feat: [PAYMCLOUD-541] Update ClouDO module, add runbooks, and improve AKS integrations (#3635)

* Add `.terraform.lock.hcl` file to version control to lock provider versions.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Initial setup for `ClouDO` infrastructure, including Terraform configurations, environment variables, and required modules.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Update Terraform module source and Azure provider version

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Add new runbooks, update Terraform resources, and include encrypted secrets for ClouDO

- Added multiple runbook scripts for AKS scaling, rollouts, system checks, and App Gateway metrics.
- Updated Terraform modules and configurations, including new data sources and parameters.
- Included encrypted `cloudo-slack-token` and `opsgenie_token` secrets.
- Modified schemas and updated Docker image tags.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Update `aks-increate-max-keda-pod-scaling.sh` to remove unused arguments and simplify usage.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Adjust `aks-increate-max-keda-pod-scaling.sh` to conditionally decrement `maxReplicaCount` when `MONITOR_CONDITION` is resolved.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Ensure `maxReplicaCount` does not decrease below 1 when `MONITOR_CONDITION` is resolved.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Fix missing `fi` statement in `aks-increate-max-keda-pod-scaling.sh`.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Update Azure provider to 4.50.0, add new AKS scaling runbook, and enhance node pool scaling logic

- Upgraded `azurerm` provider in `.terraform.lock.hcl` to version `4.50.0`.
- Introduced `scale-pagopa-d-aks-user01-nodepool` runbook for managing DEV environment node pools.
- Enhanced `aks-scale-node-pool.sh` to handle autoscaling node pools.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Log current node pool mode in `aks-scale-node-pool.sh`.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Refactor `aks-scale-node-pool.sh` to enhance scaling logic and accommodate autoscaling adjustments.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Simplify `aks-scale-node-pool.sh` by removing

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Align variable names in `aks-scale-node-pool

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Fix typo in `--min-count` parameter for `aks-scale-node-pool.sh`.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Add log to display min and max node pool values during scaling

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Enable `--update-cluster-autoscaler` flag in `aks-scale-node-pool.sh`.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Add log message to indicate node pool scaling operation in `aks-scale-node-pool.sh`.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Add missing log messages to indicate node pool scaling operations in `aks-scale-node-pool.sh`.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Add `aks-info.py` runbook to retrieve AKS namespace details and update DEV schemas configuration

- Introduced a new runbook `aks-info.py` for fetching namespace details, resource quotas, pod counts, and deployment status in AKS.
- Updated `schemas.json.tpl` to include the `aks-info-dev` runbook entry.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Refactor `aks-info.py` to improve command execution with `run_kubectl` helper and enhance error handling and logging.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Remove unnecessary print statements and unused namespace information parsing in `aks-info.py`.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Remove unused resource quota handling in `aks-info.py`.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Add return statement in `aks-info.py` to indicate successful execution.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* wip

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Update `aks-deployments-rollout.sh` and DEV schemas

- Add fallback for deployment name and monitor condition check in `aks-deployments-rollout.sh`.
- Introduce `restart-pod` runbook entry in DEV `schemas.json.tpl`.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* Introduce ClouDO container configuration variables

- Add `cloudo_orchestrator` and `cloudo_worker` variables for container image and registry configuration.
- Replace hardcoded values with variable references in Terraform definitions.
- Update `terraform.tfvars`, `01_cloudo.tf`, and `99_variables.tf` accordingly.

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Update schemas and dependencies for ClouDO deployment adjustments.

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* wip

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Update ClouDO configuration with UI parameters, network data sources, and Terraform dependencies adjustments.

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Remove unused App Service configuration parameters in ClouDO module.

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Update ClouDO module reference, remove unused UI tier, and add approval runbook configuration.

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Add AKS pod crash analysis runbook, enable ClouDO UI, and update network data sources.

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Add AKS runbooks for event retrieval, node status checks, pod logs, pod restarts, and enhance existing scripts with error handling.

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Add AKS runbook to check pod CPU and Memory usage with threshold validations.

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Enhance AKS resource usage runbook with fallback for missing metrics-server, detailed resource requests/limits, and improved validations.

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Add runbooks for Azure Application Gateway health, Storage Account checks, and VPN Gateway connection status

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Update Azure Application Gateway health runbook to support positional parameters for resource group and gateway name

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Replace AKS namespace info script with FDR-specific health check runbook to consolidate Pod status, log checks, and mitigation via PostgreSQL cache restart.

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Enhance AKS runbooks with CPU/memory unit parsing functions for consistent resource conversion and fix node status output formatting.

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Refactor AKS resource usage runbook to replace `bc` dependency with `awk` for CPU/memory unit conversion, improving portability and efficiency.

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Enhance AKS resource usage runbook to support filtering by specific pod, improve error messaging, and refine CPU/memory usage handling.

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Update ClouDO module references, refine Slack channel naming, add Google SSO integration, and improve schema structure/clarity. Upgrade dependencies (Terraform provider, SOPs).

Signed-off-by: ffppa <fabio.felici@pagopa.it>

* Update ClouDO module reference to latest commit hash

Signed-off-by: ffppa <fabio.felici@pagopa.it>

---------

Signed-off-by: Fabio Felici <fabio.felici@pagopa.it>
Signed-off-by: ffppa <fabio.felici@pagopa.it>

Author: ffppa

src/cloudo/.terraform.lock.hcl

@@ -0,0 +1,44 @@
+
+data "azurerm_key_vault" "key_vault" {
+  name                = "${local.product}-kv"
+  resource_group_name = "${local.product}-sec-rg"
+}
+
+data "azurerm_key_vault_secret" "github_pat" {
+  name         = "payments-cloud-github-bot-pat"
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "cloudo_slack_token" {
+  name         = "cloudo-slack-token"
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+
+}
+
+data "azurerm_key_vault_secret" "opsgenie_token" {
+  count        = var.env_short == "p" ? 1 : 0
+  name         = "opsgenie-webhook-token"
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+}
+
+
+data "azurerm_application_insights" "app_insight" {
+  name                = var.application_insisght_name
+  resource_group_name = var.application_insisght_resource_group_name
+}
+
+
+data "azurerm_kubernetes_cluster" "aks_weu" {
+  name                = "${local.product_region}-${var.env}-aks"
+  resource_group_name = "${local.product_region}-${var.env}-aks-rg"
+}
+
+data "azurerm_kubernetes_cluster" "aks_itn" {
+  name                = "${local.product_ita}-${var.env}-aks"
+  resource_group_name = "${local.product_ita}-${var.env}-aks-rg"
+}
+
+data "azurerm_virtual_network" "network_tools_vnet" {
+  name                = "${var.prefix}-${var.env_short}-${var.location_short_ita}-spoke-tools-vnet"
+  resource_group_name = "${var.prefix}-${var.env_short}-${var.location_short_ita}-network-hub-spoke-rg"
+}

src/cloudo/00_data.tf

@@ -0,0 +1,16 @@
+data "azurerm_subnet" "vpn_subnet" {
+  name                 = "GatewaySubnet"
+  resource_group_name  = "${local.product}-vnet-rg"
+  virtual_network_name = "${local.product}-vnet"
+}
+
+data "azurerm_private_dns_zone" "private_endpoint_dns_zone" {
+  name                = "privatelink.azurewebsites.net"
+  resource_group_name = "${local.product}-vnet-rg"
+}
+
+data "azurerm_subnet" "private_endpoint_snet" {
+  name                 = "${local.product}-common-private-endpoint-snet"
+  resource_group_name  = "${local.product}-vnet-rg"
+  virtual_network_name = "${local.product}-vnet"
+}

src/cloudo/01_networks.tf

@@ -0,0 +1,5 @@
+
+data "azurerm_key_vault_secret" "google_client_id" {
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+  name         = "cloudo-google-client-id"
+}

src/cloudo/01_secrets.tf

@@ -0,0 +1,5 @@
+module "tag_config" {
+  source      = "../tag_config"
+  domain      = "cloudo"
+  environment = var.env
+}

src/cloudo/01_tags.tf

@@ -0,0 +1,86 @@
+
+resource "azurerm_resource_group" "rg" {
+  name     = "${var.prefix}-${var.env_short}-${var.location_short_ita}-cloudo-rg"
+  location = var.location_ita
+
+  tags = module.tag_config.tags
+}
+
+module "cloudo" {
+  source = "git::https://github.com/pagopa/payments-ClouDO.git//src/core/iac?ref=47479c40b3161ff9348ae3f114ce19c7d4a8a7d9"
+
+  prefix                    = local.product
+  product_name              = var.prefix
+  env                       = var.env
+  location                  = var.location_ita
+  resource_group_name       = azurerm_resource_group.rg.name
+  application_insights_name = data.azurerm_application_insights.app_insight.name
+  application_insights_rg   = data.azurerm_application_insights.app_insight.resource_group_name
+  subscription_id           = data.azurerm_subscription.current.subscription_id
+  vnet_name                 = data.azurerm_virtual_network.network_tools_vnet.name
+  vnet_rg                   = data.azurerm_virtual_network.network_tools_vnet.resource_group_name
+
+  vpn_subnet_id                  = data.azurerm_subnet.vpn_subnet.id
+  private_endpoint_dns_zone_name = data.azurerm_private_dns_zone.private_endpoint_dns_zone.name
+
+  cloudo_google_sso_integration_client_id = data.azurerm_key_vault_secret.google_client_id.value
+
+  github_repo_info = {
+    repo_name    = "pagopa/pagopa-infra"
+    repo_branch  = "main"
+    runbook_path = "src/cloudo/runbooks"
+  }
+
+  aks_integration = {
+    weu = {
+      cluster_id = data.azurerm_kubernetes_cluster.aks_weu.id
+    },
+    itn = {
+      cluster_id = data.azurerm_kubernetes_cluster.aks_itn.id
+    }
+  }
+
+  approval_runbook = {
+    ttl_min = "120"
+  }
+
+  slack_integration = {
+    channel = "#cloudo-${var.prefix}-${var.env}"
+    token   = data.azurerm_key_vault_secret.cloudo_slack_token.value
+  }
+
+  opsgenie_api_key = var.env_short == "p" ? data.azurerm_key_vault_secret.opsgenie_token.0.value : ""
+
+  schemas = file("${path.module}/env/${var.env}/schemas.json.tpl")
+
+  orchestrator_image = {
+    image_name        = var.cloudo_orchestrator.image_name
+    image_tag         = var.cloudo_orchestrator.image_tag
+    registry_url      = var.cloudo_orchestrator.registry_url
+    registry_username = var.cloudo_orchestrator.registry_username
+    registry_password = data.azurerm_key_vault_secret.github_pat.value
+  }
+
+  workers_config = {
+    workers = {
+      "generic-worker" = "generic"
+    }
+    image_name        = var.cloudo_worker.image_name
+    image_tag         = var.cloudo_worker.image_tag
+    registry_url      = var.cloudo_worker.registry_url
+    registry_username = var.cloudo_worker.registry_username
+    registry_password = data.azurerm_key_vault_secret.github_pat.value
+  }
+
+  enable_ui = true
+  ui_image = {
+    image_name        = var.cloudo_ui.image_name
+    image_tag         = var.cloudo_ui.image_tag
+    registry_url      = var.cloudo_ui.registry_url
+    registry_username = var.cloudo_ui.registry_username
+    registry_password = data.azurerm_key_vault_secret.github_pat.value
+  }
+
+  tags = module.tag_config.tags
+}
+

src/cloudo/02_cloudo.tf

@@ -0,0 +1,6 @@
+
+locals {
+  product        = "${var.prefix}-${var.env_short}"
+  product_region = "${var.prefix}-${var.env_short}-${var.location_short}"
+  product_ita    = "${var.prefix}-${var.env_short}-${var.location_short_ita}"
+}

src/cloudo/99_locals.tf

@@ -0,0 +1,24 @@
+terraform {
+  required_version = ">= 1.9.0"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 4"
+    }
+  }
+  backend "azurerm" {}
+}
+
+provider "azurerm" {
+  features {
+    key_vault {
+      purge_soft_delete_on_destroy = false
+    }
+    resource_group {
+      prevent_deletion_if_contains_resources = false
+    }
+  }
+}
+
+data "azurerm_subscription" "current" {}

src/cloudo/99_main.tf

@@ -0,0 +1,108 @@
+variable "prefix" {
+  type = string
+  validation {
+    condition = (
+      length(var.prefix) <= 6
+    )
+    error_message = "Max length is 6 chars."
+  }
+}
+
+variable "env" {
+  type = string
+}
+
+variable "env_short" {
+  type = string
+  validation {
+    condition = (
+      length(var.env_short) == 1
+    )
+    error_message = "Length must be 1 chars."
+  }
+}
+
+#
+# location
+#
+variable "location" {
+  type        = string
+  description = "One of westeurope, northeurope"
+}
+
+variable "location_short" {
+  type = string
+  validation {
+    condition = (
+      length(var.location_short) == 3
+    )
+    error_message = "Length must be 3 chars."
+  }
+  description = "One of wue, neu"
+}
+
+### Italy location
+variable "location_ita" {
+  type        = string
+  description = "Main location"
+  default     = "italynorth"
+}
+
+variable "location_short_ita" {
+  type = string
+  validation {
+    condition = (
+      length(var.location_short_ita) == 3
+    )
+    error_message = "Length must be 3 chars."
+  }
+  description = "Location short for italy: itn"
+  default     = "itn"
+}
+
+
+variable "application_insisght_name" {
+  type        = string
+  description = "The name of the Application Insights resource for monitoring and alerting"
+}
+
+variable "application_insisght_resource_group_name" {
+  type        = string
+  description = "The name of the resource group where the Application Insights resource is located"
+}
+
+###################
+### ClouDO Vars ###
+###################
+variable "cloudo_orchestrator" {
+  type = object({
+    image_name        = optional(string, "pagopa/cloudo-orchestrator")
+    image_tag         = optional(string, "0.0.0")
+    registry_url      = optional(string, "https://ghcr.io")
+    registry_username = optional(string)
+    registry_password = optional(string)
+  })
+  description = "Configuration for the ClouDO orchestrator container, including container image details and registry authentication."
+}
+
+variable "cloudo_ui" {
+  type = object({
+    image_name        = optional(string, "pagopa/cloudo-ui")
+    image_tag         = optional(string, "0.0.0")
+    registry_url      = optional(string, "https://ghcr.io")
+    registry_username = optional(string)
+    registry_password = optional(string)
+  })
+  description = "Configuration for the ClouDO UI App Service, including container image details and registry authentication."
+}
+
+variable "cloudo_worker" {
+  type = object({
+    image_name        = optional(string, "pagopa/cloudo-worker")
+    image_tag         = optional(string, "0.0.0")
+    registry_url      = optional(string, "https://ghcr.io")
+    registry_username = optional(string)
+    registry_password = optional(string)
+  })
+  description = "Configuration for the ClouDO worker container, including container image details and registry authentication."
+}