usage: ./script.sh [ACTION] [ENV] [OTHER OPTIONS]"
+ echo "es. ACTION: init, apply, plan, etc."
+ echo "es. ENV: dev, uat, prod, etc."
+ echo
+ echo "Available actions:"
+ echo " clean Remove .terraform* folders and tfplan files"
+ echo " help This help"
+ echo " list List every environment available"
+ echo " update Update this script if possible"
+ echo " summ Generate summary of Terraform plan"
+ echo " * any terraform option"
+}
+
+function init_terraform() {
+ if [ -n "$env" ]; then
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ else
+ echo "ERROR: no env configured!"
+ exit 1
+ fi
+}
+
+function list_env() {
+ # Check if env directory exists
+ if [ ! 
-d "./env" ]; then
+ echo "No environment directory found"
+ exit 1
+ fi
+
+ # List subdirectories under env directory
+ env_list=$(ls -d ./env/*/ 2>/dev/null)
+
+ # Check if there are any subdirectories
+ if [ -z "$env_list" ]; then
+ echo "No environments found"
+ exit 1
+ fi
+
+ # Print the list of environments
+ echo "Available environments:"
+ for env in $env_list; do
+ env_name=$(echo "$env" | sed 's#./env/##;s#/##')
+ echo "- $env_name"
+ done
+}
+
+function other_actions() {
+ if [ -n "$env" ] && [ -n "$action" ]; then
+ terraform "$action" -var-file="./env/$env/terraform.tfvars" -compact-warnings $other
+ else
+ echo "ERROR: no env or action configured!"
+ exit 1
+ fi
+}
+
+function state_output_taint_actions() {
+ terraform $action $other
+}
+
+function parse_tfplan_option() {
+ # Create an array to contain arguments that do not start with '-tfplan='
+ local other_args=()
+
+ # Loop over all arguments
+ for arg in "$@"; do
+ # If the argument starts with '-tfplan=', extract the file name
+ if [[ "$arg" =~ ^-tfplan= ]]; then
+ echo "${arg#*=}"
+ else
+ # If the argument does not start with '-tfplan=', add it to the other_args array
+ other_args+=("$arg")
+ fi
+ done
+
+ # Print all arguments in other_args separated by spaces
+ echo "${other_args[@]}"
+}
+
+function tfsummary() {
+ local plan_file
+ plan_file=$(parse_tfplan_option "$@")
+ if [ -z "$plan_file" ]; then
+ plan_file="tfplan"
+ fi
+ action="plan"
+ other="-out=${plan_file}"
+ other_actions
+ if [ -n "$(command -v tf-summarize)" ]; then
+ tf-summarize -separate-tree "${plan_file}"
+ else
+ echo "tf-summarize non รจ installato"
+ fi
+ if [ "$plan_file" == "tfplan" ]; then
+ rm $plan_file
+ fi
+}
+
+
+function update_script() {
+ # Check if the repository was cloned successfully
+ if ! 
curl -sL "$git_repo" -o "$tmp_file"; then
+ echo "Error cloning the repository"
+ rm "$tmp_file" 2>/dev/null
+ return 1
+ fi
+
+ # Check if a newer version exists
+ remote_vers=$(sed -n '8s/vers="\(.*\)"/\1/p' "$tmp_file")
+ if [ "$(printf '%s\n' "$vers" "$remote_vers" | sort -V | tail -n 1)" == "$vers" ]; then
+ echo "The local script version is equal to or newer than the remote version."
+ rm "$tmp_file" 2>/dev/null
+ return 0
+ fi
+
+ # Check the fingerprint
+ local_fingerprint=$(sed -n '4p' "$0")
+ remote_fingerprint=$(sed -n '4p' "$tmp_file")
+
+ if [ "$local_fingerprint" != "$remote_fingerprint" ]; then
+ echo "The local and remote file fingerprints do not match."
+ rm "$tmp_file" 2>/dev/null
+ return 0
+ fi
+
+ # Show the current and available versions to the user
+ echo "Current script version: $vers"
+ echo "Available script version: $remote_vers"
+
+ # Ask the user if they want to update the script
+ read -rp "Do you want to update the script to version $remote_vers? (y/n): " answer
+
+ if [ "$answer" == "y" ] || [ "$answer" == "Y" ]; then
+ # Replace the local script with the updated version
+ cp "$tmp_file" "$script_name"
+ chmod +x "$script_name"
+ rm "$tmp_file" 2>/dev/null
+
+ echo "Script successfully updated to version $remote_vers"
+ else
+ echo "Update canceled by the user"
+ fi
+
+ rm "$tmp_file" 2>/dev/null
+}
+
+# Check arguments number
+if [ "$#" -lt 1 ]; then
+ help_usage
+ exit 0
+fi
+
+# Parse arguments
+action=$1
+env=$2
+shift 2
+other=$@
+
+if [ -n "$env" ]; then
+ # shellcheck source=/dev/null
+ source "./env/$env/backend.ini"
+ if [ -z "$(command -v az)" ]; then
+ echo "az not found, cannot proceed"
+ exit 1
+ fi
+ az account set -s "${subscription}"
+fi
+
+# Call appropriate function based on action
+case $action in
+ clean)
+ clean_environment
+ ;;
+ ?|help|-h)
+ help_usage
+ ;;
+ init)
+ init_terraform
+ init_terraform "$other"
+ ;;
+ list)
+ list_env
+ ;;
+ output|state|taint)
+ init_terraform
+ state_output_taint_actions $other
+ 
;;
+ summ)
+ init_terraform
+ tfsummary "$other"
+ ;;
+ update)
+ update_script
+ ;;
+ *)
+ init_terraform
+ other_actions "$other"
+ ;;
+esac
diff --git a/src/domains/testit-common/env/itn-dev/backend.ini b/src/domains/testit-common/env/itn-dev/backend.ini
new file mode 100644
index 0000000..a7cc599
--- /dev/null
+++ b/src/domains/testit-common/env/itn-dev/backend.ini
@@ -0,0 +1 @@
+subscription=DevOpsLab
diff --git a/src/domains/testit-common/env/dev/backend.tfvars b/src/domains/testit-common/env/itn-dev/backend.tfvars
similarity index 100%
rename from src/domains/testit-common/env/dev/backend.tfvars
rename to src/domains/testit-common/env/itn-dev/backend.tfvars
diff --git a/src/domains/testit-common/env/dev/terraform.tfvars b/src/domains/testit-common/env/itn-dev/terraform.tfvars
similarity index 100%
rename from src/domains/testit-common/env/dev/terraform.tfvars
rename to src/domains/testit-common/env/itn-dev/terraform.tfvars
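Review bot: The `update` action in `update_script` replaces this script with whatever `curl -sL "$git_repo"` fetches from the `main` branch, and the only integrity check before `cp "$tmp_file" "$script_name"` and `chmod +x` is comparing line 4 of both files — a static marker committed in the file, not a signature or digest — so a changed upstream is copied over the local script after a y/n prompt, and because `-f` is absent a non-2xx response body is parsed with `sed` as if it were the script. At minimum use `curl -fsSL` so HTTP errors abort, pin `git_repo` to a tag or commit rather than `main`, and compare a published checksum of the file before the `cp`. Separately, `env=$2` flows unvalidated into `source "./env/$env/backend.ini"` and the `-backend-config`/`-var-file` paths, so a value containing `/` or `..` sources a file outside `./env`; a guard such as `[[ "$env" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "ERROR: invalid env name"; exit 1; }` placed before the `source` restricts it to a directory name. Note also that `cp "$tmp_file" "$script_name"` targets `$(basename "$0")` in the current directory rather than `$0` itself, so running the script via a path from another directory updates the wrong file. The unquoted `other=$@`, `terraform $action $other` and `rm $plan_file` word-split and glob their arguments (ShellCheck SC2124/SC2086); an array `other=("$@")` expanded as `"${other[@]}"` keeps arguments with spaces intact.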