[EC-101] PR and Release pipelines for TF configurations (#112)

.github/workflows/call_code_review_infra.yml

@@ -0,0 +1,68 @@
+on:
+  workflow_call:
+    inputs:
+      environment:
+        type: string
+        required: true
+      dir:
+        type: string
+        required: true
+      env_vars:
+        type: string
+        required: false
+        description: List of environment variables to set up, given in env=value format.
+
+env:
+  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+  ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+  ARM_USE_OIDC: true
+  ARM_USE_AZUREAD: true
+  ARM_STORAGE_USE_AZUREAD: true
+
+jobs:
+  tf_plan:
+    name: 'Terraform Plan'
+    runs-on: ubuntu-20.04
+    environment: ${{ inputs.environment }}-ci
+    permissions:
+      id-token: write
+      contents: read
+    env:
+      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_CI }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    steps:
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        name: Checkout
+
+      - name: Set Environment Variables
+        if: ${{ inputs.env_vars }}
+        run: |
+          for i in "${{ inputs.env_vars }}"
+          do
+            printf "%s\n" $i >> $GITHUB_ENV
+          done
+
+      - name: Azure Login
+        uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID_CI }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Set Terraform Version
+        id: set-terraform-version
+        run: |
+          echo "terraform_version=$(cat .terraform-version)" >> $GITHUB_OUTPUT
+
+      - uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
+        name: Setup Terraform
+        with:
+          terraform_version: ${{ steps.set-terraform-version.outputs.terraform_version }}
+
+      - name: Terraform Plan
+        working-directory: ${{ inputs.dir }}
+        shell: bash
+        run: |
+          bash ./terraform.sh plan ${{ inputs.environment }}

.github/workflows/call_release_infra.yml

@@ -0,0 +1,130 @@
+on:
+  workflow_call:
+    inputs:
+      environment:
+        type: string
+        required: true
+      dir:
+        type: string
+        required: true
+      env_vars:
+        type: string
+        required: false
+        description: List of environment variables to set up, given in env=value format.
+
+env:
+  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+  ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+  ARM_USE_OIDC: true
+  ARM_USE_AZUREAD: true
+  ARM_STORAGE_USE_AZUREAD: true
+
+jobs:
+
+  tf_plan:
+    name: 'Terraform Plan'
+    runs-on: ubuntu-20.04
+    environment: ${{ inputs.environment }}-ci
+    permissions:
+      id-token: write
+      contents: read
+    outputs:
+      terraform_version: ${{ steps.set-terraform-version.outputs.terraform_version }}
+
+    steps:
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        name: Checkout
+
+      - name: Set Environment Variables
+        if: ${{ inputs.env_vars }}
+        run: |
+          for i in "${{ inputs.env_vars }}"
+          do
+            printf "%s\n" $i >> $GITHUB_ENV
+          done
+
+      - name: Set Terraform Version
+        id: set-terraform-version
+        run: |
+          echo "terraform_version=$(cat .terraform-version)" >> $GITHUB_OUTPUT
+
+      - uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
+        name: Setup Terraform
+        with:
+          terraform_version: ${{ steps.set-terraform-version.outputs.terraform_version }}
+
+      - name: Terraform Plan
+        uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd
+        with:
+          client_id: ${{ secrets.AZURE_CLIENT_ID_CI }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          dir: ${{ inputs.dir }}
+          azure_environment: ${{ inputs.environment }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: "Upload Terraform Plan as Artifact"
+        uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
+        with:
+          name: tfplan
+          path: ${{ inputs.dir }}/tfplan-${{ inputs.environment }}-${{ github.sha }}
+          if-no-files-found: error
+          retention-days: 14
+
+  apply:
+    name: 'Terraform Apply'
+    runs-on: ubuntu-20.04
+    needs: [tf_plan]
+    environment: ${{ inputs.environment }}-cd
+    permissions:
+      id-token: write
+      contents: read
+    env:
+      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_CD }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    steps:
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        name: Checkout
+
+      - name: Azure Login
+        uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID_CD }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Download Terraform Plan as Artifact
+        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
+        with:
+          name: tfplan
+          path: ${{ inputs.dir }}
+
+      - name: Retrieve Terraform Modules from Cache
+        id: cache-terraform-modules
+        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        with:
+          path: ${{ inputs.dir }}/.terraform
+          key: terraform-${{ inputs.dir }}-${{ github.sha }}
+          restore-keys: |
+            terraform-${{ inputs.dir }}
+
+      - uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
+        name: Setup Terraform
+        with:
+          terraform_version: ${{ needs.tf_plan.outputs.terraform_version }}
+
+      - name: Terraform Init
+        shell: bash
+        working-directory: ${{ inputs.dir }}
+        run: |
+          bash ./terraform.sh init ${{ inputs.environment }}
+
+      - name: Terraform Apply
+        shell: bash
+        working-directory: ${{ inputs.dir }}
+        run: |
+          terraform apply -lock-timeout=3000s -auto-approve -input=false tfplan-${{ inputs.environment }}-${{ github.sha }}

.github/workflows/call_release_ms.yml

@@ -118,7 +118,7 @@ jobs:
 
   release:
     name: 'Release'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     needs: [build, tf_plan]
     environment: ${{ inputs.environment }}-cd
     permissions:

.github/workflows/pr_container_apps_infra.yml

@@ -0,0 +1,51 @@
+name: Code Review container app infra
+
+on:
+  workflow_dispatch:
+
+  pull_request:
+    branches:
+      - main
+      - releases/*
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+      - ready_for_review
+    paths:
+      - './infra/container_apps/onboarding-ms/**'
+      - './.github/workflows/pr_container_apps_infra.yml'
+      - './.github/workflows/call_code_review_infra.yml'
+
+jobs:
+  code_review_dev:
+    uses: ./.github/workflows/call_code_review_infra.yml
+    name: '[DEV] Container Apps Infra Code Review'
+    if: ${{ !startsWith(github.ref_name, 'releases/') }}
+    secrets: inherit
+    with:
+      environment: dev
+      dir: ./infra/container_apps/onboarding-ms
+      env_vars: |
+        TF_VAR_image_tag=sha-$(git rev-parse --short ${{ github.sha }})
+
+  code_review_uat:
+    uses: ./.github/workflows/call_code_review_infra.yml
+    name: '[UAT] Container Apps Infra Code Review'
+    secrets: inherit
+    with:
+      environment: uat
+      dir: ./infra/container_apps/onboarding-ms
+      env_vars: |
+        TF_VAR_image_tag=sha-$(git rev-parse --short ${{ github.sha }})
+
+  code_review_prod:
+    uses: ./.github/workflows/call_code_review_infra.yml
+    name: '[PROD] Container Apps Infra Code Review'
+    secrets: inherit
+    with:
+      environment: prod
+      dir: ./infra/container_apps/onboarding-ms
+      env_vars: |
+        TF_VAR_image_tag=sha-$(git rev-parse --short ${{ github.sha }})

.github/workflows/pr_functions_infra.yml

@@ -0,0 +1,45 @@
+name: Code Review functions infra
+
+on:
+  workflow_dispatch:
+
+  pull_request:
+    branches:
+      - main
+      - releases/*
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+      - ready_for_review
+    paths:
+      - './infra/functions/onboarding-functions/**'
+      - './.github/workflows/pr_functions_infra.yml'
+      - './.github/workflows/call_code_review_infra.yml'
+
+jobs:
+  code_review_dev:
+    uses: ./.github/workflows/call_code_review_infra.yml
+    name: '[DEV] Functions Infra Code Review'
+    if: ${{ !startsWith(github.ref_name, 'releases/') }}
+    secrets: inherit
+    with:
+      environment: dev
+      dir: ./infra/functions/onboarding-functions
+
+  code_review_uat:
+    uses: ./.github/workflows/call_code_review_infra.yml
+    name: '[UAT] Functions Infra Code Review'
+    secrets: inherit
+    with:
+      environment: uat
+      dir: ./infra/functions/onboarding-functions
+
+  code_review_prod:
+    uses: ./.github/workflows/call_code_review_infra.yml
+    name: '[PROD] Functions Infra Code Review'
+    secrets: inherit
+    with:
+      environment: prod
+      dir: ./infra/functions/onboarding-functions

.github/workflows/pr_mongo_infra.yml

@@ -0,0 +1,37 @@
+name: Code Review mongo infra
+
+on:
+  workflow_dispatch:
+
+  pull_request:
+    branches:
+      - main
+      - releases/*
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+      - ready_for_review
+    paths:
+      - './infra/mongo/**'
+      - './.github/workflows/pr_mongo_infra.yml'
+      - './.github/workflows/call_code_review_infra.yml'
+
+jobs:
+  code_review_dev:
+    uses: ./.github/workflows/call_code_review_infra.yml
+    name: '[DEV] Mongo Infra Code Review'
+    if: ${{ !startsWith(github.ref_name, 'releases/') }}
+    secrets: inherit
+    with:
+      environment: dev
+      dir: ./infra/mongo
+
+  code_review_uat:
+    uses: ./.github/workflows/call_code_review_infra.yml
+    name: '[UAT] Mongo Infra Code Review'
+    secrets: inherit
+    with:
+      environment: uat
+      dir: ./infra/mongo

.github/workflows/release_container_apps_infra.yml

@@ -0,0 +1,46 @@
+name: Deploy Container Apps infra
+
+on:
+  push:
+    branches:
+      - main
+      - releases/*
+    paths:
+      - './infra/container_apps/onboarding-ms/**'
+
+  workflow_dispatch:
+
+jobs:
+
+  release_dev:
+    uses: ./.github/workflows/call_release_infra.yml
+    name: '[Dev] Container Apps Infra Release'
+    if: github.ref_name == 'main'
+    secrets: inherit
+    with:
+      environment: dev
+      dir: ./infra/container_apps/onboarding-ms
+      env_vars: |
+        TF_VAR_image_tag=sha-$(git rev-parse --short ${{ github.sha }})
+
+  release_uat:
+    uses: ./.github/workflows/call_release_infra.yml
+    name: '[UAT] Container Apps Infra Release'
+    if: startsWith(github.ref_name, 'releases/')
+    secrets: inherit
+    with:
+      environment: uat
+      dir: ./infra/container_apps/onboarding-ms
+      env_vars: |
+        TF_VAR_image_tag=sha-$(git rev-parse --short ${{ github.sha }})
+
+  release_prod:
+    uses: ./.github/workflows/call_release_infra.yml
+    name: '[Prod] Container Apps Infra Release'
+    if: startsWith(github.ref_name, 'releases/')
+    secrets: inherit
+    with:
+      environment: prod
+      dir: ./infra/container_apps/onboarding-ms
+      env_vars: |
+        TF_VAR_image_tag=sha-$(git rev-parse --short ${{ github.sha }})