Merge pull request #2 from pagopa/PAGOPA-1360-sviluppo-massive-upload…

…-service

feat: Massive Upload APIs [PAGOPA-1360]

.github/workflows/code_review.yml

@@ -18,7 +18,7 @@ on:
   workflow_dispatch:
 
 env:
-  PROJECT_KEY: # TODO
+  PROJECT_KEY: pagopa_pagopa-gpd-upload
 
 permissions:
   id-token: write
@@ -35,13 +35,14 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: Code Review
-        uses: pagopa/github-actions-template/maven-code-review@v1.4.2
+        uses: pagopa/github-actions-template/maven-code-review@v1.10.4
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           sonar_token: ${{ secrets.SONAR_TOKEN }}
           project_key: ${{env.PROJECT_KEY}}
           coverage_exclusions: "**/config/*,**/*Mock*,**/model/**,**/entity/*"
           cpd_exclusions: "**/model/**,**/entity/*"
+          java_version: 17
 
   smoke-test:
     name: Smoke Test

.github/workflows/deploy_with_github_runner.yml

@@ -9,7 +9,7 @@ on:
         type: string
 
 env:
-  APP_NAME: # TODO
+  APP_NAME: gpd-upload
 
 
 permissions:

.github/workflows/release_deploy.yml

@@ -100,12 +100,13 @@ jobs:
     steps:
       - name: Make Release
         id: release
-        uses: pagopa/github-actions-template/maven-release@v1.6.8
+        uses: pagopa/github-actions-template/maven-release@main
         with:
           semver: ${{ needs.setup.outputs.semver }}
           github_token: ${{ secrets.BOT_TOKEN_GITHUB }}
           beta: ${{ inputs.beta }}
           skip_ci: false
+          jdk_version: 17
 
   image:
     needs: [ setup, release ]

.gitignore

@@ -38,3 +38,4 @@ hs_err_pid*
 # Helm
 /helm/charts/*
 **/.terraform/
+/helm/Chart.lock

.identity/02_application_action.tf

@@ -1,21 +1,21 @@
-module "github_runner_app" {
-  source = "git::https://github.com/pagopa/github-actions-tf-modules.git//app-github-runner-creator?ref=main"
-
-  app_name = local.app_name
-
-  subscription_id = data.azurerm_subscription.current.id
-
-  github_org              = local.github.org
-  github_repository       = local.github.repository
-  github_environment_name = var.env
-
-  container_app_github_runner_env_rg = local.container_app_environment.resource_group
-}
+#module "github_runner_app" {
+#  source = "git::https://github.com/pagopa/github-actions-tf-modules.git//app-github-runner-creator?ref=main"
+#
+#  app_name = local.app_name
+#
+#  subscription_id = data.azurerm_subscription.current.id
+#
+#  github_org              = local.github.org
+#  github_repository       = local.github.repository
+#  github_environment_name = var.env
+#
+#  container_app_github_runner_env_rg = local.container_app_environment.resource_group
+#}
 
 resource "null_resource" "github_runner_app_permissions_to_namespace" {
   triggers = {
     aks_id               = data.azurerm_kubernetes_cluster.aks.id
-    service_principal_id = module.github_runner_app.client_id
+    service_principal_id = module.identity_cd.identity_client_id
     namespace            = local.domain
     version              = "v2"
   }
@@ -41,56 +41,56 @@ resource "null_resource" "github_runner_app_permissions_to_namespace" {
   }
 }
 
-resource "azurerm_role_assignment" "environment_terraform_storage_account" {
-  scope                = data.azurerm_storage_account.tf_storage_account.id
-  role_definition_name = "Contributor"
-  principal_id         = module.github_runner_app.object_id
-}
-
-resource "azurerm_role_assignment" "environment_terraform_resource_group_apim" {
-  scope                = data.azurerm_resource_group.apim_resource_group.id
-  role_definition_name = "Contributor"
-  principal_id         = module.github_runner_app.object_id
-}
-
-resource "azurerm_role_assignment" "environment_terraform_resource_group_dashboards" {
-  scope                = data.azurerm_resource_group.dashboards.id
-  role_definition_name = "Contributor"
-  principal_id         = module.github_runner_app.object_id
-}
-
-resource "azurerm_role_assignment" "environment_key_vault" {
-  scope                = data.azurerm_key_vault.key_vault.id
-  role_definition_name = "Reader"
-  principal_id         = module.github_runner_app.object_id
-}
-
-resource "azurerm_role_assignment" "environment_key_vault_domain" {
-  scope                = data.azurerm_key_vault.domain_key_vault.id
-  role_definition_name = "Reader"
-  principal_id         = module.github_runner_app.object_id
-}
-
-resource "azurerm_key_vault_access_policy" "ad_kv_group_policy" {
-  key_vault_id = data.azurerm_key_vault.key_vault.id
-
-  tenant_id = data.azurerm_client_config.current.tenant_id
-  object_id = module.github_runner_app.object_id
-
-  key_permissions         = []
-  secret_permissions      = ["Get", "List"]
-  storage_permissions     = []
-  certificate_permissions = []
-}
-
-resource "azurerm_key_vault_access_policy" "ad_domain_kv_group_policy" {
-  key_vault_id = data.azurerm_key_vault.domain_key_vault.id
-
-  tenant_id = data.azurerm_client_config.current.tenant_id
-  object_id = module.github_runner_app.object_id
-
-  key_permissions         = []
-  secret_permissions      = ["Get", "List"]
-  storage_permissions     = []
-  certificate_permissions = []
-}
+#resource "azurerm_role_assignment" "environment_terraform_storage_account" {
+#  scope                = data.azurerm_storage_account.tf_storage_account.id
+#  role_definition_name = "Contributor"
+#  principal_id         = module.github_runner_app.object_id
+#}
+#
+#resource "azurerm_role_assignment" "environment_terraform_resource_group_apim" {
+#  scope                = data.azurerm_resource_group.apim_resource_group.id
+#  role_definition_name = "Contributor"
+#  principal_id         = module.github_runner_app.object_id
+#}
+#
+#resource "azurerm_role_assignment" "environment_terraform_resource_group_dashboards" {
+#  scope                = data.azurerm_resource_group.dashboards.id
+#  role_definition_name = "Contributor"
+#  principal_id         = module.github_runner_app.object_id
+#}
+#
+#resource "azurerm_role_assignment" "environment_key_vault" {
+#  scope                = data.azurerm_key_vault.key_vault.id
+#  role_definition_name = "Reader"
+#  principal_id         = module.github_runner_app.object_id
+#}
+#
+#resource "azurerm_role_assignment" "environment_key_vault_domain" {
+#  scope                = data.azurerm_key_vault.domain_key_vault.id
+#  role_definition_name = "Reader"
+#  principal_id         = module.github_runner_app.object_id
+#}
+#
+#resource "azurerm_key_vault_access_policy" "ad_kv_group_policy" {
+#  key_vault_id = data.azurerm_key_vault.key_vault.id
+#
+#  tenant_id = data.azurerm_client_config.current.tenant_id
+#  object_id = module.github_runner_app.object_id
+#
+#  key_permissions         = []
+#  secret_permissions      = ["Get", "List"]
+#  storage_permissions     = []
+#  certificate_permissions = []
+#}
+#
+#resource "azurerm_key_vault_access_policy" "ad_domain_kv_group_policy" {
+#  key_vault_id = data.azurerm_key_vault.domain_key_vault.id
+#
+#  tenant_id = data.azurerm_client_config.current.tenant_id
+#  object_id = module.github_runner_app.object_id
+#
+#  key_permissions         = []
+#  secret_permissions      = ["Get", "List"]
+#  storage_permissions     = []
+#  certificate_permissions = []
+#}

.identity/03_github_environment.tf

@@ -21,7 +21,7 @@ resource "github_repository_environment" "github_repository_environment" {
 
 locals {
   env_secrets = {
-    "CLIENT_ID" : module.github_runner_app.application_id,
+    "CLIENT_ID" : module.identity_cd.identity_client_id,
     "TENANT_ID" : data.azurerm_client_config.current.tenant_id,
     "SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id,
     "SUBKEY" : data.azurerm_key_vault_secret.key_vault_integration_test_subkey.value,

.identity/04_github_identity.tf

@@ -0,0 +1,28 @@
+resource "azurerm_resource_group" "identity_rg" {
+  name     = "${local.product}-identity-rg"
+  location = var.location
+
+  tags = var.tags
+}
+
+module "identity_cd" {
+  source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v7.28.0"
+
+  prefix    = var.prefix
+  env_short = var.env_short
+
+  identity_role = "cd"
+
+  github_federations = var.cd_github_federations
+
+  cd_rbac_roles = {
+    subscription_roles = var.environment_cd_roles.subscription
+    resource_groups    = var.environment_cd_roles.resource_groups
+  }
+
+  tags = var.tags
+
+  depends_on = [
+    azurerm_resource_group.identity_rg
+  ]
+}

.identity/99_variables.tf

@@ -1,11 +1,11 @@
 locals {
   github = {
     org        = "pagopa"
-    repository = "TODO" #TODO
+    repository = "pagopa-gpd-upload"
   }
 
   prefix         = "pagopa"
-  domain         = "TODO" #TODO
+  domain         = "gps"
   location_short = "weu"
   product        = "${var.prefix}-${var.env_short}"
 
@@ -22,6 +22,10 @@ locals {
   }
 }
 
+variable "location" {
+  type = string
+}
+
 variable "env" {
   type = string
 }
@@ -41,6 +45,23 @@ variable "prefix" {
   }
 }
 
+variable "cd_github_federations" {
+  type = list(object({
+    repository        = string
+    credentials_scope = optional(string, "environment")
+    subject           = string
+  }))
+  description = "GitHub Organization, repository name and scope permissions"
+}
+
+variable "environment_cd_roles" {
+  type = object({
+    subscription    = list(string)
+    resource_groups = map(list(string))
+  })
+  description = "GitHub Continous Delivery roles"
+}
+
 variable "github_repository_environment" {
   type = object({
     protected_branches     = bool
@@ -54,3 +75,14 @@ variable "github_repository_environment" {
     reviewers_teams        = ["pagopa-team-core"]
   }
 }
+
+variable "tags" {
+  type = map(any)
+  default = {
+    CreatedBy   = "Terraform"
+    Environment = "PROD"
+    Owner       = "pagoPA"
+    Source      = "https://github.com/pagopa/pagopa-gpd-upload"
+    CostCenter  = "TS310 - PAGAMENTI & SERVIZI"
+  }
+}

.identity/env/dev/backend.tfvars

@@ -1,4 +1,4 @@
 resource_group_name  = "io-infra-rg"
 storage_account_name = "pagopainfraterraformdev"
 container_name       = "azurermstate"
-key                  = "<your-repo-name>.tfstate" # TODO
+key                  = "pagopa-gpd-upload.tfstate"