diff --git a/src/.env/dev/terraform.tfvars b/src/.env/dev/terraform.tfvars
index 2daac54a..042195ea 100644
--- a/src/.env/dev/terraform.tfvars
+++ b/src/.env/dev/terraform.tfvars
@@ -28,16 +28,16 @@ key_vault_name = "dvopla-d-neu-kv"
 key_vault_rg_name = "dvopla-d-sec-rg"
 # ☁️ networking
-cidr_vnet = ["10.1.0.0/16"]
-cidr_subnet_appgateway = ["10.1.128.0/24"]
-cidr_subnet_postgres = ["10.1.129.0/24"]
-cidr_subnet_azdoa = ["10.1.130.0/24"]
-cidr_subnet_app_docker = ["10.1.132.0/24"]
-cidr_subnet_flex_dbms = ["10.1.133.0/24"]
-cidr_subnet_apim = ["10.1.136.0/24"]
-cidr_subnet_appgateway_beta = ["10.1.138.0/24"]
-cidr_subnet_vpn = ["10.1.139.0/24"]
-cidr_subnet_dnsforwarder = ["10.1.140.0/29"]
+cidr_vnet = ["10.1.0.0/16"]
+cidr_subnet_appgateway = ["10.1.128.0/24"]
+cidr_subnet_postgres = ["10.1.129.0/24"]
+cidr_subnet_azdoa = ["10.1.130.0/24"]
+cidr_subnet_app_docker = ["10.1.132.0/24"]
+cidr_subnet_flex_dbms = ["10.1.133.0/24"]
+cidr_subnet_apim = ["10.1.136.0/24"]
+cidr_subnet_appgateway_beta = ["10.1.138.0/24"]
+cidr_subnet_vpn = ["10.1.139.0/24"]
+# cidr_subnet_dnsforwarder = ["10.1.140.0/29"]
 cidr_subnet_private_endpoints = ["10.1.141.0/24"]
 cidr_subnet_eventhub = ["10.1.142.0/24"]
 cidr_subnet_redis = ["10.1.143.0/24"]
diff --git a/src/core/.terraform.lock.hcl b/src/core/.terraform.lock.hcl
index 310b2fa2..136b54cf 100644
--- a/src/core/.terraform.lock.hcl
+++ b/src/core/.terraform.lock.hcl
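Review bot: Commenting out `cidr_subnet_dnsforwarder` removes the only forwarder CIDR in this dev tfvars, but the replacement modules in 02_vpn.tf read `var.cidr_subnet_dnsforwarder_lb` and `var.cidr_subnet_dnsforwarder_vmss`, and 01_network_ita.tf reads `var.cidr_subnet_packer_azdo` and `var.cidr_subnet_packer_dns_forwarder`; none of them is assigned in this hunk. If they are not set further down the file or defaulted in the variable definitions (neither is visible here), a dev plan stops on unset variables. Deleting the stale line instead of keeping it commented out also avoids the old main-VNet prefix being reinstated later by mistake.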
@@ -48,24 +48,24 @@ provider "registry.terraform.io/hashicorp/azuread" { } provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.96.0" - constraints = ">= 3.30.0, >= 3.74.0, >= 3.76.0, <= 3.96.0, <= 3.97.1" + version = "3.97.1" + constraints = ">= 3.30.0, >= 3.74.0, <= 3.97.1, <= 3.100.0, <= 3.101.0" hashes = [ - "h1:SJmniidGZj2RfXwrWBPOtNEq8RhHK2ONz5GRpQhTuEY=", - "h1:m1dRKavp189/pmyeJy6JjYZaDCXonvWIPO9rFJnpdTI=", - "h1:o1BGLLHL33WaMjlUYSCr6zo7nuw4mKrpcLee14fSLc0=", - "h1:p81ospFjXO6UGMCct9mDXgjMNqtc9YKeRE2hXjefhUM=", - "zh:2fb3f3c309bc8b040cd63f3a5711d4a6fc107e653a760063ec3ee6417912d14d", - "zh:45b83f492bd371c837df6d68e96ee3ab89faa00f740bca915187b344fd795ae3", - "zh:4a8b9f31da14ae824b2358fe772bb03ee79283d3294985f2acb48a0d4cd950bb", - "zh:4ab3c38b6141a0bd52d9216383d256771c0bfdc1869dccf52f414ed04290ed35", - "zh:6772d182dde23ff3fe10497f104a866cfc1cb848988f830100247363f9dd9ef7", - "zh:85875de128bc2d119c63f16116773594345ad5d0e8a3b464f7612479900df640", - "zh:9cd696005f4cfab4662d7db81039a64fc4c66d6eeedddf0808f2e97bc8af25f4", - "zh:bdc8921161253d3bff8f951cbf63f73f856bbda0ee2e9f51af60d74464059d21", - "zh:d7320767f7cde3796906f453a99ba80284fe8479ce127a4703ecf45dd9ef1321", - "zh:e0c28b79c0bf5004a9d094a68ec0c887c7df307f2cedeed2cbbef567c61443c6", - "zh:f069aa8e951508ea812cb8fef73f79594212864014eb85db39cdea2c648f69ee", + "h1:LtwGbd4HEb5QCXmdxSvTjPSh8/Gp8eAQMYfiAKaubV4=", + "h1:klBuN2uVZF7AVMhskbbgF8pygyhPBxsjedB1GUV79PA=", + "h1:m5wyoRGjbVfJU2YaGZrN1lfGgjpyuwi7Ykw1uHdwlAg=", + "h1:vwYchGsh1TY+/GjUv6CUS6It2opnMYYYVt4GBvCmesY=", + "zh:15171efcc3aa3a37748c502c493cb16ecff603b81ada4499a843574976bac524", + "zh:2ca6c13a4a96f67763ecced0015c7b101ee02d54ea54b28a8df4ae06468071b1", + "zh:2e3c77dbfd8f760132ecef2d6117e939cbea26b96aba5e4d926e7f7f0f7afe72", + "zh:4bc346eece1622be93c73801d8256502b11fd7c2e7f7cea12d048bb9fc9fe900", + "zh:4f1042942ed8d0433680a367527289459d43b0894a51eaba83ac414e80d5187f", + "zh:63e674c31482ae3579ea84daf5b1ba066ce40cb23475f54e17b6b131320a1bec", + 
"zh:8327148766dcb7a174673729a832c8095d7e137d0e6c7e2a9a01da48b8b73fbe",
+ "zh:851b3ae417059a80c7813e7f0063298a590a42f056004f2c2558ea14061c207e",
+ "zh:ac081b48907139c121a422ae9b1f40fc72c6aaaeb05cbdbf848102a6a5f426f4",
+ "zh:dc1d663df2d95e4ba91070ceb20d3560b6ea5c465d39c57a5979319302643e41",
+ "zh:ed26457367cbbb94237e935d297cb31b5687f9abf697377da0ee46974480db9b",
 "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
 ]
 }
diff --git a/src/core/00_entra.tf b/src/core/00_entra.tf
new file mode 100644
index 00000000..e0f233cd
--- /dev/null
+++ b/src/core/00_entra.tf
@@ -0,0 +1,18 @@
+#
+# Azure AD Access Policy
+#
+data "azuread_group" "adgroup_admin" {
+ display_name = "${local.project}-adgroup-admin"
+}
+
+data "azuread_group" "adgroup_developers" {
+ display_name = "${local.project}-adgroup-developers"
+}
+
+data "azuread_group" "adgroup_externals" {
+ display_name = "${local.project}-adgroup-externals"
+}
+
+data "azuread_group" "adgroup_security" {
+ display_name = "${local.project}-adgroup-security"
+}
diff --git a/src/core/00_keyvault.tf b/src/core/00_keyvault.tf
new file mode 100644
index 00000000..8ee042c3
--- /dev/null
+++ b/src/core/00_keyvault.tf
@@ -0,0 +1,14 @@
+data "azurerm_key_vault" "kv" {
+ name = var.key_vault_name
+ resource_group_name = var.key_vault_rg_name
+}
+
+data "azurerm_key_vault_secret" "monitor_notification_slack_email" {
+ name = "monitor-notification-slack-email"
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+data "azurerm_key_vault_secret" "monitor_notification_email" {
+ name = "monitor-notification-email"
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
diff --git a/src/core/01_keyvault.tf b/src/core/01_keyvault.tf
index 8ee042c3..4e86b2d7 100644
--- a/src/core/01_keyvault.tf
+++ b/src/core/01_keyvault.tf
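Review bot: The four `azuread_group` lookups in 00_entra.tf are unconditional, while the `adgroup_externals` and `adgroup_security` access policies in 01_keyvault.tf exist only when `var.env_short == "d"`; in every other environment the two data sources still have to resolve, so a tenant that lacks those groups fails at plan time even though nothing there uses them. Guarding the two lookups the same way, `count = var.env_short == "d" ? 1 : 0` with `[0]` at the use site, keeps the two files consistent. Resolving groups by `display_name` alone also ties vault access to a mutable, non-unique attribute; adding `security_enabled = true` or looking the groups up by `object_id` makes the match unambiguous. The 00_keyvault.tf hunk on this line is the previous 01_keyvault.tf content moved verbatim and needs nothing.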
@@ -1,14 +1,72 @@
-data "azurerm_key_vault" "kv" {
- name = var.key_vault_name
- resource_group_name = var.key_vault_rg_name
+resource "azurerm_resource_group" "sec_rg" {
+ name = "${local.project_ita}-sec-rg"
+ location = var.location_ita
+
+ tags = var.tags
+}
+
+module "key_vault_core_ita" {
+ source = "github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v8.5.0"
+ name = "${local.project_ita}-core-kv"
+ location = azurerm_resource_group.sec_rg.location
+ resource_group_name = azurerm_resource_group.sec_rg.name
+ tenant_id = data.azurerm_client_config.current.tenant_id
+
+ tags = var.tags
+}
+
+## ad group policy ##
+resource "azurerm_key_vault_access_policy" "adgroup_admin_policy" {
+ key_vault_id = module.key_vault_core_ita.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azuread_group.adgroup_admin.object_id
+
+ key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+ secret_permissions = ["Get", "List", "Set", "Delete", "Recover", "Backup", "Restore"]
+ storage_permissions = []
+ certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", ]
+}
+
+## ad group policy ##
+resource "azurerm_key_vault_access_policy" "adgroup_developers_policy" {
+ key_vault_id = module.key_vault_core_ita.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azuread_group.adgroup_developers.object_id
+
+ key_permissions = var.env_short == "d" ? ["Get", "List", "Update", "Create", "Import", "Delete", ] : ["Get", "List", "Update", "Create", "Import", ]
+ secret_permissions = var.env_short == "d" ? ["Get", "List", "Set", "Delete", ] : ["Get", "List", "Set", ]
+ storage_permissions = []
+ certificate_permissions = var.env_short == "d" ? ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", ] : ["Get", "List", "Update", "Create", "Import", "Restore", "Recover", ]
 }
-data "azurerm_key_vault_secret" "monitor_notification_slack_email" {
- name = "monitor-notification-slack-email"
- key_vault_id = data.azurerm_key_vault.kv.id
+## ad group policy ##
+resource "azurerm_key_vault_access_policy" "adgroup_externals_policy" {
+ count = var.env_short == "d" ? 1 : 0
+
+ key_vault_id = module.key_vault_core_ita.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azuread_group.adgroup_externals.object_id
+
+ key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+ secret_permissions = ["Get", "List", "Set", "Delete", ]
+ storage_permissions = []
+ certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", ]
 }
-data "azurerm_key_vault_secret" "monitor_notification_email" {
- name = "monitor-notification-email"
- key_vault_id = data.azurerm_key_vault.kv.id
+## ad group policy ##
+resource "azurerm_key_vault_access_policy" "adgroup_security_policy" {
+ count = var.env_short == "d" ? 1 : 0
+
+ key_vault_id = module.key_vault_core_ita.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azuread_group.adgroup_security.object_id
+
+ key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+ secret_permissions = ["Get", "List", "Set", "Delete", ]
+ storage_permissions = []
+ certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", ]
 }
diff --git a/src/core/01_network.tf b/src/core/01_network.tf
index 69471fee..7e6a258d 100644
--- a/src/core/01_network.tf
+++ b/src/core/01_network.tf
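Review bot: `adgroup_externals_policy` gives the externals group the same rights as `adgroup_admin_policy` on keys and certificates, including `Delete` and `Purge`, plus `Delete` on secrets; the dev-only `count` limits where the policy exists, not what it allows, and this vault is where the Italy Application Insights instrumentation key is written (02_monitor_ita.tf). A least-privilege set for externals would mirror the non-dev developers branch, e.g. `secret_permissions = ["Get", "List", "Set", ]` and certificate permissions without `Delete` / `Purge`. `adgroup_security_policy` is also dev-only, which reads like an oversight rather than intent, since a security group usually needs at least read access in every environment; a comment above the `count` stating the reason would settle it. Whether `module.key_vault_core_ita` also grants the applying identity (`data.azurerm_client_config.current`) an access policy is not visible here; without one the `azurerm_key_vault_secret` writes in the monitor files fail.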
@@ -5,18 +5,11 @@ resource "azurerm_resource_group" "rg_vnet" {
 tags = var.tags
 }
-resource "azurerm_resource_group" "rg_ita_vnet" {
- name = "${local.project_ita}-vnet-rg"
- location = var.location_ita
-
- tags = var.tags
-}
-
 #
 # vnet
 #
 module "vnet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network?ref=v7.77.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network?ref=v8.5.0"
 name = local.vnet_name
 location = azurerm_resource_group.rg_vnet.location
 resource_group_name = azurerm_resource_group.rg_vnet.name
@@ -25,35 +18,6 @@ module "vnet" {
 tags = var.tags
 }
-module "vnet_italy" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network?ref=v7.77.0"
-
- name = "${local.project_ita}-vnet"
- location = var.location_ita
- resource_group_name = azurerm_resource_group.rg_ita_vnet.name
-
- address_space = var.cidr_vnet_italy
- ddos_protection_plan = var.vnet_ita_ddos_protection_plan
-
- tags = var.tags
-}
-
-## Peering between the vnet(main) and italy vnet
-module "vnet_ita_peering" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network_peering?ref=v7.77.0"
-
- source_resource_group_name = azurerm_resource_group.rg_ita_vnet.name
- source_virtual_network_name = module.vnet_italy.name
- source_remote_virtual_network_id = module.vnet_italy.id
- source_use_remote_gateways = true
- source_allow_forwarded_traffic = true
-
- target_resource_group_name = azurerm_resource_group.rg_vnet.name
- target_virtual_network_name = module.vnet.name
- target_remote_virtual_network_id = module.vnet.id
- target_allow_gateway_transit = true
-
-}
 #
 # Public IP
@@ -133,7 +97,7 @@ resource "azurerm_public_ip" "aks_outbound" {
 # Private endpoints
 #
 module "private_endpoints_snet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.77.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0"
 name = "${local.project}-private-endpoints-snet"
 address_prefixes = var.cidr_subnet_private_endpoints
 virtual_network_name = module.vnet.name
@@ -147,19 +111,3 @@ module "private_endpoints_snet" {
 "Microsoft.Storage",
 ]
 }
-
-module "private_endpoints_italy_snet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.77.0"
- name = "${local.project}-private-endpoints-italy-snet"
- address_prefixes = var.cidr_subnet_private_endpoints_italy
- virtual_network_name = module.vnet_italy.name
-
- resource_group_name = azurerm_resource_group.rg_ita_vnet.name
-
- private_endpoint_network_policies_enabled = false
- service_endpoints = [
- "Microsoft.Web",
- "Microsoft.AzureCosmosDB",
- "Microsoft.Storage",
- ]
-}
diff --git a/src/core/01_network_ita.tf b/src/core/01_network_ita.tf
new file mode 100644
index 00000000..28318536
--- /dev/null
+++ b/src/core/01_network_ita.tf
@@ -0,0 +1,55 @@
+resource "azurerm_resource_group" "rg_ita_vnet" {
+ name = local.vnet_ita_resource_group_name
+ location = var.location_ita
+
+ tags = var.tags
+}
+
+module "vnet_italy" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network?ref=v8.5.0"
+
+ name = local.vnet_ita_name
+ location = var.location_ita
+ resource_group_name = azurerm_resource_group.rg_ita_vnet.name
+
+ address_space = var.cidr_vnet_italy
+ ddos_protection_plan = var.vnet_ita_ddos_protection_plan
+
+ tags = var.tags
+}
+
+## Peering between the vnet(main) and italy vnet
+module "vnet_ita_peering" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network_peering?ref=v8.5.0"
+
+ source_resource_group_name = azurerm_resource_group.rg_ita_vnet.name
+ source_virtual_network_name = module.vnet_italy.name
+ source_remote_virtual_network_id = module.vnet_italy.id
+ source_use_remote_gateways = false
+ source_allow_forwarded_traffic = true
+
+ target_resource_group_name = azurerm_resource_group.rg_vnet.name
+ target_virtual_network_name = module.vnet.name
+ target_remote_virtual_network_id = module.vnet.id
+ target_allow_gateway_transit = false
+}
+
+module "packer_azdo_snet" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0"
+ name = "packer-azdo-subnet"
+ address_prefixes = var.cidr_subnet_packer_azdo
+ virtual_network_name = module.vnet_italy.name
+ resource_group_name = azurerm_resource_group.rg_ita_vnet.name
+ service_endpoints = []
+ private_endpoint_network_policies_enabled = true
+}
+
+module "packer_dns_forwarder_snet" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0"
+ name = "packer-dns-forwarder-subnet"
+ address_prefixes = var.cidr_subnet_packer_dns_forwarder
+ virtual_network_name = module.vnet_italy.name
+ resource_group_name = azurerm_resource_group.rg_ita_vnet.name
+ service_endpoints = []
+ private_endpoint_network_policies_enabled = true
+}
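Review bot: `vnet_ita_peering` sets `source_use_remote_gateways = false` and `target_allow_gateway_transit = false`, yet 02_vpn.tf moves the `GatewaySubnet` and the VPN gateway into `vnet_italy`; nothing in the peering advertises that gateway to the main VNet any more, so VPN clients get routes only for the Italy address space unless the main side is configured to use the Italy gateway (the module's arguments for that direction are not visible in this hunk, so confirm against the `virtual_network_peering` module at v8.5.0 before merging). The two packer subnets hard-code `name = "packer-azdo-subnet"` and `"packer-dns-forwarder-subnet"` without the `${local.project_ita}` prefix every other subnet uses; either add the prefix or leave a comment saying why these are unprefixed. They also get no NSG association in this file; if that is intended, a one-line `# NSG intentionally omitted: <reason>` above each module spares the next reviewer the question.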
diff --git a/src/core/02_dns_private.tf b/src/core/02_dns_private.tf
index 9a9db767..74ca588d 100644
--- a/src/core/02_dns_private.tf
+++ b/src/core/02_dns_private.tf
@@ -4,14 +4,14 @@ resource "azurerm_private_dns_zone" "internal_devopslab" {
 count = (var.dns_zone_internal_prefix == null || var.external_domain == null) ? 0 : 1
 name = local.dns_zone_private_name
- resource_group_name = azurerm_resource_group.rg_vnet.name
+ resource_group_name = azurerm_resource_group.rg_ita_vnet.name
 tags = var.tags
 }
 resource "azurerm_private_dns_zone_virtual_network_link" "vnet_core" {
 name = local.vnet_resource_group_name
- resource_group_name = azurerm_resource_group.rg_vnet.name
+ resource_group_name = azurerm_resource_group.rg_ita_vnet.name
 private_dns_zone_name = azurerm_private_dns_zone.internal_devopslab[0].name
 virtual_network_id = module.vnet.id
@@ -22,7 +22,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "vnet_core" {
 resource "azurerm_private_dns_zone" "privatelink_postgres_database_azure_com" {
 name = "privatelink.postgres.database.azure.com"
- resource_group_name = azurerm_resource_group.rg_vnet.name
+ resource_group_name = azurerm_resource_group.rg_ita_vnet.name
 tags = var.tags
 }
@@ -32,7 +32,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_postgres_d
 name = "${local.project}-pg-flex-link"
 private_dns_zone_name = azurerm_private_dns_zone.privatelink_postgres_database_azure_com.name
- resource_group_name = azurerm_resource_group.rg_vnet.name
+ resource_group_name = azurerm_resource_group.rg_ita_vnet.name
 virtual_network_id = module.vnet.id
 registration_enabled = false
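Review bot: Changing `resource_group_name` on `azurerm_private_dns_zone` forces a new resource, so the zones in this hunk and in the ones at `@@ -22,7`, `@@ -32,7` and `@@ -43,12` (the last on the next line) are destroyed and recreated along with their links; any record not managed by this configuration, including entries in `internal_devopslab`, is gone for the duration of the cutover, so plan the apply and re-check the postgres and storage private endpoints afterwards. Separately, every `azurerm_private_dns_zone_virtual_network_link` keeps `virtual_network_id = module.vnet.id`; with the DNS forwarder and the VPN gateway moved into `vnet_italy` (02_vpn.tf) there is no link for that VNet, so a forwarder placed there cannot resolve these zones. Add a second link per zone with `virtual_network_id = module.vnet_italy.id`, or document why the Italy VNet is meant to stay unlinked.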
@@ -43,12 +43,12 @@ resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_postgres_d
 resource "azurerm_private_dns_zone" "storage_account" {
 name = "privatelink.blob.core.windows.net"
- resource_group_name = azurerm_resource_group.rg_vnet.name
+ resource_group_name = azurerm_resource_group.rg_ita_vnet.name
 }
 resource "azurerm_private_dns_zone_virtual_network_link" "storage_account_vnet" {
 name = "${local.project}-storage-account-vnet-private-dns-zone-link"
- resource_group_name = azurerm_resource_group.rg_vnet.name
+ resource_group_name = azurerm_resource_group.rg_ita_vnet.name
 private_dns_zone_name = azurerm_private_dns_zone.storage_account.name
 virtual_network_id = module.vnet.id
 }
diff --git a/src/core/02_dns_public.tf b/src/core/02_dns_public.tf
index 48776bfb..763c44a7 100644
--- a/src/core/02_dns_public.tf
+++ b/src/core/02_dns_public.tf
@@ -3,30 +3,15 @@
 #
 resource "azurerm_dns_zone" "public" {
 name = local.prod_dns_zone_public_name
- resource_group_name = azurerm_resource_group.rg_vnet.name
+ resource_group_name = azurerm_resource_group.rg_ita_vnet.name
 tags = var.tags
 }
-# Prod ONLY record to LAB public DNS delegation
-resource "azurerm_dns_ns_record" "lab_it_ns" {
- name = "lab"
- zone_name = azurerm_dns_zone.public.name
- resource_group_name = azurerm_resource_group.rg_vnet.name
- records = [
- "ns1-08.azure-dns.com.",
- "ns2-08.azure-dns.net.",
- "ns3-08.azure-dns.org.",
- "ns4-08.azure-dns.info."
- ]
- ttl = var.dns_default_ttl_sec
- tags = var.tags
-}
-
 resource "azurerm_dns_cname_record" "public_healthy" {
 name = "healthy"
 zone_name = azurerm_dns_zone.public.name
- resource_group_name = azurerm_resource_group.rg_vnet.name
+ resource_group_name = azurerm_resource_group.rg_ita_vnet.name
 ttl = 300
 record = "google.com"
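Review bot: Moving `azurerm_dns_zone.public` to `rg_ita_vnet` recreates the public zone, and a recreated Azure DNS zone receives a new name-server set, so the delegation at the parent of `local.prod_dns_zone_public_name` must be updated in step or `api` and `healthy` stop resolving from the internet; the hunk at `@@ -42,19` on the next line carries the same exposure. The records defined here are recreated with the zone, but anything added to the zone outside Terraform is lost. The commit also drops the `lab_it_ns` delegation and the `helm_template_ingress` A record without explanation; if that is deliberate, a short note in the file or the change description keeps the DNS history auditable.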
@@ -42,19 +27,9 @@ resource "azurerm_dns_cname_record" "public_healthy" {
 resource "azurerm_dns_a_record" "api_devopslab_pagopa_it" {
 name = "api"
 zone_name = azurerm_dns_zone.public.name
- resource_group_name = azurerm_resource_group.rg_vnet.name
+ resource_group_name = azurerm_resource_group.rg_ita_vnet.name
 ttl = var.dns_default_ttl_sec
 records = [azurerm_public_ip.appgateway_public_ip.ip_address]
 tags = var.tags
 }
-
-resource "azurerm_dns_a_record" "helm_template_ingress_devopslab_pagopa_it" {
- name = "helm-template.ingress"
- zone_name = azurerm_dns_zone.public.name
- resource_group_name = azurerm_resource_group.rg_vnet.name
- ttl = var.dns_default_ttl_sec
- records = azurerm_public_ip.aks_outbound[*].ip_address
-
- tags = var.tags
-}
diff --git a/src/core/02_monitor_ita.tf b/src/core/02_monitor_ita.tf
new file mode 100644
index 00000000..568f823b
--- /dev/null
+++ b/src/core/02_monitor_ita.tf
@@ -0,0 +1,65 @@
+resource "azurerm_resource_group" "monitor_ita_rg" {
+ name = local.monitor_ita_rg_name
+ location = var.location_ita
+
+ tags = var.tags
+}
+
+resource "azurerm_log_analytics_workspace" "log_analytics_workspace_ita" {
+ name = local.monitor_ita_log_analytics_workspace_name
+ location = azurerm_resource_group.monitor_ita_rg.location
+ resource_group_name = azurerm_resource_group.monitor_ita_rg.name
+ sku = var.law_sku
+ retention_in_days = var.law_retention_in_days
+ daily_quota_gb = var.law_daily_quota_gb
+
+ tags = var.tags
+}
+
+# Application insights
+resource "azurerm_application_insights" "application_insights_ita" {
+ name = local.monitor_ita_appinsights_name
+ location = azurerm_resource_group.monitor_ita_rg.location
+ resource_group_name = azurerm_resource_group.monitor_ita_rg.name
+ application_type = "other"
+ workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace_ita.id
+
+ tags = var.tags
+}
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "application_insights_ita_key" {
+ name = "appinsights-instrumentation-ita-key"
+ value = azurerm_application_insights.application_insights_ita.instrumentation_key
+ content_type = "text/plain"
+
+ key_vault_id = module.key_vault_core_ita.id
+}
+
+# resource "azurerm_monitor_ita_action_group" "email_ita" {
+# name = "PagoPA"
+# resource_group_name = azurerm_resource_group.monitor_ita_rg.name
+# short_name = "PagoPA"
+#
+# email_receiver {
+# name = "sendtooperations"
+# email_address = data.azurerm_key_vault_secret.monitor_ita_notification_email.value
+# use_common_alert_schema = true
+# }
+#
+# tags = var.tags
+# }
+#
+# resource "azurerm_monitor_ita_action_group" "slack_ita" {
+# name = "SlackPagoPA"
+# resource_group_name = azurerm_resource_group.monitor_ita_rg.name
+# short_name = "SlackPagoPA"
+#
+# email_receiver {
+# name = "sendtoslack"
+# email_address = data.azurerm_key_vault_secret.monitor_ita_notification_slack_email.value
+# use_common_alert_schema = true
+# }
+#
+# tags = var.tags
+# }
diff --git a/src/core/02_monitor.tf b/src/core/02_monitor_weu.tf
similarity index 69%
rename from src/core/02_monitor.tf
rename to src/core/02_monitor_weu.tf
index a4e2403a..7276555b 100644
--- a/src/core/02_monitor.tf
+++ b/src/core/02_monitor_weu.tf
@@ -30,10 +30,10 @@ resource "azurerm_application_insights" "application_insights" {
 #tfsec:ignore:AZU023
 resource "azurerm_key_vault_secret" "application_insights_key" {
 name = "appinsights-instrumentation-key"
- value = azurerm_application_insights.application_insights.instrumentation_key
+ value = azurerm_application_insights.application_insights_ita.instrumentation_key
 content_type = "text/plain"
- key_vault_id = data.azurerm_key_vault.kv.id
+ key_vault_id = module.key_vault_core_ita.id
 }
 resource "azurerm_monitor_action_group" "email" {
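Review bot: The commented-out action groups in 02_monitor_ita.tf use the type `azurerm_monitor_ita_action_group` and the data sources `data.azurerm_key_vault_secret.monitor_ita_notification_email` / `monitor_ita_notification_slack_email`; the first is not an azurerm resource type and the two data sources are not defined anywhere in this commit (00_keyvault.tf defines `monitor_notification_email` and `monitor_notification_slack_email`), so a search-and-replace of `monitor` with `monitor_ita` has reached into identifiers and the block will fail the moment it is uncommented. The working names are `azurerm_monitor_action_group`, `data.azurerm_key_vault_secret.monitor_notification_email` and `data.azurerm_key_vault_secret.monitor_notification_slack_email`. `azurerm_key_vault_secret.application_insights_ita_key` needs the applying identity to hold `Set` on `module.key_vault_core_ita`; no access policy for `data.azurerm_client_config.current` is visible in 01_keyvault.tf, so confirm the module grants one. `#tfsec:ignore:AZU023` suppresses a check on that secret with no stated reason; a trailing `# reason: …` comment keeps the suppression reviewable.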
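Review bot: In the file now named `02_monitor_weu.tf`, `azurerm_key_vault_secret.application_insights_key` is changed to store `application_insights_ita.instrumentation_key` — the Italy key — under the name `appinsights-instrumentation-key`, while 02_monitor_ita.tf already stores the same value as `appinsights-instrumentation-ita-key`; the WEU `application_insights` key is no longer stored anywhere. This looks like the same over-broad replace: keep `value = azurerm_application_insights.application_insights.instrumentation_key` and change only `key_vault_id`, if moving the WEU secret into the Italy vault is the intent. Note that changing `key_vault_id` replaces the secret, so anything reading `appinsights-instrumentation-key` from `data.azurerm_key_vault.kv` loses it at apply time.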
@@ -64,25 +64,25 @@ resource "azurerm_monitor_action_group" "slack" {
 tags = var.tags
 }
+# #
+# # Monitor storage
+# #
+# module "security_monitoring_storage" {
+# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account?ref=v8.5.0"
 #
-# Monitor storage
+# name = local.monitor_security_storage_name
+# account_kind = "StorageV2"
+# account_tier = "Standard"
+# account_replication_type = "LRS"
+# access_tier = "Hot"
+# blob_versioning_enabled = false
+# resource_group_name = azurerm_resource_group.monitor_rg.name
+# location = var.location
+# advanced_threat_protection = false
+# allow_nested_items_to_be_public = false
+# public_network_access_enabled = true
 #
-module "security_monitoring_storage" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account?ref=v7.77.0"
-
- name = local.monitor_security_storage_name
- account_kind = "StorageV2"
- account_tier = "Standard"
- account_replication_type = "LRS"
- access_tier = "Hot"
- blob_versioning_enabled = false
- resource_group_name = azurerm_resource_group.monitor_rg.name
- location = var.location
- advanced_threat_protection = false
- allow_nested_items_to_be_public = false
- public_network_access_enabled = true
-
- blob_delete_retention_days = 1
-
- tags = var.tags
-}
+# blob_delete_retention_days = 1
+#
+# tags = var.tags
+# }
diff --git a/src/core/02_vpn.tf b/src/core/02_vpn.tf
index a02957bd..e5316db6 100644
--- a/src/core/02_vpn.tf
+++ b/src/core/02_vpn.tf
@@ -1,10 +1,10 @@
 ## VPN subnet
 module "vpn_snet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.77.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0"
 name = "GatewaySubnet"
 address_prefixes = var.cidr_subnet_vpn
- virtual_network_name = module.vnet.name
- resource_group_name = azurerm_resource_group.rg_vnet.name
+ virtual_network_name = module.vnet_italy.name
+ resource_group_name = azurerm_resource_group.rg_ita_vnet.name
 service_endpoints = []
 private_endpoint_network_policies_enabled = true
 }
@@ -15,14 +15,15 @@ data "azuread_application" "vpn_app" {
 module "vpn" {
 count = var.vpn_enabled ? 1 : 0
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//vpn_gateway?ref=v7.77.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//vpn_gateway?ref=v8.5.0"
- name = "${local.project}-vpn"
- location = var.location
- resource_group_name = azurerm_resource_group.rg_vnet.name
- sku = var.vpn_sku
- pip_sku = var.vpn_pip_sku
- subnet_id = module.vpn_snet.id
+ name = "${local.project_ita}-vpn"
+ location = var.location_ita
+ resource_group_name = azurerm_resource_group.rg_ita_vnet.name
+ sku = var.vpn_sku
+ pip_sku = var.vpn_pip_sku
+ pip_allocation_method = "Static"
+ subnet_id = module.vpn_snet.id
 vpn_client_configuration = [
 {
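Review bot: `vpn_snet` keeps `address_prefixes = var.cidr_subnet_vpn`, which the dev tfvars hunk leaves at `10.1.139.0/24`, a prefix inside the main VNet's `10.1.0.0/16`; the subnet now lives in `vnet_italy`, whose `address_space` is `var.cidr_vnet_italy`, and peered VNets cannot overlap, so unless `cidr_vnet_italy` (not visible here) already covers that range the `GatewaySubnet` creation fails on the first dev apply. The second hunk moves `module.vpn` by name, location and resource group, which replaces the gateway and its public IP; the client endpoint changes and every distributed VPN profile has to be regenerated, which deserves a line in the change description. `pip_allocation_method = "Static"` is the right addition for the same reason.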
@@ -41,44 +42,43 @@ module "vpn" {
 tags = var.tags
 }
-#
-# DNS Forwarder
-#
-resource "azurerm_resource_group" "dns_forwarder" {
+# Dns Forwarder module
- name = "${local.project}-dns-forwarder-rg"
- location = var.location
+module "subnet_dns_forwarder_lb" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0"
+ count = var.dns_forwarder_is_enabled ? 1 : 0
- tags = var.tags
+ name = "${local.project_ita}-dns-forwarder-lb"
+ address_prefixes = var.cidr_subnet_dnsforwarder_lb
+ virtual_network_name = local.vnet_ita_name
+ resource_group_name = local.vnet_ita_resource_group_name
 }
-module "dns_forwarder_snet" {
-
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.77.0"
- name = "${local.project}-dnsforwarder-snet"
- address_prefixes = var.cidr_subnet_dnsforwarder
- resource_group_name = azurerm_resource_group.rg_vnet.name
- virtual_network_name = module.vnet.name
- private_endpoint_network_policies_enabled = true
+module "subnet_dns_forwarder_vmss" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0"
+ count = var.dns_forwarder_is_enabled ? 1 : 0
- delegation = {
- name = "delegation"
- service_delegation = {
- name = "Microsoft.ContainerInstance/containerGroups"
- actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
- }
- }
+ name = "${local.project_ita}-dns-forwarder-vmss"
+ address_prefixes = var.cidr_subnet_dnsforwarder_vmss
+ virtual_network_name = local.vnet_ita_name
+ resource_group_name = local.vnet_ita_resource_group_name
 }
-module "dns_forwarder" {
- count = var.dns_forwarder_enabled ? 1 : 0
+module "dns_forwarder_lb_vmss" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_lb_vmss?ref=dns-forwarder-lb-fix"
+ count = var.dns_forwarder_is_enabled ? 1 : 0
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder?ref=v7.77.0"
+ name = local.project
+ virtual_network_name = local.vnet_ita_name
+ resource_group_name = local.vnet_ita_resource_group_name
- name = "${local.project}-dns-forwarder"
- location = var.location
- resource_group_name = azurerm_resource_group.rg_vnet.name
- subnet_id = module.dns_forwarder_snet.id
+ subnet_lb_id = module.subnet_dns_forwarder_lb[0].id
+ static_address_lb = cidrhost(var.cidr_subnet_dnsforwarder_lb[0], 4)
+ subnet_vmss_id = module.subnet_dns_forwarder_vmss[0].id
- tags = var.tags
+ location = var.location_ita
+ subscription_id = data.azurerm_subscription.current.subscription_id
+ source_image_name = var.dns_forwarder_vmss_image_name
+ key_vault_id = data.azurerm_key_vault.kv.id
+ tags = var.tags
 }
diff --git a/src/core/03_apim_0.tf b/src/core/03_apim_0.tf
index b80fba61..4bfe02c0 100644
--- a/src/core/03_apim_0.tf
+++ b/src/core/03_apim_0.tf
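Review bot: `dns_forwarder_lb_vmss` pins its source to `ref=dns-forwarder-lb-fix`, a branch name, while every other module in this commit uses `ref=v8.5.0`; a branch ref is mutable and is not recorded by `.terraform.lock.hcl` (which pins providers only), so the code fetched at `terraform init` can change after this commit merges and the deployment is not reproducible — pin to the tag that ships the fix, or to a commit SHA until it is released. The three new modules also reference the Italy VNet by string (`virtual_network_name = local.vnet_ita_name`, `resource_group_name = local.vnet_ita_resource_group_name`) instead of `module.vnet_italy.name` / `azurerm_resource_group.rg_ita_vnet.name` as 01_network_ita.tf does, which drops the implicit dependency and can let a fresh apply attempt the subnets before the VNet exists. `key_vault_id = data.azurerm_key_vault.kv.id` points the forwarder at the old vault while the rest of the commit moves to `module.key_vault_core_ita.id`, and `name = local.project` lacks the `_ita` every other Italy resource carries; confirm both are intended and say so in a comment.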
@@ -1,167 +1,167 @@
-# 🔐 KV
-data "azurerm_key_vault_secret" "apim_publisher_email" {
- name = "apim-publisher-email"
- key_vault_id = data.azurerm_key_vault.kv.id
-}
-
-## 🎫 Certificates
-
-data "azurerm_key_vault_certificate" "apim_internal_certificate" {
- name = var.apim_api_internal_certificate_name
- key_vault_id = data.azurerm_key_vault.kv.id
-}
-
-#--------------------------------------------------------------------------------------------------
-
-resource "azurerm_resource_group" "rg_api" {
- name = "${local.project}-api-rg"
- location = var.location
-
- tags = var.tags
-}
-
-# APIM subnet
-module "apim_snet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.77.0"
- count = var.apim_enabled == true ? 1 : 0
-
- name = "${local.project}-apim-snet"
- resource_group_name = azurerm_resource_group.rg_vnet.name
- virtual_network_name = module.vnet.name
- address_prefixes = var.cidr_subnet_apim
-
- private_endpoint_network_policies_enabled = true
-}
-
-module "apim_stv2_snet" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.77.0"
- count = var.apim_enabled == true ? 1 : 0
-
- name = "${local.project}-apim-stv2-snet"
- resource_group_name = azurerm_resource_group.rg_vnet.name
- virtual_network_name = module.vnet.name
- address_prefixes = var.cidr_subnet_apim_stv2
-
- private_endpoint_network_policies_enabled = true
-}
-
-resource "azurerm_network_security_group" "apim_snet_nsg" {
- name = "apim-snet-nsg"
- location = var.location
- resource_group_name = azurerm_resource_group.rg_vnet.name
-}
-
-resource "azurerm_network_security_rule" "apim_snet_nsg_rules" {
- count = length(var.apim_subnet_nsg_security_rules)
-
- network_security_group_name = azurerm_network_security_group.apim_snet_nsg.name
- name = var.apim_subnet_nsg_security_rules[count.index].name
- resource_group_name = azurerm_resource_group.rg_vnet.name
- priority = var.apim_subnet_nsg_security_rules[count.index].priority
- direction = var.apim_subnet_nsg_security_rules[count.index].direction
- access = var.apim_subnet_nsg_security_rules[count.index].access
- protocol = var.apim_subnet_nsg_security_rules[count.index].protocol
- source_port_range = var.apim_subnet_nsg_security_rules[count.index].source_port_range
- destination_port_range = var.apim_subnet_nsg_security_rules[count.index].destination_port_range
- source_address_prefix = var.apim_subnet_nsg_security_rules[count.index].source_address_prefix
- destination_address_prefix = var.apim_subnet_nsg_security_rules[count.index].destination_address_prefix
-}
-
-resource "azurerm_subnet_network_security_group_association" "apim_stv2_snet" {
- count = var.apim_enabled == true ? 1 : 0
-
- subnet_id = module.apim_stv2_snet[0].id
- network_security_group_id = azurerm_network_security_group.apim_snet_nsg.id
-}
-
-resource "azurerm_subnet_network_security_group_association" "apim_snet" {
- count = var.apim_enabled == true ? 1 : 0
-
- subnet_id = module.apim_snet[0].id
- network_security_group_id = azurerm_network_security_group.apim_snet_nsg.id
-}
-
-#--------------------------------------------------------------------------------------------------
-
-###########################
-## Api Management (apim) ##
-###########################
-
-module "apim" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management?ref=v7.77.0"
- count = var.apim_enabled == true ? 1 : 0
-
- name = "${local.project}-apim"
-
- subnet_id = module.apim_snet[0].id
- location = azurerm_resource_group.rg_api.location
- resource_group_name = azurerm_resource_group.rg_api.name
-
- publisher_name = var.apim_publisher_name
- publisher_email = data.azurerm_key_vault_secret.apim_publisher_email.value
- sku_name = var.apim_sku
- virtual_network_type = "Internal"
-
- redis_connection_string = null
- redis_cache_id = null
-
- # This enables the Username and Password Identity Provider
- sign_up_enabled = false
-
- application_insights = {
- enabled = true
- instrumentation_key = azurerm_application_insights.application_insights.instrumentation_key
- }
-
- tags = var.tags
-}
-
-#
-# 🔐 Key Vault Access Policies
-#
-
-## api management policy ##
-resource "azurerm_key_vault_access_policy" "api_management_policy" {
- count = var.apim_enabled == true ? 1 : 0
-
- key_vault_id = data.azurerm_key_vault.kv.id
- tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = module.apim[0].principal_id
-
- key_permissions = []
- secret_permissions = ["Get", "List"]
- certificate_permissions = ["Get", "List"]
- storage_permissions = []
-}
-
-#
-# 🏷 custom domain
-#
-resource "azurerm_api_management_custom_domain" "api_custom_domain" {
- count = var.apim_enabled == true ? 1 : 0
-
- api_management_id = module.apim[0].id
-
- gateway {
- host_name = local.api_internal_domain
- key_vault_id = replace(
- data.azurerm_key_vault_certificate.apim_internal_certificate.secret_id,
- "/${data.azurerm_key_vault_certificate.apim_internal_certificate.version}",
- ""
- )
- }
-}
-
-# api.internal.*.userregistry.pagopa.it
-resource "azurerm_private_dns_a_record" "api_internal" {
- count = var.apim_enabled == true ? 1 : 0
-
-
- name = "api"
- records = module.apim[0].*.private_ip_addresses[0]
- ttl = var.dns_default_ttl_sec
-
- zone_name = azurerm_private_dns_zone.internal_devopslab[0].name
- resource_group_name = azurerm_resource_group.rg_vnet.name
- tags = var.tags
-}
+# # 🔐 KV
+# data "azurerm_key_vault_secret" "apim_publisher_email" {
+# name = "apim-publisher-email"
+# key_vault_id = module.key_vault_core_ita.id
+# }
+#
+# ## 🎫 Certificates
+#
+# data "azurerm_key_vault_certificate" "apim_internal_certificate" {
+# name = var.apim_api_internal_certificate_name
+# key_vault_id = module.key_vault_core_ita.id
+# }
+#
+# #--------------------------------------------------------------------------------------------------
+#
+# resource "azurerm_resource_group" "rg_api" {
+# name = "${local.project_ita}-api-rg"
+# location = var.location_ita
+#
+# tags = var.tags
+# }
+#
+# # APIM subnet
+# module "apim_snet" {
+# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0"
+# count = var.apim_enabled == true ? 1 : 0
+#
+# name = "${local.project_ita}-apim-snet"
+# resource_group_name = azurerm_resource_group.rg_ita_vnet.name
+# virtual_network_name = module.vnet_italy.name
+# address_prefixes = var.cidr_subnet_apim
+#
+# private_endpoint_network_policies_enabled = true
+# }
+#
+# module "apim_stv2_snet" {
+# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0"
+# count = var.apim_enabled == true ? 1 : 0
+#
+# name = "${local.project_ita}-apim-stv2-snet"
+# resource_group_name = azurerm_resource_group.rg_vnet.name
+# virtual_network_name = module.vnet_italy.name
+# address_prefixes = var.cidr_subnet_apim_stv2
+#
+# private_endpoint_network_policies_enabled = true
+# }
+#
+# resource "azurerm_network_security_group" "apim_snet_nsg" {
+# name = "apim-snet-nsg"
+# location = var.location_ita
+# resource_group_name = azurerm_resource_group.rg_vnet.name
+# }
+#
+# resource "azurerm_network_security_rule" "apim_snet_nsg_rules" {
+# count = length(var.apim_subnet_nsg_security_rules)
+#
+# network_security_group_name = azurerm_network_security_group.apim_snet_nsg.name
+# name = var.apim_subnet_nsg_security_rules[count.index].name
+# resource_group_name = azurerm_resource_group.rg_vnet.name
+# priority = var.apim_subnet_nsg_security_rules[count.index].priority
+# direction = var.apim_subnet_nsg_security_rules[count.index].direction
+# access = var.apim_subnet_nsg_security_rules[count.index].access
+# protocol = var.apim_subnet_nsg_security_rules[count.index].protocol
+# source_port_range = var.apim_subnet_nsg_security_rules[count.index].source_port_range
+# destination_port_range = var.apim_subnet_nsg_security_rules[count.index].destination_port_range
+# source_address_prefix = var.apim_subnet_nsg_security_rules[count.index].source_address_prefix
+# destination_address_prefix = var.apim_subnet_nsg_security_rules[count.index].destination_address_prefix
+# }
+#
+# resource "azurerm_subnet_network_security_group_association" "apim_stv2_snet" {
+# count = var.apim_enabled == true ? 1 : 0
+#
+# subnet_id = module.apim_stv2_snet[0].id
+# network_security_group_id = azurerm_network_security_group.apim_snet_nsg.id
+# }
+#
+# resource "azurerm_subnet_network_security_group_association" "apim_snet" {
+# count = var.apim_enabled == true ? 1 : 0
+#
+# subnet_id = module.apim_snet[0].id
+# network_security_group_id = azurerm_network_security_group.apim_snet_nsg.id
+# }
+#
+# #--------------------------------------------------------------------------------------------------
+#
+# ###########################
+# ## Api Management (apim) ##
+# ###########################
+#
+# module "apim" {
+# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management?ref=v8.5.0"
+# count = var.apim_enabled == true ? 1 : 0
+#
+# name = "${local.project_ita}-apim"
+#
+# subnet_id = module.apim_snet[0].id
+# location = azurerm_resource_group.rg_api.location
+# resource_group_name = azurerm_resource_group.rg_api.name
+#
+# publisher_name = var.apim_publisher_name
+# publisher_email = data.azurerm_key_vault_secret.apim_publisher_email.value
+# sku_name = var.apim_sku
+# virtual_network_type = "Internal"
+#
+# redis_connection_string = null
+# redis_cache_id = null
+#
+# # This enables the Username and Password Identity Provider
+# sign_up_enabled = false
+#
+# application_insights = {
+# enabled = true
+# instrumentation_key = azurerm_application_insights.application_insights.instrumentation_key
+# }
+#
+# tags = var.tags
+# }
+#
+# #
+# # 🔐 Key Vault Access Policies
+# #
+#
+# ## api management policy ##
+# resource "azurerm_key_vault_access_policy" "api_management_policy" {
+# count = var.apim_enabled == true ? 1 : 0
+#
+# key_vault_id = module.key_vault_core_ita.id
+# tenant_id = data.azurerm_client_config.current.tenant_id
+# object_id = module.apim[0].principal_id
+#
+# key_permissions = []
+# secret_permissions = ["Get", "List"]
+# certificate_permissions = ["Get", "List"]
+# storage_permissions = []
+# }
+#
+# #
+# # 🏷 custom domain
+# #
+# resource "azurerm_api_management_custom_domain" "api_custom_domain" {
+# count = var.apim_enabled == true ? 
1 : 0 +# +# api_management_id = module.apim[0].id +# +# gateway { +# host_name = local.api_internal_domain +# key_vault_id = replace( +# data.azurerm_key_vault_certificate.apim_internal_certificate.secret_id, +# "/${data.azurerm_key_vault_certificate.apim_internal_certificate.version}", +# "" +# ) +# } +# } +# +# # api.internal.*.userregistry.pagopa.it +# resource "azurerm_private_dns_a_record" "api_internal" { +# count = var.apim_enabled == true ? 1 : 0 +# +# +# name = "api" +# records = module.apim[0].*.private_ip_addresses[0] +# ttl = var.dns_default_ttl_sec +# +# zone_name = azurerm_private_dns_zone.internal_devopslab[0].name +# resource_group_name = azurerm_resource_group.rg_vnet.name +# tags = var.tags +# } diff --git a/src/core/03_apim_api_configurations.tf b/src/core/03_apim_api_configurations.tf index 6011ff94..95f85c22 100644 --- a/src/core/03_apim_api_configurations.tf +++ b/src/core/03_apim_api_configurations.tf 
@@ -1,62 +1,62 @@ -############## -## Products ## -############## - -module "apim_product_blueprint" { - count = var.apim_enabled == true ? 1 : 0 - - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v7.77.0" - - product_id = "blueprint" - display_name = "blueprint product" - description = "Product for blueprint backend" - - api_management_name = module.apim[0].name - resource_group_name = module.apim[0].resource_group_name - - published = true - subscription_required = true - approval_required = false - - policy_xml = file("./api_product/blueprint/_base_policy.xml") -} - - -############## -## APIs ## -############## - -# resource "azurerm_api_management_api_version_set" "apim_blueprint_product" { -# name = local.apim_blueprint_product.api_name -# resource_group_name = module.apim.resource_group_name -# api_management_name = module.apim.name -# display_name = local.apim_blueprint_product.display_name -# versioning_scheme = "Segment" +# ############## +# ## Products ## +# ############## +# +# module "apim_product_blueprint" { +# count = var.apim_enabled == true ? 
1 : 0 +# +# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v8.5.0" +# +# product_id = "blueprint" +# display_name = "blueprint product" +# description = "Product for blueprint backend" +# +# api_management_name = module.apim[0].name +# resource_group_name = module.apim[0].resource_group_name +# +# published = true +# subscription_required = true +# approval_required = false +# +# policy_xml = file("./api_product/blueprint/_base_policy.xml") +# } +# +# +# ############## +# ## APIs ## +# ############## +# +# # resource "azurerm_api_management_api_version_set" "apim_blueprint_product" { +# # name = local.apim_blueprint_product.api_name +# # resource_group_name = module.apim.resource_group_name +# # api_management_name = module.apim.name +# # display_name = local.apim_blueprint_product.display_name +# # versioning_scheme = "Segment" +# # } +# +# module "apim_blueprint_status_v1" { +# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v8.5.0" +# count = var.apim_enabled == true ? 
1 : 0 +# +# +# name = "${var.domain}-blueprint-status-api" +# api_management_name = module.apim[0].name +# product_ids = [module.apim_product_blueprint[0].product_id] +# subscription_required = false +# # version_set_id = azurerm_api_management_api_version_set.apim_blueprint_product.id +# # api_version = "v1" +# service_url = "https://dev01.blueprint.internal.devopslab.pagopa.it/blueprint/v5-java-helm-basic-test/status" +# resource_group_name = module.apim[0].resource_group_name +# +# description = "blueprint - status" +# display_name = "blueprint - status" +# path = "blueprint" +# protocols = ["https"] +# +# content_format = "openapi" +# content_value = templatefile("./api/blueprint/status/openapi_webapp_python.json.tftpl", { +# projectName = "${var.env}-status-api" +# }) +# +# xml_content = file("./api/blueprint/status/_base_policy.xml") # } - -module "apim_blueprint_status_v1" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v7.77.0" - count = var.apim_enabled == true ? 1 : 0 - - - name = "${var.domain}-blueprint-status-api" - api_management_name = module.apim[0].name - product_ids = [module.apim_product_blueprint[0].product_id] - subscription_required = false - # version_set_id = azurerm_api_management_api_version_set.apim_blueprint_product.id - # api_version = "v1" - service_url = "https://dev01.blueprint.internal.devopslab.pagopa.it/blueprint/v5-java-helm-basic-test/status" - resource_group_name = module.apim[0].resource_group_name - - description = "blueprint - status" - display_name = "blueprint - status" - path = "blueprint" - protocols = ["https"] - - content_format = "openapi" - content_value = templatefile("./api/blueprint/status/openapi_webapp_python.json.tftpl", { - projectName = "${var.env}-status-api" - }) - - xml_content = file("./api/blueprint/status/_base_policy.xml") -} diff --git a/src/core/04_azure_devops_agent.tf b/src/core/04_azure_devops_agent.tf index a94548bf..2eaff58e 100644 
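Review bot: The whole of 03_apim_api_configurations.tf is commented out rather than deleted, and the `source` refs inside the commented blocks were still bumped from v7.77.0 to v8.5.0, so version churn is now being applied to dead code. Git history already preserves the old definitions, and this same commit deletes 07_web_test_preview.tf and 09_dns_forwarder.tf outright, so removing the file would be the consistent choice. If it has to stay as a template, a header such as `# Intentionally disabled together with module.apim; see <TICKET-ID> before re-enabling` would tell the next reader why everything is commented.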
--- a/src/core/04_azure_devops_agent.tf +++ b/src/core/04_azure_devops_agent.tf @@ -7,25 +7,25 @@ resource "azurerm_resource_group" "azdo_rg" { } module "azdoa_snet" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.77.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0" count = var.enable_azdoa ? 1 : 0 name = local.azuredevops_subnet_name address_prefixes = var.cidr_subnet_azdoa - resource_group_name = azurerm_resource_group.rg_vnet.name - virtual_network_name = module.vnet.name + resource_group_name = azurerm_resource_group.rg_ita_vnet.name + virtual_network_name = module.vnet_italy.name private_endpoint_network_policies_enabled = true } module "azdoa_vmss_li" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent?ref=v7.77.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent?ref=v8.5.0" count = var.enable_azdoa ? 1 : 0 name = local.azuredevops_agent_vm_name resource_group_name = azurerm_resource_group.azdo_rg[0].name subnet_id = module.azdoa_snet[0].id subscription_name = data.azurerm_subscription.current.display_name subscription_id = data.azurerm_subscription.current.subscription_id - location = var.location + location = var.location_ita source_image_name = var.azdoa_image_name tags = var.tags diff --git a/src/core/04_docker_registry.tf b/src/core/04_docker_registry.tf index 9e350fef..f845c932 100644 --- a/src/core/04_docker_registry.tf +++ b/src/core/04_docker_registry.tf 
@@ -1,11 +1,11 @@ resource "azurerm_resource_group" "rg_docker" { name = local.docker_rg_name - location = var.location + location = var.location_ita tags = var.tags } -module "container_registry_private" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//container_registry?ref=v7.77.0" +module "container_registry_public" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//container_registry?ref=v8.5.0" name = local.docker_registry_name resource_group_name = azurerm_resource_group.rg_docker.name location = azurerm_resource_group.rg_docker.location @@ -15,13 +15,8 @@ module "container_registry_private" { anonymous_pull_enabled = false zone_redundancy_enabled = false public_network_access_enabled = true + private_endpoint_enabled = false - private_endpoint = { - enabled = false - private_dns_zone_ids = null - subnet_id = null - virtual_network_id = null - } # georeplications = [{ # # location = var.location_seconsary diff --git a/src/core/05_postgres_sql.tf b/src/core/05_postgres_sql.tf index be656ece..a83b9b5c 100644 --- a/src/core/05_postgres_sql.tf +++ b/src/core/05_postgres_sql.tf 
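Review bot: Renaming the module address from `container_registry_private` to `container_registry_public` in the first hunk without a `moved { from = module.container_registry_private  to = module.container_registry_public }` block makes Terraform plan a destroy of the old instance and a create of the new one; and since `local.docker_rg_name` and `local.docker_registry_name` also change in the 99_variables.tf hunk and the resource group moves to `var.location_ita`, the registry is replaced under a new login server in any case. Nothing in the commit migrates the images already pushed to the old registry or repoints the consumers of the old login server, so the old registry should presumably stay until its repositories have been imported into the new one and the pipelines and pull secrets reference the new name. On the second hunk, `public_network_access_enabled = true` together with the new `private_endpoint_enabled = false` leaves the registry reachable from any network with only registry authentication in front of it; if that is deliberate, a comment such as `# Public endpoint kept on purpose (<reason>); no private endpoint in this region` plus whatever IP allow-list input the module exposes, if any, would make it auditable. The rest of the module call, including any network rules, is outside the hunk.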
@@ -71,46 +71,68 @@ locals { } } -data "azurerm_key_vault_secret" "postgres_administrator_login" { - name = "postgres-administrator-login" - key_vault_id = data.azurerm_key_vault.kv.id +# +# KeyVault +# +resource "random_password" "pg_admin_password" { + length = 8 + special = true + upper = false + min_numeric = 1 + min_special = 1 + min_upper = 1 + min_lower = 1 + override_special = "-" } -data "azurerm_key_vault_secret" "postgres_administrator_login_password" { - name = "postgres-administrator-login-password" - key_vault_id = data.azurerm_key_vault.kv.id +resource "azurerm_key_vault_secret" "pg_admin_password" { + + name = "pg-admin-password" + value = random_password.pg_admin_password.result + content_type = "text/plain" + + key_vault_id = module.key_vault_core_ita.id +} + +resource "azurerm_key_vault_secret" "pg_admin_user" { + + name = "pg-admin-user" + value = "postgres" + content_type = "text/plain" + + key_vault_id = module.key_vault_core_ita.id } #-------------------------------------------------------------------------------------------------- resource "azurerm_resource_group" "data_rg" { name = "${local.project}-data-rg" - location = var.location + location = var.location_ita tags = var.tags } ## Database subnet module "postgres_snet" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.77.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0" name = "${local.project}-postgres-snet" address_prefixes = var.cidr_subnet_postgres - resource_group_name = azurerm_resource_group.rg_vnet.name - virtual_network_name = module.vnet.name + resource_group_name = azurerm_resource_group.rg_ita_vnet.name + virtual_network_name = module.vnet_italy.name service_endpoints = ["Microsoft.Sql"] private_endpoint_network_policies_enabled = true } module "postgres" { count = var.is_resource_core_enabled.postgresql_server ? 
1 : 0 - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//postgresql_server?ref=v7.77.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//postgresql_server?ref=v8.5.0" name = "${local.project}-postgres" location = azurerm_resource_group.data_rg.location resource_group_name = azurerm_resource_group.data_rg.name - administrator_login = data.azurerm_key_vault_secret.postgres_administrator_login.value - administrator_login_password = data.azurerm_key_vault_secret.postgres_administrator_login_password.value + administrator_login = azurerm_key_vault_secret.pg_admin_user.value + administrator_login_password = azurerm_key_vault_secret.pg_admin_password.value sku_name = "B_Gen5_1" db_version = 11 geo_redundant_backup_enabled = false @@ -119,7 +141,7 @@ module "postgres" { network_rules = var.postgres_network_rules private_endpoint = { enabled = false - virtual_network_id = azurerm_resource_group.rg_vnet.id + virtual_network_id = azurerm_resource_group.rg_ita_vnet.id subnet_id = module.postgres_snet.id private_dns_zone_ids = [] } 
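Review bot: The new `random_password.pg_admin_password` generates an 8-character secret with `upper = false` and `override_special = "-"`, so the alphabet is lower-case letters, digits and a single special character, which is far too little entropy for a database administrator credential that is also stored in Key Vault and in Terraform state. `upper = false` together with `min_upper = 1` is contradictory as well; whichever way the provider resolves it, the intent is unclear. Something like `length = 32`, `upper = true` and dropping `override_special` (or widening it to the set the server accepts) addresses both, and since the result lives in state regardless, access to the state backend is part of the trust boundary for this credential. The `module "postgres"` block that consumes the secret continues past the hunk.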
@@ -141,44 +163,3 @@ module "postgres" { tags = var.tags } - -# # -# # 🔐 KV section -# # -# data "azuread_application" "postgres" { -# display_name = module.postgres.name -# } - -# resource "azurerm_key_vault_access_policy" "postgres" { -# count = var.postgres_byok_enabled ? 1 : 0 -# key_vault_id = data.azurerm_key_vault.kv.id -# tenant_id = data.azurerm_client_config.current.tenant_id -# object_id = data.azuread_application.postgres.object_id -# key_permissions = ["Get", "WrapKey", "UnwrapKey", ] -# secret_permissions = [] -# certificate_permissions = [] -# storage_permissions = [] -# } - -# resource "azurerm_key_vault_key" "postgres" { -# count = var.postgres_byok_enabled ? 1 : 0 -# name = "postgres-key" -# key_vault_id = data.azurerm_key_vault.kv.id -# key_type = "RSA-HSM" -# key_size = 2048 -# key_opts = [ -# "decrypt", -# "encrypt", -# "sign", -# "unwrapKey", -# "verify", -# "wrapKey", -# ] -# } - -# resource "azurerm_postgresql_server_key" "postgres" { -# count = var.postgres_byok_enabled ? 1 : 0 -# depends_on = [azurerm_key_vault_access_policy.postgres] -# server_id = module.postgres.id -# key_vault_key_id = azurerm_key_vault_key.postgres[0].id -# } diff --git a/src/core/07_web_test_preview.tf b/src/core/07_web_test_preview.tf deleted file mode 100644 index 96682f91..00000000 --- a/src/core/07_web_test_preview.tf +++ /dev/null 
@@ -1,36 +0,0 @@ -locals { - - test_urls = [ - { - # management.env.cstar.pagopa.it - host = "google.com", - path = "/", - expected_http_status = 200 - }, - ] - -} - -module "web_test_availability_alert_rules_for_api" { - for_each = { for v in local.test_urls : v.host => v if v != null } - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//application_insights_web_test_preview?ref=v7.77.0" - - subscription_id = data.azurerm_subscription.current.subscription_id - name = "${each.value.host}-test-avail" - location = azurerm_resource_group.monitor_rg.location - resource_group = azurerm_resource_group.monitor_rg.name - application_insight_name = azurerm_application_insights.application_insights.name - application_insight_id = azurerm_application_insights.application_insights.id - request_url = "https://${each.value.host}${each.value.path}" - ssl_cert_remaining_lifetime_check = 7 - expected_http_status = each.value.expected_http_status - - actions = [ - { - action_group_id = azurerm_monitor_action_group.email.id, - }, - { - action_group_id = azurerm_monitor_action_group.slack.id, - }, - ] -} diff --git a/src/core/08_redis.tf b/src/core/08_redis.tf index a068793d..1ae33b40 100644 --- a/src/core/08_redis.tf +++ b/src/core/08_redis.tf 
@@ -1,22 +1,22 @@ resource "azurerm_resource_group" "redis" { - name = "${local.project}-redis-rg" - location = var.location + name = "${local.project_ita}-redis-rg" + location = var.location_ita tags = var.tags } ## redisbase subnet module "redis_snet" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.77.0" - name = "${local.project}-redis-snet" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v8.5.0" + name = "${local.project_ita}-redis-snet" address_prefixes = var.cidr_subnet_redis - resource_group_name = azurerm_resource_group.rg_vnet.name - virtual_network_name = module.vnet.name + resource_group_name = azurerm_resource_group.rg_ita_vnet.name + virtual_network_name = module.vnet_italy.name } module "redis" { count = var.redis_enabled ? 1 : 0 - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache?ref=v7.77.0" - name = "${local.project}-redis" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache?ref=v8.5.0" + name = "${local.project_ita}-redis" resource_group_name = azurerm_resource_group.redis.name location = azurerm_resource_group.redis.location capacity = 1 @@ -29,7 +29,7 @@ module "redis" { private_endpoint = { enabled = true - virtual_network_id = module.vnet.id + virtual_network_id = module.vnet_italy.id subnet_id = module.redis_snet.id private_dns_zone_ids = [azurerm_private_dns_zone.internal_devopslab[0].id] } diff --git a/src/core/09_dns_forwarder.tf b/src/core/09_dns_forwarder.tf deleted file mode 100644 index 038a1012..00000000 --- a/src/core/09_dns_forwarder.tf +++ /dev/null 
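Review bot: In the second hunk the Redis private endpoint now lives in `module.vnet_italy` while `private_dns_zone_ids` still points at `azurerm_private_dns_zone.internal_devopslab[0]`; the endpoint's private A record only resolves from the new VNet if that zone is linked to it, and no such link is visible in this change. If the link is created where `internal_devopslab` is declared, this is fine; otherwise clients in the Italy VNet will resolve the public address instead and bypass the private endpoint. A comment on the line, `# requires a VNet link from internal_devopslab to vnet_italy, see <file that creates the link>`, would make the dependency explicit.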
@@ -1,17 +0,0 @@ - -# Dns Forwarder module - -module "dns_forwarder_lb_vmss" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_lb_vmss?ref=v7.77.0" - count = var.dns_forwarder_is_enabled ? 1 : 0 - - name = local.project - virtual_network_name = local.vnet_name - resource_group_name = local.vnet_resource_group_name - location = var.location - subscription_id = data.azurerm_subscription.current.subscription_id - source_image_name = local.dns_forwarder_vm_image_name - tenant_id = data.azurerm_client_config.current.tenant_id - key_vault_id = data.azurerm_key_vault.kv.id - tags = var.tags -} diff --git a/src/core/10_tools_cae.tf b/src/core/10_containers_app_tools.tf similarity index 63% rename from src/core/10_tools_cae.tf rename to src/core/10_containers_app_tools.tf index 07cdd07e..7016b91e 100644 --- a/src/core/10_tools_cae.tf +++ b/src/core/10_containers_app_tools.tf 
@@ -1,25 +1,25 @@ resource "azurerm_resource_group" "tools_cae_rg" { name = var.container_app_tools_cae_env_rg - location = var.location + location = var.location_ita tags = var.tags } resource "azurerm_subnet" "tools_cae_snet" { - name = "${local.project_neu}-tool-cae-snet" - resource_group_name = module.vnet.resource_group_name - virtual_network_name = module.vnet.name + name = "${local.project_ita}-tool-cae-snet" + resource_group_name = module.vnet_italy.resource_group_name + virtual_network_name = module.vnet_italy.name address_prefixes = var.cidr_subnet_tools_cae } module "container_app_environment" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//container_app_environment_v2?ref=v7.77.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//container_app_environment_v2?ref=v8.5.0" resource_group_name = azurerm_resource_group.tools_cae_rg.name location = azurerm_resource_group.tools_cae_rg.location - name = "${local.project_neu}-tool-cae" + name = "${local.project_ita}-tool-cae" internal_load_balancer = false - log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace.id + log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics_workspace_ita.id tags = var.tags } diff --git a/src/core/20_github_identity.tf b/src/core/20_github_identity.tf index 1d9933e2..71fb4bde 100644 --- a/src/core/20_github_identity.tf +++ b/src/core/20_github_identity.tf @@ -33,7 +33,7 @@ locals { # create a module for each 20 repos module "identity_cd_01" { - source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v7.77.0" + source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v8.5.0" # pagopa---github--identity prefix = var.prefix env_short = var.env_short diff --git a/src/core/99_main.tf b/src/core/99_main.tf index ca539de9..b2fb20e9 100644 --- a/src/core/99_main.tf +++ b/src/core/99_main.tf 
@@ -2,7 +2,7 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "<= 3.96.0" + version = "<= 3.101.0" } azuread = { source = "hashicorp/azuread" diff --git a/src/core/99_variables.tf b/src/core/99_variables.tf index 41959c91..2a8abc3f 100644 --- a/src/core/99_variables.tf +++ b/src/core/99_variables.tf @@ -9,9 +9,8 @@ locals { vnet_resource_group_name = "${local.project}-vnet-rg" vnet_name = "${local.project}-vnet" - # VNET Ephemeral - vnet_ephemeral_resource_group_name = "${local.project}-ephemeral-vnet-rg" - vnet_ephemeral_name = "${local.project}-ephemeral-vnet" + vnet_ita_resource_group_name = "${local.project_ita}-vnet-rg" + vnet_ita_name = "${local.project_ita}-vnet" appgateway_public_ip_name = "${local.project}-gw-pip" appgateway_beta_public_ip_name = "${local.project}-gw-beta-pip" @@ -30,8 +29,8 @@ locals { dns_zone_private_name = "${var.dns_zone_internal_prefix}.${var.external_domain}" # ACR DOCKER - docker_rg_name = "${local.project}-dockerreg-rg" - docker_registry_name = replace("${var.prefix}-${var.env_short}-${var.location_short}-acr", "-", "") + docker_rg_name = "${local.project}-docker-registry-rg" + docker_registry_name = replace("${var.prefix}-${var.env_short}-${var.location_short_ita}-acr", "-", "") # monitor monitor_rg_name = "${local.project}-monitor-rg" 
@@ -39,13 +38,17 @@ locals { monitor_appinsights_name = "${local.project}-appinsights" monitor_security_storage_name = replace("${local.project}-sec-monitor-st", "-", "") - # Azure DevOps - azuredevops_rg_name = "${local.project}-azdoa-rg" - azuredevops_agent_vm_name = "${local.project}-vmss-ubuntu-azdoa" - azuredevops_subnet_name = "${local.project}-azdoa-snet" - # Dns Forwarder - dns_forwarder_vm_image_name = "${local.project}-dns-forwarder-ubuntu2204-image-v1" + # monitor + monitor_ita_rg_name = "${local.project_ita}-monitor-rg" + monitor_ita_log_analytics_workspace_name = "${local.project_ita}-law" + monitor_ita_appinsights_name = "${local.project_ita}-appinsights" + monitor_ita_security_storage_name = replace("${local.project_ita}-sec-monitor-st", "-", "") + + # Azure DevOps + azuredevops_rg_name = "${local.project_ita}-azdoa-rg" + azuredevops_agent_vm_name = "${local.project_ita}-vmss-ubuntu-azdoa" + azuredevops_subnet_name = "${local.project_ita}-azdoa-snet" } variable "prefix" { @@ -99,6 +102,23 @@ variable "location_short" { description = "Location short like eg: neu, weu.." } +variable "location_ita" { + type = string + description = "Main location" +} + +variable "location_short_ita" { + type = string + validation { + condition = ( + length(var.location_short_ita) == 3 + ) + error_message = "Length must be 3 chars." + } + description = "Location short for italy: itn" +} + + variable "lock_enable" { type = bool default = false 
@@ -133,9 +153,24 @@ variable "cidr_subnet_vpn" { description = "VPN network address space." } -variable "cidr_subnet_dnsforwarder" { +variable "cidr_subnet_packer_azdo" { + type = list(string) + description = "VPN network address space." +} + +variable "cidr_subnet_packer_dns_forwarder" { + type = list(string) + description = "VPN network address space." +} + +variable "cidr_subnet_dnsforwarder_lb" { type = list(string) - description = "DNS Forwarder network address space." + description = "DNS Forwarder network address space for LB." +} + +variable "cidr_subnet_dnsforwarder_vmss" { + type = list(string) + description = "DNS Forwarder network address space for VMSS." } variable "cidr_subnet_redis" { @@ -170,30 +205,7 @@ variable "cidr_vnet_italy" { description = "Address prefixes for vnet in italy." } -variable "cidr_subnet_private_endpoints_italy" { - type = list(string) - description = "Subnet cidr." -} - ### Italy location -variable "location_ita" { - type = string - description = "Main location" - default = "italynorth" -} - -variable "location_short_ita" { - type = string - validation { - condition = ( - length(var.location_short_ita) == 3 - ) - error_message = "Length must be 3 chars." - } - description = "Location short for italy: itn" - default = "itn" -} - variable "vnet_ita_ddos_protection_plan" { type = object({ id = string @@ -341,16 +353,19 @@ variable "dns_forwarder_enabled" { ## VPN ## variable "vpn_sku" { type = string - default = "VpnGw1" description = "VPN Gateway SKU" } variable "vpn_pip_sku" { type = string - default = "Basic" description = "VPN GW PIP SKU" } +variable "dns_forwarder_vmss_image_name" { + type = string + description = "vpn dns forwarder image name" +} + # # Redis # diff --git a/src/core/README.md b/src/core/README.md index 1ed56f9e..031cbb9b 100644 --- a/src/core/README.md +++ b/src/core/README.md 
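Review bot: The descriptions of the two new variables `cidr_subnet_packer_azdo` and `cidr_subnet_packer_dns_forwarder` both read "VPN network address space.", copied from `cidr_subnet_vpn` just above them, which is misleading to anyone filling in tfvars. Going by the names they look like Packer build subnets, so `description = "Packer build subnet for the Azure DevOps agent image."` and `description = "Packer build subnet for the DNS forwarder image."` would fit, or whatever the subnets actually host if that guess is wrong. In the last hunk on this line, `dns_forwarder_vmss_image_name` is described as "vpn dns forwarder image name"; the `vpn` there looks like the same copy-paste.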
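Review bot: `location_ita` and `location_short_ita` are re-declared without their previous `italynorth`/`itn` defaults (the `@@ -99,6 +102,23 @@` hunk adds the new declarations and the `@@ -170,30 +205,7 @@` hunk removes the defaulted ones), and `vpn_sku` and `vpn_pip_sku` lose `VpnGw1`/`Basic` in the `@@ -341,16 +353,19 @@` hunk, so all four become required inputs and every environment's tfvars must set them before plan succeeds. Making the region explicit per environment is a reasonable choice, but the per-environment tfvars changes are not visible from here, so it is worth confirming each environment defines the four values in the same change. A short comment on the variables, e.g. `# No default on purpose: each environment must pin its region and VPN SKU explicitly`, would record the intent.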
@@ -29,7 +29,7 @@ az network dns zone show \ |------|---------| | [azapi](#requirement\_azapi) | <= 1.12.0 | | [azuread](#requirement\_azuread) | <= 2.47.0 | -| [azurerm](#requirement\_azurerm) | <= 3.96.0 | +| [azurerm](#requirement\_azurerm) | <= 3.101.0 | | [local](#requirement\_local) | <= 2.3.0 | | [null](#requirement\_null) | <= 3.2.1 | | [random](#requirement\_random) | <= 3.6.0 | 
@@ -39,52 +39,49 @@ az network dns zone show \ | Name | Source | Version | |------|--------|---------| -| [apim](#module\_apim) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management | v7.77.0 | -| [apim\_blueprint\_status\_v1](#module\_apim\_blueprint\_status\_v1) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api | v7.77.0 | -| [apim\_product\_blueprint](#module\_apim\_product\_blueprint) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product | v7.77.0 | -| [apim\_snet](#module\_apim\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.77.0 | -| [apim\_stv2\_snet](#module\_apim\_stv2\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.77.0 | -| [azdoa\_snet](#module\_azdoa\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.77.0 | -| [azdoa\_vmss\_li](#module\_azdoa\_vmss\_li) | git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent | v7.77.0 | -| [container\_app\_environment](#module\_container\_app\_environment) | git::https://github.com/pagopa/terraform-azurerm-v3.git//container_app_environment_v2 | v7.77.0 | -| [container\_registry\_private](#module\_container\_registry\_private) | git::https://github.com/pagopa/terraform-azurerm-v3.git//container_registry | v7.77.0 | -| [dns\_forwarder](#module\_dns\_forwarder) | git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder | v7.77.0 | -| [dns\_forwarder\_lb\_vmss](#module\_dns\_forwarder\_lb\_vmss) | git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_lb_vmss | v7.77.0 | -| [dns\_forwarder\_snet](#module\_dns\_forwarder\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.77.0 | -| [identity\_cd\_01](#module\_identity\_cd\_01) | github.com/pagopa/terraform-azurerm-v3//github_federated_identity | v7.77.0 | -| [postgres](#module\_postgres) | 
git::https://github.com/pagopa/terraform-azurerm-v3.git//postgresql_server | v7.77.0 | -| [postgres\_snet](#module\_postgres\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.77.0 | -| [private\_endpoints\_italy\_snet](#module\_private\_endpoints\_italy\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.77.0 | -| [private\_endpoints\_snet](#module\_private\_endpoints\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.77.0 | -| [redis](#module\_redis) | git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache | v7.77.0 | -| [redis\_snet](#module\_redis\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.77.0 | -| [security\_monitoring\_storage](#module\_security\_monitoring\_storage) | git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account | v7.77.0 | -| [vnet](#module\_vnet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network | v7.77.0 | -| [vnet\_ita\_peering](#module\_vnet\_ita\_peering) | git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network_peering | v7.77.0 | -| [vnet\_italy](#module\_vnet\_italy) | git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network | v7.77.0 | -| [vpn](#module\_vpn) | git::https://github.com/pagopa/terraform-azurerm-v3.git//vpn_gateway | v7.77.0 | -| [vpn\_snet](#module\_vpn\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.77.0 | -| [web\_test\_availability\_alert\_rules\_for\_api](#module\_web\_test\_availability\_alert\_rules\_for\_api) | git::https://github.com/pagopa/terraform-azurerm-v3.git//application_insights_web_test_preview | v7.77.0 | +| [azdoa\_snet](#module\_azdoa\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 | +| [azdoa\_vmss\_li](#module\_azdoa\_vmss\_li) | git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent | v8.5.0 | +| 
[container\_app\_environment](#module\_container\_app\_environment) | git::https://github.com/pagopa/terraform-azurerm-v3.git//container_app_environment_v2 | v8.5.0 | +| [container\_registry\_public](#module\_container\_registry\_public) | git::https://github.com/pagopa/terraform-azurerm-v3.git//container_registry | v8.5.0 | +| [dns\_forwarder\_lb\_vmss](#module\_dns\_forwarder\_lb\_vmss) | git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_lb_vmss | dns-forwarder-lb-fix | +| [identity\_cd\_01](#module\_identity\_cd\_01) | github.com/pagopa/terraform-azurerm-v3//github_federated_identity | v8.5.0 | +| [key\_vault\_core\_ita](#module\_key\_vault\_core\_ita) | github.com/pagopa/terraform-azurerm-v3.git//key_vault | v8.5.0 | +| [packer\_azdo\_snet](#module\_packer\_azdo\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 | +| [packer\_dns\_forwarder\_snet](#module\_packer\_dns\_forwarder\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 | +| [postgres](#module\_postgres) | git::https://github.com/pagopa/terraform-azurerm-v3.git//postgresql_server | v8.5.0 | +| [postgres\_snet](#module\_postgres\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 | +| [private\_endpoints\_snet](#module\_private\_endpoints\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 | +| [redis](#module\_redis) | git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache | v8.5.0 | +| [redis\_snet](#module\_redis\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 | +| [subnet\_dns\_forwarder\_lb](#module\_subnet\_dns\_forwarder\_lb) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 | +| [subnet\_dns\_forwarder\_vmss](#module\_subnet\_dns\_forwarder\_vmss) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 | +| [vnet](#module\_vnet) | 
git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network | v8.5.0 | +| [vnet\_ita\_peering](#module\_vnet\_ita\_peering) | git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network_peering | v8.5.0 | +| [vnet\_italy](#module\_vnet\_italy) | git::https://github.com/pagopa/terraform-azurerm-v3.git//virtual_network | v8.5.0 | +| [vpn](#module\_vpn) | git::https://github.com/pagopa/terraform-azurerm-v3.git//vpn_gateway | v8.5.0 | +| [vpn\_snet](#module\_vpn\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.5.0 | ## Resources | Name | Type | |------|------| -| [azurerm_api_management_custom_domain.api_custom_domain](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_custom_domain) | resource | | [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_insights) | resource | +| [azurerm_application_insights.application_insights_ita](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_insights) | resource | | [azurerm_dns_a_record.api_devopslab_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource | -| [azurerm_dns_a_record.helm_template_ingress_devopslab_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource | | [azurerm_dns_cname_record.public_healthy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_cname_record) | resource | -| [azurerm_dns_ns_record.lab_it_ns](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_ns_record) | resource | | [azurerm_dns_zone.public](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone) | resource | -| 
[azurerm_key_vault_access_policy.api_management_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_access_policy.adgroup_admin_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_access_policy.adgroup_developers_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_access_policy.adgroup_externals_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_access_policy.adgroup_security_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_secret.application_insights_ita_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.application_insights_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.pg_admin_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.pg_admin_user](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_log_analytics_workspace.log_analytics_workspace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource | +| [azurerm_log_analytics_workspace.log_analytics_workspace_ita](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource | | 
[azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_action_group) | resource | | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_action_group) | resource | -| [azurerm_network_security_group.apim_snet_nsg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource | -| [azurerm_network_security_rule.apim_snet_nsg_rules](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource | -| [azurerm_private_dns_a_record.api_internal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource | | [azurerm_private_dns_zone.internal_devopslab](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource | | [azurerm_private_dns_zone.privatelink_postgres_database_azure_com](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource | | [azurerm_private_dns_zone.storage_account](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource | 
@@ -98,27 +95,26 @@ az network dns zone show \ | [azurerm_public_ip.appgateway_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource | | [azurerm_resource_group.azdo_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.data_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | -| [azurerm_resource_group.dns_forwarder](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.managed_identities_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_resource_group.monitor_ita_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.redis](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | -| [azurerm_resource_group.rg_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.rg_docker](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.rg_ita_vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.rg_vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | 
[azurerm_resource_group.tools_cae_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_subnet.tools_cae_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource | -| [azurerm_subnet_network_security_group_association.apim_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association) | resource | -| [azurerm_subnet_network_security_group_association.apim_stv2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association) | resource | +| [random_password.pg_admin_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | | [azuread_application.vpn_app](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application) | data source | +| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | | [azurerm_key_vault.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | -| [azurerm_key_vault_certificate.apim_internal_certificate](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate) | data 
source | -| [azurerm_key_vault_secret.apim_publisher_email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.monitor_notification_email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.monitor_notification_slack_email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | -| [azurerm_key_vault_secret.postgres_administrator_login](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | -| [azurerm_key_vault_secret.postgres_administrator_login_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_resource_group.identity_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | | [azurerm_virtual_network.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source | 
@@ -138,10 +134,12 @@ az network dns zone show \ | [cidr\_subnet\_apim](#input\_cidr\_subnet\_apim) | Address prefixes subnet api management. | `list(string)` | `null` | no | | [cidr\_subnet\_apim\_stv2](#input\_cidr\_subnet\_apim\_stv2) | Address prefixes subnet api management stv2. | `list(string)` | `null` | no | | [cidr\_subnet\_azdoa](#input\_cidr\_subnet\_azdoa) | Azure DevOps agent network address space. | `list(string)` | n/a | yes | -| [cidr\_subnet\_dnsforwarder](#input\_cidr\_subnet\_dnsforwarder) | DNS Forwarder network address space. | `list(string)` | n/a | yes | +| [cidr\_subnet\_dnsforwarder\_lb](#input\_cidr\_subnet\_dnsforwarder\_lb) | DNS Forwarder network address space for LB. | `list(string)` | n/a | yes | +| [cidr\_subnet\_dnsforwarder\_vmss](#input\_cidr\_subnet\_dnsforwarder\_vmss) | DNS Forwarder network address space for VMSS. | `list(string)` | n/a | yes | +| [cidr\_subnet\_packer\_azdo](#input\_cidr\_subnet\_packer\_azdo) | VPN network address space. | `list(string)` | n/a | yes | +| [cidr\_subnet\_packer\_dns\_forwarder](#input\_cidr\_subnet\_packer\_dns\_forwarder) | VPN network address space. | `list(string)` | n/a | yes | | [cidr\_subnet\_postgres](#input\_cidr\_subnet\_postgres) | Database network address space. | `list(string)` | n/a | yes | | [cidr\_subnet\_private\_endpoints](#input\_cidr\_subnet\_private\_endpoints) | Subnet cidr postgres flex. | `list(string)` | n/a | yes | -| [cidr\_subnet\_private\_endpoints\_italy](#input\_cidr\_subnet\_private\_endpoints\_italy) | Subnet cidr. | `list(string)` | n/a | yes | | [cidr\_subnet\_redis](#input\_cidr\_subnet\_redis) | Redis. | `list(string)` | n/a | yes | | [cidr\_subnet\_tools\_cae](#input\_cidr\_subnet\_tools\_cae) | n/a | `list(string)` | n/a | yes | | [cidr\_subnet\_vpn](#input\_cidr\_subnet\_vpn) | VPN network address space. | `list(string)` | n/a | yes | 
@@ -151,6 +149,7 @@ az network dns zone show \ | [dns\_default\_ttl\_sec](#input\_dns\_default\_ttl\_sec) | value | `number` | `3600` | no | | [dns\_forwarder\_enabled](#input\_dns\_forwarder\_enabled) | Enable dns forwarder setup | `bool` | `false` | no | | [dns\_forwarder\_is\_enabled](#input\_dns\_forwarder\_is\_enabled) | Allow to enable or disable dns forwarder backup | `bool` | `true` | no | +| [dns\_forwarder\_vmss\_image\_name](#input\_dns\_forwarder\_vmss\_image\_name) | vpn dns forwarder image name | `string` | n/a | yes | | [dns\_zone\_internal\_prefix](#input\_dns\_zone\_internal\_prefix) | The dns subdomain. | `string` | `null` | no | | [dns\_zone\_prefix](#input\_dns\_zone\_prefix) | n/a | `string` | n/a | yes | | [domain](#input\_domain) | n/a | `string` | n/a | yes | 
@@ -166,9 +165,9 @@ az network dns zone show \ | [law\_retention\_in\_days](#input\_law\_retention\_in\_days) | The workspace data retention in days | `number` | `30` | no | | [law\_sku](#input\_law\_sku) | Sku of the Log Analytics Workspace | `string` | `"PerGB2018"` | no | | [location](#input\_location) | n/a | `string` | `"westeurope"` | no | -| [location\_ita](#input\_location\_ita) | Main location | `string` | `"italynorth"` | no | +| [location\_ita](#input\_location\_ita) | Main location | `string` | n/a | yes | | [location\_short](#input\_location\_short) | Location short like eg: neu, weu.. | `string` | n/a | yes | -| [location\_short\_ita](#input\_location\_short\_ita) | Location short for italy: itn | `string` | `"itn"` | no | +| [location\_short\_ita](#input\_location\_short\_ita) | Location short for italy: itn | `string` | n/a | yes | | [lock\_enable](#input\_lock\_enable) | Apply locks to block accedentaly deletions. | `bool` | `false` | no | | [postgres\_alerts\_enabled](#input\_postgres\_alerts\_enabled) | Database alerts enabled? | `bool` | `false` | no | | [postgres\_byok\_enabled](#input\_postgres\_byok\_enabled) | Enable postgresql encryption with Customer Managed Key (BYOK) | `bool` | `false` | no | @@ -178,10 +177,10 @@ az network dns zone show \ | [prefix](#input\_prefix) | n/a | `string` | `"dvopla"` | no | | [redis\_enabled](#input\_redis\_enabled) | Redis | `bool` | `false` | no | | [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | -| [vnet\_ita\_ddos\_protection\_plan](#input\_vnet\_ita\_ddos\_protection\_plan) | n/a |
object({
id = string
enable = bool
})
| `null` | no | +| [vnet\_ita\_ddos\_protection\_plan](#input\_vnet\_ita\_ddos\_protection\_plan) | ## Italy location |
object({
id = string
enable = bool
})
| `null` | no | | [vpn\_enabled](#input\_vpn\_enabled) | Enable VPN setup | `bool` | `false` | no | -| [vpn\_pip\_sku](#input\_vpn\_pip\_sku) | VPN GW PIP SKU | `string` | `"Basic"` | no | -| [vpn\_sku](#input\_vpn\_sku) | VPN Gateway SKU | `string` | `"VpnGw1"` | no | +| [vpn\_pip\_sku](#input\_vpn\_pip\_sku) | VPN GW PIP SKU | `string` | n/a | yes | +| [vpn\_sku](#input\_vpn\_sku) | VPN Gateway SKU | `string` | n/a | yes | ## Outputs diff --git a/src/core/env/dev/terraform.tfvars b/src/core/env/dev/terraform.tfvars index 05b368e2..d89cfd1c 100644 --- a/src/core/env/dev/terraform.tfvars +++ b/src/core/env/dev/terraform.tfvars @@ -1,10 +1,12 @@ # general -env_short = "d" -env = "dev" -prefix = "dvopla" -domain = "core" -location = "northeurope" -location_short = "neu" +env_short = "d" +env = "dev" +prefix = "dvopla" +domain = "core" +location = "northeurope" +location_short = "neu" +location_ita = "italynorth" +location_short_ita = "itn" tags = { CreatedBy = "Terraform" 
@@ -30,28 +32,34 @@ key_vault_rg_name = "dvopla-d-sec-rg" # ☁️ networking cidr_vnet = ["10.1.0.0/16"] cidr_subnet_appgateway = ["10.1.128.0/24"] -cidr_subnet_postgres = ["10.1.129.0/24"] -cidr_subnet_azdoa = ["10.1.130.0/24"] cidr_subnet_app_docker = ["10.1.132.0/24"] cidr_subnet_flex_dbms = ["10.1.133.0/24"] -cidr_subnet_apim = ["10.1.136.0/24"] cidr_subnet_appgateway_beta = ["10.1.138.0/24"] -cidr_subnet_vpn = ["10.1.139.0/24"] -cidr_subnet_dnsforwarder = ["10.1.140.0/29"] cidr_subnet_private_endpoints = ["10.1.141.0/24"] cidr_subnet_eventhub = ["10.1.142.0/24"] -cidr_subnet_redis = ["10.1.143.0/24"] cidr_subnet_funcs_diego_domain = ["10.1.144.0/24"] cidr_subnet_app_diego_app = ["10.1.145.0/24"] cidr_subnet_github_runner_self_hosted = ["10.1.148.0/23"] cidr_subnet_container_apps_dapr = ["10.1.150.0/23"] #placeholder cidr_subnet_apim_stv2 = ["10.1.152.0/24"] -cidr_subnet_tools_cae = ["10.1.248.0/23"] ### Italy cidr_vnet_italy = ["10.3.0.0/16"] -cidr_subnet_private_endpoints_italy = ["10.3.251.0/24"] +cidr_subnet_aks = ["10.3.0.0/23"] #place holder +cidr_subnet_vpn = ["10.3.2.0/24"] +cidr_subnet_apim = ["10.3.3.0/24"] +cidr_subnet_postgres = ["10.3.4.0/24"] +cidr_subnet_redis = ["10.3.5.0/24"] +cidr_subnet_azdoa = ["10.3.6.0/29"] + +cidr_subnet_dnsforwarder_lb = ["10.3.200.0/29"] +cidr_subnet_dnsforwarder_vmss = ["10.3.200.8/29"] + +cidr_subnet_packer_azdo = ["10.3.254.0/28"] +cidr_subnet_packer_dns_forwarder = ["10.3.254.16/28"] + +cidr_subnet_tools_cae = ["10.3.252.0/23"] # azure devops enable_azdoa = true @@ -60,6 +68,8 @@ enable_iac_pipeline = true # VPN vpn_enabled = true dns_forwarder_enabled = true +vpn_sku = "VpnGw1" +vpn_pip_sku = "Standard" # app_gateway app_gateway_is_enabled = false 
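Review bot: Three of the relocated subnets are /29s — `cidr_subnet_azdoa`, `cidr_subnet_dnsforwarder_lb` and `cidr_subnet_dnsforwarder_vmss` — and Azure reserves five addresses in every subnet, so each leaves three assignable IPs; for `cidr_subnet_azdoa` that is a drop from the /24 it had in the north-europe vnet and caps the DevOps agent scale set at three instances, and the same cap applies to the DNS forwarder VMSS. If those limits are intended, a comment such as `# /29: 3 usable addresses, caps the scale set at 3 instances` next to each line would make the choice explicit; otherwise a /28 or /27 avoids a silent scale-out failure later. `cidr_subnet_aks` is new in this file but I cannot see a matching `variable` declaration in the diff, and Terraform only warns about a value for an undeclared variable in a tfvars file, so it is worth confirming one exists rather than leaving a placeholder that is never validated.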
@@ -167,7 +177,8 @@ redis_enabled = false law_daily_quota_gb = 1 -azdoa_image_name = "azdo-agent-ubuntu2204-image-velero-v1" +azdoa_image_name = "azdo-agent-ubuntu2204-image-v1" +dns_forwarder_vmss_image_name = "dvopla-d-itn-dns-forwarder-ubuntu2204-image-v1" # # Container app ENV diff --git a/src/packer/.terraform.lock.hcl b/src/packer/.terraform.lock.hcl index d981cd87..63f0da43 100644 --- a/src/packer/.terraform.lock.hcl +++ b/src/packer/.terraform.lock.hcl 
@@ -2,74 +2,77 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azuread" { - version = "2.10.0" - constraints = "2.10.0" + version = "2.47.0" + constraints = "<= 2.47.0" hashes = [ - "h1:PW8Nwk1j7mm77Mlpc8DWnqjHqnSvBcvcOXDLbS1PACo=", - "h1:cP6vfuXYR5suhxO6SK/O+payBUt0pF7y+H00dmK9BDQ=", - "h1:gdC9ZhsqA/WAP6XIKO1EJyS9JEz+NYzxbpwNtMATprI=", - "h1:ufHQieXkEfagCV6KcXCawmg5lx0bLbYiXxeDFrJugtg=", - "zh:0c7540003a9ce0926dbb945b07dbd853f0d476d8fa3ba9660f3419201d6ec424", - "zh:16564bc569bf1202353aa2827257b65bd84e447ccbd777c4c79840b45421d39a", - "zh:26b1e51d83d12561a90d917606c34a615a448338a8bb9464e2f186fca9128873", - "zh:55c7d6a375b90d642de983dbc0217c23b6221251fa7499d351725885fde5ae0f", - "zh:612aa0bd17ca54117d8b65b4d7119a415aa47f3c573e793ca59ec46bd027f28c", - "zh:710fa7920e4cff3f8ce2c0f5650a8ff533b8ee1408da59ffd35b878dfa0cfb85", - "zh:7cb51092cf40a4ae92c31ac28cb547419dac675efe02990b3d6f2c80a4d70ef4", - "zh:81f5785beadf83be022ce009e995f744e47bcec0bb8d5d6c76ef7daf8f36159f", - "zh:8b833f623e873438f58f2e8dd5a2c17aaa38b945c0aa7338f80a2913b32fac88", - "zh:e85576db09c5bc4adf5ef3f3b0d1703dfad8578360961d7a68d1b01a8469443c", - "zh:eedb8939221efbab68ea89d561c33354d4066a5b22656ca23314053be4962fe0", + "h1:KB9BNRNStbdsfdRmVXUwXtN77qgX5VjBy2UALcqp218=", + "h1:g8+gBFM4QVOEQFqAEs5pR6iXpbGvgPvcEi1evHwziyw=", + "h1:iRwDQBdXBpVBoYwM9au2RG01RQuJSm3TGQ2kioFVAas=", + "h1:zYMGokLn44KSWir7Nr4t8lEAPMB6JuXd2LlP2Ac2tMY=", + "zh:1372d81eb24ef3b4b00ea350fe87219f22da51691b8e42ce91d662f6c2a8af5e", + "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", + "zh:1e654a74d171d6ff8f9f6f67e3ff1421d4c5e56a18607703626bf12cd23ba001", + "zh:35227fad617a0509c64ab5759a8b703b10d244877f1aa5416bfbcc100c96996f", + "zh:357f553f0d78d46a96c7b2ed06d25ee0fc60fc5be19812ccb5d969fa47d62e17", + "zh:58faa2940065137e3e87d02eba59ab5cd7137d7a18caf225e660d1788f274569", + "zh:7308eda0339620fa24f47cedd22221fc2c02cab9d5be1710c09a783aea84eb3a", + 
"zh:863eabf7f908a8263e28d8aa2ad1381affd6bb5c67755216781f674ef214100e", + "zh:8b95b595a7c14ed7b56194d03cdec253527e7a146c1c58961be09e6b5c50baee", + "zh:afbca6b4fac9a0a488bc22ff9e51a8f14e986137d25275068fd932f379a51d57", + "zh:c6aadec4c81a44c3ffc22c2d90ffc6706bf5a9a903a395d896477516f4be6cbb", + "zh:e54a59de7d4ef0f3a18f91fed0b54a2bce18257ae2ee1df8a88226e1023c5811", ] } provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.36.0" - constraints = "3.36.0" + version = "3.97.0" + constraints = "<= 3.97.0, <= 3.101.0" hashes = [ - "h1:5QKOFigw44W3w/HfV8o+k8+UyhAXf+4E7MPh14C3Gbg=", - "h1:FUwQUSs5nWDpP5isF3SiTPe+K927/L07yXumr6gQ1GQ=", - "h1:W7oq9M6gplv2g8nHFR3lkwBmVaUxWj289eWNwwe0wek=", - "h1:iVUkJ0kqVTdiU4RLU8TjX1QgOK1tc+Bi+rn0qGqsMvg=", - "zh:1f33ba9f4e4d7aac33ba414a978e3aa76fee355eb5e213adca52fd3b3e04a709", - "zh:1f812d28672f8693dd8f13aa4d94a13724d5985c62e0e9f2154bc8f1e34a8b99", - "zh:422c4da1f56a5c6a20ceee10782e6f21db97bfe978676bf8b108f23c028ae12f", - "zh:4890a7032a4075c2a900670efdcbf6cda240aa270e3ddda8936fea0708fbb0d2", - "zh:5dfeace4cd5f90e255307d55b6a9b57590103b4eec07ec44aa4d29cb414067f4", - "zh:828d156e1deee82fb49738c6b3011f5dafd9043976e8d353e7f2d90ede85a984", - "zh:8df2bb82da3551c7837e5c893d839ae0174305cb17815c0fb0f64f40ef06d00e", - "zh:c22a3e151872d082ea323b85b4731f9371c30369eb50a84b08638b36ddcae967", - "zh:d938f8aff30bd48d3fab96dc162c1b78680226fa8509042dad742e7218311855", + "h1:TH+9J9uKY+cv3UpblFePRWn34Ltnvlbyq632LN/HXkc=", + "h1:VzEIAZkMWp2roiimZr0AQjp15aXL3ULDnJ96gFEgf6M=", + "h1:g5kZLUsjJLJtWAHRYMioNhVa4dHf0l6MwsWHeVUe3XY=", + "h1:kucoUAGMwPYz6rwRescfWNZiCtCtVrq1bm+ilQc+n7Y=", + "zh:18601a52f77ceae0df85f0fe61cda608d74b80495ab89f27f97f54c08c80c807", + "zh:3749cc4e86a7242e9ac52bc7a5a42dc597cba79a643be95688e94cf9d600de45", + "zh:6273666c7f288bf4b72717f5c0264046814e8e8917e77060ef7d873d89e4eb8e", + "zh:67f8788cb2e2e1b81c6757957638818c2dc87e37ed6d3cd9576a2c1782718a9f", + "zh:987b4c27cb88a05b1693615a2b4659b10d831f72fc855e6c97757d27fb07c126", + 
"zh:98ccf842593b462e889874aca9067a6525b430594a1b549dadb0a125c73f757f", + "zh:aa4911942c5ff5d38e76768acecf88839f4357689442cda259a52c463b94a6dd", + "zh:b36c7b97c56ab89aa47eb1ad1e06e8fe52d775add5ccad3038f2e24afd60e73d", + "zh:bee2afcadde5d044138b0938eee991a391283c3afb71b7a4388d4c64961d33ef", + "zh:e700b8d34367496fac293cd11b62302ad262705f72c8f19942e46fbef8607ece", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:fc85a4b1d6df95188d0e12e15f1fc292f9781362c8da9c2bc70ff56ae313f3ac", - "zh:fee5a19577b195bf38b7ad1cb0f4f98c218b95b8679ba12766ce67e7674e2505", + "zh:f81158dfe5b328bd47ba9997fcbacaec894fdcbd08f234ca16b9a7f2e3c22928", ] } provider "registry.terraform.io/hashicorp/null" { - version = "3.1.0" - constraints = "3.1.0, <= 3.2.1" + version = "3.2.0" + constraints = "<= 3.2.0, <= 3.2.1" hashes = [ - "h1:SFT7X3zY18CLWjoH2GfQyapxsRv6GDKsy9cF1aRwncc=", - "h1:grYDj8/Lvp1OwME+g1AsECPN1czO5ssSf+8fCluCHQY=", - "h1:vpC6bgUQoJ0znqIKVFevOdq+YQw42bRq0u+H3nto8nA=", - "h1:xhbHC6in3nQryvTQBWKxebi3inG5OCgHgc4fRxL0ymc=", - "zh:02a1675fd8de126a00460942aaae242e65ca3380b5bb192e8773ef3da9073fd2", - "zh:53e30545ff8926a8e30ad30648991ca8b93b6fa496272cd23b26763c8ee84515", - "zh:5f9200bf708913621d0f6514179d89700e9aa3097c77dac730e8ba6e5901d521", - "zh:9ebf4d9704faba06b3ec7242c773c0fbfe12d62db7d00356d4f55385fc69bfb2", - "zh:a6576c81adc70326e4e1c999c04ad9ca37113a6e925aefab4765e5a5198efa7e", - "zh:a8a42d13346347aff6c63a37cda9b2c6aa5cc384a55b2fe6d6adfa390e609c53", - "zh:c797744d08a5307d50210e0454f91ca4d1c7621c68740441cf4579390452321d", - "zh:cecb6a304046df34c11229f20a80b24b1603960b794d68361a67c5efe58e62b8", - "zh:e1371aa1e502000d9974cfaff5be4cfa02f47b17400005a16f14d2ef30dc2a70", - "zh:fc39cc1fe71234a0b0369d5c5c7f876c71b956d23d7d6f518289737a001ba69b", - "zh:fea4227271ebf7d9e2b61b89ce2328c7262acd9fd190e1fd6d15a591abfa848e", + "h1:6yiJqQ6JAJW3oMxuZrWoUgHYpkscorX40Q/LzOMzY+w=", + "h1:J80oY79aQzHfzXYidtMrn9+G+F4YLL4iJqFBMHbLcWM=", + 
"h1:ZbuTqXe8q7Z0IJ2wkF4nio7eZDQc02sezY0esJ5b1Bc=", + "h1:pfjuwssoCoBDRbutlVLAP8wiDrkQ3G4d3rs+f7uSh2A=", + "zh:1d88ea3af09dcf91ad0aaa0d3978ca8dcb49dc866c8615202b738d73395af6b5", + "zh:3844db77bfac2aca43aaa46f3f698c8e5320a47e838ee1318408663449547e7e", + "zh:538fadbd87c576a332b7524f352e6004f94c27afdd3b5d105820d328dc49c5e3", + "zh:56def6f00fc2bc9c3c265b841ce71e80b77e319de7b0f662425b8e5e7eb26846", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8fce56e5f1d13041d8047a1d0c93f930509704813a28f8d39c2b2082d7eebf9f", + "zh:989e909a5eca96b8bdd4a0e8609f1bd525949fd226ae870acedf2da0c55b0451", + "zh:99ddc34ad13e04e9c3477f5422fbec20fc13395ff940720c287bfa5c546d2fbc", + "zh:b546666da4b4b60c0eec23faab7f94dc900e48f66b5436fc1ac0b87c6709ef04", + "zh:d56643cb08cba6e074d70c4af37d5de2bd7c505f81d866d6d47c9e1d28ec65d1", + "zh:f39ac5ff9e9d00e6a670bce6825529eded4b0b4966abba36a387db5f0712d7ba", + "zh:fe102389facd09776502327352be99becc1ac09e80bc287db84a268172be641f", ] } provider "registry.terraform.io/hashicorp/random" { - version = "3.6.0" + version = "3.6.0" + constraints = "<= 3.6.0" hashes = [ "h1:I8MBeauYA8J8yheLJ8oSMWqB0kovn16dF/wKZ1QTdkk=", "h1:R5Ucn26riKIEijcsiOMBR3uOAjuOMfI1x7XvH4P6B1w=", diff --git a/src/packer/00_network.tf b/src/packer/00_network.tf new file mode 100644 index 00000000..7a64d1d1 --- /dev/null +++ b/src/packer/00_network.tf 
@@ -0,0 +1,20 @@ +data "azurerm_virtual_network" "vnet_ita" { + name = local.vnet_ita_core_name + resource_group_name = local.vnet_ita_core_rg_name +} + +data "azurerm_resource_group" "rg_vnet_ita" { + name = local.vnet_ita_core_rg_name +} + +data "azurerm_subnet" "packer_azdo_subnet" { + name = local.subnet_packer_azdo_name + virtual_network_name = local.vnet_ita_core_name + resource_group_name = local.vnet_ita_core_rg_name +} + +data "azurerm_subnet" "packer_dns_subnet" { + name = local.subnet_packer_dnsforwarder_name + virtual_network_name = local.vnet_ita_core_name + resource_group_name = local.vnet_ita_core_rg_name +} diff --git a/src/packer/01_azure_devops_agent.tf b/src/packer/01_azure_devops_agent.tf index 6a32b8c1..1240b54e 100644 --- a/src/packer/01_azure_devops_agent.tf +++ b/src/packer/01_azure_devops_agent.tf @@ -1,15 +1,14 @@ data "azurerm_resource_group" "resource_group" { - name = "${local.project}-azdoa-rg" + name = local.azdo_resource_group_name } - module "azdoa_custom_image" { - source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent_custom_image?ref=v7.50.0" + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent_custom_image?ref=update-azdo-image" resource_group_name = data.azurerm_resource_group.resource_group.name location = var.location - image_name = "azdo-agent-ubuntu2204-image-velero" - image_version = "v2" + image_name = "azdo-agent-ubuntu2204-image" + image_version = var.azdo_image_version subscription_id = data.azurerm_subscription.current.subscription_id prefix = "devopla" - tags = var.tags + } diff --git a/src/packer/02_dns_forwarder.tf b/src/packer/02_dns_forwarder.tf index 043051a3..db584e9c 100644 --- a/src/packer/02_dns_forwarder.tf +++ b/src/packer/02_dns_forwarder.tf 
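Review bot: The `azdoa_custom_image` module source now points at `?ref=update-azdo-image`, a branch name rather than a tag or commit, so the code `terraform init` fetches can change between runs without any change in this repository; the `dns_forwarder_image` module in `02_dns_forwarder.tf` is switched to the same ref. Once the upstream change is merged, pin back to a released tag (the previous form was `?ref=v7.50.0`) or to a full commit SHA. `tags = var.tags` is dropped from both modules as well; if the updated module no longer accepts `tags` that is fine, but otherwise the built images lose the tags the rest of the stack applies, and a one-line comment stating why would help the next reader.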
@@ -1,15 +1,10 @@
-data "azurerm_resource_group" "vnet_rg" {
- name = "${local.project}-vnet-rg"
-}
-
 module "dns_forwarder_image" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_vm_image?ref=v7.69.1"
- resource_group_name = data.azurerm_resource_group.vnet_rg.name
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_vm_image?ref=update-azdo-image"
+ resource_group_name = data.azurerm_resource_group.rg_vnet_ita.name
 location = var.location
 image_name = "${local.project}-dns-forwarder-ubuntu2204-image"
 image_version = var.dns_forwarder_image_version
 subscription_id = data.azurerm_subscription.current.subscription_id
 prefix = local.project
- tags = var.tags
 }
diff --git a/src/packer/99_main.tf b/src/packer/99_main.tf
index ded826d8..f9e7f7c8 100644
--- a/src/packer/99_main.tf
+++ b/src/packer/99_main.tf
@@ -2,14 +2,14 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "= 3.36.0"
+ version = "<= 3.101.0"
 }
 azuread = {
 source = "hashicorp/azuread"
- version = "= 2.10.0"
+ version = "<= 2.47.0"
 }
 null = {
- version = "= 3.1.0"
+ version = "<= 3.2.0"
 }
 }
diff --git a/src/packer/99_variables.tf b/src/packer/99_variables.tf
index 97f0a25c..5be37fed 100644
--- a/src/packer/99_variables.tf
+++ b/src/packer/99_variables.tf
@@ -1,7 +1,15 @@
 # general
 locals {
- project = "${var.prefix}-${var.env_short}"
+ project = "${var.prefix}-${var.env_short}-${var.location_short}"
+
+ vnet_ita_core_name = "dvopla-d-itn-vnet"
+ vnet_ita_core_rg_name = "dvopla-d-itn-vnet-rg"
+
+ azdo_resource_group_name = "dvopla-d-itn-azdoa-rg"
+
+ subnet_packer_azdo_name = "packer-azdo-subnet"
+ subnet_packer_dnsforwarder_name = "packer-dns-forwarder-subnet"
 }
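Review bot: The new provider constraints in 99_main.tf — `<= 3.101.0`, `<= 2.47.0` and `<= 3.2.0` — have no lower bound, so every older release (including the `3.36.0` / `2.10.0` / `3.1.0` that were pinned before) still satisfies them and only the lock file decides what actually runs. A bounded range records the floor the packer stack was tested against and keeps a future `terraform init -upgrade` from resolving to something unexpected, e.g. `version = ">= 3.97.1, <= 3.101.0"` for azurerm and the matching shape for azuread and null. If the open lower bound is deliberate to share a lock file across stacks, a comment on the `required_providers` block saying so would prevent the next reader from tightening it.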
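Review bot: The new locals in 99_variables.tf hard-code one environment: with the dev tfvars (`prefix = "dvopla"`, `env_short = "d"`, `location_short = "itn"`) the new `project` local evaluates to `dvopla-d-itn`, so `vnet_ita_core_name = "dvopla-d-itn-vnet"`, `vnet_ita_core_rg_name = "dvopla-d-itn-vnet-rg"` and `azdo_resource_group_name = "dvopla-d-itn-azdoa-rg"` are exactly `"${local.project}-vnet"`, `"${local.project}-vnet-rg"` and `"${local.project}-azdoa-rg"` — and the last one replaces a `"${local.project}-azdoa-rg"` expression in 01_azure_devops_agent.tf that already produced that value. Deriving them from `local.project` keeps the stack usable for another env/location without editing this file and avoids a silent mismatch if the tfvars change. If the literal names are intentional (for instance a shared core VNet that is not named per environment), a one-line comment on each stating where the name is defined would make that clear.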
@@ -46,6 +54,11 @@ variable "location_short" {
 description = "Location short like eg: neu, weu.."
 }
+variable "azdo_image_version" {
+ type = string
+ description = "Version string to allow to force the creation of the image"
+}
+
 variable "dns_forwarder_image_version" {
 type = string
 description = "Version string to allow to force the creation of the image"
diff --git a/src/packer/README.md b/src/packer/README.md
index fdfff8dc..329f0cbf 100644
--- a/src/packer/README.md
+++ b/src/packer/README.md
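Review bot: The new `azdo_image_version` variable copies the description of `dns_forwarder_image_version` verbatim, so the generated README Inputs table shows two rows with identical text and a reader cannot tell which image each one rebuilds. Make each description name its image, e.g. `description = "Version string for the Azure DevOps agent image; change it to force a rebuild"` here and the equivalent wording for the DNS forwarder variable.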
@@ -5,30 +5,34 @@
 | Name | Version |
 |------|---------|
-| [azuread](#requirement\_azuread) | = 2.10.0 |
-| [azurerm](#requirement\_azurerm) | = 3.36.0 |
-| [null](#requirement\_null) | = 3.1.0 |
+| [azuread](#requirement\_azuread) | <= 2.47.0 |
+| [azurerm](#requirement\_azurerm) | <= 3.101.0 |
+| [null](#requirement\_null) | <= 3.2.0 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
-| [azdoa\_custom\_image](#module\_azdoa\_custom\_image) | git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent_custom_image | v7.50.0 |
-| [dns\_forwarder\_image](#module\_dns\_forwarder\_image) | git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_vm_image | v7.69.1 |
+| [azdoa\_custom\_image](#module\_azdoa\_custom\_image) | git::https://github.com/pagopa/terraform-azurerm-v3.git//azure_devops_agent_custom_image | update-azdo-image |
+| [dns\_forwarder\_image](#module\_dns\_forwarder\_image) | git::https://github.com/pagopa/terraform-azurerm-v3.git//dns_forwarder_vm_image | update-azdo-image |
 ## Resources
 | Name | Type |
 |------|------|
-| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.36.0/docs/data-sources/client_config) | data source |
-| [azurerm_resource_group.resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/3.36.0/docs/data-sources/resource_group) | data source |
-| [azurerm_resource_group.vnet_rg](https://registry.terraform.io/providers/hashicorp/azurerm/3.36.0/docs/data-sources/resource_group) | data source |
-| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.36.0/docs/data-sources/subscription) | data source |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_resource_group.resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_resource_group.rg_vnet_ita](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_subnet.packer_azdo_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.packer_dns_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_virtual_network.vnet_ita](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [azdo\_image\_version](#input\_azdo\_image\_version) | Version string to allow to force the creation of the image | `string` | n/a | yes |
 | [dns\_forwarder\_image\_version](#input\_dns\_forwarder\_image\_version) | Version string to allow to force the creation of the image | `string` | n/a | yes |
 | [env](#input\_env) | n/a | `string` | n/a | yes |
 | [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes |
diff --git a/src/packer/env/dev/terraform.tfvars b/src/packer/env/dev/terraform.tfvars
index 60d0ff2c..d8f81f94 100644
--- a/src/packer/env/dev/terraform.tfvars
+++ b/src/packer/env/dev/terraform.tfvars
@@ -2,17 +2,17 @@
 prefix = "dvopla"
 env_short = "d"
 env = "dev"
-location = "northeurope"
-location_short = "neu"
-domain = "packer"
+location = "italynorth"
+location_short = "itn"
 tags = {
 CreatedBy = "Terraform"
 Environment = "Dev"
 Owner = "devops"
- Source = "https://github.com/pagopa/dvopla-infrastructure"
+ Source = "https://github.com/pagopa/devopslab-infrastructure"
 CostCenter = "TS310 - PAGAMENTI & SERVIZI"
- Application = "marco.common"
+ Application = "packer"
 }
 dns_forwarder_image_version = "v1"
+azdo_image_version = "v1"
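Review bot: `domain = "packer"` is dropped from the dev tfvars, but no corresponding change to a `variable "domain"` declaration appears in this diff. If that variable is still declared in 99_variables.tf without a default, a dev `terraform plan` will prompt for it interactively and fail under `-input=false` in CI; remove the declaration in the same commit or give it a default. The `Application = "packer"` tag looks like the intended replacement for the removed value, which is fine.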