diff --git a/src/domains/blueprint-app/env/dev/terraform.tfvars b/src/domains/blueprint-app/env/dev/terraform.tfvars
index 0ccbec08..b1ba447b 100644
--- a/src/domains/blueprint-app/env/dev/terraform.tfvars
+++ b/src/domains/blueprint-app/env/dev/terraform.tfvars
@@ -29,7 +29,7 @@ log_analytics_workspace_resource_group_name = "dvopla-d-monitor-rg"
 aks_name = "dvopla-d-neu-dev01-aks"
 aks_resource_group_name = "dvopla-d-neu-dev01-aks-rg"
-ingress_load_balancer_ip = "10.11.100.250"
+ingress_load_balancer_ip = "10.3.1.250"
 ingress_load_balancer_hostname = "dev01.blueprint.internal.devopslab.pagopa.it"
 #
diff --git a/src/domains/diego-app/.terraform.lock.hcl b/src/domains/diego-app/.terraform.lock.hcl
index ac16e0e5..e0cf9bed 100644
--- a/src/domains/diego-app/.terraform.lock.hcl
+++ b/src/domains/diego-app/.terraform.lock.hcl
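Review bot: ingress_load_balancer_ip moves to 10.3.1.250 while the context lines just above still bind this environment to `aks_name = "dvopla-d-neu-dev01-aks"`; the same 10.3.1.250 address is assigned in diego-app's env/dev/terraform.tfvars, where the cluster is at the same time switched to the itn one. If the address belongs to the italynorth cluster's ingress range (not verifiable from this diff), the blueprint-app ingress load balancer would be asked for an IP the neu cluster cannot serve and the private DNS record would point nowhere. Either the aks_name/aks_resource_group_name lines should move with the IP, or a comment should record why blueprint-app keeps the neu cluster with this address, e.g. `# 10.3.1.250 is reserved in the neu ingress range as well - see network tfvars`.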
@@ -2,127 +2,109 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azuread" { - version = "2.21.0" - constraints = "2.21.0" + version = "2.47.0" + constraints = "<= 2.47.0" hashes = [ - "h1:9gG6SWoUZZmmXbYBv6ra2RF5NYpamB9tGjsuBxrasFQ=", - "h1:KbY8dRdbfTwTzEBcdOFdD50JX8CUG5Mni25D2+k1rGc=", - "h1:akcofWscEl0ecIbf7lyEqRvPfOdA5q75EZvK8uSum1c=", - "h1:qHYbB6LJsYPVUcd7QkZ5tU+IX+10VcUG4NzsmIuWdlE=", - "zh:18c56e0478e8b3849f6d52f7e0ee495538e7fce66f22fc84a79599615e50ad1c", - "zh:1b95ba8dddc46c744b2d2be7da6fafaa8ebd8368d46ff77416a95cb7d622251e", + "h1:iRwDQBdXBpVBoYwM9au2RG01RQuJSm3TGQ2kioFVAas=", + "zh:1372d81eb24ef3b4b00ea350fe87219f22da51691b8e42ce91d662f6c2a8af5e", "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:2b7559f9febd770b38deb2d7aee61cea03d9f7a39673e1c72252530825523206", - "zh:466f1099109fd0283d0a4ae6716d831b09d66218ad8abacf8787e9c634ce7a6f", - "zh:7d56b3c034496c62d0993e51339f876732bb5050f8bb0739cef952f7e881e79f", - "zh:7d600af10920dd9b2349cf745b112e07eb24e2ae25006e32db0a39e8c863b11d", - "zh:81eaaa3944a874b0ade6c23785d736e217554dc74b6a7c06cc8750de97ecca04", - "zh:9a4563c1dceb85f3f58787803af1d5b0baf26d802588d263d05cbd8a4f510e76", - "zh:cb885a238449548d392f7e3f00b1a3aebd41bbeefab23c40b180a058e8565638", - "zh:cd34877f0aa3120cd0b51dadde38c471ae35ea2a8a64604bba578901298c7c77", - "zh:da62d6cb7331e5893ac58942b12cbef5c0727390044ec1f25f5778010fb9e5d4", + "zh:1e654a74d171d6ff8f9f6f67e3ff1421d4c5e56a18607703626bf12cd23ba001", + "zh:35227fad617a0509c64ab5759a8b703b10d244877f1aa5416bfbcc100c96996f", + "zh:357f553f0d78d46a96c7b2ed06d25ee0fc60fc5be19812ccb5d969fa47d62e17", + "zh:58faa2940065137e3e87d02eba59ab5cd7137d7a18caf225e660d1788f274569", + "zh:7308eda0339620fa24f47cedd22221fc2c02cab9d5be1710c09a783aea84eb3a", + "zh:863eabf7f908a8263e28d8aa2ad1381affd6bb5c67755216781f674ef214100e", + "zh:8b95b595a7c14ed7b56194d03cdec253527e7a146c1c58961be09e6b5c50baee", + 
"zh:afbca6b4fac9a0a488bc22ff9e51a8f14e986137d25275068fd932f379a51d57", + "zh:c6aadec4c81a44c3ffc22c2d90ffc6706bf5a9a903a395d896477516f4be6cbb", + "zh:e54a59de7d4ef0f3a18f91fed0b54a2bce18257ae2ee1df8a88226e1023c5811", ] } provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.45.0" - constraints = ">= 3.30.0, <= 3.45.0, <= 3.64.0" + version = "3.96.0" + constraints = ">= 3.30.0, <= 3.96.0, <= 3.97.1" hashes = [ - "h1:4BOYXFMiLk4ozEZHUhquRnE5urebcWvaCUV3uys646o=", - "h1:V3CLlXij3vZzxw51hvCBnqriy73llPG21NjO+7sLr+U=", - "h1:VQWxV5+qelZeUCjpdLvZ7iAom4RvG+fVVgK6ELvw/cs=", - "h1:gQLNY1I5e9kcle1p/VYEWb0eteQ/t5kUfnqVu2/GBNY=", - "zh:04c5dbb8845366ce5eb0dc2d55e151270cc2c0ace20993867fdae9af43b953ad", - "zh:2589585da615ccae341400d45d672ee3fae413fdd88449b5befeff12a85a44b2", - "zh:603869ed98fff5d9bf841a51afd9e06b628533c59356c8433aef4b15df63f5f7", - "zh:853fecab9c987b6772c8d9aa10362675f6c626b60ebc7118aa33ce91366fcc38", - "zh:979848c45e8e058862c36ba3a661457f7c81ef26ebb6634f479600de9c203d65", - "zh:9b512c8588ecc9c1b803b746a3a8517422561a918f0dfb0faaa707ed53ef1760", - "zh:a9601ffb58043426bcff1220662d6d137f0b2857a24f2dcf180aeac2c9cea688", - "zh:d52d2652328f0ed3ba202561d88cb9f43c174edbfaab1abf69f772125dbfe15e", - "zh:d92d91ca597c47f575bf3ae129f4b723be9b7dcb71b906ec6ec740fac29b1aaa", - "zh:ded73b730e4197b70fda9e83447c119f92f75dc37be3ff2ed45730c8f0348c28", - "zh:ec37ac332d50f8ca5827f97198346b0f8ecbf470e2e3ba1e027bb389d826b902", + "h1:p81ospFjXO6UGMCct9mDXgjMNqtc9YKeRE2hXjefhUM=", + "zh:2fb3f3c309bc8b040cd63f3a5711d4a6fc107e653a760063ec3ee6417912d14d", + "zh:45b83f492bd371c837df6d68e96ee3ab89faa00f740bca915187b344fd795ae3", + "zh:4a8b9f31da14ae824b2358fe772bb03ee79283d3294985f2acb48a0d4cd950bb", + "zh:4ab3c38b6141a0bd52d9216383d256771c0bfdc1869dccf52f414ed04290ed35", + "zh:6772d182dde23ff3fe10497f104a866cfc1cb848988f830100247363f9dd9ef7", + "zh:85875de128bc2d119c63f16116773594345ad5d0e8a3b464f7612479900df640", + 
"zh:9cd696005f4cfab4662d7db81039a64fc4c66d6eeedddf0808f2e97bc8af25f4", + "zh:bdc8921161253d3bff8f951cbf63f73f856bbda0ee2e9f51af60d74464059d21", + "zh:d7320767f7cde3796906f453a99ba80284fe8479ce127a4703ecf45dd9ef1321", + "zh:e0c28b79c0bf5004a9d094a68ec0c887c7df307f2cedeed2cbbef567c61443c6", + "zh:f069aa8e951508ea812cb8fef73f79594212864014eb85db39cdea2c648f69ee", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } provider "registry.terraform.io/hashicorp/helm" { - version = "2.7.1" - constraints = ">= 2.5.1, 2.7.1, <= 2.7.1" + version = "2.12.1" + constraints = "<= 2.12.1" hashes = [ - "h1:11oWNeohjD8Fy9S7WQSKY3GmDZi7gVdMRp8/Wqxn410=", - "h1:L5qLTfZH7PnZt9+YnS7iYmPBEDQOpEjZiF0v50BRNi8=", - "h1:OGZRkgiLBWmoA8/a9xZnEs5gsC5JhW+75++MkCPQbqw=", - "h1:jIiXxDpkVLVRTuY1w6GwhWvPWbvbn4vdIkPx87rcW4U=", - "zh:13e2467092deeff01c4cfa2b54ba4510aa7a9b06c58f22c4215b0f4333858364", - "zh:4549843db4fdf5d8150e8c0734e67b54b5c3bcfc914e3221e6952f428fb984d2", - "zh:55b5f83ed52f93dd00a73c33c948326052efd700350c19e63bb1679b12bfcda6", - "zh:749397e41393289eb0ef6efd0a75911d29b8aa7f48e5d6813b4b350dad91acbd", - "zh:7a4a2c95b055f6c8e70d1fc7a4cc4fd6e4f04845be36e40d42d31dfc13db37b8", - "zh:8143e5b8218857052505c805b570889b862c618ce6cbfbddb98938ff7a5901d3", - "zh:856d94b3b34d6204d66c6de4feab4737c74dba037ad64e4c613e8eec61d17f1a", - "zh:b9b037f1edda209022df1c7fc906786970524873e27b061f3355cb9bbed2cf08", - "zh:c433b27f52a0600490af07f8b217ab0b1048ba347d68e6fe478aba18634e78d9", - "zh:da133748368c6e27b433cd7faeb7b800536c8651e7af0415452901dfc7577dbf", - "zh:eecc63c2dec8aafa2ffd7426800c3e1a5e31e848be01ea9511ad0184dce15945", + "h1:7wfYOAeSEchHB8idNl+2jf+OkFi9zFSOLWkEZFuTCik=", + "zh:1d623fb1662703f2feb7860e3c795d849c77640eecbc5a776784d08807b15004", + "zh:253a5bc62ba2c4314875139e3fbd2feaad5ef6b0fb420302a474ab49e8e51a38", + "zh:282358f4ad4f20d0ccaab670b8645228bfad1c03ac0d0df5889f0aea8aeac01a", + "zh:4fd06af3091a382b3f0d8f0a60880f59640d2b6d9d6a31f9a873c6f1bde1ec50", + 
"zh:6816976b1830f5629ae279569175e88b497abbbac30ee809948a1f923c67a80d", + "zh:7d82c4150cdbf48cfeec867be94c7b9bd7682474d4df0ebb7e24e148f964844f", + "zh:83f062049eea2513118a4c6054fb06c8600bac96196f25aed2cc21898ec86e93", + "zh:a79eec0cf4c08fca79e44033ec6e470f25ff23c3e2c7f9bc707ed7771c1072c0", + "zh:b2b2d904b2821a6e579910320605bc478bbef063579a23fbfdd6fcb5871b81f8", + "zh:e91177ca06a15487fc570cb81ecef6359aa399459ea2aa7c4f7367ba86f6fcad", + "zh:e976bcb82996fc4968f8382bbcb6673efb1f586bf92074058a232028d97825b1", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.23.0" - constraints = "2.23.0" + version = "2.26.0" + constraints = "<= 2.26.0" hashes = [ - "h1:arTzD0XG/DswGCAx9JEttkSKe9RyyFW9W7UWcXF13dU=", - "h1:cMs2scNCSgQhGamomGT5Ag4i8ms/mql1AR7NJc2hmbA=", - "h1:sNA/0F6F3RW/Ew54jZatGlE6v2BvSKUEV7MQ6WPJECU=", - "h1:xyFc77aYkPoU4Xt1i5t0B1IaS8TbTtp9aCSuQKDayII=", - "zh:10488a12525ed674359585f83e3ee5e74818b5c98e033798351678b21b2f7d89", - "zh:1102ba5ca1a595f880e67102bbf999cc8b60203272a078a5b1e896d173f3f34b", - "zh:1347cf958ed3f3f80b3c7b3e23ddda3d6c6573a81847a8ee92b7df231c238bf6", - "zh:2cb18e9f5156bc1b1ee6bc580a709f7c2737d142722948f4a6c3c8efe757fa8d", - "zh:5506aa6f28dcca2a265ccf8e34478b5ec2cb43b867fe6d93b0158f01590fdadd", - "zh:6217a20686b631b1dcb448ee4bc795747ebc61b56fbe97a1ad51f375ebb0d996", - "zh:8accf916c00579c22806cb771e8909b349ffb7eb29d9c5468d0a3f3166c7a84a", - "zh:9379b0b54a0fa030b19c7b9356708ec8489e194c3b5e978df2d31368563308e5", - "zh:aa99c580890691036c2931841e88e7ee80d59ae52289c8c2c28ea0ac23e31520", - "zh:c57376d169875990ac68664d227fb69cd0037b92d0eba6921d757c3fd1879080", - "zh:e6068e3f94f6943b5586557b73f109debe19d1a75ca9273a681d22d1ce066579", + "h1:vTbi/tiJQS8Wto3LLxZ/WWPcptqaMpQlT33s61WTV9Q=", + "zh:3f8ee1bffab1ba4f6ae549daae1648974214880d3606b6821cb0aceb365284a4", + "zh:5596b1248231cc3b8f6a98f5b78df7120cd3153fd2b34b369dc20356a75bf35b", + 
"zh:64420c9e4aa49c5e443afcd60f3e8d293ea6bd78797d402e21e23605f7757954", + "zh:8327a488854e15f8d7eaf8272c3b9d6d1d9a6e68212a8dcb111d7b4023aac6b5", + "zh:94c1c9b65280847d28a3e90e5046650858ac0bf87feefd2349336444e21e68e8", + "zh:a3fb0b0b4bfd1844bb94011ae80111cedc188085235cf466313ca2151e75c8ca", + "zh:ab5e381928144e0c2a9d9768a48e38797642e5c5fb2184370c7c08df500e5db3", + "zh:da78995e8d6daf3acfd4c455ebbd12f6bf154cadf455f14ef35c0862e58dd2ec", + "zh:e24cdd5b90196df93215f40d821af3a7b4473c53992be4c3038940d117a50eb4", + "zh:e632efb3bce6d089b7c08507660af8b2c5e3f94c34fe401bfa228f154405e26e", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f5aea9da0eba25d35fee49db193c4b44cd3746a5578065092c62a53077e50b84", ] } provider "registry.terraform.io/hashicorp/local" { - version = "2.4.0" + version = "2.5.1" hashes = [ - "h1:7RnIbO3CFakblTJs7o0mUiY44dc9xGYsLhSNFSNS1Ds=", - "h1:Bs7LAkV/iQTLv72j+cTMrvx2U3KyXrcVHaGbdns1NcE=", - "h1:R97FTYETo88sT2VHfMgkPU3lzCsZLunPftjSI5vfKe8=", - "h1:ZUEYUmm2t4vxwzxy1BvN1wL6SDWrDxfH7pxtzX8c6d0=", - "zh:53604cd29cb92538668fe09565c739358dc53ca56f9f11312b9d7de81e48fab9", - "zh:66a46e9c508716a1c98efbf793092f03d50049fa4a83cd6b2251e9a06aca2acf", - "zh:70a6f6a852dd83768d0778ce9817d81d4b3f073fab8fa570bff92dcb0824f732", + "h1:tjcGlQAFA0kmQ4vKkIPPUC4it1UYxLbg4YvHOWRAJHA=", + "zh:0af29ce2b7b5712319bf6424cb58d13b852bf9a777011a545fac99c7fdcdf561", + "zh:126063ea0d79dad1f68fa4e4d556793c0108ce278034f101d1dbbb2463924561", + "zh:196bfb49086f22fd4db46033e01655b0e5e036a5582d250412cc690fa7995de5", + "zh:37c92ec084d059d37d6cffdb683ccf68e3a5f8d2eb69dd73c8e43ad003ef8d24", + "zh:4269f01a98513651ad66763c16b268f4c2da76cc892ccfd54b401fff6cc11667", + "zh:51904350b9c728f963eef0c28f1d43e73d010333133eb7f30999a8fb6a0cc3d8", + "zh:73a66611359b83d0c3fcba2984610273f7954002febb8a57242bbb86d967b635", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:82a803f2f484c8b766e2e9c32343e9c89b91997b9f8d2697f9f3837f62926b35", - 
"zh:9708a4e40d6cc4b8afd1352e5186e6e1502f6ae599867c120967aebe9d90ed04", - "zh:973f65ce0d67c585f4ec250c1e634c9b22d9c4288b484ee2a871d7fa1e317406", - "zh:c8fa0f98f9316e4cfef082aa9b785ba16e36ff754d6aba8b456dab9500e671c6", - "zh:cfa5342a5f5188b20db246c73ac823918c189468e1382cb3c48a9c0c08fc5bf7", - "zh:e0e2b477c7e899c63b06b38cd8684a893d834d6d0b5e9b033cedc06dd7ffe9e2", - "zh:f62d7d05ea1ee566f732505200ab38d94315a4add27947a60afa29860822d3fc", - "zh:fa7ce69dde358e172bd719014ad637634bbdabc49363104f4fca759b4b73f2ce", + "zh:7ae387993a92bcc379063229b3cce8af7eaf082dd9306598fcd42352994d2de0", + "zh:9e0f365f807b088646db6e4a8d4b188129d9ebdbcf2568c8ab33bddd1b82c867", + "zh:b5263acbd8ae51c9cbffa79743fbcadcb7908057c87eb22fd9048268056efbc4", + "zh:dfcd88ac5f13c0d04e24be00b686d069b4879cc4add1b7b1a8ae545783d97520", ] } provider "registry.terraform.io/hashicorp/null" { version = "3.2.1" - constraints = "3.2.1, <= 3.2.1" + constraints = "<= 3.2.1" hashes = [ - "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", - "h1:vUW21lLLsKlxtBf0QF7LKJreKxs0CM7YXGzqW1N/ODY=", - "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=", "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", diff --git a/src/domains/diego-app/00_acr.tf b/src/domains/diego-app/00_acr.tf deleted file mode 100644 index f157e37a..00000000 --- a/src/domains/diego-app/00_acr.tf +++ /dev/null @@ -1,4 +0,0 @@ -data "azurerm_container_registry" "acr" { - name = local.docker_registry_name - resource_group_name = local.docker_rg_name -} diff --git a/src/domains/diego-app/00_key_vault.tf b/src/domains/diego-app/00_key_vault.tf index 021395db..b3bcd57e 100644 --- a/src/domains/diego-app/00_key_vault.tf +++ b/src/domains/diego-app/00_key_vault.tf 
@@ -1,15 +1,4 @@
 data "azurerm_key_vault" "kv_domain" {
- name = "${local.product}-${var.domain}-kv"
- resource_group_name = "${local.product}-${var.domain}-sec-rg"
-}
-
-module "domain_key_vault_secrets_query" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query?ref=v6.20.1"
-
- key_vault_name = local.key_vault_domain_name
- resource_group = local.key_vault_domain_resource_group
-
- secrets = [
- "dvopla-d-appinsights-connection-string"
- ]
+ name = local.key_vault_domain_name
+ resource_group_name = local.key_vault_domain_resource_group
 }
diff --git a/src/domains/diego-app/01_network.tf b/src/domains/diego-app/01_network.tf
index 673e95e9..47830a45 100644
--- a/src/domains/diego-app/01_network.tf
+++ b/src/domains/diego-app/01_network.tf
@@ -3,7 +3,7 @@ data "azurerm_private_dns_zone" "internal" {
 resource_group_name = local.internal_dns_zone_resource_group_name
 }
-resource "azurerm_private_dns_a_record" "ingress" {
+resource "azurerm_private_dns_a_record" "itn_diego_ingress" {
 name = local.ingress_hostname_prefix
 zone_name = data.azurerm_private_dns_zone.internal.name
 resource_group_name = local.internal_dns_zone_resource_group_name
diff --git a/src/domains/diego-app/02_namespace_domain.tf b/src/domains/diego-app/02_namespace_domain.tf
index 78efc766..fc5139ae 100644
--- a/src/domains/diego-app/02_namespace_domain.tf
+++ b/src/domains/diego-app/02_namespace_domain.tf
@@ -5,7 +5,7 @@ resource "kubernetes_namespace" "domain_namespace" {
 }
 module "domain_pod_identity" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v6.20.2"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v7.76.0"
 resource_group_name = local.aks_resource_group_name
 location = var.location
diff --git a/src/domains/diego-app/03_serviceaccounts_azure_devops.tf b/src/domains/diego-app/03_serviceaccounts_azure_devops.tf
index d3769326..f9e4b24e 100644
--- a/src/domains/diego-app/03_serviceaccounts_azure_devops.tf
+++ b/src/domains/diego-app/03_serviceaccounts_azure_devops.tf
@@ -1,99 +1,99 @@
-#resource "kubernetes_namespace" "system_domain_namespace" {
-# metadata {
-# name = "${var.domain}-system"
-# }
-#}
+resource "kubernetes_namespace" "system_domain_namespace" {
+ metadata {
+ name = "${var.domain}-system"
+ }
+}
+
+resource "kubernetes_service_account" "azure_devops" {
+ metadata {
+ name = local.azure_devops_app_service_account_name
+ namespace = local.system_domain_namespace
+ }
+ automount_service_account_token = false
+}
+
+resource "kubernetes_secret_v1" "azure_devops_service_account_default_secret" {
+ metadata {
+ name = local.azure_devops_app_service_account_secret_name
+ namespace = kubernetes_namespace.system_domain_namespace.metadata[0].name
+ annotations = {
+ "kubernetes.io/service-account.name" = local.azure_devops_app_service_account_name
+ }
+ }
+
+ type = "kubernetes.io/service-account-token"
+}
+
 #
-#resource "kubernetes_service_account" "azure_devops" {
-# metadata {
-# name = local.azure_devops_app_service_account_name
-# namespace = local.system_domain_namespace
-# }
-# automount_service_account_token = false
-#}
+# Secrets service account on KV
 #
-#resource "kubernetes_secret_v1" "azure_devops_service_account_default_secret" {
-# metadata {
-# name = local.azure_devops_app_service_account_secret_name
-# namespace = kubernetes_namespace.system_domain_namespace.metadata[0].name
-# annotations = {
-# "kubernetes.io/service-account.name" = local.azure_devops_app_service_account_name
-# }
-# }
-#
-# type = "kubernetes.io/service-account-token"
-#}
-#
-##
-## Secrets service account on KV
-##
-#data "kubernetes_secret" "azure_devops_secret" {
-# metadata {
-# name = local.azure_devops_app_service_account_secret_name
-# namespace = local.system_domain_namespace
-# }
-# binary_data = {
-# "ca.crt" = ""
-# "token" = ""
-# }
-#
-# depends_on = [
-# kubernetes_secret_v1.azure_devops_service_account_default_secret
-# ]
-#}
-#
-##tfsec:ignore:AZU023
-#resource "azurerm_key_vault_secret" "azure_devops_sa_token" {
-# depends_on = [kubernetes_service_account.azure_devops]
-# name = "${var.aks_name}-azure-devops-sa-token"
-# value = data.kubernetes_secret.azure_devops_secret.binary_data["token"] # base64 value
-# content_type = "text/plain"
-#
-# key_vault_id = data.azurerm_key_vault.kv_domain.id
-#}
-#
-##tfsec:ignore:AZU023
-#resource "azurerm_key_vault_secret" "azure_devops_sa_cacrt" {
-# depends_on = [kubernetes_service_account.azure_devops]
-# name = "${var.aks_name}-azure-devops-sa-cacrt"
-# value = data.kubernetes_secret.azure_devops_secret.binary_data["ca.crt"] # base64 value
-# content_type = "text/plain"
-#
-# key_vault_id = data.azurerm_key_vault.kv_domain.id
-#}
-#
-##-------------------------------------------------------------
-#
-#resource "kubernetes_role_binding" "deployer_binding" {
-# metadata {
-# name = "deployer-binding"
-# namespace = local.domain_namespace
-# }
-# role_ref {
-# api_group = "rbac.authorization.k8s.io"
-# kind = "ClusterRole"
-# name = "cluster-deployer"
-# }
-# subject {
-# kind = "ServiceAccount"
-# name = "azure-devops"
-# namespace = local.system_domain_namespace
-# }
-#}
-#
-#resource "kubernetes_role_binding" "system_deployer_binding" {
-# metadata {
-# name = "system-deployer-binding"
-# namespace = local.system_domain_namespace
-# }
-# role_ref {
-# api_group = "rbac.authorization.k8s.io"
-# kind = "ClusterRole"
-# name = "system-cluster-deployer"
-# }
-# subject {
-# kind = "ServiceAccount"
-# name = "azure-devops"
-# namespace = local.system_domain_namespace
-# }
-#}
+data "kubernetes_secret" "azure_devops_secret" {
+ metadata {
+ name = local.azure_devops_app_service_account_secret_name
+ namespace = local.system_domain_namespace
+ }
+ binary_data = {
+ "ca.crt" = ""
+ "token" = ""
+ }
+
+ depends_on = [
+ kubernetes_secret_v1.azure_devops_service_account_default_secret
+ ]
+}
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "azure_devops_sa_token" {
+ depends_on = [kubernetes_service_account.azure_devops]
+ name = "${var.aks_name}-azure-devops-sa-token"
+ value = data.kubernetes_secret.azure_devops_secret.binary_data["token"] # base64 value
+ content_type = "text/plain"
+
+ key_vault_id = data.azurerm_key_vault.kv_domain.id
+}
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "azure_devops_sa_cacrt" {
+ depends_on = [kubernetes_service_account.azure_devops]
+ name = "${var.aks_name}-azure-devops-sa-cacrt"
+ value = data.kubernetes_secret.azure_devops_secret.binary_data["ca.crt"] # base64 value
+ content_type = "text/plain"
+
+ key_vault_id = data.azurerm_key_vault.kv_domain.id
+}
+
+#-------------------------------------------------------------
+
+resource "kubernetes_role_binding" "deployer_binding" {
+ metadata {
+ name = "deployer-binding"
+ namespace = local.domain_namespace
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "cluster-deployer"
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = "azure-devops"
+ namespace = local.system_domain_namespace
+ }
+}
+
+resource "kubernetes_role_binding" "system_deployer_binding" {
+ metadata {
+ name = "system-deployer-binding"
+ namespace = local.system_domain_namespace
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "system-cluster-deployer"
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = "azure-devops"
+ namespace = local.system_domain_namespace
+ }
+}
diff --git a/src/domains/diego-app/04_aks_aad_github.tf b/src/domains/diego-app/04_aks_aad_github.tf
index 3c991c9a..7742d359 100644
--- a/src/domains/diego-app/04_aks_aad_github.tf
+++ b/src/domains/diego-app/04_aks_aad_github.tf
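Review bot: Both kubernetes_role_binding subjects use the literal `name = "azure-devops"`, while the service account they are meant to bind is created with `name = local.azure_devops_app_service_account_name`; if that local ever differs from "azure-devops" the cluster-deployer and system-cluster-deployer ClusterRoles are granted to a subject that does not exist and the pipeline silently loses access, with no plan-time error. Referencing the resource instead, `name = kubernetes_service_account.azure_devops.metadata[0].name`, keeps the two in sync and gives Terraform the dependency edge. Separately, the token and ca.crt read through data.kubernetes_secret.azure_devops_secret come from a `kubernetes.io/service-account-token` secret, i.e. a token with no expiry, and they end up both in the two Key Vault secrets and, unencrypted, in this root module's Terraform state, so the state backend switched to in env/dev/backend.tfvars needs access restricted as tightly as the Key Vault itself. The two `#tfsec:ignore:AZU023` markers should carry the reason no expiration_date is set and how the token is rotated, e.g. `#tfsec:ignore:AZU023 long-lived SA token; rotate by tainting kubernetes_secret_v1.azure_devops_service_account_default_secret`.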
@@ -1,70 +1,70 @@ -# -# CI -# +# # +# # CI +# # -data "azuread_service_principal" "github_runner_ci" { - display_name = "github-pagopa-devopslab-infra-dev-ci" -} +# data "azuread_service_principal" "github_runner_ci" { +# display_name = "github-pagopa-devopslab-infra-dev-ci" +# } -resource "azurerm_key_vault_access_policy" "github_runner_ci" { - key_vault_id = data.azurerm_key_vault.kv_domain.id - tenant_id = data.azurerm_client_config.current.tenant_id - object_id = data.azuread_service_principal.github_runner_ci.object_id +# resource "azurerm_key_vault_access_policy" "github_runner_ci" { +# key_vault_id = data.azurerm_key_vault.kv_domain.id +# tenant_id = data.azurerm_client_config.current.tenant_id +# object_id = data.azuread_service_principal.github_runner_ci.object_id - secret_permissions = ["Get", "List", "Set", ] +# secret_permissions = ["Get", "List", "Set", ] - certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", ] +# certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", ] - storage_permissions = [] -} +# storage_permissions = [] +# } -resource "null_resource" "aks_with_iac_aad_plus_namespace_ci" { - triggers = { - aks_id = data.azurerm_kubernetes_cluster.aks.id - service_principal_id = data.azuread_service_principal.github_runner_ci.id - namespace = var.domain - } +# resource "null_resource" "aks_with_iac_aad_plus_namespace_ci" { +# triggers = { +# aks_id = data.azurerm_kubernetes_cluster.aks.id +# service_principal_id = data.azuread_service_principal.github_runner_ci.id +# namespace = var.domain +# } - provisioner "local-exec" { - command = < [azuread](#requirement\_azuread) | = 2.21.0 | -| [azurerm](#requirement\_azurerm) | <= 3.45.0 | +| [azuread](#requirement\_azuread) | <= 2.47.0 | +| [azurerm](#requirement\_azurerm) | <= 3.96.0 | | [helm](#requirement\_helm) | <= 2.12.1 | | [kubernetes](#requirement\_kubernetes) | <= 2.26.0 | -| [null](#requirement\_null) | = 3.2.1 | +| 
[null](#requirement\_null) | <= 3.2.1 | ## Modules | Name | Source | Version | |------|--------|---------| -| [cert\_mounter](#module\_cert\_mounter) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter | v6.20.1 | -| [domain\_key\_vault\_secrets\_query](#module\_domain\_key\_vault\_secrets\_query) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v6.20.1 | -| [domain\_pod\_identity](#module\_domain\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v6.20.2 | -| [tls\_checker](#module\_tls\_checker) | git::https://github.com/pagopa/terraform-azurerm-v3.git//tls_checker | v6.20.1 | +| [domain\_pod\_identity](#module\_domain\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v7.76.0 | ## Resources | Name | Type | |------|------| -| [azurerm_key_vault_access_policy.github_runner_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | -| [azurerm_key_vault_access_policy.github_runner_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | | [azurerm_key_vault_secret.aks_apiserver_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.app_insights_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | -| [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource | -| [azurerm_role_assignment.aks_cluster_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| 
[azurerm_key_vault_secret.azure_devops_sa_cacrt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.azure_devops_sa_token](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_private_dns_a_record.itn_diego_ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource | | [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [kubernetes_config_map.added](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | -| [kubernetes_config_map.changed](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | -| [kubernetes_config_map.replaced](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | | [kubernetes_manifest.argocd_app_status_standalone](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | | [kubernetes_manifest.argocd_apps_ok](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | | [kubernetes_manifest.argocd_broken_apps](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | | [kubernetes_manifest.argocd_project_terraform](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | | [kubernetes_namespace.domain_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | -| [null_resource.aks_with_iac_aad_plus_namespace_ci](https://registry.terraform.io/providers/hashicorp/null/3.2.1/docs/resources/resource) | resource | -| 
[azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | -| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | -| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | -| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | -| [azuread_service_principal.github_runner_cd](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/service_principal) | data source | -| [azuread_service_principal.github_runner_ci](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/service_principal) | data source | +| [kubernetes_namespace.system_domain_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_role_binding.deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | +| [kubernetes_role_binding.system_deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | +| [kubernetes_secret_v1.azure_devops_service_account_default_secret](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource | +| [kubernetes_service_account.azure_devops](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource | +| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| 
[azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | | [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source | | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | -| [azurerm_container_registry.acr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/container_registry) | data source | | [azurerm_key_vault.kv_domain](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | | [azurerm_kubernetes_cluster.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster) | data source | | [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source | @@ -58,6 +52,7 @@ | [azurerm_resource_group.rg_vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | | [azurerm_virtual_network.vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source | +| [kubernetes_secret.azure_devops_secret](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/secret) | data source | ## Inputs 
diff --git a/src/domains/diego-app/env/dev/backend.tfvars b/src/domains/diego-app/env/dev/backend.tfvars
index 94c8af3e..73f03849 100644
--- a/src/domains/diego-app/env/dev/backend.tfvars
+++ b/src/domains/diego-app/env/dev/backend.tfvars
@@ -1,4 +1,4 @@
-resource_group_name = "io-infra-rg"
-storage_account_name = "dvopladstinfraterraform"
-container_name = "corestate"
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfinfdevopslab"
+container_name = "terraform-state"
 key = "diego-app-domain-terraform.tfstate"
diff --git a/src/domains/diego-app/env/dev/terraform.tfvars b/src/domains/diego-app/env/dev/terraform.tfvars
index 62b77833..cbd74059 100644
--- a/src/domains/diego-app/env/dev/terraform.tfvars
+++ b/src/domains/diego-app/env/dev/terraform.tfvars
@@ -2,8 +2,8 @@ prefix = "dvopla"
 env_short = "d"
 env = "dev"
-location = "northeurope"
-location_short = "neu"
+location = "italynorth"
+location_short = "itn"
 domain = "diego"
 instance = "dev01"
@@ -18,13 +18,6 @@ tags = {
 lock_enable = true
-terraform_remote_state_core = {
- resource_group_name = "io-infra-rg"
- storage_account_name = "dvopladstinfraterraform"
- container_name = "corestate"
- key = "terraform.tfstate"
-}
-
 ### External resources
 monitor_resource_group_name = "dvopla-d-monitor-rg"
@@ -33,10 +26,10 @@ log_analytics_workspace_resource_group_name = "dvopla-d-monitor-rg"
 ### Aks
-aks_name = "dvopla-d-neu-dev01-aks"
-aks_resource_group_name = "dvopla-d-neu-dev01-aks-rg"
+aks_name = "dvopla-d-itn-dev-aks"
+aks_resource_group_name = "dvopla-d-itn-dev-aks-rg"
-ingress_load_balancer_ip = "10.11.100.250"
+ingress_load_balancer_ip = "10.3.1.250"
 ingress_load_balancer_hostname = "dev01.diego.internal.devopslab.pagopa.it"
 #
diff --git a/src/domains/diego-common/.terraform.lock.hcl b/src/domains/diego-common/.terraform.lock.hcl
index f401c1cd..22727e41 100644
--- a/src/domains/diego-common/.terraform.lock.hcl
+++ b/src/domains/diego-common/.terraform.lock.hcl
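Review bot: backend.tfvars repoints this root module's state at a different storage account and container (`tfinfdevopslab` / `terraform-state`) while `key` stays "diego-app-domain-terraform.tfstate"; unless the existing blob is migrated with `terraform init -migrate-state` or copied beforehand, the next apply starts from an empty state and tries to create every resource again, and the namespace, DNS record and Key Vault secrets already existing in the old location are left unmanaged. The commit message should say which of the two was done, and since the state of this module will now contain the Azure DevOps service-account token written by 03_serviceaccounts_azure_devops.tf, the new container's access policy deserves a line in the same description. In the terraform.tfvars hunks on this line, `terraform_remote_state_core` is dropped from the inputs; if the variable is still declared without a default in this module (its variables file is not in the diff), plan will fail on the missing value, so the declaration and any `data.terraform_remote_state` block that consumed it should be removed in this same change.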
@@ -27,70 +27,70 @@ provider "registry.terraform.io/chilicat/pkcs12" { } provider "registry.terraform.io/hashicorp/azuread" { - version = "2.21.0" - constraints = "2.21.0" + version = "2.47.0" + constraints = "<= 2.47.0" hashes = [ - "h1:9gG6SWoUZZmmXbYBv6ra2RF5NYpamB9tGjsuBxrasFQ=", - "h1:KbY8dRdbfTwTzEBcdOFdD50JX8CUG5Mni25D2+k1rGc=", - "h1:akcofWscEl0ecIbf7lyEqRvPfOdA5q75EZvK8uSum1c=", - "h1:qHYbB6LJsYPVUcd7QkZ5tU+IX+10VcUG4NzsmIuWdlE=", - "zh:18c56e0478e8b3849f6d52f7e0ee495538e7fce66f22fc84a79599615e50ad1c", - "zh:1b95ba8dddc46c744b2d2be7da6fafaa8ebd8368d46ff77416a95cb7d622251e", + "h1:KB9BNRNStbdsfdRmVXUwXtN77qgX5VjBy2UALcqp218=", + "h1:g8+gBFM4QVOEQFqAEs5pR6iXpbGvgPvcEi1evHwziyw=", + "h1:iRwDQBdXBpVBoYwM9au2RG01RQuJSm3TGQ2kioFVAas=", + "h1:zYMGokLn44KSWir7Nr4t8lEAPMB6JuXd2LlP2Ac2tMY=", + "zh:1372d81eb24ef3b4b00ea350fe87219f22da51691b8e42ce91d662f6c2a8af5e", "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:2b7559f9febd770b38deb2d7aee61cea03d9f7a39673e1c72252530825523206", - "zh:466f1099109fd0283d0a4ae6716d831b09d66218ad8abacf8787e9c634ce7a6f", - "zh:7d56b3c034496c62d0993e51339f876732bb5050f8bb0739cef952f7e881e79f", - "zh:7d600af10920dd9b2349cf745b112e07eb24e2ae25006e32db0a39e8c863b11d", - "zh:81eaaa3944a874b0ade6c23785d736e217554dc74b6a7c06cc8750de97ecca04", - "zh:9a4563c1dceb85f3f58787803af1d5b0baf26d802588d263d05cbd8a4f510e76", - "zh:cb885a238449548d392f7e3f00b1a3aebd41bbeefab23c40b180a058e8565638", - "zh:cd34877f0aa3120cd0b51dadde38c471ae35ea2a8a64604bba578901298c7c77", - "zh:da62d6cb7331e5893ac58942b12cbef5c0727390044ec1f25f5778010fb9e5d4", + "zh:1e654a74d171d6ff8f9f6f67e3ff1421d4c5e56a18607703626bf12cd23ba001", + "zh:35227fad617a0509c64ab5759a8b703b10d244877f1aa5416bfbcc100c96996f", + "zh:357f553f0d78d46a96c7b2ed06d25ee0fc60fc5be19812ccb5d969fa47d62e17", + "zh:58faa2940065137e3e87d02eba59ab5cd7137d7a18caf225e660d1788f274569", + "zh:7308eda0339620fa24f47cedd22221fc2c02cab9d5be1710c09a783aea84eb3a", + 
"zh:863eabf7f908a8263e28d8aa2ad1381affd6bb5c67755216781f674ef214100e", + "zh:8b95b595a7c14ed7b56194d03cdec253527e7a146c1c58961be09e6b5c50baee", + "zh:afbca6b4fac9a0a488bc22ff9e51a8f14e986137d25275068fd932f379a51d57", + "zh:c6aadec4c81a44c3ffc22c2d90ffc6706bf5a9a903a395d896477516f4be6cbb", + "zh:e54a59de7d4ef0f3a18f91fed0b54a2bce18257ae2ee1df8a88226e1023c5811", ] } provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.38.0" - constraints = ">= 3.30.0, 3.38.0, <= 3.38.0" + version = "3.94.0" + constraints = ">= 3.30.0, <= 3.96.0, <= 3.97.1" hashes = [ - "h1:Isa/rY8+4+DCatuYgmDT4TYkcp/he7RrfR6jyhrm7hQ=", - "h1:Pq4ZX7h5FM1h+NBCjReCPMy1qwaFAvJ3EY45+mObfSg=", - "h1:Wb7brdbvDPw01eMasdl8vmkPeCZLT0rbOQRAHw2N/TY=", - "h1:cRwQAznzBQsumUaPUvDHqmKLP+tM9jNL0kEngi4S3r0=", - "zh:08df48bdaf162bf3da7ac2b09147d44f94fae6f3cfd97d6cf9c45cb7c1c36a44", - "zh:220b68a3f819777872281974e6621527698575096c3a2ef78cb0aabf28665161", - "zh:25db1128a96599ffbcc7e865579bec7c009cb4e7f7731e0e30d261ab02cc38d5", - "zh:279444db11f570b837143559e5df7453bd8aeda4e22a9879a5a1a795bf6612a3", - "zh:2d506b6b865f6d5143e54e139d9a61b18bdcc8b9485d2bc7237e95a53a9c7ed9", - "zh:6ddb2cbcdf15b432508fe00ee7863f6d51a136db1746e7af03bec8ce2a09bad3", - "zh:96b664a716678923ce0f9828eaad22b5353669fa5013ea39b7b8081a77988b85", - "zh:a9ca583b219a3daba171ca11908547abb1b09453934950aacff17ae8b51d0ff0", - "zh:aa497620c82afab7819736180f0a56b76da6f3e23bd0580383fda98104b4e5c2", - "zh:ab9e9f3c35288d0bd615024f213e46d16d639c281f7d850b21971b530d08e231", - "zh:b164a0ddb30b64c35f13dad0aa9701a4e3eb24dc8165a3e794c499f1e9070b99", + "h1:Kd1Vhk4bPbiP0ZWo1pDEW1De3oNbODgh2bhX9Y6AJ6I=", + "h1:a51ZYUp5uuboql399mflWZDrErlhhYz0ujJFsc9gjhg=", + "h1:a8L0H+sq8UBeArGs/jzQYEnJ2rNmR8Um3BOGBA1m1t8=", + "h1:t3fM/PO8PLAA5mK3esAypp01V6Vh75kjPnNqxQeVrV0=", + "zh:20d102bc63096ade82f8da81c91afaffa858aa56fe9a7ad02f24f5ae5618bc53", + "zh:3ddb9d6173a4fdb9b2352a76324ee321976915544ae66cbb863c7a60f0593f05", + 
"zh:4bc6c62142f67192d2def11f4fd419c54dddd89a5448af036bfc60b15eb0509a", + "zh:4c5120c2101a51524af32c4220c5e376f97a227730dd92ec0b06ac677e4b39f2", + "zh:585fa7ab876d09899cd2d842f12bc28c34556b4d47919eceadefab6fa47f909f", + "zh:59de7ea462470dee7088fc4deeff48e1ffd286eaca1185c219be68dadde745b8", + "zh:8421a46dd3bc4bc2eb56f7eb9b91cc84a66070b72195a805862c6022adee2da0", + "zh:a2fcb5a091d5944dc50f1e51f53fa4d370810a507fbf4122920d756083d8df19", + "zh:beb6b93a2a16942625bb6ac1e52bf26878e35f5562f3173279423ca66553b6d7", + "zh:c6846892ea68f49c838d90b75793d1f3a866871dd701ccb575b1eecccd4e7051", + "zh:ddd59492b6d5ce4c83f06a5b16c520048f3e9bb898bab4f3910042f5c01ffeda", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } provider "registry.terraform.io/hashicorp/null" { - version = "3.1.1" - constraints = "3.1.1, <= 3.2.1" + version = "3.2.1" + constraints = "<= 3.2.1" hashes = [ - "h1:1J3nqAREzuaLE7x98LEELCCaMV6BRiawHSg9MmFvfQo=", - "h1:71sNUDvmiJcijsvfXpiLCz0lXIBSsEJjMxljt7hxMhw=", - "h1:Pctug/s/2Hg5FJqjYcTM0kPyx3AoYK1MpRWO0T9V2ns=", - "h1:YvH6gTaQzGdNv+SKTZujU1O0bO+Pw6vJHOPhqgN8XNs=", - "zh:063466f41f1d9fd0dd93722840c1314f046d8760b1812fa67c34de0afcba5597", - "zh:08c058e367de6debdad35fc24d97131c7cf75103baec8279aba3506a08b53faf", - "zh:73ce6dff935150d6ddc6ac4a10071e02647d10175c173cfe5dca81f3d13d8afe", + "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", + "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", + "h1:vUW21lLLsKlxtBf0QF7LKJreKxs0CM7YXGzqW1N/ODY=", + "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=", + "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", + "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", + "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", + "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:8fdd792a626413502e68c195f2097352bdc6a0df694f7df350ed784741eb587e", - 
"zh:976bbaf268cb497400fd5b3c774d218f3933271864345f18deebe4dcbfcd6afa", - "zh:b21b78ca581f98f4cdb7a366b03ae9db23a73dfa7df12c533d7c19b68e9e72e5", - "zh:b7fc0c1615dbdb1d6fd4abb9c7dc7da286631f7ca2299fb9cd4664258ccfbff4", - "zh:d1efc942b2c44345e0c29bc976594cb7278c38cfb8897b344669eafbc3cddf46", - "zh:e356c245b3cd9d4789bab010893566acace682d7db877e52d40fc4ca34a50924", - "zh:ea98802ba92fcfa8cf12cbce2e9e7ebe999afbf8ed47fa45fc847a098d89468b", - "zh:eff8872458806499889f6927b5d954560f3d74bf20b6043409edf94d26cd906f", + "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", + "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", + "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", + "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", + "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", + "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", + "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", ] } diff --git a/src/domains/diego-common/01_keyvault_0.tf b/src/domains/diego-common/01_keyvault_0.tf index c253b3eb..4c1f81af 100644 --- a/src/domains/diego-common/01_keyvault_0.tf +++ b/src/domains/diego-common/01_keyvault_0.tf @@ -1,14 +1,14 @@ resource "azurerm_resource_group" "sec_rg_domain" { - name = "${local.product}-${var.domain}-sec-rg" + name = "${local.project}-sec-rg" location = var.location tags = var.tags } module "key_vault_domain" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v4.1.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v7.76.0" - name = "${local.product}-${var.domain}-kv" + name = "${local.project}-kv" location = azurerm_resource_group.sec_rg_domain.location resource_group_name = azurerm_resource_group.sec_rg_domain.name tenant_id = data.azurerm_client_config.current.tenant_id 
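Review bot: Renaming the Key Vault from `${local.product}-${var.domain}-kv` to `${local.project}-kv` is a replacement, not an in-place rename: unless `local.project` expands to exactly the previous string, the plan destroys the vault with every secret and certificate in it and creates a new one, and with soft-delete enabled the old name stays reserved until it is purged. The same applies to the `sec_rg_domain` resource group rename. The module jump from `v4.1.0` to `v7.76.0` should also be checked against the module changelog for changed defaults (for example RBAC authorization or purge protection), because the `azurerm_key_vault_access_policy` resources kept in this file assume the access-policy model. A one-line comment above the module call saying whether `local.project` is name-compatible with the old vault would spare the next reader this analysis.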
@@ -66,41 +66,3 @@ resource "azurerm_key_vault_access_policy" "adgroup_externals_policy" {
 storage_permissions = []
 certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", "ManageContacts", ]
 }
-
-#
-# IaC
-#
-
-#pagopaspa-dvopla-platform-iac-projects-{subscription}
-data "azuread_service_principal" "platform_iac_sp" {
- display_name = "pagopaspa-devops-platform-iac-projects-${data.azurerm_subscription.current.subscription_id}"
-}
-
-resource "azurerm_key_vault_access_policy" "azdevops_platform_iac_policy" {
- key_vault_id = module.key_vault_domain.id
- tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azuread_service_principal.platform_iac_sp.object_id
-
- secret_permissions = ["Get", "List", "Set", ]
-
- certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", ]
-
- storage_permissions = []
-}
-
-#azdo-sp-plan-devopslab-
-data "azuread_service_principal" "iac_sp_plan" {
- display_name = "azdo-sp-plan-devopslab-${var.env}"
-}
-
-resource "azurerm_key_vault_access_policy" "iac_sp_plan_policy" {
- key_vault_id = module.key_vault_domain.id
- tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azuread_service_principal.iac_sp_plan.object_id
-
- secret_permissions = ["Get", "List", "Set", ]
-
- certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", "Import"]
-
- storage_permissions = []
-}
diff --git a/src/domains/diego-common/08_cdn.tf b/src/domains/diego-common/08_cdn.tf
index d4791b96..e0c77898 100644
--- a/src/domains/diego-common/08_cdn.tf
+++ b/src/domains/diego-common/08_cdn.tf
@@ -1,60 +1,63 @@
-### Frontend common resources
-resource "azurerm_resource_group" "devopslab_cdn_rg" {
- name = "${local.project}-cdn-rg"
- location = var.location
-
- tags = var.tags
-}
-
-### Frontend resources
-#tfsec:ignore:azure-storage-queue-services-logging-enabled:exp:2022-05-01 # already ignored, maybe a bug in tfsec
-module "devopslab_cdn" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cdn?ref=v4.1.0"
-
- name = "diego"
- prefix = local.product
- resource_group_name = azurerm_resource_group.devopslab_cdn_rg.name
- location = azurerm_resource_group.devopslab_cdn_rg.location
- hostname = "cdn-diego-app.devopslab.pagopa.it"
- https_rewrite_enabled = true
- lock_enabled = false
-
- index_document = "index.html"
- error_404_document = "404.html"
-
- dns_zone_name = data.azurerm_dns_zone.public.name
- dns_zone_resource_group_name = data.azurerm_resource_group.rg_vnet_core.name
-
- keyvault_vault_name = module.key_vault_domain.name
- keyvault_resource_group_name = azurerm_resource_group.sec_rg_domain.name
- keyvault_subscription_id = data.azurerm_subscription.current.subscription_id
-
- querystring_caching_behaviour = "BypassCaching"
-
- global_delivery_rule = {
- cache_expiration_action = []
- cache_key_query_string_action = []
- modify_request_header_action = []
-
- # HSTS
- modify_response_header_action = [{
- action = "Overwrite"
- name = "Strict-Transport-Security"
- value = "max-age=31536000"
- },
- # Content-Security-Policy (in Report mode)
- {
- action = "Append"
- name = "Content-Security-Policy-Report-Only"
- value = "script-src 'self' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; worker-src 'none'; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; "
- },
- {
- action = "Append"
- name = "Content-Security-Policy-Report-Only"
- value = "img-src 'self' https://assets.cdn.io.italia.it data:; "
- }
- ]
- }
-
- tags = var.tags
-}
+# ### Frontend common resources
+# resource "azurerm_resource_group" "devopslab_cdn_rg" {
+# count = var.is_feature_enabled.cdn ? 1: 0
+# name = "${local.project}-cdn-rg"
+# location = var.location
+
+# tags = var.tags
+# }
+
+# ### Frontend resources
+# #tfsec:ignore:azure-storage-queue-services-logging-enabled:exp:2022-05-01 # already ignored, maybe a bug in tfsec
+# module "devopslab_cdn" {
+# count = var.is_feature_enabled.cdn ? 1: 0
+# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cdn?ref=v7.76.0"
+
+# name = "diego"
+# prefix = local.project
+# resource_group_name = azurerm_resource_group.devopslab_cdn_rg[0].name
+# location = azurerm_resource_group.devopslab_cdn_rg[0].location
+# hostname = "cdn-diego-app.devopslab.pagopa.it"
+# https_rewrite_enabled = true
+
+# log_analytics_workspace_id = data.azurerm_log_analytics_workspace.log_analytics.id
+
+# index_document = "index.html"
+# error_404_document = "404.html"
+
+# dns_zone_name = data.azurerm_dns_zone.public.name
+# dns_zone_resource_group_name = data.azurerm_resource_group.rg_vnet_core.name
+
+# keyvault_vault_name = module.key_vault_domain.name
+# keyvault_resource_group_name = azurerm_resource_group.sec_rg_domain.name
+# keyvault_subscription_id = data.azurerm_subscription.current.subscription_id
+
+# querystring_caching_behaviour = "BypassCaching"
+
+# global_delivery_rule = {
+# cache_expiration_action = []
+# cache_key_query_string_action = []
+# modify_request_header_action = []
+
+# # HSTS
+# modify_response_header_action = [{
+# action = "Overwrite"
+# name = "Strict-Transport-Security"
+# value = "max-age=31536000"
+# },
+# # Content-Security-Policy (in Report mode)
+# {
+# action = "Append"
+# name = "Content-Security-Policy-Report-Only"
+# value = "script-src 'self' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; worker-src 'none'; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; "
+# },
+# {
+# action = "Append"
+# name = "Content-Security-Policy-Report-Only"
+# value = "img-src 'self' https://assets.cdn.io.italia.it data:; "
+# }
+# ]
+# }
+
+# tags = var.tags
+# }
diff --git a/src/domains/diego-common/09_let_encrypt_credentials.tf b/src/domains/diego-common/09_let_encrypt_credentials.tf
index 4671fe78..564c0d6a 100644
--- a/src/domains/diego-common/09_let_encrypt_credentials.tf
+++ b/src/domains/diego-common/09_let_encrypt_credentials.tf
@@ -1,8 +1,8 @@
-module "letsencrypt_diego" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//letsencrypt_credential?ref=v4.1.0"
+# module "letsencrypt_diego" {
+# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//letsencrypt_credential?ref=v7.76.0"
- prefix = "dvopla"
- env = "d"
- key_vault_name = "dvopla-d-diego-kv"
- subscription_name = "devopslab"
-}
+# prefix = "dvopla"
+# env = "d"
+# key_vault_name = "dvopla-d-diego-kv"
+# subscription_name = "devopslab"
+# }
diff --git a/src/domains/diego-common/99_main.tf b/src/domains/diego-common/99_main.tf
index ec6fef3d..ca3c095a 100644
--- a/src/domains/diego-common/99_main.tf
+++ b/src/domains/diego-common/99_main.tf
@@ -2,15 +2,15 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "= 3.38.0"
+ version = "<= 3.96.0"
 }
 azuread = {
 source = "hashicorp/azuread"
- version = "= 2.21.0"
+ version = "<= 2.47.0"
 }
 null = {
 source = "hashicorp/null"
- version = "= 3.1.1"
+ version = "<= 3.2.1"
 }
 pkcs12 = {
 source = "chilicat/pkcs12"
diff --git a/src/domains/diego-common/99_variables.tf b/src/domains/diego-common/99_variables.tf
index c41bbd99..0cc60cef 100644
--- a/src/domains/diego-common/99_variables.tf
+++ b/src/domains/diego-common/99_variables.tf
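Review bot: The CDN block is commented out in full and, inside the comments, also gated with `count = var.is_feature_enabled.cdn ? 1: 0`; since `is_feature_enabled.cdn` defaults to false in the new variable declaration, the live block behind the flag would already create nothing, so commenting it out only leaves dead code that `terraform validate` never checks and that will drift from the module (it already references `devopslab_cdn_rg[0]` and `v7.76.0` that nobody exercises). Either delete the block or keep it active behind the flag. If the CDN endpoint was applied before, this hunk also tears it down together with the `Strict-Transport-Security` and `Content-Security-Policy-Report-Only` headers it served; that should be stated as intended in the commit message.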
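Review bot: The new constraints (`version = "<= 3.96.0"`, `"<= 2.47.0"`, `"<= 3.2.1"`) have no lower bound, so they accept any older release as well and the selected version is now fixed only by `.terraform.lock.hcl`; a bounded range keeps the upgrade path explicit and reviewable, e.g. `version = ">= 3.94.0, <= 3.96.0"` for azurerm and `version = "~> 2.47.0"` for azuread. The `optional(...)` attribute default introduced in 99_variables.tf in this commit needs Terraform 1.3 or newer, and this `terraform {}` block (which starts and ends outside the hunk) shows no `required_version` in the visible lines; add `required_version = ">= 1.3.0"` if it is not already present further down.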
@@ -90,13 +90,11 @@ variable "tags" {
 }
 }
-variable "terraform_remote_state_core" {
+variable "is_feature_enabled" {
 type = object({
- resource_group_name = string,
- storage_account_name = string,
- container_name = string,
- key = string
+ cdn = optional(bool, false)
 })
+ description = "Features enabled in this domain"
 }
 # DNS
diff --git a/src/domains/diego-common/README.md b/src/domains/diego-common/README.md
index c870540d..5c4bd099 100644
--- a/src/domains/diego-common/README.md
+++ b/src/domains/diego-common/README.md
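Review bot: `is_feature_enabled` has no `default`, so every environment must set it explicitly even though its only attribute already defaults to false; adding `default = {}` after the `description` lets the `optional(bool, false)` default apply and keeps environments whose tfvars were not updated from failing at plan time with a missing-value error. Worth a comment on the variable too: `optional()` with a default value requires Terraform 1.3 or newer, and nothing in this hunk pins that.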
@@ -4,48 +4,41 @@ | Name | Version | |------|---------| -| [azuread](#requirement\_azuread) | = 2.21.0 | -| [azurerm](#requirement\_azurerm) | = 3.38.0 | -| [null](#requirement\_null) | = 3.1.1 | +| [azuread](#requirement\_azuread) | <= 2.47.0 | +| [azurerm](#requirement\_azurerm) | <= 3.96.0 | +| [null](#requirement\_null) | <= 3.2.1 | | [pkcs12](#requirement\_pkcs12) | 0.0.7 | ## Modules | Name | Source | Version | |------|--------|---------| -| [devopslab\_cdn](#module\_devopslab\_cdn) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cdn | v4.1.0 | -| [key\_vault\_domain](#module\_key\_vault\_domain) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v4.1.0 | -| [letsencrypt\_diego](#module\_letsencrypt\_diego) | git::https://github.com/pagopa/terraform-azurerm-v3.git//letsencrypt_credential | v4.1.0 | +| [key\_vault\_domain](#module\_key\_vault\_domain) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v7.76.0 | ## Resources | Name | Type | |------|------| -| [azurerm_key_vault_access_policy.ad_admin_group_policy](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/resources/key_vault_access_policy) | resource | -| [azurerm_key_vault_access_policy.adgroup_developers_policy](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/resources/key_vault_access_policy) | resource | -| [azurerm_key_vault_access_policy.adgroup_externals_policy](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/resources/key_vault_access_policy) | resource | -| [azurerm_key_vault_access_policy.azdevops_platform_iac_policy](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/resources/key_vault_access_policy) | resource | -| [azurerm_key_vault_access_policy.iac_sp_plan_policy](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/resources/key_vault_access_policy) | resource | -| 
[azurerm_resource_group.devopslab_cdn_rg](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/resources/resource_group) | resource | -| [azurerm_resource_group.sec_rg_domain](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/resources/resource_group) | resource | -| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | -| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | -| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | -| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/group) | data source | -| [azuread_service_principal.iac_sp_plan](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/service_principal) | data source | -| [azuread_service_principal.platform_iac_sp](https://registry.terraform.io/providers/hashicorp/azuread/2.21.0/docs/data-sources/service_principal) | data source | -| [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/data-sources/application_insights) | data source | -| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/data-sources/client_config) | data source | -| [azurerm_dns_zone.public](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/data-sources/dns_zone) | data source | -| [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/data-sources/log_analytics_workspace) | data source | -| [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/data-sources/monitor_action_group) | data source | -| 
[azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/data-sources/monitor_action_group) | data source | -| [azurerm_private_dns_zone.storage_account_private_dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/data-sources/private_dns_zone) | data source | -| [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/data-sources/resource_group) | data source | -| [azurerm_resource_group.rg_vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/data-sources/resource_group) | data source | -| [azurerm_subnet.private_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/data-sources/subnet) | data source | -| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/data-sources/subscription) | data source | -| [azurerm_virtual_network.vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/3.38.0/docs/data-sources/virtual_network) | data source | +| [azurerm_key_vault_access_policy.ad_admin_group_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_access_policy.adgroup_developers_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_access_policy.adgroup_externals_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_resource_group.sec_rg_domain](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| 
[azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | +| [azurerm_dns_zone.public](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source | +| [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source | +| [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | +| [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | +| [azurerm_private_dns_zone.storage_account_private_dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | +| [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | +| [azurerm_resource_group.rg_vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | +| 
[azurerm_subnet.private_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azurerm_virtual_network.vnet_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source | ## Inputs @@ -57,6 +50,7 @@ | [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes | | [external\_domain](#input\_external\_domain) | Domain for delegation | `string` | `"pagopa.it"` | no | | [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes | +| [is\_feature\_enabled](#input\_is\_feature\_enabled) | Features enabled in this domain |
object({
cdn = optional(bool, false)
})
| n/a | yes | | [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes | | [location\_short](#input\_location\_short) | One of wue, neu | `string` | n/a | yes | | [lock\_enable](#input\_lock\_enable) | Apply locks to block accedentaly deletions. | `bool` | `false` | no | @@ -65,7 +59,6 @@ | [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes | | [prefix](#input\_prefix) | n/a | `string` | n/a | yes | | [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | -| [terraform\_remote\_state\_core](#input\_terraform\_remote\_state\_core) | n/a |
object({
resource_group_name = string,
storage_account_name = string,
container_name = string,
key = string
})
| n/a | yes |
 ## Outputs
diff --git a/src/domains/diego-common/env/dev/backend.tfvars b/src/domains/diego-common/env/dev/backend.tfvars
index 34545b44..baae221c 100644
--- a/src/domains/diego-common/env/dev/backend.tfvars
+++ b/src/domains/diego-common/env/dev/backend.tfvars
@@ -1,4 +1,4 @@
-resource_group_name = "io-infra-rg"
-storage_account_name = "dvopladstinfraterraform"
-container_name = "corestate"
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfinfdevopslab"
+container_name = "terraform-state"
 key = "diego-common-domain-terraform.tfstate"
diff --git a/src/domains/diego-common/env/dev/terraform.tfvars b/src/domains/diego-common/env/dev/terraform.tfvars
index a0c94885..0d0ac3e5 100644
--- a/src/domains/diego-common/env/dev/terraform.tfvars
+++ b/src/domains/diego-common/env/dev/terraform.tfvars
@@ -2,8 +2,8 @@ prefix = "dvopla"
 env_short = "d"
 env = "dev"
-location = "northeurope"
-location_short = "neu"
+location = "italynorth"
+location_short = "itn"
 domain = "diego"
 instance = "dev"
@@ -18,14 +18,12 @@ tags = {
 lock_enable = true
-terraform_remote_state_core = {
- resource_group_name = "io-infra-rg"
- storage_account_name = "dvopladstinfraterraform"
- container_name = "corestate"
- key = "terraform.tfstate"
-}
 cidr_subnet_funcs_diego_domain = ["10.1.144.0/24"]
+is_feature_enabled = {
+ cdn = false
+}
+
 ### External resources
 monitor_resource_group_name = "dvopla-d-monitor-rg"
 log_analytics_workspace_name = "dvopla-d-law"
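Review bot: `cidr_subnet_funcs_diego_domain = ["10.1.144.0/24"]` is carried over unchanged while the environment moves to italynorth and the sibling diego-app tfvars moves its ingress address from `10.11.100.250` to `10.3.1.250`, which suggests the new core VNet has a different address space; verify that 10.1.144.0/24 lies inside the new VNet's range, otherwise the subnet cannot be created there. The backend hunk has the same state-migration caveat as diego-app: a new storage account with the same state key starts from an empty state unless the blob is migrated first. `is_feature_enabled = { cdn = false }` only repeats the variable's `optional(bool, false)` default; a trailing comment such as `# CDN not deployed in this env; see 08_cdn.tf` would record why it is off.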