feat: PAYMCLOUD-464 argocd rbac setup (#160)

* minimi privilegi

* minor fix

* added roles for project

* updated argocd provider

* updated argocd provider

* project with rbac

* minor fix

* test reader project

* enhance terraform script with new features and improved error handling

* pre

Author: diegoitaliait

src/aks-platform/10_argocd.tf

@@ -27,13 +27,16 @@ resource "helm_release" "argocd" {
 
   values = [
     templatefile("${path.module}/argocd/argocd_helm_setup_values.yaml", {
-      ARGOCD_APPLICATION_NAMESPACES  = var.argocd_application_namespaces
-      TENANT_ID                      = data.azurerm_subscription.current.tenant_id
-      APP_CLIENT_ID                  = data.azurerm_key_vault_secret.argocd_entra_app_client_id.value
-      ENTRA_ADMIN_GROUP_OBJECT_ID    = data.azuread_group.adgroup_admin.object_id
-      ARGOCD_INTERNAL_URL            = local.argocd_internal_url
-      ARGOCD_INGRESS_TLS_SECRET_NAME = replace(local.argocd_internal_url, ".", "-", )
-      FORCE_REINSTALL                = var.argocd_force_reinstall_version
+      ARGOCD_APPLICATION_NAMESPACES    = var.argocd_application_namespaces
+      TENANT_ID                        = data.azurerm_subscription.current.tenant_id
+      APP_CLIENT_ID                    = data.azurerm_key_vault_secret.argocd_entra_app_client_id.value
+      ENTRA_ADMIN_GROUP_OBJECT_IDS     = []
+      ENTRA_DEVELOPER_GROUP_OBJECT_IDS = []
+      ENTRA_READER_GROUP_OBJECT_IDS    = []
+      ENTRA_GUEST_GROUP_OBJECT_IDS     = []
+      ARGOCD_INTERNAL_URL              = local.argocd_internal_url
+      ARGOCD_INGRESS_TLS_SECRET_NAME   = replace(local.argocd_internal_url, ".", "-", )
+      FORCE_REINSTALL                  = var.argocd_force_reinstall_version
     })
   ]
 

src/aks-platform/argocd/argocd_helm_setup_values.yaml

@@ -49,40 +49,64 @@ configs:
     server.rbac.disableApplicationFineGrainedRBACInheritance: "false"
   rbac:
     policy.default: role:guest
+    scopes: "[preferred_username, email, groups]"
     policy.csv: |
-      # --- Admin role
+      # ------------------------------------------------------------------------
+      # Macro‑roles hierarchy
+      #   admin     – full access to everything
+      #   developer – manage applications only (CRUD + sync)
+      #   reader    – read‑only on applications
+      #   guest     – can log‑in, sees nothing
+      # ------------------------------------------------------------------------
+      # --- Admin role ---------------------------------------------------------
       p, role:admin, *, *, */*, allow
       p, role:admin, logs, get, */*, allow
 
-      # --- Developer role
+      # --- Developer role -----------------------------------------------------
       p, role:developer, applications, get, */*, allow
       p, role:developer, applications, create, */*, allow
       p, role:developer, applications, update, */*, allow
+      p, role:developer, applications, delete, */*, allow
       p, role:developer, applications, sync, */*, allow
       p, role:developer, applications, override, */*, allow
-      p, role:developer, projects, get, *, allow
-      p, role:developer, clusters, get, *, allow
-      p, role:developer, repositories, get, *, allow
-      p, role:developer, accounts, get, *, allow
       p, role:developer, logs, get, */*, allow
+      # Note: NO access to projects, clusters, repositories, accounts
 
-      # --- Reader role
+      # --- Reader role --------------------------------------------------------
       p, role:reader, applications, get, */*, allow
       p, role:reader, applications, logs, */*, allow
-      p, role:reader, projects, get, *, allow
       p, role:reader, applications, get, */secrets, deny
+      # Note: NO access to projects, clusters, repositories, accounts
 
-      # --- Guest role
+      # --- Guest role ---------------------------------------------------------
       p, role:guest, applications, get, */*, deny
-      p, role:guest, projects, get, *, deny
-      p, role:guest, repositories, get, *, deny
-      p, role:guest, clusters, get, *, deny
       p, role:guest, accounts, get, *, deny
 
-      # Assign users to roles
-      g, ${ENTRA_ADMIN_GROUP_OBJECT_ID}, role:admin
+      # ------------------------------------------------------------------------
+      # Group bindings (Azure Entra ID object IDs)
+      # ------------------------------------------------------------------------
+%{ if ENTRA_ADMIN_GROUP_OBJECT_IDS != null && length(ENTRA_ADMIN_GROUP_OBJECT_IDS) > 0 ~}
+%{   for group_id in ENTRA_ADMIN_GROUP_OBJECT_IDS ~}
+      g, ${group_id}, role:admin
+%{   endfor ~}
+%{ endif ~}
+%{ if ENTRA_DEVELOPER_GROUP_OBJECT_IDS != null && length(ENTRA_DEVELOPER_GROUP_OBJECT_IDS) > 0 ~}
+%{   for group_id in ENTRA_DEVELOPER_GROUP_OBJECT_IDS ~}
+      g, ${group_id}, role:developer
+%{   endfor ~}
+%{ endif ~}
+%{ if ENTRA_READER_GROUP_OBJECT_IDS != null && length(ENTRA_READER_GROUP_OBJECT_IDS) > 0 ~}
+%{   for group_id in ENTRA_READER_GROUP_OBJECT_IDS ~}
+      g, ${group_id}, role:reader
+%{   endfor ~}
+%{ endif ~}
+%{ if ENTRA_GUEST_GROUP_OBJECT_IDS != null && length(ENTRA_GUEST_GROUP_OBJECT_IDS) > 0 ~}
+%{   for group_id in ENTRA_GUEST_GROUP_OBJECT_IDS ~}
+      g, ${group_id}, role:guest
+%{   endfor ~}
+%{ endif ~}
+
 
-    scopes: "[preferred_username, email, groups]"
 
 #
 # Server configuration

src/aks-platform/env/itn-dev/terraform.tfvars

@@ -131,4 +131,4 @@ reloader_helm = {
 # https://github.com/argoproj/argo-helm/releases
 argocd_helm_release_version    = "8.2.4" #3.0.5+
 argocd_application_namespaces  = ["argocd", "testit", "diego", "keda"]
-argocd_force_reinstall_version = "v20250805_1"
+argocd_force_reinstall_version = "v20250806_1"

src/domains/diego-app/.terraform.lock.hcl

@@ -1,40 +1,42 @@
+locals {
+  project_name = "${var.domain}-project"
+}
+
 #
 # Terraform argocd project
 #
-resource "argocd_project" "project" {
+resource "argocd_project" "argocd_project_diego" {
   metadata {
-    name      = "${var.domain}-project"
+    name      = local.project_name # e.g. "diego-project"
     namespace = "argocd"
+
     labels = {
       acceptance = "true"
     }
   }
 
   spec {
-    description = "${var.domain}-project"
+    description = local.project_name
 
-    source_namespaces = ["argocd", var.domain]
+    # Restrict manifest sources to this domain's repos
+    source_namespaces = [var.domain]
     source_repos      = ["*"]
 
     destination {
       server    = "https://kubernetes.default.svc"
       namespace = var.domain
     }
-    destination {
-      server    = "https://kubernetes.default.svc"
-      namespace = "argocd"
-    }
 
-    #     cluster_resource_blacklist {
-    #       group = "*"
-    #       kind  = "*"
-    #     }
+    # ───────────────── Security Guards ─────────────────
+    cluster_resource_blacklist {
+      group = ""
+      kind  = "Namespace"
+    }
 
     cluster_resource_whitelist {
       group = "*"
       kind  = "*"
     }
-
     namespace_resource_whitelist {
       group = "*"
       kind  = "*"
@@ -44,14 +46,49 @@ resource "argocd_project" "project" {
       warn = true
     }
 
-    # role {
-    #   name = "project-admin"
-    #   policies = [
-    #   ]
-    # }
+    # ──────────────────── ROLES ───────────────────────
+    # Admin → pieno controllo + modifica AppProject
+    role {
+      name   = "admin"
+      groups = []
+      policies = [
+        "p, proj:${local.project_name}:admin, applications, *, ${local.project_name}/*, allow",
+        "p, proj:${local.project_name}:admin, applicationsets, *, ${local.project_name}/*, allow",
+        "p, proj:${local.project_name}:admin, logs, get, ${local.project_name}/*, allow",
+        "p, proj:${local.project_name}:admin, exec, create, ${local.project_name}/*, allow",
+      ]
+    }
+
+    # Developer → sola lettura sul Project, pieno controllo sulle app
+    role {
+      name   = "developer"
+      groups = []
+      policies = [
+        "p, proj:${local.project_name}:developer, applications, get, ${local.project_name}/*, allow",
+        "p, proj:${local.project_name}:developer, applications, create, ${local.project_name}/*, allow",
+        "p, proj:${local.project_name}:developer, applications, update, ${local.project_name}/*, allow",
+        "p, proj:${local.project_name}:developer, applications, delete, ${local.project_name}/*, allow",
+        "p, proj:${local.project_name}:developer, applications, sync, ${local.project_name}/*, allow",
+        "p, proj:${local.project_name}:developer, applicationsets, *, ${local.project_name}/*, allow",
+        "p, proj:${local.project_name}:developer, logs, get, ${local.project_name}/*, allow",
+      ]
+    }
+
+    # Reader → read‑only su app + project; può visualizzare ConfigMaps tramite tree
+    role {
+      name   = "reader"
+      groups = [data.azuread_group.adgroup_admin.object_id]
+      policies = [
+        "p, proj:${local.project_name}:reader, applications, get, ${local.project_name}/*, allow",
+        "p, proj:${local.project_name}:reader, logs, get, ${local.project_name}/*, allow",
+      ]
+    }
   }
 }
 
+
+
+
 locals {
   argocd_applications = {
     "top" = {
@@ -98,7 +135,7 @@ resource "argocd_application" "diego_applications" {
   }
 
   spec {
-    project = argocd_project.project.metadata[0].name
+    project = argocd_project.argocd_project_diego.metadata[0].name
 
     destination {
       server    = "https://kubernetes.default.svc"