From 2af12615a22225cc45f4d650a772923aa7e2b7b8 Mon Sep 17 00:00:00 2001 
From: Diego Lagos <92735530+diegolagospagopa@users.noreply.github.com> Date: Thu, 3 Oct 2024 16:13:43 +0200 Subject: [PATCH] feat: Added .identity (#61) * added github configurator * changed folder name from github-forge to identity * added git ignore .terraform * updated provider for identity * added secret for azure devops pat * pre-commit fixs --- .github/workflows/pr-title.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/trivy.yml | 2 +- .gitignore | 2 + .identity/.terraform.lock.hcl | 65 +++++++++++++++ .identity/00_data.tf | 17 ++++ .identity/01_github_environment.tf | 79 +++++++++++++++++++ .identity/99_main.tf | 32 ++++++++ .identity/99_variables.tf | 48 +++++++++++ .identity/env/dev/backend.ini | 1 + .identity/env/dev/backend.tfvars | 4 + .identity/env/dev/terraform.tfvars | 11 +++ .identity/env/prod/backend.ini | 1 + .identity/env/prod/backend.tfvars | 4 + .identity/env/prod/terraform.tfvars | 11 +++ .identity/env/uat/backend.ini | 1 + .identity/env/uat/backend.tfvars | 4 + .identity/env/uat/terraform.tfvars | 11 +++ .identity/terraform.sh | 69 ++++++++++++++++ .pre-commit-config.yaml | 47 +++++++++++ force-release | 2 +- .../springbootshowcase/MySystemLogs.java | 2 +- src/main/resources/application.properties | 6 +- src/main/resources/logback-spring.xml | 2 +- .../resources/templates/indexTemplate.html | 4 +- 25 files changed, 418 insertions(+), 11 deletions(-) create mode 100644 .identity/.terraform.lock.hcl create mode 100644 .identity/00_data.tf create mode 100644 .identity/01_github_environment.tf create mode 100644 .identity/99_main.tf create mode 100644 .identity/99_variables.tf create mode 100644 .identity/env/dev/backend.ini create mode 100644 .identity/env/dev/backend.tfvars create mode 100644 .identity/env/dev/terraform.tfvars create mode 100644 .identity/env/prod/backend.ini create mode 100644 .identity/env/prod/backend.tfvars create mode 100644 .identity/env/prod/terraform.tfvars create mode 100644 
.identity/env/uat/backend.ini create mode 100644 .identity/env/uat/backend.tfvars create mode 100644 .identity/env/uat/terraform.tfvars create mode 100755 .identity/terraform.sh create mode 100644 .pre-commit-config.yaml diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index e620207..3262661 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -53,4 +53,4 @@ jobs: validateSingleCommit: false # Related to `validateSingleCommit` you can opt-in to validate that the PR # title matches a single commit to avoid confusion. - validateSingleCommitMatchesPrTitle: false \ No newline at end of file + validateSingleCommitMatchesPrTitle: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a771f96..7f7ddca 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -45,4 +45,4 @@ jobs: # with: # azure-devops-project-url: 'https://dev.azure.com/organization/project-name' # azure-pipeline-name: 'your-pipeline-name' - # azure-devops-token: ${{ secrets.AZURE_DEVOPS_PAT }} \ No newline at end of file + # azure-devops-token: ${{ secrets.AZURE_DEVOPS_PAT }} diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index e039c2b..ceff89c 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -49,4 +49,4 @@ jobs: # from https://github.com/github/codeql-action/commits/main uses: github/codeql-action/upload-sarif@f0a12816612c7306b485a22cb164feb43c6df818 with: - sarif_file: 'trivy-results.sarif' \ No newline at end of file + sarif_file: 'trivy-results.sarif' diff --git a/.gitignore b/.gitignore index a2cf252..4672729 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ +.terraform + charts* .DS_Store diff --git a/.identity/.terraform.lock.hcl b/.identity/.terraform.lock.hcl new file mode 100644 index 0000000..a9d9757 --- /dev/null +++ b/.identity/.terraform.lock.hcl 
@@ -0,0 +1,65 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/azuread" {
+ version = "2.50.0"
+ constraints = "2.50.0"
+ hashes = [
+ "h1:9hS4fOOfMoJ769IJEmRuVbYzBPPo4TNVVCEk04Pqn14=",
+ "zh:0eb91d177d1d868dc50c006f07fb17905318555c5c7ff56ba5a8a623415e9342",
+ "zh:1baabaca448f4cab0cb31cbb1b564d1849a13ca4a6536d1a6f92097b88cd883d",
+ "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7",
+ "zh:4fdd139514253128f389ac00b7942c4a4da10135b120ff4c0dc0fd8382c3b003",
+ "zh:6adb28fd81775a79b894d4c15dc292188ff2b1ff7f9d5bacd6db19ca75a71f92",
+ "zh:6bcd4d8ec7ad5b15b576defc803958948717d496b2c1356a77577eb6f86ac1b6",
+ "zh:8a4b65cb3f67199bf1a46f8061169373dcfb5619934ecf80eaf143d8a8b4f1db",
+ "zh:93c886fc940619b74610b88b067491d2b731e27e20550b08a44227c1b2e59022",
+ "zh:9a16a45fa544f0b777bf2f83b1e1156018b0737c9359c432c2d774451f168b59",
+ "zh:9b191e3496e8d461f612b1a767b44821d2ea62545f7f0363690c0b6fc73af37b",
+ "zh:e6575b9c6ca30c3adc6b39839f246be3d9d8ce883a111fb695f1618df3887574",
+ "zh:f5c5336948cd05a9dd64a5938c5edfb90adfda0df89d80e80da1a1fdb2c61816",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/azurerm" {
+ version = "3.116.0"
+ constraints = "3.116.0"
+ hashes = [
+ "h1:2QbjtN4oMXzdA++Nvrj/wSmWZTPgXKOSFGGQCLEMrb4=",
+ "zh:02b6606aff025fc2a962b3e568e000300abe959adac987183c24dac8eb057f4d",
+ "zh:2a23a8ce24ff9e885925ffee0c3ea7eadba7a702541d05869275778aa47bdea7",
+ "zh:57d10746384baeca4d5c56e88872727cdc150f437b8c5e14f0542127f7475e24",
+ "zh:59e3ebde1a2e1e094c671e179f231ead60684390dbf02d2b1b7fe67a228daa1a",
+ "zh:5f1f5c7d09efa2ee8ddf21bd9efbbf8286f6e90047556bef305c062fa0ac5880",
+ "zh:a40646aee3c9907276dab926e6123a8d70b1e56174836d4c59a9992034f88d70",
+ "zh:c21d40461bc5836cf56ad3d93d2fc47f61138574a55e972ad5ff1cb73bab66dc",
+ "zh:c56fb91a5ae66153ba0f737a26da1b3d4f88fdef7d41c63e06c5772d93b26953",
+ "zh:d1e60e85f51d12fc150aeab8e31d3f18f859c32f927f99deb5b74cb1e10087aa",
+ "zh:ed35e727e7d79e687cd3d148f52b442961ede286e7c5b4da1dcd9f0128009466",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+ "zh:f6d2a4e7c58f44e7d04a4a9c73f35ed452f412c97c85def68c4b52814cbe03ab",
+ ]
+}
+
+provider "registry.terraform.io/integrations/github" {
+ version = "6.3.0"
+ constraints = "6.3.0"
+ hashes = [
+ "h1:smeAkyQqdvuOr8rtC/2+kdvWqS7YR92RWFrJL+k6z7A=",
+ "zh:04fe3b820fe8c247b98b9d6810b8bb84d3e8ac08054faf450c42489815ef4bfa",
+ "zh:24096b2d16208d1411a58bdb8df8cd9f0558fb9054ffeb95c4e7e90a9a34f976",
+ "zh:2b27332adf8d08fbdc08b5f55e87691bce02c311219e6deb39c08753bd93db6d",
+ "zh:335dd6c2d50fcdce2ef0cc194465fdf9df1f5fdecc805804c78df30a4eb2e11e",
+ "zh:383a6879565969dbdf5405b651cd870c09c615dbd3df2554e5574d39d161c98c",
+ "zh:4903038a6bc605f372e1569695db4a2e2862e1fc6cf4faf9e13c5f8f4fa2ed94",
+ "zh:4cc4dffbee8b28102d38abe855b7440d4f4226261b43fda2ec289b48c3de1537",
+ "zh:57c30c6fe0b64fa86906700ceb1691562b62f2b1ef0404952aeb4092acb6acb3",
+ "zh:7bf518396fb00e4f55c406f2ffb5583b43278682a92f0864a0c47e3a74627bbb",
+ "zh:93c2c5cb90f74ad3c0874b7f7d8a866f28a852f0eda736c6aef8ce65d4061f4d",
+ "zh:9562a82a6193a2db110fb34d1aceeedb27c0a640058dce9c31b37b17eeb5f4e7",
+ "zh:ac97f2d111703a219f27fcbf5e89460ea98f9168badcc0913c8b214a37f76814",
+ "zh:c882af4d33b761ec198cedac212ab1c114d97540119dc97daca38021ab3edd0a",
+ "zh:c9ffd0a37f07a93af02a1caa90bfbea27a952d3e5badf4aab866ec71cdb184a3",
+ "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25",
+ ]
+}
diff --git a/.identity/00_data.tf b/.identity/00_data.tf
new file mode 100644
index 0000000..e3488ac
--- /dev/null
+++ b/.identity/00_data.tf
@@ -0,0 +1,17 @@
+data "github_organization_teams" "all" {
+ root_teams_only = true
+ summary_only = true
+}
+
+data "azurerm_key_vault" "domain_key_vault" {
+ name = local.kv_domain_name
+ resource_group_name = local.kv_domain_resource_group_name
+}
+
+#
+# Secrets
+#
+data "azurerm_key_vault_secret" "azuredevops_pat_github_action" {
+ name = "azuredevops-pat-github-action"
+ key_vault_id = data.azurerm_key_vault.domain_key_vault.id
+}
diff --git a/.identity/01_github_environment.tf b/.identity/01_github_environment.tf
new file mode 100644
index 0000000..b8953be
--- /dev/null
+++ b/.identity/01_github_environment.tf
@@ -0,0 +1,79 @@
+resource "github_repository_environment" "github_repository_environment" {
+ environment = var.env
+ repository = local.github.repository
+ # filter teams reviewers from github_organization_teams
+ # if reviewers_teams is null no reviewers will be configured for environment
+ dynamic "reviewers" {
+ for_each = (var.github_repository_environment.reviewers_teams == null || var.env_short != "p" ? [] : [1])
+ content {
+ teams = matchkeys(
+ data.github_organization_teams.all.teams.*.id,
+ data.github_organization_teams.all.teams.*.name,
+ var.github_repository_environment.reviewers_teams
+ )
+ }
+ }
+ deployment_branch_policy {
+ protected_branches = var.github_repository_environment.protected_branches
+ custom_branch_policies = var.github_repository_environment.custom_branch_policies
+ }
+}
+
+locals {
+ env_secrets = {
+ "TENANT_ID" : data.azurerm_client_config.current.tenant_id,
+ "SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id,
+ "AZUREDEVOPS_PAT" : data.azurerm_key_vault_secret.azuredevops_pat_github_action.value,
+ }
+ env_variables = {
+ }
+ repo_secrets = {
+ }
+ special_repo_secrets = {
+ }
+}
+
+###############
+# ENV Secrets #
+###############
+
+resource "github_actions_environment_secret" "github_environment_runner_secrets" {
+ for_each = local.env_secrets
+ repository = local.github.repository
+ environment = var.env
+ secret_name = each.key
+ plaintext_value = each.value
+}
+
+#################
+# ENV Variables #
+#################
+
+
+resource "github_actions_environment_variable" "github_environment_runner_variables" {
+ for_each = local.env_variables
+ repository = local.github.repository
+ environment = var.env
+ variable_name = each.key
+ value = each.value
+}
+
+#############################
+# Secrets of the Repository #
+#############################
+
+
+resource "github_actions_secret" "repo_secrets" {
+ for_each = local.repo_secrets
+ repository = local.github.repository
+ secret_name = each.key
+ plaintext_value = each.value
+}
+
+
+resource "github_actions_secret" "special_repo_secrets" {
+ for_each = local.special_repo_secrets
+ repository = local.github.repository
+ secret_name = each.value.key
+ plaintext_value = each.value.value
+}
diff --git a/.identity/99_main.tf b/.identity/99_main.tf
new file mode 100644
index 0000000..248479c
--- /dev/null
+++ b/.identity/99_main.tf
@@ -0,0 +1,32 @@
+terraform {
+ required_version = ">=1.3.0"
+
+ required_providers {
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "2.50.0"
+ }
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "3.116.0"
+ }
+ github = {
+ source = "integrations/github"
+ version = "6.3.0"
+ }
+ }
+
+ backend "azurerm" {}
+}
+
+provider "azurerm" {
+ features {}
+}
+
+provider "github" {
+ owner = "pagopa"
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
diff --git a/.identity/99_variables.tf b/.identity/99_variables.tf
new file mode 100644
index 0000000..f6f0124
--- /dev/null
+++ b/.identity/99_variables.tf
@@ -0,0 +1,48 @@
+locals {
+ github = {
+ org = "pagopa"
+ repository = "devops-java-springboot-color"
+ }
+
+ prefix = "dvopla"
+ domain = "diego"
+ location_short = "itn"
+ product = "${var.prefix}-${var.env_short}"
+
+ kv_domain_name = "dvopla-d-itn-diego-kv"
+ kv_domain_resource_group_name = "dvopla-d-itn-diego-sec-rg"
+
+}
+
+variable "env" {
+ type = string
+}
+
+variable "env_short" {
+ type = string
+}
+
+variable "prefix" {
+ type = string
+ default = "pagopa"
+ validation {
+ condition = (
+ length(var.prefix) <= 6
+ )
+ error_message = "Max length is 6 chars."
+ }
+}
+
+variable "github_repository_environment" {
+ type = object({
+ protected_branches = bool
+ custom_branch_policies = bool
+ reviewers_teams = list(string)
+ })
+ description = "GitHub Continuous Integration roles"
+ default = {
+ protected_branches = false
+ custom_branch_policies = true
+ reviewers_teams = ["pagopa-team-core"]
+ }
+}
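Review bot: `plaintext_value = each.value` in `github_actions_environment_secret.github_environment_runner_secrets` copies the Azure DevOps PAT read from Key Vault into the Terraform state, so the remote state in the `tfappdevopslab` backend now holds a live credential and needs the same access control as the vault it came from; a comment above the resource should say so, e.g. `# NOTE: secret values are persisted in the remote state - restrict access to the state storage account`. The `for_each` on `dynamic "reviewers"` also drops reviewers for every `env_short != "p"` environment, which is presumably intended for dev/uat but the comment above it only mentions the null case, so extend it with `# reviewers are only enforced on prod (env_short == "p")`. With the variable defaults (`protected_branches = false`, `custom_branch_policies = true`) no branch pattern is defined in this hunk, so which branches may deploy to the environment and read these secrets is left to whatever is configured outside Terraform; confirm that is intended for prod.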
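Review bot: `kv_domain_name` and `kv_domain_resource_group_name` are hard-coded to the `dvopla-d-itn-diego-*` names, so uat and prod (whose tfvars set `env_short` to `u` and `p`) read the PAT from the dev Key Vault, while the `prefix`, `domain`, `location_short` and `product` locals are computed but never used. If per-environment vaults exist, derive the names from those locals, e.g. `kv_domain_name = "${local.prefix}-${var.env_short}-${local.location_short}-${local.domain}-kv"` and the matching `-sec-rg` for the resource group; otherwise a comment should state that a single shared dev vault is intentional. Note also that `var.prefix` defaults to `pagopa` while `local.prefix` is `dvopla`, so `product` would not match the vault naming even if it were used.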
diff --git a/.identity/env/dev/backend.ini b/.identity/env/dev/backend.ini
new file mode 100644
index 0000000..a017021
--- /dev/null
+++ b/.identity/env/dev/backend.ini
@@ -0,0 +1 @@
+subscription=devopslab
diff --git a/.identity/env/dev/backend.tfvars b/.identity/env/dev/backend.tfvars
new file mode 100644
index 0000000..7841ea8
--- /dev/null
+++ b/.identity/env/dev/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfappdevopslab"
+container_name = "terraform-state"
+key = "devops-java-springboot-color-github-dev.tfstate"
diff --git a/.identity/env/dev/terraform.tfvars b/.identity/env/dev/terraform.tfvars
new file mode 100644
index 0000000..0502122
--- /dev/null
+++ b/.identity/env/dev/terraform.tfvars
@@ -0,0 +1,11 @@
+prefix = "pagopa"
+env = "dev"
+env_short = "d"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Dev"
+ Owner = "pagoPA"
+ Source = "https://github.com/pagopa/pagopa-payment-options-service"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+}
diff --git a/.identity/env/prod/backend.ini b/.identity/env/prod/backend.ini
new file mode 100644
index 0000000..a017021
--- /dev/null
+++ b/.identity/env/prod/backend.ini
@@ -0,0 +1 @@
+subscription=devopslab
diff --git a/.identity/env/prod/backend.tfvars b/.identity/env/prod/backend.tfvars
new file mode 100644
index 0000000..ba4b76f
--- /dev/null
+++ b/.identity/env/prod/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfappdevopslab"
+container_name = "terraform-state"
+key = "devops-java-springboot-color-github-prod.tfstate"
diff --git a/.identity/env/prod/terraform.tfvars b/.identity/env/prod/terraform.tfvars
new file mode 100644
index 0000000..45896fa
--- /dev/null
+++ b/.identity/env/prod/terraform.tfvars
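Review bot: `tags` is assigned in `env/dev/terraform.tfvars` but no `variable "tags"` is declared in the `.identity` module, so Terraform only warns about an undeclared variable and the block has no effect; either declare `variable "tags" { type = map(string) }` or drop the block (the prod and uat tfvars have the same block). The `Source` tag points to `pagopa-payment-options-service` rather than this repository (`devops-java-springboot-color`), which looks like a copy-paste leftover. `backend.ini` selects the `devopslab` subscription for dev, and the prod and uat copies select the same one, so prod state would live in the dev subscription; confirm that is intended.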
@@ -0,0 +1,11 @@
+prefix = "pagopa"
+env = "prod"
+env_short = "p"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Prod"
+ Owner = "pagoPA"
+ Source = "https://github.com/pagopa/pagopa-payment-options-service"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+}
diff --git a/.identity/env/uat/backend.ini b/.identity/env/uat/backend.ini
new file mode 100644
index 0000000..a017021
--- /dev/null
+++ b/.identity/env/uat/backend.ini
@@ -0,0 +1 @@
+subscription=devopslab
diff --git a/.identity/env/uat/backend.tfvars b/.identity/env/uat/backend.tfvars
new file mode 100644
index 0000000..a7e6752
--- /dev/null
+++ b/.identity/env/uat/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfappdevopslab"
+container_name = "terraform-state"
+key = "devops-java-springboot-color-github-uat.tfstate"
diff --git a/.identity/env/uat/terraform.tfvars b/.identity/env/uat/terraform.tfvars
new file mode 100644
index 0000000..1cf9feb
--- /dev/null
+++ b/.identity/env/uat/terraform.tfvars
@@ -0,0 +1,11 @@
+prefix = "pagopa"
+env = "uat"
+env_short = "u"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "Uat"
+ Owner = "pagoPA"
+ Source = "https://github.com/pagopa/pagopa-payment-options-service"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+}
diff --git a/.identity/terraform.sh b/.identity/terraform.sh
new file mode 100755
index 0000000..02fc806
--- /dev/null
+++ b/.identity/terraform.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+set -e
+
+ACTION=$1
+ENV=$2
+shift 2
+other="$@"
+# must be subscription in lower case
+subscription=""
+BACKEND_CONFIG_PATH="./env/${ENV}/backend.tfvars"
+
+if [ -z "$ACTION" ]; then
+ echo "[ERROR] Missed ACTION: init, apply, plan"
+ exit 0
+fi
+
+if [ -z "$ENV" ]; then
+ echo "[ERROR] ENV should be: dev, uat or prod."
+ exit 0
+fi
+
+#
+# 🏁 Source & init shell
+#
+
+# shellcheck source=/dev/null
+source "./env/$ENV/backend.ini"
+
+# Subscription set
+az account set -s "${subscription}"
+
+# if using cygwin, we have to transcode the WORKDIR
+if [[ $WORKDIR == /cygdrive/* ]]; then
+ WORKDIR=$(cygpath -w $WORKDIR)
+fi
+
+# Helm
+export HELM_DEBUG=1
+export TF_VAR_github_token="${GITHUB_TOKEN}"
+# TODO set your PAT TOKEN as env var
+if [ -z "$GITHUB_TOKEN" ]; then
+ echo "Error: Set an environment variable named GITHUB_TOKEN with your GitHub PAT Token"
+ exit 1
+fi
+
+#
+# 🌎 Terraform
+#
+if echo "init plan apply refresh import output state taint destroy" | grep -w "$ACTION" > /dev/null; then
+ if [ "$ACTION" = "init" ]; then
+ echo "[INFO] init tf on ENV: ${ENV}"
+ terraform "$ACTION" -backend-config="${BACKEND_CONFIG_PATH}" $other
+ elif [ "$ACTION" = "output" ] || [ "$ACTION" = "state" ] || [ "$ACTION" = "taint" ]; then
+ # init terraform backend
+ terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}"
+ terraform "$ACTION" $other
+ else
+ # init terraform backend
+ echo "[INFO] init tf on ENV: ${ENV}"
+ terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}"
+
+ echo "[INFO] run tf with: ${ACTION} on ENV: ${ENV} and other: >${other}<"
+ terraform "${ACTION}" -var-file="./env/${ENV}/terraform.tfvars" -compact-warnings $other
+ fi
+else
+ echo "[ERROR] ACTION not allowed."
+ exit 1
+fi
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..df43ce2
--- /dev/null
+++ b/.pre-commit-config.yaml
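Review bot: The two argument checks at the top exit with status 0 (`exit 0` after the `Missed ACTION` and `ENV should be` messages), so a caller or CI job sees success although nothing ran; make both `exit 1` like the other error paths in the script. `other="$@"` flattens the remaining arguments into one string and the unquoted `$other` on the three `terraform` lines re-splits it on whitespace, so any argument containing a space (a `-var` value, for instance) breaks; store them as an array, `other=("$@")`, and expand with `"${other[@]}"`. The `GITHUB_TOKEN` check runs only after `source` and `az account set` have already executed, so moving it above them fails faster; `$WORKDIR` on the `cygpath` line is also unquoted.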
@@ -0,0 +1,47 @@
+repos:
+ ## general
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.0.1
+ hooks:
+ # Common errors
+ - id: end-of-file-fixer
+ exclude_types: [sql]
+ - id: trailing-whitespace
+ args: [--markdown-linebreak-ext=md]
+ exclude_types: [sql]
+ - id: check-yaml
+ - id: check-executables-have-shebangs
+ # Cross platform
+ - id: check-case-conflict
+ - id: mixed-line-ending
+ args: [--fix=lf]
+ exclude_types: [sql]
+ # Security
+ - id: detect-aws-credentials
+ args: ['--allow-missing-credentials']
+ - id: detect-private-key
+ ## terraform
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.96.1
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_docs
+ args:
+ - --hook-config=--path-to-file=README.md # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
+ - --hook-config=--add-to-existing-file=true # Boolean. true or false
+ - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
+ - --args=--hide providers
+ # - id: terraform_tfsec
+ - id: terraform_validate
+ args:
+ - --init-args=-lockfile=readonly
+ - --args=-json
+ - --args=-no-color
+ - --args=-compact-warnings
+ # - id: terraform_providers_lock
+ # args:
+ # - --args=-platform=windows_amd64
+ # - --args=-platform=darwin_amd64
+ # - --args=-platform=darwin_arm64
+ # - --args=-platform=linux_amd64
+ # - --args=-platform=linux_arm64
diff --git a/force-release b/force-release
index bf6edd4..dcba252 100644
--- a/force-release
+++ b/force-release
@@ -1 +1 @@
-1634
\ No newline at end of file
+1634
diff --git a/src/main/java/it/pagopa/devops/springbootshowcase/MySystemLogs.java b/src/main/java/it/pagopa/devops/springbootshowcase/MySystemLogs.java
index c4c8d7a..48e9733 100644
--- a/src/main/java/it/pagopa/devops/springbootshowcase/MySystemLogs.java
+++ b/src/main/java/it/pagopa/devops/springbootshowcase/MySystemLogs.java
@@ -14,7 +14,7 @@ public void onStartup(ApplicationReadyEvent event) { } @EventListener - public void onShutdown(ContextStoppedEvent event) { + public void onShutdown(ContextStoppedEvent event) { System.out.println("⏾ Goodbye"); } } diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index ace0993..9e0d788 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -1,10 +1,10 @@ logging.level.org.springframework=DEBUG - + #output to a temp_folder/file logging.file=${java.io.tmpdir}/application.log - + # Logging pattern for the console logging.pattern.console= %d{yyyy-MM-dd HH:mm:ss} - %msg%n - + # Logging pattern for file logging.pattern.file= %d{yyyy-MM-dd HH:mm:ss} [%thread] %-5level %logger{36} - %msg% diff --git a/src/main/resources/logback-spring.xml b/src/main/resources/logback-spring.xml index 20e761e..895561d 100644 --- a/src/main/resources/logback-spring.xml +++ b/src/main/resources/logback-spring.xml @@ -31,7 +31,7 @@ - + diff --git a/src/main/resources/templates/indexTemplate.html b/src/main/resources/templates/indexTemplate.html index 0fad4ab..2f4d95f 100644 --- a/src/main/resources/templates/indexTemplate.html +++ b/src/main/resources/templates/indexTemplate.html @@ -13,14 +13,14 @@
- +





- +