From f8cac4864a77b134e7c4c96c63c7360a19d97aee Mon Sep 17 00:00:00 2001 From: ffppa Date: Tue, 24 Sep 2024 16:40:50 +0200 Subject: [PATCH 01/41] fix: [PAYMCLOUD-92] Fix source and modified path filter excluding scripts folder (#2438) --- .github/workflows/static_analysis_pr.yml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/.github/workflows/static_analysis_pr.yml b/.github/workflows/static_analysis_pr.yml index ea87928309..6ad6651860 100644 --- a/.github/workflows/static_analysis_pr.yml +++ b/.github/workflows/static_analysis_pr.yml @@ -24,6 +24,7 @@ jobs: # # Discover only the paths changed inside src and src/domains, between my current branch and origin/main # + ignored_path="domains|scripts|github|.devops" echo "get current branch" current_branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}} echo "current branch: $current_branch" @@ -31,7 +32,7 @@ jobs: git diff --name-only $current_branch origin/main --output=/tmp/diff.txt echo "get modified paths from source" # i'm using echo because using grep directly fails. it produces an invalid output that breaks the variable assignment - source_count=$(echo "$(grep -v 'domains' /tmp/diff.txt | wc -l )") + source_count=$(echo "$(egrep -v "$ignored_path" /tmp/diff.txt | wc -l )") echo "source count: $source_count" if [[ $source_count -eq 0 ]] then @@ -39,7 +40,7 @@ jobs: modified_paths_source="" else echo "in source if false" - modified_paths_source=$(grep -v 'domains' /tmp/diff.txt | grep '/' | cut -d '/' -f 1,2 | uniq ) + modified_paths_source=$(egrep -v "$ignored_path" /tmp/diff.txt | grep '/' | cut -d '/' -f 1,2 | uniq ) fi echo "modified_paths_source: $modified_paths_source" 
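Review bot: The new `ignored_path="domains|scripts|github|.devops"` is applied with `egrep -v` as a set of unanchored substrings, so `github` and `.devops` (the dot is a regex wildcard) drop any changed file whose path merely contains those words — a file named like the `10_github_identity.tf` added later in this series, if it lived outside `src/domains`, would vanish from `modified_paths_source` and never be downloaded or scanned, which is the wrong direction for a static-analysis gate to fail in. Anchor the filter to top-level directories and escape the dots, e.g. `ignored_path="^(src/domains|scripts|\.github|\.devops)/"`, and use `grep -E -v` instead of the obsolescent `egrep`. The original `domains` token was already unanchored, so confirm against the repository layout that `src/domains` is the only prefix it was meant to exclude. The step's shell script continues outside this hunk.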
@@ -59,13 +60,22 @@ jobs: echo "modified_paths_domains: $modified_paths_domains" echo "merge paths" - modified_paths="$modified_paths_source $modified_paths_domains .github" + modified_paths="$modified_paths_source $modified_paths_domains" echo "📌 modified_paths" # - # This is the only way to pass a string with paths to other step without error, usign env the paths force an error + # This is the only way to pass a string with paths to other step without error, using env the paths force an error # echo "$modified_paths" > "/tmp/paths.txt" + # Check if any of the modified files are in the 'src' directory + if echo "$modified_paths" | grep -q '^src/'; then + echo "src folder modified." + echo "run_static_analysis=true" >> $GITHUB_ENV + else + echo "src folder not modified." + echo "run_static_analysis=false" >> $GITHUB_ENV + fi + shell: bash - name: ⏬ Download only changed folders @@ -95,6 +105,7 @@ jobs: du -h -d 3 . - name: Static Analysis + if: env.run_static_analysis == 'true' uses: pagopa/eng-github-actions-iac-template/azure/terraform-static-analysis@v1.14.1 with: precommit_version: 'v1.89.1@sha256:1ea921bc4fe87651d41677218e537afdcdb8202e757e554b9866668eaba144c5' From bbebd4a5d9f2d81ce4d640f67eed86dc7bd95da8 Mon Sep 17 00:00:00 2001 
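Review bot: `if: env.run_static_analysis == 'true'` fails open: the variable is only ever written by the `>> $GITHUB_ENV` lines of the discovery step, so if that step leaves it unset for any reason the comparison is false and the Terraform static analysis is silently skipped on the PR rather than reported. A security gate should default to running, so invert it to `if: env.run_static_analysis != 'false'` so that only an explicit opt-out disables the scan. A one-line comment on the step would also help, e.g. `# skipped only when the discovery step proved no src/ path changed`. The rest of the job lies outside this hunk.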
From: Alessio Cialini <63233981+alessio-cialini@users.noreply.github.com> Date: Wed, 25 Sep 2024 10:49:39 +0200 Subject: [PATCH 02/41] feat: PPANTT-115 Introduced payment-options infra (#2405) * [PPANTT-115] feat: Introduced paymentoptions infra * [PPANTT-115] feat: Updated EH config * [PPANTT-115] feat: removed printit references * Update src/domains/paymentoptions-secrets/99_locals.tf Co-authored-by: Jacopo Carlini * [PPANTT-115] feat: Update pagopa-payment-options-service * [PPANTT-115] feat: Update apim_payment_options file * new domain name * rename * app * app * lets * dns * DEV applied * align cfg uat and prod * [PPANTT-115] feat: Updated data, subkey, keyvault --------- Co-authored-by: Jacopo Carlini Co-authored-by: Jacopo Carlini Co-authored-by: pasqualespica <36746022+pasqualespica@users.noreply.github.com> --- .../paymentoptions-app/.terraform.lock.hcl | 107 ++++++ src/domains/paymentoptions-app/00_alerts.tf | 72 ++++ src/domains/paymentoptions-app/00_data.tf | 38 ++ src/domains/paymentoptions-app/00_keyvault.tf | 10 + src/domains/paymentoptions-app/00_monitor.tf | 35 ++ src/domains/paymentoptions-app/00_network.tf | 15 + src/domains/paymentoptions-app/01_network.tf | 9 + .../paymentoptions-app/02_namespace.tf | 20 ++ .../03_serviceaccounts_azure_devops.tf | 67 ++++ .../04_apim_payment_options.tf | 25 ++ .../05_aks_middleware_tools.tf | 49 +++ src/domains/paymentoptions-app/05_subkey.tf | 17 + src/domains/paymentoptions-app/06_keyvault.tf | 69 ++++ src/domains/paymentoptions-app/90_pdb.tf | 15 + src/domains/paymentoptions-app/99_locals.tf | 41 +++ src/domains/paymentoptions-app/99_main.tf | 49 +++ .../paymentoptions-app/99_variables.tf | 158 +++++++++ .../api_product/_base_policy.xml | 14 + .../env/itn-dev/backend.ini | 1 + .../env/itn-dev/backend.tfvars | 4 + .../env/itn-dev/terraform.tfvars | 38 ++ .../env/itn-prod/backend.ini | 1 + .../env/itn-prod/backend.tfvars | 4 + .../env/itn-prod/terraform.tfvars | 47 +++ .../env/itn-uat/backend.ini | 1 + 
.../env/itn-uat/backend.tfvars | 4 + .../env/itn-uat/terraform.tfvars | 38 ++ .../helm/cert-mounter.yaml.tpl | 13 + src/domains/paymentoptions-app/terraform.sh | 324 ++++++++++++++++++ .../paymentoptions-common/.terraform.lock.hcl | 65 ++++ src/domains/paymentoptions-common/00_data.tf | 4 + .../paymentoptions-common/00_monitor.tf | 45 +++ .../paymentoptions-common/00_network.tf | 37 ++ .../paymentoptions-common/01_network.tf | 14 + .../paymentoptions-common/03_eventhub.tf | 86 +++++ .../10_github_identity.tf | 207 +++++++++++ .../paymentoptions-common/99_locals.tf | 32 ++ src/domains/paymentoptions-common/99_main.tf | 31 ++ .../paymentoptions-common/99_variables.tf | 219 ++++++++++++ .../env/itn-dev/backend.ini | 1 + .../env/itn-dev/backend.tfvars | 4 + .../env/itn-dev/terraform.tfvars | 106 ++++++ .../env/itn-prod/backend.ini | 1 + .../env/itn-prod/backend.tfvars | 4 + .../env/itn-prod/terraform.tfvars | 106 ++++++ .../env/itn-uat/backend.ini | 1 + .../env/itn-uat/backend.tfvars | 4 + .../env/itn-uat/terraform.tfvars | 106 ++++++ .../paymentoptions-common/terraform.sh | 324 ++++++++++++++++++ .../.terraform.lock.hcl | 107 ++++++ .../paymentoptions-secrets/00_azuread.tf | 16 + .../paymentoptions-secrets/01_keyvault.tf | 101 ++++++ src/domains/paymentoptions-secrets/02_azdo.tf | 23 ++ .../paymentoptions-secrets/02_init_sops.tf | 21 ++ .../paymentoptions-secrets/03_sops_secrets.tf | 54 +++ .../paymentoptions-secrets/99_locals.tf | 11 + src/domains/paymentoptions-secrets/99_main.tf | 43 +++ .../paymentoptions-secrets/99_variables.tf | 101 ++++++ .../env/itn-dev/backend.ini | 1 + .../env/itn-dev/backend.tfvars | 4 + .../env/itn-dev/terraform.tfvars | 30 ++ .../env/itn-prod/backend.ini | 1 + .../env/itn-prod/backend.tfvars | 4 + .../env/itn-prod/terraform.tfvars | 30 ++ .../env/itn-uat/backend.ini | 1 + .../env/itn-uat/backend.tfvars | 4 + .../env/itn-uat/terraform.tfvars | 27 ++ .../secret/itn-dev/configs.json | 1 + .../secret/itn-dev/secret.ini | 3 + 
.../secret/itn-prod/configs.json | 2 + .../secret/itn-prod/secret.ini | 3 + .../secret/itn-uat/configs.json | 2 + .../secret/itn-uat/secret.ini | 3 + src/domains/paymentoptions-secrets/sops.sh | 137 ++++++++ .../paymentoptions-secrets/terraform.sh | 324 ++++++++++++++++++ .../paymentoptions-secrets/terrasops.sh | 29 ++ 76 files changed, 3765 insertions(+) create mode 100644 src/domains/paymentoptions-app/.terraform.lock.hcl create mode 100644 src/domains/paymentoptions-app/00_alerts.tf create mode 100644 src/domains/paymentoptions-app/00_data.tf create mode 100644 src/domains/paymentoptions-app/00_keyvault.tf create mode 100644 src/domains/paymentoptions-app/00_monitor.tf create mode 100644 src/domains/paymentoptions-app/00_network.tf create mode 100644 src/domains/paymentoptions-app/01_network.tf create mode 100644 src/domains/paymentoptions-app/02_namespace.tf create mode 100644 src/domains/paymentoptions-app/03_serviceaccounts_azure_devops.tf create mode 100644 src/domains/paymentoptions-app/04_apim_payment_options.tf create mode 100644 src/domains/paymentoptions-app/05_aks_middleware_tools.tf create mode 100644 src/domains/paymentoptions-app/05_subkey.tf create mode 100644 src/domains/paymentoptions-app/06_keyvault.tf create mode 100644 src/domains/paymentoptions-app/90_pdb.tf create mode 100644 src/domains/paymentoptions-app/99_locals.tf create mode 100644 src/domains/paymentoptions-app/99_main.tf create mode 100644 src/domains/paymentoptions-app/99_variables.tf create mode 100644 src/domains/paymentoptions-app/api_product/_base_policy.xml create mode 100644 src/domains/paymentoptions-app/env/itn-dev/backend.ini create mode 100644 src/domains/paymentoptions-app/env/itn-dev/backend.tfvars create mode 100644 src/domains/paymentoptions-app/env/itn-dev/terraform.tfvars create mode 100644 src/domains/paymentoptions-app/env/itn-prod/backend.ini create mode 100644 src/domains/paymentoptions-app/env/itn-prod/backend.tfvars create mode 100644 
src/domains/paymentoptions-app/env/itn-prod/terraform.tfvars create mode 100644 src/domains/paymentoptions-app/env/itn-uat/backend.ini create mode 100644 src/domains/paymentoptions-app/env/itn-uat/backend.tfvars create mode 100644 src/domains/paymentoptions-app/env/itn-uat/terraform.tfvars create mode 100644 src/domains/paymentoptions-app/helm/cert-mounter.yaml.tpl create mode 100755 src/domains/paymentoptions-app/terraform.sh create mode 100644 src/domains/paymentoptions-common/.terraform.lock.hcl create mode 100644 src/domains/paymentoptions-common/00_data.tf create mode 100644 src/domains/paymentoptions-common/00_monitor.tf create mode 100644 src/domains/paymentoptions-common/00_network.tf create mode 100644 src/domains/paymentoptions-common/01_network.tf create mode 100644 src/domains/paymentoptions-common/03_eventhub.tf create mode 100644 src/domains/paymentoptions-common/10_github_identity.tf create mode 100644 src/domains/paymentoptions-common/99_locals.tf create mode 100644 src/domains/paymentoptions-common/99_main.tf create mode 100644 src/domains/paymentoptions-common/99_variables.tf create mode 100644 src/domains/paymentoptions-common/env/itn-dev/backend.ini create mode 100644 src/domains/paymentoptions-common/env/itn-dev/backend.tfvars create mode 100644 src/domains/paymentoptions-common/env/itn-dev/terraform.tfvars create mode 100644 src/domains/paymentoptions-common/env/itn-prod/backend.ini create mode 100644 src/domains/paymentoptions-common/env/itn-prod/backend.tfvars create mode 100644 src/domains/paymentoptions-common/env/itn-prod/terraform.tfvars create mode 100644 src/domains/paymentoptions-common/env/itn-uat/backend.ini create mode 100644 src/domains/paymentoptions-common/env/itn-uat/backend.tfvars create mode 100644 src/domains/paymentoptions-common/env/itn-uat/terraform.tfvars create mode 100755 src/domains/paymentoptions-common/terraform.sh create mode 100644 src/domains/paymentoptions-secrets/.terraform.lock.hcl create mode 100644 
src/domains/paymentoptions-secrets/00_azuread.tf create mode 100644 src/domains/paymentoptions-secrets/01_keyvault.tf create mode 100644 src/domains/paymentoptions-secrets/02_azdo.tf create mode 100644 src/domains/paymentoptions-secrets/02_init_sops.tf create mode 100644 src/domains/paymentoptions-secrets/03_sops_secrets.tf create mode 100644 src/domains/paymentoptions-secrets/99_locals.tf create mode 100644 src/domains/paymentoptions-secrets/99_main.tf create mode 100644 src/domains/paymentoptions-secrets/99_variables.tf create mode 100644 src/domains/paymentoptions-secrets/env/itn-dev/backend.ini create mode 100644 src/domains/paymentoptions-secrets/env/itn-dev/backend.tfvars create mode 100644 src/domains/paymentoptions-secrets/env/itn-dev/terraform.tfvars create mode 100644 src/domains/paymentoptions-secrets/env/itn-prod/backend.ini create mode 100644 src/domains/paymentoptions-secrets/env/itn-prod/backend.tfvars create mode 100644 src/domains/paymentoptions-secrets/env/itn-prod/terraform.tfvars create mode 100644 src/domains/paymentoptions-secrets/env/itn-uat/backend.ini create mode 100644 src/domains/paymentoptions-secrets/env/itn-uat/backend.tfvars create mode 100644 src/domains/paymentoptions-secrets/env/itn-uat/terraform.tfvars create mode 100644 src/domains/paymentoptions-secrets/secret/itn-dev/configs.json create mode 100644 src/domains/paymentoptions-secrets/secret/itn-dev/secret.ini create mode 100644 src/domains/paymentoptions-secrets/secret/itn-prod/configs.json create mode 100644 src/domains/paymentoptions-secrets/secret/itn-prod/secret.ini create mode 100644 src/domains/paymentoptions-secrets/secret/itn-uat/configs.json create mode 100644 src/domains/paymentoptions-secrets/secret/itn-uat/secret.ini create mode 100644 src/domains/paymentoptions-secrets/sops.sh create mode 100755 src/domains/paymentoptions-secrets/terraform.sh create mode 100644 src/domains/paymentoptions-secrets/terrasops.sh 
diff --git a/src/domains/paymentoptions-app/.terraform.lock.hcl b/src/domains/paymentoptions-app/.terraform.lock.hcl
new file mode 100644
index 0000000000..949f808b96
--- /dev/null
+++ b/src/domains/paymentoptions-app/.terraform.lock.hcl
@@ -0,0 +1,107 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azuread" { + version = "2.47.0" + constraints = "<= 2.47.0" + hashes = [ + "h1:g8+gBFM4QVOEQFqAEs5pR6iXpbGvgPvcEi1evHwziyw=", + "h1:iRwDQBdXBpVBoYwM9au2RG01RQuJSm3TGQ2kioFVAas=", + "zh:1372d81eb24ef3b4b00ea350fe87219f22da51691b8e42ce91d662f6c2a8af5e", + "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", + "zh:1e654a74d171d6ff8f9f6f67e3ff1421d4c5e56a18607703626bf12cd23ba001", + "zh:35227fad617a0509c64ab5759a8b703b10d244877f1aa5416bfbcc100c96996f", + "zh:357f553f0d78d46a96c7b2ed06d25ee0fc60fc5be19812ccb5d969fa47d62e17", + "zh:58faa2940065137e3e87d02eba59ab5cd7137d7a18caf225e660d1788f274569", + "zh:7308eda0339620fa24f47cedd22221fc2c02cab9d5be1710c09a783aea84eb3a", + "zh:863eabf7f908a8263e28d8aa2ad1381affd6bb5c67755216781f674ef214100e", + "zh:8b95b595a7c14ed7b56194d03cdec253527e7a146c1c58961be09e6b5c50baee", + "zh:afbca6b4fac9a0a488bc22ff9e51a8f14e986137d25275068fd932f379a51d57", + "zh:c6aadec4c81a44c3ffc22c2d90ffc6706bf5a9a903a395d896477516f4be6cbb", + "zh:e54a59de7d4ef0f3a18f91fed0b54a2bce18257ae2ee1df8a88226e1023c5811", + ] +} + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.106.0" + constraints = "~> 3.30, <= 3.106.0" + hashes = [ + "h1:6t9Nz9tYAR9BfHZ8yc56m+GKRl0nriwjQ5DyA0/TnCs=", + "h1:Mxe1/I27IZK3BP6cm84Gt0+7PXd2EDaDUMxuljm/rUA=", + "zh:07980d6fdc40c0adb670c8413a5c667917d6dbb51fcedc467c35d64c2f3a1f47", + "zh:2e6e8491b1f089644b0d23f8da83398f1e10cf5a62b16efcef2b5454fe923038", + "zh:450dbd72821c5619cc3bcdc20fdd0e29515147e44b733f9c79d3a75851810055", + "zh:5e234c0a2f3c9677ea72b2a6e6ca90defb99fab29ae565f5d1f70728ba4ba78f", + "zh:83fd042ece6977429d79affd03d6ce963d2f122604dbf15a1abf203d7a7bbc8a", + "zh:93027e1f66b3bf83398d572d4e6f6e7777330c78c54da3226dadd50fd868ada9", + "zh:ae3d1dd66140c303df97d93c47a60f16735ce17cf156f45475dcee4a7360af5b", + 
"zh:daf9d2eb89e785458a76b88bf2ef0696c472094c77cc9cff3b3ea4b885c5a482", + "zh:dd46370141651e6549da6d85e25c7a6770c47581bbaaa27eda2886d41d849747", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f77405c0d8f6e0d93d9da83256b3b02c164bad4c791ed9604310ff02ae086ad1", + "zh:ffa769147bda833aef8802e3a391bd175ec749862764d61cbdaa8200d5b8f893", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.12.1" + constraints = "~> 2.12, <= 2.12.1" + hashes = [ + "h1:7wfYOAeSEchHB8idNl+2jf+OkFi9zFSOLWkEZFuTCik=", + "h1:aBfcqM4cbywa7TAxfT1YoFS+Cst9waerlm4XErFmJlk=", + "zh:1d623fb1662703f2feb7860e3c795d849c77640eecbc5a776784d08807b15004", + "zh:253a5bc62ba2c4314875139e3fbd2feaad5ef6b0fb420302a474ab49e8e51a38", + "zh:282358f4ad4f20d0ccaab670b8645228bfad1c03ac0d0df5889f0aea8aeac01a", + "zh:4fd06af3091a382b3f0d8f0a60880f59640d2b6d9d6a31f9a873c6f1bde1ec50", + "zh:6816976b1830f5629ae279569175e88b497abbbac30ee809948a1f923c67a80d", + "zh:7d82c4150cdbf48cfeec867be94c7b9bd7682474d4df0ebb7e24e148f964844f", + "zh:83f062049eea2513118a4c6054fb06c8600bac96196f25aed2cc21898ec86e93", + "zh:a79eec0cf4c08fca79e44033ec6e470f25ff23c3e2c7f9bc707ed7771c1072c0", + "zh:b2b2d904b2821a6e579910320605bc478bbef063579a23fbfdd6fcb5871b81f8", + "zh:e91177ca06a15487fc570cb81ecef6359aa399459ea2aa7c4f7367ba86f6fcad", + "zh:e976bcb82996fc4968f8382bbcb6673efb1f586bf92074058a232028d97825b1", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.29.0" + constraints = "~> 2.27, <= 2.29.0" + hashes = [ + "h1:7C1MinWhowW8EnlSYhhAFV3bte8x5YcSF5QxUPdoXDk=", + "h1:Igs0JTtmzn5q7RHqrvrTMCD/DCSLPMinvUnhYZ2oITw=", + "zh:3edd5dc319b95fe94e61b82d10c1ce7fb53a2f21b067ddb742f2d7d0d19dd113", + "zh:4b9096e6d0cfa0efd4c89270e3d25fea49db570e2cfbe49c5d1de085a15f2578", + "zh:5397573838bcb8844248c8d6ac93cca7f39a0b707ac3ce7a7b306c50c261c195", + 
"zh:5d635370720d356b7bcb5756ca28de3275ca32ca1ef0201414caecd3a14759ac", + "zh:71a52280408f3fb0ff1866a9ab8059b0d9bde5481869658798e0773461f22eff", + "zh:748663ef0248d2d95f5dea2974332432a395165657856878c5dc6f000b37cc25", + "zh:7fbc1e084bbbb51e31afd3df0c77e833ae59e88cf42b9e2c17b0b1a1e3894723", + "zh:ae89b4be473b446270fa24dc1ef51b0cc4c2a528d9838ec15246d28bac165df3", + "zh:b6433970d680a0cc9898f915224508b5ece86ae4418372fa6bebd2a9d344f226", + "zh:bf871955cf49015e6a0433e814a22a109c1537a775b8b5dc7b37ad05c324904a", + "zh:c16fac91b2197b443a191d98cf37424feed550387ab11bd1427bde819722005e", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.1" + constraints = "~> 3.2, <= 3.2.1" + hashes = [ + "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", + "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=", + "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", + "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", + "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", + "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", + "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", + "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", + "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", + "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", + "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", + "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", + ] +} diff --git a/src/domains/paymentoptions-app/00_alerts.tf b/src/domains/paymentoptions-app/00_alerts.tf new file mode 100644 index 0000000000..f6c5b8f409 --- /dev/null +++ b/src/domains/paymentoptions-app/00_alerts.tf 
@@ -0,0 +1,72 @@
+## Print Notice Service ##
+
+resource "azurerm_monitor_scheduled_query_rules_alert" "pagopa-payment-options-service-responsetime-upd" {
+ count = var.env_short == "p" ? 1 : 0
+ resource_group_name = "dashboards"
+ name = "pagopa-${var.env_short}-pagopa-print-payment-notice-service-rest-responsetime @ _payment-options-service"
+ location = var.location
+
+ action {
+ action_group = can(data.azurerm_monitor_action_group.opsgenie[0]) ? [data.azurerm_monitor_action_group.email.id, data.azurerm_monitor_action_group.slack.id, data.azurerm_monitor_action_group.opsgenie[0].id] : [data.azurerm_monitor_action_group.email.id, data.azurerm_monitor_action_group.slack.id]
+ email_subject = "Email Header"
+ custom_webhook_payload = "{}"
+ }
+
+ data_source_id = data.azurerm_api_management.apim.id
+ description = "Response time for /payment-options is less than or equal to 1.5s - https://portal.azure.com/?l=en.en-us#@pagopait.onmicrosoft.com/dashboard/arm/subscriptions/b9fc9419-6097-45fe-9f74-ba0641c91912/resourcegroups/dashboards/providers/microsoft.portal/dashboards/pagopa-p-opex_pagopa-payment-options"
+ enabled = true
+ query = (<<-QUERY
+let threshold = 1500;
+AzureDiagnostics
+| where url_s matches regex "/payment-options"
+| summarize
+ watermark=threshold,
+ duration_percentile_95=percentiles(DurationMs, 95) by bin(TimeGenerated, 5m)
+| where duration_percentile_95 > threshold
+ QUERY
+ )
+ severity = 2
+ frequency = 5
+ time_window = 10
+ trigger {
+ operator = "GreaterThanOrEqual"
+ threshold = 2
+ }
+}
+
+resource "azurerm_monitor_scheduled_query_rules_alert" "pagopa-payment-options-rest-availability-upd" {
+ count = var.env_short == "p" ? 1 : 0
+ resource_group_name = "dashboards"
+ name = "pagopa-${var.env_short}-pagopa-payment-options-rest-availability @ _print-payment-options"
+ location = var.location
+
+ action {
+ action_group = can(data.azurerm_monitor_action_group.opsgenie[0]) ? [data.azurerm_monitor_action_group.email.id, data.azurerm_monitor_action_group.slack.id, data.azurerm_monitor_action_group.opsgenie[0].id] : [data.azurerm_monitor_action_group.email.id, data.azurerm_monitor_action_group.slack.id]
+ email_subject = "Email Header"
+ custom_webhook_payload = "{}"
+ }
+
+ data_source_id = data.azurerm_api_management.apim.id
+ description = "Availability for /payment-options is less than or equal to 99% - https://portal.azure.com/?l=en.en-us#@pagopait.onmicrosoft.com/dashboard/arm/subscriptions/b9fc9419-6097-45fe-9f74-ba0641c91912/resourcegroups/dashboards/providers/microsoft.portal/dashboards/pagopa-p-opex_pagopa-payment-options"
+ enabled = true
+ query = (<<-QUERY
+let threshold = 0.99;
+AzureDiagnostics
+| where url_s matches regex "/payment-options'"
+| summarize
+ Total=count(),
+ Success=count(responseCode_d < 500)
+ by bin(TimeGenerated, 5m)
+| extend availability=toreal(Success) / Total
+| where availability < threshold
+ QUERY
+ )
+ severity = 1
+ frequency = 5
+ time_window = 5
+ trigger {
+ operator = "GreaterThanOrEqual"
+ threshold = 1
+ }
+}
+
diff --git a/src/domains/paymentoptions-app/00_data.tf b/src/domains/paymentoptions-app/00_data.tf
new file mode 100644
index 0000000000..2e8642786e
--- /dev/null
+++ b/src/domains/paymentoptions-app/00_data.tf
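Review bot: The availability alert's filter `| where url_s matches regex "/payment-options'"` carries a stray `'` inside the pattern, so it matches no request and the 99% availability alert can never fire on prod, the only environment where `count` is 1; it should read `| where url_s matches regex "/payment-options"` exactly like the response-time rule above it. `Success=count(responseCode_d < 500)` also looks like it intends the predicate form, which in KQL is `countif(responseCode_d < 500)` — confirm the query is accepted by Log Analytics before relying on the alert. The `## Print Notice Service ##` header, the `print-payment-notice-service` fragment in the first rule's `name`, and the `_print-payment-options` suffix in the second read as copy-paste leftovers from another domain and will mislabel these alerts in the portal.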
@@ -0,0 +1,38 @@
+### EVH
+data "azurerm_eventhub_authorization_rule" "payment_options_re_authorization_rule_writer" {
+ name = "${local.project}-payment-options-re-tx"
+ resource_group_name = "${local.project}-evh-rg"
+ eventhub_name = "pagopa-payopt-evh"
+ namespace_name = "${local.project}-evh"
+}
+
+data "azurerm_eventhub_authorization_rule" "pagopa_weu_core_evh_ns04_nodo_dei_pagamenti_cache_sync_reader" {
+ name = "nodo-dei-pagamenti-cache-sync-rx"
+ namespace_name = "${local.product}-${local.evt_hub_location}-evh-ns04"
+ eventhub_name = "nodo-dei-pagamenti-cache"
+ resource_group_name = "${local.product}-msg-rg"
+}
+
+data "azurerm_eventhub_authorization_rule" "pagopa_weu_core_evh_ns04_nodo_dei_pagamenti_verify_ko_writer" {
+ name = "nodo-dei-pagamenti-verify-ko-tx"
+ namespace_name = "${local.product}-${local.evt_hub_location}-evh-ns03"
+ eventhub_name = "nodo-dei-pagamenti-verify-ko"
+ resource_group_name = "${local.product}-msg-rg"
+}
+
+data "azurerm_api_management" "apim" {
+ name = "${var.prefix}-${var.env_short}-apim"
+ resource_group_name = "${var.prefix}-${var.env_short}-api-rg"
+}
+
+data "azurerm_api_management_product" "apim_api_config_product" {
+ product_id = "product-api-config-auth"
+ api_management_name = local.pagopa_apim_name
+ resource_group_name = local.pagopa_apim_rg
+}
+
+data "azurerm_api_management_product" "apim_forwarder_product" {
+ product_id = "product-node-forwarder"
+ api_management_name = local.pagopa_apim_name
+ resource_group_name = local.pagopa_apim_rg
+}
diff --git a/src/domains/paymentoptions-app/00_keyvault.tf b/src/domains/paymentoptions-app/00_keyvault.tf
new file mode 100644
index 0000000000..c94a899cca
--- /dev/null
+++ b/src/domains/paymentoptions-app/00_keyvault.tf
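Review bot: The data source named `pagopa_weu_core_evh_ns04_nodo_dei_pagamenti_verify_ko_writer` reads `namespace_name = "${local.product}-${local.evt_hub_location}-evh-ns03"`, so either the identifier or the namespace is wrong; the identifier also hard-codes `weu` while the namespace is built from `local.evt_hub_location`. Rename it to match what it actually reads, e.g. `core_evh_ns03_nodo_dei_pagamenti_verify_ko_writer`, or correct the namespace if ns04 was intended. The sibling rules' `primary_connection_string` values are written into Key Vault as Kafka JAAS configs in `06_keyvault.tf`, so pointing one at the wrong namespace would hand the service a credential for the wrong hub without any plan-time error.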
@@ -0,0 +1,10 @@
+data "azurerm_key_vault" "kv" {
+ name = "${local.project}-kv"
+ resource_group_name = "${local.project}-sec-rg"
+}
+
+
+data "azurerm_kubernetes_cluster" "aks" {
+ name = local.aks_name
+ resource_group_name = local.aks_resource_group_name
+}
diff --git a/src/domains/paymentoptions-app/00_monitor.tf b/src/domains/paymentoptions-app/00_monitor.tf
new file mode 100644
index 0000000000..311dc4ff7d
--- /dev/null
+++ b/src/domains/paymentoptions-app/00_monitor.tf
@@ -0,0 +1,35 @@
+#
+# 🇮🇹 Monitor Italy
+#
+data "azurerm_resource_group" "monitor_italy_rg" {
+ name = var.monitor_italy_resource_group_name
+}
+
+data "azurerm_log_analytics_workspace" "log_analytics_italy" {
+ name = var.log_analytics_italy_workspace_name
+ resource_group_name = var.log_analytics_italy_workspace_resource_group_name
+}
+
+data "azurerm_application_insights" "application_insights_italy" {
+ name = local.monitor_appinsights_italy_name
+ resource_group_name = data.azurerm_resource_group.monitor_italy_rg.name
+}
+
+#
+# Actions Group
+#
+data "azurerm_monitor_action_group" "slack" {
+ name = local.monitor_action_group_slack_name
+ resource_group_name = var.monitor_italy_resource_group_name
+}
+
+data "azurerm_monitor_action_group" "email" {
+ resource_group_name = var.monitor_italy_resource_group_name
+ name = local.monitor_action_group_email_name
+}
+
+data "azurerm_monitor_action_group" "opsgenie" {
+ count = var.env_short == "p" ? 1 : 0
+ resource_group_name = var.monitor_resource_group_name
+ name = local.monitor_action_group_opsgenie_name
+}
diff --git a/src/domains/paymentoptions-app/00_network.tf b/src/domains/paymentoptions-app/00_network.tf
new file mode 100644
index 0000000000..355c8e2333
--- /dev/null
+++ b/src/domains/paymentoptions-app/00_network.tf
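Review bot: `data.azurerm_monitor_action_group.opsgenie` is looked up in `var.monitor_resource_group_name` while `slack` and `email` in the same file use `var.monitor_italy_resource_group_name`; if that split is deliberate (an Opsgenie group that only exists in the legacy monitor resource group) a one-line comment would stop the next reader from "fixing" it, e.g. `# opsgenie action group is not replicated in the Italy monitor RG`. If it is not deliberate the lookup fails only on prod, since `count` is 0 everywhere else, so dev and uat applies would not catch it.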
@@ -0,0 +1,15 @@
+data "azurerm_virtual_network" "vnet" {
+ name = local.vnet_name
+ resource_group_name = local.vnet_resource_group_name
+}
+
+data "azurerm_private_dns_zone" "internal" {
+ name = local.internal_dns_zone_name
+ resource_group_name = local.internal_dns_zone_resource_group_name
+}
+
+data "azurerm_subnet" "apim_vnet" {
+ name = local.pagopa_apim_snet
+ resource_group_name = local.pagopa_vnet_rg
+ virtual_network_name = local.pagopa_vnet_integration
+}
diff --git a/src/domains/paymentoptions-app/01_network.tf b/src/domains/paymentoptions-app/01_network.tf
new file mode 100644
index 0000000000..73614770ca
--- /dev/null
+++ b/src/domains/paymentoptions-app/01_network.tf
@@ -0,0 +1,9 @@
+#--------------------------------------------------
+
+resource "azurerm_private_dns_a_record" "ingress" {
+ name = local.ingress_hostname
+ zone_name = data.azurerm_private_dns_zone.internal.name
+ resource_group_name = local.internal_dns_zone_resource_group_name
+ ttl = 3600
+ records = [var.ingress_load_balancer_ip]
+}
diff --git a/src/domains/paymentoptions-app/02_namespace.tf b/src/domains/paymentoptions-app/02_namespace.tf
new file mode 100644
index 0000000000..a62b8cc66c
--- /dev/null
+++ b/src/domains/paymentoptions-app/02_namespace.tf
@@ -0,0 +1,20 @@
+resource "kubernetes_namespace" "namespace" {
+ metadata {
+ name = var.domain
+ }
+}
+
+module "pod_identity" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v8.18.0"
+
+ resource_group_name = local.aks_resource_group_name
+ location = var.location
+ tenant_id = data.azurerm_subscription.current.tenant_id
+ cluster_name = local.aks_name
+
+ identity_name = "${kubernetes_namespace.namespace.metadata[0].name}-pod-identity"
+ namespace = kubernetes_namespace.namespace.metadata[0].name
+ key_vault_id = data.azurerm_key_vault.kv.id
+
+ secret_permissions = ["Get"]
+}
diff --git a/src/domains/paymentoptions-app/03_serviceaccounts_azure_devops.tf b/src/domains/paymentoptions-app/03_serviceaccounts_azure_devops.tf
new file mode 100644
index 0000000000..f24964a97d
--- /dev/null
+++ b/src/domains/paymentoptions-app/03_serviceaccounts_azure_devops.tf
@@ -0,0 +1,67 @@
+resource "kubernetes_namespace" "namespace_system" {
+ metadata {
+ name = "${var.domain}-system"
+ }
+}
+
+module "kubernetes_service_account" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_service_account?ref=v8.18.0"
+ name = "azure-devops"
+ namespace = "${var.domain}-system"
+}
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "azure_devops_sa_token" {
+ depends_on = [module.kubernetes_service_account]
+ name = "${local.aks_name}-azure-devops-sa-token"
+ value = module.kubernetes_service_account.sa_token # base64 value
+ content_type = "text/plain"
+
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "azure_devops_sa_cacrt" {
+ depends_on = [module.kubernetes_service_account]
+ name = "${local.aks_name}-azure-devops-sa-cacrt"
+ value = module.kubernetes_service_account.sa_ca_cert # base64 value
+ content_type = "text/plain"
+
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+#--------------------------------------------------------------------------------------------------
+
+resource "kubernetes_role_binding" "deployer_binding" {
+ metadata {
+ name = "deployer-binding"
+ namespace = kubernetes_namespace.namespace.metadata[0].name
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "cluster-deployer"
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = "azure-devops"
+ namespace = kubernetes_namespace.namespace_system.metadata[0].name
+ }
+}
+
+resource "kubernetes_role_binding" "system_deployer_binding" {
+ metadata {
+ name = "system-deployer-binding"
+ namespace = kubernetes_namespace.namespace_system.metadata[0].name
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "system-cluster-deployer"
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = "azure-devops"
+ namespace = kubernetes_namespace.namespace_system.metadata[0].name
+ }
+}
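Review bot: `azurerm_key_vault_secret.azure_devops_sa_token` stores a long-lived Kubernetes service-account token in Key Vault with no `expiration_date`, and the `#tfsec:ignore:AZU023` pragma (repeated on `azure_devops_sa_cacrt`) suppresses that finding instead of addressing it; the same token is bound to `cluster-deployer` in the app namespace and `system-cluster-deployer` in the system namespace, so it is a deploy-capable credential that also sits in plaintext in the Terraform state. Give the token secret an explicit expiry driven by a variable so the plan stays stable, e.g. `expiration_date = var.azure_devops_sa_token_expiration` with `# rotated by re-applying after expiry; see the AKS runbook`, and keep the tfsec ignore only on the CA certificate, which is not sensitive. `content_type = "text/plain"` is also at odds with the `# base64 value` comment on the same line — stating the real encoding (e.g. `application/base64`) tells consumers how to decode it. The module outputs `sa_token`/`sa_ca_cert` come from `terraform-azurerm-v3` and are not visible here, so confirm the token kind (legacy Secret vs bound token) before choosing the rotation period.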
diff --git a/src/domains/paymentoptions-app/04_apim_payment_options.tf b/src/domains/paymentoptions-app/04_apim_payment_options.tf new file mode 100644 index 0000000000..813fdf05fe --- /dev/null +++ b/src/domains/paymentoptions-app/04_apim_payment_options.tf @@ -0,0 +1,25 @@ +locals { + apim_payment_options_pagopa_api = { + display_name = "Payment Options Product pagoPA" + description = "API for Payment Options" + } +} + +module "apim_payment_options_product" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v8.18.0" + count = var.is_feature_enabled.paymentoptions ? 1 : 0 + + product_id = "pagopa_payment_options" + display_name = local.apim_payment_options_pagopa_api.display_name + description = local.apim_payment_options_pagopa_api.description + + api_management_name = local.pagopa_apim_name + resource_group_name = local.pagopa_apim_rg + + published = false + subscription_required = true + approval_required = false + # subscriptions_limit = 1000 + + policy_xml = file("./api_product/_base_policy.xml") +} diff --git a/src/domains/paymentoptions-app/05_aks_middleware_tools.tf b/src/domains/paymentoptions-app/05_aks_middleware_tools.tf new file mode 100644 index 0000000000..83a33add1e --- /dev/null +++ b/src/domains/paymentoptions-app/05_aks_middleware_tools.tf 
@@ -0,0 +1,49 @@
+module "tls_checker" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//tls_checker?ref=v8.22.0"
+
+ https_endpoint = local.domain_hostname
+ alert_name = local.domain_hostname
+ alert_enabled = true
+ helm_chart_present = true
+ namespace = kubernetes_namespace.namespace.metadata[0].name
+ location_string = var.location_string
+ kv_secret_name_for_application_insights_connection_string = "app-insight-connection-string"
+ application_insights_resource_group = data.azurerm_resource_group.monitor_italy_rg.name
+ application_insights_id = data.azurerm_application_insights.application_insights_italy.id
+ application_insights_action_group_ids = [data.azurerm_monitor_action_group.slack.id, data.azurerm_monitor_action_group.email.id]
+ keyvault_name = data.azurerm_key_vault.kv.name
+ keyvault_tenant_id = data.azurerm_client_config.current.tenant_id
+}
+
+resource "helm_release" "cert_mounter" {
+ name = "cert-mounter-blueprint"
+ repository = "https://pagopa.github.io/aks-helm-cert-mounter-blueprint"
+ chart = "cert-mounter-blueprint"
+ version = "1.0.4"
+ namespace = var.domain
+ timeout = 120
+ force_update = true
+
+ values = [
+ templatefile("${path.root}/helm/cert-mounter.yaml.tpl", {
+ NAMESPACE = var.domain,
+ DOMAIN = var.domain,
+ CERTIFICATE_NAME = replace(local.domain_hostname, ".", "-"),
+ ENV_SHORT = var.env_short,
+ KV_NAME = data.azurerm_key_vault.kv.name
+ })
+ ]
+}
+
+resource "helm_release" "reloader" {
+ name = "reloader"
+ repository = "https://stakater.github.io/stakater-charts"
+ chart = "reloader"
+ version = "v1.0.69"
+ namespace = kubernetes_namespace.namespace.metadata[0].name
+
+ set {
+ name = "reloader.watchGlobally"
+ value = "false"
+ }
+}
diff --git a/src/domains/paymentoptions-app/05_subkey.tf b/src/domains/paymentoptions-app/05_subkey.tf
new file mode 100644
index 0000000000..a72efc1a5f
--- /dev/null
+++ b/src/domains/paymentoptions-app/05_subkey.tf
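Review bot: `helm_release.cert_mounter` sets `namespace = var.domain` (and the same in its `templatefile` vars) while `tls_checker` and `reloader` reference `kubernetes_namespace.namespace.metadata[0].name`, so cert-mounter carries no dependency on the namespace resource and on a fresh apply may be installed before the namespace exists and fail with a missing-namespace error; use `namespace = kubernetes_namespace.namespace.metadata[0].name` for all three. `force_update = true` on cert_mounter makes every apply re-push the release even when nothing changed, which hides real drift — drop it unless there is a documented reason, and say so in a comment if there is. Pinning both charts by `version` and keeping `reloader.watchGlobally` at `"false"` (namespace-scoped watcher) are the right least-privilege choices and worth a one-line comment so they survive future upgrades.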
@@ -0,0 +1,17 @@
+resource "azurerm_api_management_subscription" "api_config_subkey" {
+ api_management_name = data.azurerm_api_management.apim.name
+ resource_group_name = data.azurerm_api_management.apim.resource_group_name
+ product_id = data.azurerm_api_management_product.apim_api_config_product.id
+ display_name = "Subscription for Api Config APIM"
+ allow_tracing = false
+ state = "active"
+}
+
+resource "azurerm_api_management_subscription" "forwarder_subkey" {
+ api_management_name = data.azurerm_api_management.apim.name
+ resource_group_name = data.azurerm_api_management.apim.resource_group_name
+ product_id = data.azurerm_api_management_product.apim_forwarder_product.id
+ display_name = "Subscription for Forwarder APIM"
+ allow_tracing = false
+ state = "active"
+}
diff --git a/src/domains/paymentoptions-app/06_keyvault.tf b/src/domains/paymentoptions-app/06_keyvault.tf
new file mode 100644
index 0000000000..d8e87d4494
--- /dev/null
+++ b/src/domains/paymentoptions-app/06_keyvault.tf
@@ -0,0 +1,69 @@
+locals {
+ aks_api_url = var.env_short == "d" ? data.azurerm_kubernetes_cluster.aks.fqdn : data.azurerm_kubernetes_cluster.aks.private_fqdn
+}
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "aks_apiserver_url" {
+ name = "${local.aks_name}-apiserver-url"
+ value = "https://${local.aks_api_url}:443"
+ content_type = "text/plain"
+
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+## Manual secrets
+
+resource "azurerm_key_vault_secret" "application_insights_connection_string" {
+ name = "app-insight-connection-string"
+ value = data.azurerm_application_insights.application_insights_italy.connection_string
+ content_type = "text/plain"
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+
+resource "azurerm_key_vault_secret" "tenant_id" {
+ name = "tenant-id"
+ value = data.azurerm_subscription.current.tenant_id
+ content_type = "text/plain"
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+# Event Hub
+
+resource "azurerm_key_vault_secret" "ehub_payment-options-re_jaas_config" {
+ name = "ehub-${var.env_short}-payment-options-re-jaas-config"
+ value = "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"$ConnectionString\" password=\"${data.azurerm_eventhub_authorization_rule.payment_options_re_authorization_rule_writer.primary_connection_string}\";"
+ content_type = "text/plain"
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+resource "azurerm_key_vault_secret" "ehub_nodo_pagamenti_cache_jaas_config" {
+ name = "ehub-${var.env_short}-nodo-pagamenti-cache-jaas-config"
+ value = "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"$ConnectionString\" password=\"${data.azurerm_eventhub_authorization_rule.pagopa_weu_core_evh_ns04_nodo_dei_pagamenti_cache_sync_reader.primary_connection_string}\";"
+ content_type = "text/plain"
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+resource "azurerm_key_vault_secret" "ehub_nodo-dei-pagamenti-verify-ko_jaas_config" {
+ name = 
"ehub-${var.env_short}-nodo-dei-pagamenti-verify-ko-jaas-config"
+ value = "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"$ConnectionString\" password=\"${data.azurerm_eventhub_authorization_rule.pagopa_weu_core_evh_ns04_nodo_dei_pagamenti_verify_ko_writer.primary_connection_string}\";"
+ content_type = "text/plain"
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+resource "azurerm_key_vault_secret" "api_config_subscription_key" {
+ name = "api-config-sub-key"
+ value = azurerm_api_management_subscription.api_config_subkey.primary_key
+ content_type = "text/plain"
+
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+resource "azurerm_key_vault_secret" "forwarder_subscription_key" {
+ name = "forwarder-sub-key"
+ value = azurerm_api_management_subscription.forwarder_subkey.primary_key
+ content_type = "text/plain"
+
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
diff --git a/src/domains/paymentoptions-app/90_pdb.tf b/src/domains/paymentoptions-app/90_pdb.tf
new file mode 100644
index 0000000000..b88494a798
--- /dev/null
+++ b/src/domains/paymentoptions-app/90_pdb.tf
@@ -0,0 +1,15 @@
+resource "kubernetes_pod_disruption_budget_v1" "payment_options" {
+
+ for_each = var.pod_disruption_budgets
+
+ metadata {
+ namespace = kubernetes_namespace.namespace.metadata[0].name
+ name = each.key
+ }
+ spec {
+ min_available = each.value.minAvailable
+ selector {
+ match_labels = each.value.matchLabels
+ }
+ }
+}
diff --git a/src/domains/paymentoptions-app/99_locals.tf b/src/domains/paymentoptions-app/99_locals.tf
new file mode 100644
index 0000000000..cd17c927c9
--- /dev/null
+++ b/src/domains/paymentoptions-app/99_locals.tf
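Review bot: The `#tfsec:ignore:AZU023` on `aks_apiserver_url` silences the scanner for that one secret, but none of the nine `azurerm_key_vault_secret` resources in this file sets `expiration_date`, so the other eight (including the Event Hub connection strings and the two APIM `primary_key` values, which are credentials rather than plain configuration) will presumably raise the same finding and are left without a rotation deadline. Either set `expiration_date` on the credential-bearing secrets with a documented rotation procedure, or put the ignore on each one with a comment stating why no expiry is wanted, so the suppression is a recorded decision rather than an accident of which resource was scanned first. The `## Manual secrets` heading is also misleading: every secret under it is created and valued by Terraform; `## Secrets populated from data sources` would describe what follows. This hunk starts on the previous physical line.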
@@ -0,0 +1,41 @@
+locals {
+ product = "${var.prefix}-${var.env_short}"
+ project_short = "${var.prefix}-${var.env_short}-${var.domain}"
+ project = "${var.prefix}-${var.env_short}-${var.location_short}-${var.domain}"
+
+ location_short_weu = "weu"
+ project_short_weu = "${var.prefix}-${var.env_short}-${local.location_short_weu}"
+
+ project_core_itn = "${var.prefix}-${var.env_short}-${var.location_short}-core"
+
+
+ monitor_action_group_slack_name = "SlackPagoPA"
+ monitor_action_group_email_name = "PagoPA"
+ monitor_action_group_opsgenie_name = "Opsgenie"
+ monitor_appinsights_name = "${local.product}-appinsights"
+ monitor_appinsights_italy_name = "${local.project_core_itn}-appinsights"
+
+ vnet_name = "${var.prefix}-${var.env_short}-${var.location_short}-vnet"
+ vnet_resource_group_name = "${var.prefix}-${var.env_short}-${var.location_short}-vnet-rg"
+
+ aks_name = "${local.product}-${var.location_short}-${var.instance}-aks"
+ aks_resource_group_name = "${local.product}-${var.location_short}-${var.instance}-aks-rg"
+
+ ingress_hostname = "${var.domain}.itn"
+ internal_dns_zone_name = "${var.dns_zone_internal_prefix}.${var.external_domain}"
+ internal_dns_zone_resource_group_name = "${local.product}-vnet-rg"
+
+ pagopa_apim_snet = "${local.product}-apim-snet"
+ pagopa_vnet_integration = "pagopa-${var.env_short}-vnet-integration"
+ pagopa_vnet_rg = "pagopa-${var.env_short}-vnet-rg"
+
+ domain_hostname = "${var.dns_zone_prefix}.${local.internal_dns_zone_name}"
+
+ pagopa_apim_name = "${local.product}-apim"
+ pagopa_apim_rg = "${local.product}-api-rg"
+
+ apim_hostname = "api.${var.apim_dns_zone_prefix}.${var.external_domain}"
+
+ evt_hub_location = "${local.location_short_weu}-core"
+
+}
diff --git a/src/domains/paymentoptions-app/99_main.tf b/src/domains/paymentoptions-app/99_main.tf
new file mode 100644
index 0000000000..8bf0b91ba8
--- /dev/null
+++ b/src/domains/paymentoptions-app/99_main.tf
@@ -0,0 +1,49 @@
+terraform {
+ required_version = ">= 1.6.0"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "<= 3.106.0"
+ }
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "<= 2.47.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = "<= 3.2.1"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "<= 2.29.0"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = "<= 2.12.1"
+ }
+ }
+
+ backend "azurerm" {}
+}
+
+provider "azurerm" {
+ features {
+ key_vault {
+ purge_soft_delete_on_destroy = false
+ }
+ }
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
+
+provider "kubernetes" {
+ config_path = "${var.k8s_kube_config_path_prefix}/config-${local.aks_name}"
+}
+
+provider "helm" {
+ kubernetes {
+ config_path = "${var.k8s_kube_config_path_prefix}/config-${local.aks_name}"
+ }
+}
diff --git a/src/domains/paymentoptions-app/99_variables.tf b/src/domains/paymentoptions-app/99_variables.tf
new file mode 100644
index 0000000000..0c2a945686
--- /dev/null
+++ b/src/domains/paymentoptions-app/99_variables.tf
@@ -0,0 +1,158 @@ +# general + +variable "prefix" { + type = string + validation { + condition = ( + length(var.prefix) <= 6 + ) + error_message = "Max length is 6 chars." + } +} + +variable "env" { + type = string +} + +variable "env_short" { + type = string + validation { + condition = ( + length(var.env_short) == 1 + ) + error_message = "Length must be 1 chars." + } +} + +variable "domain" { + type = string + validation { + condition = ( + length(var.domain) <= 12 + ) + error_message = "Max length is 12 chars." + } +} + +variable "location" { + type = string + description = "One of westeurope, northeurope" +} + +variable "location_short" { + type = string + validation { + condition = ( + length(var.location_short) == 3 + ) + error_message = "Length must be 3 chars." + } + description = "One of wue, neu" +} + +variable "location_string" { + type = string + description = "One of West Europe, North Europe" +} + +variable "instance" { + type = string + description = "One of beta, prod01, prod02" +} + +variable "tags" { + type = map(any) + default = { + CreatedBy = "Terraform" + } +} + +### Features flags + +variable "is_feature_enabled" { + type = object({ + paymentoptions = bool + }) + default = { + paymentoptions = false + } +} +### External resources + +variable "monitor_resource_group_name" { + type = string + description = "Monitor resource group name" +} + +variable "log_analytics_workspace_name" { + type = string + description = "Specifies the name of the Log Analytics Workspace." +} + +variable "log_analytics_workspace_resource_group_name" { + type = string + description = "The name of the resource group in which the Log Analytics workspace is located in." +} + +variable "monitor_italy_resource_group_name" { + type = string + description = "Monitor Italy resource group name" +} + +variable "log_analytics_italy_workspace_name" { + type = string + description = "Specifies the name of the Log Analytics Workspace Italy." 
+} + +variable "log_analytics_italy_workspace_resource_group_name" { + type = string + description = "The name of the resource group in which the Log Analytics workspace Italy is located in." +} + + +### Aks +variable "ingress_load_balancer_ip" { + type = string +} + +variable "k8s_kube_config_path_prefix" { + type = string + default = "~/.kube" +} + +variable "external_domain" { + type = string + default = null + description = "Domain for delegation" +} + +variable "dns_zone_internal_prefix" { + type = string + default = null + description = "The dns subdomain." +} + +variable "apim_dns_zone_prefix" { + type = string + default = null + description = "The dns subdomain for apim." +} + +# DNS + +variable "dns_zone_prefix" { + type = string + default = null + description = "The wallet dns subdomain." +} + +### PDB +variable "pod_disruption_budgets" { + type = map(object({ + name = optional(string, null) + minAvailable = optional(number, null) + matchLabels = optional(map(any), {}) + })) + description = "Pod disruption budget for domain namespace" + default = {} +} diff --git a/src/domains/paymentoptions-app/api_product/_base_policy.xml b/src/domains/paymentoptions-app/api_product/_base_policy.xml new file mode 100644 index 0000000000..ce18a37436 --- /dev/null +++ b/src/domains/paymentoptions-app/api_product/_base_policy.xml @@ -0,0 +1,14 @@ + + + + + + + + + + + + + + diff --git a/src/domains/paymentoptions-app/env/itn-dev/backend.ini b/src/domains/paymentoptions-app/env/itn-dev/backend.ini new file mode 100644 index 0000000000..f3ea2d530c --- /dev/null +++ b/src/domains/paymentoptions-app/env/itn-dev/backend.ini @@ -0,0 +1 @@ +subscription=DEV-pagoPA \ No newline at end of file diff --git a/src/domains/paymentoptions-app/env/itn-dev/backend.tfvars b/src/domains/paymentoptions-app/env/itn-dev/backend.tfvars new file mode 100644 index 0000000000..34401b3ea9 --- /dev/null +++ b/src/domains/paymentoptions-app/env/itn-dev/backend.tfvars 
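Review bot: Several variable descriptions in this hunk were copied from another domain and now contradict the values this patch feeds them: `dns_zone_prefix` is described as `"The wallet dns subdomain."` while every tfvars file sets it to `payopt.itn`, and `location_short` is documented as `"One of wue, neu"` although its only use here is `itn`. Suggested wording: `description = "The payment-options dns subdomain."` and `description = "Short region code, e.g. itn"`. `ingress_load_balancer_ip` has neither a description nor a validation; a `can(cidrhost("${var.ingress_load_balancer_ip}/32", 0))` condition would reject a typo before it lands in the private DNS record created in `01_network.tf`. The hunk starts on the previous physical line.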
@@ -0,0 +1,4 @@ +resource_group_name = "terraform-state-rg" +storage_account_name = "tfinfdevpagopa" +container_name = "terraform-state" +key = "paymentoptions-app-dev.terraform.tfstate" diff --git a/src/domains/paymentoptions-app/env/itn-dev/terraform.tfvars b/src/domains/paymentoptions-app/env/itn-dev/terraform.tfvars new file mode 100644 index 0000000000..0787a27660 --- /dev/null +++ b/src/domains/paymentoptions-app/env/itn-dev/terraform.tfvars @@ -0,0 +1,38 @@ +prefix = "pagopa" +env_short = "d" +env = "dev" +domain = "payopt" +location = "italynorth" +location_short = "itn" +location_string = "Italy North" +instance = "dev" + +tags = { + CreatedBy = "Terraform" + Environment = "Dev" + Owner = "pagoPA" + Source = "https://github.com/pagopa/pagopa-infra/tree/main/src/domains/paymentoptions-app" + CostCenter = "TS310 - PAGAMENTI & SERVIZI" +} + +### External resources + +monitor_italy_resource_group_name = "pagopa-d-itn-core-monitor-rg" +log_analytics_italy_workspace_name = "pagopa-d-itn-core-law" +log_analytics_italy_workspace_resource_group_name = "pagopa-d-itn-core-monitor-rg" + +monitor_resource_group_name = "pagopa-d-monitor-rg" +log_analytics_workspace_name = "pagopa-d-law" +log_analytics_workspace_resource_group_name = "pagopa-d-monitor-rg" + +external_domain = "pagopa.it" +dns_zone_internal_prefix = "internal.dev.platform" +dns_zone_prefix = "payopt.itn" +apim_dns_zone_prefix = "dev.platform" +### Aks + +ingress_load_balancer_ip = "10.3.2.250" + +is_feature_enabled = { + paymentoptions = true +} diff --git a/src/domains/paymentoptions-app/env/itn-prod/backend.ini b/src/domains/paymentoptions-app/env/itn-prod/backend.ini new file mode 100644 index 0000000000..ddda4bb50f --- /dev/null +++ b/src/domains/paymentoptions-app/env/itn-prod/backend.ini @@ -0,0 +1 @@ +subscription=prod-pagoPA 
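Review bot: `ingress_load_balancer_ip = "10.3.2.250"` is identical in the dev tfvars here and in the prod and uat tfvars later in this patch; the three environments otherwise differ in every name and DNS prefix, so either each environment's VNet really reuses the same private range (worth a comment such as `# same address in every env: each env has its own VNet address space`) or two of the three values are a copy-paste leftover that will point `azurerm_private_dns_a_record.ingress` at the wrong address. The value also appears under the `### Aks` heading with no comment on where it comes from; naming the source (for example the AKS ingress controller's static IP) would let the next maintainer verify it.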
diff --git a/src/domains/paymentoptions-app/env/itn-prod/backend.tfvars b/src/domains/paymentoptions-app/env/itn-prod/backend.tfvars new file mode 100644 index 0000000000..184ba40d9d --- /dev/null +++ b/src/domains/paymentoptions-app/env/itn-prod/backend.tfvars @@ -0,0 +1,4 @@ +resource_group_name = "terraform-state-rg" +storage_account_name = "tfinfprodpagopa" +container_name = "terraform-state" +key = "paymentoptions-app-prod.terraform.tfstate" diff --git a/src/domains/paymentoptions-app/env/itn-prod/terraform.tfvars b/src/domains/paymentoptions-app/env/itn-prod/terraform.tfvars new file mode 100644 index 0000000000..eff33890b2 --- /dev/null +++ b/src/domains/paymentoptions-app/env/itn-prod/terraform.tfvars @@ -0,0 +1,47 @@ +prefix = "pagopa" +env_short = "p" +env = "prod" +domain = "payopt" +location = "italynorth" +location_short = "itn" +location_string = "Italy North" +instance = "prod" + +tags = { + CreatedBy = "Terraform" + Environment = "prod" + Owner = "pagoPA" + Source = "https://github.com/pagopa/pagopa-infra/tree/main/src/domains/paymentoptions-app" + CostCenter = "TS310 - PAGAMENTI & SERVIZI" +} + +### External resources + +monitor_italy_resource_group_name = "pagopa-p-itn-core-monitor-rg" +log_analytics_italy_workspace_name = "pagopa-p-itn-core-law" +log_analytics_italy_workspace_resource_group_name = "pagopa-p-itn-core-monitor-rg" + +monitor_resource_group_name = "pagopa-p-monitor-rg" +log_analytics_workspace_name = "pagopa-p-law" +log_analytics_workspace_resource_group_name = "pagopa-p-monitor-rg" + +external_domain = "pagopa.it" +dns_zone_internal_prefix = "internal.platform" +dns_zone_prefix = "payopt.itn" +apim_dns_zone_prefix = "platform" +### Aks + +ingress_load_balancer_ip = "10.3.2.250" + +is_feature_enabled = { + paymentoptions = true +} + +pod_disruption_budgets = { + "payment-options-service" = { + minAvailable = 2 + matchLabels = { + "app.kubernetes.io/instance" = "payment-options-service" + } + }, +} 
diff --git a/src/domains/paymentoptions-app/env/itn-uat/backend.ini b/src/domains/paymentoptions-app/env/itn-uat/backend.ini new file mode 100644 index 0000000000..1759a0ca0d --- /dev/null +++ b/src/domains/paymentoptions-app/env/itn-uat/backend.ini @@ -0,0 +1 @@ +subscription=UAT-pagoPA \ No newline at end of file diff --git a/src/domains/paymentoptions-app/env/itn-uat/backend.tfvars b/src/domains/paymentoptions-app/env/itn-uat/backend.tfvars new file mode 100644 index 0000000000..3fa5ce28c3 --- /dev/null +++ b/src/domains/paymentoptions-app/env/itn-uat/backend.tfvars @@ -0,0 +1,4 @@ +resource_group_name = "terraform-state-rg" +storage_account_name = "tfinfuatpagopa" +container_name = "terraform-state" +key = "paymentoptions-app-uat.terraform.tfstate" diff --git a/src/domains/paymentoptions-app/env/itn-uat/terraform.tfvars b/src/domains/paymentoptions-app/env/itn-uat/terraform.tfvars new file mode 100644 index 0000000000..f9fef84f60 --- /dev/null +++ b/src/domains/paymentoptions-app/env/itn-uat/terraform.tfvars 
@@ -0,0 +1,38 @@ +prefix = "pagopa" +env_short = "u" +env = "uat" +domain = "payopt" +location = "italynorth" +location_short = "itn" +location_string = "Italy North" +instance = "uat" + +tags = { + CreatedBy = "Terraform" + Environment = "Uat" + Owner = "pagoPA" + Source = "https://github.com/pagopa/pagopa-infra/tree/main/src/domains/paymentoptions-app" + CostCenter = "TS310 - PAGAMENTI & SERVIZI" +} + +### External resources + +monitor_italy_resource_group_name = "pagopa-u-itn-core-monitor-rg" +log_analytics_italy_workspace_name = "pagopa-u-itn-core-law" +log_analytics_italy_workspace_resource_group_name = "pagopa-u-itn-core-monitor-rg" + +monitor_resource_group_name = "pagopa-u-monitor-rg" +log_analytics_workspace_name = "pagopa-u-law" +log_analytics_workspace_resource_group_name = "pagopa-u-monitor-rg" + +external_domain = "pagopa.it" +dns_zone_internal_prefix = "internal.uat.platform" +dns_zone_prefix = "payopt.itn" +apim_dns_zone_prefix = "uat.platform" +### Aks + +ingress_load_balancer_ip = "10.3.2.250" + +is_feature_enabled = { + paymentoptions = true +} diff --git a/src/domains/paymentoptions-app/helm/cert-mounter.yaml.tpl b/src/domains/paymentoptions-app/helm/cert-mounter.yaml.tpl new file mode 100644 index 0000000000..73ee05d737 --- /dev/null +++ b/src/domains/paymentoptions-app/helm/cert-mounter.yaml.tpl @@ -0,0 +1,13 @@ +namespace: ${NAMESPACE} +nameOverride: "" +fullnameOverride: "" + +deployment: + create: true + +kvCertificatesName: + - ${CERTIFICATE_NAME} + +keyvault: + name: "${KV_NAME}" + tenantId: "7788edaf-0346-4068-9d79-c868aed15b3d" diff --git a/src/domains/paymentoptions-app/terraform.sh b/src/domains/paymentoptions-app/terraform.sh new file mode 100755 index 0000000000..047a7512d0 --- /dev/null +++ b/src/domains/paymentoptions-app/terraform.sh 
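Review bot: `tenantId: "7788edaf-0346-4068-9d79-c868aed15b3d"` in `helm/cert-mounter.yaml.tpl` hard-codes the Azure AD tenant even though the calling module already has `data.azurerm_client_config.current.tenant_id` (it is passed to `tls_checker` as `keyvault_tenant_id` in `05_aks_middleware_tools.tf`), so the template silently breaks if this domain is ever deployed in another tenant and the value has to be hunted down in a Helm values file rather than in Terraform. Add `TENANT_ID = data.azurerm_client_config.current.tenant_id` to the `templatefile` map and change the line to `tenantId: "${TENANT_ID}"`. The template also leaves `DOMAIN` and `ENV_SHORT` unused; dropping them from the map keeps the interface honest.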
@@ -0,0 +1,324 @@ +#!/bin/bash +############################################################ +# Terraform script for managing infrastructure on Azure +# Fingerprint: d2hhdHlvdXdhbnQ/Cg== +############################################################ +# Global variables +# Version format x.y accepted +vers="1.11" +script_name=$(basename "$0") +git_repo="https://raw.githubusercontent.com/pagopa/eng-common-scripts/main/azure/${script_name}" +tmp_file="${script_name}.new" +# Check if the third parameter exists and is a file +if [ -n "$3" ] && [ -f "$3" ]; then + FILE_ACTION=true +else + FILE_ACTION=false +fi + +# Define functions +function clean_environment() { + rm -rf .terraform + rm tfplan 2>/dev/null + echo "cleaned!" +} + +function download_tool() { + #default value + cpu_type="intel" + os_type=$(uname) + + # only on MacOS + if [ "$os_type" == "Darwin" ]; then + cpu_brand=$(sysctl -n machdep.cpu.brand_string) + if grep -q -i "intel" <<< "$cpu_brand"; then + cpu_type="intel" + else + cpu_type="arm" + fi + fi + + echo $cpu_type + tool=$1 + git_repo="https://raw.githubusercontent.com/pagopa/eng-common-scripts/main/golang/${tool}_${cpu_type}" + if ! command -v $tool &> /dev/null; then + if ! curl -sL "$git_repo" -o "$tool"; then + echo "Error downloading ${tool}" + return 1 + else + chmod +x $tool + echo "${tool} downloaded! Please note this tool WON'T be copied in your **/bin folder for safety reasons. +You need to do it yourself!" + read -p "Press enter to continue" + + + fi + fi +} + +function extract_resources() { + TF_FILE=$1 + ENV=$2 + TARGETS="" + + # Check if the file exists + if [ ! -f "$TF_FILE" ]; then + echo "File $TF_FILE does not exist." + exit 1 + fi + + # Check if the directory exists + if [ ! -d "./env/$ENV" ]; then + echo "Directory ./env/$ENV does not exist." 
+ exit 1 + fi + + TMP_FILE=$(mktemp) + grep -E '^resource|^module' $TF_FILE > $TMP_FILE + + while read -r line ; do + TYPE=$(echo $line | cut -d '"' -f 1 | tr -d ' ') + if [ "$TYPE" == "module" ]; then + NAME=$(echo $line | cut -d '"' -f 2) + TARGETS+=" -target=\"$TYPE.$NAME\"" + else + NAME1=$(echo $line | cut -d '"' -f 2) + NAME2=$(echo $line | cut -d '"' -f 4) + TARGETS+=" -target=\"$NAME1.$NAME2\"" + fi + done < $TMP_FILE + + rm $TMP_FILE + + echo "./terraform.sh $action $ENV $TARGETS" +} + +function help_usage() { + echo "terraform.sh Version ${vers}" + echo + echo "Usage: ./script.sh [ACTION] [ENV] [OTHER OPTIONS]" + echo "es. ACTION: init, apply, plan, etc." + echo "es. ENV: dev, uat, prod, etc." + echo + echo "Available actions:" + echo " clean Remove .terraform* folders and tfplan files" + echo " help This help" + echo " list List every environment available" + echo " update Update this script if possible" + echo " summ Generate summary of Terraform plan" + echo " tflist Generate an improved output of terraform state list" + echo " tlock Generate or update the dependency lock file" + echo " * any terraform option" +} + +function init_terraform() { + if [ -n "$env" ]; then + terraform init -reconfigure -backend-config="./env/$env/backend.tfvars" + else + echo "ERROR: no env configured!" + exit 1 + fi +} + +function list_env() { + # Check if env directory exists + if [ ! 
-d "./env" ]; then + echo "No environment directory found" + exit 1 + fi + + # List subdirectories under env directory + env_list=$(ls -d ./env/*/ 2>/dev/null) + + # Check if there are any subdirectories + if [ -z "$env_list" ]; then + echo "No environments found" + exit 1 + fi + + # Print the list of environments + echo "Available environments:" + for env in $env_list; do + env_name=$(echo "$env" | sed 's#./env/##;s#/##') + echo "- $env_name" + done +} + +function other_actions() { + if [ -n "$env" ] && [ -n "$action" ]; then + terraform "$action" -var-file="./env/$env/terraform.tfvars" -compact-warnings $other + else + echo "ERROR: no env or action configured!" + exit 1 + fi +} + +function state_output_taint_actions() { + if [ "$action" == "tflist" ]; then + # If 'tflist' is not installed globally and there is no 'tflist' file in the current directory, + # attempt to download the 'tflist' tool + if ! command -v tflist &> /dev/null && [ ! -f "tflist" ]; then + download_tool "tflist" + if [ $? -ne 0 ]; then + echo "Error: Failed to download tflist!!" + exit 1 + else + echo "tflist downloaded!" 
+ fi + fi + if command -v tflist &> /dev/null; then + terraform state list | tflist + else + terraform state list | ./tflist + fi + else + terraform $action $other + fi +} + + +function parse_tfplan_option() { + # Create an array to contain arguments that do not start with '-tfplan=' + local other_args=() + + # Loop over all arguments + for arg in "$@"; do + # If the argument starts with '-tfplan=', extract the file name + if [[ "$arg" =~ ^-tfplan= ]]; then + echo "${arg#*=}" + else + # If the argument does not start with '-tfplan=', add it to the other_args array + other_args+=("$arg") + fi + done + + # Print all arguments in other_args separated by spaces + echo "${other_args[@]}" +} + +function tfsummary() { + local plan_file + plan_file=$(parse_tfplan_option "$@") + if [ -z "$plan_file" ]; then + plan_file="tfplan" + fi + action="plan" + other="-out=${plan_file}" + other_actions + if [ -n "$(command -v tf-summarize)" ]; then + tf-summarize -tree "${plan_file}" + else + echo "tf-summarize is not installed" + fi + if [ "$plan_file" == "tfplan" ]; then + rm $plan_file + fi +} + +function update_script() { + # Check if the repository was cloned successfully + if ! curl -sL "$git_repo" -o "$tmp_file"; then + echo "Error cloning the repository" + rm "$tmp_file" 2>/dev/null + return 1 + fi + + # Check if a newer version exists + remote_vers=$(sed -n '8s/vers="\(.*\)"/\1/p' "$tmp_file") + if [ "$(printf '%s\n' "$vers" "$remote_vers" | sort -V | tail -n 1)" == "$vers" ]; then + echo "The local script version is equal to or newer than the remote version." + rm "$tmp_file" 2>/dev/null + return 0 + fi + + # Check the fingerprint + local_fingerprint=$(sed -n '4p' "$0") + remote_fingerprint=$(sed -n '4p' "$tmp_file") + + if [ "$local_fingerprint" != "$remote_fingerprint" ]; then + echo "The local and remote file fingerprints do not match." 
+ rm "$tmp_file" 2>/dev/null + return 0 + fi + + # Show the current and available versions to the user + echo "Current script version: $vers" + echo "Available script version: $remote_vers" + + # Ask the user if they want to update the script + read -rp "Do you want to update the script to version $remote_vers? (y/n): " answer + + if [ "$answer" == "y" ] || [ "$answer" == "Y" ]; then + # Replace the local script with the updated version + cp "$tmp_file" "$script_name" + chmod +x "$script_name" + rm "$tmp_file" 2>/dev/null + + echo "Script successfully updated to version $remote_vers" + else + echo "Update canceled by the user" + fi + + rm "$tmp_file" 2>/dev/null +} + +# Check arguments number +if [ "$#" -lt 1 ]; then + help_usage + exit 0 +fi + +# Parse arguments +action=$1 +env=$2 +filetf=$3 +shift 2 +other=$@ + +if [ -n "$env" ]; then + # shellcheck source=/dev/null + source "./env/$env/backend.ini" + if [ -z "$(command -v az)" ]; then + echo "az not found, cannot proceed" + exit 1 + fi + az account set -s "${subscription}" +fi + +# Call appropriate function based on action +case $action in + clean) + clean_environment + ;; + ?|help|-h) + help_usage + ;; + init) + init_terraform "$other" + ;; + list) + list_env + ;; + output|state|taint|tflist) + init_terraform + state_output_taint_actions $other + ;; + summ) + init_terraform + tfsummary "$other" + ;; + tlock) + terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=darwin_arm64 -platform=linux_amd64 + ;; + update) + update_script + ;; + *) + if [ "$FILE_ACTION" = true ]; then + extract_resources "$filetf" "$env" + else + init_terraform + other_actions "$other" + fi + ;; +esac diff --git a/src/domains/paymentoptions-common/.terraform.lock.hcl b/src/domains/paymentoptions-common/.terraform.lock.hcl new file mode 100644 index 0000000000..c1bc80ffb2 --- /dev/null +++ b/src/domains/paymentoptions-common/.terraform.lock.hcl 
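Review bot: `update_script` replaces the running script with whatever `curl` returned from `$git_repo` after comparing only the version line and line 4 (the `Fingerprint:` comment), and `download_tool` does the same with a binary plus `chmod +x`; a line-equality check is not an integrity check, so a compromised or mistakenly edited `main` branch of the common-scripts repository is copied straight into every domain that runs `./terraform.sh update`. Pin `git_repo` to a commit SHA instead of `main` and compare a known digest (for example `sha256sum "$tmp_file"` against an expected value recorded in the script) before the `cp`/`chmod +x`, or mark the self-update path as disabled in this repository; since the script is a verbatim copy of the shared one, the fix presumably belongs upstream and this copy should be refreshed from there. Separately, `source "./env/$env/backend.ini"` executes the env file as shell, so `$env` should be validated against the `./env/*` directory list before sourcing.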
@@ -0,0 +1,65 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azuread" { + version = "2.47.0" + constraints = "<= 2.47.0" + hashes = [ + "h1:g8+gBFM4QVOEQFqAEs5pR6iXpbGvgPvcEi1evHwziyw=", + "h1:iRwDQBdXBpVBoYwM9au2RG01RQuJSm3TGQ2kioFVAas=", + "zh:1372d81eb24ef3b4b00ea350fe87219f22da51691b8e42ce91d662f6c2a8af5e", + "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", + "zh:1e654a74d171d6ff8f9f6f67e3ff1421d4c5e56a18607703626bf12cd23ba001", + "zh:35227fad617a0509c64ab5759a8b703b10d244877f1aa5416bfbcc100c96996f", + "zh:357f553f0d78d46a96c7b2ed06d25ee0fc60fc5be19812ccb5d969fa47d62e17", + "zh:58faa2940065137e3e87d02eba59ab5cd7137d7a18caf225e660d1788f274569", + "zh:7308eda0339620fa24f47cedd22221fc2c02cab9d5be1710c09a783aea84eb3a", + "zh:863eabf7f908a8263e28d8aa2ad1381affd6bb5c67755216781f674ef214100e", + "zh:8b95b595a7c14ed7b56194d03cdec253527e7a146c1c58961be09e6b5c50baee", + "zh:afbca6b4fac9a0a488bc22ff9e51a8f14e986137d25275068fd932f379a51d57", + "zh:c6aadec4c81a44c3ffc22c2d90ffc6706bf5a9a903a395d896477516f4be6cbb", + "zh:e54a59de7d4ef0f3a18f91fed0b54a2bce18257ae2ee1df8a88226e1023c5811", + ] +} + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.106.0" + constraints = "~> 3.30, <= 3.106.0" + hashes = [ + "h1:6t9Nz9tYAR9BfHZ8yc56m+GKRl0nriwjQ5DyA0/TnCs=", + "h1:Mxe1/I27IZK3BP6cm84Gt0+7PXd2EDaDUMxuljm/rUA=", + "zh:07980d6fdc40c0adb670c8413a5c667917d6dbb51fcedc467c35d64c2f3a1f47", + "zh:2e6e8491b1f089644b0d23f8da83398f1e10cf5a62b16efcef2b5454fe923038", + "zh:450dbd72821c5619cc3bcdc20fdd0e29515147e44b733f9c79d3a75851810055", + "zh:5e234c0a2f3c9677ea72b2a6e6ca90defb99fab29ae565f5d1f70728ba4ba78f", + "zh:83fd042ece6977429d79affd03d6ce963d2f122604dbf15a1abf203d7a7bbc8a", + "zh:93027e1f66b3bf83398d572d4e6f6e7777330c78c54da3226dadd50fd868ada9", + "zh:ae3d1dd66140c303df97d93c47a60f16735ce17cf156f45475dcee4a7360af5b", + 
"zh:daf9d2eb89e785458a76b88bf2ef0696c472094c77cc9cff3b3ea4b885c5a482", + "zh:dd46370141651e6549da6d85e25c7a6770c47581bbaaa27eda2886d41d849747", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f77405c0d8f6e0d93d9da83256b3b02c164bad4c791ed9604310ff02ae086ad1", + "zh:ffa769147bda833aef8802e3a391bd175ec749862764d61cbdaa8200d5b8f893", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.2" + constraints = "<= 3.2.2" + hashes = [ + "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=", + "h1:vWAsYRd7MjYr3adj8BVKRohVfHpWQdvkIwUQ2Jf5FVM=", + "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7", + "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a", + "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3", + "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606", + "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546", + "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539", + "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422", + "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae", + "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1", + "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e", + ] +} diff --git a/src/domains/paymentoptions-common/00_data.tf b/src/domains/paymentoptions-common/00_data.tf new file mode 100644 index 0000000000..453409f78e --- /dev/null +++ b/src/domains/paymentoptions-common/00_data.tf @@ -0,0 +1,4 @@ +data "azurerm_key_vault" "kv" { + name = "${local.project}-kv" + resource_group_name = "${local.project}-sec-rg" +} diff --git a/src/domains/paymentoptions-common/00_monitor.tf b/src/domains/paymentoptions-common/00_monitor.tf new file mode 100644 index 0000000000..3be0e0c27b --- /dev/null 
+++ b/src/domains/paymentoptions-common/00_monitor.tf
@@ -0,0 +1,45 @@
+#
+# 🇮🇹 Monitor Italy
+#
+data "azurerm_resource_group" "monitor_italy_rg" {
+ name = var.monitor_italy_resource_group_name
+}
+
+data "azurerm_log_analytics_workspace" "log_analytics_italy" {
+ name = var.log_analytics_italy_workspace_name
+ resource_group_name = var.log_analytics_italy_workspace_resource_group_name
+}
+
+data "azurerm_application_insights" "application_insights_italy" {
+ name = local.monitor_appinsights_italy_name
+ resource_group_name = data.azurerm_resource_group.monitor_italy_rg.name
+}
+
+# ### 🇪🇺
+# data "azurerm_resource_group" "monitor_rg" {
+# name = var.monitor_resource_group_name
+# }
+#
+# data "azurerm_log_analytics_workspace" "log_analytics" {
+# name = var.log_analytics_workspace_name
+# resource_group_name = var.log_analytics_workspace_resource_group_name
+# }
+#
+# data "azurerm_application_insights" "application_insights" {
+# name = local.monitor_appinsights_name
+# resource_group_name = data.azurerm_resource_group.monitor_rg.name
+# }
+
+#
+# Action Groups
+#
+data "azurerm_monitor_action_group" "slack" {
+ resource_group_name = var.monitor_resource_group_name
+ name = local.monitor_action_group_slack_name
+}
+
+data "azurerm_monitor_action_group" "email" {
+ resource_group_name = var.monitor_resource_group_name
+ name = local.monitor_action_group_email_name
+}
+
diff --git a/src/domains/paymentoptions-common/00_network.tf b/src/domains/paymentoptions-common/00_network.tf
new file mode 100644
index 0000000000..73fad2990a
--- /dev/null
+++ b/src/domains/paymentoptions-common/00_network.tf
@@ -0,0 +1,37 @@
+data "azurerm_virtual_network" "vnet_italy" {
+ name = local.vnet_italy_name
+ resource_group_name = local.vnet_italy_resource_group_name
+}
+
+data "azurerm_resource_group" "rg_vnet_italy" {
+ name = local.vnet_italy_resource_group_name
+}
+
+#
+# Subnets
+#
+data "azurerm_subnet" "aks_subnet" {
+ name = local.aks_subnet_name
+ virtual_network_name = local.vnet_italy_name
+ resource_group_name = local.vnet_italy_resource_group_name
+}
+
+#
+# Private DNS Zones
+#
+data "azurerm_private_dns_zone" "internal" {
+ name = local.internal_dns_zone_name
+ resource_group_name = local.internal_dns_zone_resource_group_name
+}
+
+#
+# Eventhub
+#
+data "azurerm_private_dns_zone" "eventhub" {
+ name = "privatelink.servicebus.windows.net"
+ resource_group_name = local.msg_resource_group_name
+}
+
+data "azurerm_resource_group" "rg_event_private_dns_zone" {
+ name = local.msg_resource_group_name
+}
diff --git a/src/domains/paymentoptions-common/01_network.tf b/src/domains/paymentoptions-common/01_network.tf
new file mode 100644
index 0000000000..202f24163e
--- /dev/null
+++ b/src/domains/paymentoptions-common/01_network.tf
@@ -0,0 +1,14 @@
+resource "azurerm_private_dns_a_record" "ingress" {
+ name = local.ingress_hostname
+ zone_name = data.azurerm_private_dns_zone.internal.name
+ resource_group_name = local.internal_dns_zone_resource_group_name
+ ttl = 3600
+ records = [var.ingress_load_balancer_ip]
+}
+
+resource "azurerm_subnet" "eventhub_italy" {
+ name = "${local.project}-eventhub-snet"
+ resource_group_name = data.azurerm_resource_group.rg_vnet_italy.name
+ virtual_network_name = data.azurerm_virtual_network.vnet_italy.name
+ address_prefixes = var.cidr_paymentoptions_eventhub_italy
+}
diff --git a/src/domains/paymentoptions-common/03_eventhub.tf b/src/domains/paymentoptions-common/03_eventhub.tf
new file mode 100644
index 0000000000..b2693b1ba8
--- /dev/null
+++ b/src/domains/paymentoptions-common/03_eventhub.tf
@@ -0,0 +1,86 @@ +resource "azurerm_resource_group" "eventhub_ita_rg" { + name = local.eventhub_resource_group_name + location = var.location + + tags = var.tags +} + +module "eventhub_namespace" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//eventhub?ref=v8.22.0" + name = "${local.project}-evh" + location = var.location + resource_group_name = azurerm_resource_group.eventhub_ita_rg.name + auto_inflate_enabled = var.ehns_auto_inflate_enabled + sku = var.ehns_sku_name + capacity = var.ehns_capacity + maximum_throughput_units = var.ehns_maximum_throughput_units + #zone_redundat is always true + + virtual_network_ids = [data.azurerm_virtual_network.vnet_italy.id] + private_endpoint_subnet_id = azurerm_subnet.eventhub_italy.id + public_network_access_enabled = var.ehns_public_network_access + private_endpoint_created = var.ehns_private_endpoint_is_present + + private_endpoint_resource_group_name = azurerm_resource_group.eventhub_ita_rg.name + + private_dns_zones = { + id = [data.azurerm_private_dns_zone.eventhub.id] + name = [data.azurerm_private_dns_zone.eventhub.name] + resource_group_name = data.azurerm_resource_group.rg_event_private_dns_zone.name + } + + private_dns_zone_record_A_name = "${var.domain}.${var.location_short}" + + action = [ + { + action_group_id = data.azurerm_monitor_action_group.slack.id + webhook_properties = null + }, + { + action_group_id = data.azurerm_monitor_action_group.email.id + webhook_properties = null + } + ] + + metric_alerts_create = var.ehns_alerts_enabled + metric_alerts = var.ehns_metric_alerts + + tags = var.tags +} + +# +# CONFIGURATION +# +module "eventhub_paymentoptions_configuration" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//eventhub_configuration?ref=v8.22.0" + count = var.is_feature_enabled.eventhub ? 
1 : 0 + + event_hub_namespace_name = module.eventhub_namespace.name + event_hub_namespace_resource_group_name = azurerm_resource_group.eventhub_ita_rg.name + + eventhubs = [ + { + name = "${var.prefix}-${var.domain}-evh" + partitions = 1 + message_retention = 1 + consumers = [ + "${local.project}-payment-options-re-rx", + ] + keys = [ + { + name = "${local.project}-payment-options-re-tx" + listen = false + send = true + manage = false + }, + { + name = "${local.project}-payment-options-re-rx" # internal use + listen = true + send = false + manage = false + } + ] + }, + ] +} + diff --git a/src/domains/paymentoptions-common/10_github_identity.tf b/src/domains/paymentoptions-common/10_github_identity.tf new file mode 100644 index 0000000000..41e54948b3 --- /dev/null +++ b/src/domains/paymentoptions-common/10_github_identity.tf 
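Review bot: `public_network_access_enabled = var.ehns_public_network_access` leaves the namespace's network exposure entirely to a tfvars value whose default is not in this diff, while the same module block already wires a private endpoint (`private_endpoint_created`, `private_endpoint_subnet_id`) and `virtual_network_ids`; the intended posture should be stated on the line, e.g. `# reachable through the private endpoint below; keep public access disabled outside dev`. The hub name `${var.prefix}-${var.domain}-evh` uses a different naming scheme from the namespace `${local.project}-evh`, which is easy to misread as the same resource; a `${local.project}`-based name or a short comment would help. The send-only `-re-tx` and listen-only `-re-rx` key split is correct as written.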
@@ -0,0 +1,207 @@ +data "azurerm_resource_group" "identity_rg" { + name = "${local.product}-identity-rg" +} + +data "azurerm_kubernetes_cluster" "aks" { + name = "${local.product}-${var.location_short}-${var.instance}-aks" + resource_group_name = "${local.product}-${var.location_short}-${var.instance}-aks-rg" +} + +data "azurerm_key_vault" "key_vault" { + name = "${local.product}-${var.location_short}-${var.domain}-kv" + resource_group_name = "${local.product}-${var.location_short}-${var.domain}-sec-rg" +} + +# repos must be lower than 20 items +locals { + repos_01 = [ + "pagopa-payment-options-service", + ] + + federations_01 = [ + for repo in local.repos_01 : { + repository = repo + subject = var.env + } + ] + + federations_01_pr = [ + for repo in local.repos_01 : { + repository = repo + subject = "pull_request" + } + ] + + federations_01_ref = [ + for repo in local.repos_01 : { + repository = repo + credentials_scope = "ref" + subject = "refs/heads/main" + } + ] + + + # to avoid subscription Contributor -> https://github.com/microsoft/azure-container-apps/issues/35 + environment_cd_roles = { + subscription = [ + "Contributor", + ] + resource_groups = { + "${local.product}-${var.location_short}-${var.domain}-sec-rg" = [ + "Key Vault Reader" + ], + "${local.product}-${var.location_short}-${var.env}-aks-rg" = [ + "Contributor" + ], + } + } +} + +# create a module for each 20 repos +module "identity_cd_01" { + source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v8.22.0" + # pagopa---github--identity + prefix = var.prefix + env_short = var.env_short + domain = "${var.domain}-01" + + identity_role = "cd" + + github_federations = local.federations_01 + + cd_rbac_roles = { + subscription_roles = local.environment_cd_roles.subscription + resource_groups = local.environment_cd_roles.resource_groups + } + + tags = var.tags + + depends_on = [ + data.azurerm_resource_group.identity_rg + ] +} + +resource "azurerm_key_vault_access_policy" 
"gha_iac_managed_identities" { + key_vault_id = data.azurerm_key_vault.key_vault.id + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = module.identity_cd_01.identity_principal_id + + secret_permissions = ["Get", "List", "Set", ] + + certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get"] + key_permissions = [ + "Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt", "GetRotationPolicy" + ] + + storage_permissions = [] +} + +resource "null_resource" "github_runner_app_permissions_to_namespace_cd_01" { + triggers = { + aks_id = data.azurerm_kubernetes_cluster.aks.id + service_principal_id = module.identity_cd_01.identity_client_id + namespace = var.domain + version = "v2" + } + + provisioner "local-exec" { + command = </dev/null + echo "cleaned!" +} + +function download_tool() { + #default value + cpu_type="intel" + os_type=$(uname) + + # only on MacOS + if [ "$os_type" == "Darwin" ]; then + cpu_brand=$(sysctl -n machdep.cpu.brand_string) + if grep -q -i "intel" <<< "$cpu_brand"; then + cpu_type="intel" + else + cpu_type="arm" + fi + fi + + echo $cpu_type + tool=$1 + git_repo="https://raw.githubusercontent.com/pagopa/eng-common-scripts/main/golang/${tool}_${cpu_type}" + if ! command -v $tool &> /dev/null; then + if ! curl -sL "$git_repo" -o "$tool"; then + echo "Error downloading ${tool}" + return 1 + else + chmod +x $tool + echo "${tool} downloaded! Please note this tool WON'T be copied in your **/bin folder for safety reasons. +You need to do it yourself!" + read -p "Press enter to continue" + + + fi + fi +} + +function extract_resources() { + TF_FILE=$1 + ENV=$2 + TARGETS="" + + # Check if the file exists + if [ ! -f "$TF_FILE" ]; then + echo "File $TF_FILE does not exist." + exit 1 + fi + + # Check if the directory exists + if [ ! -d "./env/$ENV" ]; then + echo "Directory ./env/$ENV does not exist." 
+ exit 1 + fi + + TMP_FILE=$(mktemp) + grep -E '^resource|^module' $TF_FILE > $TMP_FILE + + while read -r line ; do + TYPE=$(echo $line | cut -d '"' -f 1 | tr -d ' ') + if [ "$TYPE" == "module" ]; then + NAME=$(echo $line | cut -d '"' -f 2) + TARGETS+=" -target=\"$TYPE.$NAME\"" + else + NAME1=$(echo $line | cut -d '"' -f 2) + NAME2=$(echo $line | cut -d '"' -f 4) + TARGETS+=" -target=\"$NAME1.$NAME2\"" + fi + done < $TMP_FILE + + rm $TMP_FILE + + echo "./terraform.sh $action $ENV $TARGETS" +} + +function help_usage() { + echo "terraform.sh Version ${vers}" + echo + echo "Usage: ./script.sh [ACTION] [ENV] [OTHER OPTIONS]" + echo "es. ACTION: init, apply, plan, etc." + echo "es. ENV: dev, uat, prod, etc." + echo + echo "Available actions:" + echo " clean Remove .terraform* folders and tfplan files" + echo " help This help" + echo " list List every environment available" + echo " update Update this script if possible" + echo " summ Generate summary of Terraform plan" + echo " tflist Generate an improved output of terraform state list" + echo " tlock Generate or update the dependency lock file" + echo " * any terraform option" +} + +function init_terraform() { + if [ -n "$env" ]; then + terraform init -reconfigure -backend-config="./env/$env/backend.tfvars" + else + echo "ERROR: no env configured!" + exit 1 + fi +} + +function list_env() { + # Check if env directory exists + if [ ! 
-d "./env" ]; then + echo "No environment directory found" + exit 1 + fi + + # List subdirectories under env directory + env_list=$(ls -d ./env/*/ 2>/dev/null) + + # Check if there are any subdirectories + if [ -z "$env_list" ]; then + echo "No environments found" + exit 1 + fi + + # Print the list of environments + echo "Available environments:" + for env in $env_list; do + env_name=$(echo "$env" | sed 's#./env/##;s#/##') + echo "- $env_name" + done +} + +function other_actions() { + if [ -n "$env" ] && [ -n "$action" ]; then + terraform "$action" -var-file="./env/$env/terraform.tfvars" -compact-warnings $other + else + echo "ERROR: no env or action configured!" + exit 1 + fi +} + +function state_output_taint_actions() { + if [ "$action" == "tflist" ]; then + # If 'tflist' is not installed globally and there is no 'tflist' file in the current directory, + # attempt to download the 'tflist' tool + if ! command -v tflist &> /dev/null && [ ! -f "tflist" ]; then + download_tool "tflist" + if [ $? -ne 0 ]; then + echo "Error: Failed to download tflist!!" + exit 1 + else + echo "tflist downloaded!" 
+ fi + fi + if command -v tflist &> /dev/null; then + terraform state list | tflist + else + terraform state list | ./tflist + fi + else + terraform $action $other + fi +} + + +function parse_tfplan_option() { + # Create an array to contain arguments that do not start with '-tfplan=' + local other_args=() + + # Loop over all arguments + for arg in "$@"; do + # If the argument starts with '-tfplan=', extract the file name + if [[ "$arg" =~ ^-tfplan= ]]; then + echo "${arg#*=}" + else + # If the argument does not start with '-tfplan=', add it to the other_args array + other_args+=("$arg") + fi + done + + # Print all arguments in other_args separated by spaces + echo "${other_args[@]}" +} + +function tfsummary() { + local plan_file + plan_file=$(parse_tfplan_option "$@") + if [ -z "$plan_file" ]; then + plan_file="tfplan" + fi + action="plan" + other="-out=${plan_file}" + other_actions + if [ -n "$(command -v tf-summarize)" ]; then + tf-summarize -tree "${plan_file}" + else + echo "tf-summarize is not installed" + fi + if [ "$plan_file" == "tfplan" ]; then + rm $plan_file + fi +} + +function update_script() { + # Check if the repository was cloned successfully + if ! curl -sL "$git_repo" -o "$tmp_file"; then + echo "Error cloning the repository" + rm "$tmp_file" 2>/dev/null + return 1 + fi + + # Check if a newer version exists + remote_vers=$(sed -n '8s/vers="\(.*\)"/\1/p' "$tmp_file") + if [ "$(printf '%s\n' "$vers" "$remote_vers" | sort -V | tail -n 1)" == "$vers" ]; then + echo "The local script version is equal to or newer than the remote version." + rm "$tmp_file" 2>/dev/null + return 0 + fi + + # Check the fingerprint + local_fingerprint=$(sed -n '4p' "$0") + remote_fingerprint=$(sed -n '4p' "$tmp_file") + + if [ "$local_fingerprint" != "$remote_fingerprint" ]; then + echo "The local and remote file fingerprints do not match." 
+ rm "$tmp_file" 2>/dev/null + return 0 + fi + + # Show the current and available versions to the user + echo "Current script version: $vers" + echo "Available script version: $remote_vers" + + # Ask the user if they want to update the script + read -rp "Do you want to update the script to version $remote_vers? (y/n): " answer + + if [ "$answer" == "y" ] || [ "$answer" == "Y" ]; then + # Replace the local script with the updated version + cp "$tmp_file" "$script_name" + chmod +x "$script_name" + rm "$tmp_file" 2>/dev/null + + echo "Script successfully updated to version $remote_vers" + else + echo "Update canceled by the user" + fi + + rm "$tmp_file" 2>/dev/null +} + +# Check arguments number +if [ "$#" -lt 1 ]; then + help_usage + exit 0 +fi + +# Parse arguments +action=$1 +env=$2 +filetf=$3 +shift 2 +other=$@ + +if [ -n "$env" ]; then + # shellcheck source=/dev/null + source "./env/$env/backend.ini" + if [ -z "$(command -v az)" ]; then + echo "az not found, cannot proceed" + exit 1 + fi + az account set -s "${subscription}" +fi + +# Call appropriate function based on action +case $action in + clean) + clean_environment + ;; + ?|help|-h) + help_usage + ;; + init) + init_terraform "$other" + ;; + list) + list_env + ;; + output|state|taint|tflist) + init_terraform + state_output_taint_actions $other + ;; + summ) + init_terraform + tfsummary "$other" + ;; + tlock) + terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=darwin_arm64 -platform=linux_amd64 + ;; + update) + update_script + ;; + *) + if [ "$FILE_ACTION" = true ]; then + extract_resources "$filetf" "$env" + else + init_terraform + other_actions "$other" + fi + ;; +esac diff --git a/src/domains/paymentoptions-secrets/.terraform.lock.hcl b/src/domains/paymentoptions-secrets/.terraform.lock.hcl new file mode 100644 index 0000000000..a389468af5 --- /dev/null +++ b/src/domains/paymentoptions-secrets/.terraform.lock.hcl 
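Review bot: `environment_cd_roles.subscription = ["Contributor"]` directly contradicts the comment right above it, `# to avoid subscription Contributor -> ...`, and the same block also grants Contributor on the aks resource group, so the CD identity ends up with subscription-wide Contributor regardless; either drop the subscription entry and keep the resource-group-scoped roles, or rewrite the comment to say why subscription Contributor is still required. This hunk is mangled by extraction at `command = <` (the `local-exec` heredoc of `github_runner_app_permissions_to_namespace_cd_01`) and runs straight into a shell script whose diff header is missing, so the end of the Terraform file and the start of the script are not visible here. In that script, `update_script` replaces `$script_name` with a file fetched by `curl` after comparing only line 4 of the two files (`sed -n '4p'`), which is a sameness check on one comment line rather than an integrity check; verifying a pinned checksum shipped with the script, or at least printing the downloaded file's hash for the user to confirm before the `cp`, would make the self-update trustworthy. `download_tool` has the same gap: it marks the fetched binary executable with `chmod +x` without any checksum.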
@@ -0,0 +1,107 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azuread" { + version = "2.47.0" + constraints = "<= 2.47.0" + hashes = [ + "h1:g8+gBFM4QVOEQFqAEs5pR6iXpbGvgPvcEi1evHwziyw=", + "h1:iRwDQBdXBpVBoYwM9au2RG01RQuJSm3TGQ2kioFVAas=", + "zh:1372d81eb24ef3b4b00ea350fe87219f22da51691b8e42ce91d662f6c2a8af5e", + "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", + "zh:1e654a74d171d6ff8f9f6f67e3ff1421d4c5e56a18607703626bf12cd23ba001", + "zh:35227fad617a0509c64ab5759a8b703b10d244877f1aa5416bfbcc100c96996f", + "zh:357f553f0d78d46a96c7b2ed06d25ee0fc60fc5be19812ccb5d969fa47d62e17", + "zh:58faa2940065137e3e87d02eba59ab5cd7137d7a18caf225e660d1788f274569", + "zh:7308eda0339620fa24f47cedd22221fc2c02cab9d5be1710c09a783aea84eb3a", + "zh:863eabf7f908a8263e28d8aa2ad1381affd6bb5c67755216781f674ef214100e", + "zh:8b95b595a7c14ed7b56194d03cdec253527e7a146c1c58961be09e6b5c50baee", + "zh:afbca6b4fac9a0a488bc22ff9e51a8f14e986137d25275068fd932f379a51d57", + "zh:c6aadec4c81a44c3ffc22c2d90ffc6706bf5a9a903a395d896477516f4be6cbb", + "zh:e54a59de7d4ef0f3a18f91fed0b54a2bce18257ae2ee1df8a88226e1023c5811", + ] +} + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.106.0" + constraints = "~> 3.30, <= 3.106.0" + hashes = [ + "h1:6t9Nz9tYAR9BfHZ8yc56m+GKRl0nriwjQ5DyA0/TnCs=", + "h1:Mxe1/I27IZK3BP6cm84Gt0+7PXd2EDaDUMxuljm/rUA=", + "zh:07980d6fdc40c0adb670c8413a5c667917d6dbb51fcedc467c35d64c2f3a1f47", + "zh:2e6e8491b1f089644b0d23f8da83398f1e10cf5a62b16efcef2b5454fe923038", + "zh:450dbd72821c5619cc3bcdc20fdd0e29515147e44b733f9c79d3a75851810055", + "zh:5e234c0a2f3c9677ea72b2a6e6ca90defb99fab29ae565f5d1f70728ba4ba78f", + "zh:83fd042ece6977429d79affd03d6ce963d2f122604dbf15a1abf203d7a7bbc8a", + "zh:93027e1f66b3bf83398d572d4e6f6e7777330c78c54da3226dadd50fd868ada9", + "zh:ae3d1dd66140c303df97d93c47a60f16735ce17cf156f45475dcee4a7360af5b", + 
"zh:daf9d2eb89e785458a76b88bf2ef0696c472094c77cc9cff3b3ea4b885c5a482", + "zh:dd46370141651e6549da6d85e25c7a6770c47581bbaaa27eda2886d41d849747", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f77405c0d8f6e0d93d9da83256b3b02c164bad4c791ed9604310ff02ae086ad1", + "zh:ffa769147bda833aef8802e3a391bd175ec749862764d61cbdaa8200d5b8f893", + ] +} + +provider "registry.terraform.io/hashicorp/external" { + version = "2.2.3" + constraints = "<= 2.2.3" + hashes = [ + "h1:648ZjJR81c2W1OLtYmUQa9/1rGr3vvZSuX9dR1ucGWY=", + "h1:D2RKjqoU26isFINpmeKG9NS0LvkPmrQkNXeYO2TdgyA=", + "zh:184ecd339d764de845db0e5b8a9c87893dcd0c9d822167f73658f89d80ec31c9", + "zh:2661eaca31d17d6bbb18a8f673bbfe3fe1b9b7326e60d0ceb302017003274e3c", + "zh:2c0a180f6d1fc2ba6e03f7dfc5f73b617e45408681f75bca75aa82f3796df0e4", + "zh:4b92ae44c6baef4c4952c47be00541055cb5280dd3bc8031dba5a1b2ee982387", + "zh:5641694d5daf3893d7ea90be03b6fa575211a08814ffe70998d5adb8b59cdc0a", + "zh:5bd55a2be8a1c20d732ac9c604b839e1cadc8c49006315dffa4d709b6874df32", + "zh:6e0ef5d11e1597202424b7d69b9da7b881494c9b13a3d4026fc47012dc651c79", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9e19f89fa25004d3b926a8d15ea630b4bde62f1fa4ed5e11a3d27aabddb77353", + "zh:b763efdd69fd097616b4a4c89cf333b4cee9699ac6432d73d2756f8335d1213f", + "zh:e3b561efdee510b2b445f76a52a902c52bee8e13095e7f4bed7c80f10f8d294a", + "zh:fe660bb8781ee043a093b9a20e53069974475dcaa5791a1f45fd03c61a26478a", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.16.1" + constraints = "<= 2.16.1" + hashes = [ + "h1:PO4Ye/+lu5hCaUEOtwNOldQYoA0dqL1bcBICIpdlcd8=", + "h1:kO/d+ZMZYM2tNMMFHZqBmVR0MeemoGnI2G2NSN92CrU=", + "zh:06224975f5910d41e73b35a4d5079861da2c24f9353e3ebb015fbb3b3b996b1c", + "zh:2bc400a8d9fe7755cca27c2551564a9e2609cfadc77f526ef855114ee02d446f", + "zh:3a479014187af1d0aec3a1d3d9c09551b801956fe6dd29af1186dec86712731b", + "zh:73fb0a69f1abdb02858b6589f7fab6d989a0f422f7ad95ed662aaa84872d3473", + 
"zh:a33852cd382cbc8e06d3f6c018b468ad809d24d912d64722e037aed1f9bf39db", + "zh:b533ff2214dca90296b1d22eace7eaa7e3efe5a7ae9da66a112094abc932db4f", + "zh:ddf74d8bb1aeb01dc2c36ef40e2b283d32b2a96db73f6daaf179fa2f10949c80", + "zh:e720f3a15d34e795fa9ff90bc755e838ebb4aef894aa2a423fb16dfa6d6b0667", + "zh:e789ae70a658800cb0a19ef7e4e9b26b5a38a92b43d1f41d64fc8bb46539cefb", + "zh:e8aed7dc0bd8f843d607dee5f72640dbef6835a8b1c6ea12cea5b4ec53e463f7", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:fb3ac4f43c8b0dfc0b0103dd0f062ea72b3a34518d4c8808e3a44c9a3dd5f024", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.1" + constraints = "~> 3.2, <= 3.2.1" + hashes = [ + "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", + "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=", + "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", + "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", + "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", + "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", + "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", + "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", + "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", + "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", + "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", + "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", + ] +} diff --git a/src/domains/paymentoptions-secrets/00_azuread.tf b/src/domains/paymentoptions-secrets/00_azuread.tf new file mode 100644 index 0000000000..14a0893a9f --- /dev/null +++ b/src/domains/paymentoptions-secrets/00_azuread.tf 
@@ -0,0 +1,16 @@
+# Azure AD
+data "azuread_group" "adgroup_admin" {
+ display_name = "${local.product}-adgroup-admin"
+}
+
+data "azuread_group" "adgroup_developers" {
+ display_name = "${local.product}-adgroup-developers"
+}
+
+data "azuread_group" "adgroup_externals" {
+ display_name = "${local.product}-adgroup-externals"
+}
+
+data "azuread_group" "adgroup_security" {
+ display_name = "${local.product}-adgroup-security"
+}
\ No newline at end of file
diff --git a/src/domains/paymentoptions-secrets/01_keyvault.tf b/src/domains/paymentoptions-secrets/01_keyvault.tf
new file mode 100644
index 0000000000..28af4e56e2
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/01_keyvault.tf
@@ -0,0 +1,101 @@ +resource "azurerm_resource_group" "sec_rg" { + name = "${local.product}-${var.location_short}-${var.domain}-sec-rg" + location = var.location + + tags = var.tags +} + +module "key_vault" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v8.22.0" + + name = "${local.product}-${var.location_short}-${var.domain}-kv" + location = azurerm_resource_group.sec_rg.location + resource_group_name = azurerm_resource_group.sec_rg.name + tenant_id = data.azurerm_client_config.current.tenant_id + soft_delete_retention_days = 90 + + tags = var.tags +} + +## ad group policy ## +resource "azurerm_key_vault_access_policy" "ad_group_policy" { + key_vault_id = module.key_vault.id + + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azuread_group.adgroup_admin.object_id + + key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt", "Backup", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", "Release", "Rotate", "GetRotationPolicy", "SetRotationPolicy"] + secret_permissions = ["Get", "List", "Set", "Delete", "Backup", "Purge", "Recover", "Restore"] + storage_permissions = [] + certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Purge", "Recover", ] +} + +## ad group policy ## +resource "azurerm_key_vault_access_policy" "adgroup_developers_policy" { + count = var.env_short != "p" ? 
1 : 0 + + key_vault_id = module.key_vault.id + + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azuread_group.adgroup_developers.object_id + + key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt", "Recover", "Rotate", "GetRotationPolicy"] + secret_permissions = ["Get", "List", "Set", "Delete", "Recover", ] + storage_permissions = [] + certificate_permissions = [ + "Get", "List", "Update", "Create", "Import", + "Delete", "Restore", "Purge", "Recover" + ] +} + +## ad group policy ## +resource "azurerm_key_vault_access_policy" "adgroup_externals_policy" { + count = var.env_short != "p" ? 1 : 0 + + key_vault_id = module.key_vault.id + + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azuread_group.adgroup_externals.object_id + + key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt", "Recover", "Rotate", "GetRotationPolicy"] + secret_permissions = ["Get", "List", "Set", "Delete", "Recover", ] + storage_permissions = [] + certificate_permissions = [ + "Get", "List", "Update", "Create", "Import", + "Delete", "Restore", "Purge", "Recover" + ] +} + +## ad group policy ## +data "azuread_service_principal" "iac_principal" { + count = var.enable_iac_pipeline ? 1 : 0 + display_name = "pagopaspa-pagoPA-iac-${data.azurerm_subscription.current.subscription_id}" +} + +resource "azurerm_key_vault_access_policy" "azdevops_iac_policy" { + count = var.enable_iac_pipeline ? 
1 : 0 + key_vault_id = module.key_vault.id + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azuread_service_principal.iac_principal[0].object_id + + secret_permissions = ["Get", "List", "Set", ] + certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get"] + key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt"] + + storage_permissions = [] +} + +################ +## Secrets ## +################ + +# create json letsencrypt inside kv +# requierd: Docker +module "letsencrypt_paymentoptions" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git///letsencrypt_credential?ref=v8.44.0" + + prefix = var.prefix + env = var.env_short + key_vault_name = module.key_vault.name + subscription_name = local.subscription_name +} diff --git a/src/domains/paymentoptions-secrets/02_azdo.tf b/src/domains/paymentoptions-secrets/02_azdo.tf new file mode 100644 index 0000000000..5683ffec89 --- /dev/null +++ b/src/domains/paymentoptions-secrets/02_azdo.tf @@ -0,0 +1,23 @@ +# +# Policy +# + +data "azurerm_user_assigned_identity" "iac_federated_azdo" { + for_each = local.azdo_iac_managed_identities + name = each.key + resource_group_name = local.azdo_managed_identity_rg_name +} + +resource "azurerm_key_vault_access_policy" "azdevops_iac_managed_identities" { + for_each = local.azdo_iac_managed_identities + + key_vault_id = module.key_vault.id + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_user_assigned_identity.iac_federated_azdo[each.key].principal_id + + secret_permissions = ["Get", "List", "Set", ] + + certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get"] + + storage_permissions = [] +} diff --git a/src/domains/paymentoptions-secrets/02_init_sops.tf b/src/domains/paymentoptions-secrets/02_init_sops.tf new file mode 100644 index 0000000000..e93d0651a0 --- /dev/null 
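Review bot: `ad_group_policy.key_permissions` lists `"Update"` twice (once after `"Import"` and again after `"UnwrapKey"`), which is at best a no-op; drop the second one. `module "letsencrypt_paymentoptions"` pins `ref=v8.44.0` while every other module in this commit (`eventhub`, `github_federated_identity`, `key_vault`) pins `v8.22.0`; if the newer ref is needed for that module, a one-line comment saying so prevents someone "fixing" it back. The `## ad group policy ##` header above `data "azuread_service_principal" "iac_principal"` is copy-pasted and misleading; `## azdevops iac pipeline ##` would describe what follows. `soft_delete_retention_days = 90` is set, but nothing visible enables purge protection on a vault that will hold the sops master key; if the `key_vault` module does not default it, it is worth passing explicitly.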
+++ b/src/domains/paymentoptions-secrets/02_init_sops.tf
@@ -0,0 +1,21 @@
+moved {
+ from = azurerm_key_vault_key.generated
+ to = azurerm_key_vault_key.sops_key
+}
+
+resource "azurerm_key_vault_key" "sops_key" {
+ name = "${local.product}-${var.domain}-sops-key"
+ key_vault_id = module.key_vault.id
+ key_type = "RSA"
+ key_size = 2048
+
+ key_opts = [
+ "decrypt",
+ "encrypt",
+ ]
+
+ depends_on = [
+ azurerm_key_vault_access_policy.adgroup_developers_policy,
+ azurerm_key_vault_access_policy.ad_group_policy,
+ ]
+}
diff --git a/src/domains/paymentoptions-secrets/03_sops_secrets.tf b/src/domains/paymentoptions-secrets/03_sops_secrets.tf
new file mode 100644
index 0000000000..aa759d304e
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/03_sops_secrets.tf
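Review bot: `azurerm_key_vault_key.sops_key` has neither an `expiration_date` nor a `rotation_policy`, so the RSA key protecting every sops file has no lifecycle and nothing will ever report it as stale. If rotation is intentionally manual (it means re-encrypting every sops file with the new key), record that on the resource, e.g. `# no rotation_policy on purpose: rotating means re-encrypting all sops files by hand`; otherwise set at least an `expiration_date` so the vault flags the key when it is due.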
@@ -0,0 +1,54 @@ +moved { + from = data.external.external2 + to = data.external.terrasops +} + +data "external" "terrasops" { + program = [ + "bash", "terrasops.sh" + ] + query = { + env = "${var.location_short}-${var.env}" + } + +} + +locals { + all_enc_secrets_value = can(data.external.terrasops.result) ? flatten([ + for k, v in data.external.terrasops.result : { + valore = v + chiave = k + } + ]) : [] + + config_secret_data = jsondecode(file(var.input_file)) + all_config_secrets_value = flatten([ + for kc, vc in local.config_secret_data : { + valore = vc + chiave = kc + } + ]) + + all_secrets_value = concat(local.all_config_secrets_value, local.all_enc_secrets_value) +} + +## SOPS secrets + +## Upload all encrypted secrets +resource "azurerm_key_vault_secret" "secret" { + for_each = { for i, v in local.all_secrets_value : local.all_secrets_value[i].chiave => i } + + key_vault_id = module.key_vault.id + name = local.all_secrets_value[each.value].chiave + value = local.all_secrets_value[each.value].valore + + depends_on = [ + module.key_vault, + azurerm_key_vault_key.sops_key, + data.external.terrasops, + azurerm_key_vault_access_policy.adgroup_developers_policy, + azurerm_key_vault_access_policy.ad_group_policy, + ] +} + +# ⚠️ The secrets from resources are set in paymentoptions-app to avoid circular dependency diff --git a/src/domains/paymentoptions-secrets/99_locals.tf b/src/domains/paymentoptions-secrets/99_locals.tf new file mode 100644 index 0000000000..084cb86f0c --- /dev/null +++ b/src/domains/paymentoptions-secrets/99_locals.tf @@ -0,0 +1,11 @@ +locals { + project = "${var.prefix}-${var.env_short}-${var.location_short}-${var.domain}" + product = "${var.prefix}-${var.env_short}" + + + subscription_name = "${var.env}-${var.prefix}" + + azdo_managed_identity_rg_name = "pagopa-${var.env_short}-identity-rg" + azdo_iac_managed_identities = toset(["azdo-${var.env}-pagopa-iac-deploy", "azdo-${var.env}-pagopa-iac-plan"]) + +} 
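Review bot: `can(data.external.terrasops.result) ? ... : []` does not do what it looks like: if `terrasops.sh` fails, the `external` data source itself errors and the plan stops before this expression is evaluated, so the `[]` branch is dead and the guard should go, or be replaced by a comment on the data source saying a failing script is fatal by design. The `for_each` map keyed on `chiave` over `concat(local.all_config_secrets_value, local.all_enc_secrets_value)` will fail with a duplicate-key error if the same secret name appears in both `configs.json` and the sops output; that is probably the desired behaviour, but a comment would make the error understandable when it hits. `jsondecode(file(var.input_file))` reads the json in clear and every value becomes an `azurerm_key_vault_secret.value`, i.e. it lands in state; the header comment should state that the input file is expected to hold only non-sensitive configuration and that sensitive entries come through sops. `program = ["bash", "terrasops.sh"]` depends on the working directory of the plan; `"${path.module}/terrasops.sh"` removes that dependency.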
diff --git a/src/domains/paymentoptions-secrets/99_main.tf b/src/domains/paymentoptions-secrets/99_main.tf
new file mode 100644
index 0000000000..93ec8f61ca
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/99_main.tf
@@ -0,0 +1,43 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "<= 3.106.0"
+ }
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "<= 2.47.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = "<= 3.2.1"
+ }
+ external = {
+ source = "hashicorp/external"
+ version = "<= 2.2.3"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "<= 2.16.1"
+ }
+ }
+
+ backend "azurerm" {}
+}
+
+provider "azurerm" {
+ features {
+ key_vault {
+ purge_soft_delete_on_destroy = false
+ }
+ }
+}
+
+provider "kubernetes" {
+ config_path = "~/.kube/config-${var.prefix}-${var.env_short}-${var.location_short}-${var.env}-aks"
+ config_context = "${var.prefix}-${var.env_short}-${var.location_short}-${var.env}-aks"
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
diff --git a/src/domains/paymentoptions-secrets/99_variables.tf b/src/domains/paymentoptions-secrets/99_variables.tf
new file mode 100644
index 0000000000..3a7cff7fcf
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/99_variables.tf
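Review bot: `provider "kubernetes"` (and the `kubernetes` and `null` entries in `required_providers`) are configured here, but none of the secrets-domain files in this commit declare a kubernetes or null resource, so the provider reads `~/.kube/config-...` on every run for nothing unless a file outside this chunk uses it; drop it, or add `# kept for <resource>` naming the consumer. The upper-bound-only constraints (`<= 3.106.0`, `<= 2.47.0`, ...) together with the lock file keep the versions deterministic, which is fine, but a comment on the `terraform` block saying the bounds are bumped on purpose by the lock-file PRs would stop readers from relaxing them.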
@@ -0,0 +1,101 @@
+# general
+
+variable "prefix" {
+ type = string
+ validation {
+ condition = (
+ length(var.prefix) <= 6
+ )
+ error_message = "Max length is 6 chars."
+ }
+}
+
+variable "env" {
+ type = string
+}
+
+variable "env_short" {
+ type = string
+ validation {
+ condition = (
+ length(var.env_short) == 1
+ )
+ error_message = "Length must be 1 chars."
+ }
+}
+
+variable "domain" {
+ type = string
+ validation {
+ condition = (
+ length(var.domain) <= 12
+ )
+ error_message = "Max length is 12 chars."
+ }
+}
+
+variable "location" {
+ type = string
+ description = "One of westeurope, northeurope"
+}
+
+variable "location_short" {
+ type = string
+ validation {
+ condition = (
+ length(var.location_short) == 3
+ )
+ error_message = "Length must be 3 chars."
+ }
+ description = "One of weu, itn"
+}
+
+variable "instance" {
+ type = string
+ description = "One of beta, prod01, prod02"
+}
+
+variable "tags" {
+ type = map(any)
+ default = {
+ CreatedBy = "Terraform"
+ }
+}
+
+###
+
+variable "input_file" {
+ type = string
+ description = "secret json file"
+}
+
+variable "enable_iac_pipeline" {
+ type = bool
+ description = "If true create the key vault policy to allow used by azure devops iac pipelines."
+ default = false
+}
+
+
+variable "kv-key-permissions-read" {
+ type = list(string)
+ description = "List of read key permissions"
+ default = ["Get", "List"]
+}
+
+variable "kv-secret-permissions-read" {
+ type = list(string)
+ description = "List of read secret permissions"
+ default = ["Get", "List"]
+}
+
+variable "kv-certificate-permissions-read" {
+ type = list(string)
+ description = "List of read certificate permissions"
+ default = ["Get", "GetIssuers", "List", "ListIssuers"]
+}
+
+variable "kv-storage-permissions-read" {
+ type = list(string)
+ description = "List of read storage permissions"
+ default = ["Get", "GetSAS", "List", "ListSAS"]
+}
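Review bot: The descriptions on `location` and `instance` do not match the values the tfvars in this same patch feed them: `location` says `One of westeurope, northeurope` while every `terraform.tfvars` here uses `italynorth`, and `instance` says `One of beta, prod01, prod02` while the tfvars use `dev`, `uat` and `prod`. Neither variable has a `validation` block, so a wrong value is not caught either. Suggest `description = "Azure region, e.g. italynorth, westeurope"` and `description = "Instance identifier, e.g. dev, uat, prod"`, and a `validation` on `location` in the style of the one on `location_short` if the set of regions is meant to be closed.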
diff --git a/src/domains/paymentoptions-secrets/env/itn-dev/backend.ini b/src/domains/paymentoptions-secrets/env/itn-dev/backend.ini
new file mode 100644
index 0000000000..f3ea2d530c
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/env/itn-dev/backend.ini
@@ -0,0 +1 @@
+subscription=DEV-pagoPA
\ No newline at end of file
diff --git a/src/domains/paymentoptions-secrets/env/itn-dev/backend.tfvars b/src/domains/paymentoptions-secrets/env/itn-dev/backend.tfvars
new file mode 100644
index 0000000000..324e5f4b9d
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/env/itn-dev/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfinfdevpagopa"
+container_name = "terraform-state"
+key = "paymentoptions-secret-dev.terraform.tfstate"
diff --git a/src/domains/paymentoptions-secrets/env/itn-dev/terraform.tfvars b/src/domains/paymentoptions-secrets/env/itn-dev/terraform.tfvars
new file mode 100644
index 0000000000..4cb569abdb
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/env/itn-dev/terraform.tfvars
@@ -0,0 +1,30 @@
+prefix = "pagopa"
+env_short = "d"
+env = "dev"
+domain = "payopt"
+location = "italynorth"
+location_short = "itn"
+instance = "dev"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Dev"
+ Owner = "pagoPA"
+ Source = "https://github.com/pagopa/pagopa-infra/tree/main/src/domains/paymentoptions-secrets"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+}
+
+### External resources
+
+monitor_italy_resource_group_name = "pagopa-d-itn-core-monitor-rg"
+log_analytics_italy_workspace_name = "pagopa-d-itn-core-law"
+log_analytics_italy_workspace_resource_group_name = "pagopa-d-itn-core-monitor-rg"
+
+input_file = "./secret/itn-dev/configs.json"
+
+enable_iac_pipeline = true
+
+
+
+
+
diff --git a/src/domains/paymentoptions-secrets/env/itn-prod/backend.ini b/src/domains/paymentoptions-secrets/env/itn-prod/backend.ini
new file mode 100644
index 0000000000..6318425346
--- /dev/null
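Review bot: `monitor_italy_resource_group_name`, `log_analytics_italy_workspace_name` and `log_analytics_italy_workspace_resource_group_name` are assigned in this `terraform.tfvars`, but no variable of those names is declared in the `99_variables.tf` added by the same patch, so unless they are declared in a file outside this view Terraform only emits a "value for undeclared variable" warning and ignores them. The itn-prod and itn-uat `terraform.tfvars` hunks carry the same block, and itn-uat additionally sets an undeclared `force = "v1"`. Either declare the variables or drop the `### External resources` block so the file does not suggest a wiring that does not exist.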
+++ b/src/domains/paymentoptions-secrets/env/itn-prod/backend.ini
@@ -0,0 +1 @@
+subscription=PROD-pagoPA
diff --git a/src/domains/paymentoptions-secrets/env/itn-prod/backend.tfvars b/src/domains/paymentoptions-secrets/env/itn-prod/backend.tfvars
new file mode 100644
index 0000000000..9b18697702
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/env/itn-prod/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfinfprodpagopa"
+container_name = "terraform-state"
+key = "paymentoptions-secret-prod.terraform.tfstate"
diff --git a/src/domains/paymentoptions-secrets/env/itn-prod/terraform.tfvars b/src/domains/paymentoptions-secrets/env/itn-prod/terraform.tfvars
new file mode 100644
index 0000000000..4e852fe9cf
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/env/itn-prod/terraform.tfvars
@@ -0,0 +1,30 @@
+prefix = "pagopa"
+env_short = "p"
+env = "prod"
+domain = "paymentoptns"
+location = "payopt"
+location_short = "itn"
+instance = "prod"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Prod"
+ Owner = "pagoPA"
+ Source = "https://github.com/pagopa/pagopa-infra/tree/main/src/domains/paymentoptions-secrets"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+}
+
+### External resources
+
+monitor_italy_resource_group_name = "pagopa-d-itn-core-monitor-rg"
+log_analytics_italy_workspace_name = "pagopa-d-itn-core-law"
+log_analytics_italy_workspace_resource_group_name = "pagopa-d-itn-core-monitor-rg"
+
+input_file = "./secret/itn-prod/configs.json"
+
+enable_iac_pipeline = true
+
+
+
+
+
diff --git a/src/domains/paymentoptions-secrets/env/itn-uat/backend.ini b/src/domains/paymentoptions-secrets/env/itn-uat/backend.ini
new file mode 100644
index 0000000000..1a014151dc
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/env/itn-uat/backend.ini
@@ -0,0 +1 @@
+subscription=UAT-pagoPA
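Review bot: `location = "payopt"` in the itn-prod `terraform.tfvars` is not an Azure region — the dev and uat files use `italynorth` — and `domain = "paymentoptns"` differs from the `payopt` used in dev and uat, which changes `local.project` (and anything named from it) for prod only; since `location` has no validation and `paymentoptns` fits the 12-character limit on `domain`, neither is caught at plan time. The `### External resources` block also points prod at the dev monitor resource group and workspace (`pagopa-d-itn-core-monitor-rg`, `pagopa-d-itn-core-law`), as does the uat file. Suggest `location = "italynorth"` and `domain = "payopt"`, and re-checking the `-d-` names against the prod and uat environments.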
diff --git a/src/domains/paymentoptions-secrets/env/itn-uat/backend.tfvars b/src/domains/paymentoptions-secrets/env/itn-uat/backend.tfvars
new file mode 100644
index 0000000000..2f949683b5
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/env/itn-uat/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfinfuatpagopa"
+container_name = "terraform-state"
+key = "paymentoptions-secret-uat.terraform.tfstate"
diff --git a/src/domains/paymentoptions-secrets/env/itn-uat/terraform.tfvars b/src/domains/paymentoptions-secrets/env/itn-uat/terraform.tfvars
new file mode 100644
index 0000000000..170edb7557
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/env/itn-uat/terraform.tfvars
@@ -0,0 +1,27 @@
+prefix = "pagopa"
+env_short = "u"
+env = "uat"
+domain = "payopt"
+location = "italynorth"
+location_short = "itn"
+instance = "uat"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Uat"
+ Owner = "pagoPA"
+ Source = "https://github.com/pagopa/pagopa-infra/tree/main/src/domains/paymentoptions-secrets"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+}
+
+### External resources
+
+monitor_italy_resource_group_name = "pagopa-d-itn-core-monitor-rg"
+log_analytics_italy_workspace_name = "pagopa-d-itn-core-law"
+log_analytics_italy_workspace_resource_group_name = "pagopa-d-itn-core-monitor-rg"
+
+input_file = "./secret/itn-uat/configs.json"
+
+enable_iac_pipeline = true
+
+force = "v1"
diff --git a/src/domains/paymentoptions-secrets/secret/itn-dev/configs.json b/src/domains/paymentoptions-secrets/secret/itn-dev/configs.json
new file mode 100644
index 0000000000..0967ef424b
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/secret/itn-dev/configs.json
@@ -0,0 +1 @@
+{}
diff --git a/src/domains/paymentoptions-secrets/secret/itn-dev/secret.ini b/src/domains/paymentoptions-secrets/secret/itn-dev/secret.ini
new file mode 100644
index 0000000000..067019d64d
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/secret/itn-dev/secret.ini
@@ -0,0 +1,3 @@
+file_crypted="noedit_secret_enc.json"
+kv_name="pagopa-d-itn-paymentoptions-kv"
+kv_sops_key_name="pagopa-d-paymentoptions-sops-key"
diff --git a/src/domains/paymentoptions-secrets/secret/itn-prod/configs.json b/src/domains/paymentoptions-secrets/secret/itn-prod/configs.json
new file mode 100644
index 0000000000..2c63c08510
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/secret/itn-prod/configs.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/src/domains/paymentoptions-secrets/secret/itn-prod/secret.ini b/src/domains/paymentoptions-secrets/secret/itn-prod/secret.ini
new file mode 100644
index 0000000000..a83c6d693e
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/secret/itn-prod/secret.ini
@@ -0,0 +1,3 @@
+file_crypted="noedit_secret_enc.json"
+kv_name="pagopa-p-itn-paymentoptions-kv"
+kv_sops_key_name="pagopa-p-paymentoptions-sops-key"
diff --git a/src/domains/paymentoptions-secrets/secret/itn-uat/configs.json b/src/domains/paymentoptions-secrets/secret/itn-uat/configs.json
new file mode 100644
index 0000000000..2c63c08510
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/secret/itn-uat/configs.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/src/domains/paymentoptions-secrets/secret/itn-uat/secret.ini b/src/domains/paymentoptions-secrets/secret/itn-uat/secret.ini
new file mode 100644
index 0000000000..e5b5471c37
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/secret/itn-uat/secret.ini
@@ -0,0 +1,3 @@
+file_crypted="noedit_secret_enc.json"
+kv_name="pagopa-u-itn-paymentoptions-kv"
+kv_sops_key_name="pagopa-u-paymentoptions-sops-key"
diff --git a/src/domains/paymentoptions-secrets/sops.sh b/src/domains/paymentoptions-secrets/sops.sh
new file mode 100644
index 0000000000..347b11d0ef
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/sops.sh
@@ -0,0 +1,137 @@ +#!/bin/bash + +# set -x # Uncomment this line to enable debug mode + +# +# how to use `sh sops.sh` +# ℹ️ This script allows you to create a sops file with the relative azure key, +# it also allows you to edit the secrets and add them with the script. +# ℹ️ This script also uses an inventory file under the "./secret//secret.ini" +# directory to load environment variables. +# + +action=$1 +env=$2 +shift 2 +# shellcheck disable=SC2034 +other=( "$@" ) + +if [ -z "$action" ]; then + helpmessage=$(cat < -> decrypt json file in specified environment + example: ./sops.sh d itn-dev + example: ./sops.sh decrypt itn-dev + +./sops.sh s -> search in enc file in specified environment + example: ./sops.sh s itn-dev + example: ./sops.sh search itn-dev + +./sops.sh n -> create new file enc json template in specified environment + example: ./sops.sh n itn-dev + example: ./sops.sh new itn-dev + +./sops.sh a -> add new secret record to enc json in specified environment + example: ./sops.sh a itn-dev + example: ./sops.sh add itn-dev + +./sops.sh e -> edit enc json record in specified environment + example: ./sops.sh e itn-dev + example: ./sops.sh edit itn-dev + +./sops.sh f -> enc a json file in a specified environment + example: ./sops.sh f itn-dev + +EOF +) + echo "$helpmessage" + exit 0 +fi + +if [ -z "$env" ]; then + echo "env should be something like: itn-dev, itn-uat or itn-prod." + exit 0 +fi + +echo "🔨 Mandatory variables are correct" +file_crypted="" +kv_name="" +kv_sops_key_name="" + +# shellcheck disable=SC1090 +source "./secret/$env/secret.ini" + +echo "🔨 All variables loaded" + +# Check if kv_name and file_crypted variables are not empty +if [ -z "${kv_name}" ]; then + echo "❌ Error: kv_name variable is not defined correctly." + exit 1 +fi + +if [ -z "$file_crypted" ]; then + echo "❌ Error: file_crypted variable is not defined correctly." 
+ exit 1
+fi
+
+encrypted_file_path="./secret/$env/$file_crypted"
+
+# Check if the key exists in the Key Vault
+# shellcheck disable=SC2154
+kv_key_url=$(az keyvault key show --vault-name "$kv_name" --name "$kv_sops_key_name" --query "key.kid" -o tsv)
+if [ -z "$kv_key_url" ]; then
+ echo "❌ The key does not exist."
+ exit 1
+fi
+echo "[INFO] Key URL: $kv_key_url"
+
+echo "🔨 Key URL loaded correctly"
+
+if echo "d decrypt a add s search n new e edit f" | grep -w "$action" > /dev/null; then
+ case $action in
+ "d"|"decrypt")
+ sops --decrypt --azure-kv "$kv_key_url" "$encrypted_file_path"
+ if [ $? -eq 1 ]; then
+ echo "❌ File $encrypted_file_path NOT encrypted"
+ exit 0
+ fi
+ ;;
+ "s"|"search")
+ read -r -p 'key: ' key
+ sops --decrypt --azure-kv "$kv_key_url" "$encrypted_file_path" | grep -i "$key"
+ ;;
+ "a"|"add")
+ read -r -p 'key: ' key
+ read -r -p 'value: ' value
+ sops -i --set '["'"$key"'"] "'"$value"'"' --azure-kv "$kv_key_url" "$encrypted_file_path"
+ echo "✅ Added key"
+ ;;
+ "n"|"new")
+ if [ -f "$encrypted_file_path" ]; then
+ echo "⚠️ file $encrypted_file_path already exists"
+ exit 0
+ fi
+ echo "{}" > "$encrypted_file_path"
+ sops --encrypt -i --azure-kv "$kv_key_url" "$encrypted_file_path"
+ echo "✅ created new file for sops"
+ ;;
+ "e"|"edit")
+ if [ ! -f "$encrypted_file_path" ]; then
+ echo "⚠️ file $encrypted_file_path not found"
+ exit 1
+ fi
+
+ sops --azure-kv "$kv_key_url" "$encrypted_file_path"
+ echo "✅ edit file completed"
+
+ ;;
+ "f")
+ read -r -p 'file: ' file
+ sops --encrypt --azure-kv "$kv_key_url" "./secret/$env/$file" > "$encrypted_file_path"
+ ;;
+ esac
+else
+ echo "⚠️ Action not allowed."
+ exit 1
+fi
diff --git a/src/domains/paymentoptions-secrets/terraform.sh b/src/domains/paymentoptions-secrets/terraform.sh
new file mode 100755
index 0000000000..047a7512d0
--- /dev/null
+++ b/src/domains/paymentoptions-secrets/terraform.sh
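Review bot: In the `add` action the secret value is collected with `read -r -p 'value: ' value`, which echoes it to the terminal and leaves it in scrollback, and is then spliced verbatim into the `--set` expression, so a value containing `"` or `\` produces a malformed path/value pair rather than the intended secret. Prefer `read -r -s -p 'value: ' value; echo` and let jq build the expression: `sops -i --set "$(jq -rn --arg k "$key" --arg v "$value" '"[\($k|tojson)] \($v|tojson)"')" --azure-kv "$kv_key_url" "$encrypted_file_path"`. In the `decrypt` branch `if [ $? -eq 1 ]` only recognises exit status 1, and the "NOT encrypted" message followed by `exit 0` hides every other failure from callers; `if ! sops --decrypt …; then … exit 1; fi` covers them all. The first half of this script (argument parsing and the `secret.ini` load) is in the preceding hunk line.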
@@ -0,0 +1,324 @@ +#!/bin/bash +############################################################ +# Terraform script for managing infrastructure on Azure +# Fingerprint: d2hhdHlvdXdhbnQ/Cg== +############################################################ +# Global variables +# Version format x.y accepted +vers="1.11" +script_name=$(basename "$0") +git_repo="https://raw.githubusercontent.com/pagopa/eng-common-scripts/main/azure/${script_name}" +tmp_file="${script_name}.new" +# Check if the third parameter exists and is a file +if [ -n "$3" ] && [ -f "$3" ]; then + FILE_ACTION=true +else + FILE_ACTION=false +fi + +# Define functions +function clean_environment() { + rm -rf .terraform + rm tfplan 2>/dev/null + echo "cleaned!" +} + +function download_tool() { + #default value + cpu_type="intel" + os_type=$(uname) + + # only on MacOS + if [ "$os_type" == "Darwin" ]; then + cpu_brand=$(sysctl -n machdep.cpu.brand_string) + if grep -q -i "intel" <<< "$cpu_brand"; then + cpu_type="intel" + else + cpu_type="arm" + fi + fi + + echo $cpu_type + tool=$1 + git_repo="https://raw.githubusercontent.com/pagopa/eng-common-scripts/main/golang/${tool}_${cpu_type}" + if ! command -v $tool &> /dev/null; then + if ! curl -sL "$git_repo" -o "$tool"; then + echo "Error downloading ${tool}" + return 1 + else + chmod +x $tool + echo "${tool} downloaded! Please note this tool WON'T be copied in your **/bin folder for safety reasons. +You need to do it yourself!" + read -p "Press enter to continue" + + + fi + fi +} + +function extract_resources() { + TF_FILE=$1 + ENV=$2 + TARGETS="" + + # Check if the file exists + if [ ! -f "$TF_FILE" ]; then + echo "File $TF_FILE does not exist." + exit 1 + fi + + # Check if the directory exists + if [ ! -d "./env/$ENV" ]; then + echo "Directory ./env/$ENV does not exist." 
+ exit 1 + fi + + TMP_FILE=$(mktemp) + grep -E '^resource|^module' $TF_FILE > $TMP_FILE + + while read -r line ; do + TYPE=$(echo $line | cut -d '"' -f 1 | tr -d ' ') + if [ "$TYPE" == "module" ]; then + NAME=$(echo $line | cut -d '"' -f 2) + TARGETS+=" -target=\"$TYPE.$NAME\"" + else + NAME1=$(echo $line | cut -d '"' -f 2) + NAME2=$(echo $line | cut -d '"' -f 4) + TARGETS+=" -target=\"$NAME1.$NAME2\"" + fi + done < $TMP_FILE + + rm $TMP_FILE + + echo "./terraform.sh $action $ENV $TARGETS" +} + +function help_usage() { + echo "terraform.sh Version ${vers}" + echo + echo "Usage: ./script.sh [ACTION] [ENV] [OTHER OPTIONS]" + echo "es. ACTION: init, apply, plan, etc." + echo "es. ENV: dev, uat, prod, etc." + echo + echo "Available actions:" + echo " clean Remove .terraform* folders and tfplan files" + echo " help This help" + echo " list List every environment available" + echo " update Update this script if possible" + echo " summ Generate summary of Terraform plan" + echo " tflist Generate an improved output of terraform state list" + echo " tlock Generate or update the dependency lock file" + echo " * any terraform option" +} + +function init_terraform() { + if [ -n "$env" ]; then + terraform init -reconfigure -backend-config="./env/$env/backend.tfvars" + else + echo "ERROR: no env configured!" + exit 1 + fi +} + +function list_env() { + # Check if env directory exists + if [ ! 
-d "./env" ]; then + echo "No environment directory found" + exit 1 + fi + + # List subdirectories under env directory + env_list=$(ls -d ./env/*/ 2>/dev/null) + + # Check if there are any subdirectories + if [ -z "$env_list" ]; then + echo "No environments found" + exit 1 + fi + + # Print the list of environments + echo "Available environments:" + for env in $env_list; do + env_name=$(echo "$env" | sed 's#./env/##;s#/##') + echo "- $env_name" + done +} + +function other_actions() { + if [ -n "$env" ] && [ -n "$action" ]; then + terraform "$action" -var-file="./env/$env/terraform.tfvars" -compact-warnings $other + else + echo "ERROR: no env or action configured!" + exit 1 + fi +} + +function state_output_taint_actions() { + if [ "$action" == "tflist" ]; then + # If 'tflist' is not installed globally and there is no 'tflist' file in the current directory, + # attempt to download the 'tflist' tool + if ! command -v tflist &> /dev/null && [ ! -f "tflist" ]; then + download_tool "tflist" + if [ $? -ne 0 ]; then + echo "Error: Failed to download tflist!!" + exit 1 + else + echo "tflist downloaded!" 
+ fi + fi + if command -v tflist &> /dev/null; then + terraform state list | tflist + else + terraform state list | ./tflist + fi + else + terraform $action $other + fi +} + + +function parse_tfplan_option() { + # Create an array to contain arguments that do not start with '-tfplan=' + local other_args=() + + # Loop over all arguments + for arg in "$@"; do + # If the argument starts with '-tfplan=', extract the file name + if [[ "$arg" =~ ^-tfplan= ]]; then + echo "${arg#*=}" + else + # If the argument does not start with '-tfplan=', add it to the other_args array + other_args+=("$arg") + fi + done + + # Print all arguments in other_args separated by spaces + echo "${other_args[@]}" +} + +function tfsummary() { + local plan_file + plan_file=$(parse_tfplan_option "$@") + if [ -z "$plan_file" ]; then + plan_file="tfplan" + fi + action="plan" + other="-out=${plan_file}" + other_actions + if [ -n "$(command -v tf-summarize)" ]; then + tf-summarize -tree "${plan_file}" + else + echo "tf-summarize is not installed" + fi + if [ "$plan_file" == "tfplan" ]; then + rm $plan_file + fi +} + +function update_script() { + # Check if the repository was cloned successfully + if ! curl -sL "$git_repo" -o "$tmp_file"; then + echo "Error cloning the repository" + rm "$tmp_file" 2>/dev/null + return 1 + fi + + # Check if a newer version exists + remote_vers=$(sed -n '8s/vers="\(.*\)"/\1/p' "$tmp_file") + if [ "$(printf '%s\n' "$vers" "$remote_vers" | sort -V | tail -n 1)" == "$vers" ]; then + echo "The local script version is equal to or newer than the remote version." + rm "$tmp_file" 2>/dev/null + return 0 + fi + + # Check the fingerprint + local_fingerprint=$(sed -n '4p' "$0") + remote_fingerprint=$(sed -n '4p' "$tmp_file") + + if [ "$local_fingerprint" != "$remote_fingerprint" ]; then + echo "The local and remote file fingerprints do not match." 
+ rm "$tmp_file" 2>/dev/null + return 0 + fi + + # Show the current and available versions to the user + echo "Current script version: $vers" + echo "Available script version: $remote_vers" + + # Ask the user if they want to update the script + read -rp "Do you want to update the script to version $remote_vers? (y/n): " answer + + if [ "$answer" == "y" ] || [ "$answer" == "Y" ]; then + # Replace the local script with the updated version + cp "$tmp_file" "$script_name" + chmod +x "$script_name" + rm "$tmp_file" 2>/dev/null + + echo "Script successfully updated to version $remote_vers" + else + echo "Update canceled by the user" + fi + + rm "$tmp_file" 2>/dev/null +} + +# Check arguments number +if [ "$#" -lt 1 ]; then + help_usage + exit 0 +fi + +# Parse arguments +action=$1 +env=$2 +filetf=$3 +shift 2 +other=$@ + +if [ -n "$env" ]; then + # shellcheck source=/dev/null + source "./env/$env/backend.ini" + if [ -z "$(command -v az)" ]; then + echo "az not found, cannot proceed" + exit 1 + fi + az account set -s "${subscription}" +fi + +# Call appropriate function based on action +case $action in + clean) + clean_environment + ;; + ?|help|-h) + help_usage + ;; + init) + init_terraform "$other" + ;; + list) + list_env + ;; + output|state|taint|tflist) + init_terraform + state_output_taint_actions $other + ;; + summ) + init_terraform + tfsummary "$other" + ;; + tlock) + terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=darwin_arm64 -platform=linux_amd64 + ;; + update) + update_script + ;; + *) + if [ "$FILE_ACTION" = true ]; then + extract_resources "$filetf" "$env" + else + init_terraform + other_actions "$other" + fi + ;; +esac diff --git a/src/domains/paymentoptions-secrets/terrasops.sh b/src/domains/paymentoptions-secrets/terrasops.sh new file mode 100644 index 0000000000..32be3bd04f --- /dev/null +++ b/src/domains/paymentoptions-secrets/terrasops.sh 
@@ -0,0 +1,29 @@
+#!/bin/bash
+# set -x # Uncomment this line to enable debug mode
+
+#
+# ℹ️ This script is used by terraform, to decrypt all secrets on sops and export them to json.
+# This way it can loop through them and use them to insert them inside the KV
+# ⚠️ Do not add additional echos to the script in case of golden path,
+# as the script only needs to return a json
+#
+
+eval "$(jq -r '@sh "export terrasops_env=\(.env)"')"
+
+# shellcheck disable=SC1090
+source "./secret/$terrasops_env/secret.ini"
+encrypted_file_path="./secret/$terrasops_env/$file_crypted"
+
+if [ -f "$encrypted_file_path" ]; then
+ # Load the values of azure_kv.vault_url and azure_kv.name from the JSON file
+ azure_kv_vault_url=$(jq -r '.sops.azure_kv[0].vault_url' "$encrypted_file_path")
+ azure_kv_name=$(jq -r '.sops.azure_kv[0].name' "$encrypted_file_path")
+
+ if [ -z "$azure_kv_vault_url" ] || [ -z "$azure_kv_name" ]; then
+ echo "❌ Error: Unable to load the values of azure_kv.vault_url and azure_kv.name from the JSON file" >&2
+ exit 1
+ fi
+ sops -d --azure-kv "azure_kv_vault_url" "$encrypted_file_path" | jq -c
+else
+ echo "{}" | jq -c
+fi
From b5f7a5d4b31f4d7d97d4031caf681af77ba0e646 Mon Sep 17 00:00:00 2001
From: Simone infante <52280205+infantesimone@users.noreply.github.com>
Date: Thu, 26 Sep 2024 14:53:39 +0200
Subject: [PATCH 03/41] feat: add x-frame-options waiting csp enabled for checkout (#2442)

* feat: add x-frame-options waiting csp enabled for checkout
* chore: bottom header frame-options
---
 src/domains/checkout-app/05_checkout_fe.tf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/domains/checkout-app/05_checkout_fe.tf b/src/domains/checkout-app/05_checkout_fe.tf
index 4a4f2b2e1a..d6f1be9e3e 100644
--- a/src/domains/checkout-app/05_checkout_fe.tf
+++ b/src/domains/checkout-app/05_checkout_fe.tf
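Review bot: The decrypt call passes the literal string `"azure_kv_vault_url"` (the `$` is missing) rather than the variable that was just extracted, and `azure_kv_name` is read but never used. sops takes the Azure Key Vault key for decryption from the file's own `sops.azure_kv` metadata, so the flag is presumably ignored and the typo goes unnoticed; either drop it, `sops -d "$encrypted_file_path" | jq -c`, or pass `"$azure_kv_vault_url"` so the line at least means what it says. Note also that `jq -r` prints the string `null` for a missing field, so the two `-z` checks never fire; `jq -re '.sops.azure_kv[0].vault_url // empty'` yields an empty string (and a non-zero status) instead, which the existing check then catches.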
@@ -86,7 +86,12 @@ module "checkout_cdn" { action = "Append" name = local.content_security_policy_header_name value = "style-src 'self' 'unsafe-inline'; worker-src www.recaptcha.net blob:;" - } + }, + { + action = "Overwrite" + name = "X-Frame-Options" + value = "SAMEORIGIN" + }, ] } From 790193a78dcd9a2d60e4b856cf24b06122099410 Mon Sep 17 00:00:00 2001 From: EmanueleBVtech Date: Thu, 26 Sep 2024 15:57:15 +0200 Subject: [PATCH 04/41] feat: [CHK-3244] Update open api v2 to include an optional "lang" header (#2426) * update: added createSession v2 with optional language header * fix: removed required on language header * fix: lang now required due to an issue with yarn generate wich produced a bug when generating code for a non required header. * fix: new transaction v2 now supports header lang * Update _openapi.json.tpl * Update _openapi.json.tpl * fix: updated open api * Update _openapi.json.tpl * fix: test removing explicit required label * Update _openapi.json.tpl * Update _openapi.json.tpl * fix: updated base policy --------- Co-authored-by: Simone infante <52280205+infantesimone@users.noreply.github.com> --- .../v1/_base_policy.xml.tpl | 1 + .../ecommerce-checkout/v1/_openapi.json.tpl | 22 +++++++++++++++++-- .../ecommerce-checkout/v2/_openapi.json.tpl | 2 +- 3 files changed, 22 insertions(+), 3 deletions(-) diff --git a/src/domains/ecommerce-app/api/ecommerce-checkout/v1/_base_policy.xml.tpl b/src/domains/ecommerce-app/api/ecommerce-checkout/v1/_base_policy.xml.tpl index ac160c2ee0..81bc0eb87c 100644 --- a/src/domains/ecommerce-app/api/ecommerce-checkout/v1/_base_policy.xml.tpl +++ b/src/domains/ecommerce-app/api/ecommerce-checkout/v1/_base_policy.xml.tpl @@ -15,6 +15,7 @@
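Review bot: The `X-Frame-Options: SAMEORIGIN` rule added here is only honoured by browsers that do not receive a CSP `frame-ancestors` directive; the CSP value appended three lines above (`style-src …; worker-src …`) carries none, so the two are consistent for now, but once `frame-ancestors` is added to that CSP (the commit title presents this as a stop-gap until CSP is enabled) it takes precedence and this rule becomes a silent no-op or, worse, a conflicting one. Worth a comment on the new entry, e.g. `# stop-gap until the CSP above carries frame-ancestors 'self'; keep the two in sync`, so it is revisited rather than left behind. The enclosing `module "checkout_cdn"` block starts and ends outside the hunk.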
Content-Type
Authorization
x-transaction-id-from-client
+
lang
diff --git a/src/domains/ecommerce-app/api/ecommerce-checkout/v1/_openapi.json.tpl b/src/domains/ecommerce-app/api/ecommerce-checkout/v1/_openapi.json.tpl
index 465bb08d74..58c9f98f69 100644
--- a/src/domains/ecommerce-app/api/ecommerce-checkout/v1/_openapi.json.tpl
+++ b/src/domains/ecommerce-app/api/ecommerce-checkout/v1/_openapi.json.tpl
@@ -389,7 +389,16 @@
 },
 "required": true,
 "description": "Transaction ID"
- }
+ },
+ {
+ "in": "header",
+ "name": "lang",
+ "required": false,
+ "description": "Language requested by the user",
+ "schema": {
+ "type": "string",
+ }
+ },
 ],
 "security": [
 {
@@ -661,6 +670,15 @@
 "type": "string"
 }
 },
+ {
+ "in": "header",
+ "name": "lang",
+ "required": false,
+ "description": "Language requested by the user",
+ "schema": {
+ "type": "string",
+ }
+ },
 {
 "in": "query",
 "name": "recaptchaResponse",
@@ -2557,4 +2575,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/src/domains/ecommerce-app/api/ecommerce-checkout/v2/_openapi.json.tpl b/src/domains/ecommerce-app/api/ecommerce-checkout/v2/_openapi.json.tpl
index 39e97775ef..78de87f7ef 100644
--- a/src/domains/ecommerce-app/api/ecommerce-checkout/v2/_openapi.json.tpl
+++ b/src/domains/ecommerce-app/api/ecommerce-checkout/v2/_openapi.json.tpl
@@ -1151,4 +1151,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
From 9ad22bbe9aef9ab23ff5832798c2d87ee3782dc5 Mon Sep 17 00:00:00 2001
From: ciuffagianluca <113357981+ciuffagianluca@users.noreply.github.com>
Date: Thu, 26 Sep 2024 18:34:31 +0200
Subject: [PATCH 05/41] feat: [CHK-3227] add lastPaymentMethodUsed openapi definition (#2422)

* add userStats openapi definition
* remove user id from path
* fix api sign and description
---------
Co-authored-by: Gianluca Ciuffa
---
 .../api/ecommerce-io/v2/_openapi.json.tpl | 133 +++++++++++++++++-
 1 file changed, 132 insertions(+), 1 deletion(-)
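Review bot: Both added `lang` parameters leave a trailing comma inside `"schema": { "type": "string", }`, and the first hunk also ends the parameters array with `}, ],`, a trailing comma before the closing bracket; neither is valid JSON, and whether the APIM import tolerates it after templating is not something this patch shows. Drop the commas, i.e. `"schema": { "type": "string" }` in both hunks and a plain `}` before `],` in the first. The `@@ -2557` hunk and the v2 `@@ -1151` hunk only add the missing final newline.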
diff --git a/src/domains/ecommerce-app/api/ecommerce-io/v2/_openapi.json.tpl b/src/domains/ecommerce-app/api/ecommerce-io/v2/_openapi.json.tpl
index d4fcd7d8be..df5da25672 100644
--- a/src/domains/ecommerce-app/api/ecommerce-io/v2/_openapi.json.tpl
+++ b/src/domains/ecommerce-app/api/ecommerce-io/v2/_openapi.json.tpl
@@ -32,6 +32,14 @@
 "url": "https://pagopa.atlassian.net/wiki/spaces/I/pages/611516433/-servizio+payment+methods+service",
 "description": "Technical specifications"
 }
+ },
+ {
+ "name": "wallets",
+ "description": "Api's for wallet operations"
+ },
+ {
+ "name": "users",
+ "description": "Api's for users statistics"
 }
 ],
 "servers": [
@@ -530,7 +538,7 @@
 }
 }
 },
- "422": {
+ "422": {
 "description": "Transaction cannot be processed",
 "content": {
 "application/json": {
@@ -773,6 +781,66 @@
 }
 }
 }
+ },
+ "/user/lastPaymentMethodUsed": {
+ "get": {
+ "operationId": "getUserLastPaymentMethodUsed",
+ "description": "Retrieve the last payment method used by a user",
+ "security": [
+ {
+ "pagoPAPlatformSessionToken": []
+ }
+ ],
+ "tags": [
+ "users"
+ ],
+ "summary": "Get user last payment method used, saved or guest",
+ "responses": {
+ "200": {
+ "description": "Successful response",
+ "content": {
+ "application/json": {
+ "schema": {
+ "$ref": "#/components/schemas/UserLastPaymentMethodResponse"
+ }
+ }
+ }
+ },
+ "400": {
+ "description": "Formally invalid input",
+ "content": {
+ "application/json": {
+ "schema": {
+ "$ref": "#/components/schemas/ProblemJson"
+ }
+ }
+ }
+ },
+ "401": {
+ "description": "Unauthorized, access token missing or invalid"
+ },
+ "404": {
+ "description": "Cannot find the requested user by user id",
+ "content": {
+ "application/json": {
+ "schema": {
+ "$ref": "#/components/schemas/ProblemJson"
+ }
+ }
+ }
+ },
+ "500": {
+ "description": "Service unavailable",
+ "content": {
+ "application/json": {
+ "schema": {
+ "$ref": "#/components/schemas/ProblemJson"
+ }
+ }
+ }
+ }
+ }
+ }
 }
 },
 "components": {
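Review bot: The `500` response on `/user/lastPaymentMethodUsed` is described as `Service unavailable`, which is the wording of 503; for a 500 `"description": "Internal server error"` is the conventional text and keeps clients from conflating the two conditions. The `404` text "Cannot find the requested user by user id" is reasonable given that the operation declares no parameters and the user is presumably taken from `pagoPAPlatformSessionToken`, though a short note to that effect in the `description` would save the next reader looking for the path parameter the commit message says was removed.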
@@ -1996,6 +2064,69 @@ } } }, + "UserLastPaymentMethodResponse": { + "description": "Last usage data for wallet or payment method (guest)", + "oneOf": [ + { + "type": "object", + "description": "Last usage data for wallets.", + "properties": { + "walletId": { + "$ref": "#/components/schemas/WalletId" + }, + "date": { + "type": "string", + "format": "date-time" + }, + "type": { + "$ref": "#/components/schemas/WalletLastUsageType" + } + }, + "required": [ + "walletId", + "date", + "type" + ] + }, + { + "type": "object", + "description": "Last usage data for wallets", + "properties": { + "paymentMethodId": { + "type": "string", + "format": "uuid", + "description": "eCommerce payment method id associated to this last usage" + }, + "date": { + "type": "string", + "format": "date-time" + }, + "type": { + "$ref": "#/components/schemas/GuestMethodLastUsageType" + } + }, + "required": [ + "paymentMethodId", + "date", + "type" + ] + } + ] + }, + "WalletLastUsageType": { + "type": "string", + "description": "Discriminant type for last usage of a wallet", + "enum": [ + "wallet" + ] + }, + "GuestMethodLastUsageType": { + "type": "string", + "description": "Discriminant type for last usage of a guest (non-wallet) payment method", + "enum": [ + "guest" + ] + }, "WalletId": { "description": "Wallet identifier", "type": "string", From 834badaca65bdd470fa720b2ca1fe2c6d02bfd71 Mon Sep 17 00:00:00 2001 From: CianoDanilo Date: Fri, 27 Sep 2024 13:21:04 +0200 Subject: [PATCH 06/41] feat(retry-policy): [CHK-3228] add retry on backend failure to npg notification policies (#2435) * feat(retry-policy): add retry on backend failure to npg notification policies --- .../api/npg-notification/_npg_notifications_policy.xml.tpl | 7 +++++-- .../api/npg-notifications/v1/_base_policy.xml.tpl | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) 
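Review bot: The second `oneOf` branch of `UserLastPaymentMethodResponse` is described as `Last usage data for wallets`, but it carries `paymentMethodId` and `GuestMethodLastUsageType`; this is a copy of the first branch's description and should read `Last usage data for guest (non-wallet) payment methods`. The union also has no `discriminator`, so consumers must trial-match both shapes even though `type` is a single-valued enum in each branch; because the branches are inline a discriminator cannot name them, which suggests extracting them into named schemas and adding `"discriminator": { "propertyName": "type" }`. `WalletId`, referenced by the first branch, is defined just below the hunk.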
diff --git a/src/domains/ecommerce-app/api/npg-notification/_npg_notifications_policy.xml.tpl b/src/domains/ecommerce-app/api/npg-notification/_npg_notifications_policy.xml.tpl index 5136b438f6..f742e89dd1 100644 --- a/src/domains/ecommerce-app/api/npg-notification/_npg_notifications_policy.xml.tpl +++ b/src/domains/ecommerce-app/api/npg-notification/_npg_notifications_policy.xml.tpl @@ -119,7 +119,7 @@ bpayEndToEndId = (string)receivedAdditionalData["bpayEndToEndId"]; myBankEndToEndId = (string)receivedAdditionalData["myBankEndToEndId"]; } - string paymentEndToEndId = null; + string paymentEndToEndId = null; switch(paymentCircuit){ case "BANCOMATPAY": paymentEndToEndId = bpayEndToEndId; @@ -159,7 +159,10 @@ - + + + diff --git a/src/domains/pay-wallet-app/api/npg-notifications/v1/_base_policy.xml.tpl b/src/domains/pay-wallet-app/api/npg-notifications/v1/_base_policy.xml.tpl index 52fc651d69..0110805a1c 100644 --- a/src/domains/pay-wallet-app/api/npg-notifications/v1/_base_policy.xml.tpl +++ b/src/domains/pay-wallet-app/api/npg-notifications/v1/_base_policy.xml.tpl @@ -31,7 +31,7 @@ - + @{ JObject requestBody = (JObject)context.Variables["npgNotificationRequestBody"]; return "Bearer " + (string)requestBody["securityToken"]; @@ -87,7 +87,10 @@ - + + + From 356d834d4e4dcf3faf80dceb0ba1b7ac8e6a3867 Mon Sep 17 00:00:00 2001 From: gioelemella <128155546+gioelemella@users.noreply.github.com> Date: Mon, 30 Sep 2024 12:44:19 +0200 Subject: [PATCH 07/41] chore: [PPANTT-78] Configured the status page for Payment Options Service (#2411) * [PPANTT-78] configured the status page for payment options service * fix status page apim configuration for odp --------- Co-authored-by: Jacopo Carlini --- src/domains/shared-app/04_apim_statuspage.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/src/domains/shared-app/04_apim_statuspage.tf b/src/domains/shared-app/04_apim_statuspage.tf index ff9a2ff676..e989765424 100644 --- a/src/domains/shared-app/04_apim_statuspage.tf 
+++ b/src/domains/shared-app/04_apim_statuspage.tf @@ -155,6 +155,7 @@ module "apim_api_statuspage_api_v1" { "printpaymentnoticegenerator" = format("%s/pagopa-print-payment-notice-generator", format(local.aks_ita_path, "printit")) "printpaymentnoticefunctions" = format("%s/pagopa-print-payment-notice-functions", format(local.aks_ita_path, "printit")) "printpaymentnoticeservice" = format("%s/pagopa-print-payment-notice-service", format(local.aks_ita_path, "printit")) + "paymentoptionsservice" = format("%s/payment-options-service", format(local.aks_ita_path, "payopt")) }), "\"", "\\\"") }) } From a6f920229b1c8bdfb3835b2969a94a900e4dc1ea Mon Sep 17 00:00:00 2001 From: Pasquale Spica <36746022+pasqualespica@users.noreply.github.com> Date: Mon, 30 Sep 2024 13:20:48 +0200 Subject: [PATCH 08/41] chore: Add gh identity pagopa-afm-fee-reporting-service (#2449) add gh identity pagopa-afm-fee-reporting-service --- src/domains/afm-common/10_github_identity.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/domains/afm-common/10_github_identity.tf b/src/domains/afm-common/10_github_identity.tf index 9c7e05b743..55f583fd0e 100644 --- a/src/domains/afm-common/10_github_identity.tf +++ b/src/domains/afm-common/10_github_identity.tf @@ -12,7 +12,8 @@ locals { repos_01 = [ "pagopa-afm-calculator", "pagopa-afm-marketplace-be", - "pagopa-afm-utils" + "pagopa-afm-utils", + "pagopa-afm-fee-reporting-service", ] federations_01 = [ From d510b7d83e36f68a09e13355db76687db66081cc Mon Sep 17 00:00:00 2001 From: re_sh_cloud_arch <94049389+re-sh-cloud-arch@users.noreply.github.com> Date: Mon, 30 Sep 2024 20:27:48 +0200 Subject: [PATCH 09/41] feat: remove softlab and add SMI to whitelist IP (#2451) * remove softlab and add SMI to whitelist IP * comment * remove flag on main --- src/next-core/env/prod/terraform.tfvars | 12 ++++++------ src/next-core/env/uat/terraform.tfvars | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) 
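Review bot: The new `paymentoptionsservice` entry points at `payment-options-service`, while every neighbouring entry uses a `pagopa-` prefixed workload name (`pagopa-print-payment-notice-service` and the others visible in the hunk); if the deployment is actually named `pagopa-payment-options-service`, the status page will probe a path that does not exist and report the service as down. Confirm the Kubernetes service name in the `payopt` namespace before merging. The enclosing `module "apim_api_statuspage_api_v1"` block starts and ends outside the hunk.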
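Review bot: Adding `pagopa-afm-fee-reporting-service` to `repos_01` presumably enrols that repository in the federated identity built from this list (`federations_01` opens at the end of the hunk but its subject filters are outside it), so its workflows inherit whatever Azure role assignments that identity holds. Confirm the repository name is exact — a misspelling that happens to match an unrelated existing repository would silently extend the trust — and that the federation entries pin the subject to the intended branch or environment rather than any ref. The `locals` block continues outside the hunk.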
diff --git a/src/next-core/env/prod/terraform.tfvars b/src/next-core/env/prod/terraform.tfvars
index 7459f7f9f3..c74986a557 100644
--- a/src/next-core/env/prod/terraform.tfvars
+++ b/src/next-core/env/prod/terraform.tfvars
@@ -805,15 +805,15 @@ app_gateway_allowed_paths_pagopa_onprem_only = {
 "93.63.219.230", # PagoPA on prem VPN
 "93.63.219.234", # PagoPA on prem VPN DR
 "20.86.161.243", # CSTAR
- "213.215.138.80", # Softlab L1 Pagamenti VPN
- "213.215.138.79", # Softlab L1 Pagamenti VPN
- "82.112.220.178", # Softlab L1 Pagamenti VPN
- "77.43.17.42", # Softlab L1 Pagamenti VPN
- "151.2.45.1", # Softlab L1 Pagamenti VPN
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DISMESSO dal 1/10/2024
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DISMESSO dal 1/10/2024
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DISMESSO dal 1/10/2024
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DISMESSO dal 1/10/2024
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DISMESSO dal 1/10/2024
 "193.203.229.20", # VPN NEXI
 "193.203.230.22", # VPN NEXI
 "193.203.230.21", # VPN NEXI
- "151.1.203.68" # Softlab backup support line
+ "2.33.87.3" # S.M.I. TECHNOLOGIES AND CONSULTING S.R.L attivo dal 1/10/2024
 ]
 }
diff --git a/src/next-core/env/uat/terraform.tfvars b/src/next-core/env/uat/terraform.tfvars
index ecb9e6eaaa..a2a4fed1b4 100644
--- a/src/next-core/env/uat/terraform.tfvars
+++ b/src/next-core/env/uat/terraform.tfvars
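Review bot: Replacing the five Softlab addresses with `127.0.0.1` leaves five identical loopback entries in `app_gateway_allowed_paths_pagopa_onprem_only`, which the commit title says it removes; a loopback address can never be a client's source address at the gateway, so the entries are dead configuration that duplicates one value and keeps the list from shrinking. Delete the five lines instead, keeping only `"2.33.87.3"` with its S.M.I. annotation; if a placeholder is genuinely needed to keep the list non-empty for some consumer, a single entry with a comment explaining why is enough. The same pattern appears in the UAT hunk below and in the `src/core/env/prod/terraform.tfvars` hunk of the next commit.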
@@ -743,15 +743,15 @@ app_gateway_allowed_paths_pagopa_onprem_only = {
 "93.63.219.230", # PagoPA on prem VPN
 "93.63.219.234", # PagoPA on prem VPN DR
 "20.93.160.60", # CSTAR
- "213.215.138.80", # Softlab L1 Pagamenti VPN
- "213.215.138.79", # Softlab L1 Pagamenti VPN
- "82.112.220.178", # Softlab L1 Pagamenti VPN
- "77.43.17.42", # Softlab L1 Pagamenti VPN
- "151.2.45.1", # Softlab L1 Pagamenti VPN
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DISMESSO
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DSIMESSO
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DISMESSO
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DISMESSO
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DISMESSO
 "193.203.229.20", # VPN NEXI
 "193.203.230.22", # VPN NEXI
 "193.203.230.21", # VPN NEXI
- "151.1.203.68" # Softlab L1 backup
+ "2.33.87.3" # Nuovo senzanome
 ]
 } From 105c7567b8452315ffe9bab15c652ad5e116ef72 Mon Sep 17 00:00:00 2001 From: re_sh_cloud_arch <94049389+re-sh-cloud-arch@users.noreply.github.com> Date: Mon, 30 Sep 2024 22:17:53 +0200 Subject: [PATCH 10/41] feat: Core remove softlab add smi from ip whitelist (#2452) * remove softlab and add SMI to whitelist IP * comment * remove flag on main * whitelist SMI in core veriable
--- src/core/env/prod/terraform.tfvars | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/core/env/prod/terraform.tfvars b/src/core/env/prod/terraform.tfvars
index 22d7945610..44c779eed2 100644
--- a/src/core/env/prod/terraform.tfvars
+++ b/src/core/env/prod/terraform.tfvars
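Review bot: The UAT comments drift from the prod ones: the second placeholder says `DSIMESSO` (a typo for `DISMESSO`) and the new `2.33.87.3` entry is annotated `Nuovo senzanome`, which does not identify the party, while prod records `S.M.I. TECHNOLOGIES AND CONSULTING S.R.L attivo dal 1/10/2024`. Allow-list entries are audited through their comments, so the same owner and activation date belong here.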
@@ -63,15 +63,15 @@ app_gateway_allowed_paths_pagopa_onprem_only = {
 "93.63.219.230", # PagoPA on prem VPN
 "93.63.219.234", # PagoPA on prem VPN DR
 "20.86.161.243", # CSTAR
- "213.215.138.80", # Softlab L1 Pagamenti VPN
- "213.215.138.79", # Softlab L1 Pagamenti VPN
- "82.112.220.178", # Softlab L1 Pagamenti VPN
- "77.43.17.42", # Softlab L1 Pagamenti VPN
- "151.2.45.1", # Softlab L1 Pagamenti VPN
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DISMESSO al 1/10/2024
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DISMESSO al 1/10/2024
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DISMESSO al 1/10/2024
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DISMESSO al 1/10/2024
+ "127.0.0.1", # Softlab L1 Pagamenti VPN DISMESSO al 1/10/2024
 "193.203.229.20", # VPN NEXI
 "193.203.230.22", # VPN NEXI
 "193.203.230.21", # VPN NEXI
- "151.1.203.68" # Softlab backup support line
+ "2.33.87.3" # S.M.I. TECHNOLOGIES AND CONSULTING S.R.L attivo dal 1/10/2024
 ]
 } From ab4a3f522c59fe8c6171a8f5838bc26d69b7cdc1 Mon Sep 17 00:00:00 2001 From: ffppa Date: Wed, 2 Oct 2024 09:55:24 +0200 Subject: [PATCH 11/41] fix: ffelici-fix-static-analysis-workflow-011024 (#2455) * Remove duplicate azurerm_monitor_action_group from GPS-APP 00_data.tf Signed-off-by: Fabio Felici * Run pre-commit hooks to validate and format the code Signed-off-by: Fabio Felici --------- Signed-off-by: Fabio Felici
--- src/domains/gps-app/00_data.tf | 6 ------ src/domains/nodo-app/README.md | 2 ++ src/domains/nodo-common/06_service_bus_wisp_converter.tf | 8 ++++---- src/domains/nodo-common/README.md | 2 ++ 4 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/src/domains/gps-app/00_data.tf b/src/domains/gps-app/00_data.tf
index d7b7b7a796..b92843b3f2 100644
--- a/src/domains/gps-app/00_data.tf
+++ b/src/domains/gps-app/00_data.tf
@@ -33,9 +33,3 @@ data "azurerm_postgresql_flexible_server" "postgres_flexible_server_private" {
 name = format("%s-gpd-pgflex", local.product)
 resource_group_name = format("%s-pgres-flex-rg", local.product)
 }
-
-data "azurerm_monitor_action_group" "opsgenie" {
- count = var.env_short == "p" ? 1 : 0
- resource_group_name = var.monitor_resource_group_name
- name = local.monitor_action_group_opsgenie_name
-}
diff --git a/src/domains/nodo-app/README.md b/src/domains/nodo-app/README.md
index 5451446068..3cdf9d0ebf 100644
--- a/src/domains/nodo-app/README.md
+++ b/src/domains/nodo-app/README.md
@@ -101,6 +101,7 @@ | [azurerm_api_management_api_operation_policy.close_payment_api_v1_ndp](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource | | [azurerm_api_management_api_operation_policy.close_payment_api_v1_replica_ndp](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource | | [azurerm_api_management_api_operation_policy.close_payment_api_v2_ndp_wisp_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource | +| [azurerm_api_management_api_operation_policy.delete_sessionId_api_v1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource | | [azurerm_api_management_api_operation_policy.nm3_activate_v2_verify_policy_ndp](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource | | [azurerm_api_management_api_operation_policy.nm3_activate_verify_policy_ndp](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource | | [azurerm_api_management_api_operation_policy.nodoInviaCarrelloRPT_api_v1_policy_ndp](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource | 
@@ -217,6 +218,7 @@ | [kubernetes_role_binding.system_deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | | [kubernetes_role_binding.system_deployer_binding_2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | | [kubernetes_service_account.azure_devops](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource | +| [terraform_data.sha256_delete_sessionId_api_v1](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | | [terraform_data.sha256_payments_api_v1](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | | [terraform_data.sha256_save_cart_mapping_api_v1](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | | [terraform_data.sha256_save_mapping_api_v1](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | diff --git a/src/domains/nodo-common/06_service_bus_wisp_converter.tf b/src/domains/nodo-common/06_service_bus_wisp_converter.tf index 818ff891fb..36d8836275 100644 --- a/src/domains/nodo-common/06_service_bus_wisp_converter.tf +++ b/src/domains/nodo-common/06_service_bus_wisp_converter.tf @@ -22,10 +22,10 @@ locals { } ] ]) : "${qk.key_name}" => { - queue_name = qk.queue_name - listen = qk.listen - send = qk.send - manage = qk.manage + queue_name = qk.queue_name + listen = qk.listen + send = qk.send + manage = qk.manage } } diff --git a/src/domains/nodo-common/README.md b/src/domains/nodo-common/README.md index 82bc902f1d..5d10809ddd 100644 --- a/src/domains/nodo-common/README.md +++ b/src/domains/nodo-common/README.md 
@@ -87,6 +87,7 @@ | [azurerm_key_vault_secret.wisp_converter_re_sa_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.wisp_paainviart_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.wisp_payment_timeout_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.wisp_rpt_timeout_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_action_group) | resource | | [azurerm_monitor_metric_alert.cosmos_wisp_normalized_ru_exceeded](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource | | [azurerm_postgresql_flexible_server_configuration.nodo_db_flex_default_pool_size](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_flexible_server_configuration) | resource | 
@@ -174,6 +175,7 @@ | [azurerm_servicebus_queue_authorization_rule.nodo_wisp_ecommerce_hang_timeout_queue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/servicebus_queue_authorization_rule) | data source | | [azurerm_servicebus_queue_authorization_rule.wisp_paainviart_authorization](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/servicebus_queue_authorization_rule) | data source | | [azurerm_servicebus_queue_authorization_rule.wisp_payment_timeout_authorization](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/servicebus_queue_authorization_rule) | data source | +| [azurerm_servicebus_queue_authorization_rule.wisp_rpt_timeout_queue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/servicebus_queue_authorization_rule) | data source | | [azurerm_subnet.aks_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.nodo_re_to_datastore_function_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.private_endpoint_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | From 2c73ac05aa1d7cc80de8dd746197065023a1233f Mon Sep 17 00:00:00 2001 
From: Francesco Cesareo Date: Thu, 3 Oct 2024 13:03:18 +0200 Subject: [PATCH 12/41] chore: [PAGOPA-2230] WISP receipt dead letter (#2459) * improvements * Revert "improvements" This reverts commit 367d0415addbbb0630a53856115f6a4e3216740e. * added container --- src/domains/nodo-common/03_cosmosdb_wisp_converter.tf | 10 +++++++++- src/domains/nodo-common/99_variables.tf | 2 ++ src/domains/nodo-common/env/weu-dev/terraform.tfvars | 2 ++ src/domains/nodo-common/env/weu-prod/terraform.tfvars | 2 ++ src/domains/nodo-common/env/weu-uat/terraform.tfvars | 2 ++ 5 files changed, 17 insertions(+), 1 deletion(-) diff --git a/src/domains/nodo-common/03_cosmosdb_wisp_converter.tf b/src/domains/nodo-common/03_cosmosdb_wisp_converter.tf index c319e88193..d5d88d690f 100644 --- a/src/domains/nodo-common/03_cosmosdb_wisp_converter.tf +++ b/src/domains/nodo-common/03_cosmosdb_wisp_converter.tf @@ -62,13 +62,21 @@ locals { } }, { - name = "receipt", # contains all FAILED paInviaRT (not recevide) a.k.a. "receipts-failed" + name = "receipt", # contains all paaInviaRT to send partition_key_path = "/partitionKey", # contains 'yyyy-MM-dd' default_ttl = var.wisp_converter_cosmos_nosql_db_params.receipt_ttl autoscale_settings = { max_throughput = var.wisp_converter_cosmos_nosql_db_params.receipt_max_throughput } }, + { + name = "receipt-dead-letter", # contains all paaInviaRT sent but not accepted by EC and with fault code not in blacklist + partition_key_path = "/partitionKey", # contains 'yyyy-MM-dd' + default_ttl = var.wisp_converter_cosmos_nosql_db_params.receipt_dead_letter_ttl + autoscale_settings = { + max_throughput = var.wisp_converter_cosmos_nosql_db_params.receipt_dead_letter_max_throughput + } + }, { name = "idempotency_key", partition_key_path = "/partitionKey", # contains 'yyyy-MM-dd' diff --git a/src/domains/nodo-common/99_variables.tf b/src/domains/nodo-common/99_variables.tf index 7ebbb568db..18b4bdb8f4 100644 --- a/src/domains/nodo-common/99_variables.tf 
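Review bot: The new container is named `receipt-dead-letter` with hyphens while its siblings in the same list use underscores (`idempotency_key`) or a single word (`receipt`); Cosmos accepts either, but the mixed convention makes the name harder to match against code that derives container names. Consider `receipt_dead_letter` to match `idempotency_key`, unless the converter already references the hyphenated name. The comment on the existing `receipt` container also changes meaning (from failed paaInviaRT to all paaInviaRT to send), which is worth confirming against the converter's actual behaviour rather than treating as a wording fix. The `locals` block starts and ends outside the hunk.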
+++ b/src/domains/nodo-common/99_variables.tf @@ -375,6 +375,8 @@ variable "wisp_converter_cosmos_nosql_db_params" { re_max_throughput = number receipt_ttl = number receipt_max_throughput = number + receipt_dead_letter_ttl = number + receipt_dead_letter_max_throughput = number idempotency_ttl = number idempotency_max_throughput = number rt_ttl = number diff --git a/src/domains/nodo-common/env/weu-dev/terraform.tfvars b/src/domains/nodo-common/env/weu-dev/terraform.tfvars index 8455110c65..bd0a55d4c6 100644 --- a/src/domains/nodo-common/env/weu-dev/terraform.tfvars +++ b/src/domains/nodo-common/env/weu-dev/terraform.tfvars @@ -214,6 +214,8 @@ wisp_converter_cosmos_nosql_db_params = { re_max_throughput = 400 receipt_ttl = 259200 # 3 days in second receipt_max_throughput = 400 + receipt_dead_letter_ttl = 259200 # 3 days in second + receipt_dead_letter_max_throughput = 400 idempotency_ttl = 259200 # 3 days in second idempotency_max_throughput = 400 rt_ttl = 259200 # 3 days in second diff --git a/src/domains/nodo-common/env/weu-prod/terraform.tfvars b/src/domains/nodo-common/env/weu-prod/terraform.tfvars index b35fd7cade..e20c711e5d 100644 --- a/src/domains/nodo-common/env/weu-prod/terraform.tfvars +++ b/src/domains/nodo-common/env/weu-prod/terraform.tfvars @@ -226,6 +226,8 @@ wisp_converter_cosmos_nosql_db_params = { re_max_throughput = 5000 receipt_ttl = -1 # max receipt_max_throughput = 2000 + receipt_dead_letter_ttl = 7884000 # 3 months in second + receipt_dead_letter_max_throughput = 1000 idempotency_ttl = 604800 # 7 days in second idempotency_max_throughput = 2000 rt_ttl = 31536000 # 1 year in second diff --git a/src/domains/nodo-common/env/weu-uat/terraform.tfvars b/src/domains/nodo-common/env/weu-uat/terraform.tfvars index 26efedcaaa..d6ea7b3b6c 100644 --- a/src/domains/nodo-common/env/weu-uat/terraform.tfvars +++ b/src/domains/nodo-common/env/weu-uat/terraform.tfvars 
@@ -213,6 +213,8 @@ wisp_converter_cosmos_nosql_db_params = { re_max_throughput = 1000 receipt_ttl = 604800 # 7 days in second receipt_max_throughput = 1000 + receipt_dead_letter_ttl = 604800 # 7 days in second + receipt_dead_letter_max_throughput = 1000 idempotency_ttl = 604800 # 7 days in second idempotency_max_throughput = 1000 rt_ttl = 604800 # 7 days in second From e43d08245f95f45443e21e0d2cf888e311803af5 Mon Sep 17 00:00:00 2001 
From: Alessio Cialini <63233981+alessio-cialini@users.noreply.github.com> Date: Thu, 3 Oct 2024 15:55:06 +0200 Subject: [PATCH 13/41] fix: 3.31.0 updated for cfg-partner with missing fields (#2444) * fix: 3.31.0 updated for cfg-partner with missing fields * fix: removed already defined property from cfg * fix: removed already defined property from cfg --- ...log-20240517000000_elenco_servizi_view.xml | 49 ++++++ ...og-20240517010000_cdi_preferences_view.xml | 29 ++++ ...0000_update_elenco_servizi_view_master.xml | 90 +++++++++++ ...changelog-20240605000000_update_float4.xml | 148 ++++++++++++++++++ ...changelog-20240711000000_add_field_aca.xml | 24 +++ ...gelog-20240711000001_add_field_standin.xml | 24 +++ ...000000_new_manutenzione_stazioni_table.xml | 96 ++++++++++++ ...0_add_is_payment_options_enabled_field.xml | 24 +++ ...20240910000001_add_rest_endpoint_field.xml | 22 +++ .../db.changelog-master-3.31.0.xml | 11 ++ 10 files changed, 517 insertions(+) create mode 100644 src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240517000000_elenco_servizi_view.xml create mode 100644 src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240517010000_cdi_preferences_view.xml create mode 100644 src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240527000000_update_elenco_servizi_view_master.xml create mode 100644 src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240605000000_update_float4.xml create mode 100644 src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240711000000_add_field_aca.xml create mode 100644 src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240711000001_add_field_standin.xml create mode 100644 src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240718000000_new_manutenzione_stazioni_table.xml create mode 100644 src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240910000000_add_is_payment_options_enabled_field.xml create 
mode 100644 src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240910000001_add_rest_endpoint_field.xml diff --git a/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240517000000_elenco_servizi_view.xml b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240517000000_elenco_servizi_view.xml new file mode 100644 index 0000000000..cd6da38d59 --- /dev/null +++ b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240517000000_elenco_servizi_view.xml @@ -0,0 +1,49 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240517010000_cdi_preferences_view.xml b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240517010000_cdi_preferences_view.xml new file mode 100644 index 0000000000..471047b6f6 --- /dev/null +++ b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240517010000_cdi_preferences_view.xml @@ -0,0 +1,29 @@ + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240527000000_update_elenco_servizi_view_master.xml b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240527000000_update_elenco_servizi_view_master.xml new file mode 100644 index 0000000000..7397c26026 --- /dev/null +++ b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240527000000_update_elenco_servizi_view_master.xml 
@@ -0,0 +1,90 @@ + + + + + + + WITH cte AS ( + SELECT p_1.id_psp, + p_1.obj_id, + p_1.ragione_sociale AS psp_rag_soc, + p_1.abi, + max(m_1.obj_id) AS id_cdi_master, + p_1.codice_mybank + FROM cdi_master m_1, + psp p_1 + WHERE ((m_1.fk_psp = p_1.obj_id) AND (p_1.enabled = 'Y'::bpchar) AND (m_1.data_inizio_validita < (CURRENT_DATE + 1)) AND (p_1.enabled = 'Y'::bpchar)) + GROUP BY p_1.id_psp, p_1.obj_id, p_1.ragione_sociale, p_1.abi, p_1.codice_mybank + ) + SELECT row_number() OVER (ORDER BY m.obj_id, d.obj_id, cfcs.obj_id, cis.obj_id, pctv.obj_id, ctv.obj_id, c.obj_id, ip.obj_id, tv.obj_id) AS "OBJ_ID", + p.id_psp AS "PSP_ID", + (p.psp_rag_soc)::character varying(255) AS "PSP_RAG_SOC", + ( + CASE + WHEN (m.storno_pagamento = (0)::numeric) THEN 'N'::text + ELSE 'Y'::text + END)::character(1) AS "PSP_FLAG_STORNO", + ( + CASE + WHEN ((m.marca_bollo_digitale = (1)::numeric) AND (cn.marca_bollo_digitale = 'Y'::bpchar)) THEN 'Y'::text + ELSE 'N'::text + END)::character(1) AS "PSP_FLAG_BOLLO", + m.logo_psp AS "LOGO_PSP", + m.id_informativa_psp AS "FLUSSO_ID", + ip.id_intermediario_psp AS "INTM_ID", + c.id_canale AS "CANALE_ID", + (d.nome_servizio)::character varying(255) AS "NOME_SERVIZIO", + ( + CASE cn.modello_pagamento + WHEN 'IMMEDIATO'::text THEN 0 + WHEN 'IMMEDIATO_MULTIBENEFICIARIO'::text THEN 1 + WHEN 'DIFFERITO'::text THEN 2 + WHEN 'ATTIVATO_PRESSO_PSP'::text THEN 4 + ELSE NULL::integer + END)::numeric(1,0) AS "CANALE_MOD_PAG", + tv.tipo_versamento AS "TIPO_VERS_COD", + cis.codice_lingua AS "CODICE_LINGUA", + NULL::character varying(35) AS "INF_COND_EC_MAX", + cis.descrizione_servizio AS "INF_DESC_SERV", + cis.disponibilita_servizio AS "INF_DISP_SERV", + (cis.url_informazioni_canale)::character varying(140) AS "INF_URL_CANALE", + CURRENT_DATE AS "TIMESTAMP_INS", + (m.data_inizio_validita)::timestamp without time zone AS "DATA_VALIDITA", + (cfcs.importo_minimo)::double precision AS "IMPORTO_MINIMO", + (cfcs.importo_massimo)::double precision AS "IMPORTO_MASSIMO", + 
((cfcs.costo_fisso + cfcs.valore_commissione))::double precision AS "COSTO_FISSO", + (d.tags)::character varying(255) AS "TAGS", + d.logo_servizio AS "LOGO_SERVIZIO", + ( + CASE + WHEN ((d.canale_app = (0)::numeric) OR (d.canale_app IS NULL)) THEN 'N'::text + ELSE 'Y'::text + END)::character(1) AS "CANALE_APP", + cn.on_us AS "ON_US", + cn.carrello_carte AS "CARRELLO_CARTE", + p.abi AS "CODICE_ABI", + p.codice_mybank AS "CODICE_MYBANK", + cfcs.codice_convenzione AS "CODICE_CONVENZIONE", + cn.flag_io AS "FLAG_IO" + FROM ((((((((((cdi_master m + JOIN cdi_detail d ON ((d.fk_cdi_master = m.obj_id))) + JOIN cdi_fascia_costo_servizio cfcs ON ((cfcs.fk_cdi_detail = d.obj_id))) + JOIN cdi_informazioni_servizio cis ON ((cis.fk_cdi_detail = d.obj_id))) + JOIN cte p ON ((m.obj_id = p.id_cdi_master))) + JOIN psp_canale_tipo_versamento pctv ON ((pctv.obj_id = d.fk_psp_canale_tipo_versamento))) + JOIN canale_tipo_versamento ctv ON ((ctv.obj_id = pctv.fk_canale_tipo_versamento))) + JOIN canali c ON ((c.obj_id = ctv.fk_canale))) + JOIN canali_nodo cn ON ((c.fk_canali_nodo = cn.obj_id))) + JOIN intermediari_psp ip ON ((c.fk_intermediario_psp = ip.obj_id))) + JOIN tipi_versamento tv ON ((ctv.fk_tipo_versamento = tv.obj_id))) + WHERE ((c.enabled = 'Y'::bpchar) AND (ip.enabled = 'Y'::bpchar)); + + + diff --git a/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240605000000_update_float4.xml b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240605000000_update_float4.xml new file mode 100644 index 0000000000..e35c509c0c --- /dev/null +++ b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240605000000_update_float4.xml 
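Review bot: The `cte` in the view's `WHERE` repeats `(p_1.enabled = 'Y'::bpchar)` twice; one occurrence should go. The CTE also selects `max(m_1.obj_id) AS id_cdi_master` to pick the current CDI for each PSP, which relies on `obj_id` increasing with `data_inizio_validita` — if a later-inserted master can carry an earlier validity date the view exposes the wrong informativa, so confirm the intended ordering. The same SQL is repeated verbatim in the `update_float4` changelog hunk below, so any fix has to land in both, or the second changelog should only alter what differs. The XML changeSet elements around the SQL do not survive this rendering, so only the SQL body is reviewed here.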
@@ -0,0 +1,148 @@ + + + + + + + + + + + + + + + WITH cte AS ( + SELECT p_1.id_psp, + p_1.obj_id, + p_1.ragione_sociale AS psp_rag_soc, + p_1.abi, + max(m_1.obj_id) AS id_cdi_master, + p_1.codice_mybank + FROM cdi_master m_1, + psp p_1 + WHERE ((m_1.fk_psp = p_1.obj_id) AND (p_1.enabled = 'Y'::bpchar) AND (m_1.data_inizio_validita < (CURRENT_DATE + 1)) AND (p_1.enabled = 'Y'::bpchar)) + GROUP BY p_1.id_psp, p_1.obj_id, p_1.ragione_sociale, p_1.abi, p_1.codice_mybank + ) + SELECT row_number() OVER (ORDER BY m.obj_id, d.obj_id, cfcs.obj_id, cis.obj_id, pctv.obj_id, ctv.obj_id, c.obj_id, ip.obj_id, tv.obj_id) AS "OBJ_ID", + p.id_psp AS "PSP_ID", + (p.psp_rag_soc)::character varying(255) AS "PSP_RAG_SOC", + ( + CASE + WHEN (m.storno_pagamento = (0)::numeric) THEN 'N'::text + ELSE 'Y'::text + END)::character(1) AS "PSP_FLAG_STORNO", + ( + CASE + WHEN ((m.marca_bollo_digitale = (1)::numeric) AND (cn.marca_bollo_digitale = 'Y'::bpchar)) THEN 'Y'::text + ELSE 'N'::text + END)::character(1) AS "PSP_FLAG_BOLLO", + m.logo_psp AS "LOGO_PSP", + m.id_informativa_psp AS "FLUSSO_ID", + ip.id_intermediario_psp AS "INTM_ID", + c.id_canale AS "CANALE_ID", + (d.nome_servizio)::character varying(255) AS "NOME_SERVIZIO", + ( + CASE cn.modello_pagamento + WHEN 'IMMEDIATO'::text THEN 0 + WHEN 'IMMEDIATO_MULTIBENEFICIARIO'::text THEN 1 + WHEN 'DIFFERITO'::text THEN 2 + WHEN 'ATTIVATO_PRESSO_PSP'::text THEN 4 + ELSE NULL::integer + END)::numeric(1,0) AS "CANALE_MOD_PAG", + tv.tipo_versamento AS "TIPO_VERS_COD", + cis.codice_lingua AS "CODICE_LINGUA", + NULL::character varying(35) AS "INF_COND_EC_MAX", + cis.descrizione_servizio AS "INF_DESC_SERV", + cis.disponibilita_servizio AS "INF_DISP_SERV", + (cis.url_informazioni_canale)::character varying(140) AS "INF_URL_CANALE", + CURRENT_DATE AS "TIMESTAMP_INS", + (m.data_inizio_validita)::timestamp without time zone AS "DATA_VALIDITA", + (cfcs.importo_minimo)::double precision AS "IMPORTO_MINIMO", + (cfcs.importo_massimo)::double precision AS 
"IMPORTO_MASSIMO", + ((cfcs.costo_fisso + cfcs.valore_commissione))::double precision AS "COSTO_FISSO", + (d.tags)::character varying(255) AS "TAGS", + d.logo_servizio AS "LOGO_SERVIZIO", + ( + CASE + WHEN ((d.canale_app = (0)::numeric) OR (d.canale_app IS NULL)) THEN 'N'::text + ELSE 'Y'::text + END)::character(1) AS "CANALE_APP", + cn.on_us AS "ON_US", + cn.carrello_carte AS "CARRELLO_CARTE", + p.abi AS "CODICE_ABI", + p.codice_mybank AS "CODICE_MYBANK", + cfcs.codice_convenzione AS "CODICE_CONVENZIONE", + cn.flag_io AS "FLAG_IO" + FROM ((((((((((cdi_master m + JOIN cdi_detail d ON ((d.fk_cdi_master = m.obj_id))) + JOIN cdi_fascia_costo_servizio cfcs ON ((cfcs.fk_cdi_detail = d.obj_id))) + JOIN cdi_informazioni_servizio cis ON ((cis.fk_cdi_detail = d.obj_id))) + JOIN cte p ON ((m.obj_id = p.id_cdi_master))) + JOIN psp_canale_tipo_versamento pctv ON ((pctv.obj_id = d.fk_psp_canale_tipo_versamento))) + JOIN canale_tipo_versamento ctv ON ((ctv.obj_id = pctv.fk_canale_tipo_versamento))) + JOIN canali c ON ((c.obj_id = ctv.fk_canale))) + JOIN canali_nodo cn ON ((c.fk_canali_nodo = cn.obj_id))) + JOIN intermediari_psp ip ON ((c.fk_intermediario_psp = ip.obj_id))) + JOIN tipi_versamento tv ON ((ctv.fk_tipo_versamento = tv.obj_id))) + WHERE ((c.enabled = 'Y'::bpchar) AND (ip.enabled = 'Y'::bpchar)); + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240711000000_add_field_aca.xml b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240711000000_add_field_aca.xml new file mode 100644 index 0000000000..8fdefa577e --- /dev/null +++ b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240711000000_add_field_aca.xml @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + + 
diff --git a/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240711000001_add_field_standin.xml b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240711000001_add_field_standin.xml new file mode 100644 index 0000000000..4f04eff418 --- /dev/null +++ b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240711000001_add_field_standin.xml @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + + diff --git a/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240718000000_new_manutenzione_stazioni_table.xml b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240718000000_new_manutenzione_stazioni_table.xml new file mode 100644 index 0000000000..e8195709d4 --- /dev/null +++ b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240718000000_new_manutenzione_stazioni_table.xml 
@@ -0,0 +1,96 @@ + + + + + + + ANY + + + + + + + ANY + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SELECT mequal.OBJ_ID::varchar(255) AS ID, mequal.DATA_ORA_INIZIO, mequal.DATA_ORA_FINE, ipa.ID_INTERMEDIARIO_PA AS INTERMEDIARIO_PA_CODICE_FISCALE + FROM MANUTENZIONE_STAZIONE mequal JOIN STAZIONI s ON mequal.FK_STAZIONE = s.OBJ_ID JOIN INTERMEDIARI_PA ipa ON s.FK_INTERMEDIARIO_PA = ipa.OBJ_ID + WHERE EXTRACT('year' FROM mequal.DATA_ORA_INIZIO) = EXTRACT('year' FROM mequal.DATA_ORA_FINE ) + UNION ALL + SELECT mdiffStart.OBJ_ID || 'start' AS ID, mdiffStart.DATA_ORA_INIZIO, (DATE_TRUNC('year', mdiffStart.DATA_ORA_INIZIO) + interval '1' year) AS DATA_ORA_FINE , ipa.ID_INTERMEDIARIO_PA AS INTERMEDIARIO_PA_CODICE_FISCALE + FROM MANUTENZIONE_STAZIONE mdiffStart JOIN STAZIONI s ON mdiffStart.FK_STAZIONE = s.OBJ_ID JOIN INTERMEDIARI_PA ipa ON s.FK_INTERMEDIARIO_PA = ipa.OBJ_ID + WHERE EXTRACT('year' FROM mdiffStart.DATA_ORA_INIZIO) != EXTRACT('year' FROM mdiffStart.DATA_ORA_FINE ) + UNION ALL + SELECT mdiffEnd.OBJ_ID || 'end' AS ID, (DATE_TRUNC('year', mdiffEnd.DATA_ORA_FINE )) AS DATA_ORA_INIZIO, mdiffEnd.DATA_ORA_FINE , ipa.ID_INTERMEDIARIO_PA AS INTERMEDIARIO_PA_CODICE_FISCALE + FROM MANUTENZIONE_STAZIONE mdiffEnd JOIN STAZIONI s ON mdiffEnd.FK_STAZIONE = s.OBJ_ID JOIN INTERMEDIARI_PA ipa ON s.FK_INTERMEDIARIO_PA = ipa.OBJ_ID + WHERE EXTRACT('year' FROM mdiffEnd.DATA_ORA_INIZIO) != EXTRACT('year' FROM mdiffEnd.DATA_ORA_FINE ); + + + + + + SELECT INTERMEDIARIO_PA_CODICE_FISCALE, TO_CHAR(DATE_TRUNC('year', DATA_ORA_INIZIO), 'YYYY') AS ANNO_MANUTENZIONE, + SUM(COALESCE( + ( + SELECT EXTRACT(epoch FROM DATA_ORA_FINE - DATA_ORA_INIZIO)/3600 + FROM MANUTENZIONE_STAZIONE_ESPANSA AS maintenanceForUsedHours + WHERE maintenanceForUsedHours.DATA_ORA_FINE < CURRENT_TIMESTAMP and maintenanceForUsedHours.ID = maintenanceBase.ID + ), 0)) AS ORE_UTILIZZATE, + SUM(COALESCE( + ( + SELECT EXTRACT(epoch FROM DATA_ORA_FINE - DATA_ORA_INIZIO)/3600 + FROM 
MANUTENZIONE_STAZIONE_ESPANSA AS maintenanceForScheduledHours + WHERE maintenanceForScheduledHours.DATA_ORA_INIZIO > CURRENT_TIMESTAMP and maintenanceForScheduledHours.ID = maintenanceBase.ID + ), 0)) AS ORE_PROGRAMMATE + FROM MANUTENZIONE_STAZIONE_ESPANSA AS maintenanceBase + GROUP BY INTERMEDIARIO_PA_CODICE_FISCALE, ANNO_MANUTENZIONE; + + + + + diff --git a/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240910000000_add_is_payment_options_enabled_field.xml b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240910000000_add_is_payment_options_enabled_field.xml new file mode 100644 index 0000000000..87bab9fde8 --- /dev/null +++ b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240910000000_add_is_payment_options_enabled_field.xml @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + + diff --git a/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240910000001_add_rest_endpoint_field.xml b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240910000001_add_rest_endpoint_field.xml new file mode 100644 index 0000000000..8c7864b2e9 --- /dev/null +++ b/src/psql/nodo/liquibase/changelog/cfg-partner/3.31.0/db.changelog-20240910000001_add_rest_endpoint_field.xml @@ -0,0 +1,22 @@ + + + + + + + + + + + + + + + diff --git a/src/psql/nodo/liquibase/changelog/cfg-partner/db.changelog-master-3.31.0.xml b/src/psql/nodo/liquibase/changelog/cfg-partner/db.changelog-master-3.31.0.xml index b5eef6b685..dee9717e3c 100644 --- a/src/psql/nodo/liquibase/changelog/cfg-partner/db.changelog-master-3.31.0.xml +++ b/src/psql/nodo/liquibase/changelog/cfg-partner/db.changelog-master-3.31.0.xml @@ -5,4 +5,15 @@ + + + + + + + + + + + From 0a7fab15775ad379b17a1b8f4c704c51eb712244 Mon Sep 17 00:00:00 2001 
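Review bot: In the second SELECT, a maintenance window that is in progress at query time is counted in neither ORE_UTILIZZATE (which requires DATA_ORA_FINE < CURRENT_TIMESTAMP) nor ORE_PROGRAMMATE (which requires DATA_ORA_INIZIO > CURRENT_TIMESTAMP), so the two sums do not add up to the hours actually scheduled for the year; decide which bucket such rows belong to, or report them separately. The two correlated subqueries re-read the same MANUTENZIONE_STAZIONE_ESPANSA row as maintenanceBase, so each can be a plain conditional aggregate, e.g. `SUM(CASE WHEN DATA_ORA_FINE < CURRENT_TIMESTAMP THEN EXTRACT(epoch FROM DATA_ORA_FINE - DATA_ORA_INIZIO)/3600 ELSE 0 END) AS ORE_UTILIZZATE`. The first SELECT splits a cross-year window only into a 'start' row (up to the end of the start year) and an 'end' row (from the start of the end year), so a window spanning more than two calendar years silently loses the middle years. The changeSet markup wrapping these statements is not visible in this rendering.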
From: Samuele Varianti <128470180+svariant@users.noreply.github.com> Date: Fri, 4 Oct 2024 10:45:24 +0200 Subject: [PATCH 14/41] feat: Add new feature flags for backoffice's Stations (#2462) * feat: Add new feature flags for backoffice's Stations * feat(selfcare iac permission): add secret permission to iac group * add comment trick --------- Co-authored-by: Jacopo Carlini Co-authored-by: pasqualespica <36746022+pasqualespica@users.noreply.github.com> --- .../selfcare-common/.terraform.lock.hcl | 6 +++- src/domains/selfcare-common/02_azdo.tf | 12 +++++-- .../04_app_configuration_feature.tf | 34 ++++++++++++++++++- src/domains/selfcare-common/README.md | 2 ++ 4 files changed, 50 insertions(+), 4 deletions(-) diff --git a/src/domains/selfcare-common/.terraform.lock.hcl b/src/domains/selfcare-common/.terraform.lock.hcl index 40a3103011..596667c6b1 100644 --- a/src/domains/selfcare-common/.terraform.lock.hcl +++ b/src/domains/selfcare-common/.terraform.lock.hcl @@ -5,6 +5,7 @@ provider "registry.terraform.io/hashicorp/azuread" { version = "2.30.0" constraints = "2.30.0" hashes = [ + "h1:Uw4TcmJBEJ71h+oCwwidlkk5jFpyFRDPAFCMs/bT/cw=", "h1:WnSPiREAFwnBUKREokMdHQ8Cjs47MzvS9pG8VS1ktec=", "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", "zh:2e62c193030e04ebb10cc0526119cf69824bf2d7e4ea5a2f45bd5d5fb7221d36", @@ -23,8 +24,9 @@ provider "registry.terraform.io/hashicorp/azuread" { provider "registry.terraform.io/hashicorp/azurerm" { version = "3.53.0" - constraints = ">= 3.30.0, >= 3.39.0, <= 3.53.0, <= 3.84.0" + constraints = ">= 3.30.0, ~> 3.30, >= 3.39.0, <= 3.53.0, <= 3.84.0" hashes = [ + "h1:NqV7ilkolM3jBsmAx5Bh6mA9zfUHCQh3hyjOPBUeWlo=", "h1:ocOIwGJG+K9hb22GdXhTdDiewSdeo9YO3BZ8cm8fUiE=", "zh:078ece8318ad7d6c1cd2e5f2044188e74af63921b93223c7f8d477539fa91888", "zh:1bdc98ff8c2d3f3e81a746762e03d39794b2f5c90dc478cdb23dcc3d3f9947b6", 
@@ -46,6 +48,7 @@ provider "registry.terraform.io/hashicorp/null" {
 constraints = "3.1.1"
 hashes = [
 "h1:Pctug/s/2Hg5FJqjYcTM0kPyx3AoYK1MpRWO0T9V2ns=",
+ "h1:YvH6gTaQzGdNv+SKTZujU1O0bO+Pw6vJHOPhqgN8XNs=",
 "zh:063466f41f1d9fd0dd93722840c1314f046d8760b1812fa67c34de0afcba5597",
 "zh:08c058e367de6debdad35fc24d97131c7cf75103baec8279aba3506a08b53faf",
 "zh:73ce6dff935150d6ddc6ac4a10071e02647d10175c173cfe5dca81f3d13d8afe",
@@ -65,6 +68,7 @@ provider "registry.terraform.io/hashicorp/time" {
 version = "0.11.1"
 hashes = [
 "h1:UyhbtF79Wy4EVNrnvMcOPzmZLVQQyzM2ostfjs2l5PI=",
+ "h1:pQGSL9mdgw4qsLndFYsEF93mbsIxyxNoAyIbBqhS3Xo=",
 "zh:19a393db736ec4fd024d098d55aefaef07056c37a448ece3b55b3f5f4c2c7e4a",
 "zh:227fa1e221de2907f37be78d40c06ca6a6f7b243a1ec33ade014dfaf6d92cd9c",
 "zh:29970fecbf4a3ca23bacbb05d6b90cdd33dd379f90059fe39e08289951502d9f",
diff --git a/src/domains/selfcare-common/02_azdo.tf b/src/domains/selfcare-common/02_azdo.tf
index d4d7fc1f01..1514e5f31f 100644
--- a/src/domains/selfcare-common/02_azdo.tf
+++ b/src/domains/selfcare-common/02_azdo.tf
@@ -17,7 +17,9 @@ resource "azurerm_key_vault_access_policy" "azdevops_iac_managed_identities" {
 secret_permissions = ["Get", "List", "Set", ]
- certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get"]
+ certificate_permissions = [
+ "SetIssuers", "DeleteIssuers", "Purge", "List", "Get"
+ ]
 storage_permissions = []
 }
@@ -45,9 +47,15 @@ resource "azurerm_key_vault_access_policy" "azdevops_iac_legacy_policies" {
 tenant_id = data.azurerm_client_config.current.tenant_id
 object_id = each.key
+ key_permissions = [
+ "Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt",
+ ]
+
 secret_permissions = ["Get", "List", "Set", ]
- certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get"]
+ certificate_permissions = [
+ "SetIssuers", "DeleteIssuers", "Purge", "List", "Get"
+ ]
 storage_permissions = []
 }
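Review bot: The key_permissions list added to azdevops_iac_legacy_policies grants Delete, Encrypt and Decrypt on every key in the vault to each identity in the for_each set (object_id = each.key), which is broader than the "add secret permission" the commit message describes; Decrypt in particular lets any of those pipeline identities unwrap whatever is protected by the vault's keys, and Delete is destructive. Trim the list to the operations the IaC pipelines actually perform (Get/List, plus Create/Update/Import only if they provision keys) and record the consumer next to it, e.g. `# key permissions required by <PIPELINE-OR-TOOL> — confirm Delete/Encrypt/Decrypt are needed`. The first hunk of this file only reflows certificate_permissions and needs nothing. The enclosing resource block starts before this hunk.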
diff --git a/src/domains/selfcare-common/04_app_configuration_feature.tf b/src/domains/selfcare-common/04_app_configuration_feature.tf
index d6808380a2..52560b6d1d 100644
--- a/src/domains/selfcare-common/04_app_configuration_feature.tf
+++ b/src/domains/selfcare-common/04_app_configuration_feature.tf
@@ -5,7 +5,9 @@ resource "azurerm_app_configuration" "selfcare_appconf" {
 sku = "standard"
 }
-
+# ⚠️⚠️⚠️ iif on apply receive error 409 already exist a tricky u be ⚠️⚠️⚠️ :
+# 1. sh terraform.sh state weu- rm azurerm_role_assignment.selfcare_appconf_dataowner_sp
+# 2. remove ✋ from portal pagopa--selfcare-appconfiguration > Role assignments > filter for "App Configuration Data Owner" and removed pagopa--seflcare
 resource "azurerm_role_assignment" "selfcare_appconf_dataowner" {
 scope = azurerm_app_configuration.selfcare_appconf.id
 role_definition_name = "App Configuration Data Owner"
@@ -181,6 +183,36 @@ resource "azurerm_app_configuration_feature" "station_maintenances_flag" {
 name = "station-maintenances"
 enabled = false
+ lifecycle {
+ ignore_changes = [
+ enabled,
+ targeting_filter,
+ timewindow_filter
+ ]
+ }
+}
+
+resource "azurerm_app_configuration_feature" "station-rest-section" {
+ configuration_store_id = azurerm_app_configuration.selfcare_appconf.id
+ description = "It shows the REST endpoint section for Stations"
+ name = "station-rest-section"
+ enabled = false
+
+ lifecycle {
+ ignore_changes = [
+ enabled,
+ targeting_filter,
+ timewindow_filter
+ ]
+ }
+}
+
+resource "azurerm_app_configuration_feature" "station-odp-service" {
+ configuration_store_id = azurerm_app_configuration.selfcare_appconf.id
+ description = "It shows the Payment Options service flag for Stations"
+ name = "station-odp-service"
+ enabled = false
+ lifecycle {
+ ignore_changes = [
+ enabled,
diff --git a/src/domains/selfcare-common/README.md b/src/domains/selfcare-common/README.md
index 79e6171992..e4d38eedc0 100644
--- a/src/domains/selfcare-common/README.md
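Review bot: The new comment above selfcare_appconf_dataowner is hard to follow ("iif on apply receive error 409 already exist a tricky u be", "seflcare") and it tells the reader to remove azurerm_role_assignment.selfcare_appconf_dataowner_sp from state while the resource it annotates is selfcare_appconf_dataowner, so the address to remove is ambiguous unless an _sp resource exists elsewhere in the file. Suggested wording: `# If apply fails with 409 (role assignment already exists): 1) sh terraform.sh state weu- rm azurerm_role_assignment.selfcare_appconf_dataowner_sp  2) in the portal, on pagopa--selfcare-appconfiguration > Role assignments, delete the existing "App Configuration Data Owner" assignment, then re-run apply`. Confirm the resource address in step 1 before merging.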
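Review bot: The two new resources are named station-rest-section and station-odp-service, whereas the siblings in this file and in the README table use snake_case with a _flag suffix (station_maintenances_flag, test_stations_flag, payment_notices_flag); Terraform accepts hyphens in labels, but mixing conventions makes resource addresses harder to predict and grep for. Consider `resource "azurerm_app_configuration_feature" "station_rest_section_flag" {` and `resource "azurerm_app_configuration_feature" "station_odp_service_flag" {`, keeping the hyphenated name attribute values as they are and updating the README rows in the same commit. The ignore_changes on enabled matches the existing flags, so the default enabled = false is only applied on first creation. The start of station_maintenances_flag and the remainder of the trailing lifecycle block lie outside this hunk.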
+++ b/src/domains/selfcare-common/README.md @@ -39,6 +39,8 @@ | [azurerm_app_configuration_feature.maintenance_flag](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_configuration_feature) | resource | | [azurerm_app_configuration_feature.payment_notices_flag](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_configuration_feature) | resource | | [azurerm_app_configuration_feature.payments_receipts_flag](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_configuration_feature) | resource | +| [azurerm_app_configuration_feature.station-odp-service](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_configuration_feature) | resource | +| [azurerm_app_configuration_feature.station-rest-section](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_configuration_feature) | resource | | [azurerm_app_configuration_feature.station_maintenances_flag](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_configuration_feature) | resource | | [azurerm_app_configuration_feature.test_stations_flag](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_configuration_feature) | resource | | [azurerm_cosmosdb_mongo_database.pagopa_backoffice](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_mongo_database) | resource | From 6007d2299a2648d0ee20eb38eaea2466f2565d69 Mon Sep 17 00:00:00 2001 
From: Alessio Cialini <63233981+alessio-cialini@users.noreply.github.com> Date: Fri, 4 Oct 2024 12:15:17 +0200 Subject: [PATCH 15/41] feat: Introduced payment options mock (#2456) * feat: Introduced payment options mock * feat: Introduced payment options mock * fix --------- Co-authored-by: pasqualespica <36746022+pasqualespica@users.noreply.github.com> --- .../paymentoptions-app/.terraform.lock.hcl | 33 +- .../04_apim_payment_options_mock.tf | 74 +++ src/domains/paymentoptions-app/99_locals.tf | 2 + .../paymentoptions-app/99_variables.tf | 6 +- src/domains/paymentoptions-app/README.md | 104 ++++ .../api/payment-options-mock/_base_policy.xml | 14 + .../_get_payment_options_policy.xml | 444 ++++++++++++++++++ .../payment-options-mock/_openapi.json.tpl | 99 ++++ .../env/itn-dev/terraform.tfvars | 1 + .../env/itn-prod/terraform.tfvars | 1 + .../env/itn-uat/terraform.tfvars | 1 + src/domains/paymentoptions-secrets/sops.sh | 0 12 files changed, 758 insertions(+), 21 deletions(-) create mode 100644 src/domains/paymentoptions-app/04_apim_payment_options_mock.tf create mode 100644 src/domains/paymentoptions-app/README.md create mode 100644 src/domains/paymentoptions-app/api/payment-options-mock/_base_policy.xml create mode 100644 src/domains/paymentoptions-app/api/payment-options-mock/_get_payment_options_policy.xml create mode 100644 src/domains/paymentoptions-app/api/payment-options-mock/_openapi.json.tpl mode change 100644 => 100755 src/domains/paymentoptions-secrets/sops.sh diff --git a/src/domains/paymentoptions-app/.terraform.lock.hcl b/src/domains/paymentoptions-app/.terraform.lock.hcl index 949f808b96..97cef8e563 100644 --- a/src/domains/paymentoptions-app/.terraform.lock.hcl +++ b/src/domains/paymentoptions-app/.terraform.lock.hcl 
@@ -5,7 +5,6 @@ provider "registry.terraform.io/hashicorp/azuread" { version = "2.47.0" constraints = "<= 2.47.0" hashes = [ - "h1:g8+gBFM4QVOEQFqAEs5pR6iXpbGvgPvcEi1evHwziyw=", "h1:iRwDQBdXBpVBoYwM9au2RG01RQuJSm3TGQ2kioFVAas=", "zh:1372d81eb24ef3b4b00ea350fe87219f22da51691b8e42ce91d662f6c2a8af5e", "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", 
@@ -23,23 +22,22 @@ provider "registry.terraform.io/hashicorp/azuread" { } provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.106.0" - constraints = "~> 3.30, <= 3.106.0" + version = "3.97.1" + constraints = ">= 3.30.0, ~> 3.30, <= 3.97.1, <= 3.106.0" hashes = [ - "h1:6t9Nz9tYAR9BfHZ8yc56m+GKRl0nriwjQ5DyA0/TnCs=", - "h1:Mxe1/I27IZK3BP6cm84Gt0+7PXd2EDaDUMxuljm/rUA=", - "zh:07980d6fdc40c0adb670c8413a5c667917d6dbb51fcedc467c35d64c2f3a1f47", - "zh:2e6e8491b1f089644b0d23f8da83398f1e10cf5a62b16efcef2b5454fe923038", - "zh:450dbd72821c5619cc3bcdc20fdd0e29515147e44b733f9c79d3a75851810055", - "zh:5e234c0a2f3c9677ea72b2a6e6ca90defb99fab29ae565f5d1f70728ba4ba78f", - "zh:83fd042ece6977429d79affd03d6ce963d2f122604dbf15a1abf203d7a7bbc8a", - "zh:93027e1f66b3bf83398d572d4e6f6e7777330c78c54da3226dadd50fd868ada9", - "zh:ae3d1dd66140c303df97d93c47a60f16735ce17cf156f45475dcee4a7360af5b", - "zh:daf9d2eb89e785458a76b88bf2ef0696c472094c77cc9cff3b3ea4b885c5a482", - "zh:dd46370141651e6549da6d85e25c7a6770c47581bbaaa27eda2886d41d849747", + "h1:LtwGbd4HEb5QCXmdxSvTjPSh8/Gp8eAQMYfiAKaubV4=", + "zh:15171efcc3aa3a37748c502c493cb16ecff603b81ada4499a843574976bac524", + "zh:2ca6c13a4a96f67763ecced0015c7b101ee02d54ea54b28a8df4ae06468071b1", + "zh:2e3c77dbfd8f760132ecef2d6117e939cbea26b96aba5e4d926e7f7f0f7afe72", + "zh:4bc346eece1622be93c73801d8256502b11fd7c2e7f7cea12d048bb9fc9fe900", + "zh:4f1042942ed8d0433680a367527289459d43b0894a51eaba83ac414e80d5187f", + "zh:63e674c31482ae3579ea84daf5b1ba066ce40cb23475f54e17b6b131320a1bec", + "zh:8327148766dcb7a174673729a832c8095d7e137d0e6c7e2a9a01da48b8b73fbe", + "zh:851b3ae417059a80c7813e7f0063298a590a42f056004f2c2558ea14061c207e", + "zh:ac081b48907139c121a422ae9b1f40fc72c6aaaeb05cbdbf848102a6a5f426f4", + "zh:dc1d663df2d95e4ba91070ceb20d3560b6ea5c465d39c57a5979319302643e41", + "zh:ed26457367cbbb94237e935d297cb31b5687f9abf697377da0ee46974480db9b", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - 
"zh:f77405c0d8f6e0d93d9da83256b3b02c164bad4c791ed9604310ff02ae086ad1", - "zh:ffa769147bda833aef8802e3a391bd175ec749862764d61cbdaa8200d5b8f893", ] } @@ -48,7 +46,6 @@ provider "registry.terraform.io/hashicorp/helm" { constraints = "~> 2.12, <= 2.12.1" hashes = [ "h1:7wfYOAeSEchHB8idNl+2jf+OkFi9zFSOLWkEZFuTCik=", - "h1:aBfcqM4cbywa7TAxfT1YoFS+Cst9waerlm4XErFmJlk=", "zh:1d623fb1662703f2feb7860e3c795d849c77640eecbc5a776784d08807b15004", "zh:253a5bc62ba2c4314875139e3fbd2feaad5ef6b0fb420302a474ab49e8e51a38", "zh:282358f4ad4f20d0ccaab670b8645228bfad1c03ac0d0df5889f0aea8aeac01a", @@ -68,7 +65,6 @@ provider "registry.terraform.io/hashicorp/kubernetes" { version = "2.29.0" constraints = "~> 2.27, <= 2.29.0" hashes = [ - "h1:7C1MinWhowW8EnlSYhhAFV3bte8x5YcSF5QxUPdoXDk=", "h1:Igs0JTtmzn5q7RHqrvrTMCD/DCSLPMinvUnhYZ2oITw=", "zh:3edd5dc319b95fe94e61b82d10c1ce7fb53a2f21b067ddb742f2d7d0d19dd113", "zh:4b9096e6d0cfa0efd4c89270e3d25fea49db570e2cfbe49c5d1de085a15f2578", @@ -90,7 +86,6 @@ provider "registry.terraform.io/hashicorp/null" { constraints = "~> 3.2, <= 3.2.1" hashes = [ "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", - "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=", "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", diff --git a/src/domains/paymentoptions-app/04_apim_payment_options_mock.tf b/src/domains/paymentoptions-app/04_apim_payment_options_mock.tf new file mode 100644 index 0000000000..329281da0f --- /dev/null +++ b/src/domains/paymentoptions-app/04_apim_payment_options_mock.tf 
@@ -0,0 +1,74 @@
+locals {
+ apim_payment_options_mock_pagopa_api = {
+ display_name = "Mock Payment Options Product pagoPA"
+ description = "Mock API for Payment Options"
+ }
+}
+
+module "apim_payment_options_mock_product" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product?ref=v8.18.0"
+ count = var.is_feature_enabled.paymentoptions_mock ? 1 : 0
+
+ product_id = "pagopa-payment-options-mock"
+ display_name = local.apim_payment_options_mock_pagopa_api.display_name
+ description = local.apim_payment_options_mock_pagopa_api.description
+
+ api_management_name = local.pagopa_apim_name
+ resource_group_name = local.pagopa_apim_rg
+
+ published = false
+ subscription_required = false
+ approval_required = false
+ # subscriptions_limit = 1000
+
+ policy_xml = file("./api_product/_base_policy.xml")
+}
+
+resource "azurerm_api_management_api_version_set" "payment_options_mock_api" {
+ count = var.is_feature_enabled.paymentoptions_mock ? 1 : 0
+
+ name = format("%s-payment-options-mock-api", var.env_short)
+ resource_group_name = local.pagopa_apim_rg
+ api_management_name = local.pagopa_apim_name
+ display_name = "Payment Options Mock"
+ versioning_scheme = "Segment"
+}
+
+
+module "apim_api_pay_opt_mock_api" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v8.18.0"
+ count = var.is_feature_enabled.paymentoptions_mock ? 1 : 0
+
+ name = format("%s-pay-opt-mock-api", local.project)
+ api_management_name = local.pagopa_apim_name
+ resource_group_name = local.pagopa_apim_rg
+ product_ids = [module.apim_payment_options_mock_product[0].product_id]
+ subscription_required = false
+ version_set_id = azurerm_api_management_api_version_set.payment_options_mock_api[0].id
+ api_version = "v1"
+
+ description = local.apim_payment_options_mock_pagopa_api.description
+ display_name = local.apim_payment_options_mock_pagopa_api.display_name
+ path = "payopt-mock"
+ protocols = ["https"]
+ service_url = null
+
+ content_format = "openapi"
+ content_value = templatefile("./api/payment-options-mock/_openapi.json.tpl", {
+ host = local.apim_hostname
+ })
+
+ xml_content = templatefile("./api/payment-options-mock/_base_policy.xml", {
+ hostname = local.hostname
+ })
+
+ api_operation_policies = [
+ {
+ operation_id = "get-payment-options",
+ xml_content = templatefile("./api/payment-options-mock/_get_payment_options_policy.xml", {
+ hostname = local.hostname
+ })
+ },
+ ]
+
+}
diff --git a/src/domains/paymentoptions-app/99_locals.tf b/src/domains/paymentoptions-app/99_locals.tf
index cd17c927c9..9b8dffcb17 100644
--- a/src/domains/paymentoptions-app/99_locals.tf
+++ b/src/domains/paymentoptions-app/99_locals.tf
@@ -35,6 +35,8 @@ locals {
 pagopa_apim_rg = "${local.product}-api-rg"
 apim_hostname = "api.${var.apim_dns_zone_prefix}.${var.external_domain}"
+ hostname = var.env == "prod" ? "${var.domain}.itn.internal.platform.pagopa.it" : "${var.domain}.itn.internal.${var.env}.platform.pagopa.it"
+
 evt_hub_location = "${local.location_short_weu}-core"
diff --git a/src/domains/paymentoptions-app/99_variables.tf b/src/domains/paymentoptions-app/99_variables.tf
index 0c2a945686..b2c2b38a27 100644
--- a/src/domains/paymentoptions-app/99_variables.tf
+++ b/src/domains/paymentoptions-app/99_variables.tf
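Review bot: Both the product and the API are created with `subscription_required = false`, so once paymentoptions_mock is on, the payopt-mock path on the shared APIM (local.pagopa_apim_name) answers without any subscription key, and the operation policy in this commit serves canned payment data for fixed paTaxCode values; the diffstat also shows the flag being added to env/itn-prod/terraform.tfvars. If the mock is meant for test environments only, gate all three `count` expressions on the environment as well, e.g. `count = var.env != "prod" && var.is_feature_enabled.paymentoptions_mock ? 1 : 0`, or require a subscription so calls are at least attributable and rate-limited per key. What _base_policy.xml enforces is not visible in this rendering, so this may already be handled there; worth confirming before merge. The commented-out `# subscriptions_limit = 1000` reads as a leftover and can be dropped.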
@@ -71,10 +71,12 @@ variable "tags" {
 variable "is_feature_enabled" {
 type = object({
- paymentoptions = bool
+ paymentoptions = bool
+ paymentoptions_mock = bool
 })
 default = {
- paymentoptions = false
+ paymentoptions = false
+ paymentoptions_mock = false
 }
 }
 ### External resources
diff --git a/src/domains/paymentoptions-app/README.md b/src/domains/paymentoptions-app/README.md
new file mode 100644
index 0000000000..675d4f0be5
--- /dev/null
+++ b/src/domains/paymentoptions-app/README.md
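Review bot: `variable "is_feature_enabled"` still carries no description, which is why the generated README row for it shows n/a, and the new paymentoptions_mock toggle is the one most in need of one since it creates an APIM product, version set and API when set. Add `description = "Feature toggles for this domain; paymentoptions_mock creates the Payment Options mock product and API in APIM"` inside the variable block and regenerate the README. The variable block is fully inside the hunk.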
@@ -0,0 +1,104 @@ +# paymentoptions-app + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.6.0 | +| [azuread](#requirement\_azuread) | <= 2.47.0 | +| [azurerm](#requirement\_azurerm) | <= 3.106.0 | +| [helm](#requirement\_helm) | <= 2.12.1 | +| [kubernetes](#requirement\_kubernetes) | <= 2.29.0 | +| [null](#requirement\_null) | <= 3.2.1 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [apim\_api\_pay\_opt\_mock\_api](#module\_apim\_api\_pay\_opt\_mock\_api) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api | v8.18.0 | +| [apim\_payment\_options\_mock\_product](#module\_apim\_payment\_options\_mock\_product) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product | v8.18.0 | +| [apim\_payment\_options\_product](#module\_apim\_payment\_options\_product) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product | v8.18.0 | +| [kubernetes\_service\_account](#module\_kubernetes\_service\_account) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_service_account | v8.18.0 | +| [pod\_identity](#module\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v8.18.0 | +| [tls\_checker](#module\_tls\_checker) | git::https://github.com/pagopa/terraform-azurerm-v3.git//tls_checker | v8.22.0 | + +## Resources + +| Name | Type | +|------|------| +| [azurerm_api_management_api_version_set.payment_options_mock_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource | +| [azurerm_api_management_subscription.api_config_subkey](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource | +| 
[azurerm_api_management_subscription.forwarder_subkey](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource | +| [azurerm_key_vault_secret.aks_apiserver_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.api_config_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.application_insights_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.azure_devops_sa_cacrt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.azure_devops_sa_token](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.ehub_nodo-dei-pagamenti-verify-ko_jaas_config](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.ehub_nodo_pagamenti_cache_jaas_config](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.ehub_payment-options-re_jaas_config](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.forwarder_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.tenant_id](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| 
[azurerm_monitor_scheduled_query_rules_alert.pagopa-payment-options-rest-availability-upd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource | +| [azurerm_monitor_scheduled_query_rules_alert.pagopa-payment-options-service-responsetime-upd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource | +| [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource | +| [helm_release.cert_mounter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [kubernetes_namespace.namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.namespace_system](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_pod_disruption_budget_v1.payment_options](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_disruption_budget_v1) | resource | +| [kubernetes_role_binding.deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | +| [kubernetes_role_binding.system_deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | +| [azurerm_api_management.apim](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source | +| [azurerm_api_management_product.apim_api_config_product](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management_product) | data source | +| 
[azurerm_api_management_product.apim_forwarder_product](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management_product) | data source | +| [azurerm_application_insights.application_insights_italy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | +| [azurerm_eventhub_authorization_rule.pagopa_weu_core_evh_ns04_nodo_dei_pagamenti_cache_sync_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/eventhub_authorization_rule) | data source | +| [azurerm_eventhub_authorization_rule.pagopa_weu_core_evh_ns04_nodo_dei_pagamenti_verify_ko_writer](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/eventhub_authorization_rule) | data source | +| [azurerm_eventhub_authorization_rule.payment_options_re_authorization_rule_writer](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/eventhub_authorization_rule) | data source | +| [azurerm_key_vault.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | +| [azurerm_kubernetes_cluster.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster) | data source | +| [azurerm_log_analytics_workspace.log_analytics_italy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source | +| [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | +| [azurerm_monitor_action_group.opsgenie](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | +| 
[azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | +| [azurerm_private_dns_zone.internal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | +| [azurerm_resource_group.monitor_italy_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | +| [azurerm_subnet.apim_vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azurerm_virtual_network.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [apim\_dns\_zone\_prefix](#input\_apim\_dns\_zone\_prefix) | The dns subdomain for apim. | `string` | `null` | no | +| [dns\_zone\_internal\_prefix](#input\_dns\_zone\_internal\_prefix) | The dns subdomain. | `string` | `null` | no | +| [dns\_zone\_prefix](#input\_dns\_zone\_prefix) | The wallet dns subdomain. | `string` | `null` | no | +| [domain](#input\_domain) | n/a | `string` | n/a | yes | +| [env](#input\_env) | n/a | `string` | n/a | yes | +| [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes | +| [external\_domain](#input\_external\_domain) | Domain for delegation | `string` | `null` | no | +| [ingress\_load\_balancer\_ip](#input\_ingress\_load\_balancer\_ip) | ## Aks | `string` | n/a | yes | +| [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes | +| [is\_feature\_enabled](#input\_is\_feature\_enabled) | n/a |
object({
paymentoptions = bool
paymentoptions_mock = bool
})
|
{
"paymentoptions": false,
"paymentoptions_mock": false
}
| no | +| [k8s\_kube\_config\_path\_prefix](#input\_k8s\_kube\_config\_path\_prefix) | n/a | `string` | `"~/.kube"` | no | +| [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes | +| [location\_short](#input\_location\_short) | One of wue, neu | `string` | n/a | yes | +| [location\_string](#input\_location\_string) | One of West Europe, North Europe | `string` | n/a | yes | +| [log\_analytics\_italy\_workspace\_name](#input\_log\_analytics\_italy\_workspace\_name) | Specifies the name of the Log Analytics Workspace Italy. | `string` | n/a | yes | +| [log\_analytics\_italy\_workspace\_resource\_group\_name](#input\_log\_analytics\_italy\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace Italy is located in. | `string` | n/a | yes | +| [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | Specifies the name of the Log Analytics Workspace. | `string` | n/a | yes | +| [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes | +| [monitor\_italy\_resource\_group\_name](#input\_monitor\_italy\_resource\_group\_name) | Monitor Italy resource group name | `string` | n/a | yes | +| [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes | +| [pod\_disruption\_budgets](#input\_pod\_disruption\_budgets) | Pod disruption budget for domain namespace |
map(object({
name = optional(string, null)
minAvailable = optional(number, null)
matchLabels = optional(map(any), {})
}))
| `{}` | no | +| [prefix](#input\_prefix) | n/a | `string` | n/a | yes | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | + +## Outputs + +No outputs. + diff --git a/src/domains/paymentoptions-app/api/payment-options-mock/_base_policy.xml b/src/domains/paymentoptions-app/api/payment-options-mock/_base_policy.xml new file mode 100644 index 0000000000..59ce29e724 --- /dev/null +++ b/src/domains/paymentoptions-app/api/payment-options-mock/_base_policy.xml @@ -0,0 +1,14 @@ + + + + + + + + + + + + + + diff --git a/src/domains/paymentoptions-app/api/payment-options-mock/_get_payment_options_policy.xml b/src/domains/paymentoptions-app/api/payment-options-mock/_get_payment_options_policy.xml new file mode 100644 index 0000000000..018a492ebf --- /dev/null +++ b/src/domains/paymentoptions-app/api/payment-options-mock/_get_payment_options_policy.xml 
@@ -0,0 +1,444 @@ + + + + + + + + + + + + + + application/json + + + + + { + "paTaxCode": "77777777777", + "paFullName": "EC", + "paOfficeName": "EC", + "paymentOptions": [ + { + "description": "Test PayOpt - Opzione 1 - Soluzione Unica", + "numberOfInstallments": 1, + "amount": 120, + "dueDate": "2024-10-30T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status":"PO_UNPAID", + "statusReason":"Non pagato", + "allCCP": "false", + "installments": [ + { + "nav": "311111111111111112", + "iuv": "11111111111111112", + "amount": 120, + "description": "Test Opt Inst - soluzione unica", + "dueDate": "2024-10-30T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status":"POI_UNPAID", + "statusReason":"Non pagato" + } + ] + }, + { + "description": "Test PayOpt - Opzione 2 - Piano Rateale", + "numberOfInstallments": 3, + "amount": 120, + "dueDate": "2024-12-31T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status":"PO_UNPAID", + "statusReason":"Non pagatp", + "allCCP": "false", + "installments": [ + { + "nav": "311111111111111113", + "iuv": "11111111111111113", + "amount": 40, + "description": "rata 1", + "dueDate": "2024-10-31T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status":"POI_UNPAID", + "statusReason":"Non pagato" + }, + { + "nav": "311111111111111114", + "iuv": "311111111111111114", + "amount": 40, + "description": "rata 2", + "dueDate": "2024-11-31T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status":"POI_UNPAID", + "statusReason":"Non pagato" + }, + { + "nav": "311111111111111115", + "iuv": "11111111111111115", + "amount": 40, + "description": "rata 3", + "dueDate": "2024-12-31T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status":"POI_UNPAID", + "statusReason":"Non pagato" + } + ] + } + ] + } + + + + + { + "paTaxCode": "99999000013", + "paFullName": "EC", + "paOfficeName": "EC", + "paymentOptions": [ + { + "description": "Test PayOpt - Opzione 1 - Soluzione Unica", + "numberOfInstallments": 1, + "amount": 120, + "dueDate": 
"2024-10-30T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status":"PO_UNPAID", + "statusReason":"Non pagato", + "allCCP": "false", + "installments": [ + { + "nav": "311111111111111112", + "iuv": "11111111111111112", + "amount": 120, + "description": "Test Opt Inst - soluzione unica", + "dueDate": "2024-10-30T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status":"POI_UNPAID", + "statusReason":"Non pagato" + } + ] + }, + { + "description": "Test PayOpt - Opzione 2 - Piano Rateale", + "numberOfInstallments": 3, + "amount": 120, + "dueDate": "2024-12-31T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status":"PO_UNPAID", + "statusReason":"Non pagatp", + "allCCP": "false", + "installments": [ + { + "nav": "311111111111111113", + "iuv": "11111111111111113", + "amount": 40, + "description": "rata 1", + "dueDate": "2024-10-31T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status":"POI_UNPAID", + "statusReason":"Non pagato" + }, + { + "nav": "311111111111111114", + "iuv": "311111111111111114", + "amount": 40, + "description": "rata 2", + "dueDate": "2024-11-31T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status":"POI_UNPAID", + "statusReason":"Non pagato" + }, + { + "nav": "311111111111111115", + "iuv": "11111111111111115", + "amount": 40, + "description": "rata 3", + "dueDate": "2024-12-31T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status":"POI_UNPAID", + "statusReason":"Non pagato" + } + ] + }, + { + "description": "Test PayOpt - Opzione 3 - Piano Rateale - 5 rate", + "numberOfInstallments": 5, + "amount": 90, + "dueDate": "2024-12-31T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status": "PO_UNPAID", + "statusReason": "Non pagato", + "allCCP": "false", + "installments": [ + { + "nav": "311111111111111120", + "iuv": "311111111111111120", + "amount": 18, + "description": "rata 1", + "dueDate": "2024-10-31T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status": "POI_UNPAID", + "statusReason": "Non pagato" + }, + { + "nav": 
"311111111111111121", + "iuv": "311111111111111121", + "amount": 18, + "description": "rata 2", + "dueDate": "2024-11-31T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status": "POI_UNPAID", + "statusReason": "Non pagato" + }, + { + "nav": "311111111111111122", + "iuv": "311111111111111122", + "amount": 18, + "description": "rata 3", + "dueDate": "2024-12-31T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status": "POI_UNPAID", + "statusReason": "Non pagato" + }, + { + "nav": "311111111111111123", + "iuv": "311111111111111123", + "amount": 18, + "description": "rata 4", + "dueDate": "2025-01-31T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status": "POI_UNPAID", + "statusReason": "Non pagato" + }, + { + "nav": "311111111111111124", + "iuv": "311111111111111124", + "amount": 18, + "description": "rata 5", + "dueDate": "2025-02-31T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status": "POI_UNPAID", + "statusReason": "Non pagato" + } + ] + } + ] + } + + + + { + "paTaxCode": "77777777777", + "paFullName": "EC", + "paOfficeName": "EC", + "paymentOptions": [ + { + "description": "Test PayOpt - unica opzione", + "numberOfInstallments": 1, + "amount": 120, + "dueDate": "2024-10-30T23:59:59", + "validFrom": "2024-09-30T23:59:59", + "status": "PO_UNPAID", + "statusReason": "Non Pagato", + "allCCP": "false", + "installments": [ + { + "nav": "311111111111111111", + "iuv": "311111111111111111", + "amount": 120, + "description": "Test Opt Inst - unica opzione", + "dueDate": "2024-10-30T23:59:59", + "validFrom": "2024-09-30T23:59:59", + "status": "POI_UNPAID", + "statusReason": "Non Pagato" + } + ] + } + ] + } + + + { + "paTaxCode": "99999000013", + "paFullName": "EC", + "paOfficeName": "EC", + "paymentOptions": [ + { + "description": "Test PayOpt - Opzione 1 - CO-Obbligato 1", + "numberOfInstallments": 1, + "amount": 120, + "dueDate": "2024-10-30T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status": "PO_UNPAID", + "statusReason": "Non pagato", + "allCCP": 
"false", + "installments": [ + { + "nav": "311111111111111125", + "iuv": "311111111111111125", + "amount": 120, + "description": "Test PayOpt - Opzione 1 - CO-Obbligato 1", + "dueDate": "2024-10-30T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status": "POI_UNPAID", + "statusReason": "Non pagato" + } + ] + }, + { + "description": "Test PayOpt - Opzione 2 - CO-Obbligato 2", + "numberOfInstallments": 1, + "amount": 120, + "dueDate": "2024-10-30T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status": "PO_UNPAID", + "statusReason": "Non pagato", + "allCCP": "false", + "installments": [ + { + "nav": "311111111111111126", + "iuv": "311111111111111126", + "amount": 120, + "description": "Test PayOpt - Opzione 2 - CO-Obbligato 2", + "dueDate": "2024-10-30T23:59:59", + "validFrom":"2024-09-30T23:59:59", + "status": "POI_UNPAID", + "statusReason": "Non pagato" + } + ] + } + ] + } + + + + { + "httpStatusCode": 400, + "httpStatusDescription": "ND", + "appErrorCode": "PAA_SINTASSI", + "timestamp": 1724425035, + "dateTime": "2024-08-23T14:57:15.635528", + "errorMessage": "Errore di sintassi del modello nella risposta" + } + + + + { + "httpStatusCode": 400, + "httpStatusDescription": "ND", + "appErrorCode": "PAA_PAGAMENTO_SCONOSCIUTO", + "timestamp": 1724425035, + "dateTime": "2024-08-23T14:57:15.635528", + "errorMessage": "Errore per pagamento sconosciuto" + } + + + + { + "httpStatusCode": 400, + "httpStatusDescription": "ND", + "appErrorCode": "PAA_ID_DOMINIO_ERRATO", + "timestamp": 1724425035, + "dateTime": "2024-08-23T14:57:15.635528", + "errorMessage": "Errore per id dominio errato" + } + + + + { + "httpStatusCode": 400, + "httpStatusDescription": "ND", + "appErrorCode": "PAA_ID_INTERMEDIARIO_ERRATO", + "timestamp": 1724425035, + "dateTime": "2024-08-23T14:57:15.635528", + "errorMessage": "Errore per id intermediario errato" + } + + + + { + "httpStatusCode": 400, + "httpStatusDescription": "ND", + "appErrorCode": "PAA_PAGAMENTO_ANNULLATO", + "timestamp": 1724425035, 
+ "dateTime": "2024-08-23T14:57:15.635528", + "errorMessage": "Errore per pagamento annullato" + } + + + + { + "httpStatusCode": 400, + "httpStatusDescription": "ND", + "appErrorCode": "PAA_PAGAMENTO_DUPLICATO", + "timestamp": 1724425035, + "dateTime": "2024-08-23T14:57:15.635528", + "errorMessage": "Errore per pagamento duplicato" + } + + + + { + "httpStatusCode": 400, + "httpStatusDescription": "ND", + "appErrorCode": "PAA_PAGAMENTO_IN_CORSO", + "timestamp": 1724425035, + "dateTime": "2024-08-23T14:57:15.635528", + "errorMessage": "Errore per pagamento ancora in corso" + } + + + + { + "httpStatusCode": 400, + "httpStatusDescription": "ND", + "appErrorCode": "PAA_PAGAMENTO_SCADUTO", + "timestamp": 1724425035, + "dateTime": "2024-08-23T14:57:15.635528", + "errorMessage": "Errore per pagamento scaduto" + } + + + + { + "httpStatusCode": 400, + "httpStatusDescription": "ND", + "appErrorCode": "PAA_SEMANTICA", + "timestamp": 1724425035, + "dateTime": "2024-08-23T14:57:15.635528", + "errorMessage": "Errore semantica" + } + + + + { + "httpStatusCode": 400, + "httpStatusDescription": "ND", + "appErrorCode": "PAA_STAZIONE_INT_ERRATA", + "timestamp": 1724425035, + "dateTime": "2024-08-23T14:57:15.635528", + "errorMessage": "Errore per stazione errata" + } + + + + { + "httpStatusCode": 400, + "httpStatusDescription": "ND", + "appErrorCode": "PAA_SYSTEM_ERROR", + "timestamp": 1724425035, + "dateTime": "2024-08-23T14:57:15.635528", + "errorMessage": "Errore generico" + } + + + + + + + + diff --git a/src/domains/paymentoptions-app/api/payment-options-mock/_openapi.json.tpl b/src/domains/paymentoptions-app/api/payment-options-mock/_openapi.json.tpl new file mode 100644 index 0000000000..ef7b46e20a --- /dev/null +++ b/src/domains/paymentoptions-app/api/payment-options-mock/_openapi.json.tpl 
@@ -0,0 +1,99 @@
+{
+ "openapi": "3.0.1",
+ "info": {
+ "title": "Mocker Payopts",
+ "description": "",
+ "version": "1.0"
+ },
+ "servers": [
+ {
+ "url": "https://api.dev.platform.pagopa.it/payopt-mock"
+ }
+ ],
+ "paths": {
+ "/payment-options/organizations/{fiscal-code}/notices/{notice-number}": {
+ "post": {
+ "summary": "Get Payment Options",
+ "operationId": "get-payment-options",
+ "parameters": [
+ {
+ "name": "fiscal-code",
+ "in": "path",
+ "required": true,
+ "schema": {
+ "type": ""
+ }
+ },
+ {
+ "name": "notice-number",
+ "in": "path",
+ "required": true,
+ "schema": {
+ "type": ""
+ }
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "Single Opt Response",
+ "content": {
+ "application/json": {
+ "example": {
+ "paTaxCode": "77777777777",
+ "paFullName": "EC",
+ "paOfficeName": "EC",
+ "paymentOptions": [
+ {
+ "description": "Test PayOpt - unica opzione",
+ "numberOfInstallments": 1,
+ "amount": 120,
+ "dueDate": "2024-10-30T23:59:59.0000000+00:00",
+ "validFrom": "2024-09-30T23:59:59.0000000+00:00",
+ "status": "non pagato",
+ "status reason": "desc",
+ "allCCP": "false",
+ "installments": [
+ {
+ "nav": "311111111111111111",
+ "iuv": "311111111111111111",
+ "amount": 120,
+ "description": "Test Opt Inst - unica opzione",
+ "dueDate": "2024-10-30T23:59:59.0000000+00:00",
+ "validFrom": "2024-09-30T23:59:59.0000000+00:00",
+ "status": "non pagato",
+ "status reason": "desc"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "components": {
+ "securitySchemes": {
+ "apiKeyHeader": {
+ "type": "apiKey",
+ "name": "Ocp-Apim-Subscription-Key",
+ "in": "header"
+ },
+ "apiKeyQuery": {
+ "type": "apiKey",
+ "name": "subscription-key",
+ "in": "query"
+ }
+ }
+ },
+ "security": [
+ {
+ "apiKeyHeader": []
+ },
+ {
+ "apiKeyQuery": []
+ }
+ ]
+}
\ No newline at end of file
diff --git a/src/domains/paymentoptions-app/env/itn-dev/terraform.tfvars b/src/domains/paymentoptions-app/env/itn-dev/terraform.tfvars
index 0787a27660..0406f0622e 100644
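Review bot: Both path parameters declare `"schema": { "type": "" }`, which is not a valid OpenAPI 3.0 type and gives APIM nothing to validate `fiscal-code` and `notice-number` against; `"type": "string"` is the intended value. The `servers.url` hard-codes `https://api.dev.platform.pagopa.it/payopt-mock` although the file is a `.tpl` and the mock is switched on in both dev and uat by the tfvars hunks that follow, so the spec published in uat will advertise the dev host — use the template's hostname variable if the calling module provides one, as the ecommerce specs in this series do. The `200` example also disagrees with the bodies served by `_get_payment_options_policy.xml` (`"status reason": "desc"` / `"status": "non pagato"` here versus `statusReason` / `PO_UNPAID` in the mock), so a client generated from this spec will expect a different shape than the mock returns. Finally, the `apiKeyQuery` scheme accepts the subscription key as a `subscription-key` query parameter, which is harmless for a mock but puts keys into access logs and referrers if this spec is reused for the real API.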
--- a/src/domains/paymentoptions-app/env/itn-dev/terraform.tfvars
+++ b/src/domains/paymentoptions-app/env/itn-dev/terraform.tfvars
@@ -35,4 +35,5 @@ ingress_load_balancer_ip = "10.3.2.250"
 is_feature_enabled = {
 paymentoptions = true
+ paymentoptions_mock = true
 }
diff --git a/src/domains/paymentoptions-app/env/itn-prod/terraform.tfvars b/src/domains/paymentoptions-app/env/itn-prod/terraform.tfvars
index eff33890b2..93b75c946d 100644
--- a/src/domains/paymentoptions-app/env/itn-prod/terraform.tfvars
+++ b/src/domains/paymentoptions-app/env/itn-prod/terraform.tfvars
@@ -35,6 +35,7 @@ ingress_load_balancer_ip = "10.3.2.250"
 is_feature_enabled = {
 paymentoptions = true
+ paymentoptions_mock = false
 }
 pod_disruption_budgets = {
diff --git a/src/domains/paymentoptions-app/env/itn-uat/terraform.tfvars b/src/domains/paymentoptions-app/env/itn-uat/terraform.tfvars
index f9fef84f60..38f63671c5 100644
--- a/src/domains/paymentoptions-app/env/itn-uat/terraform.tfvars
+++ b/src/domains/paymentoptions-app/env/itn-uat/terraform.tfvars
@@ -35,4 +35,5 @@ ingress_load_balancer_ip = "10.3.2.250"
 is_feature_enabled = {
 paymentoptions = true
+ paymentoptions_mock = true
 }
diff --git a/src/domains/paymentoptions-secrets/sops.sh b/src/domains/paymentoptions-secrets/sops.sh
old mode 100644
new mode 100755
From 022e41b9fefc2e1b558190ab2162f8e7b410f54a Mon Sep 17 00:00:00 2001 From: Pasquale Spica <36746022+pasqualespica@users.noreply.github.com> Date: Fri, 4 Oct 2024 12:31:08 +0200 Subject: [PATCH 16/41] feat: Add opt key 4test (#2464) add opt key 4test --- src/domains/paymentoptions-app/05_subkey.tf | 13 +++++++++++++ src/domains/paymentoptions-app/06_keyvault.tf | 12 ++++++++++++ src/domains/paymentoptions-app/README.md | 2 ++ 3 files changed, 27 insertions(+)
diff --git a/src/domains/paymentoptions-app/05_subkey.tf b/src/domains/paymentoptions-app/05_subkey.tf
index a72efc1a5f..15fba182f4 100644
--- a/src/domains/paymentoptions-app/05_subkey.tf
+++ b/src/domains/paymentoptions-app/05_subkey.tf
@@ -15,3 +15,16 @@ resource "azurerm_api_management_subscription" "forwarder_subkey" {
 allow_tracing = false
 state = "active"
 }
+
+resource "azurerm_api_management_subscription" "service_payment_options_subkey" {
+ count = var.env_short != "p" ? 1 : 0
+
+ api_management_name = data.azurerm_api_management.apim.name
+ resource_group_name = data.azurerm_api_management.apim.resource_group_name
+ product_id = module.apim_payment_options_product[0].id
+ display_name = "Subscription for Payments Options APIM"
+ allow_tracing = false
+ state = "active"
+}
+
+
diff --git a/src/domains/paymentoptions-app/06_keyvault.tf b/src/domains/paymentoptions-app/06_keyvault.tf
index d8e87d4494..83f09e182e 100644
--- a/src/domains/paymentoptions-app/06_keyvault.tf
+++ b/src/domains/paymentoptions-app/06_keyvault.tf
@@ -67,3 +67,15 @@ resource "azurerm_key_vault_secret" "forwarder_subscription_key" {
 key_vault_id = data.azurerm_key_vault.kv.id
 }
+resource "azurerm_key_vault_secret" "service_payment_options_subscription_key" {
+ count = var.env_short != "p" ? 1 : 0
+
+ name = "apikey-service-payment-options"
+ value = azurerm_api_management_subscription.service_payment_options_subkey[0].primary_key
+ content_type = "text/plain"
+
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+
+
diff --git a/src/domains/paymentoptions-app/README.md b/src/domains/paymentoptions-app/README.md
index 675d4f0be5..51e2d2e81e 100644
--- a/src/domains/paymentoptions-app/README.md
+++ b/src/domains/paymentoptions-app/README.md
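Review bot: The `display_name = "Subscription for Payments Options APIM"` gives no hint that this is the non-prod test key the commit title ("opt key 4test") describes, so in the APIM portal it is indistinguishable from a real client subscription; `display_name = "Subscription for Payment Options service (test, non-prod only)"` plus a comment above the `count` line such as `# test-only key: gated out of prod (env_short == "p")` would make the scope and the gating self-explanatory. The `module.apim_payment_options_product[0].id` reference also presumes that module is counted with the same condition; if its `count` ever diverges, the plan fails in whichever environment they disagree on, and since the module is defined outside this hunk that is worth a quick check.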
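Review bot: The secret that stores `primary_key` sets no `expiration_date`, so nothing tracks when this static subscription credential should be rotated and Azure's built-in "Key Vault secrets should have an expiration date" policy will flag it; a fixed `expiration_date` (or one derived from `timestamp()` under `lifecycle { ignore_changes = [expiration_date] }`) would close that gap. A comment above the resource, `# non-prod only (see count): APIM subscription key for the payment-options service; presumably rotated by tainting service_payment_options_subkey`, would also tell the next maintainer how to roll it. As with every APIM subscription wired this way, the key is also present in Terraform state, so access to the state backend is equivalent to access to the key.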
@@ -30,6 +30,7 @@ | [azurerm_api_management_api_version_set.payment_options_mock_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource | | [azurerm_api_management_subscription.api_config_subkey](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource | | [azurerm_api_management_subscription.forwarder_subkey](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource | +| [azurerm_api_management_subscription.service_payment_options_subkey](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource | | [azurerm_key_vault_secret.aks_apiserver_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.api_config_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.application_insights_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | 
@@ -39,6 +40,7 @@ | [azurerm_key_vault_secret.ehub_nodo_pagamenti_cache_jaas_config](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.ehub_payment-options-re_jaas_config](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.forwarder_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.service_payment_options_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.tenant_id](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_monitor_scheduled_query_rules_alert.pagopa-payment-options-rest-availability-upd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource | | [azurerm_monitor_scheduled_query_rules_alert.pagopa-payment-options-service-responsetime-upd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource | From 0cbfa168984424f4b002f52353b048a260ec799f Mon Sep 17 00:00:00 2001 From: Alessio Cialini <63233981+alessio-cialini@users.noreply.github.com> Date: Fri, 4 Oct 2024 18:23:28 +0200 Subject: [PATCH 17/41] fix: api-config-cache subkey (#2443) --- src/domains/paymentoptions-app/00_data.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/domains/paymentoptions-app/00_data.tf b/src/domains/paymentoptions-app/00_data.tf index 2e8642786e..1dc819d122 100644 --- a/src/domains/paymentoptions-app/00_data.tf +++ b/src/domains/paymentoptions-app/00_data.tf 
@@ -26,7 +26,7 @@ data "azurerm_api_management" "apim" {
 }
 data "azurerm_api_management_product" "apim_api_config_product" {
- product_id = "product-api-config-auth"
+ product_id = "apiconfig-cache"
 api_management_name = local.pagopa_apim_name
 resource_group_name = local.pagopa_apim_rg
 }
From 82d939d14efd589814c62a187e6e011e9917e7db Mon Sep 17 00:00:00 2001 From: ciuffagianluca <113357981+ciuffagianluca@users.noreply.github.com> Date: Tue, 8 Oct 2024 16:19:34 +0200 Subject: [PATCH 18/41] feat: [CHK-3298] add user stats api key in keyvault (#2465) * add user stats api key * fix: refactor secret name --------- Co-authored-by: Gianluca Ciuffa Co-authored-by: Pietro Tota <115724836+pietro-tota@users.noreply.github.com> Co-authored-by: Pietro Tota --- src/domains/ecommerce-common/02_security.tf | 13 +++++++++++++ src/domains/ecommerce-common/README.md | 13 +++++++------ 2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/src/domains/ecommerce-common/02_security.tf b/src/domains/ecommerce-common/02_security.tf
index 036ae0c1e1..ff7210c3a5 100644
--- a/src/domains/ecommerce-common/02_security.tf
+++ b/src/domains/ecommerce-common/02_security.tf
@@ -486,6 +486,19 @@ resource "azurerm_key_vault_secret" "transactions_service_auth_update_api_key" {
 }
 }
+
+resource "azurerm_key_vault_secret" "user_stats_for_event_dispatcher_api_key" {
+ name = "user-stats-for-event-dispatcher-api-key"
+ value = ""
+ key_vault_id = module.key_vault.id
+
+ lifecycle {
+ ignore_changes = [
+ value,
+ ]
+ }
+}
+
 resource "azurerm_key_vault_secret" "redirect_url_mapping" {
 name = "redirect-url-mapping"
 value = ""
diff --git a/src/domains/ecommerce-common/README.md b/src/domains/ecommerce-common/README.md
index bf92efc79a..b8b9cd1b03 100644
--- a/src/domains/ecommerce-common/README.md
+++ b/src/domains/ecommerce-common/README.md
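Review bot: `user_stats_for_event_dispatcher_api_key` is created with `value = ""` and `ignore_changes = [value]`, so the real key must be set by hand after the first apply and nothing in the hunk records that step; until it is done, any consumer that reads the secret gets an empty string as its API key, which a lax backend check might accept. A comment above the resource would keep that explicit: `# Placeholder only: the real key is set manually in Key Vault after the first apply (value is ignored on later plans)`. The pattern matches the sibling `redirect_url_mapping` secret, so if the convention is documented elsewhere a pointer to it suffices.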
@@ -72,6 +72,7 @@ | [azurerm_key_vault_secret.sessions_jwt_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.touchpoint_mail](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.transactions_service_auth_update_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.user_stats_for_event_dispatcher_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.wallet-api-key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.wallet-token-test-key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.wallet_storage_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | @@ -152,12 +153,12 @@ | [cidr\_subnet\_cosmosdb\_ecommerce](#input\_cidr\_subnet\_cosmosdb\_ecommerce) | Cosmos DB address space for ecommerce. | `list(string)` | n/a | yes | | [cidr\_subnet\_redis\_ecommerce](#input\_cidr\_subnet\_redis\_ecommerce) | Redis DB address space for ecommerce. | `list(string)` | n/a | yes | | [cidr\_subnet\_storage\_ecommerce](#input\_cidr\_subnet\_storage\_ecommerce) | Azure storage DB address space for ecommerce. | `list(string)` | n/a | yes | -| [cosmos\_mongo\_db\_ecommerce\_params](#input\_cosmos\_mongo\_db\_ecommerce\_params) | n/a |
object({
enable_serverless = bool
enable_autoscaling = bool
throughput = number
max_throughput = number
})
| n/a | yes | -| [cosmos\_mongo\_db\_params](#input\_cosmos\_mongo\_db\_params) | n/a |
object({
enabled = bool
capabilities = list(string)
offer_type = string
server_version = string
kind = string
consistency_policy = object({
consistency_level = string
max_interval_in_seconds = number
max_staleness_prefix = number
})
enable_free_tier = bool
main_geo_location_zone_redundant = bool
additional_geo_locations = list(object({
location = string
failover_priority = number
zone_redundant = bool
}))
private_endpoint_enabled = bool
public_network_access_enabled = bool
is_virtual_network_filter_enabled = bool
backup_continuous_enabled = bool
enable_provisioned_throughput_exceeded_alert = bool
})
| n/a | yes | +| [cosmos\_mongo\_db\_ecommerce\_params](#input\_cosmos\_mongo\_db\_ecommerce\_params) | n/a |
object({
enable_serverless = bool
enable_autoscaling = bool
throughput = number
max_throughput = number
})
| n/a | yes | +| [cosmos\_mongo\_db\_params](#input\_cosmos\_mongo\_db\_params) | n/a |
object({
enabled = bool
capabilities = list(string)
offer_type = string
server_version = string
kind = string
consistency_policy = object({
consistency_level = string
max_interval_in_seconds = number
max_staleness_prefix = number
})
enable_free_tier = bool
main_geo_location_zone_redundant = bool
additional_geo_locations = list(object({
location = string
failover_priority = number
zone_redundant = bool
}))
private_endpoint_enabled = bool
public_network_access_enabled = bool
is_virtual_network_filter_enabled = bool
backup_continuous_enabled = bool
enable_provisioned_throughput_exceeded_alert = bool
})
| n/a | yes | | [dns\_zone\_internal\_prefix](#input\_dns\_zone\_internal\_prefix) | The dns subdomain. | `string` | `null` | no | | [domain](#input\_domain) | n/a | `string` | n/a | yes | -| [ecommerce\_storage\_deadletter\_params](#input\_ecommerce\_storage\_deadletter\_params) | Azure storage DB params for ecommerce deadletter resources. |
object({
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": true,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 7,
"tier": "Standard"
}
| no | -| [ecommerce\_storage\_transient\_params](#input\_ecommerce\_storage\_transient\_params) | Azure storage DB params for ecommerce transient resources. |
object({
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": true,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 7,
"tier": "Standard"
}
| no | +| [ecommerce\_storage\_deadletter\_params](#input\_ecommerce\_storage\_deadletter\_params) | Azure storage DB params for ecommerce deadletter resources. |
object({
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": true,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 7,
"tier": "Standard"
}
| no | +| [ecommerce\_storage\_transient\_params](#input\_ecommerce\_storage\_transient\_params) | Azure storage DB params for ecommerce transient resources. |
object({
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": true,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 7,
"tier": "Standard"
}
| no | | [enable\_iac\_pipeline](#input\_enable\_iac\_pipeline) | If true create the key vault policy to allow used by azure devops iac pipelines. | `bool` | `false` | no | | [env](#input\_env) | n/a | `string` | n/a | yes | | [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes | @@ -170,8 +171,8 @@ | [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes | | [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes | | [prefix](#input\_prefix) | n/a | `string` | n/a | yes | -| [redis\_ecommerce\_params](#input\_redis\_ecommerce\_params) | n/a |
object({
capacity = number
sku_name = string
family = string
version = string
ha_enabled = bool
zones = list(number)
})
| n/a | yes | -| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | +| [redis\_ecommerce\_params](#input\_redis\_ecommerce\_params) | n/a |
object({
capacity = number
sku_name = string
family = string
version = string
ha_enabled = bool
zones = list(number)
})
| n/a | yes | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | ## Outputs From f4b90daaebafef3b607bf4a9c9e77fc3a2971795 Mon Sep 17 00:00:00 2001 From: Simone Caminati Date: Tue, 8 Oct 2024 16:51:19 +0200 Subject: [PATCH 19/41] feat: [CHK-3290] add user api policy into ecommerce-io (#2454) * feat: add user api policy into ecommerce-io * fix: change user hostname * fix: remove wrong user_hostname * fix: add more specific condition --------- Co-authored-by: Pietro Tota <115724836+pietro-tota@users.noreply.github.com> Co-authored-by: Simone infante <52280205+infantesimone@users.noreply.github.com> --- .../ecommerce-app/api/ecommerce-io/v2/_base_policy.xml.tpl | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/domains/ecommerce-app/api/ecommerce-io/v2/_base_policy.xml.tpl b/src/domains/ecommerce-app/api/ecommerce-io/v2/_base_policy.xml.tpl index 060b8fe260..551d9344ce 100644 --- a/src/domains/ecommerce-app/api/ecommerce-io/v2/_base_policy.xml.tpl +++ b/src/domains/ecommerce-app/api/ecommerce-io/v2/_base_policy.xml.tpl @@ -70,6 +70,9 @@ + + + From 3a0b054c54f907d72036bcc7fae0e83ac176cd48 Mon Sep 17 00:00:00 2001 From: Pietro Tota <115724836+pietro-tota@users.noreply.github.com> Date: Tue, 8 Oct 2024 17:01:16 +0200 Subject: [PATCH 20/41] feat(ecommerce user stats): [CHK-3293] add PUT user stats api V1 (#2457) * feat(ecommerce user stats): add POST user stats api V1 * fix: pre-commit * fix: user id as header parameter * fix: update openapi specs --------- Co-authored-by: Simone infante <52280205+infantesimone@users.noreply.github.com> --- .../ecommerce-app/04_apim_ecommerce.tf | 49 ++++ src/domains/ecommerce-app/README.md | 2 + .../v1/_base_policy.xml.tpl | 15 ++ .../v1/_openapi.json.tpl | 236 ++++++++++++++++++ 4 files changed, 302 insertions(+) create mode 100644 src/domains/ecommerce-app/api/ecommerce-user-stats-service/v1/_base_policy.xml.tpl create mode 100644 src/domains/ecommerce-app/api/ecommerce-user-stats-service/v1/_openapi.json.tpl 
diff --git a/src/domains/ecommerce-app/04_apim_ecommerce.tf b/src/domains/ecommerce-app/04_apim_ecommerce.tf
index 650e9c7a8f..c978293c74 100644
--- a/src/domains/ecommerce-app/04_apim_ecommerce.tf
+++ b/src/domains/ecommerce-app/04_apim_ecommerce.tf
@@ -608,4 +608,53 @@ module "apim_pagopa_ecommerce_technical_helpdesk_service_api_v2" {
 xml_content = templatefile("./api/ecommerce-technical-helpdesk-api/v2/_base_policy.xml.tpl", {
 hostname = local.ecommerce_hostname
 })
+}
+
+##############################
+## API user stats service ##
+##############################
+locals {
+ apim_ecommerce_user_stats_service_api = {
+ display_name = "ecommerce pagoPA - user stats API"
+ description = "API for handle user stats for transactions made on eCommerce"
+ path = "ecommerce/user-stats-service"
+ subscription_required = true
+ service_url = null
+ }
+}
+
+# User stats APIs
+resource "azurerm_api_management_api_version_set" "ecommerce_user_stats_service_api" {
+ name = format("%s-user-stats-service-api", local.project)
+ resource_group_name = local.pagopa_apim_rg
+ api_management_name = local.pagopa_apim_name
+ display_name = local.apim_ecommerce_user_stats_service_api.display_name
+ versioning_scheme = "Segment"
+}
+
+module "apim_ecommerce_user_stats_service_api_v1" {
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v6.6.0"
+
+ name = format("%s-user-stats-service-api", local.project)
+ api_management_name = local.pagopa_apim_name
+ resource_group_name = local.pagopa_apim_rg
+ product_ids = [module.apim_ecommerce_product.product_id]
+ subscription_required = local.apim_ecommerce_user_stats_service_api.subscription_required
+ version_set_id = azurerm_api_management_api_version_set.ecommerce_user_stats_service_api.id
+ api_version = "v1"
+
+ description = local.apim_ecommerce_user_stats_service_api.description
+ display_name = local.apim_ecommerce_user_stats_service_api.display_name
+ path = local.apim_ecommerce_user_stats_service_api.path
+ protocols = ["https"]
+ service_url = local.apim_ecommerce_user_stats_service_api.service_url
+
+ content_format = "openapi"
+ content_value = templatefile("./api/ecommerce-user-stats-service/v1/_openapi.json.tpl", {
+ hostname = local.apim_hostname
+ })
+
+ xml_content = templatefile("./api/ecommerce-user-stats-service/v1/_base_policy.xml.tpl", {
+ hostname = local.ecommerce_hostname
+ })
 }
\ No newline at end of file
diff --git a/src/domains/ecommerce-app/README.md b/src/domains/ecommerce-app/README.md
index 2408049590..ded3b882ea 100644
--- a/src/domains/ecommerce-app/README.md
+++ b/src/domains/ecommerce-app/README.md
@@ -34,6 +34,7 @@
 | [apim\_ecommerce\_transaction\_user\_receipts\_service\_api\_v1](#module\_apim\_ecommerce\_transaction\_user\_receipts\_service\_api\_v1) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api | v6.6.0 |
 | [apim\_ecommerce\_transactions\_service\_api\_v1](#module\_apim\_ecommerce\_transactions\_service\_api\_v1) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api | v6.6.0 |
 | [apim\_ecommerce\_transactions\_service\_api\_v2](#module\_apim\_ecommerce\_transactions\_service\_api\_v2) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api | v6.6.0 |
+| [apim\_ecommerce\_user\_stats\_service\_api\_v1](#module\_apim\_ecommerce\_user\_stats\_service\_api\_v1) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api | v6.6.0 |
 | [apim\_ecommerce\_webview\_api\_v1](#module\_apim\_ecommerce\_webview\_api\_v1) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api | v6.6.0 |
 | [apim\_ecommerce\_webview\_product](#module\_apim\_ecommerce\_webview\_product) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product | v6.6.0 |
 | [apim\_pagopa\_ecommerce\_helpdesk\_commands\_service\_api\_v1](#module\_apim\_pagopa\_ecommerce\_helpdesk\_commands\_service\_api\_v1) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api | v6.6.0 |
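Review bot: The user-stats API is attached to `module.apim_ecommerce_product.product_id`, so every subscription key issued on the general eCommerce product can call it, while the secret added in #2465 (`user-stats-for-event-dispatcher-api-key`) suggests a single internal consumer; if that is the case, a dedicated product, or an extra key check in `_base_policy.xml.tpl` (whose content is not visible here), would keep a leaked client key from reaching this endpoint. `description = "API for handle user stats for transactions made on eCommerce"` reads better as `"API for handling user stats for transactions made on eCommerce"`. With `service_url = null` the backend has to come from the policy template, which appears to be the convention followed by the other modules in this file.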
@@ -112,6 +113,7 @@ | [azurerm_api_management_api_version_set.ecommerce_transaction_auth_requests_service_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource | | [azurerm_api_management_api_version_set.ecommerce_transaction_user_receipts_service_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource | | [azurerm_api_management_api_version_set.ecommerce_transactions_service_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource | +| [azurerm_api_management_api_version_set.ecommerce_user_stats_service_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource | | [azurerm_api_management_api_version_set.pagopa_ecommerce_helpdesk_commands_service_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource | | [azurerm_api_management_api_version_set.pagopa_ecommerce_helpdesk_service_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource | | [azurerm_api_management_api_version_set.pagopa_ecommerce_technical_helpdesk_service_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource | diff --git a/src/domains/ecommerce-app/api/ecommerce-user-stats-service/v1/_base_policy.xml.tpl b/src/domains/ecommerce-app/api/ecommerce-user-stats-service/v1/_base_policy.xml.tpl new file mode 100644 index 0000000000..256b488337 --- /dev/null +++ b/src/domains/ecommerce-app/api/ecommerce-user-stats-service/v1/_base_policy.xml.tpl @@ -0,0 +1,15 @@ + + + + + + + + + + + + + + + 
diff --git a/src/domains/ecommerce-app/api/ecommerce-user-stats-service/v1/_openapi.json.tpl b/src/domains/ecommerce-app/api/ecommerce-user-stats-service/v1/_openapi.json.tpl new file mode 100644 index 0000000000..908917ee19 --- /dev/null +++ b/src/domains/ecommerce-app/api/ecommerce-user-stats-service/v1/_openapi.json.tpl 
@@ -0,0 +1,236 @@ +{ + "openapi": "3.0.0", + "info": { + "version": "0.0.1", + "title": "Pagopa eCommerce user stats service", + "description": "This microservice handles statistics for payment performed by an authenticated used on eCommerce", + "contact": { + "name": "pagoPA - Touchpoints team" + } + }, + "tags": [ + { + "name": "user-stats", + "description": "Api's for tracing and retrieve user statistics", + "externalDocs": { + "url": "TODO", + "description": "Technical specifications" + } + } + ], + "externalDocs": { + "url": "https://pagopa.atlassian.net/wiki/spaces/I/pages/492339720/pagoPA+eCommerce+Design+Review", + "description": "Design review" + }, + "servers": [ + { + "url": "https://${hostname}" + } + ], + "security": [ + { + "ApiKeyAuth": [] + } + ], + "paths": { + "/user/lastPaymentMethodUsed": { + "put": { + "operationId": "saveLastPaymentMethodUsed", + "tags": [ + "user-stats" + ], + "description": "Save last payment method used by an user to perform a transaction on eCommerce", + "summary": "Save last method used", + "requestBody": { + "$ref": "#/components/requestBodies/UserLastPaymentMethodRequest" + }, + "responses": { + "204": { + "description": "User last payment method used updated successfully" + }, + "400": { + "description": "Formally invalid input", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ProblemJson" + } + } + } + }, + "401": { + "description": "Unauthorized, api key missing or invalid", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ProblemJson" + } + } + } + }, + "500": { + "description": "Unexpected error updating user last used payment method", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ProblemJson" + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "ProblemJson": { + "description": "Body definition for error responses containing failure details", + "type": "object", + "properties": { + "type": 
{ + "type": "string", + "format": "uri", + "description": "An absolute URI that identifies the problem type. When dereferenced,\nit SHOULD provide human-readable documentation for the problem type\n(e.g., using HTML).", + "default": "about:blank", + "example": "https://example.com/problem/constraint-violation" + }, + "title": { + "type": "string", + "description": "A short, summary of the problem type. Written in english and readable\nfor engineers (usually not suited for non technical stakeholders and\nnot localized); example: Service Unavailable" + }, + "status": { + "$ref": "#/components/schemas/HttpStatusCode" + }, + "detail": { + "type": "string", + "description": "A human readable explanation specific to this occurrence of the\nproblem.", + "example": "There was an error processing the request" + }, + "instance": { + "type": "string", + "format": "uri", + "description": "An absolute URI that identifies the specific occurrence of the problem.\nIt may or may not yield further information if dereferenced." 
+ } + } + }, + "HttpStatusCode": { + "type": "integer", + "format": "int32", + "description": "The HTTP status code generated by the origin server for this occurrence\nof the problem.", + "minimum": 100, + "maximum": 600, + "exclusiveMaximum": true, + "example": 200 + }, + "UserLastPaymentMethodRequest": { + "type": "object", + "description": "Request to update last payment method used by an user", + "properties": { + "userId": { + "type": "string", + "format": "uuid", + "description": "the user unique identifier" + }, + "details": { + "$ref": "#/components/schemas/UserLastPaymentMethodData" + } + }, + "required": [ + "userId", + "details" + ] + }, + "UserLastPaymentMethodData": { + "description": "Last usage data for wallet or payment method (guest)", + "oneOf": [ + { + "$ref": "#/components/schemas/WalletLastUsageData" + }, + { + "$ref": "#/components/schemas/GuestMethodLastUsageData" + } + ], + "discriminator": { + "propertyName": "type", + "mapping": { + "wallet": "#/components/schemas/WalletLastUsageData", + "guest": "#/components/schemas/GuestMethodLastUsageData" + } + } + }, + "WalletLastUsageData": { + "x-discriminator-value": "wallet", + "type": "object", + "description": "Last usage data for wallets.", + "properties": { + "walletId": { + "$ref": "#/components/schemas/WalletId" + }, + "date": { + "type": "string", + "format": "date-time" + }, + "type": { + "type": "string", + "description": "Discriminant type for last usage of a wallet, fixed value 'wallet'" + } + }, + "required": [ + "walletId", + "date", + "type" + ] + }, + "GuestMethodLastUsageData": { + "x-discriminator-value": "guest", + "type": "object", + "description": "Last usage data for guest method", + "properties": { + "paymentMethodId": { + "type": "string", + "format": "uuid", + "description": "eCommerce payment method id associated to this last usage" + }, + "date": { + "type": "string", + "format": "date-time" + }, + "type": { + "type": "string", + "description": "Discriminant type for 
last usage of a guest (non-wallet) payment method, fixed value 'guest'" + } + }, + "required": [ + "paymentMethodId", + "date", + "type" + ] + }, + "WalletId": { + "description": "Wallet identifier", + "type": "string", + "format": "uuid" + } + }, + "requestBodies": { + "UserLastPaymentMethodRequest": { + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/UserLastPaymentMethodRequest" + } + } + } + } + }, + "securitySchemes": { + "ApiKeyAuth": { + "type": "apiKey", + "name": "Ocp-Apim-Subscription-Key", + "in": "header" + } + } + } +} \ No newline at end of file From f7611978cd2c08ae7249f9154191b5df77b49ea0 Mon Sep 17 00:00:00 2001 From: ffppa Date: Tue, 8 Oct 2024 17:07:57 +0200 Subject: [PATCH 21/41] feat: [PAYMCLOUD-99] refactor static analysis with python (#2468) * test Signed-off-by: Fabio Felici * test Signed-off-by: Fabio Felici * Refactor static analysis workflow to use Python script Replaced shell script in `static_analysis_pr.yml` with a Python script for retrieving modified paths and determining the need for static analysis. Added steps for setting up Python and installing necessary packages. Improved clarity and maintainability of the workflow. Signed-off-by: Fabio Felici * Add test comment Signed-off-by: Fabio Felici * Remove commented-out code and cleanup TF data files Deleted unnecessary commented-out sections in workflow and Terraform data files to enhance readability. Adjusted whitespace and removed extraneous comments for a more streamlined codebase. Signed-off-by: Fabio Felici * Run pre-commit -a on repo Signed-off-by: Fabio Felici * Refactor path handling in static analysis workflow Updated the workflow to use pathlib for path manipulations and consolidated the get_modified_paths function call. This change also adjusts ignored paths, ensuring more accurate path detection and output. 
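Review bot: The `user-stats` tag's `externalDocs.url` is the placeholder `"TODO"`, which is not a valid URL and is what any rendering tool would show as the link to the technical specifications; either point it at the real document or drop the `externalDocs` object from the tag until one exists. The `ApiKeyAuth` scheme authenticates the subscribing client via `Ocp-Apim-Subscription-Key`, while the `userId` being written comes from the request body and is not tied to that key, so the operation description should state the trust model, e.g. `"Callers are trusted backend services; userId is taken from the request body and is not verified against the subscription key"`, otherwise readers may assume the end user is authenticated. The info description also has a typo: `"authenticated used"` should be `"authenticated user"`.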
Signed-off-by: Fabio Felici * Update IGNORED_PATHS and enhance path detection logic Revised IGNORED_PATHS to include relevant directories and improved path detection by simplifying the unique path extraction. Added logging for modified paths in both 'src' and 'domains' directories for better debugging and clarity. Signed-off-by: Fabio Felici * Refactor static analysis workflow conditionals Streamline the workflow by adding conditionals to specified steps based on the 'run_static_analysis' environment variable. This ensures steps are only executed when necessary, eliminating redundant checks and improving efficiency. Signed-off-by: Fabio Felici * Refactor path handling and improve git sparse-checkout logic Refactored the path extraction logic to better handle "src" and "domains" directory structures. Enhanced the git sparse-checkout process to operate directory by directory and added a reapply step for stability. Commented out unused steps to streamline the workflow. Signed-off-by: Fabio Felici * Refactor path handling in static analysis workflow Modified the script to use the full path for `get_required_path`, ensuring the correct directories are processed. This change helps maintain accuracy in the static analysis step of the CI pipeline. Signed-off-by: Fabio Felici * Simplify sparse-checkout in static analysis workflow Refactor sparse-checkout to use a single command with variables. This change reduces code complexity and potential errors by avoiding loops. Additionally, uncomment a section to validate the downloaded folders during the workflow. Signed-off-by: Fabio Felici * Change path separator in GitHub action to newline Switched from space to newline for modified paths in the static analysis workflow. This change ensures better readability and handling of paths in multi-line contexts. Added an echo statement for debugging modified folders. 
Signed-off-by: Fabio Felici * Change path separator in GitHub action to newline Switched from space to newline for modified paths in the static analysis workflow. This change ensures better readability and handling of paths in multi-line contexts. Added an echo statement for debugging modified folders. Signed-off-by: Fabio Felici * Update static analysis workflow to include 'scripts' folder Modified the script to ensure the 'scripts' folder is always included in the list of directories checked out via sparse-checkout. This change enables more comprehensive analysis by guaranteeing that the 'scripts' directory is analyzed along with any other modified folders. Signed-off-by: Fabio Felici --------- Signed-off-by: Fabio Felici Co-authored-by: Marco Mari <130982006+mamari90@users.noreply.github.com> --- .github/workflows/static_analysis_pr.yml | 197 +++++++++++------- src/core/.terraform.lock.hcl | 10 +- src/domains/apiconfig-app/00_azuread.tf | 2 +- .../nodo-common/03_cosmosdb_wisp_converter.tf | 4 +- src/domains/nodo-common/99_variables.tf | 28 +-- src/domains/nodo-common/README.md | 2 +- .../nodo-common/env/weu-dev/terraform.tfvars | 28 +-- .../nodo-common/env/weu-prod/terraform.tfvars | 28 +-- .../nodo-common/env/weu-uat/terraform.tfvars | 28 +-- .../env/itn-dev/terraform.tfvars | 2 +- .../env/itn-prod/terraform.tfvars | 2 +- .../env/itn-uat/terraform.tfvars | 2 +- src/domains/paymentoptions-common/README.md | 90 ++++++++ src/domains/paymentoptions-secrets/README.md | 65 ++++++ src/synthetic-monitoring/.terraform.lock.hcl | 21 -- 15 files changed, 344 insertions(+), 165 deletions(-) create mode 100644 src/domains/paymentoptions-common/README.md create mode 100644 src/domains/paymentoptions-secrets/README.md diff --git a/.github/workflows/static_analysis_pr.yml b/.github/workflows/static_analysis_pr.yml index 6ad6651860..d5fe7ea749 100644 --- a/.github/workflows/static_analysis_pr.yml +++ b/.github/workflows/static_analysis_pr.yml 
@@ -18,86 +18,141 @@ jobs: with: fetch-depth: 0 + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.x' + + - name: Install necessary packages + run: python -m pip install --upgrade pip + - name: 🔨 Get Modified Paths id: get-paths run: | - # - # Discover only the paths changed inside src and src/domains, between my current branch and origin/main - # - ignored_path="domains|scripts|github|.devops" - echo "get current branch" - current_branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}} - echo "current branch: $current_branch" - echo "get git diff" - git diff --name-only $current_branch origin/main --output=/tmp/diff.txt - echo "get modified paths from source" - # i'm using echo because using grep directly fails. it produces an invalid output that breaks the variable assignment - source_count=$(echo "$(egrep -v "$ignored_path" /tmp/diff.txt | wc -l )") - echo "source count: $source_count" - if [[ $source_count -eq 0 ]] - then - echo "in source if true" - modified_paths_source="" - else - echo "in source if false" - modified_paths_source=$(egrep -v "$ignored_path" /tmp/diff.txt | grep '/' | cut -d '/' -f 1,2 | uniq ) - fi - - echo "modified_paths_source: $modified_paths_source" - - echo "get modified paths from domains" - # i'm using echo because using grep directly fails. 
it produces an invalid output that breaks the variable assignment - domains_count=$(echo "$(grep 'domains' /tmp/diff.txt | wc -l )") - echo "domains count: $domains_count" - if [ $domains_count -eq 0 ] - then - echo "in domains if true" - modified_paths_domains="" - else - echo "in domains if false" - modified_paths_domains=$( grep 'domains' /tmp/diff.txt | grep '/' | cut -d '/' -f 1,2,3 | uniq ) - fi - echo "modified_paths_domains: $modified_paths_domains" - - echo "merge paths" - modified_paths="$modified_paths_source $modified_paths_domains" - echo "📌 modified_paths" - # - # This is the only way to pass a string with paths to other step without error, using env the paths force an error - # - echo "$modified_paths" > "/tmp/paths.txt" - - # Check if any of the modified files are in the 'src' directory - if echo "$modified_paths" | grep -q '^src/'; then - echo "src folder modified." - echo "run_static_analysis=true" >> $GITHUB_ENV - else - echo "src folder not modified." - echo "run_static_analysis=false" >> $GITHUB_ENV - fi - - shell: bash + import os + import subprocess + + IGNORED_PATHS = ["domains", "scripts", "github", ".devops"] + + def get_current_branch(): + result = subprocess.run(["git", "rev-parse", "--abbrev-ref", "HEAD"], capture_output=True, text=True) + return result.stdout.strip() + + def get_git_diff(current_branch): + subprocess.run(["git", "fetch", "origin"]) + result = subprocess.run(["git", "diff", "--name-only", current_branch, "origin/main"], capture_output=True, text=True) + with open('/tmp/diff.txt', 'w') as f: + f.write(result.stdout) + + def get_required_path(path): + # Split the path into its components + parts = path.split(os.sep) + + # Find the index of "src" and "domains" + try: + start_index = parts.index("src") # Find "src" + + # Check if "domains" is present and get up one higher level + if "domains" in parts[start_index:]: + domains_index = parts.index("domains", start_index) + if len(parts) > domains_index + 2: # Ensure there is 
a level after "domains" + end_index = 3 # Exclude the last part + # Include the parent of "domains" and all up to the second last part + return os.sep.join(parts[start_index:end_index]) + else: + return "" + else: # Handle paths not containing 'domains' + if len(parts) > start_index + 2: # Ensure there is enough depth + end_index = 2 # Exclude the last part + return os.sep.join(parts[start_index:end_index]) + else: + return "" + except (ValueError, IndexError) as e: + return "" + + + + def get_modified_paths(pattern, exclude_ignored=True): + with open('/tmp/diff.txt') as f: + lines = f.readlines() + if exclude_ignored: + paths = [ + line.strip() + for line in lines + if not any(ignored in line for ignored in IGNORED_PATHS) + ] + else: + paths = [line.strip() for line in lines if pattern in line] + # Removing duplicates and sorting + unique_paths = sorted(set([ + get_required_path(path) + for path in paths if path + ])) + return unique_paths + + def write_to_file(content, filepath): + with open(filepath, 'w') as f: + f.write(content) + + def main(): + current_branch = get_current_branch() + print(f"Current branch: {current_branch}") + + get_git_diff(current_branch) + + modified_paths_source = get_modified_paths('src/', exclude_ignored=True) + print(f"Modified paths in source: {modified_paths_source}") + + modified_paths_domains = get_modified_paths('domains', exclude_ignored=False) + print(f"Modified paths in domains: {modified_paths_domains}") + + modified_paths = "\n".join(modified_paths_source + modified_paths_domains) + print(f"📌 Modified paths: {modified_paths}") + + write_to_file(modified_paths, "/tmp/paths.txt") + + if any("src/" in path for path in modified_paths.split()): + print("src folder modified.") + with open(os.getenv('GITHUB_ENV'), 'a') as f: + f.write('run_static_analysis=true\n') + else: + print("src folder not modified.") + with open(os.getenv('GITHUB_ENV'), 'a') as f: + f.write('run_static_analysis=false\n') + if __name__ == "__main__": + main() 
+ shell: python + + - name: Read modified paths + if: env.run_static_analysis == 'true' + id: read_paths + run: | + modified_paths=$(cat /tmp/paths.txt) + echo "Modified paths: $modified_paths" + echo "::set-output name=modified_paths::$modified_paths" - - name: ⏬ Download only changed folders - id: download + - name: ⏬ Download Modified Folders Only + if: env.run_static_analysis == 'true' + id: download_changed_folders shell: bash run: | - # - # This allow to read all the paths and download only the changed folders - # - PAGOPA_MULTIPLE_FOLDERS=$(fold -w $(wc -L < "/tmp/paths.txt") < "/tmp/paths.txt") - echo $PAGOPA_MULTIPLE_FOLDERS + # Read all paths and download only the modified folders + MODIFIED_FOLDERS=($(cat /tmp/paths.txt)) + + # Include 'scripts' in the list of directories to checkout + MODIFIED_FOLDERS+=("scripts") + + # Initialize git sparse-checkout git sparse-checkout init --cone - git sparse-checkout set $PAGOPA_MULTIPLE_FOLDERS - git checkout -# - name: Checkout Modified Paths -# uses: actions/checkout@v4 -# with: -# sparse-checkout: | -# $(fold -w $(wc -L < "/tmp/paths.txt") < "/tmp/paths.txt") + # Set each path in MODIFIED_FOLDERS for sparse-checkout + git sparse-checkout set "${MODIFIED_FOLDERS[@]}" + + # Checkout the latest changes + git checkout - name: 👀 See folders downloaded + if: env.run_static_analysis == 'true' id: see shell: bash run: | @@ -109,5 +164,3 @@ jobs: uses: pagopa/eng-github-actions-iac-template/azure/terraform-static-analysis@v1.14.1 with: precommit_version: 'v1.89.1@sha256:1ea921bc4fe87651d41677218e537afdcdb8202e757e554b9866668eaba144c5' - - diff --git a/src/core/.terraform.lock.hcl b/src/core/.terraform.lock.hcl index 7744bde454..fc78b76e6a 100644 --- a/src/core/.terraform.lock.hcl +++ b/src/core/.terraform.lock.hcl 
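Review bot: `get_modified_paths` filters with `ignored in line`, a substring test, so any changed file whose path merely contains `scripts`, `github` or `domains` anywhere (for example a Terraform file under `src/<module>/scripts/`) is dropped from `modified_paths_source`, and because `pattern` is never applied when `exclude_ignored=True` the `'src/'` argument passed from `main` has no effect; together these can leave `run_static_analysis=false` for a change that should have been analysed. Matching whole path components and applying `pattern` in both branches closes the gap (sketch below; `IGNORED_PATHS` then needs `.github` rather than `github`). `get_required_path` slices with the absolute `end_index = 2`/`3` rather than offsets from `start_index`, which only holds while every path begins with `src`; `parts[start_index:start_index + 2]`-style slicing would make the intent explicit. The `Read modified paths` step still uses the deprecated `::set-output` command with a newline-separated value, which is not carried intact as a single output; `$GITHUB_OUTPUT` with a delimiter, or dropping the unused step, would be cleaner.
```python
IGNORED_PATHS = ["domains", "scripts", ".github", ".devops"]

def is_ignored(path):
    # Compare whole path components, not substrings, so a src/ change whose
    # path merely contains an ignored word still triggers the analysis.
    return any(part in IGNORED_PATHS for part in path.split("/"))

def get_modified_paths(pattern, exclude_ignored=True):
    with open('/tmp/diff.txt') as f:
        lines = [line.strip() for line in f if line.strip()]
    paths = [line for line in lines if pattern in line]
    if exclude_ignored:
        paths = [path for path in paths if not is_ignored(path)]
    # … unchanged: dedupe/sort through get_required_path …
```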
@@ -6,7 +6,6 @@ provider "registry.terraform.io/azure/azapi" { constraints = "<= 1.3.0" hashes = [ "h1:OWZNYEGEIunmpxEcbGveH+kkdELQfMCUYxLt1b25UOc=", - "h1:UTQiZ34OcSms4LZ2sAa1OarDXw31OtogqBj0SwZCoDY=", "h1:b4PzksrgRiHgOTVXIMTODOAlsvdj3uWSdCvA7lw+9ik=", "h1:h/ZVYAapVQ+W0R4P5IK/Mvsi84jiYTggmgJHZgfVbfg=", "h1:zpNS7i+p+MeA4h6xCbwXzcKtMeAn3je9k6J7DZQqReY=", @@ -29,7 +28,6 @@ provider "registry.terraform.io/hashicorp/azuread" { version = "2.6.0" constraints = "<= 2.6.0" hashes = [ - "h1:/TLx5zuskGl34jm/C+tq5TkxTKDoSLKjK+9Sfaajtrk=", "h1:5lT+b1kKoyop02xlv3WNVgb4khTRI4jHJ2+RaX5l4cc=", "h1:Zmsa6HlKVe+Kyx/3tlcKHTZemiF2f9ZiVhRATmcb9hk=", "h1:ae+PCUC7P4sruAUUrw7TqOZoaeNUpcquCe1OsjgxIYw=", @@ -52,7 +50,6 @@ provider "registry.terraform.io/hashicorp/azurerm" { version = "2.99.0" constraints = ">= 2.80.0, 2.99.0, <= 2.99.0" hashes = [ - "h1:/117tZcH4IXwcrMiZZ9eyTXkN1wF0Du1mJsnXeDln4U=", "h1:/M8yLHqv0uOm9IbHRa4yZvQORr9ir1QyJyIyjGs4ryQ=", "h1:/ZY1j8YgB5GeqPnjT8avyRFjUcGH3rCk1xGLKcUCtWc=", "h1:FXBB5TkvZpZA+ZRtofPvp5IHZpz4Atw7w9J8GDgMhvk=", @@ -76,7 +73,6 @@ provider "registry.terraform.io/hashicorp/local" { constraints = "<= 2.3.0" hashes = [ "h1:+l9ZTDGmGdwnuYI5ftUjwP8UgoLw4f4V9xoCzal4LW0=", - "h1:5/FNIrNdn6n33kZBXRjI9A6ci/1oUWtD9XLJdnd4wnw=", "h1:7y8CXQKtfyvrMCSWgCkCclNN9L161u6jO1dEGVaB5RQ=", "h1:QIfFmZI8Z9pjil7ikM17xG4+9B5+hCMlyA2HBeOLvq0=", "h1:U+DbBqKnXSIqC2z7qIko2dy8w6wwuZd89orPvfeqHk0=", 
@@ -97,12 +93,11 @@ provider "registry.terraform.io/hashicorp/local" { provider "registry.terraform.io/hashicorp/null" { version = "3.2.1" - constraints = ">= 3.0.0, <= 3.2.1" + constraints = "<= 3.2.1" hashes = [ "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", "h1:vUW21lLLsKlxtBf0QF7LKJreKxs0CM7YXGzqW1N/ODY=", - "h1:wqgRvlyVIbkCeCQs+5jj6zVuQL0KDxZZtNofGqqlSdI=", "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=", "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", @@ -123,7 +118,6 @@ provider "registry.terraform.io/hashicorp/random" { version = "3.4.3" constraints = "<= 3.4.3" hashes = [ - "h1:hV66lcagXXRwwCW3Y542bI1JgPo8z/taYKT7K+a2Z5U=", "h1:hXUPrH8igYBhatzatkp80RCeeUJGu9lQFDyKemOlsTo=", "h1:saZR+mhthL0OZl4SyHXZraxyaBNVMxiZzks78nWcZ2o=", "h1:tL3katm68lX+4lAncjQA9AXL4GR/VM+RPwqYf4D2X8Q=", @@ -150,7 +144,6 @@ provider "registry.terraform.io/hashicorp/time" { "h1:IkDriv5C9G+kQQ+mP+8QGIahwKgbQcw1/mzh9U6q+ZI=", "h1:UyhbtF79Wy4EVNrnvMcOPzmZLVQQyzM2ostfjs2l5PI=", "h1:bf7JCfBV8KHOJ0iicZ705maRJTeme0Br4QdBYnu1gMw=", - "h1:lRdsNTvt4IT3LGDrgQbepriDTbMKbIsbceTbM/bLGfw=", "h1:pQGSL9mdgw4qsLndFYsEF93mbsIxyxNoAyIbBqhS3Xo=", "zh:19a393db736ec4fd024d098d55aefaef07056c37a448ece3b55b3f5f4c2c7e4a", "zh:227fa1e221de2907f37be78d40c06ca6a6f7b243a1ec33ade014dfaf6d92cd9c", @@ -173,7 +166,6 @@ provider "registry.terraform.io/hashicorp/tls" { hashes = [ "h1:e4LBdJoZJNOQXPWgOAG0UuPBVhCStu98PieNlqJTmeU=", "h1:jb/Rg9inGYp4t8HtBoETESsQJgdmOHoe1bzzg2uNB3w=", - "h1:kcw9sNLNFMY2S0HIGOkjlwKtUc8lpqZsQGsC2SG9xEQ=", "h1:yLqz+skP3+EbU3yyvw8JqzflQTKDQGsC9QyZAg+S4dg=", "h1:zeG5RmggBZW/8JWIVrdaeSJa0OG62uFX5HY1eE8SjzY=", "zh:01cfb11cb74654c003f6d4e32bbef8f5969ee2856394a96d127da4949c65153e", diff --git a/src/domains/apiconfig-app/00_azuread.tf b/src/domains/apiconfig-app/00_azuread.tf index 14a0893a9f..b7f42c3c3b 100644 --- a/src/domains/apiconfig-app/00_azuread.tf 
+++ b/src/domains/apiconfig-app/00_azuread.tf @@ -13,4 +13,4 @@ data "azuread_group" "adgroup_externals" { data "azuread_group" "adgroup_security" { display_name = "${local.product}-adgroup-security" -} \ No newline at end of file +} diff --git a/src/domains/nodo-common/03_cosmosdb_wisp_converter.tf b/src/domains/nodo-common/03_cosmosdb_wisp_converter.tf index d5d88d690f..e1c9bf9192 100644 --- a/src/domains/nodo-common/03_cosmosdb_wisp_converter.tf +++ b/src/domains/nodo-common/03_cosmosdb_wisp_converter.tf @@ -70,8 +70,8 @@ locals { } }, { - name = "receipt-dead-letter", # contains all paaInviaRT sent but not accepted by EC and with fault code not in blacklist - partition_key_path = "/partitionKey", # contains 'yyyy-MM-dd' + name = "receipt-dead-letter", # contains all paaInviaRT sent but not accepted by EC and with fault code not in blacklist + partition_key_path = "/partitionKey", # contains 'yyyy-MM-dd' default_ttl = var.wisp_converter_cosmos_nosql_db_params.receipt_dead_letter_ttl autoscale_settings = { max_throughput = var.wisp_converter_cosmos_nosql_db_params.receipt_dead_letter_max_throughput diff --git a/src/domains/nodo-common/99_variables.tf b/src/domains/nodo-common/99_variables.tf index 18b4bdb8f4..cebbb2086c 100644 --- a/src/domains/nodo-common/99_variables.tf +++ b/src/domains/nodo-common/99_variables.tf 
@@ -369,20 +369,20 @@ variable "wisp_converter_cosmos_nosql_db_params" { is_virtual_network_filter_enabled = bool backup_continuous_enabled = bool - data_ttl = number - data_max_throughput = number - re_ttl = number - re_max_throughput = number - receipt_ttl = number - receipt_max_throughput = number - receipt_dead_letter_ttl = number - receipt_dead_letter_max_throughput = number - idempotency_ttl = number - idempotency_max_throughput = number - rt_ttl = number - rt_max_throughput = number - configuration_ttl = number - configuration_max_throughput = number + data_ttl = number + data_max_throughput = number + re_ttl = number + re_max_throughput = number + receipt_ttl = number + receipt_max_throughput = number + receipt_dead_letter_ttl = number + receipt_dead_letter_max_throughput = number + idempotency_ttl = number + idempotency_max_throughput = number + rt_ttl = number + rt_max_throughput = number + configuration_ttl = number + configuration_max_throughput = number }) } diff --git a/src/domains/nodo-common/README.md b/src/domains/nodo-common/README.md index 5d10809ddd..06d9741376 100644 --- a/src/domains/nodo-common/README.md +++ b/src/domains/nodo-common/README.md @@ -236,7 +236,7 @@ | [storage\_account\_snet\_private\_link\_service\_network\_policies\_enabled](#input\_storage\_account\_snet\_private\_link\_service\_network\_policies\_enabled) | If true, create a private link service | `bool` | `true` | no | | [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | | [verifyko\_cosmos\_nosql\_db\_params](#input\_verifyko\_cosmos\_nosql\_db\_params) | n/a |
object({
capabilities = list(string)
offer_type = string
server_version = string
kind = string
consistency_policy = object({
consistency_level = string
max_interval_in_seconds = number
max_staleness_prefix = number
})
main_geo_location_zone_redundant = bool
enable_free_tier = bool
additional_geo_locations = list(object({
location = string
failover_priority = number
zone_redundant = bool
}))
private_endpoint_enabled = bool
public_network_access_enabled = bool
is_virtual_network_filter_enabled = bool
backup_continuous_enabled = bool
events_ttl = number
max_throughput = number
})
| n/a | yes | -| [wisp\_converter\_cosmos\_nosql\_db\_params](#input\_wisp\_converter\_cosmos\_nosql\_db\_params) | n/a |
object({
capabilities = list(string)
offer_type = string
server_version = string
kind = string
consistency_policy = object({
consistency_level = string
max_interval_in_seconds = number
max_staleness_prefix = number
})
main_geo_location_zone_redundant = bool
enable_free_tier = bool
additional_geo_locations = list(object({
location = string
failover_priority = number
zone_redundant = bool
}))
private_endpoint_enabled = bool
public_network_access_enabled = bool
is_virtual_network_filter_enabled = bool
backup_continuous_enabled = bool

data_ttl = number
data_max_throughput = number
re_ttl = number
re_max_throughput = number
receipt_ttl = number
receipt_max_throughput = number
idempotency_ttl = number
idempotency_max_throughput = number
rt_ttl = number
rt_max_throughput = number
configuration_ttl = number
configuration_max_throughput = number
})
| n/a | yes | +| [wisp\_converter\_cosmos\_nosql\_db\_params](#input\_wisp\_converter\_cosmos\_nosql\_db\_params) | n/a |
object({
capabilities = list(string)
offer_type = string
server_version = string
kind = string
consistency_policy = object({
consistency_level = string
max_interval_in_seconds = number
max_staleness_prefix = number
})
main_geo_location_zone_redundant = bool
enable_free_tier = bool
additional_geo_locations = list(object({
location = string
failover_priority = number
zone_redundant = bool
}))
private_endpoint_enabled = bool
public_network_access_enabled = bool
is_virtual_network_filter_enabled = bool
backup_continuous_enabled = bool

data_ttl = number
data_max_throughput = number
re_ttl = number
re_max_throughput = number
receipt_ttl = number
receipt_max_throughput = number
receipt_dead_letter_ttl = number
receipt_dead_letter_max_throughput = number
idempotency_ttl = number
idempotency_max_throughput = number
rt_ttl = number
rt_max_throughput = number
configuration_ttl = number
configuration_max_throughput = number
})
| n/a | yes | | [wisp\_converter\_storage\_account](#input\_wisp\_converter\_storage\_account) | n/a |
object({
account_kind = string
account_tier = string
account_replication_type = string
advanced_threat_protection = bool
blob_delete_retention_days = number
blob_versioning_enabled = bool
public_network_access_enabled = bool
backup_enabled = bool
backup_retention_days = number
})
| n/a | yes | ## Outputs diff --git a/src/domains/nodo-common/env/weu-dev/terraform.tfvars b/src/domains/nodo-common/env/weu-dev/terraform.tfvars index bd0a55d4c6..78fd6d2096 100644 --- a/src/domains/nodo-common/env/weu-dev/terraform.tfvars +++ b/src/domains/nodo-common/env/weu-dev/terraform.tfvars @@ -208,20 +208,20 @@ wisp_converter_cosmos_nosql_db_params = { backup_continuous_enabled = false - data_ttl = 259200 # 3 days in second - data_max_throughput = 400 - re_ttl = 259200 # 3 days in second - re_max_throughput = 400 - receipt_ttl = 259200 # 3 days in second - receipt_max_throughput = 400 - receipt_dead_letter_ttl = 259200 # 3 days in second - receipt_dead_letter_max_throughput = 400 - idempotency_ttl = 259200 # 3 days in second - idempotency_max_throughput = 400 - rt_ttl = 259200 # 3 days in second - rt_max_throughput = 400 - configuration_ttl = -1 - configuration_max_throughput = 400 + data_ttl = 259200 # 3 days in second + data_max_throughput = 400 + re_ttl = 259200 # 3 days in second + re_max_throughput = 400 + receipt_ttl = 259200 # 3 days in second + receipt_max_throughput = 400 + receipt_dead_letter_ttl = 259200 # 3 days in second + receipt_dead_letter_max_throughput = 400 + idempotency_ttl = 259200 # 3 days in second + idempotency_max_throughput = 400 + rt_ttl = 259200 # 3 days in second + rt_max_throughput = 400 + configuration_ttl = -1 + configuration_max_throughput = 400 } cidr_subnet_cosmosdb_nodo_re = ["10.1.170.0/24"] diff --git a/src/domains/nodo-common/env/weu-prod/terraform.tfvars b/src/domains/nodo-common/env/weu-prod/terraform.tfvars index e20c711e5d..be0f054ce6 100644 --- a/src/domains/nodo-common/env/weu-prod/terraform.tfvars +++ b/src/domains/nodo-common/env/weu-prod/terraform.tfvars 
@@ -220,20 +220,20 @@ wisp_converter_cosmos_nosql_db_params = { backup_continuous_enabled = true - data_ttl = 10368000 # 120 days in second - data_max_throughput = 2000 - re_ttl = 31536000 # 1 year in second - re_max_throughput = 5000 - receipt_ttl = -1 # max - receipt_max_throughput = 2000 - receipt_dead_letter_ttl = 7884000 # 3 months in second - receipt_dead_letter_max_throughput = 1000 - idempotency_ttl = 604800 # 7 days in second - idempotency_max_throughput = 2000 - rt_ttl = 31536000 # 1 year in second - rt_max_throughput = 2000 - configuration_ttl = -1 # https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/time-to-live#time-to-live-for-containers-and-items - configuration_max_throughput = 1000 + data_ttl = 10368000 # 120 days in second + data_max_throughput = 2000 + re_ttl = 31536000 # 1 year in second + re_max_throughput = 5000 + receipt_ttl = -1 # max + receipt_max_throughput = 2000 + receipt_dead_letter_ttl = 7884000 # 3 months in second + receipt_dead_letter_max_throughput = 1000 + idempotency_ttl = 604800 # 7 days in second + idempotency_max_throughput = 2000 + rt_ttl = 31536000 # 1 year in second + rt_max_throughput = 2000 + configuration_ttl = -1 # https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/time-to-live#time-to-live-for-containers-and-items + configuration_max_throughput = 1000 } cidr_subnet_cosmosdb_nodo_re = ["10.1.170.0/24"] diff --git a/src/domains/nodo-common/env/weu-uat/terraform.tfvars b/src/domains/nodo-common/env/weu-uat/terraform.tfvars index d6ea7b3b6c..c13d047544 100644 --- a/src/domains/nodo-common/env/weu-uat/terraform.tfvars +++ b/src/domains/nodo-common/env/weu-uat/terraform.tfvars 
@@ -207,20 +207,20 @@ wisp_converter_cosmos_nosql_db_params = { backup_continuous_enabled = false - data_ttl = 604800 # 7 days in second - data_max_throughput = 1000 - re_ttl = 604800 # 7 days in second - re_max_throughput = 1000 - receipt_ttl = 604800 # 7 days in second - receipt_max_throughput = 1000 - receipt_dead_letter_ttl = 604800 # 7 days in second - receipt_dead_letter_max_throughput = 1000 - idempotency_ttl = 604800 # 7 days in second - idempotency_max_throughput = 1000 - rt_ttl = 604800 # 7 days in second - rt_max_throughput = 1000 - configuration_ttl = -1 # https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/time-to-live#time-to-live-for-containers-and-items - configuration_max_throughput = 1000 + data_ttl = 604800 # 7 days in second + data_max_throughput = 1000 + re_ttl = 604800 # 7 days in second + re_max_throughput = 1000 + receipt_ttl = 604800 # 7 days in second + receipt_max_throughput = 1000 + receipt_dead_letter_ttl = 604800 # 7 days in second + receipt_dead_letter_max_throughput = 1000 + idempotency_ttl = 604800 # 7 days in second + idempotency_max_throughput = 1000 + rt_ttl = 604800 # 7 days in second + rt_max_throughput = 1000 + configuration_ttl = -1 # https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/time-to-live#time-to-live-for-containers-and-items + configuration_max_throughput = 1000 } cidr_subnet_cosmosdb_nodo_re = ["10.1.170.0/24"] diff --git a/src/domains/paymentoptions-app/env/itn-dev/terraform.tfvars b/src/domains/paymentoptions-app/env/itn-dev/terraform.tfvars index 0406f0622e..a05aa001bb 100644 --- a/src/domains/paymentoptions-app/env/itn-dev/terraform.tfvars +++ b/src/domains/paymentoptions-app/env/itn-dev/terraform.tfvars @@ -34,6 +34,6 @@ apim_dns_zone_prefix = "dev.platform" ingress_load_balancer_ip = "10.3.2.250" is_feature_enabled = { - paymentoptions = true + paymentoptions = true paymentoptions_mock = true } 
diff --git a/src/domains/paymentoptions-app/env/itn-prod/terraform.tfvars b/src/domains/paymentoptions-app/env/itn-prod/terraform.tfvars index 93b75c946d..674ca7b069 100644 --- a/src/domains/paymentoptions-app/env/itn-prod/terraform.tfvars +++ b/src/domains/paymentoptions-app/env/itn-prod/terraform.tfvars @@ -34,7 +34,7 @@ apim_dns_zone_prefix = "platform" ingress_load_balancer_ip = "10.3.2.250" is_feature_enabled = { - paymentoptions = true + paymentoptions = true paymentoptions_mock = false } diff --git a/src/domains/paymentoptions-app/env/itn-uat/terraform.tfvars b/src/domains/paymentoptions-app/env/itn-uat/terraform.tfvars index 38f63671c5..c0219aa389 100644 --- a/src/domains/paymentoptions-app/env/itn-uat/terraform.tfvars +++ b/src/domains/paymentoptions-app/env/itn-uat/terraform.tfvars @@ -34,6 +34,6 @@ apim_dns_zone_prefix = "uat.platform" ingress_load_balancer_ip = "10.3.2.250" is_feature_enabled = { - paymentoptions = true + paymentoptions = true paymentoptions_mock = true } diff --git a/src/domains/paymentoptions-common/README.md b/src/domains/paymentoptions-common/README.md new file mode 100644 index 0000000000..2d8f16c513 --- /dev/null +++ b/src/domains/paymentoptions-common/README.md 
@@ -0,0 +1,90 @@ +# paymentoptions-common + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.6 | +| [azuread](#requirement\_azuread) | <= 2.47.0 | +| [azurerm](#requirement\_azurerm) | <= 3.106.0 | +| [null](#requirement\_null) | <= 3.2.2 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [eventhub\_namespace](#module\_eventhub\_namespace) | git::https://github.com/pagopa/terraform-azurerm-v3.git//eventhub | v8.22.0 | +| [eventhub\_paymentoptions\_configuration](#module\_eventhub\_paymentoptions\_configuration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//eventhub_configuration | v8.22.0 | +| [identity\_cd\_01](#module\_identity\_cd\_01) | github.com/pagopa/terraform-azurerm-v3//github_federated_identity | v8.22.0 | +| [identity\_pr\_01](#module\_identity\_pr\_01) | github.com/pagopa/terraform-azurerm-v3//github_federated_identity | v8.22.0 | +| [identity\_ref\_01](#module\_identity\_ref\_01) | github.com/pagopa/terraform-azurerm-v3//github_federated_identity | v8.36.1 | + +## Resources + +| Name | Type | +|------|------| +| [azurerm_key_vault_access_policy.gha_iac_managed_identities](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_access_policy.gha_pr_iac_managed_identities](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_access_policy.gha_ref_iac_managed_identities](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource | +| [azurerm_resource_group.eventhub_ita_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource 
| +| [azurerm_subnet.eventhub_italy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource | +| [null_resource.github_runner_app_permissions_to_namespace_cd_01](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [azurerm_application_insights.application_insights_italy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | +| [azurerm_key_vault.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | +| [azurerm_key_vault.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | +| [azurerm_kubernetes_cluster.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster) | data source | +| [azurerm_log_analytics_workspace.log_analytics_italy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source | +| [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | +| [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | +| [azurerm_private_dns_zone.eventhub](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | +| [azurerm_private_dns_zone.internal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | +| 
[azurerm_resource_group.identity_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | +| [azurerm_resource_group.monitor_italy_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | +| [azurerm_resource_group.rg_event_private_dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | +| [azurerm_resource_group.rg_vnet_italy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | +| [azurerm_subnet.aks_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azurerm_virtual_network.vnet_italy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cidr\_paymentoptions\_eventhub\_italy](#input\_cidr\_paymentoptions\_eventhub\_italy) | Address prefixes for all evh accounts in italy. | `list(string)` | n/a | yes | +| [dns\_zone\_internal\_prefix](#input\_dns\_zone\_internal\_prefix) | The dns subdomain. | `string` | `null` | no | +| [dns\_zone\_platform](#input\_dns\_zone\_platform) | The platform dns subdomain. | `string` | `null` | no | +| [dns\_zone\_prefix](#input\_dns\_zone\_prefix) | The wallet dns subdomain. | `string` | `null` | no | +| [domain](#input\_domain) | n/a | `string` | n/a | yes | +| [ehns\_alerts\_enabled](#input\_ehns\_alerts\_enabled) | Event hub alerts enabled? | `bool` | n/a | yes | +| [ehns\_auto\_inflate\_enabled](#input\_ehns\_auto\_inflate\_enabled) | Is Auto Inflate enabled for the EventHub Namespace? 
| `bool` | n/a | yes | +| [ehns\_capacity](#input\_ehns\_capacity) | Specifies the Capacity / Throughput Units for a Standard SKU namespace. | `number` | n/a | yes | +| [ehns\_maximum\_throughput\_units](#input\_ehns\_maximum\_throughput\_units) | Specifies the maximum number of throughput units when Auto Inflate is Enabled | `number` | n/a | yes | +| [ehns\_metric\_alerts](#input\_ehns\_metric\_alerts) | Map of name = criteria objects |
map(object({
# criteria.*.aggregation to be one of [Average Count Minimum Maximum Total]
aggregation = string
metric_name = string
description = string
# criteria.0.operator to be one of [Equals NotEquals GreaterThan GreaterThanOrEqual LessThan LessThanOrEqual]
operator = string
threshold = number
# Possible values are PT1M, PT5M, PT15M, PT30M and PT1H
frequency = string
# Possible values are PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H and P1D.
window_size = string

dimension = list(object(
{
name = string
operator = string
values = list(string)
}
))
}))
| `{}` | no | +| [ehns\_private\_endpoint\_is\_present](#input\_ehns\_private\_endpoint\_is\_present) | (Required) create private endpoint to the event hubs | `bool` | n/a | yes | +| [ehns\_public\_network\_access](#input\_ehns\_public\_network\_access) | (Required) enables public network access to the event hubs | `bool` | n/a | yes | +| [ehns\_sku\_name](#input\_ehns\_sku\_name) | Defines which tier to use. | `string` | n/a | yes | +| [ehns\_zone\_redundant](#input\_ehns\_zone\_redundant) | Specifies if the EventHub Namespace should be Zone Redundant (created across Availability Zones). | `bool` | n/a | yes | +| [env](#input\_env) | n/a | `string` | n/a | yes | +| [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes | +| [external\_domain](#input\_external\_domain) | Domain for delegation | `string` | `null` | no | +| [ingress\_load\_balancer\_ip](#input\_ingress\_load\_balancer\_ip) | n/a | `string` | n/a | yes | +| [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes | +| [is\_feature\_enabled](#input\_is\_feature\_enabled) | n/a |
object({
eventhub = bool
})
|
{
"eventhub": false
}
| no | +| [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes | +| [location\_short](#input\_location\_short) | One of wue, neu | `string` | `"itn"` | no | +| [log\_analytics\_italy\_workspace\_name](#input\_log\_analytics\_italy\_workspace\_name) | Specifies the name of the Log Analytics Workspace Italy. | `string` | n/a | yes | +| [log\_analytics\_italy\_workspace\_resource\_group\_name](#input\_log\_analytics\_italy\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace Italy is located in. | `string` | n/a | yes | +| [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | Specifies the name of the Log Analytics Workspace. | `string` | n/a | yes | +| [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes | +| [monitor\_italy\_resource\_group\_name](#input\_monitor\_italy\_resource\_group\_name) | Monitor Italy resource group name | `string` | n/a | yes | +| [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes | +| [prefix](#input\_prefix) | general | `string` | n/a | yes | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | + +## Outputs + +No outputs. + diff --git a/src/domains/paymentoptions-secrets/README.md b/src/domains/paymentoptions-secrets/README.md new file mode 100644 index 0000000000..ccd6f2a60c --- /dev/null +++ b/src/domains/paymentoptions-secrets/README.md 
@@ -0,0 +1,65 @@ +# paymentoptions-secrets + + +## Requirements + +| Name | Version | +|------|---------| +| [azuread](#requirement\_azuread) | <= 2.47.0 | +| [azurerm](#requirement\_azurerm) | <= 3.106.0 | +| [external](#requirement\_external) | <= 2.2.3 | +| [kubernetes](#requirement\_kubernetes) | <= 2.16.1 | +| [null](#requirement\_null) | <= 3.2.1 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [key\_vault](#module\_key\_vault) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v8.22.0 | +| [letsencrypt\_paymentoptions](#module\_letsencrypt\_paymentoptions) | git::https://github.com/pagopa/terraform-azurerm-v3.git///letsencrypt_credential | v8.44.0 | + +## Resources + +| Name | Type | +|------|------| +| [azurerm_key_vault_access_policy.ad_group_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_access_policy.adgroup_developers_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_access_policy.adgroup_externals_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_access_policy.azdevops_iac_managed_identities](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_access_policy.azdevops_iac_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_key_vault_key.sops_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key) | resource | +| [azurerm_key_vault_secret.secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| 
[azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | +| [azuread_service_principal.iac_principal](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | +| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azurerm_user_assigned_identity.iac_federated_azdo](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source | +| [external_external.terrasops](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [domain](#input\_domain) | n/a | `string` | n/a | yes | +| [enable\_iac\_pipeline](#input\_enable\_iac\_pipeline) | If true create the key vault policy to allow used by azure devops iac pipelines. 
| `bool` | `false` | no | +| [env](#input\_env) | n/a | `string` | n/a | yes | +| [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes | +| [input\_file](#input\_input\_file) | secret json file | `string` | n/a | yes | +| [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes | +| [kv-certificate-permissions-read](#input\_kv-certificate-permissions-read) | List of read certificate permissions | `list(string)` |
[
"Get",
"GetIssuers",
"List",
"ListIssuers"
]
| no | +| [kv-key-permissions-read](#input\_kv-key-permissions-read) | List of read key permissions | `list(string)` |
[
"Get",
"List"
]
| no | +| [kv-secret-permissions-read](#input\_kv-secret-permissions-read) | List of read secret permissions | `list(string)` |
[
"Get",
"List"
]
| no | +| [kv-storage-permissions-read](#input\_kv-storage-permissions-read) | List of read storage permissions | `list(string)` |
[
"Get",
"GetSAS",
"List",
"ListSAS"
]
| no | +| [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes | +| [location\_short](#input\_location\_short) | One of weu, itn | `string` | n/a | yes | +| [prefix](#input\_prefix) | n/a | `string` | n/a | yes | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | + +## Outputs + +No outputs. + diff --git a/src/synthetic-monitoring/.terraform.lock.hcl b/src/synthetic-monitoring/.terraform.lock.hcl index af0b201716..546970ef91 100644 --- a/src/synthetic-monitoring/.terraform.lock.hcl +++ b/src/synthetic-monitoring/.terraform.lock.hcl @@ -5,7 +5,6 @@ provider "registry.terraform.io/azure/azapi" { version = "1.11.0" constraints = "<= 1.11.0" hashes = [ - "h1:2XdCfYLngkv4Y9iPTKl4sLq9xEk3yDexcHyfY9rRbCk=", "h1:8pru4tJQouV7lc+fVH9jnhxxOPu8O7VQU4wuiySdl5Q=", "h1:PQmjPwDURyBD1CZDl/3Nv9oK3AXD6JUbRLITqRFdMP4=", "h1:nxSbPf052jbk91vEmlJ6JxV7AhJzyxRclLQAiDXORek=", @@ -32,7 +31,6 @@ provider "registry.terraform.io/hashicorp/azuread" { "h1:9gG6SWoUZZmmXbYBv6ra2RF5NYpamB9tGjsuBxrasFQ=", "h1:KbY8dRdbfTwTzEBcdOFdD50JX8CUG5Mni25D2+k1rGc=", "h1:akcofWscEl0ecIbf7lyEqRvPfOdA5q75EZvK8uSum1c=", - "h1:p9epRqujcxIMeT9THP0oNLGe4jjMBLjT5a7RntnFDaA=", "h1:qHYbB6LJsYPVUcd7QkZ5tU+IX+10VcUG4NzsmIuWdlE=", "zh:18c56e0478e8b3849f6d52f7e0ee495538e7fce66f22fc84a79599615e50ad1c", "zh:1b95ba8dddc46c744b2d2be7da6fafaa8ebd8368d46ff77416a95cb7d622251e", @@ -54,7 +52,6 @@ provider "registry.terraform.io/hashicorp/azurerm" { constraints = ">= 3.30.0, <= 3.85.0" hashes = [ "h1:BX6+m8KJATrpqlwBSyA63Fmwjvgwcs/v1qwB7B5GLCU=", - "h1:JLkmrm6Jcy4m0a3SrT26EU7b0njwFuhfflBZWUij7mA=", "h1:UW2HuNrkVexKwNYbkI1Xr/B3ip/cCgizIjfKN+ulpPs=", "h1:vPlaTsywMaTyPPYPy0t8twBwrYOGckDFg4kQ5yyJG0U=", "h1:wcPRNQKHyR5boMFYQblUqVCbPyxuLlXpVgzMK3cLAPo=", @@ -80,7 +77,6 @@ provider "registry.terraform.io/hashicorp/null" { "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", "h1:vUW21lLLsKlxtBf0QF7LKJreKxs0CM7YXGzqW1N/ODY=", - "h1:wqgRvlyVIbkCeCQs+5jj6zVuQL0KDxZZtNofGqqlSdI=", "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=", "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", 
@@ -96,20 +92,3 @@ provider "registry.terraform.io/hashicorp/null" { "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", ] } - -provider "registry.terraform.io/hashicorp/template" { - version = "2.2.0" - hashes = [ - "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=", - "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", - "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", - "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", - "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", - "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", - "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", - "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", - "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", - "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", - "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", - ] -} From f1f25708aeec3efc76028771333ffcc9de2adba3 Mon Sep 17 00:00:00 2001 From: EmanueleBVtech Date: Tue, 8 Oct 2024 18:52:43 +0200 Subject: [PATCH 22/41] feat: [CHK-3277] Generated new queue for CDC walled ingestion (#2461) * feat: generated new queue for CDC walled ingestion * Update _base_policy.xml.tpl * fix: docs --------- Co-authored-by: Simone infante <52280205+infantesimone@users.noreply.github.com> Co-authored-by: Simone Infante --- src/domains/ecommerce-common/README.md | 12 ++++++------ src/domains/pay-wallet-common/03_storage.tf | 12 ++++++++++++ src/domains/pay-wallet-common/README.md | 2 ++ 3 files changed, 20 insertions(+), 6 deletions(-) diff --git a/src/domains/ecommerce-common/README.md b/src/domains/ecommerce-common/README.md index b8b9cd1b03..9db290738c 100644 --- a/src/domains/ecommerce-common/README.md +++ b/src/domains/ecommerce-common/README.md 
@@ -153,12 +153,12 @@ | [cidr\_subnet\_cosmosdb\_ecommerce](#input\_cidr\_subnet\_cosmosdb\_ecommerce) | Cosmos DB address space for ecommerce. | `list(string)` | n/a | yes | | [cidr\_subnet\_redis\_ecommerce](#input\_cidr\_subnet\_redis\_ecommerce) | Redis DB address space for ecommerce. | `list(string)` | n/a | yes | | [cidr\_subnet\_storage\_ecommerce](#input\_cidr\_subnet\_storage\_ecommerce) | Azure storage DB address space for ecommerce. | `list(string)` | n/a | yes | -| [cosmos\_mongo\_db\_ecommerce\_params](#input\_cosmos\_mongo\_db\_ecommerce\_params) | n/a |
object({
enable_serverless = bool
enable_autoscaling = bool
throughput = number
max_throughput = number
})
| n/a | yes | -| [cosmos\_mongo\_db\_params](#input\_cosmos\_mongo\_db\_params) | n/a |
object({
enabled = bool
capabilities = list(string)
offer_type = string
server_version = string
kind = string
consistency_policy = object({
consistency_level = string
max_interval_in_seconds = number
max_staleness_prefix = number
})
enable_free_tier = bool
main_geo_location_zone_redundant = bool
additional_geo_locations = list(object({
location = string
failover_priority = number
zone_redundant = bool
}))
private_endpoint_enabled = bool
public_network_access_enabled = bool
is_virtual_network_filter_enabled = bool
backup_continuous_enabled = bool
enable_provisioned_throughput_exceeded_alert = bool
})
| n/a | yes | +| [cosmos\_mongo\_db\_ecommerce\_params](#input\_cosmos\_mongo\_db\_ecommerce\_params) | n/a |
object({
enable_serverless = bool
enable_autoscaling = bool
throughput = number
max_throughput = number
})
| n/a | yes | +| [cosmos\_mongo\_db\_params](#input\_cosmos\_mongo\_db\_params) | n/a |
object({
enabled = bool
capabilities = list(string)
offer_type = string
server_version = string
kind = string
consistency_policy = object({
consistency_level = string
max_interval_in_seconds = number
max_staleness_prefix = number
})
enable_free_tier = bool
main_geo_location_zone_redundant = bool
additional_geo_locations = list(object({
location = string
failover_priority = number
zone_redundant = bool
}))
private_endpoint_enabled = bool
public_network_access_enabled = bool
is_virtual_network_filter_enabled = bool
backup_continuous_enabled = bool
enable_provisioned_throughput_exceeded_alert = bool
})
| n/a | yes | | [dns\_zone\_internal\_prefix](#input\_dns\_zone\_internal\_prefix) | The dns subdomain. | `string` | `null` | no | | [domain](#input\_domain) | n/a | `string` | n/a | yes | -| [ecommerce\_storage\_deadletter\_params](#input\_ecommerce\_storage\_deadletter\_params) | Azure storage DB params for ecommerce deadletter resources. |
object({
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": true,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 7,
"tier": "Standard"
}
| no | -| [ecommerce\_storage\_transient\_params](#input\_ecommerce\_storage\_transient\_params) | Azure storage DB params for ecommerce transient resources. |
object({
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": true,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 7,
"tier": "Standard"
}
| no | +| [ecommerce\_storage\_deadletter\_params](#input\_ecommerce\_storage\_deadletter\_params) | Azure storage DB params for ecommerce deadletter resources. |
object({
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": true,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 7,
"tier": "Standard"
}
| no | +| [ecommerce\_storage\_transient\_params](#input\_ecommerce\_storage\_transient\_params) | Azure storage DB params for ecommerce transient resources. |
object({
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": true,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 7,
"tier": "Standard"
}
| no | | [enable\_iac\_pipeline](#input\_enable\_iac\_pipeline) | If true create the key vault policy to allow used by azure devops iac pipelines. | `bool` | `false` | no | | [env](#input\_env) | n/a | `string` | n/a | yes | | [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes | @@ -171,8 +171,8 @@ | [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes | | [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes | | [prefix](#input\_prefix) | n/a | `string` | n/a | yes | -| [redis\_ecommerce\_params](#input\_redis\_ecommerce\_params) | n/a |
object({
capacity = number
sku_name = string
family = string
version = string
ha_enabled = bool
zones = list(number)
})
| n/a | yes | -| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | +| [redis\_ecommerce\_params](#input\_redis\_ecommerce\_params) | n/a |
object({
capacity = number
sku_name = string
family = string
version = string
ha_enabled = bool
zones = list(number)
})
| n/a | yes | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | ## Outputs diff --git a/src/domains/pay-wallet-common/03_storage.tf b/src/domains/pay-wallet-common/03_storage.tf index 202e45b2be..2f03134a1e 100644 --- a/src/domains/pay-wallet-common/03_storage.tf +++ b/src/domains/pay-wallet-common/03_storage.tf @@ -80,6 +80,18 @@ resource "azurerm_storage_queue" "pay_wallet_wallet_expiration_queue_blue" { storage_account_name = module.pay_wallet_storage[0].name } +resource "azurerm_storage_queue" "pay_wallet_cdc_queue" { + name = "${local.project}-cdc-queue" + storage_account_name = module.pay_wallet_storage[0].name +} + +//storage queue for blue deployment +resource "azurerm_storage_queue" "pay_wallet_cdc_queue_blue" { + count = var.env_short == "u" ? 1 : 0 + name = "${local.project}-cdc-queue-b" + storage_account_name = module.pay_wallet_storage[0].name +} + # wallet queue alert diagnostic settings resource "azurerm_monitor_diagnostic_setting" "pay_wallet_queue_diagnostics" { count = var.is_feature_enabled.storage && var.env_short == "p" ? 1 : 0 diff --git a/src/domains/pay-wallet-common/README.md b/src/domains/pay-wallet-common/README.md index 8565ff67e5..e64c0e166f 100644 --- a/src/domains/pay-wallet-common/README.md +++ b/src/domains/pay-wallet-common/README.md 
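Review bot: The new `pay_wallet_cdc_queue` indexes `module.pay_wallet_storage[0]` with no `count` guard, while the diagnostic setting right below it is gated on `var.is_feature_enabled.storage`; if that flag disables the storage module, a plan fails on the new queue instead of skipping it. The adjacent `pay_wallet_wallet_expiration_queue_blue` follows the same unguarded pattern, so this may be accepted in the file, but `count = var.is_feature_enabled.storage ? 1 : 0` on `pay_wallet_cdc_queue` (and combined with the existing `var.env_short == "u"` test on the blue queue) would make the new resources consistent with `pay_wallet_queue_diagnostics`. The added comment `//storage queue for blue deployment` uses `//` where the surrounding file uses `#`. The hunk does not show whether `pay_wallet_queue_diagnostics` covers every queue of the account or an explicit list, so confirm the new queue is included in monitoring before relying on its alerts.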
@@ -77,6 +77,8 @@ | [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.storage_pay_wallet_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.wallet_fe_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_storage_queue.pay_wallet_cdc_queue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_queue) | resource | +| [azurerm_storage_queue.pay_wallet_cdc_queue_blue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_queue) | resource | | [azurerm_storage_queue.pay_wallet_usage_update_queue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_queue) | resource | | [azurerm_storage_queue.pay_wallet_usage_update_queue_blue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_queue) | resource | | [azurerm_storage_queue.pay_wallet_wallet_expiration_queue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_queue) | resource | From f325f7400d57767f7420b2c750219acfed0a12ba Mon Sep 17 00:00:00 2001 From: Marco Mari <130982006+mamari90@users.noreply.github.com> Date: Wed, 9 Oct 2024 12:12:09 +0200 Subject: [PATCH 23/41] feat: Added 2 new ips to prod net gw (#2448) --- src/next-core/08_natgateway.tf | 33 ++++++++++++++++++++++--- src/next-core/99_main.tf | 1 + src/next-core/README.md | 44 ++++++++++++++++++---------------- 3 files changed, 54 insertions(+), 24 deletions(-) diff --git a/src/next-core/08_natgateway.tf b/src/next-core/08_natgateway.tf index 06ae98fa43..de1c14eeba 100644 --- a/src/next-core/08_natgateway.tf +++ b/src/next-core/08_natgateway.tf 
@@ -2,19 +2,46 @@ locals {
 subnet_in_nat_gw_ids = var.is_feature_enabled.node_forwarder_ha_enabled ? [] : [
 module.node_forwarder_snet[0].id #pagopa-node-forwarder ( aka GAD replacemnet )
 ]
+
+ zones = ["1"]
+}
+
+resource "azurerm_public_ip" "nat_ip_03" {
+ count = var.env == "p" ? 1 : 0
+ name = "${local.product}-natgw-pip-03"
+ location = azurerm_resource_group.rg_vnet.location
+ resource_group_name = azurerm_resource_group.rg_vnet.name
+ allocation_method = "Static"
+ sku = "Standard"
+ zones = local.zones
+
+ tags = var.tags
+}
+
+resource "azurerm_public_ip" "nat_ip_04" {
+ count = var.env == "p" ? 1 : 0
+ name = "${local.product}-natgw-pip-04"
+ location = azurerm_resource_group.rg_vnet.location
+ resource_group_name = azurerm_resource_group.rg_vnet.name
+ allocation_method = "Static"
+ sku = "Standard"
+ zones = local.zones
+
+ tags = var.tags
 }
 module "nat_gw" {
 count = var.nat_gateway_enabled ? 1 : 0
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//nat_gateway?ref=v7.50.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//nat_gateway?ref=v8.47.0"
 name = format("%s-natgw", local.product)
 resource_group_name = azurerm_resource_group.rg_vnet.name
 location = azurerm_resource_group.rg_vnet.location
 public_ips_count = var.nat_gateway_public_ips
- zones = ["1"]
+ zones = local.zones
 subnet_ids = local.subnet_in_nat_gw_ids
-
+ # commented out, waiting for EC to allow the new ips
+ # additional_public_ip_ids = var.env == "p" ? [azurerm_public_ip.nat_ip_03[0].id, azurerm_public_ip.nat_ip_04[0].id] : []
 tags = var.tags
 }
diff --git a/src/next-core/99_main.tf b/src/next-core/99_main.tf
index 46804b7ad9..19703f62ee 100644
--- a/src/next-core/99_main.tf
+++ b/src/next-core/99_main.tf
@@ -30,6 +30,7 @@ terraform {
 provider "azurerm" {
 features {}
+ skip_provider_registration = true
 }
 data "azurerm_subscription" "current" {}
diff --git a/src/next-core/README.md b/src/next-core/README.md
index 8e9bfaadd4..f151efcbb9 100644
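Review bot: Both new `azurerm_public_ip` resources gate on `var.env == "p"`, whereas the other Terraform in this patch series (pay-wallet-common, gps-app) compares `var.env_short` against single-letter codes and next-core's README lists `env` and `env_short` as separate inputs; if `env` carries the long environment name in prod, the count evaluates to 0 and neither IP is ever created. Worth confirming against the prod tfvars, or switching to `count = var.env_short == "p" ? 1 : 0` for consistency with the rest of the repository (the commented-out `additional_public_ip_ids` expression uses the same condition and would need the same change). The note `# commented out, waiting for EC to allow the new ips` would be easier to act on later if it named what it is waiting on, e.g. `# TODO(<ticket-id>): enable once EC allows the new ips`. The `nat_gw` source bump from `v7.50.0` to `v8.47.0` is a major-version jump; a sentence in the commit description saying the plan was checked for replacement of the existing gateway would reassure reviewers.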
--- a/src/next-core/README.md
+++ b/src/next-core/README.md
@@ -40,7 +40,7 @@
 | [key\_vault](#module\_key\_vault) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault | v8.22.0 |
 | [loadtest\_agent\_snet](#module\_loadtest\_agent\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.13.0 |
 | [logos\_donation\_flows\_sa](#module\_logos\_donation\_flows\_sa) | git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account | v7.50.0 |
-| [nat\_gw](#module\_nat\_gw) | git::https://github.com/pagopa/terraform-azurerm-v3.git//nat_gateway | v7.50.0 |
+| [nat\_gw](#module\_nat\_gw) | git::https://github.com/pagopa/terraform-azurerm-v3.git//nat_gateway | v8.47.0 |
 | [node\_forwarder\_app\_service](#module\_node\_forwarder\_app\_service) | git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service | v7.69.1 |
 | [node\_forwarder\_ha\_snet](#module\_node\_forwarder\_ha\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.69.1 |
 | [node\_forwarder\_slot\_staging](#module\_node\_forwarder\_slot\_staging) | git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service_slot | v7.60.0 |
@@ -228,6 +228,8 @@ | [azurerm_public_ip.apim_pip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource | | [azurerm_public_ip.appgateway_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource | | [azurerm_public_ip.integration_appgateway_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource | +| [azurerm_public_ip.nat_ip_03](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource | +| [azurerm_public_ip.nat_ip_04](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource | | [azurerm_resource_group.assets_cdn_platform_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.azdo_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.container_registry_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | @@ -325,15 +327,15 @@ | [apim\_enable\_nm3\_decoupler\_switch](#input\_apim\_enable\_nm3\_decoupler\_switch) | Enable switch backend address in NM3 algorithm logic | `bool` | `false` | no | | [apim\_enable\_routing\_decoupler\_switch](#input\_apim\_enable\_routing\_decoupler\_switch) | Enable switch backend address in Routing algorithm logic | `bool` | `false` | no | | [apim\_v2\_alerts\_enabled](#input\_apim\_v2\_alerts\_enabled) | Enable alerts | `bool` | `true` | no | -| [apim\_v2\_autoscale](#input\_apim\_v2\_autoscale) | Configure Apim autoscale on capacity metric |
object(
{
enabled = bool
default_instances = number
minimum_instances = number
maximum_instances = number
scale_out_capacity_percentage = number
scale_out_time_window = string
scale_out_value = string
scale_out_cooldown = string
scale_in_capacity_percentage = number
scale_in_time_window = string
scale_in_value = string
scale_in_cooldown = string
}
)
|
{
"default_instances": 1,
"enabled": false,
"maximum_instances": 5,
"minimum_instances": 1,
"scale_in_capacity_percentage": 30,
"scale_in_cooldown": "PT30M",
"scale_in_time_window": "PT30M",
"scale_in_value": "1",
"scale_out_capacity_percentage": 60,
"scale_out_cooldown": "PT45M",
"scale_out_time_window": "PT10M",
"scale_out_value": "2"
}
| no | +| [apim\_v2\_autoscale](#input\_apim\_v2\_autoscale) | Configure Apim autoscale on capacity metric |
object(
{
enabled = bool
default_instances = number
minimum_instances = number
maximum_instances = number
scale_out_capacity_percentage = number
scale_out_time_window = string
scale_out_value = string
scale_out_cooldown = string
scale_in_capacity_percentage = number
scale_in_time_window = string
scale_in_value = string
scale_in_cooldown = string
}
)
|
{
"default_instances": 1,
"enabled": false,
"maximum_instances": 5,
"minimum_instances": 1,
"scale_in_capacity_percentage": 30,
"scale_in_cooldown": "PT30M",
"scale_in_time_window": "PT30M",
"scale_in_value": "1",
"scale_out_capacity_percentage": 60,
"scale_out_cooldown": "PT45M",
"scale_out_time_window": "PT10M",
"scale_out_value": "2"
}
| no | | [apim\_v2\_publisher\_name](#input\_apim\_v2\_publisher\_name) | n/a | `string` | n/a | yes | | [apim\_v2\_sku](#input\_apim\_v2\_sku) | n/a | `string` | n/a | yes | | [apim\_v2\_subnet\_nsg\_security\_rules](#input\_apim\_v2\_subnet\_nsg\_security\_rules) | Network security rules for APIM subnet | `list(any)` | n/a | yes | -| [apim\_v2\_zones](#input\_apim\_v2\_zones) | (Optional) Zones in which the apim will be deployed | `list(string)` |
[
"1"
]
| no | +| [apim\_v2\_zones](#input\_apim\_v2\_zones) | (Optional) Zones in which the apim will be deployed | `list(string)` |
[
"1"
]
| no | | [app\_gateway\_alerts\_enabled](#input\_app\_gateway\_alerts\_enabled) | Enable alerts | `bool` | `true` | no | -| [app\_gateway\_allowed\_fdr\_soap\_action](#input\_app\_gateway\_allowed\_fdr\_soap\_action) | Allowed SOAPAction header for upload platform fqdn | `list(string)` |
[
"nodoInviaFlussoRendicontazione",
"nodoChiediFlussoRendicontazione",
"nodoChiediElencoFlussiRendicontazione"
]
| no | -| [app\_gateway\_allowed\_paths\_pagopa\_onprem\_only](#input\_app\_gateway\_allowed\_paths\_pagopa\_onprem\_only) | Allowed paths from pagopa onprem only |
object({
paths = list(string)
ips = list(string)
})
| n/a | yes | -| [app\_gateway\_allowed\_paths\_upload](#input\_app\_gateway\_allowed\_paths\_upload) | Allowed paths from pagopa for upload platform fqdn | `list(string)` |
[
"/upload/gpd/.*",
"/nodo-auth/node-for-psp/.*",
"/nodo-auth/nodo-per-psp/.*",
"/nodo/nodo-per-psp/.*",
"/fdr-legacy/nodo-per-pa/.*",
"/nodo/nodo-per-pa/.*",
"/nodo-auth/nodo-per-pa/.*",
"/nodo-auth/node-for-pa/.*",
"/nodo/node-for-psp/.*"
]
| no | +| [app\_gateway\_allowed\_fdr\_soap\_action](#input\_app\_gateway\_allowed\_fdr\_soap\_action) | Allowed SOAPAction header for upload platform fqdn | `list(string)` |
[
"nodoInviaFlussoRendicontazione",
"nodoChiediFlussoRendicontazione",
"nodoChiediElencoFlussiRendicontazione"
]
| no | +| [app\_gateway\_allowed\_paths\_pagopa\_onprem\_only](#input\_app\_gateway\_allowed\_paths\_pagopa\_onprem\_only) | Allowed paths from pagopa onprem only |
object({
paths = list(string)
ips = list(string)
})
| n/a | yes | +| [app\_gateway\_allowed\_paths\_upload](#input\_app\_gateway\_allowed\_paths\_upload) | Allowed paths from pagopa for upload platform fqdn | `list(string)` |
[
"/upload/gpd/.*",
"/nodo-auth/node-for-psp/.*",
"/nodo-auth/nodo-per-psp/.*",
"/nodo/nodo-per-psp/.*",
"/fdr-legacy/nodo-per-pa/.*",
"/nodo/nodo-per-pa/.*",
"/nodo-auth/nodo-per-pa/.*",
"/nodo-auth/node-for-pa/.*",
"/nodo/node-for-psp/.*"
]
| no | | [app\_gateway\_api\_certificate\_name](#input\_app\_gateway\_api\_certificate\_name) | Application gateway api certificate name on Key Vault | `string` | n/a | yes | | [app\_gateway\_deny\_paths](#input\_app\_gateway\_deny\_paths) | Deny paths on app gateway | `list(string)` | `[]` | no | | [app\_gateway\_deny\_paths\_2](#input\_app\_gateway\_deny\_paths\_2) | Deny paths on app gateway | `list(string)` | `[]` | no | @@ -379,14 +381,14 @@ | [cidr\_subnet\_eventhub](#input\_cidr\_subnet\_eventhub) | Address prefixes subnet eventhub | `list(string)` | `null` | no | | [cidr\_subnet\_loadtest\_agent](#input\_cidr\_subnet\_loadtest\_agent) | LoadTest Agent Pool address space | `list(string)` | `null` | no | | [cidr\_subnet\_node\_forwarder](#input\_cidr\_subnet\_node\_forwarder) | Address prefixes subnet node forwarder | `list(string)` | `null` | no | -| [cidr\_subnet\_redis](#input\_cidr\_subnet\_redis) | Redis network address space. | `list(string)` |
[
"10.1.163.0/24"
]
| no | +| [cidr\_subnet\_redis](#input\_cidr\_subnet\_redis) | Redis network address space. | `list(string)` |
[
"10.1.163.0/24"
]
| no | | [cidr\_subnet\_tools\_cae](#input\_cidr\_subnet\_tools\_cae) | Tool container app env, network address space. | `list(string)` | n/a | yes | -| [cidr\_subnet\_vpn](#input\_cidr\_subnet\_vpn) | VPN network address space. | `list(string)` |
[
""
]
| no | +| [cidr\_subnet\_vpn](#input\_cidr\_subnet\_vpn) | VPN network address space. | `list(string)` |
[
""
]
| no | | [cidr\_vnet](#input\_cidr\_vnet) | Virtual network address space. | `list(string)` | n/a | yes | | [cidr\_vnet\_integration](#input\_cidr\_vnet\_integration) | Virtual network to peer with sia subscription. It should host apim | `list(string)` | n/a | yes | | [cidr\_vnet\_italy](#input\_cidr\_vnet\_italy) | Address prefixes for vnet in italy. | `list(string)` | n/a | yes | | [create\_redis\_multiaz](#input\_create\_redis\_multiaz) | (Optional) true if a multi az premium instance of redis is required | `bool` | `false` | no | -| [ddos\_protection\_plan](#input\_ddos\_protection\_plan) | Network |
object({
id = string
enable = bool
})
| `null` | no | +| [ddos\_protection\_plan](#input\_ddos\_protection\_plan) | Network |
object({
id = string
enable = bool
})
| `null` | no | | [default\_node\_id](#input\_default\_node\_id) | Default NodeId according to default base url | `string` | n/a | yes | | [devops\_agent\_balance\_zones](#input\_devops\_agent\_balance\_zones) | (Optional) True if the devops agent instances must be evenly balanced between the configured zones | `bool` | `false` | no | | [devops\_agent\_zones](#input\_devops\_agent\_zones) | (Optional) List of zones in which the scale set for azdo agent will be deployed | `list(number)` | `null` | no | @@ -407,18 +409,18 @@ | [ehns\_auto\_inflate\_enabled](#input\_ehns\_auto\_inflate\_enabled) | Is Auto Inflate enabled for the EventHub Namespace? | `bool` | `false` | no | | [ehns\_capacity](#input\_ehns\_capacity) | Specifies the Capacity / Throughput Units for a Standard SKU namespace. | `number` | `null` | no | | [ehns\_maximum\_throughput\_units](#input\_ehns\_maximum\_throughput\_units) | Specifies the maximum number of throughput units when Auto Inflate is Enabled | `number` | `null` | no | -| [ehns\_metric\_alerts](#input\_ehns\_metric\_alerts) | Map of name = criteria objects |
map(object({
# criteria.*.aggregation to be one of [Average Count Minimum Maximum Total]
aggregation = string
metric_name = string
description = string
# criteria.0.operator to be one of [Equals NotEquals GreaterThan GreaterThanOrEqual LessThan LessThanOrEqual]
operator = string
threshold = number
# Possible values are PT1M, PT5M, PT15M, PT30M and PT1H
frequency = string
# Possible values are PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H and P1D.
window_size = string

dimension = list(object(
{
name = string
operator = string
values = list(string)
}
))
}))
| `{}` | no | +| [ehns\_metric\_alerts](#input\_ehns\_metric\_alerts) | Map of name = criteria objects |
map(object({
# criteria.*.aggregation to be one of [Average Count Minimum Maximum Total]
aggregation = string
metric_name = string
description = string
# criteria.0.operator to be one of [Equals NotEquals GreaterThan GreaterThanOrEqual LessThan LessThanOrEqual]
operator = string
threshold = number
# Possible values are PT1M, PT5M, PT15M, PT30M and PT1H
frequency = string
# Possible values are PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H and P1D.
window_size = string

dimension = list(object(
{
name = string
operator = string
values = list(string)
}
))
}))
| `{}` | no | | [ehns\_public\_network\_access](#input\_ehns\_public\_network\_access) | (Required) enables public network access to the event hubs | `bool` | n/a | yes | | [ehns\_sku\_name](#input\_ehns\_sku\_name) | Defines which tier to use. | `string` | `"Standard"` | no | | [ehns\_zone\_redundant](#input\_ehns\_zone\_redundant) | Specifies if the EventHub Namespace should be Zone Redundant (created across Availability Zones). | `bool` | `false` | no | | [enable\_logos\_backup](#input\_enable\_logos\_backup) | (Optional) Enables nodo sftp storage account backup | `bool` | `true` | no | | [env](#input\_env) | n/a | `string` | n/a | yes | | [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes | -| [eventhubs\_03](#input\_eventhubs\_03) | A list of event hubs to add to namespace. |
list(object({
name = string
partitions = number
message_retention = number
consumers = list(string)
keys = list(object({
name = string
listen = bool
send = bool
manage = bool
}))
}))
| `[]` | no | -| [eventhubs\_04](#input\_eventhubs\_04) | A list of event hubs to add to namespace. |
list(object({
name = string
partitions = number
message_retention = number
consumers = list(string)
keys = list(object({
name = string
listen = bool
send = bool
manage = bool
}))
}))
| `[]` | no | +| [eventhubs\_03](#input\_eventhubs\_03) | A list of event hubs to add to namespace. |
list(object({
name = string
partitions = number
message_retention = number
consumers = list(string)
keys = list(object({
name = string
listen = bool
send = bool
manage = bool
}))
}))
| `[]` | no | +| [eventhubs\_04](#input\_eventhubs\_04) | A list of event hubs to add to namespace. |
list(object({
name = string
partitions = number
message_retention = number
consumers = list(string)
keys = list(object({
name = string
listen = bool
send = bool
manage = bool
}))
}))
| `[]` | no | | [external\_domain](#input\_external\_domain) | Domain for delegation | `string` | `"pagopa.it"` | no | | [geo\_replica\_cidr\_vnet](#input\_geo\_replica\_cidr\_vnet) | (Required) Cidr block for replica vnet address space | `list(string)` | `null` | no | -| [geo\_replica\_ddos\_protection\_plan](#input\_geo\_replica\_ddos\_protection\_plan) | n/a |
object({
id = string
enable = bool
})
| `null` | no | +| [geo\_replica\_ddos\_protection\_plan](#input\_geo\_replica\_ddos\_protection\_plan) | n/a |
object({
id = string
enable = bool
})
| `null` | no | | [geo\_replica\_enabled](#input\_geo\_replica\_enabled) | (Optional) True if geo replica should be active for key data components i.e. PostgreSQL Flexible servers | `bool` | `false` | no | | [geo\_replica\_location](#input\_geo\_replica\_location) | (Optional) Location of the geo replica | `string` | `"northeurope"` | no | | [geo\_replica\_location\_short](#input\_geo\_replica\_location\_short) | (Optional) Short Location of the geo replica | `string` | `"neu"` | no | @@ -437,7 +439,7 @@ | [integration\_appgateway\_private\_ip](#input\_integration\_appgateway\_private\_ip) | Integration app gateway private ip | `string` | n/a | yes | | [integration\_appgateway\_zones](#input\_integration\_appgateway\_zones) | Integration app gateway private ip | `list(number)` | n/a | yes | | [ip\_nodo](#input\_ip\_nodo) | Nodo pagamenti ip | `string` | n/a | yes | -| [is\_feature\_enabled](#input\_is\_feature\_enabled) | Features enabled in this domain |
object({
vnet_ita = bool,
container_app_tools_cae = optional(bool, false),
node_forwarder_ha_enabled = bool
vpn = optional(bool, false)
dns_forwarder_lb = optional(bool, false)
postgres_private_dns = bool
azdoa = optional(bool, true)
apim_core_import = optional(bool, false)
use_new_apim = optional(bool, false)
azdoa_extension = optional(bool, false)
})
| n/a | yes | +| [is\_feature\_enabled](#input\_is\_feature\_enabled) | Features enabled in this domain |
object({
vnet_ita = bool,
container_app_tools_cae = optional(bool, false),
node_forwarder_ha_enabled = bool
vpn = optional(bool, false)
dns_forwarder_lb = optional(bool, false)
postgres_private_dns = bool
azdoa = optional(bool, true)
apim_core_import = optional(bool, false)
use_new_apim = optional(bool, false)
azdoa_extension = optional(bool, false)
})
| n/a | yes | | [law\_daily\_quota\_gb](#input\_law\_daily\_quota\_gb) | The workspace daily quota for ingestion in GB. | `number` | `-1` | no | | [law\_retention\_in\_days](#input\_law\_retention\_in\_days) | The workspace data retention in days | `number` | `30` | no | | [law\_sku](#input\_law\_sku) | Sku of the Log Analytics Workspace | `string` | `"PerGB2018"` | no | @@ -451,7 +453,7 @@ | [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes | | [logos\_backup\_retention](#input\_logos\_backup\_retention) | (Optional) Blob backup retention | `number` | `7` | no | | [logos\_donations\_storage\_account\_replication\_type](#input\_logos\_donations\_storage\_account\_replication\_type) | (Optional) Logos donations storage account replication type | `string` | `"LRS"` | no | -| [monitor\_env\_test\_urls](#input\_monitor\_env\_test\_urls) | (Optional) Environment specific standard web tests urls to be created in addition to locals.test\_urls |
list(object({
host = string
path = string
alert_enabled = optional(bool, true)
}))
| `[]` | no | +| [monitor\_env\_test\_urls](#input\_monitor\_env\_test\_urls) | (Optional) Environment specific standard web tests urls to be created in addition to locals.test\_urls |
list(object({
host = string
path = string
alert_enabled = optional(bool, true)
}))
| `[]` | no | | [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes | | [nat\_gateway\_enabled](#input\_nat\_gateway\_enabled) | Nat Gateway enabled | `bool` | `true` | no | | [nat\_gateway\_public\_ips](#input\_nat\_gateway\_public\_ips) | Number of public outbound ips | `number` | `1` | no | @@ -464,20 +466,20 @@ | [nodo\_pagamenti\_ec](#input\_nodo\_pagamenti\_ec) | EC' black list nodo pagamenti (separate comma list). | `string` | `","` | no | | [nodo\_pagamenti\_psp](#input\_nodo\_pagamenti\_psp) | PSP' white list nodo pagamenti (separate comma list) . | `string` | `","` | no | | [nodo\_pagamenti\_url](#input\_nodo\_pagamenti\_url) | Nodo pagamenti url | `string` | `"https://"` | no | -| [platform\_private\_dns\_zone\_records](#input\_platform\_private\_dns\_zone\_records) | List of records to add into the platform.pagopa.it dns private | `list(string)` |
[
"api",
"portal",
"management"
]
| no | +| [platform\_private\_dns\_zone\_records](#input\_platform\_private\_dns\_zone\_records) | List of records to add into the platform.pagopa.it dns private | `list(string)` |
[
"api",
"portal",
"management"
]
| no | | [prefix](#input\_prefix) | n/a | `string` | n/a | yes | | [private\_dns\_zone\_db\_nodo\_pagamenti](#input\_private\_dns\_zone\_db\_nodo\_pagamenti) | n/a | `string` | `"dev.db-nodo-pagamenti.com"` | no | | [redis\_cache\_enabled](#input\_redis\_cache\_enabled) | redis cache enabled | `bool` | `false` | no | -| [redis\_cache\_params](#input\_redis\_cache\_params) | # Redis cache |
object({
public_access = bool
capacity = number
sku_name = string
family = string
})
|
{
"capacity": 1,
"family": "C",
"public_access": false,
"sku_name": "Basic"
}
| no | +| [redis\_cache\_params](#input\_redis\_cache\_params) | # Redis cache |
object({
public_access = bool
capacity = number
sku_name = string
family = string
})
|
{
"capacity": 1,
"family": "C",
"public_access": false,
"sku_name": "Basic"
}
| no | | [redis\_private\_endpoint\_enabled](#input\_redis\_private\_endpoint\_enabled) | Enable private endpoints for redis instances? | `bool` | `true` | no | | [redis\_version](#input\_redis\_version) | The version of Redis to use: 4 (deprecated) or 6 | `string` | `"6"` | no | -| [redis\_zones](#input\_redis\_zones) | (Optional) Zone list where redis will be deployed | `list(string)` |
[
"1"
]
| no | -| [route\_table\_peering\_sia\_additional\_routes](#input\_route\_table\_peering\_sia\_additional\_routes) | (Optional) additional routes for route table peering sia |
list(object({
address_prefix = string
name = string
next_hop_in_ip_address = string
next_hop_type = string
}
))
| `[]` | no | +| [redis\_zones](#input\_redis\_zones) | (Optional) Zone list where redis will be deployed | `list(string)` |
[
"1"
]
| no | +| [route\_table\_peering\_sia\_additional\_routes](#input\_route\_table\_peering\_sia\_additional\_routes) | (Optional) additional routes for route table peering sia |
list(object({
address_prefix = string
name = string
next_hop_in_ip_address = string
next_hop_type = string
}
))
| `[]` | no | | [schema\_ip\_nexi](#input\_schema\_ip\_nexi) | Nodo Pagamenti Nexi schema://ip | `string` | n/a | yes | | [storage\_queue\_private\_endpoint\_enabled](#input\_storage\_queue\_private\_endpoint\_enabled) | Whether private endpoint for Azure Storage Queues is enabled | `bool` | `true` | no | -| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | | [upload\_endpoint\_enabled](#input\_upload\_endpoint\_enabled) | Enable upload for heavy payload size on appgw | `bool` | `true` | no | -| [vnet\_ita\_ddos\_protection\_plan](#input\_vnet\_ita\_ddos\_protection\_plan) | n/a |
object({
id = string
enable = bool
})
| `null` | no | +| [vnet\_ita\_ddos\_protection\_plan](#input\_vnet\_ita\_ddos\_protection\_plan) | n/a |
object({
id = string
enable = bool
})
| `null` | no |
 | [vpn\_gw\_pip\_allocation\_method](#input\_vpn\_gw\_pip\_allocation\_method) | VPN GW PIP ALLOCATION METHOD | `string` | `"Dynamic"` | no |
 | [vpn\_gw\_pip\_sku](#input\_vpn\_gw\_pip\_sku) | VPN GW PIP SKU | `string` | `"Basic"` | no |
 | [vpn\_random\_specials\_char](#input\_vpn\_random\_specials\_char) | Enable random special characters in VPN gateway's pip name | `bool` | `true` | no |
From d14d6cda1ecd7683a6190a6d0ab1f650fba5ffc7 Mon Sep 17 00:00:00 2001
From: Andrea Ferracci
Date: Wed, 9 Oct 2024 14:52:31 +0200
Subject: [PATCH 24/41] feat: policy mock pn integration (#2447)
* add mock for pn integration
* add futher fields to mock output
* minor fix
---------
Co-authored-by: pasqualespica <36746022+pasqualespica@users.noreply.github.com>
---
 src/domains/gps-app/04_apim_gpd_for_pn_aca.tf | 23 ++-
 src/domains/gps-app/README.md | 2 +
 .../api/pn-integration/_base_policy.xml | 36 ++--
 .../api/pn-integration/_base_policy_mock.xml | 173 ++++++++++++++++++
 4 files changed, 221 insertions(+), 13 deletions(-)
 create mode 100644 src/domains/gps-app/api/pn-integration/_base_policy_mock.xml
diff --git a/src/domains/gps-app/04_apim_gpd_for_pn_aca.tf b/src/domains/gps-app/04_apim_gpd_for_pn_aca.tf
index 6499155e06..e3dd755382 100644
--- a/src/domains/gps-app/04_apim_gpd_for_pn_aca.tf
+++ b/src/domains/gps-app/04_apim_gpd_for_pn_aca.tf
@@ -1,3 +1,24 @@
+resource "azurerm_api_management_subscription" "afm_pn_subkey_test" {
+ count = var.env_short != "p" ? 1 : 0
+
+ resource_group_name = local.pagopa_apim_rg
+ api_management_name = local.pagopa_apim_name
+ product_id = module.apim_pn_integration_product.id
+ display_name = "Subscription for PN GDP notifcation fee test"
+ allow_tracing = false
+ state = "active"
+}
+
+resource "azurerm_api_management_named_value" "afm_pn_sub_key_test_apim_nv" {
+ count = var.env_short != "p" ? 1 : 0
+
+ name = "afm-pn-sub-key-test"
+ api_management_name = local.pagopa_apim_name
+ resource_group_name = local.pagopa_apim_rg
+ display_name = "afm-pn-sub-key-test"
+ value = azurerm_api_management_subscription.afm_pn_subkey_test[0].primary_key
+}
+
 ####################
 ## Local variables #
 ####################
@@ -99,6 +120,6 @@ module "apim_api_pn_integration_gpd_api_v1" {
 service = local.apim_pn_integration_rest_api.gpd_service.path
 })
- xml_content = templatefile("./api/pn-integration/_base_policy.xml", {
+ xml_content = templatefile("./api/pn-integration/_base_policy${var.env_short != "p" ? "_mock" : ""}.xml", {
 })
 }
diff --git a/src/domains/gps-app/README.md b/src/domains/gps-app/README.md
index 3769feeffa..d6d71c6ba8 100644
--- a/src/domains/gps-app/README.md
+++ b/src/domains/gps-app/README.md
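Review bot: `afm_pn_sub_key_test_apim_nv` stores the subscription's `primary_key` as a named value without `secret = true`, so the key is kept as a plain (non-secret) named value whose value the APIM portal and management API return in clear text; add `secret = true` to that resource so it is masked like other credential-bearing named values. The `display_name` of `afm_pn_subkey_test` contains a typo that will show in the portal: `display_name = "Subscription for PN GDP notification fee test"`. In the second hunk the policy file is switched to `_base_policy_mock.xml` for every non-prod environment by the same `var.env_short != "p"` test; a short comment above the `xml_content` line stating that DEV/UAT deliberately mock the PN integration would make that intent obvious to the next reader.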
@@ -70,8 +70,10 @@
 | [azurerm_api_management_api_version_set.api_gps_enrollments_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource |
 | [azurerm_api_management_api_version_set.api_pn_integration_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource |
 | [azurerm_api_management_api_version_set.apim_gpd_upload_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource |
+| [azurerm_api_management_named_value.afm_pn_sub_key_test_apim_nv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
 | [azurerm_api_management_product_api.apim_api_gpd_payments_soap_product_api_v1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_product_api) | resource |
 | [azurerm_api_management_product_api.apim_api_gpd_payments_soap_product_nodo_api_v1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_product_api) | resource |
+| [azurerm_api_management_subscription.afm_pn_subkey_test](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource |
 | [azurerm_app_service_plan.gpd_reporting_service_plan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_plan) | resource |
 | [azurerm_key_vault_secret.aks_apiserver_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.azure_devops_sa_cacrt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
diff --git a/src/domains/gps-app/api/pn-integration/_base_policy.xml b/src/domains/gps-app/api/pn-integration/_base_policy.xml index bd68076e5a..ce1df461e7 100644 --- a/src/domains/gps-app/api/pn-integration/_base_policy.xml +++ b/src/domains/gps-app/api/pn-integration/_base_policy.xml @@ -1,14 +1,26 @@ + - - - - - - - - - - - - + + + + + + + + + + + + diff --git a/src/domains/gps-app/api/pn-integration/_base_policy_mock.xml b/src/domains/gps-app/api/pn-integration/_base_policy_mock.xml new file mode 100644 index 0000000000..94fbd46d3c --- /dev/null +++ b/src/domains/gps-app/api/pn-integration/_base_policy_mock.xml 
@@ -0,0 +1,173 @@ + + + + + + + + + + + + + + + + + + + + + + ("nav").StartsWith("302011"))"> + + + + application/json + + + mocked update notification fee + + @{ + + string currentDate = DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ss.fff").ToString(); + string nav = context.Request.MatchedParameters["nav"].ToString(); + string iuv = nav.Substring(1); + + JObject data = new JObject(); + data.Add("nav", nav); + data.Add("iuv", iuv); + data.Add("organizationFiscalCode", context.Request.MatchedParameters["organizationFiscalCode"].ToString()); + data.Add("amount", 100); + data.Add("isPartialPayment", true); + data.Add("dueDate", "2024-12-28T22:12:47.989Z"); + data.Add("retentionDate", "2024-12-31T22:12:47.989Z"); + data.Add("insertedDate", "2024-09-28T22:12:47.989Z"); + data.Add("paymentDate", null); + data.Add("reportingDate", null); + data.Add("paymentMethod", null); + data.Add("pspCompany", null); + data.Add("idReceipt", null); + data.Add("idFlowReporting", null); + data.Add("fee", 0); + data.Add("notificationFee", context.Request.Body.As(true)["notificationFee"].Value()); + data.Add("status", "PO_UNPAID"); + data.Add("lastUpdatedDate", currentDate); + data.Add("lastUpdatedDateNotificationFee", currentDate); + data.Add("paymentOptionMetadata", new JArray()); + + JObject transfer = new JObject(); + transfer.Add("organizationFiscalCode", context.Request.MatchedParameters["organizationFiscalCode"].ToString()); + transfer.Add("idTransfer", "01"); + transfer.Add("amount", 100); + transfer.Add("remittanceInformation", "test payment"); + transfer.Add("category", "9/0301100TS/"); + transfer.Add("iban", "IT12A1234512345123456789012"); + transfer.Add("postalIban", null); + transfer.Add("stamp", null); + transfer.Add("insertedDate", "2024-09-28T22:12:47.989Z"); + transfer.Add("status", "T_UNREPORTED"); + transfer.Add("lastUpdatedDate", currentDate); + transfer.Add("transferMetadata", new JArray()); + + JArray list = new JArray(transfer); + data.Add("transfer", list); + return 
data.ToString(); + } + + + + ("nav").StartsWith("302011"))"> + + + + application/json + + + mocked get payment option + + @{ + + string currentDate = DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ss.fff").ToString(); + string nav = context.Request.MatchedParameters["nav"].ToString(); + string iuv = nav.Substring(1); + + JObject data = new JObject(); + data.Add("nav", nav); + data.Add("iuv", iuv); + data.Add("organizationFiscalCode", context.Request.MatchedParameters["organizationFiscalCode"].ToString()); + data.Add("amount", 100); + data.Add("isPartialPayment", true); + data.Add("dueDate", "2024-12-28T22:12:47.989Z"); + data.Add("retentionDate", "2024-12-31T22:12:47.989Z"); + data.Add("insertedDate", "2024-09-28T22:12:47.989Z"); + data.Add("paymentDate", null); + data.Add("reportingDate", null); + data.Add("paymentMethod", null); + data.Add("pspCompany", null); + data.Add("idReceipt", null); + data.Add("idFlowReporting", null); + data.Add("fee", 0); + data.Add("notificationFee", 0); + data.Add("status", "PO_UNPAID"); + data.Add("lastUpdatedDate", currentDate); + data.Add("lastUpdatedDateNotificationFee", currentDate); + data.Add("paymentOptionMetadata", new JArray()); + data.Add("iupd", "77777777777-64c8e41bfec846e02000000000000010"); + data.Add("type", "F"); + data.Add("fiscalCode", "SMNRDN75R05H501F"); + data.Add("fullName", "Simone Rondinella"); + data.Add("streetName", null); + data.Add("civicNumber", null); + data.Add("postalCode", null); + data.Add("city", null); + data.Add("province", null); + data.Add("region", null); + data.Add("country", null); + data.Add("email", null); + data.Add("phone", null); + data.Add("companyName", "Piattaforma Notifiche"); + data.Add("officeName", null); + data.Add("debtPositionStatus", "VALID"); + + JObject transfer = new JObject(); + transfer.Add("organizationFiscalCode", context.Request.MatchedParameters["organizationFiscalCode"].ToString()); + transfer.Add("idTransfer", "01"); + transfer.Add("amount", 100); + 
transfer.Add("remittanceInformation", "test payment"); + transfer.Add("category", "9/0301100TS/"); + transfer.Add("iban", "IT12A1234512345123456789012"); + transfer.Add("postalIban", null); + transfer.Add("stamp", null); + transfer.Add("insertedDate", "2024-09-28T22:12:47.989Z"); + transfer.Add("status", "T_UNREPORTED"); + transfer.Add("lastUpdatedDate", currentDate); + transfer.Add("transferMetadata", new JArray()); + + JArray list = new JArray(transfer); + data.Add("transfer", list); + return data.ToString(); + } + + + + + + + + + + + + + + + + + + + \ No newline at end of file From e2b40b5d877e117c8623a9978ed47fc50d640d4c Mon Sep 17 00:00:00 2001 From: Andrea De Rinaldis <117269497+andrea-deri@users.noreply.github.com> Date: Wed, 9 Oct 2024 16:31:14 +0200 Subject: [PATCH 25/41] fix: [PAGOPA-2263] temporarily added `/fdr-psp` under AppGW's upload domain (#2470) * [PAGOPA-2263] fix: added fdr-psp under AppGW's upload domain --- src/next-core/env/uat/terraform.tfvars | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/next-core/env/uat/terraform.tfvars b/src/next-core/env/uat/terraform.tfvars index a2a4fed1b4..6ca519e4da 100644 --- a/src/next-core/env/uat/terraform.tfvars +++ b/src/next-core/env/uat/terraform.tfvars @@ -784,3 +784,16 @@ monitor_env_test_urls = [ path = "", } ] + +app_gateway_allowed_paths_upload = [ + "/upload/gpd/.*", + "/nodo-auth/node-for-psp/.*", + "/nodo-auth/nodo-per-psp/.*", + "/nodo/nodo-per-psp/.*", + "/nodo/nodo-per-pa/.*", + "/nodo-auth/nodo-per-pa/.*", + "/nodo-auth/node-for-pa/.*", + "/nodo/node-for-psp/.*", + "/fdr-legacy/nodo-per-pa/.*", + "/fdr-psp/.*" # Added temporarily as workaround for bug https://pagopa.atlassian.net/browse/PAGOPA-2263 +] \ No newline at end of file From 768e2692a566437c8cc08dc3518b487ffcc9c3ff Mon Sep 17 00:00:00 2001 
From: Simone Caminati Date: Wed, 9 Oct 2024 17:20:02 +0200 Subject: [PATCH 26/41] feat: [CHK-3284] add user-stats collection (#2453) * feat: add user-stats collection * fix: shard_key * fix: add ttl --------- Co-authored-by: Pietro Tota Co-authored-by: Pietro Tota <115724836+pietro-tota@users.noreply.github.com> Co-authored-by: Simone infante <52280205+infantesimone@users.noreply.github.com>
--- src/domains/ecommerce-common/03_cosmosdb.tf | 29 ++++++++++++++++----- 1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/src/domains/ecommerce-common/03_cosmosdb.tf b/src/domains/ecommerce-common/03_cosmosdb.tf
index a5e8a2555d..453a29c448 100644
--- a/src/domains/ecommerce-common/03_cosmosdb.tf
+++ b/src/domains/ecommerce-common/03_cosmosdb.tf
@@ -86,7 +86,8 @@ locals {
 unique = true
 }
 ]
- shard_key = null
+ shard_key = null,
+ default_ttl_seconds = null
 },
 {
 name = "eventstore"
@@ -99,7 +100,8 @@ locals {
 unique = false
 }
 ]
- shard_key = "transactionId"
+ shard_key = "transactionId",
+ default_ttl_seconds = null
 },
 {
 name = "transactions-view"
@@ -124,7 +126,8 @@ locals {
 unique = false
 }
 ]
- shard_key = "_id"
+ shard_key = "_id",
+ default_ttl_seconds = null
 },
 {
 name = "dead-letter-events"
@@ -141,7 +144,18 @@ locals {
 unique = false
 }
 ]
- shard_key = "_id"
+ shard_key = "_id",
+ default_ttl_seconds = null
+ },
+ {
+ name = "user-stats"
+ indexes = [{
+ keys = ["_id"]
+ unique = true
+ }
+ ]
+ shard_key = "_id",
+ default_ttl_seconds = "31536000" #1 year
 },
 ]
 }
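Review bot: The new `user-stats` entry sets `default_ttl_seconds = "31536000"` as a string while every other collection passes `null`, and the value is handed straight to the module in the next hunk (`@@ -162,9 +176,10 @@`), so whether a string is accepted depends on the module variable's declared type, which is not visible here; the numeric form `default_ttl_seconds = 31536000 # 1 year` is the safer choice if that variable is a `number`. The added `shard_key = null,` / `shard_key = "_id",` lines mix comma and newline separators inside the object literals in all four hunks of this file; dropping the trailing commas keeps the style consistent with the surrounding attributes.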
@@ -162,9 +176,10 @@ module "cosmosdb_ecommerce_collections" { cosmosdb_mongo_account_name = module.cosmosdb_account_mongodb.name cosmosdb_mongo_database_name = azurerm_cosmosdb_mongo_database.ecommerce.name - indexes = each.value.indexes - shard_key = each.value.shard_key - lock_enable = var.env_short == "d" ? false : true + indexes = each.value.indexes + shard_key = each.value.shard_key + default_ttl_seconds = each.value.default_ttl_seconds + lock_enable = var.env_short == "d" ? false : true } # ----------------------------------------------- From 3601124564769ff7795b920af75489d78079aa03 Mon Sep 17 00:00:00 2001 From: Pasquale Spica <36746022+pasqualespica@users.noreply.github.com> Date: Thu, 10 Oct 2024 12:40:49 +0200 Subject: [PATCH 27/41] add: Cfg perf test ppull (#2473) fix --- src/domains/gps-app/02_security.tf | 22 ++++++++++++++++ src/domains/gps-app/04_apim_gpd_core.tf | 11 +++++--- src/domains/gps-app/04_apim_payments_pull.tf | 27 ++++++++++++++++++++ src/domains/gps-app/README.md | 3 +++ 4 files changed, 59 insertions(+), 4 deletions(-) diff --git a/src/domains/gps-app/02_security.tf b/src/domains/gps-app/02_security.tf index 72e31421e0..e43ef22713 100644 --- a/src/domains/gps-app/02_security.tf +++ b/src/domains/gps-app/02_security.tf 
@@ -44,3 +44,25 @@ resource "azurerm_key_vault_secret" "gpd_subscription_key" {
 ]
 }
 }
+
+// apikey test apim_gpd_payments_pull_product_and_debt_positions_product_test and save keys on KV
+resource "azurerm_api_management_subscription" "test_gpd_payments_pull_and_debt_positions_subkey" {
+ count = var.env_short != "p" ? 1 : 0
+ api_management_name = local.pagopa_apim_name
+ resource_group_name = local.pagopa_apim_rg
+
+ product_id = module.apim_gpd_payments_pull_product_and_debt_positions_product_test[0].id
+ display_name = "TEST gpd-payments-pull and debt-positions"
+ allow_tracing = false
+ state = "active"
+}
+
+resource "azurerm_key_vault_secret" "test_gpd_payments_pull_and_debt_positions_subkey_kv" {
+ count = var.env_short != "p" ? 1 : 0
+ depends_on = [azurerm_api_management_subscription.test_gpd_payments_pull_and_debt_positions_subkey[0]]
+ name = "integration-test-subkey" # "tst-gpd-ppull-debt-position-key"
+ value = azurerm_api_management_subscription.test_gpd_payments_pull_and_debt_positions_subkey[0].primary_key
+ content_type = "text/plain"
+
+ key_vault_id = data.azurerm_key_vault.kv.id
+}
\ No newline at end of file
diff --git a/src/domains/gps-app/04_apim_gpd_core.tf b/src/domains/gps-app/04_apim_gpd_core.tf
index 9c56da0bb6..14e5e63ceb 100644
--- a/src/domains/gps-app/04_apim_gpd_core.tf
+++ b/src/domains/gps-app/04_apim_gpd_core.tf
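Review bot: The Key Vault secret name `"integration-test-subkey"` is generic for a key that unlocks the test GPD payments-pull and debt-positions product, and the commented-out alternative `"tst-gpd-ppull-debt-position-key"` on the same line is both more specific and a leftover that should not ship; pick one name that identifies the product, since `data.azurerm_key_vault.kv` appears to be the vault the whole domain writes to (the existing `gpd_subscription_key` secret above uses it). `depends_on` on the secret is redundant because `value` already references `...subkey[0].primary_key`, which creates the dependency implicitly. Neither the APIM subscription nor the secret carries an expiry (`expiration_date` on the secret); for a test credential kept in a vault, a comment stating how and when it is rotated would help even if rotation is handled out of band.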
@@ -119,10 +119,13 @@ resource "azurerm_api_management_api_version_set" "api_debt_positions_api" {
 module "apim_api_debt_positions_api_v1" {
 source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v6.11.2"
- name = format("%s-debt-positions-service-api", local.product)
- api_management_name = local.pagopa_apim_name
- resource_group_name = local.pagopa_apim_rg
- product_ids = [module.apim_debt_positions_product.product_id, module.apim_aca_integration_product.product_id, module.apim_gpd_integration_product.product_id]
+ name = format("%s-debt-positions-service-api", local.product)
+ api_management_name = local.pagopa_apim_name
+ resource_group_name = local.pagopa_apim_rg
+ product_ids = concat(
+ [module.apim_debt_positions_product.product_id, module.apim_aca_integration_product.product_id, module.apim_gpd_integration_product.product_id],
+ var.env_short == "p" ? [] : [module.apim_gpd_payments_pull_product_and_debt_positions_product_test[0].product_id])
+
 subscription_required = local.apim_debt_positions_service_api.subscription_required
 version_set_id = azurerm_api_management_api_version_set.api_debt_positions_api.id
 api_version = "v1"
diff --git a/src/domains/gps-app/04_apim_payments_pull.tf b/src/domains/gps-app/04_apim_payments_pull.tf
index d496c8ceee..b4114bcc54 100644
--- a/src/domains/gps-app/04_apim_payments_pull.tf
+++ b/src/domains/gps-app/04_apim_payments_pull.tf
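Review bot: The test product is referenced here as `module.apim_gpd_payments_pull_product_and_debt_positions_product_test[0].product_id`, while the subscription in the 02_security.tf hunk of this same patch uses the same instance's `[0].id`; both outputs must exist on the `api_management_product` module at `ref=v6.11.2`, and the difference is plausible (the subscription's `product_id` takes the full resource id, the API's `product_ids` apparently the product name) but worth confirming against the module before merge. Non-prod now attaches the debt-positions API to one more product; `subscription_required` is untouched, so access still hinges on the test product's subscription, which is the intended gate as far as this hunk shows. A one-line comment above `product_ids = concat(` saying why the extra product is non-prod only would help the next reader.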
@@ -20,3 +20,30 @@ module "apim_gpd_payments_pull_product" {
 policy_xml = file("./api_product/payments-pull/_base_policy.xml")
 }
+
+######################################################
+## GPD Payments Pull Test Products ##
+## 1. product_id = "gpd-payments-pull ##
+## 2. product_id = "debt-positions" ##
+######################################################
+
+
+module "apim_gpd_payments_pull_product_and_debt_positions_product_test" {
+ count = var.env_short != "p" ? 1 : 0
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v6.11.2"
+
+ product_id = "test-gpd-payments-pull-and-debt-positions"
+ display_name = "TEST GPD Payments Pull & GPD Debt Positions for organizations"
+ description = "TEST GPD Payments Pull & GPD Debt Positions for organizations"
+
+ api_management_name = local.pagopa_apim_name
+ resource_group_name = local.pagopa_apim_rg
+
+ published = false
+ subscription_required = true
+ approval_required = false
+ subscriptions_limit = 1 # only for test
+
+ policy_xml = file("./api_product/payments-pull/_base_policy.xml")
+
+}
diff --git a/src/domains/gps-app/README.md b/src/domains/gps-app/README.md
index d6d71c6ba8..aa69eda115 100644
--- a/src/domains/gps-app/README.md
+++ b/src/domains/gps-app/README.md
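Review bot: The banner comment above the module does not match what it declares: it lists `1. product_id = "gpd-payments-pull` (unclosed quote) and `2. product_id = "debt-positions"` as if two products were created, but the module creates a single product, `product_id = "test-gpd-payments-pull-and-debt-positions"`, which the other hunks of this patch then attach to the payments-pull and debt-positions APIs. Rewording it to `## Non-prod test product bundling the gpd-payments-pull and debt-positions APIs ##` removes the confusion. The product reuses `./api_product/payments-pull/_base_policy.xml`; if that policy was written with only payments-pull routes in mind, check that it is also appropriate for the debt-positions routes now served under this product.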
@@ -33,6 +33,7 @@ | [apim\_gpd\_enrollment\_product](#module\_apim\_gpd\_enrollment\_product) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product | v6.4.1 | | [apim\_gpd\_integration\_product](#module\_apim\_gpd\_integration\_product) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product | v6.11.2 | | [apim\_gpd\_payments\_pull\_product](#module\_apim\_gpd\_payments\_pull\_product) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product | v6.11.2 | +| [apim\_gpd\_payments\_pull\_product\_and\_debt\_positions\_product\_test](#module\_apim\_gpd\_payments\_pull\_product\_and\_debt\_positions\_product\_test) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product | v6.11.2 | | [apim\_gpd\_payments\_rest\_external\_product](#module\_apim\_gpd\_payments\_rest\_external\_product) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product | v6.4.1 | | [apim\_gpd\_payments\_soap\_product](#module\_apim\_gpd\_payments\_soap\_product) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product | v6.4.1 | | [apim\_gpd\_product](#module\_apim\_gpd\_product) | git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product | v6.11.2 | 
@@ -74,11 +75,13 @@ | [azurerm_api_management_product_api.apim_api_gpd_payments_soap_product_api_v1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_product_api) | resource | | [azurerm_api_management_product_api.apim_api_gpd_payments_soap_product_nodo_api_v1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_product_api) | resource | | [azurerm_api_management_subscription.afm_pn_subkey_test](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource | +| [azurerm_api_management_subscription.test_gpd_payments_pull_and_debt_positions_subkey](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_subscription) | resource | | [azurerm_app_service_plan.gpd_reporting_service_plan](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service_plan) | resource | | [azurerm_key_vault_secret.aks_apiserver_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.azure_devops_sa_cacrt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.azure_devops_sa_token](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.gpd_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.test_gpd_payments_pull_and_debt_positions_subkey_kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_monitor_autoscale_setting.reporting_function](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource 
| | [azurerm_monitor_scheduled_query_rules_alert.opex_pagopa-gpd-core-external-availability-upd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource | | [azurerm_monitor_scheduled_query_rules_alert.opex_pagopa-gpd-core-external-responsetime-upd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource | From 89ee869552b30a728c36c35989547e6c892a422c Mon Sep 17 00:00:00 2001 From: Marco Mari <130982006+mamari90@users.noreply.github.com> Date: Thu, 10 Oct 2024 13:14:29 +0200 Subject: [PATCH 28/41] feat: Added kube system reader role in nodo-app (#2474) * added kube system reader role in nodo-app * precommit --- src/aks-platform/04_rbac.tf | 22 ++++++++++++ src/aks-platform/99_main.tf | 1 + src/aks-platform/README.md | 19 +++++----- src/domains/mock-app/02_namespace.tf | 4 +-- src/domains/mock-app/02_security.tf | 2 +- .../03_serviceaccounts_azure_devops.tf | 14 ++++---- .../mock-app/06_aks_middleware_tools.tf | 6 ++-- src/domains/mock-app/99_variables.tf | 7 ++++ src/domains/mock-app/README.md | 7 ++-- .../mock-app/env/weu-dev/terraform.tfvars | 3 ++ .../mock-app/env/weu-uat/terraform.tfvars | 2 ++ .../03_serviceaccounts_azure_devops.tf | 21 ++++++++++- src/domains/nodo-app/README.md | 35 ++++++++++--------- 13 files changed, 100 insertions(+), 43 deletions(-) diff --git a/src/aks-platform/04_rbac.tf b/src/aks-platform/04_rbac.tf index 0bf97cb94a..07f4997a1a 100644 --- a/src/aks-platform/04_rbac.tf +++ b/src/aks-platform/04_rbac.tf 
@@ -270,3 +270,25 @@ resource "kubernetes_cluster_role_binding" "view_binding" { module.aks ] } + +resource "kubernetes_cluster_role" "kube_system_reader" { + metadata { + name = "kube-system-reader" + } + + rule { + api_groups = [""] + resources = ["services"] + verbs = ["get", "list", "watch", ] + } + + rule { + api_groups = ["rbac.authorization.k8s.io"] + resources = ["rolebindings"] + verbs = ["get", "list", "watch", ] + } + + depends_on = [ + module.aks + ] +} diff --git a/src/aks-platform/99_main.tf b/src/aks-platform/99_main.tf index b8fc413f35..6cf45da964 100644 --- a/src/aks-platform/99_main.tf +++ b/src/aks-platform/99_main.tf @@ -30,6 +30,7 @@ terraform { } provider "azurerm" { + skip_provider_registration = true features { key_vault { purge_soft_delete_on_destroy = false diff --git a/src/aks-platform/README.md b/src/aks-platform/README.md index 621f4f34c0..b3f9fe5880 100644 --- a/src/aks-platform/README.md +++ b/src/aks-platform/README.md 
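Review bot: `kubernetes_cluster_role.kube_system_reader` is a ClusterRole, so despite its name nothing in this hunk restricts it to kube-system; whether it reads `services` and `rolebindings` in one namespace or in every namespace is decided entirely by the binding, which is not in this hunk (the diffstat's `src/domains/nodo-app/03_serviceaccounts_azure_devops.tf` change is presumably where it is bound). Add a comment pinning the intent, e.g. `# Read-only role meant to be bound with a namespaced RoleBinding in kube-system; a ClusterRoleBinding would grant these reads across all namespaces`, or declare it as a `kubernetes_role` in kube-system if that is the only consumer. The trailing `, ]` in both `verbs` lists is a minor style nit.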
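Review bot: `skip_provider_registration = true` is added to the azurerm provider without a comment on why the deploying identity should not register resource providers; in azurerm 4.x this argument is deprecated in favour of `resource_provider_registrations`, and the provider version constraint sits outside this hunk, so it is worth checking which form applies to this module. Suggested comment on the line: `# the deploying identity cannot register resource providers at subscription scope; registration is handled elsewhere — TODO confirm`.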
@@ -35,6 +35,7 @@ | [helm_release.monitoring_reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [kubernetes_cluster_role.cluster_deployer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role.edit_extra](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | +| [kubernetes_cluster_role.kube_system_reader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role.system_cluster_deployer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role.view_extra](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role_binding.edit_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource | @@ -75,8 +76,8 @@ | [aks\_num\_outbound\_ips](#input\_aks\_num\_outbound\_ips) | How many outbound ips allocate for AKS cluster | `number` | `1` | no | | [aks\_private\_cluster\_is\_enabled](#input\_aks\_private\_cluster\_is\_enabled) | Allow to configure the AKS, to be setup as a private cluster. To reach it, you need to use an internal VM or VPN | `bool` | `true` | no | | [aks\_sku\_tier](#input\_aks\_sku\_tier) | The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free and Paid (which includes the Uptime SLA). | `string` | n/a | yes | -| [aks\_system\_node\_pool](#input\_aks\_system\_node\_pool) | AKS node pool system configuration |
object({
name = string,
vm_size = string,
os_disk_type = string,
os_disk_size_gb = string,
node_count_min = number,
node_count_max = number,
only_critical_addons_enabled = bool,
node_labels = map(any),
node_tags = map(any)
})
| n/a | yes | -| [aks\_user\_node\_pool](#input\_aks\_user\_node\_pool) | AKS node pool user configuration |
object({
enabled = bool,
name = string,
vm_size = string,
os_disk_type = string,
os_disk_size_gb = string,
node_count_min = number,
node_count_max = number,
node_labels = map(any),
node_taints = list(string),
node_tags = map(any)
})
| n/a | yes | +| [aks\_system\_node\_pool](#input\_aks\_system\_node\_pool) | AKS node pool system configuration |
object({
name = string,
vm_size = string,
os_disk_type = string,
os_disk_size_gb = string,
node_count_min = number,
node_count_max = number,
only_critical_addons_enabled = bool,
node_labels = map(any),
node_tags = map(any)
})
| n/a | yes | +| [aks\_user\_node\_pool](#input\_aks\_user\_node\_pool) | AKS node pool user configuration |
object({
enabled = bool,
name = string,
vm_size = string,
os_disk_type = string,
os_disk_size_gb = string,
node_count_min = number,
node_count_max = number,
node_labels = map(any),
node_taints = list(string),
node_tags = map(any)
})
| n/a | yes | | [domain](#input\_domain) | n/a | `string` | n/a | yes | | [env](#input\_env) | n/a | `string` | n/a | yes | | [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes | @@ -84,8 +85,8 @@ | [ingress\_max\_replica\_count](#input\_ingress\_max\_replica\_count) | n/a | `string` | n/a | yes | | [ingress\_min\_replica\_count](#input\_ingress\_min\_replica\_count) | n/a | `string` | n/a | yes | | [k8s\_kube\_config\_path\_prefix](#input\_k8s\_kube\_config\_path\_prefix) | n/a | `string` | `"~/.kube"` | no | -| [keda\_helm](#input\_keda\_helm) | keda helm chart configuration |
object({
chart_version = string,
keda = object({
image_name = string,
image_tag = string,
}),
metrics_api_server = object({
image_name = string,
image_tag = string,
}),
})
| n/a | yes | -| [kube\_prometheus\_stack\_helm](#input\_kube\_prometheus\_stack\_helm) | kube-prometheus-stack helm chart configuration |
object({
chart_version = string,
values_file = string
})
| n/a | yes | +| [keda\_helm](#input\_keda\_helm) | keda helm chart configuration |
object({
chart_version = string,
keda = object({
image_name = string,
image_tag = string,
}),
metrics_api_server = object({
image_name = string,
image_tag = string,
}),
})
| n/a | yes | +| [kube\_prometheus\_stack\_helm](#input\_kube\_prometheus\_stack\_helm) | kube-prometheus-stack helm chart configuration |
object({
chart_version = string,
values_file = string
})
| n/a | yes | | [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes | | [location\_short](#input\_location\_short) | One of wue, neu | `string` | n/a | yes | | [location\_string](#input\_location\_string) | One of West Europe, North Europe | `string` | n/a | yes | @@ -93,13 +94,13 @@ | [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | Specifies the name of the Log Analytics Workspace. | `string` | n/a | yes | | [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes | | [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes | -| [nginx\_helm](#input\_nginx\_helm) | nginx ingress helm chart configuration |
object({
version = string,
controller = object({
image = object({
registry = string,
image = string,
tag = string,
digest = string,
digestchroot = string,
}),
resources = object({
requests = object({
memory : string
})
}),
config = object({
proxy-body-size : string
})
})
})
| n/a | yes | +| [nginx\_helm](#input\_nginx\_helm) | nginx ingress helm chart configuration |
object({
version = string,
controller = object({
image = object({
registry = string,
image = string,
tag = string,
digest = string,
digestchroot = string,
}),
resources = object({
requests = object({
memory : string
})
}),
config = object({
proxy-body-size : string
})
})
})
| n/a | yes | | [prefix](#input\_prefix) | n/a | `string` | n/a | yes | | [prometheus\_basic\_auth\_file](#input\_prometheus\_basic\_auth\_file) | n/a | `string` | n/a | yes | -| [reloader\_helm](#input\_reloader\_helm) | reloader helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | -| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | -| [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | -| [tls\_checker\_https\_endpoints\_to\_check](#input\_tls\_checker\_https\_endpoints\_to\_check) | List of https endpoint to check ssl certificate and his alert name |
list(object({
https_endpoint = string
# max 53 chars, alfanumeric and '-', and lower case
alert_name = string
alert_enabled = bool
helm_present = bool
}))
| `[]` | no | +| [reloader\_helm](#input\_reloader\_helm) | reloader helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | +| [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | +| [tls\_checker\_https\_endpoints\_to\_check](#input\_tls\_checker\_https\_endpoints\_to\_check) | List of https endpoint to check ssl certificate and his alert name |
list(object({
https_endpoint = string
# max 53 chars, alfanumeric and '-', and lower case
alert_name = string
alert_enabled = bool
helm_present = bool
}))
| `[]` | no | ## Outputs diff --git a/src/domains/mock-app/02_namespace.tf b/src/domains/mock-app/02_namespace.tf index 23cf79c744..f8581cf38a 100644 --- a/src/domains/mock-app/02_namespace.tf +++ b/src/domains/mock-app/02_namespace.tf @@ -1,12 +1,12 @@ resource "kubernetes_namespace" "namespace" { - count = var.env_short == "d" ? 1 : 0 + count = var.mock_enabled ? 1 : 0 metadata { name = var.domain } } module "pod_identity" { - count = var.env_short == "d" ? 1 : 0 + count = var.mock_enabled ? 1 : 0 source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v6.4.1" resource_group_name = local.aks_resource_group_name diff --git a/src/domains/mock-app/02_security.tf b/src/domains/mock-app/02_security.tf index dd38836aa7..823e832bc8 100644 --- a/src/domains/mock-app/02_security.tf +++ b/src/domains/mock-app/02_security.tf @@ -18,7 +18,7 @@ data "azurerm_key_vault_secret" "monitor_notification_slack_email" { # create json letsencrypt inside kv # requierd: Docker module "letsencrypt_mock" { - count = var.env_short == "d" ? 1 : 0 + count = var.mock_enabled ? 1 : 0 source = "git::https://github.com/pagopa/azurerm.git//letsencrypt_credential?ref=v3.8.1" prefix = var.prefix diff --git a/src/domains/mock-app/03_serviceaccounts_azure_devops.tf b/src/domains/mock-app/03_serviceaccounts_azure_devops.tf index ebb2c96417..a578c4f810 100644 --- a/src/domains/mock-app/03_serviceaccounts_azure_devops.tf +++ b/src/domains/mock-app/03_serviceaccounts_azure_devops.tf @@ -1,12 +1,12 @@ resource "kubernetes_namespace" "namespace_system" { - count = var.env_short == "d" ? 1 : 0 + count = var.mock_enabled ? 1 : 0 metadata { name = "${var.domain}-system" } } resource "kubernetes_service_account" "azure_devops" { - count = var.env_short == "d" ? 1 : 0 + count = var.mock_enabled ? 1 : 0 metadata { name = "azure-devops" 
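Review bot: Replacing `var.env_short == "d"` with `var.mock_enabled` on every `count` changes what exists in dev: the new variable defaults to `false` (the `99_variables.tf` hunk in this same patch), so unless the dev tfvars set it to `true`, the mock namespace, pod identity, letsencrypt credential, Azure DevOps service account, its Key Vault secrets and the middleware tools are all destroyed on the next apply. The diffstat lists `mock-app/env/weu-dev/terraform.tfvars` (+3) and `weu-uat/terraform.tfvars` (+2), which presumably set it, but those files are not in this view; a plan showing no destroys in dev is the evidence to attach to the PR. The same replacement is made in the 02_security.tf hunk, both 03_serviceaccounts_azure_devops.tf hunks and the 06_aks_middleware_tools.tf hunks; this note covers them all.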
@@ -16,7 +16,7 @@ resource "kubernetes_service_account" "azure_devops" { } data "kubernetes_secret" "azure_devops_secret" { - count = var.env_short == "d" ? 1 : 0 + count = var.mock_enabled ? 1 : 0 metadata { name = kubernetes_service_account.azure_devops[0].default_secret_name namespace = kubernetes_namespace.namespace_system[0].metadata[0].name @@ -29,7 +29,7 @@ data "kubernetes_secret" "azure_devops_secret" { #tfsec:ignore:AZU023 resource "azurerm_key_vault_secret" "azure_devops_sa_token" { - count = var.env_short == "d" ? 1 : 0 + count = var.mock_enabled ? 1 : 0 depends_on = [kubernetes_service_account.azure_devops] name = "${local.aks_name}-azure-devops-sa-token" value = data.kubernetes_secret.azure_devops_secret[0].binary_data["token"] # base64 value @@ -40,7 +40,7 @@ resource "azurerm_key_vault_secret" "azure_devops_sa_token" { #tfsec:ignore:AZU023 resource "azurerm_key_vault_secret" "azure_devops_sa_cacrt" { - count = var.env_short == "d" ? 1 : 0 + count = var.mock_enabled ? 1 : 0 depends_on = [kubernetes_service_account.azure_devops] name = "${local.aks_name}-azure-devops-sa-cacrt" value = data.kubernetes_secret.azure_devops_secret[0].binary_data["ca.crt"] # base64 value @@ -55,7 +55,7 @@ resource "azurerm_key_vault_secret" "azure_devops_sa_cacrt" { # resource "kubernetes_role_binding" "deployer_binding" { - count = var.env_short == "d" ? 1 : 0 + count = var.mock_enabled ? 1 : 0 metadata { name = "deployer-binding" namespace = kubernetes_namespace.namespace[0].metadata[0].name @@ -73,7 +73,7 @@ resource "kubernetes_role_binding" "deployer_binding" { } resource "kubernetes_role_binding" "system_deployer_binding" { - count = var.env_short == "d" ? 1 : 0 + count = var.mock_enabled ? 1 : 0 metadata { name = "system-deployer-binding" namespace = kubernetes_namespace.namespace_system[0].metadata[0].name diff --git a/src/domains/mock-app/06_aks_middleware_tools.tf b/src/domains/mock-app/06_aks_middleware_tools.tf index 30ed4421a1..6e3ec35c92 100644 
--- a/src/domains/mock-app/06_aks_middleware_tools.tf +++ b/src/domains/mock-app/06_aks_middleware_tools.tf @@ -1,6 +1,6 @@ module "tls_checker" { - count = var.env_short == "d" ? 1 : 0 + count = var.mock_enabled ? 1 : 0 source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//tls_checker?ref=v6.7.0" https_endpoint = local.mock_hostname @@ -21,7 +21,7 @@ module "tls_checker" { } resource "helm_release" "cert_mounter" { - count = var.env_short == "d" ? 1 : 0 + count = var.mock_enabled ? 1 : 0 name = "cert-mounter-blueprint" repository = "https://pagopa.github.io/aks-helm-cert-mounter-blueprint" chart = "cert-mounter-blueprint" @@ -43,7 +43,7 @@ resource "helm_release" "cert_mounter" { } resource "helm_release" "reloader" { - count = var.env_short == "d" ? 1 : 0 + count = var.mock_enabled ? 1 : 0 name = "reloader" repository = "https://stakater.github.io/stakater-charts" chart = "reloader" diff --git a/src/domains/mock-app/99_variables.tf b/src/domains/mock-app/99_variables.tf index 43298b05a6..44442278c1 100644 --- a/src/domains/mock-app/99_variables.tf +++ b/src/domains/mock-app/99_variables.tf @@ -215,3 +215,10 @@ variable "lb_aks" { description = "IP load balancer AKS Nexi/SIA" default = "0.0.0.0" } + + +variable "mock_enabled" { + type = bool + description = "mock enabled on this environment" + default = false +} diff --git a/src/domains/mock-app/README.md b/src/domains/mock-app/README.md index 1cd335b581..f2e0ce9a78 100644 --- a/src/domains/mock-app/README.md +++ b/src/domains/mock-app/README.md 
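Review bot: The description `"mock enabled on this environment"` does not say what this flag controls, and it sits next to the per-component flags `mock_ec_enabled`, `mock_payment_gateway_enabled` and `mock_psp_service_enabled` (visible in the README table), so a reader will take it for a master switch for all mocks, whereas the hunks in this patch only use it to gate the AKS mock namespace, pod identity, letsencrypt credential, Azure DevOps service account and the cert-mounter, reloader and tls-checker releases. Suggested: `description = "Deploy the mock-app AKS namespace and its supporting resources (pod identity, letsencrypt credential, Azure DevOps service account, cert-mounter, reloader, tls-checker) in this environment"`.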
@@ -99,7 +99,7 @@ | [apim\_dns\_zone\_prefix](#input\_apim\_dns\_zone\_prefix) | The dns subdomain for apim. | `string` | `null` | no | | [cidr\_subnet\_mock\_ec](#input\_cidr\_subnet\_mock\_ec) | Address prefixes subnet mock ec | `list(string)` | `null` | no | | [cidr\_subnet\_mock\_payment\_gateway](#input\_cidr\_subnet\_mock\_payment\_gateway) | Address prefixes subnet mock payment\_gateway | `list(string)` | `null` | no | -| [ddos\_protection\_plan](#input\_ddos\_protection\_plan) | Network |
object({
id = string
enable = bool
})
| `null` | no | +| [ddos\_protection\_plan](#input\_ddos\_protection\_plan) | Network |
object({
id = string
enable = bool
})
| `null` | no | | [dns\_zone\_internal\_prefix](#input\_dns\_zone\_internal\_prefix) | The dns internal subdomain. | `string` | `null` | no | | [dns\_zone\_prefix](#input\_dns\_zone\_prefix) | The dns subdomain. | `string` | `null` | no | | [domain](#input\_domain) | n/a | `string` | n/a | yes | @@ -119,6 +119,7 @@ | [mock\_ec\_secondary\_enabled](#input\_mock\_ec\_secondary\_enabled) | Mock Secondary EC enabled | `bool` | `false` | no | | [mock\_ec\_size](#input\_mock\_ec\_size) | Mock EC Plan size | `string` | `"S1"` | no | | [mock\_ec\_tier](#input\_mock\_ec\_tier) | Mock EC Plan tier | `string` | `"Standard"` | no | +| [mock\_enabled](#input\_mock\_enabled) | mock enabled on this environment | `bool` | `false` | no | | [mock\_payment\_gateway\_always\_on](#input\_mock\_payment\_gateway\_always\_on) | Mock payment gateway always on property | `bool` | `false` | no | | [mock\_payment\_gateway\_enabled](#input\_mock\_payment\_gateway\_enabled) | Mock payment gateway enabled | `bool` | `false` | no | | [mock\_payment\_gateway\_size](#input\_mock\_payment\_gateway\_size) | Mock payment gateway Plan size | `string` | `"S1"` | no | @@ -127,8 +128,8 @@ | [mock\_psp\_service\_enabled](#input\_mock\_psp\_service\_enabled) | Mock PSP service Nexi | `bool` | `false` | no | | [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes | | [prefix](#input\_prefix) | n/a | `string` | n/a | yes | -| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | -| [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | +| [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | ## Outputs diff --git a/src/domains/mock-app/env/weu-dev/terraform.tfvars b/src/domains/mock-app/env/weu-dev/terraform.tfvars index 60d0e54222..9bcacbbd14 100644 --- a/src/domains/mock-app/env/weu-dev/terraform.tfvars +++ b/src/domains/mock-app/env/weu-dev/terraform.tfvars @@ -45,3 +45,6 @@ tls_cert_check_helm = { image_name = "ghcr.io/pagopa/infra-ssl-check" image_tag = "v1.2.2@sha256:22f4b53177cc8891bf10cbd0deb39f60e1cd12877021c3048a01e7738f63e0f9" } + + +mock_enabled = true diff --git a/src/domains/mock-app/env/weu-uat/terraform.tfvars b/src/domains/mock-app/env/weu-uat/terraform.tfvars index 97a83522d1..0eefa22e92 100644 --- a/src/domains/mock-app/env/weu-uat/terraform.tfvars +++ b/src/domains/mock-app/env/weu-uat/terraform.tfvars @@ -47,3 +47,5 @@ tls_cert_check_helm = { image_name = "ghcr.io/pagopa/infra-ssl-check" image_tag = "v1.2.2@sha256:22f4b53177cc8891bf10cbd0deb39f60e1cd12877021c3048a01e7738f63e0f9" } + +mock_enabled = false diff --git a/src/domains/nodo-app/03_serviceaccounts_azure_devops.tf b/src/domains/nodo-app/03_serviceaccounts_azure_devops.tf index e6f9093d60..5a6a40bd4e 100644 --- a/src/domains/nodo-app/03_serviceaccounts_azure_devops.tf +++ b/src/domains/nodo-app/03_serviceaccounts_azure_devops.tf @@ -64,7 +64,7 @@ resource "kubernetes_role_binding" "deployer_binding" { resource "kubernetes_role_binding" "deployer_binding_2" { metadata { name = "deployer-binding-2" - namespace = "nodo-cron" # kubernetes_namespace.namespace.metadata[0].name + namespace = "nodo-cron" # kubernetes_namespace.namespace.metadata[0].name } role_ref { api_group = "rbac.authorization.k8s.io" 
@@ -110,3 +110,22 @@ resource "kubernetes_role_binding" "system_deployer_binding_2" {
 namespace = kubernetes_namespace.namespace_system.metadata[0].name
 }
 }
+
+resource "kubernetes_role_binding" "kube_system_reader_binding" {
+ metadata {
+ name = "kube-system-reader-${var.domain}"
+ namespace = "kube-system"
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "kube-system-reader"
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = "azure-devops"
+ namespace = kubernetes_namespace.namespace_system.metadata[0].name
+ }
+}
+
+
diff --git a/src/domains/nodo-app/README.md b/src/domains/nodo-app/README.md
index 3cdf9d0ebf..a2a4bbe887 100644
--- a/src/domains/nodo-app/README.md
+++ b/src/domains/nodo-app/README.md
@@ -215,6 +215,7 @@
 | [kubernetes_pod_disruption_budget_v1.nodo](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_disruption_budget_v1) | resource |
 | [kubernetes_role_binding.deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
 | [kubernetes_role_binding.deployer_binding_2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
+| [kubernetes_role_binding.kube_system_reader_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
 | [kubernetes_role_binding.system_deployer_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
 | [kubernetes_role_binding.system_deployer_binding_2](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
 | [kubernetes_service_account.azure_devops](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
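Review bot: The new `kube_system_reader_binding` grants the `azure-devops` service account whatever ClusterRole `kube-system-reader` contains, but that ClusterRole is neither created nor referenced anywhere in this diff, and the API server accepts a RoleBinding whose `role_ref` does not exist, so the binding grants nothing until the role appears and then grants whatever it holds at that time. The hunk should say where the role is defined and what it allows, and if it is Terraform-managed add a `depends_on` so the binding is not created first; a comment above the resource such as `# Read-only view of kube-system for the CI service account; ClusterRole kube-system-reader is defined in <module/file> and must not include secrets` would do. If the role does cover `secrets` in `kube-system`, this is a considerable grant for a CI identity and should be narrowed before merging, which I cannot verify from the hunk.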
@@ -282,7 +283,7 @@ | [apim\_dns\_zone\_prefix](#input\_apim\_dns\_zone\_prefix) | The dns subdomain for apim. | `string` | `null` | no | | [apim\_nodo\_auth\_decoupler\_enable](#input\_apim\_nodo\_auth\_decoupler\_enable) | Apply decoupler to nodo-auth product apim policy | `bool` | `true` | no | | [apim\_nodo\_decoupler\_enable](#input\_apim\_nodo\_decoupler\_enable) | Apply decoupler to nodo product apim policy | `bool` | `true` | no | -| [app\_gateway\_allowed\_paths\_pagopa\_onprem\_only](#input\_app\_gateway\_allowed\_paths\_pagopa\_onprem\_only) | Allowed paths from pagopa onprem only |
object({
paths = list(string)
ips = list(string)
})
| n/a | yes | +| [app\_gateway\_allowed\_paths\_pagopa\_onprem\_only](#input\_app\_gateway\_allowed\_paths\_pagopa\_onprem\_only) | Allowed paths from pagopa onprem only |
object({
paths = list(string)
ips = list(string)
})
| n/a | yes | | [cidr\_subnet\_vmss](#input\_cidr\_subnet\_vmss) | VMSS network address space. | `list(string)` | n/a | yes | | [cname\_record\_name](#input\_cname\_record\_name) | n/a | `string` | `"config"` | no | | [create\_wisp\_converter](#input\_create\_wisp\_converter) | CREATE WISP dismantling system infra | `bool` | `false` | no | @@ -309,37 +310,37 @@ | [nodo\_pagamenti\_auth\_password](#input\_nodo\_pagamenti\_auth\_password) | Default password used for nodo-auth | `string` | `"PLACEHOLDER"` | no | | [nodo\_pagamenti\_subkey\_required](#input\_nodo\_pagamenti\_subkey\_required) | Enabled subkeys for nodo dei pagamenti api | `bool` | `false` | no | | [nodo\_pagamenti\_x\_forwarded\_for](#input\_nodo\_pagamenti\_x\_forwarded\_for) | X-Forwarded-For IP address used for nodo-auth | `string` | n/a | yes | -| [nodo\_re\_to\_datastore\_function](#input\_nodo\_re\_to\_datastore\_function) | Nodo RE to datastore function |
object({
always_on = bool
kind = string
sku_size = string
sku_tier = string
maximum_elastic_worker_count = number
})
|
{
"always_on": true,
"kind": "Linux",
"maximum_elastic_worker_count": 1,
"sku_size": "B1",
"sku_tier": "Basic"
}
| no | +| [nodo\_re\_to\_datastore\_function](#input\_nodo\_re\_to\_datastore\_function) | Nodo RE to datastore function |
object({
always_on = bool
kind = string
sku_size = string
sku_tier = string
maximum_elastic_worker_count = number
})
|
{
"always_on": true,
"kind": "Linux",
"maximum_elastic_worker_count": 1,
"sku_size": "B1",
"sku_tier": "Basic"
}
| no | | [nodo\_re\_to\_datastore\_function\_app\_image\_tag](#input\_nodo\_re\_to\_datastore\_function\_app\_image\_tag) | Nodo RE to Datastore function app docker image tag. Defaults to 'latest' | `string` | `"latest"` | no | -| [nodo\_re\_to\_datastore\_function\_autoscale](#input\_nodo\_re\_to\_datastore\_function\_autoscale) | Nodo RE functions autoscaling parameters |
object({
default = number
minimum = number
maximum = number
})
| n/a | yes | +| [nodo\_re\_to\_datastore\_function\_autoscale](#input\_nodo\_re\_to\_datastore\_function\_autoscale) | Nodo RE functions autoscaling parameters |
object({
default = number
minimum = number
maximum = number
})
| n/a | yes | | [nodo\_re\_to\_datastore\_function\_subnet](#input\_nodo\_re\_to\_datastore\_function\_subnet) | Address prefixes subnet | `list(string)` | `null` | no | | [nodo\_re\_to\_datastore\_network\_policies\_enabled](#input\_nodo\_re\_to\_datastore\_network\_policies\_enabled) | Network policies enabled | `bool` | `false` | no | -| [nodo\_re\_to\_tablestorage\_function](#input\_nodo\_re\_to\_tablestorage\_function) | Nodo RE to datastore function |
object({
always_on = bool
kind = string
sku_size = string
sku_tier = string
maximum_elastic_worker_count = number
})
| n/a | yes | +| [nodo\_re\_to\_tablestorage\_function](#input\_nodo\_re\_to\_tablestorage\_function) | Nodo RE to datastore function |
object({
always_on = bool
kind = string
sku_size = string
sku_tier = string
maximum_elastic_worker_count = number
})
| n/a | yes | | [nodo\_re\_to\_tablestorage\_function\_app\_image\_tag](#input\_nodo\_re\_to\_tablestorage\_function\_app\_image\_tag) | Nodo RE to Table Storage function app docker image tag. Defaults to 'latest' | `string` | `"latest"` | no | -| [nodo\_re\_to\_tablestorage\_function\_autoscale](#input\_nodo\_re\_to\_tablestorage\_function\_autoscale) | Nodo RE functions autoscaling parameters |
object({
default = number
minimum = number
maximum = number
})
| n/a | yes | +| [nodo\_re\_to\_tablestorage\_function\_autoscale](#input\_nodo\_re\_to\_tablestorage\_function\_autoscale) | Nodo RE functions autoscaling parameters |
object({
default = number
minimum = number
maximum = number
})
| n/a | yes | | [nodo\_re\_to\_tablestorage\_function\_subnet](#input\_nodo\_re\_to\_tablestorage\_function\_subnet) | Address prefixes subnet | `list(string)` | `null` | no | | [nodo\_re\_to\_tablestorage\_network\_policies\_enabled](#input\_nodo\_re\_to\_tablestorage\_network\_policies\_enabled) | Network policies enabled | `bool` | `false` | no | -| [nodo\_user\_node\_pool](#input\_nodo\_user\_node\_pool) | AKS node pool user configuration |
object({
enabled = bool,
name = string,
vm_size = string,
os_disk_type = string,
os_disk_size_gb = string,
node_count_min = number,
node_count_max = number,
node_labels = map(any),
node_taints = list(string),
node_tags = map(any),
nodo_pool_max_pods = number,
})
| n/a | yes | -| [nodo\_verifyko\_to\_datastore\_function](#input\_nodo\_verifyko\_to\_datastore\_function) | Nodo Verify KO events to datastore function |
object({
always_on = bool
kind = string
sku_size = string
sku_tier = string
maximum_elastic_worker_count = number
zone_balancing_enabled = bool
})
| n/a | yes | +| [nodo\_user\_node\_pool](#input\_nodo\_user\_node\_pool) | AKS node pool user configuration |
object({
enabled = bool,
name = string,
vm_size = string,
os_disk_type = string,
os_disk_size_gb = string,
node_count_min = number,
node_count_max = number,
node_labels = map(any),
node_taints = list(string),
node_tags = map(any),
nodo_pool_max_pods = number,
})
| n/a | yes | +| [nodo\_verifyko\_to\_datastore\_function](#input\_nodo\_verifyko\_to\_datastore\_function) | Nodo Verify KO events to datastore function |
object({
always_on = bool
kind = string
sku_size = string
sku_tier = string
maximum_elastic_worker_count = number
zone_balancing_enabled = bool
})
| n/a | yes | | [nodo\_verifyko\_to\_datastore\_function\_app\_image\_tag](#input\_nodo\_verifyko\_to\_datastore\_function\_app\_image\_tag) | Nodo Verify KO to Datastore function app docker image tag. Defaults to 'latest' | `string` | `"latest"` | no | -| [nodo\_verifyko\_to\_datastore\_function\_autoscale](#input\_nodo\_verifyko\_to\_datastore\_function\_autoscale) | Nodo Verify KO event functions autoscaling parameters |
object({
default = number
minimum = number
maximum = number
})
| n/a | yes | +| [nodo\_verifyko\_to\_datastore\_function\_autoscale](#input\_nodo\_verifyko\_to\_datastore\_function\_autoscale) | Nodo Verify KO event functions autoscaling parameters |
object({
default = number
minimum = number
maximum = number
})
| n/a | yes | | [nodo\_verifyko\_to\_datastore\_function\_subnet](#input\_nodo\_verifyko\_to\_datastore\_function\_subnet) | Address prefixes subnet | `list(string)` | `null` | no | | [nodo\_verifyko\_to\_datastore\_network\_policies\_enabled](#input\_nodo\_verifyko\_to\_datastore\_network\_policies\_enabled) | Network policies enabled | `bool` | `false` | no | -| [nodo\_verifyko\_to\_tablestorage\_function](#input\_nodo\_verifyko\_to\_tablestorage\_function) | Nodo Verify KO events to table storage function |
object({
always_on = bool
kind = string
sku_size = string
sku_tier = string
maximum_elastic_worker_count = number
zone_balancing_enabled = bool
})
| n/a | yes | +| [nodo\_verifyko\_to\_tablestorage\_function](#input\_nodo\_verifyko\_to\_tablestorage\_function) | Nodo Verify KO events to table storage function |
object({
always_on = bool
kind = string
sku_size = string
sku_tier = string
maximum_elastic_worker_count = number
zone_balancing_enabled = bool
})
| n/a | yes | | [nodo\_verifyko\_to\_tablestorage\_function\_app\_image\_tag](#input\_nodo\_verifyko\_to\_tablestorage\_function\_app\_image\_tag) | Nodo Verify KO events to Table Storage function app docker image tag. Defaults to 'latest' | `string` | `"latest"` | no | -| [nodo\_verifyko\_to\_tablestorage\_function\_autoscale](#input\_nodo\_verifyko\_to\_tablestorage\_function\_autoscale) | Nodo Verify KO events to Table Storage functions autoscaling parameters |
object({
default = number
minimum = number
maximum = number
})
| n/a | yes | +| [nodo\_verifyko\_to\_tablestorage\_function\_autoscale](#input\_nodo\_verifyko\_to\_tablestorage\_function\_autoscale) | Nodo Verify KO events to Table Storage functions autoscaling parameters |
object({
default = number
minimum = number
maximum = number
})
| n/a | yes | | [nodo\_verifyko\_to\_tablestorage\_function\_subnet](#input\_nodo\_verifyko\_to\_tablestorage\_function\_subnet) | Address prefixes subnet | `list(string)` | `null` | no | | [nodo\_verifyko\_to\_tablestorage\_network\_policies\_enabled](#input\_nodo\_verifyko\_to\_tablestorage\_network\_policies\_enabled) | Network policies enabled | `bool` | `false` | no | -| [pod\_disruption\_budgets](#input\_pod\_disruption\_budgets) | Pod disruption budget for domain namespace |
map(object({
name = optional(string, null)
minAvailable = optional(number, null)
matchLabels = optional(map(any), {})
}))
| `{}` | no | +| [pod\_disruption\_budgets](#input\_pod\_disruption\_budgets) | Pod disruption budget for domain namespace |
map(object({
name = optional(string, null)
minAvailable = optional(number, null)
matchLabels = optional(map(any), {})
}))
| `{}` | no | | [prefix](#input\_prefix) | n/a | `string` | n/a | yes | -| [route\_aks](#input\_route\_aks) | AKS routing table |
list(object({
name = string
address_prefix = string
next_hop_type = string
next_hop_in_ip_address = string
}))
| n/a | yes | -| [storage\_account\_info](#input\_storage\_account\_info) | Storage account |
object({
account_kind = string
account_tier = string
account_replication_type = string
access_tier = string
advanced_threat_protection_enable = bool
})
|
{
"access_tier": "Hot",
"account_kind": "StorageV2",
"account_replication_type": "LRS",
"account_tier": "Standard",
"advanced_threat_protection_enable": true
}
| no | -| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | -| [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | +| [route\_aks](#input\_route\_aks) | AKS routing table |
list(object({
name = string
address_prefix = string
next_hop_type = string
next_hop_in_ip_address = string
}))
| n/a | yes | +| [storage\_account\_info](#input\_storage\_account\_info) | Storage account |
object({
account_kind = string
account_tier = string
account_replication_type = string
access_tier = string
advanced_threat_protection_enable = bool
})
|
{
"access_tier": "Hot",
"account_kind": "StorageV2",
"account_replication_type": "LRS",
"account_tier": "Standard",
"advanced_threat_protection_enable": true
}
| no | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | +| [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | | [vmss\_instance\_number](#input\_vmss\_instance\_number) | availability zones for vmss | `number` | n/a | yes | | [vmss\_zones](#input\_vmss\_zones) | availability zones for vmss | `list(string)` | n/a | yes | -| [wfesp\_dismantling](#input\_wfesp\_dismantling) | n/a |
object({
channel_list = string
wfesp_fixed_url = string
})
| n/a | yes | -| [wisp\_converter](#input\_wisp\_converter) | n/a |
object({
enable_apim_switch = bool # enable WISP dismantling
brokerPSP_whitelist = string
channel_whitelist = string
nodoinviarpt_paymenttype_whitelist = string
dismantling_primitives = string
dismantling_rt_primitives = string
checkout_predefined_expiration_time = number
wisp_ecommerce_channels = string
})
| n/a | yes | +| [wfesp\_dismantling](#input\_wfesp\_dismantling) | n/a |
object({
channel_list = string
wfesp_fixed_url = string
})
| n/a | yes | +| [wisp\_converter](#input\_wisp\_converter) | n/a |
object({
enable_apim_switch = bool # enable WISP dismantling
brokerPSP_whitelist = string
channel_whitelist = string
nodoinviarpt_paymenttype_whitelist = string
dismantling_primitives = string
dismantling_rt_primitives = string
checkout_predefined_expiration_time = number
wisp_ecommerce_channels = string
})
| n/a | yes | ## Outputs From 8a02559567e2e74bb9f260b115c44e3bfb4402b0 Mon Sep 17 00:00:00 2001 From: Pasquale Spica <36746022+pasqualespica@users.noreply.github.com> Date: Thu, 10 Oct 2024 16:05:35 +0200 Subject: [PATCH 29/41] add: Fix perf-test-env-paymentopt (#2476) fix-perf-test-env-paymentopt --- src/domains/gps-app/04_apim_gpd_core.tf | 24 +++++++++++--------- src/domains/gps-app/04_apim_payments_pull.tf | 2 +- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/src/domains/gps-app/04_apim_gpd_core.tf b/src/domains/gps-app/04_apim_gpd_core.tf index 14e5e63ceb..77f295edd8 100644 --- a/src/domains/gps-app/04_apim_gpd_core.tf +++ b/src/domains/gps-app/04_apim_gpd_core.tf @@ -26,10 +26,12 @@ module "apim_gpd_product" { module "apim_api_gpd_api" { source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v6.11.2" - name = format("%s-api-gpd-api", var.env_short) - api_management_name = local.pagopa_apim_name - resource_group_name = local.pagopa_apim_rg - product_ids = [module.apim_gpd_product.product_id] + name = format("%s-api-gpd-api", var.env_short) + api_management_name = local.pagopa_apim_name + resource_group_name = local.pagopa_apim_rg + product_ids = concat([module.apim_gpd_product.product_id], + var.env_short == "p" ? [] : [module.apim_gpd_payments_pull_product_and_debt_positions_product_test[0].product_id]) + subscription_required = false api_version = "v1" version_set_id = azurerm_api_management_api_version_set.api_gpd_api.id 
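Review bot: As far as the collapsed hunk shows, `subscription_required = false` is a new line in `apim_api_gpd_api` (the realignment of `name` through `product_ids` to the longer key supports that reading), and unlike the test product it is not gated on `var.env_short`, so the gpd-api v1 route would accept calls without a subscription key in every environment, production included. If the goal is only to let the non-prod perf-test product call the API without keys, gate it like the product, e.g. `subscription_required = var.env_short == "p" ? true : false` if the module default was `true`, and add a comment above it stating why. Whether the product-level subscription setting in 04_apim_payments_pull.tf still enforces a key for production callers is not visible here and should be confirmed. The `module "apim_api_gpd_api"` block continues past the end of the hunk.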
@@ -51,10 +53,12 @@ module "apim_api_gpd_api" { module "apim_api_gpd_api_v2" { source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_api?ref=v6.11.2" - name = "${var.env_short}-api-gpd-api" - api_management_name = local.pagopa_apim_name - resource_group_name = local.pagopa_apim_rg - product_ids = [module.apim_gpd_product.product_id] + name = "${var.env_short}-api-gpd-api" + api_management_name = local.pagopa_apim_name + resource_group_name = local.pagopa_apim_rg + product_ids = concat([module.apim_gpd_product.product_id], + var.env_short == "p" ? [] : [module.apim_gpd_payments_pull_product_and_debt_positions_product_test[0].product_id]) + subscription_required = false api_version = "v2" version_set_id = azurerm_api_management_api_version_set.api_gpd_api.id @@ -122,9 +126,7 @@ module "apim_api_debt_positions_api_v1" { name = format("%s-debt-positions-service-api", local.product) api_management_name = local.pagopa_apim_name resource_group_name = local.pagopa_apim_rg - product_ids = concat( - [module.apim_debt_positions_product.product_id, module.apim_aca_integration_product.product_id, module.apim_gpd_integration_product.product_id], - var.env_short == "p" ? [] : [module.apim_gpd_payments_pull_product_and_debt_positions_product_test[0].product_id]) + product_ids = [module.apim_debt_positions_product.product_id, module.apim_aca_integration_product.product_id, module.apim_gpd_integration_product.product_id] subscription_required = local.apim_debt_positions_service_api.subscription_required version_set_id = azurerm_api_management_api_version_set.api_debt_positions_api.id diff --git a/src/domains/gps-app/04_apim_payments_pull.tf b/src/domains/gps-app/04_apim_payments_pull.tf index b4114bcc54..d5d0c2b864 100644 --- a/src/domains/gps-app/04_apim_payments_pull.tf +++ b/src/domains/gps-app/04_apim_payments_pull.tf 
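Review bot: `apim_api_gpd_api_v2` now repeats verbatim the `concat([module.apim_gpd_product.product_id], var.env_short == "p" ? [] : [...[0].product_id])` expression from the v1 module in the previous hunk, so the two versions can drift apart on the next change; a single `gpd_api_product_ids = concat(...)` entry in `locals` referenced by both modules would keep them aligned and give the non-prod test-product attachment one place for a why-comment. The newly added `subscription_required = false` appears here as well without an environment guard and deserves the same scrutiny as in v1. The third hunk on this line only removes the test product from `apim_api_debt_positions_api_v1`, which matches the stated move. The `module "apim_api_gpd_api_v2"` block continues past the hunk.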
@@ -24,7 +24,7 @@ module "apim_gpd_payments_pull_product" { ###################################################### ## GPD Payments Pull Test Products ## ## 1. product_id = "gpd-payments-pull ## -## 2. product_id = "debt-positions" ## +## 2. product_id = "product-gpd" ## ###################################################### From a1dc93fd7810b26b421faa5fc3ef7722859b7e32 Mon Sep 17 00:00:00 2001 From: FedericoRuzzier <49512050+FedericoRuzzier@users.noreply.github.com> Date: Thu, 10 Oct 2024 17:18:53 +0200 Subject: [PATCH 30/41] PAGOPA-2127 removing company name from input (#2441) * PAGOPA-2127 removing company name from input * [PAGOPA-2128] feat: Add payStandIn param * [PAGOPA-2128] feat: Update payStandIn param * fix2 --------- Co-authored-by: AngeloCaporaso Co-authored-by: pasqualespica <36746022+pasqualespica@users.noreply.github.com> --- src/domains/aca-app/api/aca/v1/_openapi.json.tpl | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/src/domains/aca-app/api/aca/v1/_openapi.json.tpl b/src/domains/aca-app/api/aca/v1/_openapi.json.tpl index 36f8c2e179..84922004b6 100644 --- a/src/domains/aca-app/api/aca/v1/_openapi.json.tpl +++ b/src/domains/aca-app/api/aca/v1/_openapi.json.tpl @@ -213,7 +213,6 @@ "type": "object", "required": [ "paFiscalCode", - "companyName", "entityType", "entityFiscalCode", "entityFullName", @@ -230,12 +229,6 @@ "minLength": 11, "maxLength": 11 }, - "companyName": { - "type": "string", - "example": "Company name", - "minLength": 1, - "maxLength": 140 - }, "entityType": { "type": "string", "example": "G", @@ -297,6 +290,11 @@ "type": "boolean", "example": true, "default": false + }, + "payStandIn": { + "type": "boolean", + "example": true, + "default": true } } }, @@ -350,7 +348,7 @@ } }, "AmountEuroCents": { - "description": "Amount for payments, in euro cents", + "description": "Amount for payments, in eurocents", "type": "integer", "example": 100, "minimum": 0, 
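Review bot: The new `payStandIn` property has an `example` and a `default` but no `description`, so consumers of the generated spec cannot tell what stand-in means for the payment or why it is on by default; since `"default": true` silently changes behaviour for existing callers that omit the field, add a description next to it, e.g. `"description": "Whether the payment may be handled in stand-in mode; defaults to true when omitted"`, with the exact wording confirmed by the service owner. It is also worth checking that the removed `companyName` is not still present in an example payload elsewhere in the template, which the hunk does not show. The enclosing schema object begins before and ends after the hunk.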
From 540069059bc42d45d3a051324f922426498ec060 Mon Sep 17 00:00:00 2001 From: ffppa Date: Fri, 11 Oct 2024 11:04:47 +0200 Subject: [PATCH 31/41] feat: [PAYMCLOUD-101] add new GitHub action template to sparse checkout modified folders (#2475) * Simplify static analysis workflow using GitHub action Replaced custom Python script with a standardized GitHub action template to determine modified folders for sparse checkout. Ensures consistency, reduces complexity, and leverages improved functionality for path management. Signed-off-by: Fabio Felici * Test Signed-off-by: Fabio Felici * Update conditions for static analysis trigger Replaced the 'run_static_analysis' environment variable with 'dir_changes_detected' to conditionally trigger static analysis. Also, removed a commented-out test line from the loadbalancer.yaml.tpl file. Signed-off-by: Fabio Felici * Update GitHub Action for modified paths Updated the GitHub Action to use a stable version for getting modified paths. This replaces the previous usage with a specific branch reference, ensuring consistency and predictability. Signed-off-by: Fabio Felici * Update GitHub Action for modified paths Updated the GitHub Action to use a specific branch reference for getting modified paths. This replaces the previous stable version, ensuring consistency and predictability. Signed-off-by: Fabio Felici * Update folder depth parameters in workflow Changed 'starting_index' to 'start_folder' and 'default_end_index' to 'default_end_folder_depth' for better clarity and consistency in the static analysis workflow configuration. This improves readability and ensures that the folder depth parameters are more intuitive. Signed-off-by: Fabio Felici * Update action version in static_analysis_pr.yml Changed the action for getting modified paths to use version v1.19.0. This ensures better compatibility and stability compared to the previously referenced custom branch. Signed-off-by: Fabio Felici --------- 
Signed-off-by: Fabio Felici --- .github/workflows/static_analysis_pr.yml | 144 ++--------------------- 1 file changed, 7 insertions(+), 137 deletions(-) diff --git a/.github/workflows/static_analysis_pr.yml b/.github/workflows/static_analysis_pr.yml index d5fe7ea749..fd183cee12 100644 --- a/.github/workflows/static_analysis_pr.yml +++ b/.github/workflows/static_analysis_pr.yml 
@@ -13,146 +13,16 @@ jobs: - run: | rm -rf * - - name: ⏬ Checkout Repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: '3.x' - - - name: Install necessary packages - run: python -m pip install --upgrade pip - - name: 🔨 Get Modified Paths id: get-paths - run: | - import os - import subprocess - - IGNORED_PATHS = ["domains", "scripts", "github", ".devops"] - - def get_current_branch(): - result = subprocess.run(["git", "rev-parse", "--abbrev-ref", "HEAD"], capture_output=True, text=True) - return result.stdout.strip() - - def get_git_diff(current_branch): - subprocess.run(["git", "fetch", "origin"]) - result = subprocess.run(["git", "diff", "--name-only", current_branch, "origin/main"], capture_output=True, text=True) - with open('/tmp/diff.txt', 'w') as f: - f.write(result.stdout) - - def get_required_path(path): - # Split the path into its components - parts = path.split(os.sep) - - # Find the index of "src" and "domains" - try: - start_index = parts.index("src") # Find "src" - - # Check if "domains" is present and get up one higher level - if "domains" in parts[start_index:]: - domains_index = parts.index("domains", start_index) - if len(parts) > domains_index + 2: # Ensure there is a level after "domains" - end_index = 3 # Exclude the last part - # Include the parent of "domains" and all up to the second last part - return os.sep.join(parts[start_index:end_index]) - else: - return "" - else: # Handle paths not containing 'domains' - if len(parts) > start_index + 2: # Ensure there is enough depth - end_index = 2 # Exclude the last part - return os.sep.join(parts[start_index:end_index]) - else: - return "" - except (ValueError, IndexError) as e: - return "" - - - - def get_modified_paths(pattern, exclude_ignored=True): - with open('/tmp/diff.txt') as f: - lines = f.readlines() - if exclude_ignored: - paths = [ - line.strip() - for line in lines - if not any(ignored in 
line for ignored in IGNORED_PATHS) - ] - else: - paths = [line.strip() for line in lines if pattern in line] - # Removing duplicates and sorting - unique_paths = sorted(set([ - get_required_path(path) - for path in paths if path - ])) - return unique_paths - - def write_to_file(content, filepath): - with open(filepath, 'w') as f: - f.write(content) - - def main(): - current_branch = get_current_branch() - print(f"Current branch: {current_branch}") - - get_git_diff(current_branch) - - modified_paths_source = get_modified_paths('src/', exclude_ignored=True) - print(f"Modified paths in source: {modified_paths_source}") - - modified_paths_domains = get_modified_paths('domains', exclude_ignored=False) - print(f"Modified paths in domains: {modified_paths_domains}") - - modified_paths = "\n".join(modified_paths_source + modified_paths_domains) - print(f"📌 Modified paths: {modified_paths}") - - write_to_file(modified_paths, "/tmp/paths.txt") - - if any("src/" in path for path in modified_paths.split()): - print("src folder modified.") - with open(os.getenv('GITHUB_ENV'), 'a') as f: - f.write('run_static_analysis=true\n') - else: - print("src folder not modified.") - with open(os.getenv('GITHUB_ENV'), 'a') as f: - f.write('run_static_analysis=false\n') - if __name__ == "__main__": - main() - shell: python - - - name: Read modified paths - if: env.run_static_analysis == 'true' - id: read_paths - run: | - modified_paths=$(cat /tmp/paths.txt) - echo "Modified paths: $modified_paths" - echo "::set-output name=modified_paths::$modified_paths" - - - name: ⏬ Download Modified Folders Only - if: env.run_static_analysis == 'true' - id: download_changed_folders - shell: bash - run: | - # Read all paths and download only the modified folders - MODIFIED_FOLDERS=($(cat /tmp/paths.txt)) - - # Include 'scripts' in the list of directories to checkout - MODIFIED_FOLDERS+=("scripts") - - # Initialize git sparse-checkout - git sparse-checkout init --cone - - # Set each path in 
MODIFIED_FOLDERS for sparse-checkout - git sparse-checkout set "${MODIFIED_FOLDERS[@]}" - - # Checkout the latest changes - git checkout + uses: pagopa/eng-github-actions-iac-template/global/get-modifed-folders@v1.19.0 + with: + start_folder: "src" + default_end_folder_depth: 3 + include_patterns: "src,domains" - name: 👀 See folders downloaded - if: env.run_static_analysis == 'true' + if: env.dir_changes_detected == 'true' id: see shell: bash run: | @@ -160,7 +30,7 @@ jobs: du -h -d 3 . - name: Static Analysis - if: env.run_static_analysis == 'true' + if: env.dir_changes_detected == 'true' uses: pagopa/eng-github-actions-iac-template/azure/terraform-static-analysis@v1.14.1 with: precommit_version: 'v1.89.1@sha256:1ea921bc4fe87651d41677218e537afdcdb8202e757e554b9866668eaba144c5' From 3f515b0266f41a833e78b994d9290b4ebf2c959d Mon Sep 17 00:00:00 2001 From: ciuffagianluca <113357981+ciuffagianluca@users.noreply.github.com> Date: Mon, 14 Oct 2024 09:17:46 +0200 Subject: [PATCH 32/41] feat: (alerts) CHK-3231 Modify the query to make availability traffic-dependent (#2446) * edit query to make availability parametric by the request number * set low traffic availability to 90% * remove toint function applied to availability * set availability high traffic to 99 percent * fix availability params --------- Co-authored-by: Gianluca Ciuffa Co-authored-by: Simone infante <52280205+infantesimone@users.noreply.github.com> --- src/domains/ecommerce-common/00_alerts.tf | 22 ++++++++- src/domains/pay-wallet-common/00_alerts.tf | 57 +++++++++++++++++++--- 2 files changed, 71 insertions(+), 8 deletions(-) diff --git a/src/domains/ecommerce-common/00_alerts.tf b/src/domains/ecommerce-common/00_alerts.tf index da86f6f4a8..d91ceeddc7 100644 --- a/src/domains/ecommerce-common/00_alerts.tf +++ b/src/domains/ecommerce-common/00_alerts.tf 
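Review bot: The new step pins `get-modifed-folders` to the mutable tag `@v1.19.0`; for a step that now performs the checkout and decides which folders get analysed, pin to the full commit SHA with the tag as a trailing comment, `uses: pagopa/eng-github-actions-iac-template/global/get-modifed-folders@<40-char-sha> # v1.19.0`, consistent with the digest pinning already used for `precommit_version`. The hunk also drops the explicit `actions/checkout` with `fetch-depth: 0`, so the diff against `origin/main` must now be performed inside the action, which is worth a one-line comment on the step. The following steps read `env.dir_changes_detected`, which nothing in this workflow sets, so they depend on the action exporting it to `GITHUB_ENV`; that should be confirmed against the action's documentation. The `jobs`/`steps` definition begins before the hunk.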
@@ -48,14 +48,23 @@ resource "azurerm_monitor_scheduled_query_rules_alert" "ecommerce_for_checkout_a
 description = "eCommerce Availability less than or equal 99%"
 enabled = true
 query = (<<-QUERY
+let thresholdTrafficMin = 150;
+let thresholdTrafficLinear = 400;
+let lowTrafficAvailability = 96;
+let highTrafficAvailability = 99;
+let thresholdDelta = thresholdTrafficLinear - thresholdTrafficMin;
+let availabilityDelta = highTrafficAvailability - lowTrafficAvailability;
 AzureDiagnostics
 | where url_s startswith 'https://api.platform.pagopa.it/ecommerce/checkout/'
 | summarize Total=count(), Success=countif(responseCode_d < 500 or url_s startswith "https://api.platform.pagopa.it/ecommerce/checkout/v1/payment-requests" and ( responseCode_d == 502 or responseCode_d == 504)) by Time = bin(TimeGenerated, 15m)
+| extend trafficUp = Total-thresholdTrafficMin
+| extend deltaRatio = todouble(todouble(trafficUp)/todouble(thresholdDelta))
+| extend expectedAvailability = iff(Total >= thresholdTrafficLinear, toreal(highTrafficAvailability), iff(Total <= thresholdTrafficMin, toreal(lowTrafficAvailability), (deltaRatio*(availabilityDelta))+lowTrafficAvailability))
 | extend Availability=((Success * 1.0) / Total) * 100
-| where toint(Availability) < 90
+| where Availability < expectedAvailability
 QUERY
 )
 severity = 1
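Review bot: The `description` on the first context line still reads "eCommerce Availability less than or equal 99%", but the new query alerts against `expectedAvailability`, which ramps from 96% at 150 requests per 15-minute bin to 99% at 400, so the description no longer states the threshold that actually fires; the same mismatch is in the other five alerts of this commit (ecommerce_for_app_io_v2 and payment_wallet_for_io use 94–98%, and the three remaining pay-wallet alerts 90–99% or 80–99%), where "less than 99%" is now wrong for the low-traffic range. Suggest a description such as `description = "eCommerce Availability below traffic-dependent threshold (96% at <=150 req/15m, linear to 99% at >=400 req/15m)"`, plus a one-line KQL comment above the let block, `// expected availability ramps linearly from lowTrafficAvailability at thresholdTrafficMin requests per bin to highTrafficAvailability at thresholdTrafficLinear`. As a point of style, the six copies of the interpolation pipeline differ only in the four constants, so the constants could live in Terraform locals interpolated into the heredoc, which would stop the copies from drifting. Each resource block begins and ends outside its hunk.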
@@ -219,14 +228,23 @@ resource "azurerm_monitor_scheduled_query_rules_alert" "ecommerce_for_app_io_v2_ description = "eCommerce api for app IO V2 availability less than 99% in the last 30 minutes detected" enabled = true query = (<<-QUERY +let thresholdTrafficMin = 200; +let thresholdTrafficLinear = 500; +let lowTrafficAvailability = 94; +let highTrafficAvailability = 98; +let thresholdDelta = thresholdTrafficLinear - thresholdTrafficMin; +let availabilityDelta = highTrafficAvailability - lowTrafficAvailability; AzureDiagnostics | where url_s startswith 'https://api.platform.pagopa.it/ecommerce/io/v2' | summarize Total=count(), Success=countif(responseCode_d < 500 and DurationMs < 10000) by Time = bin(TimeGenerated, 15m) +| extend trafficUp = Total-thresholdTrafficMin +| extend deltaRatio = todouble(todouble(trafficUp)/todouble(thresholdDelta)) +| extend expectedAvailability = iff(Total >= thresholdTrafficLinear, toreal(highTrafficAvailability), iff(Total <= thresholdTrafficMin, toreal(lowTrafficAvailability), (deltaRatio*(availabilityDelta))+lowTrafficAvailability)) | extend Availability=((Success * 1.0) / Total) * 100 -| where toint(Availability) < 99 +| where Availability < expectedAvailability QUERY ) severity = 1 diff --git a/src/domains/pay-wallet-common/00_alerts.tf b/src/domains/pay-wallet-common/00_alerts.tf index f239db694c..a2692ee456 100644 --- a/src/domains/pay-wallet-common/00_alerts.tf +++ b/src/domains/pay-wallet-common/00_alerts.tf 
@@ -48,14 +48,23 @@ resource "azurerm_monitor_scheduled_query_rules_alert" "payment_wallet_for_io_av description = "Payment Wallet for IO - Availability less than 99% in the last 30 minutes" enabled = true query = (<<-QUERY +let thresholdTrafficMin = 50; +let thresholdTrafficLinear = 100; +let lowTrafficAvailability = 94; +let highTrafficAvailability = 98; +let thresholdDelta = thresholdTrafficLinear - thresholdTrafficMin; +let availabilityDelta = highTrafficAvailability - lowTrafficAvailability; AzureDiagnostics | where url_s startswith 'https://api.platform.pagopa.it/io-payment-wallet/v1' | summarize Total=count(), Success=countif(responseCode_d < 500 and DurationMs < 250) by Time = bin(TimeGenerated, 15m) +| extend trafficUp = Total-thresholdTrafficMin +| extend deltaRatio = todouble(todouble(trafficUp)/todouble(thresholdDelta)) +| extend expectedAvailability = iff(Total >= thresholdTrafficLinear, toreal(highTrafficAvailability), iff(Total <= thresholdTrafficMin, toreal(lowTrafficAvailability), (deltaRatio*(availabilityDelta))+lowTrafficAvailability)) | extend Availability=((Success * 1.0) / Total) * 100 -| where toint(Availability) < 99 +| where Availability < expectedAvailability QUERY ) severity = 1 
@@ -85,14 +94,23 @@ resource "azurerm_monitor_scheduled_query_rules_alert" "payment_wallet_for_webvi description = "Payment Wallet for Webview - Availability less than 99% in the last 30 minutes" enabled = true query = (<<-QUERY +let thresholdTrafficMin = 50; +let thresholdTrafficLinear = 150; +let lowTrafficAvailability = 90; +let highTrafficAvailability = 99; +let thresholdDelta = thresholdTrafficLinear - thresholdTrafficMin; +let availabilityDelta = highTrafficAvailability - lowTrafficAvailability; AzureDiagnostics | where url_s startswith 'https://api.platform.pagopa.it/webview-payment-wallet/v1' | summarize Total=count(), Success=countif(responseCode_d < 500 and DurationMs < 2000) by Time = bin(TimeGenerated, 15m) +| extend trafficUp = Total-thresholdTrafficMin +| extend deltaRatio = todouble(todouble(trafficUp)/todouble(thresholdDelta)) +| extend expectedAvailability = iff(Total >= thresholdTrafficLinear, toreal(highTrafficAvailability), iff(Total <= thresholdTrafficMin, toreal(lowTrafficAvailability), (deltaRatio*(availabilityDelta))+lowTrafficAvailability)) | extend Availability=((Success * 1.0) / Total) * 100 -| where toint(Availability) < 99 +| where Availability < expectedAvailability QUERY ) severity = 1 
@@ -125,14 +143,23 @@ resource "azurerm_monitor_scheduled_query_rules_alert" "payment_wallet_for_ecomm description = "Payment Wallet for eCommerce V1 - Availability less than 99% in the last 30 minutes" enabled = true query = (<<-QUERY +let thresholdTrafficMin = 20; +let thresholdTrafficLinear = 80; +let lowTrafficAvailability = 90; +let highTrafficAvailability = 99; +let thresholdDelta = thresholdTrafficLinear - thresholdTrafficMin; +let availabilityDelta = highTrafficAvailability - lowTrafficAvailability; AzureDiagnostics | where url_s startswith 'https://api.platform.pagopa.it/payment-wallet-for-ecommerce/v1' | summarize Total=count(), Success=countif(responseCode_d < 500 and DurationMs < 250) by Time = bin(TimeGenerated, 15m) +| extend trafficUp = Total-thresholdTrafficMin +| extend deltaRatio = todouble(todouble(trafficUp)/todouble(thresholdDelta)) +| extend expectedAvailability = iff(Total >= thresholdTrafficLinear, toreal(highTrafficAvailability), iff(Total <= thresholdTrafficMin, toreal(lowTrafficAvailability), (deltaRatio*(availabilityDelta))+lowTrafficAvailability)) | extend Availability=((Success * 1.0) / Total) * 100 -| where toint(Availability) < 99 +| where Availability < expectedAvailability QUERY ) severity = 1 
@@ -161,14 +188,23 @@ resource "azurerm_monitor_scheduled_query_rules_alert" "payment_wallet_npg_notif description = "Payment Wallet NPG Notifications - Availability less than 99% in the last 30 minutes" enabled = true query = (<<-QUERY +let thresholdTrafficMin = 5; +let thresholdTrafficLinear = 20; +let lowTrafficAvailability = 80; +let highTrafficAvailability = 99; +let thresholdDelta = thresholdTrafficLinear - thresholdTrafficMin; +let availabilityDelta = highTrafficAvailability - lowTrafficAvailability; AzureDiagnostics | where url_s startswith 'https://api.platform.pagopa.it/payment-wallet-notifications/v1' | summarize Total=count(), - Success=countif(responseCode_d < 500 and DurationMs < 250) + Success=countif(responseCode_d < 500 and DurationMs < 350) by Time = bin(TimeGenerated, 15m) +| extend trafficUp = Total-thresholdTrafficMin +| extend deltaRatio = todouble(todouble(trafficUp)/todouble(thresholdDelta)) +| extend expectedAvailability = iff(Total >= thresholdTrafficLinear, toreal(highTrafficAvailability), iff(Total <= thresholdTrafficMin, toreal(lowTrafficAvailability), (deltaRatio*(availabilityDelta))+lowTrafficAvailability)) | extend Availability=((Success * 1.0) / Total) * 100 -| where toint(Availability) < 99 +| where Availability < expectedAvailability QUERY ) severity = 1 
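Review bot: Besides the availability rework, this hunk relaxes the success latency criterion on the `Success=countif(...)` line from `DurationMs < 250` to `DurationMs < 350`, which changes what counts as a successful NPG notification, and neither the commit message (whose bullets list only availability-percentage changes) nor the `description` mentions it. A short comment next to the countif, `// 350 ms latency bound for NPG notifications (CHK-3231)`, or a line in the commit body would keep the raised bound from being mistaken for a typo later. The resource block begins and ends outside the hunk.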
@@ -197,14 +233,23 @@ resource "azurerm_monitor_scheduled_query_rules_alert" "payment_wallet_outcomes_ description = "Payment Wallet redirection outcomes - Availability less than 99% in the last 30 minutes" enabled = true query = (<<-QUERY +let thresholdTrafficMin = 50; +let thresholdTrafficLinear = 100; +let lowTrafficAvailability = 90; +let highTrafficAvailability = 99; +let thresholdDelta = thresholdTrafficLinear - thresholdTrafficMin; +let availabilityDelta = highTrafficAvailability - lowTrafficAvailability; AzureDiagnostics | where url_s startswith 'https://api.platform.pagopa.it/payment-wallet-outcomes/v1' | summarize Total=count(), Success=countif(responseCode_d < 500 and DurationMs < 100) by Time = bin(TimeGenerated, 15m) +| extend trafficUp = Total-thresholdTrafficMin +| extend deltaRatio = todouble(todouble(trafficUp)/todouble(thresholdDelta)) +| extend expectedAvailability = iff(Total >= thresholdTrafficLinear, toreal(highTrafficAvailability), iff(Total <= thresholdTrafficMin, toreal(lowTrafficAvailability), (deltaRatio*(availabilityDelta))+lowTrafficAvailability)) | extend Availability=((Success * 1.0) / Total) * 100 -| where toint(Availability) < 99 +| where Availability < expectedAvailability QUERY ) severity = 1 From 747187e7cfb91a4d8d58b42290d8a5df41c083b2 Mon Sep 17 00:00:00 2001 From: Angelo Caporaso <56113767+cap-ang@users.noreply.github.com> Date: Mon, 14 Oct 2024 18:45:49 +0200 Subject: [PATCH 33/41] chore: [PAGOPA-2249] feat(decoupler-outbound): Add sessionId when createTimer (#2472) * [PAGOPA-2128] feat(decoupler-outbound): Add sessionId when createTimer * chore(wisp-cosmos): Upgrade RU --- .../decoupler/decoupler-activate-outbound.xml | 8 +++++--- src/domains/nodo-common/env/weu-prod/terraform.tfvars | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) 
diff --git a/src/core/api_product/nodo_pagamenti_api/decoupler/decoupler-activate-outbound.xml b/src/core/api_product/nodo_pagamenti_api/decoupler/decoupler-activate-outbound.xml index 81ea964950..b061905443 100644 --- a/src/core/api_product/nodo_pagamenti_api/decoupler/decoupler-activate-outbound.xml +++ b/src/core/api_product/nodo_pagamenti_api/decoupler/decoupler-activate-outbound.xml @@ -64,10 +64,12 @@ var noticeNumber = requestData.ContainsKey("noticeNumber") ? (string) requestData["noticeNumber"] : ""; var ci = requestData.ContainsKey("ci") ? (string) requestData["ci"] : ""; var paymentToken = (string)context.Variables["paymentToken"]; - return new JObject( + var sessionId = context.Variables.ContainsKey("wisp_ecommerce_paymentNote") ? (string)context.Variables["wisp_ecommerce_paymentNote"] : ""; + return new JObject( new JProperty("fiscalCode", ci), new JProperty("noticeNumber", noticeNumber), - new JProperty("paymentToken", paymentToken) + new JProperty("paymentToken", paymentToken), + new JProperty("sessionId", sessionId) ).ToString(); }" /> @@ -116,7 +118,7 @@ var noticeNumber = requestData.ContainsKey("noticeNumber") ? (string) requestData["noticeNumber"] : ""; var ci = requestData.ContainsKey("ci") ? (string) requestData["ci"] : ""; string error = "[WRN-DASH-WISP] " + - "noticeNumer :" + noticeNumber + " ci: "+ ci; + "noticeNumber :" + noticeNumber + " ci: "+ ci; return error; } diff --git a/src/domains/nodo-common/env/weu-prod/terraform.tfvars b/src/domains/nodo-common/env/weu-prod/terraform.tfvars index be0f054ce6..ec1cf7bf1c 100644 --- a/src/domains/nodo-common/env/weu-prod/terraform.tfvars +++ b/src/domains/nodo-common/env/weu-prod/terraform.tfvars 
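Review bot: The new `sessionId` property is populated from the `wisp_ecommerce_paymentNote` context variable, and nothing in the hunk explains why a variable named paymentNote carries a session identifier, so the next reader will likely assume one of the two names is wrong. A comment on the new var line, `// wisp_ecommerce_paymentNote presumably holds the eCommerce session id for this activation — TODO confirm with the step that sets it`, would record the intent. Note also that when the variable is absent the body still carries `"sessionId": ""` rather than omitting the property, so the createTimer consumer must treat the empty string as "no session", or the property should only be added when the value is present. The expression lambda this code belongs to starts above the hunk; the second hunk in this file is a typo fix in an error string and needs nothing.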
@@ -223,7 +223,7 @@ wisp_converter_cosmos_nosql_db_params = {
 data_ttl = 10368000 # 120 days in second
 data_max_throughput = 2000
 re_ttl = 31536000 # 1 year in second
- re_max_throughput = 5000
+ re_max_throughput = 10000
 receipt_ttl = -1 # max
 receipt_max_throughput = 2000
 receipt_dead_letter_ttl = 7884000 # 3 months in second
From e77452f3aa74abad86c19c6aaf42f3e93721a367 Mon Sep 17 00:00:00 2001
From: Pasquale Spica <36746022+pasqualespica@users.noreply.github.com>
Date: Tue, 15 Oct 2024 18:28:35 +0200
Subject: [PATCH 34/41] feat: Add cfg pert test ppull for prod (#2487)
add cfg pert test ppull for prod
---
 src/domains/gps-app/02_security.tf | 4 ++--
 src/domains/gps-app/04_apim_gpd_core.tf | 4 ++--
 src/domains/gps-app/04_apim_payments_pull.tf | 2 +-
 src/domains/gps-app/README.md | 12 ++++++------
 4 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/src/domains/gps-app/02_security.tf b/src/domains/gps-app/02_security.tf
index e43ef22713..84f88ec374 100644
--- a/src/domains/gps-app/02_security.tf
+++ b/src/domains/gps-app/02_security.tf
@@ -47,7 +47,7 @@ resource "azurerm_key_vault_secret" "gpd_subscription_key" {
 // apikey test apim_gpd_payments_pull_product_and_debt_positions_product_test and save keys on KV
 resource "azurerm_api_management_subscription" "test_gpd_payments_pull_and_debt_positions_subkey" {
- count = var.env_short != "p" ? 1 : 0
+ count = 1 # var.env_short != "p" ? 1 : 0 # ppull-prod-test
 api_management_name = local.pagopa_apim_name
 resource_group_name = local.pagopa_apim_rg
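Review bot: `count = 1 # var.env_short != "p" ? 1 : 0 # ppull-prod-test` removes the guard that kept the test APIM subscription out of production, so `test_gpd_payments_pull_and_debt_positions_subkey` and, in the next hunk, its `integration-test-subkey` Key Vault secret are now created in prod as well; the same guard is dropped in 04_apim_payments_pull.tf (`@@ -29`) and neutralised in both 04_apim_gpd_core.tf hunks. A commented-out expression leaves no record of who is meant to use that key in production or when it should go away. If a prod test subscription is intended, make it explicit and reversible with a variable, e.g. `count = var.enable_ppull_prod_test ? 1 : 0` (placeholder name) declared with `default = false` and set only in the prod tfvars, with the ticket reference in the variable description instead of the trailing `# ppull-prod-test` tag. The resource block continues past the hunk.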
@@ -58,7 +58,7 @@ resource "azurerm_api_management_subscription" "test_gpd_payments_pull_and_debt_ } resource "azurerm_key_vault_secret" "test_gpd_payments_pull_and_debt_positions_subkey_kv" { - count = var.env_short != "p" ? 1 : 0 + count = 1 # var.env_short != "p" ? 1 : 0 # ppull-prod-test depends_on = [azurerm_api_management_subscription.test_gpd_payments_pull_and_debt_positions_subkey[0]] name = "integration-test-subkey" # "tst-gpd-ppull-debt-position-key" value = azurerm_api_management_subscription.test_gpd_payments_pull_and_debt_positions_subkey[0].primary_key diff --git a/src/domains/gps-app/04_apim_gpd_core.tf b/src/domains/gps-app/04_apim_gpd_core.tf index 77f295edd8..1c93be29ce 100644 --- a/src/domains/gps-app/04_apim_gpd_core.tf +++ b/src/domains/gps-app/04_apim_gpd_core.tf @@ -30,7 +30,7 @@ module "apim_api_gpd_api" { api_management_name = local.pagopa_apim_name resource_group_name = local.pagopa_apim_rg product_ids = concat([module.apim_gpd_product.product_id], - var.env_short == "p" ? [] : [module.apim_gpd_payments_pull_product_and_debt_positions_product_test[0].product_id]) + var.env_short == "-" ? [] : [module.apim_gpd_payments_pull_product_and_debt_positions_product_test[0].product_id]) # ppull-prod-test subscription_required = false api_version = "v1" @@ -57,7 +57,7 @@ module "apim_api_gpd_api_v2" { api_management_name = local.pagopa_apim_name resource_group_name = local.pagopa_apim_rg product_ids = concat([module.apim_gpd_product.product_id], - var.env_short == "p" ? [] : [module.apim_gpd_payments_pull_product_and_debt_positions_product_test[0].product_id]) + var.env_short == "-" ? [] : [module.apim_gpd_payments_pull_product_and_debt_positions_product_test[0].product_id]) # ppull-prod-test subscription_required = false api_version = "v2" diff --git a/src/domains/gps-app/04_apim_payments_pull.tf b/src/domains/gps-app/04_apim_payments_pull.tf index d5d0c2b864..19a7db87bd 100644 --- a/src/domains/gps-app/04_apim_payments_pull.tf 
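Review bot: `var.env_short == "-" ? [] : [module...[0].product_id]` in both product_ids hunks is a condition that no real environment short name satisfies, so it reads as a mistake while actually meaning "always attach the test product, including in prod"; writing it as a sentinel hides that the previous `== "p"` guard was deliberately disabled. The same explicit variable used for the resource counts would say what is meant, e.g. `var.enable_ppull_prod_test ? [module.apim_gpd_payments_pull_product_and_debt_positions_product_test[0].product_id] : []` (placeholder variable name), and it also keeps the `[0]` index in step with the module's `count`, so a future `count = 0` cannot turn this line into an index-out-of-range error. Both module blocks begin outside their hunks.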
+++ b/src/domains/gps-app/04_apim_payments_pull.tf @@ -29,7 +29,7 @@ module "apim_gpd_payments_pull_product" { module "apim_gpd_payments_pull_product_and_debt_positions_product_test" { - count = var.env_short != "p" ? 1 : 0 + count = 1 # var.env_short != "p" ? 1 : 0 # ppull-prod-test source = "git::https://github.com/pagopa/terraform-azurerm-v3//api_management_product?ref=v6.11.2" product_id = "test-gpd-payments-pull-and-debt-positions" diff --git a/src/domains/gps-app/README.md b/src/domains/gps-app/README.md index aa69eda115..6204815f43 100644 --- a/src/domains/gps-app/README.md +++ b/src/domains/gps-app/README.md @@ -152,7 +152,7 @@ | [cidr\_subnet\_reporting\_functions](#input\_cidr\_subnet\_reporting\_functions) | Address prefixes subnet reporting\_common function | `list(string)` | `null` | no | | [cname\_record\_name](#input\_cname\_record\_name) | n/a | `string` | n/a | yes | | [create\_wisp\_converter](#input\_create\_wisp\_converter) | CREATE WISP dismantling system infra | `bool` | `false` | no | -| [ddos\_protection\_plan](#input\_ddos\_protection\_plan) | Network |
object({
id = string
enable = bool
})
| `null` | no | +| [ddos\_protection\_plan](#input\_ddos\_protection\_plan) | Network |
object({
id = string
enable = bool
})
| `null` | no | | [dns\_zone\_internal\_prefix](#input\_dns\_zone\_internal\_prefix) | The dns subdomain. | `string` | `null` | no | | [domain](#input\_domain) | n/a | `string` | n/a | yes | | [enable\_client\_retry](#input\_enable\_client\_retry) | Enable client retry | `bool` | `false` | no | @@ -160,7 +160,7 @@ | [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes | | [external\_domain](#input\_external\_domain) | Domain for delegation | `string` | `null` | no | | [flag\_responsetime\_alert](#input\_flag\_responsetime\_alert) | Flag to enable if payments-pull response time alert is available | `number` | `0` | no | -| [fn\_app\_storage\_account\_info](#input\_fn\_app\_storage\_account\_info) | n/a |
object({
account_kind = optional(string, "StorageV2")
account_tier = optional(string, "Standard")
account_replication_type = optional(string, "LRS")
advanced_threat_protection_enable = optional(bool, true)
access_tier = optional(string, "Hot")
})
|
{
"access_tier": "Hot",
"account_kind": "StorageV2",
"account_replication_type": "LRS",
"account_tier": "Standard",
"advanced_threat_protection_enable": true
}
| no | +| [fn\_app\_storage\_account\_info](#input\_fn\_app\_storage\_account\_info) | n/a |
object({
account_kind = optional(string, "StorageV2")
account_tier = optional(string, "Standard")
account_replication_type = optional(string, "LRS")
advanced_threat_protection_enable = optional(bool, true)
access_tier = optional(string, "Hot")
})
|
{
"access_tier": "Hot",
"account_kind": "StorageV2",
"account_replication_type": "LRS",
"account_tier": "Standard",
"advanced_threat_protection_enable": true
}
| no | | [gpd\_always\_on](#input\_gpd\_always\_on) | Always on property | `bool` | `true` | no | | [gpd\_autoscale\_default](#input\_gpd\_autoscale\_default) | The number of instances that are available for scaling if metrics are not available for evaluation. | `number` | `1` | no | | [gpd\_autoscale\_maximum](#input\_gpd\_autoscale\_maximum) | The maximum number of instances for this resource. | `number` | `3` | no | @@ -193,7 +193,7 @@ | [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | `"pagopa-p-monitor-rg"` | no | | [multiplier](#input\_multiplier) | Multiplier for the client backoff procedure | `number` | `1.5` | no | | [pgbouncer\_enabled](#input\_pgbouncer\_enabled) | Built-in connection pooling solution | `bool` | `false` | no | -| [pod\_disruption\_budgets](#input\_pod\_disruption\_budgets) | Pod disruption budget for domain namespace |
map(object({
name = optional(string, null)
minAvailable = optional(number, null)
matchLabels = optional(map(any), {})
}))
| `{}` | no | +| [pod\_disruption\_budgets](#input\_pod\_disruption\_budgets) | Pod disruption budget for domain namespace |
map(object({
name = optional(string, null)
minAvailable = optional(number, null)
matchLabels = optional(map(any), {})
}))
| `{}` | no | | [prefix](#input\_prefix) | n/a | `string` | n/a | yes | | [randomization\_factor](#input\_randomization\_factor) | Randomization factor for the backoff procedure | `number` | `0.5` | no | | [reporting\_analysis\_dotnet\_version](#input\_reporting\_analysis\_dotnet\_version) | n/a | `string` | `null` | no | @@ -207,12 +207,12 @@ | [reporting\_function\_autoscale\_default](#input\_reporting\_function\_autoscale\_default) | The number of instances that are available for scaling if metrics are not available for evaluation. | `number` | `5` | no | | [reporting\_function\_autoscale\_maximum](#input\_reporting\_function\_autoscale\_maximum) | The maximum number of instances for this resource. | `number` | `10` | no | | [reporting\_function\_autoscale\_minimum](#input\_reporting\_function\_autoscale\_minimum) | The minimum number of instances for this resource. | `number` | `1` | no | -| [reporting\_functions\_app\_sku](#input\_reporting\_functions\_app\_sku) | Reporting functions app plan SKU |
object({
kind = string
sku_tier = string
sku_size = string
})
| n/a | yes | +| [reporting\_functions\_app\_sku](#input\_reporting\_functions\_app\_sku) | Reporting functions app plan SKU |
object({
kind = string
sku_tier = string
sku_size = string
})
| n/a | yes | | [reporting\_service\_dotnet\_version](#input\_reporting\_service\_dotnet\_version) | n/a | `string` | `null` | no | | [reporting\_service\_function\_always\_on](#input\_reporting\_service\_function\_always\_on) | Always on property | `bool` | `false` | no | | [reporting\_service\_image](#input\_reporting\_service\_image) | reporting\_service\_function docker image | `string` | `""` | no | -| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | -| [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | +| [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | ## Outputs From 62429811b7b6b1bf7e5cd232ef20d6bc37b7e1d9 Mon Sep 17 00:00:00 2001 From: Jacopo Carlini Date: Wed, 16 Oct 2024 10:05:23 +0200 Subject: [PATCH 35/41] feat(status page): Proxy Github (#2486) * feat(statu page): add new operation in the statusPage product to do a proxy call to github * fix --------- Co-authored-by: Pasquale Spica <36746022+pasqualespica@users.noreply.github.com> --- src/domains/shared-app/04_apim_statuspage.tf | 111 ++++++++-------- ...ase_policy.xml => _healthcheck_policy.xml} | 0 .../status-page-service/v1/_openapi.json.tpl | 118 ++++++++++-------- .../v1/_proxygithub_policy.xml | 35 ++++++ 4 files changed, 162 insertions(+), 102 deletions(-) rename src/domains/shared-app/api/status-page-service/v1/{_base_policy.xml => _healthcheck_policy.xml} (100%) create mode 100644 src/domains/shared-app/api/status-page-service/v1/_proxygithub_policy.xml diff --git a/src/domains/shared-app/04_apim_statuspage.tf b/src/domains/shared-app/04_apim_statuspage.tf index e989765424..6a495eaf61 100644 --- a/src/domains/shared-app/04_apim_statuspage.tf +++ b/src/domains/shared-app/04_apim_statuspage.tf 
@@ -109,53 +109,66 @@ module "apim_api_statuspage_api_v1" { host = local.apim_hostname }) - xml_content = templatefile("./api/status-page-service/v1/_base_policy.xml", { - hostname = local.shared_hostname - services = replace(jsonencode({ - "afmcalculator" = format("%s/pagopa-afm-calculator-service", format(local.aks_path, "afm")) - "afmmarketplace" = format("%s/pagopa-afm-marketplace-service", format(local.aks_path, "afm")) - "afmutils" = format("%s/pagopa-afm-utils-service", format(local.aks_path, "afm")) - "apiconfig" = format("%s/{{apicfg-core-service-path}}", format(local.aks_path, "apiconfig")) // show status only one instances Ora OR Pgflex - "apiconfig-fe" = format("%s", local.fe_apiconfig_path) - "apiconfigcacheo" = format("%s/api-config-cache/o", format(local.aks_path, "apiconfig")) - "apiconfigcachep" = format("%s/api-config-cache/p", format(local.aks_path, "apiconfig")) - "apiconfigselfcare" = format("%s/{{apicfg-selfcare-integ-service-path}}", format(local.aks_path, "apiconfig")) // show status only one instances Ora OR Pgflex - "authorizer" = format("%s//authorizer-functions", format(local.aks_path, "shared")) - "authorizerconfig" = format("%s//authorizer-config", format(local.aks_path, "shared")) - "bizevents" = format("%s/pagopa-biz-events-service", format(local.aks_path, "bizevents")) - "bizeventsdatastoreneg" = format("%s/pagopa-negative-biz-events-datastore-service", format(local.aks_path, "bizevents")) - "bizeventsdatastorepos" = format("%s/pagopa-biz-events-datastore-service", format(local.aks_path, "bizevents")) - "backofficepagopa" = format("%s/selfcare/pagopa/v1", format(local.aks_path, "selfcare")) - "backofficepagopa-fe" = format("%s", local.fe_backoffice_path) - "backofficeexternalpagopa" = format("%s/backoffice-external", format(local.aks_path, "selfcare")) - "canoneunico" = format("%s/", data.azurerm_function_app.canone_unico.default_hostname) - "fdrndpnew" = format("%s/pagopa-fdr-service", format(local.aks_path, "fdr")) - 
"wispconverter" = format("%s/pagopa-wisp-converter", format(local.aks_path, "nodo")) - "wispsoapconverter" = format("%s/wisp-soap-converter", format(local.aks_path, "nodo")) - "wispconverterts" = format("%s/pagopa-wisp-converter-technical-support", format(local.aks_path, "nodo")) - "gpd" = format("%s/pagopa-gpd-core", format(local.aks_path, "gps")) - "gpdpayments" = format("%s/pagopa-gpd-payments", format(local.aks_path, "gps")) - "gpdpaymentspull" = format("%s/pagopa-gpd-payments-pull", format(local.aks_path, "gps")) - "gpdenrollment" = format("%s/pagopa-gpd-reporting-orgs-enrollment", format(local.aks_path, "gps")) - "gpdupload" = format("%s/pagopa-gpd-upload", format(local.aks_path, "gps")) - "gpdreportinganalysis" = format("%s/", data.azurerm_function_app.reporting_analysis.default_hostname) - "gpdreportingbatch" = format("%s/api/", data.azurerm_function_app.reporting_batch.default_hostname) - "gpdreportingservice" = format("%s/api/", data.azurerm_function_app.reporting_service.default_hostname) - "gps" = format("%s/pagopa-spontaneous-payments-service", format(local.aks_path, "gps")) - "gpsdonation" = format("%s/pagopa-gps-donation-service", format(local.aks_path, "gps")) - "mockec" = var.env_short != "p" ? format("%s/", data.azurerm_linux_function_app.mockec[0].default_hostname) : "NA" - "mockconfig" = var.env_short != "p" ? format("%s/pagopa-mock-config-be", format(local.aks_path, "mock")) : "NA" - "mocker" = var.env_short != "p" ? 
format("%s/pagopa-mocker/mocker", format(local.aks_path, "mock")) : "NA" - "pdfengine" = format("%s/", data.azurerm_linux_web_app.pdf_engine.default_hostname) - "receiptpdfdatastore" = format("%s/pagopa-receipt-pdf-datastore", format(local.aks_path, "receipts")) - "receiptpdfgenerator" = format("%s/pagopa-receipt-pdf-generator", format(local.aks_path, "receipts")) - "receiptpdfnotifier" = format("%s/pagopa-receipt-pdf-notifier", format(local.aks_path, "receipts")) - "receiptpdfservice" = format("%s/pagopa-receipt-pdf-service", format(local.aks_path, "receipts")) - "receiptpdfhelpdesk" = format("%s/pagopa-receipt-pdf-helpdesk", format(local.aks_path, "receipts")), - "printpaymentnoticegenerator" = format("%s/pagopa-print-payment-notice-generator", format(local.aks_ita_path, "printit")) - "printpaymentnoticefunctions" = format("%s/pagopa-print-payment-notice-functions", format(local.aks_ita_path, "printit")) - "printpaymentnoticeservice" = format("%s/pagopa-print-payment-notice-service", format(local.aks_ita_path, "printit")) - "paymentoptionsservice" = format("%s/payment-options-service", format(local.aks_ita_path, "payopt")) - }), "\"", "\\\"") - }) + api_operation_policies = [ + { + operation_id = "proxyGithub", + xml_content = templatefile("./api/status-page-service/v1/_proxygithub_policy.xml", {}) + }, + { + operation_id = "healthCheck", + xml_content = templatefile("./api/status-page-service/v1/_healthcheck_policy.xml", { + hostname = local.shared_hostname + services = replace(jsonencode({ + "afmcalculator" = format("%s/pagopa-afm-calculator-service", format(local.aks_path, "afm")) + "afmmarketplace" = format("%s/pagopa-afm-marketplace-service", format(local.aks_path, "afm")) + "afmutils" = format("%s/pagopa-afm-utils-service", format(local.aks_path, "afm")) + "apiconfig" = format("%s/{{apicfg-core-service-path}}", format(local.aks_path, "apiconfig")) + // show status only one instances Ora OR Pgflex + "apiconfig-fe" = format("%s", local.fe_apiconfig_path) + 
"apiconfigcacheo" = format("%s/api-config-cache/o", format(local.aks_path, "apiconfig")) + "apiconfigcachep" = format("%s/api-config-cache/p", format(local.aks_path, "apiconfig")) + "apiconfigselfcare" = format("%s/{{apicfg-selfcare-integ-service-path}}", format(local.aks_path, "apiconfig")) + // show status only one instances Ora OR Pgflex + "authorizer" = format("%s//authorizer-functions", format(local.aks_path, "shared")) + "authorizerconfig" = format("%s//authorizer-config", format(local.aks_path, "shared")) + "bizevents" = format("%s/pagopa-biz-events-service", format(local.aks_path, "bizevents")) + "bizeventsdatastoreneg" = format("%s/pagopa-negative-biz-events-datastore-service", format(local.aks_path, "bizevents")) + "bizeventsdatastorepos" = format("%s/pagopa-biz-events-datastore-service", format(local.aks_path, "bizevents")) + "backofficepagopa" = format("%s/selfcare/pagopa/v1", format(local.aks_path, "selfcare")) + "backofficepagopa-fe" = format("%s", local.fe_backoffice_path) + "backofficeexternalpagopa" = format("%s/backoffice-external", format(local.aks_path, "selfcare")) + "canoneunico" = format("%s/", data.azurerm_function_app.canone_unico.default_hostname) + "fdrndpnew" = format("%s/pagopa-fdr-service", format(local.aks_path, "fdr")) + "wispconverter" = format("%s/pagopa-wisp-converter", format(local.aks_path, "nodo")) + "wispsoapconverter" = format("%s/wisp-soap-converter", format(local.aks_path, "nodo")) + "wispconverterts" = format("%s/pagopa-wisp-converter-technical-support", format(local.aks_path, "nodo")) + "gpd" = format("%s/pagopa-gpd-core", format(local.aks_path, "gps")) + "gpdpayments" = format("%s/pagopa-gpd-payments", format(local.aks_path, "gps")) + "gpdpaymentspull" = format("%s/pagopa-gpd-payments-pull", format(local.aks_path, "gps")) + "gpdenrollment" = format("%s/pagopa-gpd-reporting-orgs-enrollment", format(local.aks_path, "gps")) + "gpdupload" = format("%s/pagopa-gpd-upload", format(local.aks_path, "gps")) + 
"gpdreportinganalysis" = format("%s/", data.azurerm_function_app.reporting_analysis.default_hostname) + "gpdreportingbatch" = format("%s/api/", data.azurerm_function_app.reporting_batch.default_hostname) + "gpdreportingservice" = format("%s/api/", data.azurerm_function_app.reporting_service.default_hostname) + "gps" = format("%s/pagopa-spontaneous-payments-service", format(local.aks_path, "gps")) + "gpsdonation" = format("%s/pagopa-gps-donation-service", format(local.aks_path, "gps")) + "mockec" = var.env_short != "p" ? format("%s/", data.azurerm_linux_function_app.mockec[0].default_hostname) : "NA" + "mockconfig" = var.env_short != "p" ? format("%s/pagopa-mock-config-be", format(local.aks_path, "mock")) : "NA" + "mocker" = var.env_short != "p" ? format("%s/pagopa-mocker/mocker", format(local.aks_path, "mock")) : "NA" + "pdfengine" = format("%s/", data.azurerm_linux_web_app.pdf_engine.default_hostname) + "receiptpdfdatastore" = format("%s/pagopa-receipt-pdf-datastore", format(local.aks_path, "receipts")) + "receiptpdfgenerator" = format("%s/pagopa-receipt-pdf-generator", format(local.aks_path, "receipts")) + "receiptpdfnotifier" = format("%s/pagopa-receipt-pdf-notifier", format(local.aks_path, "receipts")) + "receiptpdfservice" = format("%s/pagopa-receipt-pdf-service", format(local.aks_path, "receipts")) + "receiptpdfhelpdesk" = format("%s/pagopa-receipt-pdf-helpdesk", format(local.aks_path, "receipts")), + "printpaymentnoticegenerator" = format("%s/pagopa-print-payment-notice-generator", format(local.aks_ita_path, "printit")) + "printpaymentnoticefunctions" = format("%s/pagopa-print-payment-notice-functions", format(local.aks_ita_path, "printit")) + "printpaymentnoticeservice" = format("%s/pagopa-print-payment-notice-service", format(local.aks_ita_path, "printit")) + "paymentoptionsservice" = format("%s/payment-options-service", format(local.aks_ita_path, "payopt")) + }), "\"", "\\\"") + }) + } + ] + + } 
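Review bot: The new `proxyGithub` operation is wired to `_proxygithub_policy.xml`, which this commit creates but this hunk does not show, and the OpenAPI path it serves is the wildcard `/github/*`, so presumably anything under that prefix is forwarded to GitHub through the public status-page API. The policy should pin the backend host and restrict the forwarded sub-paths and methods to the GitHub resources the status page actually reads, and the operation entry in `_openapi.json.tpl` should name them, since a wildcard proxy documented only with a `200 OK` response gives callers and reviewers nothing to check against. A comment on the operation entry, `# read-only GitHub proxy for the status page; backend host and allowed paths are fixed in _proxygithub_policy.xml — confirm`, would at least record the intent. The `healthCheck` entry is the former API-level policy moved essentially unchanged under api_operation_policies; the module block begins outside the hunk.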
diff --git a/src/domains/shared-app/api/status-page-service/v1/_base_policy.xml b/src/domains/shared-app/api/status-page-service/v1/_healthcheck_policy.xml similarity index 100% rename from src/domains/shared-app/api/status-page-service/v1/_base_policy.xml rename to src/domains/shared-app/api/status-page-service/v1/_healthcheck_policy.xml diff --git a/src/domains/shared-app/api/status-page-service/v1/_openapi.json.tpl b/src/domains/shared-app/api/status-page-service/v1/_openapi.json.tpl index 89f6c5ed0b..88663faa63 100644 --- a/src/domains/shared-app/api/status-page-service/v1/_openapi.json.tpl +++ b/src/domains/shared-app/api/status-page-service/v1/_openapi.json.tpl 
@@ -1,58 +1,70 @@ { - "openapi": "3.0.1", - "info": { - "title": "OpenAPI definition - Status Page", - "version": "0.0.1" - }, - "servers": [ - { - "url": "${host}/shared/status-page-service/v1", - "description": "Generated server url" - } - ], - "paths": { - "/info": { - "get": { - "tags": [ - "Home" - ], - "summary": "Health Check", - "description": "Return OK if application is started", - "operationId": "healthCheck", - "responses": { - "200": { - "description": "OK", - "content": { - "application/json": {} + "openapi": "3.0.1", + "info": { + "title": "Status Page - API", + "description": "API to Status Page", + "version": "v1" + }, + "servers": [ + { + "url": "https://api.dev.platform.pagopa.it/shared/statuspage/v1" + } + ], + "paths": { + "/info": { + "get": { + "tags": [ + "Home" + ], + "summary": "Health Check", + "description": "Return OK if application is started", + "operationId": "healthCheck", + "parameters": [ + { + "name": "product", + "in": "query", + "description": "It identifies the product to retrive info about.", + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": {} + } + }, + "401": { + "description": "Unauthorized" + }, + "403": { + "description": "Forbidden" + }, + "429": { + "description": "Too many requests" + }, + "500": { + "description": "Service unavailable", + "content": { + "application/json": {} + } + } + } } - }, - "401": { - "description": "Unauthorized" - }, - "403": { - "description": "Forbidden" - }, - "429": { - "description": "Too many requests" - }, - "500": { - "description": "Service unavailable", - "content": { - "application/json": {} + }, + "/github/*": { + "get": { + "summary": "Proxy GitHub", + "operationId": "proxyGithub", + "responses": { + "200": { + "description": "OK" + } + } } - } - } - }, - "parameters": [ - { - "name": "product", - "in": "query", - "description": "It identifies the product to retrive info about.", - "schema": { - 
"type": "string" - } } - ] - } - } + }, + "components": {} } diff --git a/src/domains/shared-app/api/status-page-service/v1/_proxygithub_policy.xml b/src/domains/shared-app/api/status-page-service/v1/_proxygithub_policy.xml new file mode 100644 index 0000000000..c5c0db3296 --- /dev/null +++ b/src/domains/shared-app/api/status-page-service/v1/_proxygithub_policy.xml @@ -0,0 +1,35 @@ + + + + + + + + * + + + GET + POST + + + + + + + + + + + + + + + + + + + From 4a0c4c470fe474b2eec4bddb4398956f110b22a1 Mon Sep 17 00:00:00 2001 From: FedericoRuzzier <49512050+FedericoRuzzier@users.noreply.github.com> Date: Wed, 16 Oct 2024 16:22:53 +0200 Subject: [PATCH 36/41] fix: sync call to rpt timer WISP Conv PAGOPA-2292 (#2490) * fix: sync call to rpt timer WISP Conv PAGOPA-2292 * PAGOPA-2292 set ignore error * PAGOPA-2292 inserting timeout at 8s * PAGOPA-2292 changing timeout value * PAGOPA-2292 update alert remove WIC-1300 * PAGOPA-2292 removing sec --- ...wisp_nodoInviaRPT_nodoInviaCarrelloRPT_outbound_policy.xml | 4 ++-- src/domains/nodo-app/00_alert_wisp_dismantling.tf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/core/api/nodopagamenti_api/nodoPerPa/v1/wisp_nodoInviaRPT_nodoInviaCarrelloRPT_outbound_policy.xml b/src/core/api/nodopagamenti_api/nodoPerPa/v1/wisp_nodoInviaRPT_nodoInviaCarrelloRPT_outbound_policy.xml index 4378587dd5..a95f95106e 100644 --- a/src/core/api/nodopagamenti_api/nodoPerPa/v1/wisp_nodoInviaRPT_nodoInviaCarrelloRPT_outbound_policy.xml +++ b/src/core/api/nodopagamenti_api/nodoPerPa/v1/wisp_nodoInviaRPT_nodoInviaCarrelloRPT_outbound_policy.xml @@ -24,7 +24,7 @@ - + {{wisp-dismantling-converter-base-url}}/rpt/timer POST @@ -37,7 +37,7 @@ ).ToString(); } - + diff --git a/src/domains/nodo-app/00_alert_wisp_dismantling.tf b/src/domains/nodo-app/00_alert_wisp_dismantling.tf index 5de811b25d..d6aa1ff63a 100644 --- a/src/domains/nodo-app/00_alert_wisp_dismantling.tf +++ b/src/domains/nodo-app/00_alert_wisp_dismantling.tf 
@@ -123,7 +123,7 @@ resource "azurerm_monitor_scheduled_query_rules_alert" "opex_pagopa-wisp-convert description = "Errors for wisp-converter API WIC-ERROR is greater than 1 - https://portal.azure.com/?l=en.en-us#@pagopait.onmicrosoft.com/dashboard/arm/subscriptions/b9fc9419-6097-45fe-9f74-ba0641c91912/resourcegroups/dashboards/providers/microsoft.portal/dashboards/0287abc9-da26-40fa-b261-f1634ee649aa" enabled = true query = (<<-QUERY -let errorsToExclude = dynamic(["WIC-3004"]); +let errorsToExclude = dynamic(["WIC-3004","WIC-1300"]); traces | where cloud_RoleName == "pagopawispconverter" | where message contains "WIC-" From e2a254cd559b620a133c9fbcfbc2c7ab0cb5c9bb Mon Sep 17 00:00:00 2001 From: Pietro Tota Date: Thu, 17 Oct 2024 15:48:25 +0200 Subject: [PATCH 37/41] fix: remove unsafe-inline in src policy --- src/domains/checkout-app/05_checkout_fe.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/domains/checkout-app/05_checkout_fe.tf b/src/domains/checkout-app/05_checkout_fe.tf index d6f1be9e3e..7fae838240 100644 --- a/src/domains/checkout-app/05_checkout_fe.tf +++ b/src/domains/checkout-app/05_checkout_fe.tf @@ -80,7 +80,7 @@ module "checkout_cdn" { { action = "Append" name = local.content_security_policy_header_name - value = "script-src 'self' 'unsafe-inline' https://www.google.com https://www.gstatic.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://www.recaptcha.net https://recaptcha.net https://www.gstatic.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://${local.npg_sdk_hostname};" + value = "script-src 'self' https://www.google.com https://www.gstatic.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://www.recaptcha.net https://recaptcha.net https://www.gstatic.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://${local.npg_sdk_hostname};" }, { action = "Append" From 3d59cf37beb88b7453bcd9e8c1bfad3ca67645af Mon Sep 17 00:00:00 2001 
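Review bot: `errorsToExclude` now silences `WIC-1300` with nothing in the hunk saying why; the only trace is the commit message tying it to the rpt/timer change, so a later reader of the alert rule cannot tell whether the exclusion is still wanted. Put the reason next to the value, e.g. `let errorsToExclude = dynamic(["WIC-3004","WIC-1300"]); // WIC-1300: expected after the sync rpt/timer call (PAGOPA-2292), not an error`. The enclosing `azurerm_monitor_scheduled_query_rules_alert` resource and its query heredoc start and end outside the hunk.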
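Review bot: The new `script-src` value lists `https://www.gstatic.com` twice, once bare and once as `https://www.gstatic.com/recaptcha/`; the host entry already covers the path-scoped one, so the second is dead and can be dropped. Removing `'unsafe-inline'` is the right direction; if any inline bootstrap script remains on the page it will now be blocked, and a per-response nonce or a script hash is the way to re-allow it without reverting this line. The `module "checkout_cdn"` block starts and ends outside the hunk.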
From: Marco Mari <130982006+mamari90@users.noreply.github.com> Date: Thu, 17 Oct 2024 16:28:54 +0200 Subject: [PATCH 38/41] fix: Pipeline template reference (#2493) fix pipeline template reference --- .devops/aca-code-review-pipelines.yml | 2 +- .devops/apiconfig-code-review-pipelines.yml | 2 +- .devops/canoneunico-code-review-pipelines.yml | 2 +- .devops/mock-code-review-pipelines.yml | 2 +- .devops/observability-code-review-pipelines.yml | 2 +- .devops/qi-code-review-pipelines.yml | 2 +- .devops/qi-deploy-pipelines.yml | 2 +- .devops/receipts-code-review-pipelines.yml | 2 +- .devops/receipts-deploy-pipelines.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.devops/aca-code-review-pipelines.yml b/.devops/aca-code-review-pipelines.yml index e27731e439..d7e993cb32 100644 --- a/.devops/aca-code-review-pipelines.yml +++ b/.devops/aca-code-review-pipelines.yml @@ -70,7 +70,7 @@ resources: - repository: terraform type: github name: pagopa/azure-pipeline-templates - ref: refs/heads/iac-fix + ref: refs/tags/v6.11.0 endpoint: "io-azure-devops-github-ro" stages: diff --git a/.devops/apiconfig-code-review-pipelines.yml b/.devops/apiconfig-code-review-pipelines.yml index 703153231e..038693df27 100644 --- a/.devops/apiconfig-code-review-pipelines.yml +++ b/.devops/apiconfig-code-review-pipelines.yml @@ -70,7 +70,7 @@ resources: - repository: terraform type: github name: pagopa/azure-pipeline-templates - ref: refs/heads/iac-fix + ref: refs/tags/v6.11.0 endpoint: "io-azure-devops-github-ro" stages: diff --git a/.devops/canoneunico-code-review-pipelines.yml b/.devops/canoneunico-code-review-pipelines.yml index 709535017b..a2eaef3361 100644 --- a/.devops/canoneunico-code-review-pipelines.yml +++ b/.devops/canoneunico-code-review-pipelines.yml @@ -54,7 +54,7 @@ resources: - repository: terraform type: github name: pagopa/azure-pipeline-templates - ref: refs/heads/iac-fix + ref: refs/tags/v6.11.0 endpoint: "io-azure-devops-github-ro" stages: 
diff --git a/.devops/mock-code-review-pipelines.yml b/.devops/mock-code-review-pipelines.yml index ebfa5da829..083d06d567 100644 --- a/.devops/mock-code-review-pipelines.yml +++ b/.devops/mock-code-review-pipelines.yml @@ -70,7 +70,7 @@ resources: - repository: terraform type: github name: pagopa/azure-pipeline-templates - ref: refs/heads/iac-fix + ref: refs/tags/v6.11.0 endpoint: "io-azure-devops-github-ro" stages: diff --git a/.devops/observability-code-review-pipelines.yml b/.devops/observability-code-review-pipelines.yml index aa3ccac5ee..1861cb9a43 100644 --- a/.devops/observability-code-review-pipelines.yml +++ b/.devops/observability-code-review-pipelines.yml @@ -69,7 +69,7 @@ resources: - repository: terraform type: github name: pagopa/azure-pipeline-templates - ref: refs/heads/iac-fix + ref: refs/tags/v6.11.0 endpoint: "io-azure-devops-github-ro" stages: diff --git a/.devops/qi-code-review-pipelines.yml b/.devops/qi-code-review-pipelines.yml index 640669c511..319f21f5cd 100644 --- a/.devops/qi-code-review-pipelines.yml +++ b/.devops/qi-code-review-pipelines.yml @@ -72,7 +72,7 @@ resources: - repository: terraform type: github name: pagopa/azure-pipeline-templates - ref: refs/heads/iac-fix + ref: refs/tags/v6.11.0 endpoint: "io-azure-devops-github-ro" stages: diff --git a/.devops/qi-deploy-pipelines.yml b/.devops/qi-deploy-pipelines.yml index d4b70b625c..65fea38f7c 100644 --- a/.devops/qi-deploy-pipelines.yml +++ b/.devops/qi-deploy-pipelines.yml @@ -68,7 +68,7 @@ resources: - repository: terraform type: github name: pagopa/azure-pipeline-templates - ref: refs/heads/iac-fix + ref: refs/tags/v6.11.0 endpoint: "io-azure-devops-github-ro" stages: diff --git a/.devops/receipts-code-review-pipelines.yml b/.devops/receipts-code-review-pipelines.yml index e9213ca996..9bcc83d90b 100644 --- a/.devops/receipts-code-review-pipelines.yml +++ b/.devops/receipts-code-review-pipelines.yml 
@@ -72,7 +72,7 @@ resources: - repository: terraform type: github name: pagopa/azure-pipeline-templates - ref: refs/heads/iac-fix + ref: refs/tags/v6.11.0 endpoint: "io-azure-devops-github-ro" stages: diff --git a/.devops/receipts-deploy-pipelines.yml b/.devops/receipts-deploy-pipelines.yml index ddeec78aad..a927cabffa 100644 --- a/.devops/receipts-deploy-pipelines.yml +++ b/.devops/receipts-deploy-pipelines.yml @@ -68,7 +68,7 @@ resources: - repository: terraform type: github name: pagopa/azure-pipeline-templates - ref: refs/heads/iac-fix + ref: refs/tags/v6.11.0 endpoint: "io-azure-devops-github-ro" stages: From b0f0f84384612d5579c544993edb713671b68f34 Mon Sep 17 00:00:00 2001 From: Marco Mari <130982006+mamari90@users.noreply.github.com> Date: Fri, 18 Oct 2024 10:36:54 +0200 Subject: [PATCH 39/41] feat: Added apim secret reader permission (#2495) added apim secret reader permission --- src/next-core/01_custom_roles.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/src/next-core/01_custom_roles.tf b/src/next-core/01_custom_roles.tf index 56a5b5d294..64013d5d69 100644 --- a/src/next-core/01_custom_roles.tf +++ b/src/next-core/01_custom_roles.tf @@ -109,6 +109,7 @@ resource "azurerm_role_definition" "iac_reader" { # "Microsoft.DataFactory/factories/datasets/read", "Microsoft.ApiManagement/service/portalsettings/listSecrets/action", "Microsoft.ApiManagement/service/tenant/listSecrets/action", + "Microsoft.ApiManagement/service/subscriptions/listSecrets/action", "Microsoft.Compute/virtualMachineScaleSets/write", #scale the VMSS "Microsoft.AppConfiguration/configurationStores/*/read", "Microsoft.AppConfiguration/configurationStores/*/action" From 458ac94e0f2a1e967a2c8e0bc592608148146e1b Mon Sep 17 00:00:00 2001 
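Review bot: `Microsoft.ApiManagement/service/subscriptions/listSecrets/action` lets the `iac_reader` role read every APIM subscription key in the service, which is an API-credential read rather than a metadata read, and the added line carries no note of why a reader role needs it. Follow the file's own convention on the `virtualMachineScaleSets/write` line and annotate it, e.g. `"Microsoft.ApiManagement/service/subscriptions/listSecrets/action", # read APIM subscription keys for <purpose>`, and consider whether the consumer could receive this permission through a narrower role assignment instead of the shared definition. The `azurerm_role_definition` block starts and ends outside the hunk.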
From: Pasquale Spica <36746022+pasqualespica@users.noreply.github.com> Date: Fri, 18 Oct 2024 12:11:02 +0200 Subject: [PATCH 40/41] =?UTF-8?q?feat:=20Add=20evh=20=F0=9F=87=AE?= =?UTF-8?q?=F0=9F=87=B9=204=20DL=20related=20to=20GEC=20data=20(#2483)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * draff * evh + storage 4 observability ingestion * fix --- src/domains/afm-common/03_cosmosdb_afm.tf | 28 +++ src/domains/afm-common/README.md | 6 +- src/domains/observability/.terraform.lock.hcl | 14 +- src/domains/observability/00_monitor.tf | 12 + src/domains/observability/01_network.tf | 37 +++ src/domains/observability/03_eventhub_msg.tf | 62 +++++ .../observability/03_storage_account.tf | 110 ++++++++ src/domains/observability/99_locals.tf | 35 +-- src/domains/observability/99_variables.tf | 167 +++++++++++++ src/domains/observability/README.md | 47 +++- .../env/{weu-dev => dev}/backend.ini | 0 .../env/{weu-dev => dev}/backend.tfvars | 0 .../observability/env/dev/terraform.tfvars | 236 ++++++++++++++++++ .../env/{weu-prod => prod}/backend.ini | 0 .../env/{weu-prod => prod}/backend.tfvars | 0 .../observability/env/prod/terraform.tfvars | 235 +++++++++++++++++ .../env/{weu-uat => uat}/backend.ini | 0 .../env/{weu-uat => uat}/backend.tfvars | 0 .../observability/env/uat/terraform.tfvars | 235 +++++++++++++++++ .../env/weu-dev/terraform.tfvars | 52 ---- .../env/weu-prod/terraform.tfvars | 51 ---- .../env/weu-uat/terraform.tfvars | 53 ---- 22 files changed, 1181 insertions(+), 199 deletions(-) create mode 100644 src/domains/observability/01_network.tf create mode 100644 src/domains/observability/03_eventhub_msg.tf create mode 100644 src/domains/observability/03_storage_account.tf rename src/domains/observability/env/{weu-dev => dev}/backend.ini (100%) rename src/domains/observability/env/{weu-dev => dev}/backend.tfvars (100%) create mode 100644 src/domains/observability/env/dev/terraform.tfvars rename 
src/domains/observability/env/{weu-prod => prod}/backend.ini (100%) rename src/domains/observability/env/{weu-prod => prod}/backend.tfvars (100%) create mode 100644 src/domains/observability/env/prod/terraform.tfvars rename src/domains/observability/env/{weu-uat => uat}/backend.ini (100%) rename src/domains/observability/env/{weu-uat => uat}/backend.tfvars (100%) create mode 100644 src/domains/observability/env/uat/terraform.tfvars delete mode 100644 src/domains/observability/env/weu-dev/terraform.tfvars delete mode 100644 src/domains/observability/env/weu-prod/terraform.tfvars delete mode 100644 src/domains/observability/env/weu-uat/terraform.tfvars diff --git a/src/domains/afm-common/03_cosmosdb_afm.tf b/src/domains/afm-common/03_cosmosdb_afm.tf index 903d32aa93..0c46464898 100644 --- a/src/domains/afm-common/03_cosmosdb_afm.tf +++ b/src/domains/afm-common/03_cosmosdb_afm.tf 
@@ -175,3 +175,31 @@ module "afm_marketplace_cosmosdb_containers" { autoscale_settings = contains(var.afm_marketplace_cosmos_db_params.capabilities, "EnableServerless") ? null : lookup(each.value, "autoscale_settings", null) } + +# private_endpoint subresource_names analytical +# resource "azurerm_private_endpoint" "afm_cosmos_analytical_private_endpoint" { +# count = var.env_short == "d" ? 0 : 1 + +# name = format("%s-analytical-private-endpoint", local.project) +# location = var.location +# resource_group_name = azurerm_resource_group.afm_rg.name +# subnet_id = module.afm_marketplace_cosmosdb_snet.id + +# private_dns_zone_group { +# name = "${local.project}-analytical-cosmos-private-dns-zone-group" +# private_dns_zone_ids = [data.azurerm_private_dns_zone.cosmos.id] +# } + +# private_service_connection { +# name = "${local.project}-analytical-cosmos-private-service-connection" +# private_connection_resource_id = module.afm_marketplace_cosmosdb_account.id +# is_manual_connection = false +# subresource_names = ["Analytical"] +# } + +# tags = var.tags + +# depends_on = [ +# module.afm_marketplace_cosmosdb_account +# ] +# } \ No newline at end of file diff --git a/src/domains/afm-common/README.md b/src/domains/afm-common/README.md index 5f23a37e38..a13665e366 100644 --- a/src/domains/afm-common/README.md +++ b/src/domains/afm-common/README.md @@ -66,8 +66,8 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [afm\_marketplace\_cosmos\_db\_params](#input\_afm\_marketplace\_cosmos\_db\_params) | n/a |
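Review bot: The hunk adds a commented-out `azurerm_private_endpoint` block with no comment saying whether it is pending, abandoned or blocked on something, so the next reader cannot tell whether to delete it, and the file now ends without a trailing newline (`\ No newline at end of file`). Replace the bare `# private_endpoint subresource_names analytical` heading with a line that states the status, e.g. `# TODO(<ticket>): analytical-store private endpoint, disabled until <reason>`, or drop the block and rely on git history.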
object({
kind = string
capabilities = list(string)
offer_type = string
server_version = string
consistency_policy = object({
consistency_level = string
max_interval_in_seconds = number
max_staleness_prefix = number
})
main_geo_location_zone_redundant = bool
enable_free_tier = bool
additional_geo_locations = list(object({
location = string
failover_priority = number
zone_redundant = bool
}))
private_endpoint_enabled = bool
public_network_access_enabled = bool
is_virtual_network_filter_enabled = bool
backup_continuous_enabled = bool
})
| n/a | yes | -| [afm\_storage\_params](#input\_afm\_storage\_params) | n/a |
object({
enable_backup = optional(bool, false)
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
backup_retention_days = optional(number, 0)
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": false,
"backup_retention_days": 0,
"enable_backup": false,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 30,
"tier": "Standard"
}
| no | +| [afm\_marketplace\_cosmos\_db\_params](#input\_afm\_marketplace\_cosmos\_db\_params) | n/a |
object({
kind = string
capabilities = list(string)
offer_type = string
server_version = string
consistency_policy = object({
consistency_level = string
max_interval_in_seconds = number
max_staleness_prefix = number
})
main_geo_location_zone_redundant = bool
enable_free_tier = bool
additional_geo_locations = list(object({
location = string
failover_priority = number
zone_redundant = bool
}))
private_endpoint_enabled = bool
public_network_access_enabled = bool
is_virtual_network_filter_enabled = bool
backup_continuous_enabled = bool
})
| n/a | yes | +| [afm\_storage\_params](#input\_afm\_storage\_params) | n/a |
object({
enable_backup = optional(bool, false)
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
backup_retention_days = optional(number, 0)
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": false,
"backup_retention_days": 0,
"enable_backup": false,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 30,
"tier": "Standard"
}
| no | | [application\_insights\_name](#input\_application\_insights\_name) | Specifies the name of the Application Insights. | `string` | n/a | yes | | [cidr\_subnet\_afm\_marketplace\_cosmosdb](#input\_cidr\_subnet\_afm\_marketplace\_cosmosdb) | Cosmos DB address space | `list(string)` | `null` | no | | [dns\_zone\_internal\_prefix](#input\_dns\_zone\_internal\_prefix) | The dns subdomain. | `string` | `null` | no | @@ -84,7 +84,7 @@ | [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes | | [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes | | [prefix](#input\_prefix) | n/a | `string` | n/a | yes | -| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | ## Outputs diff --git a/src/domains/observability/.terraform.lock.hcl b/src/domains/observability/.terraform.lock.hcl index f375909165..60c6529ded 100644 --- a/src/domains/observability/.terraform.lock.hcl +++ b/src/domains/observability/.terraform.lock.hcl @@ -5,10 +5,6 @@ provider "registry.terraform.io/hashicorp/azuread" { version = "2.21.0" constraints = "2.21.0" hashes = [ - "h1:9gG6SWoUZZmmXbYBv6ra2RF5NYpamB9tGjsuBxrasFQ=", - "h1:KbY8dRdbfTwTzEBcdOFdD50JX8CUG5Mni25D2+k1rGc=", - "h1:akcofWscEl0ecIbf7lyEqRvPfOdA5q75EZvK8uSum1c=", - "h1:p9epRqujcxIMeT9THP0oNLGe4jjMBLjT5a7RntnFDaA=", "h1:qHYbB6LJsYPVUcd7QkZ5tU+IX+10VcUG4NzsmIuWdlE=", "zh:18c56e0478e8b3849f6d52f7e0ee495538e7fce66f22fc84a79599615e50ad1c", "zh:1b95ba8dddc46c744b2d2be7da6fafaa8ebd8368d46ff77416a95cb7d622251e", @@ -27,13 +23,9 @@ provider "registry.terraform.io/hashicorp/azuread" { provider "registry.terraform.io/hashicorp/azurerm" { version = "3.53.0" - constraints = "3.53.0" + constraints = ">= 3.30.0, ~> 3.39, 3.53.0, <= 3.53.0, <= 3.71.0" hashes = [ - "h1:NqV7ilkolM3jBsmAx5Bh6mA9zfUHCQh3hyjOPBUeWlo=", - "h1:bK70LV1NldhodSm58cUpawKwdUL1A5AKKglAV2wZ/QY=", "h1:ocOIwGJG+K9hb22GdXhTdDiewSdeo9YO3BZ8cm8fUiE=", - "h1:vXyTtRE9MC/6pNTxrvYTJRwxQVsLxZdopz/xLXT18Ts=", - "h1:whOsp6yHx6/QVHci8z2K+ntZmpuC2Rvvn6rrZ0qsIzk=", "zh:078ece8318ad7d6c1cd2e5f2044188e74af63921b93223c7f8d477539fa91888", "zh:1bdc98ff8c2d3f3e81a746762e03d39794b2f5c90dc478cdb23dcc3d3f9947b6", "zh:20b51cfc0ffc4ff368e6eb2eaece0b6bb99ade09e4b91b3444b50e94fc54c119", 
@@ -53,11 +45,7 @@ provider "registry.terraform.io/hashicorp/null" { version = "3.1.1" constraints = "3.1.1" hashes = [ - "h1:1J3nqAREzuaLE7x98LEELCCaMV6BRiawHSg9MmFvfQo=", - "h1:71sNUDvmiJcijsvfXpiLCz0lXIBSsEJjMxljt7hxMhw=", "h1:Pctug/s/2Hg5FJqjYcTM0kPyx3AoYK1MpRWO0T9V2ns=", - "h1:YvH6gTaQzGdNv+SKTZujU1O0bO+Pw6vJHOPhqgN8XNs=", - "h1:ZD4wyZ0KJzt5s2mD0xD7paJlVONNicLvZKdgtezz02I=", "zh:063466f41f1d9fd0dd93722840c1314f046d8760b1812fa67c34de0afcba5597", "zh:08c058e367de6debdad35fc24d97131c7cf75103baec8279aba3506a08b53faf", "zh:73ce6dff935150d6ddc6ac4a10071e02647d10175c173cfe5dca81f3d13d8afe", diff --git a/src/domains/observability/00_monitor.tf b/src/domains/observability/00_monitor.tf index 45205741d0..3db02cab98 100644 --- a/src/domains/observability/00_monitor.tf +++ b/src/domains/observability/00_monitor.tf @@ -2,3 +2,15 @@ data "azurerm_resource_group" "monitor_rg" { name = var.monitor_resource_group_name } +# +# Action Groups +# +data "azurerm_monitor_action_group" "slack" { + resource_group_name = var.monitor_resource_group_name + name = local.monitor_action_group_slack_name +} + +data "azurerm_monitor_action_group" "email" { + resource_group_name = var.monitor_resource_group_name + name = local.monitor_action_group_email_name +} \ No newline at end of file diff --git a/src/domains/observability/01_network.tf b/src/domains/observability/01_network.tf new file mode 100644 index 0000000000..5c0b2c0393 --- /dev/null +++ b/src/domains/observability/01_network.tf 
@@ -0,0 +1,37 @@ +data "azurerm_virtual_network" "vnet" { + name = local.vnet_name + resource_group_name = local.vnet_resource_group_name +} + +data "azurerm_private_dns_zone" "storage" { + name = local.storage_blob_dns_zone_name + resource_group_name = local.storage_blob_resource_group_name +} + +data "azurerm_virtual_network" "vnet_italy" { + name = local.vnet_italy_name + resource_group_name = local.vnet_italy_resource_group_name +} + +data "azurerm_resource_group" "rg_vnet_italy" { + name = local.vnet_italy_resource_group_name +} + +# +# Eventhub +# +data "azurerm_private_dns_zone" "eventhub" { + name = "privatelink.servicebus.windows.net" + resource_group_name = local.msg_resource_group_name +} + +data "azurerm_resource_group" "rg_event_private_dns_zone" { + name = local.msg_resource_group_name +} + +resource "azurerm_subnet" "eventhub_observability_snet" { + name = "${local.project_itn}-evh-observability-snet" + resource_group_name = data.azurerm_resource_group.rg_vnet_italy.name + virtual_network_name = data.azurerm_virtual_network.vnet_italy.name + address_prefixes = var.cidr_subnet_observability_evh +} diff --git a/src/domains/observability/03_eventhub_msg.tf b/src/domains/observability/03_eventhub_msg.tf new file mode 100644 index 0000000000..1a4ec12fd4 --- /dev/null +++ b/src/domains/observability/03_eventhub_msg.tf 
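Review bot: The Event Hub private DNS zone name `privatelink.servicebus.windows.net` is a string literal in `data "azurerm_private_dns_zone" "eventhub"`, while the storage zone two data sources above is read from `local.storage_blob_dns_zone_name`; the two lookups sit side by side and should be built the same way, e.g. `name = local.eventhub_dns_zone_name` with the literal moved next to the storage one in `99_locals.tf`. `azurerm_subnet.eventhub_observability_snet` is also declared directly, whereas the storage subnet added in the same commit goes through the `subnet` module; a one-line comment on why the two differ would save the next maintainer from "fixing" one to match the other.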
@@ -0,0 +1,62 @@ +resource "azurerm_resource_group" "eventhub_observability_rg" { + name = local.eventhub_resource_group_name + location = var.location_itn + + tags = var.tags +} + +module "eventhub_namespace_observability" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//eventhub?ref=v8.22.0" + name = "${local.project}-evh" + location = var.location_itn + resource_group_name = azurerm_resource_group.eventhub_observability_rg.name + auto_inflate_enabled = var.ehns_auto_inflate_enabled + sku = var.ehns_sku_name + capacity = var.ehns_capacity + maximum_throughput_units = var.ehns_maximum_throughput_units + #zone_redundat is always true + + virtual_network_ids = [data.azurerm_virtual_network.vnet_italy.id] + private_endpoint_subnet_id = azurerm_subnet.eventhub_observability_snet.id + public_network_access_enabled = var.ehns_public_network_access + private_endpoint_created = var.ehns_private_endpoint_is_present + + private_endpoint_resource_group_name = azurerm_resource_group.eventhub_observability_rg.name + + private_dns_zones = { + id = [data.azurerm_private_dns_zone.eventhub.id] + name = [data.azurerm_private_dns_zone.eventhub.name] + resource_group_name = data.azurerm_resource_group.rg_event_private_dns_zone.name + } + + private_dns_zone_record_A_name = "${var.domain}.${var.location_short_itn}" + + action = [ + { + action_group_id = data.azurerm_monitor_action_group.slack.id + webhook_properties = null + }, + { + action_group_id = data.azurerm_monitor_action_group.email.id + webhook_properties = null + } + ] + + metric_alerts_create = var.ehns_alerts_enabled + metric_alerts = var.ehns_metric_alerts + + tags = var.tags +} + +# +# CONFIGURATION +# +module "eventhub_observability_configuration" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//eventhub_configuration?ref=v8.22.0" + + event_hub_namespace_name = module.eventhub_namespace_observability.name + event_hub_namespace_resource_group_name = 
azurerm_resource_group.eventhub_observability_rg.name + + eventhubs = var.eventhubs +} + diff --git a/src/domains/observability/03_storage_account.tf b/src/domains/observability/03_storage_account.tf new file mode 100644 index 0000000000..0ec74d5ab1 --- /dev/null +++ b/src/domains/observability/03_storage_account.tf 
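Review bot: `module "eventhub_namespace_observability"` names the namespace `"${local.project}-evh"`, the west-europe prefix, while its resource group, location and subnet all use the Italy-North values (`local.eventhub_resource_group_name`, `var.location_itn`, `azurerm_subnet.eventhub_observability_snet`); the subnet in `01_network.tf` from the same commit uses `local.project_itn`, so this very likely should be `name = "${local.project_itn}-evh"`. Both modules in this file pin `terraform-azurerm-v3` at `v8.22.0` while the storage file in the same commit pins `v6.7.0` and `v7.18.0` for the same repository; aligning them, or a comment on why they differ, would help. `public_network_access_enabled` comes from `var.ehns_public_network_access`, whose value is not in the hunk; worth confirming it is `false` in the new tfvars given that a private endpoint is provisioned.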
@@ -0,0 +1,110 @@ +resource "azurerm_resource_group" "st_observability_rg" { + name = "${local.project_itn}-st-rg" + location = var.location_itn + tags = var.tags +} + +module "observability_st_snet" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v6.7.0" + + name = "${local.project_itn}-observability-st-net" + address_prefixes = var.cidr_subnet_observability_storage + resource_group_name = local.vnet_italy_resource_group_name + virtual_network_name = local.vnet_italy_name + + private_endpoint_network_policies_enabled = true + + service_endpoints = [ + "Microsoft.Storage", + ] +} + +resource "azurerm_private_endpoint" "observability_storage_private_endpoint" { + count = var.env_short != "d" ? 1 : 0 + + name = "${local.project_itn}-storage-private-endpoint" + location = var.location_itn + resource_group_name = azurerm_resource_group.st_observability_rg.name + subnet_id = module.observability_st_snet.id + + private_dns_zone_group { + name = "${local.project_itn}-storage-private-dns-zone-group" + private_dns_zone_ids = [data.azurerm_private_dns_zone.storage.id] + } + + private_service_connection { + name = "${local.project_itn}-storage-private-service-connection" + private_connection_resource_id = module.observability_sa.id + is_manual_connection = false + subresource_names = ["blob"] + } + + tags = var.tags +} + + + +module "observability_sa" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account?ref=v7.18.0" + + name = replace(format("%s-sa", local.project_itn), "-", "") + account_kind = "StorageV2" + account_tier = "Standard" + account_replication_type = var.observability_storage_account_replication_type + access_tier = "Hot" + blob_versioning_enabled = var.enable_sa_backup + resource_group_name = azurerm_resource_group.st_observability_rg.name + location = var.location_itn + advanced_threat_protection = var.observability_sa_advanced_threat_protection + + allow_nested_items_to_be_public = false + 
public_network_access_enabled = true + + blob_delete_retention_days = var.observability_sa_delete_retention_days + tags = var.tags + + blob_last_access_time_enabled = true + + + blob_change_feed_enabled = var.enable_sa_backup + blob_change_feed_retention_in_days = var.enable_sa_backup ? var.observability_sa_backup_retention_days + 1 : null + blob_container_delete_retention_days = var.observability_sa_backup_retention_days + blob_storage_policy = { + enable_immutability_policy = false + blob_restore_policy_days = var.observability_sa_backup_retention_days + } + +} + + +## blob container attachments +resource "azurerm_storage_container" "blob-observability-st" { + name = "${local.project_itn}-az-blob-observability-container" + storage_account_name = module.observability_sa.name + container_access_type = "private" +} + +# resource "azurerm_storage_management_policy" "st_blob_observability_management_policy" { +# storage_account_id = module.observability_sa.id + +# rule { +# name = "tier-to-cool-policy" +# enabled = true +# filters { +# prefix_match = [format("%s/", azurerm_storage_container.blob-observability-st.name)] +# blob_types = ["blockBlob"] +# } + +# # https://docs.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview +# actions { +# # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_management_policy#delete_after_days_since_modification_greater_than +# base_blob { +# tier_to_cool_after_days_since_last_access_time_greater_than = var.observability_sa_tier_to_cool_after_last_access +# tier_to_archive_after_days_since_last_access_time_greater_than = var.observability_tier_to_archive_after_days_since_last_access_time_greater_than +# delete_after_days_since_last_access_time_greater_than = var.observability_sa_delete_after_last_access +# auto_tier_to_hot_from_cool_enabled = true +# } +# } +# } + +# } 
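Review bot: `module "observability_sa"` sets `public_network_access_enabled = true` while the same hunk provisions a blob private endpoint (`azurerm_private_endpoint.observability_storage_private_endpoint`, skipped only when `var.env_short` is `"d"`) and a subnet carrying the `Microsoft.Storage` service endpoint; with public access left on, the private endpoint adds a path but restricts nothing, and the `blob-observability-st` container stays reachable from the internet for any holder of a key or SAS. Set `public_network_access_enabled = false` where the private endpoint exists, or, if the module exposes storage network rules, a default-deny rule allowing `module.observability_st_snet.id`, and add a comment explaining the dev exception. The `azurerm_storage_management_policy` lifecycle block is left commented out with no note on why it is disabled.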
diff --git a/src/domains/observability/99_locals.tf b/src/domains/observability/99_locals.tf index 2ddb6bcefa..89c0ed13b2 100644 --- a/src/domains/observability/99_locals.tf +++ b/src/domains/observability/99_locals.tf 
@@ -1,38 +1,27 @@ locals { project = "${var.prefix}-${var.env_short}-${var.location_short}-${var.domain}" + project_itn = "${var.prefix}-${var.env_short}-${var.location_short_itn}-${var.domain}" project_legacy = "${var.prefix}-${var.env_short}" product = "${var.prefix}-${var.env_short}" apim_hostname = "api.${var.apim_dns_zone_prefix}.${var.external_domain}" + monitor_action_group_slack_name = "SlackPagoPA" + monitor_action_group_email_name = "PagoPA" + pagopa_apim_name = "${local.product}-apim" pagopa_apim_rg = "${local.product}-api-rg" pagopa_apim_snet = "${local.product}-apim-snet" - # app_insights_ips_west_europe = [ - # "51.144.56.96/28", - # "51.144.56.112/28", - # "51.144.56.128/28", - # "51.144.56.144/28", - # "51.144.56.160/28", - # "51.144.56.176/28", - # ] - - # monitor_action_group_slack_name = "SlackPagoPA" - # monitor_action_group_email_name = "PagoPA" - - # vnet_name = "${local.product}-vnet" - # vnet_resource_group_name = "${local.product}-vnet-rg" - - # acr_name = replace("${local.product}commonacr", "-", "") - # acr_resource_group_name = "${local.product}-container-registry-rg" + vnet_name = "${local.product}-vnet" + vnet_resource_group_name = "${local.product}-vnet-rg" - # ingress_hostname = "${var.location_short}${var.instance}.${var.domain}" - # internal_dns_zone_name = "${var.dns_zone_internal_prefix}.${var.external_domain}" - # internal_dns_zone_resource_group_name = "${local.product}-vnet-rg" + storage_blob_dns_zone_name = "privatelink.blob.core.windows.net" + storage_blob_resource_group_name = "${local.product}-vnet-rg" - # cosmos_dns_zone_name = "privatelink.documents.azure.com" - # cosmos_dns_zone_resource_group_name = "${local.product}-vnet-rg" + msg_resource_group_name = "${local.product}-msg-rg" + eventhub_resource_group_name = "${local.project_itn}-evh-rg" - # aks_subnet_name = "${var.prefix}-${var.env_short}-${var.location_short}-${var.env}-aks-snet" + vnet_italy_name = "${local.product}-itn-vnet" + vnet_italy_resource_group_name = 
"${local.product}-itn-vnet-rg" } diff --git a/src/domains/observability/99_variables.tf b/src/domains/observability/99_variables.tf index 56ef5b67e0..3f13914893 100644 --- a/src/domains/observability/99_variables.tf +++ b/src/domains/observability/99_variables.tf @@ -49,6 +49,21 @@ variable "location_short" { } description = "One of wue, neu" } +variable "location_itn" { + type = string + description = "italynorth" +} + +variable "location_short_itn" { + type = string + validation { + condition = ( + length(var.location_short_itn) == 3 + ) + error_message = "Length must be 3 chars." + } + description = "itn" +} variable "instance" { type = string 
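Review bot: The new `location_itn` and `location_short_itn` variables use the expected value as their description (`"italynorth"`, `"itn"`), and only `location_short_itn` carries a validation, which checks length only, so any three-character string is accepted while `location_itn` is not checked at all. Both values end up in resource names and regions (`project_itn` in the locals hunk above), so a real description in the style of the existing `location_short` variable, e.g. `description = "Short name of the Italy North region, expected: itn"`, and a tighter condition such as `condition = var.location_short_itn == "itn"` would make the contract explicit instead of relying on the comments in each tfvars file. If a second short code is ever meant to be allowed, the validation could list the accepted values like `location_short` does.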
@@ -121,4 +136,156 @@ variable "apim_dns_zone_prefix" { type = string default = null description = "The dns subdomain for apim." +} + +// observability +variable "observability_storage_account_replication_type" { + type = string + default = "LRS" + description = "(Optional) observability datastore storage account replication type" +} + +variable "enable_sa_backup" { + type = bool + description = "(Optional) enables storage account point in time recovery" + default = false +} + +variable "observability_sa_advanced_threat_protection" { + type = bool + description = "Enable contract threat advanced protection" + default = false +} + +variable "observability_sa_delete_retention_days" { + type = number + description = "Number of days to retain deleted." + default = 0 +} + +variable "observability_sa_backup_retention_days" { + type = number + description = "Number of days to retain backups." + default = 0 +} + +variable "observability_sa_tier_to_cool_after_last_access" { + type = number + description = "Number of days since last access to blob before moving to cool tier" + default = 183 +} + +variable "observability_tier_to_archive_after_days_since_last_access_time_greater_than" { + type = number + description = "Number of days since last access to blob before moving to archive tier" + default = 730 +} + +variable "observability_sa_delete_after_last_access" { + type = number + description = "Number of days since modification to blob before deleting" + default = 3650 +} + +variable "cidr_subnet_observability_storage" { + type = list(string) + description = "Storage address space" + default = null +} + + +# +# Eventhub +# + +variable "ehns_public_network_access" { + type = bool + description = "(Required) enables public network access to the event hubs" +} + +variable "ehns_private_endpoint_is_present" { + type = bool + description = "(Required) create private endpoint to the event hubs" +} + +variable "ehns_sku_name" { + type = string + description = "Defines which tier 
to use." +} + +variable "ehns_capacity" { + type = number + description = "Specifies the Capacity / Throughput Units for a Standard SKU namespace." +} + +variable "ehns_maximum_throughput_units" { + type = number + description = "Specifies the maximum number of throughput units when Auto Inflate is Enabled" +} + +variable "ehns_auto_inflate_enabled" { + type = bool + description = "Is Auto Inflate enabled for the EventHub Namespace?" +} + +variable "ehns_zone_redundant" { + type = bool + description = "Specifies if the EventHub Namespace should be Zone Redundant (created across Availability Zones)." +} + +variable "ehns_alerts_enabled" { + type = bool + description = "Event hub alerts enabled?" +} + +variable "ehns_metric_alerts" { + default = {} + + description = < [apim\_app\_forwarder\_product](#module\_apim\_app\_forwarder\_product) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_product | v6.4.1 | | [app\_forwarder\_app\_service](#module\_app\_forwarder\_app\_service) | git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service | v8.12.2 | | [app\_forwarder\_slot\_staging](#module\_app\_forwarder\_slot\_staging) | git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service_slot | v8.12.2 | +| [eventhub\_namespace\_observability](#module\_eventhub\_namespace\_observability) | git::https://github.com/pagopa/terraform-azurerm-v3.git//eventhub | v8.22.0 | +| [eventhub\_observability\_configuration](#module\_eventhub\_observability\_configuration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//eventhub_configuration | v8.22.0 | +| [observability\_sa](#module\_observability\_sa) | git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account | v7.18.0 | +| [observability\_st\_snet](#module\_observability\_st\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v6.7.0 | ## Resources 
@@ -65,6 +69,11 @@ | [azurerm_kusto_database.re_db](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/resources/kusto_database) | resource | | [azurerm_kusto_database_principal_assignment.qi_principal_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/resources/kusto_database_principal_assignment) | resource | | [azurerm_kusto_eventhub_data_connection.eventhub_connection_for_re_event](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/resources/kusto_eventhub_data_connection) | resource | +| [azurerm_private_endpoint.observability_storage_private_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/resources/private_endpoint) | resource | +| [azurerm_resource_group.eventhub_observability_rg](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/resources/resource_group) | resource | +| [azurerm_resource_group.st_observability_rg](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/resources/resource_group) | resource | +| [azurerm_storage_container.blob-observability-st](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/resources/storage_container) | resource | +| [azurerm_subnet.eventhub_observability_snet](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/resources/subnet) | resource | | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/client_config) | data source | | [azurerm_container_registry.acr](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/container_registry) | data source | | [azurerm_cosmosdb_account.bizevent_cosmos_account](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/cosmosdb_account) | data source | 
@@ -75,11 +84,19 @@ | [azurerm_key_vault.kv_shared](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/key_vault) | data source | | [azurerm_key_vault_secret.certificate_crt_app_forwarder](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/key_vault_secret) | data source | | [azurerm_key_vault_secret.certificate_key_app_forwarder](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/key_vault_secret) | data source | +| [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/monitor_action_group) | data source | +| [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/monitor_action_group) | data source | +| [azurerm_private_dns_zone.eventhub](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/private_dns_zone) | data source | +| [azurerm_private_dns_zone.storage](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/private_dns_zone) | data source | | [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/resource_group) | data source | +| [azurerm_resource_group.rg_event_private_dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/resource_group) | data source | | [azurerm_resource_group.rg_node_forwarder](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/resource_group) | data source | +| [azurerm_resource_group.rg_vnet_italy](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/resource_group) | data source | | [azurerm_subnet.subnet_apim](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/subnet) | data source | | 
[azurerm_subnet.subnet_node_forwarder](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/subnet) | data source | | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/subscription) | data source | +| [azurerm_virtual_network.vnet](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/virtual_network) | data source | +| [azurerm_virtual_network.vnet_italy](https://registry.terraform.io/providers/hashicorp/azurerm/3.53.0/docs/data-sources/virtual_network) | data source | ## Inputs @@ -87,19 +104,41 @@ |------|-------------|------|---------|:--------:| | [apim\_dns\_zone\_prefix](#input\_apim\_dns\_zone\_prefix) | The dns subdomain for apim. | `string` | `null` | no | | [app\_forwarder\_enabled](#input\_app\_forwarder\_enabled) | Enable app\_forwarder | `bool` | `false` | no | -| [dexp\_db](#input\_dexp\_db) | n/a |
object({
enable = bool
hot_cache_period = string
soft_delete_period = string
})
| n/a | yes | -| [dexp\_params](#input\_dexp\_params) | n/a |
object({
enabled = bool
sku = object({
name = string
capacity = number
})
autoscale = object({
enabled = bool
min_instances = number
max_instances = number
})
public_network_access_enabled = bool
double_encryption_enabled = bool
disk_encryption_enabled = bool
purge_enabled = bool
})
| n/a | yes | -| [dexp\_re\_db\_linkes\_service](#input\_dexp\_re\_db\_linkes\_service) | n/a |
object({
enable = bool
})
| n/a | yes | +| [cidr\_subnet\_observability\_evh](#input\_cidr\_subnet\_observability\_evh) | Address prefixes evh | `list(string)` | n/a | yes | +| [cidr\_subnet\_observability\_storage](#input\_cidr\_subnet\_observability\_storage) | Storage address space | `list(string)` | `null` | no | +| [dexp\_db](#input\_dexp\_db) | n/a |
object({
enable = bool
hot_cache_period = string
soft_delete_period = string
})
| n/a | yes | +| [dexp\_params](#input\_dexp\_params) | n/a |
object({
enabled = bool
sku = object({
name = string
capacity = number
})
autoscale = object({
enabled = bool
min_instances = number
max_instances = number
})
public_network_access_enabled = bool
double_encryption_enabled = bool
disk_encryption_enabled = bool
purge_enabled = bool
})
| n/a | yes | +| [dexp\_re\_db\_linkes\_service](#input\_dexp\_re\_db\_linkes\_service) | n/a |
object({
enable = bool
})
| n/a | yes | | [domain](#input\_domain) | n/a | `string` | n/a | yes | +| [ehns\_alerts\_enabled](#input\_ehns\_alerts\_enabled) | Event hub alerts enabled? | `bool` | n/a | yes | +| [ehns\_auto\_inflate\_enabled](#input\_ehns\_auto\_inflate\_enabled) | Is Auto Inflate enabled for the EventHub Namespace? | `bool` | n/a | yes | +| [ehns\_capacity](#input\_ehns\_capacity) | Specifies the Capacity / Throughput Units for a Standard SKU namespace. | `number` | n/a | yes | +| [ehns\_maximum\_throughput\_units](#input\_ehns\_maximum\_throughput\_units) | Specifies the maximum number of throughput units when Auto Inflate is Enabled | `number` | n/a | yes | +| [ehns\_metric\_alerts](#input\_ehns\_metric\_alerts) | Map of name = criteria objects |
map(object({
# criteria.*.aggregation to be one of [Average Count Minimum Maximum Total]
aggregation = string
metric_name = string
description = string
# criteria.0.operator to be one of [Equals NotEquals GreaterThan GreaterThanOrEqual LessThan LessThanOrEqual]
operator = string
threshold = number
# Possible values are PT1M, PT5M, PT15M, PT30M and PT1H
frequency = string
# Possible values are PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H and P1D.
window_size = string

dimension = list(object(
{
name = string
operator = string
values = list(string)
}
))
}))
| `{}` | no | +| [ehns\_private\_endpoint\_is\_present](#input\_ehns\_private\_endpoint\_is\_present) | (Required) create private endpoint to the event hubs | `bool` | n/a | yes | +| [ehns\_public\_network\_access](#input\_ehns\_public\_network\_access) | (Required) enables public network access to the event hubs | `bool` | n/a | yes | +| [ehns\_sku\_name](#input\_ehns\_sku\_name) | Defines which tier to use. | `string` | n/a | yes | +| [ehns\_zone\_redundant](#input\_ehns\_zone\_redundant) | Specifies if the EventHub Namespace should be Zone Redundant (created across Availability Zones). | `bool` | n/a | yes | +| [enable\_sa\_backup](#input\_enable\_sa\_backup) | (Optional) enables storage account point in time recovery | `bool` | `false` | no | | [env](#input\_env) | n/a | `string` | n/a | yes | | [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes | +| [eventhubs](#input\_eventhubs) | A list of event hubs to add to namespace. |
list(object({
name = string
partitions = number
message_retention = number
consumers = list(string)
keys = list(object({
name = string
listen = bool
send = bool
manage = bool
}))
}))
| `[]` | no | | [external\_domain](#input\_external\_domain) | Domain for delegation | `string` | `null` | no | | [instance](#input\_instance) | One of beta, prod01, prod02 | `string` | n/a | yes | | [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes | +| [location\_itn](#input\_location\_itn) | italynorth | `string` | n/a | yes | | [location\_short](#input\_location\_short) | One of wue, neu | `string` | n/a | yes | +| [location\_short\_itn](#input\_location\_short\_itn) | itn | `string` | n/a | yes | | [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes | +| [observability\_sa\_advanced\_threat\_protection](#input\_observability\_sa\_advanced\_threat\_protection) | Enable contract threat advanced protection | `bool` | `false` | no | +| [observability\_sa\_backup\_retention\_days](#input\_observability\_sa\_backup\_retention\_days) | Number of days to retain backups. | `number` | `0` | no | +| [observability\_sa\_delete\_after\_last\_access](#input\_observability\_sa\_delete\_after\_last\_access) | Number of days since modification to blob before deleting | `number` | `3650` | no | +| [observability\_sa\_delete\_retention\_days](#input\_observability\_sa\_delete\_retention\_days) | Number of days to retain deleted. 
| `number` | `0` | no | +| [observability\_sa\_tier\_to\_cool\_after\_last\_access](#input\_observability\_sa\_tier\_to\_cool\_after\_last\_access) | Number of days since last access to blob before moving to cool tier | `number` | `183` | no | +| [observability\_storage\_account\_replication\_type](#input\_observability\_storage\_account\_replication\_type) | (Optional) observability datastore storage account replication type | `string` | `"LRS"` | no | +| [observability\_tier\_to\_archive\_after\_days\_since\_last\_access\_time\_greater\_than](#input\_observability\_tier\_to\_archive\_after\_days\_since\_last\_access\_time\_greater\_than) | Number of days since last access to blob before moving to archive tier | `number` | `730` | no | | [prefix](#input\_prefix) | n/a | `string` | n/a | yes | -| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | ## Outputs diff --git a/src/domains/observability/env/weu-dev/backend.ini b/src/domains/observability/env/dev/backend.ini similarity index 100% rename from src/domains/observability/env/weu-dev/backend.ini rename to src/domains/observability/env/dev/backend.ini diff --git a/src/domains/observability/env/weu-dev/backend.tfvars b/src/domains/observability/env/dev/backend.tfvars similarity index 100% rename from src/domains/observability/env/weu-dev/backend.tfvars rename to src/domains/observability/env/dev/backend.tfvars diff --git a/src/domains/observability/env/dev/terraform.tfvars b/src/domains/observability/env/dev/terraform.tfvars new file mode 100644 index 0000000000..52a02a86fb --- /dev/null +++ b/src/domains/observability/env/dev/terraform.tfvars 
@@ -0,0 +1,236 @@ +prefix = "pagopa" +env_short = "d" +env = "dev" +domain = "observ" +location = "westeurope" # weu +location_short = "weu" # weu +location_itn = "italynorth" # itn +location_short_itn = "itn" # itn +instance = "dev" + +tags = { + CreatedBy = "Terraform" + Environment = "Dev" + Owner = "pagoPA" + Source = "https://github.com/pagopa/pagopa-infra/tree/main/src/observability" + CostCenter = "TS310 - PAGAMENTI & SERVIZI" +} + +### External resources + +monitor_resource_group_name = "pagopa-d-monitor-rg" + +# Data Explorer +dexp_params = { + enabled = true + sku = { + name = "Dev(No SLA)_Standard_E2a_v4" + capacity = 1 + } + autoscale = { + enabled = false + min_instances = 2 + max_instances = 3 + } + public_network_access_enabled = true + double_encryption_enabled = false + disk_encryption_enabled = true + purge_enabled = false +} + +dexp_db = { + enable = true + hot_cache_period = "P5D" + soft_delete_period = "P30D" // P1M +} + +dexp_re_db_linkes_service = { + enable = true +} + +app_forwarder_enabled = true + +external_domain = "pagopa.it" +apim_dns_zone_prefix = "dev.platform" + +# observability Ingestion cfg +cidr_subnet_observability_storage = ["10.3.14.0/27"] +cidr_subnet_observability_evh = ["10.3.14.32/27"] +# = ["10.3.14.64/27"] +# = ["10.3.14.96/27"] +# = ["10.3.14.128/27"] +# = ["10.3.14.160/27"] + + +# +# EventHub +# +ehns_sku_name = "Standard" + +# to avoid https://docs.microsoft.com/it-it/azure/event-hubs/event-hubs-messaging-exceptions#error-code-50002 +ehns_auto_inflate_enabled = false +ehns_maximum_throughput_units = 5 +ehns_capacity = 1 +ehns_alerts_enabled = false +ehns_zone_redundant = false + +ehns_public_network_access = true +ehns_private_endpoint_is_present = false + +eventhubs = [ + { + name = "gec-ingestion-bundles-dl" + partitions = 1 + message_retention = 1 + consumers = ["gec-ingestion-bundles-evt-rx", "gec-ingestion-bundles-evt-rx-pdnd"] + keys = [ + { + name = "gec-ingestion-bundles-evt-tx" + listen = false + send = true 
+ manage = false + }, + { + name = "gec-ingestion-bundles-evt-rx" + listen = true + send = false + manage = false + }, + { + name = "gec-ingestion-bundles-evt-rx-pdnd" + listen = true + send = false + manage = false + } + ] + }, + { + name = "gec-ingestion-cibundles-dl" + partitions = 1 + message_retention = 1 + consumers = ["gec-ingestion-cibundles-evt-rx", "gec-ingestion-cibundles-evt-rx-pdnd"] + keys = [ + { + name = "gec-ingestion-cibundles-evt-tx" + listen = false + send = true + manage = false + }, + { + name = "gec-ingestion-cibundles-evt-rx" + listen = true + send = false + manage = false + }, + { + name = "gec-ingestion-cibundles-evt-rx-pdnd" + listen = true + send = false + manage = false + } + ] + }, + { + name = "gec-ingestion-paymenttypes-dl" + partitions = 1 + message_retention = 1 + consumers = ["gec-ingestion-paymenttypes-evt-rx", "gec-ingestion-paymenttypes-evt-rx-pdnd"] + keys = [ + { + name = "gec-ingestion-paymenttypes-evt-tx" + listen = false + send = true + manage = false + }, + { + name = "gec-ingestion-paymenttypes-evt-rx" + listen = true + send = false + manage = false + }, + { + name = "gec-ingestion-paymenttypes-evt-rx-pdnd" + listen = true + send = false + manage = false + } + ] + }, + { + name = "gec-ingestion-touchpoints-dl" + partitions = 1 + message_retention = 1 + consumers = ["gec-ingestion-touchpoints-evt-rx", "gec-ingestion-touchpoints-evt-rx-pdnd"] + keys = [ + { + name = "gec-ingestion-touchpoints-evt-tx" + listen = false + send = true + manage = false + }, + { + name = "gec-ingestion-touchpoints-evt-rx" + listen = true + send = false + manage = false + }, + { + name = "gec-ingestion-touchpoints-evt-rx-pdnd" + listen = true + send = false + manage = false + } + ] + } +] + +# alert evh +ehns_metric_alerts = { + no_trx = { + aggregation = "Total" + metric_name = "IncomingMessages" + description = "No transactions received from acquirer in the last 24h" + operator = "LessThanOrEqual" + threshold = 1000 + frequency = "PT1H" + 
window_size = "P1D" + dimension = [ + { + name = "EntityName" + operator = "Include" + values = ["gec-ingestion-bundles-evt-tx", "gec-ingestion-cibundles-evt-tx", "gec-ingestion-paymenttypes-evt-tx", "gec-ingestion-touchpoints-evt-tx"] + } + ], + }, + active_connections = { + aggregation = "Average" + metric_name = "ActiveConnections" + description = null + operator = "LessThanOrEqual" + threshold = 0 + frequency = "PT5M" + window_size = "PT15M" + dimension = [], + }, + error_trx = { + aggregation = "Total" + metric_name = "IncomingMessages" + description = "Transactions rejected from one acquirer file received. trx write on eventhub. check immediately" + operator = "GreaterThan" + threshold = 0 + frequency = "PT5M" + window_size = "PT30M" + dimension = [ + { + name = "EntityName" + operator = "Include" + values = [ + "gec-ingestion-bundles-evt-rx-pdnd", + "gec-ingestion-cibundles-evt-rx-pdnd", + "gec-ingestion-paymenttypes-evt-rx-pdnd", + "gec-ingestion-touchpoints-evt-rx-pdnd" + ] + } + ], + }, +} diff --git a/src/domains/observability/env/weu-prod/backend.ini b/src/domains/observability/env/prod/backend.ini similarity index 100% rename from src/domains/observability/env/weu-prod/backend.ini rename to src/domains/observability/env/prod/backend.ini diff --git a/src/domains/observability/env/weu-prod/backend.tfvars b/src/domains/observability/env/prod/backend.tfvars similarity index 100% rename from src/domains/observability/env/weu-prod/backend.tfvars rename to src/domains/observability/env/prod/backend.tfvars diff --git a/src/domains/observability/env/prod/terraform.tfvars b/src/domains/observability/env/prod/terraform.tfvars new file mode 100644 index 0000000000..450ae45295 --- /dev/null +++ b/src/domains/observability/env/prod/terraform.tfvars 
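Review bot: `ehns_public_network_access = true` together with `ehns_private_endpoint_is_present = false` leaves the dev Event Hubs namespace reachable from the internet, with the SAS authorization rules declared under `keys` as the only access control, while the uat tfvars added in this same change turn public access off and create a private endpoint. If dev genuinely needs public ingestion, a comment next to these two lines stating why and which client connects from outside the VNet would help the next reader; otherwise aligning with uat (`ehns_public_network_access = false`, `ehns_private_endpoint_is_present = true`) is the safer default. Note also that `enable_sa_backup` and the `observability_sa_*_retention_days` inputs are not set here, so soft-delete on the observability storage account falls back to the `0` defaults; acceptable for dev, but worth stating in a comment rather than leaving implicit.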
@@ -0,0 +1,235 @@ +prefix = "pagopa" +env_short = "p" +env = "prod" +domain = "observ" +location = "westeurope" # weu +location_short = "weu" # weu +location_itn = "italynorth" # itn +location_short_itn = "itn" # itn +instance = "prod" + +tags = { + CreatedBy = "Terraform" + Environment = "Prod" + Owner = "pagoPA" + Source = "https://github.com/pagopa/pagopa-infra/tree/main/src/observability" + CostCenter = "TS310 - PAGAMENTI & SERVIZI" +} + +### External resources + +monitor_resource_group_name = "pagopa-p-monitor-rg" + +# Data Explorer +dexp_params = { + enabled = true + sku = { + name = "Standard_D11_v2" + capacity = 2 + } + autoscale = { + enabled = true + min_instances = 2 + max_instances = 5 + } + public_network_access_enabled = true + double_encryption_enabled = true + disk_encryption_enabled = true + purge_enabled = false +} + +dexp_db = { + enable = true + hot_cache_period = "P5D" + soft_delete_period = "P365D" // "P1Y" +} + +dexp_re_db_linkes_service = { + enable = true +} + +external_domain = "NOT_USED" +apim_dns_zone_prefix = "NOT_USED" + +# observability Ingestion cfg +# observability_storage_account_replication_type = "GZRS" # Standard_GZRS, Kind: StorageV2 is not available in zone. 
+enable_sa_backup = true +cidr_subnet_observability_storage = ["10.3.14.0/27"] +cidr_subnet_observability_evh = ["10.3.14.32/27"] +# = ["10.3.14.64/27"] +# = ["10.3.14.96/27"] +# = ["10.3.14.128/27"] +# = ["10.3.14.160/27"] + +# +# EventHub +# +ehns_sku_name = "Standard" + +# to avoid https://docs.microsoft.com/it-it/azure/event-hubs/event-hubs-messaging-exceptions#error-code-50002 +ehns_auto_inflate_enabled = true +ehns_maximum_throughput_units = 5 +ehns_capacity = 5 +ehns_alerts_enabled = true +ehns_zone_redundant = true + +ehns_public_network_access = false +ehns_private_endpoint_is_present = true + +eventhubs = [ + { + name = "gec-ingestion-bundles-dl" + partitions = 32 + message_retention = 7 + consumers = ["gec-ingestion-bundles-evt-rx", "gec-ingestion-bundles-evt-rx-pdnd"] + keys = [ + { + name = "gec-ingestion-bundles-evt-tx" + listen = false + send = true + manage = false + }, + { + name = "gec-ingestion-bundles-evt-rx" + listen = true + send = false + manage = false + }, + { + name = "gec-ingestion-bundles-evt-rx-pdnd" + listen = true + send = false + manage = false + } + ] + }, + { + name = "gec-ingestion-cibundles-dl" + partitions = 32 + message_retention = 7 + consumers = ["gec-ingestion-cibundles-evt-rx", "gec-ingestion-cibundles-evt-rx-pdnd"] + keys = [ + { + name = "gec-ingestion-cibundles-evt-tx" + listen = false + send = true + manage = false + }, + { + name = "gec-ingestion-cibundles-evt-rx" + listen = true + send = false + manage = false + }, + { + name = "gec-ingestion-cibundles-evt-rx-pdnd" + listen = true + send = false + manage = false + } + ] + }, + { + name = "gec-ingestion-paymenttypes-dl" + partitions = 32 + message_retention = 7 + consumers = ["gec-ingestion-paymenttypes-evt-rx", "gec-ingestion-paymenttypes-evt-rx-pdnd"] + keys = [ + { + name = "gec-ingestion-paymenttypes-evt-tx" + listen = false + send = true + manage = false + }, + { + name = "gec-ingestion-paymenttypes-evt-rx" + listen = true + send = false + manage = false + }, + { 
+ name = "gec-ingestion-paymenttypes-evt-rx-pdnd" + listen = true + send = false + manage = false + } + ] + }, + { + name = "gec-ingestion-touchpoints-dl" + partitions = 1 + message_retention = 1 + consumers = ["gec-ingestion-touchpoints-evt-rx", "gec-ingestion-touchpoints-evt-rx-pdnd"] + keys = [ + { + name = "gec-ingestion-touchpoints-evt-tx" + listen = false + send = true + manage = false + }, + { + name = "gec-ingestion-touchpoints-evt-rx" + listen = true + send = false + manage = false + }, + { + name = "gec-ingestion-touchpoints-evt-rx-pdnd" + listen = true + send = false + manage = false + } + ] + } +] + +# alert evh +ehns_metric_alerts = { + no_trx = { + aggregation = "Total" + metric_name = "IncomingMessages" + description = "No transactions received from acquirer in the last 24h" + operator = "LessThanOrEqual" + threshold = 1000 + frequency = "PT1H" + window_size = "P1D" + dimension = [ + { + name = "EntityName" + operator = "Include" + values = ["gec-ingestion-bundles-evt-tx", "gec-ingestion-cibundles-evt-tx", "gec-ingestion-paymenttypes-evt-tx", "gec-ingestion-touchpoints-evt-tx"] + } + ], + }, + active_connections = { + aggregation = "Average" + metric_name = "ActiveConnections" + description = null + operator = "LessThanOrEqual" + threshold = 0 + frequency = "PT5M" + window_size = "PT15M" + dimension = [], + }, + error_trx = { + aggregation = "Total" + metric_name = "IncomingMessages" + description = "Transactions rejected from one acquirer file received. trx write on eventhub. check immediately" + operator = "GreaterThan" + threshold = 0 + frequency = "PT5M" + window_size = "PT30M" + dimension = [ + { + name = "EntityName" + operator = "Include" + values = [ + "gec-ingestion-bundles-evt-rx-pdnd", + "gec-ingestion-cibundles-evt-rx-pdnd", + "gec-ingestion-paymenttypes-evt-rx-pdnd", + "gec-ingestion-touchpoints-evt-rx-pdnd" + ] + } + ], + }, +} 
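Review bot: The `EntityName` dimension values in `ehns_metric_alerts` (`gec-ingestion-bundles-evt-tx`, `…-evt-rx-pdnd`, and so on) are the names of the authorization rules declared under `keys`, not event hub names; the hubs defined in this file are `gec-ingestion-bundles-dl`, `gec-ingestion-cibundles-dl`, `gec-ingestion-paymenttypes-dl` and `gec-ingestion-touchpoints-dl`. As far as I know the `EntityName` dimension of namespace metrics carries the event hub name, so with `ehns_alerts_enabled = true` the `no_trx` and `error_trx` filters would match no series and never evaluate the intended traffic; the `values` lists should hold the `-dl` hub names. Separately, `enable_sa_backup = true` is set but `observability_sa_backup_retention_days` and `observability_sa_delete_retention_days` are left at their default of `0`, which feeds `blob_restore_policy_days` and the blob/container delete retention of the storage account; point-in-time restore needs a positive window (the provider accepts 1–365 days, if I recall correctly), so set explicit values here, e.g. `observability_sa_backup_retention_days = 30` and `observability_sa_delete_retention_days = 30`.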
diff --git a/src/domains/observability/env/weu-uat/backend.ini b/src/domains/observability/env/uat/backend.ini
similarity index 100%
rename from src/domains/observability/env/weu-uat/backend.ini
rename to src/domains/observability/env/uat/backend.ini
diff --git a/src/domains/observability/env/weu-uat/backend.tfvars b/src/domains/observability/env/uat/backend.tfvars
similarity index 100%
rename from src/domains/observability/env/weu-uat/backend.tfvars
rename to src/domains/observability/env/uat/backend.tfvars
diff --git a/src/domains/observability/env/uat/terraform.tfvars b/src/domains/observability/env/uat/terraform.tfvars
new file mode 100644
index 0000000000..6e18263145
--- /dev/null
+++ b/src/domains/observability/env/uat/terraform.tfvars
@@ -0,0 +1,235 @@ +prefix = "pagopa" +env_short = "u" +env = "uat" +domain = "observ" +location = "westeurope" # weu +location_short = "weu" # weu +location_itn = "italynorth" # itn +location_short_itn = "itn" # itn +instance = "uat" + +tags = { + CreatedBy = "Terraform" + Environment = "Uat" + Owner = "pagoPA" + Source = "https://github.com/pagopa/pagopa-infra/tree/main/src/observability" + CostCenter = "TS310 - PAGAMENTI & SERVIZI" +} + +### External resources + +monitor_resource_group_name = "pagopa-u-monitor-rg" + +# Data Explorer +dexp_params = { + enabled = true + sku = { + name = "Dev(No SLA)_Standard_E2a_v4" + capacity = 1 + } + autoscale = { + enabled = false + min_instances = 2 + max_instances = 3 + } + public_network_access_enabled = true + double_encryption_enabled = false + disk_encryption_enabled = true + purge_enabled = false +} + +dexp_db = { + enable = true + hot_cache_period = "P5D" + soft_delete_period = "P90D" +} + +dexp_re_db_linkes_service = { + enable = true +} + +app_forwarder_enabled = true + +external_domain = "pagopa.it" +apim_dns_zone_prefix = "uat.platform" + +# observability Ingestion cfg +cidr_subnet_observability_storage = ["10.3.14.0/27"] +cidr_subnet_observability_evh = ["10.3.14.32/27"] +# = ["10.3.14.64/27"] +# = ["10.3.14.96/27"] +# = ["10.3.14.128/27"] +# = ["10.3.14.160/27"] + +# +# EventHub +# +ehns_sku_name = "Standard" + +# to avoid https://docs.microsoft.com/it-it/azure/event-hubs/event-hubs-messaging-exceptions#error-code-50002 +ehns_auto_inflate_enabled = true +ehns_maximum_throughput_units = 5 +ehns_capacity = 1 +ehns_alerts_enabled = false +ehns_zone_redundant = false + +ehns_public_network_access = false +ehns_private_endpoint_is_present = true + +eventhubs = [ + { + name = "gec-ingestion-bundles-dl" + partitions = 1 + message_retention = 1 + consumers = ["gec-ingestion-bundles-evt-rx", "gec-ingestion-bundles-evt-rx-pdnd"] + keys = [ + { + name = "gec-ingestion-bundles-evt-tx" + listen = false + send = true + manage = 
false + }, + { + name = "gec-ingestion-bundles-evt-rx" + listen = true + send = false + manage = false + }, + { + name = "gec-ingestion-bundles-evt-rx-pdnd" + listen = true + send = false + manage = false + } + ] + }, + { + name = "gec-ingestion-cibundles-dl" + partitions = 1 + message_retention = 1 + consumers = ["gec-ingestion-cibundles-evt-rx", "gec-ingestion-cibundles-evt-rx-pdnd"] + keys = [ + { + name = "gec-ingestion-cibundles-evt-tx" + listen = false + send = true + manage = false + }, + { + name = "gec-ingestion-cibundles-evt-rx" + listen = true + send = false + manage = false + }, + { + name = "gec-ingestion-cibundles-evt-rx-pdnd" + listen = true + send = false + manage = false + } + ] + }, + { + name = "gec-ingestion-paymenttypes-dl" + partitions = 1 + message_retention = 1 + consumers = ["gec-ingestion-paymenttypes-evt-rx", "gec-ingestion-paymenttypes-evt-rx-pdnd"] + keys = [ + { + name = "gec-ingestion-paymenttypes-evt-tx" + listen = false + send = true + manage = false + }, + { + name = "gec-ingestion-paymenttypes-evt-rx" + listen = true + send = false + manage = false + }, + { + name = "gec-ingestion-paymenttypes-evt-rx-pdnd" + listen = true + send = false + manage = false + } + ] + }, + { + name = "gec-ingestion-touchpoints-dl" + partitions = 1 + message_retention = 1 + consumers = ["gec-ingestion-touchpoints-evt-rx", "gec-ingestion-touchpoints-evt-rx-pdnd"] + keys = [ + { + name = "gec-ingestion-touchpoints-evt-tx" + listen = false + send = true + manage = false + }, + { + name = "gec-ingestion-touchpoints-evt-rx" + listen = true + send = false + manage = false + }, + { + name = "gec-ingestion-touchpoints-evt-rx-pdnd" + listen = true + send = false + manage = false + } + ] + } +] + +# alert evh +ehns_metric_alerts = { + no_trx = { + aggregation = "Total" + metric_name = "IncomingMessages" + description = "No transactions received from acquirer in the last 24h" + operator = "LessThanOrEqual" + threshold = 1000 + frequency = "PT1H" + window_size = 
"P1D" + dimension = [ + { + name = "EntityName" + operator = "Include" + values = ["gec-ingestion-bundles-evt-tx", "gec-ingestion-cibundles-evt-tx", "gec-ingestion-paymenttypes-evt-tx", "gec-ingestion-touchpoints-evt-tx"] + } + ], + }, + active_connections = { + aggregation = "Average" + metric_name = "ActiveConnections" + description = null + operator = "LessThanOrEqual" + threshold = 0 + frequency = "PT5M" + window_size = "PT15M" + dimension = [], + }, + error_trx = { + aggregation = "Total" + metric_name = "IncomingMessages" + description = "Transactions rejected from one acquirer file received. trx write on eventhub. check immediately" + operator = "GreaterThan" + threshold = 0 + frequency = "PT5M" + window_size = "PT30M" + dimension = [ + { + name = "EntityName" + operator = "Include" + values = [ + "gec-ingestion-bundles-evt-rx-pdnd", + "gec-ingestion-cibundles-evt-rx-pdnd", + "gec-ingestion-paymenttypes-evt-rx-pdnd", + "gec-ingestion-touchpoints-evt-rx-pdnd" + ] + } + ], + }, +} diff --git a/src/domains/observability/env/weu-dev/terraform.tfvars b/src/domains/observability/env/weu-dev/terraform.tfvars deleted file mode 100644 index de346562fb..0000000000 --- a/src/domains/observability/env/weu-dev/terraform.tfvars +++ /dev/null 
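Review bot: The alert descriptions in `ehns_metric_alerts` ("No transactions received from acquirer in the last 24h", "Transactions rejected from one acquirer file received … check immediately") read as copied from another domain's Event Hubs configuration: the hubs in this file are the `gec-ingestion-*` bundles, cibundles, paymenttypes and touchpoints feeds, not acquirer transaction files, and `active_connections` has `description = null`. The description is what the responder sees when the alert fires, so rewording to this domain, e.g. `description = "No GEC ingestion events received in the last 24h"`, and giving `active_connections` a description would avoid misdirecting on-call. Alerts are disabled in uat (`ehns_alerts_enabled = false`), so this only matters once they are switched on, but the same text is repeated in the dev and prod files.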
@@ -1,52 +0,0 @@ -prefix = "pagopa" -env_short = "d" -env = "dev" -domain = "observ" -location = "westeurope" -location_short = "weu" -instance = "dev" - -tags = { - CreatedBy = "Terraform" - Environment = "Dev" - Owner = "pagoPA" - Source = "https://github.com/pagopa/pagopa-infra/tree/main/src/observability" - CostCenter = "TS310 - PAGAMENTI & SERVIZI" -} - -### External resources - -monitor_resource_group_name = "pagopa-d-monitor-rg" - -# Data Explorer -dexp_params = { - enabled = true - sku = { - name = "Dev(No SLA)_Standard_E2a_v4" - capacity = 1 - } - autoscale = { - enabled = false - min_instances = 2 - max_instances = 3 - } - public_network_access_enabled = true - double_encryption_enabled = false - disk_encryption_enabled = true - purge_enabled = false -} - -dexp_db = { - enable = true - hot_cache_period = "P5D" - soft_delete_period = "P30D" // P1M -} - -dexp_re_db_linkes_service = { - enable = true -} - -app_forwarder_enabled = true - -external_domain = "pagopa.it" -apim_dns_zone_prefix = "dev.platform" \ No newline at end of file diff --git a/src/domains/observability/env/weu-prod/terraform.tfvars b/src/domains/observability/env/weu-prod/terraform.tfvars deleted file mode 100644 index 63d3d29f00..0000000000 --- a/src/domains/observability/env/weu-prod/terraform.tfvars +++ /dev/null 
@@ -1,51 +0,0 @@ -prefix = "pagopa" -env_short = "p" -env = "prod" -domain = "observ" -location = "westeurope" -location_short = "weu" -instance = "prod" - -tags = { - CreatedBy = "Terraform" - Environment = "Prod" - Owner = "pagoPA" - Source = "https://github.com/pagopa/pagopa-infra/tree/main/src/observability" - CostCenter = "TS310 - PAGAMENTI & SERVIZI" -} - -### External resources - -monitor_resource_group_name = "pagopa-p-monitor-rg" - - -# Data Explorer -dexp_params = { - enabled = true - sku = { - name = "Standard_D11_v2" - capacity = 2 - } - autoscale = { - enabled = true - min_instances = 2 - max_instances = 5 - } - public_network_access_enabled = true - double_encryption_enabled = true - disk_encryption_enabled = true - purge_enabled = false -} - -dexp_db = { - enable = true - hot_cache_period = "P5D" - soft_delete_period = "P365D" // "P1Y" -} - -dexp_re_db_linkes_service = { - enable = true -} - -external_domain = "NOT_USED" -apim_dns_zone_prefix = "NOT_USED" \ No newline at end of file diff --git a/src/domains/observability/env/weu-uat/terraform.tfvars b/src/domains/observability/env/weu-uat/terraform.tfvars deleted file mode 100644 index ed775c5bb8..0000000000 --- a/src/domains/observability/env/weu-uat/terraform.tfvars +++ /dev/null 
@@ -1,53 +0,0 @@ -prefix = "pagopa" -env_short = "u" -env = "uat" -domain = "observ" -location = "westeurope" -location_short = "weu" -instance = "uat" - -tags = { - CreatedBy = "Terraform" - Environment = "Uat" - Owner = "pagoPA" - Source = "https://github.com/pagopa/pagopa-infra/tree/main/src/observability" - CostCenter = "TS310 - PAGAMENTI & SERVIZI" -} - -### External resources - -monitor_resource_group_name = "pagopa-u-monitor-rg" - - -# Data Explorer -dexp_params = { - enabled = true - sku = { - name = "Dev(No SLA)_Standard_E2a_v4" - capacity = 1 - } - autoscale = { - enabled = false - min_instances = 2 - max_instances = 3 - } - public_network_access_enabled = true - double_encryption_enabled = false - disk_encryption_enabled = true - purge_enabled = false -} - -dexp_db = { - enable = true - hot_cache_period = "P5D" - soft_delete_period = "P90D" -} - -dexp_re_db_linkes_service = { - enable = true -} - -app_forwarder_enabled = true - -external_domain = "pagopa.it" -apim_dns_zone_prefix = "uat.platform" \ No newline at end of file From f2d0160dbdd34f05e8835ab4963b23a0dbb87724 Mon Sep 17 00:00:00 2001 From: Pietro Tota Date: Fri, 18 Oct 2024 14:22:49 +0200 Subject: [PATCH 41/41] Revert "fix: remove unsafe-inline in src policy" This reverts commit e2a254cd559b620a133c9fbcfbc2c7ab0cb5c9bb. --- src/domains/checkout-app/05_checkout_fe.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/domains/checkout-app/05_checkout_fe.tf b/src/domains/checkout-app/05_checkout_fe.tf index 7fae838240..d6f1be9e3e 100644 --- a/src/domains/checkout-app/05_checkout_fe.tf +++ b/src/domains/checkout-app/05_checkout_fe.tf 
@@ -80,7 +80,7 @@ module "checkout_cdn" {
 {
 action = "Append"
 name = local.content_security_policy_header_name
- value = "script-src 'self' https://www.google.com https://www.gstatic.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://www.recaptcha.net https://recaptcha.net https://www.gstatic.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://${local.npg_sdk_hostname};"
+ value = "script-src 'self' 'unsafe-inline' https://www.google.com https://www.gstatic.com https://cdn.cookielaw.org https://geolocation.onetrust.com https://www.recaptcha.net https://recaptcha.net https://www.gstatic.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://${local.npg_sdk_hostname};"
 },
 {
 action = "Append"
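Review bot: Re-adding `'unsafe-inline'` to `script-src` on the `+ value` line removes the main protection this CSP header gives the checkout frontend, because the browser will again execute inline script blocks instead of blocking them, and the revert message does not say which inline script needed it. If a specific inline script broke when `'unsafe-inline'` was dropped, allowing only that script by hash (`'sha256-<hash>'`) or by a per-response nonce keeps the policy restrictive while fixing the breakage. At minimum, the reason should be recorded next to the policy so it is not silently kept forever, e.g. a comment above the `value` line: `# 'unsafe-inline' restored by revert of e2a254cd; weakens script-src, removal tracked in <ticket-placeholder>`. The `checkout_cdn` module block and the surrounding header list continue outside the hunk.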