ops: fix workflow deploy ms (#92)

* fix: deploy onboarding ms DIR * labeler * GITHUB token * github_identity_ci_policy * dynamic deployment_branch_policy * fix identity role
pagopa · Jan 18, 2024 · 4b3aa4c · 4b3aa4c
1 parent b2be39b
commit 4b3aa4c
Show file tree

Hide file tree

Showing 13 changed files with 127 additions and 22 deletions.
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -9,7 +9,7 @@ libs:
 
 ops:
 - .github/**
-- .container_apps/**
+- infra/**
 - .identity/**
 
 docs:

diff --git a/.github/workflows/deploy_onboarding_functions.yml b/.github/workflows/deploy_onboarding_functions.yml
@@ -22,12 +22,6 @@ on:
           - prod
 
 env:
-  #DIR: "./.container_apps/onboarding-ms"
-  # This condition (that unfortunately must be replicated for the first job)
-  # sets the environment depending on the current context for manually
-  # started workflows, it picks up the value coming from the UI; otherwise,
-  # it sets prod or uat depending on the current branch.
-  # Ternary operator is not supported
   ENV_NAME: "${{ inputs.environment != null && inputs.environment || (github.base_ref == 'main' && 'prod' || (github.base_ref == 'develop' && 'uat' || 'dev')) }}"
 
 jobs:

diff --git a/.github/workflows/deploy_onboarding_ms.yml b/.github/workflows/deploy_onboarding_ms.yml
@@ -22,7 +22,7 @@ on:
           - prod
 
 env:
-  DIR: "./.container_apps/onboarding-ms"
+  DIR: "./infra/container_apps/onboarding-ms"
   # This condition (that unfortunately must be replicated for the first job)
   # sets the environment depending on the current context for manually
   # started workflows, it picks up the value coming from the UI; otherwise,
@@ -125,6 +125,7 @@ jobs:
           azure_environment: ${{ steps.setenv.outputs.environment }}
         env:
           TF_VAR_image_tag: ${{ steps.setsha.outputs.short_sha }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: "Upload Terraform Plan as Artifact"
         uses: actions/upload-artifact@v3

diff --git a/.identity/env/dev/backend.ini b/.identity/env/dev/backend.ini
@@ -0,0 +1 @@
+subscription=DEV-SelfCare
diff --git a/.identity/env/dev/terraform.tfvars b/.identity/env/dev/terraform.tfvars
@@ -27,16 +27,22 @@ cd_github_federations = [
 ]
 
 environment_ci_roles = {
-  subscription = ["Reader"]
+  subscription = [
+    "Reader",
+    "Key Vault Secrets User"
+  ]
   resource_groups = {
     "terraform-state-rg" = [
-      "Storage Blob Data Reader"
+      "Storage Blob Data Contributor"
     ]
   }
 }
 
 environment_cd_roles = {
-  subscription = ["Reader"]
+  subscription = [
+    "Reader",
+    "Contributor"
+  ]
   resource_groups = {
     "terraform-state-rg" = [
       "Storage Blob Data Contributor"
@@ -50,7 +56,7 @@ github_repository_environment_ci = {
 }
 
 github_repository_environment_cd = {
-  protected_branches     = true
+  protected_branches     = false
   custom_branch_policies = false
   reviewers_teams        = ["selfcare-contributors"]
 }
diff --git a/.identity/env/prod/backend.ini b/.identity/env/prod/backend.ini
@@ -0,0 +1 @@
+subscription=PROD-SelfCare
diff --git a/.identity/env/prod/terraform.tfvars b/.identity/env/prod/terraform.tfvars
@@ -27,16 +27,22 @@ cd_github_federations = [
 ]
 
 environment_ci_roles = {
-  subscription = ["Reader"]
+  subscription = [
+    "Reader",
+    "Key Vault Secrets User"
+  ]
   resource_groups = {
     "terraform-state-rg" = [
-      "Storage Blob Data Reader"
+      "Storage Blob Data Contributor"
     ]
   }
 }
 
 environment_cd_roles = {
-  subscription = ["Reader"]
+  subscription = [
+    "Reader",
+    "Contributor"
+  ]
   resource_groups = {
     "terraform-state-rg" = [
       "Storage Blob Data Contributor"

diff --git a/.identity/env/uat/backend.ini b/.identity/env/uat/backend.ini
@@ -0,0 +1 @@
+subscription=UAT-SelfCare
diff --git a/.identity/env/uat/terraform.tfvars b/.identity/env/uat/terraform.tfvars
@@ -27,16 +27,22 @@ cd_github_federations = [
 ]
 
 environment_ci_roles = {
-  subscription = ["Reader"]
+  subscription = [
+    "Reader",
+    "Key Vault Secrets User"
+  ]
   resource_groups = {
     "terraform-state-rg" = [
-      "Storage Blob Data Reader"
+      "Storage Blob Data Contributor"
     ]
   }
 }
 
 environment_cd_roles = {
-  subscription = ["Reader"]
+  subscription = [
+    "Reader",
+    "Contributor"
+  ]
   resource_groups = {
     "terraform-state-rg" = [
       "Storage Blob Data Contributor"

diff --git a/.identity/github_environment_cd.tf b/.identity/github_environment_cd.tf
@@ -12,9 +12,13 @@ resource "github_repository_environment" "github_repository_environment_cd" {
       )
     }
   }
-  deployment_branch_policy {
-    protected_branches     = var.github_repository_environment_cd.protected_branches
-    custom_branch_policies = var.github_repository_environment_cd.custom_branch_policies
+
+  dynamic "deployment_branch_policy" {
+    for_each = var.github_repository_environment_cd.protected_branches ? [1] : []
+    content {
+      protected_branches     = var.github_repository_environment_cd.protected_branches
+      custom_branch_policies = var.github_repository_environment_cd.custom_branch_policies
+    }
   }
 }
 

diff --git a/.identity/github_managed_identity_ci.tf b/.identity/github_managed_identity_ci.tf
@@ -15,4 +15,20 @@ module "identity_ci" {
   }
 
   tags = var.tags
+}
+
+resource "azurerm_key_vault_access_policy" "github_identity_ci_policy" {
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = module.identity_ci.identity_principal_id
+
+  secret_permissions = [
+    "Get",
+    "List",
+  ]
+
+  certificate_permissions = [
+    "Get",
+    "List"
+  ]
 }
diff --git a/.identity/terraform.sh b/.identity/terraform.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+set -e
+
+ACTION=$1
+ENV=$2
+shift 2
+other="$@"
+# must be subscription in lower case
+subscription=""
+BACKEND_CONFIG_PATH="./env/${ENV}/backend.tfvars"
+
+if [ -z "$ACTION" ]; then
+  echo "[ERROR] Missed ACTION: init, apply, plan"
+  exit 0
+fi
+
+if [ -z "$ENV" ]; then
+  echo "[ERROR] ENV should be: dev, uat or prod."
+  exit 0
+fi
+
+#
+# 🏁 Source & init shell
+#
+
+# shellcheck source=/dev/null
+source "./env/$ENV/backend.ini"
+
+# Subscription set
+az account set -s "${subscription}"
+
+# if using cygwin, we have to transcode the WORKDIR
+if [[ $WORKDIR == /cygdrive/* ]]; then
+  WORKDIR=$(cygpath -w $WORKDIR)
+fi
+
+# Helm
+export HELM_DEBUG=1
+export TF_VAR_github_token="${GITHUB_TOKEN}"
+# TODO set your PAT TOKEN as env var
+if [ -z "$GITHUB_TOKEN" ]; then
+  echo "Error: Set an environment variable named GITHUB_TOKEN with your GitHub PAT Token"
+  exit 1
+fi
+
+#
+# 🌎 Terraform
+#
+if echo "init plan apply refresh import output state taint destroy" | grep -w "$ACTION" > /dev/null; then
+  if [ "$ACTION" = "init" ]; then
+    echo "[INFO] init tf on ENV: ${ENV}"
+    terraform "$ACTION" -backend-config="${BACKEND_CONFIG_PATH}" $other
+  elif [ "$ACTION" = "output" ] || [ "$ACTION" = "state" ] || [ "$ACTION" = "taint" ]; then
+    # init terraform backend
+    terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}"
+    terraform "$ACTION" $other
+  else
+    # init terraform backend
+    echo "[INFO] init tf on ENV: ${ENV}"
+    terraform init -reconfigure -backend-config="${BACKEND_CONFIG_PATH}"
+
+    echo "[INFO] run tf with: ${ACTION} on ENV: ${ENV} and other: >${other}<"
+    terraform "${ACTION}" -var-file="./env/${ENV}/terraform.tfvars" -compact-warnings $other
+  fi
+else
+    echo "[ERROR] ACTION not allowed."
+    exit 1
+fi
diff --git a/README.md b/README.md
@@ -24,7 +24,7 @@ Look at single README module for more information.
 
 ## Infrastructure
 
-The [`.container_apps/`] sub folder contains terraform files for deploying infrastructure as container apps in Azure.
+The [`.infra/`] sub folder contains terraform files for deploying infrastructure such as container apps or functions in Azure.
 
 
 ## Continous integration