pagopa · antonioT90 · Oct 25, 2021 · Oct 15, 2021 · Oct 18, 2021 · Oct 19, 2021
@@ -48,3 +48,6 @@ aks_max_pods     = 100
 # CosmosDb MongoDb
 cosmosdb_mongodb_enable_serverless             = true
 cosmosdb_mongodb_public_network_access_enabled = true
+
+# spid-testenv
+enable_spid_test = true
@@ -0,0 +1,13 @@
+module "spid-test-env" {
+  source = "../modules/spid_testenv"
+
+  enable_spid_test = var.enable_spid_test
+
+  name              = format("%s-spid-testenv", local.project)
+  location          = var.location
+  subscription_name = data.azurerm_subscription.current.display_name
+
+  hub_spid_login_metadata_url = format("https://api.%s.%s/hubspidloginms/metadata", var.dns_zone_prefix, var.external_domain)
+
+  tags = var.tags
+}
@@ -553,3 +553,10 @@ variable "cosmosdb_mongodb_max_throughput" {
   description = "The maximum throughput of the MongoDB database (RU/s). Must be between 4,000 and 1,000,000. Must be set in increments of 1,000. Conflicts with throughput"
   default     = 4000
 }
+
+# spid-testenv
+variable "enable_spid_test" {
+  type        = bool
+  description = "to provision italia/spid-testenv2:1.1.0"
+  default     = false
+}
@@ -0,0 +1,22 @@
+aks_private_fqdn=selc-d-aks-ac177aef.b6aa1c51-596c-47ea-8b2b-01ca33d73e21.privatelink.westeurope.azmk8s.io
+kube_config_path=~/.kube/config-selc-d-aks
+aks_private_fqdn=selc-d-aks-ac177aef.b6aa1c51-596c-47ea-8b2b-01ca33d73e21.privatelink.westeurope.azmk8s.io
+kube_config_path=~/.kube/config-selc-d-aks
+aks_private_fqdn=selc-d-aks-ac177aef.b6aa1c51-596c-47ea-8b2b-01ca33d73e21.privatelink.westeurope.azmk8s.io
+kube_config_path=~/.kube/config-selc-d-aks
+aks_private_fqdn=selc-d-aks-ac177aef.b6aa1c51-596c-47ea-8b2b-01ca33d73e21.privatelink.westeurope.azmk8s.io
+kube_config_path=~/.kube/config-selc-d-aks
+aks_private_fqdn=selc-d-aks-ac177aef.b6aa1c51-596c-47ea-8b2b-01ca33d73e21.privatelink.westeurope.azmk8s.io
+kube_config_path=~/.kube/config-selc-d-aks
+aks_private_fqdn=selc-d-aks-ac177aef.b6aa1c51-596c-47ea-8b2b-01ca33d73e21.privatelink.westeurope.azmk8s.io
+kube_config_path=~/.kube/config-selc-d-aks
+aks_private_fqdn=selc-d-aks-ac177aef.b6aa1c51-596c-47ea-8b2b-01ca33d73e21.privatelink.westeurope.azmk8s.io
+kube_config_path=~/.kube/config-selc-d-aks
+aks_private_fqdn=selc-d-aks-ac177aef.b6aa1c51-596c-47ea-8b2b-01ca33d73e21.privatelink.westeurope.azmk8s.io
+kube_config_path=~/.kube/config-selc-d-aks
+aks_private_fqdn=selc-d-aks-ac177aef.b6aa1c51-596c-47ea-8b2b-01ca33d73e21.privatelink.westeurope.azmk8s.io
+kube_config_path=~/.kube/config-selc-d-aks
+aks_private_fqdn=selc-d-aks-ac177aef.b6aa1c51-596c-47ea-8b2b-01ca33d73e21.privatelink.westeurope.azmk8s.io
+kube_config_path=~/.kube/config-selc-d-aks
+aks_private_fqdn=selc-d-aks-ac177aef.b6aa1c51-596c-47ea-8b2b-01ca33d73e21.privatelink.westeurope.azmk8s.io
+kube_config_path=~/.kube/config-selc-d-aks
@@ -0,0 +1,9 @@
+output "container_id" {
+  description = "The id of the spid_testenv container."
+  value       = var.enable_spid_test? azurerm_container_group.spid_testenv[0].id : null
+}
+
+output "spid_testenv_url" {
+  description = "The id of the spid_testenv container."
+  value       = var.enable_spid_test? azurerm_container_group.spid_testenv[0].fqdn : null
+}
@@ -0,0 +1,161 @@
+resource "azurerm_resource_group" "rg_spid_testenv" {
+  count    = var.enable_spid_test ? 1 : 0
+  name     = format("%s-rg", var.name)
+  location = var.location
+
+  tags = var.tags
+}
+
+# tfsec:ignore:azure-storage-default-action-deny
+resource "azurerm_storage_account" "spid_testenv_storage_account" {
+  count                     = var.enable_spid_test ? 1 : 0
+  name                      = replace(format("%s-sa-st", var.name), "-", "")
+  resource_group_name       = azurerm_resource_group.rg_spid_testenv[0].name
+  location                  = var.location
+  enable_https_traffic_only = true
+  min_tls_version           = "TLS1_2"
+  account_tier              = "Standard"
+
+  account_replication_type = "LRS"
+
+  tags = var.tags
+}
+
+resource "azurerm_storage_share" "spid_testenv_storage_share" {
+  count = var.enable_spid_test ? 1 : 0
+  name  = format("%s-share", var.name)
+
+  storage_account_name = azurerm_storage_account.spid_testenv_storage_account[0].name
+
+  quota = 1
+}
+
+resource "azurerm_storage_share" "spid_testenv_caddy_storage_share" {
+  count = var.enable_spid_test ? 1 : 0
+  name  = format("%s-caddy-share", var.name)
+
+  storage_account_name = azurerm_storage_account.spid_testenv_storage_account[0].name
+
+  quota = 1
+}
+
+resource "azurerm_container_group" "spid_testenv" {
+  count               = var.enable_spid_test ? 1 : 0
+  name                = var.name
+  location            = azurerm_resource_group.rg_spid_testenv[0].location
+  resource_group_name = azurerm_resource_group.rg_spid_testenv[0].name
+  ip_address_type     = "public"
+  dns_name_label      = var.name
+  os_type             = "Linux"
+
+  container {
+    name   = "spid-testenv2"
+    image  = "italia/spid-testenv2:1.1.0"
+    cpu    = "0.5"
+    memory = "0.5"
+
+    ports {
+      port     = 8088
+      protocol = "TCP"
+    }
+
+    environment_variables = {
+
+    }
+
+    readiness_probe {
+      http_get {
+        path   = "/"
+        port   = 8088
+        scheme = "Http"
+      }
+      initial_delay_seconds = 30
+      timeout_seconds       = 4
+    }
+
+    liveness_probe {
+      http_get {
+        path   = "/"
+        port   = 8088
+        scheme = "Http"
+      }
+      initial_delay_seconds = 900
+      timeout_seconds       = 4
+    }
+
+    volume {
+      mount_path = "/app/conf"
+      name       = "spid-testenv-conf"
+      read_only  = false
+      share_name = azurerm_storage_share.spid_testenv_storage_share[0].name
+
+      storage_account_key  = azurerm_storage_account.spid_testenv_storage_account[0].primary_access_key
+      storage_account_name = azurerm_storage_account.spid_testenv_storage_account[0].name
+    }
+
+  }
+
+  container {
+    name     = "caddy-ssl-server"
+    image    = "caddy:2"
+    cpu      = "0.5"
+    memory   = "0.5"
+    commands = ["caddy", "reverse-proxy", "--from", "${var.name}.${var.location}.azurecontainer.io", "--to", "localhost:8088"]
+
+    ports {
+      port     = 443
+      protocol = "TCP"
+    }
+
+    ports {
+      port     = 80
+      protocol = "TCP"
+    }
+
+    volume {
+      mount_path = "/data"
+      name       = "caddy-data"
+      read_only  = false
+      share_name = azurerm_storage_share.spid_testenv_caddy_storage_share[0].name
+
+      storage_account_key  = azurerm_storage_account.spid_testenv_storage_account[0].primary_access_key
+      storage_account_name = azurerm_storage_account.spid_testenv_storage_account[0].name
+    }
+  }
+
+  tags = var.tags
+}
+
+resource "local_file" "spid_testenv_config" {
+  count    = var.enable_spid_test ? 1 : 0
+  filename = "./spid_testenv_conf/config.yaml"
+  content = templatefile(
+    "${path.module}/spid_testenv_conf/config.yaml.tpl",
+    {
+      base_url                      = format("https://%s", trim(azurerm_container_group.spid_testenv[0].fqdn, "."))
+      service_provider_metadata_url = var.hub_spid_login_metadata_url
+  })
+}
+
+resource "null_resource" "upload_config_spid_testenv" {
+  count = var.enable_spid_test ? 1 : 0
+  triggers = {
+    "changes-in-config" : md5(local_file.spid_testenv_config[count.index].content)
+  }
+
+  provisioner "local-exec" {
+    command = <<EOT
+              az storage file upload \
+                --account-name ${azurerm_storage_account.spid_testenv_storage_account[0].name} \
+                --account-key ${azurerm_storage_account.spid_testenv_storage_account[0].primary_access_key} \
+                --share-name ${azurerm_storage_share.spid_testenv_storage_share[0].name} \
+                --source "./spid_testenv_conf/config.yaml" \
+                --path "config.yaml" && \
+              az login --service-principal --username $ARM_CLIENT_ID --password $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID && \
+              az account set -s ${var.subscription_name} && \
+              az container restart \
+                --name ${azurerm_container_group.spid_testenv[0].name} \
+                --resource-group  ${azurerm_resource_group.rg_spid_testenv[0].name}
+          EOT
+  }
+}
@@ -0,0 +1,57 @@
+---
+# Identity Provider (IdP)
+#########################
+
+# The base URL where spid-testenv2 is reachable at.
+base_url: "${base_url}"
+
+# Key and certificate used to sign SAML messages.
+key_file: "./conf/idp.key"
+cert_file: "./conf/idp.crt"
+
+# Service Providers
+###################
+
+# You can configure multiple Service Provider by specifying their XML metadata,
+# using different sources.
+metadata:
+  remote:
+    - "${service_provider_metadata_url}"
+
+
+# Application configuration
+###########################
+
+# Whether to enable debug mode. When enabled, the log will be more verbose.
+debug: true
+
+# Bind the webserver to the specified IP address (use 0.0.0.0 for all interfaces).
+host: "0.0.0.0"
+# Port the webserver listens on.
+port: 8088
+
+# Whether to enable HTTPS.
+https: false
+
+# The TLS key and certificate used for HTTPS, required if HTTPS is enabled.
+# https_key_file: "path/to/key"
+# https_cert_file: "path/to/cert"
+
+# File holding the identities of test users.
+# It will be automatically created if it doesn't exist.
+users_file: "conf/users.json"
+
+# PostgreSQL database holding the identities of test users.
+# If specified, it will override the "user_file" parameter.
+# The required tables will be automatically created if they don't exist.
+# users_db: 'postgresql+psycopg2://postgres:@localhost:5432/exampledb'
+
+# If enabled, allows to add new users from the UI.
+can_add_user: true
+
+# Whether to enable the UI to handle the data in the database.
+database_admin_interface: true
+
+# If enabled, allows the user to manipulate the response from the Identity Provider.
+# Useful to simulate errors in the response.
+show_response_options: true
@@ -0,0 +1,25 @@
+# General Variables
+variable "location" {
+  type = string
+}
+
+variable "name" {
+  type = string
+}
+
+variable "subscription_name" {
+  type = string
+}
+
+// spid-testenv specific variables
+variable "enable_spid_test" {
+  type = bool
+}
+
+variable "hub_spid_login_metadata_url" {
+  type = string
+}
+
+variable "tags" {
+  type = map(any)
+}