Merge pull request #19 from pagopa/PAGOPA-763-reperibilita-opex-dashb…

…oard-alert-monitoring-servizio [PAGOPA-763] Opex Dashboard
pagopa · Mar 15, 2023 · 65d4e8a · 65d4e8a
2 parents 3a41ca9 + ef99ec2
commit 65d4e8a
Show file tree

Hide file tree

Showing 37 changed files with 582 additions and 4 deletions.
diff --git a/.github/workflows/create_dashboard.yaml b/.github/workflows/create_dashboard.yaml
@@ -55,9 +55,9 @@ jobs:
         # from https://github.com/Azure/login/commits/master
         uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
         with:
-          client-id: ${{ vars.CLIENT_ID }}
-          tenant-id: ${{ vars.TENANT_ID }}
-          subscription-id: ${{ vars.SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.CLIENT_ID }}
+          tenant-id: ${{ secrets.TENANT_ID }}
+          subscription-id: ${{ secrets.SUBSCRIPTION_ID }}
 
       # this action create a folder named /azure-dashboard
       - uses: pagopa/opex-dashboard-action@main
@@ -74,7 +74,7 @@ jobs:
         shell: bash
         run: |
           cd ./${TEMPLATE_DIR}
-          export ARM_CLIENT_ID="${{ vars.CLIENT_ID }}"
+          export ARM_CLIENT_ID="${{ secrets.CLIENT_ID }}"
           export ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
           export ARM_TENANT_ID=$(az account show --query tenantId --output tsv)
           export ARM_USE_OIDC=true

diff --git a/.gitignore b/.gitignore
@@ -36,3 +36,4 @@ hs_err_pid*
 scripts/*.pem
 *.pagopa
 *.DS_Store
+**/.terraform
diff --git a/.identity/.terraform.lock.hcl b/.identity/.terraform.lock.hcl
diff --git a/.identity/00_locals.tf b/.identity/00_locals.tf
@@ -0,0 +1,7 @@
+locals {
+  github = {
+    org        = "pagopa"
+    repository = "pagopa-node-forwarder"
+  }
+
+}
diff --git a/.identity/00_main.tf b/.identity/00_main.tf
@@ -0,0 +1,35 @@
+terraform {
+  required_version = ">=1.3.0"
+
+  required_providers {
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "2.30.0"
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.33.0"
+    }
+    github = {
+      source  = "integrations/github"
+      version = "5.12.0"
+    }
+  }
+
+  backend "azurerm" {}
+}
+
+provider "azurerm" {
+  features {}
+}
+
+provider "github" {
+  owner          = "pagopa"
+  write_delay_ms = "200"
+  read_delay_ms  = "200"
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
+
diff --git a/.identity/00_variables.tf b/.identity/00_variables.tf
@@ -0,0 +1,29 @@
+variable "env" {
+  type = string
+}
+
+variable "env_short" {
+  type = string
+}
+
+
+variable "github_repository_environment" {
+  type = object({
+    protected_branches     = bool
+    custom_branch_policies = bool
+    reviewers_teams        = list(string)
+  })
+  description = "GitHub Continuous Integration roles"
+  default     = {
+    protected_branches     = false
+    custom_branch_policies = true
+    reviewers_teams        = ["pagopa-tech"]
+  }
+
+}
+
+
+variable "k8s_kube_config_path_prefix" {
+  type    = string
+  default = "~/.kube"
+}
diff --git a/.identity/01_data.tf b/.identity/01_data.tf
@@ -0,0 +1,29 @@
+data "azurerm_storage_account" "tfstate_app" {
+  name                = "pagopainfraterraform${var.env}"
+  resource_group_name = "io-infra-rg"
+}
+
+data "azurerm_resource_group" "dashboards" {
+  name = "dashboards"
+}
+
+data "azurerm_key_vault" "key_vault" {
+  count  = var.env_short == "d" ? 1 : 0
+
+  name = "pagopa-${var.env_short}-kv"
+  resource_group_name = "pagopa-${var.env_short}-sec-rg"
+}
+
+data "azurerm_key_vault_secret" "key_vault_sonar" {
+  count  = var.env_short == "d" ? 1 : 0
+
+  name = "sonar-token"
+  key_vault_id = data.azurerm_key_vault.key_vault[0].id
+}
+
+data "azurerm_key_vault_secret" "key_vault_bot_token" {
+  count  = var.env_short == "d" ? 1 : 0
+
+  name = "bot-token-github"
+  key_vault_id = data.azurerm_key_vault.key_vault[0].id
+}
diff --git a/.identity/02_application_action.tf b/.identity/02_application_action.tf
@@ -0,0 +1,28 @@
+resource "azuread_application" "action" {
+  display_name = "github-${local.github.org}-${local.github.repository}-${var.env}"
+}
+
+resource "azuread_service_principal" "action" {
+  application_id = azuread_application.action.application_id
+}
+
+resource "azuread_application_federated_identity_credential" "environment" {
+  application_object_id = azuread_application.action.object_id
+  display_name          = "github-federated"
+  description           = "github-federated"
+  audiences             = ["api://AzureADTokenExchange"]
+  issuer                = "https://token.actions.githubusercontent.com"
+  subject               = "repo:${local.github.org}/${local.github.repository}:environment:${var.env}"
+}
+
+output "azure_action_client_id" {
+  value = azuread_service_principal.action.application_id
+}
+
+output "azure_action_application_id" {
+  value = azuread_service_principal.action.application_id
+}
+
+output "azure_action_object_id" {
+  value = azuread_service_principal.action.object_id
+}
diff --git a/.identity/02_application_action_auth.tf b/.identity/02_application_action_auth.tf
@@ -0,0 +1,17 @@
+resource "azurerm_role_assignment" "environment_terraform_subscription" {
+  scope                = data.azurerm_subscription.current.id
+  role_definition_name = "Reader"
+  principal_id         = azuread_service_principal.action.object_id
+}
+
+resource "azurerm_role_assignment" "environment_terraform_storage_account_tfstate_app" {
+  scope                = data.azurerm_storage_account.tfstate_app.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_service_principal.action.object_id
+}
+
+resource "azurerm_role_assignment" "environment_terraform_resource_group_dashboards" {
+  scope                = data.azurerm_resource_group.dashboards.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_service_principal.action.object_id
+}
diff --git a/.identity/02_application_master.tf b/.identity/02_application_master.tf
@@ -0,0 +1,28 @@
+resource "azuread_application" "master" {
+  display_name = "github-${local.github.org}-${local.github.repository}-master"
+}
+
+resource "azuread_service_principal" "master" {
+  application_id = azuread_application.master.application_id
+}
+
+resource "azuread_application_federated_identity_credential" "master" {
+  application_object_id = azuread_application.master.object_id
+  display_name          = "github-federated"
+  description           = "github-federated"
+  audiences             = ["api://AzureADTokenExchange"]
+  issuer                = "https://token.actions.githubusercontent.com"
+  subject               = "repo:${local.github.org}/${local.github.repository}:ref:refs/heads/main"
+}
+
+output "azure_master_client_id" {
+  value = azuread_service_principal.master.application_id
+}
+
+output "azure_master_application_id" {
+  value = azuread_service_principal.master.application_id
+}
+
+output "azure_master_object_id" {
+  value = azuread_service_principal.master.object_id
+}
diff --git a/.identity/02_application_master_auth.tf b/.identity/02_application_master_auth.tf
@@ -0,0 +1,17 @@
+resource "azurerm_role_assignment" "master_terraform_subscription" {
+  scope                = data.azurerm_subscription.current.id
+  role_definition_name = "Reader"
+  principal_id         = azuread_service_principal.master.object_id
+}
+
+resource "azurerm_role_assignment" "master_terraform_storage_account_tfstate_app" {
+  scope                = data.azurerm_storage_account.tfstate_app.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_service_principal.master.object_id
+}
+
+resource "azurerm_role_assignment" "master_terraform_resource_group_dashboards" {
+  scope                = data.azurerm_resource_group.dashboards.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_service_principal.master.object_id
+}
diff --git a/.identity/02_application_pullrequest.tf b/.identity/02_application_pullrequest.tf
@@ -0,0 +1,28 @@
+resource "azuread_application" "pullrequest" {
+  display_name = "github-${local.github.org}-${local.github.repository}-pullrequest"
+}
+
+resource "azuread_service_principal" "pullrequest" {
+  application_id = azuread_application.pullrequest.application_id
+}
+
+resource "azuread_application_federated_identity_credential" "pullrequest" {
+  application_object_id = azuread_application.pullrequest.object_id
+  display_name          = "github-federated"
+  description           = "github-federated"
+  audiences             = ["api://AzureADTokenExchange"]
+  issuer                = "https://token.actions.githubusercontent.com"
+  subject               = "repo:${local.github.org}/${local.github.repository}:pull_request"
+}
+
+output "azure_pullrequest_client_id" {
+  value = azuread_service_principal.pullrequest.application_id
+}
+
+output "azure_pullrequest_application_id" {
+  value = azuread_service_principal.pullrequest.application_id
+}
+
+output "azure_pullrequest_object_id" {
+  value = azuread_service_principal.pullrequest.object_id
+}
diff --git a/.identity/02_application_pullrequest_auth.tf b/.identity/02_application_pullrequest_auth.tf
@@ -0,0 +1,17 @@
+resource "azurerm_role_assignment" "pullrequest_terraform_subscription" {
+  scope                = data.azurerm_subscription.current.id
+  role_definition_name = "Reader"
+  principal_id         = azuread_service_principal.pullrequest.object_id
+}
+
+resource "azurerm_role_assignment" "pullrequest_terraform_storage_account_tfstate_app" {
+  scope                = data.azurerm_storage_account.tfstate_app.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_service_principal.pullrequest.object_id
+}
+
+resource "azurerm_role_assignment" "pullrequest_terraform_resource_group_dashboards" {
+  scope                = data.azurerm_resource_group.dashboards.id
+  role_definition_name = "Reader"
+  principal_id         = azuread_service_principal.pullrequest.object_id
+}