add fixtures

Author: Krusty93

infra/modules/azure_app_configuration/examples/network_access/README.md

@@ -7,23 +7,40 @@
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.13.0 |
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 4.0 |
-| <a name="requirement_pagopa-dx"></a> [pagopa-dx](#requirement\_pagopa-dx) | ~> 0.8 |
+| <a name="requirement_dx"></a> [dx](#requirement\_dx) | ~> 0.8 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.7 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_private_appcs"></a> [private\_appcs](#module\_private\_appcs) | pagopa-dx/azure-app-configuration/azurerm | ~> 0.0 |
+| <a name="module_integration_github_roles"></a> [integration\_github\_roles](#module\_integration\_github\_roles) | pagopa-dx/azure-role-assignments/azurerm | ~> 1.0 |
+| <a name="module_private_appcs"></a> [private\_appcs](#module\_private\_appcs) | ../../ | n/a |
+| <a name="module_role_appcs_private"></a> [role\_appcs\_private](#module\_role\_appcs\_private) | pagopa-dx/azure-role-assignments/azurerm | ~> 1.0 |
+| <a name="module_role_appcs_public"></a> [role\_appcs\_public](#module\_role\_appcs\_public) | pagopa-dx/azure-role-assignments/azurerm | ~> 1.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [azurerm_app_configuration_key.test_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_configuration_key) | resource |
+| [azurerm_app_configuration_key.test_setting](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_configuration_key) | resource |
+| [azurerm_container_group.private_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_group) | resource |
+| [azurerm_container_group.public_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_group) | resource |
+| [azurerm_key_vault.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault) | resource |
+| [azurerm_key_vault_secret.test_secret](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
+| [azurerm_private_endpoint.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
 | [azurerm_resource_group.e2e_appcs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_subnet.private_app](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
+| [dx_available_subnet_cidr.private_app](https://registry.terraform.io/providers/pagopa-dx/azure/latest/docs/resources/available_subnet_cidr) | resource |
 | [random_integer.appcs_instance](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_log_analytics_workspace.e2e](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
+| [azurerm_private_dns_zone.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/private_dns_zone) | data source |
 | [azurerm_resource_group.network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_subnet.pep](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_user_assigned_identity.integration_github](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
 | [azurerm_virtual_network.e2e](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 
 ## Inputs
@@ -35,4 +52,6 @@ No inputs.
 | Name | Description |
 |------|-------------|
 | <a name="output_name"></a> [name](#output\_name) | n/a |
+| <a name="output_private_app_ip_address"></a> [private\_app\_ip\_address](#output\_private\_app\_ip\_address) | n/a |
+| <a name="output_public_app_ip_address"></a> [public\_app\_ip\_address](#output\_public\_app\_ip\_address) | n/a |
 <!-- END_TF_DOCS -->

infra/modules/azure_app_configuration/examples/network_access/data.tf

@@ -1,10 +1,28 @@
+data "azurerm_client_config" "current" {}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_log_analytics_workspace" "e2e" {
+  name                = local.e2e_log_analytics_workspace.name
+  resource_group_name = local.e2e_virtual_network.resource_group_name
+}
+
+data "azurerm_private_dns_zone" "kv" {
+  name                = "privatelink.vaultcore.azure.net"
+  resource_group_name = data.azurerm_resource_group.network.name
+}
+
+data "azurerm_user_assigned_identity" "integration_github" {
+  name                = "dx-d-itn-devex-integration-id-01"
+  resource_group_name = "dx-d-itn-devex-rg-01"
+}
 data "azurerm_virtual_network" "e2e" {
   name                = local.e2e_virtual_network.name
   resource_group_name = local.e2e_virtual_network.resource_group_name
 }
 
 data "azurerm_subnet" "pep" {
-  name = provider::pagopa-dx::resource_name(merge(local.naming_config, {
+  name = provider::dx::resource_name(merge(local.naming_config, {
     name          = "pep",
     resource_type = "subnet"
   }))
@@ -13,7 +31,7 @@ data "azurerm_subnet" "pep" {
 }
 
 data "azurerm_resource_group" "network" {
-  name = provider::pagopa-dx::resource_name(merge(local.naming_config, {
+  name = provider::dx::resource_name(merge(local.naming_config, {
     name          = "network"
     resource_type = "resource_group"
   }))

infra/modules/azure_app_configuration/examples/network_access/fixtures.tf

@@ -1,5 +1,5 @@
 resource "azurerm_resource_group" "e2e_appcs" {
-  name = provider::pagopa-dx::resource_name(merge(local.naming_config, {
+  name = provider::dx::resource_name(merge(local.naming_config, {
     domain        = "e2e"
     name          = "appcs",
     resource_type = "resource_group"
@@ -8,3 +8,217 @@ resource "azurerm_resource_group" "e2e_appcs" {
 
   tags = local.tags
 }
+
+resource "azurerm_container_group" "public_app" {
+  name = provider::dx::resource_name(
+    merge(local.naming_config, { name = "appcs-public", resource_type = "container_instance" })
+  )
+  location            = local.environment.location
+  resource_group_name = azurerm_resource_group.e2e_appcs.name
+
+  identity { type = "SystemAssigned" }
+
+  os_type = "Linux"
+
+  container {
+    name   = "network-access"
+    image  = local.docker_image
+    cpu    = "0.5"
+    memory = "1.5"
+    ports {
+      port = 8080
+    }
+  }
+
+  diagnostics {
+    log_analytics {
+      workspace_id  = data.azurerm_log_analytics_workspace.e2e.workspace_id
+      workspace_key = data.azurerm_log_analytics_workspace.e2e.primary_shared_key
+    }
+  }
+
+  tags = local.tags
+}
+
+resource "dx_available_subnet_cidr" "private_app" {
+  virtual_network_id = data.azurerm_virtual_network.e2e.id
+  prefix_length      = 26
+}
+
+resource "azurerm_subnet" "private_app" {
+  name = provider::dx::resource_name(merge(local.naming_config, {
+    name          = "appcs-private",
+    resource_type = "container_instance_subnet"
+  }))
+  resource_group_name  = local.e2e_virtual_network.resource_group_name
+  virtual_network_name = local.e2e_virtual_network.name
+  address_prefixes     = [dx_available_subnet_cidr.private_app.cidr_block]
+
+  delegation {
+    name = "Microsoft.ContainerInstance/containerGroups"
+
+    service_delegation {
+      name = "Microsoft.ContainerInstance/containerGroups"
+      actions = [
+        "Microsoft.Network/virtualNetworks/subnets/action",
+      ]
+    }
+  }
+}
+
+resource "azurerm_container_group" "private_app" {
+  name = provider::dx::resource_name(
+    merge(local.naming_config, { name = "appcs-private", resource_type = "container_instance" })
+  )
+  location            = local.environment.location
+  resource_group_name = azurerm_resource_group.e2e_appcs.name
+
+  identity { type = "SystemAssigned" }
+
+  os_type = "Linux"
+
+  container {
+    name   = "network-access"
+    image  = local.docker_image
+    cpu    = "0.5"
+    memory = "1.5"
+    ports {
+      port = 8080
+    }
+  }
+
+  ip_address_type = "Private"
+
+  subnet_ids = [
+    azurerm_subnet.private_app.id
+  ]
+
+  diagnostics {
+    log_analytics {
+      workspace_id  = data.azurerm_log_analytics_workspace.e2e.workspace_id
+      workspace_key = data.azurerm_log_analytics_workspace.e2e.primary_shared_key
+    }
+  }
+
+  tags = local.tags
+}
+
+#trivy:ignore:AVD-AZU-0016
+resource "azurerm_key_vault" "kv" {
+  name                          = provider::dx::resource_name(merge(local.naming_config, { resource_type = "key_vault", instance_number = random_integer.appcs_instance.result }))
+  location                      = azurerm_resource_group.e2e_appcs.location
+  resource_group_name           = azurerm_resource_group.e2e_appcs.name
+  tenant_id                     = data.azurerm_client_config.current.tenant_id
+  rbac_authorization_enabled    = true
+  sku_name                      = "standard"
+  purge_protection_enabled      = false
+  public_network_access_enabled = false
+
+  network_acls {
+    bypass         = "AzureServices"
+    default_action = "Deny"
+  }
+
+  tags = local.tags
+}
+
+#trivy:ignore:AVD-AZU-0015
+#trivy:ignore:AVD-AZU-0017
+resource "azurerm_key_vault_secret" "test_secret" {
+  name         = "secret-key"
+  key_vault_id = azurerm_key_vault.kv.id
+  value        = "secret-value"
+
+  depends_on = [
+    module.integration_github_roles
+  ]
+}
+
+resource "azurerm_private_endpoint" "kv" {
+  name                = provider::dx::resource_name(merge(local.naming_config, { resource_type = "key_vault_private_endpoint", instance_number = random_integer.appcs_instance.result }))
+  location            = azurerm_resource_group.e2e_appcs.location
+  resource_group_name = azurerm_resource_group.e2e_appcs.name
+  subnet_id           = data.azurerm_subnet.pep.id
+
+  private_service_connection {
+    name                           = provider::dx::resource_name(merge(local.naming_config, { resource_type = "key_vault_private_endpoint", instance_number = random_integer.appcs_instance.result }))
+    private_connection_resource_id = azurerm_key_vault.kv.id
+    is_manual_connection           = false
+    subresource_names              = ["vault"]
+  }
+
+  private_dns_zone_group {
+    name                 = "private-dns-zone-group"
+    private_dns_zone_ids = [data.azurerm_private_dns_zone.kv.id]
+  }
+
+  tags = local.tags
+}
+
+module "role_appcs_private" {
+  source  = "pagopa-dx/azure-role-assignments/azurerm"
+  version = "~> 1.0"
+
+  principal_id    = azurerm_container_group.private_app.identity[0].principal_id
+  subscription_id = data.azurerm_subscription.current.subscription_id
+
+  app_config = [
+    {
+      name                = module.private_appcs.name
+      resource_group_name = module.private_appcs.resource_group_name
+      description         = "Allow private Container Instance to read from App Configuration"
+      role                = "reader"
+    }
+  ]
+
+  # key_vault = {
+  #   name                = module.private_keyvault.key_vault_name
+  #   resource_group_name = module.private_keyvault.resource_group_name
+  #   has_rbac_enabled    = true
+  # }
+}
+
+module "role_appcs_public" {
+  source  = "pagopa-dx/azure-role-assignments/azurerm"
+  version = "~> 1.0"
+
+  principal_id    = azurerm_container_group.public_app.identity[0].principal_id
+  subscription_id = data.azurerm_subscription.current.subscription_id
+
+  app_config = [
+    {
+      name                = module.private_appcs.name
+      resource_group_name = module.private_appcs.resource_group_name
+      description         = "Allow public Container Instance to read from App Configuration"
+      role                = "reader"
+    }
+  ]
+}
+
+module "integration_github_roles" {
+  source  = "pagopa-dx/azure-role-assignments/azurerm"
+  version = "~> 1.0"
+
+  principal_id    = data.azurerm_user_assigned_identity.integration_github.principal_id
+  subscription_id = data.azurerm_subscription.current.subscription_id
+
+  app_config = [
+    {
+      name                = module.private_appcs.name
+      resource_group_name = module.private_appcs.resource_group_name
+      description         = "Allow GitHub to write settings on App Configuration"
+      role                = "writer"
+    }
+  ]
+
+  key_vault = [
+    {
+      name                = azurerm_key_vault.kv.name
+      resource_group_name = azurerm_key_vault.kv.resource_group_name
+      description         = "Allow GitHub to write secrets on Key Vault"
+      roles = {
+        secrets = "writer"
+      }
+    }
+  ]
+}

infra/modules/azure_app_configuration/examples/network_access/locals.tf

@@ -26,13 +26,22 @@ locals {
   }
 
   e2e_virtual_network = {
-    name = provider::pagopa-dx::resource_name(merge(local.naming_config, {
+    name = provider::dx::resource_name(merge(local.naming_config, {
       name          = "e2e",
       resource_type = "virtual_network"
     }))
-    resource_group_name = provider::pagopa-dx::resource_name(merge(local.naming_config, {
+    resource_group_name = provider::dx::resource_name(merge(local.naming_config, {
       name          = "e2e",
       resource_type = "resource_group"
     }))
   }
+
+  e2e_log_analytics_workspace = {
+    name = provider::dx::resource_name(merge(local.naming_config, {
+      name          = "e2e",
+      resource_type = "log_analytics"
+    }))
+  }
+
+  docker_image = "ghcr.io/pagopa/e2e-appconfiguration-all-scenarios:latest"
 }

infra/modules/azure_app_configuration/examples/network_access/mut.tf

@@ -4,8 +4,9 @@ resource "random_integer" "appcs_instance" {
 }
 
 module "private_appcs" {
-  source  = "pagopa-dx/azure-app-configuration/azurerm"
-  version = "~> 0.0"
+  # source  = "pagopa-dx/azure-app-configuration/azurerm"
+  # version = "~> 0.0"
+  source = "../../"
 
   environment         = (merge(local.environment, { instance_number = random_integer.appcs_instance.result }))
   resource_group_name = azurerm_resource_group.e2e_appcs.name
@@ -20,3 +21,26 @@ module "private_appcs" {
   private_dns_zone_resource_group_name = data.azurerm_resource_group.network.name
   tags                                 = local.tags
 }
+
+resource "azurerm_app_configuration_key" "test_setting" {
+  configuration_store_id = module.private_appcs.id
+  key                    = "Setting:test-key"
+  value                  = "test value"
+  content_type           = "application/json"
+
+  depends_on = [
+    module.integration_github_roles
+  ]
+}
+
+resource "azurerm_app_configuration_key" "test_secret" {
+  configuration_store_id = module.private_appcs.id
+  key                    = "Secret:secret-key"
+  type                   = "vault"
+  vault_key_reference    = azurerm_key_vault_secret.test_secret.versionless_id
+
+  depends_on = [
+    module.integration_github_roles,
+    azurerm_key_vault_secret.test_secret
+  ]
+}

infra/modules/azure_app_configuration/examples/network_access/outputs.tf

@@ -1,3 +1,11 @@
 output "name" {
   value = module.private_appcs.name
 }
+
+output "public_app_ip_address" {
+  value = azurerm_container_group.public_app.ip_address
+}
+
+output "private_app_ip_address" {
+  value = azurerm_container_group.private_app.ip_address
+}