@pagopa/dx-cli 0.18.6 → 0.18.8

package/README.md

@@ -178,13 +178,14 @@ dx savemoney [options]
 
 **Options:**
 
-| Option       | Alias | Description                                                           | Default      |
-| :----------- | :---- | :-------------------------------------------------------------------- | :----------- |
-| `--config`   | `-c`  | Path to a JSON configuration file.                                    | N/A          |
-| `--format`   | `-f`  | Report format (`table`, `json`, `detailed-json`).                     | `table`      |
-| `--days`     | `-d`  | Metric analysis period in days.                                       | `30`         |
-| `--location` | `-l`  | Preferred Azure location for resources.                               | `italynorth` |
-| `--verbose`  | `-v`  | Enable verbose mode with detailed logging for each resource analyzed. | `false`      |
+| Option       | Alias | Description                                                                                                                                  | Default      |
+| :----------- | :---- | :------------------------------------------------------------------------------------------------------------------------------------------- | :----------- |
+| `--config`   | `-c`  | Path to a YAML configuration file.                                                                                                           | N/A          |
+| `--format`   | `-f`  | Report format: `table`, `json`, `detailed-json`, or `lint`.                                                                                  | `table`      |
+| `--days`     | `-d`  | Metric analysis period in days (overrides config file).                                                                                      | `30`         |
+| `--location` | `-l`  | Preferred Azure location for resources (overrides config file).                                                                              | `italynorth` |
+| `--verbose`  | `-v`  | Enable verbose mode with detailed logging for each resource analyzed.                                                                        | `false`      |
+| `--tags`     | `-t`  | Filter resources by tags (`key=value key2=value2`). Only resources matching **all** specified tags are analyzed (variadic: space-separated). | N/A          |
 
 **Example usage:**
 
@@ -193,24 +194,38 @@ dx savemoney [options]
 dx savemoney
 
 # Use a configuration file
-dx savemoney --config config.json
+dx savemoney --config config.yaml
 
 # Output as JSON with verbose logging
 dx savemoney --format json --verbose
 
+# Linter-style output for CI pipelines
+dx savemoney --config config.yaml --format lint
+
+# Analyze only resources tagged environment=prod
+dx savemoney --config config.yaml --tags "environment=prod"
+
 # Analyze with specific timespan
 dx savemoney --days 60 --location italynorth
 ```
 
-**Configuration file example (`config.json`):**
-
-```json
-{
-  "tenantId": "your-tenant-id",
-  "subscriptionIds": ["subscription-1", "subscription-2"],
-  "preferredLocation": "italynorth",
-  "timespanDays": 30
-}
+**Configuration file example (`config.yaml`):**
+
+```yaml
+azure:
+  subscriptionIds:
+    - subscription-1
+    - subscription-2
+  preferredLocation: italynorth
+  timespanDays: 30
+  thresholds: # optional — omit to use built-in defaults
+    vm:
+      cpuPercent: 5
+    appService:
+      cpuPercent: 10
+      memoryPercent: 20
+    storage:
+      transactionsPerDay: 50
 ```
 
 **Analyzed Azure resources:**

package/dist/adapters/azure/__tests__/cloud-account-service.test.js

@@ -4,6 +4,12 @@ import { AzureCloudAccountService } from "../cloud-account-service.js";
 const { queryResources } = vi.hoisted(() => ({
     queryResources: vi.fn().mockRejectedValue(new Error("Not implemented")),
 }));
+const { mockProviderGet, mockProviderRegister } = vi.hoisted(() => ({
+    mockProviderGet: vi
+        .fn()
+        .mockResolvedValue({ registrationState: "Registered" }),
+    mockProviderRegister: vi.fn().mockResolvedValue({}),
+}));
 vi.mock("@azure/identity", () => ({
     DefaultAzureCredential: vi.fn(),
 }));
@@ -12,6 +18,14 @@ vi.mock("@azure/arm-resourcegraph", () => ({
         resources = queryResources;
     },
 }));
+vi.mock("@azure/arm-resources", () => ({
+    ResourceManagementClient: class {
+        providers = {
+            get: mockProviderGet,
+            register: mockProviderRegister,
+        };
+    },
+}));
 const test = baseTest.extend({
     // the empty pattern is required by vitest!!!
     // eslint-disable-next-line no-empty-pattern
@@ -94,11 +108,12 @@ describe("getTerraformBackend", () => {
     });
 });
 describe("isInitialized", () => {
-    test("returns true when both bootstrap identity and common Key Vault exist", async ({ cloudAccountService, }) => {
+    test("returns true when both bootstrap identity and common Key Vault exist and all providers are registered", async ({ cloudAccountService, }) => {
         // First call: identity query → found
         queryResources.mockResolvedValueOnce({ data: [], totalRecords: 1 });
         // Second call: key vault query → found
         queryResources.mockResolvedValueOnce({ data: [], totalRecords: 1 });
+        // Provider checks → all registered (default mock)
         const result = await cloudAccountService.isInitialized("sub-1", {
             name: "dev",
             prefix: "dx",
@@ -127,4 +142,18 @@ describe("isInitialized", () => {
         });
         expect(result).toBe(false);
     });
+    test("returns false when resources exist but a required provider is not registered", async ({ cloudAccountService, }) => {
+        // Both resources exist
+        queryResources.mockResolvedValueOnce({ data: [], totalRecords: 1 });
+        queryResources.mockResolvedValueOnce({ data: [], totalRecords: 1 });
+        // One provider is not registered
+        mockProviderGet.mockResolvedValueOnce({
+            registrationState: "NotRegistered",
+        });
+        const result = await cloudAccountService.isInitialized("sub-1", {
+            name: "dev",
+            prefix: "dx",
+        });
+        expect(result).toBe(false);
+    });
 });

package/dist/adapters/azure/cloud-account-service.js

@@ -33,6 +33,24 @@ const graphGroupMembershipResponseSchema = z.object({
 });
 export class AzureCloudAccountService {
     #credential;
+    #requiredResourceProviders = [
+        "Microsoft.Advisor",
+        "Microsoft.AlertsManagement",
+        "Microsoft.ApiManagement",
+        "Microsoft.App",
+        "Microsoft.Authorization",
+        "Microsoft.AzureTerraform",
+        "Microsoft.Cache",
+        "Microsoft.Cdn",
+        "Microsoft.ContainerInstance",
+        "Microsoft.CostManagement",
+        "Microsoft.DBforPostgreSQL",
+        "Microsoft.KeyVault",
+        "Microsoft.ServiceBus",
+        "Microsoft.Sql",
+        "Microsoft.Storage",
+        "Microsoft.Web",
+    ];
     #resourceGraphClient;
     constructor(credential) {
         this.#resourceGraphClient = new ResourceGraphClient(credential);
@@ -126,6 +144,8 @@ export class AzureCloudAccountService {
         assert.equal(cloudAccount.csp, "azure", "Cloud account must be Azure");
         assert.ok(isAzureLocation(cloudAccount.defaultLocation), "The default location of the cloud account is not a valid Azure location");
         const logger = getLogger(["gen", "env"]);
+        // Register required resource providers before creating any resources
+        await this.#registerProviders(cloudAccount.id);
         const resourceManagementClient = new ResourceManagementClient(this.#credential, cloudAccount.id);
         const short = {
             env: environmentShort[name],
@@ -210,7 +230,7 @@ export class AzureCloudAccountService {
              | where type == 'microsoft.keyvault/vaults'
              | where name matches regex @'${keyVaultResourceName}'
             `;
-        const [identityResult, keyVaultResult] = await Promise.all([
+        const [identityResult, keyVaultResult, areProvidersRegistered] = await Promise.all([
             this.#resourceGraphClient.resources({
                 query: identityQuery,
                 subscriptions: [cloudAccountId],
@@ -219,8 +239,11 @@ export class AzureCloudAccountService {
                 query: keyVaultQuery,
                 subscriptions: [cloudAccountId],
             }),
+            this.#areProvidersRegistered(cloudAccountId),
         ]);
-        const initialized = identityResult.totalRecords > 0 && keyVaultResult.totalRecords > 0;
+        const initialized = identityResult.totalRecords > 0 &&
+            keyVaultResult.totalRecords > 0 &&
+            areProvidersRegistered;
         const logger = getLogger(["gen", "env"]);
         logger.debug("subscription {subscriptionId} initialized: {initialized}", {
             initialized,
@@ -282,6 +305,14 @@ export class AzureCloudAccountService {
             type: "azurerm",
         });
     }
+    async #areProvidersRegistered(subscriptionId) {
+        const client = new ResourceManagementClient(this.#credential, subscriptionId);
+        const results = await Promise.all(this.#requiredResourceProviders.map(async (namespace) => {
+            const provider = await client.providers.get(namespace);
+            return provider.registrationState === "Registered";
+        }));
+        return results.every(Boolean);
+    }
     async #getCurrentPrincipalIds() {
         // Create Graph client with custom auth provider that fetches fresh tokens
         const graphClient = Client.init({
@@ -318,4 +349,14 @@ export class AzureCloudAccountService {
         const allPrincipalIds = new Set([userObjectId, ...groupIds]);
         return allPrincipalIds;
     }
+    async #registerProviders(subscriptionId) {
+        const logger = getLogger(["dx-cli", "register-providers"]);
+        const client = new ResourceManagementClient(this.#credential, subscriptionId);
+        logger.info("Registering {count} resource providers on subscription {subscriptionId}", { count: this.#requiredResourceProviders.length, subscriptionId });
+        await Promise.all(this.#requiredResourceProviders.map(async (namespace) => {
+            await client.providers.register(namespace);
+            logger.debug("Registered provider {namespace}", { namespace });
+        }));
+        logger.info("All resource providers registered on subscription {subscriptionId}", { subscriptionId });
+    }
 }

package/dist/adapters/commander/commands/savemoney.js

@@ -2,17 +2,21 @@ import { azure, loadConfig } from "@pagopa/dx-savemoney";
 import { Command } from "commander";
 export const makeSavemoneyCommand = () => new Command("savemoney")
     .description("Analyze Azure subscriptions and report unused or inefficient resources")
-    .option("-c, --config <path>", "Path to configuration file (JSON)")
-    .option("-f, --format <format>", "Report format: json, table, or detailed-json (default: table)", "table")
-    .option("-l, --location <string>", "Preferred Azure location for resources", "italynorth")
-    .option("-d, --days <number>", "Number of days for metrics analysis", "30")
+    .option("-c, --config <path>", "Path to YAML configuration file")
+    .option("-f, --format <format>", "Report format: json, table, detailed-json, or lint (default: table)", "table")
+    .option("-l, --location <string>", "Preferred Azure location for resources (overrides config file)", "italynorth")
+    .option("-d, --days <number>", "Number of days for metrics analysis (overrides config file)", "30")
     .option("-v, --verbose", "Enable verbose logging")
+    .option("-t, --tags <tags...>", "Filter resources by tags (key=value key2=value2). Only resources matching ALL specified tags are analyzed.")
     .action(async function (options) {
     try {
-        // Load configuration
+        // Load configuration from YAML (includes subscriptionIds, location, timespanDays, thresholds)
         const config = await loadConfig(options.config);
+        // Parse tag filter
+        const filterTags = parseTagsOption(options.tags);
         const finalConfig = {
             ...config,
+            filterTags,
             preferredLocation: options.location || config.preferredLocation,
             timespanDays: Number.parseInt(options.days, 10) || config.timespanDays,
             verbose: options.verbose || false,
@@ -24,3 +28,23 @@ export const makeSavemoneyCommand = () => new Command("savemoney")
         this.error(`Analysis failed: ${error instanceof Error ? error.message : error}`);
     }
 });
+/**
+ * Parses an array of "key=value" strings (from commander variadic option) into a Map<string, string>.
+ * Returns an empty Map when the option is not provided or empty.
+ * Supports values that contain "=" (only the first "=" is treated as separator).
+ */
+function parseTagsOption(tagsOption) {
+    const result = new Map();
+    if (!tagsOption || tagsOption.length === 0) {
+        return result;
+    }
+    for (const pair of tagsOption) {
+        const [rawKey, ...rest] = pair.split("=");
+        const key = rawKey?.trim();
+        const value = rest.join("=").trim();
+        if (key && rest.length > 0) {
+            result.set(key, value);
+        }
+    }
+    return result;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/dx-cli",
-  "version": "0.18.6",
+  "version": "0.18.8",
   "type": "module",
   "description": "A CLI useful to manage DX tools.",
   "repository": {
@@ -47,7 +47,7 @@
     "semver": "^7.7.4",
     "yaml": "^2.8.2",
     "zod": "^4.3.6",
-    "@pagopa/dx-savemoney": "^0.1.6"
+    "@pagopa/dx-savemoney": "^0.2.0"
   },
   "devDependencies": {
     "@tsconfig/node24": "24.0.4",

package/templates/environment/bootstrapper/{{env.name}}/main.tf.hbs

@@ -103,6 +103,7 @@ module "azure-{{displayName}}_bootstrap" {
     key_vault = {
       name                = module.azure-{{displayName}}_core_values.common_key_vault.name
       resource_group_name = module.azure-{{displayName}}_core_values.common_key_vault.resource_group_name
+      use_rbac            = true
     }
     use_github_app = true
   }

package/templates/monorepo/.pre-commit-config.yaml.hbs

@@ -7,7 +7,7 @@ repos:
         exclude: ^.*/(_modules|modules|\.terraform)(/.*)?$
         files: infra/(resources/prod|repository)
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: "{{ preCommitTerraformVersion }}"
+    rev: v{{ preCommitTerraformVersion }}
     hooks:
       - id: terraform_tflint
         args: