Merge branch 'main' into add-sops-to-afm-domain

.devops/aca-code-review-pipelines.yml

@@ -70,7 +70,7 @@ resources:
     - repository: terraform
       type: github
       name: pagopa/azure-pipeline-templates
-      ref: refs/heads/iac-fix
+      ref: refs/tags/v6.11.0
       endpoint: "io-azure-devops-github-ro"
 
 stages:

.devops/apiconfig-code-review-pipelines.yml

@@ -70,7 +70,7 @@ resources:
     - repository: terraform
       type: github
       name: pagopa/azure-pipeline-templates
-      ref: refs/heads/iac-fix
+      ref: refs/tags/v6.11.0
       endpoint: "io-azure-devops-github-ro"
 
 stages:

.devops/canoneunico-code-review-pipelines.yml

@@ -54,7 +54,7 @@ resources:
     - repository: terraform
       type: github
       name: pagopa/azure-pipeline-templates
-      ref: refs/heads/iac-fix
+      ref: refs/tags/v6.11.0
       endpoint: "io-azure-devops-github-ro"
 
 stages:

.devops/mock-code-review-pipelines.yml

@@ -70,7 +70,7 @@ resources:
     - repository: terraform
       type: github
       name: pagopa/azure-pipeline-templates
-      ref: refs/heads/iac-fix
+      ref: refs/tags/v6.11.0
       endpoint: "io-azure-devops-github-ro"
 
 stages:

.devops/observability-code-review-pipelines.yml

@@ -69,7 +69,7 @@ resources:
     - repository: terraform
       type: github
       name: pagopa/azure-pipeline-templates
-      ref: refs/heads/iac-fix
+      ref: refs/tags/v6.11.0
       endpoint: "io-azure-devops-github-ro"
 
 stages:

.devops/qi-code-review-pipelines.yml

@@ -72,7 +72,7 @@ resources:
     - repository: terraform
       type: github
       name: pagopa/azure-pipeline-templates
-      ref: refs/heads/iac-fix
+      ref: refs/tags/v6.11.0
       endpoint: "io-azure-devops-github-ro"
 
 stages:

.devops/qi-deploy-pipelines.yml

@@ -68,7 +68,7 @@ resources:
     - repository: terraform
       type: github
       name: pagopa/azure-pipeline-templates
-      ref: refs/heads/iac-fix
+      ref: refs/tags/v6.11.0
       endpoint: "io-azure-devops-github-ro"
 
 stages:

.devops/receipts-code-review-pipelines.yml

@@ -72,7 +72,7 @@ resources:
     - repository: terraform
       type: github
       name: pagopa/azure-pipeline-templates
-      ref: refs/heads/iac-fix
+      ref: refs/tags/v6.11.0
       endpoint: "io-azure-devops-github-ro"
 
 stages:

.devops/receipts-deploy-pipelines.yml

@@ -68,7 +68,7 @@ resources:
     - repository: terraform
       type: github
       name: pagopa/azure-pipeline-templates
-      ref: refs/heads/iac-fix
+      ref: refs/tags/v6.11.0
       endpoint: "io-azure-devops-github-ro"
 
 stages:

.github/workflows/static_analysis_pr.yml

@@ -13,90 +13,24 @@ jobs:
       - run: |
           rm -rf *
 
-      - name: ⏬ Checkout Repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
       - name: 🔨 Get Modified Paths
         id: get-paths
-        run: |
-          #
-          # Discover only the paths changed inside src and src/domains, between my current branch and origin/main
-          #
-          echo "get current branch"
-          current_branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
-          echo "current branch: $current_branch"
-          echo "get git diff"
-          git diff --name-only $current_branch origin/main --output=/tmp/diff.txt
-          echo "get modified paths from source"
-          # i'm using echo because using grep directly fails. it produces an invalid output that breaks the variable assignment
-          source_count=$(echo "$(grep -v 'domains' /tmp/diff.txt | wc -l )")
-          echo "source count: $source_count"
-          if [[ $source_count -eq 0 ]]
-          then
-            echo "in source if true"
-            modified_paths_source=""
-          else
-            echo "in source if false"
-            modified_paths_source=$(grep -v 'domains' /tmp/diff.txt | grep '/' | cut -d '/' -f 1,2 | uniq )
-          fi
-
-          echo "modified_paths_source: $modified_paths_source"
-
-          echo "get modified paths from domains"
-          # i'm using echo because using grep directly fails. it produces an invalid output that breaks the variable assignment
-          domains_count=$(echo "$(grep 'domains' /tmp/diff.txt | wc -l )")
-          echo "domains count: $domains_count"
-          if [ $domains_count -eq 0 ]
-          then
-            echo "in domains if true"
-            modified_paths_domains=""
-          else
-            echo "in domains if false"
-            modified_paths_domains=$( grep 'domains' /tmp/diff.txt | grep '/' | cut -d '/' -f 1,2,3 | uniq )
-          fi
-          echo "modified_paths_domains: $modified_paths_domains"
-
-          echo "merge paths"
-          modified_paths="$modified_paths_source $modified_paths_domains .github"
-          echo "📌 modified_paths"
-          #
-          # This is the only way to pass a string with paths to other step without error, usign env the paths force an error
-          #
-          echo "$modified_paths" > "/tmp/paths.txt"
-
-        shell: bash
-
-      - name: ⏬ Download only changed folders
-        id: download
-        shell: bash
-        run: |
-          #
-          # This allow to read all the paths and download only the changed folders
-          #
-          PAGOPA_MULTIPLE_FOLDERS=$(fold -w $(wc -L < "/tmp/paths.txt") < "/tmp/paths.txt")
-          echo $PAGOPA_MULTIPLE_FOLDERS
-          git sparse-checkout init --cone
-          git sparse-checkout set $PAGOPA_MULTIPLE_FOLDERS
-          git checkout
-
-#      - name: Checkout Modified Paths
-#        uses: actions/checkout@v4
-#        with:
-#          sparse-checkout: |
-#            $(fold -w $(wc -L < "/tmp/paths.txt") < "/tmp/paths.txt")
+        uses: pagopa/eng-github-actions-iac-template/global/[email protected]
+        with:
+          start_folder: "src"
+          default_end_folder_depth: 3
+          include_patterns: "src,domains"
 
       - name: 👀 See folders downloaded
+        if: env.dir_changes_detected == 'true'
         id: see
         shell: bash
         run: |
           ls -la
           du -h -d 3 .
 
       - name: Static Analysis
+        if: env.dir_changes_detected == 'true'
         uses: pagopa/eng-github-actions-iac-template/azure/[email protected]
         with:
           precommit_version: 'v1.89.1@sha256:1ea921bc4fe87651d41677218e537afdcdb8202e757e554b9866668eaba144c5'
-
-

src/aks-platform/04_rbac.tf

@@ -270,3 +270,25 @@ resource "kubernetes_cluster_role_binding" "view_binding" {
     module.aks
   ]
 }
+
+resource "kubernetes_cluster_role" "kube_system_reader" {
+  metadata {
+    name = "kube-system-reader"
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["services"]
+    verbs      = ["get", "list", "watch", ]
+  }
+
+  rule {
+    api_groups = ["rbac.authorization.k8s.io"]
+    resources  = ["rolebindings"]
+    verbs      = ["get", "list", "watch", ]
+  }
+
+  depends_on = [
+    module.aks
+  ]
+}

src/aks-platform/99_main.tf

@@ -30,6 +30,7 @@ terraform {
 }
 
 provider "azurerm" {
+  skip_provider_registration = true
   features {
     key_vault {
       purge_soft_delete_on_destroy = false

src/aks-platform/README.md

@@ -35,6 +35,7 @@
 | [helm_release.monitoring_reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_cluster_role.cluster_deployer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
 | [kubernetes_cluster_role.edit_extra](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role.kube_system_reader](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
 | [kubernetes_cluster_role.system_cluster_deployer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
 | [kubernetes_cluster_role.view_extra](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
 | [kubernetes_cluster_role_binding.edit_binding](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
@@ -75,31 +76,31 @@
 | <a name="input_aks_num_outbound_ips"></a> [aks\_num\_outbound\_ips](#input\_aks\_num\_outbound\_ips) | How many outbound ips allocate for AKS cluster | `number` | `1` | no |
 | <a name="input_aks_private_cluster_is_enabled"></a> [aks\_private\_cluster\_is\_enabled](#input\_aks\_private\_cluster\_is\_enabled) | Allow to configure the AKS, to be setup as a private cluster. To reach it, you need to use an internal VM or VPN | `bool` | `true` | no |
 | <a name="input_aks_sku_tier"></a> [aks\_sku\_tier](#input\_aks\_sku\_tier) | The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free and Paid (which includes the Uptime SLA). | `string` | n/a | yes |
-| <a name="input_aks_system_node_pool"></a> [aks\_system\_node\_pool](#input\_aks\_system\_node\_pool) | AKS node pool system configuration | <pre>object({<br>    name                         = string,<br>    vm_size                      = string,<br>    os_disk_type                 = string,<br>    os_disk_size_gb              = string,<br>    node_count_min               = number,<br>    node_count_max               = number,<br>    only_critical_addons_enabled = bool,<br>    node_labels                  = map(any),<br>    node_tags                    = map(any)<br>  })</pre> | n/a | yes |
-| <a name="input_aks_user_node_pool"></a> [aks\_user\_node\_pool](#input\_aks\_user\_node\_pool) | AKS node pool user configuration | <pre>object({<br>    enabled         = bool,<br>    name            = string,<br>    vm_size         = string,<br>    os_disk_type    = string,<br>    os_disk_size_gb = string,<br>    node_count_min  = number,<br>    node_count_max  = number,<br>    node_labels     = map(any),<br>    node_taints     = list(string),<br>    node_tags       = map(any)<br>  })</pre> | n/a | yes |
+| <a name="input_aks_system_node_pool"></a> [aks\_system\_node\_pool](#input\_aks\_system\_node\_pool) | AKS node pool system configuration | <pre>object({<br/>    name                         = string,<br/>    vm_size                      = string,<br/>    os_disk_type                 = string,<br/>    os_disk_size_gb              = string,<br/>    node_count_min               = number,<br/>    node_count_max               = number,<br/>    only_critical_addons_enabled = bool,<br/>    node_labels                  = map(any),<br/>    node_tags                    = map(any)<br/>  })</pre> | n/a | yes |
+| <a name="input_aks_user_node_pool"></a> [aks\_user\_node\_pool](#input\_aks\_user\_node\_pool) | AKS node pool user configuration | <pre>object({<br/>    enabled         = bool,<br/>    name            = string,<br/>    vm_size         = string,<br/>    os_disk_type    = string,<br/>    os_disk_size_gb = string,<br/>    node_count_min  = number,<br/>    node_count_max  = number,<br/>    node_labels     = map(any),<br/>    node_taints     = list(string),<br/>    node_tags       = map(any)<br/>  })</pre> | n/a | yes |
 | <a name="input_domain"></a> [domain](#input\_domain) | n/a | `string` | n/a | yes |
 | <a name="input_env"></a> [env](#input\_env) | n/a | `string` | n/a | yes |
 | <a name="input_env_short"></a> [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes |
 | <a name="input_ingress_load_balancer_ip"></a> [ingress\_load\_balancer\_ip](#input\_ingress\_load\_balancer\_ip) | n/a | `string` | n/a | yes |
 | <a name="input_ingress_max_replica_count"></a> [ingress\_max\_replica\_count](#input\_ingress\_max\_replica\_count) | n/a | `string` | n/a | yes |
 | <a name="input_ingress_min_replica_count"></a> [ingress\_min\_replica\_count](#input\_ingress\_min\_replica\_count) | n/a | `string` | n/a | yes |
 | <a name="input_k8s_kube_config_path_prefix"></a> [k8s\_kube\_config\_path\_prefix](#input\_k8s\_kube\_config\_path\_prefix) | n/a | `string` | `"~/.kube"` | no |
-| <a name="input_keda_helm"></a> [keda\_helm](#input\_keda\_helm) | keda helm chart configuration | <pre>object({<br>    chart_version = string,<br>    keda = object({<br>      image_name = string,<br>      image_tag  = string,<br>    }),<br>    metrics_api_server = object({<br>      image_name = string,<br>      image_tag  = string,<br>    }),<br>  })</pre> | n/a | yes |
-| <a name="input_kube_prometheus_stack_helm"></a> [kube\_prometheus\_stack\_helm](#input\_kube\_prometheus\_stack\_helm) | kube-prometheus-stack helm chart configuration | <pre>object({<br>    chart_version = string,<br>    values_file   = string<br>  })</pre> | n/a | yes |
+| <a name="input_keda_helm"></a> [keda\_helm](#input\_keda\_helm) | keda helm chart configuration | <pre>object({<br/>    chart_version = string,<br/>    keda = object({<br/>      image_name = string,<br/>      image_tag  = string,<br/>    }),<br/>    metrics_api_server = object({<br/>      image_name = string,<br/>      image_tag  = string,<br/>    }),<br/>  })</pre> | n/a | yes |
+| <a name="input_kube_prometheus_stack_helm"></a> [kube\_prometheus\_stack\_helm](#input\_kube\_prometheus\_stack\_helm) | kube-prometheus-stack helm chart configuration | <pre>object({<br/>    chart_version = string,<br/>    values_file   = string<br/>  })</pre> | n/a | yes |
 | <a name="input_location"></a> [location](#input\_location) | One of westeurope, northeurope | `string` | n/a | yes |
 | <a name="input_location_short"></a> [location\_short](#input\_location\_short) | One of wue, neu | `string` | n/a | yes |
 | <a name="input_location_string"></a> [location\_string](#input\_location\_string) | One of West Europe, North Europe | `string` | n/a | yes |
 | <a name="input_lock_enable"></a> [lock\_enable](#input\_lock\_enable) | Apply locks to block accedentaly deletions. | `bool` | `false` | no |
 | <a name="input_log_analytics_workspace_name"></a> [log\_analytics\_workspace\_name](#input\_log\_analytics\_workspace\_name) | Specifies the name of the Log Analytics Workspace. | `string` | n/a | yes |
 | <a name="input_log_analytics_workspace_resource_group_name"></a> [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | The name of the resource group in which the Log Analytics workspace is located in. | `string` | n/a | yes |
 | <a name="input_monitor_resource_group_name"></a> [monitor\_resource\_group\_name](#input\_monitor\_resource\_group\_name) | Monitor resource group name | `string` | n/a | yes |
-| <a name="input_nginx_helm"></a> [nginx\_helm](#input\_nginx\_helm) | nginx ingress helm chart configuration | <pre>object({<br>    version = string,<br>    controller = object({<br>      image = object({<br>        registry     = string,<br>        image        = string,<br>        tag          = string,<br>        digest       = string,<br>        digestchroot = string,<br>      }),<br>      resources = object({<br>        requests = object({<br>          memory : string<br>        })<br>      }),<br>      config = object({<br>        proxy-body-size : string<br>      })<br>    })<br>  })</pre> | n/a | yes |
+| <a name="input_nginx_helm"></a> [nginx\_helm](#input\_nginx\_helm) | nginx ingress helm chart configuration | <pre>object({<br/>    version = string,<br/>    controller = object({<br/>      image = object({<br/>        registry     = string,<br/>        image        = string,<br/>        tag          = string,<br/>        digest       = string,<br/>        digestchroot = string,<br/>      }),<br/>      resources = object({<br/>        requests = object({<br/>          memory : string<br/>        })<br/>      }),<br/>      config = object({<br/>        proxy-body-size : string<br/>      })<br/>    })<br/>  })</pre> | n/a | yes |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | n/a | `string` | n/a | yes |
 | <a name="input_prometheus_basic_auth_file"></a> [prometheus\_basic\_auth\_file](#input\_prometheus\_basic\_auth\_file) | n/a | `string` | n/a | yes |
-| <a name="input_reloader_helm"></a> [reloader\_helm](#input\_reloader\_helm) | reloader helm chart configuration | <pre>object({<br>    chart_version = string,<br>    image_name    = string,<br>    image_tag     = string<br>  })</pre> | n/a | yes |
-| <a name="input_tags"></a> [tags](#input\_tags) | n/a | `map(any)` | <pre>{<br>  "CreatedBy": "Terraform"<br>}</pre> | no |
-| <a name="input_tls_cert_check_helm"></a> [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration | <pre>object({<br>    chart_version = string,<br>    image_name    = string,<br>    image_tag     = string<br>  })</pre> | n/a | yes |
-| <a name="input_tls_checker_https_endpoints_to_check"></a> [tls\_checker\_https\_endpoints\_to\_check](#input\_tls\_checker\_https\_endpoints\_to\_check) | List of https endpoint to check ssl certificate and his alert name | <pre>list(object({<br>    https_endpoint = string<br>    # max 53 chars, alfanumeric and '-', and lower case<br>    alert_name    = string<br>    alert_enabled = bool<br>    helm_present  = bool<br>  }))</pre> | `[]` | no |
+| <a name="input_reloader_helm"></a> [reloader\_helm](#input\_reloader\_helm) | reloader helm chart configuration | <pre>object({<br/>    chart_version = string,<br/>    image_name    = string,<br/>    image_tag     = string<br/>  })</pre> | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | n/a | `map(any)` | <pre>{<br/>  "CreatedBy": "Terraform"<br/>}</pre> | no |
+| <a name="input_tls_cert_check_helm"></a> [tls\_cert\_check\_helm](#input\_tls\_cert\_check\_helm) | tls cert helm chart configuration | <pre>object({<br/>    chart_version = string,<br/>    image_name    = string,<br/>    image_tag     = string<br/>  })</pre> | n/a | yes |
+| <a name="input_tls_checker_https_endpoints_to_check"></a> [tls\_checker\_https\_endpoints\_to\_check](#input\_tls\_checker\_https\_endpoints\_to\_check) | List of https endpoint to check ssl certificate and his alert name | <pre>list(object({<br/>    https_endpoint = string<br/>    # max 53 chars, alfanumeric and '-', and lower case<br/>    alert_name    = string<br/>    alert_enabled = bool<br/>    helm_present  = bool<br/>  }))</pre> | `[]` | no |
 
 ## Outputs