feat: Qi common upgrade to v4 (#3637)

mamari90 · web-flow · commit 026a281519de · 2026-02-09T14:33:23.000+01:00
upgrade to v4
diff --git a/src/domains/qi-common/.terraform.lock.hcl b/src/domains/qi-common/.terraform.lock.hcl
diff --git a/src/domains/qi-common/00_azuread.tf b/src/domains/qi-common/00_azuread.tf
@@ -19,7 +19,7 @@ data "azuread_group" "adgroup_operations" {
   display_name = "${local.product}-adgroup-operations"
 }
 
-# Acccording to 
+# Acccording to
 # Application Insights API Keys are deprecated and will be retired in March 2026. Please consider using API Accesss with Azure AD. Learn more about API Access with Azure AD
 # https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=aspnetcore
 
@@ -34,7 +34,7 @@ resource "azuread_application" "qi_app" {
 }
 
 resource "azuread_service_principal" "qi_sp" {
-  application_id = azuread_application.qi_app.application_id
+  client_id = azuread_application.qi_app.client_id
 }
 
 # https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#role-based-access-control-administrator
@@ -50,17 +50,17 @@ resource "time_rotating" "qi_application_time" {
 }
 
 resource "azuread_application_password" "qi_app_pwd" {
-  application_object_id = azuread_application.qi_app.object_id
-  display_name          = "managed by terraform"
-  end_date_relative     = "8640h" # 360 days
+  application_id    = azuread_application.qi_app.id
+  display_name      = "managed by terraform"
+  end_date_relative = "8640h" # 360 days
   rotate_when_changed = {
     rotation = time_rotating.qi_application_time.id
   }
 }
 
 resource "azurerm_key_vault_secret" "qi_service_principal_client_id" {
   name         = "${local.product}-qi-client-id"
-  value        = azuread_service_principal.qi_sp.application_id
+  value        = azuread_service_principal.qi_sp.client_id
   content_type = "text/plain"
 
   key_vault_id = module.key_vault.id
diff --git a/src/domains/qi-common/01_network.tf b/src/domains/qi-common/01_network.tf
@@ -50,23 +50,23 @@ data "azurerm_resource_group" "rg_event_private_dns_zone" {
 
 # all snet for each evh(s)
 resource "azurerm_subnet" "eventhub_qi_snet" {
-  name                 = "${local.project_itn}-evh-qi-snet"
-  resource_group_name  = data.azurerm_resource_group.rg_vnet_italy.name
-  virtual_network_name = data.azurerm_virtual_network.vnet_italy.name
-  address_prefixes     = var.cidr_subnet_qi_evh
+  name                              = "${local.project_itn}-evh-qi-snet"
+  resource_group_name               = data.azurerm_resource_group.rg_vnet_italy.name
+  virtual_network_name              = data.azurerm_virtual_network.vnet_italy.name
+  address_prefixes                  = var.cidr_subnet_qi_evh
+  private_endpoint_network_policies = "Enabled"
 }
 
 module "cosmosdb_qi_snet" {
-  source = "./.terraform/modules/__v3__/subnet"
+  source = "./.terraform/modules/__v4__/subnet"
 
   name                 = "${local.project}-cosmosb-snet"
   resource_group_name  = local.vnet_resource_group_name
   virtual_network_name = local.vnet_name
 
   address_prefixes = var.cidr_subnet_cosmosdb_qi
 
-  private_endpoint_network_policies_enabled = true
-
+  private_endpoint_network_policies = "Enabled"
   service_endpoints = [
     "Microsoft.Web",
     "Microsoft.AzureCosmosDB",
diff --git a/src/domains/qi-common/02_security.tf b/src/domains/qi-common/02_security.tf
@@ -6,7 +6,7 @@ resource "azurerm_resource_group" "sec_rg" {
 }
 
 module "key_vault" {
-  source = "./.terraform/modules/__v3__/key_vault"
+  source = "./.terraform/modules/__v4__/key_vault"
 
 
   name                       = "${local.product}-${var.domain}-kv"
@@ -182,7 +182,7 @@ resource "azurerm_key_vault_secret" "qi_azurewebjobsstorage" {
 # create json letsencrypt inside kv
 # requierd: Docker
 module "letsencrypt_qi" {
-  source = "./.terraform/modules/__v3__/letsencrypt_credential"
+  source = "./.terraform/modules/__v4__/letsencrypt_credential"
 
   prefix            = var.prefix
   env               = var.env_short
diff --git a/src/domains/qi-common/03_cosmosdb.tf b/src/domains/qi-common/03_cosmosdb.tf
@@ -7,7 +7,7 @@ resource "azurerm_resource_group" "cosmosdb_qi_rg" {
 
 module "cosmosdb_account_qi_mongodb" {
 
-  source = "./.terraform/modules/__v3__/cosmosdb_account"
+  source = "./.terraform/modules/__v4__/cosmosdb_account"
 
   name                = "${local.project}-cosmos-account"
   location            = var.location
@@ -85,7 +85,7 @@ locals {
 
 module "cosmosdb_accounting_reconciliation_collections" {
 
-  source   = "./.terraform/modules/__v3__/cosmosdb_mongodb_collection"
+  source   = "./.terraform/modules/__v4__/cosmosdb_mongodb_collection"
   for_each = { for index, coll in local.accounting_reconciliation_collections : coll.name => coll }
 
   name                = each.value.name
diff --git a/src/domains/qi-common/03_storage_account_fn.tf b/src/domains/qi-common/03_storage_account_fn.tf
@@ -6,7 +6,7 @@ resource "azurerm_resource_group" "qi_rg" {
 }
 
 module "qi_fn_sa" {
-  source = "./.terraform/modules/__v3__/storage_account"
+  source = "./.terraform/modules/__v4__/storage_account"
 
   name                       = replace(format("%s-fn-sa", local.project), "-", "")
   account_kind               = var.qi_storage_params.kind
diff --git a/src/domains/qi-common/06_evh_qi.tf b/src/domains/qi-common/06_evh_qi.tf
@@ -5,7 +5,7 @@ resource "azurerm_resource_group" "qi_evh_resource_group" {
 }
 
 module "eventhub_namespace_qi" {
-  source                   = "./.terraform/modules/__v3__/eventhub"
+  source                   = "./.terraform/modules/__v4__/eventhub"
   name                     = "${local.project_itn}-evh"
   location                 = var.location_itn
   resource_group_name      = azurerm_resource_group.qi_evh_resource_group.name
@@ -15,20 +15,13 @@ module "eventhub_namespace_qi" {
   maximum_throughput_units = var.ehns_maximum_throughput_units
   #zone_redundat is always true
 
-  virtual_network_ids           = [data.azurerm_virtual_network.vnet_italy.id]
   private_endpoint_subnet_id    = azurerm_subnet.eventhub_qi_snet.id
   public_network_access_enabled = var.ehns_public_network_access
   private_endpoint_created      = var.ehns_private_endpoint_is_present
 
   private_endpoint_resource_group_name = azurerm_resource_group.qi_evh_resource_group.name
+  private_dns_zones_ids                = [data.azurerm_private_dns_zone.eventhub.id]
 
-  private_dns_zones = {
-    id                  = [data.azurerm_private_dns_zone.eventhub.id]
-    name                = [data.azurerm_private_dns_zone.eventhub.name]
-    resource_group_name = data.azurerm_resource_group.rg_event_private_dns_zone.name
-  }
-
-  private_dns_zone_record_A_name = "${var.domain}.${var.location_short_itn}"
 
   action = [
     {
@@ -48,7 +41,7 @@ module "eventhub_namespace_qi" {
 }
 
 module "eventhub_qi_configuration" {
-  source = "./.terraform/modules/__v3__/eventhub_configuration"
+  source = "./.terraform/modules/__v4__/eventhub_configuration"
 
   event_hub_namespace_name                = module.eventhub_namespace_qi.name
   event_hub_namespace_resource_group_name = azurerm_resource_group.qi_evh_resource_group.name
diff --git a/src/domains/qi-common/10_github_identity.tf b/src/domains/qi-common/10_github_identity.tf
@@ -63,7 +63,7 @@ locals {
 
 # create a module for each 20 repos
 module "identity_cd_01" {
-  source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity"
+  source = "./.terraform/modules/__v4__/github_federated_identity"
   # pagopa-<ENV><DOMAIN>-<COUNTER>-github-<PERMS>-identity
   prefix    = var.prefix
   env_short = var.env_short
@@ -139,7 +139,7 @@ resource "null_resource" "github_runner_app_permissions_to_namespace_cd_01" {
 # WL-IDENTITY
 # https://pagopa.atlassian.net/wiki/spaces/DEVOPS/pages/1227751458/Migrazione+pod+Identity+vs+workload+Identity#Init-workload-identity
 module "workload_identity" {
-  source = "./.terraform/modules/__v3__/kubernetes_workload_identity_init"
+  source = "./.terraform/modules/__v4__/kubernetes_workload_identity_init"
 
   workload_identity_name_prefix         = var.domain
   workload_identity_resource_group_name = data.azurerm_kubernetes_cluster.aks.resource_group_name
diff --git a/src/domains/qi-common/99_main.tf b/src/domains/qi-common/99_main.tf
@@ -2,11 +2,11 @@ terraform {
   required_providers {
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "<= 3.116.0"
+      version = "~> 4.16"
     }
     azuread = {
       source  = "hashicorp/azuread"
-      version = "= 2.38.0"
+      version = "~> 3.1"
     }
     null = {
       source  = "hashicorp/null"
@@ -29,7 +29,7 @@ data "azurerm_subscription" "current" {}
 
 data "azurerm_client_config" "current" {}
 
-module "__v3__" {
-  # v8.62.1
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3?ref=f3485105e35ce8c801209dcbb4ef72f3d944f0e5"
-}
+module "__v4__" {
+  # v8.5.3
+  source = "git::https://github.com/pagopa/terraform-azurerm-v4?ref=e014df915dd8cb6d112b3424abcf5252e78979c9"
+}
diff --git a/src/domains/qi-common/README.md b/src/domains/qi-common/README.md

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ data "azuread_group" "adgroup_operations" {`
`19`	`19`	`display_name = "${local.product}-adgroup-operations"`
`20`	`20`	`}`
`21`	`21`
`22`		`-# Acccording to`
	`22`	`+# Acccording to`
`23`	`23`	`# Application Insights API Keys are deprecated and will be retired in March 2026. Please consider using API Accesss with Azure AD. Learn more about API Access with Azure AD`
`24`	`24`	`# https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=aspnetcore`
`25`	`25`
`@@ -34,7 +34,7 @@ resource "azuread_application" "qi_app" {`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`resource "azuread_service_principal" "qi_sp" {`
`37`		`- application_id = azuread_application.qi_app.application_id`
	`37`	`+ client_id = azuread_application.qi_app.client_id`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`# https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#role-based-access-control-administrator`
`@@ -50,17 +50,17 @@ resource "time_rotating" "qi_application_time" {`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`resource "azuread_application_password" "qi_app_pwd" {`
`53`		`- application_object_id = azuread_application.qi_app.object_id`
`54`		`- display_name = "managed by terraform"`
`55`		`- end_date_relative = "8640h" # 360 days`
	`53`	`+ application_id = azuread_application.qi_app.id`
	`54`	`+ display_name = "managed by terraform"`
	`55`	`+ end_date_relative = "8640h" # 360 days`
`56`	`56`	`rotate_when_changed = {`
`57`	`57`	`rotation = time_rotating.qi_application_time.id`
`58`	`58`	`}`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`resource "azurerm_key_vault_secret" "qi_service_principal_client_id" {`
`62`	`62`	`name = "${local.product}-qi-client-id"`
`63`		`- value = azuread_service_principal.qi_sp.application_id`
	`63`	`+ value = azuread_service_principal.qi_sp.client_id`
`64`	`64`	`content_type = "text/plain"`
`65`	`65`
`66`	`66`	`key_vault_id = module.key_vault.id`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ resource "azurerm_resource_group" "qi_rg" {`
`6`	`6`	`}`
`7`	`7`
`8`	`8`	`module "qi_fn_sa" {`
`9`		`- source = "./.terraform/modules/__v3__/storage_account"`
	`9`	`+ source = "./.terraform/modules/__v4__/storage_account"`
`10`	`10`
`11`	`11`	`name = replace(format("%s-fn-sa", local.project), "-", "")`
`12`	`12`	`account_kind = var.qi_storage_params.kind`