From a867f059ebc83471b9209226d2dcd3389b72e537 Mon Sep 17 00:00:00 2001
From: Andrea De Rinaldis <andrea.derinaldis@pagopa.it>
Date: Wed, 5 Jun 2024 14:59:27 +0200
Subject: [PATCH] [NOD-933] fix: migrated to new identity procedure

---
 .gitignore                         |  3 +
 .identity/.terraform.lock.hcl      | 83 +++++++++++++++++++++++++++
 .identity/00_data.tf               | 15 +++--
 .identity/02_application_action.tf | 90 ------------------------------
 .identity/03_github_environment.tf |  5 +-
 5 files changed, 100 insertions(+), 96 deletions(-)
 create mode 100644 .identity/.terraform.lock.hcl
 delete mode 100644 .identity/02_application_action.tf

diff --git a/.gitignore b/.gitignore
index ab23ace..a7339e4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,9 @@ hs_err_pid*
 # macOS
 .DS_Store
 
+# Terraform
+**/.terraform/
+
 # Azure Functions
 local.settings.json
 bin/
diff --git a/.identity/.terraform.lock.hcl b/.identity/.terraform.lock.hcl
new file mode 100644
index 0000000..f9092d3
--- /dev/null
+++ b/.identity/.terraform.lock.hcl
@@ -0,0 +1,83 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/azuread" {
+  version     = "2.30.0"
+  constraints = "2.30.0"
+  hashes = [
+    "h1:Uw4TcmJBEJ71h+oCwwidlkk5jFpyFRDPAFCMs/bT/cw=",
+    "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7",
+    "zh:2e62c193030e04ebb10cc0526119cf69824bf2d7e4ea5a2f45bd5d5fb7221d36",
+    "zh:2f3c7a35257332d68b778cefc5201a5f044e4914dd03794a4da662ddfe756483",
+    "zh:35d0d3a1b58fdb8b8c4462d6b7e7016042da43ea9cc734ce897f52a73407d9b0",
+    "zh:47ede0cd0206ec953d40bf4a80aa6e59af64e26cbbd877614ac424533dbb693b",
+    "zh:48c190307d4d42ea67c9b8cc544025024753f46cef6ea64db84735e7055a72da",
+    "zh:6fff9b2c6a962252a70a15b400147789ab369b35a781e9d21cce3804b04d29af",
+    "zh:7646980cf3438bff29c91ffedb74458febbb00a996638751fbd204ab1c628c9b",
+    "zh:77aa2fa7ca6d5446afa71d4ff83cb87b70a2f3b72110fc442c339e8e710b2928",
+    "zh:e20b2b2c37175b89dd0db058a096544d448032e28e3b56e2db368343533a9684",
+    "zh:eab175b1dfe9865ad9404dccb6d5542899f8c435095aa7c679314b811c717ce7",
+    "zh:efc862bd78c55d2ff089729e2a34c1831ab4b0644fc11b36ee4ebed00a4797ba",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/azurerm" {
+  version     = "3.45.0"
+  constraints = "3.45.0"
+  hashes = [
+    "h1:VQWxV5+qelZeUCjpdLvZ7iAom4RvG+fVVgK6ELvw/cs=",
+    "zh:04c5dbb8845366ce5eb0dc2d55e151270cc2c0ace20993867fdae9af43b953ad",
+    "zh:2589585da615ccae341400d45d672ee3fae413fdd88449b5befeff12a85a44b2",
+    "zh:603869ed98fff5d9bf841a51afd9e06b628533c59356c8433aef4b15df63f5f7",
+    "zh:853fecab9c987b6772c8d9aa10362675f6c626b60ebc7118aa33ce91366fcc38",
+    "zh:979848c45e8e058862c36ba3a661457f7c81ef26ebb6634f479600de9c203d65",
+    "zh:9b512c8588ecc9c1b803b746a3a8517422561a918f0dfb0faaa707ed53ef1760",
+    "zh:a9601ffb58043426bcff1220662d6d137f0b2857a24f2dcf180aeac2c9cea688",
+    "zh:d52d2652328f0ed3ba202561d88cb9f43c174edbfaab1abf69f772125dbfe15e",
+    "zh:d92d91ca597c47f575bf3ae129f4b723be9b7dcb71b906ec6ec740fac29b1aaa",
+    "zh:ded73b730e4197b70fda9e83447c119f92f75dc37be3ff2ed45730c8f0348c28",
+    "zh:ec37ac332d50f8ca5827f97198346b0f8ecbf470e2e3ba1e027bb389d826b902",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/null" {
+  version = "3.2.2"
+  hashes = [
+    "h1:IMVAUHKoydFrlPrl9OzasDnw/8ntZFerCC9iXw1rXQY=",
+    "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7",
+    "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a",
+    "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3",
+    "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606",
+    "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546",
+    "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539",
+    "zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422",
+    "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae",
+    "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1",
+    "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e",
+  ]
+}
+
+provider "registry.terraform.io/integrations/github" {
+  version     = "5.18.3"
+  constraints = "5.18.3"
+  hashes = [
+    "h1:WbZvLB2qXKVoh4BvOOwFfEds+SZQrkINfSAWPnWFxGo=",
+    "zh:050b37d96628cb7451137755929ca8d21ea546bc46d11a715652584070e83ff2",
+    "zh:053051061f1b7f7673b0ceffac1f239ba28b0e5b375999206fd39976e85d9f2b",
+    "zh:0c300a977ca66d0347ed62bb116fd8fc9abb376a554d4c192d14f3ea71c83500",
+    "zh:1d5a1a5243eba78819d2f92ff2d504ebf9a9008a6670fb5f5660f44eb6a156d8",
+    "zh:a13ac15d251ebf4e7dc40acb0e40df066f443f4c7799186a29e2e44addc7d8e7",
+    "zh:a316d94b885953c036ebc9fba64a23da93974746bc3ac9d207462a6f02d44540",
+    "zh:a658a00373bff5979cc227052c693cbde8ca4c8f9fef1bc8094a3516f2e2a96d",
+    "zh:a7bfc6ad8465d5dc11b6f19d6805364de87fffe27622bb4f37da2319bb1c4956",
+    "zh:d7379a76861f1a6bfc36eca7a20f1f477711247563b105744d69d7bd1f365fad",
+    "zh:de1cd959fd4821248e8d21570601193408648474e74f49597f1d0c43185a4ab7",
+    "zh:e0b281240dd6f2aa405b2d6fe329bc15ab877161affe163fb150d1efca2fccdb",
+    "zh:e372c171358757a983d7aa878abfd05a84484fb4d22167e45c9c1267e78ed060",
+    "zh:f6d3116526030b3f6905f530cd6c04b23d42890d973fa2abe10ce9c89cb1db80",
+    "zh:f99eec731e03cc6a28996c875bd435887cd7ea75ec07cc77b9e768bb12da2227",
+  ]
+}
diff --git a/.identity/00_data.tf b/.identity/00_data.tf
index d797098..32da4c7 100644
--- a/.identity/00_data.tf
+++ b/.identity/00_data.tf
@@ -1,3 +1,8 @@
+data "azurerm_user_assigned_identity" "identity_cd" {
+  resource_group_name = "${local.product}-identity-rg"
+  name                = "${local.product}-${local.domain}-01-github-cd-identity"
+}
+
 data "azurerm_resource_group" "dashboards" {
   name = "dashboards"
 }
@@ -22,6 +27,10 @@ data "azurerm_key_vault" "domain_key_vault" {
   resource_group_name = "pagopa-${var.env_short}-${local.domain}-sec-rg"
 }
 
+data "azurerm_resource_group" "apim_resource_group" {
+  name = "${local.product}-api-rg"
+}
+
 data "azurerm_key_vault_secret" "key_vault_sonar" {
   name         = "sonar-token"
   key_vault_id = data.azurerm_key_vault.key_vault.id
@@ -35,8 +44,4 @@ data "azurerm_key_vault_secret" "key_vault_bot_token" {
 data "azurerm_key_vault_secret" "key_vault_slack_webhook_url" {
   name         = "slack-webhook-url"
   key_vault_id = data.azurerm_key_vault.domain_key_vault.id
-}
-
-data "azurerm_resource_group" "nodo_verifyko_rg" {
-  name  = "pagopa-${var.env_short}-${local.location_short}-nodo-verifyko-to-datastore-rg"
-}
+}
\ No newline at end of file
diff --git a/.identity/02_application_action.tf b/.identity/02_application_action.tf
deleted file mode 100644
index dd36e0f..0000000
--- a/.identity/02_application_action.tf
+++ /dev/null
@@ -1,90 +0,0 @@
-module "github_runner_app" {
-  source = "git::https://github.com/pagopa/github-actions-tf-modules.git//app-github-runner-creator?ref=main"
-
-  app_name = local.app_name
-
-  subscription_id = data.azurerm_subscription.current.id
-
-  github_org              = local.github.org
-  github_repository       = local.github.repository
-  github_environment_name = var.env
-
-  container_app_github_runner_env_rg = local.container_app_environment.resource_group
-}
-
-resource "null_resource" "github_runner_app_permissions_to_namespace" {
-  triggers = {
-    aks_id               = data.azurerm_kubernetes_cluster.aks.id
-    service_principal_id = module.github_runner_app.client_id
-    namespace            = local.domain
-    version              = "v2"
-  }
-
-  provisioner "local-exec" {
-    command = <<EOT
-      az role assignment create --role "Azure Kubernetes Service RBAC Admin" \
-      --assignee ${self.triggers.service_principal_id} \
-      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
-
-      az role assignment list --role "Azure Kubernetes Service RBAC Admin"  \
-      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
-    EOT
-  }
-
-  provisioner "local-exec" {
-    when    = destroy
-    command = <<EOT
-      az role assignment delete --role "Azure Kubernetes Service RBAC Admin" \
-      --assignee ${self.triggers.service_principal_id} \
-      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
-    EOT
-  }
-}
-
-resource "azurerm_role_assignment" "environment_function" {
-  scope                = data.azurerm_resource_group.nodo_verifyko_rg.id
-  role_definition_name = "Contributor"
-  principal_id         = module.github_runner_app.object_id
-}
-
-resource "azurerm_role_assignment" "environment_terraform_resource_group_dashboards" {
-  scope                = data.azurerm_resource_group.dashboards.id
-  role_definition_name = "Contributor"
-  principal_id         = module.github_runner_app.object_id
-}
-
-resource "azurerm_role_assignment" "environment_key_vault" {
-  scope                = data.azurerm_key_vault.key_vault.id
-  role_definition_name = "Reader"
-  principal_id         = module.github_runner_app.object_id
-}
-
-resource "azurerm_role_assignment" "environment_key_vault_domain" {
-  scope                = data.azurerm_key_vault.domain_key_vault.id
-  role_definition_name = "Reader"
-  principal_id         = module.github_runner_app.object_id
-}
-
-resource "azurerm_key_vault_access_policy" "ad_kv_group_policy" {
-  key_vault_id = data.azurerm_key_vault.key_vault.id
-
-  tenant_id = data.azurerm_client_config.current.tenant_id
-  object_id = module.github_runner_app.object_id
-
-  key_permissions         = []
-  secret_permissions      = ["Get", "List"]
-  storage_permissions     = []
-  certificate_permissions = []
-}
-
-resource "azurerm_key_vault_access_policy" "ad_domain_kv_group_policy" {
-  key_vault_id = data.azurerm_key_vault.domain_key_vault.id
-
-  tenant_id = data.azurerm_client_config.current.tenant_id
-  object_id = module.github_runner_app.object_id
-
-  key_permissions         = []
-  secret_permissions      = ["Get", "List"]
-  storage_permissions     = []
-  certificate_permissions = []
-}
diff --git a/.identity/03_github_environment.tf b/.identity/03_github_environment.tf
index 221b2bf..a7dd773 100644
--- a/.identity/03_github_environment.tf
+++ b/.identity/03_github_environment.tf
@@ -21,7 +21,7 @@ resource "github_repository_environment" "github_repository_environment" {
 
 locals {
   env_secrets = {
-    "CLIENT_ID" : module.github_runner_app.application_id,
+    "CD_CLIENT_ID" : data.azurerm_user_assigned_identity.identity_cd.client_id,
     "TENANT_ID" : data.azurerm_client_config.current.tenant_id,
     "SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id,
   }
@@ -59,6 +59,7 @@ resource "github_actions_environment_secret" "github_environment_runner_secrets"
 # ENV Variables #
 #################
 
+
 resource "github_actions_environment_variable" "github_environment_runner_variables" {
   for_each      = local.env_variables
   repository    = local.github.repository
@@ -79,6 +80,7 @@ resource "github_actions_secret" "repo_secrets" {
   plaintext_value = each.value
 }
 
+
 ############
 ## Labels ##
 ############
@@ -93,3 +95,4 @@ resource "github_issue_label" "ignore_for_release" {
   name       = "ignore-for-release"
   color      = "008000"
 }
+