feat: [PPANTT-216] configured gps domain for workload identity

src/domains/gps-app/02_namespace.tf

@@ -19,6 +19,23 @@ module "pod_identity" {
   secret_permissions = ["Get"]
 }
 
+# WL-IDENTITY
+# https://pagopa.atlassian.net/wiki/spaces/DEVOPS/pages/1227751458/Migrazione+pod+Identity+vs+workload+Identity#Init-workload-identity
+module "workload_identity" {
+  source = "./.terraform/modules/__v3__/kubernetes_workload_identity_configuration"
+
+  workload_identity_name_prefix         = var.domain
+  workload_identity_resource_group_name = data.azurerm_kubernetes_cluster.aks.resource_group_name
+  aks_name                              = data.azurerm_kubernetes_cluster.aks.name
+  aks_resource_group_name               = data.azurerm_kubernetes_cluster.aks.resource_group_name
+  namespace                             = var.domain
+
+  key_vault_id                      = data.azurerm_key_vault.kv.id
+  key_vault_certificate_permissions = ["Get"]
+  key_vault_key_permissions         = ["Get"]
+  key_vault_secret_permissions      = ["Get"]
+}
+
 resource "kubernetes_pod_disruption_budget_v1" "gps" {
 
   for_each = var.pod_disruption_budgets

src/domains/gps-app/06_aks_middleware_tools.tf

@@ -1,54 +1,53 @@
+# WL-IDENTITY
+# https://pagopa.atlassian.net/wiki/spaces/DEVOPS/pages/1227751458/Migrazione+pod+Identity+vs+workload+Identity#%F0%9F%94%AE-tls-cheker
 module "tls_checker" {
   source = "./.terraform/modules/__v3__/tls_checker"
 
-  https_endpoint                                            = local.gps_hostname
-  alert_name                                                = local.gps_hostname
-  alert_enabled                                             = true
-  helm_chart_present                                        = true
-  helm_chart_version                                        = var.tls_cert_check_helm.chart_version
-  namespace                                                 = kubernetes_namespace.namespace.metadata[0].name
-  helm_chart_image_name                                     = var.tls_cert_check_helm.image_name
-  helm_chart_image_tag                                      = var.tls_cert_check_helm.image_tag
-  location_string                                           = var.location_string
-  application_insights_resource_group                       = data.azurerm_resource_group.monitor_rg.name
-  application_insights_id                                   = data.azurerm_application_insights.application_insights.id
-  application_insights_action_group_ids                     = [data.azurerm_monitor_action_group.slack.id, data.azurerm_monitor_action_group.email.id]
-  keyvault_name                                             = data.azurerm_key_vault.gps_kv.name
-  keyvault_tenant_id                                        = data.azurerm_key_vault.gps_kv.tenant_id
+  https_endpoint = local.gps_hostname
+  alert_name = local.gps_hostname
+  alert_enabled = true
+  helm_chart_present = true
+  namespace = kubernetes_namespace.namespace.metadata[0].name
+  location_string = var.location_string
   kv_secret_name_for_application_insights_connection_string = "ai-${var.env_short}-connection-string"
+  application_insights_resource_group = data.azurerm_resource_group.monitor_rg.name
+  application_insights_id = data.azurerm_application_insights.application_insights.id
+  application_insights_action_group_ids = [data.azurerm_monitor_action_group.slack.id, data.azurerm_monitor_action_group.email.id]
+  keyvault_name = data.azurerm_key_vault.kv.name
+  keyvault_tenant_id = data.azurerm_client_config.current.tenant_id
+
+  workload_identity_enabled = true
+  workload_identity_service_account_name = module.workload_identity.workload_identity_service_account_name
+  workload_identity_client_id = module.workload_identity.workload_identity_client_id
+
+  depends_on = [module.workload_identity]
 }
 
-resource "helm_release" "cert_mounter" {
-  name         = "cert-mounter-blueprint"
-  repository   = "https://pagopa.github.io/aks-helm-cert-mounter-blueprint"
-  chart        = "cert-mounter-blueprint"
-  version      = "1.0.4"
-  namespace    = var.domain
-  timeout      = 120
-  force_update = true
-
-  values = [
-    "${
-      templatefile("${path.root}/helm/cert-mounter.yaml.tpl", {
-        NAMESPACE        = var.domain,
-        DOMAIN           = var.domain
-        CERTIFICATE_NAME = replace(local.gps_hostname, ".", "-"),
-        ENV_SHORT        = var.env_short,
-      })
-    }"
-  ]
+
+# WL-IDENTITY
+# https://pagopa.atlassian.net/wiki/spaces/DEVOPS/pages/1227751458/Migrazione+pod+Identity+vs+workload+Identity#%3Acertificate%3A-cert-mounter
+module "cert_mounter" {
+  source = "./.terraform/modules/__v3__/cert_mounter"
+
+  namespace = var.domain
+  certificate_name = replace(local.gps_hostname, ".", "-")
+  kv_name = data.azurerm_key_vault.kv.name
+  tenant_id = data.azurerm_subscription.current.tenant_id
+
+  workload_identity_enabled = true
+  workload_identity_service_account_name = module.workload_identity.workload_identity_service_account_name
+  workload_identity_client_id = module.workload_identity.workload_identity_client_id
+
+  depends_on = [module.workload_identity]
 }
 
 resource "helm_release" "reloader" {
   name       = "reloader"
   repository = "https://stakater.github.io/stakater-charts"
   chart      = "reloader"
-  version    = "v1.0.48"
+  version    = "v1.0.69"
   namespace  = kubernetes_namespace.namespace.metadata[0].name
 
-  # enabled it if you remove accidentally reloader
-  # force_update = true
-
   set {
     name  = "reloader.watchGlobally"
     value = "false"

src/domains/gps-app/99_main.tf

@@ -6,23 +6,23 @@ terraform {
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "<= 2.21.0"
+      version = "<= 3.0.2"
     }
     azurerm = {
       source  = "hashicorp/azurerm"
       version = "<= 3.116.0"
     }
     helm = {
       source  = "hashicorp/helm"
-      version = "<= 2.12.1"
+      version = "<= 2.16.0"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = "<= 2.11.0"
+      version = "<= 2.30.0"
     }
     null = {
       source  = "hashicorp/null"
-      version = "<= 3.2.1"
+      version = "<= 3.2.3"
     }
 
     kubectl = {

src/domains/gps-common/10_github_identity.tf

@@ -114,3 +114,13 @@ resource "null_resource" "github_runner_app_permissions_to_namespace_cd_01" {
     module.identity_cd_01
   ]
 }
+
+# WL-IDENTITY
+# https://pagopa.atlassian.net/wiki/spaces/DEVOPS/pages/1227751458/Migrazione+pod+Identity+vs+workload+Identity#Init-workload-identity
+module "workload_identity" {
+  source = "./.terraform/modules/__v3__/kubernetes_workload_identity_init"
+
+  workload_identity_name_prefix         = var.domain
+  workload_identity_resource_group_name = data.azurerm_kubernetes_cluster.aks.resource_group_name
+  workload_identity_location            = var.location
+}

src/domains/gps-common/99_main.tf

@@ -6,7 +6,7 @@ terraform {
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "<= 2.47.0"
+      version = "<= 3.0.2"
     }
     azurerm = {
       source  = "hashicorp/azurerm"