@pagopa/dx-cli 0.16.3 → 0.18.0

package/dist/adapters/pagopa-technology/__tests__/authorization.test.js

@@ -0,0 +1,170 @@
+/**
+ * Tests for the PagoPA technology authorization adapter.
+ */
+import { describe, expect, it } from "vitest";
+import { mock } from "vitest-mock-extended";
+import { AuthorizationResult, IdentityAlreadyExistsError, InvalidAuthorizationFileFormatError, requestAuthorizationInputSchema, } from "../../../domain/authorization.js";
+import { FileNotFoundError, PullRequest, } from "../../../domain/github.js";
+import { makeAuthorizationService } from "../authorization.js";
+const makeEnv = () => {
+    const gitHubService = mock();
+    const authorizationService = makeAuthorizationService(gitHubService);
+    return {
+        authorizationService,
+        gitHubService,
+    };
+};
+const makeSampleInput = () => requestAuthorizationInputSchema.parse({
+    bootstrapIdentityId: "test-bootstrap-identity-id",
+    subscriptionName: "test-subscription",
+});
+// eslint-disable-next-line max-lines-per-function
+describe("PagoPA AuthorizationService", () => {
+    describe("happy path", () => {
+        it("should create a pull request when all steps succeed", async () => {
+            const { authorizationService, gitHubService } = makeEnv();
+            const input = makeSampleInput();
+            const originalContent = `
+directory_readers = {
+  service_principals_name = []
+}
+`.trim();
+            gitHubService.createBranch.mockResolvedValue(undefined);
+            gitHubService.getFileContent.mockResolvedValue({
+                content: originalContent,
+                sha: "original-sha-123",
+            });
+            gitHubService.updateFile.mockResolvedValue(undefined);
+            gitHubService.createPullRequest.mockResolvedValue(new PullRequest("https://github.com/pagopa/eng-azure-authorization/pull/42"));
+            const result = await authorizationService.requestAuthorization(input);
+            expect(result.isOk()).toBe(true);
+            const authResult = result._unsafeUnwrap();
+            expect(authResult).toBeInstanceOf(AuthorizationResult);
+            expect(authResult.url).toBe("https://github.com/pagopa/eng-azure-authorization/pull/42");
+            expect(gitHubService.createBranch).toHaveBeenCalledWith({
+                branchName: "feats/add-test-subscription-bootstrap-identity",
+                fromRef: "main",
+                owner: "pagopa",
+                repo: "eng-azure-authorization",
+            });
+            expect(gitHubService.getFileContent).toHaveBeenCalledWith({
+                owner: "pagopa",
+                path: "src/azure-subscriptions/subscriptions/test-subscription/terraform.tfvars",
+                ref: "feats/add-test-subscription-bootstrap-identity",
+                repo: "eng-azure-authorization",
+            });
+            expect(gitHubService.updateFile).toHaveBeenCalledWith(expect.objectContaining({
+                branch: "feats/add-test-subscription-bootstrap-identity",
+                message: "Add directory reader for test-subscription",
+                owner: "pagopa",
+                path: "src/azure-subscriptions/subscriptions/test-subscription/terraform.tfvars",
+                repo: "eng-azure-authorization",
+                sha: "original-sha-123",
+            }));
+            expect(gitHubService.createPullRequest).toHaveBeenCalledWith({
+                base: "main",
+                body: "This PR adds the bootstrap identity `test-bootstrap-identity-id` to the directory readers for subscription `test-subscription`.",
+                head: "feats/add-test-subscription-bootstrap-identity",
+                owner: "pagopa",
+                repo: "eng-azure-authorization",
+                title: "Add directory reader for test-subscription",
+            });
+        });
+    });
+    describe("error handling", () => {
+        it("should return error when file is not found", async () => {
+            const { authorizationService, gitHubService } = makeEnv();
+            const input = makeSampleInput();
+            gitHubService.createBranch.mockResolvedValue(undefined);
+            gitHubService.getFileContent.mockRejectedValue(new FileNotFoundError("src/azure-subscriptions/subscriptions/test-subscription/terraform.tfvars"));
+            const result = await authorizationService.requestAuthorization(input);
+            expect(result.isErr()).toBe(true);
+            const error = result._unsafeUnwrapErr();
+            expect(error.message).toContain("Unable to get");
+            expect(error.message).toContain("test-subscription/terraform.tfvars");
+            expect(gitHubService.updateFile).not.toHaveBeenCalled();
+        });
+        it("should return error when identity already exists", async () => {
+            const { authorizationService, gitHubService } = makeEnv();
+            const input = makeSampleInput();
+            const content = `
+directory_readers = {
+  service_principals_name = [
+    "test-bootstrap-identity-id"
+  ]
+}
+`.trim();
+            gitHubService.createBranch.mockResolvedValue(undefined);
+            gitHubService.getFileContent.mockResolvedValue({
+                content,
+                sha: "sha-123",
+            });
+            const result = await authorizationService.requestAuthorization(input);
+            expect(result.isErr()).toBe(true);
+            expect(result._unsafeUnwrapErr()).toBeInstanceOf(IdentityAlreadyExistsError);
+            expect(gitHubService.updateFile).not.toHaveBeenCalled();
+        });
+        it("should return error when tfvars format is invalid", async () => {
+            const { authorizationService, gitHubService } = makeEnv();
+            const input = makeSampleInput();
+            const invalidContent = "invalid content without directory_readers";
+            gitHubService.createBranch.mockResolvedValue(undefined);
+            gitHubService.getFileContent.mockResolvedValue({
+                content: invalidContent,
+                sha: "sha-123",
+            });
+            const result = await authorizationService.requestAuthorization(input);
+            expect(result.isErr()).toBe(true);
+            expect(result._unsafeUnwrapErr()).toBeInstanceOf(InvalidAuthorizationFileFormatError);
+            expect(gitHubService.updateFile).not.toHaveBeenCalled();
+        });
+        it("should return error when branch creation fails", async () => {
+            const { authorizationService, gitHubService } = makeEnv();
+            const input = makeSampleInput();
+            gitHubService.createBranch.mockRejectedValue(new Error("Failed to create branch: branch already exists"));
+            const result = await authorizationService.requestAuthorization(input);
+            expect(result.isErr()).toBe(true);
+            expect(result._unsafeUnwrapErr().message).toContain("Unable to create branch");
+            expect(gitHubService.getFileContent).not.toHaveBeenCalled();
+            expect(gitHubService.updateFile).not.toHaveBeenCalled();
+        });
+        it("should return error when file update fails", async () => {
+            const { authorizationService, gitHubService } = makeEnv();
+            const input = makeSampleInput();
+            const content = `
+directory_readers = {
+  service_principals_name = []
+}
+`.trim();
+            gitHubService.createBranch.mockResolvedValue(undefined);
+            gitHubService.getFileContent.mockResolvedValue({
+                content,
+                sha: "sha-123",
+            });
+            gitHubService.updateFile.mockRejectedValue(new Error("Failed to update file: conflict"));
+            const result = await authorizationService.requestAuthorization(input);
+            expect(result.isErr()).toBe(true);
+            expect(result._unsafeUnwrapErr().message).toContain("Unable to update");
+            expect(gitHubService.createPullRequest).not.toHaveBeenCalled();
+        });
+        it("should return error when PR creation fails", async () => {
+            const { authorizationService, gitHubService } = makeEnv();
+            const input = makeSampleInput();
+            const content = `
+directory_readers = {
+  service_principals_name = []
+}
+`.trim();
+            gitHubService.createBranch.mockResolvedValue(undefined);
+            gitHubService.getFileContent.mockResolvedValue({
+                content,
+                sha: "sha-123",
+            });
+            gitHubService.updateFile.mockResolvedValue(undefined);
+            gitHubService.createPullRequest.mockRejectedValue(new Error("Failed to create pull request"));
+            const result = await authorizationService.requestAuthorization(input);
+            expect(result.isErr()).toBe(true);
+            expect(result._unsafeUnwrapErr().message).toContain("Unable to create pull request");
+        });
+    });
+});

package/dist/adapters/pagopa-technology/authorization.d.ts

@@ -0,0 +1,11 @@
+/**
+ * PagoPA Technology Authorization Adapter
+ *
+ * Implements the AuthorizationService interface for the PagoPA Azure
+ * authorization workflow. Encapsulates all platform-specific details:
+ * the target GitHub repository, file paths, branch naming, HCL file
+ * parsing, and pull request creation.
+ */
+import { AuthorizationService } from "../../domain/authorization.js";
+import { GitHubService } from "../../domain/github.js";
+export declare const makeAuthorizationService: (gitHubService: GitHubService) => AuthorizationService;

package/dist/adapters/pagopa-technology/authorization.js

@@ -0,0 +1,104 @@
+/**
+ * PagoPA Technology Authorization Adapter
+ *
+ * Implements the AuthorizationService interface for the PagoPA Azure
+ * authorization workflow. Encapsulates all platform-specific details:
+ * the target GitHub repository, file paths, branch naming, HCL file
+ * parsing, and pull request creation.
+ */
+import { getLogger } from "@logtape/logtape";
+import { err, errAsync, ok, okAsync, ResultAsync } from "neverthrow";
+import { AuthorizationError, AuthorizationResult, IdentityAlreadyExistsError, InvalidAuthorizationFileFormatError, } from "../../domain/authorization.js";
+// Matches the service_principals_name list inside the directory_readers block.
+const DIRECTORY_READERS_REGEX = /(directory_readers\s*=\s*\{[\s\S]*?service_principals_name\s*=\s*\[)([\s\S]*?)(][\s\S]*?})/;
+const addIdentity = (content, identityId) => {
+    const match = content.match(DIRECTORY_READERS_REGEX);
+    if (!match) {
+        return err(new InvalidAuthorizationFileFormatError("Could not find directory_readers.service_principals_name list"));
+    }
+    const [, prefix, existingItems, suffix] = match;
+    if (existingItems.includes(`"${identityId}"`)) {
+        return err(new IdentityAlreadyExistsError(identityId));
+    }
+    // Build the new list content following HCL formatting rules:
+    // - Items are indented with 4 spaces; the LAST item must NOT have a trailing comma
+    const newListContent = existingItems.trim().length > 0
+        ? `${existingItems.replace(/,?\s*$/, "")},\n    "${identityId}"\n  `
+        : `\n    "${identityId}"\n  `;
+    return ok(content.replace(DIRECTORY_READERS_REGEX, `${prefix}${newListContent}${suffix}`));
+};
+const REPO_OWNER = "pagopa";
+const REPO_NAME = "eng-azure-authorization";
+const BASE_BRANCH = "main";
+export const makeAuthorizationService = (gitHubService) => ({
+    requestAuthorization(input) {
+        const logger = getLogger(["dx-cli", "pagopa-authorization"]);
+        const { bootstrapIdentityId, subscriptionName } = input;
+        const filePath = `src/azure-subscriptions/subscriptions/${subscriptionName}/terraform.tfvars`;
+        const branchName = `feats/add-${subscriptionName}-bootstrap-identity`;
+        return (
+        // Step 1: Create branch first to avoid race condition with main branch updates
+        ResultAsync.fromPromise(gitHubService.createBranch({
+            branchName,
+            fromRef: BASE_BRANCH,
+            owner: REPO_OWNER,
+            repo: REPO_NAME,
+        }), () => new AuthorizationError(`Unable to create branch ${branchName} in ${REPO_OWNER}/${REPO_NAME}`))
+            .orTee((error) => {
+            logger.error(error.message);
+        })
+            // Step 2: Fetch file content from the newly created branch
+            .andThen(() => ResultAsync.fromPromise(gitHubService.getFileContent({
+            owner: REPO_OWNER,
+            path: filePath,
+            ref: branchName,
+            repo: REPO_NAME,
+        }), () => new AuthorizationError(`Unable to get ${filePath} in ${REPO_OWNER}/${REPO_NAME}`)))
+            .orTee((error) => {
+            logger.error(error.message);
+        })
+            // Modify the file content, detecting duplicates and format errors
+            .andThen(({ content, sha }) => addIdentity(content, bootstrapIdentityId)
+            .mapErr((error) => {
+            if (error instanceof IdentityAlreadyExistsError) {
+                logger.warn("Identity already exists", {
+                    identityId: bootstrapIdentityId,
+                    subscription: subscriptionName,
+                });
+            }
+            else {
+                logger.error("Failed to modify tfvars", {
+                    error: error.message,
+                });
+            }
+            return error;
+        })
+            .match((updatedContent) => okAsync({ sha, updatedContent }), (error) => errAsync(error)))
+            // Update the file on the new branch
+            .andThen(({ sha, updatedContent }) => ResultAsync.fromPromise(gitHubService.updateFile({
+            branch: branchName,
+            content: updatedContent,
+            message: `Add directory reader for ${subscriptionName}`,
+            owner: REPO_OWNER,
+            path: filePath,
+            repo: REPO_NAME,
+            sha,
+        }), () => new AuthorizationError(`Unable to update ${filePath} on branch ${branchName} in ${REPO_OWNER}/${REPO_NAME}`)))
+            .orTee((error) => {
+            logger.error(error.message);
+        })
+            // Create a pull request for review
+            .andThen(() => ResultAsync.fromPromise(gitHubService.createPullRequest({
+            base: BASE_BRANCH,
+            body: `This PR adds the bootstrap identity \`${bootstrapIdentityId}\` to the directory readers for subscription \`${subscriptionName}\`.`,
+            head: branchName,
+            owner: REPO_OWNER,
+            repo: REPO_NAME,
+            title: `Add directory reader for ${subscriptionName}`,
+        }), () => new AuthorizationError(`Unable to create pull request from ${branchName} to ${BASE_BRANCH} in ${REPO_OWNER}/${REPO_NAME}`)))
+            .orTee((error) => {
+            logger.error(error.message);
+        })
+            .map((pr) => new AuthorizationResult(pr.url)));
+    },
+});

package/dist/adapters/plop/actions/__tests__/init-cloud-accounts.test.js

@@ -27,6 +27,11 @@ const createMockPayload = (overrides = {}) => ({
     },
     init: {
         cloudAccountsToInitialize: [],
+        runnerAppCredentials: {
+            id: "test-app-id",
+            installationId: "test-installation-id",
+            key: "test-private-key",
+        },
         terraformBackend: {
             cloudAccount: createMockCloudAccount(),
         },
@@ -53,6 +58,11 @@ describe("initCloudAccounts", () => {
             },
             init: {
                 cloudAccountsToInitialize: [cloudAccount1, cloudAccount2],
+                runnerAppCredentials: {
+                    id: "test-app-id",
+                    installationId: "test-installation-id",
+                    key: "test-private-key",
+                },
                 terraformBackend: {
                     cloudAccount: createMockCloudAccount(),
                 },
@@ -60,8 +70,16 @@ describe("initCloudAccounts", () => {
         });
         await initCloudAccounts(payload, mockService);
         expect(initializeMock).toHaveBeenCalledTimes(2);
-        expect(initializeMock).toHaveBeenCalledWith(cloudAccount1, expect.objectContaining({ name: "prod", prefix: "io" }), {});
-        expect(initializeMock).toHaveBeenCalledWith(cloudAccount2, expect.objectContaining({ name: "prod", prefix: "io" }), {});
+        expect(initializeMock).toHaveBeenCalledWith(cloudAccount1, expect.objectContaining({ name: "prod", prefix: "io" }), {
+            id: "test-app-id",
+            installationId: "test-installation-id",
+            key: "test-private-key",
+        }, {});
+        expect(initializeMock).toHaveBeenCalledWith(cloudAccount2, expect.objectContaining({ name: "prod", prefix: "io" }), {
+            id: "test-app-id",
+            installationId: "test-installation-id",
+            key: "test-private-key",
+        }, {});
     });
     it("should not call initialize when cloudAccountsToInitialize is empty", async () => {
         const initializeMock = vi.fn().mockResolvedValue(undefined);
@@ -71,6 +89,11 @@ describe("initCloudAccounts", () => {
         const payload = createMockPayload({
             init: {
                 cloudAccountsToInitialize: [],
+                runnerAppCredentials: {
+                    id: "test-app-id",
+                    installationId: "test-installation-id",
+                    key: "test-private-key",
+                },
                 terraformBackend: {
                     cloudAccount: createMockCloudAccount(),
                 },
@@ -104,12 +127,21 @@ describe("initCloudAccounts", () => {
             },
             init: {
                 cloudAccountsToInitialize: [cloudAccount],
+                runnerAppCredentials: {
+                    id: "test-app-id",
+                    installationId: "test-installation-id",
+                    key: "test-private-key",
+                },
                 terraformBackend: {
                     cloudAccount: createMockCloudAccount(),
                 },
             },
         });
         await initCloudAccounts(payload, mockService);
-        expect(initializeMock).toHaveBeenCalledWith(cloudAccount, expect.objectContaining({ name: "uat", prefix: "pagopa" }), {});
+        expect(initializeMock).toHaveBeenCalledWith(cloudAccount, expect.objectContaining({ name: "uat", prefix: "pagopa" }), {
+            id: "test-app-id",
+            installationId: "test-installation-id",
+            key: "test-private-key",
+        }, {});
     });
 });

package/dist/adapters/plop/actions/__tests__/provision-terraform-backend.test.js

@@ -34,6 +34,11 @@ const createMockPayload = (overrides = {}) => ({
     },
     init: {
         cloudAccountsToInitialize: [],
+        runnerAppCredentials: {
+            id: "test-app-id",
+            installationId: "test-installation-id",
+            key: "test-private-key",
+        },
         terraformBackend: {
             cloudAccount: createMockCloudAccount(),
         },
@@ -71,6 +76,11 @@ describe("provisionTerraformBackend", () => {
             },
             init: {
                 cloudAccountsToInitialize: [],
+                runnerAppCredentials: {
+                    id: "test-app-id",
+                    installationId: "test-installation-id",
+                    key: "test-private-key",
+                },
                 terraformBackend: {
                     cloudAccount,
                 },
@@ -105,6 +115,11 @@ describe("provisionTerraformBackend", () => {
             },
             init: {
                 cloudAccountsToInitialize: [],
+                runnerAppCredentials: {
+                    id: "test-app-id",
+                    installationId: "test-installation-id",
+                    key: "test-private-key",
+                },
                 terraformBackend: {
                     cloudAccount: backendCloudAccount,
                 },

package/dist/adapters/plop/actions/init-cloud-accounts.js

@@ -1,7 +1,10 @@
+import assert from "node:assert/strict";
 import { payloadSchema, } from "../generators/environment/prompts.js";
 export const initCloudAccounts = async (payload, cloudAccountService) => {
-    if (payload.init) {
-        await Promise.all(payload.init.cloudAccountsToInitialize.map((cloudAccount) => cloudAccountService.initialize(cloudAccount, payload.env, payload.tags)));
+    if (payload.init && payload.init.cloudAccountsToInitialize.length > 0) {
+        const { runnerAppCredentials } = payload.init;
+        assert.ok(runnerAppCredentials, "Runner app credentials are required");
+        await Promise.all(payload.init.cloudAccountsToInitialize.map((cloudAccount) => cloudAccountService.initialize(cloudAccount, payload.env, runnerAppCredentials, payload.tags)));
     }
 };
 export default function (plop, cloudAccountService) {

package/dist/adapters/plop/generators/environment/__tests__/actions.test.js

@@ -25,6 +25,11 @@ export const getPayload = (includeInit = false) => {
     if (includeInit) {
         payload.init = {
             cloudAccountsToInitialize: [cloudAccount],
+            runnerAppCredentials: {
+                id: "test-app-id",
+                installationId: "test-installation-id",
+                key: "test-private-key",
+            },
             terraformBackend: {
                 cloudAccount,
             },

package/dist/adapters/plop/generators/environment/prompts.d.ts

@@ -1,6 +1,7 @@
 import inquirer from "inquirer";
 import { type DynamicPromptsFunction } from "node-plop";
 import { CloudAccount, CloudAccountRepository, CloudAccountService, CloudRegion } from "../../../../domain/cloud-account.js";
+import { EnvironmentInitStatus } from "../../../../domain/environment.js";
 type InquirerChoice<T> = inquirer.Separator | {
     name: string;
     value: T;
@@ -40,6 +41,11 @@ export declare const payloadSchema: z.ZodObject<{
             displayName: z.ZodString;
             id: z.ZodString;
         }, z.core.$strip>>;
+        runnerAppCredentials: z.ZodOptional<z.ZodObject<{
+            id: z.ZodString;
+            installationId: z.ZodString;
+            key: z.ZodString;
+        }, z.core.$strip>>;
         terraformBackend: z.ZodOptional<z.ZodObject<{
             cloudAccount: z.ZodObject<{
                 csp: z.ZodDefault<z.ZodEnum<{
@@ -65,4 +71,12 @@ export type PromptsDependencies = {
 declare const prompts: (deps: PromptsDependencies) => DynamicPromptsFunction;
 export declare const getCloudAccountChoices: (cloudAccounts: CloudAccount[]) => InquirerChoice<CloudAccount>[];
 export declare const getCloudLocationChoices: (regions: CloudRegion[]) => InquirerChoice<CloudRegion["name"]>[];
+export declare const getCloudAccountToInitialize: (initStatus: EnvironmentInitStatus & {
+    initialized: false;
+}) => {
+    csp: "azure";
+    defaultLocation: string;
+    displayName: string;
+    id: string;
+}[];
 export default prompts;

package/dist/adapters/plop/generators/environment/prompts.js

@@ -5,9 +5,11 @@ import * as azure from "../../../azure/locations.js";
 import { getLogger } from "@logtape/logtape";
 import { z } from "zod/v4";
 import { githubRepoSchema, } from "../../../../domain/github-repo.js";
+import { githubAppCredentialsSchema } from "../../../../domain/github.js";
 import { getGithubRepo } from "../../../github/github-repo.js";
 const initSchema = z.object({
     cloudAccountsToInitialize: z.array(cloudAccountSchema),
+    runnerAppCredentials: githubAppCredentialsSchema.optional(),
     terraformBackend: z
         .object({
         cloudAccount: cloudAccountSchema,
@@ -25,6 +27,7 @@ export const payloadSchema = z.object({
     tags: tagsSchema,
     workspace: workspaceSchema,
 });
+/* eslint-disable max-lines-per-function */
 const prompts = (deps) => async (inquirer) => {
     const logger = getLogger(["gen", "env"]);
     const github = deps.github ?? (await getGithubRepo());
@@ -93,16 +96,16 @@ const prompts = (deps) => async (inquirer) => {
                 : "Please select a Cost Center.",
         },
         {
+            filter: (value) => value.trim(),
             message: "Business unit",
             name: "tags.BusinessUnit",
-            transformer: (value) => value.trim(),
-            validate: (value) => value.trim().length > 0 ? true : "Business Unit cannot be empty.",
+            validate: (value) => value.length > 0 ? true : "Business Unit cannot be empty.",
         },
         {
+            filter: (value) => value.trim(),
             message: "Management team",
             name: "tags.ManagementTeam",
-            transformer: (value) => value.trim(),
-            validate: (value) => value.trim().length > 0 ? true : "Management Team cannot be empty.",
+            validate: (value) => value.length > 0 ? true : "Management Team cannot be empty.",
         },
     ]);
     const payload = payloadSchema.parse({ ...answers, github });
@@ -124,36 +127,66 @@ const prompts = (deps) => async (inquirer) => {
     if (initStatus.initialized) {
         return payload;
     }
+    const initConfirm = await inquirer.prompt({
+        default: true,
+        message: "The environment is not initialized. Do you want to initialize it now?",
+        name: "init",
+        type: "confirm",
+    });
+    assert.ok(initConfirm.init, "Can't proceed without initialization");
     assert.ok(await hasUserPermissionToInitialize(deps.cloudAccountService, payload.env), "You don't have permission to initialize this environment. Ask your Engineering Leader to initialize it for you.");
     const missingRemoteBackend = initStatus.issues.some((issue) => issue.type === "MISSING_REMOTE_BACKEND");
-    const initInput = await inquirer.prompt([
-        {
-            default: true,
-            message: "The environment is not initialized. Do you want to initialize it now?",
-            name: "init",
-            type: "confirm",
-        },
-        {
-            choices: getCloudAccountChoices(payload.env.cloudAccounts),
-            message: "Cloud Account to use for the remote Terraform backend",
-            name: "terraformBackend.cloudAccount",
-            type: "list",
-            when: (answers) => answers.init &&
-                missingRemoteBackend &&
-                payload.env.cloudAccounts.length > 1,
-        },
-    ]);
-    assert.ok(initInput.init, "Can't proceed without initialization");
+    const questions = [];
+    let terraformBackend;
+    if (missingRemoteBackend) {
+        if (payload.env.cloudAccounts.length === 1) {
+            terraformBackend = {
+                cloudAccount: payload.env.cloudAccounts[0],
+            };
+        }
+        else {
+            questions.push({
+                choices: getCloudAccountChoices(payload.env.cloudAccounts),
+                message: "Cloud Account to use for the remote Terraform backend",
+                name: "terraformBackend.cloudAccount",
+                type: "list",
+            });
+        }
+    }
+    const cloudAccountsNotInitialized = initStatus.issues.some((issue) => issue.type === "CLOUD_ACCOUNT_NOT_INITIALIZED");
+    let runnerAppCredentials;
+    if (cloudAccountsNotInitialized) {
+        questions.push({
+            filter: (value) => value.trim(),
+            message: "GitHub Runner App ID",
+            name: "runnerAppCredentials.id",
+            type: "input",
+            validate: (value) => value.length > 0,
+        }, {
+            filter: (value) => value.trim(),
+            message: "GitHub Runner App Installation ID",
+            name: "runnerAppCredentials.installationId",
+            type: "input",
+            validate: (value) => value.length > 0,
+        }, {
+            filter: (value) => value.trim(),
+            message: "GitHub Runner App Private Key",
+            name: "runnerAppCredentials.key",
+            type: "editor",
+            validate: (value) => value.length > 0,
+        });
+    }
+    const initInput = await inquirer.prompt(questions);
+    if (initInput.runnerAppCredentials) {
+        runnerAppCredentials = initInput.runnerAppCredentials;
+    }
+    if (initInput.terraformBackend) {
+        terraformBackend = initInput.terraformBackend;
+    }
     payload.init = payloadSchema.shape.init.parse({
-        cloudAccountsToInitialize: initStatus.issues
-            .filter((issue) => issue.type === "CLOUD_ACCOUNT_NOT_INITIALIZED")
-            .map((issue) => issue.cloudAccount),
-        terraformBackend: missingRemoteBackend
-            ? {
-                cloudAccount: initInput.terraformBackend?.cloudAccount ||
-                    payload.env.cloudAccounts[0],
-            }
-            : undefined,
+        cloudAccountsToInitialize: getCloudAccountToInitialize(initStatus),
+        runnerAppCredentials,
+        terraformBackend,
     });
     return payload;
 };
@@ -163,4 +196,7 @@ export const getCloudAccountChoices = (cloudAccounts) => cloudAccounts.map((acco
     value: account,
 }));
 export const getCloudLocationChoices = (regions) => regions.map((r) => ({ name: r.displayName, value: r.name }));
+export const getCloudAccountToInitialize = (initStatus) => initStatus.issues
+    .filter((issue) => issue.type === "CLOUD_ACCOUNT_NOT_INITIALIZED")
+    .map((issue) => issue.cloudAccount);
 export default prompts;

package/dist/adapters/plop/index.d.ts

@@ -5,5 +5,21 @@ import { Payload as MonorepoPayload } from "../plop/generators/monorepo/index.js
 export declare const setMonorepoGenerator: (plop: NodePlopAPI) => void;
 export declare const getPlopInstance: () => Promise<NodePlopAPI>;
 export declare const runMonorepoGenerator: (plop: NodePlopAPI, githubService: GitHubService) => Promise<MonorepoPayload>;
-export declare const runDeploymentEnvironmentGenerator: (plop: NodePlopAPI, github: GitHubRepo) => Promise<void>;
-export declare const setDeploymentEnvironmentGenerator: (plop: NodePlopAPI, github: GitHubRepo) => void;
+/**
+ * Run the deployment environment generator
+ *
+ * @param plop - The plop instance
+ * @param github - Optional GitHub repository info. When provided (by init command),
+ *                 uses the explicitly passed repository. When omitted (by add command),
+ *                 the generator infers it from the local git context.
+ */
+export declare const runDeploymentEnvironmentGenerator: (plop: NodePlopAPI, github?: GitHubRepo) => Promise<void>;
+/**
+ * Configure the deployment environment generator
+ *
+ * @param plop - The plop instance
+ * @param github - Optional GitHub repository info. When provided (by init command),
+ *                 uses the explicitly passed repository. When omitted (by add command),
+ *                 the generator infers it from the local git context.
+ */
+export declare const setDeploymentEnvironmentGenerator: (plop: NodePlopAPI, github?: GitHubRepo) => void;

package/dist/adapters/plop/index.js

@@ -54,6 +54,14 @@ export const runMonorepoGenerator = async (plop, githubService) => {
     });
     return payload;
 };
+/**
+ * Run the deployment environment generator
+ *
+ * @param plop - The plop instance
+ * @param github - Optional GitHub repository info. When provided (by init command),
+ *                 uses the explicitly passed repository. When omitted (by add command),
+ *                 the generator infers it from the local git context.
+ */
 export const runDeploymentEnvironmentGenerator = async (plop, github) => {
     setDeploymentEnvironmentGenerator(plop, github);
     const generator = plop.getGenerator(PLOP_ENVIRONMENT_GENERATOR_NAME);
@@ -64,6 +72,14 @@ export const runDeploymentEnvironmentGenerator = async (plop, github) => {
         text: "Creating environment...",
     });
 };
+/**
+ * Configure the deployment environment generator
+ *
+ * @param plop - The plop instance
+ * @param github - Optional GitHub repository info. When provided (by init command),
+ *                 uses the explicitly passed repository. When omitted (by add command),
+ *                 the generator infers it from the local git context.
+ */
 export const setDeploymentEnvironmentGenerator = (plop, github) => {
     const credential = new AzureCliCredential();
     const cloudAccountRepository = new AzureSubscriptionRepository(credential);