feat: Fix app service ha prod (#2177)

* prepared node-forwarder prod release, fix pdf engine app service * fix dns forwarder * wip * change rg * created node fw snet * enabled node forwarder ha uat * changed pdf engine resource group * prepared switch * fixed ha app service
pagopa · Jun 19, 2024 · 5379f21 · 5379f21
1 parent e2efcba
commit 5379f21
Show file tree

Hide file tree

Showing 22 changed files with 160 additions and 37 deletions.
diff --git a/scripts/tf_target.py b/scripts/tf_target.py
@@ -0,0 +1,39 @@
+import re
+import argparse
+
+
+def get_target_from_file(file_path):
+  with open(file_path, 'r') as file:
+    content = file.read()
+
+  # resource regex
+  pattern_resource = r'resource\s+"([^"]+)"\s+"([^"]+)"'
+  resources = re.findall(pattern_resource, content)
+
+  # Regex per trovare i moduli
+  pattern_module = r'module\s+"([^"]+)"'
+  modules = re.findall(pattern_module, content)
+
+  # generate target list
+  target = []
+  for r_type, r_name in resources:
+    target.append(f'"{r_type}.{r_name}"')
+  for m_name in modules:
+    target.append(f'"module.{m_name}"')
+
+  return target
+
+
+def main():
+  parser = argparse.ArgumentParser(description='Get target from terraform file')
+  parser.add_argument('file_path', help='Path to tf file')
+  args = parser.parse_args()
+
+  target_list = get_target_from_file(args.file_path)
+
+  # print all targets on a single line
+  print(' '.join([f'-target={target}' for target in target_list]))
+
+
+if __name__ == '__main__':
+  main()
diff --git a/src/core/00_node_forwarder_ha.tf b/src/core/00_node_forwarder_ha.tf
@@ -0,0 +1,8 @@
+data "azurerm_app_service" "node_forwarder_ha" {
+  count               = var.enabled_features.node_forwarder_ha ? 1 : 0
+  name                = "${local.project}-${var.location_short}-core-app-node-forwarder-ha"
+  resource_group_name = "${local.project}-node-forwarder-rg"
+}
+
+
+
diff --git a/src/core/99_locals.tf b/src/core/99_locals.tf
@@ -20,4 +20,8 @@ locals {
   vnet_ita_name                = "pagopa-${var.env_short}-itn-vnet"
   vnet_ita_resource_group_name = "pagopa-${var.env_short}-itn-vnet-rg"
 
+
+  pagopa_apim_v2_snet        = "${local.project}-weu-core-apimv2-snet"
+  pagopa_vnet_integration = "pagopa-${var.env_short}-vnet-integration"
+  pagopa_vnet_rg          = "pagopa-${var.env_short}-vnet-rg"
 }
diff --git a/src/core/99_variables.tf b/src/core/99_variables.tf
@@ -93,7 +93,8 @@ variable "enabled_features" {
   type = object({
     apim_v2       = bool
     apim_migrated = optional(bool, false)
-    vnet_ita      = bool
+    vnet_ita = bool
+    node_forwarder_ha = optional(bool, false)
   })
   default = {
     apim_v2  = false

diff --git a/src/core/apim_node_forwarder.tf b/src/core/apim_node_forwarder.tf
@@ -46,15 +46,15 @@ module "apim_node_forwarder_api" {
   path         = "pagopa-node-forwarder/api"
   protocols    = ["https"]
 
-  service_url = "https://${module.node_forwarder_app_service.default_site_hostname}"
+  service_url = var.enabled_features.node_forwarder_ha ? "https://${data.azurerm_app_service.node_forwarder_ha[0].default_site_hostname}" : "https://${module.node_forwarder_app_service.default_site_hostname}"
 
   content_format = "openapi"
   content_value = templatefile("./api/node_forwarder_api/v1/_openapi.json.tpl", {
     host = azurerm_api_management_custom_domain.api_custom_domain.proxy[0].host_name
   })
 
   xml_content = templatefile("./api/node_forwarder_api/v1/_base_policy.xml", {
-    node_forwarder_host_path = "https://${module.node_forwarder_app_service.default_site_hostname}"
+    node_forwarder_host_path = var.enabled_features.node_forwarder_ha ? "https://${data.azurerm_app_service.node_forwarder_ha[0].default_site_hostname}" : "https://${module.node_forwarder_app_service.default_site_hostname}"
   })
 
   depends_on = [

diff --git a/src/core/env/prod/terraform.tfvars b/src/core/env/prod/terraform.tfvars
@@ -20,6 +20,7 @@ tags = {
 enabled_features = {
   apim_v2  = true
   vnet_ita = false
+  node_forwarder_ha = true
   apim_migrated = false
 }
 

diff --git a/src/core/env/uat/terraform.tfvars b/src/core/env/uat/terraform.tfvars
@@ -21,6 +21,7 @@ enabled_features = {
   apim_v2       = false
   vnet_ita      = false
   apim_migrated = true
+  node_forwarder_ha = true
 }
 
 lock_enable = true

diff --git a/src/core/node_forwarder.tf b/src/core/node_forwarder.tf
@@ -56,6 +56,12 @@ resource "azurerm_resource_group" "node_forwarder_rg" {
   tags = var.tags
 }
 
+data "azurerm_subnet" "apim_v2_snet" {
+  name                 = local.pagopa_apim_v2_snet
+  resource_group_name  = local.pagopa_vnet_rg
+  virtual_network_name = local.pagopa_vnet_integration
+}
+
 # Subnet to host the node forwarder
 module "node_forwarder_snet" {
   source                                         = "git::https://github.com/pagopa/azurerm.git//subnet?ref=v1.0.90"
@@ -97,7 +103,7 @@ module "node_forwarder_app_service" {
 
   app_settings = local.node_forwarder_app_settings
 
-  allowed_subnets = [module.apim_snet.id]
+  allowed_subnets = [module.apim_snet.id, data.azurerm_subnet.apim_v2_snet.id]
   allowed_ips     = []
 
   subnet_id = module.node_forwarder_snet.id

diff --git a/src/domains/shared-app/00_network.tf b/src/domains/shared-app/00_network.tf
@@ -9,6 +9,12 @@ data "azurerm_subnet" "apim_vnet" {
   virtual_network_name = local.pagopa_vnet_integration
 }
 
+data "azurerm_subnet" "apim_v2_vnet" {
+  name                 = local.pagopa_apim_v2_snet
+  resource_group_name  = local.pagopa_vnet_rg
+  virtual_network_name = local.pagopa_vnet_integration
+}
+
 data "azurerm_dns_zone" "public" {
   name = join(".", [var.apim_dns_zone_prefix, var.external_domain])
 }

diff --git a/src/domains/shared-app/01_app_service_pdf_engine.tf b/src/domains/shared-app/01_app_service_pdf_engine.tf
@@ -39,7 +39,7 @@ module "shared_pdf_engine_app_service" {
 
   app_settings = local.shared_pdf_engine_app_settings
 
-  allowed_subnets = [data.azurerm_subnet.apim_vnet.id]
+  allowed_subnets = [data.azurerm_subnet.apim_vnet.id, data.azurerm_subnet.apim_v2_vnet.id]
   allowed_ips     = []
 
   subnet_id = module.shared_pdf_engine_app_service_snet.id
@@ -97,7 +97,7 @@ resource "azurerm_monitor_autoscale_setting" "autoscale_app_service_shared_pdf_e
       maximum = 12
     }
 
-    # Requests 
+    # Requests
     rule {
       metric_trigger {
         metric_name              = "Requests"
@@ -142,9 +142,9 @@ resource "azurerm_monitor_autoscale_setting" "autoscale_app_service_shared_pdf_e
       }
     }
 
-    # HttpResponseTime 
+    # HttpResponseTime
 
-    # Supported metrics for Microsoft.Web/sites 
+    # Supported metrics for Microsoft.Web/sites
     # 👀 https://learn.microsoft.com/en-us/azure/azure-monitor/reference/supported-metrics/microsoft-web-sites-metrics
     rule {
       metric_trigger {
@@ -190,9 +190,9 @@ resource "azurerm_monitor_autoscale_setting" "autoscale_app_service_shared_pdf_e
       }
     }
 
-    # CpuPercentage 
+    # CpuPercentage
 
-    # Supported metrics for Microsoft.Web/sites 
+    # Supported metrics for Microsoft.Web/sites
     # 👀 https://learn.microsoft.com/en-us/azure/azure-monitor/reference/supported-metrics/microsoft-web-sites-metrics
     rule {
       metric_trigger {
@@ -270,7 +270,7 @@ module "shared_pdf_engine_app_service_java" {
 
   app_settings = local.shared_pdf_engine_app_settings_java
 
-  allowed_subnets = [data.azurerm_subnet.apim_vnet.id]
+  allowed_subnets = [data.azurerm_subnet.apim_vnet.id, data.azurerm_subnet.apim_v2_vnet.id]
   allowed_ips     = []
 
   subnet_id = module.shared_pdf_engine_app_service_snet.id
@@ -328,7 +328,7 @@ resource "azurerm_monitor_autoscale_setting" "autoscale_app_service_shared_pdf_e
       maximum = 12
     }
 
-    # Requests 
+    # Requests
     rule {
       metric_trigger {
         metric_name              = "Requests"
@@ -373,9 +373,9 @@ resource "azurerm_monitor_autoscale_setting" "autoscale_app_service_shared_pdf_e
       }
     }
 
-    # HttpResponseTime 
+    # HttpResponseTime
 
-    # Supported metrics for Microsoft.Web/sites 
+    # Supported metrics for Microsoft.Web/sites
     # 👀 https://learn.microsoft.com/en-us/azure/azure-monitor/reference/supported-metrics/microsoft-web-sites-metrics
     rule {
       metric_trigger {
@@ -421,9 +421,9 @@ resource "azurerm_monitor_autoscale_setting" "autoscale_app_service_shared_pdf_e
       }
     }
 
-    # CpuPercentage 
+    # CpuPercentage
 
-    # Supported metrics for Microsoft.Web/sites 
+    # Supported metrics for Microsoft.Web/sites
     # 👀 https://learn.microsoft.com/en-us/azure/azure-monitor/reference/supported-metrics/microsoft-web-sites-metrics
     rule {
       metric_trigger {

diff --git a/src/domains/shared-app/01_app_service_pdf_engine_ha.tf b/src/domains/shared-app/01_app_service_pdf_engine_ha.tf
@@ -2,12 +2,17 @@
 # node
 ################
 
+resource "azurerm_resource_group" "pdf_engine_ha_rg" {
+  count = var.pdf_engine_app_ha_enabled ? 1 : 0
+  name     = "${local.project}-ha-rg"
+  location = var.location
+}
 
 module "shared_pdf_engine_app_service_ha" {
   source              = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service?ref=v7.69.1"
-  count               = var.pdf_engine_app_ha_enabled ? 1 : 0
+  count = var.pdf_engine_app_ha_enabled ? 1 : 0
   vnet_integration    = false
-  resource_group_name = azurerm_resource_group.shared_pdf_engine_app_service_rg.name
+  resource_group_name = azurerm_resource_group.pdf_engine_ha_rg[0].name
   location            = var.location
 
   # App service plan vars
@@ -26,8 +31,8 @@ module "shared_pdf_engine_app_service_ha" {
 
   app_settings = local.shared_pdf_engine_app_settings
 
-
-  allowed_subnets = [data.azurerm_subnet.apim_vnet.id]
+  zone_balancing_enabled = var.pdf_engine_zone_balancing_enabled
+  allowed_subnets = [data.azurerm_subnet.apim_vnet.id, data.azurerm_subnet.apim_v2_vnet.id]
   allowed_ips     = []
 
   subnet_id = module.shared_pdf_engine_app_service_snet.id
@@ -47,7 +52,7 @@ module "shared_pdf_engine_slot_staging_ha" {
 
   # App service
   name                = "staging"
-  resource_group_name = azurerm_resource_group.shared_pdf_engine_app_service_rg.name
+  resource_group_name = azurerm_resource_group.pdf_engine_ha_rg[0].name
   location            = var.location
 
   always_on = true
@@ -71,8 +76,8 @@ resource "azurerm_monitor_autoscale_setting" "autoscale_app_service_shared_pdf_e
   count = var.env_short != "d" && var.pdf_engine_app_ha_enabled ? 1 : 0
 
   name                = format("%s-autoscale-pdf-engine-ha", local.project)
-  resource_group_name = azurerm_resource_group.shared_pdf_engine_app_service_rg.name
-  location            = azurerm_resource_group.shared_pdf_engine_app_service_rg.location
+  resource_group_name = azurerm_resource_group.pdf_engine_ha_rg[0].name
+  location            = azurerm_resource_group.pdf_engine_ha_rg[0].location
   target_resource_id  = module.shared_pdf_engine_app_service_ha[0].plan_id
   enabled             = var.app_service_pdf_engine_autoscale_enabled
 
@@ -238,12 +243,13 @@ module "shared_pdf_engine_app_service_java_ha" {
   source              = "git::https://github.com/pagopa/terraform-azurerm-v3.git//app_service?ref=v7.69.1"
   count               = var.pdf_engine_app_ha_enabled ? 1 : 0
   vnet_integration    = false
-  resource_group_name = azurerm_resource_group.shared_pdf_engine_app_service_rg.name
+  resource_group_name = azurerm_resource_group.pdf_engine_ha_rg[0].name
   location            = var.location
 
   # App service plan vars
   plan_name = format("%s-plan-pdf-engine-java-ha", local.project)
   sku_name  = var.app_service_pdf_engine_sku_name_java
+  zone_balancing_enabled = var.pdf_engine_zone_balancing_enabled
 
   # App service plan
   name                = format("%s-app-pdf-engine-java-ha", local.project)
@@ -257,7 +263,7 @@ module "shared_pdf_engine_app_service_java_ha" {
 
   app_settings = local.shared_pdf_engine_app_settings_java
 
-  allowed_subnets = [data.azurerm_subnet.apim_vnet.id]
+  allowed_subnets = [data.azurerm_subnet.apim_vnet.id, data.azurerm_subnet.apim_v2_vnet.id]
   allowed_ips     = []
 
   subnet_id = module.shared_pdf_engine_app_service_snet.id
@@ -277,7 +283,7 @@ module "shared_pdf_engine_java_slot_staging_ha" {
 
   # App service
   name                = "staging"
-  resource_group_name = azurerm_resource_group.shared_pdf_engine_app_service_rg.name
+  resource_group_name = azurerm_resource_group.pdf_engine_ha_rg[0].name
   location            = var.location
 
   always_on = true
@@ -301,8 +307,8 @@ resource "azurerm_monitor_autoscale_setting" "autoscale_app_service_shared_pdf_e
   count = var.env_short != "d" && var.pdf_engine_app_ha_enabled ? 1 : 0
 
   name                = format("%s-autoscale-pdf-engine-java-ha", local.project)
-  resource_group_name = azurerm_resource_group.shared_pdf_engine_app_service_rg.name
-  location            = azurerm_resource_group.shared_pdf_engine_app_service_rg.location
+  resource_group_name = azurerm_resource_group.pdf_engine_ha_rg[0].name
+  location            = azurerm_resource_group.pdf_engine_ha_rg[0].location
   target_resource_id  = module.shared_pdf_engine_app_service_java_ha[0].plan_id
   enabled             = var.app_service_pdf_engine_autoscale_enabled
 

diff --git a/src/domains/shared-app/99_locals.tf b/src/domains/shared-app/99_locals.tf
@@ -32,6 +32,7 @@ locals {
   pagopa_apim_rg   = "${local.product}-api-rg"
 
   pagopa_apim_snet        = "${local.product}-apim-snet"
+  pagopa_apim_v2_snet        = "${local.product}-weu-core-apimv2-snet"
   pagopa_vnet_integration = "pagopa-${var.env_short}-vnet-integration"
   pagopa_vnet_rg          = "pagopa-${var.env_short}-vnet-rg"
 

diff --git a/src/domains/shared-app/99_variables.tf b/src/domains/shared-app/99_variables.tf
@@ -318,8 +318,14 @@ variable "pdv_api_base_path" {
   description = "Personal data vault api base path"
 }
 
+variable "pdf_engine_zone_balancing_enabled" {
+  type = bool
+  description = "(Required) if true, enables zone balancing to pdf engine app service plans"
+}
+
+
 variable "ecommerce_io_pm_enabled" {
   type        = bool
   description = "eCommerce vs pm enabled"
   default     = false
-}
+}
diff --git a/src/domains/shared-app/env/weu-dev/terraform.tfvars b/src/domains/shared-app/env/weu-dev/terraform.tfvars
@@ -70,6 +70,7 @@ cidr_subnet_pdf_engine_app_service = ["10.1.187.0/24"]
 
 robots_indexed_paths      = []
 pdf_engine_app_ha_enabled = false
+pdf_engine_zone_balancing_enabled = false
 
 // wallet session token
 io_backend_base_path = "http://{{aks-lb-nexi}}/pmmockservice/pmmockserviceapi"

diff --git a/src/domains/shared-app/env/weu-prod/terraform.tfvars b/src/domains/shared-app/env/weu-prod/terraform.tfvars
@@ -90,6 +90,7 @@ pod_disruption_budgets = {
 pagopa_shared_toolbox_enabled = false
 robots_indexed_paths          = []
 pdf_engine_app_ha_enabled     = true
+pdf_engine_zone_balancing_enabled = true
 
 // wallet session token
 io_backend_base_path = "https://disabled"

diff --git a/src/domains/shared-app/env/weu-uat/terraform.tfvars b/src/domains/shared-app/env/weu-uat/terraform.tfvars
@@ -71,6 +71,7 @@ app_service_pdf_engine_sku_name_java = "P1v3"
 
 robots_indexed_paths      = []
 pdf_engine_app_ha_enabled = false
+pdf_engine_zone_balancing_enabled = false
 
 // wallet session token
 io_backend_base_path = "https://api-app.io.pagopa.it"

diff --git a/src/next-core/00_network.tf b/src/next-core/00_network.tf
@@ -40,3 +40,9 @@ data "azurerm_private_dns_zone" "postgres" {
   name                = "private.postgres.database.azure.com"
   resource_group_name = data.azurerm_resource_group.rg_vnet.name
 }
+
+data "azurerm_nat_gateway" "nat_gw" {
+  name                = "${local.product}-natgw"
+  resource_group_name = data.azurerm_resource_group.rg_vnet.name
+}
+