feat: [PAYMCLOUD-83]: new pipeline code review next core secrets (#361)

pagopa · Sep 20, 2024 · c439ecf · c439ecf
1 parent d418665
commit c439ecf
Show file tree

Hide file tree

Showing 5 changed files with 300 additions and 1 deletion.
diff --git a/azure-devops/iac/00_secrets_kv.tf b/azure-devops/iac/00_secrets_kv.tf
@@ -0,0 +1,62 @@
+#
+# pagopa KEYVAULT
+#
+
+module "dev_secrets" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query?ref=v7.48.0"
+
+  for_each = { for d in local.definitions : d.name => d if contains(d.envs, "d") && try(d.kv_name, "") != "" }
+
+  providers = {
+    azurerm = azurerm.dev
+  }
+
+  resource_group = format(each.value.rg_name, "d")
+  key_vault_name = format(each.value.kv_name, "d")
+
+  secrets = [
+    "pagopa-d-weu-dev-aks-azure-devops-sa-token",
+    "pagopa-d-weu-dev-aks-azure-devops-sa-cacrt",
+    "pagopa-d-weu-dev-aks-apiserver-url"
+  ]
+}
+
+module "uat_secrets" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query?ref=v7.48.0"
+
+  for_each = { for d in local.definitions : d.name => d if contains(d.envs, "u") && try(d.kv_name, "") != "" }
+
+  providers = {
+    azurerm = azurerm.uat
+  }
+
+  resource_group = format(each.value.rg_name, "u")
+  key_vault_name = format(each.value.kv_name, "u")
+
+
+  secrets = [
+    "pagopa-d-weu-uat-aks-azure-devops-sa-token",
+    "pagopa-d-weu-uat-aks-azure-devops-sa-cacrt",
+    "pagopa-d-weu-uat-aks-apiserver-url"
+  ]
+}
+
+module "prod_secrets" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query?ref=v7.48.0"
+
+  for_each = { for d in local.definitions : d.name => d if contains(d.envs, "p") && try(d.kv_name, "") != "" }
+
+  providers = {
+    azurerm = azurerm.prod
+  }
+
+  resource_group = format(each.value.rg_name, "p")
+  key_vault_name = format(each.value.kv_name, "p")
+
+
+  secrets = [
+    "pagopa-p-weu-prod-aks-azure-devops-sa-token",
+    "pagopa-d-weu-prod-aks-azure-devops-sa-cacrt",
+    "pagopa-d-weu-prod-aks-apiserver-url"
+  ]
+}
diff --git a/azure-devops/iac/04_iac.tf b/azure-devops/iac/04_iac.tf
@@ -0,0 +1,142 @@
+locals {
+  default_repository = {
+    organization   = "pagopa"
+    name           = "pagopa-infra"
+    branch_name    = "refs/heads/main"
+    pipelines_path = ".devops"
+  }
+
+  code_review_domains = [for d in local.definitions : d if d.code_review == true]
+  deploy_domains      = [for d in local.definitions : d if d.deploy == true]
+
+
+  base_iac_variables = {
+    tf_aks_dev_name  = var.aks_dev_platform_name
+    tf_aks_uat_name  = var.aks_uat_platform_name
+    tf_aks_prod_name = var.aks_prod_platform_name
+
+    TF_POOL_NAME_DEV  = "pagopa-dev-linux-infra",
+    TF_POOL_NAME_UAT  = "pagopa-uat-linux-infra",
+    TF_POOL_NAME_PROD = "pagopa-prod-linux-infra",
+    #PLAN
+    TF_AZURE_SERVICE_CONNECTION_PLAN_NAME_DEV  = module.DEV-AZURERM-IAC-PLAN-SERVICE-CONN.service_endpoint_name,
+    TF_AZURE_SERVICE_CONNECTION_PLAN_NAME_UAT  = module.UAT-AZURERM-IAC-PLAN-SERVICE-CONN.service_endpoint_name,
+    TF_AZURE_SERVICE_CONNECTION_PLAN_NAME_PROD = module.PROD-AZURERM-IAC-PLAN-SERVICE-CONN.service_endpoint_name,
+    #APPLY
+    TF_AZURE_SERVICE_CONNECTION_APPLY_NAME_DEV  = module.DEV-AZURERM-IAC-DEPLOY-SERVICE-CONN.service_endpoint_name,
+    TF_AZURE_SERVICE_CONNECTION_APPLY_NAME_UAT  = module.UAT-AZURERM-IAC-DEPLOY-SERVICE-CONN.service_endpoint_name,
+    TF_AZURE_SERVICE_CONNECTION_APPLY_NAME_PROD = module.PROD-AZURERM-IAC-DEPLOY-SERVICE-CONN.service_endpoint_name,
+  }
+
+  # code review vars
+  base_iac_variables_code_review = {}
+  # code review secrets
+  base_iac_variables_secret = {}
+  # deploy vars
+  base_iac_variables_deploy = {}
+  # deploy secrets
+  base_aca_iac_variables_secret_deploy = {}
+}
+
+
+##################################################
+# HOW TO DEFINE A PIPELINE FOR A NEW DOMAIN?     #
+# have a look at README.md                       #
+##################################################
+module "iac_code_review" {
+  source   = "git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_code_review?ref=v7.0.0"
+  for_each = { for d in local.code_review_domains : d.name => d }
+  path     = each.value.pipeline_path
+
+  project_id                   = azuredevops_project.project.id
+  repository                   = merge(local.default_repository, each.value.repository)
+  github_service_connection_id = azuredevops_serviceendpoint_github.azure-devops-github-pr.id
+
+  pipeline_name_prefix = each.value.pipeline_prefix
+
+  variables = merge(
+    local.base_iac_variables,
+    contains(each.value.envs, "d") && try(each.value.kv_name, "") != "" ? {
+      tf_dev_aks_apiserver_url         = module.dev_secrets[each.value.name].values["pagopa-d-weu-dev-aks-apiserver-url"].value,
+      tf_dev_aks_azure_devops_sa_cacrt = module.dev_secrets[each.value.name].values["pagopa-d-weu-dev-aks-azure-devops-sa-cacrt"].value,
+      tf_dev_aks_azure_devops_sa_token = base64decode(module.dev_secrets[each.value.name].values["pagopa-d-weu-dev-aks-azure-devops-sa-token"].value),
+    } : {},
+    contains(each.value.envs, "u") && try(each.value.kv_name, "") != "" ? {
+      tf_uat_aks_apiserver_url         = module.uat_secrets[each.value.name].values["pagopa-u-weu-uat-aks-apiserver-url"].value,
+      tf_uat_aks_azure_devops_sa_cacrt = module.uat_secrets[each.value.name].values["pagopa-u-weu-uat-aks-azure-devops-sa-cacrt"].value,
+      tf_uat_aks_azure_devops_sa_token = base64decode(module.uat_secrets[each.value.name].values["pagopa-u-weu-uat-aks-azure-devops-sa-token"].value),
+    } : {},
+    contains(each.value.envs, "p") && try(each.value.kv_name, "") != "" ? {
+      tf_prod_aks_apiserver_url         = module.prod_secrets[each.value.name].values["pagopa-p-weu-prod-aks-azure-devops-sa-cacrt"].value,
+      tf_prod_aks_azure_devops_sa_cacrt = module.prod_secrets[each.value.name].values["pagopa-p-weu-prod-aks-azure-devops-sa-cacrt"].value,
+      tf_prod_aks_azure_devops_sa_token = base64decode(module.prod_secrets[each.value.name].values["pagopa-p-weu-prod-aks-azure-devops-sa-token"].value),
+    } : {},
+    local.base_iac_variables_code_review,
+    try(local.definitions_variables[each.value.name].iac_variables_cr, {})
+  )
+
+  variables_secret = merge(
+    local.base_iac_variables_secret,
+    try(local.definitions_variables[each.value.name].iac_variables_secrets_cr, {})
+  )
+
+  service_connection_ids_authorization = [
+    azuredevops_serviceendpoint_github.azure-devops-github-ro.id,
+    module.DEV-AZURERM-IAC-PLAN-SERVICE-CONN.service_endpoint_id,
+    module.UAT-AZURERM-IAC-PLAN-SERVICE-CONN.service_endpoint_id,
+    module.PROD-AZURERM-IAC-PLAN-SERVICE-CONN.service_endpoint_id,
+  ]
+}
+
+##################################################
+# HOW TO DEFINE A PIPELINE FOR A NEW DOMAIN?     #
+# have a look at README.md                       #
+##################################################
+module "iac_deploy" {
+  source   = "git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_code_review?ref=v7.0.0"
+  for_each = { for d in local.deploy_domains : d.name => d }
+  path     = each.value.pipeline_path
+
+  project_id                   = azuredevops_project.project.id
+  repository                   = merge(local.default_repository, each.value.repository)
+  github_service_connection_id = azuredevops_serviceendpoint_github.azure-devops-github-pr.id
+
+  pipeline_name_prefix = each.value.pipeline_prefix
+
+  variables = merge(
+    local.base_iac_variables,
+    contains(each.value.envs, "d") && try(each.value.kv_name, "") != "" ? {
+      tf_dev_aks_apiserver_url         = module.dev_secrets[each.value.name].values["pagopa-d-weu-dev-aks-apiserver-url"].value,
+      tf_dev_aks_azure_devops_sa_cacrt = module.dev_secrets[each.value.name].values["pagopa-d-weu-dev-aks-azure-devops-sa-cacrt"].value,
+      tf_dev_aks_azure_devops_sa_token = base64decode(module.dev_secrets[each.value.name].values["pagopa-d-weu-dev-aks-azure-devops-sa-token"].value),
+    } : {},
+    contains(each.value.envs, "u") && try(each.value.kv_name, "") != "" ? {
+      tf_uat_aks_apiserver_url         = module.uat_secrets[each.value.name].values["pagopa-u-weu-uat-aks-apiserver-url"].value,
+      tf_uat_aks_azure_devops_sa_cacrt = module.uat_secrets[each.value.name].values["pagopa-u-weu-uat-aks-azure-devops-sa-cacrt"].value,
+      tf_uat_aks_azure_devops_sa_token = base64decode(module.uat_secrets[each.value.name].values["pagopa-u-weu-uat-aks-azure-devops-sa-token"].value),
+    } : {},
+    contains(each.value.envs, "p") && try(each.value.kv_name, "") != "" ? {
+      tf_prod_aks_apiserver_url         = module.prod_secrets[each.value.name].values["pagopa-p-weu-prod-aks-azure-devops-sa-cacrt"].value,
+      tf_prod_aks_azure_devops_sa_cacrt = module.prod_secrets[each.value.name].values["pagopa-p-weu-prod-aks-azure-devops-sa-cacrt"].value,
+      tf_prod_aks_azure_devops_sa_token = base64decode(module.prod_secrets[each.value.name].values["pagopa-p-weu-prod-aks-azure-devops-sa-token"].value),
+    } : {},
+    local.base_iac_variables_deploy,
+    try(local.definitions_variables[each.value.name].iac_variables_deploy, {})
+  )
+
+  variables_secret = merge(
+    local.base_iac_variables_secret,
+    try(local.definitions_variables[each.value.name].iac_variables_secrets_deploy, {})
+  )
+
+  service_connection_ids_authorization = [
+    azuredevops_serviceendpoint_github.azure-devops-github-ro.id,
+    module.DEV-AZURERM-IAC-PLAN-SERVICE-CONN.service_endpoint_id,
+    module.UAT-AZURERM-IAC-PLAN-SERVICE-CONN.service_endpoint_id,
+    module.PROD-AZURERM-IAC-PLAN-SERVICE-CONN.service_endpoint_id,
+
+    module.DEV-AZURERM-IAC-DEPLOY-SERVICE-CONN.service_endpoint_id,
+    module.UAT-AZURERM-IAC-DEPLOY-SERVICE-CONN.service_endpoint_id,
+    module.PROD-AZURERM-IAC-DEPLOY-SERVICE-CONN.service_endpoint_id,
+  ]
+}
diff --git a/azure-devops/iac/99_locals.tf b/azure-devops/iac/99_locals.tf
@@ -0,0 +1,19 @@
+locals {
+  definitions = [
+    {
+      name : "next-core-secrets",
+      envs : ["d", "u", "p"],
+      kv_name : "",
+      rg_name : "",
+      code_review : true,
+      deploy : false,
+      pipeline_prefix : "next-core-secrets",
+      pipeline_path : "next-core-infra",
+      repository : {
+        yml_prefix_name : "next-core-secrets"
+      }
+    },
+  ]
+
+  definitions_variables = {}
+}
diff --git a/azure-devops/iac/README.md b/azure-devops/iac/README.md
@@ -1,4 +1,75 @@
 <!-- markdownlint-disable -->
+# IaC pipeline definition
+
+This module defines the iac pipelines (code review and deploy)
+
+The creation of pipeline definition is based on a configuration structure defined in `99_locals.tf` described below
+
+```hcl
+definitions =  [
+    {
+      name: "payhub",
+      envs: ["d"],
+      kv_name: "p4pa-%s-payhub-kv",
+      rg_name: "p4pa-%s-itn-payhub-sec-rg",
+      code_review: true,
+      deploy: true,
+      pipeline_prefix: "payhub-infra",
+      pipeline_path: "payhub-infrastructure",
+      repository: {
+        yml_prefix_name: "payhub"
+        branch_name     = "azdo-iac-pipelines"
+      }
+    },
+  ]
+
+  definitions_variables = {
+    payhub = {
+      iac_variables_cr: {},
+      iac_variables_secrets_cr: {},
+      iac_variables_deploy: {},
+      iac_variables_secrets_deploy: {}
+    }
+  }
+```
+
+## definitions
+The `definitions` section defines the definitions for which the pipelines definitions have to be created:
+
+- **name**: name of the domain
+- **envs**: list of environments (initials) in which the domain resource are available {`d`, `u`, `p`}. Used to avoid failures when a domain keyvault has not been created on a certain environment
+- **kv_name**: name of the domain keyvault. must contain the placeholder string `%s` in place of the environment; will be resolved at run time
+- **rg_name**: resource group name of the domain keyvault. must contain the placeholder string `%s` in place of the environment; will be resolved at run time
+- **code_review**: if true, enables the creation of the code review pipeline
+- **deploy**: if true, enables the creation of the deploy pipeline
+- **pipeline_prefix**: prefix assigned to the pipelines being created
+- **pipeline_path**: AZDO folder path in which the pipelines will be created
+- **repository**: overrides the default respository defined in `04_iac.tf`
+  - **yml_prefix_name**: REQUIRED. prefix used to identify this domain `yaml` files.
+    the default repository configuration is the following:
+```hcl
+default_repository = {
+    organization    = "pagopa"
+    name            = "p4pa-infra"
+    branch_name     = "refs/heads/main"
+    pipelines_path  = ".devops"
+  }
+```
+any field can be overwritten in the `repository` field
+
+To create pipelines for a new domain simply add the domain configuration to the list and apply the terraform configuration
+
+## definitions_variables
+
+If a definitions requires additional variables, they can be defined using the `definitions_variables` structure; it allows defining different variables and secrets for the code review (`cr`) and deploy pipelines
+
+the structure is the following:
+
+- **<definitions_name>**: matches the definitions name defined in `definitions`
+  - **iac_variables_cr**: variables for code review
+  - **iac_variables_secrets_cr**: secrets for code review
+  - **iac_variables_deploy**: variables for deploy
+  - **iac_variables_secrets_deploy**: secrets for deploy<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
@@ -44,6 +115,7 @@
 | <a name="module_bizevents_uat_secrets"></a> [bizevents\_uat\_secrets](#module\_bizevents\_uat\_secrets) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v7.48.0 |
 | <a name="module_canoneunico_iac_code_review"></a> [canoneunico\_iac\_code\_review](#module\_canoneunico\_iac\_code\_review) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_code_review | v7.0.0 |
 | <a name="module_canoneunico_iac_deploy"></a> [canoneunico\_iac\_deploy](#module\_canoneunico\_iac\_deploy) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_deploy | v7.0.0 |
+| <a name="module_dev_secrets"></a> [dev\_secrets](#module\_dev\_secrets) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v7.48.0 |
 | <a name="module_disaster_recovery"></a> [disaster\_recovery](#module\_disaster\_recovery) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_generic | v7.1.0 |
 | <a name="module_ecommerce_dev_secrets"></a> [ecommerce\_dev\_secrets](#module\_ecommerce\_dev\_secrets) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v7.48.0 |
 | <a name="module_ecommerce_iac_code_review"></a> [ecommerce\_iac\_code\_review](#module\_ecommerce\_iac\_code\_review) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_code_review | v7.0.0 |
@@ -64,8 +136,10 @@
 | <a name="module_gps_uat_secrets"></a> [gps\_uat\_secrets](#module\_gps\_uat\_secrets) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v7.48.0 |
 | <a name="module_iac_checkout_code_review"></a> [iac\_checkout\_code\_review](#module\_iac\_checkout\_code\_review) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_code_review | v7.0.0 |
 | <a name="module_iac_checkout_deploy"></a> [iac\_checkout\_deploy](#module\_iac\_checkout\_deploy) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_deploy | v7.0.0 |
+| <a name="module_iac_code_review"></a> [iac\_code\_review](#module\_iac\_code\_review) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_code_review | v7.0.0 |
 | <a name="module_iac_core_code_review"></a> [iac\_core\_code\_review](#module\_iac\_core\_code\_review) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_code_review | v7.0.0 |
 | <a name="module_iac_core_deploy"></a> [iac\_core\_deploy](#module\_iac\_core\_deploy) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_deploy | v7.0.0 |
+| <a name="module_iac_deploy"></a> [iac\_deploy](#module\_iac\_deploy) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_code_review | v7.0.0 |
 | <a name="module_iac_next_core_code_review"></a> [iac\_next\_core\_code\_review](#module\_iac\_next\_core\_code\_review) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_code_review | v7.0.0 |
 | <a name="module_iac_next_core_deploy"></a> [iac\_next\_core\_deploy](#module\_iac\_next\_core\_deploy) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_deploy | v7.0.0 |
 | <a name="module_iac_resource_switcher"></a> [iac\_resource\_switcher](#module\_iac\_resource\_switcher) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_resource_switcher | v7.0.0 |
@@ -93,6 +167,7 @@
 | <a name="module_printit_dev_secrets"></a> [printit\_dev\_secrets](#module\_printit\_dev\_secrets) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v8.13.0 |
 | <a name="module_printit_prod_secrets"></a> [printit\_prod\_secrets](#module\_printit\_prod\_secrets) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v8.13.0 |
 | <a name="module_printit_uat_secrets"></a> [printit\_uat\_secrets](#module\_printit\_uat\_secrets) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v8.13.0 |
+| <a name="module_prod_secrets"></a> [prod\_secrets](#module\_prod\_secrets) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v7.48.0 |
 | <a name="module_qi_dev_secrets"></a> [qi\_dev\_secrets](#module\_qi\_dev\_secrets) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v7.48.0 |
 | <a name="module_qi_iac_code_review"></a> [qi\_iac\_code\_review](#module\_qi\_iac\_code\_review) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_code_review | v7.0.0 |
 | <a name="module_qi_iac_deploy"></a> [qi\_iac\_deploy](#module\_qi\_iac\_deploy) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_deploy | v7.0.0 |
@@ -114,6 +189,7 @@
 | <a name="module_shared_iac_deploy"></a> [shared\_iac\_deploy](#module\_shared\_iac\_deploy) | git::https://github.com/pagopa/azuredevops-tf-modules.git//azuredevops_build_definition_deploy | v7.0.0 |
 | <a name="module_shared_prod_secrets"></a> [shared\_prod\_secrets](#module\_shared\_prod\_secrets) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v7.48.0 |
 | <a name="module_shared_uat_secrets"></a> [shared\_uat\_secrets](#module\_shared\_uat\_secrets) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v7.48.0 |
+| <a name="module_uat_secrets"></a> [uat\_secrets](#module\_uat\_secrets) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v7.48.0 |
 | <a name="module_wallet_dev_secrets"></a> [wallet\_dev\_secrets](#module\_wallet\_dev\_secrets) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v7.48.0 |
 | <a name="module_wallet_uat_secrets"></a> [wallet\_uat\_secrets](#module\_wallet\_uat\_secrets) | git::https://github.com/pagopa/terraform-azurerm-v3.git//key_vault_secrets_query | v7.48.0 |