From 804399bae0c355661dc998dcfe5977dbd0a7f545 Mon Sep 17 00:00:00 2001
From: Pietro Tota <115724836+pietro-tota@users.noreply.github.com>
Date: Thu, 20 Feb 2025 14:37:44 +0100
Subject: [PATCH] feat: update cert mounter and tls checker to use wl identity (#2811)

* feat(payment-wallet): create workload identity

* feat(payment-wallet): create workload identity

* fix: pre-commit

* feat: update cert mounter and tls checker to use wl identity

---------

Co-authored-by: Simone infante <52280205+infantesimone@users.noreply.github.com>
---
 .../pay-wallet-app/05_aks_middleware_tools.tf | 30 ++++++++-----------
 src/domains/pay-wallet-app/README.md          |  2 +-
 2 files changed, 14 insertions(+), 18 deletions(-)

diff --git a/src/domains/pay-wallet-app/05_aks_middleware_tools.tf b/src/domains/pay-wallet-app/05_aks_middleware_tools.tf
index afc71f6170..78f2ba3bbe 100644
--- a/src/domains/pay-wallet-app/05_aks_middleware_tools.tf
+++ b/src/domains/pay-wallet-app/05_aks_middleware_tools.tf
@@ -16,25 +16,21 @@ module "tls_checker" {
 application_insights_action_group_ids = [data.azurerm_monitor_action_group.slack.id, data.azurerm_monitor_action_group.email.id]
 keyvault_name = data.azurerm_key_vault.kv.name
 keyvault_tenant_id = data.azurerm_client_config.current.tenant_id
+ workload_identity_enabled = true
+ workload_identity_service_account_name = module.workload_identity.workload_identity_service_account_name
+ workload_identity_client_id = module.workload_identity.workload_identity_client_id
 }
 
-resource "helm_release" "cert_mounter" {
- name = "cert-mounter-blueprint"
- repository = "https://pagopa.github.io/aks-helm-cert-mounter-blueprint"
- chart = "cert-mounter-blueprint"
- version = "1.0.4"
- namespace = var.domain
- timeout = 120
- force_update = true
-
- values = [
- templatefile("${path.root}/helm/cert-mounter.yaml.tpl", {
- NAMESPACE = var.domain,
- DOMAIN = var.domain
- CERTIFICATE_NAME = replace(local.payment_wallet_hostname, ".", "-"),
- ENV_SHORT = var.env_short,
- })
- ]
+module "cert_mounter" {
+ source = "./.terraform/modules/__v3__/cert_mounter"
+ namespace = var.domain
+ certificate_name = replace(local.payment_wallet_hostname, ".", "-")
+ kv_name = data.azurerm_key_vault.kv.name
+ tenant_id = data.azurerm_subscription.current.tenant_id
+ workload_identity_enabled = true
+ workload_identity_service_account_name = module.workload_identity.workload_identity_service_account_name
+ workload_identity_client_id = module.workload_identity.workload_identity_client_id
+ depends_on = [module.workload_identity]
 }
 
 resource "helm_release" "reloader" {
diff --git a/src/domains/pay-wallet-app/README.md b/src/domains/pay-wallet-app/README.md
index 75527880d7..5cf9cd99dc 100644
--- a/src/domains/pay-wallet-app/README.md
+++ b/src/domains/pay-wallet-app/README.md
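Review bot: Both `module "tls_checker"` and the new `module "cert_mounter"` are bound to the same `module.workload_identity` (same service account and client id), so whatever Key Vault permission that identity holds — it must at least read the certificate secret, private key included, for the mounter to work — is also available to the TLS-checker pod; if the checker only needs the public certificate, consider a dedicated identity or confirm the role assignment (not visible in this hunk) is scoped to that single certificate. The two blocks also derive the tenant from different data sources (`keyvault_tenant_id = data.azurerm_client_config.current.tenant_id` vs `tenant_id = data.azurerm_subscription.current.tenant_id`); they should resolve to the same value, but using one source, e.g. `tenant_id = data.azurerm_client_config.current.tenant_id`, avoids a silent split if the provider's subscription is ever changed. The removed `helm_release` pinned `version = "1.0.4"` of the chart; the replacement is a vendored local module, so verify it pins the chart and image versions it deploys rather than floating. Finally, `depends_on = [module.workload_identity]` is redundant because the three `module.workload_identity.*` references already establish the dependency, and an explicit `depends_on` on a module can defer its data-source reads to apply time and produce perpetual plan diffs.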
@@ -28,6 +28,7 @@
 | [apim\_payment\_wallet\_product](#module\_apim\_payment\_wallet\_product) | ./.terraform/modules/__v3__/api_management_product | n/a |
 | [apim\_wallet\_service\_notifications\_api\_v1](#module\_apim\_wallet\_service\_notifications\_api\_v1) | ./.terraform/modules/__v3__/api_management_api | n/a |
 | [apim\_webview\_payment\_wallet\_api\_v1](#module\_apim\_webview\_payment\_wallet\_api\_v1) | ./.terraform/modules/__v3__/api_management_api | n/a |
+| [cert\_mounter](#module\_cert\_mounter) | ./.terraform/modules/__v3__/cert_mounter | n/a |
 | [kubernetes\_service\_account](#module\_kubernetes\_service\_account) | ./.terraform/modules/__v3__/kubernetes_service_account | n/a |
 | [pod\_identity](#module\_pod\_identity) | ./.terraform/modules/__v3__/kubernetes_pod_identity | n/a |
 | [tls\_checker](#module\_tls\_checker) | ./.terraform/modules/__v3__/tls_checker | n/a |
@@ -61,7 +62,6 @@
 | [azurerm_key_vault_secret.aks_apiserver_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.azure_devops_sa_cacrt](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.azure_devops_sa_token](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
-| [helm_release.cert_mounter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_namespace.namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.namespace_system](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |