@pagopa/dx-cli 0.18.7 → 0.18.8

package/dist/adapters/azure/__tests__/cloud-account-service.test.js

@@ -4,6 +4,12 @@ import { AzureCloudAccountService } from "../cloud-account-service.js";
 const { queryResources } = vi.hoisted(() => ({
     queryResources: vi.fn().mockRejectedValue(new Error("Not implemented")),
 }));
+const { mockProviderGet, mockProviderRegister } = vi.hoisted(() => ({
+    mockProviderGet: vi
+        .fn()
+        .mockResolvedValue({ registrationState: "Registered" }),
+    mockProviderRegister: vi.fn().mockResolvedValue({}),
+}));
 vi.mock("@azure/identity", () => ({
     DefaultAzureCredential: vi.fn(),
 }));
@@ -12,6 +18,14 @@ vi.mock("@azure/arm-resourcegraph", () => ({
         resources = queryResources;
     },
 }));
+vi.mock("@azure/arm-resources", () => ({
+    ResourceManagementClient: class {
+        providers = {
+            get: mockProviderGet,
+            register: mockProviderRegister,
+        };
+    },
+}));
 const test = baseTest.extend({
     // the empty pattern is required by vitest!!!
     // eslint-disable-next-line no-empty-pattern
@@ -94,11 +108,12 @@ describe("getTerraformBackend", () => {
     });
 });
 describe("isInitialized", () => {
-    test("returns true when both bootstrap identity and common Key Vault exist", async ({ cloudAccountService, }) => {
+    test("returns true when both bootstrap identity and common Key Vault exist and all providers are registered", async ({ cloudAccountService, }) => {
         // First call: identity query → found
         queryResources.mockResolvedValueOnce({ data: [], totalRecords: 1 });
         // Second call: key vault query → found
         queryResources.mockResolvedValueOnce({ data: [], totalRecords: 1 });
+        // Provider checks → all registered (default mock)
         const result = await cloudAccountService.isInitialized("sub-1", {
             name: "dev",
             prefix: "dx",
@@ -127,4 +142,18 @@ describe("isInitialized", () => {
         });
         expect(result).toBe(false);
     });
+    test("returns false when resources exist but a required provider is not registered", async ({ cloudAccountService, }) => {
+        // Both resources exist
+        queryResources.mockResolvedValueOnce({ data: [], totalRecords: 1 });
+        queryResources.mockResolvedValueOnce({ data: [], totalRecords: 1 });
+        // One provider is not registered
+        mockProviderGet.mockResolvedValueOnce({
+            registrationState: "NotRegistered",
+        });
+        const result = await cloudAccountService.isInitialized("sub-1", {
+            name: "dev",
+            prefix: "dx",
+        });
+        expect(result).toBe(false);
+    });
 });

package/dist/adapters/azure/cloud-account-service.js

@@ -33,6 +33,24 @@ const graphGroupMembershipResponseSchema = z.object({
 });
 export class AzureCloudAccountService {
     #credential;
+    #requiredResourceProviders = [
+        "Microsoft.Advisor",
+        "Microsoft.AlertsManagement",
+        "Microsoft.ApiManagement",
+        "Microsoft.App",
+        "Microsoft.Authorization",
+        "Microsoft.AzureTerraform",
+        "Microsoft.Cache",
+        "Microsoft.Cdn",
+        "Microsoft.ContainerInstance",
+        "Microsoft.CostManagement",
+        "Microsoft.DBforPostgreSQL",
+        "Microsoft.KeyVault",
+        "Microsoft.ServiceBus",
+        "Microsoft.Sql",
+        "Microsoft.Storage",
+        "Microsoft.Web",
+    ];
     #resourceGraphClient;
     constructor(credential) {
         this.#resourceGraphClient = new ResourceGraphClient(credential);
@@ -126,6 +144,8 @@ export class AzureCloudAccountService {
         assert.equal(cloudAccount.csp, "azure", "Cloud account must be Azure");
         assert.ok(isAzureLocation(cloudAccount.defaultLocation), "The default location of the cloud account is not a valid Azure location");
         const logger = getLogger(["gen", "env"]);
+        // Register required resource providers before creating any resources
+        await this.#registerProviders(cloudAccount.id);
         const resourceManagementClient = new ResourceManagementClient(this.#credential, cloudAccount.id);
         const short = {
             env: environmentShort[name],
@@ -210,7 +230,7 @@ export class AzureCloudAccountService {
              | where type == 'microsoft.keyvault/vaults'
              | where name matches regex @'${keyVaultResourceName}'
             `;
-        const [identityResult, keyVaultResult] = await Promise.all([
+        const [identityResult, keyVaultResult, areProvidersRegistered] = await Promise.all([
             this.#resourceGraphClient.resources({
                 query: identityQuery,
                 subscriptions: [cloudAccountId],
@@ -219,8 +239,11 @@ export class AzureCloudAccountService {
                 query: keyVaultQuery,
                 subscriptions: [cloudAccountId],
             }),
+            this.#areProvidersRegistered(cloudAccountId),
         ]);
-        const initialized = identityResult.totalRecords > 0 && keyVaultResult.totalRecords > 0;
+        const initialized = identityResult.totalRecords > 0 &&
+            keyVaultResult.totalRecords > 0 &&
+            areProvidersRegistered;
         const logger = getLogger(["gen", "env"]);
         logger.debug("subscription {subscriptionId} initialized: {initialized}", {
             initialized,
@@ -282,6 +305,14 @@ export class AzureCloudAccountService {
             type: "azurerm",
         });
     }
+    async #areProvidersRegistered(subscriptionId) {
+        const client = new ResourceManagementClient(this.#credential, subscriptionId);
+        const results = await Promise.all(this.#requiredResourceProviders.map(async (namespace) => {
+            const provider = await client.providers.get(namespace);
+            return provider.registrationState === "Registered";
+        }));
+        return results.every(Boolean);
+    }
     async #getCurrentPrincipalIds() {
         // Create Graph client with custom auth provider that fetches fresh tokens
         const graphClient = Client.init({
@@ -318,4 +349,14 @@ export class AzureCloudAccountService {
         const allPrincipalIds = new Set([userObjectId, ...groupIds]);
         return allPrincipalIds;
     }
+    async #registerProviders(subscriptionId) {
+        const logger = getLogger(["dx-cli", "register-providers"]);
+        const client = new ResourceManagementClient(this.#credential, subscriptionId);
+        logger.info("Registering {count} resource providers on subscription {subscriptionId}", { count: this.#requiredResourceProviders.length, subscriptionId });
+        await Promise.all(this.#requiredResourceProviders.map(async (namespace) => {
+            await client.providers.register(namespace);
+            logger.debug("Registered provider {namespace}", { namespace });
+        }));
+        logger.info("All resource providers registered on subscription {subscriptionId}", { subscriptionId });
+    }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/dx-cli",
-  "version": "0.18.7",
+  "version": "0.18.8",
   "type": "module",
   "description": "A CLI useful to manage DX tools.",
   "repository": {

package/templates/environment/bootstrapper/{{env.name}}/main.tf.hbs

@@ -103,6 +103,7 @@ module "azure-{{displayName}}_bootstrap" {
     key_vault = {
       name                = module.azure-{{displayName}}_core_values.common_key_vault.name
       resource_group_name = module.azure-{{displayName}}_core_values.common_key_vault.resource_group_name
+      use_rbac            = true
     }
     use_github_app = true
   }

package/templates/monorepo/.pre-commit-config.yaml.hbs

@@ -7,7 +7,7 @@ repos:
         exclude: ^.*/(_modules|modules|\.terraform)(/.*)?$
         files: infra/(resources/prod|repository)
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: "{{ preCommitTerraformVersion }}"
+    rev: v{{ preCommitTerraformVersion }}
     hooks:
       - id: terraform_tflint
         args: