feat: ArgoCD RBAC for projects (#163)

* feat: enable admin login and configure global tolerations for ArgoCD, and configure Tiers

* merge all datasources

* upgrate providers and modules to version 4

* upgrate providers and modules to version 4

* better argocd projects names

* added external RBAC configuration

* pre-commit fixs

Author: diegoitaliait

src/aks-platform/10_argocd.tf

@@ -47,7 +47,26 @@ module "argocd" {
   internal_dns_zone_resource_group_name = local.internal_dns_zone_resource_group_name
   ingress_load_balancer_ip              = var.ingress_load_balancer_ip
   dns_record_name_for_ingress           = local.ingress_hostname_prefix
+  enable_admin_login                    = true
   admin_password                        = data.azurerm_key_vault_secret.argocd_admin_password.value
+  tier                                  = "dev"
+  global_tolerations = [
+    {
+      key      = "dedicated"
+      operator = "Equal"
+      value    = "argocd"
+      effect   = "NoSchedule"
+    }
+  ]
+  global_affinity_match_expressions = [
+    {
+      key      = "node_type"
+      operator = "In"
+      values   = ["user"]
+    }
+  ]
+
+  entra_admin_group_object_ids = [data.azuread_group.adgroup_admin.id]
 
   depends_on = [
     module.aks,

src/domains/diego-app/.terraform.lock.hcl

@@ -0,0 +1,83 @@
+#---------------------------------------------------------------
+# AKS Cluster Data Source
+#---------------------------------------------------------------
+data "azurerm_kubernetes_cluster" "aks" {
+  name                = var.aks_name
+  resource_group_name = var.aks_resource_group_name
+}
+
+#---------------------------------------------------------------
+# Azure AD Groups Data Sources
+#---------------------------------------------------------------
+data "azuread_group" "adgroup_admin" {
+  display_name = "${local.product}-adgroup-admin"
+}
+
+data "azuread_group" "adgroup_developers" {
+  display_name = "${local.product}-adgroup-developers"
+}
+
+data "azuread_group" "adgroup_externals" {
+  display_name = "${local.product}-adgroup-externals"
+}
+
+data "azuread_group" "adgroup_security" {
+  display_name = "${local.product}-adgroup-security"
+}
+
+#---------------------------------------------------------------
+# Key Vault Data Source
+#---------------------------------------------------------------
+data "azurerm_key_vault" "kv_domain" {
+  name                = local.key_vault_domain_name
+  resource_group_name = local.key_vault_domain_resource_group
+}
+
+data "azurerm_key_vault_secret" "argocd_admin_username" {
+  name         = "argocd-admin-username"
+  key_vault_id = data.azurerm_key_vault.kv_domain.id
+}
+
+data "azurerm_key_vault_secret" "argocd_admin_password" {
+  name         = "argocd-admin-password"
+  key_vault_id = data.azurerm_key_vault.kv_domain.id
+}
+
+#---------------------------------------------------------------
+# Monitoring Data Sources
+#---------------------------------------------------------------
+data "azurerm_resource_group" "monitor_rg" {
+  name = var.monitor_resource_group_name
+}
+
+data "azurerm_log_analytics_workspace" "log_analytics" {
+  name                = var.log_analytics_workspace_name
+  resource_group_name = var.log_analytics_workspace_resource_group_name
+}
+
+data "azurerm_application_insights" "application_insights" {
+  name                = local.monitor_appinsights_name
+  resource_group_name = data.azurerm_resource_group.monitor_rg.name
+}
+
+data "azurerm_monitor_action_group" "slack" {
+  resource_group_name = var.monitor_resource_group_name
+  name                = local.monitor_action_group_slack_name
+}
+
+data "azurerm_monitor_action_group" "email" {
+  resource_group_name = var.monitor_resource_group_name
+  name                = local.monitor_action_group_email_name
+}
+
+#---------------------------------------------------------------
+# Network Data Sources
+#---------------------------------------------------------------
+data "azurerm_virtual_network" "vnet_core" {
+  name                = local.vnet_core_name
+  resource_group_name = local.vnet_core_resource_group_name
+}
+
+data "azurerm_resource_group" "rg_vnet_core" {
+  name = local.vnet_core_resource_group_name
+}

src/domains/diego-app/00_aks.tf

@@ -1,5 +1,6 @@
 module "workload_identity" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration?ref=v8.42.1"
+  # source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration?ref=v8.42.1"
+  source = "./.terraform/modules/__v4__/kubernetes_workload_identity_configuration"
 
   workload_identity_name_prefix         = var.domain
   workload_identity_resource_group_name = data.azurerm_kubernetes_cluster.aks.resource_group_name