pagopa · Krusty93 · Oct 17, 2024 · Oct 17, 2024 · Oct 25, 2024 · Oct 28, 2024
@@ -0,0 +1 @@
+# azure_monorepo_single_env_starter_pack
@@ -0,0 +1,32 @@
+# subscription roles defined in `eng-azure-authorization` repo
+
+# Resource Group
+resource "azurerm_role_assignment" "admins_group_rg" {
+  scope                = azurerm_resource_group.main.id
+  role_definition_name = "Owner"
+  principal_id         = var.entraid_groups.admins_object_id
+  description          = "Allow ${var.repository.name} AD Admin group the complete ownership at monorepository resource group scope"
+}
+
+# Storage Account - Terraform state file
+resource "azurerm_role_assignment" "admins_group_st_tf" {
+  scope                = local.tf_storage_account.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = var.entraid_groups.admins_object_id
+  description          = "Allow ${var.repository.name} AD Admin group to apply changes to the Terraform state file Storage Account scope"
+}
+
+# Key Vault
+resource "azurerm_role_assignment" "admins_group_rg_kv_data" {
+  scope                = azurerm_resource_group.main.id
+  role_definition_name = "Key Vault Data Access Administrator"
+  principal_id         = var.entraid_groups.admins_object_id
+  description          = "Allow ${var.repository.name} AD Admin group to changes to apply changes to KeyVault's data at monorepository resource group scope"
+}
+
+resource "azurerm_role_assignment" "admins_group_rg_kv_admin" {
+  scope                = azurerm_resource_group.main.id
+  role_definition_name = "Key Vault Administrator"
+  principal_id         = var.entraid_groups.admins_object_id
+  description          = "Allow ${var.repository.name} AD Admin group to changes to apply changes to KeyVault at monorepository resource group scope"
+}
@@ -0,0 +1,23 @@
+# Resource Group
+resource "azurerm_role_assignment" "devs_group_rg" {
+  scope                = azurerm_resource_group.main.id
+  role_definition_name = "Contributor"
+  principal_id         = var.entraid_groups.devs_object_id
+  description          = "Allow ${var.repository.name} AD Dev group to apply changes at monorepository resource group scope"
+}
+
+# Storage Account - Terraform state file
+resource "azurerm_role_assignment" "devs_group_tf_st" {
+  scope                = local.tf_storage_account.id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = var.entraid_groups.devs_object_id
+  description          = "Allow ${var.repository.name} AD Dev group to apply changes to the Terraform state file Storage Account scope"
+}
+
+# Key Vault
+resource "azurerm_role_assignment" "devs_group_tf_rg_kv_secr" {
+  scope                = azurerm_resource_group.main.id
+  role_definition_name = "Key Vault Secrets Officer"
+  principal_id         = var.entraid_groups.devs_object_id
+  description          = "Allow ${var.repository.name} AD Dev group to changes to KeyVault's secrets at monorepository resource group scope"
+}
@@ -0,0 +1,19 @@
+# Resource Group
+resource "azurerm_role_assignment" "externals_group_rg" {
+  count = var.entraid_groups.externals_object_id == null ? 0 : 1
+
+  scope                = azurerm_resource_group.main.id
+  role_definition_name = "Reader"
+  principal_id         = var.entraid_groups.externals_object_id
+  description          = "Allow ${var.repository.name} AD external group to read resources at resource group scope"
+}
+
+# Storage Account - Terraform state file
+resource "azurerm_role_assignment" "externals_group_tf_rg" {
+  count = var.entraid_groups.externals_object_id == null ? 0 : 1
+
+  scope                = local.tf_storage_account.id
+  role_definition_name = "Storage Blob Data Reader"
+  principal_id         = var.entraid_groups.externals_object_id
+  description          = "Allow ${var.repository.name} AD external group to read blobs at the Terraform state file Storage Account scope"
+}
@@ -0,0 +1,93 @@
+
+resource "azurerm_container_app_job" "github_runner" {
+  container_app_environment_id = var.github_private_runner.container_app_environment_id
+  name                         = local.container_apps.job_name
+  location                     = var.github_private_runner.container_app_environment_location
+  resource_group_name          = azurerm_resource_group.main.name
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  replica_timeout_in_seconds = 1800
+  replica_retry_limit        = 1
+
+  event_trigger_config {
+    parallelism              = 1
+    replica_completion_count = 1
+
+    scale {
+      max_executions              = var.github_private_runner.max_instances
+      min_executions              = var.github_private_runner.min_instances
+      polling_interval_in_seconds = var.github_private_runner.polling_interval_in_seconds
+
+      rules {
+        name             = "github-runner-rule"
+        custom_rule_type = "github-runner"
+        metadata = merge({
+          owner                     = var.repository.owner
+          runnerScope               = "repo"
+          repos                     = var.repository.name
+          targetWorkflowQueueLength = "1"
+          github-runner             = "https://api.github.com"
+        }, length(var.github_private_runner.labels) > 0 ? { labels = join(",", var.github_private_runner.labels) } : {})
+
+        authentication {
+          secret_name       = local.container_apps.secret_name
+          trigger_parameter = "personalAccessToken"
+        }
+      }
+    }
+  }
+
+  secret {
+    key_vault_secret_id = "${data.azurerm_key_vault.runner.vault_uri}secrets/${var.github_private_runner.key_vault.secret_name}" # no versioning
+
+    identity = "System"
+    name     = local.container_apps.secret_name
+  }
+
+  template {
+    container {
+      cpu    = var.github_private_runner.cpu
+      image  = "ghcr.io/pagopa/github-self-hosted-runner-azure:latest"
+      memory = var.github_private_runner.memory
+      name   = "github-runner"
+
+      dynamic "env" {
+        for_each = var.github_private_runner.labels
+        content {
+          name  = "LABELS"
+          value = join(",", var.github_private_runner.labels)
+        }
+      }
+
+      env {
+        name  = "REPO_URL"
+        value = "https://github.com/${var.repository.owner}/${var.repository.name}"
+      }
+
+      env {
+        name  = "REGISTRATION_TOKEN_API_URL"
+        value = "https://api.github.com/repos/${var.repository.owner}/${var.repository.name}/actions/runners/registration-token"
+      }
+
+      env {
+        name        = "GITHUB_PAT"
+        secret_name = local.container_apps.secret_name
+      }
+    }
+  }
+
+  tags = var.tags
+}
+
+resource "azurerm_key_vault_access_policy" "keyvault_containerapp" {
+  key_vault_id = data.azurerm_key_vault.runner.id
+  tenant_id    = azurerm_container_app_job.github_runner.identity[0].tenant_id
+  object_id    = azurerm_container_app_job.github_runner.identity[0].principal_id
+
+  secret_permissions = [
+    "Get",
+  ]
+}
@@ -0,0 +1,9 @@
+data "github_organization_teams" "all" {
+  root_teams_only = true
+  summary_only    = true
+}
+
+data "azurerm_key_vault" "runner" {
+  name                = var.github_private_runner.key_vault.name
+  resource_group_name = var.github_private_runner.key_vault.resource_group_name
+}
@@ -0,0 +1,31 @@
+resource "github_branch_default" "main" {
+  repository = github_repository.this.name
+  branch     = var.repository.default_branch_name
+}
+
+resource "github_branch_protection" "main" {
+  repository_id = github_repository.this.name
+  pattern       = var.repository.default_branch_name
+
+  required_status_checks {
+    strict   = false
+    contexts = []
+  }
+
+  require_conversation_resolution = true
+  enforce_admins                  = true
+  require_signed_commits          = false
+  allows_force_pushes             = false
+  allows_deletions                = false
+
+  required_pull_request_reviews {
+    dismiss_stale_reviews           = false
+    require_code_owner_reviews      = true
+    required_approving_review_count = 1
+    restrict_dismissals             = true
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
@@ -0,0 +1,128 @@
+resource "github_repository_environment" "infra_prod_cd" {
+  environment = "infra-prod-cd"
+  repository  = github_repository.this.name
+
+  deployment_branch_policy {
+    protected_branches     = false
+    custom_branch_policies = true
+  }
+
+  reviewers {
+    teams = matchkeys(
+      data.github_organization_teams.all.teams[*].id,
+      data.github_organization_teams.all.teams[*].slug,
+      local.infra_cd.reviewers_teams
+    )
+  }
+}
+
+resource "github_repository_environment" "app_prod_cd" {
+  environment = "app-prod-cd"
+  repository  = github_repository.this.name
+
+  deployment_branch_policy {
+    protected_branches     = false
+    custom_branch_policies = true
+  }
+
+  reviewers {
+    teams = matchkeys(
+      data.github_organization_teams.all.teams[*].id,
+      data.github_organization_teams.all.teams[*].slug,
+      local.app_cd.reviewers_teams
+    )
+  }
+}
+
+resource "github_repository_environment" "opex_prod_cd" {
+  environment = "opex-prod-cd"
+  repository  = github_repository.this.name
+
+  deployment_branch_policy {
+    protected_branches     = false
+    custom_branch_policies = true
+  }
+
+  reviewers {
+    teams = matchkeys(
+      data.github_organization_teams.all.teams[*].id,
+      data.github_organization_teams.all.teams[*].slug,
+      local.app_cd.reviewers_teams
+    )
+  }
+}
+
+resource "github_repository_environment_deployment_policy" "infra_prod_cd_branch" {
+  for_each = var.repository.infra_cd_policy_branches
+
+  repository     = github_repository.this.name
+  environment    = github_repository_environment.infra_prod_cd.environment
+  branch_pattern = each.value
+}
+
+resource "github_repository_environment_deployment_policy" "app_prod_cd_branch" {
+  for_each = var.repository.app_cd_policy_branches
+
+  repository     = github_repository.this.name
+  environment    = github_repository_environment.app_prod_cd.environment
+  branch_pattern = each.value
+}
+
+resource "github_repository_environment_deployment_policy" "opex_prod_cd_branch" {
+  for_each = var.repository.opex_cd_policy_branches
+
+  repository     = github_repository.this.name
+  environment    = github_repository_environment.opex_prod_cd.environment
+  branch_pattern = each.value
+}
+
+resource "github_repository_environment_deployment_policy" "infra_prod_cd_tag" {
+  for_each = var.repository.infra_cd_policy_tags
+
+  repository  = github_repository.this.name
+  environment = github_repository_environment.infra_prod_cd.environment
+  tag_pattern = each.value
+}
+
+resource "github_repository_environment_deployment_policy" "app_prod_cd_tag" {
+  for_each = var.repository.app_cd_policy_tags
+
+  repository  = github_repository.this.name
+  environment = github_repository_environment.app_prod_cd.environment
+  tag_pattern = each.value
+}
+
+resource "github_repository_environment_deployment_policy" "opex_prod_cd_tag" {
+  for_each = var.repository.opex_cd_policy_tags
+
+  repository  = github_repository.this.name
+  environment = github_repository_environment.opex_prod_cd.environment
+  tag_pattern = each.value
+}
+
+resource "github_actions_environment_secret" "infra_prod_cd" {
+  for_each = local.infra_cd.secrets
+
+  repository      = github_repository.this.name
+  environment     = github_repository_environment.infra_prod_cd.environment
+  secret_name     = each.key
+  plaintext_value = each.value
+}
+
+resource "github_actions_environment_secret" "app_prod_cd" {
+  for_each = local.app_cd.secrets
+
+  repository      = github_repository.this.name
+  environment     = github_repository_environment.app_prod_cd.environment
+  secret_name     = each.key
+  plaintext_value = each.value
+}
+
+resource "github_actions_environment_secret" "opex_prod_cd" {
+  for_each = local.opex_cd.secrets
+
+  repository      = github_repository.this.name
+  environment     = github_repository_environment.opex_prod_cd.environment
+  secret_name     = each.key
+  plaintext_value = each.value
+}
@@ -0,0 +1,38 @@
+resource "github_repository_environment" "infra_prod_ci" {
+  environment = "infra-prod-ci"
+  repository  = github_repository.this.name
+
+  deployment_branch_policy {
+    protected_branches     = false
+    custom_branch_policies = true
+  }
+}
+
+resource "github_repository_environment" "opex_prod_ci" {
+  environment = "opex-prod-ci"
+  repository  = github_repository.this.name
+
+  deployment_branch_policy {
+    protected_branches     = false
+    custom_branch_policies = true
+  }
+}
+
+resource "github_actions_environment_secret" "infra_prod_ci" {
+  for_each = local.infra_ci.secrets
+
+  repository      = github_repository.this.name
+  environment     = github_repository_environment.infra_prod_ci.environment
+  secret_name     = each.key
+  plaintext_value = each.value
+}
+
+resource "github_actions_environment_secret" "opex_prod_ci" {
+  for_each = local.opex_ci.secrets
+
+  repository      = github_repository.this.name
+  environment     = github_repository_environment.opex_prod_ci.environment
+  secret_name     = each.key
+  plaintext_value = each.value
+}
+