diff --git a/src/common/_modules/cosmos_api/alerts.tf b/src/common/_modules/cosmos_api/alerts.tf
new file mode 100644
index 000000000..a94653ba6
--- /dev/null
+++ b/src/common/_modules/cosmos_api/alerts.tf
@@ -0,0 +1,48 @@
+resource "azurerm_monitor_metric_alert" "throttling_alert" {
+
+ name = "[IO-COMMONS | ${azurerm_cosmosdb_account.this.name}] Throttling"
+ resource_group_name = var.resource_group_internal
+ scopes = [azurerm_cosmosdb_account.this.id]
+ # TODO: add Runbook for checking errors
+ description = "One or more collections consumed throughput (RU/s) exceed provisioned throughput. Please, consider to increase RU for these collections. Runbook: https://pagopa.atlassian.net/wiki/spaces/IC/pages/723452380/CosmosDB+-+Increase+Max+RU"
+ severity = 0
+ window_size = "PT5M"
+ frequency = "PT5M"
+ auto_mitigate = false
+
+ # Metric info
+ # https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported#microsoftdocumentdbdatabaseaccounts
+ criteria {
+ metric_namespace = "Microsoft.DocumentDB/databaseAccounts"
+ metric_name = "TotalRequestUnits"
+ aggregation = "Total"
+ operator = "GreaterThan"
+ threshold = 0
+ skip_metric_validation = false
+
+
+ dimension {
+ name = "Region"
+ operator = "Include"
+ values = [var.location]
+ }
+ dimension {
+ name = "StatusCode"
+ operator = "Include"
+ values = ["429"]
+ }
+ dimension {
+ name = "CollectionName"
+ operator = "Include"
+ values = ["*"]
+ }
+
+ }
+
+ action {
+ action_group_id = var.error_action_group_id
+ webhook_properties = {}
+ }
+
+ tags = var.tags
+}
diff --git a/src/common/_modules/cosmos_api/variables.tf b/src/common/_modules/cosmos_api/variables.tf
index 1594dfa07..ab0f04b14 100644
--- a/src/common/_modules/cosmos_api/variables.tf
+++ b/src/common/_modules/cosmos_api/variables.tf
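Review bot: The `Region` dimension of the new `throttling_alert` filters on `values = [var.location]`, whereas the alert it replaces (`cosmos_api_throttling_alert`, removed from `src/core/data.tf` further down in this diff) filtered on the display name `"West Europe"`. If `var.location` in this module holds the short form used for `location` arguments (e.g. `westeurope`), the dimension matches no time series; `skip_metric_validation = false` validates only the metric name, so the plan applies cleanly and the 429 alert silently never fires, which is a detection gap rather than an apply error. Please confirm what `var.location` carries, keep the display name explicit (`values = ["West Europe"]`), or drop the `Region` dimension altogether since `scopes` already pins the account. The `# TODO: add Runbook for checking errors` comment is also stale, as `description` already carries the runbook link.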
@@ -61,3 +61,8 @@ variable "allowed_subnets_ids" {
 type = list(string)
 description = "List of the IDs of the subnets allowed to contact the cosmos account"
 }
+
+variable "error_action_group_id" {
+ type = string
+ description = "Azure Monitor error action group id"
+}
diff --git a/src/common/_modules/monitoring/appi.tf b/src/common/_modules/monitoring/appi.tf
index 0745b5c02..d003db622 100644
--- a/src/common/_modules/monitoring/appi.tf
+++ b/src/common/_modules/monitoring/appi.tf
@@ -9,3 +9,21 @@ resource "azurerm_application_insights" "appi" {
 tags = var.tags
 }
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "appinsights_instrumentation_key" {
+ name = "appinsights-instrumentation-key"
+ value = azurerm_application_insights.appi.instrumentation_key
+ content_type = "only instrumentation key"
+
+ key_vault_id = var.kv_common_id
+}
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "appinsights_connection_string" {
+ name = "appinsights-connection-string"
+ value = azurerm_application_insights.appi.connection_string
+ content_type = "full connection string, example InstrumentationKey=XXXXX"
+
+ key_vault_id = var.kv_common_id
+}
diff --git a/src/common/_modules/monitoring/variables.tf b/src/common/_modules/monitoring/variables.tf
index 4674e050f..63a12a67d 100644
--- a/src/common/_modules/monitoring/variables.tf
+++ b/src/common/_modules/monitoring/variables.tf
@@ -29,6 +29,11 @@ variable "kv_id" {
 description = "Id of the IO KeyVault"
 }
+variable "kv_common_id" {
+ type = string
+ description = "Id of the IO Common KeyVault"
+}
+
 variable "test_urls" {
 type = list(object({
 name = string
diff --git a/src/common/prod/removed.tf b/src/common/prod/removed.tf
deleted file mode 100644
index a39d7148e..000000000
--- a/src/common/prod/removed.tf
+++ /dev/null
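Review bot: Both `azurerm_key_vault_secret` resources added to `appi.tf` carry a bare `#tfsec:ignore:AZU023` (secret without an `expiration_date`) and give no reason, so the next reader cannot tell whether the missing expiry is deliberate or an oversight. Either set `expiration_date` and track its renewal, or record the justification on the ignore itself, e.g. `#tfsec:ignore:AZU023 <reason no expiration_date is set, and who owns rotation>`. Worth keeping in mind that `instrumentation_key` and `connection_string` are persisted in the Terraform state as well as in the vault, so access to the state backend is part of the trust boundary of these two secrets, not only the vault's access policy. The two secrets also do not receive `tags = var.tags` like the `azurerm_application_insights.appi` resource above them; if tags drive ownership or cost reporting here, add them for consistency.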
@@ -1,13 +0,0 @@
-removed {
- from = module.assets_cdn_weu.azurerm_resource_group.assets_cdn_rg
- lifecycle {
- destroy = false
- }
-}
-
-removed {
- from = azurerm_resource_group.rg_linux
- lifecycle {
- destroy = false
- }
-}
diff --git a/src/common/prod/westeurope.tf b/src/common/prod/westeurope.tf
index 846b74a2c..3a67063d8 100644
--- a/src/common/prod/westeurope.tf
+++ b/src/common/prod/westeurope.tf
@@ -41,7 +41,8 @@ module "monitoring_weu" {
 project = local.project_weu_legacy
 resource_group_common = local.core.resource_groups.westeurope.common
- kv_id = local.core.key_vault.weu.kv.id
+ kv_id = local.core.key_vault.weu.kv.id
+ kv_common_id = local.core.key_vault.weu.kv_common.id
 test_urls = [
 {
@@ -391,6 +392,8 @@ module "cosmos_api_weu" {
 documents_dns_zone = module.global.dns.private_dns_zones.documents
 allowed_subnets_ids = values(data.azurerm_subnet.cosmos_api_allowed)[*].id
+ error_action_group_id = module.monitoring_weu.action_groups.error
+
 tags = local.tags
 }
diff --git a/src/core/README.md b/src/core/README.md
index e25487b09..1232ce82b 100644
--- a/src/core/README.md
+++ b/src/core/README.md
@@ -53,76 +53,14 @@
 | [azurerm_api_management_named_value.io_fn3_eucovidcert_url_alt_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
 | [azurerm_api_management_named_value.io_fn3_services_key_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
 | [azurerm_api_management_named_value.io_fn3_services_url_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
-| [azurerm_key_vault_secret.appinsights_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
-| [azurerm_key_vault_secret.appinsights_instrumentation_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
-| [azurerm_monitor_metric_alert.cosmos_api_throttling_alert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
 | [azurerm_api_management.apim](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source |
-| [azurerm_api_management.trial_system](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source |
-| [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
-| [azurerm_cosmosdb_account.cosmos_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/cosmosdb_account) | data source |
-| [azurerm_cosmosdb_account.cosmos_remote_content](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/cosmosdb_account) | data source |
-| [azurerm_dns_a_record.api_app_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_a_record) | data source |
-| [azurerm_dns_a_record.api_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_a_record) | data source |
-| [azurerm_dns_a_record.api_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_a_record) | data source |
-| [azurerm_dns_a_record.api_io_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_a_record) | data source |
-| [azurerm_dns_a_record.api_mtls_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_a_record) | data source |
-| [azurerm_dns_a_record.api_web_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_a_record) | data source |
-| [azurerm_dns_a_record.app_backend_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_a_record) | data source |
-| [azurerm_dns_a_record.continua_io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_a_record) | data source |
-| [azurerm_dns_a_record.developerportal_backend_io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_a_record) | data source |
-| [azurerm_dns_a_record.firmaconio_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_a_record) | data source |
-| [azurerm_dns_a_record.selfcare_cdn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_a_record) | data source |
-| [azurerm_dns_zone.firmaconio_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source |
-| [azurerm_dns_zone.io_italia_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source |
-| [azurerm_dns_zone.io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source |
-| [azurerm_dns_zone.io_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/dns_zone) | data source |
-| [azurerm_eventhub_authorization_rule.io-p-messages-weu-prod01-evh-ns_message-status_io-fn-messages-cqrs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/eventhub_authorization_rule) | data source |
-| [azurerm_eventhub_authorization_rule.io-p-messages-weu-prod01-evh-ns_messages_io-fn-messages-cqrs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/eventhub_authorization_rule) | data source |
-| [azurerm_eventhub_authorization_rule.io-p-payments-weu-prod01-evh-ns_payment-updates_io-fn-messages-cqrs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/eventhub_authorization_rule) | data source |
-| [azurerm_key_vault.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
 | [azurerm_key_vault.key_vault_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
 | [azurerm_key_vault_secret.api_gad_client_certificate_verified_header_secret_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
-| [azurerm_key_vault_secret.apim_services_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
-| [azurerm_key_vault_secret.app_backend_PRE_SHARED_KEY](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
 | [azurerm_key_vault_secret.io_fn3_eucovidcert_key_secret_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
 | [azurerm_key_vault_secret.io_fn3_services_key_secret_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
-| [azurerm_linux_function_app.app_messages_1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
-| [azurerm_linux_function_app.app_messages_2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
-| [azurerm_linux_function_app.citizen_func_01](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
-| [azurerm_linux_function_app.citizen_func_02](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
-| [azurerm_linux_function_app.eucovidcert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
-| [azurerm_linux_function_app.function_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
-| [azurerm_linux_function_app.function_cgn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
-| [azurerm_linux_function_app.lollipop_function](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
-| [azurerm_linux_function_app.services_app_backend_function_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
-| [azurerm_linux_web_app.appservice_continua](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
-| [azurerm_linux_web_app.appservice_devportal_be](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
-| [azurerm_linux_web_app.appservice_selfcare_be](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
-| [azurerm_linux_web_app.cms_backoffice_app_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
-| [azurerm_monitor_action_group.error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
-| [azurerm_nat_gateway.ng](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/nat_gateway) | data source |
-| [azurerm_private_dns_zone.privatelink_azurewebsites](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
-| [azurerm_private_dns_zone.privatelink_servicebus](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
-| [azurerm_private_dns_zone.privatelink_table_core](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
-| [azurerm_resource_group.lollipop_function_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
-| [azurerm_resource_group.notifications_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.rg_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
-| [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
-| [azurerm_storage_account.locked_profiles_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
-| [azurerm_storage_account.logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
-| [azurerm_storage_account.lollipop_assertions_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
-| [azurerm_storage_account.notifications](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
-| [azurerm_storage_account.push_notifications_storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
-| [azurerm_subnet.admin_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
-| [azurerm_subnet.apim](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
-| [azurerm_subnet.appgateway_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
-| [azurerm_subnet.azdoa_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
-| [azurerm_subnet.function_let_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
-| [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
-| [azurerm_subnet.services_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
-| [azurerm_virtual_network.common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 ## Inputs
diff --git a/src/core/_import_script.sh b/src/core/_import_script.sh
deleted file mode 100755
index 20b8de9a0..000000000
--- a/src/core/_import_script.sh
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/bin/bash
-
-bash terraform.sh init prod
-
-### Step 1
-
-# bash terraform.sh import prod 'azurerm_resource_group.rg_common' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common'
-
-# bash terraform.sh import prod 'module.key_vault_common.azurerm_key_vault.this' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.KeyVault/vaults/io-p-kv-common'
-
-# terraform state rm 'module.key_vault.azurerm_management_lock.this[0]'
-
-# bash terraform.sh import prod 'azurerm_log_analytics_workspace.log_analytics_workspace' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.OperationalInsights/workspaces/io-p-law-common'
-
-# bash terraform.sh import prod 'azurerm_application_insights.application_insights' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/microsoft.insights/components/io-p-ai-common'
-
-# bash terraform.sh import prod 'azurerm_private_dns_zone.privatelink_servicebus' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-evt-rg/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net'
-
-# bash terraform.sh import prod 'azurerm_private_dns_zone.privatelink_documents' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/privateDnsZones/privatelink.documents.azure.com'
-
-# bash terraform.sh import prod 'azurerm_private_dns_zone.privatelink_blob_core' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net'
-
-# bash terraform.sh import prod 'azurerm_private_dns_zone.privatelink_file_core' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/privateDnsZones/privatelink.file.core.windows.net'
-
-# bash terraform.sh import prod 'azurerm_private_dns_zone.privatelink_table_core' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/privateDnsZones/privatelink.table.core.windows.net'
-
-# bash terraform.sh import prod 'azurerm_private_dns_zone.privatelink_queue_core' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/privateDnsZones/privatelink.queue.core.windows.net'
-
-# bash terraform.sh import prod 'module.vnet_common.azurerm_virtual_network.this' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/virtualNetworks/io-p-vnet-common'
-
-# bash terraform.sh import prod 'module.redis_common_snet.azurerm_subnet.this' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/virtualNetworks/io-p-vnet-common/subnets/rediscommon'
-
-# bash terraform.sh import prod 'module.redis_common.azurerm_redis_cache.this' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Cache/Redis/io-p-redis-common'
-
-# bash terraform.sh import prod 'module.redis_common_backup.azurerm_storage_account.this' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Storage/storageAccounts/iopstredis'
-
-# bash terraform.sh import prod 'module.assets_cdn.azurerm_storage_account.this' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Storage/storageAccounts/iopstcdnassets'
-
-# terraform state rm azurerm_management_lock.assets_cdn_profile
-
-# terraform state rm azurerm_management_lock.assets_cdn_endpoint
-
-# bash terraform.sh import prod 'module.azdoa_snet[0].azurerm_subnet.this' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/virtualNetworks/io-p-vnet-common/subnets/azure-devops'
-
-# bash terraform.sh import prod 'azurerm_private_dns_zone_virtual_network_link.servicebus_private_vnet_common' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-evt-rg/providers/Microsoft.Network/privateDnsZones/privatelink.servicebus.windows.net/virtualNetworkLinks/io-p-evh-ns-private-dns-zone-link-01'
-
-# terraform state rm 'module.event_hub.azurerm_private_dns_zone.eventhub[0]'
-
-# terraform state rm 'module.event_hub.azurerm_private_dns_zone_virtual_network_link.eventhub[0]'
-
-### Step 2
-
-# bash terraform.sh import prod 'module.storage_api.azurerm_storage_account.this' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-internal/providers/Microsoft.Storage/storageAccounts/iopstapi'
-
-# bash terraform.sh import prod 'azurerm_storage_container.storage_api_message_content' 'https://iopstapi.blob.core.windows.net/message-content'
-
-# bash terraform.sh import prod 'azurerm_storage_container.storage_api_cached' 'https://iopstapi.blob.core.windows.net/cached'
-
-# bash terraform.sh import prod 'azurerm_storage_table.storage_api_subscriptionsfeedbyday' "https://iopstapi.table.core.windows.net/Tables('SubscriptionsFeedByDay')"
-
-# bash terraform.sh import prod 'azurerm_storage_table.storage_api_faileduserdataprocessing' "https://iopstapi.table.core.windows.net/Tables('FailedUserDataProcessing')"
-
-# bash terraform.sh import prod 'azurerm_storage_table.storage_api_validationtokens' "https://iopstapi.table.core.windows.net/Tables('ValidationTokens')"
-
-# bash terraform.sh import prod 'module.storage_api_replica.azurerm_storage_account.this' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-internal/providers/Microsoft.Storage/storageAccounts/iopstapireplica'
-
-### Step 3
-
-# bash terraform.sh import prod 'module.nat_gateway.azurerm_nat_gateway.this' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/natGateways/io-p-natgw'
-
-# bash terraform.sh import prod 'module.nat_gateway.azurerm_public_ip.this[0]' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/publicIPAddresses/io-p-natgw-pip-01'
-
-# bash terraform.sh import prod 'module.nat_gateway.azurerm_public_ip.this[1]' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/publicIPAddresses/io-p-natgw-pip-02'
-
-# bash terraform.sh import prod 'module.nat_gateway.azurerm_nat_gateway_public_ip_association.this[0]' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/natGateways/io-p-natgw|/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/publicIPAddresses/io-p-natgw-pip-01'
-
-# bash terraform.sh import prod 'module.nat_gateway.azurerm_nat_gateway_public_ip_association.this[1]' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/natGateways/io-p-natgw|/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/publicIPAddresses/io-p-natgw-pip-02'
-
-# bash terraform.sh import prod 'azurerm_subnet_nat_gateway_association.app_backendl1_snet' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/virtualNetworks/io-p-vnet-common/subnets/appbackendl1'
-
-# bash terraform.sh import prod 'azurerm_subnet_nat_gateway_association.app_backendl2_snet' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/virtualNetworks/io-p-vnet-common/subnets/appbackendl2'
-
-# bash terraform.sh import prod 'azurerm_subnet_nat_gateway_association.app_backendli_snet' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/virtualNetworks/io-p-vnet-common/subnets/appbackendli'
-
-# bash terraform.sh import prod 'azurerm_subnet_nat_gateway_association.function_eucovidcert_snet' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/virtualNetworks/io-p-vnet-common/subnets/io-p-eucovidcert-snet'
-
-# bash terraform.sh import prod 'azurerm_subnet_nat_gateway_association.cgn_snet' '/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-rg-common/providers/Microsoft.Network/virtualNetworks/io-p-vnet-common/subnets/io-p-cgn-snet'
diff --git a/src/core/data.tf b/src/core/data.tf
index ce161769e..dd7086276 100644
--- a/src/core/data.tf
+++ b/src/core/data.tf
@@ -1,439 +1,13 @@
-data "azurerm_cosmosdb_account" "cosmos_api" {
- name = format("%s-cosmos-api", local.project)
- resource_group_name = format("%s-rg-internal", local.project)
-}
-
-data "azurerm_cosmosdb_account" "cosmos_remote_content" {
- name = "io-p-messages-remote-content"
- resource_group_name = "io-p-messages-data-rg"
-}
-
-data "azurerm_resource_group" "rg_common" {
- name = "io-p-rg-common"
-}
-
-#
-# APIM
-#
-data "azurerm_subnet" "apim" {
- name = "apimv2api"
- resource_group_name = data.azurerm_resource_group.rg_common.name
- virtual_network_name = data.azurerm_virtual_network.common.name
-}
-
 data "azurerm_api_management" "apim" {
 name = "io-p-apim-v2-api"
 resource_group_name = "io-p-rg-internal"
 }
-#
-# Logs resources
-#
-
-data "azurerm_storage_account" "logs" {
- name = replace(format("%s-stlogs", local.project), "-", "")
- resource_group_name = format("%s-rg-operations", local.project)
-}
-
-#
-# Notifications resources
-#
-
-data "azurerm_resource_group" "notifications_rg" {
- name = format("%s-weu-messages-notifications-rg", local.project)
-}
-
-data "azurerm_storage_account" "push_notifications_storage" {
- name = replace(format("%s-weu-messages-notifst", local.project), "-", "")
- resource_group_name = data.azurerm_resource_group.notifications_rg.name
-}
-
-data "azurerm_storage_account" "notifications" {
- name = replace(format("%s-stnotifications", local.project), "-", "")
- resource_group_name = format("%s-rg-internal", local.project)
-}
-
-#
-# LOLLIPOP
-#
-
-data "azurerm_storage_account" "lollipop_assertions_storage" {
- name = replace(format("%s-%s", var.citizen_auth_product, var.citizen_auth_assertion_storage_name), "-", "")
- resource_group_name = format("%s-%s-data-rg", var.citizen_auth_product, var.citizen_auth_domain)
-}
-
-data "azurerm_resource_group" "lollipop_function_rg" {
- name = format("%s-itn-lollipop-rg-01", local.project)
-}
-
-data "azurerm_linux_function_app" "lollipop_function" {
- name = format("%s-itn-lollipop-fn-01", local.project)
- resource_group_name = data.azurerm_resource_group.lollipop_function_rg.name
-}
-
-# todo migrate storage account and related resources
-locals {
- storage_account_notifications_queue_push_notifications = "push-notifications"
-}
-
-# Event hubs
-
-data "azurerm_eventhub_authorization_rule" "io-p-payments-weu-prod01-evh-ns_payment-updates_io-fn-messages-cqrs" {
- name = "io-fn-messages-cqrs"
- namespace_name = "${local.project}-payments-weu-prod01-evh-ns"
- eventhub_name = "payment-updates"
- resource_group_name = "${local.project}-payments-weu-prod01-evt-rg"
-}
-
-data "azurerm_eventhub_authorization_rule" "io-p-messages-weu-prod01-evh-ns_messages_io-fn-messages-cqrs" {
- name = "io-fn-messages-cqrs"
- namespace_name = "${local.project}-messages-weu-prod01-evh-ns"
- eventhub_name = "messages"
- resource_group_name = "${local.project}-messages-weu-prod01-evt-rg"
-}
-
-data "azurerm_eventhub_authorization_rule" "io-p-messages-weu-prod01-evh-ns_message-status_io-fn-messages-cqrs" {
- name = "io-fn-messages-cqrs"
- namespace_name = "${local.project}-messages-weu-prod01-evh-ns"
- eventhub_name = "message-status"
- resource_group_name = "${local.project}-messages-weu-prod01-evt-rg"
-}
-
-data "azurerm_key_vault_secret" "apim_services_subscription_key" {
- name = "apim-IO-SERVICE-KEY"
- key_vault_id = data.azurerm_key_vault.key_vault_common.id
-}
-
-
-
-#
-# App Backend shared resources
-#
-
-data "azurerm_key_vault_secret" "app_backend_PRE_SHARED_KEY" {
- name = "appbackend-PRE-SHARED-KEY"
- key_vault_id = data.azurerm_key_vault.key_vault_common.id
-}
-
-data "azurerm_storage_account" "locked_profiles_storage" {
- name = replace("${local.project}-locked-profiles-st", "-", "")
- resource_group_name = "${local.project}-rg-internal"
-}
-
-
-# -----------------------------------------------
-# Alerts
-# -----------------------------------------------
-
-resource "azurerm_monitor_metric_alert" "cosmos_api_throttling_alert" {
-
- name = "[IO-COMMONS | ${data.azurerm_cosmosdb_account.cosmos_api.name}] Throttling"
- resource_group_name = "${local.project}-rg-linux"
- scopes = [data.azurerm_cosmosdb_account.cosmos_api.id]
- # TODO: add Runbook for checking errors
- description = "One or more collections consumed throughput (RU/s) exceed provisioned throughput. Please, consider to increase RU for these collections. Runbook: https://pagopa.atlassian.net/wiki/spaces/IC/pages/723452380/CosmosDB+-+Increase+Max+RU"
- severity = 0
- window_size = "PT5M"
- frequency = "PT5M"
- auto_mitigate = false
-
- # Metric info
- # https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported#microsoftdocumentdbdatabaseaccounts
- criteria {
- metric_namespace = "Microsoft.DocumentDB/databaseAccounts"
- metric_name = "TotalRequestUnits"
- aggregation = "Total"
- operator = "GreaterThan"
- threshold = 0
- skip_metric_validation = false
-
-
- dimension {
- name = "Region"
- operator = "Include"
- values = ["West Europe"]
- }
- dimension {
- name = "StatusCode"
- operator = "Include"
- values = ["429"]
- }
- dimension {
- name = "CollectionName"
- operator = "Include"
- values = ["*"]
- }
-
- }
-
- action {
- action_group_id = data.azurerm_monitor_action_group.error_action_group.id
- webhook_properties = {}
- }
-
- tags = var.tags
-}
-
-#
-# Services App service and fn
-#
-data "azurerm_linux_web_app" "cms_backoffice_app_itn" {
- name = "${local.project}-itn-svc-bo-app-01"
- resource_group_name = "${local.project}-itn-svc-rg-01"
-}
-
-data "azurerm_linux_function_app" "services_app_backend_function_app" {
- resource_group_name = format("%s-itn-svc-rg-01", local.project)
- name = format("%s-itn-svc-app-be-func-01", local.project)
-}
-
-#
-# CGN
-#
-
-data "azurerm_linux_function_app" "function_cgn" {
- resource_group_name = "${local.project}-cgn-be-rg"
- name = format("%s-cgn-fn", local.project)
-}
-
-#
-# SelfCare
-#
-
-data "azurerm_dns_a_record" "selfcare_cdn" {
- name = "@"
- resource_group_name = data.azurerm_dns_zone.io_selfcare_pagopa_it[0].resource_group_name
- zone_name = data.azurerm_dns_zone.io_selfcare_pagopa_it[0].name
-}
-
-#
-# DevPortal
-#
-
-data "azurerm_linux_web_app" "appservice_devportal_be" {
- name = "${local.project}-app-devportal-be"
- resource_group_name = "${local.project}-selfcare-be-rg"
-}
-
-data "azurerm_linux_web_app" "appservice_selfcare_be" {
- name = "${local.project}-app-selfcare-be"
- resource_group_name = "${local.project}-selfcare-be-rg"
-}
-
-#
-# Continua
-#
-
-data "azurerm_linux_web_app" "appservice_continua" {
- name = "${local.project}-app-continua"
- resource_group_name = "${local.project}-continua-rg"
-}
-
-#
-# EuCovid
-#
-
-data "azurerm_linux_function_app" "eucovidcert" {
- resource_group_name = "${local.project}-rg-eucovidcert"
- name = format("%s-eucovidcert-fn", local.project)
-}
-
-#
-# Messages
-#
-
-data "azurerm_linux_function_app" "app_messages_1" {
- resource_group_name = "${local.project}-app-messages-rg-1"
- name = "${local.project}-app-messages-fn-1"
-}
-
-data "azurerm_linux_function_app" "app_messages_2" {
- resource_group_name = "${local.project}-app-messages-rg-2"
- name = "${local.project}-app-messages-fn-2"
-}
-
-data "azurerm_linux_function_app" "citizen_func_01" {
- resource_group_name = "io-p-itn-msgs-rg-01"
- name = "io-p-itn-msgs-citizen-func-01"
-}
-
-data "azurerm_linux_function_app" "citizen_func_02" {
- resource_group_name = "io-p-itn-msgs-rg-01"
- name = "io-p-itn-msgs-citizen-func-02"
-}
-
-#
-# ELT
-#
-
-data "azurerm_subnet" "function_let_snet" {
- name = "fn3eltout"
- resource_group_name = data.azurerm_resource_group.rg_common.name
- virtual_network_name = data.azurerm_virtual_network.common.name
-}
-
-#
-# Functions
-#
-
-data "azurerm_subnet" "admin_snet" {
- name = format("%s-admin-snet", local.project)
- resource_group_name = data.azurerm_resource_group.rg_common.name
- virtual_network_name = data.azurerm_virtual_network.common.name
-}
-
-data "azurerm_subnet" "services_snet" {
- count = var.function_services_count
- name = format("%s-services-snet-%d", local.project, count.index + 1)
- resource_group_name = data.azurerm_resource_group.rg_common.name
- virtual_network_name = data.azurerm_virtual_network.common.name
-}
-
-data "azurerm_linux_function_app" "function_app" {
- count = var.function_app_count
- name = format("%s-app-fn-%d", local.project, count.index + 1)
- resource_group_name = format("%s-app-rg-%d", local.project, count.index + 1)
-}
-
-data "azurerm_api_management" "trial_system" {
- provider = azurerm.prod-trial
- name = "ts-p-itn-apim-01"
- resource_group_name = "ts-p-itn-routing-rg-01"
-}
-
-### Network and DNS
-# TO BE REMOVED WHEN RESOURCES ARE
-# MOVED TO THE MODULAR FORM
-data "azurerm_virtual_network" "common" {
- name = "${local.project}-vnet-common"
- resource_group_name = "${local.project}-rg-common"
+data "azurerm_key_vault" "key_vault_common" {
+ name = format("%s-kv-common", local.project)
+ resource_group_name = data.azurerm_resource_group.rg_common.name
 }
-data "azurerm_nat_gateway" "ng" {
- name = "${local.project}-natgw"
- resource_group_name = "${local.project}-rg-common"
-}
-
-data "azurerm_private_dns_zone" "privatelink_table_core" {
- name = "privatelink.table.core.windows.net"
- resource_group_name = "${local.project}-rg-common"
-}
-
-data "azurerm_private_dns_zone" "privatelink_servicebus" {
- name = "privatelink.servicebus.windows.net"
- resource_group_name = "${local.project}-evt-rg"
-}
-
-data "azurerm_private_dns_zone" "privatelink_azurewebsites" {
- name = "privatelink.azurewebsites.net"
- resource_group_name = "${local.project}-rg-common"
-}
-
-data "azurerm_dns_zone" "io_pagopa_it" {
- count = (var.dns_zone_io == null || var.external_domain == null) ? 0 : 1
- name = "io.pagopa.it"
- resource_group_name = "${local.project}-rg-external"
-}
-
-data "azurerm_dns_zone" "io_italia_it" {
- name = "io.italia.it"
- resource_group_name = "${local.project}-rg-external"
-}
-
-data "azurerm_dns_zone" "io_selfcare_pagopa_it" {
- count = (var.dns_zone_io_selfcare == null || var.external_domain == null) ? 0 : 1
- name = "io.selfcare.pagopa.it"
- resource_group_name = "${local.project}-rg-external"
-}
-
-data "azurerm_dns_zone" "firmaconio_selfcare_pagopa_it" {
- count = (var.dns_zone_firmaconio_selfcare == null || var.external_domain == null) ? 0 : 1
- name = "firmaconio.selfcare.pagopa.it"
- resource_group_name = "${local.project}-rg-external"
-}
-
-data "azurerm_subnet" "private_endpoints_subnet" {
- name = "pendpoints"
- virtual_network_name = "${local.project}-vnet-common"
- resource_group_name = "${local.project}-rg-common"
-}
-
-data "azurerm_dns_a_record" "developerportal_backend_io_italia_it" {
- name = "developerportal-backend"
- zone_name = data.azurerm_dns_zone.io_italia_it.name
- resource_group_name = "${local.project}-rg-external"
-}
-
-data "azurerm_dns_a_record" "app_backend_io_italia_it" {
- name = "app-backend"
- zone_name = data.azurerm_dns_zone.io_italia_it.name
- resource_group_name = "${local.project}-rg-external"
-}
-
-data "azurerm_dns_a_record" "api_io_pagopa_it" {
- name = "api"
- zone_name = data.azurerm_dns_zone.io_pagopa_it[0].name
- resource_group_name = "${local.project}-rg-external"
-}
-
-data "azurerm_dns_a_record" "api_app_io_pagopa_it" {
- name = "api-app"
- zone_name = data.azurerm_dns_zone.io_pagopa_it[0].name
- resource_group_name = "${local.project}-rg-external"
-}
-
-data "azurerm_dns_a_record" "api_web_io_pagopa_it" {
- name = "api-web"
- zone_name = data.azurerm_dns_zone.io_pagopa_it[0].name
- resource_group_name = "${local.project}-rg-external"
-}
-
-data "azurerm_dns_a_record" "api_mtls_io_pagopa_it" {
- name = "api-mtls"
- zone_name = data.azurerm_dns_zone.io_pagopa_it[0].name
-
resource_group_name = "${local.project}-rg-external" -} - -data "azurerm_dns_a_record" "continua_io_pagopa_it" { - name = "continua" - zone_name = data.azurerm_dns_zone.io_pagopa_it[0].name - resource_group_name = "${local.project}-rg-external" -} - -data "azurerm_dns_a_record" "api_io_selfcare_pagopa_it" { - name = "api" - zone_name = data.azurerm_dns_zone.io_selfcare_pagopa_it[0].name - resource_group_name = "${local.project}-rg-external" -} - -data "azurerm_dns_a_record" "firmaconio_selfcare_pagopa_it" { - name = "@" - zone_name = data.azurerm_dns_zone.firmaconio_selfcare_pagopa_it[0].name - resource_group_name = "${local.project}-rg-external" -} - -data "azurerm_dns_a_record" "api_io_italia_it" { - name = "api" - zone_name = data.azurerm_dns_zone.io_italia_it.name - resource_group_name = "${local.project}-rg-external" -} - -# -# AppGateway -# - -data "azurerm_subnet" "appgateway_snet" { - name = "${local.project}-appgateway-snet" - resource_group_name = data.azurerm_resource_group.rg_common.name - virtual_network_name = data.azurerm_virtual_network.common.name -} - -# -# Azure DevOps Agent -# - -data "azurerm_subnet" "azdoa_snet" { - name = "azure-devops" - resource_group_name = data.azurerm_resource_group.rg_common.name - virtual_network_name = data.azurerm_virtual_network.common.name +data "azurerm_resource_group" "rg_common" { + name = "io-p-rg-common" } diff --git a/src/core/devportal.tf b/src/core/devportal.tf deleted file mode 100644 index 972560415..000000000 --- a/src/core/devportal.tf +++ /dev/null @@ -1,8 +0,0 @@ -### Common resources - -locals { - devportal = { - backend_hostname = trimsuffix(data.azurerm_dns_a_record.developerportal_backend_io_italia_it.fqdn, ".") - frontend_hostname = "developer.${var.dns_zone_io}.italia.it" - } -} diff --git a/src/core/env/dev/backend.ini b/src/core/env/dev/backend.ini deleted file mode 100644 index 3120eb660..000000000 --- a/src/core/env/dev/backend.ini +++ /dev/null @@ -1 +0,0 @@ -subscription=DEV-IO 
diff --git a/src/core/env/dev/backend.tfvars b/src/core/env/dev/backend.tfvars
deleted file mode 100644
index 3606cf50a..000000000
--- a/src/core/env/dev/backend.tfvars
+++ /dev/null
@@ -1,4 +0,0 @@
-resource_group_name = "io-infra-rg"
-storage_account_name = "ioinfrastterraformdev"
-container_name = "azurermstate"
-key = "terraform.tfstate"
diff --git a/src/core/env/dev/terraform.tfvars b/src/core/env/dev/terraform.tfvars
deleted file mode 100644
index 9e6800c06..000000000
--- a/src/core/env/dev/terraform.tfvars
+++ /dev/null
@@ -1,155 +0,0 @@
-env_short = "d"
-
-tags = {
- CreatedBy = "Terraform"
- Environment = "Dev"
- Owner = "IO"
- Source = "https://github.com/pagopa/io-infra"
- CostCenter = "TS310 - PAGAMENTI & SERVIZI"
-}
-
-location = "westeurope"
-location_short = "weu"
-
-# dns
-external_domain = "pagopa.it"
-dns_zone_io = "dev.io"
-
-lock_enable = true
-azdo_sp_tls_cert_enabled = true
-enable_azdoa = true
-enable_iac_pipeline = true
-
-common_rg = "io-p-rg-common"
-
-## Network
-vnet_name = "io-p-vnet-common"
-
-cidr_subnet_eventhub = ["10.1.xxx.xxx/xx"]
-##
-
-## Monitor
-log_analytics_workspace_name = "io-p-law-common"
-application_insights_name = "io-p-ai-common"
-monitor_resource_group_name = "io-p-rg-common"
-log_analytics_workspace_resource_group_name = "io-p-rg-common"
-monitor_action_group_email_name = "EMAIL PAGOPA-ALERTS"
-monitor_action_group_slack_name = "SLACK PAGOPA_STATUS"
-##
-
-## Event hub
-ehns_sku_name = "Standard"
-ehns_capacity = 5
-ehns_auto_inflate_enabled = true
-ehns_maximum_throughput_units = 5
-ehns_zone_redundant = true
-ehns_alerts_enabled = true
-
-ehns_metric_alerts = {
- no_trx = {
- aggregation = "Total"
- metric_name = "IncomingMessages"
- description = "No transactions received from acquirer in the last 24h"
- operator = "LessThanOrEqual"
- threshold = 1000
- frequency = "PT1H"
- window_size = "P1D"
- dimension = [
- {
- name = "EntityName"
- operator = "Include"
- values = ["rtd-trx"]
- }
- ],
- },
- active_connections = {
- aggregation = "Average"
- metric_name = "ActiveConnections"
- description = null
- operator = "LessThanOrEqual"
- threshold = 0
- frequency = "PT5M"
- window_size = "PT15M"
- dimension = [],
- },
- error_trx = {
- aggregation = "Total"
- metric_name = "IncomingMessages"
- description = "Transactions rejected from one acquirer file received. trx write on eventhub. check immediately"
- operator = "GreaterThan"
- threshold = 0
- frequency = "PT5M"
- window_size = "PT30M"
- dimension = [
- {
- name = "EntityName"
- operator = "Include"
- values = ["bpd-trx-error",
- "rtd-trx-error"]
- }
- ],
- },
-}
-
-# App Messages
-app_messages_function_always_on = true
-
-app_messages_function_kind = "Linux"
-app_messages_function_sku_tier = "Standard"
-app_messages_function_sku_size = "S1"
-app_messages_function_autoscale_minimum = 1
-app_messages_function_autoscale_maximum = 3
-app_messages_function_autoscale_default = 1
-
-# Function Messages CQRS
-function_messages_cqrs_always_on = true
-
-function_messages_cqrs_kind = "Linux"
-function_messages_cqrs_sku_tier = "Standard"
-function_messages_cqrs_sku_size = "S1"
-function_messages_cqrs_autoscale_minimum = 1
-function_messages_cqrs_autoscale_maximum = 3
-function_messages_cqrs_autoscale_default = 1
-
-eventhubs = [
- {
- name = "io-cosmosdb-services"
- partitions = 5
- message_retention = 7
- keys = [
- {
- name = "io-fn-elt"
- listen = false
- send = true
- manage = false
- },
- {
- name = "pdnd"
- listen = true
- send = false
- manage = false
- }
- ]
- },
- {
- name = "io-cosmosdb-profiles"
- partitions = 5
- message_retention = 7
- consumers = []
- keys = [
- {
- name = "io-fn-elt"
- listen = false
- send = true
- manage = false
- },
- {
- name = "pdnd"
- listen = true
- send = false
- manage = false
- }
- ]
- }
-]
-##
diff --git a/src/core/firmaconio.tf b/src/core/firmaconio.tf
deleted file mode 100644
index ff95c94b4..000000000
--- a/src/core/firmaconio.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-locals {
- firmaconio_project = format("%s-sign", local.project)
- firmaconio = {
- resource_group_names = {
- backend = format("%s-backend-rg", local.firmaconio_project)
- }
- }
-}
diff --git a/src/core/keyvault.tf b/src/core/keyvault.tf
deleted file mode 100644
index ec2343620..000000000
--- a/src/core/keyvault.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-data "azurerm_key_vault" "key_vault" {
- name = format("%s-kv", local.project)
- resource_group_name = data.azurerm_resource_group.sec_rg.name
-}
-
-data "azurerm_key_vault" "key_vault_common" {
- name = format("%s-kv-common", local.project)
- resource_group_name = data.azurerm_resource_group.rg_common.name
-}
-
-data "azurerm_resource_group" "sec_rg" {
- name = format("%s-sec-rg", local.project)
-}
-
-#tfsec:ignore:AZU023
-resource "azurerm_key_vault_secret" "appinsights_instrumentation_key" {
- name = "appinsights-instrumentation-key"
- value = data.azurerm_application_insights.application_insights.instrumentation_key
- content_type = "only instrumentation key"
-
- key_vault_id = data.azurerm_key_vault.key_vault_common.id
-}
-
-#tfsec:ignore:AZU023
-resource "azurerm_key_vault_secret" "appinsights_connection_string" {
- name = "appinsights-connection-string"
- value = data.azurerm_application_insights.application_insights.connection_string
- content_type = "full connection string, example InstrumentationKey=XXXXX"
-
- key_vault_id = data.azurerm_key_vault.key_vault_common.id
-}
diff --git a/src/core/keyvault_access_policy.tf b/src/core/keyvault_access_policy.tf
deleted file mode 100644
index 799031437..000000000
--- a/src/core/keyvault_access_policy.tf
+++ /dev/null
@@ -1,161 +0,0 @@
-# Azure AD
-# data "azuread_group" "adgroup_admin" {
-# display_name = format("%s-adgroup-admin", local.project)
-# }
-
-# kv admin policy
-# resource "azurerm_key_vault_access_policy" "adgroup_admin" {
-# key_vault_id = data.azurerm_key_vault.key_vault.id
-
-# tenant_id = data.azurerm_client_config.current.tenant_id
-# object_id = data.azuread_group.adgroup_admin.object_id
-
-# key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
-# secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
-# storage_permissions = []
-# certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
-# }
-
-# kv-common admin policy
-# resource "azurerm_key_vault_access_policy" "adgroup_admin_common" {
-# key_vault_id = data.azurerm_key_vault.key_vault_common.id
-
-# tenant_id = data.azurerm_client_config.current.tenant_id
-# object_id = data.azuread_group.adgroup_admin.object_id
-
-# key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
-# secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
-# storage_permissions = []
-# certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
-# }
-
-# kv-common managed identities reader policy
-# resource "azurerm_key_vault_access_policy" "access_policy_io_infra_ci" {
-# key_vault_id = data.azurerm_key_vault.key_vault_common.id
-
-# tenant_id = data.azurerm_client_config.current.tenant_id
-# object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_ci.principal_id
-
-# key_permissions = ["Get", "List"]
-# secret_permissions = ["Get", "List"]
-# certificate_permissions = ["Get", "List"]
-# }
-
-# resource "azurerm_key_vault_access_policy" "access_policy_io_infra_cd" {
-# key_vault_id = data.azurerm_key_vault.key_vault_common.id
-
-# tenant_id = data.azurerm_client_config.current.tenant_id
-# object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_cd.principal_id
-
-# key_permissions = ["Get", "List"]
-# secret_permissions = ["Get", "List"]
-# certificate_permissions = ["Get", "List"]
-# }
-
-# resource "azurerm_key_vault_access_policy" "access_policy_kv_io_infra_cd" {
-# key_vault_id = data.azurerm_key_vault.key_vault.id
-
-# tenant_id = data.azurerm_client_config.current.tenant_id
-# object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_cd.principal_id
-
-# secret_permissions = ["Get", "List", "Set", ]
-# storage_permissions = []
-# certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", "ManageContacts", ]
-# }
-
-# data "azuread_group" "adgroup_developers" {
-# display_name = format("%s-adgroup-developers", local.project)
-# }
-
-# kv developers policy
-# resource "azurerm_key_vault_access_policy" "adgroup_developers" {
-# key_vault_id = data.azurerm_key_vault.key_vault.id
-
-# tenant_id = data.azurerm_client_config.current.tenant_id
-# object_id = data.azuread_group.adgroup_developers.object_id
-
-# key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
-# secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
-# storage_permissions = []
-# certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
-# }
-
-# kv-common developers policy
-# resource "azurerm_key_vault_access_policy" "adgroup_developers_common" {
-# key_vault_id = data.azurerm_key_vault.key_vault_common.id
-
-# tenant_id = data.azurerm_client_config.current.tenant_id
-# object_id = data.azuread_group.adgroup_developers.object_id
-
-# key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
-# secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
-# storage_permissions = []
-# certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
-# }
-
-# Microsoft Azure WebSites
-# TODO: To remove, the old app service (api-gad) has been removed so app services not needs to access to key vaults
-# resource "azurerm_key_vault_access_policy" "app_service" {
-# key_vault_id = data.azurerm_key_vault.key_vault_common.id
-
-# tenant_id = data.azurerm_client_config.current.tenant_id
-# object_id = "bb319217-f6ab-45d9-833d-555ef1173316"
-
-# secret_permissions = ["Get", ]
-# storage_permissions = []
-# certificate_permissions = ["Get", ]
-# }
-
-# Microsoft.AzureFrontDoor-Cdn Enterprise application.
-# Note: the application id is always the same in every tenant while the object id is different.
-# resource "azurerm_key_vault_access_policy" "cdn_common" {
-# key_vault_id = data.azurerm_key_vault.key_vault_common.id
-
-# tenant_id = data.azurerm_client_config.current.tenant_id
-# object_id = "f3b3f72f-4770-47a5-8c1e-aa298003be12"
-
-# secret_permissions = ["Get", ]
-# storage_permissions = []
-# certificate_permissions = ["Get", ]
-# }
-
-# resource "azurerm_key_vault_access_policy" "cdn_kv" {
-# key_vault_id = data.azurerm_key_vault.key_vault.id
-
-# tenant_id = data.azurerm_client_config.current.tenant_id
-# object_id = "f3b3f72f-4770-47a5-8c1e-aa298003be12"
-
-# secret_permissions = ["Get", ]
-# storage_permissions = []
-# certificate_permissions = ["Get", ]
-# }
-
-
-#
-# azure devops policy
-#
-
-#pagopaspa-cstar-platform-iac-projects-{subscription}
-# data "azuread_service_principal" "platform_iac_sp" {
-# display_name = "pagopaspa-io-platform-iac-projects-${data.azurerm_subscription.current.subscription_id}"
-# }
-
-# resource "azurerm_key_vault_access_policy" "azdevops_platform_iac_policy_kv" {
-# key_vault_id = data.azurerm_key_vault.key_vault.id
-# tenant_id = data.azurerm_client_config.current.tenant_id
-# object_id = data.azuread_service_principal.platform_iac_sp.object_id
-
-# secret_permissions = ["Get", "List", "Set", ]
-# storage_permissions = []
-# certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", "ManageContacts", ]
-# }
-
-# resource "azurerm_key_vault_access_policy" "azdevops_platform_iac_policy_kv_common" {
-# key_vault_id = data.azurerm_key_vault.key_vault_common.id
-# tenant_id = data.azurerm_client_config.current.tenant_id
-# object_id = data.azuread_service_principal.platform_iac_sp.object_id
-
-# secret_permissions = ["Get", "List", "Set", ]
-# storage_permissions = []
-# certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", "ManageContacts", ]
-# }
diff --git a/src/core/migrate.sh b/src/core/migrate.sh
deleted file mode 100755
index 058aa1729..000000000
--- a/src/core/migrate.sh
+++ /dev/null
@@ -1,102 +0,0 @@
-#!/usr/bin/env bash
-set -e
-############################################################
-# Remove and import a Terraform resource from the tfstate
-############################################################
-# Global variables
-VERS="1.0"
-
-############################################################
-# Print usage information #
-############################################################
-function print_usage() {
- me=`basename "$0"`
- echo "Setup v."${VERS} "sets up a configuration relative to a specific subscription"
- echo " ./${me} "
- for thisenv in $(ls "env/")
- do
- echo " Example: ./${me} \"module.function_lollipop[0].azurerm_function_app.this\" \"module.function_lollipop[0].azurerm_linux_function_app.this\" ${thisenv}"
- done
- echo
- echo "Syntax: setup.sh [-l|h]"
- echo " options:"
- echo " h Print this Help."
- echo " l List available environments."
- echo
-}
-
-function removeAndImport() {
- local old_resource_name="$1"
- # Square brackets are not processed normally by grep, otherwise
- esc_old_resource_name=$(echo "$old_resource_name" | sed 's/\[/\\[/g; s/\]/\\]/g')
-
- local new_resource_name="$2"
-
- # Check if the "Terraform" and "jq" commands are available
- if ! which terraform &> /dev/null && which jq &> /dev/null; then
- echo "Please install terraform and jq before proceeding."
- exit 1
- fi
-
- if [ -z "$old_resource_name" ] || [ -z "$new_resource_name" ] ; then
- echo "You need to define the resources to be removed and imported in order to proceed and the environment to be used!!"
- exit 1
- fi
- if [ "$(terraform show | grep $esc_old_resource_name)" ]; then
- # Look for the resource ID in the child_module
- resource_id=$(terraform show -json | jq --arg resource "$old_resource_name" '.values.root_module.child_modules[].resources[] | select(.address==$resource).values.id' | tr -d '"')
- if [ -z "$resource_id" ]; then
- # Otherwise it search for it in the root_module
- resource_id=$(terraform show -json | jq --arg resource "$old_resource_name" '.values.root_module.resources[] | select(.address==$resource).values.id' | tr -d '"')
- fi
- echo "resource_id: ${resource_id}"
- # Import the resource
- echo "Importing the resource ${new_resource_name}"
- echo "$new_resource_name $resource_id"
- ./terraform.sh import prod $new_resource_name $resource_id
- if [ $? -eq 0 ]; then
- echo "Successfully imported the resource ${new_resource_name} with ID: ${resource_id}!"
- # Remove the resource from the state file
- echo "Removing the resource ${old_resource_name}"
- terraform state rm "$old_resource_name"
- if [ $? -eq 0 ]; then
- echo "$old_resource_name removed!"
- else
- echo "I can't remove the resource $old_resource_name from your Terraform state!"
- fi
- else
- echo "I can't import the resource $new_resource_name"
- fi
- else
- echo "I can't find the resource $old_resource_name in your Terraform state"
- fi
-}
-
-############################################################
-# Main program #
-############################################################
-# Get the options
-while getopts ":hl-:" option; do
- case $option in
- h) # display Help
- print_usage
- exit;;
- l) # list available environments
- echo "Available environment(-s):"
- ls -1 "env/"
- exit;;
- *) # Invalid option
- echo "Error: Invalid option"
- exit;;
- esac
-done
-
-if [[ $2 ]]; then
- removeAndImport $1 $2
-
-else
- print_usage
-fi
-exit 0
-
-
diff --git a/src/core/monitor.tf b/src/core/monitor.tf
deleted file mode 100644
index fb2f9ecf5..000000000
--- a/src/core/monitor.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-data "azurerm_application_insights" "application_insights" {
- name = format("%s-ai-common", local.project)
- resource_group_name = data.azurerm_resource_group.rg_common.name
-}
-
-data "azurerm_monitor_action_group" "error_action_group" {
- name = "${var.prefix}${var.env_short}error"
- resource_group_name = data.azurerm_resource_group.rg_common.name
-}
diff --git a/src/core/prod/resource_groups.tf b/src/core/prod/resource_groups.tf
index 94f29b3a4..330f148e7 100644
--- a/src/core/prod/resource_groups.tf
+++ b/src/core/prod/resource_groups.tf
@@ -69,11 +69,6 @@ resource "azurerm_resource_group" "assets_cdn_weu" {
 tags = local.tags
 }
-import {
- id = "/subscriptions/ec285037-c673-4f58-b594-d7c480da4e8b/resourceGroups/io-p-assets-cdn-rg"
- to = azurerm_resource_group.assets_cdn_weu
-}
-
 resource "azurerm_resource_group" "linux_weu" {
 name = "${local.project_weu_legacy}-rg-linux"
 location = "westeurope"
diff --git a/src/domains/citizen-auth-app/09_function_profile_async.tf b/src/domains/citizen-auth-app/09_function_profile_async.tf
index 333ed0cd4..1f639e99b 100644
--- a/src/domains/citizen-auth-app/09_function_profile_async.tf
+++ b/src/domains/citizen-auth-app/09_function_profile_async.tf
@@ -43,8 +43,8 @@ module "function_profile_async" {
 app_settings = merge(
 local.function_profile_async.app_settings_common,
 {
 "AzureWebJobs.MigrateServicePreferenceFromLegacy.Disabled" = "1",
-"AzureWebJobs.StoreSpidLogs.Disabled" = "1",
-"AzureWebJobs.OnProfileUpdate.Disabled" = "1",
+"AzureWebJobs.StoreSpidLogs.Disabled" = "1",
+"AzureWebJobs.OnProfileUpdate.Disabled" = "1",
 }
 )