add: Sops apiconfig (#2662)

* add sops apiconfig

* fix

Author: pasqualespica

src/domains/apiconfig-app/02_security.tf

@@ -8,15 +8,6 @@ data "azurerm_key_vault" "core_kv" {
   resource_group_name = "${local.product}-sec-rg"
 }
 
-resource "azurerm_key_vault_secret" "apiconfig_client_secret" {
-  name         = "apiconfig-core-client-secret"
-  value        = "TODO" # TODO
-  content_type = "text/plain"
-
-  key_vault_id = data.azurerm_key_vault.kv.id
-}
-
-
 #tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
 resource "azurerm_key_vault_secret" "db_nodo_usr" {
   name         = "db-nodo-usr"

src/domains/apiconfig-app/04_apim_api_config.tf

@@ -101,7 +101,7 @@ resource "azurerm_api_management_authorization_server" "apiconfig-oauth2" {
   default_scope = format("%s/%s",
     data.azuread_application.apiconfig-be.identifier_uris[0],
   "access-apiconfig-be")
-  client_secret = azurerm_key_vault_secret.apiconfig_client_secret.value
+  # client_secret = azurerm_key_vault_secret.apiconfig_client_secret.value
 
   bearer_token_sending_methods = ["authorizationHeader"]
   client_authentication_method = ["Body"]

src/domains/apiconfig-common/02_azdo.tf

@@ -11,12 +11,12 @@ data "azurerm_user_assigned_identity" "iac_federated_azdo" {
 resource "azurerm_key_vault_access_policy" "azdevops_iac_managed_identities" {
   for_each = local.azdo_iac_managed_identities
 
-  key_vault_id = module.key_vault.id
+  key_vault_id = data.azurerm_key_vault.key_vault.id
   tenant_id    = data.azurerm_client_config.current.tenant_id
   object_id    = data.azurerm_user_assigned_identity.iac_federated_azdo[each.key].principal_id
 
-  secret_permissions = ["Get", "List", "Set", ]
-
+  key_permissions         = ["Get", "GetRotationPolicy", "Decrypt"]
+  secret_permissions      = ["Get", "List", "Set", ]
   certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get"]
 
   storage_permissions = []
@@ -41,7 +41,7 @@ resource "azurerm_key_vault_access_policy" "azdevops_iac_legacy_policies" {
     data.azuread_service_principal.iac_plan_legacy.object_id,
     data.azuread_service_principal.iac_deploy_legacy.object_id
   ])
-  key_vault_id = module.key_vault.id
+  key_vault_id = data.azurerm_key_vault.key_vault.id
   tenant_id    = data.azurerm_client_config.current.tenant_id
   object_id    = each.key
 

src/domains/apiconfig-common/02_security.tf

@@ -1,25 +1,11 @@
-resource "azurerm_resource_group" "sec_rg" {
-  name     = "${local.product}-${var.domain}-sec-rg"
-  location = var.location
-
-  tags = var.tags
-}
-
-module "key_vault" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault?ref=v4.1.17"
-
-  name                       = "${local.product}-${var.domain}-kv"
-  location                   = azurerm_resource_group.sec_rg.location
-  resource_group_name        = azurerm_resource_group.sec_rg.name
-  tenant_id                  = data.azurerm_client_config.current.tenant_id
-  soft_delete_retention_days = 90
-
-  tags = var.tags
+data "azurerm_key_vault" "key_vault" {
+  name                = "${local.product}-${var.domain}-kv"
+  resource_group_name = "${local.product}-${var.domain}-sec-rg"
 }
 
 ## ad group policy ##
 resource "azurerm_key_vault_access_policy" "ad_group_policy" {
-  key_vault_id = module.key_vault.id
+  key_vault_id = data.azurerm_key_vault.key_vault.id
 
   tenant_id = data.azurerm_client_config.current.tenant_id
   object_id = data.azuread_group.adgroup_admin.object_id
@@ -34,12 +20,12 @@ resource "azurerm_key_vault_access_policy" "ad_group_policy" {
 resource "azurerm_key_vault_access_policy" "adgroup_developers_policy" {
   count = var.env_short != "p" ? 1 : 0
 
-  key_vault_id = module.key_vault.id
+  key_vault_id = data.azurerm_key_vault.key_vault.id
 
   tenant_id = data.azurerm_client_config.current.tenant_id
   object_id = data.azuread_group.adgroup_developers.object_id
 
-  key_permissions     = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  key_permissions     = ["Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt", "GetRotationPolicy" ]
   secret_permissions  = ["Get", "List", "Set", "Delete", ]
   storage_permissions = []
   certificate_permissions = [
@@ -51,12 +37,12 @@ resource "azurerm_key_vault_access_policy" "adgroup_developers_policy" {
 resource "azurerm_key_vault_access_policy" "adgroup_externals_policy" {
   count = var.env_short == "d" ? 1 : 0
 
-  key_vault_id = module.key_vault.id
+  key_vault_id = data.azurerm_key_vault.key_vault.id
 
   tenant_id = data.azurerm_client_config.current.tenant_id
   object_id = data.azuread_group.adgroup_externals.object_id
 
-  key_permissions     = ["Get", "List", "Update", "Create", "Import", "Delete", ]
+  key_permissions     = ["Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt" ]
   secret_permissions  = ["Get", "List", "Set", "Delete", ]
   storage_permissions = []
   certificate_permissions = [
@@ -73,7 +59,7 @@ data "azuread_service_principal" "iac_principal" {
 
 resource "azurerm_key_vault_access_policy" "azdevops_iac_policy" {
   count        = var.enable_iac_pipeline ? 1 : 0
-  key_vault_id = module.key_vault.id
+  key_vault_id = data.azurerm_key_vault.key_vault.id
   tenant_id    = data.azurerm_client_config.current.tenant_id
   object_id    = data.azuread_service_principal.iac_principal[0].object_id
 
@@ -93,115 +79,7 @@ resource "azurerm_key_vault_secret" "ai_connection_string" {
   value        = data.azurerm_application_insights.application_insights.connection_string
   content_type = "text/plain"
 
-  key_vault_id = module.key_vault.id
-}
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "afm_marketplace_subscription_key" {
-  name         = "afm-marketplace-subscription-key"
-  value        = "<TO_UPDATE_MANUALLY_BY_PORTAL>"
-  content_type = "text/plain"
-
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
-}
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "afm_utils_subscription_key" {
-  name         = "afm-utils-subscription-key"
-  value        = "<TO_UPDATE_MANUALLY_BY_PORTAL>"
-  content_type = "text/plain"
-
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
-}
-
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "afm_cosmos_key" {
-  name         = "afm-cosmos-key"
-  value        = "<TO_UPDATE_MANUALLY_BY_PORTAL>"
-  content_type = "text/plain"
-
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
-}
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "oracle_db_cfg_password" {
-  name         = "oracle-db-cfg-password"
-  value        = "<TO_UPDATE_MANUALLY_BY_PORTAL>"
-  content_type = "text/plain"
-
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
-}
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "oracle_db_cfg_dev_nexi_password" {
-  count        = var.env_short == "d" ? 1 : 0
-  name         = "oracle-db-cfg-dev-password"
-  value        = "<TO_UPDATE_MANUALLY_BY_PORTAL>"
-  content_type = "text/plain"
-
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
-}
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "oracle_db_cfg_prf_nexi_password" {
-  count        = var.env_short == "u" ? 1 : 0
-  name         = "oracle-db-cfg-prf-password"
-  value        = "<TO_UPDATE_MANUALLY_BY_PORTAL>"
-  content_type = "text/plain"
-
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
-}
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "postgresql_db_cfg_password" {
-  name         = "postgresql-db-cfg-password"
-  value        = "<TO_UPDATE_MANUALLY_BY_PORTAL>"
-  content_type = "text/plain"
-
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
+  key_vault_id = data.azurerm_key_vault.key_vault.id
 }
 
 data "azurerm_redis_cache" "redis_cache" {
@@ -215,45 +93,15 @@ resource "azurerm_key_vault_secret" "redis_password" {
   value        = data.azurerm_redis_cache.redis_cache.primary_access_key
   content_type = "text/plain"
 
-  key_vault_id = module.key_vault.id
+  key_vault_id = data.azurerm_key_vault.key_vault.id
 }
 
 resource "azurerm_key_vault_secret" "redis_hostname" {
   name         = "redis-hostname"
   value        = data.azurerm_redis_cache.redis_cache.hostname
   content_type = "text/plain"
 
-  key_vault_id = module.key_vault.id
-}
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "github_token_read_packages" {
-  name         = "github-token-read-packages"
-  value        = "<TO_UPDATE_MANUALLY_BY_PORTAL>"
-  content_type = "text/plain"
-
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
-}
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "apiconfig_selfcare_integration_api_subscription-key" {
-  name         = "apiconfig-selfcare-integration-api-subscription-key"
-  value        = "<TO_UPDATE_MANUALLY_BY_PORTAL>"
-  content_type = "text/plain"
-
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
+  key_vault_id = data.azurerm_key_vault.key_vault.id
 }
 
 # create json letsencrypt inside kv
@@ -274,91 +122,11 @@ resource "azurerm_key_vault_secret" "storage_connection_string" {
   value        = data.azurerm_storage_account.api_config_ica_sa.primary_connection_string
   content_type = "text/plain"
 
-  key_vault_id = module.key_vault.id
-}
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "nodo5_slack_webhook_url" {
-  name         = "nodo5-slack-webhook-url"
-  value        = "<TO UPDATE MANUALLY ON PORTAL>"
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
-}
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "apicfg_cache_subscription_key" {
-  name         = "api-config-cache-subscription-key"
-  value        = "<TO UPDATE MANUALLY ON PORTAL>"
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
+  key_vault_id = data.azurerm_key_vault.key_vault.id
 }
 
 resource "azurerm_key_vault_secret" "apicfg_cache_tx_connection_string" {
   name         = "nodo-dei-pagamenti-cache-tx-connection-string-key"
   value        = data.azurerm_eventhub_authorization_rule.nodo_dei_pagamenti_cache_tx.primary_connection_string
-  key_vault_id = module.key_vault.id
-}
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "cfg_for_node_subscription_key" {
-  name         = "cfg-for-node-subscription-key"
-  value        = "<TO UPDATE MANUALLY ON PORTAL>"
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
-}
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "db_postgres_nexi_cfg_password" {
-  count        = var.env_short == "p" ? 0 : 1
-  name         = "db-postgres-nexi-cfg-password"
-  value        = "<TO UPDATE MANUALLY ON PORTAL>"
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
-}
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "db_postgres_nexi_cfg_password_prf" {
-  count        = var.env_short == "u" ? 1 : 0
-  name         = "db-postgres-nexi-cfg-password-prf"
-  value        = "<TO UPDATE MANUALLY ON PORTAL>"
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
-}
-
-#tfsec:ignore:azure-keyvault-ensure-secret-expiry tfsec:ignore:azure-keyvault-content-type-for-secret
-resource "azurerm_key_vault_secret" "encrypted_github_token_read_packages_bot" {
-  name         = "encrypted-github-token-read-packages-bot"
-  value        = "<TO UPDATE MANUALLY ON PORTAL>"
-  key_vault_id = module.key_vault.id
-
-  lifecycle {
-    ignore_changes = [
-      value,
-    ]
-  }
+  key_vault_id = data.azurerm_key_vault.key_vault.id
 }