fix: [PIDM-167] Added missing permissions for receipt GHA identity (#…

…2788)

* [PIDM-167] added missing permissions for receipt gha identity

* fix

---------

Co-authored-by: pasqualespica <[email protected]>

src/domains/receipts-common/10_github_identity.tf

@@ -7,6 +7,11 @@ data "azurerm_kubernetes_cluster" "aks" {
   resource_group_name = "${local.product}-${var.location_short}-${var.instance}-aks-rg"
 }
 
+data "azurerm_key_vault" "key_vault" {
+  name                = "${local.product}-${var.domain}-kv"
+  resource_group_name = "${local.product}-${var.domain}-sec-rg"
+}
+
 # repos must be lower than 20 items
 locals {
   repos_01 = [
@@ -36,7 +41,7 @@ locals {
       # ],
       # "${local.product}-${var.location_short}-bizevents-rg" = [
       #   "Contributor"
-      # ],      
+      # ],
       "${local.product}-${var.domain}-sec-rg" = [
         "Key Vault Reader"
       ],
@@ -71,6 +76,22 @@ module "identity_cd_01" {
   ]
 }
 
+
+resource "azurerm_key_vault_access_policy" "gha_iac_managed_identities" {
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = module.identity_cd_01.identity_principal_id
+
+  secret_permissions = ["Get", "List", "Set", ]
+
+  certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get"]
+  key_permissions = [
+    "Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt", "GetRotationPolicy"
+  ]
+
+  storage_permissions = []
+}
+
 resource "null_resource" "github_runner_app_permissions_to_namespace_cd_01" {
   triggers = {
     aks_id               = data.azurerm_kubernetes_cluster.aks.id

src/domains/receipts-common/env/weu-prod/terraform.tfvars

@@ -56,7 +56,7 @@ receipts_datastore_cosmos_db_params = {
 
   container_default_ttl = 315576000 # 10 year in second
 
-  max_throughput     = 20000
+  max_throughput     = 40000 # increase before 20k
   max_throughput_alt = 2000
 }