From 19ff4a5547fc61c42d6c34bdeb5f66e5f3cac6f9 Mon Sep 17 00:00:00 2001
From: Alessio Cialini
Date: Mon, 30 Oct 2023 15:17:00 +0100
Subject: [PATCH 1/2] [PRDP-175] feat: migrate to federated identity
---
 .github/maven_code_review/action.yml | 101 ++++++++++++++++++++++++++
 .identity/00_data.tf | 5 ++
 .identity/02_application_main.tf | 16 ++++
 .identity/02_application_main_auth.tf | 22 ++++++
 4 files changed, 144 insertions(+)
 create mode 100644 .github/maven_code_review/action.yml
 create mode 100644 .identity/02_application_main.tf
 create mode 100644 .identity/02_application_main_auth.tf
diff --git a/.github/maven_code_review/action.yml b/.github/maven_code_review/action.yml
new file mode 100644
index 00000000..a2689590
--- /dev/null
+++ b/.github/maven_code_review/action.yml
@@ -0,0 +1,101 @@
+name: Maven Code Review
+description: "Code Review for Pull Request"
+
+inputs:
+ github_token:
+ required: true
+ type: string
+ description: Github Token
+ sonar_token:
+ required: true
+ type: string
+ description: Sonar Token for the login
+ project_key:
+ required: true
+ type: string
+ description: Key of the project on SonarCloud
+ coverage_exclusions:
+ required: false
+ type: string
+ description: Files to exclude from coverage
+ default: '**/config/*,**/*Mock*,**/model/**,**/entity/*'
+ cpd_exclusions:
+ required: false
+ type: string
+ description: Files to exclude from code duplication
+ default: '**/model/**,**/entity/*'
+ jdk_version:
+ required: true
+ type: string
+ description: JDK version
+ default: 11
+ maven_version:
+ required: true
+ type: string
+ description: Maven version
+ default: 3.8.2
+
+runs:
+ using: "composite"
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Set up JDK
+ uses: actions/setup-java@v1
+ with:
+ java-version: ${{ inputs.jdk_version }}
+
+ - name: Set up Maven
+ uses: stCarolas/setup-maven@v4.5
+ with:
+ maven-version: ${{ inputs.maven_version }}
+
+ - name: Cache Maven packages
+ uses: actions/cache@v1
+ with:
+ path: ~/.m2
+ key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+ restore-keys: ${{ runner.os }}-m2
+
+ - name: Cache SonarCloud packages
+ uses: actions/cache@v1
+ with:
+ path: ~/.sonar-project.properties/cache
+ key: ${{ runner.os }}-sonar-project.properties
+ restore-keys: ${{ runner.os }}-sonar-project.properties
+
+ - name: Build and analyze on Pull Requests
+ if: ${{ github.event_name == 'pull_request' }}
+ shell: bash
+ run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+ -Dsonar.organization=pagopa
+ -Dsonar.projectKey=${{ env.PROJECT_KEY }}
+ -Dsonar.coverage.jacoco.xmlReportPaths=./target/jacoco-report/jacoco.xml
+ -Dsonar.coverage.exclusions=${{inputs.coverage_exclusions}}
+ -Dsonar.cpd.exclusions=${{inputs.cpd_exclusions}}
+ -Dsonar.host.url=https://sonarcloud.io
+ -Dsonar.login=${{ inputs.sonar_token }}
+ -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
+ -Dsonar.pullrequest.branch=${{ github.head_ref }}
+ -Dsonar.pullrequest.base=${{ github.base_ref }}
+ env:
+ # Needed to get some information about the pull request, if any
+ GITHUB_TOKEN: ${{ inputs.github_token }}
+ # SonarCloud access token should be generated from https://sonarcloud.io/account/security/
+ SONAR_TOKEN: ${{ inputs.sonar_token }}
+
+ - name: Build and analyze on Push main
+ if: ${{ github.event_name != 'pull_request' }}
+ shell: bash
+ env:
+ GITHUB_TOKEN: ${{ inputs.github_token }}
+ SONAR_TOKEN: ${{ inputs.sonar_token }}
+ run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+ -Dsonar.organization=pagopa
+ -Dsonar.projectKey=${{ env.PROJECT_KEY }}
+ -Dsonar.coverage.jacoco.xmlReportPaths=./target/site/jacoco/jacoco.xml
+ -Dsonar.coverage.exclusions=${{inputs.coverage_exclusions}}
+ -Dsonar.cpd.exclusions=${{inputs.cpd_exclusions}}
+ -Dsonar.branch.name=${{ github.head_ref }}
+ -Dsonar.host.url=https://sonarcloud.io
+ -Dsonar.login=${{ inputs.sonar_token }}
\ No newline at end of file
diff --git a/.identity/00_data.tf b/.identity/00_data.tf
index a45b3790..014b062d 100644
--- a/.identity/00_data.tf
+++ b/.identity/00_data.tf
@@ -2,6 +2,11 @@ data "azurerm_resource_group" "dashboards" {
 name = "dashboards"
 }
 
+data "azurerm_storage_account" "tfstate_app" {
+ name = "pagopainfraterraform${var.env}"
+ resource_group_name = "io-infra-rg"
+}
+
 data "azurerm_kubernetes_cluster" "aks" {
 name = local.aks_cluster.name
 resource_group_name = local.aks_cluster.resource_group_name
diff --git a/.identity/02_application_main.tf b/.identity/02_application_main.tf
new file mode 100644
index 00000000..01eb057b
--- /dev/null
+++ b/.identity/02_application_main.tf
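Review bot: Both `run:` scalars interpolate `${{ github.head_ref }}` (and the `inputs.*` exclusion lists) straight into the shell command, so whatever characters a branch name or caller-supplied input contains become part of the command line; pass them through `env:` (`HEAD_REF: ${{ github.head_ref }}`) and reference `"$HEAD_REF"` inside the script instead. `-Dsonar.projectKey=${{ env.PROJECT_KEY }}` reads an environment variable that nothing in this composite action sets, while the required `project_key` input is never used — presumably `${{ inputs.project_key }}` was intended. `-Dsonar.login=${{ inputs.sonar_token }}` also places the token on the command line although `SONAR_TOKEN` is already exported in `env:`, so the flag can be dropped. Note that PATCH 2/2 of this series deletes this file again, so the net change of the series does not include it.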
@@ -0,0 +1,16 @@
+resource "azuread_application" "main" {
+ display_name = "${local.app_name}-main"
+}
+
+resource "azuread_service_principal" "main" {
+ application_id = azuread_application.main.application_id
+}
+
+resource "azuread_application_federated_identity_credential" "main" {
+ application_object_id = azuread_application.main.object_id
+ display_name = "github-federated"
+ description = "github-federated"
+ audiences = ["api://AzureADTokenExchange"]
+ issuer = "https://token.actions.githubusercontent.com"
+ subject = "repo:${local.github.org}/${local.github.repository}:environment:${var.env}"
+}
\ No newline at end of file
diff --git a/.identity/02_application_main_auth.tf b/.identity/02_application_main_auth.tf
new file mode 100644
index 00000000..ef810610
--- /dev/null
+++ b/.identity/02_application_main_auth.tf
@@ -0,0 +1,22 @@
+resource "azurerm_role_assignment" "main_terraform_subscription" {
+ scope = data.azurerm_subscription.current.id
+ role_definition_name = "Reader"
+ principal_id = azuread_service_principal.main.object_id
+}
+
+resource "azurerm_role_assignment" "main_terraform_storage_account_tfstate_app" {
+ scope = data.azurerm_storage_account.tfstate_app.id
+ role_definition_name = "Contributor"
+ principal_id = azuread_service_principal.main.object_id
+}
+resource "azurerm_role_assignment" "main_terraform_storage_account_tfstate_app_github_aks" {
+ scope = data.azurerm_storage_account.tfstate_app.id
+ role_definition_name = "Contributor"
+ principal_id = module.github_runner_app.object_id
+}
+
+resource "azurerm_role_assignment" "main_terraform_resource_group_dashboards" {
+ scope = data.azurerm_resource_group.dashboards.id
+ role_definition_name = "Contributor"
+ principal_id = azuread_service_principal.main.object_id
+}
\ No newline at end of file
From f4f4a3e13281b93198f6445176bd92021d33ea6e Mon Sep 17 00:00:00 2001
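Review bot: The `subject` line is the whole trust boundary of this identity, and the hunk does not document that any job in `${local.github.org}/${local.github.repository}` which declares the `${var.env}` environment can exchange its OIDC token for this principal, so the environment's protection rules on the GitHub side (required reviewers, deployment branch restrictions) are what actually gate access; add a comment above `subject` such as `# Any job in this repo that targets the '${var.env}' environment can assume this identity; access is gated by that environment's protection rules in GitHub`. `display_name` and `description` are both the generic `"github-federated"`; deriving them from the subject (e.g. `"github-${var.env}"`) keeps the credential identifiable in the portal once more than one exists. `azuread_service_principal.main` uses `application_id`, which recent azuread provider releases flag as deprecated in favour of `client_id` — worth checking against the provider version pinned elsewhere in `.identity`, which this series does not show.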
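Review bot: `Contributor` on the tfstate storage account (`main_terraform_storage_account_tfstate_app` and `main_terraform_storage_account_tfstate_app_github_aks`) is a control-plane role that includes listing the account keys, i.e. full access to every container in the account, whereas reading and writing state blobs needs only the data-plane `Storage Blob Data Contributor` role, ideally scoped to the state container if its id is available rather than to the whole account; the same question applies to `Contributor` on the dashboards resource group if the pipeline only reads it. `module.github_runner_app` is not defined anywhere in this series, so the `..._github_aks` assignment depends on a module declared elsewhere in `.identity` — a one-line comment naming where it comes from would help the next reader. A blank line is also missing between the second and third `resource` blocks.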
From: Alessio Cialini
Date: Mon, 30 Oct 2023 15:32:45 +0100
Subject: [PATCH 2/2] [PRDP-175] feat: migrate to federated identity
---
 .github/maven_code_review/action.yml | 101 ---------------------------
 1 file changed, 101 deletions(-)
 delete mode 100644 .github/maven_code_review/action.yml
diff --git a/.github/maven_code_review/action.yml b/.github/maven_code_review/action.yml
deleted file mode 100644
index a2689590..00000000
--- a/.github/maven_code_review/action.yml
+++ /dev/null
@@ -1,101 +0,0 @@
-name: Maven Code Review
-description: "Code Review for Pull Request"
-
-inputs:
- github_token:
- required: true
- type: string
- description: Github Token
- sonar_token:
- required: true
- type: string
- description: Sonar Token for the login
- project_key:
- required: true
- type: string
- description: Key of the project on SonarCloud
- coverage_exclusions:
- required: false
- type: string
- description: Files to exclude from coverage
- default: '**/config/*,**/*Mock*,**/model/**,**/entity/*'
- cpd_exclusions:
- required: false
- type: string
- description: Files to exclude from code duplication
- default: '**/model/**,**/entity/*'
- jdk_version:
- required: true
- type: string
- description: JDK version
- default: 11
- maven_version:
- required: true
- type: string
- description: Maven version
- default: 3.8.2
-
-runs:
- using: "composite"
- steps:
- - uses: actions/checkout@v2
-
- - name: Set up JDK
- uses: actions/setup-java@v1
- with:
- java-version: ${{ inputs.jdk_version }}
-
- - name: Set up Maven
- uses: stCarolas/setup-maven@v4.5
- with:
- maven-version: ${{ inputs.maven_version }}
-
- - name: Cache Maven packages
- uses: actions/cache@v1
- with:
- path: ~/.m2
- key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
- restore-keys: ${{ runner.os }}-m2
-
- - name: Cache SonarCloud packages
- uses: actions/cache@v1
- with:
- path: ~/.sonar-project.properties/cache
- key: ${{ runner.os }}-sonar-project.properties
- restore-keys: ${{ runner.os }}-sonar-project.properties
-
- - name: Build and analyze on Pull Requests
- if: ${{ github.event_name == 'pull_request' }}
- shell: bash
- run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
- -Dsonar.organization=pagopa
- -Dsonar.projectKey=${{ env.PROJECT_KEY }}
- -Dsonar.coverage.jacoco.xmlReportPaths=./target/jacoco-report/jacoco.xml
- -Dsonar.coverage.exclusions=${{inputs.coverage_exclusions}}
- -Dsonar.cpd.exclusions=${{inputs.cpd_exclusions}}
- -Dsonar.host.url=https://sonarcloud.io
- -Dsonar.login=${{ inputs.sonar_token }}
- -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
- -Dsonar.pullrequest.branch=${{ github.head_ref }}
- -Dsonar.pullrequest.base=${{ github.base_ref }}
- env:
- # Needed to get some information about the pull request, if any
- GITHUB_TOKEN: ${{ inputs.github_token }}
- # SonarCloud access token should be generated from https://sonarcloud.io/account/security/
- SONAR_TOKEN: ${{ inputs.sonar_token }}
-
- - name: Build and analyze on Push main
- if: ${{ github.event_name != 'pull_request' }}
- shell: bash
- env:
- GITHUB_TOKEN: ${{ inputs.github_token }}
- SONAR_TOKEN: ${{ inputs.sonar_token }}
- run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
- -Dsonar.organization=pagopa
- -Dsonar.projectKey=${{ env.PROJECT_KEY }}
- -Dsonar.coverage.jacoco.xmlReportPaths=./target/site/jacoco/jacoco.xml
- -Dsonar.coverage.exclusions=${{inputs.coverage_exclusions}}
- -Dsonar.cpd.exclusions=${{inputs.cpd_exclusions}}
- -Dsonar.branch.name=${{ github.head_ref }}
- -Dsonar.host.url=https://sonarcloud.io
- -Dsonar.login=${{ inputs.sonar_token }}
\ No newline at end of file