From 78fd36c78baad4389e2438e680aa1ad44e33ce30 Mon Sep 17 00:00:00 2001
From: Mario Mupo <43968294+mamu0@users.noreply.github.com>
Date: Mon, 18 Nov 2024 10:19:24 +0100
Subject: [PATCH 1/5] [CES-68] Added APIM resources creation for italynorth
(#1298)
---
src/common/_modules/apim/data.tf | 25 ++++++++++
src/common/_modules/apim/main.tf | 12 ++---
src/common/_modules/apim/networking.tf | 42 ++++++++++++++++
src/common/_modules/apim/outputs.tf | 4 ++
src/common/prod/README.md | 9 ++++
src/common/prod/iam.tf | 67 ++++++++++++++++++++++++++
src/common/prod/italynorth.tf | 27 +++++++++++
src/common/prod/main.tf | 2 +-
8 files changed, 181 insertions(+), 7 deletions(-)
create mode 100644 src/common/prod/iam.tf
diff --git a/src/common/_modules/apim/data.tf b/src/common/_modules/apim/data.tf
index 4a7c1ca63..c26263da4 100644
--- a/src/common/_modules/apim/data.tf
+++ b/src/common/_modules/apim/data.tf
@@ -11,4 +11,29 @@ data "azurerm_key_vault_certificate" "api_internal_io_italia_it" {
data "azurerm_key_vault_certificate" "api_app_internal_io_pagopa_it" {
name = replace(local.apim_hostname_api_app_internal, ".", "-")
key_vault_id = var.key_vault.id
+}
+
+###############
+# FOR TESTING #
+###############
+
+data "azurerm_private_dns_zone" "azure_api_net" {
+ count = var.migration ? 1 : 0
+
+ name = "azure-api.net"
+ resource_group_name = "io-p-rg-common"
+}
+
+data "azurerm_private_dns_zone" "management_azure_api_net" {
+ count = var.migration ? 1 : 0
+
+ name = "management.azure-api.net"
+ resource_group_name = "io-p-rg-common"
+}
+
+data "azurerm_private_dns_zone" "scm_azure_api_net" {
+ count = var.migration ? 1 : 0
+
+ name = "scm.azure-api.net"
+ resource_group_name = "io-p-rg-common"
}
\ No newline at end of file
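Review bot: The three new data sources hard-code `resource_group_name = "io-p-rg-common"`, and the matching A records in networking.tf repeat the same literal three more times, while the rest of this module takes its inputs through variables (`var.key_vault.id` two lines above, `var.migration` on each `count`). A single `variable "private_dns_zone_resource_group"` or a local would keep that resource-group name in one place and make the dependency on it visible in the module interface. The `# FOR TESTING #` banner also says nothing about what is being tested or when the lookups go away; a one-line note such as `# migration-only: resolves the shared azure-api.net zones so the ITN instance can be registered in them; removed when var.migration is false` would make the intent reviewable.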
diff --git a/src/common/_modules/apim/main.tf b/src/common/_modules/apim/main.tf
index 245175371..745a48104 100644
--- a/src/common/_modules/apim/main.tf
+++ b/src/common/_modules/apim/main.tf
@@ -8,12 +8,12 @@ module "apim_v2" {
publisher_name = "IO"
publisher_email = data.azurerm_key_vault_secret.apim_publisher_email.value
notification_sender_email = data.azurerm_key_vault_secret.apim_publisher_email.value
- sku_name = var.migration ? "Developer_1" : "Premium_2"
+ sku_name = "Premium_2"
virtual_network_type = "Internal"
- zones = var.migration ? null : ["1", "2"]
+ zones = ["1", "2"]
redis_cache_id = null
- public_ip_address_id = var.migration ? null : azurerm_public_ip.apim.id
+ public_ip_address_id = azurerm_public_ip.apim.id
hostname_configuration = var.migration ? null : {
proxy = [
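Review bot: After this change `var.migration` gates only `hostname_configuration` in this block (the `var.migration ? null : {` on the line above `proxy = [`), so an instance created with `migration = true` is a full Premium_2, zone-redundant deployment with a public IP but no custom hostnames or certificates; the variable name no longer describes that. The other hunks in this file (the `application_insights`, `autoscale` and `metric_alerts` ternaries) drop the flag the same way, so the remaining meaning should be written down where the variable is declared, e.g. `description = "When true the instance is created without custom hostname configuration and is registered in the shared azure-api.net private DNS zones (see data.tf/networking.tf)"`. `module "apim_v2"` starts before this hunk and continues after it.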
@@ -51,12 +51,12 @@ module "apim_v2" {
management_logger_applicaiton_insight_enabled = true
application_insights = {
- enabled = var.migration ? false : true
+ enabled = true
instrumentation_key = var.ai_instrumentation_key
}
autoscale = {
- enabled = var.migration ? false : true
+ enabled = true
default_instances = 3
minimum_instances = 2
maximum_instances = 6
@@ -78,7 +78,7 @@ module "apim_v2" {
]
# https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported#microsoftapimanagementservice
- metric_alerts = var.migration ? {} : {
+ metric_alerts = {
capacity = {
description = "Apim used capacity is too high. Runbook: https://pagopa.atlassian.net/wiki/spaces/IC/pages/791642113/APIM+Capacity"
frequency = "PT5M"
diff --git a/src/common/_modules/apim/networking.tf b/src/common/_modules/apim/networking.tf
index 4e8ba503d..da6dcd430 100644
--- a/src/common/_modules/apim/networking.tf
+++ b/src/common/_modules/apim/networking.tf
@@ -47,3 +47,45 @@ resource "azurerm_public_ip" "apim" {
tags = var.tags
}
+
+###############
+# FOR TESTING #
+###############
+
+# Define the A Records for APIM ITN
+
+resource "azurerm_private_dns_a_record" "apim_azure_api_net" {
+ count = var.migration ? 1 : 0
+
+ name = module.apim_v2.name
+ zone_name = data.azurerm_private_dns_zone.azure_api_net[0].name
+ resource_group_name = "io-p-rg-common"
+ ttl = 3600
+ records = module.apim_v2.private_ip_addresses
+
+ tags = var.tags
+}
+
+resource "azurerm_private_dns_a_record" "apim_management_azure_api_net" {
+ count = var.migration ? 1 : 0
+
+ name = module.apim_v2.name
+ zone_name = data.azurerm_private_dns_zone.management_azure_api_net[0].name
+ resource_group_name = "io-p-rg-common"
+ ttl = 3600
+ records = module.apim_v2.private_ip_addresses
+
+ tags = var.tags
+}
+
+resource "azurerm_private_dns_a_record" "apim_scm_azure_api_net" {
+ count = var.migration ? 1 : 0
+
+ name = module.apim_v2.name
+ zone_name = data.azurerm_private_dns_zone.scm_azure_api_net[0].name
+ resource_group_name = "io-p-rg-common"
+ ttl = 3600
+ records = module.apim_v2.private_ip_addresses
+
+ tags = var.tags
+}
\ No newline at end of file
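Review bot: The three A records are keyed on `module.apim_v2.name` in private DNS zones shared with the existing WEU deployment, and the `# FOR TESTING #` banner gives no hint of what they enable or when they should go; if a record of the same name already exists in any of those zones, the apply would presumably fail until it is imported. A comment above the first record stating purpose and exit condition, e.g. `# Registers the ITN instance's private IPs for the gateway/management/scm endpoints while migration is in progress; removed when migration = false`, would make that reviewable. The `ttl`, `records` and `tags` lines are identical across the three records, so a `for_each` over the three zone data sources would also remove the triplication.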
diff --git a/src/common/_modules/apim/outputs.tf b/src/common/_modules/apim/outputs.tf
index f5b12617a..f850ad6ef 100644
--- a/src/common/_modules/apim/outputs.tf
+++ b/src/common/_modules/apim/outputs.tf
@@ -17,4 +17,8 @@ output "public_ip" {
output "private_ips" {
value = module.apim_v2.private_ip_addresses
+}
+
+output "id" {
+ value = module.apim_v2.id
}
\ No newline at end of file
diff --git a/src/common/prod/README.md b/src/common/prod/README.md
index 59f107d02..1dbd3a99a 100644
--- a/src/common/prod/README.md
+++ b/src/common/prod/README.md
@@ -10,7 +10,9 @@
| Name | Version |
|------|---------|
+| [azuread](#provider\_azuread) | 2.53.1 |
| [azurerm](#provider\_azurerm) | 3.116.0 |
+| [azurerm.prod-esercenti](#provider\_azurerm.prod-esercenti) | 3.116.0 |
| [azurerm.prod-trial](#provider\_azurerm.prod-trial) | 3.116.0 |
| [terraform](#provider\_terraform) | n/a |
@@ -18,6 +20,7 @@
| Name | Source | Version |
|------|--------|---------|
+| [apim\_itn](#module\_apim\_itn) | ../_modules/apim | n/a |
| [apim\_weu](#module\_apim\_weu) | ../_modules/apim | n/a |
| [app\_backend\_li\_weu](#module\_app\_backend\_li\_weu) | ../_modules/app_backend | n/a |
| [app\_backend\_weu](#module\_app\_backend\_weu) | ../_modules/app_backend | n/a |
@@ -36,6 +39,11 @@
| Name | Type |
|------|------|
| [azurerm_resource_group.github_runner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_role_assignment.apim_client_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.cgn_backend1_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.dev_portal_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azuread_service_principal.apim_client_svc](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
+| [azuread_service_principal.dev_portal_svc](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
| [azurerm_api_management.trial_system](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source |
| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
| [azurerm_linux_function_app.app_messages_xl](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
@@ -48,6 +56,7 @@
| [azurerm_linux_function_app.services_app_backend_function_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
| [azurerm_linux_function_app.wallet_user](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
| [azurerm_linux_web_app.firmaconio_selfcare_web_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
+| [azurerm_linux_web_app.portal_backend_1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
| [azurerm_subnet.admin_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subnet.cosmos_api_allowed](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subnet.itn_auth_fast_login_func_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
diff --git a/src/common/prod/iam.tf b/src/common/prod/iam.tf
new file mode 100644
index 000000000..5018ee8e0
--- /dev/null
+++ b/src/common/prod/iam.tf
@@ -0,0 +1,67 @@
+provider "azurerm" {
+ alias = "prod-esercenti"
+ subscription_id = "74da48a3-b0e7-489d-8172-da79801086ed"
+
+ features {}
+}
+
+locals {
+ role_definition_names = {
+ cgn = [
+ "Reader",
+ "API Management Service Reader Role",
+ "API Management Service Contributor"
+ ]
+ apim_client = [
+ "Reader",
+ "API Management Service Reader Role",
+ "Contributor"
+ ]
+ dev_portal = [
+ "Reader",
+ "API Management Service Reader Role",
+ "Contributor"
+ ]
+ }
+}
+
+# CGN
+
+data "azurerm_linux_web_app" "portal_backend_1" {
+ provider = azurerm.prod-esercenti
+ name = "cgnonboardingportal-p-portal-backend1"
+ resource_group_name = "cgnonboardingportal-p-api-rg"
+}
+
+resource "azurerm_role_assignment" "cgn_backend1_role" {
+ for_each = toset(local.role_definition_names.cgn)
+ principal_id = data.azurerm_linux_web_app.portal_backend_1.identity[0].principal_id
+ role_definition_name = each.value
+ scope = module.apim_itn.id
+}
+
+# APIM CLIENT
+
+data "azuread_service_principal" "apim_client_svc" {
+ display_name = "io-p-apim-api-management-client"
+}
+
+resource "azurerm_role_assignment" "apim_client_role" {
+ for_each = toset(local.role_definition_names.apim_client)
+ principal_id = data.azuread_service_principal.apim_client_svc.id
+ role_definition_name = each.value
+ scope = module.apim_itn.id
+}
+
+# DEVELOPER PORTAL
+
+data "azuread_service_principal" "dev_portal_svc" {
+ display_name = "io-prod-sp-developer-portal"
+}
+
+resource "azurerm_role_assignment" "dev_portal_role" {
+ for_each = toset(local.role_definition_names.dev_portal)
+ principal_id = data.azuread_service_principal.dev_portal_svc.id
+ role_definition_name = each.value
+ scope = module.apim_itn.id
+}
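Review bot: `Contributor` in the `apim_client` and `dev_portal` lists is the generic resource-level role, whereas the `cgn` list uses the service-scoped `API Management Service Contributor`; if those two principals only need to manage the APIM instance, the narrower role is the least-privilege choice, and in either case pairing a contributor role with `Reader` and `API Management Service Reader Role` on the same scope is redundant because the contributor roles already include read. The `azuread_service_principal` lookups resolve by `display_name`, which is not guaranteed to be unique, so the assignment lands on whichever principal matches (or the plan fails when several do); `client_id` or `object_id` pins the identity. A comment per list recording why each role is required would let the next reviewer audit the grants without re-deriving them.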
diff --git a/src/common/prod/italynorth.tf b/src/common/prod/italynorth.tf
index a004a0372..fdb699a02 100644
--- a/src/common/prod/italynorth.tf
+++ b/src/common/prod/italynorth.tf
@@ -31,5 +31,32 @@ module "private_endpoints" {
pep_snet_id = local.core.networking.itn.pep_snet.id
dns_zones = module.global.dns.private_dns_zones
+ tags = local.tags
+}
+
+module "apim_itn" {
+ source = "../_modules/apim"
+
+ migration = true
+ location = "italynorth"
+ location_short = local.core.resource_groups.italynorth.location_short
+ project = local.project_itn
+ prefix = local.prefix
+ resource_group_common = local.resource_groups.itn.common
+ resource_group_internal = local.resource_groups.itn.internal
+
+ vnet_common = local.core.networking.itn.vnet_common
+ cidr_subnet = "10.20.100.0/24"
+
+ datasources = {
+ azurerm_client_config = data.azurerm_client_config.current
+ }
+
+ key_vault = local.core.key_vault.weu.kv
+ key_vault_common = local.core.key_vault.weu.kv_common
+
+ action_group_id = module.monitoring_weu.action_groups.error
+ ai_instrumentation_key = module.monitoring_weu.appi_instrumentation_key
+
tags = local.tags
}
\ No newline at end of file
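Review bot: `migration = true` and `cidr_subnet = "10.20.100.0/24"` are bare literals with no comment, while the other network inputs of this module call come from `local.core.networking.itn`; the flag switches off hostname configuration and turns on the test DNS records inside the module, which a reader cannot tell from here. A short comment such as `# migration: no custom hostnames yet; registers the instance in the shared azure-api.net zones (see _modules/apim)` above the flag, and keeping the CIDR next to the other ITN address ranges, would make the call self-explanatory. The Key Vaults, action group and instrumentation key are taken from WEU resources (`local.core.key_vault.weu.*`, `module.monitoring_weu.*`), presumably on purpose during the migration, but that too deserves a one-line note.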
diff --git a/src/common/prod/main.tf b/src/common/prod/main.tf
index 97b629243..f3e334380 100644
--- a/src/common/prod/main.tf
+++ b/src/common/prod/main.tf
@@ -24,4 +24,4 @@ provider "azurerm" {
subscription_id = "a2124115-ba74-462f-832a-9192cbd03649"
features {}
-}
\ No newline at end of file
+}
\ No newline at end of file
From a28e33b0e019ce9f3b02677e0b90b8abb672ee7e Mon Sep 17 00:00:00 2001
From: Mario Mupo <43968294+mamu0@users.noreply.github.com>
Date: Mon, 18 Nov 2024 12:43:17 +0100
Subject: [PATCH 2/5] [FIX] Removed existent role assigned for ITN APIM (#1318)
---
src/common/prod/iam.tf | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/common/prod/iam.tf b/src/common/prod/iam.tf
index 5018ee8e0..d4af6a801 100644
--- a/src/common/prod/iam.tf
+++ b/src/common/prod/iam.tf
@@ -9,8 +9,7 @@ locals {
role_definition_names = {
cgn = [
"Reader",
- "API Management Service Reader Role",
- "API Management Service Contributor"
+ "API Management Service Reader Role"
]
apim_client = [
"Reader",
From 55d31b3d68a179aa886347c57f00171bf1560091 Mon Sep 17 00:00:00 2001
From: Mario Mupo <43968294+mamu0@users.noreply.github.com>
Date: Mon, 18 Nov 2024 13:04:23 +0100
Subject: [PATCH 3/5] [FIX] Removed all CGN role assigned for APIM ITN and
moved into CGN domain (#1319)
---
src/common/prod/README.md | 3 ---
src/common/prod/iam.tf | 26 -------------------
.../cgn/_modules/apim/role_assignments.tf | 12 +++++++++
3 files changed, 12 insertions(+), 29 deletions(-)
diff --git a/src/common/prod/README.md b/src/common/prod/README.md
index 1dbd3a99a..1dcb08138 100644
--- a/src/common/prod/README.md
+++ b/src/common/prod/README.md
@@ -12,7 +12,6 @@
|------|---------|
| [azuread](#provider\_azuread) | 2.53.1 |
| [azurerm](#provider\_azurerm) | 3.116.0 |
-| [azurerm.prod-esercenti](#provider\_azurerm.prod-esercenti) | 3.116.0 |
| [azurerm.prod-trial](#provider\_azurerm.prod-trial) | 3.116.0 |
| [terraform](#provider\_terraform) | n/a |
@@ -40,7 +39,6 @@
|------|------|
| [azurerm_resource_group.github_runner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
| [azurerm_role_assignment.apim_client_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.cgn_backend1_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.dev_portal_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azuread_service_principal.apim_client_svc](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
| [azuread_service_principal.dev_portal_svc](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
@@ -56,7 +54,6 @@
| [azurerm_linux_function_app.services_app_backend_function_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
| [azurerm_linux_function_app.wallet_user](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
| [azurerm_linux_web_app.firmaconio_selfcare_web_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
-| [azurerm_linux_web_app.portal_backend_1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
| [azurerm_subnet.admin_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subnet.cosmos_api_allowed](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subnet.itn_auth_fast_login_func_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
diff --git a/src/common/prod/iam.tf b/src/common/prod/iam.tf
index d4af6a801..9ba0d3a6e 100644
--- a/src/common/prod/iam.tf
+++ b/src/common/prod/iam.tf
@@ -1,16 +1,5 @@
-provider "azurerm" {
- alias = "prod-esercenti"
- subscription_id = "74da48a3-b0e7-489d-8172-da79801086ed"
-
- features {}
-}
-
locals {
role_definition_names = {
- cgn = [
- "Reader",
- "API Management Service Reader Role"
- ]
apim_client = [
"Reader",
"API Management Service Reader Role",
@@ -24,21 +13,6 @@ locals {
}
}
-# CGN
-
-data "azurerm_linux_web_app" "portal_backend_1" {
- provider = azurerm.prod-esercenti
- name = "cgnonboardingportal-p-portal-backend1"
- resource_group_name = "cgnonboardingportal-p-api-rg"
-}
-
-resource "azurerm_role_assignment" "cgn_backend1_role" {
- for_each = toset(local.role_definition_names.cgn)
- principal_id = data.azurerm_linux_web_app.portal_backend_1.identity[0].principal_id
- role_definition_name = each.value
- scope = module.apim_itn.id
-}
-
# APIM CLIENT
data "azuread_service_principal" "apim_client_svc" {
diff --git a/src/domains/cgn/_modules/apim/role_assignments.tf b/src/domains/cgn/_modules/apim/role_assignments.tf
index d375fba73..69147034a 100644
--- a/src/domains/cgn/_modules/apim/role_assignments.tf
+++ b/src/domains/cgn/_modules/apim/role_assignments.tf
@@ -3,3 +3,15 @@ resource "azurerm_role_assignment" "service_contributor_v2" {
role_definition_name = "API Management Service Contributor"
principal_id = data.azurerm_key_vault_secret.cgn_onboarding_backend_identity_v2.value
}
+
+resource "azurerm_role_assignment" "service_reader" {
+ scope = data.azurerm_api_management.apim.id
+ role_definition_name = "Reader"
+ principal_id = data.azurerm_key_vault_secret.cgn_onboarding_backend_identity_v2.value
+}
+
+resource "azurerm_role_assignment" "service_reader_v2" {
+ scope = data.azurerm_api_management.apim.id
+ role_definition_name = "API Management Service Reader Role"
+ principal_id = data.azurerm_key_vault_secret.cgn_onboarding_backend_identity_v2.value
+}
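Review bot: Both new assignments grant read-only roles to the same principal at the same scope that already holds `API Management Service Contributor` (the two context lines at the top of the hunk), so they appear to add no access the existing assignment does not already include; if they are kept only because they already exist in Azure, a comment saying so would spare the next reader the same check. The `_v2` suffix is also overloaded: in `service_contributor_v2` it presumably refers to the v2 identity secret, but `service_reader` and `service_reader_v2` use it to distinguish `Reader` from `API Management Service Reader Role`; names such as `service_reader` and `apim_service_reader` would say what actually differs.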
From c75398deff1666e9e11e366620130fc4b9133fda Mon Sep 17 00:00:00 2001
From: Gianmaria Scorza
Date: Mon, 18 Nov 2024 13:10:26 +0100
Subject: [PATCH 4/5] [IOPAE-1529] iPatente appGateway config (#1312)
---
.../_modules/application_gateway/data.tf | 15 +++
.../_modules/application_gateway/main.tf | 117 +++++++++++++++++-
.../global/modules/dns/dns_io_pagopa_it.tf | 11 ++
src/common/prod/westeurope.tf | 1 +
4 files changed, 143 insertions(+), 1 deletion(-)
diff --git a/src/common/_modules/application_gateway/data.tf b/src/common/_modules/application_gateway/data.tf
index 31abecf22..5e323bfed 100644
--- a/src/common/_modules/application_gateway/data.tf
+++ b/src/common/_modules/application_gateway/data.tf
@@ -37,6 +37,16 @@ data "azurerm_linux_web_app" "appservice_selfcare_be" {
resource_group_name = "${var.project}-selfcare-be-rg"
}
+data "azurerm_linux_web_app" "ipatente_vehicles_app_itn" {
+ name = "${var.project}-itn-ipatente-vehicles-app-01"
+ resource_group_name = "${var.project}-itn-ipatente-rg-01"
+}
+
+data "azurerm_linux_web_app" "ipatente_licences_app_itn" {
+ name = "${var.project}-itn-ipatente-licences-app-01"
+ resource_group_name = "${var.project}-itn-ipatente-rg-01"
+}
+
#######################
### Key Vault ###
#######################
@@ -110,6 +120,11 @@ data "azurerm_key_vault_certificate" "app_gw_selfcare_io" {
key_vault_id = var.key_vault.id
}
+data "azurerm_key_vault_certificate" "app_gw_ipatente_io" {
+ name = var.certificates.ipatente_io_pagopa_it
+ key_vault_id = var.key_vault.id
+}
+
data "azurerm_key_vault_secret" "app_gw_mtls_header_name" {
name = "mtls-header-name"
key_vault_id = var.key_vault.id
diff --git a/src/common/_modules/application_gateway/main.tf b/src/common/_modules/application_gateway/main.tf
index 622a3eff2..d0c3a3938 100644
--- a/src/common/_modules/application_gateway/main.tf
+++ b/src/common/_modules/application_gateway/main.tf
@@ -138,6 +138,34 @@ module "app_gw" {
request_timeout = 10
pick_host_name_from_backend = true
}
+
+ ipatente-vehicles-io-app = {
+ protocol = "Https"
+ host = null
+ port = 443
+ ip_addresses = null # with null value use fqdns
+ fqdns = [
+ data.azurerm_linux_web_app.ipatente_vehicles_app_itn.default_hostname,
+ ]
+ probe = "/api/info"
+ probe_name = "probe-ipatente-vehicles-io-app"
+ request_timeout = 10
+ pick_host_name_from_backend = true
+ }
+
+ ipatente-licences-io-app = {
+ protocol = "Https"
+ host = null
+ port = 443
+ ip_addresses = null # with null value use fqdns
+ fqdns = [
+ data.azurerm_linux_web_app.ipatente_licences_app_itn.default_hostname,
+ ]
+ probe = "/api/info"
+ probe_name = "probe-ipatente-licences-io-app"
+ request_timeout = 10
+ pick_host_name_from_backend = true
+ }
}
ssl_profiles = [{
@@ -333,6 +361,23 @@ module "app_gw" {
}
}
+ # ipatente-io-pagopa-it = {
+ # protocol = "Https"
+ # host = format("ipatente.%s", var.public_dns_zones.io.name)
+ # port = 443
+ # ssl_profile_name = format("%s-ssl-profile", var.project)
+ # firewall_policy_id = null
+
+ # certificate = {
+ # name = var.certificates.ipatente_io_pagopa_it
+ # id = replace(
+ # data.azurerm_key_vault_certificate.app_gw_ipatente_io.secret_id,
+ # "/${data.azurerm_key_vault_certificate.app_gw_ipatente_io.version}",
+ # ""
+ # )
+ # }
+ # }
+
api-app-io-pagopa-it = {
protocol = "Https"
host = format("api-app.%s", var.public_dns_zones.io.name)
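Review bot: The listener block added here is committed entirely commented out, with no indication of why it is disabled or what must happen before it is enabled; the same applies to the commented routing rule, `url_path_map` entry and two rewrite-rule sets in the later hunks of this file. A one-line marker on each block, e.g. `# disabled: <reason> — enable together with <follow-up change>` with the placeholders filled in, would tell a reader whether the block is staged work or dead configuration. `module "app_gw"` starts before this hunk and continues after it.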
@@ -472,6 +517,13 @@ module "app_gw" {
url_map_name = "io-backend-path-based-rule"
priority = 70
}
+
+
+ # ipatente-io-pagopa-it = {
+ # listener = "ipatente-io-pagopa-it"
+ # url_map_name = "io-ipatente-path-based-rule"
+ # priority = 130
+ # }
}
url_path_map = {
@@ -546,6 +598,23 @@ module "app_gw" {
},
}
}
+
+ # io-ipatente-path-based-rule = {
+ # default_backend = "ipatente-vehicles-io-app"
+ # default_rewrite_rule_set_name = "rewrite-rule-set-api-app"
+ # path_rule = {
+ # ipatente-vehicles = {
+ # paths = ["/veh/*"]
+ # backend = "ipatente-vehicles-io-app",
+ # rewrite_rule_set_name = "rewrite-rule-set-api-app-remove-base-path-ipatente-vehicles"
+ # },
+ # ipatente-licences = {
+ # paths = ["/lic/*"]
+ # backend = "ipatente-licences-io-app",
+ # rewrite_rule_set_name = "rewrite-rule-set-api-app-remove-base-path-ipatente-licences"
+ # },
+ # }
+ # }
}
rewrite_rule_sets = [
@@ -797,7 +866,53 @@ module "app_gw" {
]
response_header_configurations = []
}]
- }
+ },
+ # {
+ # name = "rewrite-rule-set-api-app-remove-base-path-ipatente-vehicles"
+ # rewrite_rules = [
+ # local.io_backend_ip_headers_rule,
+ # {
+ # name = "strip_base_ipatente_vehicles_path"
+ # rule_sequence = 200
+ # conditions = [{
+ # variable = "var_uri_path"
+ # pattern = "/veh/(.*)"
+ # ignore_case = true
+ # negate = false
+ # }]
+ # url = {
+ # path = "/{var_uri_path_1}"
+ # query_string = null
+ # reroute = false
+ # components = "path_only"
+ # }
+ # request_header_configurations = []
+ # response_header_configurations = []
+ # }]
+ # },
+ # {
+ # name = "rewrite-rule-set-api-app-remove-base-path-ipatente-licences"
+ # rewrite_rules = [
+ # local.io_backend_ip_headers_rule,
+ # {
+ # name = "strip_base_ipatente_licences_path"
+ # rule_sequence = 200
+ # conditions = [{
+ # variable = "var_uri_path"
+ # pattern = "/lic/(.*)"
+ # ignore_case = true
+ # negate = false
+ # }]
+ # url = {
+ # path = "/{var_uri_path_1}"
+ # query_string = null
+ # reroute = false
+ # components = "path_only"
+ # }
+ # request_header_configurations = []
+ # response_header_configurations = []
+ # }]
+ # }
]
# TLS
diff --git a/src/common/_modules/global/modules/dns/dns_io_pagopa_it.tf b/src/common/_modules/global/modules/dns/dns_io_pagopa_it.tf
index 1cc44bdf8..f29c98afb 100644
--- a/src/common/_modules/global/modules/dns/dns_io_pagopa_it.tf
+++ b/src/common/_modules/global/modules/dns/dns_io_pagopa_it.tf
@@ -135,3 +135,14 @@ resource "azurerm_dns_a_record" "openid_provider_io_pagopa_it" {
tags = var.tags
}
+
+# ipatente.io.pagopa.it
+resource "azurerm_dns_a_record" "ipatente_io_pagopa_it" {
+ name = "ipatente"
+ zone_name = azurerm_dns_zone.io_pagopa_it.name
+ resource_group_name = var.resource_groups.external
+ ttl = var.dns_default_ttl_sec
+ records = [var.app_gateway_public_ip]
+
+ tags = var.tags
+}
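Review bot: This public A record for `ipatente.io.pagopa.it` is created in the same patch that leaves the matching Application Gateway listener commented out, so the name resolves to the gateway before any listener exists for that host; until the follow-up lands, clients would presumably be served by whichever listener the gateway falls back to, with a certificate that does not match the name. Either the record should be enabled together with the listener, or a comment on the record should state the intended rollout order, e.g. `# published ahead of the listener; see <follow-up change>`.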
diff --git a/src/common/prod/westeurope.tf b/src/common/prod/westeurope.tf
index ebc2f10f3..02d250329 100644
--- a/src/common/prod/westeurope.tf
+++ b/src/common/prod/westeurope.tf
@@ -327,6 +327,7 @@ module "application_gateway_weu" {
continua_io_pagopa_it = "continua-io-pagopa-it"
selfcare_io_pagopa_it = "selfcare-io-pagopa-it"
oauth_io_pagopa_it = "oauth-io-pagopa-it"
+ ipatente_io_pagopa_it = "ipatente-io-pagopa-it"
}
cidr_subnet = ["10.0.13.0/24"]
From e929903d1c3e13fdbd25390ccde2b3c397b0cec4 Mon Sep 17 00:00:00 2001
From: Gianmaria Scorza
Date: Mon, 18 Nov 2024 15:35:38 +0100
Subject: [PATCH 5/5] [IOPAE-1529] add listener, path based route for ipatente
(#1320)
---
.../_modules/application_gateway/main.tf | 168 +++++++++---------
1 file changed, 84 insertions(+), 84 deletions(-)
diff --git a/src/common/_modules/application_gateway/main.tf b/src/common/_modules/application_gateway/main.tf
index d0c3a3938..6ee13f08e 100644
--- a/src/common/_modules/application_gateway/main.tf
+++ b/src/common/_modules/application_gateway/main.tf
@@ -361,23 +361,6 @@ module "app_gw" {
}
}
- # ipatente-io-pagopa-it = {
- # protocol = "Https"
- # host = format("ipatente.%s", var.public_dns_zones.io.name)
- # port = 443
- # ssl_profile_name = format("%s-ssl-profile", var.project)
- # firewall_policy_id = null
-
- # certificate = {
- # name = var.certificates.ipatente_io_pagopa_it
- # id = replace(
- # data.azurerm_key_vault_certificate.app_gw_ipatente_io.secret_id,
- # "/${data.azurerm_key_vault_certificate.app_gw_ipatente_io.version}",
- # ""
- # )
- # }
- # }
-
api-app-io-pagopa-it = {
protocol = "Https"
host = format("api-app.%s", var.public_dns_zones.io.name)
@@ -428,6 +411,23 @@ module "app_gw" {
)
}
}
+
+ ipatente-io-pagopa-it = {
+ protocol = "Https"
+ host = format("ipatente.%s", var.public_dns_zones.io.name)
+ port = 443
+ ssl_profile_name = format("%s-ssl-profile", var.project)
+ firewall_policy_id = null
+
+ certificate = {
+ name = var.certificates.ipatente_io_pagopa_it
+ id = replace(
+ data.azurerm_key_vault_certificate.app_gw_ipatente_io.secret_id,
+ "/${data.azurerm_key_vault_certificate.app_gw_ipatente_io.version}",
+ ""
+ )
+ }
+ }
}
# maps listener to backend
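Review bot: The new public listener sets `firewall_policy_id = null`, so no listener-level WAF policy is attached, and whether a gateway-level policy covers it cannot be seen in this hunk. Since this exposes two new backends on a public hostname, the decision should be recorded next to the value, e.g. `firewall_policy_id = null # covered by the gateway-level WAF policy` if that is the case, or the listener should reference the same policy the other public listeners use if they attach one. `module "app_gw"` starts before this hunk and continues after it.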
@@ -519,11 +519,11 @@ module "app_gw" {
}
- # ipatente-io-pagopa-it = {
- # listener = "ipatente-io-pagopa-it"
- # url_map_name = "io-ipatente-path-based-rule"
- # priority = 130
- # }
+ ipatente-io-pagopa-it = {
+ listener = "ipatente-io-pagopa-it"
+ url_map_name = "io-ipatente-path-based-rule"
+ priority = 130
+ }
}
url_path_map = {
@@ -599,22 +599,22 @@ module "app_gw" {
}
}
- # io-ipatente-path-based-rule = {
- # default_backend = "ipatente-vehicles-io-app"
- # default_rewrite_rule_set_name = "rewrite-rule-set-api-app"
- # path_rule = {
- # ipatente-vehicles = {
- # paths = ["/veh/*"]
- # backend = "ipatente-vehicles-io-app",
- # rewrite_rule_set_name = "rewrite-rule-set-api-app-remove-base-path-ipatente-vehicles"
- # },
- # ipatente-licences = {
- # paths = ["/lic/*"]
- # backend = "ipatente-licences-io-app",
- # rewrite_rule_set_name = "rewrite-rule-set-api-app-remove-base-path-ipatente-licences"
- # },
- # }
- # }
+ io-ipatente-path-based-rule = {
+ default_backend = "ipatente-vehicles-io-app"
+ default_rewrite_rule_set_name = "rewrite-rule-set-api-app"
+ path_rule = {
+ ipatente-vehicles = {
+ paths = ["/veh/*"]
+ backend = "ipatente-vehicles-io-app",
+ rewrite_rule_set_name = "rewrite-rule-set-api-app-remove-base-path-ipatente-vehicles"
+ },
+ ipatente-licences = {
+ paths = ["/lic/*"]
+ backend = "ipatente-licences-io-app",
+ rewrite_rule_set_name = "rewrite-rule-set-api-app-remove-base-path-ipatente-licences"
+ },
+ }
+ }
}
rewrite_rule_sets = [
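Review bot: `default_backend = "ipatente-vehicles-io-app"` with `default_rewrite_rule_set_name = "rewrite-rule-set-api-app"` means every request on the `ipatente` listener that matches neither `/veh/*` nor `/lic/*` is forwarded to the vehicles backend with its path unchanged, because the base-path-stripping rewrite sets apply only to the two path rules. If that fallback is intended it should be stated, e.g. `# default: unmatched paths go to the vehicles app unrewritten`; if not, the default should point at a backend that rejects unknown paths. `module "app_gw"` starts before this hunk and continues after it.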
@@ -867,52 +867,52 @@ module "app_gw" {
response_header_configurations = []
}]
},
- # {
- # name = "rewrite-rule-set-api-app-remove-base-path-ipatente-vehicles"
- # rewrite_rules = [
- # local.io_backend_ip_headers_rule,
- # {
- # name = "strip_base_ipatente_vehicles_path"
- # rule_sequence = 200
- # conditions = [{
- # variable = "var_uri_path"
- # pattern = "/veh/(.*)"
- # ignore_case = true
- # negate = false
- # }]
- # url = {
- # path = "/{var_uri_path_1}"
- # query_string = null
- # reroute = false
- # components = "path_only"
- # }
- # request_header_configurations = []
- # response_header_configurations = []
- # }]
- # },
- # {
- # name = "rewrite-rule-set-api-app-remove-base-path-ipatente-licences"
- # rewrite_rules = [
- # local.io_backend_ip_headers_rule,
- # {
- # name = "strip_base_ipatente_licences_path"
- # rule_sequence = 200
- # conditions = [{
- # variable = "var_uri_path"
- # pattern = "/lic/(.*)"
- # ignore_case = true
- # negate = false
- # }]
- # url = {
- # path = "/{var_uri_path_1}"
- # query_string = null
- # reroute = false
- # components = "path_only"
- # }
- # request_header_configurations = []
- # response_header_configurations = []
- # }]
- # }
+ {
+ name = "rewrite-rule-set-api-app-remove-base-path-ipatente-vehicles"
+ rewrite_rules = [
+ local.io_backend_ip_headers_rule,
+ {
+ name = "strip_base_ipatente_vehicles_path"
+ rule_sequence = 200
+ conditions = [{
+ variable = "var_uri_path"
+ pattern = "/veh/(.*)"
+ ignore_case = true
+ negate = false
+ }]
+ url = {
+ path = "/{var_uri_path_1}"
+ query_string = null
+ reroute = false
+ components = "path_only"
+ }
+ request_header_configurations = []
+ response_header_configurations = []
+ }]
+ },
+ {
+ name = "rewrite-rule-set-api-app-remove-base-path-ipatente-licences"
+ rewrite_rules = [
+ local.io_backend_ip_headers_rule,
+ {
+ name = "strip_base_ipatente_licences_path"
+ rule_sequence = 200
+ conditions = [{
+ variable = "var_uri_path"
+ pattern = "/lic/(.*)"
+ ignore_case = true
+ negate = false
+ }]
+ url = {
+ path = "/{var_uri_path_1}"
+ query_string = null
+ reroute = false
+ components = "path_only"
+ }
+ request_header_configurations = []
+ response_header_configurations = []
+ }]
+ }
]
# TLS