From cb11242269df126f4102383437a60749eb720488 Mon Sep 17 00:00:00 2001 
From: Andrea Grillo Date: Fri, 9 Feb 2024 18:14:08 +0100 Subject: [PATCH] [EC-138] Add Terraform configuration to manage repository settings (#253) --- .github/workflows/opex_api.yml | 17 +--- .github/workflows/opex_api_pnpg.yml | 17 +--- .github/workflows/pr_ms.yml | 37 ++++++++ .github/workflows/release_ms.yml | 46 ++++++++++ .github/workflows/release_open_api.yml | 3 +- .gitignore | 11 ++- .identity/.terraform-version | 1 - .identity/.terraform.lock.hcl | 64 -------------- .identity/00_data.tf | 14 --- .identity/03_github_environment.tf | 107 ---------------------- .identity/99_main.tf | 32 ------- .identity/99_outputs.tf | 7 -- .identity/99_variables.tf | 66 -------------- .identity/env/prod/backend.ini | 1 - .identity/env/prod/backend.tfvars | 4 - .identity/env/prod/terraform.tfvars | 20 ----- .identity/terraform.sh | 69 --------------- .pre-commit-config.yaml | 10 +++ .terraform-version | 1 + Dockerfile.new | 20 +++++ Dockerfile.new.dockerignore | 117 +++++++++++++++++++++++++ infra/repository/.terraform.lock.hcl | 50 +++++++++++ infra/repository/README.md | 43 +++++++++ infra/repository/backend.tfvars | 4 + infra/repository/main.tf | 17 ++++ pom.xml | 1 + 26 files changed, 363 insertions(+), 416 deletions(-) create mode 100644 .github/workflows/pr_ms.yml create mode 100644 .github/workflows/release_ms.yml delete mode 100644 .identity/.terraform-version delete mode 100644 .identity/.terraform.lock.hcl delete mode 100644 .identity/00_data.tf delete mode 100644 .identity/03_github_environment.tf delete mode 100644 .identity/99_main.tf delete mode 100644 .identity/99_outputs.tf delete mode 100644 .identity/99_variables.tf delete mode 100644 .identity/env/prod/backend.ini delete mode 100644 .identity/env/prod/backend.tfvars delete mode 100644 .identity/env/prod/terraform.tfvars delete mode 100755 .identity/terraform.sh create mode 100644 .pre-commit-config.yaml create mode 100644 .terraform-version create mode 100644 Dockerfile.new create mode 100644 
Dockerfile.new.dockerignore create mode 100644 infra/repository/.terraform.lock.hcl create mode 100644 infra/repository/README.md create mode 100644 infra/repository/backend.tfvars create mode 100644 infra/repository/main.tf diff --git a/.github/workflows/opex_api.yml b/.github/workflows/opex_api.yml index 187909fe..9ee45646 100644 --- a/.github/workflows/opex_api.yml +++ b/.github/workflows/opex_api.yml @@ -1,6 +1,5 @@ name: Opex Dashboard B4f Onboarding -# Controls when the workflow will run on: push: branches: @@ -12,10 +11,6 @@ on: env: TEMPLATE_DIR: azure-dashboard - ARM_USE_OIDC: true - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_CD }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} API_NAME: api-selfcare-onboarding DOCKER_IMAGE_TAG: sha256:04d8ead53c772d23b094c2a395292dc159e6f2905e1b13b5f828f31eac6eb27f @@ -23,19 +18,14 @@ permissions: id-token: write contents: read -# A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: build: - # The type of runner that the job will run on runs-on: ubuntu-22.04 - environment: 'prod-cd' - # Steps represent a sequence of tasks that will be executed as part of the job steps: - name: Checkout id: checkout - # from https://github.com/actions/checkout/commits/main uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: persist-credentials: false @@ -48,7 +38,6 @@ jobs: echo "TERRAFORM_VERSION=`cat .terraform-version`" >> $GITHUB_ENV - name: Setup Terraform - # from https://github.com/hashicorp/setup-terraform/commits/main uses: hashicorp/setup-terraform@69c00852f1304c321337f45a105731218c2d5544 with: terraform_version: ${{ env.TERRAFORM_VERSION }} 
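Review bot: Dropping `environment: 'prod-cd'` from the `build` job changes the OIDC token this job presents to Azure while `id-token: write` is kept, so the federated credential has to be re-issued to match. The `.identity/env/prod/terraform.tfvars` deleted in this same patch federated the CD identity on subject `prod-cd` at environment scope; a push-triggered job with no environment instead gets a subject of the form `repo:pagopa/selfcare-onboarding-backend:ref:refs/heads/main`, which that credential will not match. The job also loses the reviewer gate that the deleted `03_github_environment.tf` attached to `prod-cd` outside dev. If the replacement identity now lives in the `selfcare-commons` module, confirm it federates on the branch-ref subject, or restore `environment: prod` on this job and federate on that.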
@@ -58,7 +47,7 @@ jobs: environment: prod api-name: ${{ env.API_NAME }} config: .opex/${{ env.API_NAME }}/env/prod/config.yaml - client-id: ${{ secrets.AZURE_CLIENT_ID_CD }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ secrets.ARM_CLIENT_ID }} + tenant-id: ${{ vars.ARM_TENANT_ID }} + subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} docker-version: ${{ env.DOCKER_IMAGE_TAG }} diff --git a/.github/workflows/opex_api_pnpg.yml b/.github/workflows/opex_api_pnpg.yml index 82c5e98f..a7eb2d38 100644 --- a/.github/workflows/opex_api_pnpg.yml +++ b/.github/workflows/opex_api_pnpg.yml @@ -1,6 +1,5 @@ name: Opex Dashboard B4f Onboarding PNPG -# Controls when the workflow will run on: push: branches: @@ -12,10 +11,6 @@ on: env: TEMPLATE_DIR: azure-dashboard - ARM_USE_OIDC: true - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_CD }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} API_NAME: api-selfcare-onboarding-pnpg DOCKER_IMAGE_TAG: sha256:04d8ead53c772d23b094c2a395292dc159e6f2905e1b13b5f828f31eac6eb27f @@ -23,19 +18,14 @@ permissions: id-token: write contents: read -# A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: build: - # The type of runner that the job will run on runs-on: ubuntu-22.04 - environment: 'prod-cd' - # Steps represent a sequence of tasks that will be executed as part of the job steps: - name: Checkout id: checkout - # from https://github.com/actions/checkout/commits/main uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: persist-credentials: false @@ -48,7 +38,6 @@ jobs: echo "TERRAFORM_VERSION=`cat .terraform-version`" >> $GITHUB_ENV - name: Setup Terraform - # from https://github.com/hashicorp/setup-terraform/commits/main uses: hashicorp/setup-terraform@69c00852f1304c321337f45a105731218c2d5544 with: terraform_version: ${{ env.TERRAFORM_VERSION }} 
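Review bot: `client-id: ${{ secrets.ARM_CLIENT_ID }}`, `vars.ARM_TENANT_ID` and `vars.ARM_SUBSCRIPTION_ID` are referenced here, but nothing in this patch creates them — the Terraform that provisioned the previous `AZURE_CLIENT_ID_CD`/`AZURE_TENANT_ID`/`AZURE_SUBSCRIPTION_ID` secrets is deleted and the new `infra/repository` stack delegates everything to a `selfcare-commons` module whose contents are not visible. An unset secret or variable expands to an empty string rather than failing the run, so a missing value surfaces only as an opaque login error inside the dashboard action. Add a guard step before it, e.g. `run: test -n "${{ secrets.ARM_CLIENT_ID }}" && test -n "${{ vars.ARM_SUBSCRIPTION_ID }}" || { echo "ARM_* not configured" >&2; exit 1; }`, or confirm the commons module provisions exactly these names. Moving tenant and subscription IDs to repository variables is fine; they are identifiers, not credentials.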
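Review bot: The `build` job in `opex_api_pnpg.yml` likewise drops `environment: 'prod-cd'` while keeping `id-token: write`, so the same federated-credential subject mismatch applies: the deleted `.identity` tfvars federated only the `prod-cd` environment subject, and a push-triggered job without an environment presents a `ref:refs/heads/...` subject instead. The `prod-cd` reviewer gate is lost for this deployment as well. Confirm the replacement identity is federated on the new subject, or keep an environment on this job.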
@@ -58,7 +47,7 @@ jobs: environment: prod api-name: ${{ env.API_NAME }} config: .opex/${{ env.API_NAME }}/env/prod/config.yaml - client-id: ${{ secrets.AZURE_CLIENT_ID_CD }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ secrets.ARM_CLIENT_ID }} + tenant-id: ${{ vars.ARM_TENANT_ID }} + subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} docker-version: ${{ env.DOCKER_IMAGE_TAG }} diff --git a/.github/workflows/pr_ms.yml b/.github/workflows/pr_ms.yml new file mode 100644 index 00000000..af1be6fb --- /dev/null +++ b/.github/workflows/pr_ms.yml @@ -0,0 +1,37 @@ +name: Code Review onboarding-backend +on: + workflow_dispatch: + + pull_request: + types: + - synchronize + - reopened + - ready_for_review + paths: + - '.github/workflows/pr_ms.yml' + - '.github/workflows/release_ms.yml' + - '.github/workflows/release_ms_pnpg.yml' + - '!.devops/**' + - '!helm/**' + - '!**.md' + - '!**ignore' + - '!infra/**' + - '!.terraform-version' + - '!CODEOWNERS' + +jobs: + + code_review: + uses: pagopa/selfcare-commons/.github/workflows/call_code_review_spring.yml@EC-149-template-git-hub-workflows + name: 'Code Review' + secrets: inherit + if: github.base_ref == 'main' && github.event_name == 'pull_request' + with: + pr_number: ${{ github.event.pull_request.number }} + source_branch: ${{ github.head_ref }} + target_branch: ${{ github.base_ref }} + sonar_key: 'pagopa_selfcare-onboarding-backend' + + docker_build: + uses: pagopa/selfcare-commons/.github/workflows/call_code_review_docker.yml@EC-149-template-git-hub-workflows + name: 'Docker' \ No newline at end of file diff --git a/.github/workflows/release_ms.yml b/.github/workflows/release_ms.yml new file mode 100644 index 00000000..206ea052 --- /dev/null +++ b/.github/workflows/release_ms.yml 
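Review bot: Both jobs pull reusable workflows from `selfcare-commons` at the mutable branch ref `@EC-149-template-git-hub-workflows`, and `code_review` passes `secrets: inherit` to it, so whoever can push to that branch in the other repository runs arbitrary steps with every secret of this repository. Pin the ref to a commit SHA (or at minimum a release tag) once the template lands, e.g. `uses: pagopa/selfcare-commons/.github/workflows/call_code_review_spring.yml@<sha>`. Separately, the `paths` filter has only the three workflow files as positive patterns, so a change to Java sources or `pom.xml` matches nothing and the review never runs on the PRs it is meant for; replace the three positive entries with `'**'` (or drop `paths` and express the exclusions with `paths-ignore`). The `types` list also omits `opened`, so a freshly opened PR is not reviewed until its next push.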
@@ -0,0 +1,46 @@ +name: Release ms-onboarding-backend + +on: + workflow_dispatch: + + push: + branches: + - main + - releases/* + paths: + - '!.devops/**' + - '!helm/**' + - '!**.md' + - '!**ignore' + - '!infra/**' + - '!.terraform-version' + - '!CODEOWNERS' + +jobs: + + release_dev: + uses: pagopa/selfcare-commons/.github/workflows/call_release_docker.yml@EC-149-template-git-hub-workflows + name: '[Dev] OnboardingBackend ms Release' + if: startsWith(github.ref_name, 'releases/') != true + secrets: inherit + with: + environment: dev + dir: 'infra' + + release_uat: + uses: pagopa/selfcare-commons/.github/workflows/call_release_docker.yml@EC-149-template-git-hub-workflows + name: '[UAT] OnboardingBackend ms Release' + if: startsWith(github.ref_name, 'releases/') + secrets: inherit + with: + environment: uat + dir: 'infra' + + release_prod: + uses: pagopa/selfcare-commons/.github/workflows/call_release_docker.yml@EC-149-template-git-hub-workflows + name: '[Prod] OnboardingBackend ms Release' + if: startsWith(github.ref_name, 'releases/') + secrets: inherit + with: + environment: prod + dir: 'infra' \ No newline at end of file diff --git a/.github/workflows/release_open_api.yml b/.github/workflows/release_open_api.yml index ec5a597b..ed98ee78 100644 --- a/.github/workflows/release_open_api.yml +++ b/.github/workflows/release_open_api.yml @@ -4,14 +4,13 @@ on: branches: - release-dev types: [ opened, synchronize, reopened ] - workflow_dispatch: #allow to run github action manually + workflow_dispatch: permissions: contents: write jobs: build: runs-on: ubuntu-latest permissions: write-all - #if: github.event.pull_request.merged == true steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: Set up JDK 17 diff --git a/.gitignore b/.gitignore index 82f0672b..c6501a05 100644 --- a/.gitignore +++ b/.gitignore 
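Review bot: The `paths` list under the `push` trigger contains only negated patterns, and a `!` entry only subtracts from an earlier positive pattern, so as written the filter most likely never matches and nothing is released on push; use `paths-ignore` for these exclusions, or put `'**'` before them. `release_prod` has no `needs: release_uat`, so a push to `releases/*` deploys UAT and production concurrently and a UAT failure does not stop the production rollout; add `needs: release_uat` to `release_prod`. As in `pr_ms.yml`, all three jobs use `secrets: inherit` with the called workflow pinned to a feature branch rather than a SHA. Whether the production job is gated by environment reviewers depends on `call_release_docker.yml` honouring the `environment: prod` input, which is not visible here.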
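Review bot: The `build` job keeps `permissions: write-all` on a `pull_request`-triggered workflow, and this hunk removes the commented `merged == true` guard that was the only hint of restricting when it runs, so any same-repository PR against `release-dev` executes with a fully privileged `GITHUB_TOKEN`. The workflow-level block already declares `contents: write`; drop the job-level `permissions: write-all` (or list only the scopes the steps need), since a job-level block replaces rather than extends the workflow-level one. The remaining steps of the job fall outside this hunk, so I cannot tell which scopes they actually require.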
@@ -40,4 +40,13 @@ build/ ### VS Code ### .vscode/ -.DS_Store \ No newline at end of file +.DS_Store + +**/.terraform/* +*.tfstate +*.tfstate.* +**/.tfsec/* +override.tf +override.tf.json +*_override.tf +*_override.tf.json \ No newline at end of file diff --git a/.identity/.terraform-version b/.identity/.terraform-version deleted file mode 100644 index ec70f755..00000000 --- a/.identity/.terraform-version +++ /dev/null @@ -1 +0,0 @@ -1.6.6 diff --git a/.identity/.terraform.lock.hcl b/.identity/.terraform.lock.hcl deleted file mode 100644 index 06e38ff8..00000000 --- a/.identity/.terraform.lock.hcl +++ /dev/null 
@@ -1,64 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azuread" { - version = "2.30.0" - constraints = "2.30.0" - hashes = [ - "h1:WnSPiREAFwnBUKREokMdHQ8Cjs47MzvS9pG8VS1ktec=", - "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:2e62c193030e04ebb10cc0526119cf69824bf2d7e4ea5a2f45bd5d5fb7221d36", - "zh:2f3c7a35257332d68b778cefc5201a5f044e4914dd03794a4da662ddfe756483", - "zh:35d0d3a1b58fdb8b8c4462d6b7e7016042da43ea9cc734ce897f52a73407d9b0", - "zh:47ede0cd0206ec953d40bf4a80aa6e59af64e26cbbd877614ac424533dbb693b", - "zh:48c190307d4d42ea67c9b8cc544025024753f46cef6ea64db84735e7055a72da", - "zh:6fff9b2c6a962252a70a15b400147789ab369b35a781e9d21cce3804b04d29af", - "zh:7646980cf3438bff29c91ffedb74458febbb00a996638751fbd204ab1c628c9b", - "zh:77aa2fa7ca6d5446afa71d4ff83cb87b70a2f3b72110fc442c339e8e710b2928", - "zh:e20b2b2c37175b89dd0db058a096544d448032e28e3b56e2db368343533a9684", - "zh:eab175b1dfe9865ad9404dccb6d5542899f8c435095aa7c679314b811c717ce7", - "zh:efc862bd78c55d2ff089729e2a34c1831ab4b0644fc11b36ee4ebed00a4797ba", - ] -} - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.86.0" - constraints = "<= 3.86.0" - hashes = [ - "h1:y+kGEfUoR81RNTeJkcohwvFtIyS3c/VxIjwN6cT9lCk=", - "zh:10473870b663b3becca1127687ed0d002d61f417c279e7daac546d265ff1f3db", - "zh:1dfe2446d7530cd082f817a8d37ec9fb0260b275085978bd81ba0e8167aa6f7c", - "zh:31712a4d9727a5970354eb3c26b4d6dc45b5103c6599cb97c2bd3f9915062baf", - "zh:51dcb102e17e49d675d6865f1ca9eaa8a2aa566ba56a93bb77aab703112d1de5", - "zh:54d5053cd88ed99e804c7b4d72f91ec1bab5fe8b6769db5c120d60b5e6a653dc", - "zh:58388274d406a55c84199d1a22b8143b47321b7b508a18ddeed9e824a864cb5d", - "zh:7b8afa8d62431512197aa5aed4e902b06bce3f8362d6ddf2c841e03c2658f4a7", - "zh:b7d3c1e8bfdd4e099e174724be41cdbc916868a7ca637bcf8682a57ef3453f7f", - 
"zh:ea0cc2751ef9a15b48e42d6ae62f4329c567335e348f57e577ce727d8167c29f", - "zh:f3a48fdf58a34deae9221923f30112b18ce1ab6cabb46d6c38e1a3234340cfd0", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:fbd1d24b6bc67d5c370f2a3934da70ea3b93d612fe83b71e0dae592b48d030ce", - ] -} - -provider "registry.terraform.io/integrations/github" { - version = "5.42.0" - constraints = "5.42.0" - hashes = [ - "h1:CZUAXhUhMIuIyTPm9VDcvOZgM1Lsl9tuKm5wW9tBEsM=", - "zh:0f97039c6b70295c4a82347bc8a0bcea700b3fb3df0e0be53585da025584bb7c", - "zh:12e78898580cc2a72b5f2a77e191b158f88e974b0500489b691f34842288745c", - "zh:23660933e4f00293c0d4d6cd6b4d72e382c0df46b70cecf22b5c4c090d3b61e3", - "zh:74119174b46d8d197dd209a246bf8b5db113c66467e02c831e68a8ceea312d3e", - "zh:829c4c0c202fc646eb0e1759eb9c8f0757df5295be2d3344b8fd6ca8ce9ef33b", - "zh:92043e667f520aee4e08a10a183ad5abe5487f3e9c8ad5a55ea1358b14b17b1a", - "zh:998909806b4ff42cf480fcd359ec1f12b868846f89284b991987f55de24876b7", - "zh:9f758447db3bf386516562abd6da1e54d22ddc207bda25961d2b5b049f32da0f", - "zh:a6259215612d4d6a281c671b2d5aa3a0a0b0a3ae92ed60b633998bb692e922d3", - "zh:ad7d78056beb44191911db9443bf5eec41a3d60e7b01def2a9e608d1c4288d27", - "zh:b697e7b0abef3000e1db482c897b82cd455621b488bb6c4cd3d270763d7b08ac", - "zh:db8e849eded8aebff780f89ab7e1339053d2f15c1c8f94103d70266a090527ad", - "zh:e5bdbb85fb148dd75877a7b94b595d4e8680e495c241db02c4b12b91e9d08953", - "zh:ee812c5fd77d3817fb688f720e5eb42d7ff04db67a125de48b05458c9f657483", - ] -} diff --git a/.identity/00_data.tf b/.identity/00_data.tf deleted file mode 100644 index ece9bd0a..00000000 --- a/.identity/00_data.tf +++ /dev/null 
@@ -1,14 +0,0 @@ -data "github_organization_teams" "all" { - root_teams_only = true - summary_only = true -} - -data "azurerm_key_vault" "key_vault" { - name = "${local.prefix}-${var.env_short}-kv" - resource_group_name = "${local.prefix}-${var.env_short}-sec-rg" -} - -data "azurerm_key_vault_secret" "sonar_token" { - name = "sonar-token" - key_vault_id = data.azurerm_key_vault.key_vault.id -} diff --git a/.identity/03_github_environment.tf b/.identity/03_github_environment.tf deleted file mode 100644 index 2c155cfe..00000000 --- a/.identity/03_github_environment.tf +++ /dev/null 
@@ -1,107 +0,0 @@ -data "azurerm_resource_group" "dashboards" { - name = "dashboards" -} - -data "azurerm_resource_group" "identity_rg" { - name = "${local.project}-identity-rg" -} - -data "azurerm_user_assigned_identity" "identity_ci" { - name = "${local.project}-ms-github-ci-identity" - resource_group_name = data.azurerm_resource_group.identity_rg.name -} - -data "azurerm_user_assigned_identity" "identity_cd" { - name = "${local.project}-ms-github-cd-identity" - resource_group_name = data.azurerm_resource_group.identity_rg.name -} - -resource "github_repository_environment" "environment_ci" { - environment = "${var.env}-ci" - repository = local.github.repository -} - - -resource "github_repository_environment" "environment_cd" { - environment = "${var.env}-cd" - repository = local.github.repository - - # filter teams reviewers from github_organization_teams - # if reviewers_teams is null no reviewers will be configured for environment - dynamic "reviewers" { - for_each = (var.github_repository_environment.reviewers_teams == null || var.env_short == "d" ? 
[] : [1]) - content { - teams = matchkeys( - data.github_organization_teams.all.teams.*.id, - data.github_organization_teams.all.teams.*.name, - var.github_repository_environment.reviewers_teams - ) - } - } -} - -locals { - env_secrets_ci = { - "AZURE_CLIENT_ID_CI" : data.azurerm_user_assigned_identity.identity_ci.client_id, - "AZURE_TENANT_ID" : data.azurerm_client_config.current.tenant_id, - "AZURE_SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id - } - env_secrets_cd = { - "AZURE_CLIENT_ID_CD" : data.azurerm_user_assigned_identity.identity_cd.client_id, - "AZURE_TENANT_ID" : data.azurerm_client_config.current.tenant_id, - "AZURE_SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id - } - env_variables = { - - } - repo_secrets = { - "SONAR_TOKEN" : data.azurerm_key_vault_secret.sonar_token.value, - "AZURE_CLIENT_ID" : data.azurerm_user_assigned_identity.identity_cd.client_id, - "AZURE_TENANT_ID" : data.azurerm_client_config.current.tenant_id, - "AZURE_SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id - } -} - -############### -# ENV Secrets # -############### - -resource "github_actions_environment_secret" "github_environment_ci_secrets" { - for_each = local.env_secrets_ci - repository = local.github.repository - environment = github_repository_environment.environment_ci.environment - secret_name = each.key - plaintext_value = each.value -} - -resource "github_actions_environment_secret" "github_environment_cd_secrets" { - for_each = local.env_secrets_cd - repository = local.github.repository - environment = github_repository_environment.environment_cd.environment - secret_name = each.key - plaintext_value = each.value -} - -################# -# ENV Variables # -################# - -resource "github_actions_environment_variable" "github_environment_cd_variables" { - for_each = local.env_variables - repository = local.github.repository - environment = github_repository_environment.environment_cd.environment - 
variable_name = each.key - value = each.value -} - -############################# -# Secrets of the Repository # -############################# - - -resource "github_actions_secret" "repo_secrets" { - for_each = local.repo_secrets - repository = local.github.repository - secret_name = each.key - plaintext_value = each.value -} diff --git a/.identity/99_main.tf b/.identity/99_main.tf deleted file mode 100644 index b13f079a..00000000 --- a/.identity/99_main.tf +++ /dev/null @@ -1,32 +0,0 @@ -terraform { - required_version = ">=1.6.0" - - required_providers { - azuread = { - source = "hashicorp/azuread" - version = "2.30.0" - } - azurerm = { - source = "hashicorp/azurerm" - version = "<= 3.86.0" - } - github = { - source = "integrations/github" - version = "5.42.0" - } - } - - backend "azurerm" {} -} - -provider "azurerm" { - features {} -} - -provider "github" { - owner = "pagopa" -} - -data "azurerm_subscription" "current" {} - -data "azurerm_client_config" "current" {} \ No newline at end of file diff --git a/.identity/99_outputs.tf b/.identity/99_outputs.tf deleted file mode 100644 index 468f12d8..00000000 --- a/.identity/99_outputs.tf +++ /dev/null @@ -1,7 +0,0 @@ -output "tenant_id" { - value = data.azurerm_client_config.current.tenant_id -} - -output "subscription_id" { - value = data.azurerm_subscription.current.subscription_id -} diff --git a/.identity/99_variables.tf b/.identity/99_variables.tf deleted file mode 100644 index 6700d1a3..00000000 --- a/.identity/99_variables.tf +++ /dev/null 
@@ -1,66 +0,0 @@ -locals { - github = { - org = "pagopa" - repository = "selfcare-onboarding-backend" - } - - prefix = "selc" - domain = "b4f-onboarding" - location_short = "weu" - location = "westeurope" - project = "${var.prefix}-${var.env_short}" -} - -variable "env" { - type = string -} - -variable "env_short" { - type = string -} - -variable "domain" { - type = string -} - -variable "prefix" { - type = string - default = "selc" - validation { - condition = ( - length(var.prefix) <= 6 - ) - error_message = "Max length is 6 chars." - } -} - -variable "cd_github_federations" { - type = list(object({ - repository = string - credentials_scope = optional(string, "environment") - subject = string - })) - description = "GitHub Organization, repository name and scope permissions" -} - -variable "environment_cd_roles" { - type = object({ - subscription = list(string) - resource_groups = map(list(string)) - }) - description = "Continous Delivery roles for managed identity" -} - -variable "github_repository_environment" { - type = object({ - protected_branches = bool - custom_branch_policies = bool - reviewers_teams = list(string) - }) - description = "GitHub Continuous Integration roles" - default = { - protected_branches = false - custom_branch_policies = true - reviewers_teams = ["selfcare-contributors"] - } -} diff --git a/.identity/env/prod/backend.ini b/.identity/env/prod/backend.ini deleted file mode 100644 index dc3318a8..00000000 --- a/.identity/env/prod/backend.ini +++ /dev/null @@ -1 +0,0 @@ -subscription=PROD-SelfCare diff --git a/.identity/env/prod/backend.tfvars b/.identity/env/prod/backend.tfvars deleted file mode 100644 index 771755f9..00000000 --- a/.identity/env/prod/backend.tfvars +++ /dev/null @@ -1,4 +0,0 @@ -resource_group_name = "terraform-state-rg" -storage_account_name = "tfappprodselfcare" -container_name = "terraform-state" -key = "b4f-onboarding.identity.tfstate" 
diff --git a/.identity/env/prod/terraform.tfvars b/.identity/env/prod/terraform.tfvars deleted file mode 100644 index cb447f5d..00000000 --- a/.identity/env/prod/terraform.tfvars +++ /dev/null @@ -1,20 +0,0 @@ -prefix = "selc" -env = "prod" -env_short = "p" -domain = "b4f-dashboard" - -cd_github_federations = [ - { - repository = "selfcare-onboarding-backend" - subject = "prod-cd" - } -] - -environment_cd_roles = { - subscription = ["Contributor"] - resource_groups = { - "terraform-state-rg" = [ - "Storage Blob Data Contributor" - ] - } -} diff --git a/.identity/terraform.sh b/.identity/terraform.sh deleted file mode 100755 index 885fa6ce..00000000 --- a/.identity/terraform.sh +++ /dev/null 
@@ -1,69 +0,0 @@ -#!/bin/bash - -set -e - -ACTION=$1 -ENV=$2 -shift 2 -other="$@" -# must be subscription in lower case -subscription="" -BACKEND_CONFIG_PATH="./env/${ENV}/backend.tfvars" - -if [ -z "$ACTION" ]; then - echo "[ERROR] Missed ACTION: init, apply, plan" - exit 0 -fi - -if [ -z "$ENV" ]; then - echo "[ERROR] ENV should be: dev, uat or prod." - exit 0 -fi - -# -# 🏁 Source & init shell -# - -# shellcheck source=/dev/null -source "./env/$ENV/backend.ini" - -# Subscription set -az account set -s "${subscription}" - -# if using cygwin, we have to transcode the WORKDIR -if [[ $WORKDIR == /cygdrive/* ]]; then - WORKDIR=$(cygpath -w $WORKDIR) -fi - -# Helm -export HELM_DEBUG=1 -export TF_VAR_github_token="${GITHUB_TOKEN}" -# TODO set your PAT TOKEN as env var -if [ -z "$GITHUB_TOKEN" ]; then - echo "Error: Set an environment variable named GITHUB_TOKEN with your GitHub PAT Token" - exit 1 -fi - -# -# 🌎 Terraform -# -if echo "init plan apply refresh import output state taint destroy" | grep -w "$ACTION" > /dev/null; then - if [ "$ACTION" = "init" ]; then - echo "[INFO] init tf on ENV: ${ENV}" - terraform "$ACTION" -backend-config="${BACKEND_CONFIG_PATH}" $other - elif [ "$ACTION" = "output" ] || [ "$ACTION" = "state" ] || [ "$ACTION" = "taint" ]; then - # init terraform backend - terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}" - terraform "$ACTION" $other - else - # init terraform backend - echo "[INFO] init tf on ENV: ${ENV}" - terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}" - - echo "[INFO] run tf with: ${ACTION} on ENV: ${ENV} and other: >${other}<" - terraform "${ACTION}" -var-file="./env/${ENV}/terraform.tfvars" -compact-warnings $other - fi -else - echo "[ERROR] ACTION not allowed." - exit 1 -fi \ No newline at end of file diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..e991df9b --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,10 @@ +repos: + - repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.86.0 + hooks: + - id: terraform_fmt + - id: terraform_docs + - id: terraform_validate + args: + - --args=-json + - --args=-no-color \ No newline at end of file diff --git a/.terraform-version b/.terraform-version new file mode 100644 index 00000000..83d1a5eb --- /dev/null +++ b/.terraform-version @@ -0,0 +1 @@ +1.6.6 \ No newline at end of file diff --git a/Dockerfile.new b/Dockerfile.new new file mode 100644 index 00000000..13dc1062 --- /dev/null +++ b/Dockerfile.new @@ -0,0 +1,20 @@ +FROM maven:3-eclipse-temurin-17 AS builder + +COPY . . + +RUN mvn clean package -DskipTests=true + +FROM openjdk:17-jdk AS runtime + +ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' + +WORKDIR /app + +COPY --from=builder ./target/*.jar ./app.jar + +ADD https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.1.1/applicationinsights-agent-3.1.1.jar /applicationinsights-agent.jar + +EXPOSE 8080 +USER 1001 + +ENTRYPOINT ["java", "-jar", "app.jar"] \ No newline at end of file diff --git a/Dockerfile.new.dockerignore b/Dockerfile.new.dockerignore new file mode 100644 index 00000000..427b8ce4 --- /dev/null +++ b/Dockerfile.new.dockerignore 
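Review bot: The `ADD https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.1.1/applicationinsights-agent-3.1.1.jar` line fetches an executable agent over the network at build time with no integrity check, and the `ENTRYPOINT` then never loads it (`java -jar app.jar` has no `-javaagent`), so the image ships an unverified jar that is never used. Either drop the line or verify and use it: `ADD --checksum=sha256:<release digest> https://…/applicationinsights-agent-3.1.1.jar /applicationinsights-agent.jar` and `ENTRYPOINT ["java", "-javaagent:/applicationinsights-agent.jar", "-jar", "app.jar"]` (`--checksum` needs a `# syntax=docker/dockerfile:1.6` directive). The runtime stage is `FROM openjdk:17-jdk`, a floating tag of an image Docker Hub marks as deprecated; pin a maintained JRE image by digest, e.g. `eclipse-temurin:17-jre@sha256:…`, to match the Temurin builder stage. The 3.1.x agent line also looks dated, so check for a current release while touching this.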
@@ -0,0 +1,117 @@ +**/.dockerignore +**/.git +**/bin +**/docker-compose* +**/Dockerfile* +**/node_modules +**/npm-debug.log +**/obj +**/secrets.dev.yaml +**/values.dev.yaml +LICENSE +README.md + +**/.idea +.idea +**/.mvn +.mvn + +**/target + +# Created by .ignore support plugin (hsz.mobi) +### Maven template +target/ +pom.xml.tag +pom.xml.releaseBackup +pom.xml.versionsBackup +pom.xml.next +release.properties +dependency-reduced-pom.xml +buildNumber.properties +.mvn/timing.properties +.mvn/wrapper/maven-wrapper.jar +### Java template +# Compiled class file +*.class + +# Log file +*.log + +# BlueJ files +*.ctxt + +# Mobile Tools for Java (J2ME) +.mtj.tmp/ + +# Package Files # +*.jar +*.war +*.nar +*.ear +*.zip +*.tar.gz +*.rar + +# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml +hs_err_pid* +### JetBrains template +# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and WebStorm +# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 + +# User-specific stuff +.idea/**/workspace.xml +.idea/**/tasks.xml +.idea/**/usage.statistics.xml +.idea/**/dictionaries +.idea/**/shelf + +# Sensitive or high-churn files +.idea/**/dataSources/ +.idea/**/dataSources.ids +.idea/**/dataSources.local.xml +.idea/**/sqlDataSources.xml +.idea/**/dynamic.xml +.idea/**/uiDesigner.xml +.idea/**/dbnavigator.xml + +# Gradle +.idea/**/gradle.xml +.idea/**/libraries + +# Gradle and Maven with auto-import +# When using Gradle or Maven with auto-import, you should exclude module files, +# since they will be recreated, and may cause churn. Uncomment if using +# auto-import. 
+# .idea/modules.xml +# .idea/*.iml +# .idea/modules + +# CMake +cmake-build-*/ + +# Mongo Explorer plugin +.idea/**/mongoSettings.xml + +# File-based project format +*.iws + +# IntelliJ +out/ + +# mpeltonen/sbt-idea plugin +.idea_modules/ + +# JIRA plugin +atlassian-ide-plugin.xml + +# Cursive Clojure plugin +.idea/replstate.xml + +# Crashlytics plugin (for Android Studio and IntelliJ) +com_crashlytics_export_strings.xml +crashlytics.properties +crashlytics-build.properties +fabric.properties + +# Editor-based Rest Client +.idea/httpRequests \ No newline at end of file diff --git a/infra/repository/.terraform.lock.hcl b/infra/repository/.terraform.lock.hcl new file mode 100644 index 00000000..30e3c99f --- /dev/null +++ b/infra/repository/.terraform.lock.hcl 
@@ -0,0 +1,50 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.91.0" + constraints = ">= 3.90.0" + hashes = [ + "h1:8hMFuaTQsZIV69D0J/W+6hSlhRRDzYSpC0Eg9yWYF0o=", + "h1:FEDNnFv/uKI2+FQ+nDoyswEI3trJ3d7Fx2Cy7Ff4Rq8=", + "h1:Iv9CR+7491iozaK2AkCSAK2u4a2rPyJDQpyHijClj6Y=", + "h1:t0I5G4canK6UdlgHGfMV4rUNBPGdrMiIB01VGizlXB8=", + "zh:13928b71b1235783f3f877a799e28fb91e50512b051eb8ccb370500fc140cf3f", + "zh:3264341657e9ff3963d69b0fa088f64665349e2a29b2f3aeb4deee6d9d7584b7", + "zh:467a2ddd2eee26353db65e949bfbe533481ca0fb53c152724380b63a308f11b9", + "zh:6133e57087167b163180df3a77fab0c63b3e11609d139d39db8d3be3d6ec7ccd", + "zh:6df24730bc9247647ffb44832c3c64e45ab731dd83a3592d33d28235a453235a", + "zh:775aae148223a4a86e2dd25533a95a5fea4817085b6c5e643a7192453270cd68", + "zh:89d51148c7c123685d3e2f7e291888a3af009656e5c0ad66235a7c686ecb19d2", + "zh:9c89552051226eeb7c0fc66ad5aa57d1d0f5acc1d56afad06b6596707ae6c85e", + "zh:c4f3bc269837fa3b6ad803de2c7d1125dd791d78a521dcad2e7a63b905a13a53", + "zh:e48f05de1ffdcc998c5ff915570fb0557c7ac1d3af971dd76aff82e66d45bf06", + "zh:f1945716c7b9c23c25ca9fb4a68f27b6cfa25f5d235112c31f9412eba47f93c6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/integrations/github" { + version = "5.45.0" + constraints = "5.45.0" + hashes = [ + "h1:6nxolUZ963kZ3squxzUbO1F+WPXKUxtpuiVsVtbaY7U=", + "h1:cP5uEN9jpePr+/Kc7OyAZMhysbDhQoLGpLqgQpLFewg=", + "h1:mX5tPDK7RNmtEjSoaI47oimBJBnujcAI7REnhpGqZhg=", + "h1:sP/Er9osOsz4vhKZAul+GeV0c5XdvMblJBMiP+T5tWc=", + "zh:2afb8ee5b847071e51d5a39bcad5cf466c4d22452450d37c44a5f9d2eb9879e5", + "zh:38d087b88c86ddd63b60d14d613f86a5885d154048098c0484266a9a69018b16", + "zh:3e6a787e3e40f1535d85f8dc5f2e8c90242ab8237feebd027f696fa154261394", + "zh:55dac5a813b3774b48ca45b8a797c32e6d787d4f282b43b622155cad3daac46a", + 
"zh:563f2782f3c4c584b249c5fa0628951a57b4593f3c5805a4efb6d494f8686716", + "zh:677180ec9376d5f926286592998e2864c85f06d6b416c1d89031d817a285c72e", + "zh:80eec141fa47131e8f60a6478e51b3a5920efe803444e684f9605fca09a24e34", + "zh:8b9f1e1f4b42b51e53767f4f927eabdcefe55fb0369e996ac2a0063148b5e48d", + "zh:95627f75848561830f8c20949f024f902a2100a022c68aa8d84320f43e75cc46", + "zh:95ac41b99dfca3ce556092e036bb04dc03367d0779071112e59d4bf11259a89d", + "zh:9e966482729ba8214b480bdd786aff9a15234e9c093c5406b56ce89ccb07dcab", + "zh:b7a9d563613f1b9a233f8f285848cc9d8c08c556aad7ea57cd63e0abb19b10cf", + "zh:ce56bb7ca876f47f5beee01de3ab84d27964b972c9adceb8e2f7824891e05c27", + "zh:f73e063ad5b84f1943eafb8a52a26dd805d06ac11d6c951175ac76c07187f553", + ] +} diff --git a/infra/repository/README.md b/infra/repository/README.md new file mode 100644 index 00000000..b9c2ba0d --- /dev/null +++ b/infra/repository/README.md @@ -0,0 +1,43 @@ +# Repository Settings + +Define settings of this GitHub repository. + +## How to use + +Make sure your PAT has access to this repository. Then, follow these steps: + +- set the subscription: `az account set --subscription "PROD-SelfCare"` +- run `terraform init -backend-config="backend.tfvars"` +- run `terraform plan` +- run `terraform apply` + + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.6.0 | + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [repository](#module\_repository) | github.com/pagopa/selfcare-commons//infra/terraform-modules/github_repository_settings | main | + +## Resources + +No resources. + +## Inputs + +No inputs. + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/infra/repository/backend.tfvars b/infra/repository/backend.tfvars new file mode 100644 index 00000000..c8c0e191 --- /dev/null +++ b/infra/repository/backend.tfvars 
@@ -0,0 +1,4 @@ +resource_group_name = "terraform-state-rg" +storage_account_name = "tfinfprodselfcare" +container_name = "terraform-state" +key = "selfcare-onboarding-backend.repository.tfstate" \ No newline at end of file diff --git a/infra/repository/main.tf b/infra/repository/main.tf new file mode 100644 index 00000000..7408e0d2 --- /dev/null +++ b/infra/repository/main.tf @@ -0,0 +1,17 @@ +terraform { + required_version = ">= 1.6.0" + + backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + +module "repository" { + source = "github.com/pagopa/selfcare-commons//infra/terraform-modules/github_repository_settings?ref=main" + + github = { + repository = "selfcare-onboarding-backend" + } +} \ No newline at end of file diff --git a/pom.xml b/pom.xml index 201a5088..5573324a 100644 --- a/pom.xml +++ b/pom.xml @@ -23,6 +23,7 @@ 2.5.1 + https://sonarcloud.io/
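Review bot: `module "repository"` sources `github_repository_settings` from `selfcare-commons` at `?ref=main`, a mutable branch, and per the README this module is what now defines the repository's settings (presumably branch protection, environments and secrets), so a push to `main` in the other repository silently rewrites this repository's security posture on the next `apply`. Pin to a commit or tag, e.g. `source = "github.com/pagopa/selfcare-commons//infra/terraform-modules/github_repository_settings?ref=<sha>"`, and bump deliberately. The root module declares only the `azurerm` provider, so the `github` provider and the PAT the README mentions must be configured inside the module; confirm it reads `GITHUB_TOKEN` from the environment rather than a variable that could land in state. Finally, the `.identity` stack is removed without a `terraform destroy`, so the `prod-ci`/`prod-cd` environments and the `AZURE_*`/`SONAR_TOKEN` secrets it created remain in GitHub and in `b4f-onboarding.identity.tfstate` unmanaged; either destroy them or import them into the new state.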