diff --git a/src/domains/afm-common/10_github_identity.tf b/src/domains/afm-common/10_github_identity.tf index 55f583fd0e..b4075a6d9f 100644 --- a/src/domains/afm-common/10_github_identity.tf +++ b/src/domains/afm-common/10_github_identity.tf @@ -37,6 +37,23 @@ locals { ] } } + + environment_ci_roles = { + subscription = [ + "Contributor", + ] + resource_groups = { + "${local.product}-${var.domain}-sec-rg" = [ + "Key Vault Reader", + ], + "${local.product}-${var.location_short}-${var.env}-aks-rg" = [ + "Contributor" + ], + "${local.product}-${var.location_short}-shared-tst-dt-rg" = [ + "Storage Blob Data Contributor", + ], + } + } } # create a module for each 20 repos @@ -62,6 +79,32 @@ module "identity_cd_01" { data.azurerm_resource_group.identity_rg ] } + +# create a module for each 20 repos +module "identity_ci_01" { + count = var.env_short == "p" ? 0 : 1 + source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v7.45.0" + # pagopa---github--identity + prefix = var.prefix + env_short = var.env_short + domain = "${var.domain}-01" + + identity_role = "ci" + + github_federations = local.federations_01 + + ci_rbac_roles = { + subscription_roles = local.environment_ci_roles.subscription + resource_groups = local.environment_ci_roles.resource_groups + } + + tags = var.tags + + depends_on = [ + data.azurerm_resource_group.identity_rg + ] +} + resource "azurerm_key_vault_access_policy" "gha_iac_managed_identities" { key_vault_id = module.key_vault.id tenant_id = data.azurerm_client_config.current.tenant_id diff --git a/src/domains/afm-secrets/secret/weu-dev/noedit_secret_enc.json b/src/domains/afm-secrets/secret/weu-dev/noedit_secret_enc.json index 24cdd829dd..f1e295528f 100644 --- a/src/domains/afm-secrets/secret/weu-dev/noedit_secret_enc.json +++ b/src/domains/afm-secrets/secret/weu-dev/noedit_secret_enc.json 
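Review bot: `subscription = ["Contributor"]` in the new `environment_ci_roles` local gives the CI identity write access to every resource in the subscription, which already covers the `Contributor` granted on the aks resource group and is broader than a plan-only CI identity normally needs. If the CI workflows only run `terraform plan`, `Reader` at subscription scope plus the listed resource-group roles would be the least-privilege shape; if write access really is required, say why next to the entry, e.g. `# subscription Contributor needed because <reason — TODO confirm>`. The `shared-tst-dt-rg` key hard-codes `tst` where the aks entry uses `var.env`, so in dev this identity is also granted on the tst data RG — confirm that is intended. The `locals` block starts outside the hunk.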
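Review bot: `github_federations = local.federations_01` makes the new `identity_ci_01` trust the same GitHub subject list as `identity_cd_01`, so every subject that can assume the CD identity can also assume this one and with it the subscription-wide roles from `local.environment_ci_roles`; if CI is meant to run from pull requests, its subjects usually differ from the environment-bound CD ones, so a dedicated CI federation list, or a comment stating that sharing is deliberate, would make the trust boundary explicit. The copied `# create a module for each 20 repos` header and the placeholder `# pagopa---github--identity` do not say what this identity is for; suggest `# CI identity for the domain repos, not created in prod (see count)` on the module.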
@@ -1,6 +1,7 @@
 {
 "afm-fee-reporting-s3-key-id": "ENC[AES256_GCM,data:fjRcLLL+3HAkKdQ5vgWwika94kg=,iv:+ApyNnJWb7mXZK6vPjxms6D2MJP2fs/4BJQBGWadv4g=,tag:hlXrltSZKe6hQjjY2MIAOw==,type:str]",
 "afm-fee-reporting-s3-key-secret": "ENC[AES256_GCM,data:944zMeqwn6Vz+4aAhsOmcwGewmv6fdcTcl84wb5b05Teydt2L35Wjw==,iv:+PruWCHmtgWTICdDwBqqdU5NGWsLX8Ma20e+lcnZ9gM=,tag:RSNYyyp+5y8nlJWz6+HKqg==,type:str]",
+ "pagopa-platform-domain-github-bot-cd-pat": "ENC[AES256_GCM,data:h9d4Q84fQVtEmHGmgA1QDt1S6md6XmOM3JL21i5RpDCjMWMbjRK98Q==,iv:3t0US8z2UkUcWvLOPN+CHfx602sbviB8niX2fot64dc=,tag:ye/e8CAs6tO2PJo+8OpTtQ==,type:str]",
 "sops": {
 "kms": null,
 "gcp_kms": null,
@@ -15,8 +16,8 @@
 ],
 "hc_vault": null,
 "age": null,
- "lastmodified": "2024-10-24T07:58:08Z",
- "mac": "ENC[AES256_GCM,data:5r/dKSuh7LgjUofSdMe9U00R8bemAFCIjKjxqhXNAsTxGUqI8cbRy/j7GNlMERgqrToHHeBl7DXHdH06bHT4Z1BuLRe15znnbOxZxhCGxy7OZrHEZmqLpy9S1+x88kil5MCdSdt6TKz5zbKOALuIXLuBzCNOk6zECD9ZvoxtQWE=,iv:gg8SC6xdE8p//2CZ7sv4llMqt+fLsKycS0bi9qHR1bI=,tag:NUwP/P7ggpBMOmO1fkOEAA==,type:str]",
+ "lastmodified": "2025-01-29T08:54:59Z",
+ "mac": "ENC[AES256_GCM,data:Eu4qV1zCMtJvo8mXKYJhm62j5ov5/pUZ1/DxSBs0Sd99NoKWZ1ANCGRJ9ZYag5OkEkdQcW9YMNY1g1psoI5Xz+iyqPVsHIiHDPDxJlqIJqK3Z6TvfXDNE+ws+QoEQeOyMpQU2LK4uQOCHzrpyUi5ELkh1YzPTDqsc2fC/UAbpi4=,iv:gxGSZv4CI4YNwRH27N1HAdeETDNhpIej9f0+vD8L3Vs=,tag:35RdB3lLEqVSgy1o6alQGQ==,type:str]",
 "pgp": null,
 "unencrypted_suffix": "_unencrypted",
 "version": "3.9.1"
diff --git a/src/domains/afm-secrets/secret/weu-prod/noedit_secret_enc.json b/src/domains/afm-secrets/secret/weu-prod/noedit_secret_enc.json
index 6e1748c4a6..cefc04d814 100644
--- a/src/domains/afm-secrets/secret/weu-prod/noedit_secret_enc.json
+++ b/src/domains/afm-secrets/secret/weu-prod/noedit_secret_enc.json
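Review bot: The new `pagopa-platform-domain-github-bot-cd-pat` entry stores a GitHub personal access token, a long-lived static credential, and nothing in the file records its expiry or who rotates it, even though the same change adds a federated (token-less) CI identity in `10_github_identity.tf`. The file already declares `"unencrypted_suffix": "_unencrypted"`, so a plaintext sibling such as `"pagopa-platform-domain-github-bot-cd-pat-expiry_unencrypted": "<YYYY-MM-DD, placeholder>"` would keep that metadata next to the secret; re-encrypting with sops refreshes `mac`. The same entry is added to the weu-uat and weu-prod files below, so the note applies to all three.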
@@ -1,6 +1,8 @@
 {
 "afm-fee-reporting-s3-key-id": "ENC[AES256_GCM,data:Ti6eI6B5r82NNY8=,iv:qWDjXffOBF0CaOYKswAersR3a9s6nML1MBrANOgDfA8=,tag:dVTfhmUpiYpJVPM9BygZdQ==,type:str]",
 "afm-fee-reporting-s3-key-secret": "ENC[AES256_GCM,data:W4cVp086XUD1FTw=,iv:UXDmOuIl3IRUElaYtXCoid7afwG/GyGspgpOKQ1Fcnw=,tag:rF4CAfrHaEUf3McIbr4z1w==,type:str]",
+ "pagopa-platform-domain-github-bot-cd-pat": "ENC[AES256_GCM,data:gVy2a3sHOXW4GsaSmNgrnLpb2MlEx+ZKamVQim7U+WEaqaGr5+IRkg==,iv:Flrk8vDbNyW+SoKY8Bt53fdGlR0zk06UoioAprU+tuQ=,tag:sd/8+O7P8fXJ017uUsQcQA==,type:str]",
+ "pagopa-platform-domain-github-bot-pwd": "ENC[AES256_GCM,data:7mHH8ax94iOIeUUEs7Lc1BumlMgk,iv:DjQRezc1gHu9Ko/ml4wu3+288MpWwwxpXQIecHQQh8w=,tag:T+S50jxAgcVCoNp5PyFtGg==,type:str]",
 "sops": {
 "kms": null,
 "gcp_kms": null,
@@ -15,8 +17,8 @@
 ],
 "hc_vault": null,
 "age": null,
- "lastmodified": "2024-10-24T10:23:36Z",
- "mac": "ENC[AES256_GCM,data:x5x9kGb7VA34tuFS/79AXpENNxFLdTiR5YWAS/wFIQ1FjvysR92FpKMKgmv7//ZXSXqkfSNDH74hhe2AN3g/5d5RCwv0WMWj+KxNGjr2xCgk7hd1n0I0LBo0Cjkg3nqOe/mmNM6zNh63rzs+hisBEq/CPDVscu6NAgqK6dpIjRQ=,iv:1v82ZBm52YLMznsS9INQD3CQZ0FoDH8anUwCvoG1kEU=,tag:l9wIqKVGgPwjpP6/FIHTSA==,type:str]",
+ "lastmodified": "2025-02-03T17:14:52Z",
+ "mac": "ENC[AES256_GCM,data:1r+xgKyF/mOAsR+q8AWWSkEZkvYymSIOwrZb4BLcNfbSag6TNha5K466KPWIPN+aNqlFXq4aaXY7425CSVF9/7Yjnu2bLp39nIQc/zdJq2OwgUeVl3WQilZFypVlpAy+60AZfaBoR9aOd05Dry7eH2NDVTBC8ef0G50qiBHuFY0=,iv:qfnEr5e2OSjOPtyQHofErZI4iakHC62YSfLsJSxqr9c=,tag:/EF2uLJhcrvhZN7mCHBcuQ==,type:str]",
 "pgp": null,
 "unencrypted_suffix": "_unencrypted",
 "version": "3.9.1"
diff --git a/src/domains/afm-secrets/secret/weu-uat/noedit_secret_enc.json b/src/domains/afm-secrets/secret/weu-uat/noedit_secret_enc.json
index 2639ca3204..ebb1832987 100644
--- a/src/domains/afm-secrets/secret/weu-uat/noedit_secret_enc.json
+++ b/src/domains/afm-secrets/secret/weu-uat/noedit_secret_enc.json
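Review bot: weu-prod additionally gains `pagopa-platform-domain-github-bot-pwd`, which has no counterpart in the weu-dev or weu-uat files in this change, so anything that reads this key will see it only in prod; confirm the asymmetry is intended or add the key to the other environments so the three files keep one schema. A bot account password is a second static credential beside the PAT, and if it is only used to issue that PAT it may not need to live in the environment secrets at all — can't tell from here, so worth a one-line justification in the PR description.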
@@ -1,6 +1,7 @@
 {
 "afm-fee-reporting-s3-key-id": "ENC[AES256_GCM,data:dsi+BRoW4OIyoxo=,iv:fn6X/QM4ac0Bh6pmkpVlQ5bgYm28MJZKeCg/hSYgh/4=,tag:yTGSpIc+MH6fd+v3+Zy1yw==,type:str]",
 "afm-fee-reporting-s3-key-secret": "ENC[AES256_GCM,data:I8UDMX4184T989k=,iv:AzRl/rqHDNVf04+F9z1EXiMEhmQ3gtaIzNSU17bku8k=,tag:WTC3rBbA0Ab9W9kxF8J5uw==,type:str]",
+ "pagopa-platform-domain-github-bot-cd-pat": "ENC[AES256_GCM,data:C44TsCXOv0+NVidHi9nhsmbRlO1Go1GTCgm/3k1APfcDNg4WEzAFPQ==,iv:DFrfZaKRG0tOfWbu9wb+NoExftrPJwOKxWifyh2FoVk=,tag:luMYdfd+8K7XS/egVYUorA==,type:str]",
 "sops": {
 "kms": null,
 "gcp_kms": null,
@@ -15,8 +16,8 @@
 ],
 "hc_vault": null,
 "age": null,
- "lastmodified": "2024-10-24T10:22:17Z",
- "mac": "ENC[AES256_GCM,data:q91G3ciPcYfFdAj3wT47UGi4H0nIYC0DvebPQMj9sd8phz0H4ApIvF+6O1/qbW/wsE7w021r41hFfa8YyLJ4d4p+cwGBgVjs24R2zHNCX7Z9M0o2pbuUp/2/uk6AnWVJNxpyzNFTAvc9yPRFXKTnR0kiGI1PdZ04RGTi1LBDGAM=,iv:fT/XCVdASdQZMwh4xKZyLTwAs9RW0KVkf+2GabiZJEM=,tag:9L82qBWR1VemReEtuMQ4eA==,type:str]",
+ "lastmodified": "2025-01-29T08:55:55Z",
+ "mac": "ENC[AES256_GCM,data:R9Fhehq9aSGOWSYz8EJvxtNpsa49UuLdQ3Q+zvtyqS0iXUxZn490x94SJQxyPx28Z4JBAzKs8vgpHGLpB3NS8qp1ioU2Gp1TW6rby2QvS5gLB68Mlm4dTZutd4mlmbrGrsmXDuzZEqtY6uPrjgfeEHP3ns7rHb68gNf6ZFep7GM=,iv:KYMcN9jUMIK4wmlb7hECpldAaC2189zKlqsEEItmy3M=,tag:xBpWx934ja1jIf6hJHOrBg==,type:str]",
 "pgp": null,
 "unencrypted_suffix": "_unencrypted",
 "version": "3.9.1"
diff --git a/src/domains/afm-secrets/sops.sh b/src/domains/afm-secrets/sops.sh
old mode 100644
new mode 100755