feat: add ff to enable/disable settings menu (#3622)

pietro-tota · web-flow · commit 307fb89ccd9a · 2026-02-06T12:45:34.000+01:00
* feat: add ff to enable/disable settings menu

* fix: app configuration permission to dev and admins
diff --git a/src/domains/selfcare-common/00_azuread.tf b/src/domains/selfcare-common/00_azuread.tf
@@ -41,3 +41,11 @@ resource "azurerm_key_vault_secret" "selfcare_service_principal_client_secret" {
 
   key_vault_id = data.azurerm_key_vault.key_vault.id
 }
+
+data "azuread_group" "adgroup_admin" {
+  display_name = "${local.product}-adgroup-admin"
+}
+
+data "azuread_group" "adgroup_developers" {
+  display_name = "${local.product}-adgroup-developers"
+}
diff --git a/src/domains/selfcare-common/04_app_configuration_feature.tf b/src/domains/selfcare-common/04_app_configuration_feature.tf
@@ -5,19 +5,23 @@ resource "azurerm_app_configuration" "selfcare_appconf" {
   sku                 = "standard"
 }
 
-# ⚠️⚠️⚠️ iif on apply receive error 409 already exist a tricky u be ⚠️⚠️⚠️ :
-# 1. sh terraform.sh state weu-<ENV> rm azurerm_role_assignment.selfcare_appconf_dataowner_sp
-# 2. remove ✋ from portal pagopa-<ENV>-selfcare-appconfiguration > Role assignments > filter for "App Configuration Data Owner" and removed pagopa-<ENB>-seflcare
-resource "azurerm_role_assignment" "selfcare_appconf_dataowner" {
+resource "azurerm_role_assignment" "selfcare_appconf_dataowner_sp" {
   scope                = azurerm_app_configuration.selfcare_appconf.id
   role_definition_name = "App Configuration Data Owner"
-  principal_id         = data.azurerm_client_config.current.object_id
+  principal_id         = azuread_service_principal.selfcare.object_id
 }
 
-resource "azurerm_role_assignment" "selfcare_appconf_dataowner_sp" {
+resource "azurerm_role_assignment" "appconf_dataowner_adgroup_developers" {
+  count                = var.env_short != "p" ? 1 : 0
   scope                = azurerm_app_configuration.selfcare_appconf.id
   role_definition_name = "App Configuration Data Owner"
-  principal_id         = azuread_service_principal.selfcare.object_id
+  principal_id         = data.azuread_group.adgroup_developers.object_id
+}
+
+resource "azurerm_role_assignment" "appconf_dataowner_adgroup_admin" {
+  scope                = azurerm_app_configuration.selfcare_appconf.id
+  role_definition_name = "App Configuration Data Owner"
+  principal_id         = data.azuread_group.adgroup_admin.object_id
 }
 
 resource "azurerm_app_configuration_feature" "maintenance_banner_flag" {
@@ -251,3 +255,18 @@ resource "azurerm_app_configuration_feature" "quicksight_product_free_trial" {
     ]
   }
 }
+
+resource "azurerm_app_configuration_feature" "settings_section" {
+  configuration_store_id = azurerm_app_configuration.selfcare_appconf.id
+  description            = "Feature flag used to enable/disable settings f.e. section"
+  name                   = "settings-section"
+  enabled                = false
+
+  lifecycle {
+    ignore_changes = [
+      enabled,
+      targeting_filter,
+      timewindow_filter
+    ]
+  }
+}
diff --git a/src/domains/selfcare-common/README.md b/src/domains/selfcare-common/README.md
@@ -44,6 +44,7 @@
 | [azurerm_app_configuration_feature.payments_receipts_flag](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/app_configuration_feature) | resource |
 | [azurerm_app_configuration_feature.quicksight_dashboard_flag](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/app_configuration_feature) | resource |
 | [azurerm_app_configuration_feature.quicksight_product_free_trial](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/app_configuration_feature) | resource |
+| [azurerm_app_configuration_feature.settings_section](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/app_configuration_feature) | resource |
 | [azurerm_app_configuration_feature.station-odp-service](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/app_configuration_feature) | resource |
 | [azurerm_app_configuration_feature.station-rest-section](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/app_configuration_feature) | resource |
 | [azurerm_app_configuration_feature.station_maintenances_flag](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/app_configuration_feature) | resource |
@@ -59,11 +60,14 @@
 | [azurerm_management_lock.mongodb_pagopa_backoffice](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/management_lock) | resource |
 | [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/private_dns_a_record) | resource |
 | [azurerm_resource_group.bopagopa_rg](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/resource_group) | resource |
+| [azurerm_role_assignment.appconf_dataowner_adgroup_admin](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.appconf_dataowner_adgroup_developers](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.selfcare_apim_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
-| [azurerm_role_assignment.selfcare_appconf_dataowner](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.selfcare_appconf_dataowner_sp](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/resources/role_assignment) | resource |
 | [null_resource.github_runner_app_permissions_to_namespace_cd_01](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [time_rotating.selfcare_application](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource |
+| [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azurerm_api_management.apim](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/api_management) | data source |
 | [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/application_insights) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/3.116.0/docs/data-sources/client_config) | data source |
