@pagopa/dx-cli 0.15.2 → 0.15.3

package/dist/use-cases/__tests__/apply-codemod.test.js

@@ -0,0 +1,73 @@
+import { errAsync, okAsync } from "neverthrow";
+import { describe, expect, it, vi } from "vitest";
+import { applyCodemodById } from "../apply-codemod.js";
+const info = vi.fn().mockResolvedValue({
+    packageManager: "npm",
+});
+describe("applyCodemodById", () => {
+    it("applies the codemod when found", async () => {
+        const apply = vi.fn().mockResolvedValue(undefined);
+        const codemod = {
+            apply,
+            description: "test codemod",
+            id: "foo",
+        };
+        const registry = {
+            getAll: vi.fn(),
+            getById: vi
+                .fn()
+                .mockReturnValue(okAsync(codemod)),
+        };
+        const result = await applyCodemodById(registry, info)("foo");
+        expect(result.isOk()).toBe(true);
+        expect(apply).toHaveBeenCalledTimes(1);
+    });
+    it("returns an error when codemod is not found", async () => {
+        const registry = {
+            getAll: vi.fn(),
+            getById: vi
+                .fn()
+                .mockReturnValue(okAsync(undefined)),
+        };
+        const result = await applyCodemodById(registry, info)("missing-id");
+        expect(result.isErr()).toBe(true);
+        if (result.isErr()) {
+            expect(result.error).toBeInstanceOf(Error);
+            expect(result.error.message).toBe("Codemod with id missing-id not found");
+        }
+    });
+    it("propagates getById errors", async () => {
+        const registryError = new Error("registry failed");
+        const registry = {
+            getAll: vi.fn(),
+            getById: vi
+                .fn()
+                .mockReturnValue(errAsync(registryError)),
+        };
+        const result = await applyCodemodById(registry, info)("foo");
+        expect(result.isErr()).toBe(true);
+        if (result.isErr()) {
+            expect(result.error.message).toContain(registryError.message);
+        }
+    });
+    it("propagates apply errors", async () => {
+        const applyError = new Error("apply failed");
+        const codemod = {
+            apply: vi.fn().mockRejectedValue(applyError),
+            description: "test codemod",
+            id: "foo",
+        };
+        const registry = {
+            getAll: vi.fn(),
+            getById: vi
+                .fn()
+                .mockReturnValue(okAsync(codemod)),
+        };
+        const result = await applyCodemodById(registry, info)("foo");
+        expect(result.isErr()).toBe(true);
+        if (result.isErr()) {
+            expect(result.error).toBeInstanceOf(Error);
+            expect(result.error.message).toContain(applyError.message);
+        }
+    });
+});

package/dist/use-cases/__tests__/list-codemods.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/use-cases/__tests__/list-codemods.test.js

@@ -0,0 +1,38 @@
+import { errAsync, okAsync } from "neverthrow";
+import { describe, expect, it, vi } from "vitest";
+import { listCodemods } from "../list-codemods.js";
+describe("listCodemods", () => {
+    it("returns codemods from the registry", async () => {
+        const codemods = [
+            {
+                apply: vi.fn().mockResolvedValue(undefined),
+                description: "a",
+                id: "a",
+            },
+            {
+                apply: vi.fn().mockResolvedValue(undefined),
+                description: "b",
+                id: "b",
+            },
+        ];
+        const registry = {
+            getAll: vi.fn().mockReturnValue(okAsync(codemods)),
+            getById: vi.fn(),
+        };
+        const result = await listCodemods(registry)();
+        expect(result.isOk()).toBe(true);
+        expect(registry.getAll).toHaveBeenCalledTimes(1);
+    });
+    it("propagates registry errors", async () => {
+        const error = new Error("boom");
+        const registry = {
+            getAll: vi.fn().mockReturnValue(errAsync(error)),
+            getById: vi.fn(),
+        };
+        const result = await listCodemods(registry)();
+        expect(result.isErr()).toBe(true);
+        if (result.isErr()) {
+            expect(result.error).toBe(error);
+        }
+    });
+});

package/dist/use-cases/apply-codemod.d.ts

@@ -0,0 +1,5 @@
+import { ResultAsync } from "neverthrow";
+import { CodemodRegistry } from "../domain/codemod.js";
+import { GetInfo } from "../domain/info.js";
+export type ApplyCodemodById = (id: string) => ResultAsync<void, Error>;
+export declare const applyCodemodById: (registry: CodemodRegistry, getInfo: GetInfo) => ApplyCodemodById;

package/dist/use-cases/apply-codemod.js

@@ -0,0 +1,14 @@
+import { errAsync, okAsync, ResultAsync } from "neverthrow";
+const getCodemodById = (registry, id) => registry
+    .getById(id)
+    .andThen((codemod) => codemod
+    ? okAsync(codemod)
+    : errAsync(new Error(`Codemod with id ${id} not found`)));
+const safeGetInfo = (getInfo) => ResultAsync.fromPromise(getInfo(), (error) => new Error("Failed to get info", { cause: error }));
+export const applyCodemodById = (registry, getInfo) => (id) => ResultAsync.combine([
+    safeGetInfo(getInfo),
+    getCodemodById(registry, id),
+]).andThen(([info, codemod]) => ResultAsync.fromPromise(codemod.apply(info), (error) => {
+    const message = error instanceof Error ? `: ${error.message}` : "";
+    return new Error("Failed to apply codemod" + message, { cause: error });
+}));

package/dist/use-cases/list-codemods.d.ts

@@ -0,0 +1,4 @@
+import { ResultAsync } from "neverthrow";
+import { Codemod, CodemodRegistry } from "../domain/codemod.js";
+export type ListCodemods = () => ResultAsync<Codemod[], Error>;
+export declare const listCodemods: (registry: CodemodRegistry) => ListCodemods;

package/dist/use-cases/list-codemods.js

@@ -0,0 +1 @@
+export const listCodemods = (registry) => () => registry.getAll();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/dx-cli",
-  "version": "0.15.2",
+  "version": "0.15.3",
   "type": "module",
   "description": "A CLI useful to manage DX tools.",
   "repository": {
@@ -13,38 +13,50 @@
     "CLI"
   ],
   "files": [
-    "bin"
+    "bin",
+    "dist",
+    "templates"
   ],
   "bin": {
     "dx": "./bin/index.js"
   },
   "dependencies": {
+    "@azure/arm-authorization": "^9.0.0",
+    "@azure/arm-msi": "^2.2.0",
+    "@azure/arm-resourcegraph": "^4.2.1",
+    "@azure/arm-resources": "^7.0.0",
+    "@azure/arm-resources-subscriptions": "^2.1.0",
+    "@azure/arm-storage": "^19.1.0",
+    "@azure/identity": "^4.13.0",
+    "@azure/storage-blob": "^12.29.1",
     "@logtape/logtape": "^1.3.4",
+    "@microsoft/microsoft-graph-client": "^3.0.7",
     "chalk": "^5.6.2",
     "commander": "^14.0.2",
     "core-js": "^3.47.0",
     "execa": "^9.6.1",
     "glob": "^11.1.0",
+    "inquirer": "^9.3.8",
     "neverthrow": "^8.2.0",
-    "node-plop": "^0.32.3",
     "octokit": "^5.0.5",
     "ora": "^9.0.0",
     "replace-in-file": "^8.4.0",
     "semver": "^7.7.2",
     "yaml": "^2.8.2",
     "zod": "^4.2.1",
-    "@pagopa/dx-savemoney": "^0.1.4",
-    "@pagopa/monorepo-generator": "^0.15.1"
+    "@pagopa/dx-savemoney": "^0.1.4"
   },
   "devDependencies": {
     "@tsconfig/node22": "22.0.2",
+    "@types/inquirer": "^9.0.9",
     "@types/node": "^22.19.1",
     "@types/semver": "^7.7.1",
     "@vitest/coverage-v8": "^3.2.4",
     "eslint": "^9.39.2",
     "memfs": "^4.51.1",
+    "node-plop": "^0.32.3",
+    "plop": "^4.0.4",
     "prettier": "3.6.2",
-    "tsup": "^8.5.1",
     "typescript": "~5.8.3",
     "vitest": "^3.2.4",
     "vitest-mock-extended": "^3.1.0",
@@ -54,9 +66,8 @@
     "node": ">=22.0.0"
   },
   "scripts": {
-    "build": "tsup",
     "format": "prettier --write .",
     "format:check": "prettier --check .",
-    "typecheck": "tsc --noEmit"
+    "plop": "plop"
   }
 }

package/templates/environment/bootstrapper/{{env.name}}/data.tf.hbs

@@ -0,0 +1,13 @@
+{{#with cloudAccountsByCsp.azure}}
+data "azuread_group" "admins" {
+  display_name = "{{resourcePrefix @root}}-adgroup-admin"
+}
+
+data "azuread_group" "developers" {
+  display_name = "{{resourcePrefix @root}}-adgroup-developers"
+}
+
+data "azuread_group" "externals" {
+  display_name = "{{resourcePrefix @root}}-adgroup-externals"
+}
+{{/with}}

package/templates/environment/bootstrapper/{{env.name}}/main.tf.hbs

@@ -0,0 +1,70 @@
+{{#with cloudAccountsByCsp.azure}}
+{{#each this}}
+module "azure-{{displayName}}_core_values" {
+  source  = "pagopa-dx/azure-core-values-exporter/azurerm"
+  version = "~> 0.0"
+
+  providers = {
+    azurerm = azurerm.{{displayName}}
+  }
+
+  core_state = {
+    resource_group_name  = "{{@root.terraform.backend.resourceGroupName}}"
+    storage_account_name = "{{@root.terraform.backend.storageAccountName}}"
+    subscription_id      = "{{@root.terraform.backend.subscriptionId}}"
+    container_name       = "terraform-state"
+    key                  = "{{@root.env.prefix}}.core.{{@root.env.name}}.tfstate"
+  }
+}
+
+module "azure-{{displayName}}_bootstrap" {
+  source  = "pagopa-dx/azure-github-environment-bootstrap/azurerm"
+  version = "~> 3.0"
+
+  providers = {
+    azurerm = azurerm.{{displayName}}
+  }
+
+  environment = merge(local.environment, local.azure_accounts.{{displayName}})
+
+  subscription_id = module.azure-{{displayName}}_core_values.subscription_id
+  tenant_id       = module.azure-{{displayName}}_core_values.tenant_id
+
+  entraid_groups = {
+    admins_object_id    = data.azuread_group.admins.object_id
+    devs_object_id      = data.azuread_group.developers.object_id
+    externals_object_id = data.azuread_group.externals.object_id
+  }
+
+  terraform_storage_account = {
+    name                = "{{@root.terraform.backend.storageAccountName}}"
+    resource_group_name = "{{@root.terraform.backend.resourceGroupName}}"
+  }
+
+  repository = {
+    owner = "{{@root.github.owner}}"
+    name  = "{{@root.github.repo}}"
+  }
+
+  github_private_runner = {
+    container_app_environment_id       = module.azure-{{displayName}}_core_values.github_runner.environment_id
+    container_app_environment_location = local.azure_accounts.{{displayName}}.location
+    labels = [
+      "{{@root.env.name}}"
+    ]
+    key_vault = {
+      name                = module.azure-{{displayName}}_core_values.common_key_vault.name
+      resource_group_name = module.azure-{{displayName}}_core_values.common_key_vault.resource_group_name
+    }
+  }
+
+  pep_vnet_id                        = module.azure-{{displayName}}_core_values.common_vnet.id
+  private_dns_zone_resource_group_id = module.azure-{{displayName}}_core_values.network_resource_group_id
+  opex_resource_group_id             = module.azure-{{displayName}}_core_values.opex_resource_group_id
+
+  tags = local.tags
+}
+{{/each}}
+{{/with}}
+
+

package/templates/environment/bootstrapper/{{env.name}}/providers.tf.hbs

@@ -0,0 +1,26 @@
+terraform {
+  required_providers {
+    {{#with cloudAccountsByCsp.azure}}
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 4.0"
+    }
+
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "~> 2.0"
+    }
+    {{/with}}
+  }
+}
+
+{{#with cloudAccountsByCsp.azure}}
+{{#each this}}
+provider "azurerm" {
+  features {}
+  storage_use_azuread = true
+  subscription_id     = "{{id}}"
+  alias               = "{{displayName}}"
+}
+{{/each}}
+{{/with}}

package/templates/environment/core/{{env.name}}/main.tf.hbs

@@ -0,0 +1,21 @@
+{{#with cloudAccountsByCsp.azure}}
+{{#each this}}
+module "azure-{{displayName}}_core" {
+  source  = "pagopa-dx/azure-core-infra/azurerm"
+  version = "~> 2.0"
+
+  providers = {
+    azurerm = azurerm.{{displayName}}
+  }
+
+  environment = merge(local.environment, local.azure_accounts.{{displayName}}, {
+    app_name = "core"
+  })
+
+  tags = local.tags
+}
+
+{{/each}}
+{{/with}}
+
+

package/templates/environment/core/{{env.name}}/outputs.tf.hbs

@@ -0,0 +1,8 @@
+
+output "values" {
+  value = {
+    {{#each cloudAccountsByCsp.azure}}
+    "{{id}}" = module.azure-{{displayName}}_core
+    {{/each}}
+  }
+}

package/templates/environment/core/{{env.name}}/providers.tf.hbs

@@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    {{#with cloudAccountsByCsp.azure}}
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 4.0"
+    }
+    {{/with}}
+  }
+}
+
+{{#with cloudAccountsByCsp.azure}}
+{{#each this}}
+provider "azurerm" {
+  features {}
+  storage_use_azuread = true
+  subscription_id     = "{{id}}"
+  alias               = "{{displayName}}"
+}
+{{/each}}
+{{/with}}

package/templates/environment/shared/backend.tf.hbs

@@ -0,0 +1,14 @@
+{{#*inline "azurerm"}}
+backend "azurerm" {
+  resource_group_name  = "{{resourceGroupName}}"
+  storage_account_name = "{{storageAccountName}}"
+  container_name       = "terraform-state"
+  key                  = "{{key}}"
+  subscription_id      = "{{subscriptionId}}"
+  use_azuread_auth     = true
+}
+{{/inline}}
+
+terraform {
+  {{> (lookup terraform.backend 'type') terraform.backend key=terraformBackendKey  }}
+}

package/templates/environment/shared/locals.tf.hbs

@@ -0,0 +1,26 @@
+locals {
+  environment = {
+    prefix          = "{{@root.env.prefix}}"
+    env_short       = "{{envShort @root.env.name}}"
+    domain          = "{{@root.workspace.domain}}"
+    instance_number = "01"
+  }
+
+  {{#with cloudAccountsByCsp.azure}}
+  azure_accounts = {
+  {{#each this}}
+    {{displayName}} = {
+      location = "{{this.defaultLocation}}"
+    }
+  {{/each}}
+  }
+  {{/with}}
+
+  tags = {
+    CreatedBy   = "Terraform"
+    Environment = "{{env.name}}"
+    {{#each tags}}
+    {{@key}}    = "{{this}}"
+    {{/each}}
+  }
+}

package/templates/monorepo/.editorconfig

@@ -0,0 +1,8 @@
+[*]
+charset = utf-8
+insert_final_newline = true
+end_of_line = lf
+indent_style = space
+indent_size = 2
+max_line_length = 80
+trim_trailing_whitespace = true

package/templates/monorepo/.node-version.hbs

@@ -0,0 +1 @@
+{{ nodeVersion }}

package/templates/monorepo/.pre-commit-config.yaml.hbs

@@ -0,0 +1,34 @@
+repos:
+  - repo: https://github.com/pagopa/dx
+    rev: pre_commit_scripts@0.1.0
+    hooks:
+      - id: terraform_providers_lock_staged
+      - id: lock_modules
+        exclude: ^.*/(_modules|modules|\.terraform)(/.*)?$
+        files: infra/(resources/prod|repository)
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: "{{ preCommitTerraformVersion }}"
+    hooks:
+      - id: terraform_tflint
+        args:
+          - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
+      - id: terraform_fmt
+      - id: terraform_docs
+        name: terraform_docs on resources
+        args:
+          - --hook-config=--create-file-if-not-exist=true
+        exclude: |
+          (?x)^(
+            src\/(?:.*\/)?(?:_?modules)\/.*
+          )$
+      - id: terraform_validate
+        exclude: '(\/_?modules\/.*)'
+        args:
+          - --args=-json
+          - --args=-no-color
+          - --hook-config=--retry-once-with-cleanup=true
+      - id: terraform_trivy
+        files: ^src/
+        args:
+          - --args=--skip-dirs="**/.terraform"
+          - --args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore

package/templates/monorepo/.prettierignore

@@ -0,0 +1,5 @@
+# Ignore all files with a .hbs extension
+**/*.hbs
+
+# Ignore built files
+dist

package/templates/monorepo/.terraform-version.hbs

@@ -0,0 +1 @@
+{{ terraformVersion }}

package/templates/monorepo/.trivyignore

@@ -0,0 +1,16 @@
+# https://avd.aquasec.com/misconfig/azure/
+
+# GitHub repository shouldn’t be public.
+AVD-GIT-0001
+
+# GitHub branch protection does not require signed commits.
+AVD-GIT-0004
+
+# LOW: Secret should have an expiry date specified
+AVD-AZU-0017
+
+# LOW: Secret does not have a content-type specified
+AVD-AZU-0015
+
+# CRITICAL: Vault network ACL does not block access by default
+AVD-AZU-0013

package/templates/monorepo/README.md.hbs

@@ -0,0 +1,163 @@
+# {{ repoName }}
+
+{{ repoDescription }}
+
+## Getting Started
+
+### Using Devcontainer
+
+The preferred way to setup your development environment is to use [Devcontainer](https://containers.dev) ([Host system requirements](https://code.visualstudio.com/docs/devcontainers/containers#_system-requirements)).
+
+> [!TIP]
+> If you are on macOS we recommend using [Rancher Desktop](https://rancherdesktop.io/) configured to use `VZ` as _Virtual Machine Type_ and `virtiofs` as volume _Mount Type_.
+
+#### Visual Studio Code
+
+1. Make sure `docker` is available and running in your host system
+2. Install the [Devcontainer Extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers)
+3. Open the project root folder and select `Dev Containers: Reopen in Container` from the command palette
+4. Visual Studio Code will build the devcontainer image and then open the project inside the container, with all the needed tools and extension configured
+
+#### Console
+
+If you use a code editor that doesn't support Dev Container, you can still run it in your terminal.
+
+1. Follow the instructions of the following chapter ("Using local machine") to setup your local environment
+2. Run devcontainer from your terminal
+```bash
+pnpm devcontainer up --workspace-folder .
+pnpm devcontainer exec --workspace-folder . /bin/bash
+```
+
+### Using local machine
+
+This project uses specific versions of `node`, `pnpm` and `terraform`. To make sure your development setup matches with production follow the recommended installation methods.
+
+1. Install and configure the following tools in your machine
+
+- [nodenv](https://github.com/nodenv/nodenv) - Node version manager
+- [tfenv](https://github.com/tfutils/tfenv) - Terraform version manager
+- [terraform-docs](https://terraform-docs.io/user-guide/installation/) - Generate Terraform modules documentation in various formats
+- [tflint](https://github.com/terraform-linters/tflint) - A Pluggable Terraform Linter
+- [pre-commit](https://pre-commit.com/) - A framework for managing and maintaining multi-language pre-commit hooks
+
+2. Install `node` at the right version used by this project
+
+```bash
+cd {{ repoName }}
+nodenv install
+```
+
+3. Build all the workspaces contained by this repo
+```bash
+pnpm build
+```
+
+## Release management
+
+We use [changesets](https://github.com/changesets/changesets) to automate package versioning and releases.
+
+Each Pull Request that includes changes that require a version bump must include a _changeset file_ that describes the introduced changes.
+
+To create a _changeset file_ run the following command and follow the instructions.
+
+```bash
+pnpm changeset
+```
+
+## Useful commands
+
+This project uses `pnpm` and `turbo` with workspaces to manage projects and dependencies. Here is a list of useful commands to work in this repo.
+
+### Work with workspaces
+
+```bash
+# build all the workspaces using turbo
+pnpm build
+# or
+pnpm turbo build
+
+# to execute COMMAND on WORKSPACE_NAME
+pnpm --filter WORKSPACE_NAME COMMAND
+# to execute COMMAND on all workspaces
+pnpm -r COMMAND
+
+# run the typecheck script on all workspaces
+pnpm -r typecheck
+```
+
+### Add dependencies
+
+```bash
+# add a dependency to the workspace root
+pnpm -w add turbo
+
+# add vitest as devDependency on citizen-func
+pnpm --filter citizen-func add -D vitest
+
+# add zod as dependency on each workspace
+pnpm -r add zod
+```
+
+## Folder structure
+
+### `/apps`
+
+It contains the applications included in the project.
+Each folder is meant to produce a deployable artifact; how and where to deploy it is demanded to a single application.
+
+Each sub-folder is a workspace.
+
+### `/packages`
+
+Packages are reusable modules that implement a specific logic of the project. They are meant for sharing implementations across other apps and packages of the same projects, as well as being published in public registries.
+
+Packages that are meant for internal code sharing have `private: true` in their `package.json` file; all the others are meant to be published into the public registry.
+
+Each sub-folder is a workspace.
+
+### `/infra`
+
+It contains the _infrastructure-as-code_ project that defines the resources for the project as well as the execution environments. Database schemas and migrations are defined here too, in case they are needed.
+
+### `/docs`
+
+Technical documentation about the project. Topics that may be included are architecture overviews, [ADRs](https://adr.github.io/), coding standards, and anything that can be relevant for a developer approaching the project as a contributor or as an auditor.
+
+User documentation doesn't usually go in here. For public packages, it must go in the package's `README` file so that it will also be uploaded to the registry; user-faced documentation websites, when needed by the project, go under the `/apps` folder as they are treated as end-user applications.
+
+## Releases
+
+Releases are handled using [Changeset](https://github.com/changesets/changesets).
+Changeset takes care of bumping packages, updating the changelog, and tagging the repository accordingly.
+
+#### How it works
+
+- When opening a Pull Request with a change intended to be published, [add a changeset file](https://github.com/changesets/changesets/blob/main/docs/adding-a-changeset.md) to the proposed changes.
+- Once the Pull Request is merged, a new Pull Request named `Version Packages` will be automatically opened with all the release changes such as version bumping for each involved app or package and changelog update; if an open `Version Packages` PR already exists, it will be updated and the package versions calculated accordingly (see https://github.com/changesets/changesets/blob/main/docs/decisions.md#how-changesets-are-combined).
+Only apps and packages mentioned in the changeset files will be bumped.
+- Review the `Version Packages` PR and merge it when ready. Changeset files will be deleted.
+- A Release entry is created for each app or package whose version has been bumped.
+
+### Folder structure
+
+The IaC template contains the following projects:
+
+#### repository
+
+Set up the current repository settings.
+It's intended to be executed once on a local machine at project initialization.
+
+```sh
+cd infra/repository
+
+# Substitute subscription_name with the actual subscription name if you selected Azure as CSP
+az account set --name <subscription_name>
+
+terraform init
+terraform plan
+terraform apply
+```
+### Workflow automation
+
+The workflow `infra_plan.yaml` is executed on every PR that edits the `infra/resources` folder or the workflow definition itself. It executes a `terraform plan` and comments the PR with the result. If the plan fails, the workflow fails.