feat: GEC analytical_storage_enabled + Sops to afm domain (#2440)

* add sops to afm domain£ * fix perms * add perm * add cosmos key and s3 sops * upg terraform-azurerm-v3 cosmos vers v8.51.0 * fix * fix * add ref analytical_storage_enabled-2-cosmos * Revert "fix" This reverts commit 07ed2ce. * Revert "Revert "fix"" This reverts commit d6a9538. * Revert "add ref analytical_storage_enabled-2-cosmos" This reverts commit 301555f. * Revert "fix" This reverts commit be1ca3c. * Revert "fix" This reverts commit 07ed2ce. * Revert "upg terraform-azurerm-v3 cosmos vers v8.51.0" This reverts commit 7a9945a. * fix * fix * fix --------- Co-authored-by: Andrea Ferracci <[email protected]> Co-authored-by: Pasquale Spica <[email protected]>
pagopa · Nov 18, 2024 · c1c8aa2 · c1c8aa2
1 parent 61313a3
commit c1c8aa2
Show file tree

Hide file tree

Showing 35 changed files with 770 additions and 44 deletions.
diff --git a/src/domains/afm-common/00_azuread.tf b/src/domains/afm-common/00_azuread.tf
@@ -13,4 +13,9 @@ data "azuread_group" "adgroup_externals" {
 
 data "azuread_group" "adgroup_security" {
   display_name = "${local.product}-adgroup-security"
-}
+}
+
+data "azuread_group" "adgroup_tpm" { // tpm
+  display_name = "${local.product}-adgroup-technical-project-managers"
+}
+
diff --git a/src/domains/afm-common/02_keyvault.tf b/src/domains/afm-common/02_keyvault.tf
@@ -39,7 +39,7 @@ resource "azurerm_key_vault_access_policy" "adgroup_developers_policy" {
   tenant_id = data.azurerm_client_config.current.tenant_id
   object_id = data.azuread_group.adgroup_developers.object_id
 
-  key_permissions     = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  key_permissions     = ["Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt", "GetRotationPolicy", "Purge", "Recover", "Restore"]
   secret_permissions  = ["Get", "List", "Set", "Delete", ]
   storage_permissions = []
   certificate_permissions = [
@@ -56,7 +56,24 @@ resource "azurerm_key_vault_access_policy" "adgroup_externals_policy" {
   tenant_id = data.azurerm_client_config.current.tenant_id
   object_id = data.azuread_group.adgroup_externals.object_id
 
-  key_permissions     = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  key_permissions     = ["Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt"]
+  secret_permissions  = ["Get", "List", "Set", "Delete", ]
+  storage_permissions = []
+  certificate_permissions = [
+    "Get", "List", "Update", "Create", "Import",
+    "Delete", "Restore", "Purge", "Recover"
+  ]
+}
+
+resource "azurerm_key_vault_access_policy" "adgroup_tpm_policy" {
+  count = var.env_short != "p" ? 1 : 0
+
+  key_vault_id = module.key_vault.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = data.azuread_group.adgroup_tpm.object_id
+
+  key_permissions     = ["Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt", "GetRotationPolicy", "Purge", "Recover", "Restore"]
   secret_permissions  = ["Get", "List", "Set", "Delete", ]
   storage_permissions = []
   certificate_permissions = [
@@ -123,3 +140,28 @@ resource "azurerm_key_vault_secret" "afm_calculator_subscription_key" {
   }
 }
 
+data "azurerm_key_vault" "kv_nodo" {
+  name                = "pagopa-${var.env_short}-nodo-kv"
+  resource_group_name = "pagopa-${var.env_short}-nodo-sec-rg"
+}
+
+data "azurerm_key_vault_secret" "db_cfg_password_read_ndp" {
+  name         = "db-cfg-password-read"
+  key_vault_id = data.azurerm_key_vault.kv_nodo.id
+}
+
+resource "azurerm_key_vault_secret" "db_cfg_password_read_ndp_du" {
+  name         = "db-cfg-password-read"
+  value        = data.azurerm_key_vault_secret.db_cfg_password_read_ndp.value
+  content_type = "text/plain"
+
+  key_vault_id = module.key_vault.id
+}
+
+resource "azurerm_key_vault_secret" "afm_fee_reporting_cosmos_pkey" {
+  name         = "afm-fee-reporting-${var.env_short}-cosmos-pkey"
+  value        = module.afm_marketplace_cosmosdb_account.primary_key
+  content_type = "text/plain"
+
+  key_vault_id = module.key_vault.id
+}
diff --git a/src/domains/afm-common/03_cosmosdb_afm.tf b/src/domains/afm-common/03_cosmosdb_afm.tf
@@ -18,52 +18,49 @@ module "afm_marketplace_cosmosdb_snet" {
     "Microsoft.Web",
     "Microsoft.AzureCosmosDB",
     "Microsoft.Storage",
+    "Microsoft.EventHub"
   ]
 }
 
 module "afm_marketplace_cosmosdb_account" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_account?ref=v6.7.0"
-
-  name     = "${local.project}-marketplace-cosmos-account"
-  location = var.location
-  domain   = var.domain
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_account?ref=add-analytical_storage_enabled-2-cosmos"
 
+  name                = "${local.project}-marketplace-cosmos-account"
+  location            = var.location
   resource_group_name = azurerm_resource_group.afm_rg.name
-  offer_type          = var.afm_marketplace_cosmos_db_params.offer_type
-  kind                = var.afm_marketplace_cosmos_db_params.kind
+  domain              = var.domain
+
+  offer_type                 = var.afm_marketplace_cosmos_db_params.offer_type
+  kind                       = var.afm_marketplace_cosmos_db_params.kind
+  capabilities               = var.afm_marketplace_cosmos_db_params.capabilities
+  enable_free_tier           = var.afm_marketplace_cosmos_db_params.enable_free_tier
+  analytical_storage_enabled = var.afm_marketplace_cosmos_db_params.analytical_storage_enabled
+
+  private_endpoint_sql_name            = "${local.project}-marketplace-cosmos-sql-endpoint" # forced after update module vers
+  private_service_connection_sql_name  = "${local.project}-marketplace-cosmos-sql-endpoint" # forced after update module vers
+
+  public_network_access_enabled      = var.afm_marketplace_cosmos_db_params.public_network_access_enabled
+  private_endpoint_enabled           = var.afm_marketplace_cosmos_db_params.private_endpoint_enabled
+  subnet_id                          = module.afm_marketplace_cosmosdb_snet.id
+  private_dns_zone_sql_ids           = [data.azurerm_private_dns_zone.cosmos.id]
+  is_virtual_network_filter_enabled  = var.afm_marketplace_cosmos_db_params.is_virtual_network_filter_enabled
+  allowed_virtual_network_subnet_ids = var.afm_marketplace_cosmos_db_params.public_network_access_enabled ? [] : [data.azurerm_subnet.aks_subnet.id, data.azurerm_subnet.apiconfig_subnet.id]
 
-  public_network_access_enabled    = var.afm_marketplace_cosmos_db_params.public_network_access_enabled
+  consistency_policy               = var.afm_marketplace_cosmos_db_params.consistency_policy
+  main_geo_location_location       = var.location
   main_geo_location_zone_redundant = var.afm_marketplace_cosmos_db_params.main_geo_location_zone_redundant
+  additional_geo_locations         = var.afm_marketplace_cosmos_db_params.additional_geo_locations
 
-  enable_free_tier          = var.afm_marketplace_cosmos_db_params.enable_free_tier
+  backup_continuous_enabled = var.afm_marketplace_cosmos_db_params.backup_continuous_enabled
   enable_automatic_failover = true
-
-  capabilities       = var.afm_marketplace_cosmos_db_params.capabilities
-  consistency_policy = var.afm_marketplace_cosmos_db_params.consistency_policy
-
-  main_geo_location_location = var.location
-  additional_geo_locations   = var.afm_marketplace_cosmos_db_params.additional_geo_locations
-  backup_continuous_enabled  = var.afm_marketplace_cosmos_db_params.backup_continuous_enabled
-
-  is_virtual_network_filter_enabled = var.afm_marketplace_cosmos_db_params.is_virtual_network_filter_enabled
-
-  ip_range = ""
-
-  # add data.azurerm_subnet.<my_service>.id
-  allowed_virtual_network_subnet_ids = var.afm_marketplace_cosmos_db_params.public_network_access_enabled ? [] : [data.azurerm_subnet.aks_subnet.id, data.azurerm_subnet.apiconfig_subnet.id]
-
-  # private endpoint
-  private_endpoint_name    = "${local.project}-marketplace-cosmos-sql-endpoint"
-  private_endpoint_enabled = var.afm_marketplace_cosmos_db_params.private_endpoint_enabled
-  subnet_id                = module.afm_marketplace_cosmosdb_snet.id
-  private_dns_zone_ids     = [data.azurerm_private_dns_zone.cosmos.id]
+  ip_range                  = ""
 
   tags = var.tags
 }
 
 # cosmosdb database for marketplace
 module "afm_marketplace_cosmosdb_database" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_database?ref=v6.7.0"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_database?ref=add-analytical_storage_enabled-2-cosmos"
 
   name                = "db"
   resource_group_name = azurerm_resource_group.afm_rg.name
@@ -79,99 +76,125 @@ locals {
       autoscale_settings = {
         max_throughput = 1000
       },
+      analytical_storage_ttl = -1,  # ingested_2_DL
+      partition_key_version  = null # 1,2
     },
     {
       name               = "archivedbundles",
       partition_key_path = "/idPsp",
       autoscale_settings = {
         max_throughput = 1000
       },
+      analytical_storage_ttl = null,
+      partition_key_version  = null
     },
     {
       name               = "cibundles",
       partition_key_path = "/ciFiscalCode",
       autoscale_settings = {
         max_throughput = 1000
       },
+      analytical_storage_ttl = -1,  # ingested_2_DL
+      partition_key_version  = null      
     },
     {
       name               = "archivedcibundles",
       partition_key_path = "/ciFiscalCode",
       autoscale_settings = {
         max_throughput = 1000
       },
+      analytical_storage_ttl = null,
+      partition_key_version  = null
     },
     {
       name               = "bundlerequests",
       partition_key_path = "/idPsp",
       autoscale_settings = {
         max_throughput = 1000
       },
+      analytical_storage_ttl = null,
+      partition_key_version  = null
     },
     {
       name               = "archivedbundlerequests",
       partition_key_path = "/idPsp",
       autoscale_settings = {
         max_throughput = 1000
       },
+      analytical_storage_ttl = null,
+      partition_key_version  = null
     },
     {
       name               = "bundleoffers",
       partition_key_path = "/ciFiscalCode",
       autoscale_settings = {
         max_throughput = 1000
       },
+      analytical_storage_ttl = null,
+      partition_key_version  = null
     },
     {
       name               = "archivedbundleoffers",
       partition_key_path = "/ciFiscalCode",
       autoscale_settings = {
         max_throughput = 1000
       },
+      analytical_storage_ttl = null,
+      partition_key_version  = null
     },
     {
       name               = "validbundles",
       partition_key_path = "/idPsp",
       autoscale_settings = {
         max_throughput = 1000
       },
+      analytical_storage_ttl = -1,
+      partition_key_version  = null # 1,2
     },
     {
       name               = "touchpoints",
       partition_key_path = "/name",
       autoscale_settings = {
         max_throughput = 1000
       },
+      analytical_storage_ttl = -1,  # ingested_2_DL
+      partition_key_version  = null
     },
     {
       name               = "paymenttypes",
       partition_key_path = "/name",
       autoscale_settings = {
         max_throughput = 1000
       },
+      analytical_storage_ttl = -1,  # ingested_2_DL
+      partition_key_version  = null
     },
     {
       name               = "cdis",
       partition_key_path = "/idPsp",
       autoscale_settings = {
         max_throughput = 1000
       },
+      analytical_storage_ttl = null,
+      partition_key_version  = null # 1,2
     }
   ]
 }
 
 # cosmosdb container for marketplace
 module "afm_marketplace_cosmosdb_containers" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=v6.7.0"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cosmosdb_sql_container?ref=add-analytical_storage_enabled-2-cosmos"
 
   for_each = { for c in local.afm_marketplace_cosmosdb_containers : c.name => c }
 
-  name                = each.value.name
-  resource_group_name = azurerm_resource_group.afm_rg.name
-  account_name        = module.afm_marketplace_cosmosdb_account.name
-  database_name       = module.afm_marketplace_cosmosdb_database.name
-  partition_key_path  = each.value.partition_key_path
-  throughput          = lookup(each.value, "throughput", null)
+  name                   = each.value.name
+  resource_group_name    = azurerm_resource_group.afm_rg.name
+  account_name           = module.afm_marketplace_cosmosdb_account.name
+  database_name          = module.afm_marketplace_cosmosdb_database.name
+  partition_key_path     = each.value.partition_key_path
+  throughput             = lookup(each.value, "throughput", null)
+  analytical_storage_ttl = each.value.analytical_storage_ttl
+  partition_key_version  = each.value.partition_key_version
 
   autoscale_settings = contains(var.afm_marketplace_cosmos_db_params.capabilities, "EnableServerless") ? null : lookup(each.value, "autoscale_settings", null)
 }
@@ -202,4 +225,4 @@ module "afm_marketplace_cosmosdb_containers" {
 #   depends_on = [
 #     module.afm_marketplace_cosmosdb_account
 #   ]
-# }
+# }
diff --git a/src/domains/afm-common/99_variables.tf b/src/domains/afm-common/99_variables.tf
@@ -122,6 +122,7 @@ variable "afm_marketplace_cosmos_db_params" {
     public_network_access_enabled     = bool
     is_virtual_network_filter_enabled = bool
     backup_continuous_enabled         = bool
+    analytical_storage_enabled        = bool
   })
 }
 

diff --git a/src/domains/afm-common/README.md b/src/domains/afm-common/README.md
@@ -27,13 +27,15 @@
 | [azurerm_key_vault_access_policy.ad_group_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.adgroup_developers_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.adgroup_externals_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.adgroup_tpm_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.azdevops_iac_legacy_policies](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.azdevops_iac_managed_identities](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.gha_iac_managed_identities](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_secret.afm_calculator_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.afm_marketplace_cosmos_pkey](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.afm_marketplace_subscription_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.ai_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_key_vault_secret.db_cfg_password_read_ndp_du](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_key_vault_secret.storage_connection_string](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource |
 | [azurerm_resource_group.afm_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
@@ -44,10 +46,13 @@
 | [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/2.38.0/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/2.38.0/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/2.38.0/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_tpm](https://registry.terraform.io/providers/hashicorp/azuread/2.38.0/docs/data-sources/group) | data source |
 | [azuread_service_principal.iac_deploy_legacy](https://registry.terraform.io/providers/hashicorp/azuread/2.38.0/docs/data-sources/service_principal) | data source |
 | [azuread_service_principal.iac_plan_legacy](https://registry.terraform.io/providers/hashicorp/azuread/2.38.0/docs/data-sources/service_principal) | data source |
 | [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_key_vault.kv_nodo](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
+| [azurerm_key_vault_secret.db_cfg_password_read_ndp](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
 | [azurerm_kubernetes_cluster.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster) | data source |
 | [azurerm_log_analytics_workspace.log_analytics](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
 | [azurerm_monitor_action_group.email](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/monitor_action_group) | data source |

diff --git a/src/domains/afm-common/env/weu-dev/terraform.tfvars b/src/domains/afm-common/env/weu-dev/terraform.tfvars
@@ -49,6 +49,7 @@ afm_marketplace_cosmos_db_params = {
 
   backup_continuous_enabled = false
 
+  analytical_storage_enabled = true
 }
 
 cidr_subnet_afm_marketplace_cosmosdb = ["10.1.151.0/24"]

diff --git a/src/domains/afm-common/env/weu-prod/terraform.tfvars b/src/domains/afm-common/env/weu-prod/terraform.tfvars
@@ -35,9 +35,9 @@ afm_marketplace_cosmos_db_params = {
   capabilities = []
   offer_type   = "Standard"
   consistency_policy = {
-    consistency_level       = "BoundedStaleness"
-    max_interval_in_seconds = 300
-    max_staleness_prefix    = 100000
+    consistency_level       = "Strong" # "BoundedStaleness"
+    max_interval_in_seconds = 5 # 300
+    max_staleness_prefix    = 100 # 100000
   }
   server_version                   = "4.0"
   main_geo_location_zone_redundant = true
@@ -56,6 +56,7 @@ afm_marketplace_cosmos_db_params = {
 
   backup_continuous_enabled = true
 
+  analytical_storage_enabled = true
 }
 
 cidr_subnet_afm_marketplace_cosmosdb = ["10.1.151.0/24"]

diff --git a/src/domains/afm-common/env/weu-uat/terraform.tfvars b/src/domains/afm-common/env/weu-uat/terraform.tfvars
@@ -51,6 +51,7 @@ afm_marketplace_cosmos_db_params = {
 
   backup_continuous_enabled = false
 
+  analytical_storage_enabled = true
 }
 
 cidr_subnet_afm_marketplace_cosmosdb = ["10.1.151.0/24"]
-Original file line number
+Diff line change
@@ Expand Up / @@ -49,6 +49,7 @@ afm_marketplace_cosmos_db_params = { @@
       backup_continuous_enabled = false
+      analytical_storage_enabled = true
     }
     cidr_subnet_afm_marketplace_cosmosdb = ["10.1.151.0/24"]
@@ Expand Down @@