add identities to repo

pagopa · Oct 8, 2024 · e37ba00 · e37ba00
1 parent 21a9865
commit e37ba00
Show file tree

Hide file tree

Showing 8 changed files with 153 additions and 24 deletions.
diff --git a/infra/identity/prod/main.tf b/infra/identity/prod/main.tf
@@ -102,3 +102,48 @@ resource "azurerm_key_vault_access_policy" "cd" {
 
   secret_permissions = ["Get", "List", "Set"]
 }
+
+module "opex_federated_identities" {
+  source = "github.com/pagopa/dx//infra/modules/azure_federated_identity_with_github?ref=main"
+
+  prefix    = local.prefix
+  env_short = local.env_short
+  env       = "opex-${local.env}"
+  domain    = "${local.domain}-opex"
+
+  repositories = [local.repo_name]
+
+  continuos_integration = {
+    enable = true
+    roles = {
+      subscription = ["Reader"]
+      resource_groups = {
+        dashboards = [
+          "Reader"
+        ],
+        terraform-state-rg = [
+          "Storage Blob Data Reader",
+          "Reader and Data Access"
+        ]
+      }
+    }
+  }
+
+  continuos_delivery = {
+    enable = true
+    roles = {
+      subscription = ["Reader"]
+      resource_groups = {
+        dashboards = [
+          "Contributor"
+        ],
+        terraform-state-rg = [
+          "Storage Blob Data Contributor",
+          "Reader and Data Access"
+        ]
+      }
+    }
+  }
+
+  tags = local.tags
+}
diff --git a/infra/repository/.terraform.lock.hcl b/infra/repository/.terraform.lock.hcl
diff --git a/infra/repository/data.tf b/infra/repository/data.tf
@@ -13,6 +13,16 @@ data "azurerm_user_assigned_identity" "identity_app_prod_cd" {
   resource_group_name = local.identity_resource_group_name
 }
 
+data "azurerm_user_assigned_identity" "identity_opex_prod_ci" {
+  name                = "${local.project}-wallet-opex-github-ci-identity"
+  resource_group_name = local.identity_resource_group_name
+}
+
+data "azurerm_user_assigned_identity" "identity_opex_prod_cd" {
+  name                = "${local.project}-wallet-opex-github-cd-identity"
+  resource_group_name = local.identity_resource_group_name
+}
+
 data "github_organization_teams" "all" {
   root_teams_only = true
   summary_only    = true

diff --git a/infra/repository/github_environment_cd.tf b/infra/repository/github_environment_cd.tf
@@ -34,6 +34,24 @@ resource "github_repository_environment" "github_repository_environment_app_prod
   }
 }
 
+resource "github_repository_environment" "github_repository_environment_opex_prod_cd" {
+  environment = "opex-prod-cd"
+  repository  = github_repository.this.name
+
+  deployment_branch_policy {
+    protected_branches     = false
+    custom_branch_policies = true
+  }
+
+  reviewers {
+    teams = matchkeys(
+      data.github_organization_teams.all.teams[*].id,
+      data.github_organization_teams.all.teams[*].slug,
+      local.cd_app.reviewers_teams
+    )
+  }
+}
+
 resource "github_actions_environment_secret" "env_prod_cd_secrets" {
   for_each = local.cd.secrets
 
@@ -51,3 +69,12 @@ resource "github_actions_environment_secret" "env_app_prod_cd_secrets" {
   secret_name     = each.key
   plaintext_value = each.value
 }
+
+resource "github_actions_environment_secret" "env_opex_prod_cd_secrets" {
+  for_each = local.cd_opex.secrets
+
+  repository      = github_repository.this.name
+  environment     = github_repository_environment.github_repository_environment_opex_prod_cd.environment
+  secret_name     = each.key
+  plaintext_value = each.value
+}
diff --git a/infra/repository/github_environment_ci.tf b/infra/repository/github_environment_ci.tf
@@ -8,11 +8,30 @@ resource "github_repository_environment" "github_repository_environment_prod_ci"
   }
 }
 
+resource "github_repository_environment" "github_repository_environment_opex_prod_ci" {
+  environment = "opex-prod-ci"
+  repository  = github_repository.this.name
+
+  deployment_branch_policy {
+    protected_branches     = false
+    custom_branch_policies = true
+  }
+}
+
 resource "github_actions_environment_secret" "env_prod_ci_secrets" {
   for_each = local.ci.secrets
 
   repository      = github_repository.this.name
   environment     = github_repository_environment.github_repository_environment_prod_ci.environment
   secret_name     = each.key
   plaintext_value = each.value
-}
+}
+
+resource "github_actions_environment_secret" "env_opex_prod_ci_secrets" {
+  for_each = local.ci_opex.secrets
+
+  repository      = github_repository.this.name
+  environment     = github_repository_environment.github_repository_environment_opex_prod_ci.environment
+  secret_name     = each.key
+  plaintext_value = each.value
+}
diff --git a/infra/repository/github_repository.tf b/infra/repository/github_repository.tf
@@ -25,4 +25,18 @@ resource "github_repository" "this" {
   vulnerability_alerts = true
 
   archive_on_destroy = true
-}
+
+  security_and_analysis {
+    secret_scanning {
+      status = "enabled"
+    }
+
+    secret_scanning_push_protection {
+      status = "enabled"
+    }
+
+    advanced_security {
+      status = "enabled"
+    }
+  }
+}
diff --git a/infra/repository/locals.tf b/infra/repository/locals.tf
@@ -27,4 +27,17 @@ locals {
     }
     reviewers_teams = ["io-wallet", "engineering-team-cloud-eng"]
   }
+
+  ci_opex = {
+    secrets = {
+      "ARM_CLIENT_ID" = data.azurerm_user_assigned_identity.identity_opex_prod_ci.client_id
+    }
+  }
+
+  cd_opex = {
+    secrets = {
+      "ARM_CLIENT_ID" = data.azurerm_user_assigned_identity.identity_opex_prod_cd.client_id
+    }
+    reviewers_teams = ["io-wallet", "engineering-team-cloud-eng"]
+  }
 }
diff --git a/infra/repository/main.tf b/infra/repository/main.tf
@@ -8,7 +8,7 @@ terraform {
 
     github = {
       source  = "integrations/github"
-      version = "6.1.0"
+      version = "6.3.0"
     }
   }
 
@@ -31,4 +31,4 @@ provider "github" {
 
 data "azurerm_client_config" "current" {}
 
-data "azurerm_subscription" "current" {}
+data "azurerm_subscription" "current" {}