add new repo config

pagopa · Feb 7, 2025 · 89b7eaf · 89b7eaf
1 parent 4ef9cd7
commit 89b7eaf
Show file tree

Hide file tree

Showing 5 changed files with 361 additions and 0 deletions.
diff --git a/infra/repository/.terraform.lock.hcl b/infra/repository/.terraform.lock.hcl
diff --git a/infra/repository/README.md b/infra/repository/README.md
@@ -0,0 +1,49 @@
+# IO Auth n Identity Domain - Repository Setup
+
+<!-- markdownlint-disable -->
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~>3 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~>4 |
+| <a name="requirement_github"></a> [github](#requirement\_github) | ~>6 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 3.1.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 4.17.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_repo"></a> [repo](#module\_repo) | pagopa/dx-azure-github-environment-bootstrap/azurerm | ~>0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azuread_group.admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azurerm_api_management.apim](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_container_app_environment.runner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/container_app_environment) | data source |
+| [azurerm_key_vault.common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
+| [azurerm_resource_group.dashboards](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_resource_group.external](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_virtual_network.common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/infra/repository/locals.tf b/infra/repository/locals.tf
@@ -0,0 +1,66 @@
+locals {
+  prefix          = "io"
+  env_short       = "p"
+  location        = "italynorth"
+  domain          = "auth"
+  instance_number = "01"
+
+  adgroups = {
+    admins_name    = "io-p-adgroup-auth-admins"
+    devs_name      = "io-p-adgroup-auth-developers"
+    externals_name = "io-p-adgroup-auth-externals"
+  }
+
+  runner = {
+    cae_name                = "${local.prefix}-${local.env_short}-itn-github-runner-cae-01"
+    cae_resource_group_name = "${local.prefix}-${local.env_short}-itn-github-runner-rg-01"
+    secret = {
+      kv_name                = "${local.prefix}-${local.env_short}-kv-common"
+      kv_resource_group_name = "${local.prefix}-${local.env_short}-rg-common"
+    }
+  }
+
+  apim = {
+    name                = "${local.prefix}-${local.env_short}-apim-v2-api"
+    resource_group_name = "${local.prefix}-${local.env_short}-rg-internal"
+  }
+
+  vnet = {
+    name                = "${local.prefix}-${local.env_short}-itn-common-vnet-01"
+    resource_group_name = "${local.prefix}-${local.env_short}-itn-common-rg-01"
+  }
+
+  dns = {
+    resource_group_name = "${local.prefix}-${local.env_short}-rg-external"
+  }
+
+  tf_storage_account = {
+    name                = "iopitntfst001"
+    resource_group_name = "terraform-state-rg"
+  }
+
+  repository = {
+    name                     = "io-auth-n-identity-domain"
+    description              = "Auth&Identity Monorepo"
+    topics                   = ["auth", "io"]
+    reviewers_teams          = ["io-auth-n-identity-backend", "engineering-team-cloud-eng"]
+    default_branch_name      = "main"
+    infra_cd_policy_branches = ["main"]
+    opex_cd_policy_branches  = ["main"]
+    app_cd_policy_branches   = ["main"]
+  }
+
+  key_vault = {
+    name                = "io-p-kv-common"
+    resource_group_name = "io-p-rg-common"
+  }
+
+  tags = {
+    CreatedBy      = "Terraform"
+    Environment    = "Prod"
+    BusinessUnit   = "App IO"
+    ManagementTeam = "IO Autenticazione"
+    Source         = "https://github.com/pagopa/io-auth-n-identity-domain/blob/main/infra/repository"
+    CostCenter     = "TS000 - Tecnologia e Servizi"
+  }
+}
diff --git a/infra/repository/main.tf b/infra/repository/main.tf
@@ -0,0 +1,168 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~>4"
+    }
+
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "~>3"
+    }
+
+    github = {
+      source  = "integrations/github"
+      version = "~>6"
+    }
+  }
+
+  backend "azurerm" {
+    resource_group_name  = "terraform-state-rg"
+    storage_account_name = "iopitntfst001"
+    container_name       = "terraform-state"
+    key                  = "io-auth-n-identity-domain.repository.tfstate"
+    use_azuread_auth     = true
+  }
+}
+
+provider "azurerm" {
+  features {}
+  storage_use_azuread = true
+}
+
+provider "github" {
+  owner = "pagopa"
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
+
+data "azurerm_container_app_environment" "runner" {
+  name                = local.runner.cae_name
+  resource_group_name = local.runner.cae_resource_group_name
+}
+
+data "azurerm_api_management" "apim" {
+  name                = local.apim.name
+  resource_group_name = local.apim.resource_group_name
+}
+
+data "azurerm_key_vault" "common" {
+  name                = local.key_vault.name
+  resource_group_name = local.key_vault.resource_group_name
+}
+
+data "azurerm_virtual_network" "common" {
+  name                = local.vnet.name
+  resource_group_name = local.vnet.resource_group_name
+}
+
+data "azurerm_resource_group" "external" {
+  name = local.dns.resource_group_name
+}
+
+data "azurerm_resource_group" "dashboards" {
+  name = "dashboards"
+}
+
+data "azuread_group" "admins" {
+  display_name = local.adgroups.admins_name
+}
+
+data "azuread_group" "developers" {
+  display_name = local.adgroups.devs_name
+}
+
+data "azuread_group" "externals" {
+  display_name = local.adgroups.externals_name
+}
+
+import {
+  to = module.repo.github_branch_default.main
+  id = "io-auth-n-identity-domain"
+}
+
+import {
+  to = module.repo.github_repository.this
+  id = "io-auth-n-identity-domain"
+}
+
+import {
+  to = module.repo.github_repository_environment.opex_prod_cd
+  id = "io-auth-n-identity-domain:opex-prod-cd"
+}
+
+import {
+  to = module.repo.github_repository_environment.opex_prod_ci
+  id = "io-auth-n-identity-domain:opex-prod-ci"
+}
+
+import {
+  to = module.repo.github_actions_secret.repo_secrets["ARM_TENANT_ID"]
+  id = "io-auth-n-identity-domain/ARM_TENANT_ID"
+}
+
+import {
+  to = module.repo.github_actions_secret.repo_secrets["ARM_SUBSCRIPTION_ID"]
+  id = "io-auth-n-identity-domain/ARM_SUBSCRIPTION_ID"
+}
+
+module "repo" {
+  source  = "pagopa/dx-azure-github-environment-bootstrap/azurerm"
+  version = "~>0"
+
+  environment = {
+    prefix          = local.prefix
+    env_short       = local.env_short
+    location        = local.location
+    domain          = local.domain
+    instance_number = local.instance_number
+  }
+
+  subscription_id = data.azurerm_subscription.current.id
+  tenant_id       = data.azurerm_client_config.current.tenant_id
+
+  entraid_groups = {
+    admins_object_id    = data.azuread_group.admins.object_id
+    devs_object_id      = data.azuread_group.developers.object_id
+    externals_object_id = data.azuread_group.externals.object_id
+  }
+
+  terraform_storage_account = {
+    name                = local.tf_storage_account.name
+    resource_group_name = local.tf_storage_account.resource_group_name
+  }
+
+  repository = {
+    name                     = local.repository.name
+    description              = local.repository.description
+    topics                   = local.repository.topics
+    reviewers_teams          = local.repository.reviewers_teams
+    default_branch_name      = local.repository.default_branch_name
+    infra_cd_policy_branches = local.repository.infra_cd_policy_branches
+    opex_cd_policy_branches  = local.repository.opex_cd_policy_branches
+    app_cd_policy_branches   = local.repository.app_cd_policy_branches
+  }
+
+  github_private_runner = {
+    container_app_environment_id       = data.azurerm_container_app_environment.runner.id
+    container_app_environment_location = data.azurerm_container_app_environment.runner.location
+    key_vault = {
+      name                = local.runner.secret.kv_name
+      resource_group_name = local.runner.secret.kv_resource_group_name
+    }
+    cpu    = 1
+    memory = "2Gi"
+  }
+
+  apim_id                    = data.azurerm_api_management.apim.id
+  pep_vnet_id                = data.azurerm_virtual_network.common.id
+  dns_zone_resource_group_id = data.azurerm_resource_group.external.id
+  opex_resource_group_id     = data.azurerm_resource_group.dashboards.id
+  keyvault_common_ids = [
+    data.azurerm_key_vault.common.id
+  ]
+
+  tags = local.tags
+}
diff --git a/infra/repository/tfmodules.lock.json b/infra/repository/tfmodules.lock.json
@@ -0,0 +1,4 @@
+{
+  "repo": "39e0c38ca3bbbcd0c771c87db98066902eba55f48b81a5ca4b37c327668298bc",
+  "repo.naming_convention": "5b1d21788783dcf33e17a9842f9f7c874c8c5f736c82e70979eb9c8785a74ce4"
+}