diff --git a/.devops/code-review-pipelines.yml b/.devops/code-review-pipelines.yml
deleted file mode 100644
index ee63c66..0000000
--- a/.devops/code-review-pipelines.yml
+++ /dev/null
@@ -1,64 +0,0 @@ -# Maven -# Build your Java project and run tests with Apache Maven. -# Add steps that analyze code, save build artifacts, deploy, and more: -# https://docs.microsoft.com/azure/devops/pipelines/languages/java - -# Automatically triggered on PR -# https://docs.microsoft.com/en-us/azure/devops/pipelines/yaml-schema?view=azure-devops&tabs=schema%2Cparameter-schema#pr-trigger -trigger: - - main -pr: - - main - -pool: - vmImage: ubuntu-latest - -variables: - MAVEN_CACHE_FOLDER: $(Pipeline.Workspace)/.m2/repository - MAVEN_OPTS: '-Dmaven.repo.local=$(MAVEN_CACHE_FOLDER)' - -steps: - - task: Cache@2 - inputs: - key: 'maven | "$(Agent.OS)" | pom.xml' - restoreKeys: | - maven | "$(Agent.OS)" - maven - path: $(MAVEN_CACHE_FOLDER) - displayName: Cache Maven local repo - - - task: SonarCloudPrepare@1 - displayName: 'Prepare SonarCloud analysis configuration' - inputs: - SonarCloud: '$(SONARCLOUD_SERVICE_CONN)' - organization: '$(SONARCLOUD_ORG)' - scannerMode: Other - extraProperties: | - sonar.projectKey=$(SONARCLOUD_PROJECT_KEY) - sonar.projectName=$(SONARCLOUD_PROJECT_NAME) - sonar.coverage.exclusions=**/config/*,**/*Mock*,**/model/**,**/entity/* - sonar.cpd.exclusions=**/model/**,**/entity/* - - - - task: Maven@3 - displayName: 'Run Junit Test' - inputs: - mavenPomFile: 'pom.xml' - mavenOptions: '-Xmx3072m $(MAVEN_OPTS)' - mavenVersionOption: 'Default' - mavenAuthenticateFeed: false - javaHomeOption: 'JDKVersion' - jdkVersionOption: '1.11' - publishJUnitResults: true - testResultsFiles: '**/surefire-reports/TEST-*.xml' - goals: 'clean verify' - sonarQubeRunAnalysis: true - codeCoverageToolOption: 'JaCoCo' - effectivePomSkip: false - isJacocoCoverageReportXML: true - sqMavenPluginVersionChoice: 'latest' - - - task: SonarCloudPublish@1 - displayName: 'Publish SonarCloud results on build summary' - inputs: - pollingTimeoutSec: '300' diff --git a/.devops/deploy-pipelines.yml b/.devops/deploy-pipelines.yml deleted file mode 100644 index 51c57fc..0000000 
--- a/.devops/deploy-pipelines.yml
+++ /dev/null
@@ -1,308 +0,0 @@ -parameters: - - name: ENV - displayName: Target Environment - type: string - default: dev - values: - - dev - - uat - - prod - - name: SEMVER - displayName: "When packing a release, define the version bump to apply. Use only buildNumber or skip for manual deployment" - type: string - values: - - major - - minor - - patch - - buildNumber - - skip - default: skip - - name: TEST - displayName: Run integration tests - type: boolean - default: false - - name: "FORCE_REPLACE_DOCKER_IMAGE" - displayName: "Force the existing docker image to be replaced" - type: boolean - default: False - values: - - False - - True - -variables: - imageRepository: '$(IMAGE_REPOSITORY_NAME)' - - ${{ if eq(parameters['ENV'], 'dev') }}: - poolImage: 'pagopa-dev-linux' - AZURE_SUBSCRIPTION: $(DEV_AZURE_SUBSCRIPTION) - APP_NAME: $(DEV_WEB_APP_NAME) - STAGE: "d" - RESOURCE_GROUP: 'pagopa-d-weu-shared-rg' - CONTAINER_REGISTRY_SERVICE_CONN: $(DEV_CONTAINER_REGISTRY_SERVICE_CONN) - CONTAINER_NAMESPACE: $(DEV_CONTAINER_NAMESPACE) - # integration tests variables - COSMOSDB_URI: $(DEV_AUTH_COSMOS_URI) - COSMOSDB_KEY: $(DEV_AUTH_COSMOS_KEY) - INTEGRTEST_EXT_SUBSCRIPTION_KEY: $(DEV_INTEGRTEST_EXT_SUBSCRIPTION_KEY) - INTEGRTEST_VALID_SUBKEY: $(DEV_INTEGRTEST_VALID_SUBKEY) - INTEGRTEST_INVALID_SUBKEY: $(DEV_INTEGRTEST_INVALID_SUBKEY) - - ${{ if eq(parameters['ENV'], 'uat') }}: - poolImage: 'pagopa-uat-loadtest-linux' - AZURE_SUBSCRIPTION: $(UAT_AZURE_SUBSCRIPTION) - APP_NAME: $(UAT_WEB_APP_NAME) - STAGE: "u" - RESOURCE_GROUP: 'pagopa-u-weu-shared-rg' - CONTAINER_REGISTRY_SERVICE_CONN: $(UAT_CONTAINER_REGISTRY_SERVICE_CONN) - CONTAINER_NAMESPACE: $(UAT_CONTAINER_NAMESPACE) - # integration tests variables - COSMOSDB_URI: $(UAT_AUTH_COSMOS_URI) - COSMOSDB_KEY: $(UAT_AUTH_COSMOS_KEY) - INTEGRTEST_EXT_SUBSCRIPTION_KEY: $(UAT_INTEGRTEST_EXT_SUBSCRIPTION_KEY) - INTEGRTEST_VALID_SUBKEY: $(UAT_INTEGRTEST_VALID_SUBKEY) - INTEGRTEST_INVALID_SUBKEY: $(UAT_INTEGRTEST_INVALID_SUBKEY) - - ${{ if 
eq(parameters['ENV'], 'prod') }}: - poolImage: 'pagopa-prod-linux' - AZURE_SUBSCRIPTION: $(PROD_AZURE_SUBSCRIPTION) - APP_NAME: $(PROD_WEB_APP_NAME) - STAGE: "p" - RESOURCE_GROUP: 'pagopa-p-weu-shared-rg' - CONTAINER_REGISTRY_SERVICE_CONN: $(PROD_CONTAINER_REGISTRY_SERVICE_CONN) - CONTAINER_NAMESPACE: $(PROD_CONTAINER_NAMESPACE) - - ${{ if eq(variables['Build.SourceBranchName'], 'merge') }}: - SOURCE_BRANCH: "main" # force to main branch - ${{ if ne(variables['Build.SourceBranchName'], 'merge') }}: - SOURCE_BRANCH: ${{ variables['Build.SourceBranchName'] }} - - - - MAVEN_CACHE_FOLDER: $(Pipeline.Workspace)/.m2/repository - MAVEN_OPTS: "-Dmaven.repo.local=$(MAVEN_CACHE_FOLDER)" - title: "" - sha: "" - tag: "" - -# Only manual triggers -trigger: none -pr: none - -pool: - vmImage: ubuntu-latest - -resources: - repositories: - - repository: pagopaCommons - type: github - name: pagopa/azure-pipeline-templates - ref: refs/tags/v2.10.1 - endpoint: 'io-azure-devops-github-ro' - -stages: - - # Create a release on GitHub - - stage: Release - jobs: - - job: make_release - steps: - - checkout: self - clean: true - persistCredentials: true - - - ${{ if ne(parameters.SEMVER, 'skip') }}: - - template: templates/maven-github-release/template.yaml@pagopaCommons - parameters: - release_branch: $(SOURCE_BRANCH) - gitEmail: $(GIT_EMAIL) - gitUsername: $(GIT_USERNAME) - gitHubConnection: $(GITHUB_CONNECTION) - ${{ if ne(parameters.SEMVER, 'skip') }}: - semver: '${{ parameters.SEMVER }}' - ${{ if eq(parameters.SEMVER, 'skip') }}: - semver: 'buildNumber' # this case is impossible due to main condition, but it is necessary to work property - - - template: templates/maven-github-current-version/template.yaml@pagopaCommons - - # Build and Push Docker Image - - stage: Build - dependsOn: Release - variables: - current_version: $[ stageDependencies.Release.make_release.outputs['current_version.value'] ] - jobs: - - job: "build" - steps: - - checkout: self - persistCredentials: true - - - 
script: | - git checkout $(SOURCE_BRANCH) - displayName: Checkout and update branch - - - template: templates/docker-release/template.yaml@pagopaCommons - parameters: - CONTAINER_REGISTRY_SERVICE_CONN: $(CONTAINER_REGISTRY_SERVICE_CONN) - CONTAINER_REGISTRY_FQDN: $(CONTAINER_NAMESPACE) - DOCKER_IMAGE_NAME: $(imageRepository) - DOCKER_IMAGE_TAG: $(current_version) - FORCE_REPLACE_DOCKER_IMAGE: ${{ parameters.FORCE_REPLACE_DOCKER_IMAGE }} - - # Deploy on Azure - - stage: deploy - variables: - current_version: $[ stageDependencies.Release.make_release.outputs['current_version.value'] ] - condition: not(failed('releaseService')) - pool: - vmImage: "ubuntu-latest" - jobs: - - job: deployJava - steps: - - - script: | - echo ${{variables['Build.SourceBranchName']}} - echo $(SOURCE_BRANCH) - echo $(TEST) - - - checkout: self - clean: true - persistCredentials: true - submodules: true - - - script: | - echo "Checkout on $(SOURCE_BRANCH)" - git checkout $(SOURCE_BRANCH) - displayName: Checkout on source branch - - - task: Cache@2 - inputs: - key: 'maven | "$(Agent.OS)" | pom.xml' - restoreKeys: | - maven | "$(Agent.OS)" - maven - path: $(MAVEN_CACHE_FOLDER) - displayName: Set Maven Cache - - - task: Bash@3 - # When the maven task is installed, mvn can be used in a script - name: pomversion - inputs: - targetType: "inline" - script: | - version=$(mvn -f pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout) - echo "##vso[task.setvariable variable=next;isOutput=true]$version" - failOnStderr: true - - - task: Maven@3 - inputs: - mavenPomFile: 'pom.xml' - publishJUnitResults: false - javaHomeOption: 'JDKVersion' - jdkVersionOption: '1.11' - mavenVersionOption: 'Default' - mavenOptions: '-Xmx3072m $(MAVEN_OPTS)' - mavenAuthenticateFeed: false - effectivePomSkip: false - sonarQubeRunAnalysis: false - - # deploy function on dev/uat environment - - task: AzureFunctionAppContainer@1 - displayName: Deploy Function App [DEV|UAT] - condition: in('${{ parameters.ENV }}', 
'dev', 'uat') - inputs: - azureSubscription: $(AZURE_SUBSCRIPTION) - appName: "${{variables.APP_NAME}}-shared-authorizer-fn" - imageName: "${{variables.CONTAINER_NAMESPACE}}/${{ variables.imageRepository }}:latest" - slotName: production - resourceGroupName: $(RESOURCE_GROUP) - - # deploy function on production environment - - task: AzureFunctionAppContainer@1 - displayName: Deploy Function App [PROD] staging - condition: eq('${{ parameters.ENV }}', 'prod') - inputs: - azureSubscription: $(AZURE_SUBSCRIPTION) - appName: "${{variables.APP_NAME}}-shared-authorizer-fn" - imageName: "${{variables.CONTAINER_NAMESPACE}}/${{ variables.imageRepository }}:latest" - deployToSlotOrASE: true - slotName: staging - resourceGroupName: $(RESOURCE_GROUP) - - - script: | - echo "##vso[task.setvariable variable=version;isOutput=true]$(pomversion.next)" - name: dockerTag - - - stage: deployApprovalPROD - condition: eq('${{ parameters.ENV }}', 'prod') - dependsOn: deploy - pool: - vmImage: "ubuntu-latest" - jobs: - - job: waitForApprovalPROD - displayName: waiting for approval - pool: server - timeoutInMinutes: 4320 # 3 days - steps: - - task: ManualValidation@0 - displayName: Manual Approval - inputs: - onTimeout: "reject" - - - job: completeProdDeployFn - displayName: Complete function deploy on production environment - dependsOn: waitForApprovalPROD - steps: - # deploy functions - swap - - task: AzureAppServiceManage@0 - displayName: Swapping App Service Deploy - inputs: - ConnectedServiceName: $(AZURE_SUBSCRIPTION) - WebAppName: "${{variables.APP_NAME}}-shared-authorizer-fn" - ResourceGroupName: $(RESOURCE_GROUP) - SourceSlot: staging - SwapWithProduction: true - Slot: production - - # Run test - - stage: test - # run this stage only if 'test' is enabled and is not deploying in prod - condition: and(and(not(failed('deployJava')), eq('${{ parameters.TEST }}', 'true')), ne('${{ parameters.ENV }}', 'prod')) - - pool: - vmImage: "ubuntu-latest" - jobs: - # is needed to wait for startup 
of application - - job: waitStartup - pool: Server - steps: - - task: Delay@1 - inputs: - delayForMinutes: '5' - - - job: integrationTests - dependsOn: waitStartup - pool: - name: $(poolImage) - steps: - - checkout: self - persistCredentials: true - - - script: | - git checkout $(SOURCE_BRANCH) - git pull - displayName: Checkout and update branch - - - task: Docker@2 - displayName: "Docker login" - inputs: - containerRegistry: "$(CONTAINER_REGISTRY_SERVICE_CONN)" - command: "login" - - - script: | - cd ./integration-test - export COSMOSDB_URI=$(COSMOSDB_URI) - export COSMOSDB_KEY=$(COSMOSDB_KEY) - export INTEGRTEST_EXT_SUBSCRIPTION_KEY=$(INTEGRTEST_EXT_SUBSCRIPTION_KEY) - export INTEGRTEST_VALID_SUBKEY=$(INTEGRTEST_VALID_SUBKEY) - export INTEGRTEST_INVALID_SUBKEY=$(INTEGRTEST_INVALID_SUBKEY) - sh run_integration_test.sh ${{ parameters.ENV }} - displayName: Run integration test diff --git a/.github/workflows/release_deploy.yml b/.github/workflows/release_deploy.yml index 5d29b09..c84feb0 100644 --- a/.github/workflows/release_deploy.yml +++ b/.github/workflows/release_deploy.yml @@ -1,10 +1,8 @@ -name: Release And Deploy +name: Release And Deploy Azure Function # Controls when the workflow will run on: pull_request: - branches: - - main types: [ closed ] # Allows you to run this workflow manually from the Actions tab @@ -19,36 +17,15 @@ on: - uat - prod - all - semver: - required: true - type: choice - description: Select the new Semantic Version - options: - - major - - minor - - patch - - buildNumber - - skip - default: skip beta: required: false type: boolean - description: deploy beta version + description: deploy beta function version on Azure default: false - - workflow_call: - inputs: - environment: - required: true - type: string - semver: - required: true - type: string - default: skip - beta: + skip_release: required: false type: boolean - description: deploy beta version + description: skip the release. Only deploy default: false permissions: 
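Review bot: Dropping `branches: - main` from the `pull_request` trigger means a PR merged into any branch now starts this release-and-deploy workflow, not only a PR merged into main. The `pull request rejected` step added later only checks `merged`, not the target branch, and the setup job's `github.ref_name != 'main'` step suggests non-main runs are intended; if that is not the case, restore the filter, `branches: [ main ]`, or guard the deploy jobs with `if: github.ref_name == 'main'`.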
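Review bot: The `semver` input is removed here, but the `build-and-push` job in the later hunk at @@ -106 still gates on `if: ${{ inputs.semver != 'skip' }}`; with no such input that expression is always true, so the image is built and pushed even when the setup job resolved `SEMVER=skip` (for `prod` or `skip_release`). The setup job exposes its result as `needs.setup.outputs.semver`, so the condition should read `if: ${{ needs.setup.outputs.semver != 'skip' }}`. Removing the `workflow_call` trigger also breaks any other workflow that invoked this one; whether one exists is not visible from this diff.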
@@ -58,6 +35,8 @@ permissions:
 id-token: write
 actions: read
+env:
+ ENV_SHORT: ${{ (contains(github.event.inputs.environment,'dev') && 'd') || (contains(github.event.inputs.environment, 'uat') && 'u') || (contains(github.event.inputs.environment,'prod') && 'p') }}
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
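Review bot: `ENV_SHORT` is built from `github.event.inputs.environment`, which is absent on the `pull_request` runs this workflow now also serves, so it resolves to an empty string; the `Set env variables` step added in hunk @@ -140 then yields `RESOURCE_GROUP=pagopa--weu-shared-rg` and `APP_NAME=pagopa--weu-shared-authorizer-fn`. It also ignores the `dev` default the setup job applies and produces nothing for `all`. Since a workflow-level `env` cannot read `needs`, deriving these values inside `deploy_azure_fn` from `needs.setup.outputs.environment` would keep them consistent with the rest of the run.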
@@ -66,29 +45,45 @@ jobs: runs-on: ubuntu-latest outputs: semver: ${{ steps.get_semver.outputs.semver }} - environment: ${{ steps.output.outputs.environment }} + environment: ${{ steps.get_env.outputs.environment }} steps: - - name: Get semver - id: get_semver - uses: pagopa/github-actions-template/semver-setup@v1.3.0 + - name: pull request rejected + if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged != true + run: | + echo "❌ PR was closed without a merge" + exit 1 - - if: ${{ github.event.inputs.environment == null || github.event.inputs.environment == 'dev' }} - run: echo "ENVIRNOMENT=dev" >> $GITHUB_ENV + # Set Semvar + - run: echo "SEMVER=patch" >> $GITHUB_ENV - - if: ${{ github.event.inputs.environment == 'uat' }} - run: echo "ENVIRNOMENT=uat" >> $GITHUB_ENV + - if: ${{ (github.event.pull_request.merged && contains(github.event.pull_request.labels.*.name, 'breaking-change ')) }} + run: echo "SEMVER=major" >> $GITHUB_ENV - - if: ${{ github.event.inputs.environment == 'prod' }} - run: echo "ENVIRNOMENT=prod" >> $GITHUB_ENV + - if: ${{ inputs.environment == 'uat' }} + run: echo "SEMVER=minor" >> $GITHUB_ENV - - if: ${{ github.event.inputs.environment == 'all' }} - run: echo "ENVIRNOMENT=all" >> $GITHUB_ENV + - if: ${{ inputs.environment == 'prod' }} + run: echo "SEMVER=skip" >> $GITHUB_ENV - - id: output + - if: ${{ github.ref_name != 'main' }} + run: echo "SEMVER=buildNumber" >> $GITHUB_ENV + + - if: ${{ inputs.skip_release }} + run: echo "SEMVER=skip" >> $GITHUB_ENV + + - id: get_semver name: Set Output - run: | - echo "environment=${{env.ENVIRNOMENT}}" >> $GITHUB_OUTPUT + run: echo "semver=${{env.SEMVER}}" >> $GITHUB_OUTPUT + # Set Environment + - run: echo "ENVIRNOMENT=${{ inputs.environment}}" >> $GITHUB_ENV + + - if: ${{ inputs.environment == null }} + run: echo "ENVIRNOMENT=dev" >> $GITHUB_ENV + + - id: get_env + name: Set Output + run: echo "environment=${{env.ENVIRNOMENT}}" >> $GITHUB_OUTPUT 
release: name: Create a New Release @@ -106,28 +101,27 @@ jobs: beta: ${{ inputs.beta }} skip_ci: ${{ inputs.beta }} - image: + build-and-push: needs: [ setup, release ] name: Build and Push Docker Image runs-on: ubuntu-latest if: ${{ inputs.semver != 'skip' }} + environment: ${{ inputs.environment }} steps: - name: Build and Push id: semver - uses: pagopa/github-actions-template/ghcr-build-push@v1.4.1 + uses: pagopa/github-actions-template/ghcr-build-push@v1.5.4 with: + branch: ${{ github.ref_name}} github_token: ${{ secrets.GITHUB_TOKEN }} tag: ${{ needs.release.outputs.version }} deploy_azure_fn: name: Deploy Azure function + environment: ${{ inputs.environment }} needs: [ setup, release, build-and-push ] + runs-on: ubuntu-latest if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }} - env: - ENV_SHORT: ${{ (contains(github.event.inputs.environment,'dev') && 'd') || (contains(github.event.inputs.environment, 'uat') && 'u') || (contains(github.event.inputs.environment,'prod') && 'p') }} - RESOURCE_GROUP: 'pagopa-${{ env.ENV_SHORT }}-weu-shared-rg' - APP_NAME: 'pagopa-${{ env.ENV_SHORT }}-weu-shared-authorizer-fn' - REGISTRY_IMAGE: 'ghcr.io/pagopa/pagopa-platform-authorizer:${{needs.release.outputs.version}}' steps: - name: 'Checkout GitHub Action' @@ -140,6 +134,13 @@ jobs: tenant-id: ${{ secrets.TENANT_ID }} subscription-id: ${{ secrets.SUBSCRIPTION_ID }} + - name: Set env variables + run: | + echo "RESOURCE_GROUP=pagopa-${{env.ENV_SHORT}}-weu-shared-rg" >> $GITHUB_ENV + echo "APP_NAME=pagopa-${{env.ENV_SHORT}}-weu-shared-authorizer-fn" >> $GITHUB_ENV + echo "REGISTRY_IMAGE=ghcr.io/pagopa/pagopa-platform-authorizer:${{needs.release.outputs.version}}" >> $GITHUB_ENV + + - name: 'Azure CLI script: start staging slot' uses: azure/CLI@v1 if: ${{ contains(github.event.inputs.environment, 'prod') }} 
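Review bot: The label check in the setup job compares against `'breaking-change '` with a trailing space, so `contains(github.event.pull_request.labels.*.name, ...)` never matches a `breaking-change` label and SEMVER stays `patch` for merged breaking changes; change it to `contains(github.event.pull_request.labels.*.name, 'breaking-change')`. The SEMVER steps rely on last-write-wins ordering in `GITHUB_ENV`, so the `github.ref_name != 'main'` step overrides the `prod` → `skip` value unless `skip_release` is also set; a comment above `# Set Semvar` stating the intended precedence, e.g. `# precedence (last write wins): patch < major(label) < uat=minor < prod=skip < non-main=buildNumber < skip_release`, would make that deliberate. The `ENVIRNOMENT` misspelling is carried over into the new steps; `ENVIRONMENT` reads better. The hunk ends at the `release` job header, whose body is outside it.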
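Review bot: Both `build-and-push` and `deploy_azure_fn` set `environment: ${{ inputs.environment }}` directly, but on `pull_request` runs `inputs.environment` is empty, so no GitHub environment — and none of its protection rules, reviewers or environment-scoped secrets — applies to a deploy triggered by a merged PR; the setup job already resolves a default, so `environment: ${{ needs.setup.outputs.environment }}` would apply it consistently. The `ghcr-build-push@v1.5.4` reference is a mutable tag; pinning it to the commit SHA behind that tag (`@<commit-sha> # v1.5.4`) is the usual hardening for a step that receives `secrets.GITHUB_TOKEN`. With `always() && !contains(needs.*.result, 'failure')`, `deploy_azure_fn` also runs when `build-and-push` is skipped; whether `needs.release.outputs.version` then names an image tag that exists in the registry depends on the `release` job, which is outside this hunk.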
@@ -185,21 +186,21 @@ jobs:
 run: |
 az logout
-# notify:
-# needs: [ deploy ]
-# runs-on: ubuntu-latest
-# name: Notify
-# if: always()
-# steps:
-# - name: Report Status
-# if: always()
-# uses: ravsamhq/notify-slack-action@v2
-# with:
-# status: ${{ needs.deploy.result }}
-# token: ${{ secrets.GITHUB_TOKEN }}
-# notify_when: 'failure,skipped'
-# notification_title: '{workflow} has {status_message}'
-# message_format: '{emoji} <{workflow_url}|{workflow}> {status_message} in <{repo_url}|{repo}>'
-# footer: 'Linked to Repo <{repo_url}|{repo}>'
-# env:
-# SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+## notify:
+## needs: [ deploy ]
+## runs-on: ubuntu-latest
+## name: Notify
+## if: always()
+## steps:
+## - name: Report Status
+## if: always()
+## uses: ravsamhq/notify-slack-action@v2
+## with:
+## status: ${{ needs.deploy.result }}
+## token: ${{ secrets.GITHUB_TOKEN }}
+## notify_when: 'failure,skipped'
+## notification_title: '{workflow} has {status_message}'
+## message_format: '{emoji} <{workflow_url}|{workflow}> {status_message} in <{repo_url}|{repo}>'
+## footer: 'Linked to Repo <{repo_url}|{repo}>'
+## env:
+## SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.gitignore b/.gitignore
index e159f14..e72ef74 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,4 +46,5 @@ bin/
 **/application-azure.properties
 .cache_ggshield
 *azure.properties
-**/node_modules
\ No newline at end of file
+**/node_modules
+**/.terraform/
\ No newline at end of file
diff --git a/.identity/.terraform.lock.hcl b/.identity/.terraform.lock.hcl
new file mode 100644
index 0000000..8a81fd0
--- /dev/null
+++ b/.identity/.terraform.lock.hcl
@@ -0,0 +1,87 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azuread" { + version = "2.30.0" + constraints = "2.30.0" + hashes = [ + "h1:Uw4TcmJBEJ71h+oCwwidlkk5jFpyFRDPAFCMs/bT/cw=", + "h1:WnSPiREAFwnBUKREokMdHQ8Cjs47MzvS9pG8VS1ktec=", + "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", + "zh:2e62c193030e04ebb10cc0526119cf69824bf2d7e4ea5a2f45bd5d5fb7221d36", + "zh:2f3c7a35257332d68b778cefc5201a5f044e4914dd03794a4da662ddfe756483", + "zh:35d0d3a1b58fdb8b8c4462d6b7e7016042da43ea9cc734ce897f52a73407d9b0", + "zh:47ede0cd0206ec953d40bf4a80aa6e59af64e26cbbd877614ac424533dbb693b", + "zh:48c190307d4d42ea67c9b8cc544025024753f46cef6ea64db84735e7055a72da", + "zh:6fff9b2c6a962252a70a15b400147789ab369b35a781e9d21cce3804b04d29af", + "zh:7646980cf3438bff29c91ffedb74458febbb00a996638751fbd204ab1c628c9b", + "zh:77aa2fa7ca6d5446afa71d4ff83cb87b70a2f3b72110fc442c339e8e710b2928", + "zh:e20b2b2c37175b89dd0db058a096544d448032e28e3b56e2db368343533a9684", + "zh:eab175b1dfe9865ad9404dccb6d5542899f8c435095aa7c679314b811c717ce7", + "zh:efc862bd78c55d2ff089729e2a34c1831ab4b0644fc11b36ee4ebed00a4797ba", + ] +} + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.45.0" + constraints = "3.45.0" + hashes = [ + "h1:VQWxV5+qelZeUCjpdLvZ7iAom4RvG+fVVgK6ELvw/cs=", + "h1:gQLNY1I5e9kcle1p/VYEWb0eteQ/t5kUfnqVu2/GBNY=", + "zh:04c5dbb8845366ce5eb0dc2d55e151270cc2c0ace20993867fdae9af43b953ad", + "zh:2589585da615ccae341400d45d672ee3fae413fdd88449b5befeff12a85a44b2", + "zh:603869ed98fff5d9bf841a51afd9e06b628533c59356c8433aef4b15df63f5f7", + "zh:853fecab9c987b6772c8d9aa10362675f6c626b60ebc7118aa33ce91366fcc38", + "zh:979848c45e8e058862c36ba3a661457f7c81ef26ebb6634f479600de9c203d65", + "zh:9b512c8588ecc9c1b803b746a3a8517422561a918f0dfb0faaa707ed53ef1760", + "zh:a9601ffb58043426bcff1220662d6d137f0b2857a24f2dcf180aeac2c9cea688", + 
"zh:d52d2652328f0ed3ba202561d88cb9f43c174edbfaab1abf69f772125dbfe15e", + "zh:d92d91ca597c47f575bf3ae129f4b723be9b7dcb71b906ec6ec740fac29b1aaa", + "zh:ded73b730e4197b70fda9e83447c119f92f75dc37be3ff2ed45730c8f0348c28", + "zh:ec37ac332d50f8ca5827f97198346b0f8ecbf470e2e3ba1e027bb389d826b902", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.1" + hashes = [ + "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", + "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=", + "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", + "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", + "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", + "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", + "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", + "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", + "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", + "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", + "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", + "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", + ] +} + +provider "registry.terraform.io/integrations/github" { + version = "5.18.3" + constraints = "5.18.3" + hashes = [ + "h1:WbZvLB2qXKVoh4BvOOwFfEds+SZQrkINfSAWPnWFxGo=", + "h1:rv3mwpUeJ0n13sY+KZMI25WAVCSeipX4n8JMWKD1XcE=", + "zh:050b37d96628cb7451137755929ca8d21ea546bc46d11a715652584070e83ff2", + "zh:053051061f1b7f7673b0ceffac1f239ba28b0e5b375999206fd39976e85d9f2b", + "zh:0c300a977ca66d0347ed62bb116fd8fc9abb376a554d4c192d14f3ea71c83500", + "zh:1d5a1a5243eba78819d2f92ff2d504ebf9a9008a6670fb5f5660f44eb6a156d8", + 
"zh:a13ac15d251ebf4e7dc40acb0e40df066f443f4c7799186a29e2e44addc7d8e7", + "zh:a316d94b885953c036ebc9fba64a23da93974746bc3ac9d207462a6f02d44540", + "zh:a658a00373bff5979cc227052c693cbde8ca4c8f9fef1bc8094a3516f2e2a96d", + "zh:a7bfc6ad8465d5dc11b6f19d6805364de87fffe27622bb4f37da2319bb1c4956", + "zh:d7379a76861f1a6bfc36eca7a20f1f477711247563b105744d69d7bd1f365fad", + "zh:de1cd959fd4821248e8d21570601193408648474e74f49597f1d0c43185a4ab7", + "zh:e0b281240dd6f2aa405b2d6fe329bc15ab877161affe163fb150d1efca2fccdb", + "zh:e372c171358757a983d7aa878abfd05a84484fb4d22167e45c9c1267e78ed060", + "zh:f6d3116526030b3f6905f530cd6c04b23d42890d973fa2abe10ce9c89cb1db80", + "zh:f99eec731e03cc6a28996c875bd435887cd7ea75ec07cc77b9e768bb12da2227", + ] +} diff --git a/.identity/00_data.tf b/.identity/00_data.tf new file mode 100644 index 0000000..a85f720 --- /dev/null +++ b/.identity/00_data.tf 
@@ -0,0 +1,56 @@ +data "azurerm_storage_account" "tf_storage_account"{ + name = "pagopainfraterraform${var.env}" + resource_group_name = "io-infra-rg" +} + +data "azurerm_resource_group" "dashboards" { + name = "dashboards" +} + +data "azurerm_kubernetes_cluster" "aks" { + name = local.aks_cluster.name + resource_group_name = local.aks_cluster.resource_group_name +} + +data "github_organization_teams" "all" { + root_teams_only = true + summary_only = true +} + +data "azurerm_key_vault" "key_vault" { + name = "pagopa-${var.env_short}-kv" + resource_group_name = "pagopa-${var.env_short}-sec-rg" +} + +data "azurerm_key_vault" "domain_key_vault" { + name = "pagopa-${var.env_short}-${local.domain}-kv" + resource_group_name = "pagopa-${var.env_short}-${local.domain}-sec-rg" +} + +data "azurerm_resource_group" "shared_rg" { + name = "pagopa-${var.env_short}-weu-shared-rg" +} + +data "azurerm_resource_group" "apim_resource_group" { + name = "${local.product}-api-rg" +} + +data "azurerm_key_vault_secret" "key_vault_sonar" { + name = "sonar-token" + key_vault_id = data.azurerm_key_vault.key_vault.id +} + +data "azurerm_key_vault_secret" "key_vault_bot_token" { + name = "bot-token-github" + key_vault_id = data.azurerm_key_vault.key_vault.id +} + +data "azurerm_key_vault_secret" "key_vault_cucumber_token" { + name = "cucumber-token" + key_vault_id = data.azurerm_key_vault.key_vault.id +} + +data "azurerm_key_vault_secret" "key_vault_integration_test_subkey" { + name = "integration-test-subkey" + key_vault_id = data.azurerm_key_vault.key_vault.id +} \ No newline at end of file diff --git a/.identity/02_application_action.tf b/.identity/02_application_action.tf new file mode 100644 index 0000000..deca70c --- /dev/null +++ b/.identity/02_application_action.tf 
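Review bot: The four `azurerm_key_vault_secret` data sources (`sonar-token`, `bot-token-github`, `cucumber-token`, `integration-test-subkey`) read secret values that Terraform then keeps in plaintext in its state, so the backend on `tf_storage_account` must stay restricted to the pipeline identity; a header comment recording that, e.g. `# NOTE: the key_vault_secret data sources below land in terraform state in clear — keep the backend storage account access-restricted`, makes the constraint visible to the next reader. `data "azurerm_storage_account" "tf_storage_account"{` is missing the space before `{` that every other block in the file has. `local.aks_cluster`, `local.domain` and `local.product` are referenced but not declared here; presumably they live in a locals file elsewhere under `.identity/`.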
@@ -0,0 +1,102 @@ +module "github_runner_app" { + source = "git::https://github.com/pagopa/github-actions-tf-modules.git//app-github-runner-creator?ref=main" + + app_name = local.app_name + + subscription_id = data.azurerm_subscription.current.id + + github_org = local.github.org + github_repository = local.github.repository + github_environment_name = var.env + + container_app_github_runner_env_rg = local.container_app_environment.resource_group +} + +resource "null_resource" "github_runner_app_permissions_to_namespace" { + triggers = { + aks_id = data.azurerm_kubernetes_cluster.aks.id + service_principal_id = module.github_runner_app.client_id + namespace = local.domain + version = "v2" + } + + provisioner "local-exec" { + command = < /dev/null; then + if [ "$ACTION" = "init" ]; then + echo "[INFO] init tf on ENV: ${ENV}" + terraform "$ACTION" -backend-config="${BACKEND_CONFIG_PATH}" $other + elif [ "$ACTION" = "output" ] || [ "$ACTION" = "state" ] || [ "$ACTION" = "taint" ]; then + # init terraform backend + terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}" + terraform "$ACTION" $other + else + # init terraform backend + echo "[INFO] init tf on ENV: ${ENV}" + terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}" + + echo "[INFO] run tf with: ${ACTION} on ENV: ${ENV} and other: >${other}<" + terraform "${ACTION}" -var-file="./env/${ENV}/terraform.tfvars" -compact-warnings $other + fi +else + echo "[ERROR] ACTION not allowed." + exit 1 +fi \ No newline at end of file diff --git a/openapi/openapi.json b/openapi/openapi.json index 2de8d9a..2bc651a 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -2,7 +2,7 @@ "openapi": "3.0.1", "info": { "title": "OpenAPI definition - Enrolled EC", - "version": "0.2.1" + "version": "0.2.1-2-github-action-fix" }, "servers": [ { diff --git a/pom.xml b/pom.xml index 180b231..dbcf5a9 100644 --- a/pom.xml +++ b/pom.xml 
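Review bot: `module "github_runner_app"` pulls its source with `?ref=main`, a mutable branch of `pagopa/github-actions-tf-modules`; judging by its outputs (`client_id`) this module provisions the identity the GitHub runner authenticates with, so `ref` should be pinned to a tag or commit, `source = "git::https://github.com/pagopa/github-actions-tf-modules.git//app-github-runner-creator?ref=<tag-or-commit-sha>"`. The hunk text is garbled in this view: the `local-exec` heredoc after `command = <` is cut off and what follows reads as a separate shell wrapper (`terraform init -reconfigure -backend-config=...`) with no file header, so the rest of `null_resource.github_runner_app_permissions_to_namespace` could not be reviewed. In that shell fragment `$other` is left unquoted so it word-splits into extra arguments; a one-line comment saying so, `# $other is intentionally unquoted: it carries extra terraform arguments`, would save the next reader a question.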
@@ -5,7 +5,7 @@ it.gov.pagopa.authorizer platform-authorizer - 0.2.1 + 0.2.1-2-github-action-fix jar Azure Authorizer cache Fn