Mcp server infrastructure

[christian-calabrese]

This PR implements the infrastructure needed to expose the PoC of the DX MCP Server
The terraform changes have already been applied to verify they're working correctly. The MCP server is already reachable here: https://api.dev.dx.pagopa.it/mcp

[changeset-bot]

⚠️ No Changeset found

Latest commit: d00e926

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[gunzip]

suggestion: add comments that clarify the purpose of resources

[lucacavallaro]

@christian-calabrese if you want, you can merge these changes into the PR with the mcp server code

[Krusty93]

There some wrong configuration wrong. Here you're adding the provider version, while in the other readme you're removing it. I believe keeping them is the right one?

[christian-calabrese]

True, there shouldn't be the version here (in local modules) cause providers are inherited from the root module.

I opened a PR to remove this section from modules #1001

[github-actions]

Tip

✅ All Terraform module locks are up to date

No module changes detected - everything is in sync!

📋 Pre-commit Output Log

[INFO] Initializing environment for https://github.com/antonbabenko/pre-commit-terraform.
Lock Terraform Registry modules..........................................Passed

_{Generated on Thu Oct 16 16:02:49 UTC 2025
Run lock_modules on folder: infra/resources//prod/}

[github-actions]

Tip

✅ All Terraform module locks are up to date

No module changes detected - everything is in sync!

📋 Pre-commit Output Log

[INFO] Initializing environment for https://github.com/antonbabenko/pre-commit-terraform.
Lock Terraform Registry modules..........................................Passed

_{Generated on Thu Oct 16 16:02:56 UTC 2025
Run lock_modules on folder: infra/resources//dev/}

[github-actions]

Tip

✅ All Terraform module locks are up to date

No module changes detected - everything is in sync!

📋 Pre-commit Output Log

[INFO] Initializing environment for https://github.com/antonbabenko/pre-commit-terraform.
Lock Terraform Registry modules......................................................Passed
Terraform Providers Lock (on staged .terraform.lock.hcl files).......................Passed
- hook id: terraform_providers_lock_staged
- duration: 0.02s

No .terraform.lock.hcl files to process.

Terraform fmt........................................................................Passed
terraform_docs on modules........................................(no files to check)Skipped
terraform_docs on resources..........................................................Failed
- hook id: terraform_docs
- files were modified by this hook
Terraform validate with tflint.......................................................Passed
Terraform validate...................................................................Passed
Terraform validate with trivy........................................................Passed
All changes made by hooks:
diff --git a/infra/resources/_modules/mcp_server/README.md b/infra/resources/_modules/mcp_server/README.md
index 8a1ab602..d87990b0 100644
--- a/infra/resources/_modules/mcp_server/README.md
+++ b/infra/resources/_modules/mcp_server/README.md
@@ -9,8 +9,8 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 0.1.3 |
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 4.48.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | n/a |
 
 ## Modules
 

_{Generated on Thu Oct 16 16:03:04 UTC 2025
Run all checks on modified files}

[github-actions]

📖 Terraform Plan (infra/resources//prod) - success

Show Plan

  # module.dx_website.azurerm_static_web_app_custom_domain.this has changed
  ~ resource "azurerm_static_web_app_custom_domain" "this" {
        id                = "/subscriptions/02a23258-2e41-433c-8e9a-465b99e77bca/resourceGroups/dx-p-itn-common-rg-01/providers/Microsoft.Web/staticSites/dx-p-itn-website-stapp-01/customDomains/dx.pagopa.it"
      - validation_token  = (sensitive value) -> null
        # (3 unchanged attributes hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.dx_website.azurerm_dns_txt_record.validation will be updated in-place
  ~ resource "azurerm_dns_txt_record" "validation" {
        id                  = "/subscriptions/02a23258-2e41-433c-8e9a-465b99e77bca/resourceGroups/dx-p-itn-network-rg-01/providers/Microsoft.Network/dnsZones/dx.pagopa.it/TXT/_dnsauth.dx.pagopa.it"
        name                = "_dnsauth.dx.pagopa.it"
        tags                = {}
        # (4 unchanged attributes hidden)

      - record {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      + record {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
    }

  # module.dx_website.azurerm_static_web_app.this will be updated in-place
  ~ resource "azurerm_static_web_app" "this" {
        id                                 = "/subscriptions/02a23258-2e41-433c-8e9a-465b99e77bca/resourceGroups/dx-p-itn-common-rg-01/providers/Microsoft.Web/staticSites/dx-p-itn-website-stapp-01"
        name                               = "dx-p-itn-website-stapp-01"
      - repository_branch                  = "main" -> null
      - repository_url                     = "https://github.com/pagopa/dx" -> null
      ~ sku_tier                           = "Standard" -> "Free"
        tags                               = {
            "CostCenter"     = "TS000 - Tecnologia e Servizi"
            "CreatedBy"      = "Terraform"
            "Environment"    = "Prod"
            "ManagementTeam" = "Developer Experience"
            "Owner"          = "DevEx"
            "Source"         = "https://github.com/pagopa/dx/blob/main/infra/resources/prod"
        }
        # (10 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

[github-actions]

📖 Terraform Plan (infra/resources//dev) - success

Show Plan

  # module.mcp_server.aws_lambda_function.server will be updated in-place
  ~ resource "aws_lambda_function" "server" {
        id                             = "dx-p-euc1-mcp-server-lambda-01"
        tags                           = {
            "CostCenter"     = "TS000 - Tecnologia e Servizi"
            "CreatedBy"      = "Terraform"
            "Environment"    = "Prod"
            "ManagementTeam" = "Developer Experience"
            "Owner"          = "DevEx"
            "Source"         = "https://github.com/pagopa/dx/blob/main/infra/resources/dev"
        }
        # (28 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              - "LOG_LEVEL"                 = "debug" -> null
                # (1 unchanged element hidden)
            }
        }

        # (3 unchanged blocks hidden)
    }

  # module.testing.azurerm_subnet_network_security_group_association.common_runner_to_tests_pep["/subscriptions/35e6e3b2-4388-470e-a1b9-ad3bc34326d1/resourceGroups/dx-d-itn-network-rg-01/providers/Microsoft.Network/virtualNetworks/dx-d-itn-common-vnet-01/subnets/dx-d-itn-modules-test-cae-snet-02"] will be created
  + resource "azurerm_subnet_network_security_group_association" "common_runner_to_tests_pep" {
      + id                        = (known after apply)
      + network_security_group_id = "/subscriptions/35e6e3b2-4388-470e-a1b9-ad3bc34326d1/resourceGroups/dx-d-itn-network-rg-01/providers/Microsoft.Network/networkSecurityGroups/dx-d-itn-common-vnet-nsg-01"
      + subnet_id                 = "/subscriptions/35e6e3b2-4388-470e-a1b9-ad3bc34326d1/resourceGroups/dx-d-itn-network-rg-01/providers/Microsoft.Network/virtualNetworks/dx-d-itn-common-vnet-01/subnets/dx-d-itn-modules-test-cae-snet-02"
    }

Plan: 1 to add, 1 to change, 0 to destroy.

Warning: Reference to undefined provider

  on aws.tf line 11, in module "mcp_server":
  11:     aws           = aws.eu-central-1

There is no explicit declaration for local provider name "aws" in
module.mcp_server, so Terraform is assuming you mean to pass a configuration
for "hashicorp/aws".

If you also control the child module, add a required_providers entry named
"aws" with the source address "hashicorp/aws".

(and 2 more similar warnings elsewhere)