[CES-741] Add roles to associate subnets with NAT Gateways to Infra i…

…dentities (#284)
pagopa · Feb 12, 2025 · 9673a34 · 9673a34
1 parent ef3e043
commit 9673a34
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 30 deletions.
diff --git a/.changeset/curly-donkeys-retire.md b/.changeset/curly-donkeys-retire.md
@@ -0,0 +1,5 @@
+---
+"azure_github_environment_bootstrap": patch
+---
+
+Add roles to associate NAT Gateways and subnets to GitHub App CD identity
diff --git a/infra/modules/azure_github_environment_bootstrap/README.md b/infra/modules/azure_github_environment_bootstrap/README.md
@@ -41,9 +41,11 @@
 | [azurerm_role_assignment.infra_cd_apim_service_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_cd_rg_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_cd_rg_ext_network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.infra_cd_rg_ext_network_dns_zone_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_cd_rg_kv_cert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_cd_rg_kv_crypto](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_cd_rg_kv_secr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.infra_cd_rg_nat_gw_network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_cd_rg_rbac_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_cd_rg_st_blob_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.infra_cd_rg_user_access_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
@@ -110,6 +112,7 @@
 | <a name="input_environment"></a> [environment](#input\_environment) | Values which are used to generate resource names and location short names. They are all mandatory except for domain, which should not be used only in the case of a resource used by multiple domains. | <pre>object({<br/>    prefix          = string<br/>    env_short       = string<br/>    location        = string<br/>    domain          = string<br/>    instance_number = string<br/>  })</pre> | n/a | yes |
 | <a name="input_github_private_runner"></a> [github\_private\_runner](#input\_github\_private\_runner) | n/a | <pre>object({<br/>    container_app_environment_id       = string<br/>    container_app_environment_location = string<br/>    polling_interval_in_seconds        = optional(number, 30)<br/>    min_instances                      = optional(number, 0)<br/>    max_instances                      = optional(number, 30)<br/>    labels                             = optional(list(string), [])<br/>    key_vault = object({<br/>      name                = string<br/>      resource_group_name = string<br/>      secret_name         = optional(string, "github-runner-pat")<br/>    })<br/>    cpu    = optional(number, 0.5)<br/>    memory = optional(string, "1Gi")<br/>  })</pre> | n/a | yes |
 | <a name="input_keyvault_common_ids"></a> [keyvault\_common\_ids](#input\_keyvault\_common\_ids) | Id of the KeyVault containing common secrets | `list(string)` | `[]` | no |
+| <a name="input_nat_gateway_resource_group_id"></a> [nat\_gateway\_resource\_group\_id](#input\_nat\_gateway\_resource\_group\_id) | Id of the resource group hosting NAT Gateways | `string` | n/a | yes |
 | <a name="input_opex_resource_group_id"></a> [opex\_resource\_group\_id](#input\_opex\_resource\_group\_id) | Id of the resource group containing Opex dashboards | `string` | n/a | yes |
 | <a name="input_pep_vnet_id"></a> [pep\_vnet\_id](#input\_pep\_vnet\_id) | ID of the VNet holding Private Endpoint-dedicated subnet | `string` | n/a | yes |
 | <a name="input_repository"></a> [repository](#input\_repository) | Information about this repository | <pre>object({<br/>    owner                    = optional(string, "pagopa")<br/>    name                     = string<br/>    description              = string<br/>    topics                   = list(string)<br/>    reviewers_teams          = list(string)<br/>    default_branch_name      = optional(string, "main")<br/>    infra_cd_policy_branches = optional(set(string), ["main"])<br/>    opex_cd_policy_branches  = optional(set(string), ["main"])<br/>    app_cd_policy_branches   = optional(set(string), ["main"])<br/>    infra_cd_policy_tags     = optional(set(string), [])<br/>    opex_cd_policy_tags      = optional(set(string), [])<br/>    app_cd_policy_tags       = optional(set(string), [])<br/>  })</pre> | n/a | yes |

diff --git a/infra/modules/azure_github_environment_bootstrap/id_infra_cd_iam.tf b/infra/modules/azure_github_environment_bootstrap/id_infra_cd_iam.tf
@@ -44,13 +44,28 @@ resource "azurerm_role_assignment" "infra_cd_vnet_network_contributor" {
 }
 
 # DNS Zone
-resource "azurerm_role_assignment" "infra_cd_rg_ext_network_contributor" {
+resource "azurerm_role_assignment" "infra_cd_rg_ext_network_dns_zone_contributor" {
   scope                = var.dns_zone_resource_group_id
   role_definition_name = "Private DNS Zone Contributor"
   principal_id         = azurerm_user_assigned_identity.infra_cd.principal_id
   description          = "Allow ${var.repository.name} Infra CD identity to manage DNS Zones at resource group level"
 }
 
+resource "azurerm_role_assignment" "infra_cd_rg_ext_network_contributor" {
+  scope                = var.dns_zone_resource_group_id
+  role_definition_name = "Network Contributor"
+  principal_id         = azurerm_user_assigned_identity.infra_cd.principal_id
+  description          = "Allow ${var.repository.name} Infra CD identity to associate DNS Zones and private endpoints at resource group level"
+}
+
+# NAT Gateway
+resource "azurerm_role_assignment" "infra_cd_rg_nat_gw_network_contributor" {
+  scope                = var.nat_gateway_resource_group_id
+  role_definition_name = "Network Contributor"
+  principal_id         = azurerm_user_assigned_identity.infra_cd.principal_id
+  description          = "Allow ${var.repository.name} Infra CD identity to associate NAT Gateways to subnets"
+}
+
 # Api Management
 resource "azurerm_role_assignment" "infra_cd_apim_service_contributor" {
   count = local.has_apim

diff --git a/infra/modules/azure_github_environment_bootstrap/tests/mono_repo.tftest.hcl b/infra/modules/azure_github_environment_bootstrap/tests/mono_repo.tftest.hcl
@@ -63,9 +63,10 @@ run "validate_github_repository" {
       }
     }
 
-    pep_vnet_id                = run.setup_tests.pep_vnet_id
-    dns_zone_resource_group_id = run.setup_tests.dns_zone_resource_group_id
-    opex_resource_group_id     = run.setup_tests.opex_resource_group_id
+    pep_vnet_id                   = run.setup_tests.pep_vnet_id
+    dns_zone_resource_group_id    = run.setup_tests.dns_zone_resource_group_id
+    opex_resource_group_id        = run.setup_tests.opex_resource_group_id
+    nat_gateway_resource_group_id = run.setup_tests.dns_zone_resource_group_id
 
     tags = run.setup_tests.tags
   }
@@ -156,9 +157,10 @@ run "validate_github_branch_protection" {
       }
     }
 
-    pep_vnet_id                = run.setup_tests.pep_vnet_id
-    dns_zone_resource_group_id = run.setup_tests.dns_zone_resource_group_id
-    opex_resource_group_id     = run.setup_tests.opex_resource_group_id
+    pep_vnet_id                   = run.setup_tests.pep_vnet_id
+    dns_zone_resource_group_id    = run.setup_tests.dns_zone_resource_group_id
+    opex_resource_group_id        = run.setup_tests.opex_resource_group_id
+    nat_gateway_resource_group_id = run.setup_tests.dns_zone_resource_group_id
 
     tags = run.setup_tests.tags
   }
@@ -180,7 +182,7 @@ run "validate_github_branch_protection" {
 }
 
 run "validate_github_default_branch_override" {
-    command = plan
+  command = plan
 
   plan_options {
     target = [
@@ -213,10 +215,10 @@ run "validate_github_default_branch_override" {
     }
 
     repository = {
-      name               = run.setup_tests.repository.name
-      description        = run.setup_tests.repository.description
-      topics             = run.setup_tests.repository.topics
-      reviewers_teams    = run.setup_tests.repository.reviewers_teams
+      name                = run.setup_tests.repository.name
+      description         = run.setup_tests.repository.description
+      topics              = run.setup_tests.repository.topics
+      reviewers_teams     = run.setup_tests.repository.reviewers_teams
       default_branch_name = "master"
     }
 
@@ -229,9 +231,10 @@ run "validate_github_default_branch_override" {
       }
     }
 
-    pep_vnet_id                = run.setup_tests.pep_vnet_id
-    dns_zone_resource_group_id = run.setup_tests.dns_zone_resource_group_id
-    opex_resource_group_id     = run.setup_tests.opex_resource_group_id
+    pep_vnet_id                   = run.setup_tests.pep_vnet_id
+    dns_zone_resource_group_id    = run.setup_tests.dns_zone_resource_group_id
+    opex_resource_group_id        = run.setup_tests.opex_resource_group_id
+    nat_gateway_resource_group_id = run.setup_tests.dns_zone_resource_group_id
 
     tags = run.setup_tests.tags
   }
@@ -296,9 +299,10 @@ run "validate_github_id_app" {
       }
     }
 
-    pep_vnet_id                = run.setup_tests.pep_vnet_id
-    dns_zone_resource_group_id = run.setup_tests.dns_zone_resource_group_id
-    opex_resource_group_id     = run.setup_tests.opex_resource_group_id
+    pep_vnet_id                   = run.setup_tests.pep_vnet_id
+    dns_zone_resource_group_id    = run.setup_tests.dns_zone_resource_group_id
+    opex_resource_group_id        = run.setup_tests.opex_resource_group_id
+    nat_gateway_resource_group_id = run.setup_tests.dns_zone_resource_group_id
 
     tags = run.setup_tests.tags
   }
@@ -363,7 +367,9 @@ run "validate_github_id_infra" {
       azurerm_role_assignment.infra_cd_rg_kv_crypto,
       azurerm_role_assignment.infra_cd_rg_st_blob_contributor,
       azurerm_role_assignment.infra_ci_rg_st_queue_contributor,
+      azurerm_role_assignment.infra_cd_rg_ext_network_dns_zone_contributor,
       azurerm_role_assignment.infra_cd_rg_ext_network_contributor,
+      azurerm_role_assignment.infra_cd_rg_nat_gw_network_contributor,
       azurerm_key_vault_access_policy.infra_cd_kv_common,
     ]
   }
@@ -409,9 +415,10 @@ run "validate_github_id_infra" {
       }
     }
 
-    pep_vnet_id                = run.setup_tests.pep_vnet_id
-    dns_zone_resource_group_id = run.setup_tests.dns_zone_resource_group_id
-    opex_resource_group_id     = run.setup_tests.opex_resource_group_id
+    pep_vnet_id                   = run.setup_tests.pep_vnet_id
+    dns_zone_resource_group_id    = run.setup_tests.dns_zone_resource_group_id
+    opex_resource_group_id        = run.setup_tests.opex_resource_group_id
+    nat_gateway_resource_group_id = run.setup_tests.dns_zone_resource_group_id
 
     tags = run.setup_tests.tags
   }
@@ -562,10 +569,20 @@ run "validate_github_id_infra" {
   }
 
   assert {
-    condition     = azurerm_role_assignment.infra_cd_rg_ext_network_contributor != null
+    condition     = azurerm_role_assignment.infra_cd_rg_ext_network_dns_zone_contributor != null
     error_message = "The Infra CD managed identity can't apply changes to DNS zone configurations at resource group scope"
   }
 
+  assert {
+    condition     = azurerm_role_assignment.infra_cd_rg_ext_network_contributor != null
+    error_message = "The Infra CD managed identity can't associate DNS zone and private endpoints at resource group scope"
+  }
+
+  assert {
+    condition     = azurerm_role_assignment.infra_cd_rg_nat_gw_network_contributor != null
+    error_message = "The Infra CD managed identity can't associate NAT Gateways with subnets at resource group scope"
+  }
+
   assert {
     condition     = length(azurerm_key_vault_access_policy.infra_cd_kv_common) == 0
     error_message = "The Infra CD managed identity is not allowed to write to common Key Vaults"
@@ -627,9 +644,10 @@ run "validate_rbac_entraid" {
       }
     }
 
-    pep_vnet_id                = run.setup_tests.pep_vnet_id
-    dns_zone_resource_group_id = run.setup_tests.dns_zone_resource_group_id
-    opex_resource_group_id     = run.setup_tests.opex_resource_group_id
+    pep_vnet_id                   = run.setup_tests.pep_vnet_id
+    dns_zone_resource_group_id    = run.setup_tests.dns_zone_resource_group_id
+    opex_resource_group_id        = run.setup_tests.opex_resource_group_id
+    nat_gateway_resource_group_id = run.setup_tests.dns_zone_resource_group_id
 
     tags = run.setup_tests.tags
   }
@@ -710,9 +728,10 @@ run "validate_github_id_opex" {
       }
     }
 
-    pep_vnet_id                = run.setup_tests.pep_vnet_id
-    dns_zone_resource_group_id = run.setup_tests.dns_zone_resource_group_id
-    opex_resource_group_id     = run.setup_tests.opex_resource_group_id
+    pep_vnet_id                   = run.setup_tests.pep_vnet_id
+    dns_zone_resource_group_id    = run.setup_tests.dns_zone_resource_group_id
+    opex_resource_group_id        = run.setup_tests.opex_resource_group_id
+    nat_gateway_resource_group_id = run.setup_tests.dns_zone_resource_group_id
 
     tags = run.setup_tests.tags
   }

diff --git a/infra/modules/azure_github_environment_bootstrap/tests/setup/README.md b/infra/modules/azure_github_environment_bootstrap/tests/setup/README.md
@@ -6,7 +6,7 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~>2 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.100.0, < 5.0 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~>4 |
 | <a name="requirement_github"></a> [github](#requirement\_github) | ~>6 |
 
 ## Modules

diff --git a/infra/modules/azure_github_environment_bootstrap/tests/setup/main.tf b/infra/modules/azure_github_environment_bootstrap/tests/setup/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = ">= 3.100.0, < 5.0"
+      version = "~>4"
     }
 
     azuread = {

diff --git a/infra/modules/azure_github_environment_bootstrap/variables.tf b/infra/modules/azure_github_environment_bootstrap/variables.tf
@@ -50,6 +50,11 @@ variable "dns_zone_resource_group_id" {
   description = "Id of the resource group holding public DNS zone"
 }
 
+variable "nat_gateway_resource_group_id" {
+  type        = string
+  description = "Id of the resource group hosting NAT Gateways"
+}
+
 variable "opex_resource_group_id" {
   type        = string
   description = "Id of the resource group containing Opex dashboards"