[EC-45] Setup managed identities + general upgrades (#1085)

.identity/.terraform-version

@@ -1 +1 @@
-1.3.6
+1.6.6

.identity/00_locals.tf

@@ -3,4 +3,19 @@ locals {
     org        = "pagopa"
     repository = "io-backend"
   }
+
+  project = "${var.prefix}-${var.env_short}-${var.domain}"
+
+  env_secrets = {
+    "AZURE_SUBSCRIPTION_ID" = data.azurerm_subscription.current.subscription_id
+    "AZURE_TENANT_ID"       = data.azurerm_subscription.current.tenant_id
+  }
+
+  env_secrets_ci = {
+    "AZURE_CLIENT_ID_CI" = module.identity_ci.identity_client_id
+  }
+
+  env_secrets_cd = {
+    "AZURE_CLIENT_ID_CD" = module.identity_cd.identity_client_id
+  }
 }

.identity/00_main.tf

@@ -8,7 +8,11 @@ terraform {
     }
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.33.0"
+      version = "<=3.84.0"
+    }
+    github = {
+      source  = "integrations/github"
+      version = "5.42.0"
     }
   }
 
@@ -19,6 +23,10 @@ provider "azurerm" {
   features {}
 }
 
+provider "github" {
+  owner = "pagopa"
+}
+
 data "azurerm_subscription" "current" {}
 
 data "azurerm_client_config" "current" {}

.identity/00_variables.tf

@@ -0,0 +1,53 @@
+variable "tags" {
+  type = map(any)
+}
+
+variable "prefix" {
+  type = string
+}
+
+variable "env" {
+  type = string
+}
+
+variable "env_short" {
+  type = string
+}
+
+variable "domain" {
+  type = string
+}
+
+variable "ci_github_federations" {
+  type = list(object({
+    repository        = string
+    credentials_scope = optional(string, "environment")
+    subject           = string
+  }))
+  description = "GitHub Organization, repository name and scope permissions"
+}
+
+variable "environment_ci_roles" {
+  type = object({
+    subscription    = list(string)
+    resource_groups = map(list(string))
+  })
+  description = "GitHub Continous Delivery roles"
+}
+
+variable "cd_github_federations" {
+  type = list(object({
+    repository        = string
+    credentials_scope = optional(string, "environment")
+    subject           = string
+  }))
+  description = "GitHub Organization, repository name and scope permissions"
+}
+
+variable "environment_cd_roles" {
+  type = object({
+    subscription    = list(string)
+    resource_groups = map(list(string))
+  })
+  description = "GitHub Continous Delivery roles"
+}

.identity/01_data.tf

@@ -6,3 +6,7 @@ data "azurerm_storage_account" "tfstate_app" {
 data "azurerm_resource_group" "dashboards" {
   name = "dashboards"
 }
+
+data "azurerm_resource_group" "identity_rg" {
+  name = "${var.prefix}-${var.env_short}-identity-rg"
+}

.identity/03_managed_identity_cd.tf

@@ -0,0 +1,18 @@
+module "identity_cd" {
+  source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v7.34.0"
+
+  prefix    = var.prefix
+  env_short = var.env_short
+  domain    = var.domain
+
+  identity_role = "cd"
+
+  github_federations = var.cd_github_federations
+
+  cd_rbac_roles = {
+    subscription_roles = var.environment_cd_roles.subscription
+    resource_groups    = var.environment_cd_roles.resource_groups
+  }
+
+  tags = var.tags
+}

.identity/03_managed_identity_ci.tf

@@ -0,0 +1,18 @@
+module "identity_ci" {
+  source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v7.34.0"
+
+  prefix    = var.prefix
+  env_short = var.env_short
+  domain    = var.domain
+
+  identity_role = "ci"
+
+  github_federations = var.ci_github_federations
+
+  cd_rbac_roles = {
+    subscription_roles = var.environment_ci_roles.subscription
+    resource_groups    = var.environment_ci_roles.resource_groups
+  }
+
+  tags = var.tags
+}

.identity/04_github_environment.tf

@@ -0,0 +1,32 @@
+resource "github_repository_environment" "prod_ci" {
+  environment = "${var.env}-ci"
+  repository  = local.github.repository
+}
+
+resource "github_repository_environment" "prod_cd" {
+  environment = "${var.env}-cd"
+  repository  = local.github.repository
+}
+
+resource "github_actions_secret" "repo_secrets" {
+  for_each        = local.env_secrets
+  repository      = local.github.repository
+  secret_name     = each.key
+  plaintext_value = each.value
+}
+
+resource "github_actions_environment_secret" "github_environment_ci_secrets" {
+  for_each        = local.env_secrets_ci
+  repository      = local.github.repository
+  environment     = github_repository_environment.prod_ci.environment
+  secret_name     = each.key
+  plaintext_value = each.value
+}
+
+resource "github_actions_environment_secret" "github_environment_cd_secrets" {
+  for_each        = local.env_secrets_cd
+  repository      = local.github.repository
+  environment     = github_repository_environment.prod_cd.environment
+  secret_name     = each.key
+  plaintext_value = each.value
+}

.identity/env/prod/terraform.tfvars

@@ -1,5 +1,7 @@
 prefix    = "io"
+env       = "prod"
 env_short = "p"
+domain    = "io-backend"
 
 tags = {
   CreatedBy   = "Terraform"
@@ -8,3 +10,41 @@ tags = {
   Source      = "https://github.com/pagopa/io-backend"
   CostCenter  = "TS310 - PAGAMENTI & SERVIZI"
 }
+
+ci_github_federations = [
+  {
+    repository = "io-backend"
+    subject    = "prod-ci"
+  }
+]
+
+cd_github_federations = [
+  {
+    repository = "io-backend"
+    subject    = "prod-cd"
+  }
+]
+
+environment_ci_roles = {
+  subscription = ["Reader"]
+  resource_groups = {
+    "terraform-state-rg" = [
+      "Storage Blob Data Reader"
+    ],
+    "dashboards" = [
+      "Reader"
+    ]
+  }
+}
+
+environment_cd_roles = {
+  subscription = ["Reader"]
+  resource_groups = {
+    "terraform-state-rg" = [
+      "Storage Blob Data Contributor"
+    ],
+    "dashboards" = [
+      "Contributor"
+    ]
+  }
+}