Merge branch 'master' into revert-to-managed-identity-cosmos

Author: silvicir

infra/core/psn/hub/prod/appgw.tf

@@ -48,8 +48,8 @@ resource "azurerm_application_gateway" "hub" {
   }
 
   autoscale_configuration {
-    min_capacity = 1
-    max_capacity = 2
+    min_capacity = 5
+    max_capacity = 20
   }
 
   gateway_ip_configuration {

infra/core/psn/spoke/prod/iam.tf

@@ -4,3 +4,15 @@ resource "azurerm_role_assignment" "itwallet_rg_terraform_blob_owner" {
   principal_id         = data.azuread_group.itwallet.object_id
   description          = "Allow the group to read and write Terraform state"
 }
+
+data "azurerm_user_assigned_identity" "infra_cd" {
+  name                = "iw-p-itn-infra-github-cd-id-01"
+  resource_group_name = "iw-p-itn-github-identities-rg-01"
+}
+
+resource "azurerm_role_assignment" "infra_cd_pep_subnet_network_contributor" {
+  role_definition_name = "Network Contributor"
+  scope                = azurerm_subnet.pep.id
+  principal_id         = data.azurerm_user_assigned_identity.infra_cd.principal_id
+  description          = "Grant Network Contributor to infra CD pipeline on pep subnet"
+}

infra/resources/_modules/cdn/README.md

@@ -21,7 +21,6 @@ No modules.
 | Name | Type |
 |------|------|
 | [azurerm_cdn_endpoint.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_endpoint) | resource |
-| [azurerm_cdn_endpoint_custom_domain.cdn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_endpoint_custom_domain) | resource |
 | [azurerm_cdn_profile.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cdn_profile) | resource |
 | [azurerm_monitor_diagnostic_setting.cdn_profile](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
 | [azurerm_monitor_metric_alert.storage_account_low_availability](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |

infra/resources/_modules/function_apps/README.md

@@ -60,6 +60,7 @@ No requirements.
 | <a name="input_health_check_path_support"></a> [health\_check\_path\_support](#input\_health\_check\_path\_support) | Health check path for support function app | `string` | n/a | yes |
 | <a name="input_health_check_path_user"></a> [health\_check\_path\_user](#input\_health\_check\_path\_user) | Health check path for user function app | `string` | n/a | yes |
 | <a name="input_health_check_path_user_uat"></a> [health\_check\_path\_user\_uat](#input\_health\_check\_path\_user\_uat) | Health check path for user uat function app | `string` | n/a | yes |
+| <a name="input_is_psn"></a> [is\_psn](#input\_is\_psn) | Temporary variable to manage both IO and PSN resources | `bool` | `false` | no |
 | <a name="input_key_vault_id"></a> [key\_vault\_id](#input\_key\_vault\_id) | Id of the common Key Vault where save secrets in | `string` | n/a | yes |
 | <a name="input_key_vault_wallet_id"></a> [key\_vault\_wallet\_id](#input\_key\_vault\_wallet\_id) | Id of the wallet Key Vault where save secrets | `string` | n/a | yes |
 | <a name="input_key_vault_wallet_name"></a> [key\_vault\_wallet\_name](#input\_key\_vault\_wallet\_name) | Name of the wallet Key Vault where save secrets | `string` | n/a | yes |
@@ -78,6 +79,10 @@ No requirements.
 | <a name="input_virtual_network"></a> [virtual\_network](#input\_virtual\_network) | Virtual network to create subnet in | <pre>object({<br/>    name                = string<br/>    resource_group_name = string<br/>  })</pre> | n/a | yes |
 | <a name="input_wallet_instance_creation_email_queue_name"></a> [wallet\_instance\_creation\_email\_queue\_name](#input\_wallet\_instance\_creation\_email\_queue\_name) | Send Email on Wallet Instance Creation Queue Name | `string` | n/a | yes |
 | <a name="input_wallet_instance_revocation_email_queue_name"></a> [wallet\_instance\_revocation\_email\_queue\_name](#input\_wallet\_instance\_revocation\_email\_queue\_name) | Send Email on Wallet Instance Revocation Queue Name | `string` | n/a | yes |
+| <a name="input_wallet_instance_storage_account_name"></a> [wallet\_instance\_storage\_account\_name](#input\_wallet\_instance\_storage\_account\_name) | The name of the Wallet Instance Storage Account | `string` | n/a | yes |
+| <a name="input_wallet_instance_storage_account_uat_name"></a> [wallet\_instance\_storage\_account\_uat\_name](#input\_wallet\_instance\_storage\_account\_uat\_name) | The name of the Wallet Instance Storage Account UAT | `string` | n/a | yes |
+| <a name="input_wallet_instance_storage_account_uat_url"></a> [wallet\_instance\_storage\_account\_uat\_url](#input\_wallet\_instance\_storage\_account\_uat\_url) | The URL of the Wallet Instance Storage Account UAT | `string` | n/a | yes |
+| <a name="input_wallet_instance_storage_account_url"></a> [wallet\_instance\_storage\_account\_url](#input\_wallet\_instance\_storage\_account\_url) | The URL of the Wallet Instance Storage Account | `string` | n/a | yes |
 
 ## Outputs
 

infra/resources/_modules/function_apps/locals.tf

@@ -40,6 +40,7 @@ No modules.
 | <a name="input_action_group_id"></a> [action\_group\_id](#input\_action\_group\_id) | Id of the alert action group | `string` | n/a | yes |
 | <a name="input_customer_managed_key_url"></a> [customer\_managed\_key\_url](#input\_customer\_managed\_key\_url) | URL of the customer managed key to encrypt the Storage Account | `string` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | n/a | <pre>object({<br/>    prefix          = string<br/>    environment     = string<br/>    location        = string<br/>    name            = string<br/>    instance_number = string<br/>  })</pre> | n/a | yes |
+| <a name="input_is_psn"></a> [is\_psn](#input\_is\_psn) | Temporary variable to manage both IO and PSN resources | `bool` | `false` | no |
 | <a name="input_key_vault_wallet_id"></a> [key\_vault\_wallet\_id](#input\_key\_vault\_wallet\_id) | Id of the wallet Key Vault where storage account saves secrets | `string` | `null` | no |
 | <a name="input_private_endpoint"></a> [private\_endpoint](#input\_private\_endpoint) | Configuration for the Private Endpoints | <pre>object({<br/>    subnet_pep_id             = string<br/>    blob_private_dns_zone_id  = string<br/>    queue_private_dns_zone_id = string<br/>  })</pre> | `null` | no |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the resource group where resources will be created | `string` | n/a | yes |

infra/resources/_modules/storage_accounts/README.md

@@ -38,14 +38,16 @@
 |------|------|
 | [azurerm_api_management_api.wallet_user_ioapp_v1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api) | resource |
 | [azurerm_api_management_api.wallet_user_uat_ioapp_v1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api) | resource |
+| [azurerm_api_management_api_operation_policy.health_check_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
+| [azurerm_api_management_api_operation_policy.health_check_uat_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
 | [azurerm_api_management_api_policy.wallet_user_uat_v1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_policy) | resource |
 | [azurerm_api_management_api_policy.wallet_user_v1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_policy) | resource |
 | [azurerm_api_management_api_tag.wallet_user](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_tag) | resource |
 | [azurerm_api_management_api_tag.wallet_user_uat](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_tag) | resource |
 | [azurerm_api_management_api_version_set.wallet_user_ioapp](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource |
 | [azurerm_api_management_api_version_set.wallet_user_uat_ioapp](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource |
-| [azurerm_api_management_backend.psn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_backend) | resource |
-| [azurerm_api_management_policy_fragment.wallet_authentication](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_policy_fragment) | resource |
+| [azurerm_api_management_backend.wallet_user_psn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_backend) | resource |
+| [azurerm_api_management_backend.wallet_user_uat_psn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_backend) | resource |
 | [azurerm_api_management_product.wallet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_product) | resource |
 | [azurerm_api_management_product_api.wallet_user_uat_v1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_product_api) | resource |
 | [azurerm_api_management_product_api.wallet_user_v1](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_product_api) | resource |

infra/resources/prod/README.md

@@ -16,12 +16,8 @@ resource "azurerm_api_management_backend" "wallet_user_uat_psn" {
   url                 = "https://api.internal.wallet.io.pagopa.it/api/wallet/uat/v1/"
 }
 
-resource "azurerm_api_management_policy_fragment" "wallet_authentication" {
-  name              = "io-wallet-app-session-fragment"
-  description       = "Handle authentication session for IO app"
-  api_management_id = data.azurerm_api_management.platform_api_gateway.id
-  format            = "rawxml"
-  value             = file("${path.module}/fragments/io-wallet-app-session-fragment.xml")
+locals {
+  wallet_authentication_fragment_name = "ioapp-authenticated"
 }
 
 resource "azurerm_api_management_product" "wallet" {
@@ -131,7 +127,11 @@ resource "azurerm_api_management_api_policy" "wallet_user_v1" {
   xml_content         = <<XML
 <policies>
   <inbound>
-      <include-fragment fragment-id="${azurerm_api_management_policy_fragment.wallet_authentication.name}" />
+      <choose>
+          <when condition="@(!context.Variables.ContainsKey(&quot;skipSessionFragment&quot;))">
+            <include-fragment fragment-id="${local.wallet_authentication_fragment_name}" />
+          </when>
+      </choose>
       <base />
       <set-backend-service backend-id="${azurerm_api_management_backend.wallet_user_psn.name}" />
   </inbound>
@@ -146,7 +146,11 @@ resource "azurerm_api_management_api_policy" "wallet_user_uat_v1" {
   xml_content         = <<XML
 <policies>
   <inbound>
-      <include-fragment fragment-id="${azurerm_api_management_policy_fragment.wallet_authentication.name}" />
+      <choose>
+          <when condition="@(!context.Variables.ContainsKey(&quot;skipSessionFragment&quot;))">
+            <include-fragment fragment-id="${local.wallet_authentication_fragment_name}" />
+          </when>
+      </choose>
       <base />
       <set-backend-service backend-id="${azurerm_api_management_backend.wallet_user_uat_psn.name}" />
   </inbound>

infra/resources/prod/apim_platform.tf

@@ -0,0 +1 @@
+{}