changes after PR
Krusty93 committed Nov 19, 2024
1 parent 92f6838 commit 716a96a
Showing 9 changed files with 61 additions and 15 deletions.
Expand Up @@ -64,7 +64,7 @@
| [azurerm_role_assignment.opex_cd_tf_rg_blob_data_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.opex_ci_subscription_data_access](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.opex_ci_subscription_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.opex_ci_tf_rg_blob_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.opex_ci_tf_rg_blob_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_user_assigned_identity.app_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
| [azurerm_user_assigned_identity.infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
| [azurerm_user_assigned_identity.infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
Expand Down Expand Up @@ -101,7 +101,7 @@
| <a name="input_pep_vnet_id"></a> [pep\_vnet\_id](#input\_pep\_vnet\_id) | ID of the VNet holding Private Endpoint-dedicated subnet | `string` | n/a | yes |
| <a name="input_repository"></a> [repository](#input\_repository) | Information about this repository | <pre>object({<br/> owner = optional(string, "pagopa")<br/> name = string<br/> description = string<br/> topics = list(string)<br/> reviewers_teams = list(string)<br/> })</pre> | n/a | yes |
| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | The subscription ID where resources are created | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Resources tags | `map(any)` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Resources tags | `map(string)` | n/a | yes |
| <a name="input_tenant_id"></a> [tenant\_id](#input\_tenant\_id) | The tenant ID where resources are created | `string` | n/a | yes |
| <a name="input_terraform_storage_account"></a> [terraform\_storage\_account](#input\_terraform\_storage\_account) | Name and resource group name of the Storage Account hosting the Terraform state file | <pre>object({<br/> resource_group_name = string<br/> name = string<br/> })</pre> | n/a | yes |

Expand Up @@ -13,13 +13,20 @@ resource "github_branch_protection" "main" {
}

require_conversation_resolution = true
require_signed_commits = false
enforce_admins = true
require_signed_commits = true
allows_force_pushes = false
allows_deletions = false

required_pull_request_reviews {
dismiss_stale_reviews = false
require_code_owner_reviews = true
required_approving_review_count = 1
dismissal_restrictions = ["admins"]
restrict_dismissals = true
}

allows_deletions = false
lifecycle {
prevent_destroy = true
}
}
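Review bot: `dismiss_stale_reviews = false` inside `required_pull_request_reviews` keeps an approval valid after new commits are pushed to the PR, so with `required_approving_review_count = 1` a contributor can collect one approval and then append unreviewed commits before merging; this hunk hardens everything else in the rule (`enforce_admins`, signed commits, restricted dismissals) but leaves that gap open. Set `dismiss_stale_reviews = true` so each new push invalidates prior approvals. For `dismissal_restrictions = ["admins"]`, the provider's documented actor-name format is `org/team` for teams and `/login` for users, so confirm a bare `admins` resolves to the intended team rather than failing or matching nothing. The `github_branch_protection.main` block starts before this hunk.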
Expand Up @@ -3,8 +3,8 @@ resource "github_repository_environment" "infra_prod_cd" {
repository = github_repository.this.name

deployment_branch_policy {
protected_branches = false
custom_branch_policies = true
protected_branches = true
custom_branch_policies = false
}

reviewers {
Expand All @@ -21,8 +21,8 @@ resource "github_repository_environment" "app_prod_cd" {
repository = github_repository.this.name

deployment_branch_policy {
protected_branches = false
custom_branch_policies = true
protected_branches = true
custom_branch_policies = false
}

reviewers {
Expand All @@ -39,8 +39,8 @@ resource "github_repository_environment" "opex_prod_cd" {
repository = github_repository.this.name

deployment_branch_policy {
protected_branches = false
custom_branch_policies = true
protected_branches = true
custom_branch_policies = false
}

reviewers {
Expand Down Expand Up @@ -97,4 +97,3 @@ resource "github_actions_environment_secret" "opex_prod_cd" {
secret_name = each.key
plaintext_value = each.value
}
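Review bot: `protected_branches = true` in the three `deployment_branch_policy` blocks admits deployments from any branch that carries a branch protection rule, not only `main`; the only rule visible in this commit is on `main`, but adding a protection rule to another branch later would silently make it eligible for the prod environments. Record that intent next to the policy, e.g. `# deployments allowed from any branch with a protection rule (currently only main)`, so a future rule addition is reviewed with this consequence in mind. Separately, `plaintext_value = each.value` in `github_actions_environment_secret.opex_prod_cd` persists every secret value in Terraform state, so each read grant on the state storage account elsewhere in this module is effectively a read grant on these secrets. The enclosing resource blocks start before their hunks.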

Expand Up @@ -19,16 +19,19 @@ resource "azurerm_role_assignment" "app_cd_subscription_reader" {
scope = var.subscription_id
role_definition_name = "Reader"
principal_id = azurerm_user_assigned_identity.app_cd.principal_id
description = "Allow ${var.repository.name} App CD identity to read resources at subscription scope"
}

resource "azurerm_role_assignment" "app_cd_rg_contributor" {
scope = azurerm_resource_group.main.id
role_definition_name = "Contributor"
principal_id = azurerm_user_assigned_identity.app_cd.principal_id
description = "Allow ${var.repository.name} App CD identity to apply changes to resources at monorepository resource group scope"
}

resource "azurerm_role_assignment" "app_cd_tf_rg_blob_contributor" {
scope = local.tf_storage_account.id
role_definition_name = "Storage Blob Data Contributor"
principal_id = azurerm_user_assigned_identity.app_cd.principal_id
description = "Allow ${var.repository.name} App CD identity to apply changes to the Terraform state file Storage Account scope"
}
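Review bot: The new description on `app_cd_tf_rg_blob_contributor` reads `apply changes to the Terraform state file Storage Account scope`, which drops a preposition and under-describes the grant: `Storage Blob Data Contributor` at account scope is read and write on every container in the account, presumably including state of other modules that share it. Suggest `description = "Allow ${var.repository.name} App CD identity to read and write Terraform state blobs at Storage Account scope"`. It is also worth confirming that the App CD identity really runs `terraform apply`: together with `Contributor` on the resource group it can alter any resource in the group, so if its job is only to push application code a narrower built-in role would be the least-privilege choice — inferred from the identity's name, verify against the workflow. The hunk begins mid-file, after an earlier resource that is not visible here.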
16 changes: 15 additions & 1 deletion infra/modules/azure_monorepo_single_env_starter_pack/id_infra.tf
Expand Up @@ -36,89 +36,103 @@ resource "azurerm_role_assignment" "infra_ci_subscription_reader" {
scope = var.subscription_id
role_definition_name = "Reader"
principal_id = azurerm_user_assigned_identity.infra_ci.principal_id
description = "Allow ${var.repository.name} Infra CI identity to read resources at subscription scope"
}

resource "azurerm_role_assignment" "infra_ci_subscription_data_access" {
scope = var.subscription_id
role_definition_name = "Reader and Data Access"
principal_id = azurerm_user_assigned_identity.infra_ci.principal_id
description = "Allow ${var.repository.name} Infra CI identity to read resources' keys and data at subscription scope"
}

resource "azurerm_role_assignment" "infra_ci_subscription_pagopa_iac_reader" {
scope = var.subscription_id
role_definition_name = "PagoPA IaC Reader"
principal_id = azurerm_user_assigned_identity.infra_ci.principal_id
description = "Allow ${var.repository.name} Infra CI identity to read resources configuration at subscription scope"
}

resource "azurerm_role_assignment" "infra_ci_subscription_cosmos_contributor" {
scope = var.subscription_id
role_definition_name = "DocumentDB Account Contributor"
principal_id = azurerm_user_assigned_identity.infra_ci.principal_id
description = "Allow ${var.repository.name} Infra CI identity to read Cosmos DB configuration at subscription scope"
}

resource "azurerm_role_assignment" "infra_ci_tf_st_blob_contributor" {
scope = local.tf_storage_account.id
role_definition_name = "Storage Blob Data Contributor"
principal_id = azurerm_user_assigned_identity.infra_ci.principal_id
description = "Allow ${var.repository.name} Infra CI identity to apply changes to the Terraform state file Storage Account scope"
}

resource "azurerm_role_assignment" "infra_ci_rg_kv_secr" {
scope = azurerm_resource_group.main.id
role_definition_name = "Key Vault Secrets User"
principal_id = azurerm_user_assigned_identity.infra_ci.principal_id
description = "Allow ${var.repository.name} Infra CI identity to read KeyVault's secrets at monorepository resource group scope"
}

resource "azurerm_role_assignment" "infra_ci_rg_kv_cert" {
scope = azurerm_resource_group.main.id
role_definition_name = "Key Vault Certificate User"
principal_id = azurerm_user_assigned_identity.infra_ci.principal_id
description = "Allow ${var.repository.name} Infra CI identity to read KeyVault's certificates at monorepository resource group scope"
}

resource "azurerm_role_assignment" "infra_cd_subscription_reader" {
scope = var.subscription_id
role_definition_name = "Reader"
principal_id = azurerm_user_assigned_identity.infra_cd.principal_id
description = "Allow ${var.repository.name} Infra CD identity to read resources at subscription scope"
}

resource "azurerm_role_assignment" "infra_cd_rg_contributor" {
scope = azurerm_resource_group.main.id
role_definition_name = "Contributor"
principal_id = azurerm_user_assigned_identity.infra_cd.principal_id
description = "Allow ${var.repository.name} Infra CD identity to apply changes to resources at monorepository resource group scope"
}

resource "azurerm_role_assignment" "infra_cd_vnet_network_contributor" {
scope = var.pep_vnet_id
role_definition_name = "Network Contributor"
principal_id = azurerm_user_assigned_identity.infra_cd.principal_id
description = "Allow ${var.repository.name} Infra CD identity to manage Private Endpoints at VNet scope"
}

resource "azurerm_role_assignment" "infra_cd_apim_service_contributor" {
scope = var.apim_id
role_definition_name = "API Management Service Contributor"
principal_id = azurerm_user_assigned_identity.infra_cd.principal_id
description = "Allow ${var.repository.name} Infra CD identity to manage configuration at APIM scope"
}

resource "azurerm_role_assignment" "infra_cd_st_tf_blob_contributor" {
scope = local.tf_storage_account.id
role_definition_name = "Storage Blob Data Contributor"
principal_id = azurerm_user_assigned_identity.infra_cd.principal_id
description = "Allow ${var.repository.name} Infra CD identity to apply changes to the Terraform state file Storage Account scope"
}

resource "azurerm_role_assignment" "infra_cd_rg_rbac_admin" {
scope = azurerm_resource_group.main.id
role_definition_name = "Role Based Access Control Administrator"
principal_id = azurerm_user_assigned_identity.infra_cd.principal_id
description = "Allow ${var.repository.name} Infra CD identity to manage IAM configuration at monorepository resource group scope"
}

resource "azurerm_role_assignment" "infra_cd_rg_kv_secr" {
scope = azurerm_resource_group.main.id
role_definition_name = "Key Vault Secrets Officer"
principal_id = azurerm_user_assigned_identity.infra_cd.principal_id
description = "Allow ${var.repository.name} Infra CI identity to changes to KeyVault's secrets at monorepository resource group scope"
}

resource "azurerm_role_assignment" "infra_cd_rg_kv_cert" {
scope = azurerm_resource_group.main.id
role_definition_name = "Key Vault Certificates Officer"
principal_id = azurerm_user_assigned_identity.infra_cd.principal_id
description = "Allow ${var.repository.name} Infra CI identity to change KeyVault's certificates at monorepository resource group scope"
}
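Review bot: The descriptions added to `infra_cd_rg_kv_secr` and `infra_cd_rg_kv_cert` say `Infra CI identity`, but both assignments use `azurerm_user_assigned_identity.infra_cd.principal_id`, so the Secrets Officer and Certificates Officer grants are misattributed to the CI identity; change them to `Allow ${var.repository.name} Infra CD identity to change KeyVault's secrets at monorepository resource group scope` and the certificates equivalent, which also removes the `to changes to` typo. These strings are what appears in the portal and in access reviews, so a wrong principal there misleads an auditor rather than being cosmetic. In the same hunk, `infra_ci_subscription_cosmos_contributor` is described as `read Cosmos DB configuration` while `DocumentDB Account Contributor` is a write role, so either the description understates the grant or a reader role was intended. Not introduced by this commit but visible here: `Role Based Access Control Administrator` on the resource group lets the CD identity assign any role, Owner included, to any principal in the group; if only specific roles should be delegable, constrain the assignment with `condition`/`condition_version`.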

11 changes: 9 additions & 2 deletions infra/modules/azure_monorepo_single_env_starter_pack/id_opex.tf
Expand Up @@ -36,40 +36,47 @@ resource "azurerm_role_assignment" "opex_ci_subscription_reader" {
scope = var.subscription_id
role_definition_name = "Reader"
principal_id = azurerm_user_assigned_identity.opex_ci.principal_id
description = "Allow ${var.repository.name} Opex CI identity to read resources at subscription scope"
}

resource "azurerm_role_assignment" "opex_ci_tf_rg_blob_reader" {
resource "azurerm_role_assignment" "opex_ci_tf_rg_blob_contributor" {
scope = local.tf_storage_account.id
role_definition_name = "Storage Blob Data Reader"
role_definition_name = "Storage Blob Data Contributor"
principal_id = azurerm_user_assigned_identity.opex_ci.principal_id
description = "Allow ${var.repository.name} Opex CI identity to apply changes to the Terraform state file Storage Account scope"
}

resource "azurerm_role_assignment" "opex_ci_subscription_data_access" {
scope = var.subscription_id
role_definition_name = "Reader and Data Access"
principal_id = azurerm_user_assigned_identity.opex_ci.principal_id
description = "Allow ${var.repository.name} Opex CI identity to read resources' keys and data at subscription scope"
}

resource "azurerm_role_assignment" "opex_cd_subscription_reader" {
scope = var.subscription_id
role_definition_name = "Reader"
principal_id = azurerm_user_assigned_identity.opex_cd.principal_id
description = "Allow ${var.repository.name} Opex CD identity to read resources at subscription scope"
}

resource "azurerm_role_assignment" "opex_cd_tf_rg_blob_contributor" {
scope = local.tf_storage_account.id
role_definition_name = "Storage Blob Data Contributor"
principal_id = azurerm_user_assigned_identity.opex_cd.principal_id
description = "Allow ${var.repository.name} Opex CD identity to apply changes to the Terraform state file Storage Account scope"
}

resource "azurerm_role_assignment" "opex_cd_tf_rg_blob_data_access" {
scope = local.tf_storage_account.id
role_definition_name = "Reader and Data Access"
principal_id = azurerm_user_assigned_identity.opex_cd.principal_id
description = "Allow ${var.repository.name} Opex CD identity to read resources' keys at the Terraform state file Storage Account scope"
}

resource "azurerm_role_assignment" "opex_cd_rg_opex_contributor" {
scope = azurerm_resource_group.main.id
role_definition_name = "PagoPA Opex Dashboards Contributor"
principal_id = azurerm_user_assigned_identity.opex_cd.principal_id
description = "Allow ${var.repository.name} Opex CD identity to apply changes to Opex dashboards at monorepository resource group scope"
}
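Review bot: `opex_ci_tf_rg_blob_contributor` raises the Opex CI identity from `Storage Blob Data Reader` to `Storage Blob Data Contributor` on the state storage account, and the new description frames that as `apply changes to the Terraform state file`; a CI identity that runs on pull requests with write access to state can overwrite or poison the state the CD identity later applies. If the upgrade exists only so `terraform plan` can take the blob-lease lock (the usual reason Reader is insufficient with the azurerm backend), running plan with `-lock=false` keeps CI on `Storage Blob Data Reader` — confirm which it is and, if write really is required, state why in the description. `infra_ci_tf_st_blob_contributor` already grants the Infra CI identity the same role, so this is at least consistent with the module's existing choice. Also visible here: `opex_cd_tf_rg_blob_data_access` (`Reader and Data Access`) exposes the storage account keys, which bypass RBAC entirely; if the CD identity only needs state access, the Blob Data Contributor grant already covers it and the key-listing grant can go.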
Expand Up @@ -9,11 +9,14 @@ locals {
secret_name = "personal-access-token"
}

# %s is replaced by `ci` or `cd`
ids = {
#e.g. io-p-itn-ipatente-app-github-cd-id-01
infra_name = "${module.naming_convention.prefix}-infra-github-%s-id-${module.naming_convention.suffix}"
app_name = "${module.naming_convention.prefix}-app-github-%s-id-${module.naming_convention.suffix}"
opex_name = "${module.naming_convention.prefix}-opex-github-%s-id-${module.naming_convention.suffix}"

# e.g. infra-prod-cd
infra_environment_name = "infra-${module.naming_convention.env_name}-%s"
app_environment_name = "app-${module.naming_convention.env_name}-%s"
opex_environment_name = "opex-${module.naming_convention.env_name}-%s"
13 changes: 13 additions & 0 deletions infra/modules/azure_monorepo_single_env_starter_pack/rbac_ad.tf
Expand Up @@ -4,66 +4,77 @@ resource "azurerm_role_assignment" "admins_group_rg" {
scope = azurerm_resource_group.main.id
role_definition_name = "Owner"
principal_id = var.entraid_groups.admins_object_id
description = "Allow ${var.repository.name} AD Admin group the complete ownership at monorepository resource group scope"
}

resource "azurerm_role_assignment" "admins_group_st_tf" {
scope = local.tf_storage_account.id
role_definition_name = "Storage Blob Data Contributor"
principal_id = var.entraid_groups.admins_object_id
description = "Allow ${var.repository.name} AD Admin group to apply changes to the Terraform state file Storage Account scope"
}

resource "azurerm_role_assignment" "admins_vnet_network_contributor" {
scope = var.pep_vnet_id
role_definition_name = "Network Contributor"
principal_id = var.entraid_groups.admins_object_id
description = "Allow ${var.repository.name} AD Admin group to manage Private Endpoints at VNet scope"
}

resource "azurerm_role_assignment" "admins_apim_service_contributor" {
scope = var.apim_id
role_definition_name = "API Management Service Contributor"
principal_id = var.entraid_groups.admins_object_id
description = "Allow ${var.repository.name} AD Admin group to manage configuration at APIM scope"
}

resource "azurerm_role_assignment" "admins_group_rg_kv_data" {
scope = azurerm_resource_group.main.id
role_definition_name = "Key Vault Data Access Administrator"
principal_id = var.entraid_groups.admins_object_id
description = "Allow ${var.repository.name} AD Admin group to changes to apply changes to KeyVault's data at monorepository resource group scope"
}

resource "azurerm_role_assignment" "admins_group_rg_kv_admin" {
scope = azurerm_resource_group.main.id
role_definition_name = "Key Vault Administrator"
principal_id = var.entraid_groups.admins_object_id
description = "Allow ${var.repository.name} AD Admin group to changes to apply changes to KeyVault at monorepository resource group scope"
}

resource "azurerm_role_assignment" "devs_group_rg" {
scope = azurerm_resource_group.main.id
role_definition_name = "Contributor"
principal_id = var.entraid_groups.devs_object_id
description = "Allow ${var.repository.name} AD Dev group to apply changes at monorepository resource group scope"
}

resource "azurerm_role_assignment" "devs_group_tf_st" {
scope = local.tf_storage_account.id
role_definition_name = "Storage Blob Data Contributor"
principal_id = var.entraid_groups.devs_object_id
description = "Allow ${var.repository.name} AD Dev group to apply changes to the Terraform state file Storage Account scope"
}

resource "azurerm_role_assignment" "devs_apim_service_contributor" {
scope = var.apim_id
role_definition_name = "API Management Service Contributor"
principal_id = var.entraid_groups.devs_object_id
description = "Allow ${var.repository.name} AD Dev group to manage configuration at APIM scope"
}

resource "azurerm_role_assignment" "devs_group_tf_rg_kv_secr" {
scope = local.tf_storage_account.id
role_definition_name = "Key Vault Secrets Officer"
principal_id = var.entraid_groups.devs_object_id
description = "Allow ${var.repository.name} AD Dev group to changes to KeyVault's secrets at monorepository resource group scope"
}

resource "azurerm_role_assignment" "devs_group_tf_rg_kv_cert" {
scope = local.tf_storage_account.id
role_definition_name = "Key Vault Certificates Officer"
principal_id = var.entraid_groups.devs_object_id
description = "Allow ${var.repository.name} AD Dev group to change KeyVault's certificates at monorepository resource group scope"
}

resource "azurerm_role_assignment" "externals_group_rg" {
Expand All @@ -72,6 +83,7 @@ resource "azurerm_role_assignment" "externals_group_rg" {
scope = azurerm_resource_group.main.id
role_definition_name = "Reader"
principal_id = var.entraid_groups.externals_object_id
description = "Allow ${var.repository.name} AD external group to read resources at subscription scope"
}

resource "azurerm_role_assignment" "externals_group_tf_rg" {
Expand All @@ -80,4 +92,5 @@ resource "azurerm_role_assignment" "externals_group_tf_rg" {
scope = local.tf_storage_account.id
role_definition_name = "Storage Blob Data Reader"
principal_id = var.entraid_groups.externals_object_id
description = "Allow ${var.repository.name} AD external group to read blobs at the Terraform state file Storage Account scope"
}
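Review bot: The new descriptions on `devs_group_tf_rg_kv_secr` and `devs_group_tf_rg_kv_cert` say `at monorepository resource group scope`, but both assignments use `scope = local.tf_storage_account.id` with Key Vault Officer roles; a Key Vault role scoped to a storage account grants nothing on any vault, so either the description or the scope is wrong — the `infra_cd` equivalents in this module use `azurerm_resource_group.main.id`, which is presumably the intent. Likewise `externals_group_rg` is scoped to `azurerm_resource_group.main.id` while its description says `at subscription scope`; change it to `Allow ${var.repository.name} AD external group to read resources at monorepository resource group scope`. The two admin Key Vault descriptions carry the duplicated phrase `to changes to apply changes to`. Finally, `externals_group_tf_rg` gives the externals group `Storage Blob Data Reader` on the state storage account: Terraform state routinely holds secrets (this module itself stores GitHub environment secret values via `plaintext_value`), so read access to the state container is effectively read access to those secrets and deserves an explicit justification comment or removal. The first hunk's last resource block continues into the following hunk.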
@@ -1,5 +1,5 @@
variable "tags" {
type = map(any)
type = map(string)
description = "Resources tags"
}
