From 032220ba21a4978449207bf1f7a9bfdda98c7fee Mon Sep 17 00:00:00 2001
From: Simone infante <52280205+infantesimone@users.noreply.github.com>
Date: Mon, 23 Dec 2024 10:50:33 +0100
Subject: [PATCH 1/3] feat: PPABV-106 add secret for fdr-kpi (#2691)

feat: add secret for fdr-kpi
---
 src/domains/qi-app/README.md | 3 +++
 src/domains/qi-common/02_security.tf | 28 ++++++++++++++++++++++++++++
 src/domains/qi-common/README.md | 2 ++
 3 files changed, 33 insertions(+)
diff --git a/src/domains/qi-app/README.md b/src/domains/qi-app/README.md
index 207cb88214..3afe6b10d8 100644
--- a/src/domains/qi-app/README.md
+++ b/src/domains/qi-app/README.md
@@ -18,8 +18,10 @@ |------|--------|---------| | [\_\_v3\_\_](#module\_\_\_v3\_\_) | git::https://github.com/pagopa/terraform-azurerm-v3 | 3fc1dafaf4354e24ca8673005ec0caf4106343a3 | | [apim\_pagopa\_qi\_fdr\_kpi\_service\_api](#module\_apim\_pagopa\_qi\_fdr\_kpi\_service\_api) | ./.terraform/modules/__v3__/api_management_api | n/a | +| [apim\_pagopa\_qi\_smo\_jira\_tickets\_service\_api](#module\_apim\_pagopa\_qi\_smo\_jira\_tickets\_service\_api) | ./.terraform/modules/__v3__/api_management_api | n/a | | [apim\_qi\_fdr\_product](#module\_apim\_qi\_fdr\_product) | ./.terraform/modules/__v3__/api_management_product | n/a | | [apim\_qi\_product](#module\_apim\_qi\_product) | ./.terraform/modules/__v3__/api_management_product | n/a | +| [apim\_qi\_smo\_jira\_tickets\_product](#module\_apim\_qi\_smo\_jira\_tickets\_product) | ./.terraform/modules/__v3__/api_management_product | n/a | | [pod\_identity](#module\_pod\_identity) | ./.terraform/modules/__v3__/kubernetes_pod_identity | n/a | | [tls\_checker](#module\_tls\_checker) | ./.terraform/modules/__v3__/tls_checker | n/a | 
@@ -28,6 +30,7 @@ | Name | Type | |------|------| | [azurerm_api_management_api_version_set.pagopa_qi_fdr_kpi_service_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource | +| [azurerm_api_management_api_version_set.pagopa_qi_smo_jira_tickets_service_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource | | [azurerm_key_vault_secret.aks_apiserver_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.azure_devops_sa_cacrt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.azure_devops_sa_token](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
diff --git a/src/domains/qi-common/02_security.tf b/src/domains/qi-common/02_security.tf
index 62aa1ef5d9..39c5dbd39b 100644
--- a/src/domains/qi-common/02_security.tf
+++ b/src/domains/qi-common/02_security.tf
@@ -170,3 +170,31 @@ module "letsencrypt_qi" {
 key_vault_name = "${local.product}-${var.domain}-kv"
 subscription_name = local.subscription_name
 }
+
+### TODO migrate in SOPS
+resource "azurerm_key_vault_secret" "azure_data_explorer_re_client_id" {
+ name = "azure-data-explorer-re-client-id"
+ value = ""
+ content_type = "text/plain"
+ key_vault_id = module.key_vault.id
+
+ lifecycle {
+ ignore_changes = [
+ value,
+ ]
+ }
+}
+
+### TODO migrate in SOPS
+resource "azurerm_key_vault_secret" "azure_data_explorer_re_application_key" {
+ name = "azure-data-explorer-re-application-key"
+ value = ""
+ content_type = "text/plain"
+ key_vault_id = module.key_vault.id
+
+ lifecycle {
+ ignore_changes = [
+ value,
+ ]
+ }
+}
diff --git a/src/domains/qi-common/README.md b/src/domains/qi-common/README.md
index 005bc3cefc..4b73f15e72 100644 
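Review bot: Neither `azure_data_explorer_re_client_id` nor `azure_data_explorer_re_application_key` sets `expiration_date`, so the application key has no rotation deadline in Key Vault and both resources will trip the usual secret-expiry policy checks; set one (adding it to `ignore_changes` next to `value` if the key is rotated by hand) or record in the comment why it is deliberately absent. Both are created as placeholders with `value = ""` and `ignore_changes = [value]`, so the real value is only ever written outside Terraform, and until that happens a reader presumably gets the empty string back rather than a missing-secret error, with nothing in the plan showing whether it has been filled in. The bare `### TODO migrate in SOPS` should therefore say where the value comes from and who owns it, e.g. `### Placeholder: real value is set out-of-band in the vault and preserved by ignore_changes; rotation is manual (TODO migrate in SOPS)`.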
--- a/src/domains/qi-common/README.md
+++ b/src/domains/qi-common/README.md
@@ -27,6 +27,8 @@ | [azurerm_key_vault_access_policy.azdevops_iac_managed_identities](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | | [azurerm_key_vault_access_policy.azdevops_iac_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | | [azurerm_key_vault_secret.ai_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.azure_data_explorer_re_application_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.azure_data_explorer_re_client_id](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.ehub_alert_qi_rx_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.ehub_alert_qi_rx_debug_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.ehub_alert_qi_rx_pdnd_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
From 1b97b96ce39726cee3729df7e277018777f64f33 Mon Sep 17 00:00:00 2001 
From: Simone infante <52280205+infantesimone@users.noreply.github.com>
Date: Mon, 23 Dec 2024 11:08:41 +0100
Subject: [PATCH 2/3] chore(secret-fdr-kpi-elk): PPABV-106 add secret for elk integration - qi domain (#2692)

* feat: add new secret for elk
* chore: update docs
---
 src/domains/ecommerce-app/README.md | 10 +++++-----
 src/domains/ecommerce-common/README.md | 14 +++++++-------
 src/domains/qi-common/02_security.tf | 13 +++++++++++++
 src/domains/qi-common/README.md | 1 +
 4 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/src/domains/ecommerce-app/README.md b/src/domains/ecommerce-app/README.md
index 7045d5b712..8a2798a451 100644
--- a/src/domains/ecommerce-app/README.md
+++ b/src/domains/ecommerce-app/README.md
@@ -201,13 +201,13 @@ | [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | Specifies the name of the Log Analytics Workspace. | `string` | n/a | yes | | [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes | | [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes | -| [pagopa\_vpn](#input\_pagopa\_vpn) | pagoPA on prem VPN |
object({
ips = list(string)
})
| n/a | yes | -| [pagopa\_vpn\_dr](#input\_pagopa\_vpn\_dr) | pagoPA on prem VPN DR |
object({
ips = list(string)
})
| n/a | yes | +| [pagopa\_vpn](#input\_pagopa\_vpn) | pagoPA on prem VPN |
object({
ips = list(string)
})
| n/a | yes | +| [pagopa\_vpn\_dr](#input\_pagopa\_vpn\_dr) | pagoPA on prem VPN DR |
object({
ips = list(string)
})
| n/a | yes | | [pdv\_api\_base\_path](#input\_pdv\_api\_base\_path) | Personal data vault api base path | `string` | `null` | no | -| [pod\_disruption\_budgets](#input\_pod\_disruption\_budgets) | Pod disruption budget for domain namespace |
map(object({
name = optional(string, null)
minAvailable = optional(number, null)
matchLabels = optional(map(any), {})
}))
| `{}` | no | +| [pod\_disruption\_budgets](#input\_pod\_disruption\_budgets) | Pod disruption budget for domain namespace |
map(object({
name = optional(string, null)
minAvailable = optional(number, null)
matchLabels = optional(map(any), {})
}))
| `{}` | no | | [prefix](#input\_prefix) | n/a | `string` | n/a | yes | -| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | -| [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | +| [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration |
object({
chart_version = string,
image_name = string,
image_tag = string
})
| n/a | yes | ## Outputs
diff --git a/src/domains/ecommerce-common/README.md b/src/domains/ecommerce-common/README.md
index 2f2e98d435..badaaf8f69 100644
--- a/src/domains/ecommerce-common/README.md
+++ b/src/domains/ecommerce-common/README.md
@@ -158,13 +158,13 @@ | [cidr\_subnet\_cosmosdb\_ecommerce](#input\_cidr\_subnet\_cosmosdb\_ecommerce) | Cosmos DB address space for ecommerce. | `list(string)` | n/a | yes | | [cidr\_subnet\_redis\_ecommerce](#input\_cidr\_subnet\_redis\_ecommerce) | Redis DB address space for ecommerce. | `list(string)` | n/a | yes | | [cidr\_subnet\_storage\_ecommerce](#input\_cidr\_subnet\_storage\_ecommerce) | Azure storage DB address space for ecommerce. | `list(string)` | n/a | yes | -| [cosmos\_mongo\_db\_ecommerce\_history\_params](#input\_cosmos\_mongo\_db\_ecommerce\_history\_params) | n/a |
object({
enable_serverless = bool
enable_autoscaling = bool
throughput = number
max_throughput = number
})
| n/a | yes | -| [cosmos\_mongo\_db\_ecommerce\_params](#input\_cosmos\_mongo\_db\_ecommerce\_params) | n/a |
object({
enable_serverless = bool
enable_autoscaling = bool
throughput = number
max_throughput = number
})
| n/a | yes | -| [cosmos\_mongo\_db\_params](#input\_cosmos\_mongo\_db\_params) | n/a |
object({
enabled = bool
capabilities = list(string)
offer_type = string
server_version = string
kind = string
consistency_policy = object({
consistency_level = string
max_interval_in_seconds = number
max_staleness_prefix = number
})
enable_free_tier = bool
main_geo_location_zone_redundant = bool
additional_geo_locations = list(object({
location = string
failover_priority = number
zone_redundant = bool
}))
private_endpoint_enabled = bool
public_network_access_enabled = bool
is_virtual_network_filter_enabled = bool
backup_continuous_enabled = bool
enable_provisioned_throughput_exceeded_alert = bool
})
| n/a | yes | +| [cosmos\_mongo\_db\_ecommerce\_history\_params](#input\_cosmos\_mongo\_db\_ecommerce\_history\_params) | n/a |
object({
enable_serverless = bool
enable_autoscaling = bool
throughput = number
max_throughput = number
})
| n/a | yes | +| [cosmos\_mongo\_db\_ecommerce\_params](#input\_cosmos\_mongo\_db\_ecommerce\_params) | n/a |
object({
enable_serverless = bool
enable_autoscaling = bool
throughput = number
max_throughput = number
})
| n/a | yes | +| [cosmos\_mongo\_db\_params](#input\_cosmos\_mongo\_db\_params) | n/a |
object({
enabled = bool
capabilities = list(string)
offer_type = string
server_version = string
kind = string
consistency_policy = object({
consistency_level = string
max_interval_in_seconds = number
max_staleness_prefix = number
})
enable_free_tier = bool
main_geo_location_zone_redundant = bool
additional_geo_locations = list(object({
location = string
failover_priority = number
zone_redundant = bool
}))
private_endpoint_enabled = bool
public_network_access_enabled = bool
is_virtual_network_filter_enabled = bool
backup_continuous_enabled = bool
enable_provisioned_throughput_exceeded_alert = bool
})
| n/a | yes | | [dns\_zone\_internal\_prefix](#input\_dns\_zone\_internal\_prefix) | The dns subdomain. | `string` | `null` | no | | [domain](#input\_domain) | n/a | `string` | n/a | yes | -| [ecommerce\_storage\_deadletter\_params](#input\_ecommerce\_storage\_deadletter\_params) | Azure storage DB params for ecommerce deadletter resources. |
object({
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": true,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 7,
"tier": "Standard"
}
| no | -| [ecommerce\_storage\_transient\_params](#input\_ecommerce\_storage\_transient\_params) | Azure storage DB params for ecommerce transient resources. |
object({
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": true,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 7,
"tier": "Standard"
}
| no | +| [ecommerce\_storage\_deadletter\_params](#input\_ecommerce\_storage\_deadletter\_params) | Azure storage DB params for ecommerce deadletter resources. |
object({
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": true,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 7,
"tier": "Standard"
}
| no | +| [ecommerce\_storage\_transient\_params](#input\_ecommerce\_storage\_transient\_params) | Azure storage DB params for ecommerce transient resources. |
object({
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": true,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 7,
"tier": "Standard"
}
| no | | [enable\_iac\_pipeline](#input\_enable\_iac\_pipeline) | If true create the key vault policy to allow used by azure devops iac pipelines. | `bool` | `false` | no | | [env](#input\_env) | n/a | `string` | n/a | yes | | [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes | @@ -177,8 +177,8 @@ | [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes | | [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes | | [prefix](#input\_prefix) | n/a | `string` | n/a | yes | -| [redis\_ecommerce\_params](#input\_redis\_ecommerce\_params) | n/a |
object({
capacity = number
sku_name = string
family = string
version = string
ha_enabled = bool
zones = list(number)
})
| n/a | yes | -| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | +| [redis\_ecommerce\_params](#input\_redis\_ecommerce\_params) | n/a |
object({
capacity = number
sku_name = string
family = string
version = string
ha_enabled = bool
zones = list(number)
})
| n/a | yes | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | ## Outputs
diff --git a/src/domains/qi-common/02_security.tf b/src/domains/qi-common/02_security.tf
index 39c5dbd39b..b4d8050b2b 100644
--- a/src/domains/qi-common/02_security.tf
+++ b/src/domains/qi-common/02_security.tf
@@ -198,3 +198,16 @@ resource "azurerm_key_vault_secret" "azure_data_explorer_re_application_key" {
 ]
 }
 }
+
+### TODO migrate in SOPS
+resource "azurerm_key_vault_secret" "elastic_otel_token_header" {
+ name = "elastic-otel-token-header"
+ value = ""
+ key_vault_id = module.key_vault.id
+
+ lifecycle {
+ ignore_changes = [
+ value,
+ ]
+ }
+}
\ No newline at end of file
diff --git a/src/domains/qi-common/README.md b/src/domains/qi-common/README.md
index 4b73f15e72..ae5b26fd98 100644
--- a/src/domains/qi-common/README.md
+++ b/src/domains/qi-common/README.md
@@ -33,6 +33,7 @@ | [azurerm_key_vault_secret.ehub_alert_qi_rx_debug_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.ehub_alert_qi_rx_pdnd_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.ehub_alert_qi_tx_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.elastic_otel_token_header](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.qi_azurewebjobsstorage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource | | [azurerm_resource_group.qi_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | 
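Review bot: `elastic_otel_token_header` omits the `content_type = "text/plain"` that the two `azure_data_explorer_re_*` secrets immediately above it in this file set, and the new block ends without a trailing newline (`\ No newline at end of file`); add `content_type = "text/plain"` after `value = ""` and a final newline so the placeholders stay uniform and the next append does not show a spurious change on the closing brace. As with those secrets there is no `expiration_date`, and the empty placeholder value is what readers get until it is filled in out-of-band, so the same owner/rotation note belongs here. The name suggests the secret holds a complete header value rather than a bare token; if so, state that in the comment so consumers know not to add their own prefix, e.g. `### Full OTEL auth header value, set out-of-band and ignored by Terraform (TODO migrate in SOPS)`.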
From 6babcaf88b075930ff2f748e63d0f8f457206841 Mon Sep 17 00:00:00 2001
From: ffppa
Date: Mon, 23 Dec 2024 12:11:35 +0100
Subject: [PATCH 3/3] feat: [PAYMCLOUD-191] Upgrade aks platform module to v8.66.1 (#2693)

Update AKS module version to v8.66.1 to enanche default metrics alerts.
Upgraded the Terraform module for the Kubernetes cluster from v8.58.0 to v8.66.1. This ensures the use of the latest features, bug fixes, and improvements from the module.
Signed-off-by: Fabio Felici
---
 src/aks-platform/02_aks.tf | 2 +-
 src/aks-platform/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/aks-platform/02_aks.tf b/src/aks-platform/02_aks.tf
index 8094c2ff90..43e4c17330 100644
--- a/src/aks-platform/02_aks.tf
+++ b/src/aks-platform/02_aks.tf
@@ -7,7 +7,7 @@ resource "azurerm_resource_group" "aks_rg" {
 module "aks" {
- source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster?ref=v8.58.0"
+ source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster?ref=v8.66.1"
 name = local.aks_name
 location = var.location
diff --git a/src/aks-platform/README.md b/src/aks-platform/README.md
index a2101f84cc..ccde185147 100644
--- a/src/aks-platform/README.md
+++ b/src/aks-platform/README.md
@@ -15,7 +15,7 @@ | Name | Source | Version | |------|--------|---------| -| [aks](#module\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster | v8.58.0 | +| [aks](#module\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster | v8.66.1 | | [aks\_snet](#module\_aks\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v8.53.0 | | [keda\_pod\_identity](#module\_keda\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v8.53.0 | | [monitoring\_pod\_identity](#module\_monitoring\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v8.53.0 |