From 016a5da1a3a21ca82fdc3667f034fd72e9f7ce03 Mon Sep 17 00:00:00 2001 From: anttorre Date: Thu, 28 Oct 2021 20:08:28 +0200 Subject: [PATCH 1/6] private blobstorage to store party contracts --- src/core/storage.tf | 53 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 src/core/storage.tf diff --git a/src/core/storage.tf b/src/core/storage.tf new file mode 100644 index 000000000..e73501f67 --- /dev/null +++ b/src/core/storage.tf @@ -0,0 +1,53 @@ +resource "azurerm_resource_group" "rg_storage" { + name = format("%s-storage-rg", local.project) + location = var.location + tags = var.tags +} + +## Storage account to save blob +module "selc-blob-storage" { + source = "git::https://github.com/pagopa/azurerm.git//storage_account?ref=v1.0.60" + + name = replace(format("%s-blobstorage", local.project), "-", "") + account_kind = "StorageV2" + account_tier = "Standard" + account_replication_type = "LRS" + access_tier = "Hot" + enable_versioning = false + resource_group_name = azurerm_resource_group.rg_storage.name + location = var.location + advanced_threat_protection = false + allow_blob_public_access = false + + network_rules = { + default_action = "Deny" + ip_rules = [] + bypass = [ + "Logging", + "Metrics", + "AzureServices", + ] + virtual_network_subnet_ids = [ + module.apim_snet.id, + module.k8s_snet.id + ] + } + + tags = var.tags +} + +# Container parties contracts +resource "azurerm_storage_container" "selc-contracts" { + name = format("%s-contracts-blob", local.project) + storage_account_name = module.selc-blob-storage.name + container_access_type = "blob" +} + +#tfsec:ignore:AZU023 +resource "azurerm_key_vault_secret" "cstar_blobstorage_key" { + name = "blobstorage-access-key" + value = module.selc-blob-storage.primary_access_key + content_type = "text/plain" + + key_vault_id = module.key_vault.id +} From 5b8b3c45243b211f7c88f54aa06977d8c30c4e92 Mon Sep 17 00:00:00 2001 
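Review bot: The `azurerm_key_vault_secret` at the end of this hunk copies the storage account's `primary_access_key` into Key Vault with no `expiration_date`, and the `#tfsec:ignore:AZU023` above it silences the finding (which looks like the secret-expiry check, since `content_type` is already set) without recording why; the same pattern is repeated in `storage_contracts.tf` in PATCH 5/6. An account key grants full control over every container in the account, so the suppression should carry a reason and a rotation plan inline, e.g. `#tfsec:ignore:AZU023 -- account key required by <consumer placeholder>; rotated per <process placeholder>`, or better, set `expiration_date` and rotate the key on that schedule. Where the consumer supports it, granting a managed identity Azure AD RBAC on the container avoids distributing the account key at all.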
From: anttorre Date: Thu, 28 Oct 2021 20:18:12 +0200 Subject: [PATCH 2/6] using last azurerm version for new storage account --- src/core/storage.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/storage.tf b/src/core/storage.tf index e73501f67..800a96a9d 100644 --- a/src/core/storage.tf +++ b/src/core/storage.tf @@ -6,7 +6,7 @@ resource "azurerm_resource_group" "rg_storage" { ## Storage account to save blob module "selc-blob-storage" { - source = "git::https://github.com/pagopa/azurerm.git//storage_account?ref=v1.0.60" + source = "git::https://github.com/pagopa/azurerm.git//storage_account?ref=v1.0.79" name = replace(format("%s-blobstorage", local.project), "-", "") account_kind = "StorageV2" From b63048051222597cd0fdecf82581a6d546c6933a Mon Sep 17 00:00:00 2001 From: anttorre Date: Fri, 29 Oct 2021 09:31:30 +0200 Subject: [PATCH 3/6] fixed cstar reference --- src/core/storage.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/storage.tf b/src/core/storage.tf index 800a96a9d..d24e3d065 100644 --- a/src/core/storage.tf +++ b/src/core/storage.tf @@ -44,7 +44,7 @@ resource "azurerm_storage_container" "selc-contracts" { } #tfsec:ignore:AZU023 -resource "azurerm_key_vault_secret" "cstar_blobstorage_key" { +resource "azurerm_key_vault_secret" "selc_blobstorage_key" { name = "blobstorage-access-key" value = module.selc-blob-storage.primary_access_key content_type = "text/plain" From 6e9d598bc020f986ac85780cfdd2ceaa575fa547 Mon Sep 17 00:00:00 2001 From: anttorre Date: Fri, 29 Oct 2021 13:13:43 +0200 Subject: [PATCH 4/6] removed network rules --- src/core/storage.tf | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/src/core/storage.tf b/src/core/storage.tf index d24e3d065..147a0f041 100644 --- a/src/core/storage.tf +++ b/src/core/storage.tf 
@@ -5,6 +5,7 @@ resource "azurerm_resource_group" "rg_storage" { } ## Storage account to save blob +#tfsec:ignore:azure-storage-default-action-deny module "selc-blob-storage" { source = "git::https://github.com/pagopa/azurerm.git//storage_account?ref=v1.0.79" @@ -19,20 +20,6 @@ module "selc-blob-storage" { advanced_threat_protection = false allow_blob_public_access = false - network_rules = { - default_action = "Deny" - ip_rules = [] - bypass = [ - "Logging", - "Metrics", - "AzureServices", - ] - virtual_network_subnet_ids = [ - module.apim_snet.id, - module.k8s_snet.id - ] - } - tags = var.tags } @@ -40,7 +27,7 @@ module "selc-blob-storage" { resource "azurerm_storage_container" "selc-contracts" { name = format("%s-contracts-blob", local.project) storage_account_name = module.selc-blob-storage.name - container_access_type = "blob" + container_access_type = "private" } #tfsec:ignore:AZU023 From 421aee15dc8b7638947897721f38fdbc1ae480d8 Mon Sep 17 00:00:00 2001 From: anttorre Date: Tue, 2 Nov 2021 17:31:00 +0100 Subject: [PATCH 5/6] applied suggestion from PR --- src/core/dns_private.tf | 21 +++++++++ src/core/env/dev/terraform.tfvars | 1 + src/core/env/prod/terraform.tfvars | 4 ++ src/core/env/uat/terraform.tfvars | 1 + src/core/storage.tf | 40 ---------------- src/core/storage_contracts.tf | 74 ++++++++++++++++++++++++++++++ src/core/variables.tf | 13 ++++++ 7 files changed, 114 insertions(+), 40 deletions(-) delete mode 100644 src/core/storage.tf create mode 100644 src/core/storage_contracts.tf diff --git a/src/core/dns_private.tf b/src/core/dns_private.tf index 0d72cbf36..8d5d15145 100644 --- a/src/core/dns_private.tf +++ b/src/core/dns_private.tf @@ -1,3 +1,5 @@ +# cosmos + resource "azurerm_private_dns_zone" "privatelink_documents_azure_com" { name = "privatelink.documents.azure.com" resource_group_name = azurerm_resource_group.rg_vnet.name 
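Review bot: The `#tfsec:ignore:azure-storage-default-action-deny` added above `module "selc-blob-storage"` in the first hunk suppresses exactly the finding that the second hunk creates by deleting the `network_rules` block, and nothing records why an account holding party contracts must now accept connections from any network. A suppression like this should state its reason and expected lifetime next to it, e.g. `#tfsec:ignore:azure-storage-default-action-deny -- public endpoint left open until the private endpoint is provisioned (see <ticket placeholder>)`. The switch to `container_access_type = "private"` in the third hunk is the right call and should stay however the network question is settled.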
@@ -31,3 +33,22 @@ resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_mongo_cosm tags = var.tags } + +# contracts storage + +resource "azurerm_private_dns_zone" "privatelink_blob_core_windows_net" { + name = "privatelink.blob.core.windows.net" + resource_group_name = azurerm_resource_group.rg_vnet.name + + tags = var.tags +} + +resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_blob_core_windows_net_vnet" { + name = module.vnet.name + resource_group_name = azurerm_resource_group.rg_vnet.name + private_dns_zone_name = azurerm_private_dns_zone.privatelink_blob_core_windows_net.name + virtual_network_id = module.vnet.id + registration_enabled = false + + tags = var.tags +} \ No newline at end of file diff --git a/src/core/env/dev/terraform.tfvars b/src/core/env/dev/terraform.tfvars index 3017cb74e..e2f226465 100644 --- a/src/core/env/dev/terraform.tfvars +++ b/src/core/env/dev/terraform.tfvars @@ -23,6 +23,7 @@ cidr_subnet_vpn = ["10.1.133.0/24"] cidr_subnet_dnsforwarder = ["10.1.134.0/29"] cidr_subnet_cosmosdb_mongodb = ["10.1.135.0/24"] cidr_subnet_apim = ["10.1.136.0/24"] +cidr_subnet_contract_storage = ["10.1.137.0/24"] # dns external_domain = "pagopa.it" diff --git a/src/core/env/prod/terraform.tfvars b/src/core/env/prod/terraform.tfvars index ac53414eb..4317cc56b 100644 --- a/src/core/env/prod/terraform.tfvars +++ b/src/core/env/prod/terraform.tfvars @@ -23,6 +23,7 @@ cidr_subnet_vpn = ["10.1.133.0/24"] cidr_subnet_dnsforwarder = ["10.1.134.0/29"] cidr_subnet_cosmosdb_mongodb = ["10.1.135.0/24"] cidr_subnet_apim = ["10.1.136.0/24"] +cidr_subnet_contract_storage = ["10.1.137.0/24"] # dns external_domain = "pagopa.it" @@ -80,3 +81,6 @@ postgres_configuration = { log_checkpoints = "on" connection_throttling = "on" } + +# contracts storage +contracts_delete_retention_days = 7 // TODO \ No newline at end of file diff --git a/src/core/env/uat/terraform.tfvars b/src/core/env/uat/terraform.tfvars index 1244d8097..96e4dc955 100644 
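Review bot: `contracts_delete_retention_days = 7 // TODO` in the prod tfvars hunk marks the production soft-delete window as unfinished without saying what is undecided, and the file otherwise uses `#` for comments (`# dns`, `# contracts storage`). Replace it with a comment that names the open question, e.g. `contracts_delete_retention_days = 7 # TODO: confirm required retention for deleted contracts with the data owner`. Note that the variable's default in variables.tf is 1, so dev and uat keep deleted contracts for only one day; if that is intentional it is worth stating in the variable description.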
--- a/src/core/env/uat/terraform.tfvars +++ b/src/core/env/uat/terraform.tfvars @@ -23,6 +23,7 @@ cidr_subnet_vpn = ["10.1.133.0/24"] cidr_subnet_dnsforwarder = ["10.1.134.0/29"] cidr_subnet_cosmosdb_mongodb = ["10.1.135.0/24"] cidr_subnet_apim = ["10.1.136.0/24"] +cidr_subnet_contract_storage = ["10.1.137.0/24"] # dns diff --git a/src/core/storage.tf b/src/core/storage.tf deleted file mode 100644 index 147a0f041..000000000 --- a/src/core/storage.tf +++ /dev/null @@ -1,40 +0,0 @@ -resource "azurerm_resource_group" "rg_storage" { - name = format("%s-storage-rg", local.project) - location = var.location - tags = var.tags -} - -## Storage account to save blob -#tfsec:ignore:azure-storage-default-action-deny -module "selc-blob-storage" { - source = "git::https://github.com/pagopa/azurerm.git//storage_account?ref=v1.0.79" - - name = replace(format("%s-blobstorage", local.project), "-", "") - account_kind = "StorageV2" - account_tier = "Standard" - account_replication_type = "LRS" - access_tier = "Hot" - enable_versioning = false - resource_group_name = azurerm_resource_group.rg_storage.name - location = var.location - advanced_threat_protection = false - allow_blob_public_access = false - - tags = var.tags -} - -# Container parties contracts -resource "azurerm_storage_container" "selc-contracts" { - name = format("%s-contracts-blob", local.project) - storage_account_name = module.selc-blob-storage.name - container_access_type = "private" -} - -#tfsec:ignore:AZU023 -resource "azurerm_key_vault_secret" "selc_blobstorage_key" { - name = "blobstorage-access-key" - value = module.selc-blob-storage.primary_access_key - content_type = "text/plain" - - key_vault_id = module.key_vault.id -} diff --git a/src/core/storage_contracts.tf b/src/core/storage_contracts.tf new file mode 100644 index 000000000..d7cfd1b92 --- /dev/null +++ b/src/core/storage_contracts.tf 
@@ -0,0 +1,74 @@ +## Storage account to save contracts + +resource "azurerm_resource_group" "rg_contracts_storage" { + name = format("%s-contracts-storage-rg", local.project) + location = var.location + tags = var.tags +} + +#tfsec:ignore:azure-storage-default-action-deny +module "selc-contracts-storage" { + source = "git::https://github.com/pagopa/azurerm.git//storage_account?ref=v1.0.79" + + name = replace(format("%s-contracts-storage", local.project), "-", "") + account_kind = "StorageV2" + account_tier = "Standard" + account_replication_type = var.env_short == "p" ? "RA-GZRS" : "LRS" + access_tier = "Hot" + enable_versioning = var.env_short == "p" ? true : false + resource_group_name = azurerm_resource_group.rg_contracts_storage.name + location = var.location + advanced_threat_protection = var.env_short == "p" ? true : false + allow_blob_public_access = false + + blob_properties_delete_retention_policy_days = var.contracts_delete_retention_days + + tags = var.tags +} + +#tfsec:ignore:AZU023 +resource "azurerm_key_vault_secret" "selc_contracts_storage_access_key" { + name = "contracts-storage-access-key" + value = module.selc-contracts-storage.primary_access_key + content_type = "text/plain" + + key_vault_id = module.key_vault.id +} + +resource "azurerm_storage_container" "selc-contracts-container" { + name = format("%s-contracts-blob", local.project) + storage_account_name = module.selc-contracts-storage.name + container_access_type = "private" +} + +module "contracts_storage_snet" { + source = "git::https://github.com/pagopa/azurerm.git//subnet?ref=v1.0.60" + name = format("%s-contracts-storage-snet", local.project) + address_prefixes = var.cidr_subnet_contract_storage + resource_group_name = azurerm_resource_group.rg_vnet.name + virtual_network_name = module.vnet.name + enforce_private_link_endpoint_network_policies = true + + service_endpoints = [ + "Microsoft.Storage", + ] +} + +resource "azurerm_private_endpoint" "contracts_storage" { + name = 
format("%s-contracts_storage", local.project) + location = var.location + resource_group_name = azurerm_resource_group.rg_contracts_storage.name + subnet_id = module.contracts_storage_snet.id + + private_service_connection { + name = format("%s-contracts_storage-private-endpoint", local.project) + private_connection_resource_id = module.selc-contracts-storage.id + is_manual_connection = false + subresource_names = ["Blob"] + } + + private_dns_zone_group { + name = "private-dns-zone-group" + private_dns_zone_ids = [azurerm_private_dns_zone.privatelink_blob_core_windows_net.id] + } +} diff --git a/src/core/variables.tf b/src/core/variables.tf index 8373c764a..7d107159e 100644 --- a/src/core/variables.tf +++ b/src/core/variables.tf @@ -410,6 +410,11 @@ variable "cidr_subnet_postgres" { description = "Database network address space." } +variable "cidr_subnet_contract_storage" { + type = list(string) + description = "Contracts storage address space." +} + # DNS variable "dns_default_ttl_sec" { type = number @@ -725,3 +730,11 @@ variable "enable_spid_test" { description = "to provision italia/spid-testenv2:1.1.0" default = false } + +# contracts storage +variable "contracts_delete_retention_days" { + type = number + description = "Number of days to retain deleted contracts" + default = 1 +} + From e13d00e3bc6790dcfce8eeed74983ac7ca18a968 Mon Sep 17 00:00:00 2001 From: anttorre Date: Thu, 4 Nov 2021 11:49:01 +0100 Subject: [PATCH 6/6] using variable to set env specific configuration --- src/core/env/prod/terraform.tfvars | 5 ++++- src/core/storage_contracts.tf | 6 +++--- src/core/variables.tf | 18 ++++++++++++++++++ 3 files changed, 25 insertions(+), 4 deletions(-) diff --git a/src/core/env/prod/terraform.tfvars b/src/core/env/prod/terraform.tfvars index 4317cc56b..d2ba7e75c 100644 --- a/src/core/env/prod/terraform.tfvars +++ b/src/core/env/prod/terraform.tfvars 
@@ -83,4 +83,7 @@ postgres_configuration = { } # contracts storage -contracts_delete_retention_days = 7 // TODO \ No newline at end of file +contracts_account_replication_type = "RA-GZRS" +contracts_delete_retention_days = 7 // TODO +contracts_enable_versioning = true +contracts_advanced_threat_protection = true \ No newline at end of file diff --git a/src/core/storage_contracts.tf b/src/core/storage_contracts.tf index d7cfd1b92..e7d69c491 100644 --- a/src/core/storage_contracts.tf +++ b/src/core/storage_contracts.tf @@ -13,12 +13,12 @@ module "selc-contracts-storage" { name = replace(format("%s-contracts-storage", local.project), "-", "") account_kind = "StorageV2" account_tier = "Standard" - account_replication_type = var.env_short == "p" ? "RA-GZRS" : "LRS" + account_replication_type = var.contracts_account_replication_type access_tier = "Hot" - enable_versioning = var.env_short == "p" ? true : false + enable_versioning = var.contracts_enable_versioning resource_group_name = azurerm_resource_group.rg_contracts_storage.name location = var.location - advanced_threat_protection = var.env_short == "p" ? true : false + advanced_threat_protection = var.contracts_advanced_threat_protection allow_blob_public_access = false blob_properties_delete_retention_policy_days = var.contracts_delete_retention_days diff --git a/src/core/variables.tf b/src/core/variables.tf index 11a8913c0..1cdd76709 100644 --- a/src/core/variables.tf +++ b/src/core/variables.tf 
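Review bot: `contracts_account_replication_type = "RA-GZRS"` in the prod tfvars hunk uses the documentation spelling of the SKU; as far as I know the azurerm provider's `account_replication_type` argument accepts `LRS`, `ZRS`, `GRS`, `RAGRS`, `GZRS` and `RAGZRS` (no hyphen), so unless the `storage_account` module translates the value this fails at plan or apply time on prod only, where dev and uat cannot catch it. Please verify with a prod `terraform plan` and, if confirmed, change the line to `contracts_account_replication_type = "RAGZRS"`. The `// TODO` on the retention line is carried over unchanged and still names no open question.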
@@ -750,9 +750,27 @@ variable "spa" { ] } # contracts storage +variable "contracts_account_replication_type" { + type = string + description = "Contracts replication type" + default = "LRS" +} + variable "contracts_delete_retention_days" { type = number description = "Number of days to retain deleted contracts" default = 1 } +variable "contracts_enable_versioning" { + type = bool + description = "Enable contract versioning" + default = false +} + +variable "contracts_advanced_threat_protection" { + type = bool + description = "Enable contract threat advanced protection" + default = false +} +
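Review bot: `variable "contracts_account_replication_type"` accepts any string, so a misspelled replication type (the prod tfvars in this series sets `"RA-GZRS"`) is rejected only by the provider, at plan time, in the one environment that sets it; a `validation` block on the variable (Terraform 0.13+, if this module already requires it) fails fast in every environment with a clear message. The description `Enable contract threat advanced protection` also reads oddly and should be `Enable Advanced Threat Protection on the contracts storage account`, and `Contracts replication type` would be clearer as `Replication type of the contracts storage account`.
```hcl
variable "contracts_account_replication_type" {
  type        = string
  description = "Replication type of the contracts storage account, in azurerm spelling (e.g. LRS, RAGZRS)"
  default     = "LRS"

  validation {
    condition     = contains(["LRS", "ZRS", "GRS", "RAGRS", "GZRS", "RAGZRS"], var.contracts_account_replication_type)
    error_message = "contracts_account_replication_type must be one of LRS, ZRS, GRS, RAGRS, GZRS, RAGZRS."
  }
}

# … unchanged: contracts_delete_retention_days, contracts_enable_versioning, contracts_advanced_threat_protection …
```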