

Container app now uses user managed identity instead of system one.
antoniotarricone committed Oct 18, 2024
1 parent c0a0ffc commit 00d782e
Showing 19 changed files with 61 additions and 86 deletions.
15 changes: 3 additions & 12 deletions .github/workflows/deploy.yml
Expand Up @@ -64,19 +64,10 @@ jobs:
else
IMAGE="ghcr.io/pagopa/mil-auth:$IMAGE_TAG"
fi
echo "*** [$IMAGE] will be deployed."
if [[ "$ENVIRONMENT" == "prod-cd" ]]; then
ENV_FOLDER="prod"
elif [[ "$ENVIRONMENT" == "uat-cd" ]]; then
ENV_FOLDER="uat"
else
ENV_FOLDER="dev"
fi
echo "*** [$ENV_FOLDER] folder will be used."
echo "[$IMAGE] will be deployed."
echo "Terraform init..."
terraform init -backend-config="env/$ENV_FOLDER/backend.tfvars" -backend-config="use_oidc=true" -reconfigure
terraform init -backend-config="env/$ENVIRONMENT/backend.tfvars" -reconfigure
echo "Terraform apply..."
terraform apply -var-file="env/$ENV_FOLDER/terraform.tfvars" -var="mil_auth_image=$IMAGE" -auto-approve -lock-timeout=300s
terraform apply -var-file="env/$ENVIRONMENT/terraform.tfvars" -var="mil_auth_image=$IMAGE" -auto-approve -lock-timeout=300s
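Review bot: The new `terraform init` and `terraform apply` lines splice `$ENVIRONMENT` straight into the `env/$ENVIRONMENT/...` paths, and the removed prod/uat/dev mapping was the only thing that constrained that value to a known set. If `$ENVIRONMENT` is a fixed matrix value this is fine; if it can come from a workflow input, re-add an allow-list before the init, e.g. `case "$ENVIRONMENT" in prod-cd|uat-cd|<dev-value>) ;; *) echo "unsupported environment: $ENVIRONMENT" >&2; exit 1 ;; esac`. The init line also drops `-backend-config="use_oidc=true"`; that is only equivalent if `env/$ENVIRONMENT/backend.tfvars` or `ARM_USE_OIDC` now supplies it, otherwise backend authentication silently falls back to another method, so a comment on that line saying where OIDC is configured now would help. The run step this belongs to starts above the hunk.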
Expand Up @@ -118,6 +118,11 @@ resource "azurerm_container_app" "auth" {
name = "mongodb.connection-string-2"
secret_name = "cosmosdb-account-mil-secondary-mongodb-connection-string"
}

env {
name = "IDENTITY_CLIENT_ID"
secret_name = "identity-client-id"
}
}

max_replicas = var.mil_auth_max_replicas
Expand All @@ -127,35 +132,41 @@ resource "azurerm_container_app" "auth" {
secret {
name = "cosmosdb-account-mil-primary-mongodb-connection-string"
key_vault_secret_id = "${data.azurerm_key_vault.general.vault_uri}secrets/cosmosdb-account-mil-primary-mongodb-connection-string"
identity = "System"
identity = data.azurerm_user_assigned_identity.auth.id
}

secret {
name = "cosmosdb-account-mil-secondary-mongodb-connection-string"
key_vault_secret_id = "${data.azurerm_key_vault.general.vault_uri}secrets/cosmosdb-account-mil-secondary-mongodb-connection-string"
identity = "System"
identity = data.azurerm_user_assigned_identity.auth.id
}

secret {
name = "storage-account-auth-primary-blob-endpoint"
key_vault_secret_id = "${data.azurerm_key_vault.general.vault_uri}secrets/storage-account-auth-primary-blob-endpoint"
identity = "System"
identity = data.azurerm_user_assigned_identity.auth.id
}

secret {
name = "key-vault-auth-vault-uri"
key_vault_secret_id = "${data.azurerm_key_vault.general.vault_uri}secrets/key-vault-auth-vault-uri"
identity = "System"
identity = data.azurerm_user_assigned_identity.auth.id
}

secret {
name = "application-insigths-mil-connection-string"
key_vault_secret_id = "${data.azurerm_key_vault.general.vault_uri}secrets/application-insigths-mil-connection-string"
identity = "System"
identity = data.azurerm_user_assigned_identity.auth.id
}

secret {
name = "identity-client-id"
value = "${data.azurerm_user_assigned_identity.auth.client_id}"
}

identity {
type = "SystemAssigned"
type = "UserAssigned"
identity_ids = [data.azurerm_user_assigned_identity.auth.id]
}

ingress {
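Review bot: Every `key_vault_secret_id` reference now resolves through `data.azurerm_user_assigned_identity.auth.id`, but the identity is only read here and the commit deletes `resource_role_assignment.tf`, so nothing in this module grants that identity secret-read access on `data.azurerm_key_vault.general` (or whatever it needs on the auth key vault and storage account). If those role assignments live where the identity is created, say so on the `identity` block, e.g. `# Roles for this identity (Key Vault secrets, storage) are assigned where the identity is provisioned.`; otherwise the plan succeeds and the revision fails at secret resolution. Separately, the new `identity-client-id` secret only carries a client ID, which is not sensitive, so `env { name = "IDENTITY_CLIENT_ID" value = data.azurerm_user_assigned_identity.auth.client_id }` would avoid creating a secret for it, and the `"${...}"` wrapper on the `value` line can be dropped. The `azurerm_container_app` resource begins above the hunk and the `ingress` block continues below it.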
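--- a/src/main/terraform/data.tf
+++ b/src/main/terraform/data.tf
@@ -0,0 +1,39 @@
+# ------------------------------------------------------------------------------
+# Container Apps Environment.
+# ------------------------------------------------------------------------------
+data "azurerm_container_app_environment" "mil" {
+name = "${local.project}-cae"
+resource_group_name = "${local.project}-app-rg"
+}
+
+# ------------------------------------------------------------------------------
+# Identity for this Container App.
+# ------------------------------------------------------------------------------
+data "azurerm_user_assigned_identity" "auth" {
+resource_group_name = "${local.project}-identity-rg"
+name = "${var.prefix}-${var.env_short}-auth-identity"
+}
+
+# ------------------------------------------------------------------------------
+# General purpose key vault used to protect secrets.
+# ------------------------------------------------------------------------------
+data "azurerm_key_vault" "general" {
+name = "${local.project}-general-kv"
+resource_group_name = "${local.project}-sec-rg"
+}
+
+# ------------------------------------------------------------------------------
+# Key vault for cryptographics operations.
+# ------------------------------------------------------------------------------
+data "azurerm_key_vault" "auth" {
+name = "${local.project}-auth-kv"
+resource_group_name = "${local.project}-sec-rg"
+}
+
+# ------------------------------------------------------------------------------
+# Storage account containing configuration files.
+# ------------------------------------------------------------------------------
+data "azurerm_storage_account" "auth" {
+name = "${var.prefix}${var.env_short}authst"
+resource_group_name = "${local.project}-data-rg"
+}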
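Review bot: The comment above `data "azurerm_key_vault" "auth"` reads `# Key vault for cryptographics operations.`; it should be `# Key vault for cryptographic operations.`. The identity lookup also spells its name as `"${var.prefix}-${var.env_short}-auth-identity"` where the other data sources use `local.project` for the same prefix/env pair; `name = "${local.project}-auth-identity"` keeps the naming in one place. Since every block in this file is a data source, a one-line header such as `# All resources below are looked up, not created; they are presumably provisioned by the infrastructure repository.` would tell a reader where to look when one of them is missing.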
7 changes: 0 additions & 7 deletions src/main/terraform/data_container_app_environment.tf

This file was deleted.

15 changes: 0 additions & 15 deletions src/main/terraform/data_key_vault.tf

This file was deleted.

7 changes: 0 additions & 7 deletions src/main/terraform/data_storage_account.tf

This file was deleted.

File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
3 changes: 1 addition & 2 deletions src/main/terraform/locals.tf
@@ -1,5 +1,4 @@
locals {
project = "${var.prefix}-${var.env_short}"

domain = "mil"
}
}
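Review bot: `domain` is removed from `locals`, but the eight files renamed without changes are not shown here; if any of them still references `local.domain`, `terraform validate` will fail on the unknown attribute, so it is worth running on the module before merging. The trailing `}`/`}` pair looks like a newline-at-end-of-file change only.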
6 changes: 1 addition & 5 deletions src/main/terraform/main.tf
Expand Up @@ -5,10 +5,6 @@ terraform {
source = "hashicorp/azurerm"
version = "= 3.99.0"
}
azuread = {
source = "hashicorp/azuread"
version = "= 2.48.0"
}
}

backend "azurerm" {
Expand All @@ -31,4 +27,4 @@ provider "azurerm" {

data "azurerm_subscription" "current" {}

data "azurerm_client_config" "current" {}
data "azurerm_client_config" "current" {}
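Review bot: Dropping the `azuread` provider from `required_providers` changes the provider set, so if a `.terraform.lock.hcl` is committed, check it no longer lists `hashicorp/azuread` after the next `terraform init` (`terraform providers lock` regenerates it); no lock file appears in this diffstat, so that may be handled elsewhere. With `resource_role_assignment.tf` deleted, confirm that `data "azurerm_client_config" "current"` and `data "azurerm_subscription" "current"` in the second hunk are still referenced; if not, they can go as well. The `terraform` block in the first hunk starts above the hunk.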
29 changes: 0 additions & 29 deletions src/main/terraform/resource_role_assignment.tf

This file was deleted.

3 changes: 0 additions & 3 deletions src/main/terraform/variables.tf
Expand Up @@ -43,9 +43,6 @@ variable "location_short" {

variable "tags" {
type = map(any)
default = {
CreatedBy = "Terraform"
}
}

# ------------------------------------------------------------------------------
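Review bot: Removing the `default` makes `var.tags` a required input, so every `env/<environment>/terraform.tfvars` must now set `tags` or the non-interactive `terraform apply -auto-approve` in the pipeline fails at variable validation; the tfvars files are not in this diff, so this may already hold. If the intent was only to stop stamping `CreatedBy = "Terraform"`, keeping `default = {}` preserves the optional input. `type = map(any)` could also be tightened to `map(string)`, since Azure tag values are strings.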

