@pagopa/dx-cli 0.20.0 → 0.20.2

package/dist/adapters/azure/__tests__/cloud-account-service.test.js

@@ -1,5 +1,5 @@
 import { DefaultAzureCredential } from "@azure/identity";
-import { test as baseTest, describe, expect, vi } from "vitest";
+import { test as baseTest, beforeEach, describe, expect, vi } from "vitest";
 import { AzureCloudAccountService } from "../cloud-account-service.js";
 const { queryResources } = vi.hoisted(() => ({
     queryResources: vi.fn().mockRejectedValue(new Error("Not implemented")),
@@ -10,6 +10,50 @@ const { mockProviderGet, mockProviderRegister } = vi.hoisted(() => ({
         .mockResolvedValue({ registrationState: "Registered" }),
     mockProviderRegister: vi.fn().mockResolvedValue({}),
 }));
+const { mockRoleAssignmentsCreate, mockRoleAssignmentsListForScope } = vi.hoisted(() => ({
+    mockRoleAssignmentsCreate: vi.fn().mockResolvedValue({}),
+    mockRoleAssignmentsListForScope: vi.fn(),
+}));
+const { mockCreateFederatedIdentityCredential, mockCreateIdentity, mockCreateKeyVault, mockCreateResourceGroup, mockDeleteResourceGroup, mockGetSubscription, mockKeyVaultNameAvailability, mockSetSecret, } = vi.hoisted(() => ({
+    mockCreateFederatedIdentityCredential: vi.fn().mockResolvedValue({}),
+    mockCreateIdentity: vi
+        .fn()
+        .mockResolvedValue({ clientId: "client-1", principalId: "principal-1" }),
+    mockCreateKeyVault: vi.fn().mockResolvedValue({}),
+    mockCreateResourceGroup: vi.fn().mockResolvedValue({}),
+    mockDeleteResourceGroup: vi.fn().mockResolvedValue({}),
+    mockGetSubscription: vi.fn().mockResolvedValue({ tenantId: "tenant-1" }),
+    mockKeyVaultNameAvailability: vi.fn().mockResolvedValue({
+        nameAvailable: true,
+    }),
+    mockSetSecret: vi.fn().mockResolvedValue({}),
+}));
+vi.mock("@azure/arm-authorization", () => ({
+    AuthorizationManagementClient: class {
+        roleAssignments = {
+            create: mockRoleAssignmentsCreate,
+            listForScope: mockRoleAssignmentsListForScope,
+        };
+    },
+}));
+vi.mock("@azure/arm-keyvault", () => ({
+    KeyVaultManagementClient: class {
+        vaults = {
+            beginCreateOrUpdateAndWait: mockCreateKeyVault,
+            checkNameAvailability: mockKeyVaultNameAvailability,
+        };
+    },
+}));
+vi.mock("@azure/arm-msi", () => ({
+    ManagedServiceIdentityClient: class {
+        federatedIdentityCredentials = {
+            createOrUpdate: mockCreateFederatedIdentityCredential,
+        };
+        userAssignedIdentities = {
+            createOrUpdate: mockCreateIdentity,
+        };
+    },
+}));
 vi.mock("@azure/identity", () => ({
     DefaultAzureCredential: vi.fn(),
 }));
@@ -24,6 +68,22 @@ vi.mock("@azure/arm-resources", () => ({
             get: mockProviderGet,
             register: mockProviderRegister,
         };
+        resourceGroups = {
+            beginDeleteAndWait: mockDeleteResourceGroup,
+            createOrUpdate: mockCreateResourceGroup,
+        };
+    },
+}));
+vi.mock("@azure/arm-resources-subscriptions", () => ({
+    SubscriptionClient: class {
+        subscriptions = {
+            get: mockGetSubscription,
+        };
+    },
+}));
+vi.mock("@azure/keyvault-secrets", () => ({
+    SecretClient: class {
+        setSecret = mockSetSecret;
     },
 }));
 const test = baseTest.extend({
@@ -34,6 +94,29 @@ const test = baseTest.extend({
         await use(cloudAccountService);
     },
 });
+beforeEach(() => {
+    queryResources.mockReset();
+    queryResources.mockResolvedValue({ data: [], totalRecords: 0 });
+    mockCreateFederatedIdentityCredential.mockClear();
+    mockCreateIdentity.mockClear();
+    mockCreateIdentity.mockResolvedValue({
+        clientId: "client-1",
+        principalId: "principal-1",
+    });
+    mockCreateKeyVault.mockClear();
+    mockCreateResourceGroup.mockClear();
+    mockDeleteResourceGroup.mockClear();
+    mockGetSubscription.mockClear();
+    mockGetSubscription.mockResolvedValue({ tenantId: "tenant-1" });
+    mockKeyVaultNameAvailability.mockClear();
+    mockKeyVaultNameAvailability.mockResolvedValue({ nameAvailable: true });
+    mockProviderGet.mockClear();
+    mockProviderGet.mockResolvedValue({ registrationState: "Registered" });
+    mockProviderRegister.mockClear();
+    mockRoleAssignmentsCreate.mockClear();
+    mockRoleAssignmentsListForScope.mockReset();
+    mockSetSecret.mockClear();
+});
 describe("getTerraformBackend", () => {
     test("returns undefined when no matching storage account is found", async ({ cloudAccountService, }) => {
         queryResources.mockResolvedValueOnce({
@@ -157,3 +240,51 @@ describe("isInitialized", () => {
         expect(result).toBe(false);
     });
 });
+describe("initialize", () => {
+    test("assigns bootstrap roles to the bootstrap identity", async ({ cloudAccountService, }) => {
+        await cloudAccountService.initialize({
+            csp: "azure",
+            defaultLocation: "italynorth",
+            displayName: "Test subscription",
+            id: "sub-1",
+        }, {
+            name: "dev",
+            prefix: "dx",
+        }, {
+            id: "app-id",
+            installationId: "installation-id",
+            key: "private-key\n",
+        }, {
+            owner: "pagopa",
+            repo: "dx",
+        }, {
+            createBranch: vi.fn(),
+            createOrUpdateEnvironmentSecret: vi.fn().mockResolvedValue(undefined),
+            createPullRequest: vi.fn(),
+            getFileContent: vi.fn(),
+            getRepository: vi.fn(),
+            updateFile: vi.fn(),
+        });
+        expect(mockRoleAssignmentsCreate).toHaveBeenCalledTimes(3);
+        expect(mockRoleAssignmentsCreate).toHaveBeenCalledWith("/subscriptions/sub-1", expect.any(String), expect.objectContaining({
+            principalId: "principal-1",
+            principalType: "ServicePrincipal",
+            roleDefinitionId: "/subscriptions/sub-1/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168",
+        }));
+        expect(mockRoleAssignmentsCreate).toHaveBeenCalledWith("/subscriptions/sub-1", expect.any(String), expect.objectContaining({
+            principalId: "principal-1",
+            principalType: "ServicePrincipal",
+            roleDefinitionId: "/subscriptions/sub-1/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
+        }));
+        expect(mockRoleAssignmentsCreate).toHaveBeenCalledWith("/subscriptions/sub-1", expect.any(String), expect.objectContaining({
+            principalId: "principal-1",
+            principalType: "ServicePrincipal",
+            roleDefinitionId: "/subscriptions/sub-1/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
+        }));
+        expect(mockCreateFederatedIdentityCredential).toHaveBeenCalledWith("dx-d-itn-common-rg-01", "dx-d-itn-bootstrap-id-01", "bootstrapper-dev-cd", {
+            audiences: ["api://AzureADTokenExchange"],
+            issuer: "https://token.actions.githubusercontent.com",
+            subject: "repo:pagopa/dx:environment:bootstrapper-dev-cd",
+        });
+    });
+});

package/dist/adapters/azure/cloud-account-service.d.ts

@@ -2,7 +2,8 @@ import type { TokenCredential } from "@azure/identity";
 import { z } from "zod/v4";
 import { CloudAccount, type CloudAccountService } from "../../domain/cloud-account.js";
 import { type EnvironmentId } from "../../domain/environment.js";
-import { GitHubAppCredentials } from "../../domain/github.js";
+import { type GitHubRepo } from "../../domain/github-repo.js";
+import { GitHubAppCredentials, type GitHubService } from "../../domain/github.js";
 import { type TerraformBackend } from "../../domain/remote-backend.js";
 export declare const resourceGraphDataSchema: z.ZodObject<{
     location: z.ZodEnum<{
@@ -17,7 +18,7 @@ export declare class AzureCloudAccountService implements CloudAccountService {
     constructor(credential: TokenCredential);
     getTerraformBackend(cloudAccountId: CloudAccount["id"], { name, prefix }: EnvironmentId): Promise<TerraformBackend | undefined>;
     hasUserPermissionToInitialize(cloudAccountId: CloudAccount["id"]): Promise<boolean>;
-    initialize(cloudAccount: CloudAccount, { name, prefix }: EnvironmentId, runnerAppCredentials: GitHubAppCredentials, tags?: Record<string, string>): Promise<void>;
+    initialize(cloudAccount: CloudAccount, { name, prefix }: EnvironmentId, runnerAppCredentials: GitHubAppCredentials, github: GitHubRepo, gitHubService: GitHubService, tags?: Record<string, string>): Promise<void>;
     isInitialized(cloudAccountId: CloudAccount["id"], { name, prefix }: EnvironmentId): Promise<boolean>;
     provisionTerraformBackend(cloudAccount: CloudAccount, { name, prefix }: EnvironmentId, tags?: Record<string, string>): Promise<TerraformBackend>;
 }

package/dist/adapters/azure/cloud-account-service.js

@@ -10,6 +10,7 @@ import { BlobServiceClient } from "@azure/storage-blob";
 import { getLogger } from "@logtape/logtape";
 import { Client } from "@microsoft/microsoft-graph-client";
 import * as assert from "node:assert/strict";
+import { createHash } from "node:crypto";
 import { z } from "zod/v4";
 import { environmentShort, } from "../../domain/environment.js";
 import { terraformBackendSchema, } from "../../domain/remote-backend.js";
@@ -31,6 +32,19 @@ const graphGroupMembershipResponseSchema = z.object({
     "@odata.nextLink": z.string().optional(),
     value: z.array(graphGroupMembershipItemSchema),
 });
+const builtInRoleDefinitionIds = {
+    contributor: "b24988ac-6180-42a0-ab88-20f7382dd24c",
+    keyVaultSecretsOfficer: "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
+    owner: "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
+    roleBasedAccessControlAdministrator: "f58310d9-a9f6-439a-9e8d-f62e7b41a168",
+    storageBlobDataContributor: "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
+};
+const bootstrapIdentityRoleDefinitionIds = [
+    // These roles let the bootstrap identity run the bootstrapper module from GitHub Actions without extra manual grants.
+    builtInRoleDefinitionIds.roleBasedAccessControlAdministrator,
+    builtInRoleDefinitionIds.contributor,
+    builtInRoleDefinitionIds.storageBlobDataContributor,
+];
 export class AzureCloudAccountService {
     #credential;
     #requiredResourceProviders = [
@@ -101,9 +115,9 @@ export class AzureCloudAccountService {
             // Get role assignments for the subscription
             const authClient = new AuthorizationManagementClient(this.#credential, cloudAccountId);
             const requiredRoles = [
-                "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", // Owner
-                "ba92f5b4-2d11-453d-a403-e96b0029c9fe", // Storage Blob Data Contributor
-                "b86a8fe4-44ce-4948-aee5-eccb2c155cd7", // Key Vault Secrets Officer
+                builtInRoleDefinitionIds.owner, // Owner
+                builtInRoleDefinitionIds.storageBlobDataContributor, // Storage Blob Data Contributor
+                builtInRoleDefinitionIds.keyVaultSecretsOfficer, // Key Vault Secrets Officer
             ];
             const scope = `/subscriptions/${cloudAccountId}`;
             // Collect all role definition IDs assigned to the user or their groups
@@ -140,7 +154,7 @@ export class AzureCloudAccountService {
             throw error;
         }
     }
-    async initialize(cloudAccount, { name, prefix }, runnerAppCredentials, tags = {}) {
+    async initialize(cloudAccount, { name, prefix }, runnerAppCredentials, github, gitHubService, tags = {}) {
         assert.equal(cloudAccount.csp, "azure", "Cloud account must be Azure");
         assert.ok(isAzureLocation(cloudAccount.defaultLocation), "The default location of the cloud account is not a valid Azure location");
         const logger = getLogger(["gen", "env"]);
@@ -164,46 +178,67 @@ export class AzureCloudAccountService {
         try {
             const identityName = `${prefix}-${short.env}-${short.location}-bootstrap-id-01`;
             const msiClient = new ManagedServiceIdentityClient(this.#credential, cloudAccount.id);
-            await msiClient.userAssignedIdentities.createOrUpdate(resourceGroupName, identityName, parameters);
+            const identity = await msiClient.userAssignedIdentities.createOrUpdate(resourceGroupName, identityName, parameters);
+            assert.ok(identity.principalId, "Managed identity principal ID is undefined");
+            const identityPrincipalId = identity.principalId;
+            assert.ok(identity.clientId, "Managed identity client ID is undefined");
+            const identityClientId = identity.clientId;
             logger.debug("Created identity {identityName} in subscription {subscriptionId}", { identityName, subscriptionId: cloudAccount.id });
-            // Retrieve tenant ID from the subscription
-            const subscriptionClient = new SubscriptionClient(this.#credential);
-            const subscription = await subscriptionClient.subscriptions.get(cloudAccount.id);
-            assert.ok(subscription.tenantId, "Subscription tenant ID is undefined");
-            const kvClient = new KeyVaultManagementClient(this.#credential, cloudAccount.id);
-            const keyVaultName = `${prefix}-${short.env}-${short.location}-common-kv-01`;
-            const secretsProtectionEnabled = short.env === "p";
-            const result = await kvClient.vaults.checkNameAvailability({
-                name: keyVaultName,
-                type: "Microsoft.KeyVault/vaults",
+            const authorizationManagementClient = new AuthorizationManagementClient(this.#credential, cloudAccount.id);
+            const subscriptionScope = `/subscriptions/${cloudAccount.id}`;
+            // Grant the bootstrap identity the Azure permissions it needs to operate autonomously in the bootstrap workflow.
+            await Promise.all(bootstrapIdentityRoleDefinitionIds.map((roleDefinitionId) => authorizationManagementClient.roleAssignments.create(subscriptionScope, this.#createRoleAssignmentName(subscriptionScope, identityPrincipalId, roleDefinitionId), {
+                principalId: identityPrincipalId,
+                principalType: "ServicePrincipal",
+                roleDefinitionId: this.#createRoleDefinitionResourceId(cloudAccount.id, roleDefinitionId),
+            })));
+            logger.debug("Assigned bootstrap roles to identity {identityName} in subscription {subscriptionId}", { identityName, subscriptionId: cloudAccount.id });
+            const githubEnvironmentName = `bootstrapper-${name}-cd`;
+            // Federate the bootstrap identity with the GitHub environment so workflows can exchange their OIDC token for Azure access.
+            await msiClient.federatedIdentityCredentials.createOrUpdate(resourceGroupName, identityName, githubEnvironmentName, {
+                audiences: ["api://AzureADTokenExchange"],
+                issuer: "https://token.actions.githubusercontent.com",
+                subject: `repo:${github.owner}/${github.repo}:environment:${githubEnvironmentName}`,
             });
-            await kvClient.vaults.beginCreateOrUpdateAndWait(resourceGroupName, keyVaultName, {
-                location: cloudAccount.defaultLocation,
-                properties: {
-                    createMode: result.nameAvailable ? "default" : "recover",
-                    enabledForDiskEncryption: true,
-                    enablePurgeProtection: secretsProtectionEnabled ? true : undefined,
-                    enableRbacAuthorization: true,
-                    sku: {
-                        family: "A",
-                        name: "standard",
-                    },
-                    softDeleteRetentionInDays: secretsProtectionEnabled ? 14 : 7,
-                    tenantId: subscription.tenantId,
-                },
-                tags: {
-                    Environment: name,
-                    ...tags,
-                },
+            logger.debug("Configured federated identity credential {credentialName} for identity {identityName} in subscription {subscriptionId}", {
+                credentialName: githubEnvironmentName,
+                identityName,
+                subscriptionId: cloudAccount.id,
             });
-            logger.debug("Created key vault {keyVaultName} in subscription {subscriptionId}", { keyVaultName, subscriptionId: cloudAccount.id });
-            const secretClient = new SecretClient(`https://${keyVaultName}.vault.azure.net/`, this.#credential);
+            // These secrets let the GitHub workflow target the bootstrap identity and subscription without extra setup.
             await Promise.all([
-                secretClient.setSecret("github-runner-app-id", runnerAppCredentials.id),
-                secretClient.setSecret("github-runner-app-installation-id", runnerAppCredentials.installationId),
-                secretClient.setSecret("github-runner-app-key", runnerAppCredentials.key.trimEnd()),
+                gitHubService.createOrUpdateEnvironmentSecret({
+                    environmentName: githubEnvironmentName,
+                    owner: github.owner,
+                    repo: github.repo,
+                    secretName: "ARM_CLIENT_ID",
+                    secretValue: identityClientId,
+                }),
+                gitHubService.createOrUpdateEnvironmentSecret({
+                    environmentName: githubEnvironmentName,
+                    owner: github.owner,
+                    repo: github.repo,
+                    secretName: "ARM_SUBSCRIPTION_ID",
+                    secretValue: cloudAccount.id,
+                }),
             ]);
-            logger.debug("Created secrets in key vault {keyVaultName} in subscription {subscriptionId}", { keyVaultName, subscriptionId: cloudAccount.id });
+            logger.debug("Set GitHub environment secrets for {environmentName}", {
+                environmentName: githubEnvironmentName,
+            });
+            const keyVaultName = await this.#createCommonKeyVault({
+                cloudAccount,
+                name,
+                prefix,
+                resourceGroupName,
+                shortEnv: short.env,
+                shortLocation: short.location,
+                tags,
+            });
+            await this.#storeRunnerAppSecrets({
+                cloudAccountId: cloudAccount.id,
+                keyVaultName,
+                runnerAppCredentials,
+            });
         }
         catch (cause) {
             // Cleanup resource group if initialization fails
@@ -313,6 +348,49 @@ export class AzureCloudAccountService {
         }));
         return results.every(Boolean);
     }
+    async #createCommonKeyVault({ cloudAccount, name, prefix, resourceGroupName, shortEnv, shortLocation, tags, }) {
+        const logger = getLogger(["gen", "env"]);
+        const subscriptionClient = new SubscriptionClient(this.#credential);
+        const subscription = await subscriptionClient.subscriptions.get(cloudAccount.id);
+        assert.ok(subscription.tenantId, "Subscription tenant ID is undefined");
+        const kvClient = new KeyVaultManagementClient(this.#credential, cloudAccount.id);
+        const keyVaultName = `${prefix}-${shortEnv}-${shortLocation}-common-kv-01`;
+        const secretsProtectionEnabled = shortEnv === "p";
+        const result = await kvClient.vaults.checkNameAvailability({
+            name: keyVaultName,
+            type: "Microsoft.KeyVault/vaults",
+        });
+        await kvClient.vaults.beginCreateOrUpdateAndWait(resourceGroupName, keyVaultName, {
+            location: cloudAccount.defaultLocation,
+            properties: {
+                createMode: result.nameAvailable ? "default" : "recover",
+                enabledForDiskEncryption: true,
+                enablePurgeProtection: secretsProtectionEnabled ? true : undefined,
+                enableRbacAuthorization: true,
+                sku: {
+                    family: "A",
+                    name: "standard",
+                },
+                softDeleteRetentionInDays: secretsProtectionEnabled ? 14 : 7,
+                tenantId: subscription.tenantId,
+            },
+            tags: {
+                Environment: name,
+                ...tags,
+            },
+        });
+        logger.debug("Created key vault {keyVaultName} in subscription {subscriptionId}", { keyVaultName, subscriptionId: cloudAccount.id });
+        return keyVaultName;
+    }
+    #createRoleAssignmentName(scope, principalId, roleDefinitionId) {
+        const hash = createHash("sha256")
+            .update(`${scope}:${principalId}:${roleDefinitionId}`)
+            .digest("hex");
+        return `${hash.slice(0, 8)}-${hash.slice(8, 12)}-${hash.slice(12, 16)}-${hash.slice(16, 20)}-${hash.slice(20, 32)}`;
+    }
+    #createRoleDefinitionResourceId(subscriptionId, roleDefinitionId) {
+        return `/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${roleDefinitionId}`;
+    }
     async #getCurrentPrincipalIds() {
         // Create Graph client with custom auth provider that fetches fresh tokens
         const graphClient = Client.init({
@@ -359,4 +437,14 @@ export class AzureCloudAccountService {
         }));
         logger.info("All resource providers registered on subscription {subscriptionId}", { subscriptionId });
     }
+    async #storeRunnerAppSecrets({ cloudAccountId, keyVaultName, runnerAppCredentials, }) {
+        const logger = getLogger(["gen", "env"]);
+        const secretClient = new SecretClient(`https://${keyVaultName}.vault.azure.net/`, this.#credential);
+        await Promise.all([
+            secretClient.setSecret("github-runner-app-id", runnerAppCredentials.id),
+            secretClient.setSecret("github-runner-app-installation-id", runnerAppCredentials.installationId),
+            secretClient.setSecret("github-runner-app-key", runnerAppCredentials.key.trimEnd()),
+        ]);
+        logger.debug("Created secrets in key vault {keyVaultName} in subscription {subscriptionId}", { keyVaultName, subscriptionId: cloudAccountId });
+    }
 }

package/dist/adapters/commander/commands/add.d.ts

@@ -11,11 +11,13 @@ import { Command } from "commander";
 import { ResultAsync } from "neverthrow";
 import type { Payload as EnvironmentPayload } from "../../plop/generators/environment/index.js";
 import { AuthorizationResult, AuthorizationService } from "../../../domain/authorization.js";
+import { type GitHubService } from "../../../domain/github.js";
 /**
  * Authorize a Cloud Account (Azure Subscription, AWS Account, ...), creating a Pull Request for each account that requires authorization.
  */
 export declare const authorizeCloudAccounts: (authorizationService: AuthorizationService) => (envPayload: EnvironmentPayload) => ResultAsync<AuthorizationResult[], never>;
 export type AddCommandDependencies = {
     authorizationService: AuthorizationService;
+    gitHubService: GitHubService;
 };
 export declare const makeAddCommand: (deps: AddCommandDependencies) => Command;

package/dist/adapters/commander/commands/add.js

@@ -69,9 +69,9 @@ const displaySummary = (result) => {
     }
     console.log(`${step}. Visit ${chalk.underline("https://dx.pagopa.it/getting-started")} to deploy your first project\n`);
 };
-const addEnvironmentAction = (authorizationService) => checkPreconditions()
+const addEnvironmentAction = (authorizationService, gitHubService) => checkPreconditions()
     .andThen(() => ResultAsync.fromPromise(getPlopInstance(), () => new Error("Failed to initialize plop")))
-    .andThen((plop) => ResultAsync.fromPromise(runDeploymentEnvironmentGenerator(plop), () => new Error("Failed to run the deployment environment generator")))
+    .andThen((plop) => ResultAsync.fromPromise(runDeploymentEnvironmentGenerator(plop, gitHubService), () => new Error("Failed to run the deployment environment generator")))
     .andThen((payload) => authorizeCloudAccounts(authorizationService)(payload).map((authorizationPrs) => ({
     authorizationPrs,
 })));
@@ -81,7 +81,7 @@ export const makeAddCommand = (deps) => new Command()
     .addCommand(new Command("environment")
     .description("Add a new deployment environment")
     .action(async function () {
-    const result = await addEnvironmentAction(deps.authorizationService);
+    const result = await addEnvironmentAction(deps.authorizationService, deps.gitHubService);
     if (result.isErr()) {
         this.error(result.error.message);
     }

package/dist/adapters/octokit/index.d.ts

@@ -1,6 +1,6 @@
 import { ResultAsync } from "neverthrow";
 import { Octokit } from "octokit";
-import { CreateBranchParams, FileContent, GetFileContentParams, GitHubService, PullRequest, Repository, UpdateFileParams } from "../../domain/github.js";
+import { CreateBranchParams, CreateOrUpdateEnvironmentSecretParams, FileContent, GetFileContentParams, GitHubService, PullRequest, Repository, UpdateFileParams } from "../../domain/github.js";
 type GitHubReleaseParam = {
     client: Octokit;
     owner: string;
@@ -10,6 +10,7 @@ export declare class OctokitGitHubService implements GitHubService {
     #private;
     constructor(octokit: Octokit);
     createBranch(params: CreateBranchParams): Promise<void>;
+    createOrUpdateEnvironmentSecret(params: CreateOrUpdateEnvironmentSecretParams): Promise<void>;
     createPullRequest(params: {
         base: string;
         body: string;

package/dist/adapters/octokit/index.js

@@ -1,4 +1,5 @@
 import { $ } from "execa";
+import sodium from "libsodium-wrappers";
 import { ResultAsync } from "neverthrow";
 import { RequestError } from "octokit";
 import semverParse from "semver/functions/parse.js";
@@ -31,6 +32,38 @@ export class OctokitGitHubService {
             });
         }
     }
+    async createOrUpdateEnvironmentSecret(params) {
+        try {
+            // GitHub requires environment secrets to be encrypted client-side with libsodium.
+            await sodium.ready;
+            // Ensure the target environment exists before resolving its public key and storing secrets.
+            await this.#octokit.request("PUT /repos/{owner}/{repo}/environments/{environment_name}", {
+                environment_name: params.environmentName,
+                owner: params.owner,
+                repo: params.repo,
+            });
+            const { data: publicKeyData } = await this.#octokit.rest.actions.getEnvironmentPublicKey({
+                environment_name: params.environmentName,
+                owner: params.owner,
+                repo: params.repo,
+            });
+            const publicKeyBytes = sodium.from_base64(publicKeyData.key, sodium.base64_variants.ORIGINAL);
+            const secretBytes = sodium.from_string(params.secretValue);
+            const encryptedBytes = sodium.crypto_box_seal(secretBytes, publicKeyBytes);
+            const encryptedValue = sodium.to_base64(encryptedBytes, sodium.base64_variants.ORIGINAL);
+            await this.#octokit.rest.actions.createOrUpdateEnvironmentSecret({
+                encrypted_value: encryptedValue,
+                environment_name: params.environmentName,
+                key_id: publicKeyData.key_id,
+                owner: params.owner,
+                repo: params.repo,
+                secret_name: params.secretName,
+            });
+        }
+        catch (error) {
+            throw new Error(`Failed to create or update secret ${params.secretName} in environment ${params.environmentName}`, { cause: error });
+        }
+    }
     async createPullRequest(params) {
         try {
             const { data } = await this.#octokit.rest.pulls.create({

package/dist/adapters/plop/actions/__tests__/init-cloud-accounts.test.js

@@ -1,5 +1,13 @@
 import { describe, expect, it, vi } from "vitest";
 import { initCloudAccounts } from "../init-cloud-accounts.js";
+const createMockGitHubService = () => ({
+    createBranch: vi.fn(),
+    createOrUpdateEnvironmentSecret: vi.fn().mockResolvedValue(undefined),
+    createPullRequest: vi.fn(),
+    getFileContent: vi.fn(),
+    getRepository: vi.fn(),
+    updateFile: vi.fn(),
+});
 const createMockCloudAccountService = (overrides = {}) => ({
     getTerraformBackend: vi.fn().mockResolvedValue(undefined),
     hasUserPermissionToInitialize: vi.fn().mockResolvedValue(true),
@@ -68,18 +76,24 @@ describe("initCloudAccounts", () => {
                 },
             },
         });
-        await initCloudAccounts(payload, mockService);
+        await initCloudAccounts(payload, mockService, createMockGitHubService());
         expect(initializeMock).toHaveBeenCalledTimes(2);
         expect(initializeMock).toHaveBeenCalledWith(cloudAccount1, expect.objectContaining({ name: "prod", prefix: "io" }), {
             id: "test-app-id",
             installationId: "test-installation-id",
             key: "test-private-key",
-        }, {});
+        }, {
+            owner: "pagopa",
+            repo: "dx",
+        }, expect.any(Object), {});
         expect(initializeMock).toHaveBeenCalledWith(cloudAccount2, expect.objectContaining({ name: "prod", prefix: "io" }), {
             id: "test-app-id",
             installationId: "test-installation-id",
             key: "test-private-key",
-        }, {});
+        }, {
+            owner: "pagopa",
+            repo: "dx",
+        }, expect.any(Object), {});
     });
     it("should not call initialize when cloudAccountsToInitialize is empty", async () => {
         const initializeMock = vi.fn().mockResolvedValue(undefined);
@@ -99,7 +113,7 @@ describe("initCloudAccounts", () => {
                 },
             },
         });
-        await initCloudAccounts(payload, mockService);
+        await initCloudAccounts(payload, mockService, createMockGitHubService());
         expect(initializeMock).not.toHaveBeenCalled();
     });
     it("should not call initialize when payload.init is undefined", async () => {
@@ -110,7 +124,7 @@ describe("initCloudAccounts", () => {
         const payload = createMockPayload({
             init: undefined,
         });
-        await initCloudAccounts(payload, mockService);
+        await initCloudAccounts(payload, mockService, createMockGitHubService());
         expect(initializeMock).not.toHaveBeenCalled();
     });
     it("should use prefix and environment name from payload.env", async () => {
@@ -137,11 +151,14 @@ describe("initCloudAccounts", () => {
                 },
             },
         });
-        await initCloudAccounts(payload, mockService);
+        await initCloudAccounts(payload, mockService, createMockGitHubService());
         expect(initializeMock).toHaveBeenCalledWith(cloudAccount, expect.objectContaining({ name: "uat", prefix: "pagopa" }), {
             id: "test-app-id",
             installationId: "test-installation-id",
             key: "test-private-key",
-        }, {});
+        }, {
+            owner: "pagopa",
+            repo: "dx",
+        }, expect.any(Object), {});
     });
 });

package/dist/adapters/plop/actions/init-cloud-accounts.d.ts

@@ -1,5 +1,6 @@
 import { type NodePlopAPI } from "node-plop";
 import { CloudAccountService } from "../../../domain/cloud-account.js";
+import { type GitHubService } from "../../../domain/github.js";
 import { type Payload } from "../generators/environment/prompts.js";
-export declare const initCloudAccounts: (payload: Payload, cloudAccountService: CloudAccountService) => Promise<void>;
-export default function (plop: NodePlopAPI, cloudAccountService: CloudAccountService): void;
+export declare const initCloudAccounts: (payload: Payload, cloudAccountService: CloudAccountService, gitHubService: GitHubService) => Promise<void>;
+export default function (plop: NodePlopAPI, cloudAccountService: CloudAccountService, gitHubService: GitHubService): void;

package/dist/adapters/plop/actions/init-cloud-accounts.js

@@ -1,16 +1,16 @@
 import assert from "node:assert/strict";
 import { payloadSchema, } from "../generators/environment/prompts.js";
-export const initCloudAccounts = async (payload, cloudAccountService) => {
+export const initCloudAccounts = async (payload, cloudAccountService, gitHubService) => {
     if (payload.init && payload.init.cloudAccountsToInitialize.length > 0) {
         const { runnerAppCredentials } = payload.init;
         assert.ok(runnerAppCredentials, "Runner app credentials are required");
-        await Promise.all(payload.init.cloudAccountsToInitialize.map((cloudAccount) => cloudAccountService.initialize(cloudAccount, payload.env, runnerAppCredentials, payload.tags)));
+        await Promise.all(payload.init.cloudAccountsToInitialize.map((cloudAccount) => cloudAccountService.initialize(cloudAccount, payload.env, runnerAppCredentials, payload.github, gitHubService, payload.tags)));
     }
 };
-export default function (plop, cloudAccountService) {
+export default function (plop, cloudAccountService, gitHubService) {
     plop.setActionType("initCloudAccounts", async (data) => {
         const payload = payloadSchema.parse(data);
-        await initCloudAccounts(payload, cloudAccountService);
+        await initCloudAccounts(payload, cloudAccountService, gitHubService);
         return "Cloud Accounts Initialized";
     });
 }

package/dist/adapters/plop/generators/environment/__tests__/actions.test.js

@@ -46,7 +46,12 @@ describe("actions", () => {
             payload: getPayload(false),
         },
     ])("correct order of actions", ({ payload }) => {
-        const actionsOrder = ["getTerraformBackend", "addMany", "addMany"];
+        const actionsOrder = [
+            "getTerraformBackend",
+            "addMany",
+            "addMany",
+            "addMany",
+        ];
         if (payload.init) {
             actionsOrder.unshift("initCloudAccounts", "provisionTerraformBackend");
             actionsOrder.push("addMany", "addMany");

package/dist/adapters/plop/generators/environment/actions.js

@@ -29,6 +29,17 @@ const addModule = (env, templatesPath, init = false) => {
         },
     ];
 };
+const addWorkflowModule = (templatesPath) => {
+    const cwd = process.cwd();
+    return {
+        base: path.join(templatesPath, "workflow"),
+        destination: path.join(cwd, ".github", "workflows"),
+        force: true,
+        templateFiles: path.join(templatesPath, "workflow"),
+        type: "addMany",
+        verbose: true,
+    };
+};
 export default function getActions(templatesPath) {
     return (payload) => {
         const logger = getLogger(["gen", "env"]);
@@ -39,6 +50,7 @@ export default function getActions(templatesPath) {
             {
                 type: "getTerraformBackend",
             },
+            addWorkflowModule(templatesPath),
             ...addEnvironmentModule("bootstrapper", `${github.repo}.bootstrapper.${env.name}.tfstate`),
         ];
         if (init) {

package/dist/adapters/plop/generators/environment/index.d.ts

@@ -1,7 +1,8 @@
 import { type NodePlopAPI } from "node-plop";
 import { CloudAccountRepository, CloudAccountService } from "../../../../domain/cloud-account.js";
 import { GitHubRepo } from "../../../../domain/github-repo.js";
+import { type GitHubService } from "../../../../domain/github.js";
 import { Payload, payloadSchema } from "./prompts.js";
 export declare const PLOP_ENVIRONMENT_GENERATOR_NAME = "DX_DeploymentEnvironment";
 export { Payload, payloadSchema };
-export default function (plop: NodePlopAPI, templatesPath: string, cloudAccountRepository: CloudAccountRepository, cloudAccountService: CloudAccountService, github?: GitHubRepo): void;
+export default function (plop: NodePlopAPI, templatesPath: string, cloudAccountRepository: CloudAccountRepository, cloudAccountService: CloudAccountService, gitHubService: GitHubService, github?: GitHubRepo): void;

package/dist/adapters/plop/generators/environment/index.js

@@ -8,13 +8,13 @@ import getActions from "./actions.js";
 import getPrompts, { payloadSchema } from "./prompts.js";
 export const PLOP_ENVIRONMENT_GENERATOR_NAME = "DX_DeploymentEnvironment";
 export { payloadSchema };
-export default function (plop, templatesPath, cloudAccountRepository, cloudAccountService, github) {
+export default function (plop, templatesPath, cloudAccountRepository, cloudAccountService, gitHubService, github) {
     setEnvShortHelper(plop);
     setResourcePrefixHelper(plop);
     setEqHelper(plop);
     setGetTerraformBackend(plop, cloudAccountService);
     setProvisionTerraformBackendAction(plop, cloudAccountService);
-    setInitCloudAccountsAction(plop, cloudAccountService);
+    setInitCloudAccountsAction(plop, cloudAccountService, gitHubService);
     plop.setGenerator(PLOP_ENVIRONMENT_GENERATOR_NAME, {
         actions: getActions(templatesPath),
         description: "Generate a new deployment environment",

package/dist/adapters/plop/index.d.ts

@@ -14,7 +14,7 @@ export declare const runMonorepoGenerator: (plop: NodePlopAPI, githubService: Gi
  *                 uses the explicitly passed repository. When omitted (by add command),
  *                 the generator infers it from the local git context.
  */
-export declare const runDeploymentEnvironmentGenerator: (plop: NodePlopAPI, github?: GitHubRepo) => Promise<EnvironmentPayload>;
+export declare const runDeploymentEnvironmentGenerator: (plop: NodePlopAPI, gitHubService: GitHubService, github?: GitHubRepo) => Promise<EnvironmentPayload>;
 /**
  * Configure the deployment environment generator
  *
@@ -23,4 +23,4 @@ export declare const runDeploymentEnvironmentGenerator: (plop: NodePlopAPI, gith
  *                 uses the explicitly passed repository. When omitted (by add command),
  *                 the generator infers it from the local git context.
  */
-export declare const setDeploymentEnvironmentGenerator: (plop: NodePlopAPI, github?: GitHubRepo) => void;
+export declare const setDeploymentEnvironmentGenerator: (plop: NodePlopAPI, gitHubService: GitHubService, github?: GitHubRepo) => void;

package/dist/adapters/plop/index.js

@@ -62,8 +62,8 @@ export const runMonorepoGenerator = async (plop, githubService) => {
  *                 uses the explicitly passed repository. When omitted (by add command),
  *                 the generator infers it from the local git context.
  */
-export const runDeploymentEnvironmentGenerator = async (plop, github) => {
-    setDeploymentEnvironmentGenerator(plop, github);
+export const runDeploymentEnvironmentGenerator = async (plop, gitHubService, github) => {
+    setDeploymentEnvironmentGenerator(plop, gitHubService, github);
     const generator = plop.getGenerator(PLOP_ENVIRONMENT_GENERATOR_NAME);
     const answers = await generator.runPrompts();
     const payload = environmentPayloadSchema.parse(answers);
@@ -82,10 +82,10 @@ export const runDeploymentEnvironmentGenerator = async (plop, github) => {
  *                 uses the explicitly passed repository. When omitted (by add command),
  *                 the generator infers it from the local git context.
  */
-export const setDeploymentEnvironmentGenerator = (plop, github) => {
+export const setDeploymentEnvironmentGenerator = (plop, gitHubService, github) => {
     const credential = new AzureCliCredential();
     const cloudAccountRepository = new AzureSubscriptionRepository(credential);
     const cloudAccountService = new AzureCloudAccountService(credential);
     const templatesPath = path.join(import.meta.dirname, "../../../templates/environment");
-    createDeploymentEnvironmentGenerator(plop, templatesPath, cloudAccountRepository, cloudAccountService, github);
+    createDeploymentEnvironmentGenerator(plop, templatesPath, cloudAccountRepository, cloudAccountService, gitHubService, github);
 };

package/dist/domain/cloud-account.d.ts

@@ -1,6 +1,7 @@
 import { z } from "zod/v4";
 import { type EnvironmentId } from "./environment.js";
-import { type GitHubAppCredentials } from "./github.js";
+import { type GitHubRepo } from "./github-repo.js";
+import { type GitHubAppCredentials, type GitHubService } from "./github.js";
 import { TerraformBackend } from "./remote-backend.js";
 export declare const cloudAccountSchema: z.ZodObject<{
     csp: z.ZodDefault<z.ZodEnum<{
@@ -17,7 +18,7 @@ export type CloudAccountRepository = {
 export type CloudAccountService = {
     getTerraformBackend(cloudAccountId: CloudAccount["id"], environment: EnvironmentId): Promise<TerraformBackend | undefined>;
     hasUserPermissionToInitialize(cloudAccountId: CloudAccount["id"]): Promise<boolean>;
-    initialize(cloudAccount: CloudAccount, environment: EnvironmentId, runnerAppCredentials: GitHubAppCredentials, tags?: Record<string, string>): Promise<void>;
+    initialize(cloudAccount: CloudAccount, environment: EnvironmentId, runnerAppCredentials: GitHubAppCredentials, github: GitHubRepo, gitHubService: GitHubService, tags?: Record<string, string>): Promise<void>;
     isInitialized(cloudAccountId: CloudAccount["id"], environment: EnvironmentId): Promise<boolean>;
     provisionTerraformBackend(cloudAccount: CloudAccount, environment: EnvironmentId, tags?: Record<string, string>): Promise<TerraformBackend>;
 };

package/dist/domain/github.d.ts

@@ -5,6 +5,13 @@ export type CreateBranchParams = {
     owner: string;
     repo: string;
 };
+export type CreateOrUpdateEnvironmentSecretParams = {
+    environmentName: string;
+    owner: string;
+    repo: string;
+    secretName: string;
+    secretValue: string;
+};
 export type FileContent = {
     content: string;
     sha: string;
@@ -21,6 +28,12 @@ export interface GitHubService {
      * @throws Error if branch creation fails
      */
     createBranch(params: CreateBranchParams): Promise<void>;
+    /**
+     * Creates or updates a secret in a GitHub repository environment.
+     * The value is automatically encrypted using the environment's public key.
+     * @throws Error if secret creation fails
+     */
+    createOrUpdateEnvironmentSecret(params: CreateOrUpdateEnvironmentSecretParams): Promise<void>;
     /**
      * Creates a pull request in a GitHub repository.
      * @throws Error if pull request creation fails

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/dx-cli",
-  "version": "0.20.0",
+  "version": "0.20.2",
   "type": "module",
   "description": "A CLI useful to manage DX tools.",
   "repository": {
@@ -39,6 +39,7 @@
     "execa": "^9.6.1",
     "glob": "^11.1.0",
     "inquirer": "^9.3.8",
+    "libsodium-wrappers": "^0.8.2",
     "neverthrow": "^8.2.0",
     "node-plop": "^0.32.3",
     "octokit": "^5.0.5",
@@ -52,6 +53,7 @@
   "devDependencies": {
     "@tsconfig/node24": "24.0.4",
     "@types/inquirer": "^9.0.9",
+    "@types/libsodium-wrappers": "^0.8.2",
     "@types/node": "^22.19.17",
     "@types/semver": "^7.7.1",
     "@vitest/coverage-v8": "^3.2.4",

package/templates/environment/core/{{env.name}}/main.tf.hbs

@@ -2,7 +2,7 @@
 {{#each this}}
 module "azure-{{displayName}}_core" {
   source  = "pagopa-dx/azure-core-infra/azurerm"
-  version = "~> 3.0"
+  version = "~> 4.0"
 
   providers = {
     azurerm = azurerm.{{displayName}}
@@ -12,8 +12,6 @@ module "azure-{{displayName}}_core" {
     app_name = "core"
   })
 
-  vpn_enabled = true
-
   tags = merge(local.tags, {
     Source = "https://github.com/{{@root.github.owner}}/{{@root.github.repo}}/blob/main/infra/core/{{@root.env.name}}"
   })

package/templates/environment/workflow/_release-terraform-apply-bootstrapper-{{env.name}}.yaml.hbs

@@ -0,0 +1,19 @@
+name: Release Bootstrapper Infrastructure - {{@root.env.name}}
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - "infra/bootstrapper/**"
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    uses: pagopa/dx/.github/workflows/release-terraform-bootstrapper-v1.yaml@main
+    name: Release Bootstrapper ({{@root.env.name}})
+    secrets: inherit
+    with:
+      environment: '{{@root.env.name}}'