identity
jacopocarlini committed May 30, 2024
1 parent d9b6053 commit 54e0c43
Showing 4 changed files with 143 additions and 2 deletions.
46 changes: 44 additions & 2 deletions .github/workflows/deploy_with_github_runner.yml
Expand Up @@ -41,7 +41,7 @@ jobs:
container_app_environment_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_NAME }}
resource_group_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME }} # RG of the runner
pat_token: ${{ secrets.BOT_TOKEN_GITHUB }}
# self_hosted_runner_image_tag: "v1.4.1"
self_hosted_runner_image_tag: "v3.0.0"

deploy:
needs: [ create_runner ]
Expand All @@ -63,6 +63,7 @@ jobs:
resource_group: ${{ vars.CLUSTER_RESOURCE_GROUP }}
app_name: ${{ env.APP_NAME }}
helm_upgrade_options: "--debug"
timeout: "10m0s"

cleanup_runner:
name: Cleanup Runner
Expand All @@ -81,4 +82,45 @@ jobs:
subscription_id: ${{ secrets.SUBSCRIPTION_ID }}
resource_group_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME }}
runner_name: ${{ needs.create_runner.outputs.runner_name }}
pat_token: ${{ secrets.BOT_TOKEN_GITHUB }}
pat_token: ${{ secrets.BOT_TOKEN_GITHUB }}

update_openapi:
needs: [ deploy ]
runs-on: ubuntu-latest
name: Update OpenAPI
environment: ${{ inputs.environment }}
steps:
- name: Checkout
id: checkout
# from https://github.com/actions/checkout/commits/main
uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707
with:
persist-credentials: false

- name: Setup Terraform
# from https://github.com/hashicorp/setup-terraform/commits/main
uses: hashicorp/setup-terraform@8feba2b913ea459066180f9cb177f58a881cf146
with:
terraform_version: "1.3.6"

- name: Login
id: login
# from https://github.com/Azure/login/commits/master
uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
with:
client-id: ${{ secrets.CD_CLIENT_ID }}
tenant-id: ${{ secrets.TENANT_ID }}
subscription-id: ${{ secrets.SUBSCRIPTION_ID }}


- name: Terraform Apply
shell: bash
run: |
cd ./infra
export ARM_CLIENT_ID="${{ secrets.CD_CLIENT_ID }}"
export ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
export ARM_TENANT_ID=$(az account show --query tenantId --output tsv)
export ARM_USE_OIDC=true
export ARM_ACCESS_KEY=$(az storage account keys list --resource-group io-infra-rg --account-name pagopainfraterraform${{inputs.environment}} --query '[0].value' -o tsv)
bash ./terraform.sh init ${{ inputs.environment }}
bash ./terraform.sh apply ${{ inputs.environment }} -auto-approve
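Review bot: The Terraform Apply step at the end of the hunk splices `${{ inputs.environment }}` and `${{ secrets.CD_CLIENT_ID }}` directly into the `run:` script text, so whatever the environment input contains is evaluated by bash rather than handled as data; mapping both through `env:` and referencing `"$ENVIRONMENT"` / `$ARM_CLIENT_ID` keeps them out of the script body. The same step sets `ARM_USE_OIDC=true` but then exports the storage account's shared key from `az storage account keys list` as `ARM_ACCESS_KEY`, which places a long-lived key in the job environment; if the state backend can be reached with the logged-in identity's RBAC (the azurerm backend's Azure AD auth option), the key export can go, and the hard-coded `--resource-group io-infra-rg` next to the templated account name deserves a comment saying why only the name varies per environment. The job is called `Update OpenAPI` yet only runs a Terraform apply under `./infra` (a script that this commit does not add — `.identity/terraform.sh` is the one shown below), so a `# ` comment stating what that apply publishes would help the next reader; the top of the `jobs:` mapping is outside the hunk.
```yaml
      - name: Terraform Apply
        shell: bash
        env:
          ENVIRONMENT: ${{ inputs.environment }}
          ARM_CLIENT_ID: ${{ secrets.CD_CLIENT_ID }}
        run: |
          cd ./infra
          # … unchanged: ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_USE_OIDC exports …
          export ARM_ACCESS_KEY=$(az storage account keys list --resource-group io-infra-rg --account-name "pagopainfraterraform${ENVIRONMENT}" --query '[0].value' -o tsv)
          bash ./terraform.sh init "$ENVIRONMENT"
          bash ./terraform.sh apply "$ENVIRONMENT" -auto-approve
```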
5 changes: 5 additions & 0 deletions .identity/00_data.tf
Expand Up @@ -22,6 +22,11 @@ data "azurerm_user_assigned_identity" "identity_cd_01" {
resource_group_name = "${local.prefix}-${var.env_short}-identity-rg"
}

data "azurerm_user_assigned_identity" "identity_pr_01" {
name = "${local.prefix}-${var.env_short}-${local.domain}-01-pr-github-cd-identity"
resource_group_name = "${local.prefix}-${var.env_short}-identity-rg"
}

data "azurerm_key_vault" "key_vault" {
name = "pagopa-${var.env_short}-kv"
resource_group_name = "pagopa-${var.env_short}-sec-rg"
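Review bot: The new data source is named `identity_pr_01` but resolves an identity called `…-01-pr-github-cd-identity`, directly under `identity_cd_01`, so the "pr" versus "cd" roles are easy to confuse when reading this file alone. A one-line comment above the block would settle it, e.g. `# User-assigned identity federated to GitHub for pull-request workflows; its client_id is published as the <ENV>_CLIENT_ID repository secret`. The `identity_cd_01` block it follows starts outside the hunk.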
25 changes: 25 additions & 0 deletions .identity/01_github_environment.tf
Expand Up @@ -38,6 +38,24 @@ locals {
"BOT_TOKEN_GITHUB" : data.azurerm_key_vault_secret.key_vault_bot_token.value,
"CUCUMBER_PUBLISH_TOKEN" : data.azurerm_key_vault_secret.key_vault_cucumber_token.value,
}
special_repo_secrets = {
"CLIENT_ID" : {
"key" : "${upper(var.env)}_CLIENT_ID",
"value" : data.azurerm_user_assigned_identity.identity_pr_01.client_id
},
"TENANT_ID" : {
"key" : "${upper(var.env)}_TENANT_ID",
"value" : data.azurerm_user_assigned_identity.identity_pr_01.tenant_id
},
"SUBSCRIPTION_ID" : {
"key" : "${upper(var.env)}_SUBSCRIPTION_ID",
"value" : data.azurerm_subscription.current.subscription_id
},
"SUBKEY" : {
"key" : "${upper(var.env)}_SUBKEY",
"value" : data.azurerm_key_vault_secret.key_vault_integration_test_subkey.value
},
}
}

###############
Expand Down Expand Up @@ -77,3 +95,10 @@ resource "github_actions_secret" "repo_secrets" {
plaintext_value = each.value
}


resource "github_actions_secret" "special_repo_secrets" {
for_each = local.special_repo_secrets
repository = local.github.repository
secret_name = each.value.key
plaintext_value = each.value.value
}
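Review bot: `special_repo_secrets` nests every entry as `{ "key", "value" }` and then needs a second resource, `github_actions_secret.special_repo_secrets` (second hunk), although `repo_secrets` already iterates a flat name-to-value map; writing `"${upper(var.env)}_CLIENT_ID" = data.azurerm_user_assigned_identity.identity_pr_01.client_id` and the three sibling entries directly into the map consumed by `repo_secrets` (or merging the two locals) would drop the duplicate resource and the outer keys `CLIENT_ID`/`TENANT_ID`/`SUBSCRIPTION_ID`/`SUBKEY`, which are never used. The secrets are created at repository level under `<ENV>_CLIENT_ID`, `<ENV>_TENANT_ID` and `<ENV>_SUBSCRIPTION_ID`, while the workflow changed in this same commit reads `secrets.CD_CLIENT_ID`, `secrets.TENANT_ID` and `secrets.SUBSCRIPTION_ID` from a GitHub environment — presumably those are provisioned elsewhere, but a comment naming the consumer of the `<ENV>_*` secrets would make the two naming schemes look deliberate rather than a mismatch. `data.azurerm_subscription.current` and `data.azurerm_key_vault_secret.key_vault_integration_test_subkey` are not declared in the hunks shown, so I assume they exist elsewhere in the module. Both the `locals` block and `repo_secrets` begin outside the hunks.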
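--- a/.identity/terraform.sh
+++ b/.identity/terraform.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+set -e
+
+ACTION=$1
+ENV=$2
+shift 2
+other="$@"
+# must be subscription in lower case
+subscription=""
+BACKEND_CONFIG_PATH="./env/${ENV}/backend.tfvars"
+
+if [ -z "$ACTION" ]; then
+echo "[ERROR] Missed ACTION: init, apply, plan"
+exit 0
+fi
+
+if [ -z "$ENV" ]; then
+echo "[ERROR] ENV should be: dev, uat or prod."
+exit 0
+fi
+
+#
+# 🏁 Source & init shell
+#
+
+# shellcheck source=/dev/null
+source "./env/$ENV/backend.ini"
+
+# Subscription set
+az account set -s "${subscription}"
+
+# if using cygwin, we have to transcode the WORKDIR
+if [[ $WORKDIR == /cygdrive/* ]]; then
+WORKDIR=$(cygpath -w $WORKDIR)
+fi
+
+# Helm
+export HELM_DEBUG=1
+export TF_VAR_github_token="${GITHUB_TOKEN}"
+# TODO set your PAT TOKEN as env var
+if [ -z "$GITHUB_TOKEN" ]; then
+echo "Error: Set an environment variable named GITHUB_TOKEN with your GitHub PAT Token"
+exit 1
+fi
+
+#
+# 🌎 Terraform
+#
+if echo "init plan apply refresh import output state taint destroy" | grep -w "$ACTION" > /dev/null; then
+if [ "$ACTION" = "init" ]; then
+echo "[INFO] init tf on ENV: ${ENV}"
+terraform "$ACTION" -backend-config="${BACKEND_CONFIG_PATH}" $other
+elif [ "$ACTION" = "output" ] || [ "$ACTION" = "state" ] || [ "$ACTION" = "taint" ]; then
+# init terraform backend
+terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}"
+terraform "$ACTION" $other
+else
+# init terraform backend
+echo "[INFO] init tf on ENV: ${ENV}"
+terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}"
+
+echo "[INFO] run tf with: ${ACTION} on ENV: ${ENV} and other: >${other}<"
+terraform "${ACTION}" -var-file="./env/${ENV}/terraform.tfvars" -compact-warnings $other
+fi
+else
+echo "[ERROR] ACTION not allowed."
+exit 1
+fi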
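Review bot: A missing ACTION or ENV is reported with `[ERROR]` but the script then does `exit 0` (the two checks just after `BACKEND_CONFIG_PATH`), so a caller such as a CI step sees success and continues with nothing applied; both should be `exit 1`, matching the non-zero exits already used for the missing `GITHUB_TOKEN` and the disallowed-action branch. `other="$@"` joins the remaining arguments into one string that is later expanded unquoted as `$other`, which re-splits any argument containing spaces; an array (`other=("$@")` at the top, `"${other[@]}"` at the three terraform calls) preserves them, and `$WORKDIR` in the `cygpath -w` call should be quoted for the same reason. `subscription` is set to `""` and only `./env/$ENV/backend.ini` can populate it before `az account set -s "${subscription}"`, so a comment such as `# backend.ini must define "subscription" (lower case); an empty value makes "az account set" fail` would document the contract that the `[ERROR]` checks above do not enforce.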
