[FIX] Removed all CGN role assigned for APIM ITN and moved into CGN d…

…omain (#1319)
pagopa · Nov 18, 2024 · 55d31b3 · 55d31b3
1 parent a28e33b
commit 55d31b3
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 29 deletions.
diff --git a/src/common/prod/README.md b/src/common/prod/README.md
@@ -12,7 +12,6 @@
 |------|---------|
 | <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 2.53.1 |
 | <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.116.0 |
-| <a name="provider_azurerm.prod-esercenti"></a> [azurerm.prod-esercenti](#provider\_azurerm.prod-esercenti) | 3.116.0 |
 | <a name="provider_azurerm.prod-trial"></a> [azurerm.prod-trial](#provider\_azurerm.prod-trial) | 3.116.0 |
 | <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
 
@@ -40,7 +39,6 @@
 |------|------|
 | [azurerm_resource_group.github_runner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_role_assignment.apim_client_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.cgn_backend1_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.dev_portal_role](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azuread_service_principal.apim_client_svc](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
 | [azuread_service_principal.dev_portal_svc](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
@@ -56,7 +54,6 @@
 | [azurerm_linux_function_app.services_app_backend_function_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
 | [azurerm_linux_function_app.wallet_user](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_function_app) | data source |
 | [azurerm_linux_web_app.firmaconio_selfcare_web_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
-| [azurerm_linux_web_app.portal_backend_1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/linux_web_app) | data source |
 | [azurerm_subnet.admin_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.cosmos_api_allowed](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.itn_auth_fast_login_func_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |

diff --git a/src/common/prod/iam.tf b/src/common/prod/iam.tf
@@ -1,16 +1,5 @@
-provider "azurerm" {
-  alias           = "prod-esercenti"
-  subscription_id = "74da48a3-b0e7-489d-8172-da79801086ed"
-
-  features {}
-}
-
 locals {
   role_definition_names = {
-    cgn = [
-      "Reader",
-      "API Management Service Reader Role"
-    ]
     apim_client = [
       "Reader",
       "API Management Service Reader Role",
@@ -24,21 +13,6 @@ locals {
   }
 }
 
-# CGN
-
-data "azurerm_linux_web_app" "portal_backend_1" {
-  provider            = azurerm.prod-esercenti
-  name                = "cgnonboardingportal-p-portal-backend1"
-  resource_group_name = "cgnonboardingportal-p-api-rg"
-}
-
-resource "azurerm_role_assignment" "cgn_backend1_role" {
-  for_each             = toset(local.role_definition_names.cgn)
-  principal_id         = data.azurerm_linux_web_app.portal_backend_1.identity[0].principal_id
-  role_definition_name = each.value
-  scope                = module.apim_itn.id
-}
-
 # APIM CLIENT
 
 data "azuread_service_principal" "apim_client_svc" {

diff --git a/src/domains/cgn/_modules/apim/role_assignments.tf b/src/domains/cgn/_modules/apim/role_assignments.tf
@@ -3,3 +3,15 @@ resource "azurerm_role_assignment" "service_contributor_v2" {
   role_definition_name = "API Management Service Contributor"
   principal_id         = data.azurerm_key_vault_secret.cgn_onboarding_backend_identity_v2.value
 }
+
+resource "azurerm_role_assignment" "service_reader" {
+  scope                = data.azurerm_api_management.apim.id
+  role_definition_name = "Reader"
+  principal_id         = data.azurerm_key_vault_secret.cgn_onboarding_backend_identity_v2.value
+}
+
+resource "azurerm_role_assignment" "service_reader_v2" {
+  scope                = data.azurerm_api_management.apim.id
+  role_definition_name = "API Management Service Reader Role"
+  principal_id         = data.azurerm_key_vault_secret.cgn_onboarding_backend_identity_v2.value
+}