feat: PAYMCLOUD-231 argocd now use v4 module (#161)

* creazione modulo argocd

* minor fix

* update modulo

* update versione

* completed argocd module

* completed argocd module

* rollback

* added tags configuration

* updated terraform to version 1.12

* added module for argocd entra

* added tags to argocd entra apps

* added tags to argocd entra apps

* reorder data

* updated module and provider for azurerm v4

* changed module to version v4

* disabled velero

* updated aks module to minor fix

* argocd use remote model

* aks: added missing properties

* keda updated to 2.17.2

* pre-commit fixs

* updated static analysis

* removed temp module

* Potential fix for code scanning alert no. 7: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 6: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* pre-commit fixs

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: diegoitaliait

.github/workflows/static_analysis.yml

@@ -1,4 +1,6 @@
-name: Static Analysis
+name: 🔍 Static Analysis MA
+permissions:
+  contents: read
 
 on:
   push:
@@ -7,10 +9,92 @@ on:
 
 jobs:
   static_analysis:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
+    env:
+      TF_PLUGIN_CACHE_DIR: /tmp/.terraform.d/plugin-cache
 
     steps:
-      - name: Static Analysis
-        uses: pagopa/eng-github-actions-iac-template/azure/terraform-static-analysis@59c12b7a846423d62c27c9905686a7a1fd71c003 # v1.7.0
+      - name: ⚡ Checkout code
+        uses: actions/checkout@v4.1.1
+
+      - name: 📖 Read Terraform version
+        run: |
+          echo "TERRAFORM_VERSION=$(cat .terraform-version)" >> $GITHUB_ENV
+
+      - name: 🔨 Setup Terraform
+        uses: hashicorp/setup-terraform@v3.1.0
+        with:
+          terraform_version: "${{ env.TERRAFORM_VERSION }}"
+
+      - name: 💾 Cache Terraform plugins
+        uses: actions/cache@v4
         with:
-          precommit_version: 'v1.99.0@sha256:73239e93f97c005ed16189f3ca523f78d666af0902f3621a1eff8db22b7bb18c'
+          path: $TF_PLUGIN_CACHE_DIR
+          key: ${{ runner.os }}-terraform-${{ env.TERRAFORM_VERSION }}-${{ hashFiles('**/.terraform.lock.hcl') }}
+          restore-keys: |
+            ${{ runner.os }}-terraform-${{ env.TERRAFORM_VERSION }}-
+            ${{ runner.os }}-terraform-
+
+      - name: 🔧 Setup Terraform plugin cache
+        run: |
+          mkdir -p $TF_PLUGIN_CACHE_DIR
+          echo 'plugin_cache_dir = "/tmp/.terraform.d/plugin-cache"' > ~/.terraformrc
+
+      - name: 🏁 Init Terraform folders
+        shell: bash
+        run: |
+          echo "📢 Show space"
+          df -h
+
+          echo -e "\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-"
+          echo    "+ 🏁 INIT TERRAFORM FOLDERS 🏁   +"
+          echo -e "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-\n"
+
+          # Generate a unique list of folders containing `.tf` files, excluding the 90_aws folder
+          FOLDERS=$(find . -type f -name "*.tf" ! -path "*/.terraform/*" ! -path "*/90_aws/*" -exec dirname {} \; | sort -u)
+          echo "FOLDERS=${FOLDERS}"
+
+          for f in $FOLDERS; do
+            echo -e "\n📂 Processing: ${f}"
+            (
+              cd "${f}" || exit
+              # Check for any necessary changes to backend configurations
+              if [[ -f "99_main.tf" ]]; then
+                sed -i -e 's/  backend "azurerm" {}//g' 99_main.tf || true
+              fi
+              # Initialize Terraform and lock providers for all platforms
+              terraform init -upgrade -lockfile=true &&
+              terraform providers lock \
+                -platform=darwin_arm64 \
+                -platform=darwin_amd64 \
+                -platform=linux_amd64 \
+                -platform=linux_arm64
+            ) || echo "⚠️ Initialization failed for ${f}"
+          done
+
+      - name: Show precommit version
+        shell: bash
+        run: |
+          echo -e "\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"
+          echo    "+ 1️⃣  SHOW PRECOMMIT VERSION 1️⃣  +"
+          echo -e "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n"
+
+          TAG=v1.99.2@sha256:34f6cef8b944d571ea22be316a960d8353fcc0571adea35302cbd9ab80bf2758
+          docker run --rm --entrypoint cat ghcr.io/antonbabenko/pre-commit-terraform:$TAG /usr/bin/tools_versions_info
+
+      - name: 🚨 Run precommit
+        shell: bash
+        run: |
+          echo -e "\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"
+          echo    "+- 🚨 PRECOMMIT TERRAFORM 🚨 -+"
+          echo -e "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n"
+
+          TARGET_FILES=$(find . -type f -name "*.tf" ! -path "*/.terraform/*" ! -path "./src/90_aws/*")
+
+          TAG=v1.99.2@sha256:34f6cef8b944d571ea22be316a960d8353fcc0571adea35302cbd9ab80bf2758
+          docker run \
+            -v "$(pwd)":/lint \
+            -v /tmp/.terraform.d/plugin-cache:/tmp/.terraform.d/plugin-cache \
+            -w /lint \
+            ghcr.io/antonbabenko/pre-commit-terraform:$TAG \
+            run --files $TARGET_FILES --show-diff-on-failure

.github/workflows/static_analysis_pr.yml

@@ -1,4 +1,6 @@
-name: Static Analysis PR
+name: 🛃 Static Analysis PR
+permissions:
+  contents: read
 
 on:
   push:
@@ -7,19 +9,31 @@ on:
 
 jobs:
   static_analysis:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
 
     steps:
+      - run: |
+          rm -rf *
+
       - name: 🔨 Get Modified Paths
         id: get-paths
-        uses: pagopa/eng-github-actions-iac-template/global/get-modifed-folders@6cc78fc1c578c0fdfc8ba739bef634b21e8e35b4 # v1.19.0
+        uses: pagopa/eng-github-actions-iac-template/global/get-modifed-folders@f10814b649ecd6e5d97c489084d2a107e2f1b2ee #v1.22.3
         with:
+          ignore_patterns: ".github,.devops,.vscode,.terraform-version,90_aws"
           start_folder: "src"
-          default_end_folder_depth: 3
-          include_patterns: "src,domains"
+          include_folders: "tag_config"
+          include_patterns: "src"
+          stopper_folders: "env,tests,api,api_product,helm,argocd,secrets"
+
+      - name: 👀 See folders downloaded
+        if: env.dir_changes_detected == 'true'
+        id: see
+        shell: bash
+        run: |
+          tree -R -d -a .
 
       - name: Static Analysis
         if: env.dir_changes_detected == 'true'
-        uses: pagopa/eng-github-actions-iac-template/azure/terraform-static-analysis@6b8192a09750c44dde5a9a8d9ed72648547071c5 # v1.14.1
+        uses: pagopa/eng-github-actions-iac-template/azure/terraform-static-analysis@159289e1e23d0783533d1dd83e1b7cf0a5a565d9 #v1.24.0
         with:
-          precommit_version: 'v1.99.0@sha256:73239e93f97c005ed16189f3ca523f78d666af0902f3621a1eff8db22b7bb18c'
+          precommit_version: 'v1.99.2@sha256:34f6cef8b944d571ea22be316a960d8353fcc0571adea35302cbd9ab80bf2758'

.terraform-version

@@ -1 +1 @@
-1.10.5
+1.12.2

src/0_entra/01_tags.tf

@@ -0,0 +1,5 @@
+module "tag_config" {
+  source      = "../tag_config"
+  domain      = var.domain
+  environment = var.env
+}

src/0_entra/10_argocd_entra.tf

@@ -1,110 +1,18 @@
-# ⚠️
-# ⚠️ The grant admin for pagopa.it consent step must be performed manually in the Azure Portal after applying this configuration.
-# ⚠️ In App > API permissions > Microsoft Graph > User.Read > Grant admin consent for pagopa.it
-# ⚠️
-
-# -----------------------------------------------------------------------------
-# Application Registration & Service Principal
-# -----------------------------------------------------------------------------
-
-resource "azuread_application" "argocd" {
-  display_name = "${var.prefix}-${var.env}-argocd"
-  owners       = data.azuread_users.argocd_application_owners.object_ids
-
-  web {
-    redirect_uris = ["https://${local.argocd_hostname}/auth/callback"]
-    logout_url    = "https://${local.argocd_hostname}/logout"
-  }
-
-  # This configures the "Mobile and desktop applications" platform in Entra ID.
-  public_client {
-    redirect_uris = ["http://localhost:8085/auth/callback"]
-  }
-
-  group_membership_claims = [
-    "ApplicationGroup"
-  ]
-
-  # MODIFICATION: Explicitly define ALL required delegated permissions for the OIDC flow.
-  required_resource_access {
-    resource_app_id = data.azuread_service_principal.graph.client_id
-
-    # Permission: User.Read
-    resource_access {
-      # Allows the app to sign in users and read their basic profile.
-      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
-      type = "Scope"
-    }
-  }
-
-  optional_claims {
-    id_token {
-      name      = "groups"
-      essential = true
-      source    = null
-    }
-  }
-}
-
-resource "azuread_service_principal" "sp_argocd" {
-  client_id = azuread_application.argocd.client_id
-  owners    = data.azuread_users.argocd_application_owners.object_ids
-}
-
-# -----------------------------------------------------------------------------
-# Permissions and Consent
-# -----------------------------------------------------------------------------
-
-# The claim_values list must now match all the permissions defined above.
-resource "azuread_service_principal_delegated_permission_grant" "argocd_user_read_consent" {
-  # The Object ID of the Service Principal receiving the grant.
-  service_principal_object_id = azuread_service_principal.sp_argocd.object_id
-
-  # The Object ID of the API being granted access to (Microsoft Graph).
-  resource_service_principal_object_id = data.azuread_service_principal.graph.object_id
-
-  # The list of permissions (scopes) to grant. Must match what was requested.
-  claim_values = ["User.Read"]
-
-  # The Object ID of the user/principal granting the consent.
-  user_object_id = data.azurerm_client_config.current.object_id
-}
-
-# Assigns the specified Entra ID groups to the ArgoCD Enterprise Application.
-# This is required because 'group_membership_claims' is set to 'ApplicationGroup'.
-resource "azuread_app_role_assignment" "argocd_group_assignments" {
-  for_each = data.azuread_group.argocd_groups
-
-  app_role_id         = "00000000-0000-0000-0000-000000000000"
-  principal_object_id = each.value.object_id
-  resource_object_id  = azuread_service_principal.sp_argocd.object_id
-}
-
-# -----------------------------------------------------------------------------
-# Workload Identity Federation
-# -----------------------------------------------------------------------------
-
-resource "azuread_application_federated_identity_credential" "argocd" {
-  application_id = azuread_application.argocd.id
-  display_name   = "${local.project}-argocd-server-federated-credential"
-  description    = "Federated credential for the ArgoCD server service account"
-  audiences      = ["api://AzureADTokenExchange"]
-  issuer         = data.azurerm_kubernetes_cluster.aks.oidc_issuer_url
-  subject        = "system:serviceaccount:${local.argocd_namespace}:${local.argocd_service_account_name}"
-}
-
-# -----------------------------------------------------------------------------
-# Key Vault Secrets
-# -----------------------------------------------------------------------------
-
-resource "azurerm_key_vault_secret" "argocd_entra_app_client_id" {
-  key_vault_id = data.azurerm_key_vault.kv_core_ita.id
-  name         = "argocd-entra-app-workload-client-id"
-  value        = azuread_application.argocd.client_id
-}
-
-resource "azurerm_key_vault_secret" "argocd_entra_app_service_account_name" {
-  key_vault_id = data.azurerm_key_vault.kv_core_ita.id
-  name         = "argocd-entra-app-workload-service-account-name"
-  value        = local.argocd_service_account_name
+// ⚠️ Manual step required after apply:
+// App > API permissions > Microsoft Graph > User.Read > Grant admin consent
+
+module "argocd_entra" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v4.git//kubernetes_argocd_entra?ref=PAYMCLOUD-231-argocd-creazione-modulo"
+
+  name_identifier             = local.project
+  argocd_hostname             = local.argocd_hostname
+  entra_app_owners_object_ids = data.azuread_users.argocd_application_owners.object_ids
+  entra_group_display_names   = var.argocd_entra_groups_allowed
+  aks_name                    = local.kubernetes_cluster_name
+  aks_resource_group_name     = local.kubernetes_cluster_resource_group_name
+  argocd_namespace            = local.argocd_namespace
+  argocd_service_account_name = local.argocd_service_account_name
+  key_vault_id                = data.azurerm_key_vault.kv_core_ita.id
+
+  tags = module.tag_config.tags
 }

src/0_entra/99_main.tf

@@ -3,11 +3,11 @@ terraform {
   required_providers {
     azuread = {
       source  = "hashicorp/azuread"
-      version = "<= 3.4.0"
+      version = "~> 3"
     }
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "<= 4.38.0"
+      version = "~> 4"
     }
   }
 

src/0_entra/99_variables.tf

@@ -58,13 +58,6 @@ variable "lock_enable" {
   description = "Apply locks to block accedentaly deletions."
 }
 
-variable "tags" {
-  type = map(any)
-  default = {
-    CreatedBy = "Terraform"
-  }
-}
-
 # Definizione della variabile per i nomi dei gruppi Entra ID
 variable "argocd_entra_groups_allowed" {
   type = list(string)

src/0_entra/README.md

@@ -29,24 +29,20 @@ Re-enable all the resource, commented before to complete the procedure
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >=1.8.0 |
-| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | <= 3.4.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | <= 4.38.0 |
+| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | ~> 3 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | ~> 4 |
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_argocd_entra"></a> [argocd\_entra](#module\_argocd\_entra) | git::https://github.com/pagopa/terraform-azurerm-v4.git//kubernetes_argocd_entra | PAYMCLOUD-231-argocd-creazione-modulo |
+| <a name="module_tag_config"></a> [tag\_config](#module\_tag\_config) | ../tag_config | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [azuread_app_role_assignment.argocd_group_assignments](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/app_role_assignment) | resource |
-| [azuread_application.argocd](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application) | resource |
-| [azuread_application_federated_identity_credential.argocd](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential) | resource |
-| [azuread_service_principal.sp_argocd](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) | resource |
-| [azuread_service_principal_delegated_permission_grant.argocd_user_read_consent](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal_delegated_permission_grant) | resource |
-| [azurerm_key_vault_secret.argocd_entra_app_client_id](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
-| [azurerm_key_vault_secret.argocd_entra_app_service_account_name](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
 | [azuread_group.argocd_groups](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_service_principal.graph](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/service_principal) | data source |
 | [azuread_users.argocd_application_owners](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/users) | data source |
@@ -68,7 +64,6 @@ No modules.
 | <a name="input_location_westeurope"></a> [location\_westeurope](#input\_location\_westeurope) | n/a | `string` | n/a | yes |
 | <a name="input_lock_enable"></a> [lock\_enable](#input\_lock\_enable) | Apply locks to block accedentaly deletions. | `bool` | `false` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | n/a | `string` | `"cstar"` | no |
-| <a name="input_tags"></a> [tags](#input\_tags) | n/a | `map(any)` | <pre>{<br/>  "CreatedBy": "Terraform"<br/>}</pre> | no |
 
 ## Outputs
 

src/0_entra/env/itn-dev/terraform.tfvars

@@ -7,13 +7,4 @@ location            = "italynorth"
 location_short      = "itn"
 location_westeurope = "westeurope"
 
-tags = {
-  CreatedBy   = "Terraform"
-  Environment = "Dev"
-  Owner       = "DevOps"
-  Source      = "https://github.com/pagopa/devopslab-infra"
-  CostCenter  = "TS310 - PAGAMENTI & SERVIZI"
-}
-
-
 argocd_entra_groups_allowed = ["dvopla-d-adgroup-admin", "dvopla-d-adgroup-developers", "dvopla-d-adgroup-externals"]