Commit
add roles to dns zone rg
Krusty93 committed Nov 19, 2024
1 parent 716a96a commit ceee0f6
Showing 3 changed files with 27 additions and 5 deletions.
13 changes: 8 additions & 5 deletions infra/modules/azure_monorepo_single_env_starter_pack/README.md
@@ -45,12 +45,14 @@
| [azurerm_role_assignment.externals_group_tf_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_cd_apim_service_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_cd_rg_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_cd_rg_ext_network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_cd_rg_kv_cert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_cd_rg_kv_secr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_cd_rg_rbac_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_cd_st_tf_blob_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_cd_subscription_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_cd_vnet_network_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_ci_rg_ext_pagopa_dns_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_ci_rg_kv_cert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_ci_rg_kv_secr](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_ci_subscription_cosmos_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
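Review bot: the two new resource names are not symmetric: the CI grant is `infra_ci_rg_ext_pagopa_dns_reader` (names the DNS purpose) while the CD grant is `infra_cd_rg_ext_network_contributor` (names only the role), so a reader of this table cannot tell that both target the DNS zone resource group. Consider renaming the CD resource along the lines of `infra_cd_rg_ext_dns_contributor` so the pair reads as one feature.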
@@ -95,15 +97,16 @@
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_apim_id"></a> [apim\_id](#input\_apim\_id) | ID of the APIM instance | `string` | n/a | yes |
| <a name="input_entraid_groups"></a> [entraid\_groups](#input\_entraid\_groups) | Azure Entra Id groups to give role to | <pre>object({<br/> admins_object_id = string<br/> devs_object_id = string<br/> externals_object_id = optional(string, null)<br/> })</pre> | n/a | yes |
| <a name="input_environment"></a> [environment](#input\_environment) | Values which are used to generate resource names and location short names. They are all mandatory except for domain, which should not be used only in the case of a resource used by multiple domains. | <pre>object({<br/> prefix = string<br/> env_short = string<br/> location = string<br/> domain = string<br/> instance_number = string<br/> })</pre> | n/a | yes |
| <a name="input_github_private_runner"></a> [github\_private\_runner](#input\_github\_private\_runner) | n/a | <pre>object({<br/> container_app_environment_id = string<br/> container_app_environment_location = string<br/> polling_interval_in_seconds = optional(number, 30)<br/> min_instances = optional(number, 0)<br/> max_instances = optional(number, 30)<br/> labels = optional(list(string), [])<br/> key_vault = object({<br/> name = string<br/> resource_group_name = string<br/> secret_name = optional(string, "github-runner-pat")<br/> })<br/> cpu = optional(number, 0.5)<br/> memory = optional(string, "1Gi")<br/> })</pre> | n/a | yes |
| <a name="input_entraid_groups"></a> [entraid\_groups](#input\_entraid\_groups) | Azure Entra Id groups to give role to | <pre>object({<br> admins_object_id = string<br> devs_object_id = string<br> externals_object_id = optional(string, null)<br> })</pre> | n/a | yes |
| <a name="input_environment"></a> [environment](#input\_environment) | Values which are used to generate resource names and location short names. They are all mandatory except for domain, which should not be used only in the case of a resource used by multiple domains. | <pre>object({<br> prefix = string<br> env_short = string<br> location = string<br> domain = string<br> instance_number = string<br> })</pre> | n/a | yes |
| <a name="input_github_private_runner"></a> [github\_private\_runner](#input\_github\_private\_runner) | n/a | <pre>object({<br> container_app_environment_id = string<br> container_app_environment_location = string<br> polling_interval_in_seconds = optional(number, 30)<br> min_instances = optional(number, 0)<br> max_instances = optional(number, 30)<br> labels = optional(list(string), [])<br> key_vault = object({<br> name = string<br> resource_group_name = string<br> secret_name = optional(string, "github-runner-pat")<br> })<br> cpu = optional(number, 0.5)<br> memory = optional(string, "1Gi")<br> })</pre> | n/a | yes |
| <a name="input_pep_vnet_id"></a> [pep\_vnet\_id](#input\_pep\_vnet\_id) | ID of the VNet holding Private Endpoint-dedicated subnet | `string` | n/a | yes |
| <a name="input_repository"></a> [repository](#input\_repository) | Information about this repository | <pre>object({<br/> owner = optional(string, "pagopa")<br/> name = string<br/> description = string<br/> topics = list(string)<br/> reviewers_teams = list(string)<br/> })</pre> | n/a | yes |
| <a name="input_repository"></a> [repository](#input\_repository) | Information about this repository | <pre>object({<br> owner = optional(string, "pagopa")<br> name = string<br> description = string<br> topics = list(string)<br> reviewers_teams = list(string)<br> })</pre> | n/a | yes |
| <a name="input_resource_group_dns_zone_id"></a> [resource\_group\_dns\_zone\_id](#input\_resource\_group\_dns\_zone\_id) | Id of the resource group holding public DNS zone | `string` | n/a | yes |
| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | The subscription ID where resources are created | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Resources tags | `map(string)` | n/a | yes |
| <a name="input_tenant_id"></a> [tenant\_id](#input\_tenant\_id) | The tenant ID where resources are created | `string` | n/a | yes |
| <a name="input_terraform_storage_account"></a> [terraform\_storage\_account](#input\_terraform\_storage\_account) | Name and resource group name of the Storage Account hosting the Terraform state file | <pre>object({<br/> resource_group_name = string<br/> name = string<br/> })</pre> | n/a | yes |
| <a name="input_terraform_storage_account"></a> [terraform\_storage\_account](#input\_terraform\_storage\_account) | Name and resource group name of the Storage Account hosting the Terraform state file | <pre>object({<br> resource_group_name = string<br> name = string<br> })</pre> | n/a | yes |

## Outputs

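Review bot: most of this hunk is `<br/>` to `<br>` churn produced by a different terraform-docs version, and only the `resource_group_dns_zone_id` row is a real change; regenerate with the version the repository pins (or pin one) so the diff shows just the new input. In that row, "Id of the resource group holding public DNS zone" should read "ID of the resource group holding the public DNS zone" to match the other rows ("ID of the APIM instance", "ID of the VNet ...").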
14 changes: 14 additions & 0 deletions infra/modules/azure_monorepo_single_env_starter_pack/id_infra.tf
@@ -81,6 +81,13 @@ resource "azurerm_role_assignment" "infra_ci_rg_kv_cert" {
description = "Allow ${var.repository.name} Infra CI identity to read KeyVault's certificates at monorepository resource group scope"
}

resource "azurerm_role_assignment" "infra_ci_rg_ext_pagopa_dns_reader" {
scope = var.resource_group_dns_zone_id
role_definition_name = "PagoPA DNS Zone Reader"
principal_id = azurerm_user_assigned_identity.infra_ci.principal_id
description = "Allow ${var.repository.name} Infra CI identity to read DNS Zone records at resource group level"
}

resource "azurerm_role_assignment" "infra_cd_subscription_reader" {
scope = var.subscription_id
role_definition_name = "Reader"
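Review bot: `PagoPA DNS Zone Reader` is a custom role definition, not an Azure built-in, and nothing in this module creates it, so `terraform apply` fails with a role lookup error in any subscription where the custom role has not been defined first. Either document the prerequisite in the README next to the new `resource_group_dns_zone_id` input, or resolve the role explicitly with a `data "azurerm_role_definition"` lookup by name and scope so the dependency shows up in the plan rather than at apply time.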
@@ -136,3 +143,10 @@ resource "azurerm_role_assignment" "infra_cd_rg_kv_cert" {
principal_id = azurerm_user_assigned_identity.infra_cd.principal_id
description = "Allow ${var.repository.name} Infra CI identity to change KeyVault's certificates at monorepository resource group scope"
}

resource "azurerm_role_assignment" "infra_cd_rg_ext_network_contributor" {
scope = var.resource_group_dns_zone_id
role_definition_name = "Network Contributor"
principal_id = azurerm_user_assigned_identity.infra_cd.principal_id
description = "Allow ${var.repository.name} Infra CD identity to manage DNS Zones at resource group level"
}
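Review bot: the role and the description disagree: `Network Contributor` grants write on every `Microsoft.Network/*` resource in that resource group (virtual networks, NSGs, public IPs, and so on), while the description says the CD identity should "manage DNS Zones". If the identity only needs to write zones and records, the built-in `DNS Zone Contributor` role matches the description and keeps the grant to the minimum; if Network Contributor is really intended, say so in the description so the wider scope is an explicit decision.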
@@ -44,6 +44,11 @@ variable "apim_id" {
description = "ID of the APIM instance"
}

variable "resource_group_dns_zone_id" {
type = string
description = "Id of the resource group holding public DNS zone"
}

variable "subscription_id" {
type = string
description = "The subscription ID where resources are created"
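Review bot: this value becomes the scope of a Network Contributor assignment in `id_infra.tf`, so a subscription ID or a zone ID passed by mistake would silently widen or break the grant; add a `validation` block that asserts the value is a resource group ID, for example `condition = can(regex("^(?i)/subscriptions/[^/]+/resourcegroups/[^/]+$", var.resource_group_dns_zone_id))` with a matching `error_message`. Also "Id" should be "ID" in the description, consistent with `subscription_id` below.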

0 comments on commit ceee0f6