From 54e0c438449112796fea7657d3b4212eb5fcd374 Mon Sep 17 00:00:00 2001
From: Jacopo
Date: Thu, 30 May 2024 09:46:10 +0200
Subject: [PATCH] identity
---
 .../workflows/deploy_with_github_runner.yml | 46 ++++++++++++-
 .identity/00_data.tf | 5 ++
 .identity/01_github_environment.tf | 25 +++++++
 .identity/terraform.sh | 69 +++++++++++++++++++
 4 files changed, 143 insertions(+), 2 deletions(-)
 create mode 100755 .identity/terraform.sh
diff --git a/.github/workflows/deploy_with_github_runner.yml b/.github/workflows/deploy_with_github_runner.yml
index a1f0c66..924b170 100644
--- a/.github/workflows/deploy_with_github_runner.yml
+++ b/.github/workflows/deploy_with_github_runner.yml
@@ -41,7 +41,7 @@ jobs:
 container_app_environment_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_NAME }}
 resource_group_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME }} # RG of the runner
 pat_token: ${{ secrets.BOT_TOKEN_GITHUB }}
- # self_hosted_runner_image_tag: "v1.4.1"
+ self_hosted_runner_image_tag: "v3.0.0"
 deploy:
 needs: [ create_runner ]
@@ -63,6 +63,7 @@ jobs:
 resource_group: ${{ vars.CLUSTER_RESOURCE_GROUP }}
 app_name: ${{ env.APP_NAME }}
 helm_upgrade_options: "--debug"
+ timeout: "10m0s"
 cleanup_runner:
 name: Cleanup Runner
@@ -81,4 +82,45 @@ jobs:
 subscription_id: ${{ secrets.SUBSCRIPTION_ID }}
 resource_group_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME }}
 runner_name: ${{ needs.create_runner.outputs.runner_name }}
- pat_token: ${{ secrets.BOT_TOKEN_GITHUB }}
\ No newline at end of file
+ pat_token: ${{ secrets.BOT_TOKEN_GITHUB }}
+
+ update_openapi:
+ needs: [ deploy ]
+ runs-on: ubuntu-latest
+ name: Update OpenAPI
+ environment: ${{ inputs.environment }}
+ steps:
+ - name: Checkout
+ id: checkout
+ # from https://github.com/actions/checkout/commits/main
+ uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707
+ with:
+ persist-credentials: false
+
+ - name: Setup Terraform
+ # from https://github.com/hashicorp/setup-terraform/commits/main
+ uses: hashicorp/setup-terraform@8feba2b913ea459066180f9cb177f58a881cf146
+ with:
+ terraform_version: "1.3.6"
+
+ - name: Login
+ id: login
+ # from https://github.com/Azure/login/commits/master
+ uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
+ with:
+ client-id: ${{ secrets.CD_CLIENT_ID }}
+ tenant-id: ${{ secrets.TENANT_ID }}
+ subscription-id: ${{ secrets.SUBSCRIPTION_ID }}
+
+
+ - name: Terraform Apply
+ shell: bash
+ run: |
+ cd ./infra
+ export ARM_CLIENT_ID="${{ secrets.CD_CLIENT_ID }}"
+ export ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
+ export ARM_TENANT_ID=$(az account show --query tenantId --output tsv)
+ export ARM_USE_OIDC=true
+ export ARM_ACCESS_KEY=$(az storage account keys list --resource-group io-infra-rg --account-name pagopainfraterraform${{inputs.environment}} --query '[0].value' -o tsv)
+ bash ./terraform.sh init ${{ inputs.environment }}
+ bash ./terraform.sh apply ${{ inputs.environment }} -auto-approve
diff --git a/.identity/00_data.tf b/.identity/00_data.tf
index 9e17ced..6b89389 100644
--- a/.identity/00_data.tf
+++ b/.identity/00_data.tf
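Review bot: The `Terraform Apply` step's `run:` block interpolates `${{ inputs.environment }}` three times and `${{ secrets.CD_CLIENT_ID }}` once directly into the shell text; passing them through the step's `env:` and reading quoted shell variables keeps the script body static and closes the usual expression-injection path for workflow inputs. The new `update_openapi` job declares no `permissions:`, yet `azure/login` with `client-id`/`tenant-id`/`subscription-id` and `ARM_USE_OIDC=true` both rely on the OIDC token, so unless `id-token: write` is already granted at workflow level outside this hunk the job should add `permissions: { id-token: write, contents: read }`. `ARM_ACCESS_KEY` additionally pulls the storage account key into the job environment although OIDC is already configured; if the backend block supports `use_azuread_auth`/`use_oidc`, fetching a long-lived key becomes unnecessary. Separately, the step runs `./infra/terraform.sh` while this commit creates `.identity/terraform.sh`; presumably `infra/` already has its own copy, but worth confirming the directory is the intended one.
```yaml
  update_openapi:
    needs: [ deploy ]
    permissions:
      id-token: write
      contents: read
    # … unchanged: runs-on, name, environment …
    steps:
      # … unchanged: Checkout, Setup Terraform, Login steps …
      - name: Terraform Apply
        shell: bash
        env:
          ENVIRONMENT: ${{ inputs.environment }}
          ARM_CLIENT_ID: ${{ secrets.CD_CLIENT_ID }}
        run: |
          cd ./infra
          export ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
          export ARM_TENANT_ID=$(az account show --query tenantId --output tsv)
          export ARM_USE_OIDC=true
          export ARM_ACCESS_KEY=$(az storage account keys list --resource-group io-infra-rg --account-name "pagopainfraterraform${ENVIRONMENT}" --query '[0].value' -o tsv)
          bash ./terraform.sh init "$ENVIRONMENT"
          bash ./terraform.sh apply "$ENVIRONMENT" -auto-approve
```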
@@ -22,6 +22,11 @@ data "azurerm_user_assigned_identity" "identity_cd_01" {
 resource_group_name = "${local.prefix}-${var.env_short}-identity-rg"
 }
+data "azurerm_user_assigned_identity" "identity_pr_01" {
+ name = "${local.prefix}-${var.env_short}-${local.domain}-01-pr-github-cd-identity"
+ resource_group_name = "${local.prefix}-${var.env_short}-identity-rg"
+}
+
 data "azurerm_key_vault" "key_vault" {
 name = "pagopa-${var.env_short}-kv"
 resource_group_name = "pagopa-${var.env_short}-sec-rg"
diff --git a/.identity/01_github_environment.tf b/.identity/01_github_environment.tf
index ec4caad..d570189 100644
--- a/.identity/01_github_environment.tf
+++ b/.identity/01_github_environment.tf
@@ -38,6 +38,24 @@ locals {
 "BOT_TOKEN_GITHUB" : data.azurerm_key_vault_secret.key_vault_bot_token.value,
 "CUCUMBER_PUBLISH_TOKEN" : data.azurerm_key_vault_secret.key_vault_cucumber_token.value,
 }
+ special_repo_secrets = {
+ "CLIENT_ID" : {
+ "key" : "${upper(var.env)}_CLIENT_ID",
+ "value" : data.azurerm_user_assigned_identity.identity_pr_01.client_id
+ },
+ "TENANT_ID" : {
+ "key" : "${upper(var.env)}_TENANT_ID",
+ "value" : data.azurerm_user_assigned_identity.identity_pr_01.tenant_id
+ },
+ "SUBSCRIPTION_ID" : {
+ "key" : "${upper(var.env)}_SUBSCRIPTION_ID",
+ "value" : data.azurerm_subscription.current.subscription_id
+ },
+ "SUBKEY" : {
+ "key" : "${upper(var.env)}_SUBKEY",
+ "value" : data.azurerm_key_vault_secret.key_vault_integration_test_subkey.value
+ },
+ }
 }
 ###############
@@ -77,3 +95,10 @@ resource "github_actions_secret" "repo_secrets" {
 plaintext_value = each.value
 }
+
+resource "github_actions_secret" "special_repo_secrets" {
+ for_each = local.special_repo_secrets
+ repository = local.github.repository
+ secret_name = each.value.key
+ plaintext_value = each.value.value
+}
diff --git a/.identity/terraform.sh b/.identity/terraform.sh
new file mode 100755
index 0000000..02fc806
--- /dev/null
+++ b/.identity/terraform.sh
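Review bot: `special_repo_secrets` in the `locals` hunk feeds the `key_vault_integration_test_subkey` value into a repository-level secret (`github_actions_secret` in the `@@ -77,3 +95,10 @@` hunk), so `${upper(var.env)}_SUBKEY` becomes readable by every workflow on every branch of the repository rather than only by the environment it is prefixed for; if these are meant for the pull-request pipeline that the `identity_pr_01` data source suggests, a `github_actions_environment_secret` bound to an environment with protection rules narrows who can obtain it. `CLIENT_ID`, `TENANT_ID` and `SUBSCRIPTION_ID` are identifiers rather than credentials, so `github_actions_variable` would fit them and keep the secret list to actual secrets, though matching the existing `repo_secrets` pattern is understandable. As with `repo_secrets`, `plaintext_value` is persisted in Terraform state, so the state backend's access control is what protects the subkey. A short comment above the map naming its consumers would help the next maintainer, e.g. `# Per-environment secrets (prefix = upper(var.env)) consumed by the PR workflows via identity_pr_01` — adjust to the actual consumer.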
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+set -e
+
+ACTION=$1
+ENV=$2
+shift 2
+other="$@"
+# must be subscription in lower case
+subscription=""
+BACKEND_CONFIG_PATH="./env/${ENV}/backend.tfvars"
+
+if [ -z "$ACTION" ]; then
+ echo "[ERROR] Missed ACTION: init, apply, plan"
+ exit 0
+fi
+
+if [ -z "$ENV" ]; then
+ echo "[ERROR] ENV should be: dev, uat or prod."
+ exit 0
+fi
+
+#
+# 🏁 Source & init shell
+#
+
+# shellcheck source=/dev/null
+source "./env/$ENV/backend.ini"
+
+# Subscription set
+az account set -s "${subscription}"
+
+# if using cygwin, we have to transcode the WORKDIR
+if [[ $WORKDIR == /cygdrive/* ]]; then
+ WORKDIR=$(cygpath -w $WORKDIR)
+fi
+
+# Helm
+export HELM_DEBUG=1
+export TF_VAR_github_token="${GITHUB_TOKEN}"
+# TODO set your PAT TOKEN as env var
+if [ -z "$GITHUB_TOKEN" ]; then
+ echo "Error: Set an environment variable named GITHUB_TOKEN with your GitHub PAT Token"
+ exit 1
+fi
+
+#
+# 🌎 Terraform
+#
+if echo "init plan apply refresh import output state taint destroy" | grep -w "$ACTION" > /dev/null; then
+ if [ "$ACTION" = "init" ]; then
+ echo "[INFO] init tf on ENV: ${ENV}"
+ terraform "$ACTION" -backend-config="${BACKEND_CONFIG_PATH}" $other
+ elif [ "$ACTION" = "output" ] || [ "$ACTION" = "state" ] || [ "$ACTION" = "taint" ]; then
+ # init terraform backend
+ terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}"
+ terraform "$ACTION" $other
+ else
+ # init terraform backend
+ echo "[INFO] init tf on ENV: ${ENV}"
+ terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}"
+
+ echo "[INFO] run tf with: ${ACTION} on ENV: ${ENV} and other: >${other}<"
+ terraform "${ACTION}" -var-file="./env/${ENV}/terraform.tfvars" -compact-warnings $other
+ fi
+else
+ echo "[ERROR] ACTION not allowed."
+ exit 1
+fi
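Review bot: Both argument guards at the top of the new script print `[ERROR]` and then `exit 0`, so a caller that omits ACTION or ENV gets a success status and, under `set -e` in a CI job, the pipeline carries on as if the apply had run; both should be `exit 1`, matching the `ACTION not allowed.` branch at the bottom. `ENV` is only checked for emptiness and is then used to choose `./env/$ENV/backend.ini` for `source` and the `backend.tfvars`/`terraform.tfvars` paths, so validating it against the documented `dev|uat|prod` set before sourcing anything is warranted. `other="$@"` flattens the remaining arguments into one string that is later expanded unquoted as `$other`, which breaks any argument containing spaces; `other=("$@")` with `"${other[@]}"` preserves them. `WORKDIR=$(cygpath -w $WORKDIR)` likewise wants `"$WORKDIR"` quoted.
```bash
ACTION=$1
ENV=$2
shift 2
other=("$@")
# … unchanged: subscription / BACKEND_CONFIG_PATH …

if [ -z "$ACTION" ]; then
  echo "[ERROR] Missed ACTION: init, apply, plan"
  exit 1
fi

case "$ENV" in
  dev|uat|prod) ;;
  *)
    echo "[ERROR] ENV should be: dev, uat or prod."
    exit 1
    ;;
esac
# … unchanged: source backend.ini, az account set, cygwin handling, GITHUB_TOKEN check …
# … unchanged otherwise: each `$other` in the terraform calls becomes "${other[@]}" …
```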