From 0898cf7c26848ee0e343778941f282934845713c Mon Sep 17 00:00:00 2001 From: petretiandrea Date: Wed, 3 Apr 2024 09:33:49 +0200 Subject: [PATCH 1/6] chore(migration): Enable migration API on UAT (#1884) --- src/domains/wallet-app/env/weu-uat/terraform.tfvars | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/domains/wallet-app/env/weu-uat/terraform.tfvars b/src/domains/wallet-app/env/weu-uat/terraform.tfvars index fe23ab4dfb..f644e4fbb1 100644 --- a/src/domains/wallet-app/env/weu-uat/terraform.tfvars +++ b/src/domains/wallet-app/env/weu-uat/terraform.tfvars @@ -38,3 +38,5 @@ tls_cert_check_helm = { payment_wallet_with_pm_enabled = true pdv_api_base_path = "https://api.uat.tokenizer.pdv.pagopa.it/tokenizer/v1" io_backend_base_path = "http://{{aks-lb-nexi}}/pmmockservice/pmmockserviceapi" + +payment_wallet_migrations_enabled = true \ No newline at end of file From 409f52070526ce67ae64e8f13fa08684568a317b Mon Sep 17 00:00:00 2001 From: Pietro Tota <115724836+pietro-tota@users.noreply.github.com> Date: Wed, 3 Apr 2024 09:38:23 +0200 Subject: [PATCH 2/6] fix: NPG wallet cards policy (#1880) --- .../wallet-app/api/npg-notifications/v1/_base_policy.xml.tpl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/domains/wallet-app/api/npg-notifications/v1/_base_policy.xml.tpl b/src/domains/wallet-app/api/npg-notifications/v1/_base_policy.xml.tpl index ab140e241a..6bdc37160e 100644 --- a/src/domains/wallet-app/api/npg-notifications/v1/_base_policy.xml.tpl +++ b/src/domains/wallet-app/api/npg-notifications/v1/_base_policy.xml.tpl 
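Review bot: The added `payment_wallet_migrations_enabled = true` is written without a terminating newline (`\ No newline at end of file`), so the next edit to this tfvars file will show up as a two-line change on an unrelated line. The extra blank line inserted before it is also unusual for this file, where the preceding assignments sit together. Add the trailing newline and drop the blank line so the hunk is just the one flag.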
@@ -52,12 +52,13 @@ cardId4 = (string)((JObject)additionalData)["cardId4"]; } string paymentCircuit = (string)operation["paymentCircuit"]; + string paymentMethod = (string)operation["paymentMethod"]; JObject details = null; if(paymentCircuit == "PAYPAL"){ details = new JObject(); details["type"] = "PAYPAL"; details["maskedEmail"] = (string)operation["paymentInstrumentInfo"]; - } else if(paymentCircuit == "CARD"){ + } else if(paymentMethod == "CARD"){ details = new JObject(); details["type"] = "CARD"; details["paymentInstrumentGatewayId"] = cardId4; From fbdb88e9c875365a8c5fdd1b058307696bb3331f Mon Sep 17 00:00:00 2001 From: Pasquale Spica <36746022+pasqualespica@users.noreply.github.com> Date: Wed, 3 Apr 2024 10:16:21 +0200 Subject: [PATCH 3/6] chore: Fix biz slack secret (#1886) --- src/domains/bizevents-common/02_security.tf | 16 ++++++++++++++++ src/domains/bizevents-common/README.md | 1 + 2 files changed, 17 insertions(+) diff --git a/src/domains/bizevents-common/02_security.tf b/src/domains/bizevents-common/02_security.tf index 78ffca40c6..89972f412a 100644 --- a/src/domains/bizevents-common/02_security.tf +++ b/src/domains/bizevents-common/02_security.tf @@ -255,3 +255,19 @@ resource "azurerm_key_vault_secret" "tokenizer_api_key" { ] } } + +#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret +resource "azurerm_key_vault_secret" "webhook-slack-token" { + count = var.env_short != "p" ? 1 : 0 + name = "webhook-slack" + value = "" + content_type = "text/plain" + + key_vault_id = module.key_vault.id + + lifecycle { + ignore_changes = [ + value, + ] + } +} diff --git a/src/domains/bizevents-common/README.md b/src/domains/bizevents-common/README.md index 1dd59b9a06..5290eb8108 100644 --- a/src/domains/bizevents-common/README.md +++ b/src/domains/bizevents-common/README.md 
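Review bot: The two branches now discriminate on different fields — PAYPAL is still matched on `paymentCircuit` while CARD is matched on the newly read `paymentMethod` — and nothing in the hunk records why, so the next reader will likely "fix" one side back. If `paymentMethod` is absent from the notification, the cast yields null, neither branch matches and `details` stays null; what the code does with a null `details` is outside this hunk, so it is worth confirming the downstream handling. A short comment above the new read would settle it, e.g. `// CARD is identified by paymentMethod; paymentCircuit carries the card brand (VISA, MASTERCARD, ...) for cards — confirm against the NPG payload`. The enclosing policy expression starts and ends outside the hunk.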
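Review bot: The new `webhook-slack-token` secret is created with `value = ""` and `ignore_changes = [value]`, which means the Slack webhook URL must be set out of band and Terraform will never notice if it is left empty; the resource carries no comment saying so. It is also limited to non-prod (`count = var.env_short != "p" ? 1 : 0`) while the Key Vault name (`webhook-slack`) and the resource name (`webhook-slack-token`) differ, which makes it hard to tell which one consumers reference. A comment above the resource such as `# Placeholder only: the Slack webhook URL is populated manually after creation (value changes are ignored); prod is managed separately` would document both decisions, and, given the tfsec expiry ignore, consider setting `expiration_date` so the webhook gets rotated.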
@@ -52,6 +52,7 @@ | [azurerm_key_vault_secret.payment_manager_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.redis_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.tokenizer_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_key_vault_secret.webhook-slack-token](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource | | [azurerm_resource_group.bizevents_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | From 207b510e40619b0c156226b4e17ecb0e71576d12 Mon Sep 17 00:00:00 2001 From: Marco Mari <130982006+mamari90@users.noreply.github.com> Date: Wed, 3 Apr 2024 11:03:18 +0200 Subject: [PATCH 4/6] feat: Added redis ecommerce params in secrets (#1887) --- src/domains/ecommerce-common/02_security.tf | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/domains/ecommerce-common/02_security.tf b/src/domains/ecommerce-common/02_security.tf index a915a350dc..f26f25e4d1 100644 --- a/src/domains/ecommerce-common/02_security.tf +++ b/src/domains/ecommerce-common/02_security.tf 
@@ -221,6 +221,19 @@ resource "azurerm_key_vault_secret" "redis_ecommerce_password" { } } + +resource "azurerm_key_vault_secret" "redis_ecommerce_access_key" { + name = "redis-ecommerce-access-key" + value = module.pagopa_ecommerce_redis.primary_access_key + key_vault_id = module.key_vault.id +} + +resource "azurerm_key_vault_secret" "redis_ecommerce_hostname" { + name = "redis-ecommerce-hostname" + value = module.pagopa_ecommerce_redis.hostname + key_vault_id = module.key_vault.id +} + resource "azurerm_key_vault_secret" "nodo_connection_string" { name = "nodo-connection-string" value = "" From 4c2e5defe08b8420a1872a805c7a1b14fbc9c84f Mon Sep 17 00:00:00 2001 From: Marco Mari <130982006+mamari90@users.noreply.github.com> Date: Wed, 3 Apr 2024 12:53:44 +0200 Subject: [PATCH 5/6] feat: Postgres private dns dev (#1890) --- src/domains/fdr-common/env/weu-dev/terraform.tfvars | 2 +- src/domains/gps-common/env/weu-dev/terraform.tfvars | 2 +- src/domains/nodo-common/env/weu-dev/terraform.tfvars | 2 +- src/next-core/01_network_dns_private.tf | 4 ++-- src/next-core/99_variables.tf | 8 ++------ src/next-core/env/dev/terraform.tfvars | 4 ++-- src/next-core/env/prod/terraform.tfvars | 4 ++-- src/next-core/env/uat/terraform.tfvars | 4 ++-- 8 files changed, 13 insertions(+), 17 deletions(-) diff --git a/src/domains/fdr-common/env/weu-dev/terraform.tfvars b/src/domains/fdr-common/env/weu-dev/terraform.tfvars index 9d98225ce9..733f3a88c2 100644 --- a/src/domains/fdr-common/env/weu-dev/terraform.tfvars +++ b/src/domains/fdr-common/env/weu-dev/terraform.tfvars @@ -207,5 +207,5 @@ fdr_history_storage_account = { # replica settings # geo_replica_enabled = false -postgres_dns_registration_enabled = false +postgres_dns_registration_enabled = true diff --git a/src/domains/gps-common/env/weu-dev/terraform.tfvars b/src/domains/gps-common/env/weu-dev/terraform.tfvars index 62b3570190..9cdad9d9c4 100644 --- a/src/domains/gps-common/env/weu-dev/terraform.tfvars 
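Review bot: `redis_ecommerce_access_key` and `redis_ecommerce_hostname` are added without `content_type`, `expiration_date` or the `#tfsec:ignore:azure-keyvault-ensure-secret-expiry` annotation that the sibling secrets elsewhere in this repository carry (see the bizevents-common secret in this same series), so the tfsec checks will presumably flag them. The hostname is not a credential and could be documented as such; the access key is a long-lived storage of `module.pagopa_ecommerce_redis.primary_access_key`, so an expiration date is the cue to rotate it. At minimum add `content_type = "text/plain"` to both resources so they match the rest of the file, and decide explicitly between `expiration_date` and the ignore comment rather than leaving the check unaddressed.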
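Review bot: Flipping `postgres_dns_registration_enabled` to `true` in fdr-common dev (and `enable_private_dns_registration` in the gps-common and nodo-common dev hunks that follow) assumes the `*.internal.postgresql.pagopa.it` private zone already exists, and that zone is only created by next-core once `is_feature_enabled.postgres_private_dns` is applied there in this same series. The domains live in separate Terraform roots, so the apply order matters: next-core first, then the three domains. A one-line comment next to the flag, e.g. `# requires next-core is_feature_enabled.postgres_private_dns = true to be applied first`, would make that dependency visible.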
+++ b/src/domains/gps-common/env/weu-dev/terraform.tfvars @@ -67,7 +67,7 @@ pgres_flex_params = { pgbouncer_enabled = true alerts_enabled = false max_connections = 1000 - enable_private_dns_registration = false + enable_private_dns_registration = true } cidr_subnet_gps_cosmosdb = ["10.1.149.0/24"] diff --git a/src/domains/nodo-common/env/weu-dev/terraform.tfvars b/src/domains/nodo-common/env/weu-dev/terraform.tfvars index 04cf3f26c1..40e543e50e 100644 --- a/src/domains/nodo-common/env/weu-dev/terraform.tfvars +++ b/src/domains/nodo-common/env/weu-dev/terraform.tfvars @@ -52,7 +52,7 @@ pgres_flex_params = { pgres_flex_pgbouncer_enabled = true pgres_flex_diagnostic_settings_enabled = false max_connections = 1700 - enable_private_dns_registration = false + enable_private_dns_registration = true } sftp_account_replication_type = "LRS" diff --git a/src/next-core/01_network_dns_private.tf b/src/next-core/01_network_dns_private.tf index 7395228e31..31dee347aa 100644 --- a/src/next-core/01_network_dns_private.tf +++ b/src/next-core/01_network_dns_private.tf @@ -1,7 +1,7 @@ # db dns resource "azurerm_private_dns_zone" "private_db_dns_zone" { - count = var.postgres_private_dns_enabled ? 1 : 0 + count = var.is_feature_enabled.postgres_private_dns ? 1 : 0 name = "${var.env_short}.internal.postgresql.pagopa.it" resource_group_name = data.azurerm_resource_group.rg_vnet_core.name @@ -9,7 +9,7 @@ resource "azurerm_private_dns_zone" "private_db_dns_zone" { } resource "azurerm_private_dns_zone_virtual_network_link" "private_db_zone_to_core_vnet" { - count = var.postgres_private_dns_enabled ? 1 : 0 + count = var.is_feature_enabled.postgres_private_dns ? 1 : 0 name = data.azurerm_virtual_network.vnet_core.name resource_group_name = data.azurerm_resource_group.rg_vnet_core.name diff --git a/src/next-core/99_variables.tf b/src/next-core/99_variables.tf index 16f464bbb4..59ed2d6d3c 100644 --- a/src/next-core/99_variables.tf +++ b/src/next-core/99_variables.tf 
@@ -194,11 +194,6 @@ variable "geo_replica_ddos_protection_plan" { default = null } -variable "postgres_private_dns_enabled" { - type = bool - description = "(Optional) If true creates a private dns that can be used to access the postgres databases" - default = false -} variable "logos_donations_storage_account_replication_type" { @@ -648,7 +643,8 @@ variable "is_feature_enabled" { type = object({ vnet_ita = bool, container_app_tools_cae = optional(bool, false), - node_forwarder_ha_enabled = bool + node_forwarder_ha_enabled = bool, + postgres_private_dns = bool }) description = "Features enabled in this domain" } diff --git a/src/next-core/env/dev/terraform.tfvars b/src/next-core/env/dev/terraform.tfvars index 8419eef466..472fbe8af4 100644 --- a/src/next-core/env/dev/terraform.tfvars +++ b/src/next-core/env/dev/terraform.tfvars @@ -21,7 +21,8 @@ tags = { is_feature_enabled = { vnet_ita = true, container_app_tools_cae = true, - node_forwarder_ha_enabled = true + node_forwarder_ha_enabled = true, + postgres_private_dns = true } ### Network @@ -48,7 +49,6 @@ dns_forwarder_backup_is_enabled = false # replica settings # geo_replica_enabled = false -postgres_private_dns_enabled = false # diff --git a/src/next-core/env/prod/terraform.tfvars b/src/next-core/env/prod/terraform.tfvars index d033a22ddf..9ad221dd0a 100644 --- a/src/next-core/env/prod/terraform.tfvars +++ b/src/next-core/env/prod/terraform.tfvars @@ -21,7 +21,8 @@ tags = { is_feature_enabled = { vnet_ita = false, container_app_tools_cae = false, - node_forwarder_ha_enabled = false + node_forwarder_ha_enabled = false, + postgres_private_dns = true } # @@ -61,7 +62,6 @@ geo_replica_ddos_protection_plan = { enable = true } -postgres_private_dns_enabled = true enable_logos_backup = true logos_backup_retention = 30 diff --git a/src/next-core/env/uat/terraform.tfvars b/src/next-core/env/uat/terraform.tfvars index ba44121dc1..0ea030880e 100644 --- a/src/next-core/env/uat/terraform.tfvars 
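Review bot: `postgres_private_dns = bool` is added to `is_feature_enabled` as a required attribute, whereas the neighbouring `container_app_tools_cae = optional(bool, false)` shows the file's convention for new feature flags, and the variable being removed defaulted to `false`. Any environment or workspace that does not get this series will now fail validation instead of keeping the old default; `postgres_private_dns = optional(bool, false)` preserves it. The deletion also leaves a double blank line before `logos_donations_storage_account_replication_type`, which `terraform fmt` will not collapse.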
+++ b/src/next-core/env/uat/terraform.tfvars @@ -21,7 +21,8 @@ tags = { is_feature_enabled = { vnet_ita = false, container_app_tools_cae = true, - node_forwarder_ha_enabled = false + node_forwarder_ha_enabled = false, + postgres_private_dns = true } # @@ -53,7 +54,6 @@ dns_forwarder_vm_image_name = "pagopa-u-dns-forwarder-ubuntu2204-image-v4" # replica settings # geo_replica_enabled = false -postgres_private_dns_enabled = true # # apim v2 From 89ffb63e02d633b25a65ecae8de89d60cadf7c99 Mon Sep 17 00:00:00 2001 From: Giovanni Berti Date: Wed, 3 Apr 2024 14:39:02 +0200 Subject: [PATCH 6/6] [CHK-2650] feat(wallet): add storage account + queues for pagoPA wallet (#1875) Co-authored-by: Pietro Tota <115724836+pietro-tota@users.noreply.github.com> --- src/domains/wallet-common/00_alerts.tf | 27 +++ src/domains/wallet-common/01_network.tf | 4 + src/domains/wallet-common/03_storage.tf | 228 ++++++++++++++++++ src/domains/wallet-common/99_locals.tf | 3 + src/domains/wallet-common/99_variables.tf | 27 +++ src/domains/wallet-common/README.md | 15 ++ .../env/weu-dev/terraform.tfvars | 11 + .../env/weu-prod/terraform.tfvars | 11 + .../env/weu-uat/terraform.tfvars | 11 + 9 files changed, 337 insertions(+) create mode 100644 src/domains/wallet-common/00_alerts.tf create mode 100644 src/domains/wallet-common/03_storage.tf diff --git a/src/domains/wallet-common/00_alerts.tf b/src/domains/wallet-common/00_alerts.tf new file mode 100644 index 0000000000..00454345df --- /dev/null +++ b/src/domains/wallet-common/00_alerts.tf 
@@ -0,0 +1,27 @@ +resource "azurerm_resource_group" "rg_wallet_alerts" { + count = var.env_short == "p" ? 1 : 0 + name = "${local.project}-alerts-rg" + location = var.location + tags = var.tags +} + +data "azurerm_key_vault_secret" "monitor_wallet_opsgenie_webhook_key" { + count = var.env_short == "p" ? 1 : 0 + name = "wallet-opsgenie-webhook-token" + key_vault_id = module.key_vault.id +} + +resource "azurerm_monitor_action_group" "wallet_opsgenie" { + count = var.env_short == "p" ? 1 : 0 + name = "WalletAlerts" + resource_group_name = azurerm_resource_group.rg_wallet_alerts[0].name + short_name = "WalletAlerts" + + webhook_receiver { + name = "walletOpsgenieWebhook" + service_uri = "https://api.opsgenie.com/v1/json/azure?apiKey=${data.azurerm_key_vault_secret.monitor_wallet_opsgenie_webhook_key[0].value}" + use_common_alert_schema = true + } + + tags = var.tags +} diff --git a/src/domains/wallet-common/01_network.tf b/src/domains/wallet-common/01_network.tf index 4f7b43560b..06f1eabb67 100644 --- a/src/domains/wallet-common/01_network.tf +++ b/src/domains/wallet-common/01_network.tf @@ -36,3 +36,7 @@ data "azurerm_private_dns_zone" "privatelink_documents_azure_com" { resource_group_name = local.vnet_resource_group_name } +data "azurerm_private_dns_zone" "storage" { + name = local.storage_queue_dns_zone_name + resource_group_name = local.storage_dns_zone_resource_group_name +} diff --git a/src/domains/wallet-common/03_storage.tf b/src/domains/wallet-common/03_storage.tf new file mode 100644 index 0000000000..38fc916230 --- /dev/null +++ b/src/domains/wallet-common/03_storage.tf 
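Review bot: The Opsgenie API key is interpolated into `service_uri`, and that attribute of `azurerm_monitor_action_group` is not marked sensitive, so the full URL including the key is printed in `terraform plan`/`apply` output and in any CI log that captures it (the value also lands in state, which the Key Vault data source already implies). Wrapping the argument, `service_uri = sensitive("https://api.opsgenie.com/v1/json/azure?apiKey=${data.azurerm_key_vault_secret.monitor_wallet_opsgenie_webhook_key[0].value}")`, keeps it redacted in plan output; I believe the provider accepts a sensitive value here, worth confirming on first apply. A comment noting that the key travels as a query parameter would also help whoever later reviews Azure Monitor logs.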
@@ -0,0 +1,228 @@ +resource "azurerm_resource_group" "storage_wallet_rg" { + name = "${local.project}-storage-rg" + location = var.location + tags = var.tags +} + + +module "wallet_storage_snet" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v6.7.0" + + name = "${local.project}-storage-snet" + address_prefixes = var.cidr_subnet_storage_wallet + resource_group_name = local.vnet_resource_group_name + virtual_network_name = local.vnet_name + + private_endpoint_network_policies_enabled = true + + service_endpoints = [ + "Microsoft.Storage", + ] +} + + +resource "azurerm_private_endpoint" "storage_private_endpoint" { + count = var.env_short != "d" ? 1 : 0 + + name = "${local.project}-tr-storage-private-endpoint" + location = var.location + resource_group_name = azurerm_resource_group.storage_wallet_rg.name + subnet_id = module.wallet_storage_snet.id + private_dns_zone_group { + name = "${local.project}-storage-private-dns-zone-group" + private_dns_zone_ids = [data.azurerm_private_dns_zone.storage.id] + } + + private_service_connection { + name = "${local.project}-storage-private-service-connection" + private_connection_resource_id = module.wallet_storage.id + is_manual_connection = false + subresource_names = ["queue"] + } + + tags = var.tags +} + +module "wallet_storage" { + source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account?ref=v6.7.0" + + + name = replace("${local.project}-sa", "-", "") + account_kind = var.wallet_storage_params.kind + account_tier = var.wallet_storage_params.tier + account_replication_type = var.wallet_storage_params.account_replication_type + access_tier = "Hot" + blob_versioning_enabled = true + resource_group_name = azurerm_resource_group.storage_wallet_rg.name + location = var.location + advanced_threat_protection = var.wallet_storage_params.advanced_threat_protection + allow_nested_items_to_be_public = false + public_network_access_enabled = 
var.wallet_storage_params.public_network_access_enabled + + blob_delete_retention_days = var.wallet_storage_params.retention_days + + network_rules = var.env_short != "d" ? { + default_action = "Deny" + ip_rules = [] + virtual_network_subnet_ids = [module.wallet_storage_snet.id] + bypass = ["AzureServices"] + } : null + tags = var.tags +} + +resource "azurerm_storage_queue" "wallet_usage_update_queue" { + name = "${local.project}-usage-update-queue" + storage_account_name = module.wallet_storage.name +} + +//storage queue for blue deployment +resource "azurerm_storage_queue" "wallet_usage_update_queue_blue" { + count = var.env_short == "u" ? 1 : 0 + name = "${local.project}-usage-update-queue-b" + storage_account_name = module.wallet_storage.name +} + +# wallet queue alert diagnostic settings +resource "azurerm_monitor_diagnostic_setting" "wallet_queue_diagnostics" { + count = var.env_short == "p" ? 1 : 0 + name = "${module.wallet_storage.name}-diagnostics" + target_resource_id = "${module.wallet_storage.id}/queueServices/default/" + log_analytics_workspace_id = data.azurerm_log_analytics_workspace.log_analytics.id + + enabled_log { + category = "StorageWrite" + + retention_policy { + enabled = true + days = 3 + } + } + metric { + category = "Capacity" + enabled = false + + retention_policy { + days = 0 + enabled = false + } + } + metric { + category = "Transaction" + enabled = false + + retention_policy { + days = 0 + enabled = false + } + } + + + enabled_log { + category = "StorageDelete" + + retention_policy { + enabled = true + days = 3 + } + } +} + +locals { + queue_alert_props = var.env_short == "p" ? 
[ + { + "queue_key" = "usage-update-queue" + "severity" = 1 + "time_window" = 30 + "frequency" = 15 + "threshold" = 10 + }, + ] : [] +} + +# Queue size: wallet - wallet queues enqueues rate alert +resource "azurerm_monitor_scheduled_query_rules_alert" "wallet_enqueue_rate_alert" { + for_each = { for q in local.queue_alert_props : q.queue_key => q } + name = "${local.project}-${each.value.queue_key}-rate-alert" + resource_group_name = azurerm_resource_group.storage_wallet_rg.name + location = var.location + + action { + action_group = [data.azurerm_monitor_action_group.email.id, data.azurerm_monitor_action_group.slack.id, azurerm_monitor_action_group.wallet_opsgenie[0].id] + email_subject = "Email Header" + custom_webhook_payload = "{}" + } + data_source_id = module.wallet_storage.id + description = format("Enqueuing rate for queue %s > ${each.value.threshold} during last ${each.value.time_window} minutes", replace("${each.value.queue_key}", "-", " ")) + enabled = true + query = format(<<-QUERY + let OpCountForQueue = (operation: string, queueKey: string) { + StorageQueueLogs + | where OperationName == operation and ObjectKey startswith queueKey + | summarize count() + }; + let MessageRateForQueue = (queueKey: string) { + OpCountForQueue("PutMessage", queueKey) + | join kind=fullouter OpCountForQueue("DeleteMessage", queueKey) on count_ + | project name = queueKey, Count = count_ - count_1 + }; + MessageRateForQueue("%s") + | where Count > ${each.value.threshold} + QUERY + , "/${module.wallet_storage.name}/${local.project}-${each.value.queue_key}" + ) + severity = each.value.severity + frequency = each.value.frequency + time_window = each.value.time_window + trigger { + operator = "GreaterThan" + threshold = 0 + } +} + +locals { + storage_accounts_queue_message_count_alert_props = var.env_short == "p" ? 
[ + { + "storage_account_id" = "${module.wallet_storage.id}" + "storage_account_name" = "${module.wallet_storage.name}" + "severity" = 1 + "time_window" = "PT1H" + "frequency" = "PT15M" + "threshold" = 1000 + }, + ] : [] +} + +resource "azurerm_monitor_metric_alert" "queue_storage_account_average_message_count" { + for_each = { for q in local.storage_accounts_queue_message_count_alert_props : q.storage_account_id => q } + + action { + action_group_id = data.azurerm_monitor_action_group.email.id + } + + action { + action_group_id = data.azurerm_monitor_action_group.slack.id + } + + action { + action_group_id = azurerm_monitor_action_group.wallet_opsgenie[0].id + } + + name = "[${var.domain != null ? "${var.domain} | " : ""}${each.value.storage_account_name}] Queue message count average exceeds ${each.value.threshold}" + resource_group_name = azurerm_resource_group.storage_wallet_rg.name + scopes = ["${each.value.storage_account_id}/queueServices/default"] + description = "Queue message count average exceeds ${each.value.threshold} for the storage" + severity = each.value.severity + window_size = each.value.time_window + frequency = each.value.frequency + auto_mitigate = false + # Metric info + # https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported#microsoftclassicstoragestorageaccountsqueueservices + criteria { + metric_namespace = "Microsoft.Storage/storageAccounts/queueServices" + metric_name = "QueueMessageCount" + aggregation = "Average" + operator = "GreaterThan" + threshold = each.value.threshold + skip_metric_validation = false + } +} diff --git a/src/domains/wallet-common/99_locals.tf b/src/domains/wallet-common/99_locals.tf index 6a5e9d96ab..b5054a8813 100644 --- a/src/domains/wallet-common/99_locals.tf +++ b/src/domains/wallet-common/99_locals.tf 
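Review bot: The enqueue-rate alert in `wallet_enqueue_rate_alert` can never fire as written: `OpCountForQueue` returns a single `count_` row per side, and `join kind=fullouter ... on count_` matches rows by equal `count_` values, so whenever puts and deletes differ each side lands in its own row with a null partner and `count_ - count_1` is null, while when they are equal the result is 0 — neither exceeds the threshold. Computing both counts in one `summarize` with `countif` avoids the join entirely (rewrite below; the rest of the resource is unchanged). Two further points in this file: `var.wallet_storage_params.enabled` (declared in the 99_variables.tf hunk) is never referenced, so setting it to `false` still creates the account; and for `env_short == "d"` the private endpoint is skipped, `network_rules` is `null`, and the weu-dev tfvars sets `public_network_access_enabled = true`, so the dev account is reachable from any network with the key — if that is intended, a comment on the `network_rules` conditional should say so, otherwise keep `default_action = "Deny"` with the subnet rule in dev too.

```hcl
resource "azurerm_monitor_scheduled_query_rules_alert" "wallet_enqueue_rate_alert" {
  # … unchanged: for_each, name, resource_group_name, location, action, data_source_id, description, enabled …
  query = format(<<-QUERY
    let MessageRateForQueue = (queueKey: string) {
      StorageQueueLogs
      | where ObjectKey startswith queueKey
      | summarize Puts = countif(OperationName == "PutMessage"),
                  Deletes = countif(OperationName == "DeleteMessage")
      | project name = queueKey, Count = Puts - Deletes
    };
    MessageRateForQueue("%s")
    | where Count > ${each.value.threshold}
    QUERY
  , "/${module.wallet_storage.name}/${local.project}-${each.value.queue_key}"
  )
  # … unchanged: severity, frequency, time_window, trigger …
```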
@@ -28,6 +28,9 @@ locals { cosmos_dns_zone_name = "privatelink.mongo.cosmos.azure.com" cosmos_dns_zone_resource_group_name = "${local.product}-vnet-rg" + storage_queue_dns_zone_name = "privatelink.queue.core.windows.net" + storage_dns_zone_resource_group_name = "${local.product}-vnet-rg" + aks_subnet_name = "${var.prefix}-${var.env_short}-${var.location_short}-${var.env}-aks-snet" azdo_managed_identity_rg_name = "pagopa-${var.env_short}-identity-rg" diff --git a/src/domains/wallet-common/99_variables.tf b/src/domains/wallet-common/99_variables.tf index 86e990898a..fe82be465b 100644 --- a/src/domains/wallet-common/99_variables.tf +++ b/src/domains/wallet-common/99_variables.tf @@ -177,3 +177,30 @@ variable "redis_wallet_params" { zones = list(number) }) } + +variable "wallet_storage_params" { + type = object({ + enabled = bool, + kind = string, + tier = string, + account_replication_type = string, + advanced_threat_protection = bool, + retention_days = number, + public_network_access_enabled = bool, + }) + default = { + enabled = false, + kind = "StorageV2" + tier = "Standard", + account_replication_type = "LRS", + advanced_threat_protection = true, + retention_days = 7, + public_network_access_enabled = false, + } + description = "Azure storage DB params for pagoPA wallet resources." +} + +variable "cidr_subnet_storage_wallet" { + type = list(string) + description = "Azure storage DB address space for pagoPA wallet." +} diff --git a/src/domains/wallet-common/README.md b/src/domains/wallet-common/README.md index 0cf948fbfd..fd7a256d1d 100644 --- a/src/domains/wallet-common/README.md +++ b/src/domains/wallet-common/README.md 
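Review bot: The descriptions for `wallet_storage_params` and `cidr_subnet_storage_wallet` read "Azure storage DB params" / "Azure storage DB address space", but the resources they drive are a storage account and its queues, not a database, and the wording is copied into the generated README. Suggested text: `description = "Storage account parameters for the pagoPA wallet queues."` and `description = "Address space of the subnet used by the pagoPA wallet storage account."`. The object type also mixes comma-terminated and bare attribute lines inside `default`, which `terraform fmt` leaves as is but reads inconsistently.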
@@ -21,6 +21,8 @@ | [pagopa\_wallet\_redis](#module\_pagopa\_wallet\_redis) | git::https://github.com/pagopa/terraform-azurerm-v3.git//redis_cache | v7.72.1 | | [pagopa\_wallet\_redis\_snet](#module\_pagopa\_wallet\_redis\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v6.7.0 | | [wallet\_fe\_cdn](#module\_wallet\_fe\_cdn) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cdn | v6.15.2 | +| [wallet\_storage](#module\_wallet\_storage) | git::https://github.com/pagopa/terraform-azurerm-v3.git//storage_account | v6.7.0 | +| [wallet\_storage\_snet](#module\_wallet\_storage\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v6.7.0 | | [web\_test\_availability\_alert\_rules\_for\_api](#module\_web\_test\_availability\_alert\_rules\_for\_api) | git::https://github.com/pagopa/terraform-azurerm-v3.git//application_insights_web_test_preview | v6.20.2 | ## Resources 
@@ -49,13 +51,22 @@ | [azurerm_key_vault_secret.redis_wallet_password](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.wallet-jwt-signing-key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | | [azurerm_key_vault_secret.wallet-token-test-key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource | +| [azurerm_monitor_action_group.wallet_opsgenie](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_action_group) | resource | +| [azurerm_monitor_diagnostic_setting.wallet_queue_diagnostics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource | | [azurerm_monitor_metric_alert.cosmos_db_normalized_ru_exceeded](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource | +| [azurerm_monitor_metric_alert.queue_storage_account_average_message_count](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource | | [azurerm_monitor_metric_alert.redis_cache_used_memory_exceeded](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource | +| [azurerm_monitor_scheduled_query_rules_alert.wallet_enqueue_rate_alert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource | | [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource | +| [azurerm_private_endpoint.storage_private_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource | | 
[azurerm_resource_group.cosmosdb_wallet_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.redis_wallet_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_resource_group.rg_wallet_alerts](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_resource_group.storage_wallet_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | | [azurerm_resource_group.wallet_fe_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_storage_queue.wallet_usage_update_queue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_queue) | resource | +| [azurerm_storage_queue.wallet_usage_update_queue_blue](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_queue) | resource | | [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | | [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | | [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source | 
@@ -65,12 +76,14 @@ | [azuread_service_principal.iac_principal](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source | | [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source | | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | +| [azurerm_key_vault_secret.monitor_wallet_opsgenie_webhook_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source | | [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source | | [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | | [azurerm_monitor_action_group.slack](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source | | [azurerm_private_dns_zone.cosmos](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | | [azurerm_private_dns_zone.internal](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | | [azurerm_private_dns_zone.privatelink_documents_azure_com](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | +| [azurerm_private_dns_zone.storage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source | | [azurerm_resource_group.monitor_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | | 
[azurerm_resource_group.rg_vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | | [azurerm_subnet.aks_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | @@ -84,6 +97,7 @@ |------|-------------|------|---------|:--------:| | [cidr\_subnet\_cosmosdb\_wallet](#input\_cidr\_subnet\_cosmosdb\_wallet) | Cosmos DB address space for wallet. | `list(string)` | n/a | yes | | [cidr\_subnet\_redis\_wallet](#input\_cidr\_subnet\_redis\_wallet) | Redis DB address space for wallet. | `list(string)` | n/a | yes | +| [cidr\_subnet\_storage\_wallet](#input\_cidr\_subnet\_storage\_wallet) | Azure storage DB address space for pagoPA wallet. | `list(string)` | n/a | yes | | [cosmos\_mongo\_db\_params](#input\_cosmos\_mongo\_db\_params) | n/a |
object({
enabled = bool
capabilities = list(string)
offer_type = string
server_version = string
kind = string
consistency_policy = object({
consistency_level = string
max_interval_in_seconds = number
max_staleness_prefix = number
})
enable_free_tier = bool
main_geo_location_zone_redundant = bool
additional_geo_locations = list(object({
location = string
failover_priority = number
zone_redundant = bool
}))
private_endpoint_enabled = bool
public_network_access_enabled = bool
is_virtual_network_filter_enabled = bool
backup_continuous_enabled = bool
})
| n/a | yes | | [cosmos\_mongo\_db\_wallet\_params](#input\_cosmos\_mongo\_db\_wallet\_params) | n/a |
object({
enable_serverless = bool
enable_autoscaling = bool
throughput = number
max_throughput = number
})
| n/a | yes | | [dns\_default\_ttl\_sec](#input\_dns\_default\_ttl\_sec) | The DNS default TTL in seconds | `number` | `3600` | no | @@ -105,6 +119,7 @@ | [prefix](#input\_prefix) | n/a | `string` | n/a | yes | | [redis\_wallet\_params](#input\_redis\_wallet\_params) | n/a |
object({
capacity = number
sku_name = string
family = string
version = string
zones = list(number)
})
| n/a | yes | | [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no | +| [wallet\_storage\_params](#input\_wallet\_storage\_params) | Azure storage DB params for pagoPA wallet resources. |
object({
enabled = bool,
kind = string,
tier = string,
account_replication_type = string,
advanced_threat_protection = bool,
retention_days = number,
public_network_access_enabled = bool,
})
|
{
"account_replication_type": "LRS",
"advanced_threat_protection": true,
"enabled": false,
"kind": "StorageV2",
"public_network_access_enabled": false,
"retention_days": 7,
"tier": "Standard"
}
| no | ## Outputs diff --git a/src/domains/wallet-common/env/weu-dev/terraform.tfvars b/src/domains/wallet-common/env/weu-dev/terraform.tfvars index bcf2a3385f..1305f2acc1 100644 --- a/src/domains/wallet-common/env/weu-dev/terraform.tfvars +++ b/src/domains/wallet-common/env/weu-dev/terraform.tfvars @@ -58,6 +58,7 @@ cosmos_mongo_db_params = { cidr_subnet_cosmosdb_wallet = ["10.1.169.0/24"] cidr_subnet_redis_wallet = ["10.1.174.0/24"] +cidr_subnet_storage_wallet = ["10.1.175.0/24"] cosmos_mongo_db_wallet_params = { enable_serverless = true @@ -75,3 +76,13 @@ redis_wallet_params = { } enable_iac_pipeline = true + +wallet_storage_params = { + enabled = true + tier = "Standard" + kind = "StorageV2" + account_replication_type = "LRS", + advanced_threat_protection = true, + retention_days = 7, + public_network_access_enabled = true, +} \ No newline at end of file diff --git a/src/domains/wallet-common/env/weu-prod/terraform.tfvars b/src/domains/wallet-common/env/weu-prod/terraform.tfvars index d33ba1c4f7..202fa0487f 100644 --- a/src/domains/wallet-common/env/weu-prod/terraform.tfvars +++ b/src/domains/wallet-common/env/weu-prod/terraform.tfvars @@ -58,6 +58,7 @@ cosmos_mongo_db_params = { cidr_subnet_cosmosdb_wallet = ["10.1.169.0/24"] cidr_subnet_redis_wallet = ["10.1.174.0/24"] +cidr_subnet_storage_wallet = ["10.1.175.0/24"] cosmos_mongo_db_wallet_params = { enable_serverless = false @@ -75,3 +76,13 @@ redis_wallet_params = { } enable_iac_pipeline = true + +wallet_storage_params = { + enabled = true + tier = "Standard" + kind = "StorageV2" + account_replication_type = "GZRS", + advanced_threat_protection = true, + retention_days = 7, + public_network_access_enabled = false, +} diff --git a/src/domains/wallet-common/env/weu-uat/terraform.tfvars b/src/domains/wallet-common/env/weu-uat/terraform.tfvars index 077dc493a2..6ee05b12cf 100644 --- a/src/domains/wallet-common/env/weu-uat/terraform.tfvars +++ b/src/domains/wallet-common/env/weu-uat/terraform.tfvars 
@@ -58,6 +58,7 @@ cosmos_mongo_db_params = { cidr_subnet_cosmosdb_wallet = ["10.1.169.0/24"] cidr_subnet_redis_wallet = ["10.1.174.0/24"] +cidr_subnet_storage_wallet = ["10.1.175.0/24"] cosmos_mongo_db_wallet_params = { enable_serverless = false @@ -75,3 +76,13 @@ redis_wallet_params = { version = 6 zones = [] } + +wallet_storage_params = { + enabled = true + tier = "Standard" + kind = "StorageV2" + account_replication_type = "LRS", + advanced_threat_protection = true, + retention_days = 7, + public_network_access_enabled = false, +} \ No newline at end of file