@pagopa/dx-cli 0.21.0 → 0.21.2

package/dist/adapters/azure/__tests__/cloud-account-service.test.js

@@ -241,7 +241,10 @@ describe("isInitialized", () => {
     });
 });
 describe("initialize", () => {
-    test("assigns bootstrap roles to the bootstrap identity", async ({ cloudAccountService, }) => {
+    test("assigns bootstrap roles and creates bootstrap environment secrets", async ({ cloudAccountService, }) => {
+        const createOrUpdateEnvironmentSecret = vi
+            .fn()
+            .mockResolvedValue(undefined);
         await cloudAccountService.initialize({
             csp: "azure",
             defaultLocation: "italynorth",
@@ -259,7 +262,7 @@ describe("initialize", () => {
             repo: "dx",
         }, {
             createBranch: vi.fn(),
-            createOrUpdateEnvironmentSecret: vi.fn().mockResolvedValue(undefined),
+            createOrUpdateEnvironmentSecret,
             createPullRequest: vi.fn(),
             getFileContent: vi.fn(),
             getRepository: vi.fn(),
@@ -286,5 +289,48 @@ describe("initialize", () => {
             issuer: "https://token.actions.githubusercontent.com",
             subject: "repo:pagopa/dx:environment:bootstrapper-dev-cd",
         });
+        expect(createOrUpdateEnvironmentSecret).toHaveBeenCalledTimes(6);
+        expect(createOrUpdateEnvironmentSecret).toHaveBeenCalledWith({
+            environmentName: "bootstrapper-dev-cd",
+            owner: "pagopa",
+            repo: "dx",
+            secretName: "ARM_CLIENT_ID",
+            secretValue: "client-1",
+        });
+        expect(createOrUpdateEnvironmentSecret).toHaveBeenCalledWith({
+            environmentName: "bootstrapper-dev-cd",
+            owner: "pagopa",
+            repo: "dx",
+            secretName: "ARM_TENANT_ID",
+            secretValue: "tenant-1",
+        });
+        expect(createOrUpdateEnvironmentSecret).toHaveBeenCalledWith({
+            environmentName: "bootstrapper-dev-cd",
+            owner: "pagopa",
+            repo: "dx",
+            secretName: "ARM_SUBSCRIPTION_ID",
+            secretValue: "sub-1",
+        });
+        expect(createOrUpdateEnvironmentSecret).toHaveBeenCalledWith({
+            environmentName: "bootstrapper-dev-cd",
+            owner: "pagopa",
+            repo: "dx",
+            secretName: "GH_APP_ID",
+            secretValue: "app-id",
+        });
+        expect(createOrUpdateEnvironmentSecret).toHaveBeenCalledWith({
+            environmentName: "bootstrapper-dev-cd",
+            owner: "pagopa",
+            repo: "dx",
+            secretName: "GH_APP_INSTALLATION_ID",
+            secretValue: "installation-id",
+        });
+        expect(createOrUpdateEnvironmentSecret).toHaveBeenCalledWith({
+            environmentName: "bootstrapper-dev-cd",
+            owner: "pagopa",
+            repo: "dx",
+            secretName: "GH_APP_KEY",
+            secretValue: "private-key",
+        });
     });
 });

package/dist/adapters/azure/cloud-account-service.js

@@ -169,6 +169,7 @@ export class AzureCloudAccountService {
         const parameters = {
             location: cloudAccount.defaultLocation,
             tags: {
+                CreatedBy: "DX CLI",
                 Environment: name,
                 ...tags,
             },
@@ -185,6 +186,10 @@ export class AzureCloudAccountService {
             const identityClientId = identity.clientId;
             logger.debug("Created identity {identityName} in subscription {subscriptionId}", { identityName, subscriptionId: cloudAccount.id });
             const authorizationManagementClient = new AuthorizationManagementClient(this.#credential, cloudAccount.id);
+            const subscriptionClient = new SubscriptionClient(this.#credential);
+            const subscription = await subscriptionClient.subscriptions.get(cloudAccount.id);
+            assert.ok(subscription.tenantId, "Subscription tenant ID is undefined");
+            const tenantId = subscription.tenantId;
             const subscriptionScope = `/subscriptions/${cloudAccount.id}`;
             // Grant the bootstrap identity the Azure permissions it needs to operate autonomously in the bootstrap workflow.
             await Promise.all(bootstrapIdentityRoleDefinitionIds.map((roleDefinitionId) => authorizationManagementClient.roleAssignments.create(subscriptionScope, this.#createRoleAssignmentName(subscriptionScope, identityPrincipalId, roleDefinitionId), {
@@ -205,25 +210,14 @@ export class AzureCloudAccountService {
                 identityName,
                 subscriptionId: cloudAccount.id,
             });
-            // These secrets let the GitHub workflow target the bootstrap identity and subscription without extra setup.
-            await Promise.all([
-                gitHubService.createOrUpdateEnvironmentSecret({
-                    environmentName: githubEnvironmentName,
-                    owner: github.owner,
-                    repo: github.repo,
-                    secretName: "ARM_CLIENT_ID",
-                    secretValue: identityClientId,
-                }),
-                gitHubService.createOrUpdateEnvironmentSecret({
-                    environmentName: githubEnvironmentName,
-                    owner: github.owner,
-                    repo: github.repo,
-                    secretName: "ARM_SUBSCRIPTION_ID",
-                    secretValue: cloudAccount.id,
-                }),
-            ]);
-            logger.debug("Set GitHub environment secrets for {environmentName}", {
-                environmentName: githubEnvironmentName,
+            await this.#storeBootstrapperEnvironmentSecrets({
+                cloudAccountId: cloudAccount.id,
+                github,
+                githubEnvironmentName,
+                gitHubService,
+                identityClientId,
+                runnerAppCredentials,
+                tenantId,
             });
             const keyVaultName = await this.#createCommonKeyVault({
                 cloudAccount,
@@ -233,6 +227,7 @@ export class AzureCloudAccountService {
                 shortEnv: short.env,
                 shortLocation: short.location,
                 tags,
+                tenantId,
             });
             await this.#storeRunnerAppSecrets({
                 cloudAccountId: cloudAccount.id,
@@ -348,11 +343,8 @@ export class AzureCloudAccountService {
         }));
         return results.every(Boolean);
     }
-    async #createCommonKeyVault({ cloudAccount, name, prefix, resourceGroupName, shortEnv, shortLocation, tags, }) {
+    async #createCommonKeyVault({ cloudAccount, name, prefix, resourceGroupName, shortEnv, shortLocation, tags, tenantId, }) {
         const logger = getLogger(["gen", "env"]);
-        const subscriptionClient = new SubscriptionClient(this.#credential);
-        const subscription = await subscriptionClient.subscriptions.get(cloudAccount.id);
-        assert.ok(subscription.tenantId, "Subscription tenant ID is undefined");
         const kvClient = new KeyVaultManagementClient(this.#credential, cloudAccount.id);
         const keyVaultName = `${prefix}-${shortEnv}-${shortLocation}-common-kv-01`;
         const secretsProtectionEnabled = shortEnv === "p";
@@ -372,7 +364,7 @@ export class AzureCloudAccountService {
                     name: "standard",
                 },
                 softDeleteRetentionInDays: secretsProtectionEnabled ? 14 : 7,
-                tenantId: subscription.tenantId,
+                tenantId,
             },
             tags: {
                 Environment: name,
@@ -437,6 +429,57 @@ export class AzureCloudAccountService {
         }));
         logger.info("All resource providers registered on subscription {subscriptionId}", { subscriptionId });
     }
+    async #storeBootstrapperEnvironmentSecrets({ cloudAccountId, github, githubEnvironmentName, gitHubService, identityClientId, runnerAppCredentials, tenantId, }) {
+        const logger = getLogger(["gen", "env"]);
+        await Promise.all([
+            gitHubService.createOrUpdateEnvironmentSecret({
+                environmentName: githubEnvironmentName,
+                owner: github.owner,
+                repo: github.repo,
+                secretName: "ARM_CLIENT_ID",
+                secretValue: identityClientId,
+            }),
+            gitHubService.createOrUpdateEnvironmentSecret({
+                environmentName: githubEnvironmentName,
+                owner: github.owner,
+                repo: github.repo,
+                secretName: "ARM_TENANT_ID",
+                secretValue: tenantId,
+            }),
+            gitHubService.createOrUpdateEnvironmentSecret({
+                environmentName: githubEnvironmentName,
+                owner: github.owner,
+                repo: github.repo,
+                secretName: "ARM_SUBSCRIPTION_ID",
+                secretValue: cloudAccountId,
+            }),
+            gitHubService.createOrUpdateEnvironmentSecret({
+                environmentName: githubEnvironmentName,
+                owner: github.owner,
+                repo: github.repo,
+                secretName: "GH_APP_ID",
+                secretValue: runnerAppCredentials.id,
+            }),
+            gitHubService.createOrUpdateEnvironmentSecret({
+                environmentName: githubEnvironmentName,
+                owner: github.owner,
+                repo: github.repo,
+                secretName: "GH_APP_INSTALLATION_ID",
+                secretValue: runnerAppCredentials.installationId,
+            }),
+            gitHubService.createOrUpdateEnvironmentSecret({
+                environmentName: githubEnvironmentName,
+                owner: github.owner,
+                repo: github.repo,
+                secretName: "GH_APP_KEY",
+                secretValue: runnerAppCredentials.key.trimEnd(),
+            }),
+        ]);
+        logger.debug("Set GitHub environment secrets for {environmentName}", {
+            environmentName: githubEnvironmentName,
+            subscriptionId: cloudAccountId,
+        });
+    }
     async #storeRunnerAppSecrets({ cloudAccountId, keyVaultName, runnerAppCredentials, }) {
         const logger = getLogger(["gen", "env"]);
         const secretClient = new SecretClient(`https://${keyVaultName}.vault.azure.net/`, this.#credential);

package/dist/adapters/commander/commands/__tests__/init.test.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Tests for confirmGitHubRepoCreation in the init command.
+ */
+export {};

package/dist/adapters/commander/commands/__tests__/init.test.js

@@ -0,0 +1,48 @@
+/**
+ * Tests for confirmGitHubRepoCreation in the init command.
+ */
+import inquirer from "inquirer";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { confirmGitHubRepoCreation } from "../init.js";
+vi.mock("inquirer");
+const makePayload = (overrides = {}) => ({
+    repoDescription: "A test repo",
+    repoName: "test-repo",
+    repoOwner: "pagopa",
+    ...overrides,
+});
+describe("confirmGitHubRepoCreation", () => {
+    afterEach(() => {
+        vi.restoreAllMocks();
+    });
+    it("returns true when the user confirms", async () => {
+        vi.mocked(inquirer.prompt).mockResolvedValue({ confirm: true });
+        const result = await confirmGitHubRepoCreation(makePayload());
+        expect(result.isOk()).toBe(true);
+        expect(result._unsafeUnwrap()).toBe(true);
+    });
+    it("returns false when the user declines", async () => {
+        vi.mocked(inquirer.prompt).mockResolvedValue({ confirm: false });
+        const result = await confirmGitHubRepoCreation(makePayload());
+        expect(result.isOk()).toBe(true);
+        expect(result._unsafeUnwrap()).toBe(false);
+    });
+    it("prompts with the correct repository name and owner", async () => {
+        vi.mocked(inquirer.prompt).mockResolvedValue({ confirm: true });
+        const payload = makePayload({ repoName: "my-repo", repoOwner: "my-org" });
+        await confirmGitHubRepoCreation(payload);
+        expect(inquirer.prompt).toHaveBeenCalledWith(expect.objectContaining({
+            message: expect.stringContaining("my-org/my-repo"),
+            type: "confirm",
+        }));
+    });
+    it("returns an error result when the prompt rejects", async () => {
+        const cause = new Error("non-interactive TTY");
+        vi.mocked(inquirer.prompt).mockRejectedValue(cause);
+        const result = await confirmGitHubRepoCreation(makePayload());
+        expect(result.isErr()).toBe(true);
+        const err = result._unsafeUnwrapErr();
+        expect(err).toBeInstanceOf(Error);
+        expect(err.cause).toBe(cause);
+    });
+});

package/dist/adapters/commander/commands/__tests__/preconditions.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/adapters/commander/commands/__tests__/preconditions.test.js

@@ -0,0 +1,32 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+const mocks = vi.hoisted(() => ({
+    oraPromise: vi.fn((promise) => promise),
+    tf$: vi.fn(async (...args) => {
+        void args;
+        return { stdout: '{"user":{"name":"test@example.com"}}' };
+    }),
+}));
+vi.mock("ora", () => ({ oraPromise: mocks.oraPromise }));
+vi.mock("../../../execa/terraform.js", () => ({ tf$: mocks.tf$ }));
+import { checkAddEnvironmentPreconditions, checkInitPreconditions, } from "../init.js";
+const calledCommands = () => mocks.tf$.mock.calls.map(([strings, ...values]) => strings.reduce((command, part, index) => command + part + String(values[index] ?? ""), ""));
+describe("init preconditions", () => {
+    beforeEach(() => {
+        vi.clearAllMocks();
+    });
+    it("checkInitPreconditions does not require Azure login", async () => {
+        const result = await checkInitPreconditions();
+        expect(result.isOk()).toBe(true);
+        expect(calledCommands()).toEqual(["terraform -version", "corepack -v"]);
+    });
+    it("checkAddEnvironmentPreconditions requires Azure login", async () => {
+        const result = await checkAddEnvironmentPreconditions();
+        expect(result.isOk()).toBe(true);
+        expect(calledCommands()).toEqual([
+            "terraform -version",
+            "az account show",
+            "az group list",
+            "corepack -v",
+        ]);
+    });
+});

package/dist/adapters/commander/commands/add.js

@@ -16,7 +16,7 @@ import { environmentShort } from "../../../domain/environment.js";
 import { isAzureLocation, locationShort } from "../../azure/locations.js";
 import { getPlopInstance, runDeploymentEnvironmentGenerator, } from "../../plop/index.js";
 import { exitWithError } from "../index.js";
-import { checkPreconditions } from "./init.js";
+import { checkAddEnvironmentPreconditions } from "./init.js";
 /**
  * Authorize a Cloud Account (Azure Subscription, AWS Account, ...), creating a Pull Request for each account that requires authorization.
  */
@@ -70,7 +70,7 @@ const displaySummary = (result) => {
     }
     console.log(`${step}. Visit ${chalk.underline("https://dx.pagopa.it/getting-started")} to deploy your first project\n`);
 };
-const addEnvironmentAction = (authorizationService, gitHubService) => checkPreconditions()
+const addEnvironmentAction = (authorizationService, gitHubService) => checkAddEnvironmentPreconditions()
     .andThen(() => ResultAsync.fromPromise(getPlopInstance(), (cause) => new Error("Failed to initialize plop", { cause })))
     .andThen((plop) => ResultAsync.fromPromise(runDeploymentEnvironmentGenerator(plop, gitHubService), (cause) => new Error("Failed to run the deployment environment generator", {
     cause,

package/dist/adapters/commander/commands/init.d.ts

@@ -1,7 +1,8 @@
 import { Command } from "commander";
 import { ResultAsync } from "neverthrow";
 import { GitHubService } from "../../../domain/github.js";
-export declare const checkPreconditions: () => ResultAsync<import("execa").Result<{
+import { Payload as MonorepoPayload } from "../../plop/generators/monorepo/index.js";
+export declare const checkInitPreconditions: () => ResultAsync<import("execa").Result<{
     environment: {
         NO_COLOR: string;
         TF_IN_AUTOMATION: string;
@@ -9,6 +10,15 @@ export declare const checkPreconditions: () => ResultAsync<import("execa").Resul
     };
     shell: true;
 }>, Error>;
+export declare const checkAddEnvironmentPreconditions: () => ResultAsync<import("execa").Result<{
+    environment: {
+        NO_COLOR: string;
+        TF_IN_AUTOMATION: string;
+        TF_INPUT: string;
+    };
+    shell: true;
+}>, Error>;
+export declare const confirmGitHubRepoCreation: (payload: MonorepoPayload) => ResultAsync<boolean, Error>;
 type InitCommandDependencies = {
     gitHubService: GitHubService;
 };

package/dist/adapters/commander/commands/init.js

@@ -2,6 +2,7 @@ import { getLogger } from "@logtape/logtape";
 import chalk from "chalk";
 import { Command } from "commander";
 import { $, ExecaError } from "execa";
+import inquirer from "inquirer";
 import { okAsync, ResultAsync } from "neverthrow";
 import * as path from "node:path";
 import { oraPromise } from "ora";
@@ -10,13 +11,28 @@ import { Repository, } from "../../../domain/github.js";
 import { tf$ } from "../../execa/terraform.js";
 import { getPlopInstance, runMonorepoGenerator } from "../../plop/index.js";
 import { exitWithError } from "../index.js";
+const isGitHubRepoCreationSkipped = (input) => "gitHubRepoCreationSkipped" in input;
 const withSpinner = (text, successText, failText, promise) => ResultAsync.fromPromise(oraPromise(promise, {
     failText,
     successText,
     text,
 }), (cause) => new Error(failText, { cause }));
-const displaySummary = (initResult) => {
-    const { pr, repository } = initResult;
+const displaySummary = (input) => {
+    const docsUrl = "https://dx.pagopa.it/getting-started";
+    if (isGitHubRepoCreationSkipped(input)) {
+        const { payload } = input;
+        console.log(chalk.yellow.bold("\nGitHub repository creation skipped."));
+        console.log(`The workspace files have been scaffolded in ${chalk.cyan(payload.repoName + "/")}.`);
+        console.log(chalk.bold("\nTo finish the setup manually:"));
+        let step = 1;
+        console.log(`${step++}. Create the GitHub repository by applying the Terraform config scaffolded at ${chalk.cyan(`${payload.repoName}/infra/repository`)}:`);
+        console.log(`       ${chalk.cyan(`cd ${payload.repoName}/infra/repository && terraform init && terraform apply`)}`);
+        console.log(`${step++}. Push the scaffolded code to the newly created repository:`);
+        console.log(`       ${chalk.cyan(`cd ${payload.repoName} && git init && git remote add origin <url> && git push`)}`);
+        console.log(`${step}. Visit ${chalk.underline(docsUrl)} to deploy your first project\n`);
+        return;
+    }
+    const { pr, repository } = input;
     console.log(chalk.green.bold("\nWorkspace created successfully!"));
     if (repository) {
         console.log(`- Name: ${chalk.cyan(repository.name)}`);
@@ -29,7 +45,7 @@ const displaySummary = (initResult) => {
         let step = 1;
         console.log(chalk.green.bold("\nNext Steps:"));
         console.log(`${step++}. Review the Pull Request in the GitHub repository: ${chalk.underline(pr.url)}`);
-        console.log(`${step}. Visit ${chalk.underline("https://dx.pagopa.it/getting-started")} to deploy your first project\n`);
+        console.log(`${step}. Visit ${chalk.underline(docsUrl)} to deploy your first project\n`);
     }
     else {
         console.log(chalk.yellow(`\n⚠️ There was an error during Pull Request creation.`));
@@ -54,7 +70,8 @@ const ensureAzLogin = async () => {
 };
 const checkAzLogin = () => withSpinner("Check Azure login status...", (userName) => `You are logged in to Azure (${userName})`, "Please log in to Azure CLI using `az login` before running this command.", ensureAzLogin());
 // TODO(CES-1810): Make these checks concurrent to speed up the preconditions check phase
-export const checkPreconditions = () => checkTerraformCliIsInstalled()
+export const checkInitPreconditions = () => checkTerraformCliIsInstalled().andThen(() => checkCorepackIsInstalled());
+export const checkAddEnvironmentPreconditions = () => checkTerraformCliIsInstalled()
     .andThen(() => checkAzLogin())
     .andThen(() => checkCorepackIsInstalled());
 const createRemoteRepository = ({ repoName, repoOwner, }) => {
@@ -117,16 +134,26 @@ const handleGeneratorError = (err) => {
     }
     return new Error("Failed to run the generator", { cause: err });
 };
+export const confirmGitHubRepoCreation = (payload) => ResultAsync.fromPromise(inquirer
+    .prompt({
+    default: true,
+    message: `The project is created on ${chalk.green(payload.repoName)}. Would you like to publish it to GitHub at ${chalk.green(`${payload.repoOwner}/${payload.repoName}`)} now?`,
+    name: "confirm",
+    type: "confirm",
+})
+    .then(({ confirm }) => confirm), (cause) => new Error("Failed to read GitHub publish confirmation", { cause }));
 export const makeInitCommand = ({ gitHubService, }) => new Command()
     .name("init")
     .description("Initialize a new DX workspace")
     .action(async function () {
-    await checkPreconditions()
+    await checkInitPreconditions()
         .andThen(() => ResultAsync.fromPromise(getPlopInstance(), (cause) => new Error("Failed to initialize plop", { cause })))
         .andThen((plop) => ResultAsync.fromPromise(runMonorepoGenerator(plop, gitHubService), handleGeneratorError))
         .andTee((payload) => {
         process.chdir(payload.repoName);
     })
-        .andThen((payload) => handleNewGitHubRepository(gitHubService)(payload))
+        .andThen((payload) => confirmGitHubRepoCreation(payload).andThen((confirmed) => confirmed
+        ? handleNewGitHubRepository(gitHubService)(payload)
+        : okAsync({ gitHubRepoCreationSkipped: true, payload })))
         .match(displaySummary, exitWithError(this));
 });

package/dist/adapters/plop/generators/environment/__tests__/prompts.test.js

@@ -1,6 +1,6 @@
 // Tests for workspaceSchema transforms (lowercase and trim on domain).
 import { describe, expect, it } from "vitest";
-import { workspaceSchema } from "../prompts.js";
+import { formatInitializationDetails, workspaceSchema } from "../prompts.js";
 describe("workspaceSchema — domain transforms", () => {
     it("lowercases an uppercase domain", () => {
         const result = workspaceSchema.safeParse({ domain: "API" });
@@ -23,3 +23,63 @@ describe("workspaceSchema — domain transforms", () => {
         expect(result.success && result.data.domain).toBe("");
     });
 });
+describe("formatInitializationDetails", () => {
+    const account = (overrides = {}) => ({
+        csp: "azure",
+        defaultLocation: "italynorth",
+        displayName: "DEV-FooBar",
+        id: "sub-123",
+        ...overrides,
+    });
+    const notInitializedStatus = (issues) => ({
+        initialized: false,
+        issues,
+    });
+    it("lists each uninitialized cloud account by displayName", () => {
+        const status = notInitializedStatus([
+            {
+                cloudAccount: account({ displayName: "DEV-A" }),
+                type: "CLOUD_ACCOUNT_NOT_INITIALIZED",
+            },
+            {
+                cloudAccount: account({ displayName: "DEV-B" }),
+                type: "CLOUD_ACCOUNT_NOT_INITIALIZED",
+            },
+        ]);
+        const output = formatInitializationDetails(status);
+        expect(output).toContain('Azure subscription "DEV-A"');
+        expect(output).toContain('Azure subscription "DEV-B"');
+        expect(output).toContain("managed identity");
+        expect(output).toContain("OIDC");
+        expect(output).toContain("ARM_CLIENT_ID");
+        expect(output).toContain("ARM_SUBSCRIPTION_ID");
+        expect(output).not.toContain("ARM_TENANT_ID");
+        expect(output).toContain("Key Vault");
+    });
+    it("includes the Terraform backend section when MISSING_REMOTE_BACKEND issue is present", () => {
+        const status = notInitializedStatus([
+            { cloudAccount: account(), type: "CLOUD_ACCOUNT_NOT_INITIALIZED" },
+            { type: "MISSING_REMOTE_BACKEND" },
+        ]);
+        const output = formatInitializationDetails(status);
+        expect(output).toContain("Terraform remote backend");
+        expect(output).toContain("Storage Account");
+    });
+    it("omits the Terraform backend section when no MISSING_REMOTE_BACKEND issue is present", () => {
+        const status = notInitializedStatus([
+            { cloudAccount: account(), type: "CLOUD_ACCOUNT_NOT_INITIALIZED" },
+        ]);
+        const output = formatInitializationDetails(status);
+        expect(output).not.toContain("Terraform remote backend");
+    });
+    it("omits the cloud account section when no CLOUD_ACCOUNT_NOT_INITIALIZED issues are present", () => {
+        const status = notInitializedStatus([{ type: "MISSING_REMOTE_BACKEND" }]);
+        const output = formatInitializationDetails(status);
+        expect(output).not.toContain("Azure subscription");
+        expect(output).toContain("Terraform remote backend");
+    });
+    it("returns an empty string when there are no relevant issues", () => {
+        const status = notInitializedStatus([]);
+        expect(formatInitializationDetails(status)).toBe("");
+    });
+});

package/dist/adapters/plop/generators/environment/prompts.d.ts

@@ -79,4 +79,13 @@ export declare const getCloudAccountToInitialize: (initStatus: EnvironmentInitSt
     displayName: string;
     id: string;
 }[];
+/**
+ * Build a human-readable description of the resources that will be created
+ * when initializing an environment, so users see the side effects before
+ * confirming. The exact resource names are intentionally omitted to avoid
+ * coupling the prompt copy to internal naming conventions.
+ */
+export declare const formatInitializationDetails: (initStatus: EnvironmentInitStatus & {
+    initialized: false;
+}) => string;
 export default prompts;

package/dist/adapters/plop/generators/environment/prompts.js

@@ -1,3 +1,4 @@
+import chalk from "chalk";
 import * as assert from "node:assert/strict";
 import { cloudAccountSchema, } from "../../../../domain/cloud-account.js";
 import { environmentSchema, getInitializationStatus, hasUserPermissionToInitialize, } from "../../../../domain/environment.js";
@@ -126,9 +127,10 @@ const prompts = (deps) => async (inquirer) => {
     if (initStatus.initialized) {
         return payload;
     }
+    console.log(formatInitializationDetails(initStatus));
     const initConfirm = await inquirer.prompt({
         default: true,
-        message: "The environment is not initialized. Do you want to initialize it now?",
+        message: `The environment "${payload.env.name}" is not initialized. Proceed with the setup above?`,
         name: "init",
         type: "confirm",
     });
@@ -198,4 +200,40 @@ export const getCloudLocationChoices = (regions) => regions.map((r) => ({ name:
 export const getCloudAccountToInitialize = (initStatus) => initStatus.issues
     .filter((issue) => issue.type === "CLOUD_ACCOUNT_NOT_INITIALIZED")
     .map((issue) => issue.cloudAccount);
+/**
+ * Build a human-readable description of the resources that will be created
+ * when initializing an environment, so users see the side effects before
+ * confirming. The exact resource names are intentionally omitted to avoid
+ * coupling the prompt copy to internal naming conventions.
+ */
+export const formatInitializationDetails = (initStatus) => {
+    const accountsToInit = getCloudAccountToInitialize(initStatus);
+    const missingBackend = initStatus.issues.some((issue) => issue.type === "MISSING_REMOTE_BACKEND");
+    const sections = [];
+    for (const account of accountsToInit) {
+        sections.push([
+            chalk.bold.cyan(`  Azure subscription "${account.displayName}":`),
+            `    • Bootstrap resource group and managed identity with subscription-scoped roles`,
+            `    • GitHub OIDC federated identity credential`,
+            `    • GitHub environment secrets (ARM_CLIENT_ID, ARM_SUBSCRIPTION_ID)`,
+            `    • Common Key Vault storing the GitHub runner app credentials`,
+        ].join("\n"));
+    }
+    if (missingBackend) {
+        sections.push([
+            chalk.bold.cyan(`  Terraform remote backend:`),
+            `    • Azure resource group and Storage Account for the Terraform state`,
+        ].join("\n"));
+    }
+    if (sections.length === 0) {
+        return "";
+    }
+    return [
+        "",
+        chalk.bold("The following resources will be created:"),
+        "",
+        ...sections,
+        "",
+    ].join("\n");
+};
 export default prompts;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/dx-cli",
-  "version": "0.21.0",
+  "version": "0.21.2",
   "type": "module",
   "description": "A CLI useful to manage DX tools.",
   "repository": {
@@ -31,7 +31,7 @@
     "@azure/identity": "^4.13.1",
     "@azure/keyvault-secrets": "^4.11.1",
     "@azure/storage-blob": "^12.31.0",
-    "@logtape/logtape": "^1.3.7",
+    "@logtape/logtape": "^1.3.8",
     "@microsoft/microsoft-graph-client": "^3.0.7",
     "chalk": "^5.6.2",
     "commander": "^14.0.3",
@@ -39,16 +39,16 @@
     "execa": "^9.6.1",
     "glob": "^11.1.0",
     "inquirer": "^9.3.8",
-    "libsodium-wrappers": "^0.8.2",
+    "libsodium-wrappers": "^0.8.4",
     "neverthrow": "^8.2.0",
     "node-plop": "^0.32.3",
     "octokit": "^5.0.5",
-    "ora": "^9.3.0",
+    "ora": "^9.4.0",
     "replace-in-file": "^8.4.0",
     "semver": "^7.7.4",
-    "yaml": "^2.8.3",
-    "zod": "^4.3.6",
-    "@pagopa/dx-savemoney": "^0.2.4"
+    "yaml": "^2.8.4",
+    "zod": "^4.4.2",
+    "@pagopa/dx-savemoney": "^0.2.5"
   },
   "devDependencies": {
     "@tsconfig/node24": "24.0.4",
@@ -57,14 +57,14 @@
     "@types/node": "^22.19.17",
     "@types/semver": "^7.7.1",
     "@vitest/coverage-v8": "^3.2.4",
-    "eslint": "^10.2.1",
-    "memfs": "^4.57.1",
+    "eslint": "^10.3.0",
+    "memfs": "^4.57.2",
     "plop": "^4.0.5",
     "prettier": "3.8.3",
     "typescript": "~5.9.3",
     "vitest": "^3.2.4",
     "vitest-mock-extended": "^3.1.1",
-    "@pagopa/eslint-config": "^6.0.3"
+    "@pagopa/eslint-config": "^6.0.4"
   },
   "engines": {
     "node": ">=22.0.0"

package/templates/environment/workflow/_release-terraform-apply-bootstrapper-{{env.name}}.yaml.hbs

@@ -9,6 +9,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   release:

package/templates/monorepo/.prettierignore

@@ -2,4 +2,5 @@
 **/*.hbs
 
 # Ignore built files
-dist
+dist
+CHANGELOG.md