

fix opex roles
Krusty93 committed Nov 25, 2024
1 parent d5edc7f commit a8000be
Showing 5 changed files with 22 additions and 7 deletions.
Expand Up @@ -60,6 +60,7 @@
| [azurerm_role_assignment.infra_ci_subscription_pagopa_iac_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_ci_subscription_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.infra_ci_tf_st_blob_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.opex_cd_rg_monitoring_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.opex_cd_rg_opex_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.opex_cd_subscription_reader](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
| [azurerm_role_assignment.opex_cd_tf_rg_blob_contributor](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
Expand Down Expand Up @@ -97,12 +98,13 @@
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_apim_id"></a> [apim\_id](#input\_apim\_id) | ID of the APIM instance | `string` | n/a | yes |
| <a name="input_dns_zone_resource_group_id"></a> [dns\_zone\_resource\_group\_id](#input\_dns\_zone\_resource\_group\_id) | Id of the resource group holding public DNS zone | `string` | n/a | yes |
| <a name="input_entraid_groups"></a> [entraid\_groups](#input\_entraid\_groups) | Azure Entra Id groups to give role to | <pre>object({<br> admins_object_id = string<br> devs_object_id = string<br> externals_object_id = optional(string, null)<br> })</pre> | n/a | yes |
| <a name="input_environment"></a> [environment](#input\_environment) | Values which are used to generate resource names and location short names. They are all mandatory except for domain, which should not be used only in the case of a resource used by multiple domains. | <pre>object({<br> prefix = string<br> env_short = string<br> location = string<br> domain = string<br> instance_number = string<br> })</pre> | n/a | yes |
| <a name="input_github_private_runner"></a> [github\_private\_runner](#input\_github\_private\_runner) | n/a | <pre>object({<br> container_app_environment_id = string<br> container_app_environment_location = string<br> polling_interval_in_seconds = optional(number, 30)<br> min_instances = optional(number, 0)<br> max_instances = optional(number, 30)<br> labels = optional(list(string), [])<br> key_vault = object({<br> name = string<br> resource_group_name = string<br> secret_name = optional(string, "github-runner-pat")<br> })<br> cpu = optional(number, 0.5)<br> memory = optional(string, "1Gi")<br> })</pre> | n/a | yes |
| <a name="input_opex_resource_group_id"></a> [opex\_resource\_group\_id](#input\_opex\_resource\_group\_id) | Id of the resource group containing Opex dashboards | `string` | n/a | yes |
| <a name="input_pep_vnet_id"></a> [pep\_vnet\_id](#input\_pep\_vnet\_id) | ID of the VNet holding Private Endpoint-dedicated subnet | `string` | n/a | yes |
| <a name="input_repository"></a> [repository](#input\_repository) | Information about this repository | <pre>object({<br> owner = optional(string, "pagopa")<br> name = string<br> description = string<br> topics = list(string)<br> reviewers_teams = list(string)<br> })</pre> | n/a | yes |
| <a name="input_resource_group_dns_zone_id"></a> [resource\_group\_dns\_zone\_id](#input\_resource\_group\_dns\_zone\_id) | Id of the resource group holding public DNS zone | `string` | n/a | yes |
| <a name="input_subscription_id"></a> [subscription\_id](#input\_subscription\_id) | The subscription ID where resources are created | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Resources tags | `map(string)` | n/a | yes |
| <a name="input_tenant_id"></a> [tenant\_id](#input\_tenant\_id) | The tenant ID where resources are created | `string` | n/a | yes |
Expand Up @@ -23,7 +23,7 @@ resource "github_branch_protection" "main" {
require_code_owner_reviews = true
required_approving_review_count = 1
# dismissal_restrictions = ["admins"]
restrict_dismissals = true
restrict_dismissals = true
}

lifecycle {
Expand Up @@ -82,7 +82,7 @@ resource "azurerm_role_assignment" "infra_ci_rg_kv_cert" {
}

resource "azurerm_role_assignment" "infra_ci_rg_ext_pagopa_dns_reader" {
scope = var.resource_group_dns_zone_id
scope = var.dns_zone_resource_group_id
role_definition_name = "PagoPA DNS Zone Reader"
principal_id = azurerm_user_assigned_identity.infra_ci.principal_id
description = "Allow ${var.repository.name} Infra CI identity to read DNS Zone records at resource group level"
Expand Down Expand Up @@ -145,7 +145,7 @@ resource "azurerm_role_assignment" "infra_cd_rg_kv_cert" {
}

resource "azurerm_role_assignment" "infra_cd_rg_ext_network_contributor" {
scope = var.resource_group_dns_zone_id
scope = var.dns_zone_resource_group_id
role_definition_name = "Network Contributor"
principal_id = azurerm_user_assigned_identity.infra_cd.principal_id
description = "Allow ${var.repository.name} Infra CD identity to manage DNS Zones at resource group level"
12 changes: 10 additions & 2 deletions infra/modules/azure_monorepo_single_env_starter_pack/id_opex.tf
Expand Up @@ -75,8 +75,16 @@ resource "azurerm_role_assignment" "opex_cd_tf_rg_blob_data_access" {
}

resource "azurerm_role_assignment" "opex_cd_rg_opex_contributor" {
scope = azurerm_resource_group.main.id
scope = var.opex_resource_group_id
role_definition_name = "PagoPA Opex Dashboards Contributor"
principal_id = azurerm_user_assigned_identity.opex_cd.principal_id
description = "Allow ${var.repository.name} Opex CD identity to apply changes to Opex dashboards at monorepository resource group scope"
description = "Allow ${var.repository.name} Opex CD identity to apply changes to Opex dashboards at shared resource group scope"
}


resource "azurerm_role_assignment" "opex_cd_rg_monitoring_contributor" {
scope = var.opex_resource_group_id
role_definition_name = "Monitoring Contributor"
principal_id = azurerm_user_assigned_identity.opex_cd.principal_id
description = "Allow ${var.repository.name} Opex CD identity to query logs for Opex dashboards at shared resource group scope"
}
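Review bot: The new `opex_cd_rg_monitoring_contributor` assignment grants the built-in Monitoring Contributor role, which can edit monitoring settings (alert rules, diagnostic settings, action groups) in addition to reading data, while its own description says the identity only needs to query logs. If read access is all that is required, `role_definition_name = "Monitoring Reader"` (or Log Analytics Reader, if the dashboards query a workspace) keeps the grant to least privilege; this matters more now that the scope is the shared `var.opex_resource_group_id` rather than the monorepo's own resource group, so a write-capable role reaches monitoring resources owned by other repositories. If Contributor is genuinely needed, the description should state what is written instead of "query logs", so the next reviewer can judge the grant. Minor: there are two consecutive blank lines before the new resource block.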
Expand Up @@ -44,11 +44,16 @@ variable "apim_id" {
description = "ID of the APIM instance"
}

variable "resource_group_dns_zone_id" {
variable "dns_zone_resource_group_id" {
type = string
description = "Id of the resource group holding public DNS zone"
}

variable "opex_resource_group_id" {
type = string
description = "Id of the resource group containing Opex dashboards"
}

variable "subscription_id" {
type = string
description = "The subscription ID where resources are created"
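Review bot: The new `opex_resource_group_id` variable is used directly as the `scope` of two role assignments in id_opex.tf, but nothing checks that the value is actually a resource group ID; a caller passing a subscription ID or another resource's ID would grant PagoPA Opex Dashboards Contributor and Monitoring Contributor at a broader or unintended scope, and `terraform plan` would not flag it. A `validation` block constraining the value to the `/subscriptions/<sub>/resourceGroups/<name>` shape fails at plan time instead. The renamed `dns_zone_resource_group_id` in the same hunk is likewise used as a role-assignment scope and would benefit from the same check.
```hcl
variable "opex_resource_group_id" {
  # … unchanged: type and description …

  validation {
    condition     = can(regex("(?i)^/subscriptions/[^/]+/resourceGroups/[^/]+$", var.opex_resource_group_id))
    error_message = "The opex_resource_group_id value must be a resource group ID (/subscriptions/<sub>/resourceGroups/<name>), not a subscription or resource ID."
  }
}
```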
