

feat: adding ci identity to afm (#2742)
* feat: adding ci identity to afm

* adding pat token afm bot

* upd afm prod secrets

---------

Co-authored-by: pasqualespica <[email protected]>
Co-authored-by: Pasquale Spica <[email protected]>
3 people authored Feb 3, 2025
1 parent 6de1e6d commit 41a0c86
Showing 5 changed files with 53 additions and 6 deletions.
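--- a/src/domains/afm-common/10_github_identity.tf
+++ b/src/domains/afm-common/10_github_identity.tf
@@ -37,6 +37,23 @@ locals {
 ]
 }
 }
+
+environment_ci_roles = {
+subscription = [
+"Contributor",
+]
+resource_groups = {
+"${local.product}-${var.domain}-sec-rg" = [
+"Key Vault Reader",
+],
+"${local.product}-${var.location_short}-${var.env}-aks-rg" = [
+"Contributor"
+],
+"${local.product}-${var.location_short}-shared-tst-dt-rg" = [
+"Storage Blob Data Contributor",
+],
+}
+}
 }
 
 # create a module for each 20 repos
@@ -62,6 +79,32 @@ module "identity_cd_01" {
 data.azurerm_resource_group.identity_rg
 ]
 }
+
+# create a module for each 20 repos
+module "identity_ci_01" {
+count = var.env_short == "p" ? 0 : 1
+source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v7.45.0"
+# pagopa-<ENV><DOMAIN>-<COUNTER>-github-<PERMS>-identity
+prefix = var.prefix
+env_short = var.env_short
+domain = "${var.domain}-01"
+
+identity_role = "ci"
+
+github_federations = local.federations_01
+
+ci_rbac_roles = {
+subscription_roles = local.environment_ci_roles.subscription
+resource_groups = local.environment_ci_roles.resource_groups
+}
+
+tags = var.tags
+
+depends_on = [
+data.azurerm_resource_group.identity_rg
+]
+}
+
 resource "azurerm_key_vault_access_policy" "gha_iac_managed_identities" {
 key_vault_id = module.key_vault.id
 tenant_id = data.azurerm_client_config.current.tenant_id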
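Review bot: `environment_ci_roles.subscription` grants `Contributor` at subscription scope to the new CI identity (the `subscription = ["Contributor"]` entry at the top of the first hunk), which is broader than a plan-only identity needs. If `identity_role = "ci"` is meant for pull-request `terraform plan` runs, as the separate `identity_cd_01` module suggests, `Reader` at subscription scope plus the targeted resource-group roles would be sufficient, and the same question applies to `Storage Blob Data Contributor` on the shared `tst-dt-rg` if CI only reads from it. A one-line comment above the locals stating which roles are deliberately write-capable, and why, would make the intent auditable, e.g. `# CI identity: write roles below are required for <reason>; keep subscription scope read-only otherwise`. Since `identity_ci_01` is a new block, pinning `source` to a commit SHA rather than the mutable `v7.45.0` tag would also harden the module supply chain. The enclosing `locals` block and the `identity_cd_01` module both start outside the hunks.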
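--- a/src/domains/afm-secrets/secret/weu-dev/noedit_secret_enc.json
+++ b/src/domains/afm-secrets/secret/weu-dev/noedit_secret_enc.json
@@ -1,6 +1,7 @@
 {
 "afm-fee-reporting-s3-key-id": "ENC[AES256_GCM,data:fjRcLLL+3HAkKdQ5vgWwika94kg=,iv:+ApyNnJWb7mXZK6vPjxms6D2MJP2fs/4BJQBGWadv4g=,tag:hlXrltSZKe6hQjjY2MIAOw==,type:str]",
 "afm-fee-reporting-s3-key-secret": "ENC[AES256_GCM,data:944zMeqwn6Vz+4aAhsOmcwGewmv6fdcTcl84wb5b05Teydt2L35Wjw==,iv:+PruWCHmtgWTICdDwBqqdU5NGWsLX8Ma20e+lcnZ9gM=,tag:RSNYyyp+5y8nlJWz6+HKqg==,type:str]",
+"pagopa-platform-domain-github-bot-cd-pat": "ENC[AES256_GCM,data:h9d4Q84fQVtEmHGmgA1QDt1S6md6XmOM3JL21i5RpDCjMWMbjRK98Q==,iv:3t0US8z2UkUcWvLOPN+CHfx602sbviB8niX2fot64dc=,tag:ye/e8CAs6tO2PJo+8OpTtQ==,type:str]",
 "sops": {
 "kms": null,
 "gcp_kms": null,
@@ -15,8 +16,8 @@
 ],
 "hc_vault": null,
 "age": null,
-"lastmodified": "2024-10-24T07:58:08Z",
-"mac": "ENC[AES256_GCM,data:5r/dKSuh7LgjUofSdMe9U00R8bemAFCIjKjxqhXNAsTxGUqI8cbRy/j7GNlMERgqrToHHeBl7DXHdH06bHT4Z1BuLRe15znnbOxZxhCGxy7OZrHEZmqLpy9S1+x88kil5MCdSdt6TKz5zbKOALuIXLuBzCNOk6zECD9ZvoxtQWE=,iv:gg8SC6xdE8p//2CZ7sv4llMqt+fLsKycS0bi9qHR1bI=,tag:NUwP/P7ggpBMOmO1fkOEAA==,type:str]",
+"lastmodified": "2025-01-29T08:54:59Z",
+"mac": "ENC[AES256_GCM,data:Eu4qV1zCMtJvo8mXKYJhm62j5ov5/pUZ1/DxSBs0Sd99NoKWZ1ANCGRJ9ZYag5OkEkdQcW9YMNY1g1psoI5Xz+iyqPVsHIiHDPDxJlqIJqK3Z6TvfXDNE+ws+QoEQeOyMpQU2LK4uQOCHzrpyUi5ELkh1YzPTDqsc2fC/UAbpi4=,iv:gxGSZv4CI4YNwRH27N1HAdeETDNhpIej9f0+vD8L3Vs=,tag:35RdB3lLEqVSgy1o6alQGQ==,type:str]",
 "pgp": null,
 "unencrypted_suffix": "_unencrypted",
 "version": "3.9.1"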
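Review bot: The new `pagopa-platform-domain-github-bot-cd-pat` entry stores a GitHub personal access token, a long-lived bearer credential, alongside the federated identities this same commit introduces to avoid static secrets. Nothing on the page records the token's scope or expiry, and the JSON format leaves no room for a comment, so a short entry in the domain's secrets README describing the PAT's owner, repository scope, expiry date and rotation procedure would be worth adding; the `lastmodified` field only says when the file was re-encrypted. The same key is added to the `weu-uat` file in this commit and the same note applies there.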
@@ -1,6 +1,8 @@
{
"afm-fee-reporting-s3-key-id": "ENC[AES256_GCM,data:Ti6eI6B5r82NNY8=,iv:qWDjXffOBF0CaOYKswAersR3a9s6nML1MBrANOgDfA8=,tag:dVTfhmUpiYpJVPM9BygZdQ==,type:str]",
"afm-fee-reporting-s3-key-secret": "ENC[AES256_GCM,data:W4cVp086XUD1FTw=,iv:UXDmOuIl3IRUElaYtXCoid7afwG/GyGspgpOKQ1Fcnw=,tag:rF4CAfrHaEUf3McIbr4z1w==,type:str]",
"pagopa-platform-domain-github-bot-cd-pat": "ENC[AES256_GCM,data:gVy2a3sHOXW4GsaSmNgrnLpb2MlEx+ZKamVQim7U+WEaqaGr5+IRkg==,iv:Flrk8vDbNyW+SoKY8Bt53fdGlR0zk06UoioAprU+tuQ=,tag:sd/8+O7P8fXJ017uUsQcQA==,type:str]",
"pagopa-platform-domain-github-bot-pwd": "ENC[AES256_GCM,data:7mHH8ax94iOIeUUEs7Lc1BumlMgk,iv:DjQRezc1gHu9Ko/ml4wu3+288MpWwwxpXQIecHQQh8w=,tag:T+S50jxAgcVCoNp5PyFtGg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
Expand All @@ -15,8 +17,8 @@
],
"hc_vault": null,
"age": null,
"lastmodified": "2024-10-24T10:23:36Z",
"mac": "ENC[AES256_GCM,data:x5x9kGb7VA34tuFS/79AXpENNxFLdTiR5YWAS/wFIQ1FjvysR92FpKMKgmv7//ZXSXqkfSNDH74hhe2AN3g/5d5RCwv0WMWj+KxNGjr2xCgk7hd1n0I0LBo0Cjkg3nqOe/mmNM6zNh63rzs+hisBEq/CPDVscu6NAgqK6dpIjRQ=,iv:1v82ZBm52YLMznsS9INQD3CQZ0FoDH8anUwCvoG1kEU=,tag:l9wIqKVGgPwjpP6/FIHTSA==,type:str]",
"lastmodified": "2025-02-03T17:14:52Z",
"mac": "ENC[AES256_GCM,data:1r+xgKyF/mOAsR+q8AWWSkEZkvYymSIOwrZb4BLcNfbSag6TNha5K466KPWIPN+aNqlFXq4aaXY7425CSVF9/7Yjnu2bLp39nIQc/zdJq2OwgUeVl3WQilZFypVlpAy+60AZfaBoR9aOd05Dry7eH2NDVTBC8ef0G50qiBHuFY0=,iv:qfnEr5e2OSjOPtyQHofErZI4iakHC62YSfLsJSxqr9c=,tag:/EF2uLJhcrvhZN7mCHBcuQ==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.1"
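Review bot: This section adds `pagopa-platform-domain-github-bot-pwd` in addition to the `cd-pat` key, and that second key is not added to the `weu-dev` or `weu-uat` files in the same commit; if a consumer reads it by name in every environment the lookup will fail outside this one, and if it is a bot account password rather than a token, the reason a password (which cannot be scoped or expired like a PAT) is needed where the PAT already exists should be documented in the secrets README. The page shows no path header for this section, so which environment it belongs to cannot be confirmed here.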
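--- a/src/domains/afm-secrets/secret/weu-uat/noedit_secret_enc.json
+++ b/src/domains/afm-secrets/secret/weu-uat/noedit_secret_enc.json
@@ -1,6 +1,7 @@
 {
 "afm-fee-reporting-s3-key-id": "ENC[AES256_GCM,data:dsi+BRoW4OIyoxo=,iv:fn6X/QM4ac0Bh6pmkpVlQ5bgYm28MJZKeCg/hSYgh/4=,tag:yTGSpIc+MH6fd+v3+Zy1yw==,type:str]",
 "afm-fee-reporting-s3-key-secret": "ENC[AES256_GCM,data:I8UDMX4184T989k=,iv:AzRl/rqHDNVf04+F9z1EXiMEhmQ3gtaIzNSU17bku8k=,tag:WTC3rBbA0Ab9W9kxF8J5uw==,type:str]",
+"pagopa-platform-domain-github-bot-cd-pat": "ENC[AES256_GCM,data:C44TsCXOv0+NVidHi9nhsmbRlO1Go1GTCgm/3k1APfcDNg4WEzAFPQ==,iv:DFrfZaKRG0tOfWbu9wb+NoExftrPJwOKxWifyh2FoVk=,tag:luMYdfd+8K7XS/egVYUorA==,type:str]",
 "sops": {
 "kms": null,
 "gcp_kms": null,
@@ -15,8 +16,8 @@
 ],
 "hc_vault": null,
 "age": null,
-"lastmodified": "2024-10-24T10:22:17Z",
-"mac": "ENC[AES256_GCM,data:q91G3ciPcYfFdAj3wT47UGi4H0nIYC0DvebPQMj9sd8phz0H4ApIvF+6O1/qbW/wsE7w021r41hFfa8YyLJ4d4p+cwGBgVjs24R2zHNCX7Z9M0o2pbuUp/2/uk6AnWVJNxpyzNFTAvc9yPRFXKTnR0kiGI1PdZ04RGTi1LBDGAM=,iv:fT/XCVdASdQZMwh4xKZyLTwAs9RW0KVkf+2GabiZJEM=,tag:9L82qBWR1VemReEtuMQ4eA==,type:str]",
+"lastmodified": "2025-01-29T08:55:55Z",
+"mac": "ENC[AES256_GCM,data:R9Fhehq9aSGOWSYz8EJvxtNpsa49UuLdQ3Q+zvtyqS0iXUxZn490x94SJQxyPx28Z4JBAzKs8vgpHGLpB3NS8qp1ioU2Gp1TW6rby2QvS5gLB68Mlm4dTZutd4mlmbrGrsmXDuzZEqtY6uPrjgfeEHP3ns7rHb68gNf6ZFep7GM=,iv:KYMcN9jUMIK4wmlb7hECpldAaC2189zKlqsEEItmy3M=,tag:xBpWx934ja1jIf6hJHOrBg==,type:str]",
 "pgp": null,
 "unencrypted_suffix": "_unencrypted",
 "version": "3.9.1"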
Empty file modified src/domains/afm-secrets/sops.sh
100644 → 100755

