Merge branch 'main' into CES-68-change-apim-functions

src/common/_modules/apim/data.tf

@@ -11,4 +11,29 @@ data "azurerm_key_vault_certificate" "api_internal_io_italia_it" {
 data "azurerm_key_vault_certificate" "api_app_internal_io_pagopa_it" {
   name         = replace(local.apim_hostname_api_app_internal, ".", "-")
   key_vault_id = var.key_vault.id
+}
+
+###############
+# FOR TESTING #
+###############
+
+data "azurerm_private_dns_zone" "azure_api_net" {
+  count = var.migration ? 1 : 0
+
+  name                = "azure-api.net"
+  resource_group_name = "io-p-rg-common"
+}
+
+data "azurerm_private_dns_zone" "management_azure_api_net" {
+  count = var.migration ? 1 : 0
+
+  name                = "management.azure-api.net"
+  resource_group_name = "io-p-rg-common"
+}
+
+data "azurerm_private_dns_zone" "scm_azure_api_net" {
+  count = var.migration ? 1 : 0
+
+  name                = "scm.azure-api.net"
+  resource_group_name = "io-p-rg-common"
 }

src/common/_modules/apim/main.tf

@@ -8,12 +8,12 @@ module "apim_v2" {
   publisher_name            = "IO"
   publisher_email           = data.azurerm_key_vault_secret.apim_publisher_email.value
   notification_sender_email = data.azurerm_key_vault_secret.apim_publisher_email.value
-  sku_name                  = var.migration ? "Developer_1" : "Premium_2"
+  sku_name                  = "Premium_2"
   virtual_network_type      = "Internal"
-  zones                     = var.migration ? null : ["1", "2"]
+  zones                     = ["1", "2"]
 
   redis_cache_id       = null
-  public_ip_address_id = var.migration ? null : azurerm_public_ip.apim.id
+  public_ip_address_id = azurerm_public_ip.apim.id
 
   hostname_configuration = var.migration ? null : {
     proxy = [
@@ -51,12 +51,12 @@ module "apim_v2" {
 
   management_logger_applicaiton_insight_enabled = true
   application_insights = {
-    enabled             = var.migration ? false : true
+    enabled             = true
     instrumentation_key = var.ai_instrumentation_key
   }
 
   autoscale = {
-    enabled                       = var.migration ? false : true
+    enabled                       = true
     default_instances             = 3
     minimum_instances             = 2
     maximum_instances             = 6
@@ -78,7 +78,7 @@ module "apim_v2" {
   ]
 
   # https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported#microsoftapimanagementservice
-  metric_alerts = var.migration ? {} : {
+  metric_alerts = {
     capacity = {
       description   = "Apim used capacity is too high. Runbook: https://pagopa.atlassian.net/wiki/spaces/IC/pages/791642113/APIM+Capacity"
       frequency     = "PT5M"

src/common/_modules/apim/networking.tf

@@ -47,3 +47,45 @@ resource "azurerm_public_ip" "apim" {
 
   tags = var.tags
 }
+
+###############
+# FOR TESTING #
+###############
+
+# Define the A Records for APIM ITN
+
+resource "azurerm_private_dns_a_record" "apim_azure_api_net" {
+  count = var.migration ? 1 : 0
+
+  name                = module.apim_v2.name
+  zone_name           = data.azurerm_private_dns_zone.azure_api_net[0].name
+  resource_group_name = "io-p-rg-common"
+  ttl                 = 3600
+  records             = module.apim_v2.private_ip_addresses
+
+  tags = var.tags
+}
+
+resource "azurerm_private_dns_a_record" "apim_management_azure_api_net" {
+  count = var.migration ? 1 : 0
+
+  name                = module.apim_v2.name
+  zone_name           = data.azurerm_private_dns_zone.management_azure_api_net[0].name
+  resource_group_name = "io-p-rg-common"
+  ttl                 = 3600
+  records             = module.apim_v2.private_ip_addresses
+
+  tags = var.tags
+}
+
+resource "azurerm_private_dns_a_record" "apim_scm_azure_api_net" {
+  count = var.migration ? 1 : 0
+
+  name                = module.apim_v2.name
+  zone_name           = data.azurerm_private_dns_zone.scm_azure_api_net[0].name
+  resource_group_name = "io-p-rg-common"
+  ttl                 = 3600
+  records             = module.apim_v2.private_ip_addresses
+
+  tags = var.tags
+}

src/common/_modules/apim/outputs.tf

@@ -17,4 +17,8 @@ output "public_ip" {
 
 output "private_ips" {
   value = module.apim_v2.private_ip_addresses
+}
+
+output "id" {
+  value = module.apim_v2.id
 }

src/common/_modules/application_gateway/data.tf

@@ -37,6 +37,16 @@ data "azurerm_linux_web_app" "appservice_selfcare_be" {
   resource_group_name = "${var.project}-selfcare-be-rg"
 }
 
+data "azurerm_linux_web_app" "ipatente_vehicles_app_itn" {
+  name                = "${var.project}-itn-ipatente-vehicles-app-01"
+  resource_group_name = "${var.project}-itn-ipatente-rg-01"
+}
+
+data "azurerm_linux_web_app" "ipatente_licences_app_itn" {
+  name                = "${var.project}-itn-ipatente-licences-app-01"
+  resource_group_name = "${var.project}-itn-ipatente-rg-01"
+}
+
 #######################
 ###    Key Vault    ###
 #######################
@@ -110,6 +120,11 @@ data "azurerm_key_vault_certificate" "app_gw_selfcare_io" {
   key_vault_id = var.key_vault.id
 }
 
+data "azurerm_key_vault_certificate" "app_gw_ipatente_io" {
+  name         = var.certificates.ipatente_io_pagopa_it
+  key_vault_id = var.key_vault.id
+}
+
 data "azurerm_key_vault_secret" "app_gw_mtls_header_name" {
   name         = "mtls-header-name"
   key_vault_id = var.key_vault.id

src/common/_modules/application_gateway/main.tf

@@ -138,6 +138,34 @@ module "app_gw" {
       request_timeout             = 10
       pick_host_name_from_backend = true
     }
+
+    ipatente-vehicles-io-app = {
+      protocol     = "Https"
+      host         = null
+      port         = 443
+      ip_addresses = null # with null value use fqdns
+      fqdns = [
+        data.azurerm_linux_web_app.ipatente_vehicles_app_itn.default_hostname,
+      ]
+      probe                       = "/api/info"
+      probe_name                  = "probe-ipatente-vehicles-io-app"
+      request_timeout             = 10
+      pick_host_name_from_backend = true
+    }
+
+    ipatente-licences-io-app = {
+      protocol     = "Https"
+      host         = null
+      port         = 443
+      ip_addresses = null # with null value use fqdns
+      fqdns = [
+        data.azurerm_linux_web_app.ipatente_licences_app_itn.default_hostname,
+      ]
+      probe                       = "/api/info"
+      probe_name                  = "probe-ipatente-licences-io-app"
+      request_timeout             = 10
+      pick_host_name_from_backend = true
+    }
   }
 
   ssl_profiles = [{
@@ -383,6 +411,23 @@ module "app_gw" {
         )
       }
     }
+
+    ipatente-io-pagopa-it = {
+      protocol           = "Https"
+      host               = format("ipatente.%s", var.public_dns_zones.io.name)
+      port               = 443
+      ssl_profile_name   = format("%s-ssl-profile", var.project)
+      firewall_policy_id = null
+
+      certificate = {
+        name = var.certificates.ipatente_io_pagopa_it
+        id = replace(
+          data.azurerm_key_vault_certificate.app_gw_ipatente_io.secret_id,
+          "/${data.azurerm_key_vault_certificate.app_gw_ipatente_io.version}",
+          ""
+        )
+      }
+    }
   }
 
   # maps listener to backend
@@ -472,6 +517,13 @@ module "app_gw" {
       url_map_name = "io-backend-path-based-rule"
       priority     = 70
     }
+
+
+    ipatente-io-pagopa-it = {
+      listener     = "ipatente-io-pagopa-it"
+      url_map_name = "io-ipatente-path-based-rule"
+      priority     = 130
+    }
   }
 
   url_path_map = {
@@ -546,6 +598,23 @@ module "app_gw" {
         },
       }
     }
+
+    io-ipatente-path-based-rule = {
+      default_backend               = "ipatente-vehicles-io-app"
+      default_rewrite_rule_set_name = "rewrite-rule-set-api-app"
+      path_rule = {
+        ipatente-vehicles = {
+          paths                 = ["/veh/*"]
+          backend               = "ipatente-vehicles-io-app",
+          rewrite_rule_set_name = "rewrite-rule-set-api-app-remove-base-path-ipatente-vehicles"
+        },
+        ipatente-licences = {
+          paths                 = ["/lic/*"]
+          backend               = "ipatente-licences-io-app",
+          rewrite_rule_set_name = "rewrite-rule-set-api-app-remove-base-path-ipatente-licences"
+        },
+      }
+    }
   }
 
   rewrite_rule_sets = [
@@ -797,6 +866,52 @@ module "app_gw" {
         ]
         response_header_configurations = []
       }]
+    },
+    {
+      name = "rewrite-rule-set-api-app-remove-base-path-ipatente-vehicles"
+      rewrite_rules = [
+        local.io_backend_ip_headers_rule,
+        {
+          name          = "strip_base_ipatente_vehicles_path"
+          rule_sequence = 200
+          conditions = [{
+            variable    = "var_uri_path"
+            pattern     = "/veh/(.*)"
+            ignore_case = true
+            negate      = false
+          }]
+          url = {
+            path         = "/{var_uri_path_1}"
+            query_string = null
+            reroute      = false
+            components   = "path_only"
+          }
+          request_header_configurations  = []
+          response_header_configurations = []
+      }]
+    },
+    {
+      name = "rewrite-rule-set-api-app-remove-base-path-ipatente-licences"
+      rewrite_rules = [
+        local.io_backend_ip_headers_rule,
+        {
+          name          = "strip_base_ipatente_licences_path"
+          rule_sequence = 200
+          conditions = [{
+            variable    = "var_uri_path"
+            pattern     = "/lic/(.*)"
+            ignore_case = true
+            negate      = false
+          }]
+          url = {
+            path         = "/{var_uri_path_1}"
+            query_string = null
+            reroute      = false
+            components   = "path_only"
+          }
+          request_header_configurations  = []
+          response_header_configurations = []
+      }]
     }
   ]
 

src/common/_modules/global/modules/dns/dns_io_pagopa_it.tf

@@ -135,3 +135,14 @@ resource "azurerm_dns_a_record" "openid_provider_io_pagopa_it" {
 
   tags = var.tags
 }
+
+# ipatente.io.pagopa.it
+resource "azurerm_dns_a_record" "ipatente_io_pagopa_it" {
+  name                = "ipatente"
+  zone_name           = azurerm_dns_zone.io_pagopa_it.name
+  resource_group_name = var.resource_groups.external
+  ttl                 = var.dns_default_ttl_sec
+  records             = [var.app_gateway_public_ip]
+
+  tags = var.tags
+}

src/common/prod/README.md

@@ -10,6 +10,7 @@
 
 | Name | Version |
 |------|---------|
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.53.1 |
 | <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.116.0 |
 | <a name="provider_azurerm.prod-trial"></a> [azurerm.prod-trial](#provider\_azurerm.prod-trial) | 3.116.0 |
 | <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
@@ -18,6 +19,7 @@
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_apim_itn"></a> [apim\_itn](#module\_apim\_itn) | ../_modules/apim | n/a |
 | <a name="module_apim_weu"></a> [apim\_weu](#module\_apim\_weu) | ../_modules/apim | n/a |
 | <a name="module_app_backend_li_weu"></a> [app\_backend\_li\_weu](#module\_app\_backend\_li\_weu) | ../_modules/app_backend | n/a |
 | <a name="module_app_backend_weu"></a> [app\_backend\_weu](#module\_app\_backend\_weu) | ../_modules/app_backend | n/a |
@@ -36,6 +38,10 @@
 | Name | Type |
 |------|------|
 | [azurerm_resource_group.github_runner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_role_assignment.apim_client_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.dev_portal_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azuread_service_principal.apim_client_svc](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
+| [azuread_service_principal.dev_portal_svc](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
 | [azurerm_api_management.trial_system](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
 | [azurerm_linux_function_app.app_messages_xl](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |

src/common/prod/iam.tf

@@ -0,0 +1,40 @@
+locals {
+  role_definition_names = {
+    apim_client = [
+      "Reader",
+      "API Management Service Reader Role",
+      "Contributor"
+    ]
+    dev_portal = [
+      "Reader",
+      "API Management Service Reader Role",
+      "Contributor"
+    ]
+  }
+}
+
+# APIM CLIENT
+
+data "azuread_service_principal" "apim_client_svc" {
+  display_name = "io-p-apim-api-management-client"
+}
+
+resource "azurerm_role_assignment" "apim_client_role" {
+  for_each             = toset(local.role_definition_names.apim_client)
+  principal_id         = data.azuread_service_principal.apim_client_svc.id
+  role_definition_name = each.value
+  scope                = module.apim_itn.id
+}
+
+# DEVELOPER PORTAL
+
+data "azuread_service_principal" "dev_portal_svc" {
+  display_name = "io-prod-sp-developer-portal"
+}
+
+resource "azurerm_role_assignment" "dev_portal_role" {
+  for_each             = toset(local.role_definition_names.dev_portal)
+  principal_id         = data.azuread_service_principal.dev_portal_svc.id
+  role_definition_name = each.value
+  scope                = module.apim_itn.id
+}