Altinn / altinn-authorization-tmp

Altinn Authorization
MIT License

Chores/add infra for register #8

Closed andreasisnes closed 3 weeks ago

andreasisnes commented 1 month ago

Add infrastructure for register

Remaining work

Caveats

Verification

Documentation

github-actions[bot] commented 1 month ago

Terraform environment at21

Format and Style 🖌 success

Initialization ⚙️ success

Validation 🤖 success

Validation Output

```
Success! The configuration is valid.
```

Plan 📖 success

Show Plan ``` [Lines containing Refreshing state removed] [Maybe further truncated see logs for complete plan output] Acquiring state lock. This may take a few moments... module.app_configuration.data.azurerm_client_config.current: Reading... module.app_configuration.data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD03MjQ0YzE3OS1kZTg2LTRjMDYtYTY3YS0xMTQ3N2ExNGNhMzc7b2JqZWN0SWQ9NmVhZWQyM2UtZGY3Zi00NzA4LTljOGUtYTdmMzRkZWVhZGI0O3N1YnNjcmlwdGlvbklkPTQ1MTc3YTBhLWQyN2UtNDkwZi05ZjIzLWI0NzI2ZGU4Y2NjMTt0ZW5hbnRJZD1jZDAwMjZkOC0yODNiLTRhNTUtOWJmYS1kMGVmNGE4YmEyMWM=] module.application_gateway.data.azurerm_key_vault.cert: Reading... module.application_gateway.data.azurerm_user_assigned_identity.cert: Reading... module.application_gateway.data.azurerm_user_assigned_identity.cert: Read complete after 2s [id=/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgcert001at21/providers/Microsoft.ManagedIdentity/userAssignedIdentities/micert001at21] module.key_vault.data.azurerm_client_config.current: Reading... module.key_vault.data.azurerm_client_config.current: Read complete after 0s [id=Y2xpZW50Q29uZmlncy9jbGllbnRJZD03MjQ0YzE3OS1kZTg2LTRjMDYtYTY3YS0xMTQ3N2ExNGNhMzc7b2JqZWN0SWQ9NmVhZWQyM2UtZGY3Zi00NzA4LTljOGUtYTdmMzRkZWVhZGI0O3N1YnNjcmlwdGlvbklkPTQ1MTc3YTBhLWQyN2UtNDkwZi05ZjIzLWI0NzI2ZGU4Y2NjMTt0ZW5hbnRJZD1jZDAwMjZkOC0yODNiLTRhNTUtOWJmYS1kMGVmNGE4YmEyMWM=] module.application_gateway.data.azurerm_key_vault.cert: Read complete after 3s [id=/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgcert001at21/providers/Microsoft.KeyVault/vaults/kvaltinnauthcert001at21] module.application_gateway.data.azurerm_key_vault_certificate.cert: Reading... module.application_gateway.data.azurerm_key_vault_certificate.cert: Read complete after 2s [id=https://kvaltinnauthcert001at21.vault.azure.net/certificates/cert/234e40b053ee46d4b512b64b334adc67] Terraform used the selected providers to generate the following execution plan. 
Resource actions are indicated with the following symbols: ~ update in-place -/+ destroy and then create replacement Terraform will perform the following actions: # module.app_configuration.azurerm_app_configuration_key.key["Sentinel"] will be updated in-place ~ resource "azurerm_app_configuration_key" "key" { id = "https://appconfaltinnauth001at21.azconfig.io/kv/Sentinel?label=default" tags = { "environment" = "at21" "instance" = "001" "name" = "auth" "repository" = "github.com/altinn/altinn-authorization" "suffix" = "auth001at21" } ~ value = "2024-10-08T13:44:09Z" -> (known after apply) # (6 unchanged attributes hidden) } # module.application_gateway.azurerm_application_gateway.appgw will be updated in-place ~ resource "azurerm_application_gateway" "appgw" { id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21" name = "appgwauth001at21" tags = { "environment" = "at21" "instance" = "001" "name" = "auth" "repository" = "github.com/altinn/altinn-authorization" "suffix" = "auth001at21" } # (7 unchanged attributes hidden) + backend_address_pool { + fqdns = [ + "bootstrapper.api.auth.at21.altinn.cloud", ] + id = (known after apply) + ip_addresses = [] + name = "backend_address_pool_container_app_api_bootstrapper" } - backend_http_settings { - cookie_based_affinity = "Disabled" -> null - id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/backendHttpSettingsCollection/backend_http_settings_container_app_api_accesspackages" -> null - name = "backend_http_settings_container_app_api_accesspackages" -> null - pick_host_name_from_backend_address = true -> null - port = 80 -> null - probe_id = 
"/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_api_accesspackages" -> null - probe_name = "probe_container_app_api_accesspackages" -> null - protocol = "Http" -> null - request_timeout = 30 -> null - trusted_root_certificate_names = [] -> null } - backend_http_settings { - cookie_based_affinity = "Disabled" -> null - id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/backendHttpSettingsCollection/backend_http_settings_container_app_frontend_index" -> null - name = "backend_http_settings_container_app_frontend_index" -> null - pick_host_name_from_backend_address = true -> null - port = 80 -> null - probe_id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_frontend_index" -> null - probe_name = "probe_container_app_frontend_index" -> null - protocol = "Http" -> null - request_timeout = 30 -> null - trusted_root_certificate_names = [] -> null } - backend_http_settings { - cookie_based_affinity = "Disabled" -> null - id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/backendHttpSettingsCollection/backend_http_settings_container_app_index" -> null - name = "backend_http_settings_container_app_index" -> null - pick_host_name_from_backend_address = true -> null - port = 80 -> null - probe_id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_index" -> null - probe_name = "probe_container_app_index" -> null - protocol = "Http" -> null - request_timeout = 30 -> null - trusted_root_certificate_names = [] 
-> null } + backend_http_settings { + cookie_based_affinity = "Disabled" + id = (known after apply) + name = "backend_http_settings_container_app_api_bootstrapper" + pick_host_name_from_backend_address = true + port = 80 + probe_id = (known after apply) + probe_name = "probe_container_app_api_bootstrapper" + protocol = "Http" + request_timeout = 30 + trusted_root_certificate_names = [] } + backend_http_settings { + cookie_based_affinity = "Disabled" + id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/backendHttpSettingsCollection/backend_http_settings_container_app_api_accesspackages" + name = "backend_http_settings_container_app_api_accesspackages" + pick_host_name_from_backend_address = true + port = 80 + probe_id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_api_accesspackages" + probe_name = "probe_container_app_api_accesspackages" + protocol = "Http" + request_timeout = 30 + trusted_root_certificate_names = [] } + backend_http_settings { + cookie_based_affinity = "Disabled" + id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/backendHttpSettingsCollection/backend_http_settings_container_app_frontend_index" + name = "backend_http_settings_container_app_frontend_index" + pick_host_name_from_backend_address = true + port = 80 + probe_id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_frontend_index" + probe_name = "probe_container_app_frontend_index" + protocol = "Http" + request_timeout = 30 + trusted_root_certificate_names = [] } + backend_http_settings { + cookie_based_affinity = "Disabled" + id = 
"/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/backendHttpSettingsCollection/backend_http_settings_container_app_index" + name = "backend_http_settings_container_app_index" + pick_host_name_from_backend_address = true + port = 80 + probe_id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_index" + probe_name = "probe_container_app_index" + protocol = "Http" + request_timeout = 30 + trusted_root_certificate_names = [] } - probe { - id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_api_accesspackages" -> null - interval = 30 -> null - minimum_servers = 0 -> null - name = "probe_container_app_api_accesspackages" -> null - path = "/healthz" -> null - pick_host_name_from_backend_http_settings = true -> null - port = 0 -> null - protocol = "Http" -> null - timeout = 30 -> null - unhealthy_threshold = 3 -> null - match { - status_code = [ - "200", ] -> null } } - probe { - id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_frontend_index" -> null - interval = 30 -> null - minimum_servers = 0 -> null - name = "probe_container_app_frontend_index" -> null - path = "/healthz" -> null - pick_host_name_from_backend_http_settings = true -> null - port = 0 -> null - protocol = "Http" -> null - timeout = 30 -> null - unhealthy_threshold = 3 -> null - match { - status_code = [ - "200", ] -> null } } - probe { - id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_index" -> null - 
interval = 30 -> null - minimum_servers = 0 -> null - name = "probe_container_app_index" -> null - path = "/" -> null - pick_host_name_from_backend_http_settings = true -> null - port = 0 -> null - protocol = "Http" -> null - timeout = 30 -> null - unhealthy_threshold = 3 -> null - match { - status_code = [ - "200", ] -> null } } + probe { + id = (known after apply) + interval = 30 + minimum_servers = 0 + name = "probe_container_app_api_bootstrapper" + path = "/healthz" + pick_host_name_from_backend_http_settings = true + protocol = "Http" + timeout = 30 + unhealthy_threshold = 3 + match { + status_code = [ + "200", ] } } + probe { + id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_api_accesspackages" + interval = 30 + minimum_servers = 0 + name = "probe_container_app_api_accesspackages" + path = "/healthz" + pick_host_name_from_backend_http_settings = true + protocol = "Http" + timeout = 30 + unhealthy_threshold = 3 + match { + status_code = [ + "200", ] } } + probe { + id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_frontend_index" + interval = 30 + minimum_servers = 0 + name = "probe_container_app_frontend_index" + path = "/healthz" + pick_host_name_from_backend_http_settings = true + protocol = "Http" + timeout = 30 + unhealthy_threshold = 3 + match { + status_code = [ + "200", ] } } + probe { + id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/probes/probe_container_app_index" + interval = 30 + minimum_servers = 0 + name = "probe_container_app_index" + path = "/" + pick_host_name_from_backend_http_settings = true + protocol = "Http" + timeout = 30 + unhealthy_threshold = 3 + match { + status_code = [ + 
"200", ] } } ~ url_path_map { id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.Network/applicationGateways/appgwauth001at21/urlPathMaps/url_path_map_container_app_api" name = "url_path_map_container_app_api" # (4 unchanged attributes hidden) + path_rule { + backend_address_pool_name = "backend_address_pool_container_app_api_bootstrapper" + backend_http_settings_name = "backend_http_settings_container_app_api_bootstrapper" + name = "path_rule_container_app_api_bootstrapper" + paths = [ + "/bootstrapper/*", + "/bootstrapper", ] } # (1 unchanged block hidden) } # (16 unchanged blocks hidden) } # module.key_vault.azurerm_role_assignment.key_vault_administrator["app"] must be replaced -/+ resource "azurerm_role_assignment" "key_vault_administrator" { ~ id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.KeyVault/vaults/kvaltinnauth001at21/providers/Microsoft.Authorization/roleAssignments/35f90372-ee1f-888a-634f-37f6cf26d9ee" -> (known after apply) ~ name = "35f90372-ee1f-888a-634f-37f6cf26d9ee" -> (known after apply) ~ principal_id = "1e93d640-decc-493d-bb8b-1eb715ff1a95" -> "app" # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483" -> (known after apply) + skip_service_principal_aad_check = (known after apply) # (2 unchanged attributes hidden) } # module.key_vault.azurerm_role_assignment.key_vault_administrator["current"] must be replaced -/+ resource "azurerm_role_assignment" "key_vault_administrator" { ~ id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/resourceGroups/rgauth001at21/providers/Microsoft.KeyVault/vaults/kvaltinnauth001at21/providers/Microsoft.Authorization/roleAssignments/f825c6b5-7c3e-6359-434f-355bb2e0e31d" -> (known after apply) ~ name = 
"f825c6b5-7c3e-6359-434f-355bb2e0e31d" -> (known after apply) ~ principal_id = "6eaed23e-df7f-4708-9c8e-a7f34deeadb4" -> "current" # forces replacement ~ principal_type = "ServicePrincipal" -> (known after apply) ~ role_definition_id = "/subscriptions/45177a0a-d27e-490f-9f23-b4726de8ccc1/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483" -> (known after apply) + skip_service_principal_aad_check = (known after apply) # (2 unchanged attributes hidden) } Plan: 2 to add, 2 to change, 2 to destroy. ───────────────────────────────────────────────────────────────────────────── Saved the plan to: tfplan.out To perform exactly these actions, run the following command to apply: terraform apply "tfplan.out" Releasing state lock. This may take a few moments... ```
Context Values

Pusher: @andreasisnes
Action: workflow_dispatch
Working Directory: infra/deploy/auth
State File: github.com/altinn/altinn-authorization-tmp/environments/at21/auth.tfstate
Plan File: github.com_altinn_altinn-authorization-tmp_environments_at21_auth.tfstate.tfplan
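
Review bot: in the plan for module.key_vault.azurerm_role_assignment.key_vault_administrator, both the ["app"] and ["current"] instances change principal_id from an object ID to the literal map key (`"1e93d640-decc-493d-bb8b-1eb715ff1a95" -> "app"` and `"6eaed23e-df7f-4708-9c8e-a7f34deeadb4" -> "current"`), and each change is marked as forcing replacement. That looks like the for_each key being passed where the principal's object ID was intended. As planned, the apply would destroy the two existing role assignments on kvaltinnauth001at21 and try to recreate them with a principal_id that is not an object ID. Suggest pointing principal_id back at the object ID and re-running the plan, which should then show no change for these two resources and leave only the bootstrapper additions to the application gateway and the Sentinel key update.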