ops: infrastructure azure functions for onboarding (#51)

* infra onboarding functions

* app settings

* workflow deploy functions

* remove properties for deploy

* env azure functions

* set env azure functions to workflow

* fix secrets.AZURE_CLIENT_ID_CD

* fix deploy step

* install dependencies

* fix env github uat subscription

* set app name on building

* fix env mail

* upgrade azurerm 3.71

* upgrade terraform-azurerm 7.28

* remove unsued steps

.functions/onboarding-functions/env/dev/backend.ini

@@ -0,0 +1 @@
+subscription=DEV-SelfCare

.functions/onboarding-functions/env/dev/backend.tfvars

@@ -0,0 +1,4 @@
+resource_group_name  = "terraform-state-rg"
+storage_account_name = "tfappdevselfcare"
+container_name       = "terraform-state"
+key                  = "onboarding-fn.tfstate"

.functions/onboarding-functions/env/dev/terraform.tfvars

@@ -0,0 +1,54 @@
+prefix    = "selc"
+env_short = "d"
+location  = "westeurope"
+
+tags = {
+  CreatedBy   = "Terraform"
+  Environment = "Dev"
+  Owner       = "SelfCare"
+  Source      = "https://github.com/pagopa/selfcare-onboarding"
+  CostCenter  = "TS310 - PAGAMENTI & SERVIZI"
+}
+
+key_vault = {
+  resource_group_name = "selc-d-sec-rg"
+  name                = "selc-d-kv"
+}
+
+
+cidr_subnet_selc_onboarding_fn        = ["10.1.144.0/24"]
+
+function_always_on = false
+
+app_service_plan_info = {
+  kind                         = "Linux"
+  sku_size                     = "P1v3"
+  sku_tier                     = "PremiumV3"
+  maximum_elastic_worker_count = 1
+  worker_count                 = 1
+  zone_balancing_enabled       = false
+}
+
+storage_account_info = {
+  account_kind                      = "StorageV2"
+  account_tier                      = "Standard"
+  account_replication_type          = "LRS"
+  access_tier                       = "Hot"
+  advanced_threat_protection_enable = false
+}
+
+app_settings = {
+  "USER_REGISTRY_URL" = "https://api.uat.pdv.pagopa.it/user-registry/v1",
+  "MONGODB_CONNECTION_URI" = "@Microsoft.KeyVault(SecretUri=https://selc-d-kv.vault.azure.net/secrets/mongodb-connection-string/)",
+  "USER_REGISTRY_API_KEY" = "@Microsoft.KeyVault(SecretUri=https://selc-d-kv.vault.azure.net/secrets/user-registry-api-key/)",
+  "BLOB_STORAGE_CONN_STRING_PRODUCT" = "@Microsoft.KeyVault(SecretUri=https://selc-d-kv.vault.azure.net/secrets/blob-storage-product-connection-string/)",
+  "STORAGE_CONTAINER_CONTRACT" = "selc-d-contracts-blob",
+  "STORAGE_CONTAINER_PRODUCT" = "selc-d-product",
+  "BLOB_STORAGE_CONN_STRING_CONTRACT" = "@Microsoft.KeyVault(SecretUri=https://selc-d-kv.vault.azure.net/secrets/contracts-storage-blob-connection-string/)",
+  "MAIL_DESTINATION_TEST_ADDRESS" = "[email protected]",
+  "MAIL_TEMPLATE_REGISTRATION_REQUEST_PT_PATH" = "contracts/template/mail/registration-request-pt/1.0.0.json",
+  "MAIL_SERVER_USERNAME" = "@Microsoft.KeyVault(SecretUri=https://selc-d-kv.vault.azure.net/secrets/smtp-not-pec-usr/)",
+  "MAIL_SERVER_PASSWORD" = "@Microsoft.KeyVault(SecretUri=https://selc-d-kv.vault.azure.net/secrets/smtp-not-pec-psw/)",
+  "MAIL_TEMPLATE_REGISTRATION_NOTIFICATION_ADMIN_PATH" = "contracts/template/mail/registration-notification-admin/1.0.0.json",
+  "MAIL_TEMPLATE_NOTIFICATION_PATH" = "contracts/template/mail/onboarding-notification/1.0.0.json"
+}

.functions/onboarding-functions/env/uat/backend.ini

@@ -0,0 +1 @@
+subscription=UAT-SelfCare

.functions/onboarding-functions/env/uat/backend.tfvars

@@ -0,0 +1,4 @@
+resource_group_name  = "terraform-state-rg"
+storage_account_name = "tfappuatselfcare"
+container_name       = "terraform-state"
+key                  = "onboarding-fn.tfstate"

.functions/onboarding-functions/env/uat/terraform.tfvars

@@ -0,0 +1,54 @@
+prefix    = "selc"
+env_short = "u"
+location  = "westeurope"
+
+tags = {
+  CreatedBy   = "Terraform"
+  Environment = "Uat"
+  Owner       = "SelfCare"
+  Source      = "https://github.com/pagopa/selfcare-onboarding"
+  CostCenter  = "TS310 - PAGAMENTI & SERVIZI"
+}
+
+key_vault = {
+  resource_group_name = "selc-u-sec-rg"
+  name                = "selc-u-kv"
+}
+
+
+cidr_subnet_selc_onboarding_fn        = ["10.1.144.0/24"]
+
+function_always_on = false
+
+app_service_plan_info = {
+  kind                         = "Linux"
+  sku_size                     = "P1v3"
+  sku_tier                     = "PremiumV3"
+  maximum_elastic_worker_count = 1
+  worker_count                 = 1
+  zone_balancing_enabled       = false
+}
+
+storage_account_info = {
+  account_kind                      = "StorageV2"
+  account_tier                      = "Standard"
+  account_replication_type          = "LRS"
+  access_tier                       = "Hot"
+  advanced_threat_protection_enable = false
+}
+
+app_settings = {
+  "USER_REGISTRY_URL" = "https://api.uat.pdv.pagopa.it/user-registry/v1",
+  "MONGODB_CONNECTION_URI" = "@Microsoft.KeyVault(SecretUri=https://selc-u-kv.vault.azure.net/secrets/mongodb-connection-string/)",
+  "USER_REGISTRY_API_KEY" = "@Microsoft.KeyVault(SecretUri=https://selc-u-kv.vault.azure.net/secrets/user-registry-api-key/)",
+  "BLOB_STORAGE_CONN_STRING_PRODUCT" = "@Microsoft.KeyVault(SecretUri=https://selc-u-kv.vault.azure.net/secrets/blob-storage-product-connection-string/)",
+  "STORAGE_CONTAINER_CONTRACT" = "selc-u-contracts-blob",
+  "STORAGE_CONTAINER_PRODUCT" = "selc-u-product",
+  "BLOB_STORAGE_CONN_STRING_CONTRACT" = "@Microsoft.KeyVault(SecretUri=https://selc-u-kv.vault.azure.net/secrets/contracts-storage-blob-connection-string/)",
+  "MAIL_DESTINATION_TEST_ADDRESS" = "[email protected]",
+  "MAIL_TEMPLATE_REGISTRATION_REQUEST_PT_PATH" = "contracts/template/mail/registration-request-pt/1.0.0.json",
+  "MAIL_SERVER_USERNAME" = "@Microsoft.KeyVault(SecretUri=https://selc-u-kv.vault.azure.net/secrets/smtp-usr/)",
+  "MAIL_SERVER_PASSWORD" = "@Microsoft.KeyVault(SecretUri=https://selc-u-kv.vault.azure.net/secrets/smtp-psw/)",
+  "MAIL_TEMPLATE_REGISTRATION_NOTIFICATION_ADMIN_PATH" = "contracts/template/mail/registration-notification-admin/1.0.0.json",
+  "MAIL_TEMPLATE_NOTIFICATION_PATH" = "contracts/template/mail/onboarding-notification/1.0.0.json"
+}

.functions/onboarding-functions/functions.tf

@@ -0,0 +1,85 @@
+
+data "azurerm_resource_group" "rg_vnet" {
+  name = format("%s-vnet-rg", local.project)
+}
+
+data "azurerm_resource_group" "rg_monitor" {
+  name = local.monitor_rg_name
+}
+
+data "azurerm_application_insights" "application_insights" {
+  name                = local.monitor_appinsights_name
+  resource_group_name = data.azurerm_resource_group.rg_monitor.name
+}
+
+data "azurerm_virtual_network" "vnet" {
+  name                 = format("%s-vnet", local.project)
+  resource_group_name  = data.azurerm_resource_group.rg_vnet.name
+}
+
+resource "azurerm_resource_group" "onboarding_fn_rg" {
+  name     = "${local.project}-onboarding-fn-rg"
+  location = var.location
+
+  tags = var.tags
+}
+
+
+# subnet
+module "onboarding_fn_snet" {
+  count                = var.cidr_subnet_selc_onboarding_fn != null ? 1 : 0
+  source               = "git::https://github.com/pagopa/terraform-azurerm-v3.git//subnet?ref=v7.28.0"
+  name                 = format("%s-onboarding-fn-snet", local.project)
+  resource_group_name  = data.azurerm_resource_group.rg_vnet.name
+  virtual_network_name = data.azurerm_virtual_network.vnet.name
+  address_prefixes     = var.cidr_subnet_selc_onboarding_fn
+
+  delegation = {
+    name = "default"
+    service_delegation = {
+      name    = "Microsoft.Web/serverFarms"
+      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+    }
+  }
+}
+
+module "selc_onboarding_fn" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//function_app?ref=v7.28.0"
+
+  name                = format("%s-onboarding-fn", local.project)
+  location            = azurerm_resource_group.onboarding_fn_rg.location
+  resource_group_name = azurerm_resource_group.onboarding_fn_rg.name
+
+  health_check_path                        = "/api/v1/info"
+  always_on                                = var.function_always_on
+  subnet_id                                = module.onboarding_fn_snet[0].id
+  application_insights_instrumentation_key = data.azurerm_application_insights.application_insights.instrumentation_key
+  java_version                             = "17"
+  runtime_version                          = "~4"
+
+  system_identity_enabled = true
+
+  storage_account_name = replace(format("%s-onboarding-fn-storage", local.project), "-", "")
+
+  app_service_plan_info = var.app_service_plan_info
+  storage_account_info = var.storage_account_info
+
+  app_settings = var.app_settings
+
+  tags = var.tags
+}
+
+data "azurerm_key_vault" "key_vault" {
+  resource_group_name = var.key_vault.resource_group_name
+  name                = var.key_vault.name
+}
+
+resource "azurerm_key_vault_access_policy" "keyvault_functions_access_policy" {
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = module.selc_onboarding_fn.system_identity_principal
+
+  secret_permissions = [
+    "Get",
+  ]
+}

.functions/onboarding-functions/locals.tf

@@ -0,0 +1,7 @@
+locals {
+  project  = "${var.prefix}-${var.env_short}"
+  app_name = "onboarding-functions"
+
+  monitor_rg_name  = "${local.project}-monitor-rg"
+  monitor_appinsights_name = "${local.project}-appinsights"
+}

.functions/onboarding-functions/main.tf

@@ -0,0 +1,32 @@
+terraform {
+  required_version = ">=1.3.0"
+
+  required_providers {
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "2.30.0"
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.71.0"
+    }
+    github = {
+      source  = "integrations/github"
+      version = "5.18.3"
+    }
+  }
+
+  backend "azurerm" {}
+}
+
+provider "azurerm" {
+  features {}
+}
+
+provider "github" {
+  owner = "pagopa"
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}