[PRDP-175] feat: migrate to federated identity

.github/maven_code_review/action.yml

@@ -0,0 +1,101 @@
+name: Maven Code Review
+description: "Code Review for Pull Request"
+
+inputs:
+  github_token:
+    required: true
+    type: string
+    description: Github Token
+  sonar_token:
+    required: true
+    type: string
+    description: Sonar Token for the login
+  project_key:
+    required: true
+    type: string
+    description: Key of the project on SonarCloud
+  coverage_exclusions:
+    required: false
+    type: string
+    description: Files to exclude from coverage
+    default: '**/config/*,**/*Mock*,**/model/**,**/entity/*'
+  cpd_exclusions:
+    required: false
+    type: string
+    description: Files to exclude from code duplication
+    default: '**/model/**,**/entity/*'
+  jdk_version:
+    required: true
+    type: string
+    description: JDK version
+    default: 11
+  maven_version:
+    required: true
+    type: string
+    description: Maven version
+    default: 3.8.2
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v2
+
+    - name: Set up JDK
+      uses: actions/setup-java@v1
+      with:
+        java-version: ${{ inputs.jdk_version }}
+
+    - name: Set up Maven
+      uses: stCarolas/[email protected]
+      with:
+        maven-version: ${{ inputs.maven_version }}
+
+    - name: Cache Maven packages
+      uses: actions/cache@v1
+      with:
+        path: ~/.m2
+        key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+        restore-keys: ${{ runner.os }}-m2
+
+    - name: Cache SonarCloud packages
+      uses: actions/cache@v1
+      with:
+        path: ~/.sonar-project.properties/cache
+        key: ${{ runner.os }}-sonar-project.properties
+        restore-keys: ${{ runner.os }}-sonar-project.properties
+
+    - name: Build and analyze on Pull Requests
+      if: ${{ github.event_name == 'pull_request' }}
+      shell: bash
+      run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+        -Dsonar.organization=pagopa
+        -Dsonar.projectKey=${{ env.PROJECT_KEY }}
+        -Dsonar.coverage.jacoco.xmlReportPaths=./target/jacoco-report/jacoco.xml
+        -Dsonar.coverage.exclusions=${{inputs.coverage_exclusions}}
+        -Dsonar.cpd.exclusions=${{inputs.cpd_exclusions}}
+        -Dsonar.host.url=https://sonarcloud.io
+        -Dsonar.login=${{ inputs.sonar_token }}
+        -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
+        -Dsonar.pullrequest.branch=${{ github.head_ref }}
+        -Dsonar.pullrequest.base=${{ github.base_ref }}
+      env:
+        # Needed to get some information about the pull request, if any
+        GITHUB_TOKEN: ${{ inputs.github_token }}
+        # SonarCloud access token should be generated from https://sonarcloud.io/account/security/
+        SONAR_TOKEN: ${{ inputs.sonar_token }}
+
+    - name: Build and analyze on Push main
+      if: ${{ github.event_name != 'pull_request' }}
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.github_token }}
+        SONAR_TOKEN: ${{ inputs.sonar_token }}
+      run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
+        -Dsonar.organization=pagopa
+        -Dsonar.projectKey=${{ env.PROJECT_KEY }}
+        -Dsonar.coverage.jacoco.xmlReportPaths=./target/site/jacoco/jacoco.xml
+        -Dsonar.coverage.exclusions=${{inputs.coverage_exclusions}}
+        -Dsonar.cpd.exclusions=${{inputs.cpd_exclusions}}
+        -Dsonar.branch.name=${{ github.head_ref }}
+        -Dsonar.host.url=https://sonarcloud.io
+        -Dsonar.login=${{ inputs.sonar_token }}

.identity/00_data.tf

@@ -2,6 +2,11 @@ data "azurerm_resource_group" "dashboards" {
   name = "dashboards"
 }
 
+data "azurerm_storage_account" "tfstate_app" {
+  name                = "pagopainfraterraform${var.env}"
+  resource_group_name = "io-infra-rg"
+}
+
 data "azurerm_kubernetes_cluster" "aks" {
   name                = local.aks_cluster.name
   resource_group_name = local.aks_cluster.resource_group_name

.identity/02_application_main.tf

@@ -0,0 +1,16 @@
+resource "azuread_application" "main" {
+  display_name = "${local.app_name}-main"
+}
+
+resource "azuread_service_principal" "main" {
+  application_id = azuread_application.main.application_id
+}
+
+resource "azuread_application_federated_identity_credential" "main" {
+  application_object_id = azuread_application.main.object_id
+  display_name          = "github-federated"
+  description           = "github-federated"
+  audiences             = ["api://AzureADTokenExchange"]
+  issuer                = "https://token.actions.githubusercontent.com"
+  subject               = "repo:${local.github.org}/${local.github.repository}:environment:${var.env}"
+}

.identity/02_application_main_auth.tf

@@ -0,0 +1,22 @@
+resource "azurerm_role_assignment" "main_terraform_subscription" {
+  scope                = data.azurerm_subscription.current.id
+  role_definition_name = "Reader"
+  principal_id         = azuread_service_principal.main.object_id
+}
+
+resource "azurerm_role_assignment" "main_terraform_storage_account_tfstate_app" {
+  scope                = data.azurerm_storage_account.tfstate_app.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_service_principal.main.object_id
+}
+resource "azurerm_role_assignment" "main_terraform_storage_account_tfstate_app_github_aks" {
+  scope                = data.azurerm_storage_account.tfstate_app.id
+  role_definition_name = "Contributor"
+  principal_id         = module.github_runner_app.object_id
+}
+
+resource "azurerm_role_assignment" "main_terraform_resource_group_dashboards" {
+  scope                = data.azurerm_resource_group.dashboards.id
+  role_definition_name = "Contributor"
+  principal_id         = azuread_service_principal.main.object_id
+}