feat: Prod apim start migration (#2170)

* prepared apim migration * scaled app gw * scaled app gw subnet * added domains apimv2 alerts * added missing alerts * fix alert names nodo-app * updated apim v2 autoscale * commented app gw rewrite rule
pagopa · Jun 18, 2024 · 5bd48f5 · 5bd48f5
1 parent 3cbebb5
commit 5bd48f5
Show file tree

Hide file tree

Showing 39 changed files with 1,499 additions and 2,737 deletions.
diff --git a/src/core/alert_node_forwarder_apimv2.tf b/src/core/alert_node_forwarder_apimv2.tf
@@ -0,0 +1,73 @@
+
+
+resource "azurerm_monitor_scheduled_query_rules_alert" "opex_pagopa-node-forwarder-responsetime-upd-v2" {
+  count               = var.env_short == "p" ? 1 : 0
+  resource_group_name = "dashboards"
+  name                = "pagopa-${var.env_short}-opex_pagopa-node-forwarder-responsetime @ _forward2-v2"
+  location            = var.location
+
+  action {
+    action_group           = [azurerm_monitor_action_group.email.id, azurerm_monitor_action_group.slack.id, azurerm_monitor_action_group.mo_email.id, azurerm_monitor_action_group.new_conn_srv_opsgenie[0].id]
+    email_subject          = "Email Header"
+    custom_webhook_payload = "{}"
+  }
+  data_source_id = data.azurerm_api_management.apim_v2[0].id
+  description    = "Response time for /forward is less than or equal to 9s - https://portal.azure.com/#@pagopait.onmicrosoft.com/dashboard/arm/subscriptions/b9fc9419-6097-45fe-9f74-ba0641c91912/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/pagopa-p-opex_pagopa-node-forwarder"
+  enabled        = true
+  query = (<<-QUERY
+let threshold = 9000;
+AzureDiagnostics
+| where url_s matches regex "/forward"
+| summarize
+    watermark=threshold,
+    duration_percentile_95=percentiles(DurationMs, 95) by bin(TimeGenerated, 5m)
+| where duration_percentile_95 > threshold
+  QUERY
+  )
+  severity    = 1
+  frequency   = 5
+  time_window = 5
+  trigger {
+    operator  = "GreaterThanOrEqual"
+    threshold = 1
+  }
+
+}
+
+resource "azurerm_monitor_scheduled_query_rules_alert" "opex_pagopa-node-forwarder-availability-upd-v2" {
+  count               = var.env_short == "p" ? 1 : 0
+  resource_group_name = "dashboards"
+  name                = "pagopa-${var.env_short}-opex_pagopa-node-forwarder-availability @ _forward2-v2"
+  location            = var.location
+
+  action {
+    action_group           = [azurerm_monitor_action_group.email.id, azurerm_monitor_action_group.slack.id, azurerm_monitor_action_group.mo_email.id, azurerm_monitor_action_group.new_conn_srv_opsgenie[0].id]
+    email_subject          = "Email Header"
+    custom_webhook_payload = "{}"
+  }
+  data_source_id = data.azurerm_api_management.apim_v2[0].id
+  description    = "Availability for /forward is less than or equal to 99% - https://portal.azure.com/#@pagopait.onmicrosoft.com/dashboard/arm/subscriptions/b9fc9419-6097-45fe-9f74-ba0641c91912/resourceGroups/dashboards/providers/Microsoft.Portal/dashboards/pagopa-p-opex_pagopa-node-forwarder"
+  enabled        = true
+  query = (<<-QUERY
+let threshold = 0.99;
+AzureDiagnostics
+| where url_s matches regex "/forward"
+| summarize
+    Total=count(),
+    Success=count(responseCode_d < 500)
+    by bin(TimeGenerated, 5m)
+| extend availability=toreal(Success) / Total
+| where availability < threshold
+  QUERY
+  )
+  severity    = 1
+  frequency   = 5
+  time_window = 5
+  trigger {
+    operator  = "GreaterThanOrEqual"
+    threshold = 1
+  }
+
+}
+
+
diff --git a/src/core/appgateway.tf b/src/core/appgateway.tf
@@ -239,7 +239,7 @@ locals {
       fqdns                       = [azurerm_dns_a_record.dns_a_api.fqdn]
       probe                       = "/status-0123456789abcdef"
       probe_name                  = "probe-apim"
-      request_timeout             = 30
+      request_timeout             = 120
       pick_host_name_from_backend = false
     }
 
@@ -463,60 +463,60 @@ module "app_gw" {
           response_header_configurations = []
           url                            = null
         },
-        {
-          name          = "http-deny-path-only-to-upload-allowed-path"
-          rule_sequence = 4
-          conditions = [
-            {
-              variable    = "var_host"
-              pattern     = format("upload.%s.%s", var.dns_zone_prefix, var.external_domain)
-              ignore_case = true
-              negate      = false
-            },
-            {
-              variable    = "var_uri_path"
-              pattern     = join("|", var.app_gateway_allowed_paths_upload)
-              ignore_case = true
-              negate      = true
-            },
-          ]
-          request_header_configurations  = []
-          response_header_configurations = []
-          url = {
-            path         = "notfound"
-            query_string = null
-          }
-        },
-        {
-          name          = "http-deny-path-only-upload-soap-fdr"
-          rule_sequence = 4
-          conditions = [
-            {
-              variable    = "var_host"
-              pattern     = format("upload.%s.%s", var.dns_zone_prefix, var.external_domain)
-              ignore_case = true
-              negate      = false
-            },
-            {
-              variable    = "http_req_Content-Type"
-              pattern     = "application/xml"
-              ignore_case = true
-              negate      = false
-            },
-            {
-              variable    = "http_req_SOAPAction"
-              pattern     = join("|", var.app_gateway_allowed_fdr_soap_action)
-              ignore_case = true
-              negate      = true
-            },
-          ]
-          request_header_configurations  = []
-          response_header_configurations = []
-          url = {
-            path         = "notfound"
-            query_string = null
-          }
-        },
+#        {
+#          name          = "http-deny-path-only-to-upload-allowed-path"
+#          rule_sequence = 4
+#          conditions = [
+#            {
+#              variable    = "var_host"
+#              pattern     = format("upload.%s.%s", var.dns_zone_prefix, var.external_domain)
+#              ignore_case = true
+#              negate      = false
+#            },
+#            {
+#              variable    = "var_uri_path"
+#              pattern     = join("|", var.app_gateway_allowed_paths_upload)
+#              ignore_case = true
+#              negate      = true
+#            },
+#          ]
+#          request_header_configurations  = []
+#          response_header_configurations = []
+#          url = {
+#            path         = "notfound"
+#            query_string = null
+#          }
+#        },
+#        {
+#          name          = "http-deny-path-only-upload-soap-fdr"
+#          rule_sequence = 4
+#          conditions = [
+#            {
+#              variable    = "var_host"
+#              pattern     = format("upload.%s.%s", var.dns_zone_prefix, var.external_domain)
+#              ignore_case = true
+#              negate      = false
+#            },
+#            {
+#              variable    = "http_req_Content-Type"
+#              pattern     = "application/xml"
+#              ignore_case = true
+#              negate      = false
+#            },
+#            {
+#              variable    = "http_req_SOAPAction"
+#              pattern     = join("|", var.app_gateway_allowed_fdr_soap_action)
+#              ignore_case = true
+#              negate      = true
+#            },
+#          ]
+#          request_header_configurations  = []
+#          response_header_configurations = []
+#          url = {
+#            path         = "notfound"
+#            query_string = null
+#          }
+#        },
       ]
     },
     {

diff --git a/src/core/env/prod/terraform.tfvars b/src/core/env/prod/terraform.tfvars
@@ -18,10 +18,12 @@ tags = {
 # Feature flag
 #
 enabled_features = {
-  apim_v2  = false
+  apim_v2  = true
   vnet_ita = false
+  apim_migrated = false
 }
 
+upload_endpoint_enabled = false
 lock_enable = true
 
 # monitoring