From d4a162db90b506241d9c01675208ebcdf9e097a6 Mon Sep 17 00:00:00 2001 
From: Diego Lagos <92735530+diegolagospagopa@users.noreply.github.com> Date: Tue, 28 Feb 2023 10:24:39 +0100 Subject: [PATCH] feat: Created domain diego-container-apps + dapr apps (#49) * changed file names * removed container apps from diego-app * created dedicated domain diego-container-apps * azurerm upgrated to 3.45 * minor fix * container app for dapr showcase * pre-commit fixs * created env for dapr apps * added backendapp * pre-commit fixs --- src/.env/dev/terraform.tfvars | 37 ++-- src/domains/diego-app/05_container_app_0.tf | 71 -------- .../diego-app/05_container_app_amassador.tf | 36 ---- .../05_container_app_devops_color_java.tf | 35 ---- src/domains/diego-app/99_main.tf | 2 +- src/domains/diego-app/README.md | 10 +- .../devops-java-springboot-color.yaml.tpl | 2 +- .../diego-container-apps/.terraform.lock.hcl | 61 +++++++ .../diego-container-apps/00_azuread.tf | 16 ++ .../diego-container-apps/00_key_vault.tf | 15 ++ .../diego-container-apps/00_monitor.tf | 23 +++ .../diego-container-apps/00_network.tf | 8 + .../01_container_app_0.tf | 28 +++ .../diego-container-apps/01_network.tf | 12 ++ .../02_container_app_env_dapr.tf | 49 +++++ .../02_container_app_env_diego.tf | 20 +++ .../03_container_app_amassador.tf | 36 ++++ .../03_container_app_devops_color_java.tf | 35 ++++ .../03_container_app_devops_darp.tf | 132 ++++++++++++++ src/domains/diego-container-apps/99_main.tf | 58 ++++++ .../diego-container-apps/99_variables.tf | 168 ++++++++++++++++++ src/domains/diego-container-apps/README.md | 72 ++++++++ .../container-app/ambassador.yaml.tpl | 79 ++++++++ .../devops-java-springboot-color.yaml.tpl | 79 ++++++++ .../diego-container-apps/env/dev/backend.ini | 1 + .../env/dev/backend.tfvars | 4 + .../env/dev/terraform.tfvars | 45 +++++ src/domains/diego-container-apps/terraform.sh | 46 +++++ 28 files changed, 1009 insertions(+), 171 deletions(-) delete mode 100644 src/domains/diego-app/05_container_app_0.tf delete mode 100644 
src/domains/diego-app/05_container_app_amassador.tf delete mode 100644 src/domains/diego-app/05_container_app_devops_color_java.tf create mode 100644 src/domains/diego-container-apps/.terraform.lock.hcl create mode 100644 src/domains/diego-container-apps/00_azuread.tf create mode 100644 src/domains/diego-container-apps/00_key_vault.tf create mode 100644 src/domains/diego-container-apps/00_monitor.tf create mode 100644 src/domains/diego-container-apps/00_network.tf create mode 100644 src/domains/diego-container-apps/01_container_app_0.tf create mode 100644 src/domains/diego-container-apps/01_network.tf create mode 100644 src/domains/diego-container-apps/02_container_app_env_dapr.tf create mode 100644 src/domains/diego-container-apps/02_container_app_env_diego.tf create mode 100644 src/domains/diego-container-apps/03_container_app_amassador.tf create mode 100644 src/domains/diego-container-apps/03_container_app_devops_color_java.tf create mode 100644 src/domains/diego-container-apps/03_container_app_devops_darp.tf create mode 100644 src/domains/diego-container-apps/99_main.tf create mode 100644 src/domains/diego-container-apps/99_variables.tf create mode 100644 src/domains/diego-container-apps/README.md create mode 100644 src/domains/diego-container-apps/container-app/ambassador.yaml.tpl create mode 100644 src/domains/diego-container-apps/container-app/devops-java-springboot-color.yaml.tpl create mode 100644 src/domains/diego-container-apps/env/dev/backend.ini create mode 100644 src/domains/diego-container-apps/env/dev/backend.tfvars create mode 100644 src/domains/diego-container-apps/env/dev/terraform.tfvars create mode 100755 src/domains/diego-container-apps/terraform.sh diff --git a/src/.env/dev/terraform.tfvars b/src/.env/dev/terraform.tfvars index f5155120..8c0aef59 100644 --- a/src/.env/dev/terraform.tfvars +++ b/src/.env/dev/terraform.tfvars 
@@ -21,24 +21,25 @@ key_vault_name = "dvopla-d-neu-kv" key_vault_rg_name = "dvopla-d-sec-rg" # ☁️ networking -cidr_vnet = ["10.1.0.0/16"] -cidr_subnet_k8s = ["10.1.0.0/17"] -cidr_subnet_appgateway = ["10.1.128.0/24"] -cidr_subnet_postgres = ["10.1.129.0/24"] -cidr_subnet_azdoa = ["10.1.130.0/24"] -cidr_subnet_app_docker = ["10.1.132.0/24"] -cidr_subnet_flex_dbms = ["10.1.133.0/24"] -cidr_subnet_apim = ["10.1.136.0/24"] -cidr_subnet_appgateway_beta = ["10.1.138.0/24"] -cidr_subnet_vpn = ["10.1.139.0/24"] -cidr_subnet_dnsforwarder = ["10.1.140.0/29"] -cidr_subnet_private_endpoints = ["10.1.141.0/24"] -cidr_subnet_eventhub = ["10.1.142.0/24"] -cidr_subnet_redis = ["10.1.143.0/24"] -cidr_subnet_funcs_diego_domain = ["10.1.144.0/24"] -cidr_subnet_app_diego_app = ["10.1.145.0/24"] -cidr_subnet_container_apps = ["10.1.146.0/23"] -cidr_subnet_placeholder = ["10.1.148.0/24"] +cidr_vnet = ["10.1.0.0/16"] +cidr_subnet_k8s = ["10.1.0.0/17"] +cidr_subnet_appgateway = ["10.1.128.0/24"] +cidr_subnet_postgres = ["10.1.129.0/24"] +cidr_subnet_azdoa = ["10.1.130.0/24"] +cidr_subnet_app_docker = ["10.1.132.0/24"] +cidr_subnet_flex_dbms = ["10.1.133.0/24"] +cidr_subnet_apim = ["10.1.136.0/24"] +cidr_subnet_appgateway_beta = ["10.1.138.0/24"] +cidr_subnet_vpn = ["10.1.139.0/24"] +cidr_subnet_dnsforwarder = ["10.1.140.0/29"] +cidr_subnet_private_endpoints = ["10.1.141.0/24"] +cidr_subnet_eventhub = ["10.1.142.0/24"] +cidr_subnet_redis = ["10.1.143.0/24"] +cidr_subnet_funcs_diego_domain = ["10.1.144.0/24"] +cidr_subnet_app_diego_app = ["10.1.145.0/24"] +cidr_subnet_container_apps = ["10.1.146.0/23"] #placeholder +dvopla-d-neu-core-github-runner-snet = ["10.1.148.0/23"] #placeholder +cidr_subnet_container_apps_dapr = ["10.1.150.0/23"] #placeholder # dns prod_dns_zone_prefix = "devopslab" diff --git a/src/domains/diego-app/05_container_app_0.tf b/src/domains/diego-app/05_container_app_0.tf deleted file mode 100644 index f07baa96..00000000 
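Review bot: The new key `dvopla-d-neu-core-github-runner-snet` in the networking block breaks the `cidr_subnet_*` naming used by every other entry and reads like a subnet resource name rather than an input variable. If no variable with exactly that name is declared in the root module (not visible in this hunk), Terraform only warns about an undeclared value and the range is not actually reserved anywhere. Consider `cidr_subnet_github_runner = ["10.1.148.0/23"]`, and replace the bare `#placeholder` comments with one that says which domain owns the range, e.g. `# reserved for domains/diego-container-apps`.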
--- a/src/domains/diego-app/05_container_app_0.tf +++ /dev/null @@ -1,71 +0,0 @@ -resource "azurerm_resource_group" "container_app_diego" { - name = local.container_app_diego_environment_resource_group - location = var.location - tags = var.tags -} - -# Subnet to host the api config -module "container_apps_snet" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v4.1.0" - name = "${local.project}-container-apps-snet" - address_prefixes = var.cidr_subnet_container_apps - virtual_network_name = data.azurerm_virtual_network.vnet_core.name - - resource_group_name = data.azurerm_resource_group.rg_vnet_core.name - - private_endpoint_network_policies_enabled = true -} - -resource "null_resource" "update_az_cli" { - - triggers = { - env_name = local.container_app_diego_environment_name - rg = azurerm_resource_group.container_app_diego.name - subnet_id = module.container_apps_snet.id - log_analytics_id = data.azurerm_log_analytics_workspace.log_analytics.workspace_id - log_analytics_workspace_primary_shared_key = data.azurerm_log_analytics_workspace.log_analytics.primary_shared_key - } - - provisioner "local-exec" { - command = < [azuread](#requirement\_azuread) | = 2.21.0 | -| [azurerm](#requirement\_azurerm) | <= 3.38.0 | +| [azurerm](#requirement\_azurerm) | <= 3.45.0 | | [helm](#requirement\_helm) | = 2.5.1 | | [kubernetes](#requirement\_kubernetes) | = 2.11.0 | | [null](#requirement\_null) | = 3.1.1 | @@ -14,7 +14,6 @@ | Name | Source | Version | |------|--------|---------| -| [container\_apps\_snet](#module\_container\_apps\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v4.1.0 | | [domain\_key\_vault\_secrets\_query](#module\_domain\_key\_vault\_secrets\_query) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v4.1.0 | | [domain\_pod\_identity](#module\_domain\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v4.1.0 | 
@@ -26,21 +25,14 @@ | [azurerm_key_vault_secret.app_insights_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.azure_devops_sa_cacrt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.azure_devops_sa_token](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | -| [azurerm_resource_group.container_app_diego](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/2.5.1/docs/resources/release) | resource | | [kubernetes_namespace.domain_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/2.11.0/docs/resources/namespace) | resource | | [kubernetes_namespace.system_domain_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/2.11.0/docs/resources/namespace) | resource | | [kubernetes_role_binding.deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/2.11.0/docs/resources/role_binding) | resource | | [kubernetes_role_binding.system_deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/2.11.0/docs/resources/role_binding) | resource | | [kubernetes_service_account.azure_devops](https://registry.terraform.io/providers/hashicorp/kubernetes/2.11.0/docs/resources/service_account) | resource | -| [local_file.save_yaml_file_ambassador](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | -| [local_file.save_yaml_file_devops_color](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | | [null_resource.aks_with_iac_aad_plus_namespace](https://registry.terraform.io/providers/hashicorp/null/3.1.1/docs/resources/resource) | 
resource | | [null_resource.aks_with_iac_aad_plus_namespace_system](https://registry.terraform.io/providers/hashicorp/null/3.1.1/docs/resources/resource) | resource | -| [null_resource.apply_container_app_yaml_ambassador](https://registry.terraform.io/providers/hashicorp/null/3.1.1/docs/resources/resource) | resource | -| [null_resource.apply_container_app_yaml_devops_color](https://registry.terraform.io/providers/hashicorp/null/3.1.1/docs/resources/resource) | resource | -| [null_resource.container_app_create_env](https://registry.terraform.io/providers/hashicorp/null/3.1.1/docs/resources/resource) | resource | -| [null_resource.update_az_cli](https://registry.terraform.io/providers/hashicorp/null/3.1.1/docs/resources/resource) | resource | | [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | | [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | | [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | diff --git a/src/domains/diego-app/container-app/devops-java-springboot-color.yaml.tpl b/src/domains/diego-app/container-app/devops-java-springboot-color.yaml.tpl index 71890c73..f1f6c0c0 100644 --- a/src/domains/diego-app/container-app/devops-java-springboot-color.yaml.tpl +++ b/src/domains/diego-app/container-app/devops-java-springboot-color.yaml.tpl @@ -75,5 +75,5 @@ properties: failureThreshold: 6 timeoutSeconds: 10 scale: - minReplicas: 1 + minReplicas: 0 maxReplicas: 3 diff --git a/src/domains/diego-container-apps/.terraform.lock.hcl b/src/domains/diego-container-apps/.terraform.lock.hcl new file mode 100644 index 00000000..e1775e61 --- /dev/null +++ b/src/domains/diego-container-apps/.terraform.lock.hcl 
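Review bot: After this change the diego-app copy of `devops-java-springboot-color.yaml.tpl` is byte-identical to the one added under `src/domains/diego-container-apps/container-app/` (both end at blob `f1f6c0c0`), so the template now exists twice. The same commit deletes `diego-app/05_container_app_devops_color_java.tf` and drops `local_file.save_yaml_file_devops_color` from the diego-app README, which suggests the diego-app copy is no longer rendered by anything. If that is the case, delete it here rather than editing `minReplicas`, so the two copies cannot drift apart.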
@@ -0,0 +1,61 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azuread" { + version = "2.21.0" + constraints = "2.21.0" + hashes = [ + "h1:qHYbB6LJsYPVUcd7QkZ5tU+IX+10VcUG4NzsmIuWdlE=", + ] +} + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.45.0" + constraints = ">= 3.30.0, 3.45.0, <= 3.45.0" + hashes = [ + "h1:gQLNY1I5e9kcle1p/VYEWb0eteQ/t5kUfnqVu2/GBNY=", + "zh:04c5dbb8845366ce5eb0dc2d55e151270cc2c0ace20993867fdae9af43b953ad", + "zh:2589585da615ccae341400d45d672ee3fae413fdd88449b5befeff12a85a44b2", + "zh:603869ed98fff5d9bf841a51afd9e06b628533c59356c8433aef4b15df63f5f7", + "zh:853fecab9c987b6772c8d9aa10362675f6c626b60ebc7118aa33ce91366fcc38", + "zh:979848c45e8e058862c36ba3a661457f7c81ef26ebb6634f479600de9c203d65", + "zh:9b512c8588ecc9c1b803b746a3a8517422561a918f0dfb0faaa707ed53ef1760", + "zh:a9601ffb58043426bcff1220662d6d137f0b2857a24f2dcf180aeac2c9cea688", + "zh:d52d2652328f0ed3ba202561d88cb9f43c174edbfaab1abf69f772125dbfe15e", + "zh:d92d91ca597c47f575bf3ae129f4b723be9b7dcb71b906ec6ec740fac29b1aaa", + "zh:ded73b730e4197b70fda9e83447c119f92f75dc37be3ff2ed45730c8f0348c28", + "zh:ec37ac332d50f8ca5827f97198346b0f8ecbf470e2e3ba1e027bb389d826b902", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + constraints = "2.5.1" + hashes = [ + "h1:a9KwjqINdNy6IsEbkHUB1vwvYfy5OJ2VxFL9/NDFLoY=", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + constraints = "2.11.0" + hashes = [ + "h1:T65SZhN/tQgsAsHe/G5PCgpjofi+aTKPZ+nZg6WOJpc=", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.3.0" + hashes = [ + "h1:7y8CXQKtfyvrMCSWgCkCclNN9L161u6jO1dEGVaB5RQ=", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.1.1" + constraints = "3.1.1" + hashes = [ + 
"h1:Pctug/s/2Hg5FJqjYcTM0kPyx3AoYK1MpRWO0T9V2ns=", + ] +} diff --git a/src/domains/diego-container-apps/00_azuread.tf b/src/domains/diego-container-apps/00_azuread.tf new file mode 100644 index 00000000..b7f42c3c --- /dev/null +++ b/src/domains/diego-container-apps/00_azuread.tf @@ -0,0 +1,16 @@ +# Azure AD +data "azuread_group" "adgroup_admin" { + display_name = "${local.product}-adgroup-admin" +} + +data "azuread_group" "adgroup_developers" { + display_name = "${local.product}-adgroup-developers" +} + +data "azuread_group" "adgroup_externals" { + display_name = "${local.product}-adgroup-externals" +} + +data "azuread_group" "adgroup_security" { + display_name = "${local.product}-adgroup-security" +} diff --git a/src/domains/diego-container-apps/00_key_vault.tf b/src/domains/diego-container-apps/00_key_vault.tf new file mode 100644 index 00000000..2266e268 --- /dev/null +++ b/src/domains/diego-container-apps/00_key_vault.tf @@ -0,0 +1,15 @@ +# data "azurerm_key_vault" "kv_domain" { +# name = "${local.product}-${var.domain}-kv" +# resource_group_name = "${local.product}-${var.domain}-sec-rg" +# } + +# module "domain_key_vault_secrets_query" { +# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query?ref=v5.3.0" + +# key_vault_name = local.key_vault_domain_name +# resource_group = local.key_vault_domain_resource_group + +# secrets = [ +# "dvopla-d-appinsights-connection-string" +# ] +# } diff --git a/src/domains/diego-container-apps/00_monitor.tf b/src/domains/diego-container-apps/00_monitor.tf new file mode 100644 index 00000000..e766671c --- /dev/null +++ b/src/domains/diego-container-apps/00_monitor.tf 
@@ -0,0 +1,23 @@ +data "azurerm_resource_group" "monitor_rg" { + name = var.monitor_resource_group_name +} + +data "azurerm_log_analytics_workspace" "log_analytics" { + name = var.log_analytics_workspace_name + resource_group_name = var.log_analytics_workspace_resource_group_name +} + +data "azurerm_application_insights" "application_insights" { + name = local.monitor_appinsights_name + resource_group_name = data.azurerm_resource_group.monitor_rg.name +} + +data "azurerm_monitor_action_group" "slack" { + resource_group_name = var.monitor_resource_group_name + name = local.monitor_action_group_slack_name +} + +data "azurerm_monitor_action_group" "email" { + resource_group_name = var.monitor_resource_group_name + name = local.monitor_action_group_email_name +} diff --git a/src/domains/diego-container-apps/00_network.tf b/src/domains/diego-container-apps/00_network.tf new file mode 100644 index 00000000..9af86d31 --- /dev/null +++ b/src/domains/diego-container-apps/00_network.tf @@ -0,0 +1,8 @@ +data "azurerm_virtual_network" "vnet_core" { + name = local.vnet_core_name + resource_group_name = local.vnet_core_resource_group_name +} + +data "azurerm_resource_group" "rg_vnet_core" { + name = local.vnet_core_resource_group_name +} diff --git a/src/domains/diego-container-apps/01_container_app_0.tf b/src/domains/diego-container-apps/01_container_app_0.tf new file mode 100644 index 00000000..e9036efa --- /dev/null +++ b/src/domains/diego-container-apps/01_container_app_0.tf 
@@ -0,0 +1,28 @@ +resource "azurerm_resource_group" "container_app_diego" { + name = local.container_app_diego_environment_resource_group + location = var.location + tags = var.tags +} + +resource "null_resource" "update_az_cli" { + triggers = { + env_name = local.container_app_diego_environment_name + rg = azurerm_resource_group.container_app_diego.name + subnet_id = module.container_apps_snet.id + log_analytics_id = data.azurerm_log_analytics_workspace.log_analytics.workspace_id + log_analytics_workspace_primary_shared_key = data.azurerm_log_analytics_workspace.log_analytics.primary_shared_key + } + + provisioner "local-exec" { + command = < + +## Requirements + +| Name | Version | +|------|---------| +| [azuread](#requirement\_azuread) | = 2.21.0 | +| [azurerm](#requirement\_azurerm) | = 3.45.0 | +| [helm](#requirement\_helm) | = 2.5.1 | +| [kubernetes](#requirement\_kubernetes) | = 2.11.0 | +| [null](#requirement\_null) | = 3.1.1 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [container\_apps\_dapr\_snet](#module\_container\_apps\_dapr\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v5.3.0 | +| [container\_apps\_snet](#module\_container\_apps\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v5.3.0 | + +## Resources + +| Name | Type | +|------|------| +| [azurerm_container_app.backend](https://registry.terraform.io/providers/hashicorp/azurerm/3.45.0/docs/resources/container_app) | resource | +| [azurerm_container_app.frontend](https://registry.terraform.io/providers/hashicorp/azurerm/3.45.0/docs/resources/container_app) | resource | +| [azurerm_container_app_environment.diego_env](https://registry.terraform.io/providers/hashicorp/azurerm/3.45.0/docs/resources/container_app_environment) | resource | +| [azurerm_resource_group.container_app_diego](https://registry.terraform.io/providers/hashicorp/azurerm/3.45.0/docs/resources/resource_group) | resource | +| 
[null_resource.container_app_dapr_create_env](https://registry.terraform.io/providers/hashicorp/null/3.1.1/docs/resources/resource) | resource | +| [null_resource.update_az_cli](https://registry.terraform.io/providers/hashicorp/null/3.1.1/docs/resources/resource) | resource | +| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | +| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | +| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | +| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | +| [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/3.45.0/docs/data-sources/application_insights) | data source | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.45.0/docs/data-sources/client_config) | data source | +| [azurerm_container_app_environment.dapr_env](https://registry.terraform.io/providers/hashicorp/azurerm/3.45.0/docs/data-sources/container_app_environment) | data source | +| [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/3.45.0/docs/data-sources/log_analytics_workspace) | data source | +| [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/3.45.0/docs/data-sources/monitor_action_group) | data source | +| [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/3.45.0/docs/data-sources/monitor_action_group) | data source | +| [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/3.45.0/docs/data-sources/resource_group) | data source | +| 
[azurerm_resource_group.rg_vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/3.45.0/docs/data-sources/resource_group) | data source | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.45.0/docs/data-sources/subscription) | data source | +| [azurerm_virtual_network.vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/3.45.0/docs/data-sources/virtual_network) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cidr\_subnet\_container\_apps](#input\_cidr\_subnet\_container\_apps) | Subnet for container apps in diego domain | `list(string)` | n/a | yes | +| [cidr\_subnet\_container\_apps\_dapr](#input\_cidr\_subnet\_container\_apps\_dapr) | Subnet for container apps dapr in diego domain | `list(string)` | n/a | yes | +| [dns\_zone\_internal\_prefix](#input\_dns\_zone\_internal\_prefix) | The dns subdomain. | `string` | `null` | no | +| [dns\_zone\_prefix](#input\_dns\_zone\_prefix) | The dns subdomain. | `string` | n/a | yes | +| [domain](#input\_domain) | n/a | `string` | n/a | yes | +| [env](#input\_env) | n/a | `string` | n/a | yes | +| [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes | +| [external\_domain](#input\_external\_domain) | Domain for delegation | `string` | `"pagopa.it"` | no | +| [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes | +| [k8s\_kube\_config\_path\_prefix](#input\_k8s\_kube\_config\_path\_prefix) | n/a | `string` | `"~/.kube"` | no | +| [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes | +| [location\_short](#input\_location\_short) | One of wue, neu | `string` | n/a | yes | +| [lock\_enable](#input\_lock\_enable) | Apply locks to block accedentaly deletions. 
| `bool` | `false` | no | +| [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | Specifies the name of the Log Analytics Workspace. | `string` | n/a | yes | +| [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes | +| [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes | +| [prefix](#input\_prefix) | n/a | `string` | n/a | yes | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | +| [terraform\_remote\_state\_core](#input\_terraform\_remote\_state\_core) | n/a |
object({
resource_group_name = string,
storage_account_name = string,
container_name = string,
key = string
})
| n/a | yes | + +## Outputs + +No outputs. + diff --git a/src/domains/diego-container-apps/container-app/ambassador.yaml.tpl b/src/domains/diego-container-apps/container-app/ambassador.yaml.tpl new file mode 100644 index 00000000..17ccb15e --- /dev/null +++ b/src/domains/diego-container-apps/container-app/ambassador.yaml.tpl 
@@ -0,0 +1,79 @@ +--- +kind: containerapp +location: northeurope +name: ${CONTAINER_APP_NAME} +resourceGroup: ${CONTAINER_APP_RESOURCE_GROUP} +type: Microsoft.App/containerApps +tags: + tagname: value +properties: + managedEnvironmentId: /subscriptions/ac17914c-79bf-48fa-831e-1359ef74c1d5/resourceGroups/${CONTAINER_APP_RESOURCE_GROUP}/providers/Microsoft.App/managedEnvironments/${CONTAINER_APP_ENVIRONMENT_NAME} + configuration: + activeRevisionsMode: Single #Setting to single automatically deactivates old revisions, and only keeps the latest revision active. Setting to multiple allows you to maintain multiple revisions. + secrets: + - name: dvopla-d-appinsights-connection-string + value: ${DVOPLA-D-APPINSIGHTS-CONNECTION-STRING} + ingress: + external: true + allowInsecure: false + targetPort: 3000 + traffic: + - latestRevision: true + weight: 100 + transport: Auto + # registries: + # - passwordSecretRef: myregistrypassword + # server: myregistry.azurecr.io + # username: myregistrye + # dapr: + # appId: mycontainerapp + # appPort: 80 + # appProtocol: http + # enabled: true + template: + revisionSuffix: rev-${REVISION_ID} + containers: + - image: ghcr.io/pagopa/devops-app-insights-ambassador:main + name: ambassador-app + env: + - name: APPLICATIONINSIGHTS_CONNECTION_STRING + secretRef: dvopla-d-appinsights-connection-string + resources: + cpu: 0.5 + memory: 1Gi + probes: + - type: liveness + httpGet: + path: "/status" + port: 3000 + # httpHeaders: + # - name: "Custom-Header" + # value: "liveness probe" + initialDelaySeconds: 60 + periodSeconds: 10 + failureThreshold: 6 + timeoutSeconds: 10 + - type: readiness + httpGet: + path: "/status" + port: 3000 + # tcpSocket: + # port: 3000 + initialDelaySeconds: 60 + periodSeconds: 10 + failureThreshold: 6 + timeoutSeconds: 10 + - type: startup + httpGet: + path: "/status" + port: 3000 + # httpHeaders: + # - name: "Custom-Header" + # value: "startup probe" + initialDelaySeconds: 60 + periodSeconds: 10 + failureThreshold: 6 + 
timeoutSeconds: 10 + scale: + minReplicas: 1 + maxReplicas: 3 diff --git a/src/domains/diego-container-apps/container-app/devops-java-springboot-color.yaml.tpl b/src/domains/diego-container-apps/container-app/devops-java-springboot-color.yaml.tpl new file mode 100644 index 00000000..f1f6c0c0 --- /dev/null +++ b/src/domains/diego-container-apps/container-app/devops-java-springboot-color.yaml.tpl 
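Review bot: The container image is referenced by a branch tag, `ghcr.io/pagopa/devops-app-insights-ambassador:main`, so every new revision can pull different content while `external: true` and `latestRevision: true` route all public traffic to it. Pin a release tag or a digest, e.g. `image: ghcr.io/pagopa/devops-app-insights-ambassador@sha256:<DIGEST_PLACEHOLDER>`, as the devops-java-springboot-color template does with `0.8.1`. `managedEnvironmentId` also hard-codes the subscription GUID, here and in `devops-java-springboot-color.yaml.tpl`; passing it in like the other template variables, `/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${CONTAINER_APP_RESOURCE_GROUP}/...` (variable name is a suggestion), keeps the template usable outside this one subscription.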
@@ -0,0 +1,79 @@ +--- +kind: containerapp +location: northeurope +name: ${CONTAINER_APP_NAME} +resourceGroup: ${CONTAINER_APP_RESOURCE_GROUP} +type: Microsoft.App/containerApps +tags: + tagname: value +properties: + managedEnvironmentId: /subscriptions/ac17914c-79bf-48fa-831e-1359ef74c1d5/resourceGroups/${CONTAINER_APP_RESOURCE_GROUP}/providers/Microsoft.App/managedEnvironments/${CONTAINER_APP_ENVIRONMENT_NAME} + configuration: + activeRevisionsMode: Single #Setting to single automatically deactivates old revisions, and only keeps the latest revision active. Setting to multiple allows you to maintain multiple revisions. + secrets: + - name: dvopla-d-appinsights-connection-string + value: ${DVOPLA-D-APPINSIGHTS-CONNECTION-STRING} + ingress: + external: true + allowInsecure: false + targetPort: 8080 + traffic: + - latestRevision: true + weight: 100 + transport: Auto + # registries: + # - passwordSecretRef: myregistrypassword + # server: myregistry.azurecr.io + # username: myregistrye + # dapr: + # appId: mycontainerapp + # appPort: 80 + # appProtocol: http + # enabled: true + template: + revisionSuffix: rev-${REVISION_ID} + containers: + - image: ghcr.io/pagopa/devops-java-springboot-color:0.8.1 + name: devops-java-springboot-color + env: + - name: APPLICATIONINSIGHTS_CONNECTION_STRING + secretRef: dvopla-d-appinsights-connection-string + resources: + cpu: 0.5 + memory: 1Gi + probes: + - type: liveness + httpGet: + path: "/status" + port: 8080 + # httpHeaders: + # - name: "Custom-Header" + # value: "liveness probe" + initialDelaySeconds: 60 + periodSeconds: 10 + failureThreshold: 6 + timeoutSeconds: 10 + - type: readiness + httpGet: + path: "/status" + port: 8080 + # tcpSocket: + # port: 8080 + initialDelaySeconds: 60 + periodSeconds: 10 + failureThreshold: 6 + timeoutSeconds: 10 + - type: startup + httpGet: + path: "/status" + port: 8080 + # httpHeaders: + # - name: "Custom-Header" + # value: "startup probe" + initialDelaySeconds: 60 + periodSeconds: 10 + 
failureThreshold: 6 + timeoutSeconds: 10 + scale: + minReplicas: 0 + maxReplicas: 3 diff --git a/src/domains/diego-container-apps/env/dev/backend.ini b/src/domains/diego-container-apps/env/dev/backend.ini new file mode 100644 index 00000000..a7cc599b --- /dev/null +++ b/src/domains/diego-container-apps/env/dev/backend.ini @@ -0,0 +1 @@ +subscription=DevOpsLab diff --git a/src/domains/diego-container-apps/env/dev/backend.tfvars b/src/domains/diego-container-apps/env/dev/backend.tfvars new file mode 100644 index 00000000..b7812775 --- /dev/null +++ b/src/domains/diego-container-apps/env/dev/backend.tfvars @@ -0,0 +1,4 @@ +resource_group_name = "io-infra-rg" +storage_account_name = "dvopladstinfraterraform" +container_name = "corestate" +key = "diego-container-app-domain-terraform.tfstate" diff --git a/src/domains/diego-container-apps/env/dev/terraform.tfvars b/src/domains/diego-container-apps/env/dev/terraform.tfvars new file mode 100644 index 00000000..a154cb2b --- /dev/null +++ b/src/domains/diego-container-apps/env/dev/terraform.tfvars 
@@ -0,0 +1,45 @@
+# general
+prefix = "dvopla"
+env_short = "d"
+env = "dev"
+location = "northeurope"
+location_short = "neu"
+domain = "diego"
+instance = "dev"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Dev"
+ Owner = "devops"
+ Source = "https://github.com/pagopa/dvopla-infrastructure"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+ Application = "diego.app"
+}
+
+lock_enable = true
+
+terraform_remote_state_core = {
+ resource_group_name = "io-infra-rg"
+ storage_account_name = "dvopladstinfraterraform"
+ container_name = "corestate"
+ key = "terraform.tfstate"
+}
+
+### External resources
+
+monitor_resource_group_name = "dvopla-d-monitor-rg"
+log_analytics_workspace_name = "dvopla-d-law"
+log_analytics_workspace_resource_group_name = "dvopla-d-monitor-rg"
+
+#
+# Dns
+#
+external_domain = "pagopa.it"
+dns_zone_prefix = "devopslab"
+dns_zone_internal_prefix = "internal.devopslab"
+
+#
+# VNET
+#
+cidr_subnet_container_apps = ["10.1.146.0/23"]
+cidr_subnet_container_apps_dapr = ["10.1.150.0/23"]
diff --git a/src/domains/diego-container-apps/terraform.sh b/src/domains/diego-container-apps/terraform.sh
new file mode 100755
index 00000000..974249bb
--- /dev/null
+++ b/src/domains/diego-container-apps/terraform.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -e
+
+action=$1
+env=$2
+shift 2
+other=$@
+
+subscription="MOCK_VALUE"
+
+if [ -z "$action" ]; then
+ echo "Missed action: init, apply, plan"
+ exit 0
+fi
+
+if [ -z "$env" ]; then
+ echo "env should be: dev, uat or prod."
+ exit 0
+fi
+
+# shellcheck source=/dev/null
+source "./env/$env/backend.ini"
+
+az account set -s "${subscription}"
+
+if echo "init plan apply refresh import output state taint destroy" | grep -w "$action" > /dev/null; then
+ if [ "$action" = "init" ]; then
+ echo "🧭 terraform INIT in env: ${env}"
+ terraform "$action" -reconfigure -backend-config="./env/$env/backend.tfvars" $other
+ elif [ "$action" = "output" ] || [ "$action" = "state" ] || [ "$action" = "taint" ]; then
+ # init terraform backend
+ echo "🧭 terraform (output|state|taint) launched with action: ${action} in env: ${env}"
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ terraform "$action" $other
+ else
+ # init terraform backend
+ echo "🧭 terraform launched with action: ${action} in env: ${env}"
+
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ terraform "$action" -var-file="./env/$env/terraform.tfvars" $other
+ fi
+else
+ echo "Action not allowed."
+ exit 1
+fi
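Review bot: `env` is taken from `$2` and goes unchecked into `source "./env/$env/backend.ini"`, so whatever path the caller supplies is executed as shell code; the script should accept only `dev`, `uat` or `prod` before sourcing anything. Because `shift 2` runs under `set -e` ahead of the emptiness checks, a call with fewer than two arguments exits on the shift and never prints the usage hints, and those hints end with `exit 0`, which a pipeline reads as success. `other=$@` followed by unquoted `$other` re-splits arguments that contain spaces; an array keeps them intact. The fence shows the argument handling rewritten, and the other `terraform` calls would take `"${other[@]}"` in the same way.

```shell
action=${1:-}
env=${2:-}
if [ -z "$action" ] || [ -z "$env" ]; then
  echo "usage: $0 <action> <dev|uat|prod> [terraform args...]" >&2
  exit 1
fi
shift 2
other=("$@")

# Only known environments may select the file that gets sourced below.
case "$env" in
  dev | uat | prod) ;;
  *)
    echo "env should be: dev, uat or prod." >&2
    exit 1
    ;;
esac

# … unchanged: source backend.ini, az account set, action allow-list and init branches …
    terraform "$action" -var-file="./env/$env/terraform.tfvars" "${other[@]}"
```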