pagopa · antonioT90 · Nov 4, 2021 · Oct 28, 2021 · Oct 28, 2021 · Oct 28, 2021
@@ -1,3 +1,5 @@
+# cosmos
+
 resource "azurerm_private_dns_zone" "privatelink_documents_azure_com" {
   name                = "privatelink.documents.azure.com"
   resource_group_name = azurerm_resource_group.rg_vnet.name
@@ -31,3 +33,22 @@ resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_mongo_cosm
 
   tags = var.tags
 }
+
+# contracts storage
+
+resource "azurerm_private_dns_zone" "privatelink_blob_core_windows_net" {
+  name                = "privatelink.blob.core.windows.net"
+  resource_group_name = azurerm_resource_group.rg_vnet.name
+
+  tags = var.tags
+}
+
+resource "azurerm_private_dns_zone_virtual_network_link" "privatelink_blob_core_windows_net_vnet" {
+  name                  = module.vnet.name
+  resource_group_name   = azurerm_resource_group.rg_vnet.name
+  private_dns_zone_name = azurerm_private_dns_zone.privatelink_blob_core_windows_net.name
+  virtual_network_id    = module.vnet.id
+  registration_enabled  = false
+
+  tags = var.tags
+}
@@ -23,6 +23,7 @@ cidr_subnet_vpn              = ["10.1.133.0/24"]
 cidr_subnet_dnsforwarder     = ["10.1.134.0/29"]
 cidr_subnet_cosmosdb_mongodb = ["10.1.135.0/24"]
 cidr_subnet_apim             = ["10.1.136.0/24"]
+cidr_subnet_contract_storage = ["10.1.137.0/24"]
 
 # dns
 external_domain = "pagopa.it"

@@ -23,6 +23,7 @@ cidr_subnet_vpn              = ["10.1.133.0/24"]
 cidr_subnet_dnsforwarder     = ["10.1.134.0/29"]
 cidr_subnet_cosmosdb_mongodb = ["10.1.135.0/24"]
 cidr_subnet_apim             = ["10.1.136.0/24"]
+cidr_subnet_contract_storage = ["10.1.137.0/24"]
 
 # dns
 external_domain = "pagopa.it"
@@ -80,3 +81,9 @@ postgres_configuration = {
   log_checkpoints             = "on"
   connection_throttling       = "on"
 }
+
+# contracts storage
+contracts_account_replication_type   = "RA-GZRS"
+contracts_delete_retention_days      = 7 // TODO
+contracts_enable_versioning          = true
+contracts_advanced_threat_protection = true
@@ -23,6 +23,7 @@ cidr_subnet_vpn              = ["10.1.133.0/24"]
 cidr_subnet_dnsforwarder     = ["10.1.134.0/29"]
 cidr_subnet_cosmosdb_mongodb = ["10.1.135.0/24"]
 cidr_subnet_apim             = ["10.1.136.0/24"]
+cidr_subnet_contract_storage = ["10.1.137.0/24"]
 
 
 # dns

@@ -0,0 +1,74 @@
+## Storage account to save contracts
+
+resource "azurerm_resource_group" "rg_contracts_storage" {
+  name     = format("%s-contracts-storage-rg", local.project)
+  location = var.location
+  tags     = var.tags
+}
+
+#tfsec:ignore:azure-storage-default-action-deny
+module "selc-contracts-storage" {
+  source = "git::https://github.com/pagopa/azurerm.git//storage_account?ref=v1.0.79"
+
+  name                       = replace(format("%s-contracts-storage", local.project), "-", "")
+  account_kind               = "StorageV2"
+  account_tier               = "Standard"
+  account_replication_type   = var.contracts_account_replication_type
+  access_tier                = "Hot"
+  enable_versioning          = var.contracts_enable_versioning
+  resource_group_name        = azurerm_resource_group.rg_contracts_storage.name
+  location                   = var.location
+  advanced_threat_protection = var.contracts_advanced_threat_protection
+  allow_blob_public_access   = false
+
+  blob_properties_delete_retention_policy_days = var.contracts_delete_retention_days
+
+  tags = var.tags
+}
+
+#tfsec:ignore:AZU023
+resource "azurerm_key_vault_secret" "selc_contracts_storage_access_key" {
+  name         = "contracts-storage-access-key"
+  value        = module.selc-contracts-storage.primary_access_key
+  content_type = "text/plain"
+
+  key_vault_id = module.key_vault.id
+}
+
+resource "azurerm_storage_container" "selc-contracts-container" {
+  name                  = format("%s-contracts-blob", local.project)
+  storage_account_name  = module.selc-contracts-storage.name
+  container_access_type = "private"
+}
+
+module "contracts_storage_snet" {
+  source                                         = "git::https://github.com/pagopa/azurerm.git//subnet?ref=v1.0.60"
+  name                                           = format("%s-contracts-storage-snet", local.project)
+  address_prefixes                               = var.cidr_subnet_contract_storage
+  resource_group_name                            = azurerm_resource_group.rg_vnet.name
+  virtual_network_name                           = module.vnet.name
+  enforce_private_link_endpoint_network_policies = true
+
+  service_endpoints = [
+    "Microsoft.Storage",
+  ]
+}
+
+resource "azurerm_private_endpoint" "contracts_storage" {
+  name                = format("%s-contracts_storage", local.project)
+  location            = var.location
+  resource_group_name = azurerm_resource_group.rg_contracts_storage.name
+  subnet_id           = module.contracts_storage_snet.id
+
+  private_service_connection {
+    name                           = format("%s-contracts_storage-private-endpoint", local.project)
+    private_connection_resource_id = module.selc-contracts-storage.id
+    is_manual_connection           = false
+    subresource_names              = ["Blob"]
+  }
+
+  private_dns_zone_group {
+    name = "private-dns-zone-group"
+    private_dns_zone_ids = [azurerm_private_dns_zone.privatelink_blob_core_windows_net.id]
+  }
+}
@@ -410,6 +410,11 @@ variable "cidr_subnet_postgres" {
   description = "Database network address space."
 }
 
+variable "cidr_subnet_contract_storage" {
+  type        = list(string)
+  description = "Contracts storage address space."
+}
+
 # DNS
 variable "dns_default_ttl_sec" {
   type        = number
@@ -743,4 +748,29 @@ variable "spa" {
     "onboarding",
     "dashboard"
   ]
-}
+}
+# contracts storage
+variable "contracts_account_replication_type" {
+  type        = string
+  description = "Contracts replication type"
+  default     = "LRS"
+}
+
+variable "contracts_delete_retention_days" {
+  type        = number
+  description = "Number of days to retain deleted contracts"
+  default     = 1
+}
+
+variable "contracts_enable_versioning" {
+  type        = bool
+  description = "Enable contract versioning"
+  default     = false
+}
+
+variable "contracts_advanced_threat_protection" {
+  type        = bool
+  description = "Enable contract threat advanced protection"
+  default     = false
+}
+