[PE-703] Private Endpoint Common module and CGN configuration (#1211)

pagopa · Oct 1, 2024 · 1a8508e · 1a8508e
1 parent 03f47f1
commit 1a8508e
Show file tree

Hide file tree

Showing 9 changed files with 114 additions and 0 deletions.
diff --git a/src/common/_modules/global/modules/dns/outputs.tf b/src/common/_modules/global/modules/dns/outputs.tf
@@ -35,6 +35,7 @@ output "private_dns_zones" {
   value = {
     servicebus = azurerm_private_dns_zone.privatelink_servicebus
     documents  = azurerm_private_dns_zone.privatelink_documents
+    postgres   = azurerm_private_dns_zone.privatelink_postgres_database_azure_com
   }
 }
 

diff --git a/src/common/_modules/private_endpoint/data.tf b/src/common/_modules/private_endpoint/data.tf
@@ -0,0 +1,7 @@
+# CGN PostgreSQL Single Server
+
+data "azurerm_postgresql_server" "cgn_psql" {
+  provider            = azurerm.prod-cgn
+  name                = "cgnonboardingportal-p-db-postgresql"
+  resource_group_name = "cgnonboardingportal-p-db-rg"
+}
diff --git a/src/common/_modules/private_endpoint/locals.tf b/src/common/_modules/private_endpoint/locals.tf
@@ -0,0 +1,11 @@
+locals {
+  private_endpoints = {
+    "cgn-psql" = {
+      "01" = {
+        resource_id         = data.azurerm_postgresql_server.cgn_psql.id
+        subresource_names   = ["postgresqlServer"]
+        private_dns_zone_id = var.dns_zones.postgres.id
+      }
+    }
+  }
+}
diff --git a/src/common/_modules/private_endpoint/main.tf b/src/common/_modules/private_endpoint/main.tf
@@ -0,0 +1,27 @@
+resource "azurerm_private_endpoint" "this" {
+  for_each = merge([
+    for pep, instances in local.private_endpoints : {
+      for i, values in instances :
+      "${pep}-pep-${i}" => values
+    }
+  ]...)
+
+  name                = "${var.project}-${each.key}"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  subnet_id           = var.pep_snet_id
+
+  private_service_connection {
+    name                           = "${var.project}-${each.key}-pep-01"
+    private_connection_resource_id = each.value.resource_id
+    is_manual_connection           = false
+    subresource_names              = each.value.subresource_names
+  }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [each.value.private_dns_zone_id]
+  }
+
+  tags = var.tags
+}
diff --git a/src/common/_modules/private_endpoint/outputs.tf b/src/common/_modules/private_endpoint/outputs.tf
@@ -0,0 +1,9 @@
+output "private_endpoints" {
+  value = {
+    for k, v in azurerm_private_endpoint.this :
+    k => {
+      name = v.name
+      id   = v.id
+    }
+  }
+}
diff --git a/src/common/_modules/private_endpoint/provider.tf b/src/common/_modules/private_endpoint/provider.tf
@@ -0,0 +1,6 @@
+provider "azurerm" {
+  alias           = "prod-cgn"
+  subscription_id = "74da48a3-b0e7-489d-8172-da79801086ed"
+
+  features {}
+}
diff --git a/src/common/_modules/private_endpoint/variables.tf b/src/common/_modules/private_endpoint/variables.tf
@@ -0,0 +1,39 @@
+variable "project" {
+  type        = string
+  description = "IO prefix, short environment and short location"
+}
+
+variable "location" {
+  type        = string
+  description = "Azure region"
+}
+
+variable "tags" {
+  type        = map(any)
+  description = "Resource tags"
+}
+
+variable "resource_group_name" {
+  type        = string
+  description = "Resource group namee"
+}
+
+variable "pep_snet_id" {
+  type        = string
+  description = "ID of the private endpoint subnet"
+}
+
+variable "dns_zones" {
+  type        = map(any)
+  description = <<EOF
+  Map of private DNS zones
+
+  Example:
+  {
+    postgres = {
+      'id' = 'XXXX'
+    },
+    ...
+  }
+  EOF
+}
diff --git a/src/common/prod/README.md b/src/common/prod/README.md
@@ -20,6 +20,7 @@
 | <a name="module_github_runner_itn"></a> [github\_runner\_itn](#module\_github\_runner\_itn) | ../_modules/github_runner | n/a |
 | <a name="module_global"></a> [global](#module\_global) | ../_modules/global | n/a |
 | <a name="module_monitoring_weu"></a> [monitoring\_weu](#module\_monitoring\_weu) | ../_modules/monitoring | n/a |
+| <a name="module_private_endpoints"></a> [private\_endpoints](#module\_private\_endpoints) | ../_modules/private_endpoint | n/a |
 | <a name="module_redis_weu"></a> [redis\_weu](#module\_redis\_weu) | ../_modules/redis | n/a |
 
 ## Resources

diff --git a/src/common/prod/italynorth.tf b/src/common/prod/italynorth.tf
@@ -20,3 +20,16 @@ module "github_runner_itn" {
 
   tags = local.tags
 }
+
+module "private_endpoints" {
+  source = "../_modules/private_endpoint"
+
+  project             = local.project_itn
+  location            = "italynorth"
+  resource_group_name = local.resource_groups.itn.common
+
+  pep_snet_id = local.core.networking.itn.pep_snet.id
+  dns_zones   = module.global.dns.private_dns_zones
+
+  tags = local.tags
+}