

Merge branch 'main' into IOCIT-176-fn-admin
pasqualedevita authored Dec 15, 2022
2 parents ebdadf3 + 5bcfbae commit d4e6014
Showing 29 changed files with 1,796 additions and 421 deletions.
6 changes: 6 additions & 0 deletions src/core/README.md
Expand Up @@ -85,6 +85,8 @@
| <a name="module_function_assets_cdn_snet"></a> [function\_assets\_cdn\_snet](#module\_function\_assets\_cdn\_snet) | git::https://github.com/pagopa/azurerm.git//subnet | v1.0.51 |
| <a name="module_function_assets_cdn_staging_slot"></a> [function\_assets\_cdn\_staging\_slot](#module\_function\_assets\_cdn\_staging\_slot) | git::https://github.com/pagopa/azurerm.git//function_app_slot | v3.4.0 |
| <a name="module_function_cgn"></a> [function\_cgn](#module\_function\_cgn) | git::https://github.com/pagopa/azurerm.git//function_app | v3.4.0 |
| <a name="module_function_cgn_merchant"></a> [function\_cgn\_merchant](#module\_function\_cgn\_merchant) | git::https://github.com/pagopa/azurerm.git//function_app | v3.4.0 |
| <a name="module_function_cgn_merchant_staging_slot"></a> [function\_cgn\_merchant\_staging\_slot](#module\_function\_cgn\_merchant\_staging\_slot) | git::https://github.com/pagopa/azurerm.git//function_app_slot | v3.4.0 |
| <a name="module_function_cgn_staging_slot"></a> [function\_cgn\_staging\_slot](#module\_function\_cgn\_staging\_slot) | git::https://github.com/pagopa/azurerm.git//function_app_slot | v3.4.0 |
| <a name="module_function_devportalservicedata"></a> [function\_devportalservicedata](#module\_function\_devportalservicedata) | git::https://github.com/pagopa/azurerm.git//function_app | v2.9.1 |
| <a name="module_function_devportalservicedata_staging_slot"></a> [function\_devportalservicedata\_staging\_slot](#module\_function\_devportalservicedata\_staging\_slot) | git::https://github.com/pagopa/azurerm.git//function_app_slot | v2.9.1 |
Expand Down Expand Up @@ -151,6 +153,8 @@
| [azurerm_api_management_named_value.io_fn3_eucovidcert_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
| [azurerm_api_management_named_value.io_fn3_services_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
| [azurerm_api_management_named_value.io_fn3_services_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
| [azurerm_api_management_named_value.io_fn_cgnmerchant_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
| [azurerm_api_management_named_value.io_fn_cgnmerchant_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
| [azurerm_app_service_plan.cgn_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_plan) | resource |
| [azurerm_app_service_plan.selfcare_be_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_plan) | resource |
| [azurerm_app_service_virtual_network_swift_connection.devportal_be](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_virtual_network_swift_connection) | resource |
Expand Down Expand Up @@ -223,6 +227,7 @@
| [azurerm_monitor_metric_alert.function_assets_http_server_errors](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
| [azurerm_monitor_metric_alert.function_assets_response_time](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
| [azurerm_monitor_metric_alert.function_cgn_health_check](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
| [azurerm_monitor_metric_alert.function_cgn_merchant_health_check](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
| [azurerm_monitor_metric_alert.function_eucovidcert_health_check](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
| [azurerm_monitor_metric_alert.function_services_health_check](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
| [azurerm_monitor_metric_alert.too_many_http_5xx](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
Expand Down Expand Up @@ -449,6 +454,7 @@
| [azurerm_key_vault_secret.fnapp_eucovidcert_authtoken](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.io_fn3_eucovidcert_key_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.io_fn3_services_key_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.io_fn_cgnmerchant_key_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.monitor_notification_email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.monitor_notification_slack_email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
| [azurerm_key_vault_secret.sec_storage_id](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
41 changes: 23 additions & 18 deletions src/core/api/io_services/v1/policy.xml
Expand Up @@ -16,29 +16,34 @@
<set-backend-service base-url="https://io-p-services-fn-2.azurewebsites.net/api/v1" />
</when>
<otherwise>
<set-backend-service id="apim-generated-policy" base-url="{{io-fn3-services-url}}/api/v1" />
<!-- https://docs.microsoft.com/en-us/dotnet/api/system.random.next?view=net-6.0#system-random-next(system-int32-system-int32) -->
<!-- <set-variable name="urlWeight" value="@{
Random rnd = new Random();
int urlWeight = rnd.Next(1, 1001);
return urlWeight;}" />
<!-- The following policy fragment allows to split inbound traffic based on a fixed window. A Random value picked from this window can determine
when traffic should be redirected to a specific backend pool. i.e: 1/1000 req must be redirected to back-end-1, the remaining must be redirected to
default-back-end.
-->
<set-variable name="weights" value="@{
Random rnd = new Random();
return JObject.FromObject(
new {
urlWeight = rnd.Next(1, 1001),
fnWeight = rnd.Next(1, 101)
});}" />
<choose>
<when condition="@(context.Variables.GetValueOrDefault<int>("urlWeight") <= 1)">
<set-backend-service base-url="https://io-p-services-fn-1.azurewebsites.net/api/v1" />
</when>
<when condition="@(context.Variables.GetValueOrDefault<int>("urlWeight") > 1)">
<set-backend-service base-url="https://io-p-services-fn-2.azurewebsites.net/api/v1" />
<when condition="@(context.Variables.GetValueOrDefault<JObject>("weights").GetValue("urlWeight").ToObject<int>() <= 1000)">
<!-- The following policy fragment allows to split traffic up to 50% for each backend pool instance -->
<choose>
<when condition="@(context.Variables.GetValueOrDefault<JObject>("weights").GetValue("fnWeight").ToObject<int>() <= 50)">
<set-backend-service base-url="https://io-p-services-fn-1.azurewebsites.net/api/v1" />
</when>
<otherwise>
<set-backend-service base-url="https://io-p-services-fn-2.azurewebsites.net/api/v1" />
</otherwise>
</choose>
</when>
<otherwise>
<return-response>
<set-status code="500" reason="InternalServerError" />
<set-header name="Microsoft-Azure-Api-Management-Correlation-Id" exists-action="override">
<value>@{return Guid.NewGuid().ToString();}</value>
</set-header>
<set-body>A gateway-related error occurred while processing the request.</set-body>
</return-response>
<set-backend-service id="apim-generated-policy" base-url="{{io-fn3-services-url}}/api/v1" />
</otherwise>
</choose> -->
</choose>
</otherwise>
</choose>
<set-header name="x-functions-key" exists-action="override">
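Review bot: The outer branch condition at L80, `GetValue("urlWeight").ToObject<int>() <= 1000`, is always true because `rnd.Next(1, 1001)` at L71 yields 1..1000 inclusive, so on the new side the `<otherwise>` at L91 that returns a 500 is unreachable and the comment at L63-65 describing a 1/1000 traffic window no longer matches what the policy does (every request goes through the 50/50 `fnWeight` split). If the full-cutover is intended, the comment should say so, e.g. `<!-- urlWeight window currently covers all requests (<= 1000); lower the threshold to send only a fraction through the fn-1/fn-2 split -->`; if not, the threshold needs to be the real window size, ideally a named value rather than a literal. The `set-backend-service` at L99 sits after `<return-response>` in the same branch and can never execute, so it should be dropped or moved before the response. The enclosing `<inbound>` section continues past the hunk.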
30 changes: 29 additions & 1 deletion src/core/cgn.tf
Expand Up @@ -2,6 +2,11 @@ data "azurerm_resource_group" "rg_cgn" {
name = format("%s-rg-cgn", local.project)
}

data "azurerm_storage_account" "iopstcgn" {
name = "iopstcgn"
resource_group_name = data.azurerm_resource_group.rg_cgn.name
}

## redis cgn subnet
module "redis_cgn_snet" {
source = "git::https://github.com/pagopa/azurerm.git//subnet?ref=v2.0.26"
Expand Down Expand Up @@ -277,6 +282,29 @@ module "api_cgn_merchant" {
xml_content = file("./api/cgn/v1/_base_policy.xml")
}

# Named Values function-cgn-merchant
resource "azurerm_api_management_named_value" "io_fn_cgnmerchant_url" {
name = "io-fn-cgnmerchant-url"
api_management_name = module.apim.name
resource_group_name = module.apim.resource_group_name
display_name = "io-fn-cgnmerchant-url"
value = "https://${module.function_cgn_merchant.default_hostname}"
}

data "azurerm_key_vault_secret" "io_fn_cgnmerchant_key_secret" {
name = "io-fn-cgnmerchant-KEY-APIM"
key_vault_id = data.azurerm_key_vault.common.id
}

resource "azurerm_api_management_named_value" "io_fn_cgnmerchant_key" {
name = "io-fn-cgnmerchant-key"
api_management_name = module.apim.name
resource_group_name = module.apim.resource_group_name
display_name = "io-fn-cgnmerchant-key"
value = data.azurerm_key_vault_secret.io_fn_cgnmerchant_key_secret.value
secret = "true"
}

## App registration for cgn backend portal ##

/*
Expand Down Expand Up @@ -349,4 +377,4 @@ module "cgn_snet" {
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
}
}
}
}
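Review bot: The named value `io_fn_cgnmerchant_key` (L139-146) takes its value from Key Vault secret `io-fn-cgnmerchant-KEY-APIM` (L134-137), but nothing in this commit creates or documents that secret, so a plan fails until it is provisioned out of band; a comment such as `# io-fn-cgnmerchant-KEY-APIM is created manually in the common Key Vault (presumably the function key APIM forwards to the merchant function) before the first apply` would make the dependency explicit. On L145 `secret = "true"` passes a string where the provider attribute is boolean; Terraform coerces it, but `secret = true` matches the declared type and reads as intended.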
9 changes: 0 additions & 9 deletions src/core/function_cgn.tf
Expand Up @@ -27,15 +27,6 @@ data "azurerm_key_vault_secret" "fn_cgn_CGN_DATA_BACKUP_CONNECTION" {
key_vault_id = data.azurerm_key_vault.common.id
}

# 
# STORAGE
#

data "azurerm_storage_account" "iopstcgn" {
name = "iopstcgn"
resource_group_name = data.azurerm_resource_group.rg_cgn.name
}

#
# APP CONFIGURATION
#
132 changes: 132 additions & 0 deletions src/core/function_cgn_merchant.tf
@@ -0,0 +1,132 @@
#
# APP CONFIGURATION
#

locals {
function_cgn_merchant = {
app_settings_common = {
FUNCTIONS_WORKER_RUNTIME = "node"
WEBSITE_RUN_FROM_PACKAGE = "1"
WEBSITE_VNET_ROUTE_ALL = "1"
WEBSITE_DNS_SERVER = "168.63.129.16"
FUNCTIONS_WORKER_PROCESS_COUNT = 4
NODE_ENV = "production"

COSMOSDB_CGN_URI = data.azurerm_cosmosdb_account.cosmos_cgn.endpoint
COSMOSDB_CGN_KEY = data.azurerm_cosmosdb_account.cosmos_cgn.primary_master_key
COSMOSDB_CGN_DATABASE_NAME = "db"
COSMOSDB_CONNECTION_STRING = format("AccountEndpoint=%s;AccountKey=%s;", data.azurerm_cosmosdb_account.cosmos_cgn.endpoint, data.azurerm_cosmosdb_account.cosmos_cgn.primary_master_key)

// Keepalive fields are all optionals
FETCH_KEEPALIVE_ENABLED = "true"
FETCH_KEEPALIVE_SOCKET_ACTIVE_TTL = "110000"
FETCH_KEEPALIVE_MAX_SOCKETS = "40"
FETCH_KEEPALIVE_MAX_FREE_SOCKETS = "10"
FETCH_KEEPALIVE_FREE_SOCKET_TIMEOUT = "30000"
FETCH_KEEPALIVE_TIMEOUT = "60000"

# Storage account connection string:
CGN_STORAGE_CONNECTION_STRING = data.azurerm_storage_account.iopstcgn.primary_connection_string

// REDIS
REDIS_URL = data.azurerm_redis_cache.redis_cgn.hostname
REDIS_PORT = data.azurerm_redis_cache.redis_cgn.ssl_port
REDIS_PASSWORD = data.azurerm_redis_cache.redis_cgn.primary_access_key
}
}
}

#tfsec:ignore:azure-storage-queue-services-logging-enabled:exp:2022-05-01 # already ignored, maybe a bug in tfsec
module "function_cgn_merchant" {
source = "git::https://github.com/pagopa/azurerm.git//function_app?ref=v3.4.0"

resource_group_name = azurerm_resource_group.cgn_be_rg.name
name = format("%s-cgn-merchant-fn", local.project)
location = var.location
app_service_plan_id = azurerm_app_service_plan.cgn_common.id
health_check_path = "/api/v1/cgn/merchant/info"

os_type = "linux"
linux_fx_version = "NODE|14"
runtime_version = "~4"

always_on = "true"
application_insights_instrumentation_key = data.azurerm_application_insights.application_insights.instrumentation_key

app_settings = merge(
local.function_cgn_merchant.app_settings_common,
)

subnet_id = module.cgn_snet.id

allowed_subnets = [
module.cgn_snet.id,
module.apim_snet.id,
]

tags = var.tags
}

module "function_cgn_merchant_staging_slot" {
source = "git::https://github.com/pagopa/azurerm.git//function_app_slot?ref=v3.4.0"

name = "staging"
location = var.location
resource_group_name = azurerm_resource_group.cgn_be_rg.name
function_app_name = module.function_cgn_merchant.name
function_app_id = module.function_cgn_merchant.id
app_service_plan_id = azurerm_app_service_plan.cgn_common.id
health_check_path = "/api/v1/cgn/merchant/info"

storage_account_name = module.function_cgn_merchant.storage_account.name
storage_account_access_key = module.function_cgn_merchant.storage_account.primary_access_key

os_type = "linux"
linux_fx_version = "NODE|14"
always_on = "true"
runtime_version = "~4"
application_insights_instrumentation_key = data.azurerm_application_insights.application_insights.instrumentation_key

app_settings = merge(
local.function_cgn_merchant.app_settings_common,
)

subnet_id = module.cgn_snet.id

allowed_subnets = [
module.cgn_snet.id,
data.azurerm_subnet.azdoa_snet[0].id,
module.apim_snet.id,
]

tags = var.tags
}

## Alerts

resource "azurerm_monitor_metric_alert" "function_cgn_merchant_health_check" {
name = "${module.function_cgn_merchant.name}-health-check-failed"
resource_group_name = azurerm_resource_group.cgn_be_rg.name
scopes = [module.function_cgn_merchant.id]
description = "${module.function_cgn_merchant.name} health check failed"
severity = 1
frequency = "PT5M"
auto_mitigate = false
enabled = false # todo enable after deploy

criteria {
metric_namespace = "Microsoft.Web/sites"
metric_name = "HealthCheckStatus"
aggregation = "Average"
operator = "LessThan"
threshold = 50
}

action {
action_group_id = azurerm_monitor_action_group.email.id
}

action {
action_group_id = azurerm_monitor_action_group.slack.id
}
}
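Review bot: The merchant function receives the Cosmos account's primary master key twice, as `COSMOSDB_CGN_KEY` (L194) and embedded in `COSMOSDB_CONNECTION_STRING` (L196), next to `REDIS_PASSWORD` (L212) and the storage connection string (L207), all as plain app settings, so a full read-write database credential lives in the Function App configuration and in Terraform state for both the production app and the staging slot (L235, L269). If the merchant API only reads CGN data, the `azurerm_cosmosdb_account` data source also exposes `primary_readonly_master_key`, which bounds the damage of a leaked setting; either way, Key Vault references (`@Microsoft.KeyVault(SecretUri=...)`) keep the secret values out of the settings blade and the state. The health-check alert is created with `enabled = false # todo enable after deploy` (L293); without a tracked follow-up this stays silent indefinitely. Minor: the `locals` block mixes `//` (L198, L209) and `#` (L206) comment markers; the rest of the file uses `#`.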
28 changes: 14 additions & 14 deletions src/domains/sign/.terraform.lock.hcl


14 changes: 8 additions & 6 deletions src/domains/sign/00_azuread.tf
Expand Up @@ -11,13 +11,15 @@ data "azuread_group" "adgroup_developers" {
display_name = format("%s-adgroup-developers", local.product)
}

data "azuread_group" "adgroup_externals" {
display_name = format("%s-adgroup-externals", local.product)
}
# Unused at the moment
# data "azuread_group" "adgroup_externals" {
# display_name = format("%s-adgroup-externals", local.product)
# }

data "azuread_group" "adgroup_security" {
display_name = format("%s-adgroup-security", local.product)
}
# Unused at the moment
# data "azuread_group" "adgroup_security" {
# display_name = format("%s-adgroup-security", local.product)
# }

data "azuread_group" "adgroup_sign" {
display_name = format("%s-adgroup-sign", local.product)
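Review bot: Commenting out the `adgroup_externals` and `adgroup_security` data sources (L324-335) leaves dead configuration in the file; if they are unused, deleting them outright is cleaner and git history keeps them should they be needed again. If keeping them commented is deliberate, the marker could say what would bring them back, e.g. `# Unused at the moment; re-enable when externals/security groups get role assignments in this domain`.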
6 changes: 3 additions & 3 deletions src/domains/sign/00_resource_groups.tf
@@ -1,19 +1,19 @@
resource "azurerm_resource_group" "data_rg" {
name = "${local.project}-data-rg"
name = format("%s-data-rg", local.project)
location = var.location

tags = var.tags
}

resource "azurerm_resource_group" "backend_rg" {
name = "${local.project}-backend-rg"
name = format("%s-backend-rg", local.project)
location = var.location

tags = var.tags
}

resource "azurerm_resource_group" "sec_rg" {
name = "${local.project}-sec-rg"
name = format("%s-sec-rg", local.project)
location = var.location

tags = var.tags
14 changes: 2 additions & 12 deletions src/domains/sign/99_locals.tf
@@ -1,14 +1,4 @@
locals {
project = "${var.prefix}-${var.env_short}-${var.domain}"
product = "${var.prefix}-${var.env_short}"

app_insights_ips_west_europe = [
"51.144.56.96/28",
"51.144.56.112/28",
"51.144.56.128/28",
"51.144.56.144/28",
"51.144.56.160/28",
"51.144.56.176/28",
]

project = format("%s-%s-%s", var.prefix, var.env_short, var.domain)
product = format("%s-%s", var.prefix, var.env_short)
}
4 changes: 3 additions & 1 deletion src/domains/sign/99_main.tf
Expand Up @@ -2,7 +2,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "= 2.87.0"
version = "<= 2.98.0"
}
azuread = {
source = "hashicorp/azuread"
Expand All @@ -11,6 +11,8 @@ terraform {
}

backend "azurerm" {}

required_version = ">= 1.1.7"
}

provider "azurerm" {
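Review bot: `version = "<= 2.98.0"` on L392 replaces an exact pin with a constraint that has no lower bound, so every azurerm release older than 2.98.0 also satisfies it and nothing in the configuration states the minimum the code needs; only `.terraform.lock.hcl` (also touched in this commit) keeps the selection stable. A bounded range, `version = "~> 2.98.0"`, or an exact `version = "= 2.98.0"` as before, expresses the intent and protects against a silent downgrade when the lock file is regenerated. The `required_version = ">= 1.1.7"` added on L401 is open upward; `">= 1.1.7, < 2.0.0"` would exclude a future major version.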