[EC-196] Module migration and ioplollipopassertionsst migration to ne…
…w Defender (#884)
Krusty93 authored Feb 21, 2024
1 parent ab2d7d9 commit 0163bc1
Showing 12 changed files with 78 additions and 87 deletions.
6 changes: 0 additions & 6 deletions src/domains/citizen-auth-app/04_fims.tf
Expand Up @@ -10,11 +10,6 @@ data "azurerm_cosmosdb_account" "cosmos_fims" {
resource_group_name = "io-p-citizen-auth-data-rg"
}

data "azurerm_key_vault_secret" "mongodb_connection_string_fims" {
name = "io-p-fims-mongodb-account-connection-string"
key_vault_id = data.azurerm_key_vault.kv.id
}

data "azurerm_key_vault_secret" "jwk_primary_key_fims" {
name = "io-p-fims-jwk-primary-key"
key_vault_id = data.azurerm_key_vault.kv.id
Expand Down Expand Up @@ -58,7 +53,6 @@ locals {
APPLICATION_NAME = "io-openid-provider"
IO_BACKEND_BASE_URL = "https://api-app.io.pagopa.it"
VERSION = "0.0.1"
MONGODB_URL = data.azurerm_key_vault_secret.mongodb_connection_string_fims.value
COSMOSDB_NAME = "fims"
COSMOSDB_URI = data.azurerm_cosmosdb_account.cosmos_fims.endpoint
COSMOSDB_KEY = data.azurerm_cosmosdb_account.cosmos_fims.primary_key
6 changes: 0 additions & 6 deletions src/domains/citizen-auth-app/05_database.tf
Expand Up @@ -7,9 +7,3 @@ data "azurerm_cosmosdb_account" "cosmos_citizen_auth" {
name = format("%s-%s-account", local.product, var.domain)
resource_group_name = data.azurerm_resource_group.data_rg.name
}

# FIMS
data "azurerm_cosmosdb_account" "cosmosdb_mongo_fims" {
name = "io-p-fims-mongodb-account"
resource_group_name = data.azurerm_resource_group.data_rg.name
}
2 changes: 0 additions & 2 deletions src/domains/citizen-auth-app/README.md
Expand Up @@ -46,7 +46,6 @@
| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
| [azurerm_cosmosdb_account.cosmos_citizen_auth](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/cosmosdb_account) | data source |
| [azurerm_cosmosdb_account.cosmos_fims](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/cosmosdb_account) | data source |
| [azurerm_cosmosdb_account.cosmosdb_mongo_fims](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/cosmosdb_account) | data source |
| [azurerm_key_vault.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
| [azurerm_key_vault.kv_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
| [azurerm_key_vault_certificate_data.lollipop_certificate_v1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_certificate_data) | data source |
Expand All @@ -55,7 +54,6 @@
| [azurerm_key_vault_secret.fast_login_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.first_lollipop_consumer_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.jwk_primary_key_fims](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.mongodb_connection_string_fims](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
| [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
| [azurerm_monitor_action_group.error_action_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |
34 changes: 17 additions & 17 deletions src/domains/citizen-auth-common/.terraform.lock.hcl


2 changes: 1 addition & 1 deletion src/domains/citizen-auth-common/01_network.tf
Expand Up @@ -49,7 +49,7 @@ data "azurerm_private_dns_zone" "privatelink_table_core" {

## Redis Common subnet
module "redis_common_snet" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.14.0"
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.62.0"
name = format("%s-redis-snet", local.project)
address_prefixes = var.cidr_subnet_redis_common
resource_group_name = local.vnet_common_resource_group_name
8 changes: 4 additions & 4 deletions src/domains/citizen-auth-common/02_key_vault.tf
Expand Up @@ -6,7 +6,7 @@ resource "azurerm_resource_group" "sec_rg" {
}

module "key_vault" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v4.1.3"
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v7.62.0"

name = "${local.product}-${var.domain}-kv"
location = azurerm_resource_group.sec_rg.location
Expand All @@ -25,7 +25,7 @@ resource "azurerm_key_vault_access_policy" "adgroup_admin" {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azuread_group.adgroup_admin.object_id

key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", ]
key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "GetRotationPolicy", ]
secret_permissions = ["Get", "List", "Set", "Delete", "Restore", "Recover", ]
storage_permissions = []
certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
Expand All @@ -51,7 +51,7 @@ resource "azurerm_key_vault_access_policy" "access_policy_io_infra_ci" {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_ci.principal_id

key_permissions = ["Get", "List"]
key_permissions = ["Get", "List", "GetRotationPolicy"]
secret_permissions = ["Get", "List"]
certificate_permissions = ["Get", "List"]
}
Expand All @@ -62,7 +62,7 @@ resource "azurerm_key_vault_access_policy" "access_policy_io_infra_cd" {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_cd.principal_id

key_permissions = ["Get", "List"]
key_permissions = ["Get", "List", "GetRotationPolicy"]
secret_permissions = ["Get", "List"]
certificate_permissions = ["Get", "List"]
}
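Review bot: Every access policy in this file now grants `GetRotationPolicy` (the `adgroup_admin`, `access_policy_io_infra_ci` and `access_policy_io_infra_cd` hunks), but none grants `SetRotationPolicy`, so even the admin group that can Create/Import/Delete keys can only read a key's rotation policy through this vault policy; if rotation policies are meant to be managed elsewhere, record that. Presumably the read permission is added because the newer azurerm provider pinned in 99_main.tf reads rotation policy when it reads a key, but the commit does not say so; a comment above the admin `key_permissions` such as `# GetRotationPolicy is read-only; needed by the newer azurerm provider when reading keys. Rotation policies are not managed via this access policy.` would keep the intent from being lost. The `key_vault` module jump from v4.1.3 to v7.62.0 spans three major versions, so the plan should be checked for a replacement of the vault or a reset of its access policies before apply. All three resource blocks and the module block start and end outside the shown hunks.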
16 changes: 8 additions & 8 deletions src/domains/citizen-auth-common/03_apim_v2.tf
Expand Up @@ -15,7 +15,7 @@ resource "azurerm_api_management_group" "api_lollipop_assertion_read_v2" {
}

module "apim_v2_product_lollipop" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v4.1.5"
source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v7.62.0"

product_id = "io-lollipop-api"
display_name = "IO LOLLIPOP API"
Expand All @@ -32,7 +32,7 @@ module "apim_v2_product_lollipop" {
}

module "apim_v2_lollipop_api_v1" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v4.1.5"
source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v7.62.0"

name = format("%s-lollipop-api", local.product)
api_management_name = data.azurerm_api_management.apim_v2_api.name
Expand Down Expand Up @@ -147,7 +147,7 @@ data "azurerm_linux_web_app" "appservice_fims" {
}

module "apim_product_fims_admin" {
source = "github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v4.1.15"
source = "github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v7.62.0"

product_id = "fims-admin-api"
api_management_name = data.azurerm_api_management.apim_v2_api.name
Expand All @@ -162,7 +162,7 @@ module "apim_product_fims_admin" {
}

module "api_fims_admin" {
source = "github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v4.1.15"
source = "github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v7.62.0"

name = "fims-admin-api"
api_management_name = data.azurerm_api_management.apim_v2_api.name
Expand Down Expand Up @@ -193,7 +193,7 @@ module "api_fims_admin" {
# FIMS public API
####################################################################################
module "apim_product_fims_public" {
source = "github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v4.1.15"
source = "github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v7.62.0"

product_id = "fims-public-api"
api_management_name = data.azurerm_api_management.apim_v2_api.name
Expand All @@ -208,7 +208,7 @@ module "apim_product_fims_public" {
}

module "api_fims_public" {
source = "github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v4.1.15"
source = "github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v7.62.0"

name = "fims-public-api"
api_management_name = data.azurerm_api_management.apim_v2_api.name
Expand Down Expand Up @@ -247,7 +247,7 @@ resource "azurerm_api_management_group" "api_fast_login_operation_v2" {
}

module "apim_v2_product_fast_login_operation" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v7.47.0"
source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v7.62.0"

product_id = "io-fast-login-operation-api"
display_name = "IO FAST-LOGIN OPERATION API"
Expand All @@ -269,7 +269,7 @@ data "azurerm_linux_function_app" "functions_fast_login" {
}

module "apim_v2_fast_login_operation_api_v1" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v7.47.0"
source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v7.62.0"

name = format("%s-fast-login-operation-api", local.product)
api_management_name = data.azurerm_api_management.apim_v2_api.name
13 changes: 7 additions & 6 deletions src/domains/citizen-auth-common/03_storage.tf
Expand Up @@ -6,7 +6,7 @@ locals {
# LolliPoP Assertion Storage
###
module "lollipop_assertions_storage" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v6.1.0"
source = "github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v7.62.0"

name = replace(format("%s-lollipop-assertions-st", local.product), "-", "") # `lollipop-assertions-st` is used in src/core/99_variables.tf#citizen_auth_assertion_storage_name
domain = upper(var.domain)
Expand All @@ -17,14 +17,15 @@ module "lollipop_assertions_storage" {
resource_group_name = azurerm_resource_group.data_rg.name
location = var.location
advanced_threat_protection = true
use_legacy_defender_version = false
enable_identity = true
public_network_access_enabled = false

tags = var.tags
}

module "lollipop_assertions_storage_customer_managed_key" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key?ref=v4.3.1"
source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key?ref=v7.62.0"
tenant_id = data.azurerm_subscription.current.tenant_id
location = var.location
resource_group_name = azurerm_resource_group.data_rg.name
Expand Down Expand Up @@ -93,7 +94,7 @@ resource "azurerm_storage_queue" "lollipop_assertions_storage_revoke_queue" {
# Immutable LV Audit Log Storage
###
module "immutable_lv_audit_logs_storage" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v7.32.1"
source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v7.62.0"

name = replace(format("%s-lv-logs-im-st", local.product), "-", "")
domain = upper(var.domain)
Expand Down Expand Up @@ -123,7 +124,7 @@ module "immutable_lv_audit_logs_storage" {
}

module "immutable_lv_audit_logs_storage_customer_managed_key" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key?ref=v7.32.1"
source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account_customer_managed_key?ref=v7.62.0"
tenant_id = data.azurerm_subscription.current.tenant_id
location = var.location
resource_group_name = azurerm_resource_group.data_rg.name
Expand Down Expand Up @@ -199,7 +200,7 @@ resource "azurerm_storage_management_policy" "immutable_lv_audit_logs_storage_ma
# Citizen Auth Storage
###
module "io_citizen_auth_storage" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v6.1.0"
source = "git::https://github.com/pagopa/terraform-azurerm-v3//storage_account?ref=v7.62.0"

name = replace(format("%s-st", local.project), "-", "")
domain = upper(var.domain)
Expand Down Expand Up @@ -270,4 +271,4 @@ resource "azurerm_storage_queue" "profiles_to_sanitize" {
depends_on = [module.io_citizen_auth_storage, azurerm_private_endpoint.queue]
name = "profiles-to-sanitize"
storage_account_name = module.io_citizen_auth_storage.name
}
}
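Review bot: `use_legacy_defender_version = false` is set only on `lollipop_assertions_storage`, while `immutable_lv_audit_logs_storage` and `io_citizen_auth_storage` are moved to the same module version v7.62.0 in this commit without it, so those two accounts keep whatever Defender plan the module defaults to at that version. If the Defender migration is deliberately scoped to the assertions account (as the commit title suggests), a comment on the other two modules, e.g. `# Defender plan not migrated yet, see EC-196`, would make that visible; otherwise the same line should be added to both. The `lollipop_assertions_storage` source also switched from the `git::https://github.com/...` form to `github.com/...`, whereas the other four module sources in this file keep `git::https://`; one consistent form keeps future bulk ref bumps like this one greppable. The `lollipop_assertions_storage` module block is split across two hunks and the remaining module blocks end outside the shown hunks.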
2 changes: 1 addition & 1 deletion src/domains/citizen-auth-common/04_redis_common.tf
Expand Up @@ -3,7 +3,7 @@
* [REDIS V6]
*/
module "redis_common" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache?ref=v7.14.0"
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache?ref=v7.62.0"
name = format("%s-redis-std-v6", local.project)
resource_group_name = azurerm_resource_group.data_rg.name
location = azurerm_resource_group.data_rg.location
32 changes: 18 additions & 14 deletions src/domains/citizen-auth-common/05_database.tf
Expand Up @@ -6,7 +6,7 @@ resource "azurerm_resource_group" "data_rg" {
}

module "cosmosdb_account" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_account?ref=v4.3.1"
source = "git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_account?ref=v7.62.0"

name = "${local.product}-${var.domain}-account"
domain = upper(var.domain)
Expand All @@ -16,11 +16,13 @@ module "cosmosdb_account" {
enable_free_tier = false
kind = "GlobalDocumentDB"

public_network_access_enabled = false
private_endpoint_enabled = true
subnet_id = data.azurerm_subnet.private_endpoints_subnet.id
private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_documents_azure_com.id]
is_virtual_network_filter_enabled = false
public_network_access_enabled = false
private_endpoint_enabled = true
private_endpoint_sql_name = "${local.product}-citizen-auth-account"
private_service_connection_sql_name = "${local.product}-citizen-auth-account-private-endpoint"
private_dns_zone_sql_ids = [data.azurerm_private_dns_zone.privatelink_documents_azure_com.id]
subnet_id = data.azurerm_subnet.private_endpoints_subnet.id
is_virtual_network_filter_enabled = false

main_geo_location_location = azurerm_resource_group.data_rg.location
main_geo_location_zone_redundant = true
Expand All @@ -47,7 +49,7 @@ module "cosmosdb_account" {
}

module "cosmosdb_sql_database_citizen_auth" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_sql_database?ref=v4.3.1"
source = "git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_sql_database?ref=v7.62.0"
name = "citizen-auth"
resource_group_name = azurerm_resource_group.data_rg.name
account_name = module.cosmosdb_account.name
Expand Down Expand Up @@ -126,7 +128,7 @@ resource "azurerm_monitor_metric_alert" "cosmosdb_account_normalized_RU_consumpt
# FIMS COSMOS
############################
module "cosmosdb_account_fims" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_account?ref=v4.3.1"
source = "git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_account?ref=v7.62.0"

name = "${local.product}-${var.domain}-fims-account"
domain = upper(var.domain)
Expand All @@ -136,11 +138,13 @@ module "cosmosdb_account_fims" {
enable_free_tier = false
kind = "GlobalDocumentDB"

public_network_access_enabled = false
private_endpoint_enabled = true
subnet_id = data.azurerm_subnet.private_endpoints_subnet.id
private_dns_zone_ids = [data.azurerm_private_dns_zone.privatelink_documents_azure_com.id]
is_virtual_network_filter_enabled = false
public_network_access_enabled = false
private_endpoint_enabled = true
private_service_connection_sql_name = "${local.product}-citizen-auth-fims-account-private-endpoint"
private_endpoint_sql_name = "${local.product}-citizen-auth-fims-account"
private_dns_zone_sql_ids = [data.azurerm_private_dns_zone.privatelink_documents_azure_com.id]
subnet_id = data.azurerm_subnet.private_endpoints_subnet.id
is_virtual_network_filter_enabled = false

main_geo_location_location = azurerm_resource_group.data_rg.location
main_geo_location_zone_redundant = true
Expand All @@ -167,7 +171,7 @@ module "cosmosdb_account_fims" {
}

module "cosmosdb_sql_database_fims" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_sql_database?ref=v4.3.1"
source = "git::https://github.com/pagopa/terraform-azurerm-v3//cosmosdb_sql_database?ref=v7.62.0"
name = "fims"
resource_group_name = azurerm_resource_group.data_rg.name
account_name = module.cosmosdb_account_fims.name
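Review bot: The new `private_endpoint_sql_name` and `private_service_connection_sql_name` values hard-code the `citizen-auth` segment in both the `cosmosdb_account` and `cosmosdb_account_fims` modules, while the account `name` a few lines above derives the same segment from `var.domain`; presumably the literals reproduce the endpoint names the earlier module version created so the plan does not destroy and recreate the private endpoints, but nothing in the hunk says so. A comment above each pair, e.g. `# literal names match the pre-existing private endpoints; changing them forces a destroy/recreate`, would stop a later cleanup from "fixing" them to `${var.domain}` and briefly cutting private connectivity to the account. The two modules also list the two name arguments in opposite order, so aligning the order lets the two blocks diff cleanly. Both module blocks start and end outside the shown hunks.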
2 changes: 1 addition & 1 deletion src/domains/citizen-auth-common/99_main.tf
Expand Up @@ -2,7 +2,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "<= 3.40.0"
version = "<= 3.92.0"
}
azuread = {
source = "hashicorp/azuread"