From 75ed7bc68e67508a3a20bf7b54d8539764b184fe Mon Sep 17 00:00:00 2001
From: gioelemella <128155546+gioelemella@users.noreply.github.com>
Date: Thu, 13 Feb 2025 08:14:49 +0100
Subject: [PATCH] fix: [PIDM-167] Added missing permissions for receipt GHA identity (#2788)

* [PIDM-167] added missing permissions for receipt gha identity
* fix
---------
Co-authored-by: pasqualespica
---
 .../receipts-common/10_github_identity.tf | 23 ++++++++++++++++++-
 .../env/weu-prod/terraform.tfvars | 2 +-
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/domains/receipts-common/10_github_identity.tf b/src/domains/receipts-common/10_github_identity.tf
index dbde5159c6..315d6a421d 100644
--- a/src/domains/receipts-common/10_github_identity.tf
+++ b/src/domains/receipts-common/10_github_identity.tf
@@ -7,6 +7,11 @@ data "azurerm_kubernetes_cluster" "aks" {
 resource_group_name = "${local.product}-${var.location_short}-${var.instance}-aks-rg"
 }
 
+data "azurerm_key_vault" "key_vault" {
+ name = "${local.product}-${var.domain}-kv"
+ resource_group_name = "${local.product}-${var.domain}-sec-rg"
+}
+
 # repos must be lower than 20 items
 locals {
 repos_01 = [
@@ -36,7 +41,7 @@ locals {
 # ],
 # "${local.product}-${var.location_short}-bizevents-rg" = [
 # "Contributor"
- # ],
+ # ],
 "${local.product}-${var.domain}-sec-rg" = [
 "Key Vault Reader"
 ],
@@ -71,6 +76,22 @@ module "identity_cd_01" {
 ]
 }
 
+
+resource "azurerm_key_vault_access_policy" "gha_iac_managed_identities" {
+ key_vault_id = data.azurerm_key_vault.key_vault.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = module.identity_cd_01.identity_principal_id
+
+ secret_permissions = ["Get", "List", "Set", ]
+
+ certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get"]
+ key_permissions = [
+ "Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt", "GetRotationPolicy"
+ ]
+
+ storage_permissions = []
+}
+
 resource "null_resource" "github_runner_app_permissions_to_namespace_cd_01" {
 triggers = {
 aks_id = data.azurerm_kubernetes_cluster.aks.id
diff --git a/src/domains/receipts-common/env/weu-prod/terraform.tfvars b/src/domains/receipts-common/env/weu-prod/terraform.tfvars
index e24dc689a3..503b6845d6 100644
--- a/src/domains/receipts-common/env/weu-prod/terraform.tfvars
+++ b/src/domains/receipts-common/env/weu-prod/terraform.tfvars
@@ -56,7 +56,7 @@ receipts_datastore_cosmos_db_params = {
 container_default_ttl = 315576000 # 10 year in second
- max_throughput = 20000
+ max_throughput = 40000 # increase before 20k
 max_throughput_alt = 2000
 }
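Review bot: The access policy granted to the CD identity in `resource "azurerm_key_vault_access_policy" "gha_iac_managed_identities"` goes well beyond what an IaC apply normally needs: `Purge` and `DeleteIssuers` on certificates and `Delete`, `Import`, `Encrypt` and `Decrypt` on keys mean a compromised pipeline run could permanently remove soft-deleted certificates or use the vault's keys to decrypt data, and the same identity already holds `Key Vault Reader` on the `-sec-rg` resource group in the earlier hunk's context. `secret_permissions = ["Get", "List", "Set", ]` is plausible for a pipeline that writes secrets, but the certificate and key lists should be trimmed to what a concrete workflow step performs, for example `certificate_permissions = ["Get", "List"]` and `key_permissions = ["Get", "List", "GetRotationPolicy"]`, with a comment above each list naming the step that requires any destructive permission that has to stay. `data.azurerm_client_config.current` is referenced but not defined in this file's hunks, so it is presumably declared elsewhere in the module; worth confirming. Since the vault itself is only read through `data "azurerm_key_vault"`, it is managed in another stack, and if that stack declares inline `access_policy` blocks on the vault the provider will fight this standalone resource on every apply (the azurerm docs describe the two approaches as not usable together), which is also worth checking before merge.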
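Review bot: The comment on the new `max_throughput = 40000 # increase before 20k` line does not say what it means ("before" reads like a typo for "from"), and doubling what is presumably the Cosmos DB autoscale ceiling in the prod tfvars is a cost and capacity change a later reader should be able to trace. Suggest `max_throughput = 40000 # raised from 20000; see <ticket or incident reference>` with the real reference filled in. This change is also unrelated to the PIDM-167 permission fix named in the commit title, so it deserves at least a line in the description explaining why it rides along.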