feat: Added .identity (#61)

* added github configurator * changed folder name from github-forge to identity * added git ignore .terraform * updated provider for identity * added secret for azure devops pat * pre-commit fixs
pagopa · Oct 3, 2024 · 2af1261 · 2af1261
1 parent 75859ec
commit 2af1261
Show file tree

Hide file tree

Showing 25 changed files with 418 additions and 11 deletions.
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
@@ -53,4 +53,4 @@ jobs:
  validateSingleCommit: false
  # Related to `validateSingleCommit` you can opt-in to validate that the PR
  # title matches a single commit to avoid confusion.
- validateSingleCommitMatchesPrTitle: false
+ validateSingleCommitMatchesPrTitle: false
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -45,4 +45,4 @@ jobs:
  # with:
  # azure-devops-project-url: 'https://dev.azure.com/organization/project-name'
  # azure-pipeline-name: 'your-pipeline-name'
- # azure-devops-token: ${{ secrets.AZURE_DEVOPS_PAT }}
+ # azure-devops-token: ${{ secrets.AZURE_DEVOPS_PAT }}
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -49,4 +49,4 @@ jobs:
  # from https://github.com/github/codeql-action/commits/main
  uses: github/codeql-action/upload-sarif@f0a12816612c7306b485a22cb164feb43c6df818
  with:
- sarif_file: 'trivy-results.sarif'
+ sarif_file: 'trivy-results.sarif'
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,5 @@
+.terraform
+
 charts*
 .DS_Store
 

diff --git a/.identity/.terraform.lock.hcl b/.identity/.terraform.lock.hcl
diff --git a/.identity/00_data.tf b/.identity/00_data.tf
@@ -0,0 +1,17 @@
+data "github_organization_teams" "all" {
+ root_teams_only = true
+ summary_only = true
+}
+
+data "azurerm_key_vault" "domain_key_vault" {
+ name = local.kv_domain_name
+ resource_group_name = local.kv_domain_resource_group_name
+}
+
+#
+# Secrets
+#
+data "azurerm_key_vault_secret" "azuredevops_pat_github_action" {
+ name = "azuredevops-pat-github-action"
+ key_vault_id = data.azurerm_key_vault.domain_key_vault.id
+}
diff --git a/.identity/01_github_environment.tf b/.identity/01_github_environment.tf
@@ -0,0 +1,79 @@
+resource "github_repository_environment" "github_repository_environment" {
+ environment = var.env
+ repository = local.github.repository
+ # filter teams reviewers from github_organization_teams
+ # if reviewers_teams is null no reviewers will be configured for environment
+ dynamic "reviewers" {
+ for_each = (var.github_repository_environment.reviewers_teams == null || var.env_short != "p" ? [] : [1])
+ content {
+ teams = matchkeys(
+ data.github_organization_teams.all.teams.*.id,
+ data.github_organization_teams.all.teams.*.name,
+ var.github_repository_environment.reviewers_teams
+ )
+ }
+ }
+ deployment_branch_policy {
+ protected_branches = var.github_repository_environment.protected_branches
+ custom_branch_policies = var.github_repository_environment.custom_branch_policies
+ }
+}
+
+locals {
+ env_secrets = {
+ "TENANT_ID" : data.azurerm_client_config.current.tenant_id,
+ "SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id,
+ "AZUREDEVOPS_PAT" : data.azurerm_key_vault_secret.azuredevops_pat_github_action.value,
+ }
+ env_variables = {
+ }
+ repo_secrets = {
+ }
+ special_repo_secrets = {
+ }
+}
+
+###############
+# ENV Secrets #
+###############
+
+resource "github_actions_environment_secret" "github_environment_runner_secrets" {
+ for_each = local.env_secrets
+ repository = local.github.repository
+ environment = var.env
+ secret_name = each.key
+ plaintext_value = each.value
+}
+
+#################
+# ENV Variables #
+#################
+
+
+resource "github_actions_environment_variable" "github_environment_runner_variables" {
+ for_each = local.env_variables
+ repository = local.github.repository
+ environment = var.env
+ variable_name = each.key
+ value = each.value
+}
+
+#############################
+# Secrets of the Repository #
+#############################
+
+
+resource "github_actions_secret" "repo_secrets" {
+ for_each = local.repo_secrets
+ repository = local.github.repository
+ secret_name = each.key
+ plaintext_value = each.value
+}
+
+
+resource "github_actions_secret" "special_repo_secrets" {
+ for_each = local.special_repo_secrets
+ repository = local.github.repository
+ secret_name = each.value.key
+ plaintext_value = each.value.value
+}
diff --git a/.identity/99_main.tf b/.identity/99_main.tf
@@ -0,0 +1,32 @@
+terraform {
+ required_version = ">=1.3.0"
+
+ required_providers {
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "2.50.0"
+ }
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.116.0"
+ }
+ github = {
+ source = "integrations/github"
+ version = "6.3.0"
+ }
+ }
+
+ backend "azurerm" {}
+}
+
+provider "azurerm" {
+ features {}
+}
+
+provider "github" {
+ owner = "pagopa"
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
diff --git a/.identity/99_variables.tf b/.identity/99_variables.tf
@@ -0,0 +1,48 @@
+locals {
+ github = {
+ org = "pagopa"
+ repository = "devops-java-springboot-color"
+ }
+
+ prefix = "dvopla"
+ domain = "diego"
+ location_short = "itn"
+ product = "${var.prefix}-${var.env_short}"
+
+ kv_domain_name = "dvopla-d-itn-diego-kv"
+ kv_domain_resource_group_name = "dvopla-d-itn-diego-sec-rg"
+
+}
+
+variable "env" {
+ type = string
+}
+
+variable "env_short" {
+ type = string
+}
+
+variable "prefix" {
+ type = string
+ default = "pagopa"
+ validation {
+ condition = (
+ length(var.prefix) <= 6
+ )
+ error_message = "Max length is 6 chars."
+ }
+}
+
+variable "github_repository_environment" {
+ type = object({
+ protected_branches = bool
+ custom_branch_policies = bool
+ reviewers_teams = list(string)
+ })
+ description = "GitHub Continuous Integration roles"
+ default = {
+ protected_branches = false
+ custom_branch_policies = true
+ reviewers_teams = ["pagopa-team-core"]
+ }
+}
diff --git a/.identity/env/dev/backend.ini b/.identity/env/dev/backend.ini
@@ -0,0 +1 @@
+subscription=devopslab
diff --git a/.identity/env/dev/backend.tfvars b/.identity/env/dev/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfappdevopslab"
+container_name = "terraform-state"
+key = "devops-java-springboot-color-github-dev.tfstate"
diff --git a/.identity/env/dev/terraform.tfvars b/.identity/env/dev/terraform.tfvars
@@ -0,0 +1,11 @@
+prefix = "pagopa"
+env = "dev"
+env_short = "d"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Dev"
+ Owner = "pagoPA"
+ Source = "https://github.com/pagopa/pagopa-payment-options-service"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+}
diff --git a/.identity/env/prod/backend.ini b/.identity/env/prod/backend.ini
@@ -0,0 +1 @@
+subscription=devopslab
diff --git a/.identity/env/prod/backend.tfvars b/.identity/env/prod/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfappdevopslab"
+container_name = "terraform-state"
+key = "devops-java-springboot-color-github-prod.tfstate"
diff --git a/.identity/env/prod/terraform.tfvars b/.identity/env/prod/terraform.tfvars
@@ -0,0 +1,11 @@
+prefix = "pagopa"
+env = "prod"
+env_short = "p"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Prod"
+ Owner = "pagoPA"
+ Source = "https://github.com/pagopa/pagopa-payment-options-service"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+}
diff --git a/.identity/env/uat/backend.ini b/.identity/env/uat/backend.ini
@@ -0,0 +1 @@
+subscription=devopslab
diff --git a/.identity/env/uat/backend.tfvars b/.identity/env/uat/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfappdevopslab"
+container_name = "terraform-state"
+key = "devops-java-springboot-color-github-uat.tfstate"
diff --git a/.identity/env/uat/terraform.tfvars b/.identity/env/uat/terraform.tfvars
@@ -0,0 +1,11 @@
+prefix = "pagopa"
+env = "uat"
+env_short = "u"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Uat"
+ Owner = "pagoPA"
+ Source = "https://github.com/pagopa/pagopa-payment-options-service"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+}
diff --git a/.identity/terraform.sh b/.identity/terraform.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+set -e
+
+ACTION=$1
+ENV=$2
+shift 2
+other="$@"
+# must be subscription in lower case
+subscription=""
+BACKEND_CONFIG_PATH="./env/${ENV}/backend.tfvars"
+
+if [ -z "$ACTION" ]; then
+ echo "[ERROR] Missed ACTION: init, apply, plan"
+ exit 0
+fi
+
+if [ -z "$ENV" ]; then
+ echo "[ERROR] ENV should be: dev, uat or prod."
+ exit 0
+fi
+
+#
+# 🏁 Source & init shell
+#
+
+# shellcheck source=/dev/null
+source "./env/$ENV/backend.ini"
+
+# Subscription set
+az account set -s "${subscription}"
+
+# if using cygwin, we have to transcode the WORKDIR
+if [[ $WORKDIR == /cygdrive/* ]]; then
+ WORKDIR=$(cygpath -w $WORKDIR)
+fi
+
+# Helm
+export HELM_DEBUG=1
+export TF_VAR_github_token="${GITHUB_TOKEN}"
+# TODO set your PAT TOKEN as env var
+if [ -z "$GITHUB_TOKEN" ]; then
+ echo "Error: Set an environment variable named GITHUB_TOKEN with your GitHub PAT Token"
+ exit 1
+fi
+
+#
+# 🌎 Terraform
+#
+if echo "init plan apply refresh import output state taint destroy" | grep -w "$ACTION" > /dev/null; then
+ if [ "$ACTION" = "init" ]; then
+ echo "[INFO] init tf on ENV: ${ENV}"
+ terraform "$ACTION" -backend-config="${BACKEND_CONFIG_PATH}" $other
+ elif [ "$ACTION" = "output" ] || [ "$ACTION" = "state" ] || [ "$ACTION" = "taint" ]; then
+ # init terraform backend
+ terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}"
+ terraform "$ACTION" $other
+ else
+ # init terraform backend
+ echo "[INFO] init tf on ENV: ${ENV}"
+ terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}"
+
+ echo "[INFO] run tf with: ${ACTION} on ENV: ${ENV} and other: >${other}<"
+ terraform "${ACTION}" -var-file="./env/${ENV}/terraform.tfvars" -compact-warnings $other
+ fi
+else
+ echo "[ERROR] ACTION not allowed."
+ exit 1
+fi