pagopa · uolter · Jun 22, 2025 · Jun 23, 2025 · Jun 24, 2025 · Jun 24, 2025
@@ -22,6 +22,8 @@ dns_domain_name = "dev.developer.pagopa.it"
 
 use_custom_certificate = true
 
+next_open_telemetry_enabled = true
+
 # CMS Strapi DNS
 dns_domain_name_cms = {
   "cms.dev.developer.pagopa.it" = {

@@ -97,6 +97,8 @@ module "website" {
   hosted_zone_id               = module.core.hosted_zone_id
   ses_domain_identity_arn      = module.core.ses_domain_identity_arn
 
+  next_open_telemetry_enabled = var.next_open_telemetry_enabled
+
   website_is_standalone = var.website_is_standalone
   nextjs_version        = "13.4.19"
   create_chatbot        = var.create_chatbot

@@ -140,14 +140,4 @@ module "secret_cms_access_key_secret" {
   name        = "/cms/access_key_secret"
   value       = module.iam_user_cms.iam_access_key_secret
   secure_type = true
-}
-
-module "secret_chb_strapi_api_key" {
-  source = "git::https://github.com/terraform-aws-modules/terraform-aws-ssm-parameter.git?ref=28784d318fcb1d5b632e38a4c1f567dd138fcd83" # v1.1.2
-
-  name        = "/chatbot/chb_strapi_api_key"
-  value       = "update-me"
-  secure_type = true
-  # Ignore changes to value, because the value is updated manually
-  ignore_value_changes = "true"
 }
@@ -74,6 +74,7 @@
 | [aws_acm_certificate.auth](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
 | [aws_acm_certificate.opennext](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
 | [aws_acm_certificate.static_contents](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
+| [aws_acm_certificate.static_website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
 | [aws_acm_certificate.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
 | [aws_cloudfront_distribution.static_contents](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
 | [aws_cloudfront_distribution.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource |
@@ -99,7 +100,6 @@
 | [aws_iam_role_policy_attachment.deploy_website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_route53_record.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.devportal_cognito_A](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
-| [aws_route53_record.opennext](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.static_contents](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.www_website](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |

@@ -33,6 +33,20 @@ resource "aws_acm_certificate" "static_contents" {
     create_before_destroy = true
   }
 
+  # TLS certificate generated in us-east because it is related to the CDN which is a global resource
+  provider = aws.us-east-1
+}
+
+
+resource "aws_acm_certificate" "static_website" {
+  domain_name               = local.domain_name_static_website
+  subject_alternative_names = [format("www.%s", local.domain_name_static_website), ]
+  validation_method         = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
   # TLS certificate generated in us-east because it is related to the CDN which is a global resource
   provider = aws.us-east-1
 }
@@ -65,7 +65,7 @@ resource "aws_cloudfront_distribution" "website" {
   comment             = "CloudFront distribution for the static website."
   default_root_object = "index.html"
 
-  aliases = var.use_custom_certificate && var.dns_domain_name != "" ? [format("www.%s", var.dns_domain_name), var.dns_domain_name] : []
+  aliases = var.use_custom_certificate ? [format("www.%s", local.domain_name_static_website), local.domain_name_static_website] : []
 
   custom_error_response {
     error_code         = 404
@@ -107,7 +107,7 @@ resource "aws_cloudfront_distribution" "website" {
 
   viewer_certificate {
     cloudfront_default_certificate = var.use_custom_certificate ? false : true
-    acm_certificate_arn            = var.use_custom_certificate ? aws_acm_certificate.website.arn : null
+    acm_certificate_arn            = var.use_custom_certificate ? aws_acm_certificate.static_website.arn : null
     ssl_support_method             = var.use_custom_certificate ? "sni-only" : null
     minimum_protocol_version       = var.use_custom_certificate ? "TLSv1.2_2021" : null
   }
@@ -134,7 +134,7 @@ resource "aws_cloudfront_response_headers_policy" "static_content_cors" {
 
 
     access_control_allow_origins {
-      items = ["https://${local.opennext_domain}"]
+      items = ["https://${var.dns_domain_name}"]
     }
 
     origin_override = true

@@ -194,7 +194,7 @@ resource "aws_cognito_user_pool_client" "devportal_website" {
 }
 
 resource "aws_cognito_user_pool_domain" "devportal" {
-  depends_on      = [aws_route53_record.website]
+  depends_on      = [module.opennext]
   domain          = aws_acm_certificate.auth.domain_name
   certificate_arn = aws_acm_certificate.auth.arn
   user_pool_id    = aws_cognito_user_pool.devportal.id

@@ -1,5 +1,9 @@
 locals {
+
   opennext_domain = "open-next.${var.dns_domain_name}"
 
   dns_domain_name_static_contents = format("static-contents.%s", var.dns_domain_name)
+
+  # This is the temporary domain name for the old static website.
+  domain_name_static_website = format("static.%s", var.dns_domain_name)
 }
@@ -1,10 +1,3 @@
-/*
-  environment_variables = {
-
-  }
-
-*/
-
 resource "aws_acm_certificate" "opennext" {
 
   provider = aws.us-east-1
@@ -21,6 +14,7 @@ resource "aws_acm_certificate" "opennext" {
   }
 }
 
+/*
 resource "aws_route53_record" "opennext" {
   for_each = {
     for dvo in aws_acm_certificate.opennext.domain_validation_options : dvo.domain_name => {
@@ -37,7 +31,7 @@ resource "aws_route53_record" "opennext" {
   type            = each.value.type
   zone_id         = var.hosted_zone_id
 }
-
+*/
 
 resource "aws_ssm_parameter" "cookie_domain_script" {
   name        = "COOKIE_DOMAIN_SCRIPT"
@@ -69,20 +63,32 @@ resource "aws_ssm_parameter" "strapi_api_token" {
 }
 
 
+resource "aws_lambda_layer_version" "opentelemetry" {
+  count      = var.next_open_telemetry_enabled ? 1 : 0
+  filename   = "../../lib/opentelemetry/layer.zip"
+  layer_name = "opentelemetry-layer"
+
+  compatible_runtimes = ["nodejs20.x", "nodejs18.x", "nodejs22.x"]
+}
+
+
 module "opennext" {
   source = "github.com/pagopa/dx//infra/modules/aws_open_next?ref=opennext-module"
 
   custom_domain = {
-    domain_name         = local.opennext_domain
-    acm_certificate_arn = aws_acm_certificate.opennext.arn
+    domain_name         = var.dns_domain_name
+    acm_certificate_arn = aws_acm_certificate.website.arn
     hosted_zone_id      = var.hosted_zone_id
   }
 
   are_previews_enabled = true
   environment          = var.environment_information
 
   server = {
-    environment_variables = {
+
+    lambda_layers = var.next_open_telemetry_enabled ? [aws_lambda_layer_version.opentelemetry[0].arn] : []
+
+    environment_variables = merge({
       ENVIRONMENT                                 = var.environment
       FETCH_FROM_STRAPI                           = "true"
       NEXT_PUBLIC_CHATBOT_ACTIVE                  = var.create_chatbot ? "true" : "false"
@@ -109,7 +115,12 @@ module "opennext" {
       S3_RELEASE_NOTES_METADATA_JSON_PATH         = "release-notes-metadata.json"
       S3_SOLUTIONS_METADATA_JSON_PATH             = "solutions-metadata.json"
       STATIC_CONTENTS_URL                         = format("https://static-contents.%s", var.dns_domain_name)
-    }
+      },
+      var.next_open_telemetry_enabled ? {
+        AWS_LAMBDA_EXEC_WRAPPER            = "/opt/otel-handler"
+        OPENTELEMETRY_COLLECTOR_CONFIG_URI = "file:/var/task/collector.yaml"
+      } : {}
+    )
   }
 
   enable_alarms  = true

@@ -3,6 +3,7 @@ locals {
     aws_acm_certificate.website.domain_validation_options,
     aws_acm_certificate.auth.domain_validation_options,
     aws_acm_certificate.static_contents.domain_validation_options,
+    aws_acm_certificate.static_website.domain_validation_options,
   )
 }
 
@@ -24,9 +25,10 @@ resource "aws_route53_record" "certificate" {
 }
 
 // This Route53 record will point at our CloudFront distribution.
+
 resource "aws_route53_record" "www_website" {
   zone_id = var.hosted_zone_id
-  name    = format("www.%s", var.dns_domain_name)
+  name    = format("www.%s", local.domain_name_static_website)
   type    = "A"
 
   alias {
@@ -38,7 +40,7 @@ resource "aws_route53_record" "www_website" {
 
 resource "aws_route53_record" "website" {
   zone_id = var.hosted_zone_id
-  name    = var.dns_domain_name
+  name    = local.domain_name_static_website
   type    = "A"
 
   alias {

@@ -123,4 +123,12 @@ variable "next_public_soap_api_page_active" {
   type        = bool
   description = "Defines if the SOAP API page should be active"
   default     = false
+}
+
+// Refer to the open telemetry documentation to build the layer zip file
+// https://github.com/open-telemetry/opentelemetry-lambda/tree/main/nodejs
+variable "next_open_telemetry_enabled" {
+  type        = bool
+  description = "Defines if OpenTelemetry should be enabled for the Next.js application"
+  default     = false
 }
@@ -194,4 +194,11 @@ variable "website_is_standalone" {
   type        = bool
   description = "If true, the website will be deployed in standalone mode (Amplify), otherwise static deployment is used (S3 + Cloudfront)"
   default     = false
+}
+
+variable "next_open_telemetry_enabled" {
+  type        = bool
+  description = "Defines if OpenNext OTLP is enabled"
+  default     = false
+
 }
@@ -0,0 +1,42 @@
+receivers:
+  otlp:
+    protocols:
+      grpc:
+        endpoint: 0.0.0.0:4317
+      http:
+        endpoint: 0.0.0.0:4318
+
+exporters:
+  otlphttp/logs:
+    compression: gzip
+    logs_endpoint: https://logs.eu-south-1.amazonaws.com/v1/logs
+    headers: 
+      x-aws-log-group: /aws/lambda/devportal-d-website-opnext-server-lambda-01
+      x-aws-log-stream: instrumentation
+    auth:
+      authenticator: sigv4auth/logs
+
+  otlphttp/traces:
+    compression: gzip
+    traces_endpoint: https://xray.eu-south-1.amazonaws.com/v1/traces
+    auth:
+      authenticator: sigv4auth/traces
+
+extensions:
+  sigv4auth/logs:
+    region: "eu-south-1"
+    service: "logs"
+  sigv4auth/traces:
+    region: "eu-south-1"
+    service: "xray"
+
+service:
+  telemetry:
+  extensions: [sigv4auth/logs, sigv4auth/traces]
+  pipelines:
+    logs:
+      receivers: [otlp]
+      exporters: [otlphttp/logs]
+    traces:
+      receivers: [otlp]
+      exporters: [otlphttp/traces]
@@ -0,0 +1,12 @@
+import { registerOTel } from '@vercel/otel';
+import { AWSXRayPropagator } from '@opentelemetry/propagator-aws-xray';
+import { AlwaysOnSampler } from '@opentelemetry/sdk-trace-node';
+
+export function register() {
+  const telemetry = registerOTel({
+    serviceName: 'next-app',
+    propagators: [new AWSXRayPropagator()],
+    traceSampler: new AlwaysOnSampler(),
+    traceExporter: 'auto',
+  });
+}
@@ -27,9 +27,19 @@
     "@mui/material": "5.14.5",
     "@mui/utils": "5.14.5",
     "@opennextjs/aws": "^3.6.3",
+    "@opentelemetry/api-logs": "^0.57.2",
+    "@opentelemetry/exporter-trace-otlp-http": "^0.202.0",
+    "@opentelemetry/instrumentation": "^0.57.2",
+    "@opentelemetry/propagator-aws-xray": "^2.1.0",
+    "@opentelemetry/resources": "^2.0.1",
+    "@opentelemetry/sdk-logs": "^0.57.2",
+    "@opentelemetry/sdk-node": "^0.202.0",
+    "@opentelemetry/sdk-trace-node": "^2.0.1",
+    "@opentelemetry/semantic-conventions": "^1.34.0",
     "@pagopa/mui-italia": "1.0.1",
     "@stoplight/elements": "^7.9.0",
     "@strapi/blocks-react-renderer": "^1.0.1",
+    "@vercel/otel": "^1.13.0",
     "aws-amplify": "^5.3.11",
     "dompurify": "^3.2.5",
     "fp-ts": "^2.13.1",