Add PSN GitHub environments and secrets with Managed Identities (#603)

This pull request introduces significant enhancements to the
infrastructure provisioning for the production environment, primarily to
support a new "psn-prod" environment.
The changes add a new Azure subscription/provider configuration, manage
new user-assigned identities and federated credentials, and automate the
creation of GitHub Actions environment secrets for the "psn-prod"
environment.
Additionally, the repository module is configured to recognize the new
environment.

Resolves: CES-1567

Author: mamu0

.github/workflows/release_psn_infra.yaml

@@ -2,6 +2,22 @@ name: PR PSN Infrastructure Release - Prod
 
 on:
   workflow_dispatch:
+    inputs:
+      hub:
+        description: 'Plan in Hub'
+        required: false
+        type: boolean
+        default: false
+      spoke:
+        description: 'Plan in Spoke'
+        required: false
+        type: boolean
+        default: false
+      resources:
+        description: 'Plan in Resources PSN'
+        required: false
+        type: boolean
+        default: false
   # TBD: Uncomment after permissions are set on identity
   # push:
   #   branches:
@@ -47,11 +63,25 @@ jobs:
         if: github.event_name == 'workflow_dispatch'
         id: all
         run: |
-          echo 'changes=["core/psn/hub", "core/psn/spoke", "resources/psn"]' >> $GITHUB_OUTPUT
+          modules=()
+          if [ "${{ inputs.hub }}" == "true" ]; then
+            modules+=("core/psn/hub")
+          fi
+          if [ "${{ inputs.spoke }}" == "true" ]; then
+            modules+=("core/psn/spoke")
+          fi
+          if [ "${{ inputs.resources }}" == "true" ]; then
+            modules+=("resources/psn")
+          fi
+          if [ ${#modules[@]} -eq 0 ]; then
+            modules=("core/psn/hub" "core/psn/spoke" "resources/psn")
+          fi
+          json_array=$(printf '%s\n' "${modules[@]}" | jq -R . | jq -s -c .)
+          echo "changes=$json_array" >> $GITHUB_OUTPUT
 
   release_prod:
     needs: changes
-    uses: pagopa/dx/.github/workflows/infra_apply.yaml@support/psn-adaptation #main - Temporary, to be removed when using specific psn environment
+    uses: pagopa/dx/.github/workflows/infra_apply.yaml@main
     name: Infrastructure Release
     secrets: inherit
 
@@ -64,6 +94,6 @@ jobs:
       environment: prod
       base_path: infra/${{ matrix.infra }}
       use_private_agent: true
-      override_github_environment: infra-prod
+      override_github_environment: infra-psn-prod
       use_labels: true
       override_labels: psn

.github/workflows/support_function_deploy_psn.yaml

@@ -16,11 +16,11 @@ permissions:
 jobs:
   deploy:
     name: Deploy
-    uses: pagopa/dx/.github/workflows/release-azure-appsvc-v1.yaml@support/psn-adaptation #main - Temporary, to be removed when using specific psn environment
+    uses: pagopa/dx/.github/workflows/release-azure-appsvc-v1.yaml@main
     secrets: inherit
     with:
       workspace_name: io-wallet-support-func
-      environment: app-prod
+      environment: app-psn-prod
       resource_group_name: iw-p-itn-wallet-rg-01
       web_app_name: iw-p-itn-support-func-01
       disable_auto_staging_deploy: true

.github/workflows/user_function_deploy_psn.yaml

@@ -16,11 +16,11 @@ permissions:
 jobs:
   deploy:
     name: Deploy
-    uses: pagopa/dx/.github/workflows/release-azure-appsvc-v1.yaml@support/psn-adaptation #main - Temporary, to be removed when using specific psn environment
+    uses: pagopa/dx/.github/workflows/release-azure-appsvc-v1.yaml@main
     secrets: inherit
     with:
       workspace_name: io-wallet-user-func
-      environment: app-prod
+      environment: app-psn-prod
       resource_group_name: iw-p-itn-wallet-rg-01
       web_app_name: iw-p-itn-user-func-01
       disable_auto_staging_deploy: true

.github/workflows/user_uat_function_deploy_psn.yaml

@@ -16,11 +16,11 @@ permissions:
 jobs:
   deploy:
     name: Deploy
-    uses: pagopa/dx/.github/workflows/release-azure-appsvc-v1.yaml@support/psn-adaptation #main - Temporary, to be removed when using specific psn environment
+    uses: pagopa/dx/.github/workflows/release-azure-appsvc-v1.yaml@main
     secrets: inherit
     with:
       workspace_name: io-wallet-user-func
-      environment: app-prod
+      environment: app-psn-prod
       resource_group_name: iw-p-itn-wallet-rg-01
       web_app_name: iw-u-itn-user-func-01
       disable_auto_staging_deploy: true

.github/workflows/validate_psn_infra.yaml

@@ -2,6 +2,22 @@ name: PR PSN Infrastructure Plan - Prod
 
 on:
   workflow_dispatch:
+    inputs:
+      hub:
+        description: 'Plan in Hub'
+        required: false
+        type: boolean
+        default: false
+      spoke:
+        description: 'Plan in Spoke'
+        required: false
+        type: boolean
+        default: false
+      resources:
+        description: 'Plan in Resources PSN'
+        required: false
+        type: boolean
+        default: false
   # TBD: Uncomment after permissions are set on identity
   # pull_request:
   #   types:
@@ -48,11 +64,25 @@ jobs:
         if: github.event_name == 'workflow_dispatch'
         id: all
         run: |
-          echo 'changes=["core/psn/hub", "core/psn/spoke", "resources/psn"]' >> $GITHUB_OUTPUT # removed for tests
+          modules=()
+          if [ "${{ inputs.hub }}" == "true" ]; then
+            modules+=("core/psn/hub")
+          fi
+          if [ "${{ inputs.spoke }}" == "true" ]; then
+            modules+=("core/psn/spoke")
+          fi
+          if [ "${{ inputs.resources }}" == "true" ]; then
+            modules+=("resources/psn")
+          fi
+          if [ ${#modules[@]} -eq 0 ]; then
+            modules=("core/psn/hub" "core/psn/spoke" "resources/psn")
+          fi
+          json_array=$(printf '%s\n' "${modules[@]}" | jq -R . | jq -s -c .)
+          echo "changes=$json_array" >> $GITHUB_OUTPUT
 
   plan_prod:
     needs: changes
-    uses: pagopa/dx/.github/workflows/infra_plan.yaml@support/psn-adaptation #main - Temporary, to be removed when using specific psn environment
+    uses: pagopa/dx/.github/workflows/infra_plan.yaml@main
     name: Infrastructure Plan
     secrets: inherit
 
@@ -66,6 +96,6 @@ jobs:
       environment: prod
       base_path: infra/${{ matrix.infra }}
       use_private_agent: true
-      override_github_environment: infra-prod
+      override_github_environment: infra-psn-prod
       use_labels: true
       override_labels: psn

infra/bootstrapper/prod/README.md

@@ -16,6 +16,8 @@
 |------|---------|
 | <a name="provider_azuread"></a> [azuread](#provider\_azuread) | 3.1.0 |
 | <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 4.21.1 |
+| <a name="provider_azurerm.psn"></a> [azurerm.psn](#provider\_azurerm.psn) | 4.21.1 |
+| <a name="provider_github"></a> [github](#provider\_github) | 6.6.0 |
 
 ## Modules
 
@@ -27,16 +29,40 @@
 
 | Name | Type |
 |------|------|
+| [azurerm_federated_identity_credential.github_app_psn_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource |
+| [azurerm_federated_identity_credential.github_app_psn_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource |
+| [azurerm_federated_identity_credential.github_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource |
+| [azurerm_federated_identity_credential.github_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource |
+| [azurerm_federated_identity_credential.github_infra_psn_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource |
+| [azurerm_federated_identity_credential.github_infra_psn_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource |
+| [azurerm_federated_identity_credential.github_opex_psn_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource |
+| [azurerm_federated_identity_credential.github_opex_psn_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource |
+| [azurerm_user_assigned_identity.app_psn_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_user_assigned_identity.app_psn_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_user_assigned_identity.infra_psn_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_user_assigned_identity.infra_psn_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_user_assigned_identity.opex_psn_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [azurerm_user_assigned_identity.opex_psn_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource |
+| [github_actions_environment_secret.app_psn_cd](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
+| [github_actions_environment_secret.app_psn_ci](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
+| [github_actions_environment_secret.infra_cd](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
+| [github_actions_environment_secret.infra_ci](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
+| [github_actions_environment_secret.infra_psn_cd](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
+| [github_actions_environment_secret.infra_psn_ci](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
+| [github_actions_environment_secret.opex_psn_cd](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
+| [github_actions_environment_secret.opex_psn_ci](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret) | resource |
 | [azuread_group.admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azurerm_api_management.apim](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
+| [azurerm_client_config.psn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
 | [azurerm_container_app_environment.runner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/container_app_environment) | data source |
 | [azurerm_key_vault.common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
 | [azurerm_resource_group.common_itn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.dashboards](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_resource_group.dns_zones](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_subscription.psn](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 | [azurerm_virtual_network.common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 
 ## Inputs

infra/bootstrapper/prod/main.tf

@@ -31,6 +31,14 @@ provider "azurerm" {
   storage_use_azuread = true
 }
 
+provider "azurerm" {
+  features {}
+  alias                           = "psn"
+  storage_use_azuread             = true
+  resource_provider_registrations = "none"
+  subscription_id                 = "725dede2-879b-45c5-82fa-eb816875b10c"
+}
+
 provider "github" {
   owner = "pagopa"
 }