Initial commit

.devops/deploy-pipelines.yml

@@ -0,0 +1,182 @@
+# Build and push image to Azure Container Registry; Deploy to Azure Kubernetes Service
+# https://docs.microsoft.com/azure/devops/pipelines/languages/docker
+
+parameters:
+  - name: 'executeBuild'
+    displayName: 'Launch docker build'
+    type: boolean
+    default: true
+
+trigger:
+  branches:
+    include:
+      - develop
+      - uat
+      - main
+  paths:
+    include:
+      - src/*
+      - build.gradle.kts
+      - helm/*
+      - Dockerfile
+      - settings.gradle.kts
+
+pr: none
+
+resources:
+  - repo: self
+
+variables:
+
+  #  vmImageNameDefault: 'ubuntu-latest'
+  vmImageNameDefault: ubuntu-22.04
+
+  imageRepository: '$(K8S_IMAGE_REPOSITORY_NAME)'
+  deployNamespace: '$(DEPLOY_NAMESPACE)'
+  helmReleaseName : '$(HELM_RELEASE_NAME)'
+  canDeploy: true
+
+  ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/uat') }}:
+    environment: 'UAT'
+    dockerRegistryName: '$(UAT_CONTAINER_REGISTRY_NAME)'
+    dockerRegistryServiceConnection: '$(UAT_CONTAINER_REGISTRY_SERVICE_CONN)'
+    kubernetesServiceConnection: '$(UAT_KUBERNETES_SERVICE_CONN)'
+    containerRegistry: '$(UAT_CONTAINER_REGISTRY_NAME)'
+    selfHostedAgentPool: $(UAT_AGENT_POOL)
+    postmanEnvFile: p4pa_UAT.postman_environment.json
+
+  ${{ elseif eq(variables['Build.SourceBranch'], 'refs/heads/main') }}:
+    environment: 'PROD'
+    dockerRegistryName: '$(PROD_CONTAINER_REGISTRY_NAME)'
+    dockerRegistryServiceConnection: '$(PROD_CONTAINER_REGISTRY_SERVICE_CONN)'
+    kubernetesServiceConnection: '$(PROD_KUBERNETES_SERVICE_CONN)'
+    containerRegistry: '$(PROD_CONTAINER_REGISTRY_NAME)'
+    selfHostedAgentPool: $(PROD_AGENT_POOL)
+    postmanEnvFile: p4pa_PROD.postman_environment.json #Not used
+
+  ${{ else }}:
+    environment: 'DEV'
+    dockerRegistryName: '$(DEV_CONTAINER_REGISTRY_NAME)'
+    dockerRegistryServiceConnection: '$(DEV_CONTAINER_REGISTRY_SERVICE_CONN)'
+    kubernetesServiceConnection: '$(DEV_KUBERNETES_SERVICE_CONN)'
+    containerRegistry: '$(DEV_CONTAINER_REGISTRY_NAME)'
+    selfHostedAgentPool: $(DEV_AGENT_POOL)
+    postmanEnvFile: p4pa_DEV.postman_environment.json
+
+stages:
+  - stage: stage_build
+    condition: eq(variables.canDeploy, true)
+    displayName: 'Build and publish image to ${{ variables.environment }} registry'
+    jobs:
+      - job: job_build
+        displayName: Build
+        pool:
+          vmImage: $(vmImageNameDefault)
+        steps:
+          - task: Bash@3
+            displayName: Get app version
+            name: getAppVersion
+            condition: and(succeeded(), eq(variables.canDeploy, true))
+            inputs:
+              targetType: 'inline'
+              script: |
+                version=$(cat build.gradle.kts | grep "version = '.*'" | cut -d"'" -f2)
+                echo "Building $version version"
+                echo "##vso[task.setvariable variable=appVersion;isOutput=true]$version"
+              failOnStderr: true
+
+          - task: Docker@2
+            condition: and(succeeded(), ${{ parameters.executeBuild }})
+            displayName: 'Build and publish $(imageRepository) image'
+            inputs:
+              containerRegistry: '$(dockerRegistryServiceConnection)'
+              repository: '$(imageRepository)'
+              command: 'buildAndPush'
+              tags: |
+                latest
+                $(Build.SourceVersion)
+                $(getAppVersion.appVersion)
+
+          - task: PublishPipelineArtifact@1
+            displayName: 'Publish manifests into pipeline artifacts'
+            condition: succeeded()
+            inputs:
+              targetPath: '$(Build.Repository.LocalPath)/helm'
+              artifact: 'helm'
+              publishLocation: 'pipeline'
+          - task: 'Bash@3'
+            displayName: 'Send message on Slack'
+            condition: in(variables['Agent.JobStatus'], 'SucceededWithIssues', 'Failed')
+            inputs:
+              targetType: 'inline'
+              script: >
+                curl -X POST \
+                  -H "Content-type: application/json" \
+                  --data '{"text": "*Attention: There is an error in pipeline $(System.DefinitionName) in step _build_!*\nCheck the logs for more details $(System.CollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId) to view the build results."}' \
+                  $(SLACK_WEBHOOK_URL)
+  - stage: stage_deploy
+    displayName: 'Deploy to ${{ variables.environment }} K8S'
+    dependsOn: [ stage_build ]
+    variables:
+      appVersion: $[ stageDependencies.stage_build.job_build.outputs['getAppVersion.appVersion'] ]
+    condition: and(succeeded(), eq(variables.canDeploy, true))
+    jobs:
+      - deployment: job_deploy
+        displayName: 'Deploy'
+        pool:
+          name: $(selfHostedAgentPool)
+        environment: '$(environment)'
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - download: none
+                - task: DownloadPipelineArtifact@2
+                  inputs:
+                    buildType: 'current'
+                    artifactName: 'helm'
+                    targetPath: '$(Pipeline.Workspace)/helm'
+                - task: KubectlInstaller@0
+                - task: Bash@3
+                  name: helm_dependency_build
+                  displayName: Helm dependency build
+                  inputs:
+                    workingDirectory: '$(Pipeline.Workspace)/helm'
+                    targetType: 'inline'
+                    script: |
+                      helm repo add pagopa-microservice https://pagopa.github.io/aks-microservice-chart-blueprint
+                      helm dep build
+                    failOnStderr: true
+                - bash: |
+                    echo 'microservice-chart:
+                       podAnnotations:
+                          "build/buildNumber": "$(Build.BuildNumber)"
+                          "build/appVersion": "$(appVersion)"
+                          "build/sourceVersion": "$(Build.SourceVersion)"' > buildMetadata.yaml
+                  displayName: Writing build metadata
+
+                - task: HelmDeploy@0
+                  displayName: Helm upgrade
+                  inputs:
+                    kubernetesServiceEndpoint: ${{ variables.kubernetesServiceConnection }}
+                    namespace: '$(deployNamespace)'
+                    command: upgrade
+                    chartType: filepath
+                    chartPath: $(Pipeline.Workspace)/helm
+                    chartName: ${{ variables.helmReleaseName }}
+                    releaseName: ${{ variables.helmReleaseName }}
+                    valueFile: "$(Pipeline.Workspace)/helm/values-${{ lower(variables.environment) }}.yaml"
+                    install: true
+                    waitForExecution: true
+                    arguments: --timeout 5m0s
+                      --values buildMetadata.yaml
+                - task: 'Bash@3'
+                  displayName: 'Send message on Slack'
+                  condition: in(variables['Agent.JobStatus'], 'SucceededWithIssues', 'Failed')
+                  inputs:
+                    targetType: 'inline'
+                    script: >
+                      curl -X POST \
+                        -H "Content-type: application/json" \
+                        --data '{"text": "*Attention: There is an error in pipeline $(System.DefinitionName) in step _deploy_!*\nCheck the logs for more details $(System.CollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId) to view the build results."}' \
+                        $(SLACK_WEBHOOK_URL)

.editorconfig

@@ -0,0 +1,30 @@
+# EditorConfig is awesome: http://EditorConfig.org
+# Uses editorconfig to maintain consistent coding styles
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+max_line_length = 80
+trim_trailing_whitespace = true
+
+[*.{tf,tfvars}]
+indent_size = 2
+indent_style = space
+
+[*.md]
+max_line_length = 0
+trim_trailing_whitespace = false
+
+[Makefile]
+tab_width = 2
+indent_style = tab
+
+[COMMIT_EDITMSG]
+max_line_length = 0

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Add the repository's code owners here
+* @pagopa/p4pa-admins @pagopa/payments-cloud-admin

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,39 @@
+#### Description
+<!--- Please always add a PR description as if nobody knows anything about the context these changes come from. -->
+<!--- Even if we are all from our internal team, we may not be on the same page. -->
+<!--- Write this PR as you were contributing to a public OSS project, where nobody knows you and you have to earn their trust. -->
+<!--- This will improve our projects in the long run! Thanks. -->
+
+#### List of Changes
+<!--- Describe your changes in detail -->
+
+#### Motivation and Context
+<!--- Why is this change required? What problem does it solve? -->
+
+#### How Has This Been Tested?
+<!--- Please describe in detail how you tested your changes. -->
+<!--- Include details of your testing environment, tests ran to see how -->
+<!--- your change affects other areas of the code, etc. -->
+- Pre-Deploy Test
+  - [ ] Unit
+  - [ ] Integration (Narrow)
+- Post-Deploy Test
+  - [ ] Isolated Microservice
+  - [ ] Broader Integration
+  - [ ] Acceptance
+  - [ ] Performance & Load
+
+#### Types of changes
+<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
+
+- [ ] PATCH - Bug fix (backwards compatible bug fixes)
+- [ ] MINOR - New feature (add functionality in a backwards compatible manner)
+- [ ] MAJOR - Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] CHORE - Minor Change (fix or feature that don't impact the functionality e.g. Documentation or lint configuration)
+
+#### Checklist:
+<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
+<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
+
+- [ ] My change requires a change to the documentation.
+- [ ] I have updated the documentation accordingly.

.github/terraform/00_data.tf

@@ -0,0 +1,17 @@
+# KV Core
+data "azurerm_key_vault" "key_vault_core" {
+  name                = "${var.prefix}-${var.env_short}-${var.location_short}-core-kv"
+  resource_group_name = "${var.prefix}-${var.env_short}-${var.location_short}-core-sec-rg"
+}
+
+# Kv Domain
+data "azurerm_key_vault" "key_vault_domain" {
+  name                = "${var.prefix}-${var.env_short}-${var.location_short}-${var.domain}-kv"
+  resource_group_name = "${var.prefix}-${var.env_short}-${var.location_short}-${var.domain}-sec-rg"
+}
+
+# Github
+data "github_organization_teams" "all" {
+  root_teams_only = true
+  summary_only    = true
+}

.github/terraform/03_github_environment.tf

@@ -0,0 +1,86 @@
+#################################
+# Repository Environment        #
+#################################
+resource "github_repository_environment" "github_repository_environment" {
+  environment = var.env
+  repository  = local.github.repository
+  # filter teams reviewers from github_organization_teams
+  # if reviewers_teams is null no reviewers will be configured for environment
+  dynamic "reviewers" {
+    for_each = (var.github_repository_environment.reviewers_teams == null || var.env_short != "p" ? [] : [1])
+    content {
+      teams = matchkeys(
+        data.github_organization_teams.all.teams.*.id,
+        data.github_organization_teams.all.teams.*.name,
+        var.github_repository_environment.reviewers_teams
+      )
+    }
+  }
+  deployment_branch_policy {
+    protected_branches     = var.github_repository_environment.protected_branches
+    custom_branch_policies = var.github_repository_environment.custom_branch_policies
+  }
+}
+
+
+###############
+# ENV Secrets #
+###############
+
+resource "github_actions_environment_secret" "environment_secrets" {
+  for_each = local.env_secrets
+
+  repository      = local.github.repository
+  environment     = var.env
+  secret_name     = each.key
+  plaintext_value = each.value
+}
+
+#################
+# ENV Variables #
+#################
+
+resource "github_actions_environment_variable" "environment_variables" {
+  for_each = local.env_variables
+
+  repository    = local.github.repository
+  environment   = var.env
+  variable_name = each.key
+  value         = each.value
+}
+
+#################################
+# Environment Deployment Policy #
+#################################
+
+resource "github_repository_environment_deployment_policy" "this" {
+  repository     = local.github.repository
+  environment    = var.env
+  branch_pattern = local.map_repo[var.env]
+
+  depends_on = [
+    github_repository_environment.github_repository_environment
+  ]
+}
+
+##########################################
+# Environment Variable of the Repository #
+##########################################
+resource "github_actions_variable" "repo_env" {
+  for_each = var.env_short == "p" ? local.repo_env : {}
+
+  repository    = local.github.repository
+  variable_name = each.key
+  value         = each.value
+}
+
+#############################
+# Secrets of the Repository #
+#############################
+resource "github_actions_secret" "repo_secrets" {
+  for_each = var.env_short == "p" ? local.repo_secrets : {}
+
+  repository      = local.github.repository
+  secret_name     = each.key
+  plaintext_value = each.value
+}

.github/terraform/99_locals.tf

@@ -0,0 +1,36 @@
+locals {
+  # Common Tags:
+  common_tags = {
+    CreatedBy   = "Terraform"
+    Environment = var.env
+    Owner       = upper(var.prefix)
+    Source      = "" # Repository URL
+    CostCenter  = ""
+  }
+
+  # Repo
+  github = {
+    org        = "pagopa"
+    repository = "" # Repository Name
+  }
+
+  env_secrets = {
+    ENV_SECRET = "data.azurerm_key_vault_secret.CHANGE_ME.value"
+  }
+  env_variables = {
+    ENV_VARIABLE = "ENV_VARIABLE"
+  }
+
+  repo_secrets = var.env_short == "p" ? {
+    SECRET = "SECRET"
+  } : {}
+  repo_env = var.env_short == "p" ? {
+    ENV_VARIABLE = "ENV_VARIABLE"
+  } : {}
+
+  map_repo = {
+    "dev" : "*",
+    "uat" : "uat"
+    "prod" : "main"
+  }
+}