siesa-agents 2.1.72-qa.2 → 2.1.72-qa.21
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bmad/bmm/config.yaml +33 -0
- package/claude/skills/sa-agent-sre-sentinel/SKILL.md +180 -0
- package/claude/skills/sa-aplicar/SKILL.md +268 -0
- package/claude/skills/sa-auditar-servicio/SKILL.md +255 -0
- package/claude/skills/sa-nueva-transversal/SKILL.md +317 -0
- package/claude/skills/sa-nuevo-ambiente/SKILL.md +147 -0
- package/claude/skills/sa-nuevo-servicio/SKILL.md +530 -0
- package/claude/skills/sa-onboard-db/SKILL.md +122 -0
- package/claude/skills/sa-qa-data-generator/SKILL.md +200 -51
- package/claude/skills/sa-quality-process/SKILL.md +6 -0
- package/claude/skills/sa-registrar-permisos/SKILL.md +233 -0
- package/package.json +1 -1
- package/siesa-agents/bmm/workflows/3-solutioning/quality-process/prompts/prompt_design_test.md +1037 -60
- package/siesa-agents/bmm/workflows/3-solutioning/quality-process/prompts/prompt_dor_gate.md +419 -379
- package/siesa-agents/bmm/workflows/3-solutioning/quality-process/prompts/prompt_e2e_executor.md +273 -0
- package/siesa-agents/bmm/workflows/3-solutioning/quality-process/prompts/prompt_playwright_impl.md +359 -355
- package/siesa-agents/bmm/workflows/3-solutioning/quality-process/prompts/prompt_test_plan.md +73 -111
- package/siesa-agents/bmm/workflows/3-solutioning/quality-process/workflow.md +1320 -997
- package/siesa-agents/resources/playwright-kit/.env.example +42 -0
- package/siesa-agents/resources/playwright-kit/README.md +228 -0
- package/siesa-agents/resources/playwright-kit/allure/categories.json +26 -0
- package/siesa-agents/resources/playwright-kit/global-setup.ts +34 -0
- package/siesa-agents/resources/playwright-kit/helpers/blazor-e2e-helpers.ts +417 -0
- package/siesa-agents/resources/playwright-kit/helpers/react-e2e-helpers.ts +297 -0
- package/siesa-agents/resources/playwright-kit/package-lock.json +850 -0
- package/siesa-agents/resources/playwright-kit/package.json +27 -0
- package/siesa-agents/resources/playwright-kit/playwright.config.ts +60 -0
- package/siesa-agents/resources/playwright-kit/proposed/.gitkeep +0 -0
- package/siesa-agents/resources/playwright-kit/reporters/agiletest-reporter.ts +252 -0
- package/siesa-agents/resources/playwright-kit/specs/.gitkeep +0 -0
- package/siesa-agents/resources/playwright-kit/specs/architecture-brief-siesa-erp.md +85 -0
- package/siesa-agents/resources/playwright-kit/specs/architecture-brief-siesa-react.md +109 -0
- package/siesa-agents/resources/playwright-kit/specs/architecture-brief-template.md +69 -0
- package/siesa-agents/resources/playwright-kit/tests/seed-example.spec.ts +95 -0
- package/siesa-agents/resources/playwright-kit/tools/locator-overlay.js +1306 -0
- package/siesa-agents/resources/playwright-kit/tools/locator-recorder.spec.ts +986 -0
- package/siesa-agents/scripts/__pycache__/bmad_to_agiletest.cpython-36.pyc +0 -0
- package/siesa-agents/scripts/bmad_to_agiletest.py +352 -337
- package/siesa-agents/scripts/converters/convert_csv_to_test_design.py +327 -0
- package/siesa-agents/scripts/converters/convert_excel_to_test_design.py +360 -0
- package/siesa-agents/scripts/converters/convert_md_to_test_design.py +359 -0
- package/siesa-agents/scripts/converters/convert_pdf_to_test_design.py +412 -0
- package/siesa-agents/scripts/converters/export_yaml_to_csv.py +149 -0
- package/siesa-agents/scripts/converters/export_yaml_to_excel.py +233 -0
- package/siesa-agents/scripts/converters/export_yaml_to_markdown.py +172 -0
- package/siesa-agents/scripts/converters/export_yaml_to_pdf.py +297 -0
- package/siesa-agents/scripts/merge_test_design.py +106 -106
- package/siesa-agents/scripts/playwright/yaml-to-playwright-spec.ts +203 -0
- package/siesa-agents/scripts/requirements.txt +7 -0
|
@@ -0,0 +1,255 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: sa-auditar-servicio
|
|
3
|
+
description: 'Audits an existing service in this transversal, verifying every deploy-repo artifact is present and correct, detects architectural drift, and generates an updated ci-pipeline.yml aligned with the current standard. Use whenever the user wants to check whether a deployed services artifacts match the current standard or asks for a service audit.'
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
> **Contexto de ejecución:** este skill asume que el cwd está dentro de la carpeta del workspace de despliegue (`_siesa-agents/devops/` en Siesa-Agents tras correr `/sa-init-devops`, o la raíz de un clon directo de `architecture-sa-devops`). Las rutas relativas (`environments/`, `terraform/`, `k8s/`, `scripts/`, etc.) se resuelven contra ese cwd.
|
|
7
|
+
|
|
8
|
+
Audita un servicio existente en esta transversal. Verifica que todos los artefactos en el repo de deploy estén presentes y correctos, detecta desalineaciones arquitectónicas y genera el `ci-pipeline.yml` alineado con el estándar actual. Al finalizar pregunta si corregir los gaps encontrados.
|
|
9
|
+
|
|
10
|
+
**Uso:** `/sa-auditar-servicio {nombre} [--no-mfe]`
|
|
11
|
+
|
|
12
|
+
**Ejemplos:**
|
|
13
|
+
- `/sa-auditar-servicio segments`
|
|
14
|
+
- `/sa-auditar-servicio liquid-tax --no-mfe`
|
|
15
|
+
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
## Instrucciones
|
|
19
|
+
|
|
20
|
+
Los argumentos son: `$ARGUMENTS`
|
|
21
|
+
|
|
22
|
+
Parsea:
|
|
23
|
+
- `NOMBRE` = primer argumento (ej: `segments`)
|
|
24
|
+
- `HAS_MFE` = `false` si `--no-mfe` está presente, `true` en caso contrario
|
|
25
|
+
|
|
26
|
+
Lee `environments/dev.yaml` para obtener:
|
|
27
|
+
- `PROJECT_ID` = `.gcp.project_id`
|
|
28
|
+
- `PROJECT_NUM` = `.gcp.project_number`
|
|
29
|
+
- `REGION` = `.gcp.region`
|
|
30
|
+
- `GKE_CLUSTER` = `.gke.cluster_name`
|
|
31
|
+
- `WORKER_POOL` = `.cloud_build.worker_pool`
|
|
32
|
+
- `SUITE` = `.naming.product_suite`
|
|
33
|
+
- `BUSINESS_UNIT` = `.naming.business_unit`
|
|
34
|
+
- `GATEWAY_NAME` = `.gateway.name`
|
|
35
|
+
- `DOMAIN` = `.dns.domain`
|
|
36
|
+
- `VITE_MODE` = `.frontend.vite_mode`
|
|
37
|
+
|
|
38
|
+
Lee `environments/shared.yaml` para obtener:
|
|
39
|
+
- `HUB_PROJECT` = `.hub.project_id` (puede no existir — ver G-S3)
|
|
40
|
+
- `WIF_POOL` = `.wif.pool_name`
|
|
41
|
+
|
|
42
|
+
Calcula:
|
|
43
|
+
- `SA_SHORT` = `NOMBRE` sin hyphens, truncado a 10 caracteres
|
|
44
|
+
- `SA_NAME` = `sa-sie-{SUITE}-{SA_SHORT}-cicd`
|
|
45
|
+
- `GITHUB_REPO` = `SiesaTeams/business-{BUSINESS_UNIT}-{NOMBRE}-service`
|
|
46
|
+
|
|
47
|
+
---
|
|
48
|
+
|
|
49
|
+
## Fase 1 — Auditoría de artefactos en el deploy repo
|
|
50
|
+
|
|
51
|
+
Verifica la existencia de cada archivo con Read (intenta leer; si falla → MISSING):
|
|
52
|
+
|
|
53
|
+
### Dapr Components
|
|
54
|
+
|
|
55
|
+
| Archivo | Estado |
|
|
56
|
+
|---|---|
|
|
57
|
+
| `k8s/overlays/dev/dapr/{NOMBRE}/pubsub.yaml` | PASS / MISSING |
|
|
58
|
+
| `k8s/overlays/dev/dapr/{NOMBRE}/secretstore.yaml` | PASS / MISSING |
|
|
59
|
+
|
|
60
|
+
Para cada archivo que existe, verifica que `projectId` sea `{PROJECT_ID}`. Si no coincide → DRIFT.
|
|
61
|
+
|
|
62
|
+
### Gateway Route
|
|
63
|
+
|
|
64
|
+
| Archivo | Estado |
|
|
65
|
+
|---|---|
|
|
66
|
+
| `k8s/overlays/dev/routes/{NOMBRE}-route.yaml` | PASS / MISSING |
|
|
67
|
+
|
|
68
|
+
Si existe, verifica:
|
|
69
|
+
- `parentRefs[0].name` = `{GATEWAY_NAME}`
|
|
70
|
+
- Regla `/api/{NOMBRE}` tiene URLRewrite a `/api/v1`
|
|
71
|
+
- Si HAS_MFE: regla `/mfe/{NOMBRE}` presente
|
|
72
|
+
|
|
73
|
+
### Health Checks
|
|
74
|
+
|
|
75
|
+
| Archivo | Estado |
|
|
76
|
+
|---|---|
|
|
77
|
+
| `k8s/overlays/dev/healthcheck/{NOMBRE}-api-hc.yaml` | PASS / MISSING |
|
|
78
|
+
| `k8s/overlays/dev/healthcheck/{NOMBRE}-mfe-hc.yaml` (si MFE) | PASS / MISSING / N/A |
|
|
79
|
+
|
|
80
|
+
### environments/dev.yaml
|
|
81
|
+
|
|
82
|
+
Lee `environments/dev.yaml`. Verifica:
|
|
83
|
+
- `services.{NOMBRE}` existe → PASS / MISSING
|
|
84
|
+
- `{NOMBRE}` está en la lista `namespaces:` → PASS / MISSING
|
|
85
|
+
- Si existe el servicio, `sa_name` = `{SA_NAME}` y `github_repo` = `{GITHUB_REPO}` → PASS / DRIFT
|
|
86
|
+
|
|
87
|
+
### environments/shared.yaml
|
|
88
|
+
|
|
89
|
+
Lee `environments/shared.yaml`. Verifica:
|
|
90
|
+
- `services.{NOMBRE}` existe → PASS / MISSING
|
|
91
|
+
- Tiene los 11 roles estándar (cloudbuild.builds.editor, artifactregistry.writer, container.developer, secretmanager.secretAccessor, cloudsql.client, cloudbuild.workerPoolUser, clouddeploy.releaser, iam.serviceAccountUser, storage.admin, pubsub.publisher, pubsub.subscriber) → PASS / MISSING_ROLES
|
|
92
|
+
- `hub.project_id` existe en el archivo → PASS / MISSING (G-S3)
|
|
93
|
+
|
|
94
|
+
### Import Map (solo si HAS_MFE)
|
|
95
|
+
|
|
96
|
+
| Archivo | Estado |
|
|
97
|
+
|---|---|
|
|
98
|
+
| `k8s/overlays/dev/import-map/import-map.yaml` contiene `@siesa/{NOMBRE}` | PASS / MISSING |
|
|
99
|
+
|
|
100
|
+
---
|
|
101
|
+
|
|
102
|
+
## Fase 2 — Auditoría arquitectónica CI/CD
|
|
103
|
+
|
|
104
|
+
Evalúa los puntos conocidos de desalineación comparando contra el estándar del repo. No se lee el archivo del servicio (repo separado) — se audita contra los valores correctos y se genera la versión alineada.
|
|
105
|
+
|
|
106
|
+
### G-C1 — Cluster name
|
|
107
|
+
El pipeline debe usar `GKE_CLUSTER: {GKE_CLUSTER}` (valor del dev.yaml).
|
|
108
|
+
- WARN: mostrar el valor correcto — confirmar que el pipeline del servicio lo tenga exactamente así.
|
|
109
|
+
|
|
110
|
+
### G-C2 — Image URL (Hub vs Spoke)
|
|
111
|
+
- Si `HUB_PROJECT` existe en shared.yaml: el pipeline DEBE usar `HUB_PROJECT_ID: {HUB_PROJECT}` para la URL de imagen → WARN si no está.
|
|
112
|
+
- Si `HUB_PROJECT` NO existe (financiero actual): imagen va a `PROJECT_ID` (Spoke) — documentado como deuda técnica → INFO.
|
|
113
|
+
|
|
114
|
+
### G-C3 — Smoke test pattern
|
|
115
|
+
El template estándar usa `sleep 60` fijo. El patrón recomendado es un retry loop de 15s hasta 5 min (evita fallos cuando Dapr sidecar o NEGs tardan más de 60s).
|
|
116
|
+
- WARN siempre: mostrar el patrón correcto de retry loop.
|
|
117
|
+
|
|
118
|
+
### G-C4 — Concurrency group
|
|
119
|
+
El pipeline debe tener:
|
|
120
|
+
```yaml
|
|
121
|
+
concurrency:
|
|
122
|
+
group: deploy-gke-${{ github.repository }}
|
|
123
|
+
cancel-in-progress: false
|
|
124
|
+
```
|
|
125
|
+
- WARN: verificar que el pipeline del servicio lo tenga.
|
|
126
|
+
|
|
127
|
+
### G-C5 — GitHub environment
|
|
128
|
+
Debe usar `environment: dev` (no `sandbox`). El environment `sandbox` fue eliminado.
|
|
129
|
+
- WARN: confirmar que no use `sandbox`.
|
|
130
|
+
|
|
131
|
+
### G-C6 — WIF permissions
|
|
132
|
+
Debe tener:
|
|
133
|
+
```yaml
|
|
134
|
+
permissions:
|
|
135
|
+
contents: read
|
|
136
|
+
id-token: write
|
|
137
|
+
```
|
|
138
|
+
- WARN: verificar que estén presentes.
|
|
139
|
+
|
|
140
|
+
### G-C7 — SA name formula
|
|
141
|
+
El SA debe seguir el patrón `sa-sie-{SUITE}-{SA_SHORT}-cicd`.
|
|
142
|
+
- Mostrar: `{SA_NAME}` — confirmar que coincide con el pipeline del servicio.
|
|
143
|
+
|
|
144
|
+
---
|
|
145
|
+
|
|
146
|
+
## Fase 3 — Resumen de auditoría
|
|
147
|
+
|
|
148
|
+
Muestra el reporte consolidado:
|
|
149
|
+
|
|
150
|
+
```
|
|
151
|
+
════════════════════════════════════════════════════════
|
|
152
|
+
AUDITORÍA DE SERVICIO: {NOMBRE}
|
|
153
|
+
Transversal: {BUSINESS_UNIT} | Suite: {SUITE} | Repo: {GITHUB_REPO}
|
|
154
|
+
════════════════════════════════════════════════════════
|
|
155
|
+
|
|
156
|
+
ARTEFACTOS EN DEPLOY REPO:
|
|
157
|
+
[PASS/MISSING/DRIFT] k8s/overlays/dev/dapr/{NOMBRE}/pubsub.yaml
|
|
158
|
+
[PASS/MISSING/DRIFT] k8s/overlays/dev/dapr/{NOMBRE}/secretstore.yaml
|
|
159
|
+
[PASS/MISSING] k8s/overlays/dev/routes/{NOMBRE}-route.yaml
|
|
160
|
+
[PASS/MISSING] k8s/overlays/dev/healthcheck/{NOMBRE}-api-hc.yaml
|
|
161
|
+
[PASS/MISSING/N/A] k8s/overlays/dev/healthcheck/{NOMBRE}-mfe-hc.yaml
|
|
162
|
+
[PASS/MISSING] environments/dev.yaml → services.{NOMBRE}
|
|
163
|
+
[PASS/MISSING] environments/dev.yaml → namespaces
|
|
164
|
+
[PASS/MISSING/DRIFT] environments/shared.yaml → services.{NOMBRE}
|
|
165
|
+
[PASS/MISSING] environments/shared.yaml → hub.project_id
|
|
166
|
+
[PASS/MISSING/N/A] import-map → @siesa/{NOMBRE}
|
|
167
|
+
|
|
168
|
+
CI/CD PIPELINE (verificar en {GITHUB_REPO}):
|
|
169
|
+
[WARN/INFO] G-C1 Cluster name: debe ser {GKE_CLUSTER}
|
|
170
|
+
[WARN/INFO] G-C2 Image URL: {mensaje según Hub o Spoke}
|
|
171
|
+
[WARN] G-C3 Smoke test: usar retry loop, no sleep fijo
|
|
172
|
+
[WARN] G-C4 Concurrency group: verificar presente
|
|
173
|
+
[WARN] G-C5 GitHub environment: debe ser "dev", no "sandbox"
|
|
174
|
+
[WARN] G-C6 WIF permissions: id-token: write requerido
|
|
175
|
+
[INFO] G-C7 SA name esperado: {SA_NAME}
|
|
176
|
+
|
|
177
|
+
────────────────────────────────────────────────────────
|
|
178
|
+
RESUMEN:
|
|
179
|
+
Artefactos faltantes : N
|
|
180
|
+
Artefactos con drift : N
|
|
181
|
+
Advertencias CI/CD : N
|
|
182
|
+
════════════════════════════════════════════════════════
|
|
183
|
+
```
|
|
184
|
+
|
|
185
|
+
---
|
|
186
|
+
|
|
187
|
+
## Fase 4 — Corrección interactiva
|
|
188
|
+
|
|
189
|
+
Tras mostrar el resumen, pregunta:
|
|
190
|
+
|
|
191
|
+
```
|
|
192
|
+
¿Qué deseas corregir?
|
|
193
|
+
|
|
194
|
+
[1] Crear artefactos faltantes en deploy repo (K8s, Dapr, routes, healthcheck)
|
|
195
|
+
[2] Corregir artefactos con drift (projectId, sa_name, github_repo)
|
|
196
|
+
[3] Agregar servicio a environments/dev.yaml y/o shared.yaml
|
|
197
|
+
[4] Generar ci-pipeline.yml alineado para copiar a {GITHUB_REPO}
|
|
198
|
+
[5] Todo lo anterior
|
|
199
|
+
[0] Nada — solo quería ver el reporte
|
|
200
|
+
|
|
201
|
+
Responde con los números separados por coma (ej: 1,3,4) o 5 para todo:
|
|
202
|
+
```
|
|
203
|
+
|
|
204
|
+
Espera la respuesta del usuario y ejecuta solo las correcciones seleccionadas:
|
|
205
|
+
|
|
206
|
+
### Si incluye [1] — Crear artefactos faltantes
|
|
207
|
+
Genera los archivos MISSING usando el mismo formato que `/sa-nuevo-servicio` (Pasos 1-5 y 8).
|
|
208
|
+
|
|
209
|
+
### Si incluye [2] — Corregir drift
|
|
210
|
+
Lee el archivo con drift, actualiza los valores incorrectos y guarda.
|
|
211
|
+
|
|
212
|
+
### Si incluye [3] — Agregar a environments
|
|
213
|
+
Agrega la entrada del servicio en `dev.yaml` (services + namespaces) y `shared.yaml` (services + roles), si faltan.
|
|
214
|
+
|
|
215
|
+
### Si incluye [4] — Generar ci-pipeline.yml alineado
|
|
216
|
+
Lee `cicd-templates/.github/workflows/ci-pipeline.yml` para obtener la plantilla base completa y actual. Es la fuente de verdad del pipeline — no regenerar desde cero.
|
|
217
|
+
|
|
218
|
+
Sustituye únicamente la sección `env:` y corrige los puntos de desalineación encontrados en Fase 2:
|
|
219
|
+
- `GKE_CLUSTER: {GKE_CLUSTER}` (del dev.yaml — G-C1)
|
|
220
|
+
- `WORKER_POOL: {WORKER_POOL}` (del dev.yaml)
|
|
221
|
+
- `PROJECT_ID: {PROJECT_ID}` y (si aplica) `HUB_PROJECT_ID: {HUB_PROJECT}` (G-C2)
|
|
222
|
+
- `SERVICE_NAME: {NOMBRE}` y `NAMESPACE: {NOMBRE}`
|
|
223
|
+
- `BUILD_MFE: "{HAS_MFE}"`
|
|
224
|
+
- `VITE_MODE: {VITE_MODE}`
|
|
225
|
+
- Smoke test con retry loop de 15s hasta 5 min en lugar de `sleep` fijo (G-C3)
|
|
226
|
+
- Concurrency group correcto (G-C4)
|
|
227
|
+
- `environment: dev` (no `sandbox`) (G-C5)
|
|
228
|
+
- `permissions: id-token: write` presente (G-C6)
|
|
229
|
+
- SA name: `{SA_NAME}@{PROJECT_ID}.iam.gserviceaccount.com` (G-C7)
|
|
230
|
+
|
|
231
|
+
Muestra el archivo completo resultante listo para copiar a `.github/workflows/ci-pipeline.yml` del repo `{GITHUB_REPO}`.
|
|
232
|
+
|
|
233
|
+
### Si incluye [5] — Todo
|
|
234
|
+
Ejecuta 1, 2, 3 y 4 en ese orden.
|
|
235
|
+
|
|
236
|
+
---
|
|
237
|
+
|
|
238
|
+
## Smoke test — patrón correcto (usar en [4])
|
|
239
|
+
|
|
240
|
+
```yaml
|
|
241
|
+
- name: Smoke test
|
|
242
|
+
run: |
|
|
243
|
+
DEADLINE=$((SECONDS+300))
|
|
244
|
+
until [ $SECONDS -ge $DEADLINE ]; do
|
|
245
|
+
STATUS=$(curl -sk -o /dev/null -w "%{http_code}" https://{DOMAIN}/api/{NOMBRE}/health)
|
|
246
|
+
if [ "$STATUS" = "200" ]; then
|
|
247
|
+
echo "Smoke test passed: HTTP $STATUS"
|
|
248
|
+
exit 0
|
|
249
|
+
fi
|
|
250
|
+
echo " Waiting... HTTP $STATUS ($(( DEADLINE - SECONDS ))s restantes)"
|
|
251
|
+
sleep 15
|
|
252
|
+
done
|
|
253
|
+
echo "Smoke test failed: timeout 5 min"
|
|
254
|
+
exit 1
|
|
255
|
+
```
|
|
@@ -0,0 +1,317 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: sa-nueva-transversal
|
|
3
|
+
description: 'Generates the full scaffolding for a new transversal deploy repo (e.g. comercial, manufactura). Produces every base file the new business-{name}-deploy repo needs, with zero financial-specific content. Use whenever the user is setting up a brand-new transversal and needs the deploy-repo skeleton.'
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
> **Contexto de ejecución:** este skill asume que el cwd está dentro de la carpeta del workspace de despliegue (`_siesa-agents/devops/` en Siesa-Agents tras correr `/sa-init-devops`, o la raíz de un clon directo de `architecture-sa-devops`). Las rutas relativas (`environments/`, `terraform/`, `k8s/`, `scripts/`, etc.) se resuelven contra ese cwd.
|
|
7
|
+
|
|
8
|
+
Genera el scaffolding completo para un nuevo repo de transversal (ej: comercial, manufactura). Produce los archivos base que deben ir en el nuevo repo `business-{nombre}-deploy`, sin nada específico de financiero.
|
|
9
|
+
|
|
10
|
+
**Uso:** `/sa-nueva-transversal {nombre} {suite} {project-id-dev}`
|
|
11
|
+
|
|
12
|
+
**Ejemplo:** `/sa-nueva-transversal comercial com prj-sie-com-comercial-dev`
|
|
13
|
+
|
|
14
|
+
---
|
|
15
|
+
|
|
16
|
+
## Instrucciones
|
|
17
|
+
|
|
18
|
+
Los argumentos son: `$ARGUMENTS`
|
|
19
|
+
|
|
20
|
+
Parsea los argumentos:
|
|
21
|
+
- `NOMBRE` = primer argumento (ej: `comercial`)
|
|
22
|
+
- `SUITE` = segundo argumento, 2-4 caracteres (ej: `com`)
|
|
23
|
+
- `PROJECT_ID` = tercer argumento (ej: `prj-sie-com-comercial-dev`)
|
|
24
|
+
|
|
25
|
+
Deriva:
|
|
26
|
+
- `REPO_NAME` = `business-{NOMBRE}-deploy`
|
|
27
|
+
- `REGION` = `us-east1` (default para todos los proyectos Siesa)
|
|
28
|
+
- `HUB_PROJECT` = `prj-sie-sb-{NOMBRE}-common`
|
|
29
|
+
- `STATE_BUCKET` = `bkt-sie-{SUITE}-iac-state-{PROJECT_ID}`
|
|
30
|
+
|
|
31
|
+
**Valores que debes obtener antes de generar archivos** (usar Bash — son lecturas de solo lectura, no modifican infraestructura):
|
|
32
|
+
|
|
33
|
+
```bash
|
|
34
|
+
# Project number — necesario para WIF provider URL y ARs IAM members
|
|
35
|
+
gcloud projects describe {PROJECT_ID} --format='value(projectNumber)'
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
Si el comando falla (proyecto no existe aún), usa `<PLACEHOLDER: project_number>` y avisa al usuario.
|
|
39
|
+
Guarda el resultado como `PROJECT_NUM`.
|
|
40
|
+
|
|
41
|
+
---
|
|
42
|
+
|
|
43
|
+
### Paso 0 — Validación inicial (Gate)
|
|
44
|
+
|
|
45
|
+
**Naming convention:** Verifica que `PROJECT_ID` siga el patrón `{type}-sie-{bu}-{workload}-{env}` (regex: `^[a-z]+-sie-[a-z]+-[a-z]+-[a-z]+$`). Si no cumple, detente y muestra el error con el valor recibido.
|
|
46
|
+
|
|
47
|
+
**GCS state prefix:** Muestra el bucket calculado `{STATE_BUCKET}` y advierte que debe ser único — no puede existir otro estado con el mismo nombre. Pide confirmación antes de continuar.
|
|
48
|
+
|
|
49
|
+
---
|
|
50
|
+
|
|
51
|
+
### Paso 1 — Verificación Hub Project
|
|
52
|
+
|
|
53
|
+
Informa al usuario y detente hasta recibir confirmación:
|
|
54
|
+
|
|
55
|
+
```
|
|
56
|
+
🔍 HUB PROJECT CHECK
|
|
57
|
+
|
|
58
|
+
Verifica si el proyecto Hub ya existe:
|
|
59
|
+
gcloud projects describe {HUB_PROJECT} 2>&1
|
|
60
|
+
|
|
61
|
+
Si NO existe, crearlo primero:
|
|
62
|
+
gcloud projects create {HUB_PROJECT} \
|
|
63
|
+
--name="SIESA {NOMBRE} Common" \
|
|
64
|
+
--folder=<FOLDER_ID_BU>
|
|
65
|
+
|
|
66
|
+
# Habilitar APIs del Hub:
|
|
67
|
+
gcloud services enable \
|
|
68
|
+
artifactregistry.googleapis.com \
|
|
69
|
+
cloudbuild.googleapis.com \
|
|
70
|
+
clouddeploy.googleapis.com \
|
|
71
|
+
--project={HUB_PROJECT}
|
|
72
|
+
|
|
73
|
+
⚠️ El Hub project debe existir antes de vender Spokes (Hub-First Mandate).
|
|
74
|
+
Confirma que existe para continuar.
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
---
|
|
78
|
+
|
|
79
|
+
### Paso 2 — Asignación IP desde ip-plan.md
|
|
80
|
+
|
|
81
|
+
Lee `docs/devops-org/ip-plan.md`.
|
|
82
|
+
|
|
83
|
+
**A. Identificar el siguiente Slice Index libre** en la tabla §3.1 (fila con `FREE SLOT` o índice no asignado).
|
|
84
|
+
Sea `INDEX` el índice libre identificado.
|
|
85
|
+
|
|
86
|
+
**B. Calcular CIDRs para Development** usando la fórmula de §4:
|
|
87
|
+
- `PRIMARY_CIDR` = `10.4.{INDEX*8}.0/21`
|
|
88
|
+
- `PODS_CIDR` = `100.{64 + floor(INDEX*64/256)}.{(INDEX*64) mod 256}.0/18`
|
|
89
|
+
- `SERVICES_CIDR` = `100.100.{INDEX*8}.0/21`
|
|
90
|
+
- `MASTER_CIDR` = `172.16.{INDEX}.0/28` (Dev Env Octet = 16, fórmula §5.1)
|
|
91
|
+
|
|
92
|
+
**C. Validar zero-overlap:** Confirma que ninguno de los 3 CIDRs se superpone con rangos existentes en §3.1. Si hay overlap, seleccionar el siguiente índice libre.
|
|
93
|
+
|
|
94
|
+
**D. Proponer actualización de ip-plan.md — REGISTRY-FIRST:**
|
|
95
|
+
|
|
96
|
+
Muestra el bloque markdown a insertar en la tabla §3.1:
|
|
97
|
+
```
|
|
98
|
+
| {INDEX} | **{SUITE}** | {NOMBRE} | `us-east1` | `{PRIMARY_CIDR}` | `{PODS_CIDR}` | `{SERVICES_CIDR}` |
|
|
99
|
+
```
|
|
100
|
+
|
|
101
|
+
Detente y solicita confirmación:
|
|
102
|
+
```
|
|
103
|
+
⚠️ REGISTRY-FIRST: Agrega la fila anterior a docs/devops-org/ip-plan.md §3.1
|
|
104
|
+
y haz commit antes de continuar. Ningún código Terraform puede generarse
|
|
105
|
+
sin una reserva de IP registrada.
|
|
106
|
+
```
|
|
107
|
+
|
|
108
|
+
---
|
|
109
|
+
|
|
110
|
+
### Qué generar y qué NO generar
|
|
111
|
+
|
|
112
|
+
(solo continuar si el usuario confirmó Pasos 0, 1 y 2)
|
|
113
|
+
|
|
114
|
+
**NO generar** (específico de financiero, construir desde cero):
|
|
115
|
+
- Ningún archivo de `k8s/overlays/dev/`
|
|
116
|
+
- Ningún servicio en `environments/dev.yaml` ni `environments/shared.yaml`
|
|
117
|
+
- Ningún contenido de `docs/`
|
|
118
|
+
|
|
119
|
+
**SÍ generar:**
|
|
120
|
+
- `environments/dev.yaml`
|
|
121
|
+
- `environments/shared.yaml`
|
|
122
|
+
- `environments/staging.yaml`
|
|
123
|
+
- `environments/prod.yaml`
|
|
124
|
+
- `terraform/environments/dev/main.tf`
|
|
125
|
+
- `terraform/environments/shared/main.tf`
|
|
126
|
+
- `.github/workflows/infra-pipeline-dev.yml`
|
|
127
|
+
- `.github/workflows/infra-pipeline-shared.yml`
|
|
128
|
+
|
|
129
|
+
---
|
|
130
|
+
|
|
131
|
+
### Archivo 1 — `environments/dev.yaml` para {REPO_NAME}
|
|
132
|
+
|
|
133
|
+
Usa como base `environments/dev.yaml` de este repo. Reemplaza:
|
|
134
|
+
- `financiero` → `{NOMBRE}`
|
|
135
|
+
- `fin` (product_suite) → `{SUITE}`
|
|
136
|
+
- `prj-sie-fin-financiero-dev` → `{PROJECT_ID}`
|
|
137
|
+
- `gke-sie-fin-sandbox-dev` → `gke-sie-{SUITE}-{NOMBRE}-dev`
|
|
138
|
+
- `pgsql-fin-sandbox-dev` → `pgsql-{SUITE}-{NOMBRE}-dev`
|
|
139
|
+
- `finance-dev` → `{NOMBRE}-dev`
|
|
140
|
+
- `finance.siesacloud.dev` → `{NOMBRE}.siesacloud.dev`
|
|
141
|
+
- `financiero-dev-gateway` → `{NOMBRE}-dev-gateway`
|
|
142
|
+
- `finance-siesacloud-dev-cert` → `{NOMBRE}-siesacloud-dev-cert`
|
|
143
|
+
- `finance-siesacloud-dev-map` → `{NOMBRE}-siesacloud-dev-map`
|
|
144
|
+
- `bkt-sie-fin-iac-state-prj-sie-fin-financiero-dev` → `{STATE_BUCKET}`
|
|
145
|
+
- `sa-sie-fin-sandbox-dev-cicd` → `sa-sie-{SUITE}-{NOMBRE}-dev-cicd`
|
|
146
|
+
- `financiero-pool` → `{NOMBRE}-pool`
|
|
147
|
+
- Vaciar `services:` y `namespaces:` (solo gateway-infra, app-shell, observability)
|
|
148
|
+
- Grupos IAM → `<PLACEHOLDER: group:g-gcp-fld-sie-bus-{NOMBRE}-dev-admins@siesacloud.com>`
|
|
149
|
+
- `alert_email` → `<PLACEHOLDER: alertas-{NOMBRE}@siesa.com>`
|
|
150
|
+
|
|
151
|
+
Agrega la sección de red con los CIDRs calculados en el Paso 2:
|
|
152
|
+
```yaml
|
|
153
|
+
network:
|
|
154
|
+
primary_cidr: "{PRIMARY_CIDR}"
|
|
155
|
+
pods_cidr: "{PODS_CIDR}"
|
|
156
|
+
services_cidr: "{SERVICES_CIDR}"
|
|
157
|
+
master_cidr: "{MASTER_CIDR}"
|
|
158
|
+
shared_vpc_host: "prj-sie-com-vpc-host-dev"
|
|
159
|
+
subnetwork: "<PLACEHOLDER: snt-sie-{SUITE}-use1-01-dev>"
|
|
160
|
+
```
|
|
161
|
+
|
|
162
|
+
### Archivo 2 — `environments/shared.yaml` para {REPO_NAME}
|
|
163
|
+
|
|
164
|
+
Mismo proceso de reemplazo que dev.yaml pero con estructura de `environments/shared.yaml`. Sección `services:` vacía.
|
|
165
|
+
|
|
166
|
+
**Agrega obligatoriamente la sección `hub:`** con el proyecto Hub donde vivirá el Artifact Registry. Esto permite que dev, QA y PROD compartan las mismas imágenes:
|
|
167
|
+
|
|
168
|
+
```yaml
|
|
169
|
+
# --- Hub Project (Artifact Registry centralizado) ---
|
|
170
|
+
# Las imágenes Docker se publican aquí para ser compartidas entre ambientes.
|
|
171
|
+
# NUNCA crear AR repos en el Spoke — impediría promoción de imágenes entre entornos.
|
|
172
|
+
hub:
|
|
173
|
+
project_id: "{HUB_PROJECT}"
|
|
174
|
+
```
|
|
175
|
+
|
|
176
|
+
**Modifica también la sección `gcp:` del shared.yaml:** el `project_id` es el Spoke dev (donde viven WIF pool, SAs, Worker Pool). El Hub solo aplica para AR repos:
|
|
177
|
+
|
|
178
|
+
```yaml
|
|
179
|
+
gcp:
|
|
180
|
+
project_id: "{PROJECT_ID}" # Spoke dev — WIF, SAs, Worker Pool
|
|
181
|
+
region: "{REGION}"
|
|
182
|
+
|
|
183
|
+
hub:
|
|
184
|
+
project_id: "{HUB_PROJECT}" # Hub — Artifact Registry repos (compartido entre ambientes)
|
|
185
|
+
```
|
|
186
|
+
|
|
187
|
+
### Archivo 3 — `terraform/environments/dev/main.tf` para {REPO_NAME}
|
|
188
|
+
|
|
189
|
+
Lee `terraform/environments/dev/main.tf`. Reemplaza:
|
|
190
|
+
- Bucket de estado → `{STATE_BUCKET}`
|
|
191
|
+
- Comentarios que mencionen "financiero" → `{NOMBRE}`
|
|
192
|
+
|
|
193
|
+
**Agrega mandatory labels** en el bloque `locals`:
|
|
194
|
+
```hcl
|
|
195
|
+
locals {
|
|
196
|
+
common_labels = {
|
|
197
|
+
business-unit = var.config.naming.business_unit
|
|
198
|
+
product-suite = var.config.naming.product_suite
|
|
199
|
+
environment = "dev"
|
|
200
|
+
cost-center = "${var.config.naming.product_suite}-dev"
|
|
201
|
+
}
|
|
202
|
+
}
|
|
203
|
+
```
|
|
204
|
+
|
|
205
|
+
**Agrega referencia al Shared VPC Host** en el módulo GKE (solo como referencia, no modificar el Host VPC):
|
|
206
|
+
```hcl
|
|
207
|
+
# Shared VPC — solo referenciar, NUNCA modificar recursos del Host project
|
|
208
|
+
# Host project Dev: prj-sie-com-vpc-host-dev
|
|
209
|
+
network = "projects/${var.config.network.shared_vpc_host}/global/networks/vpc-sie-com-shared-host-dev"
|
|
210
|
+
subnetwork = "projects/${var.config.network.shared_vpc_host}/regions/${var.config.gcp.region}/subnetworks/${var.config.network.subnetwork}"
|
|
211
|
+
```
|
|
212
|
+
|
|
213
|
+
### Archivo 4 — `terraform/environments/shared/main.tf` para {REPO_NAME}
|
|
214
|
+
|
|
215
|
+
Igual pero con estructura del shared, reemplazando el bucket de estado.
|
|
216
|
+
|
|
217
|
+
### Archivo 5 — `.github/workflows/infra-pipeline-dev.yml` para {REPO_NAME}
|
|
218
|
+
|
|
219
|
+
Lee `.github/workflows/infra-pipeline-dev.yml` de este repo. Reemplaza:
|
|
220
|
+
- `Infrastructure Pipeline — Dev` → `Infrastructure Pipeline — Dev ({NOMBRE})`
|
|
221
|
+
|
|
222
|
+
**Agrega los siguientes steps al job `terraform-plan`, DESPUÉS de `terraform validate` y ANTES de `terraform plan`:**
|
|
223
|
+
|
|
224
|
+
```yaml
|
|
225
|
+
- name: Security SAST — tfsec
|
|
226
|
+
run: |
|
|
227
|
+
curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
|
|
228
|
+
tfsec terraform/environments/dev/ --no-color --soft-fail
|
|
229
|
+
|
|
230
|
+
- name: Security SAST — checkov
|
|
231
|
+
run: |
|
|
232
|
+
pip install checkov --quiet
|
|
233
|
+
checkov -d terraform/environments/dev/ --quiet --compact --soft-fail
|
|
234
|
+
|
|
235
|
+
- name: SIESA Guard — Host VPC inviolability
|
|
236
|
+
run: |
|
|
237
|
+
HOST_VPC_PROJECTS=(
|
|
238
|
+
"prj-sie-com-vpc-host-dev" "prj-sie-com-vpc-host-qa" "prj-sie-com-vpc-host-prod"
|
|
239
|
+
"prj-sie-sde-vpc-host-dev" "prj-sie-sde-vpc-host-qa" "prj-sie-sde-vpc-host-prod"
|
|
240
|
+
"prj-sie-sde-leg-vpc-host-dev" "prj-sie-sde-leg-vpc-host-qa" "prj-sie-sde-leg-vpc-host-prod"
|
|
241
|
+
"prj-sie-leg-vpc-host-dev" "prj-sie-leg-vpc-host-qa" "prj-sie-leg-vpc-host-prod"
|
|
242
|
+
)
|
|
243
|
+
PLAN_OUT=$(terraform -chdir=terraform/environments/dev show -no-color tfplan 2>/dev/null || echo "")
|
|
244
|
+
for HOST in "${HOST_VPC_PROJECTS[@]}"; do
|
|
245
|
+
if echo "$PLAN_OUT" | grep -q "\"$HOST\""; then
|
|
246
|
+
echo "❌ GUARD VIOLATION: el plan muta recursos en Host VPC project: $HOST"
|
|
247
|
+
exit 1
|
|
248
|
+
fi
|
|
249
|
+
done
|
|
250
|
+
echo "✅ SIESA Guard: sin mutaciones en Host VPC projects."
|
|
251
|
+
```
|
|
252
|
+
|
|
253
|
+
### Archivo 6 — `.github/workflows/infra-pipeline-shared.yml` para {REPO_NAME}
|
|
254
|
+
|
|
255
|
+
Igual que el dev con los mismos steps de seguridad, apuntando a `terraform/environments/shared/`.
|
|
256
|
+
|
|
257
|
+
---
|
|
258
|
+
|
|
259
|
+
### Paso final — Mostrar checklist de bootstrap
|
|
260
|
+
|
|
261
|
+
```
|
|
262
|
+
📦 SCAFFOLDING GENERADO para {REPO_NAME}
|
|
263
|
+
|
|
264
|
+
IP RESERVADA (agregar a docs/devops-org/ip-plan.md §3.1 si aún no se hizo):
|
|
265
|
+
Slice Index: {INDEX}
|
|
266
|
+
Primary: {PRIMARY_CIDR}
|
|
267
|
+
Pods: {PODS_CIDR}
|
|
268
|
+
Services: {SERVICES_CIDR}
|
|
269
|
+
Master /28: {MASTER_CIDR}
|
|
270
|
+
Shared VPC: prj-sie-com-vpc-host-dev
|
|
271
|
+
|
|
272
|
+
ESTRUCTURA A COPIAR DE business-financiero-deploy (sin cambios):
|
|
273
|
+
terraform/bootstrap/ → copiar completo
|
|
274
|
+
terraform/modules/ → copiar completo
|
|
275
|
+
k8s/base/ → copiar completo
|
|
276
|
+
cicd-templates/ → copiar completo
|
|
277
|
+
scripts/ → copiar completo
|
|
278
|
+
|
|
279
|
+
ARCHIVOS GENERADOS:
|
|
280
|
+
environments/dev.yaml ← incluye CIDRs calculados + Shared VPC ref
|
|
281
|
+
environments/shared.yaml
|
|
282
|
+
environments/staging.yaml (copiar de financiero sin cambios)
|
|
283
|
+
environments/prod.yaml (copiar de financiero sin cambios)
|
|
284
|
+
terraform/environments/dev/main.tf ← mandatory labels + Shared VPC
|
|
285
|
+
terraform/environments/shared/main.tf
|
|
286
|
+
.github/workflows/infra-pipeline-dev.yml ← tfsec + checkov + SIESA Guard
|
|
287
|
+
.github/workflows/infra-pipeline-shared.yml
|
|
288
|
+
|
|
289
|
+
PASOS PARA ACTIVAR EL NUEVO REPO:
|
|
290
|
+
|
|
291
|
+
0. Confirmar Hub project {HUB_PROJECT} existe (Paso 1).
|
|
292
|
+
Si no: crear + habilitar AR, Cloud Build, Cloud Deploy APIs.
|
|
293
|
+
|
|
294
|
+
1. Crear repo GitHub: SiesaTeams/{REPO_NAME}
|
|
295
|
+
|
|
296
|
+
2. Crear proyecto GCP Spoke:
|
|
297
|
+
gcloud projects create {PROJECT_ID} --name="SIESA {NOMBRE} Dev"
|
|
298
|
+
|
|
299
|
+
3. Ejecutar bootstrap:
|
|
300
|
+
cd terraform/bootstrap
|
|
301
|
+
terraform init && terraform apply -var="project_id={PROJECT_ID}"
|
|
302
|
+
|
|
303
|
+
4. Completar <PLACEHOLDER> en environments/dev.yaml:
|
|
304
|
+
- project_number:
|
|
305
|
+
gcloud projects describe {PROJECT_ID} --format='value(projectNumber)'
|
|
306
|
+
- network.subnetwork: coordinar con Cloud Admin — Shared VPC Host
|
|
307
|
+
- dev_access groups: crear en Google Workspace
|
|
308
|
+
|
|
309
|
+
5. Crear SA de deploy:
|
|
310
|
+
gcloud iam service-accounts create sa-sie-{SUITE}-{NOMBRE}-dev-cicd \
|
|
311
|
+
--project={PROJECT_ID}
|
|
312
|
+
|
|
313
|
+
6. Primer push a main → pipelines se disparan automáticamente.
|
|
314
|
+
tfsec + checkov + SIESA Guard corren en cada PR.
|
|
315
|
+
|
|
316
|
+
7. Agregar servicios con /sa-nuevo-servicio
|
|
317
|
+
```
|