From 9d4795f1e680ae1a1f67ae392aeb4cb382ec8182 Mon Sep 17 00:00:00 2001
From: Andrea Grillo
Date: Tue, 23 Jan 2024 17:35:40 +0100
Subject: [PATCH] [EC-98] Adapt ms deployment pipeline to GitHub flow (#109)
---
.github/workflows/call_release_ms.yml | 175 ++++++++++++++++
.github/workflows/deploy_onboarding_ms.yml | 187 ------------------
.github/workflows/release_ms.yml | 39 ++++
.identity/github_environment_cd.tf | 2 +-
.../onboarding-ms/.terraform.lock.hcl | 34 ++--
.../onboarding-ms/container_app.tf | 10 +-
infra/container_apps/onboarding-ms/main.tf | 2 +-
.../onboarding-ms/private_dns.tf | 7 +
.../container_apps/onboarding-ms/variables.tf | 5 +-
9 files changed, 244 insertions(+), 217 deletions(-)
create mode 100644 .github/workflows/call_release_ms.yml
delete mode 100644 .github/workflows/deploy_onboarding_ms.yml
create mode 100644 .github/workflows/release_ms.yml
create mode 100644 infra/container_apps/onboarding-ms/private_dns.tf
diff --git a/.github/workflows/call_release_ms.yml b/.github/workflows/call_release_ms.yml
new file mode 100644
index 000000000..668a7d982
--- /dev/null
+++ b/.github/workflows/call_release_ms.yml
@@ -0,0 +1,175 @@
+on:
+ workflow_call:
+ inputs:
+ environment:
+ type: string
+ required: true
+
+env:
+ DIR: "./infra/container_apps/onboarding-ms"
+ ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+ ARM_USE_OIDC: true
+ ARM_USE_AZUREAD: true
+ ARM_STORAGE_USE_AZUREAD: true
+
+jobs:
+
+ build:
+ name: 'Build Docker image'
+ runs-on: ubuntu-20.04
+ environment: ${{ inputs.environment }}-cd
+ permissions:
+ packages: write
+
+ steps:
+
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ name: Checkout
+
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Docker Meta
+ id: meta
+ uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0
+ with:
+ images: ghcr.io/${{ github.repository }}-ms
+ tags: |
+ type=raw,value=latest,enable={{is_default_branch}}
+ type=ref,event=branch
+ type=sha
+ labels:
+ org.opencontainers.image.title=${{ github.repository }}-ms
+ org.opencontainers.image.description=SelfCare onboarding microservice
+ org.opencontainers.image.authors=PagoPA
+ org.opencontainers.image.url=github.com/pagopa/${{ github.repository }}
+ org.opencontainers.image.source=https://github.com/${{ github.repository }}
+
+ - name: Build and Push Image
+ uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+ with:
+ context: .
+ file: ./apps/onboarding-ms/Dockerfile
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=min
+
+ tf_plan:
+ name: 'Terraform Plan'
+ runs-on: ubuntu-20.04
+ environment: ${{ inputs.environment }}-ci
+ permissions:
+ id-token: write
+ contents: read
+ outputs:
+ terraform_version: ${{ steps.set-terraform-version.outputs.terraform_version}}
+ image_tag: ${{ steps.setsha.outputs.short_sha }}
+
+ steps:
+
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ name: Checkout
+
+ - name: Set Short Git Commit SHA
+ id: setsha
+ run: |
+ calculatedSha=$(git rev-parse --short ${{ github.sha }})
+ echo "short_sha=sha-$calculatedSha" >> $GITHUB_OUTPUT
+
+ - name: Set Terraform Version
+ id: set-terraform-version
+ run: |
+ echo "terraform_version=$(cat .terraform-version)" >> $GITHUB_OUTPUT
+
+ - uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
+ name: Setup Terraform
+ with:
+ terraform_version: ${{ steps.set-terraform-version.outputs.terraform_version}}
+
+ - name: Terraform Plan
+ uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd
+ with:
+ client_id: ${{ secrets.AZURE_CLIENT_ID_CI }}
+ tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ dir: ${{ env.DIR }}
+ azure_environment: ${{ inputs.environment }}
+ env:
+ TF_VAR_image_tag: ${{ steps.setsha.outputs.short_sha }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: "Upload Terraform Plan as Artifact"
+ uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
+ with:
+ name: tfplan
+ path: ${{ env.DIR }}/tfplan-${{ inputs.environment }}-${{ github.sha }}
+ if-no-files-found: error
+ retention-days: 14
+
+ release:
+ name: 'Release'
+ runs-on: ubuntu-latest
+ needs: [build, tf_plan]
+ environment: ${{ inputs.environment }}-cd
+ permissions:
+ id-token: write
+ contents: read
+ env:
+ ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_CD }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ steps:
+
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ name: Checkout
+
+ - name: Azure Login
+ uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID_CD }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ - name: Download Terraform Plan as Artifact
+ uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+ with:
+ name: tfplan
+ path: ${{ env.DIR }}
+
+ - name: Retrieve Terraform Modules from Cache
+ id: cache-terraform-modules
+ uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+ with:
+ path: ${{ env.DIR }}/.terraform
+ key: terraform-${{ env.DIR }}-${{ github.sha }}
+ restore-keys: |
+ terraform-${{ env.DIR }}
+
+ - uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
+ name: Setup Terraform
+ with:
+ terraform_version: ${{ needs.tf_plan.outputs.terraform_version }}
+
+ - name: Terraform Init
+ shell: bash
+ working-directory: ${{ env.DIR }}
+ run: |
+ bash ./terraform.sh init ${{ inputs.environment }}
+
+ - name: Terraform Apply
+ shell: bash
+ working-directory: ${{ env.DIR }}
+ run: |
+ terraform apply -lock-timeout=3000s -auto-approve -input=false tfplan-${{ inputs.environment }}-${{ github.sha }}
+ env:
+ TF_VAR_image_tag: ${{ needs.tf_plan.outputs.image_tag }}
diff --git a/.github/workflows/deploy_onboarding_ms.yml b/.github/workflows/deploy_onboarding_ms.yml
deleted file mode 100644
index f3b5eff41..000000000
--- a/.github/workflows/deploy_onboarding_ms.yml
+++ /dev/null
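Review bot: The `Upload Terraform Plan as Artifact` step in `tf_plan` keeps the plan with `retention-days: 14`, up from the 1 day the workflow it replaces used, and a saved plan file carries every variable value and the prior state of the resources it touches in clear text, so any secret-bearing attribute in this stack stays downloadable for two weeks by anyone who can read the repository's artifacts. The `release` job consumes the plan within the same run, so `retention-days: 1` is enough. The `Terraform Apply` step also sets `TF_VAR_image_tag` while applying the saved `tfplan-…` file; the tag was fixed when the plan was written, so that `env:` block presumably has no effect and is worth removing or explaining with a comment such as `# no effect on a saved plan: the image tag is already baked into tfplan`. Since the apply runs with `-auto-approve`, the protection rules on the `${{ inputs.environment }}-cd` environment (not visible here) are the only approval gate before production changes.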
@@ -1,187 +0,0 @@ -name: Deploy onboarding ms - -on: - pull_request: - branches: - - main - types: [closed] - paths: - - "apps/onboarding-ms/**" - - "apps/pom.xml" - # deploy UAT when create a new branch release*, condition below contains() permit to execute worflow only for 'release' branch - create: - - workflow_dispatch: - inputs: - environment: - required: true - type: choice - description: Select the Environment - options: - - dev - - uat - - prod - -env: - DIR: "./infra/container_apps/onboarding-ms" - # This condition (that unfortunately must be replicated for the first job) - # sets the environment depending on the current context for manually - # started workflows, it picks up the value coming from the UI; otherwise, - # it sets prod or uat depending on the current branch. - # Ternary operator is not supported - ENV_NAME: "${{ inputs.environment != null && inputs.environment || (github.base_ref == 'main' && 'dev' || (contains(github.ref_name, 'release') && 'uat' || 'dev')) }}" - -jobs: - build: - name: Build Onboarding Microservice - runs-on: ubuntu-latest - if: ${{ (github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true || contains(github.ref_name, 'release')) }} - environment: "${{ inputs.environment != null && inputs.environment || (github.base_ref == 'main' && 'dev' || (contains(github.ref_name, 'release') && 'uat' || 'dev')) }}-ci" - outputs: - environment: ${{ steps.setenv.outputs.environment }} - short_sha: ${{ steps.setsha.outputs.short_sha }} - permissions: - packages: write - contents: write - id-token: write - - steps: - - uses: actions/checkout@v4 - name: Checkout - with: - ref: ${{ github.ref_name }} - - # this workaround is necessary to pass the environment value to the next job - # unexpectly, global env vars cannot be read to set the environment and I don't - # want to repeat that complex expression (already repeated twice) - - name: Read Environment - id: setenv - shell: bash - run: | - echo 
"environment=$ENV_NAME" >> $GITHUB_OUTPUT - - # github doesn't provide a short sha anymore - - name: Set Short Git Commit SHA - id: setsha - run: | - calculatedSha=$(git rev-parse --short ${{ github.sha }}) - echo "short_sha=sha-$calculatedSha" >> $GITHUB_OUTPUT - - - name: Setup Docker buildx - uses: docker/setup-buildx-action@v3.0.0 - - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Docker Meta - id: meta - uses: docker/metadata-action@v4.3.0 - with: - images: ghcr.io/${{ github.repository }}-ms - tags: | - type=raw,value=latest,enable={{is_default_branch}} - type=ref,event=branch - type=sha - labels: - org.opencontainers.image.title=${{ github.repository }}-ms - org.opencontainers.image.description=SelfCare onboarding microservice - org.opencontainers.image.authors=PagoPA - org.opencontainers.image.url=github.com/pagopa/${{ github.repository }} - org.opencontainers.image.source=https://github.com/${{ github.repository }} - - - name: Build and Push Image - uses: docker/build-push-action@v5 - with: - context: . 
- file: ./apps/onboarding-ms/Dockerfile - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - secrets: | - GH_TOKEN=${{ secrets.READ_PACKAGES_TOKEN }} - cache-from: type=gha - cache-to: type=gha,mode=min - - - name: Set Terraform Version - id: set-terraform-version - run: | - echo "terraform_version=$(cat .terraform-version)" >> $GITHUB_OUTPUT - - - uses: hashicorp/setup-terraform@v2 - name: Setup Terraform - with: - terraform_version: ${{ steps.set-terraform-version.outputs.terraform_version}} - - - name: Terraform Plan - uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd - with: - client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - dir: ${{ env.DIR }} - azure_environment: ${{ steps.setenv.outputs.environment }} - env: - TF_VAR_image_tag: ${{ steps.setsha.outputs.short_sha }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: "Upload Terraform Plan as Artifact" - uses: actions/upload-artifact@v3 - with: - name: tfplan - path: ${{ env.DIR }}/tfplan-${{ steps.setenv.outputs.environment }}-${{ github.sha }} - if-no-files-found: error - retention-days: 1 - - deploy: - name: Deploy microservice - runs-on: ubuntu-latest - needs: [build] - environment: ${{ needs.build.outputs.environment }}-cd - permissions: - id-token: write - - steps: - - uses: actions/checkout@v4 - name: Checkout - with: - ref: ${{ github.ref_name }} - - - name: Download Terraform Plan as Artifact - uses: actions/download-artifact@v3 - with: - name: tfplan - path: ${{ env.DIR }} - - - name: Retrieve Terraform Modules from Cache - id: cache-terraform-modules - uses: actions/cache@6fd2d4538ca777f67fccddb233cf1a8ff1339012 - with: - path: ${{ env.DIR }}/.terraform - key: terraform-${{ env.DIR }}-${{ github.sha }} - restore-keys: | - terraform-${{ env.DIR }} - - - name: Set Terraform Version - id: set-terraform-version - run: | - 
echo "terraform_version=$(cat .terraform-version)" >> $GITHUB_OUTPUT
- - uses: hashicorp/setup-terraform@v2
- name: Setup Terraform
- with:
- terraform_version: ${{ steps.set-terraform-version.outputs.terraform_version}}
-
- - name: Terraform Apply
- uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab
- with:
- client_id: ${{ secrets.AZURE_CLIENT_ID_CD }}
- tenant_id: ${{ secrets.AZURE_TENANT_ID }}
- subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- dir: ${{ env.DIR }}
- azure_environment: ${{ needs.build.outputs.environment }}
- env:
- TF_VAR_image_tag: ${{ needs.build.outputs.short_sha }}
diff --git a/.github/workflows/release_ms.yml b/.github/workflows/release_ms.yml
new file mode 100644
index 000000000..619641c65
--- /dev/null
+++ b/.github/workflows/release_ms.yml
@@ -0,0 +1,39 @@
+name: Deploy onboarding ms
+
+on:
+ push:
+ branches:
+ - main
+ - releases/*
+ paths:
+ - "apps/onboarding-ms/**"
+ - "apps/pom.xml"
+ - "pom.xml"
+
+ workflow_dispatch:
+
+jobs:
+
+ release_dev:
+ uses: ./.github/workflows/call_release_ms.yml
+ name: '[Dev] OnBoarding ms Release'
+ if: github.ref_name == 'main'
+ secrets: inherit
+ with:
+ environment: dev
+
+ release_uat:
+ uses: ./.github/workflows/call_release_ms.yml
+ name: '[UAT] OnBoarding ms Release'
+ if: startsWith(github.ref_name, 'releases/')
+ secrets: inherit
+ with:
+ environment: uat
+
+ release_prod:
+ uses: ./.github/workflows/call_release_ms.yml
+ name: '[Prod] OnBoarding ms Release'
+ if: startsWith(github.ref_name, 'releases/')
+ secrets: inherit
+ with:
+ environment: prod
diff --git a/.identity/github_environment_cd.tf b/.identity/github_environment_cd.tf
index 96869a71d..3cb62a283 100644
--- a/.identity/github_environment_cd.tf
+++ b/.identity/github_environment_cd.tf
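Review bot: `release_uat` and `release_prod` share the same `if: startsWith(github.ref_name, 'releases/')` condition and neither declares `needs`, so one push to a `releases/*` branch starts the UAT and production releases in parallel with no requirement that UAT succeeded first; only the protection rules configured on the `prod-cd` environment (outside this diff) stand between that push and `terraform apply` in production. Adding `needs: [release_uat]` to `release_prod` makes the ordering explicit and stops the prod apply when the UAT release fails. The `paths` filter also lists only `apps/onboarding-ms/**` and the pom files, so a push that changes only `infra/container_apps/onboarding-ms/` (such as the `allowInsecure = false` change in this same commit) or these workflow files will not trigger a release; adding `- "infra/container_apps/onboarding-ms/**"` and `- ".github/workflows/*release_ms.yml"` to `paths` closes that gap.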
@@ -12,7 +12,7 @@ resource "github_repository_environment" "github_repository_environment_cd" {
 )
 }
 }
-
+
 dynamic "deployment_branch_policy" {
 for_each = var.github_repository_environment_cd.protected_branches ? [1] : []
 content {
diff --git a/infra/container_apps/onboarding-ms/.terraform.lock.hcl b/infra/container_apps/onboarding-ms/.terraform.lock.hcl
index 228c1c73b..d43a6d762 100644
--- a/infra/container_apps/onboarding-ms/.terraform.lock.hcl
+++ b/infra/container_apps/onboarding-ms/.terraform.lock.hcl
@@ -25,24 +25,24 @@ provider "registry.terraform.io/azure/azapi" {
 }
 
 provider "registry.terraform.io/hashicorp/azurerm" {
- version = "3.86.0"
- constraints = "<= 3.86.0"
+ version = "3.88.0"
+ constraints = "<= 3.88.0"
 hashes = [
- "h1:OYk3njsOIMuSK4pbbOr5qbssIHBSzb/Fmfsg9AYeyCo=",
- "h1:l8f2nCtiTdLMstfjDbPVqFYpdQAhim1wDTRUfCTRhGQ=",
- "h1:rMBvc1zYiiv/wHc0D8ry8SPxqMiqqwUEt8zndCVPZx4=",
- "h1:y+kGEfUoR81RNTeJkcohwvFtIyS3c/VxIjwN6cT9lCk=",
- "zh:10473870b663b3becca1127687ed0d002d61f417c279e7daac546d265ff1f3db",
- "zh:1dfe2446d7530cd082f817a8d37ec9fb0260b275085978bd81ba0e8167aa6f7c",
- "zh:31712a4d9727a5970354eb3c26b4d6dc45b5103c6599cb97c2bd3f9915062baf",
- "zh:51dcb102e17e49d675d6865f1ca9eaa8a2aa566ba56a93bb77aab703112d1de5",
- "zh:54d5053cd88ed99e804c7b4d72f91ec1bab5fe8b6769db5c120d60b5e6a653dc",
- "zh:58388274d406a55c84199d1a22b8143b47321b7b508a18ddeed9e824a864cb5d",
- "zh:7b8afa8d62431512197aa5aed4e902b06bce3f8362d6ddf2c841e03c2658f4a7",
- "zh:b7d3c1e8bfdd4e099e174724be41cdbc916868a7ca637bcf8682a57ef3453f7f",
- "zh:ea0cc2751ef9a15b48e42d6ae62f4329c567335e348f57e577ce727d8167c29f",
- "zh:f3a48fdf58a34deae9221923f30112b18ce1ab6cabb46d6c38e1a3234340cfd0",
+ "h1:9y4lEOavyzDQDTRGOFX8Pa4Y+Me/CUkIjMOt0FJfTJc=",
+ "h1:Xp9L7Udmm/rHC38IYDQyD5quXAqGjo4xalyqzE66kQU=",
+ "h1:eTZ0mol7zQjTqtkSc9LrebOpv4/Gk4L1t76a7MyjcZ8=",
+ "h1:gPUPgFN57YebQCj1M6K1mVPRTj6MXcx/DgbmubijW7k=",
+ "zh:1b62ac2ac6b9457a1c873199835008e26b95424f78039b0419d41de20cf0f6ac",
+ "zh:2088e6c4c54b85fe5fd95b3040c314a6b06948541d523982fed5164dab9cb59f",
+ "zh:26c9af23de38b9fa4b560ab00e1a47bd26bf70fd00655d15ef2b6e1ba71dfed4",
+ "zh:289e2367f6f39caa63c8d29e7958ceea47e81e4692a2cac801a495129aa7dd8f",
+ "zh:77e407fab882ed4a0c3ed42db02f18994c93603302f28fc9bac194ba526de96a",
+ "zh:90cf1f652f8d51a8a26c697c940b8587a15a6a44c7025b619cb3c9aaab051e5d",
+ "zh:91016c5a3e1e0c2fcc495c2c50ca300180d0f03cfbeb40224154acd86ea9dd0f",
+ "zh:943aadacc3e3a95daa735a42dc7e6302502f2a3cf28701dce5de8a83d97978c5",
+ "zh:9dbb63d5d7a75b1ba56d394c512984c192dc13f325766f4f4c9f9a7d7214accc",
+ "zh:af74a4ae56c58da9262776da902ff7a9493666f96e3e18dff73189741a750de8",
 "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
- "zh:fbd1d24b6bc67d5c370f2a3934da70ea3b93d612fe83b71e0dae592b48d030ce",
+ "zh:ff509c05f074f57b9dd8cc55b167522815815d7c21011212cec7e1d2fa161f67",
 ]
 }
diff --git a/infra/container_apps/onboarding-ms/container_app.tf b/infra/container_apps/onboarding-ms/container_app.tf
index 0dff3e6b8..0fbac198d 100644
--- a/infra/container_apps/onboarding-ms/container_app.tf
+++ b/infra/container_apps/onboarding-ms/container_app.tf
@@ -15,7 +15,7 @@ resource "azapi_resource" "container_app_onboarding_ms" {
 configuration = {
 activeRevisionsMode = "Single"
 ingress = {
- allowInsecure = true
+ allowInsecure = false
 external = true
 traffic = [
 {
@@ -60,11 +60,3 @@ resource "azurerm_key_vault_access_policy" "keyvault_containerapp_access_policy"
 "Get",
 ]
 }
-
-resource "azurerm_private_dns_a_record" "private_dns_record_a_azurecontainerapps_io" {
- name = "${azapi_resource.container_app_onboarding_ms.name}.${trimsuffix(data.azurerm_container_app_environment.container_app_environment.default_domain, ".${local.container_app_environment_dns_zone_name}")}"
- zone_name = data.azurerm_private_dns_zone.private_azurecontainerapps_io.name
- resource_group_name = data.azurerm_resource_group.rg_vnet.name
- ttl = 3600
- records = [data.azurerm_container_app_environment.container_app_environment.static_ip_address]
-}
diff --git a/infra/container_apps/onboarding-ms/main.tf b/infra/container_apps/onboarding-ms/main.tf
index b83f37f3a..0ec4d279a 100644
--- a/infra/container_apps/onboarding-ms/main.tf
+++ b/infra/container_apps/onboarding-ms/main.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "<= 3.86.0"
+ version = "<= 3.88.0"
 }
 azapi = {
diff --git a/infra/container_apps/onboarding-ms/private_dns.tf b/infra/container_apps/onboarding-ms/private_dns.tf
new file mode 100644
index 000000000..7930a6c66
--- /dev/null
+++ b/infra/container_apps/onboarding-ms/private_dns.tf
@@ -0,0 +1,7 @@
+resource "azurerm_private_dns_a_record" "private_dns_record_a_azurecontainerapps_io" {
+ name = "${azapi_resource.container_app_onboarding_ms.name}.${trimsuffix(data.azurerm_container_app_environment.container_app_environment.default_domain, ".${local.container_app_environment_dns_zone_name}")}"
+ zone_name = data.azurerm_private_dns_zone.private_azurecontainerapps_io.name
+ resource_group_name = data.azurerm_resource_group.rg_vnet.name
+ ttl = 3600
+ records = [data.azurerm_container_app_environment.container_app_environment.static_ip_address]
+}
diff --git a/infra/container_apps/onboarding-ms/variables.tf b/infra/container_apps/onboarding-ms/variables.tf
index 878618cd0..19d10a25d 100644
--- a/infra/container_apps/onboarding-ms/variables.tf
+++ b/infra/container_apps/onboarding-ms/variables.tf
@@ -45,8 +45,9 @@ variable "container_app" {
 }
 
 variable "image_tag" {
- type = string
- default = "latest"
+ type = string
+ default = "latest"
+ description = "Image tag to use for the container"
 }
 
 variable "app_settings" {