feat: Added .identity (#61)

* added github configurator

* changed folder name from github-forge to identity

* added git ignore .terraform

* updated provider for identity

* added secret for azure devops pat

* pre-commit fixs

.github/workflows/pr-title.yml

@@ -53,4 +53,4 @@ jobs:
           validateSingleCommit: false
           # Related to `validateSingleCommit` you can opt-in to validate that the PR
           # title matches a single commit to avoid confusion.
-          validateSingleCommitMatchesPrTitle: false
+          validateSingleCommitMatchesPrTitle: false

.github/workflows/release.yml

@@ -45,4 +45,4 @@ jobs:
       #   with:
       #     azure-devops-project-url: 'https://dev.azure.com/organization/project-name'
       #     azure-pipeline-name: 'your-pipeline-name'
-      #     azure-devops-token: ${{ secrets.AZURE_DEVOPS_PAT }}
+      #     azure-devops-token: ${{ secrets.AZURE_DEVOPS_PAT }}

.github/workflows/trivy.yml

@@ -49,4 +49,4 @@ jobs:
         # from https://github.com/github/codeql-action/commits/main
         uses: github/codeql-action/upload-sarif@f0a12816612c7306b485a22cb164feb43c6df818
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: 'trivy-results.sarif'

.gitignore

@@ -1,3 +1,5 @@
+.terraform
+
 charts*
 .DS_Store
 

.identity/00_data.tf

@@ -0,0 +1,17 @@
+data "github_organization_teams" "all" {
+  root_teams_only = true
+  summary_only    = true
+}
+
+data "azurerm_key_vault" "domain_key_vault" {
+  name                = local.kv_domain_name
+  resource_group_name = local.kv_domain_resource_group_name
+}
+
+#
+# Secrets
+#
+data "azurerm_key_vault_secret" "azuredevops_pat_github_action" {
+  name         = "azuredevops-pat-github-action"
+  key_vault_id = data.azurerm_key_vault.domain_key_vault.id
+}

.identity/01_github_environment.tf

@@ -0,0 +1,79 @@
+resource "github_repository_environment" "github_repository_environment" {
+  environment = var.env
+  repository  = local.github.repository
+  # filter teams reviewers from github_organization_teams
+  # if reviewers_teams is null no reviewers will be configured for environment
+  dynamic "reviewers" {
+    for_each = (var.github_repository_environment.reviewers_teams == null || var.env_short != "p" ? [] : [1])
+    content {
+      teams = matchkeys(
+        data.github_organization_teams.all.teams.*.id,
+        data.github_organization_teams.all.teams.*.name,
+        var.github_repository_environment.reviewers_teams
+      )
+    }
+  }
+  deployment_branch_policy {
+    protected_branches     = var.github_repository_environment.protected_branches
+    custom_branch_policies = var.github_repository_environment.custom_branch_policies
+  }
+}
+
+locals {
+  env_secrets = {
+    "TENANT_ID" : data.azurerm_client_config.current.tenant_id,
+    "SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id,
+    "AZUREDEVOPS_PAT" : data.azurerm_key_vault_secret.azuredevops_pat_github_action.value,
+  }
+  env_variables = {
+  }
+  repo_secrets = {
+  }
+  special_repo_secrets = {
+  }
+}
+
+###############
+# ENV Secrets #
+###############
+
+resource "github_actions_environment_secret" "github_environment_runner_secrets" {
+  for_each        = local.env_secrets
+  repository      = local.github.repository
+  environment     = var.env
+  secret_name     = each.key
+  plaintext_value = each.value
+}
+
+#################
+# ENV Variables #
+#################
+
+
+resource "github_actions_environment_variable" "github_environment_runner_variables" {
+  for_each      = local.env_variables
+  repository    = local.github.repository
+  environment   = var.env
+  variable_name = each.key
+  value         = each.value
+}
+
+#############################
+# Secrets of the Repository #
+#############################
+
+
+resource "github_actions_secret" "repo_secrets" {
+  for_each        = local.repo_secrets
+  repository      = local.github.repository
+  secret_name     = each.key
+  plaintext_value = each.value
+}
+
+
+resource "github_actions_secret" "special_repo_secrets" {
+  for_each        = local.special_repo_secrets
+  repository      = local.github.repository
+  secret_name     = each.value.key
+  plaintext_value = each.value.value
+}

.identity/99_main.tf

@@ -0,0 +1,32 @@
+terraform {
+  required_version = ">=1.3.0"
+
+  required_providers {
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "2.50.0"
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.116.0"
+    }
+    github = {
+      source  = "integrations/github"
+      version = "6.3.0"
+    }
+  }
+
+  backend "azurerm" {}
+}
+
+provider "azurerm" {
+  features {}
+}
+
+provider "github" {
+  owner = "pagopa"
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}

.identity/99_variables.tf

@@ -0,0 +1,48 @@
+locals {
+  github = {
+    org        = "pagopa"
+    repository = "devops-java-springboot-color"
+  }
+
+  prefix         = "dvopla"
+  domain         = "diego"
+  location_short = "itn"
+  product        = "${var.prefix}-${var.env_short}"
+
+  kv_domain_name                = "dvopla-d-itn-diego-kv"
+  kv_domain_resource_group_name = "dvopla-d-itn-diego-sec-rg"
+
+}
+
+variable "env" {
+  type = string
+}
+
+variable "env_short" {
+  type = string
+}
+
+variable "prefix" {
+  type    = string
+  default = "pagopa"
+  validation {
+    condition = (
+      length(var.prefix) <= 6
+    )
+    error_message = "Max length is 6 chars."
+  }
+}
+
+variable "github_repository_environment" {
+  type = object({
+    protected_branches     = bool
+    custom_branch_policies = bool
+    reviewers_teams        = list(string)
+  })
+  description = "GitHub Continuous Integration roles"
+  default = {
+    protected_branches     = false
+    custom_branch_policies = true
+    reviewers_teams        = ["pagopa-team-core"]
+  }
+}

.identity/env/dev/backend.ini

@@ -0,0 +1 @@
+subscription=devopslab

.identity/env/dev/backend.tfvars

@@ -0,0 +1,4 @@
+resource_group_name  = "terraform-state-rg"
+storage_account_name = "tfappdevopslab"
+container_name       = "terraform-state"
+key                  = "devops-java-springboot-color-github-dev.tfstate"

.identity/env/dev/terraform.tfvars

@@ -0,0 +1,11 @@
+prefix    = "pagopa"
+env       = "dev"
+env_short = "d"
+
+tags = {
+  CreatedBy   = "Terraform"
+  Environment = "Dev"
+  Owner       = "pagoPA"
+  Source      = "https://github.com/pagopa/pagopa-payment-options-service"
+  CostCenter  = "TS310 - PAGAMENTI & SERVIZI"
+}

.identity/env/prod/backend.ini

@@ -0,0 +1 @@
+subscription=devopslab

.identity/env/prod/backend.tfvars

@@ -0,0 +1,4 @@
+resource_group_name  = "terraform-state-rg"
+storage_account_name = "tfappdevopslab"
+container_name       = "terraform-state"
+key                  = "devops-java-springboot-color-github-prod.tfstate"

.identity/env/prod/terraform.tfvars

@@ -0,0 +1,11 @@
+prefix    = "pagopa"
+env       = "prod"
+env_short = "p"
+
+tags = {
+  CreatedBy   = "Terraform"
+  Environment = "Prod"
+  Owner       = "pagoPA"
+  Source      = "https://github.com/pagopa/pagopa-payment-options-service"
+  CostCenter  = "TS310 - PAGAMENTI & SERVIZI"
+}

.identity/env/uat/backend.ini

@@ -0,0 +1 @@
+subscription=devopslab

.identity/env/uat/backend.tfvars

@@ -0,0 +1,4 @@
+resource_group_name  = "terraform-state-rg"
+storage_account_name = "tfappdevopslab"
+container_name       = "terraform-state"
+key                  = "devops-java-springboot-color-github-uat.tfstate"

.identity/env/uat/terraform.tfvars

@@ -0,0 +1,11 @@
+prefix    = "pagopa"
+env       = "uat"
+env_short = "u"
+
+tags = {
+  CreatedBy   = "Terraform"
+  Environment = "Uat"
+  Owner       = "pagoPA"
+  Source      = "https://github.com/pagopa/pagopa-payment-options-service"
+  CostCenter  = "TS310 - PAGAMENTI & SERVIZI"
+}

.identity/terraform.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+set -e
+
+ACTION=$1
+ENV=$2
+shift 2
+other="$@"
+# must be subscription in lower case
+subscription=""
+BACKEND_CONFIG_PATH="./env/${ENV}/backend.tfvars"
+
+if [ -z "$ACTION" ]; then
+  echo "[ERROR] Missed ACTION: init, apply, plan"
+  exit 0
+fi
+
+if [ -z "$ENV" ]; then
+  echo "[ERROR] ENV should be: dev, uat or prod."
+  exit 0
+fi
+
+#
+# 🏁 Source & init shell
+#
+
+# shellcheck source=/dev/null
+source "./env/$ENV/backend.ini"
+
+# Subscription set
+az account set -s "${subscription}"
+
+# if using cygwin, we have to transcode the WORKDIR
+if [[ $WORKDIR == /cygdrive/* ]]; then
+  WORKDIR=$(cygpath -w $WORKDIR)
+fi
+
+# Helm
+export HELM_DEBUG=1
+export TF_VAR_github_token="${GITHUB_TOKEN}"
+# TODO set your PAT TOKEN as env var
+if [ -z "$GITHUB_TOKEN" ]; then
+  echo "Error: Set an environment variable named GITHUB_TOKEN with your GitHub PAT Token"
+  exit 1
+fi
+
+#
+# 🌎 Terraform
+#
+if echo "init plan apply refresh import output state taint destroy" | grep -w "$ACTION" > /dev/null; then
+  if [ "$ACTION" = "init" ]; then
+    echo "[INFO] init tf on ENV: ${ENV}"
+    terraform "$ACTION" -backend-config="${BACKEND_CONFIG_PATH}" $other
+  elif [ "$ACTION" = "output" ] || [ "$ACTION" = "state" ] || [ "$ACTION" = "taint" ]; then
+    # init terraform backend
+    terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}"
+    terraform "$ACTION" $other
+  else
+    # init terraform backend
+    echo "[INFO] init tf on ENV: ${ENV}"
+    terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}"
+
+    echo "[INFO] run tf with: ${ACTION} on ENV: ${ENV} and other: >${other}<"
+    terraform "${ACTION}" -var-file="./env/${ENV}/terraform.tfvars" -compact-warnings $other
+  fi
+else
+    echo "[ERROR] ACTION not allowed."
+    exit 1
+fi