feat: Subkey printit (#2048)

* tmp

* secrets

* kv

src/domains/printit-app/06_keyvault.tf

@@ -20,6 +20,17 @@ resource "azurerm_key_vault_secret" "application_insights_connection_string" {
   key_vault_id = data.azurerm_key_vault.kv.id
 }
 
+
+resource "azurerm_key_vault_secret" "tenant_id" {
+  name         = "tenant-id"
+  value        = data.azurerm_subscription.current.tenant_id
+  content_type = "text/plain"
+  key_vault_id = data.azurerm_key_vault.kv.id
+}
+
+
+# Mongo DB
+
 resource "azurerm_key_vault_secret" "notices_mongo_connection_string" {
   name         = "notices-mongo-connection-string"
   value        = data.azurerm_cosmosdb_account.notices_cosmos_account.primary_mongodb_connection_string
@@ -34,6 +45,15 @@ resource "azurerm_key_vault_secret" "notices_mongo_primary_key" {
   key_vault_id = data.azurerm_key_vault.kv.id
 }
 
+# Notices
+
+resource "azurerm_key_vault_secret" "notices_storage_account_endpoint" {
+  name         = "notices-storage-account-blob-endpoint"
+  value        = data.azurerm_storage_account.notices_storage_sa.primary_blob_endpoint
+  content_type = "text/plain"
+  key_vault_id = data.azurerm_key_vault.kv.id
+}
+
 resource "azurerm_key_vault_secret" "notices_storage_account_connection_string" {
   name         = "notices-storage-account-connection-string"
   value        = data.azurerm_storage_account.notices_storage_sa.primary_connection_string
@@ -48,6 +68,8 @@ resource "azurerm_key_vault_secret" "notices_storage_account_pkey" {
   key_vault_id = data.azurerm_key_vault.kv.id
 }
 
+# Templates
+
 resource "azurerm_key_vault_secret" "templates_storage_account_connection_string" {
   name         = "templates-storage-account-connection-string"
   value        = data.azurerm_storage_account.templates_storage_sa.primary_connection_string
@@ -62,6 +84,8 @@ resource "azurerm_key_vault_secret" "templates_storage_account_pkey" {
   key_vault_id = data.azurerm_key_vault.kv.id
 }
 
+# Institutions
+
 resource "azurerm_key_vault_secret" "institutions_storage_account_connection_string" {
   name         = "institutions-storage-account-connection-string"
   value        = data.azurerm_storage_account.institutions_storage_sa.primary_connection_string
@@ -76,6 +100,7 @@ resource "azurerm_key_vault_secret" "institutions_storage_account_pkey" {
   key_vault_id = data.azurerm_key_vault.kv.id
 }
 
+# Event Hub
 resource "azurerm_key_vault_secret" "ehub_notice_connection_string" {
   name         = "ehub-${var.env_short}-notice-connection-string"
   value        = data.azurerm_eventhub_authorization_rule.notices_evt_authorization_rule.primary_connection_string
@@ -104,6 +129,7 @@ resource "azurerm_key_vault_secret" "ehub_notice_jaas_config" {
   key_vault_id = data.azurerm_key_vault.kv.id
 }
 
+
 resource "azurerm_key_vault_secret" "ehub_notice_errors_jaas_config" {
   name         = "ehub-${var.env_short}-notice-errors-jaas-config"
   value        = "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"$ConnectionString\" password=\"${data.azurerm_eventhub_authorization_rule.notices_evt_authorization_rule.primary_connection_string}\";"
@@ -118,6 +144,8 @@ resource "azurerm_key_vault_secret" "ehub_notice_complete_jaas_config" {
   key_vault_id = data.azurerm_key_vault.kv.id
 }
 
+# SubKey
+
 resource "azurerm_key_vault_secret" "pdf_engine_node_subkey_secret" {
   count        = var.is_feature_enabled.pdf_engine ? 1 : 0
   name         = "pdf-engine-node-subkey"

src/domains/printit-app/README.md

@@ -165,11 +165,13 @@ No outputs.
 | [azurerm_key_vault_secret.notices_mongo_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.notices_mongo_primary_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.notices_storage_account_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_key_vault_secret.notices_storage_account_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.notices_storage_account_pkey](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.pdf_engine_node_subkey_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.pdf_engine_subkey_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.templates_storage_account_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.templates_storage_account_pkey](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_key_vault_secret.tenant_id](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_monitor_autoscale_setting.autoscale_app_service_printit_pdf_engine_autoscale](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource |
 | [azurerm_monitor_autoscale_setting.autoscale_app_service_printit_pdf_engine_java_autoscale](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource |
 | [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource |

src/domains/printit-common/03_storage_account_notices.tf

@@ -103,9 +103,6 @@ resource "azurerm_storage_management_policy" "st_blob_receipts_management_policy
 
 }
 
-
-
-
 resource "azurerm_user_assigned_identity" "identity_blob_storage_pdf" {
   resource_group_name = data.azurerm_resource_group.identity_rg.name
   location            = data.azurerm_resource_group.identity_rg.location

src/domains/printit-common/10_github_identity.tf

@@ -26,6 +26,14 @@ locals {
     }
   ]
 
+  federations_01_pr = [
+    for repo in local.repos_01 : {
+      repository = repo
+      subject    = "pull_request"
+    }
+  ]
+
+
   # to avoid subscription Contributor -> https://github.com/microsoft/azure-container-apps/issues/35
   environment_cd_roles = {
     subscription = [
@@ -114,3 +122,43 @@ resource "null_resource" "github_runner_app_permissions_to_namespace_cd_01" {
     module.identity_cd_01
   ]
 }
+
+
+# create a module for each 20 repos
+module "identity_pr_01" {
+  source    = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=fix-github-federated-identity"
+  prefix    = var.prefix
+  env_short = var.env_short
+  domain    = "${var.domain}-01-pr"
+
+  identity_role = "cd"
+
+  github_federations = local.federations_01_pr
+
+  cd_rbac_roles = {
+    subscription_roles = local.environment_cd_roles.subscription
+    resource_groups    = local.environment_cd_roles.resource_groups
+  }
+
+  tags = var.tags
+
+  depends_on = [
+    data.azurerm_resource_group.identity_rg
+  ]
+}
+
+
+resource "azurerm_key_vault_access_policy" "gha_pr_iac_managed_identities" {
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = module.identity_pr_01.identity_principal_id
+
+  secret_permissions = ["Get", "List", "Set", ]
+
+  certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get"]
+  key_permissions = [
+    "Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt", "GetRotationPolicy"
+  ]
+
+  storage_permissions = []
+}

src/domains/printit-common/README.md

@@ -121,6 +121,7 @@ No outputs.
 | <a name="module_cosmosdb_notices_collections"></a> [cosmosdb\_notices\_collections](#module\_cosmosdb\_notices\_collections) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_mongodb_collection | v8.9.1 |
 | <a name="module_eventhub_printit"></a> [eventhub\_printit](#module\_eventhub\_printit) | git::https://github.com/pagopa/terraform-azurerm-v3.git//eventhub_configuration | v8.9.1 |
 | <a name="module_identity_cd_01"></a> [identity\_cd\_01](#module\_identity\_cd\_01) | github.com/pagopa/terraform-azurerm-v3//github_federated_identity | v8.9.1 |
+| <a name="module_identity_pr_01"></a> [identity\_pr\_01](#module\_identity\_pr\_01) | github.com/pagopa/terraform-azurerm-v3//github_federated_identity | fix-github-federated-identity |
 | <a name="module_institutions_sa"></a> [institutions\_sa](#module\_institutions\_sa) | git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account | v8.9.1 |
 | <a name="module_notices_sa"></a> [notices\_sa](#module\_notices\_sa) | git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account | v8.9.1 |
 | <a name="module_templates_sa"></a> [templates\_sa](#module\_templates\_sa) | git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account | v8.9.1 |
@@ -131,6 +132,7 @@ No outputs.
 |------|------|
 | [azurerm_cosmosdb_mongo_database.notices_mongo_db](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_mongo_database) | resource |
 | [azurerm_key_vault_access_policy.gha_iac_managed_identities](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.gha_pr_iac_managed_identities](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_secret.blob_storage_pdf_client_id](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource |
 | [azurerm_private_endpoint.institutions_blob_private_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |