vpn review (#90)

Co-authored-by: pasqualedevita <>
pagopa · Dec 16, 2021 · 669328d · 669328d
1 parent b4405d1
commit 669328d
Show file tree

Hide file tree

Showing 9 changed files with 91 additions and 243 deletions.
diff --git a/src/core/dnsforwarder.tf b/src/core/dnsforwarder.tf
diff --git a/src/core/env/dev/terraform.tfvars b/src/core/env/dev/terraform.tfvars
@@ -20,7 +20,7 @@ cidr_subnet_postgres         = ["10.1.129.0/24"]
 cidr_subnet_azdoa            = ["10.1.130.0/24"]
 cidr_subnet_redis            = ["10.1.132.0/24"]
 cidr_subnet_vpn              = ["10.1.133.0/24"]
-cidr_subnet_dnsforwarder     = ["10.1.134.0/29"]
+cidr_subnet_dns_forwarder    = ["10.1.134.0/29"]
 cidr_subnet_cosmosdb_mongodb = ["10.1.135.0/24"]
 cidr_subnet_apim             = ["10.1.136.0/24"]
 cidr_subnet_contract_storage = ["10.1.137.0/24"]

diff --git a/src/core/env/prod/terraform.tfvars b/src/core/env/prod/terraform.tfvars
@@ -20,7 +20,7 @@ cidr_subnet_postgres         = ["10.1.129.0/24"]
 cidr_subnet_azdoa            = ["10.1.130.0/24"]
 cidr_subnet_redis            = ["10.1.132.0/24"]
 cidr_subnet_vpn              = ["10.1.133.0/24"]
-cidr_subnet_dnsforwarder     = ["10.1.134.0/29"]
+cidr_subnet_dns_forwarder    = ["10.1.134.0/29"]
 cidr_subnet_cosmosdb_mongodb = ["10.1.135.0/24"]
 cidr_subnet_apim             = ["10.1.136.0/24"]
 cidr_subnet_contract_storage = ["10.1.137.0/24"]

diff --git a/src/core/env/uat/terraform.tfvars b/src/core/env/uat/terraform.tfvars
@@ -20,7 +20,7 @@ cidr_subnet_postgres         = ["10.1.129.0/24"]
 cidr_subnet_azdoa            = ["10.1.130.0/24"]
 cidr_subnet_redis            = ["10.1.132.0/24"]
 cidr_subnet_vpn              = ["10.1.133.0/24"]
-cidr_subnet_dnsforwarder     = ["10.1.134.0/29"]
+cidr_subnet_dns_forwarder    = ["10.1.134.0/29"]
 cidr_subnet_cosmosdb_mongodb = ["10.1.135.0/24"]
 cidr_subnet_apim             = ["10.1.136.0/24"]
 cidr_subnet_contract_storage = ["10.1.137.0/24"]

diff --git a/src/core/network.tf b/src/core/network.tf
@@ -15,54 +15,3 @@ module "vnet" {
 
   tags = var.tags
 }
-
-
-## VPN subnet
-module "vpn_snet" {
-  source                                         = "git::https://github.com/pagopa/azurerm.git//subnet?ref=v1.0.58"
-  name                                           = "GatewaySubnet"
-  address_prefixes                               = var.cidr_subnet_vpn
-  resource_group_name                            = azurerm_resource_group.rg_vnet.name
-  virtual_network_name                           = module.vnet.name
-  service_endpoints                              = []
-  enforce_private_link_endpoint_network_policies = true
-}
-
-data "azuread_application" "vpn_app" {
-  display_name = format("%s-app-vpn", local.project)
-}
-
-module "vpn" {
-  source = "git::https://github.com/pagopa/azurerm.git//vpn_gateway?ref=v1.0.36"
-
-  depends_on = [
-    azurerm_log_analytics_workspace.log_analytics_workspace
-  ]
-
-  name                = format("%s-vpn", local.project)
-  location            = var.location
-  resource_group_name = azurerm_resource_group.rg_vnet.name
-  sku                 = var.vpn_sku
-  pip_sku             = var.vpn_pip_sku
-  subnet_id           = module.vpn_snet.id
-
-  # TODO uncomment when security team will allow this project
-  #log_analytics_workspace_id = var.env_short == "p" ? data.azurerm_key_vault_secret.sec_workspace_id[0].value : null
-  #log_storage_account_id     = var.env_short == "p" ? data.azurerm_key_vault_secret.sec_storage_id[0].value : null
-
-  vpn_client_configuration = [
-    {
-      address_space         = ["172.16.1.0/24"],
-      vpn_client_protocols  = ["OpenVPN"],
-      aad_audience          = data.azuread_application.vpn_app.application_id
-      aad_issuer            = format("https://sts.windows.net/%s/", data.azurerm_subscription.current.tenant_id)
-      aad_tenant            = format("https://login.microsoftonline.com/%s", data.azurerm_subscription.current.tenant_id)
-      radius_server_address = null
-      radius_server_secret  = null
-      revoked_certificate   = []
-      root_certificate      = []
-    }
-  ]
-
-  tags = var.tags
-}
diff --git a/src/core/variables.tf b/src/core/variables.tf
@@ -419,7 +419,7 @@ variable "cidr_subnet_vpn" {
   description = "VPN network address space."
 }
 
-variable "cidr_subnet_dnsforwarder" {
+variable "cidr_subnet_dns_forwarder" {
   type        = list(string)
   description = "DNS Forwarder network address space."
 }

diff --git a/src/core/vpn.tf b/src/core/vpn.tf
@@ -0,0 +1,73 @@
+## VPN subnet
+module "vpn_snet" {
+  source                                         = "git::https://github.com/pagopa/azurerm.git//subnet?ref=v1.0.58"
+  name                                           = "GatewaySubnet"
+  address_prefixes                               = var.cidr_subnet_vpn
+  resource_group_name                            = azurerm_resource_group.rg_vnet.name
+  virtual_network_name                           = module.vnet.name
+  service_endpoints                              = []
+  enforce_private_link_endpoint_network_policies = true
+}
+
+data "azuread_application" "vpn_app" {
+  display_name = format("%s-app-vpn", local.project)
+}
+
+module "vpn" {
+  source = "git::https://github.com/pagopa/azurerm.git//vpn_gateway?ref=v2.0.11"
+
+  name                = format("%s-vpn", local.project)
+  location            = var.location
+  resource_group_name = azurerm_resource_group.rg_vnet.name
+  sku                 = var.vpn_sku
+  pip_sku             = var.vpn_pip_sku
+  subnet_id           = module.vpn_snet.id
+
+  vpn_client_configuration = [
+    {
+      address_space         = ["172.16.1.0/24"],
+      vpn_client_protocols  = ["OpenVPN"],
+      aad_audience          = data.azuread_application.vpn_app.application_id
+      aad_issuer            = format("https://sts.windows.net/%s/", data.azurerm_subscription.current.tenant_id)
+      aad_tenant            = format("https://login.microsoftonline.com/%s", data.azurerm_subscription.current.tenant_id)
+      radius_server_address = null
+      radius_server_secret  = null
+      revoked_certificate   = []
+      root_certificate      = []
+    }
+  ]
+
+  # Security Logs
+  sec_log_analytics_workspace_id = var.env_short == "p" ? data.azurerm_key_vault_secret.sec_workspace_id[0].value : null
+  sec_storage_id                 = var.env_short == "p" ? data.azurerm_key_vault_secret.sec_storage_id[0].value : null
+
+  tags = var.tags
+}
+
+## DNS Forwarder
+module "dns_forwarder_snet" {
+  source                                         = "git::https://github.com/pagopa/azurerm.git//subnet?ref=v2.0.3"
+  name                                           = format("%s-dns-forwarder-snet", local.project)
+  address_prefixes                               = var.cidr_subnet_dns_forwarder
+  resource_group_name                            = azurerm_resource_group.rg_vnet.name
+  virtual_network_name                           = module.vnet.name
+  enforce_private_link_endpoint_network_policies = true
+
+  delegation = {
+    name = "delegation"
+    service_delegation = {
+      name    = "Microsoft.ContainerInstance/containerGroups"
+      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
+    }
+  }
+}
+
+module "dns_forwarder" {
+  source              = "git::https://github.com/pagopa/azurerm.git//dns_forwarder?ref=v2.0.8"
+  name                = format("%s-dns-forwarder", local.project)
+  location            = azurerm_resource_group.rg_vnet.location
+  resource_group_name = azurerm_resource_group.rg_vnet.name
+  subnet_id           = module.dns_forwarder_snet.id
+
+  tags = var.tags
+}
diff --git a/src/k8s/selc_configmaps.tf b/src/k8s/selc_configmaps.tf
@@ -180,9 +180,9 @@ resource "kubernetes_config_map" "uservice-party-process" {
     MAIL_TEMPLATE_PATH            = "contracts/template/mail/1.0.0.json"
     WELL_KNOWN_URL                = format("%s/.well-known/jwks.json", var.cdn_storage_url)
     # URL of the european List Of Trusted List see https://esignature.ec.europa.eu/efda/tl-browser/#/screen/tl/EU
-    EU_LIST_OF_TRUSTED_LISTS_URL  = "https://ec.europa.eu/tools/lotl/eu-lotl.xml"
+    EU_LIST_OF_TRUSTED_LISTS_URL = "https://ec.europa.eu/tools/lotl/eu-lotl.xml"
     # URL of the Official Journal URL where the EU trusted certificates are listed see https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.2019.276.01.0001.01.ENG
-    EU_OFFICIAL_JOURNAL_URL       = "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.2019.276.01.0001.01.ENG"
+    EU_OFFICIAL_JOURNAL_URL = "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.2019.276.01.0001.01.ENG"
     },
     var.configmaps_uservice-party-process
   )

diff --git a/src/k8s/selc_secrets.tf b/src/k8s/selc_secrets.tf
@@ -91,18 +91,18 @@ resource "kubernetes_secret" "mail" {
   }
 
   data = merge({
-            SMTP_HOST           = "smtps.pec.aruba.it"
-            SMTP_PORT           = 465
-            SMTP_USR            = module.key_vault_secrets_query.values["smtp-usr"].value
-            SMTP_PSW            = module.key_vault_secrets_query.values["smtp-psw"].value
-            MAIL_SENDER_ADDRESS = module.key_vault_secrets_query.values["smtp-usr"].value
-          },
-          var.env_short != "p"
-          ? {
-            DESTINATION_MAILS   = module.key_vault_secrets_query.values["smtp-usr"].value
-          }
-          : {}
-          )
+    SMTP_HOST           = "smtps.pec.aruba.it"
+    SMTP_PORT           = 465
+    SMTP_USR            = module.key_vault_secrets_query.values["smtp-usr"].value
+    SMTP_PSW            = module.key_vault_secrets_query.values["smtp-psw"].value
+    MAIL_SENDER_ADDRESS = module.key_vault_secrets_query.values["smtp-usr"].value
+    },
+    var.env_short != "p"
+    ? {
+      DESTINATION_MAILS = module.key_vault_secrets_query.values["smtp-usr"].value
+    }
+    : {}
+  )
 
   type = "Opaque"
 }