[#IOPID-1262] Add opex dashboard for api_public.yaml (#1044)

pagopa · Dec 15, 2023 · 019e70a · 019e70a
1 parent 9af1a7c
commit 019e70a
Show file tree

Hide file tree

Showing 25 changed files with 442 additions and 3 deletions.
diff --git a/.github/workflows/opex_api_public.yml b/.github/workflows/opex_api_public.yml
@@ -0,0 +1,66 @@
+name: Opex Dashboard api_public
+
+# Controls when the workflow will run
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+    paths:
+      - 'api_public.yaml'
+      - '.github/workflows/opex_api_public.yml'
+      - '.opex/api_public/**'
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+    paths:
+      - 'api_public.yaml'
+      - '.github/workflows/opex_api_public.yml'
+      - '.opex/api_public/**'
+
+env:
+  # opex-demo client_id
+  # CLIENT_ID: 10ab3c51-f734-4782-abe9-3e998a1a2e84
+  CLIENT_ID: 712582b4-1e38-4329-bfd2-5cd186e82529
+  TENANT_ID: 7788edaf-0346-4068-9d79-c868aed15b3d
+  SUBSCRIPTION_ID: ec285037-c673-4f58-b594-d7c480da4e8b
+  API_NAME: api_public
+
+permissions:
+  id-token: write
+  contents: read
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-22.04
+
+    strategy:
+      matrix:
+        environment: [prod]
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      - name: Checkout
+        id: checkout
+        # from https://github.com/actions/checkout/commits/main
+        uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      # from https://github.com/pagopa/opex-dashboard-azure-action/
+      - uses: pagopa/opex-dashboard-azure-action@v1.1.2
+        with:
+          environment: ${{ matrix.environment }}
+          api-name: ${{ env.API_NAME }}
+          config: .opex/${{ env.API_NAME }}/env/${{ matrix.environment }}/config.yaml
+          client-id: ${{ env.CLIENT_ID }}
+          tenant-id: ${{ env.TENANT_ID }}
+          subscription-id: ${{ env.SUBSCRIPTION_ID }}
+          # from https://github.com/pagopa/opex-dashboard-azure-action/pkgs/container/opex-dashboard-azure-action
+          docker-version: sha256:e4245954566cd3470e1b5527d33bb58ca132ce7493eac01be9e808fd25a11c8d
diff --git a/.gitignore b/.gitignore
@@ -42,7 +42,7 @@ dist
 local.*
 
 # Exclude .npmrc file
-.npmrc 
+.npmrc
 
 # Exclude Codetour plugin folder
 .tours

diff --git a/.identity/.gitignore b/.identity/.gitignore
@@ -0,0 +1,23 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+*.tfsec
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
diff --git a/.identity/.terraform-version b/.identity/.terraform-version
@@ -0,0 +1 @@
+1.3.6
diff --git a/.identity/.terraform.lock.hcl b/.identity/.terraform.lock.hcl
diff --git a/.identity/00_locals.tf b/.identity/00_locals.tf
@@ -0,0 +1,6 @@
+locals {
+  github = {
+    org        = "pagopa"
+    repository = "io-backend"
+  }
+}
diff --git a/.identity/00_main.tf b/.identity/00_main.tf
@@ -0,0 +1,24 @@
+terraform {
+  required_version = ">=1.3.0"
+
+  required_providers {
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "2.30.0"
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.33.0"
+    }
+  }
+
+  backend "azurerm" {}
+}
+
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
diff --git a/.identity/00_main.tf.ci b/.identity/00_main.tf.ci
@@ -0,0 +1,22 @@
+terraform {
+  required_version = ">=1.3.0"
+
+  required_providers {
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "2.30.0"
+    }
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.33.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
diff --git a/.identity/00_variables.tf b/.identity/00_variables.tf
diff --git a/.identity/01_data.tf b/.identity/01_data.tf
@@ -0,0 +1,8 @@
+data "azurerm_storage_account" "tfstate_app" {
+  name                = "tfapp${lower(replace(data.azurerm_subscription.current.display_name, "-", ""))}"
+  resource_group_name = "terraform-state-rg"
+}
+
+data "azurerm_resource_group" "dashboards" {
+  name = "dashboards"
+}
diff --git a/.identity/02_application_master.tf b/.identity/02_application_master.tf
@@ -0,0 +1,28 @@
+resource "azuread_application" "master" {
+  display_name = "github-${local.github.org}-${local.github.repository}-master"
+}
+
+resource "azuread_service_principal" "master" {
+  application_id = azuread_application.master.application_id
+}
+
+resource "azuread_application_federated_identity_credential" "master" {
+  application_object_id = azuread_application.master.object_id
+  display_name          = "github-federated"
+  description           = "github-federated"
+  audiences             = ["api://AzureADTokenExchange"]
+  issuer                = "https://token.actions.githubusercontent.com"
+  subject               = "repo:${local.github.org}/${local.github.repository}:ref:refs/heads/master"
+}
+
+output "azure_master_client_id" {
+  value = azuread_service_principal.master.application_id
+}
+
+output "azure_master_application_id" {
+  value = azuread_service_principal.master.application_id
+}
+
+output "azure_master_object_id" {
+  value = azuread_service_principal.master.object_id
+}
diff --git a/.identity/02_application_master_auth.tf b/.identity/02_application_master_auth.tf
@@ -0,0 +1,17 @@
+resource "azurerm_role_assignment" "master_terraform_subscription" {
+  scope                = data.azurerm_subscription.current.id
+  role_definition_name = "Reader"
+  principal_id         = azuread_service_principal.master.object_id
+}
+
+resource "azurerm_role_assignment" "master_terraform_storage_account_tfstate_app" {
+  scope                = data.azurerm_storage_account.tfstate_app.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_service_principal.master.object_id
+}
+
+resource "azurerm_role_assignment" "master_terraform_resource_group_dashboards" {
+  scope                = data.azurerm_resource_group.dashboards.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_service_principal.master.object_id
+}
diff --git a/.identity/02_application_pullrequest.tf b/.identity/02_application_pullrequest.tf
@@ -0,0 +1,28 @@
+resource "azuread_application" "pullrequest" {
+  display_name = "github-${local.github.org}-${local.github.repository}-pullrequest"
+}
+
+resource "azuread_service_principal" "pullrequest" {
+  application_id = azuread_application.pullrequest.application_id
+}
+
+resource "azuread_application_federated_identity_credential" "pullrequest" {
+  application_object_id = azuread_application.pullrequest.object_id
+  display_name          = "github-federated"
+  description           = "github-federated"
+  audiences             = ["api://AzureADTokenExchange"]
+  issuer                = "https://token.actions.githubusercontent.com"
+  subject               = "repo:${local.github.org}/${local.github.repository}:pull_request"
+}
+
+output "azure_pullrequest_client_id" {
+  value = azuread_service_principal.pullrequest.application_id
+}
+
+output "azure_pullrequest_application_id" {
+  value = azuread_service_principal.pullrequest.application_id
+}
+
+output "azure_pullrequest_object_id" {
+  value = azuread_service_principal.pullrequest.object_id
+}
diff --git a/.identity/02_application_pullrequest_auth.tf b/.identity/02_application_pullrequest_auth.tf
@@ -0,0 +1,17 @@
+resource "azurerm_role_assignment" "pullrequest_terraform_subscription" {
+  scope                = data.azurerm_subscription.current.id
+  role_definition_name = "Reader"
+  principal_id         = azuread_service_principal.pullrequest.object_id
+}
+
+resource "azurerm_role_assignment" "pullrequest_terraform_storage_account_tfstate_app" {
+  scope                = data.azurerm_storage_account.tfstate_app.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_service_principal.pullrequest.object_id
+}
+
+resource "azurerm_role_assignment" "pullrequest_terraform_resource_group_dashboards" {
+  scope                = data.azurerm_resource_group.dashboards.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_service_principal.pullrequest.object_id
+}
diff --git a/.identity/99_outputs.tf b/.identity/99_outputs.tf
@@ -0,0 +1,7 @@
+output "tenant_id" {
+  value = data.azurerm_client_config.current.tenant_id
+}
+
+output "subscription_id" {
+  value = data.azurerm_subscription.current.subscription_id
+}
diff --git a/.identity/env/prod/backend.ini b/.identity/env/prod/backend.ini
@@ -0,0 +1 @@
+subscription=PROD-IO
diff --git a/.identity/env/prod/backend.tfvars b/.identity/env/prod/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name  = "terraform-state-rg"
+storage_account_name = "tfappprodio"
+container_name       = "terraform-state"
+key                  = "io-backend.tfstate"
diff --git a/.identity/env/prod/terraform.tfvars b/.identity/env/prod/terraform.tfvars
@@ -0,0 +1,10 @@
+prefix    = "io"
+env_short = "p"
+
+tags = {
+  CreatedBy   = "Terraform"
+  Environment = "Prod"
+  Owner       = "io"
+  Source      = "https://github.com/pagopa/io-backend"
+  CostCenter  = "TS310 - PAGAMENTI & SERVIZI"
+}
diff --git a/.identity/terraform.sh b/.identity/terraform.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+set -e
+
+ACTION=$1
+ENV=$2
+shift 2
+other="$@"
+# must be subscription in lower case
+subscription=""
+BACKEND_CONFIG_PATH="./env/${ENV}/backend.tfvars"
+
+if [ -z "$ACTION" ]; then
+  echo "[ERROR] Missed ACTION: init, apply, plan"
+  exit 0
+fi
+
+if [ -z "$ENV" ]; then
+  echo "[ERROR] ENV should be: dev, uat or prod."
+  exit 0
+fi
+
+#
+# 🏁 Source & init shell
+#
+
+# shellcheck source=/dev/null
+source "./env/$ENV/backend.ini"
+
+# Subscription set
+az account set -s "${subscription}"
+
+# if using cygwin, we have to transcode the WORKDIR
+if [[ $WORKDIR == /cygdrive/* ]]; then
+  WORKDIR=$(cygpath -w $WORKDIR)
+fi
+
+# Helm
+export HELM_DEBUG=1
+
+#
+# 🌎 Terraform
+#
+if echo "init plan apply refresh import output state taint destroy" | grep -w "$ACTION" > /dev/null; then
+  if [ "$ACTION" = "init" ]; then
+    echo "[INFO] init tf on ENV: ${ENV}"
+    terraform "$ACTION" -backend-config="${BACKEND_CONFIG_PATH}" $other
+  elif [ "$ACTION" = "output" ] || [ "$ACTION" = "state" ] || [ "$ACTION" = "taint" ]; then
+    # init terraform backend
+    terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}"
+    terraform "$ACTION" $other
+  else
+    # init terraform backend
+    echo "[INFO] init tf on ENV: ${ENV}"
+    terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}"
+
+    echo "[INFO] run tf with: ${ACTION} on ENV: ${ENV} and other: >${other}<"
+    terraform "${ACTION}" -var-file="./env/${ENV}/terraform.tfvars" -compact-warnings $other
+  fi
+else
+    echo "[ERROR] ACTION not allowed."
+    exit 1
+fi