feat: fix reachability from appbel3 to downstream applications (#1232)

src/domains/cgn/_modules/functions_apps/data.tf

@@ -27,6 +27,12 @@ data "azurerm_subnet" "snet_backendl2" {
   resource_group_name  = local.resource_group_name_common
 }
 
+data "azurerm_subnet" "snet_backendl3" {
+  name                 = "appbackendl3"
+  virtual_network_name = local.vnet_name_common
+  resource_group_name  = local.resource_group_name_common
+}
+
 data "azurerm_subnet" "snet_backendli" {
   name                 = "appbackendli"
   virtual_network_name = local.vnet_name_common
@@ -82,3 +88,14 @@ data "azurerm_monitor_action_group" "error_action_group" {
   name                = "${replace("${var.project}", "-", "")}error"
   resource_group_name = local.resource_group_name_common
 }
+
+data "azurerm_subnet" "private_endpoints_subnet" {
+  name                 = "pendpoints"
+  virtual_network_name = local.vnet_name_common
+  resource_group_name  = local.resource_group_name_common
+}
+
+data "azurerm_private_dns_zone" "function_app" {
+  name                = "privatelink.azurewebsites.net"
+  resource_group_name = local.resource_group_name_common
+}

src/domains/cgn/_modules/functions_apps/function_app_cgn.tf

@@ -42,6 +42,7 @@ module "function_cgn" {
     data.azurerm_subnet.snet_backendl2.id,
     data.azurerm_subnet.snet_backendli.id,
     data.azurerm_subnet.snet_apim_v2.id,
+    data.azurerm_subnet.snet_backendl3.id
   ]
 
   sticky_app_setting_names = [
@@ -91,7 +92,50 @@ module "function_cgn_staging_slot" {
     data.azurerm_subnet.snet_backendl2.id,
     data.azurerm_subnet.snet_backendli.id,
     data.azurerm_subnet.snet_apim_v2.id,
+    data.azurerm_subnet.snet_backendl3.id,
   ]
 
   tags = var.tags
 }
+
+resource "azurerm_private_endpoint" "function_sites" {
+  name                = "${var.project}-cgn-fn-pep"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  subnet_id           = data.azurerm_subnet.private_endpoints_subnet.id
+
+  private_service_connection {
+    name                           = "${var.project}-cgn-fn-pep"
+    private_connection_resource_id = module.function_cgn.id
+    is_manual_connection           = false
+    subresource_names              = ["sites"]
+  }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.function_app.id]
+  }
+
+  tags = var.tags
+}
+
+resource "azurerm_private_endpoint" "staging_function_sites" {
+  name                = "${var.project}-cgn-fn-staging-pep"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+  subnet_id           = data.azurerm_subnet.private_endpoints_subnet.id
+
+  private_service_connection {
+    name                           = "${var.project}-cgn-fn-pep"
+    private_connection_resource_id = module.function_cgn.id
+    is_manual_connection           = false
+    subresource_names              = ["sites-${module.function_cgn_staging_slot.name}"]
+  }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.function_app.id]
+  }
+
+  tags = var.tags
+}

src/domains/cgn/prod/locals.tf

@@ -4,7 +4,7 @@ locals {
   project   = "${local.prefix}-${local.env_short}"
 
   location           = "westeurope"
-  secondary_location = "northeurope"
+  secondary_location = "italynorth"
 
   tags = {
     CostCenter     = "TS310 - PAGAMENTI & SERVIZI"

src/domains/eucovidcert/_modules/function_apps/data.tf

@@ -27,8 +27,8 @@ data "azurerm_subnet" "snet_backendl2" {
   resource_group_name  = local.resource_group_name_common
 }
 
-data "azurerm_subnet" "snet_pblevtdispatcher" {
-  name                 = "fnpblevtdispatcherout"
+data "azurerm_subnet" "snet_backendl3" {
+  name                 = "appbackendl3"
   virtual_network_name = local.vnet_name_common
   resource_group_name  = local.resource_group_name_common
 }
@@ -112,4 +112,4 @@ data "azurerm_key_vault_secret" "fn_eucovidcert_FNSERVICES_API_KEY" {
 data "azurerm_monitor_action_group" "error_action_group" {
   name                = "${replace("${var.project}", "-", "")}error"
   resource_group_name = local.resource_group_name_common
-}
+}

src/domains/eucovidcert/_modules/function_apps/function_app_eucovidcert.tf

@@ -38,8 +38,8 @@ module "function_eucovidcert" {
     var.subnet_id,
     data.azurerm_subnet.snet_backendl1.id,
     data.azurerm_subnet.snet_backendl2.id,
-    data.azurerm_subnet.snet_pblevtdispatcher.id,
     data.azurerm_subnet.snet_apim_v2.id,
+    data.azurerm_subnet.snet_backendl3.id
   ]
 
   tags = var.tags
@@ -77,8 +77,8 @@ module "function_eucovidcert_staging_slot" {
     var.subnet_id,
     data.azurerm_subnet.snet_backendl1.id,
     data.azurerm_subnet.snet_backendl2.id,
-    data.azurerm_subnet.snet_pblevtdispatcher.id,
     data.azurerm_subnet.snet_apim_v2.id,
+    data.azurerm_subnet.snet_backendl3.id
   ]
 
   tags = var.tags

src/domains/messages-app/01_network.tf

@@ -64,6 +64,12 @@ data "azurerm_subnet" "app_backendl2_snet" {
   resource_group_name  = local.vnet_common_resource_group_name
 }
 
+data "azurerm_subnet" "app_backendl3_snet" {
+  name                 = "appbackendl3"
+  virtual_network_name = local.vnet_common_name
+  resource_group_name  = local.vnet_common_resource_group_name
+}
+
 data "azurerm_subnet" "apim_snet" {
   name                 = "apimv2api"
   virtual_network_name = local.vnet_common_name

src/domains/messages-app/10_function_messages.tf

@@ -168,6 +168,7 @@ module "app_messages_function" {
     data.azurerm_subnet.app_backendl1_snet.id,
     data.azurerm_subnet.app_backendl2_snet.id,
     data.azurerm_subnet.apim_snet.id,
+    data.azurerm_subnet.app_backendl3_snet.id
   ]
 
   allowed_ips = concat(
@@ -221,6 +222,7 @@ module "app_messages_function_staging_slot" {
     data.azurerm_subnet.app_backendl1_snet.id,
     data.azurerm_subnet.app_backendl2_snet.id,
     data.azurerm_subnet.azdoa_snet.id,
+    data.azurerm_subnet.app_backendl3_snet.id
   ]
 
   allowed_ips = concat(

src/domains/messages-app/10_function_messages_xl.tf

@@ -87,6 +87,7 @@ module "app_messages_function_xl" {
     data.azurerm_subnet.app_backendl1_snet.id,
     data.azurerm_subnet.app_backendl2_snet.id,
     data.azurerm_subnet.apim_snet.id,
+    data.azurerm_subnet.app_backendl3_snet.id
   ]
 
   allowed_ips = concat(
@@ -147,6 +148,7 @@ module "app_messages_function_staging_slot_xl" {
     data.azurerm_subnet.app_backendl2_snet.id,
     data.azurerm_subnet.azdoa_snet.id,
     data.azurerm_subnet.github_snet.id,
+    data.azurerm_subnet.app_backendl3_snet.id
   ]
 
   allowed_ips = concat(
@@ -622,4 +624,4 @@ resource "azurerm_subnet_nat_gateway_association" "net_gateway_association_subne
   count          = var.app_messages_count
   nat_gateway_id = data.azurerm_nat_gateway.nat_gateway.id
   subnet_id      = module.app_messages_snet_xl[count.index].id
-}
+}

src/domains/messages-app/README.md

@@ -111,6 +111,7 @@
 | [azurerm_subnet.apim_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.app_backendl1_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.app_backendl2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subnet.app_backendl3_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.azdoa_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.github_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |