feat: Apim migration (#2076)

* prepared apim import on next-core

* new apim migration

* integrated new apim in dev

* precommit

src/core/appgateway.tf

@@ -235,7 +235,7 @@ locals {
       protocol                    = "Https"
       host                        = trim(azurerm_dns_a_record.dns_a_api.fqdn, ".")
       port                        = 443
-      ip_addresses                = var.enabled_features.apim_v2 ? concat(module.apim.private_ip_addresses, data.azurerm_api_management.apim_v2[0].private_ip_addresses) : module.apim.private_ip_addresses
+      ip_addresses                = var.enabled_features.apim_v2 ? data.azurerm_api_management.apim_v2[0].private_ip_addresses : module.apim.private_ip_addresses
       fqdns                       = [azurerm_dns_a_record.dns_a_api.fqdn]
       probe                       = "/status-0123456789abcdef"
       probe_name                  = "probe-apim"
@@ -247,7 +247,7 @@ locals {
       protocol                    = "Https"
       host                        = trim(azurerm_dns_a_record.dns_a_portal.fqdn, ".")
       port                        = 443
-      ip_addresses                = var.enabled_features.apim_v2 ? concat(module.apim.private_ip_addresses, data.azurerm_api_management.apim_v2[0].private_ip_addresses) : module.apim.private_ip_addresses
+      ip_addresses                = var.enabled_features.apim_v2 ? data.azurerm_api_management.apim_v2[0].private_ip_addresses : module.apim.private_ip_addresses
       fqdns                       = [azurerm_dns_a_record.dns_a_portal.fqdn]
       probe                       = "/signin"
       probe_name                  = "probe-portal"
@@ -259,7 +259,7 @@ locals {
       protocol     = "Https"
       host         = trim(azurerm_dns_a_record.dns_a_management.fqdn, ".")
       port         = 443
-      ip_addresses = var.enabled_features.apim_v2 ? concat(module.apim.private_ip_addresses, data.azurerm_api_management.apim_v2[0].private_ip_addresses) : module.apim.private_ip_addresses
+      ip_addresses = var.enabled_features.apim_v2 ? data.azurerm_api_management.apim_v2[0].private_ip_addresses : module.apim.private_ip_addresses
       fqdns        = [azurerm_dns_a_record.dns_a_management.fqdn]
 
       probe                       = "/ServiceStatus"
@@ -286,7 +286,7 @@ locals {
       protocol                    = "Https"
       host                        = trim(var.upload_endpoint_enabled ? azurerm_dns_a_record.dns_a_upload[0].fqdn : "", ".")
       port                        = 443
-      ip_addresses                = var.enabled_features.apim_v2 ? concat(module.apim.private_ip_addresses, data.azurerm_api_management.apim_v2[0].private_ip_addresses) : module.apim.private_ip_addresses
+      ip_addresses                = var.enabled_features.apim_v2 ? data.azurerm_api_management.apim_v2[0].private_ip_addresses : module.apim.private_ip_addresses
       fqdns                       = var.upload_endpoint_enabled ? [azurerm_dns_a_record.dns_a_upload[0].fqdn] : []
       probe                       = "/status-0123456789abcdef"
       probe_name                  = "probe-apim"

src/next-core/03_apim.tf

@@ -1,4 +1,4 @@
-# APIM subnet
+# APIM v2 subnet
 module "apimv2_snet" {
   source               = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.50.0"
   name                 = "${local.project}-apimv2-snet"
@@ -817,3 +817,188 @@ resource "azurerm_api_management_redis_cache" "apimv2_external_cache_redis" {
   redis_cache_id    = module.redis[0].id
   cache_location    = var.location
 }
+
+
+#############################
+# apim v1 updated
+#############################
+data "azurerm_subnet" "apim_snet" {
+  name                 = "${local.product}-apim-snet"
+  resource_group_name  = data.azurerm_resource_group.rg_vnet.name
+  virtual_network_name = data.azurerm_virtual_network.vnet_integration.name
+}
+
+#TODO check names
+resource "azurerm_public_ip" "apim_pip" {
+  count               = var.is_feature_enabled.apim_core_import ? 1 : 0
+  name                = "${local.product}-apim-pip"
+  resource_group_name = data.azurerm_resource_group.rg_vnet_integration.name
+  location            = data.azurerm_resource_group.rg_vnet_integration.location
+  sku                 = "Standard"
+  domain_name_label   = "apim-${var.env_short}-pagopa"
+  allocation_method   = "Static"
+
+  zones = var.apim_v2_zones
+
+  tags = var.tags
+}
+
+
+resource "azurerm_network_security_group" "apim_snet_nsg" {
+  count               = var.is_feature_enabled.apim_core_import ? 1 : 0
+  name                = "${local.product}-apim-snet-nsg"
+  location            = var.location
+  resource_group_name = data.azurerm_resource_group.rg_vnet_integration.name
+}
+
+resource "azurerm_network_security_rule" "apim_snet_nsg_rules" {
+  count = var.is_feature_enabled.apim_core_import ? length(var.apim_v2_subnet_nsg_security_rules) : 0
+
+  network_security_group_name = azurerm_network_security_group.apim_snet_nsg[0].name
+  name                        = var.apim_v2_subnet_nsg_security_rules[count.index].name
+  resource_group_name         = data.azurerm_resource_group.rg_vnet_integration.name
+  priority                    = var.apim_v2_subnet_nsg_security_rules[count.index].priority
+  direction                   = var.apim_v2_subnet_nsg_security_rules[count.index].direction
+  access                      = var.apim_v2_subnet_nsg_security_rules[count.index].access
+  protocol                    = var.apim_v2_subnet_nsg_security_rules[count.index].protocol
+  source_port_range           = var.apim_v2_subnet_nsg_security_rules[count.index].source_port_range
+  destination_port_range      = var.apim_v2_subnet_nsg_security_rules[count.index].destination_port_range
+  source_address_prefix       = var.apim_v2_subnet_nsg_security_rules[count.index].source_address_prefix
+  destination_address_prefix  = var.apim_v2_subnet_nsg_security_rules[count.index].destination_address_prefix
+}
+
+resource "azurerm_subnet_network_security_group_association" "apim_snet_sg_association" {
+  count                     = var.is_feature_enabled.apim_core_import ? 1 : 0
+  subnet_id                 = data.azurerm_subnet.apim_subnet.id
+  network_security_group_id = azurerm_network_security_group.apim_snet_nsg[0].id
+}
+
+module "apim" {
+  count               = var.is_feature_enabled.apim_core_import ? 1 : 0
+  source              = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management?ref=v7.67.1"
+  subnet_id           = data.azurerm_subnet.apim_subnet.id
+  location            = data.azurerm_resource_group.rg_api.location
+  name                = "${local.product}-apim"
+  resource_group_name = data.azurerm_resource_group.rg_api.name
+  publisher_name      = var.apim_v2_publisher_name
+  publisher_email     = data.azurerm_key_vault_secret.apim_publisher_email.value
+  sku_name            = var.apim_v2_sku
+
+  public_ip_address_id = azurerm_public_ip.apim_pip[0].id
+
+  virtual_network_type = "Internal"
+
+  redis_cache_enabled     = var.redis_cache_enabled
+  redis_connection_string = var.redis_cache_enabled ? local.redis_connection_string : null
+  redis_cache_id          = var.redis_cache_enabled ? local.redis_cache_id : null
+
+  application_insights = {
+    enabled             = true
+    instrumentation_key = data.azurerm_application_insights.application_insights.instrumentation_key
+  }
+  zones = startswith(var.apim_v2_sku, "Premium") ? var.apim_v2_zones : null
+
+
+
+  # This enables the Username and Password Identity Provider
+  sign_up_enabled = false
+
+  lock_enable = false
+
+  xml_content = templatefile("./api/base_policy.tpl", {
+    portal-domain         = local.portal_domain
+    management-api-domain = local.management_domain
+    apim-name             = "${local.product}-apim"
+  })
+
+  autoscale = var.apim_v2_autoscale
+
+  alerts_enabled = var.apim_v2_alerts_enabled
+
+  action = [
+    {
+      action_group_id    = data.azurerm_monitor_action_group.slack.id
+      webhook_properties = null
+    },
+    {
+      action_group_id    = data.azurerm_monitor_action_group.email.id
+      webhook_properties = null
+    }
+  ]
+
+  # metrics docs
+  # https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-supported#microsoftapimanagementservice
+  metric_alerts = {
+    capacity = {
+      description   = "Apim used capacity is too high"
+      frequency     = "PT5M"
+      window_size   = "PT5M"
+      severity      = 1
+      auto_mitigate = true
+
+      criteria = [{
+        metric_namespace       = "Microsoft.ApiManagement/service"
+        metric_name            = "Capacity"
+        aggregation            = "Average"
+        operator               = "GreaterThan"
+        threshold              = 50
+        skip_metric_validation = false
+        dimension              = []
+      }]
+      dynamic_criteria = []
+    }
+
+    duration = {
+      description   = "Apim abnormal response time"
+      frequency     = "PT5M"
+      window_size   = "PT5M"
+      severity      = 2
+      auto_mitigate = true
+
+      criteria = []
+
+      dynamic_criteria = [{
+        metric_namespace         = "Microsoft.ApiManagement/service"
+        metric_name              = "Duration"
+        aggregation              = "Average"
+        operator                 = "GreaterThan"
+        alert_sensitivity        = "High"
+        evaluation_total_count   = 2
+        evaluation_failure_count = 2
+        skip_metric_validation   = false
+        ignore_data_before       = "2021-01-01T00:00:00Z" # sample data
+        dimension                = []
+      }]
+    }
+
+    requests_failed = {
+      description   = "Apim abnormal failed requests"
+      frequency     = "PT5M"
+      window_size   = "PT5M"
+      severity      = 2
+      auto_mitigate = true
+
+      criteria = []
+
+      dynamic_criteria = [{
+        metric_namespace         = "Microsoft.ApiManagement/service"
+        metric_name              = "Requests"
+        aggregation              = "Total"
+        operator                 = "GreaterThan"
+        alert_sensitivity        = "High"
+        evaluation_total_count   = 2
+        evaluation_failure_count = 2
+        skip_metric_validation   = false
+        ignore_data_before       = "2021-01-01T00:00:00Z" # sample data
+        dimension = [{
+          name     = "BackendResponseCode"
+          operator = "Include"
+          values   = ["5xx"]
+        }]
+      }]
+    }
+  }
+
+  tags = var.tags
+
+}

src/next-core/04_appgw_integration.tf

@@ -65,7 +65,7 @@ module "app_gw_integration" {
       protocol                    = "Https"
       host                        = "api.${var.dns_zone_prefix}.${var.external_domain}"
       port                        = 443
-      ip_addresses                = data.azurerm_api_management.apim.private_ip_addresses
+      ip_addresses                = var.is_feature_enabled.use_new_apim ? module.apimv2.private_ip_addresses : data.azurerm_api_management.apim.private_ip_addresses
       fqdns                       = ["api.${var.dns_zone_prefix}.${var.external_domain}."]
       probe                       = "/status-0123456789abcdef"
       probe_name                  = "probe-apim"

src/next-core/99_variables.tf

@@ -649,6 +649,8 @@ variable "is_feature_enabled" {
     dns_forwarder_lb          = optional(bool, false)
     postgres_private_dns      = bool
     azdoa                     = optional(bool, true)
+    apim_core_import          = optional(bool, false)
+    use_new_apim              = optional(bool, false)
     azdoa_extension           = optional(bool, false)
   })
   description = "Features enabled in this domain"

src/next-core/README.md

@@ -14,6 +14,7 @@
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_apim"></a> [apim](#module\_apim) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management | v7.67.1 |
 | <a name="module_apimv2"></a> [apimv2](#module\_apimv2) | git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management | v7.67.1 |
 | <a name="module_apimv2_snet"></a> [apimv2\_snet](#module\_apimv2\_snet) | git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet | v7.50.0 |
 | <a name="module_app_gw_integration"></a> [app\_gw\_integration](#module\_app\_gw\_integration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//app_gateway | v7.50.0 |
@@ -109,10 +110,13 @@
 | [azurerm_monitor_autoscale_setting.node_forwarder_app_service_autoscale](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_autoscale_setting) | resource |
 | [azurerm_monitor_metric_alert.app_service_over_cpu_usage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
 | [azurerm_monitor_metric_alert.app_service_over_mem_usage](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
+| [azurerm_network_security_group.apim_snet_nsg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource |
 | [azurerm_network_security_group.apimv2_snet_nsg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group) | resource |
+| [azurerm_network_security_rule.apim_snet_nsg_rules](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
 | [azurerm_network_security_rule.apimv2_snet_nsg_rules](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) | resource |
 | [azurerm_private_dns_zone.private_db_dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource |
 | [azurerm_private_dns_zone_virtual_network_link.private_db_zone_to_core_vnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link) | resource |
+| [azurerm_public_ip.apim_pip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
 | [azurerm_public_ip.apimv2_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
 | [azurerm_public_ip.integration_appgateway_public_ip](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/public_ip) | resource |
 | [azurerm_resource_group.azdo_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
@@ -127,6 +131,7 @@
 | [azurerm_storage_container.donation_logo8](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
 | [azurerm_storage_container.donation_logo9](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
 | [azurerm_subnet.tools_cae_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
+| [azurerm_subnet_network_security_group_association.apim_snet_sg_association](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association) | resource |
 | [azurerm_subnet_network_security_group_association.apim_stv2_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association) | resource |
 | [azurerm_subnet_route_table_association.rt_sia_for_apim_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) | resource |
 | [azurerm_subnet_route_table_association.rt_sia_for_appgw_integration](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_route_table_association) | resource |
@@ -185,6 +190,7 @@
 | [azurerm_route_table.rt_sia](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/route_table) | data source |
 | [azurerm_storage_account.fdr_flows_sa](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_account) | data source |
 | [azurerm_storage_container.fdr_rend_flow](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/storage_container) | data source |
+| [azurerm_subnet.apim_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.apim_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.eventhub_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.node_forwarder_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
@@ -272,7 +278,7 @@
 | <a name="input_integration_appgateway_private_ip"></a> [integration\_appgateway\_private\_ip](#input\_integration\_appgateway\_private\_ip) | Integration app gateway private ip | `string` | n/a | yes |
 | <a name="input_integration_appgateway_zones"></a> [integration\_appgateway\_zones](#input\_integration\_appgateway\_zones) | Integration app gateway private ip | `list(number)` | n/a | yes |
 | <a name="input_ip_nodo"></a> [ip\_nodo](#input\_ip\_nodo) | Nodo pagamenti ip | `string` | n/a | yes |
-| <a name="input_is_feature_enabled"></a> [is\_feature\_enabled](#input\_is\_feature\_enabled) | Features enabled in this domain | <pre>object({<br>    vnet_ita                  = bool,<br>    container_app_tools_cae   = optional(bool, false),<br>    node_forwarder_ha_enabled = bool<br>    vpn                       = optional(bool, false)<br>    dns_forwarder_lb          = optional(bool, false)<br>    postgres_private_dns      = bool<br>    azdoa                     = optional(bool, true)<br>    azdoa_extension           = optional(bool, false)<br>  })</pre> | n/a | yes |
+| <a name="input_is_feature_enabled"></a> [is\_feature\_enabled](#input\_is\_feature\_enabled) | Features enabled in this domain | <pre>object({<br>    vnet_ita                  = bool,<br>    container_app_tools_cae   = optional(bool, false),<br>    node_forwarder_ha_enabled = bool<br>    vpn                       = optional(bool, false)<br>    dns_forwarder_lb          = optional(bool, false)<br>    postgres_private_dns      = bool<br>    azdoa                     = optional(bool, true)<br>    apim_core_import          = optional(bool, false)<br>    use_new_apim              = optional(bool, false)<br>  })</pre> | n/a | yes |
 | <a name="input_lb_aks"></a> [lb\_aks](#input\_lb\_aks) | IP load balancer AKS Nexi/SIA | `string` | `"0.0.0.0"` | no |
 | <a name="input_location"></a> [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes |
 | <a name="input_location_ita"></a> [location\_ita](#input\_location\_ita) | Main location | `string` | `"italynorth"` | no |

src/next-core/env/dev/terraform.tfvars

@@ -23,8 +23,10 @@ is_feature_enabled = {
   container_app_tools_cae   = true,
   node_forwarder_ha_enabled = true,
   vpn                       = true,
-  dns_forwarder_lb          = true
-  postgres_private_dns      = true
+  dns_forwarder_lb          = true,
+  postgres_private_dns      = true,
+  apim_core_import          = false,
+  use_new_apim              = true
 }
 
 ### Network west europe

src/next-core/env/prod/terraform.tfvars

@@ -24,7 +24,9 @@ is_feature_enabled = {
   node_forwarder_ha_enabled = false,
   vpn                       = false,
   dns_forwarder_lb          = true,
-  postgres_private_dns      = true
+  postgres_private_dns      = true,
+  apim_core_import          = false
+
 }
 
 #

src/next-core/env/uat/terraform.tfvars

@@ -24,7 +24,9 @@ is_feature_enabled = {
   node_forwarder_ha_enabled = false,
   vpn                       = false,
   dns_forwarder_lb          = true,
-  postgres_private_dns      = true
+  postgres_private_dns      = true,
+  apim_core_import          = false
+
 }
 
 #