[DEVEX-179] Add a TF module to make mono-repository setup easier #148

Krusty93 · 2024-10-28T15:38:57Z

List of changes

This PR adds a new Terraform module with to make the mono-repository (with single Azure env) setup simpler.

This module includes:

an Azure resource group for the entire mono-repository
managed identities federated with GitHub for:
- "infra" pipelines
- "app" pipelines
- "opex" pipelines
IAM management for:
- AD teams
  - team admins
  - team developers
  - (eventually) team external members
- Managed identities mentioned above
GitHub runner

If a team needs more resource groups, they can be defined and managed into the resources configuration. However, all roles on that scope must be defined there as well.

Constraints:

Versions constraints are intentionally high.

Azurerm pretends >= v4
Terraform versions should be >= 1.9.x

Requirements:

Before using this module, team must ensure to have at least two AD groups (admins, devs and eventually externals) with different subscription roles

Motivation and context

Two main reasons brought the creation of this module:

devs can't manage locks on their own resources and this is a bottleneck. With this module, team admins will be able to do it
currently, each dev can add, modify and destroy resources of other teams, but the only reason why a member of a team would do it is a mistake. In fact, this is not a need but only a consequence of the current management. Adopting patterns induced by this module, permissions will shifts to a read-only approach

Moreover, it avoids manual setup for "apps" and "opex" managed identities as the actual module uses "infra" roles as defaults.

This module completes the following setup:

	Subscription	Team Resource Group	Private Endpoints	DNS Zone	APIM	Team KeyVault	Resource Group IAM	Resource Lock
ID Infra CI	Reader	√ (Reader)	√ (Reader)	PagoPA DNS Zone Reader	√ (Reader)	Secrets, Keys, Certificates	X	X
ID Infra CD	Reader	Contributor	Network Contributor	Private DNS Zone Contributor	API Management Service Contributor	Secrets, Keys, Certificates	Role Based Access Control Administrator	User Access Administrator
ID App	Reader	Contributor	√ (Contributor)	√ (Contributor)	√ (Contributor)	X	X	X
ID Opex	Reader	Opex Contributor	X	X	X	X	X	X
AD Admins	Contributor	Owner	√ (Contributor)	√ (Contributor)	√ (Contributor)	Secrets, Keys, Certificates	X	√ (Owner)
AD Developers	Reader	Contributor	X	X	X	Secrets	X	X
AD Externals	Reader	√ (Reader)	X	X	X	X	X	X

Why now?

Patterns and needs are clearer now, then making assumptions is easier

Type of changes

Add new resources
Update configuration to existing resources
Remove existing resources

Does this introduce a change to production resources with possible user impact?

Yes, users may be impacted applying this change
No

Other information

changeset-bot · 2024-10-28T15:39:01Z

⚠️ No Changeset found

Latest commit: 9adf5a4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

infra/modules/azure_monorepo_single_env_starter_pack/variables.tf

infra/modules/azure_monorepo_single_env_starter_pack/container_app_job_runner.tf

infra/modules/azure_monorepo_single_env_starter_pack/github_branch_rules.tf

gunzip · 2024-11-07T08:10:32Z

infra/modules/azure_monorepo_single_env_starter_pack/github_branch_rules.tf

+  pattern       = "main"
+
+  required_status_checks {
+    strict   = false


I don't see any value in having the branch up to date before merging as CI pipelines run over the merge commit

can you elaborate a little bit more?

As we're talking about monorepository (aka a single, potentially large repository), there is an high possibility that PR's branch is not up to date with main as other people are working on the same code base. I don't see this as an issue because the delta does not affect the validity of CI checks nor "manual" review as changes are on different paths. On the other hand, if changes are on the same files it is likely to have conflicts and PR cannot be merged

let's see what @pagopa/engineering-team-devex thinks about this

infra/modules/azure_monorepo_single_env_starter_pack/github_branch_rules.tf

infra/modules/azure_monorepo_single_env_starter_pack/github_environments_cd.tf

infra/modules/azure_monorepo_single_env_starter_pack/github_repository.tf

gunzip · 2024-11-07T08:20:39Z

infra/modules/azure_monorepo_single_env_starter_pack/github_repository.tf

+    advanced_security {
+      status = "enabled"
+    }
+  }


we should add a validation to set required tags (team name / domain)

Can you explain it a little more?

I mean: tags shouldn't ever be an empty map, but contains at least the team / domain.

Which tags? I don't follow you :)

the usual ones Owner , Source, ... aren't required?

GitHub resources don't have the concept of tags, which is strictly related to Azure

infra/modules/azure_monorepo_single_env_starter_pack/id_app.tf

infra/modules/azure_monorepo_single_env_starter_pack/id_infra.tf

infra/modules/azure_monorepo_single_env_starter_pack/id_opex.tf

infra/modules/azure_monorepo_single_env_starter_pack/locals.tf

infra/modules/azure_monorepo_single_env_starter_pack/rbac_ad.tf

gunzip

minor improvements

Krusty93 changed the title ~~[DEVEX-179] Add a TF module for mono-repository setup~~ [DEVEX-179] Add a TF module to make mono-repository setup easier Oct 29, 2024

Krusty93 marked this pull request as ready for review November 5, 2024 11:28

Krusty93 requested review from a team as code owners November 5, 2024 11:28