From 4609839493bdd84e5a6096cd7387b1fb600e55a1 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Tue, 2 Apr 2024 16:45:56 +0200 Subject: [PATCH 01/41] added github action to release and deploy --- .github/workflows/deploy_func.yaml | 13 +++++++++++ .github/workflows/release.yaml | 35 ++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 .github/workflows/deploy_func.yaml create mode 100644 .github/workflows/release.yaml diff --git a/.github/workflows/deploy_func.yaml b/.github/workflows/deploy_func.yaml new file mode 100644 index 00000000..1758954e --- /dev/null +++ b/.github/workflows/deploy_func.yaml @@ -0,0 +1,13 @@ +name: Deploy (io-p-messages-sending-func) + +on: + workflow_dispatch: {} + +jobs: + deploy_workspace_to_azure: + name: Deploy + uses: pagopa/io-std/.github/workflows/deploy-workspace.yaml@main + with: + environment: io-p-messages-sending-func + workspace-name: io-p-messages-sending-func + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 00000000..4a9f9a7d --- /dev/null +++ b/.github/workflows/release.yaml @@ -0,0 +1,35 @@ +name: Release + +on: + push: + branches: + - main + +jobs: + release: + name: Release + runs-on: ubuntu-latest + steps: + - name: Checkout Repo + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Setup Node.js environment + uses: actions/setup-node@v3 + with: + node-version-file: ".node-version" + cache: "yarn" + cache-dependency-path: "yarn.lock" + + - name: Install dependencies + run: yarn install --immutable + + - name: Create Release Pull Request or Tag + id: changesets + uses: changesets/action@v1 + with: + version: yarn run version + publish: yarn run release + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 49b83f63de6060bcee0640eed861cfb1c78265fa Mon Sep 17 00:00:00 2001 
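Review bot: `uses: pagopa/io-std/.github/workflows/deploy-workspace.yaml@main` in deploy_func.yaml pulls the reusable workflow from a moving branch while `secrets: inherit` hands it every repository and environment secret, so whatever lands on that branch runs here with full secret access. Pin the reference to a release tag or, better, a full commit SHA (`...deploy-workspace.yaml@<tag-or-sha>`) and bump it deliberately; the same applies to `actions/checkout@v3`, `actions/setup-node@v3` and `changesets/action@v1` in release.yaml, which float on major-version tags. release.yaml also declares no `permissions:` block, so the `GITHUB_TOKEN` it passes to changesets carries the repository's default token scope; a top-level `permissions:` with `contents: write` and `pull-requests: write` would both document and bound what the release step needs.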
From: Michael Disaro Date: Wed, 3 Apr 2024 16:32:08 +0200 Subject: [PATCH 02/41] made github actions --- .github/workflows/actions/build.yaml | 25 ++++++ .../workflows/actions/create-artifact.yaml | 27 +++++++ .github/workflows/actions/deploy.yaml | 76 +++++++++++++++++++ .github/workflows/deploy_func.yaml | 8 +- 4 files changed, 131 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/actions/build.yaml create mode 100644 .github/workflows/actions/create-artifact.yaml create mode 100644 .github/workflows/actions/deploy.yaml diff --git a/.github/workflows/actions/build.yaml b/.github/workflows/actions/build.yaml new file mode 100644 index 00000000..3463aafb --- /dev/null +++ b/.github/workflows/actions/build.yaml @@ -0,0 +1,25 @@ +name: "Build workspace" + +inputs: + workspace-name: + required: true + +runs: + using: "composite" + steps: + - name: Setup Node.js + uses: actions/setup-node@v3 + with: + node-version-file: ".node-version" + cache: "yarn" + cache-dependency-path: "./out/yarn.lock" + + - name: Install dependencies + run: yarn install --frozen-lockfile + shell: bash + working-directory: ./out + + - name: Build ${{ inputs.workspace-name }} + run: yarn build + shell: bash + working-directory: ./out \ No newline at end of file diff --git a/.github/workflows/actions/create-artifact.yaml b/.github/workflows/actions/create-artifact.yaml new file mode 100644 index 00000000..f604da4a --- /dev/null +++ b/.github/workflows/actions/create-artifact.yaml 
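Review bot: `yarn install --frozen-lockfile` in the Install dependencies step is the Yarn 1 flag, whereas release.yaml from the previous commit in this series uses `yarn install --immutable`, the Yarn 2+ spelling; on a Yarn Berry project `--frozen-lockfile` is only accepted as a deprecated alias, so the two files should agree on the flag that matches the Yarn version the repository pins, otherwise lockfile enforcement may silently stop. The step also runs in `working-directory: ./out` and caches on `./out/yarn.lock`, while `node-version-file: ".node-version"` is resolved from the checkout root; if `out/` is a build product rather than a checked-in workspace it will not exist at install time — patch 04/41 of this series drops the `./out` paths, which suggests that was the case. Composite actions cannot declare `permissions:` or `env:` at the top level, so a short comment above `runs:` noting that the caller must check out the repo first would help the next consumer.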
@@ -0,0 +1,27 @@ +name: "Make workspace artifact" +description: "This action creates an artifact for the selected workspace." + +inputs: + workspace-name: + description: The name of the workspace to create the artifact for" + required: true + +outputs: + artifact-path: + description: The path to the created artifact + value: ${{ steps[format('make-{0}-artifact', steps.detect-workspace-type.outputs.workspace-type)].outputs.artifact-path }} + +runs: + using: "composite" + steps: + - name: Make the azure function app artifact + id: make-function-app-artifact + run: | + npm pkg set --json "bundledDependencies"=true + npm pkg set --json "files"='["**/function.json", "dist", "host.json","extensions.csproj"]' + npx npm-pack-zip + echo "artifact-path=$(realpath ${{ inputs.workspace-name }}.zip)" >> "$GITHUB_OUTPUT" + shell: bash + working-directory: ./out + + \ No newline at end of file diff --git a/.github/workflows/actions/deploy.yaml b/.github/workflows/actions/deploy.yaml new file mode 100644 index 00000000..3383bb0f --- /dev/null +++ b/.github/workflows/actions/deploy.yaml 
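Review bot: `echo "artifact-path=$(realpath ${{ inputs.workspace-name }}.zip)" >> "$GITHUB_OUTPUT"` in the make-function-app-artifact step interpolates the action input straight into the shell script, so the input text is substituted before bash parses the script; the current caller passes a constant, but any future caller that derives `workspace-name` from a branch, tag or PR title would have that text executed. The robust form passes it through the environment: add `env:` / `WORKSPACE_NAME: ${{ inputs.workspace-name }}` to the step and use `"$WORKSPACE_NAME.zip"` in the script; the same pattern recurs in the `zip -r` line of patch 12/41 and in the curl and `az webapp` lines of deploy.yaml in this commit. Separately, the `artifact-path` output references a `detect-workspace-type` step that does not exist in this action (patch 13/41 replaces the expression), and the `workspace-name` description ends with a stray `"` that YAML keeps as a literal character.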
@@ -0,0 +1,76 @@ +name: Deploy workspace + +on: + workflow_call: + inputs: + workspace-name: + required: true + type: string + environment: + required: true + type: string + +jobs: + build: + name: Build + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v3 + with: + fetch-depth: 3 + + - name: Build workspace + uses: "./build.yaml" + with: + workspace-name: ${{ inputs.workspace-name }} + + - name: Make workspace artifact + id: make_artifact + uses: "./create-artifact.yaml" + with: + workspace-name: ${{ inputs.workspace-name }} + + - name: Upload workspace artifact + uses: actions/upload-artifact@v3 + with: + name: ${{ inputs.workspace-name }} + path: ${{ steps.make_artifact.outputs.artifact-path }} + + deploy: + name: Deploy + if: ${{ !github.event.act }} + needs: [build] + runs-on: self-hosted + environment: production + + permissions: + id-token: write + contents: read + + steps: + - name: Download workspace artifact + uses: actions/download-artifact@v3 + with: + name: ${{ inputs.workspace-name }} + + - name: Login to Azure + uses: azure/login@v1 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + - name: Deploy to ${{ vars.AZURE_WEB_APP_NAME }} staging slot + uses: azure/webapps-deploy@v2 + with: + resource-group-name: ${{ vars.AZURE_WEB_APP_RESOURCE_GROUP }} + app-name: ${{ vars.AZURE_WEB_APP_NAME }} + slot-name: staging + package: ${{ inputs.workspace-name }}.zip + + - name: Check staging health + run: curl --retry 5 --retry-max-time 120 --retry-all-errors -f 'https://${{ vars.AZURE_WEB_APP_NAME }}-staging.azurewebsites.net${{ vars.HEALTH_CHECK_PATH }}' + + - name: Swap staging slot with production + run: az webapp deployment slot swap -g ${{ vars.AZURE_WEB_APP_RESOURCE_GROUP }} -n ${{ vars.AZURE_WEB_APP_NAME }} --slot staging --target-slot production \ No newline at end of file 
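Review bot: The deploy job hard-codes `environment: production` while the reusable workflow declares an `environment` input under `on.workflow_call.inputs` that nothing reads, so callers cannot choose the environment and the declared input is dead (patch 04/41 then deletes the input instead of wiring it). This bites later in the series: patch 15/41 provisions the GitHub environment as `local.functions_app_name` (`io-p-messages-sending-func`) and scopes `AZURE_CLIENT_ID`, `AZURE_WEB_APP_RESOURCE_GROUP`, `AZURE_WEB_APP_NAME` and `HEALTH_CHECK_PATH` to it together with the team reviewer gate, so a job running under `environment: production` will neither see those values nor wait for the reviewers. Either set `environment: ${{ inputs.environment }}` and have deploy_func.yaml pass the name, or hard-code the name Terraform creates. The build job also declares no `permissions:`, so it runs with the repository's default token scope although it only needs `contents: read`.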
diff --git a/.github/workflows/deploy_func.yaml b/.github/workflows/deploy_func.yaml index 1758954e..5c0c932d 100644 --- a/.github/workflows/deploy_func.yaml +++ b/.github/workflows/deploy_func.yaml @@ -1,13 +1,11 @@ -name: Deploy (io-p-messages-sending-func) - +name: Deploy (io-functions-service-messages) on: workflow_dispatch: {} jobs: deploy_workspace_to_azure: name: Deploy - uses: pagopa/io-std/.github/workflows/deploy-workspace.yaml@main + uses: ./actions/deploy.yaml with: - environment: io-p-messages-sending-func - workspace-name: io-p-messages-sending-func + workspace-name: io-functions-service-messages secrets: inherit \ No newline at end of file From 290f5c384b8bf4ebe44939d4b901ab7a2433bae6 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Wed, 3 Apr 2024 16:36:14 +0200 Subject: [PATCH 03/41] removed wrong release action --- .github/workflows/release.yaml | 35 ---------------------------------- 1 file changed, 35 deletions(-) delete mode 100644 .github/workflows/release.yaml diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml deleted file mode 100644 index 4a9f9a7d..00000000 --- a/.github/workflows/release.yaml +++ /dev/null @@ -1,35 +0,0 @@ -name: Release - -on: - push: - branches: - - main - -jobs: - release: - name: Release - runs-on: ubuntu-latest - steps: - - name: Checkout Repo - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Setup Node.js environment - uses: actions/setup-node@v3 - with: - node-version-file: ".node-version" - cache: "yarn" - cache-dependency-path: "yarn.lock" - - - name: Install dependencies - run: yarn install --immutable - - - name: Create Release Pull Request or Tag - id: changesets - uses: changesets/action@v1 - with: - version: yarn run version - publish: yarn run release - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From d1fe991dac5b60ca2b7cc3e191dc090f8a5ae091 Mon Sep 17 00:00:00 2001 
From: Michael Disaro Date: Wed, 3 Apr 2024 16:45:53 +0200 Subject: [PATCH 04/41] fixed paths --- .github/workflows/actions/build.yaml | 4 +--- .github/workflows/actions/create-artifact.yaml | 2 -- .github/workflows/actions/deploy.yaml | 3 --- .github/workflows/{deploy_func.yaml => deploy-func.yaml} | 0 4 files changed, 1 insertion(+), 8 deletions(-) rename .github/workflows/{deploy_func.yaml => deploy-func.yaml} (100%) diff --git a/.github/workflows/actions/build.yaml b/.github/workflows/actions/build.yaml index 3463aafb..d0399f0d 100644 --- a/.github/workflows/actions/build.yaml +++ b/.github/workflows/actions/build.yaml @@ -12,14 +12,12 @@ runs: with: node-version-file: ".node-version" cache: "yarn" - cache-dependency-path: "./out/yarn.lock" + cache-dependency-path: "./yarn.lock" - name: Install dependencies run: yarn install --frozen-lockfile shell: bash - working-directory: ./out - name: Build ${{ inputs.workspace-name }} run: yarn build shell: bash - working-directory: ./out \ No newline at end of file diff --git a/.github/workflows/actions/create-artifact.yaml b/.github/workflows/actions/create-artifact.yaml index f604da4a..fc7a8430 100644 --- a/.github/workflows/actions/create-artifact.yaml +++ b/.github/workflows/actions/create-artifact.yaml @@ -22,6 +22,4 @@ runs: npx npm-pack-zip echo "artifact-path=$(realpath ${{ inputs.workspace-name }}.zip)" >> "$GITHUB_OUTPUT" shell: bash - working-directory: ./out - \ No newline at end of file diff --git a/.github/workflows/actions/deploy.yaml b/.github/workflows/actions/deploy.yaml index 3383bb0f..d7039fe7 100644 --- a/.github/workflows/actions/deploy.yaml +++ b/.github/workflows/actions/deploy.yaml @@ -6,9 +6,6 @@ on: workspace-name: required: true type: string - environment: - required: true - type: string jobs: build: diff --git a/.github/workflows/deploy_func.yaml b/.github/workflows/deploy-func.yaml similarity index 100% rename from .github/workflows/deploy_func.yaml rename to .github/workflows/deploy-func.yaml 
From 8aed0acdf09ea28407b88ce8b04d9f2c899ea737 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Wed, 3 Apr 2024 16:50:11 +0200 Subject: [PATCH 05/41] fixed folders structure and paths --- .github/{workflows => }/actions/build.yaml | 0 .github/{workflows => }/actions/create-artifact.yaml | 0 .github/{workflows => }/actions/deploy.yaml | 4 ++-- 3 files changed, 2 insertions(+), 2 deletions(-) rename .github/{workflows => }/actions/build.yaml (100%) rename .github/{workflows => }/actions/create-artifact.yaml (100%) rename .github/{workflows => }/actions/deploy.yaml (95%) diff --git a/.github/workflows/actions/build.yaml b/.github/actions/build.yaml similarity index 100% rename from .github/workflows/actions/build.yaml rename to .github/actions/build.yaml diff --git a/.github/workflows/actions/create-artifact.yaml b/.github/actions/create-artifact.yaml similarity index 100% rename from .github/workflows/actions/create-artifact.yaml rename to .github/actions/create-artifact.yaml diff --git a/.github/workflows/actions/deploy.yaml b/.github/actions/deploy.yaml similarity index 95% rename from .github/workflows/actions/deploy.yaml rename to .github/actions/deploy.yaml index d7039fe7..62986e6f 100644 --- a/.github/workflows/actions/deploy.yaml +++ b/.github/actions/deploy.yaml @@ -18,13 +18,13 @@ jobs: fetch-depth: 3 - name: Build workspace - uses: "./build.yaml" + uses: "./.github/actions/build.yaml" with: workspace-name: ${{ inputs.workspace-name }} - name: Make workspace artifact id: make_artifact - uses: "./create-artifact.yaml" + uses: "./.github/actions/create-artifact.yaml" with: workspace-name: ${{ inputs.workspace-name }} From 90a888d29762e91a52acb677b66dafdd026e7be9 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Wed, 3 Apr 2024 16:52:21 +0200 Subject: [PATCH 06/41] fix --- .github/workflows/deploy-func.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/deploy-func.yaml b/.github/workflows/deploy-func.yaml index 5c0c932d..ba046f62 100644 --- a/.github/workflows/deploy-func.yaml +++ b/.github/workflows/deploy-func.yaml @@ -5,7 +5,7 @@ on: jobs: deploy_workspace_to_azure: name: Deploy - uses: ./actions/deploy.yaml + uses: ./.github/actions/deploy.yaml with: workspace-name: io-functions-service-messages secrets: inherit \ No newline at end of file From 1e94bf162d4bd083b1711d338b0452a3d0d3cb65 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Wed, 3 Apr 2024 16:53:56 +0200 Subject: [PATCH 07/41] fixed workflow --- .github/workflows/deploy-func.yaml | 2 +- .github/{actions => workflows}/deploy.yaml | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename .github/{actions => workflows}/deploy.yaml (100%) diff --git a/.github/workflows/deploy-func.yaml b/.github/workflows/deploy-func.yaml index ba046f62..82148664 100644 --- a/.github/workflows/deploy-func.yaml +++ b/.github/workflows/deploy-func.yaml @@ -5,7 +5,7 @@ on: jobs: deploy_workspace_to_azure: name: Deploy - uses: ./.github/actions/deploy.yaml + uses: ./.github/workflows/deploy.yaml with: workspace-name: io-functions-service-messages secrets: inherit \ No newline at end of file diff --git a/.github/actions/deploy.yaml b/.github/workflows/deploy.yaml similarity index 100% rename from .github/actions/deploy.yaml rename to .github/workflows/deploy.yaml From 3790d36fe0aae8ff50d08eaa3219da53b6752b30 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Wed, 3 Apr 2024 17:00:23 +0200 Subject: [PATCH 08/41] added push trigger --- .github/workflows/deploy-func.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/deploy-func.yaml b/.github/workflows/deploy-func.yaml index 82148664..a87fee05 100644 --- a/.github/workflows/deploy-func.yaml +++ b/.github/workflows/deploy-func.yaml @@ -1,5 +1,8 @@ name: Deploy (io-functions-service-messages) on: + push: + branches: + - "iocom-1221" workflow_dispatch: {} jobs: 
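Review bot: The added `push:` trigger on branch `"iocom-1221"` makes every push to that feature branch run deploy.yaml, whose deploy job targets `environment: production` and ends with a slot swap into production; the only safeguard would be required reviewers on that environment, and nothing in this series attaches reviewers to an environment named `production`. If the trigger exists to exercise the pipeline, drop it before merge or point the deploy job at a non-production environment, keeping `workflow_dispatch` as the intended entry point. If it is meant to stay, document why with a comment above it, e.g. `# temporary: runs the deploy pipeline from the feature branch`.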
From b44e7e6b179ec06afc16f2e9197ec54f329d8dfe Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Wed, 3 Apr 2024 17:05:48 +0200 Subject: [PATCH 09/41] fixed actions --- .github/actions/{build.yaml => build/action.yml} | 3 +++ .../{create-artifact.yaml => create-artifact/action.yml} | 0 .github/workflows/deploy.yaml | 4 ++-- 3 files changed, 5 insertions(+), 2 deletions(-) rename .github/actions/{build.yaml => build/action.yml} (79%) rename .github/actions/{create-artifact.yaml => create-artifact/action.yml} (100%) diff --git a/.github/actions/build.yaml b/.github/actions/build/action.yml similarity index 79% rename from .github/actions/build.yaml rename to .github/actions/build/action.yml index d0399f0d..24d919a9 100644 --- a/.github/actions/build.yaml +++ b/.github/actions/build/action.yml @@ -1,7 +1,10 @@ name: "Build workspace" +description: "This action builds the project." + inputs: workspace-name: + description: The name of the workspace to create the artifact for" required: true runs: diff --git a/.github/actions/create-artifact.yaml b/.github/actions/create-artifact/action.yml similarity index 100% rename from .github/actions/create-artifact.yaml rename to .github/actions/create-artifact/action.yml diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 62986e6f..6a73f4ac 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -18,13 +18,13 @@ jobs: fetch-depth: 3 - name: Build workspace - uses: "./.github/actions/build.yaml" + uses: "./.github/actions/build" with: workspace-name: ${{ inputs.workspace-name }} - name: Make workspace artifact id: make_artifact - uses: "./.github/actions/create-artifact.yaml" + uses: "./.github/actions/create-artifact" with: workspace-name: ${{ inputs.workspace-name }} From d2ea072cb5314a4723a72f390d6e366012dafbdc Mon Sep 17 00:00:00 2001 
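Review bot: The new `description` for `workspace-name` ends with a stray `"` (`...create the artifact for"`), which YAML keeps as a literal character of the plain scalar, so the quote appears verbatim in the action's rendered input documentation; the same text with the same typo already sits in create-artifact/action.yml. Either drop the quote or quote the whole string, and make it match this action: `description: "The name of the workspace to build"`. The action-level `description: "This action builds the project."` could also state that it runs `yarn install --frozen-lockfile` followed by `yarn build` so callers know what it does not do (no tests, no artifact).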
From: Michael Disaro Date: Wed, 3 Apr 2024 17:11:44 +0200 Subject: [PATCH 10/41] fix try to npm pack --- .github/actions/create-artifact/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/create-artifact/action.yml b/.github/actions/create-artifact/action.yml index fc7a8430..3ce2df6a 100644 --- a/.github/actions/create-artifact/action.yml +++ b/.github/actions/create-artifact/action.yml @@ -19,7 +19,7 @@ runs: run: | npm pkg set --json "bundledDependencies"=true npm pkg set --json "files"='["**/function.json", "dist", "host.json","extensions.csproj"]' - npx npm-pack-zip + npm-pack-zip echo "artifact-path=$(realpath ${{ inputs.workspace-name }}.zip)" >> "$GITHUB_OUTPUT" shell: bash \ No newline at end of file From 9909bf6881b37f16e1b5e04da1a36590b829b08c Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Wed, 3 Apr 2024 17:16:36 +0200 Subject: [PATCH 11/41] installed npm-pack-zip --- .github/actions/create-artifact/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/actions/create-artifact/action.yml b/.github/actions/create-artifact/action.yml index 3ce2df6a..3a88d223 100644 --- a/.github/actions/create-artifact/action.yml +++ b/.github/actions/create-artifact/action.yml @@ -17,6 +17,7 @@ runs: - name: Make the azure function app artifact id: make-function-app-artifact run: | + npm install --save-dev npm-pack-zip npm pkg set --json "bundledDependencies"=true npm pkg set --json "files"='["**/function.json", "dist", "host.json","extensions.csproj"]' npm-pack-zip From f7654ee31ecde12bd867943992969903941d92b7 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Wed, 3 Apr 2024 17:27:52 +0200 Subject: [PATCH 12/41] zipped whole dir --- .github/actions/create-artifact/action.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/actions/create-artifact/action.yml b/.github/actions/create-artifact/action.yml index 3a88d223..7964fdb9 100644 --- a/.github/actions/create-artifact/action.yml 
+++ b/.github/actions/create-artifact/action.yml @@ -17,10 +17,7 @@ runs: - name: Make the azure function app artifact id: make-function-app-artifact run: | - npm install --save-dev npm-pack-zip - npm pkg set --json "bundledDependencies"=true - npm pkg set --json "files"='["**/function.json", "dist", "host.json","extensions.csproj"]' - npm-pack-zip + zip -r ${{ inputs.workspace-name }}.zip . echo "artifact-path=$(realpath ${{ inputs.workspace-name }}.zip)" >> "$GITHUB_OUTPUT" shell: bash \ No newline at end of file From 9dc511c2758901fbeb2a50f8a491ade07f82aa64 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Wed, 3 Apr 2024 17:34:04 +0200 Subject: [PATCH 13/41] fixed output --- .github/actions/create-artifact/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/create-artifact/action.yml b/.github/actions/create-artifact/action.yml index 7964fdb9..ded7e505 100644 --- a/.github/actions/create-artifact/action.yml +++ b/.github/actions/create-artifact/action.yml @@ -9,7 +9,7 @@ inputs: outputs: artifact-path: description: The path to the created artifact - value: ${{ steps[format('make-{0}-artifact', steps.detect-workspace-type.outputs.workspace-type)].outputs.artifact-path }} + value: ${{ steps[make-function-app-artifact].outputs.artifact-path }} runs: using: "composite" From c1cdfc6bceae0a6bba31eb5cc9e029e0b28ca816 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Wed, 3 Apr 2024 17:36:12 +0200 Subject: [PATCH 14/41] fixed name --- .github/actions/create-artifact/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/create-artifact/action.yml b/.github/actions/create-artifact/action.yml index ded7e505..ad39fc88 100644 --- a/.github/actions/create-artifact/action.yml +++ b/.github/actions/create-artifact/action.yml 
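Review bot: `zip -r ${{ inputs.workspace-name }}.zip .` now packages the entire checkout, replacing the explicit `files` allowlist (`**/function.json`, `dist`, `host.json`, `extensions.csproj`) that the removed npm-pack-zip lines enforced; the archive therefore carries `.git/`, dev-only `node_modules` content and anything else present on the runner at that moment, all of which is uploaded and deployed to the Function App. Restore an allowlist, or at minimum exclude what must never ship, e.g. `zip -r "$WORKSPACE_NAME.zip" . -x '.git/*'`, and move the input into `env:` (`WORKSPACE_NAME: ${{ inputs.workspace-name }}`) rather than interpolating it into the script. A one-line comment above the `run:` stating what the package is expected to contain would make future changes to the exclusion list reviewable.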
@@ -9,7 +9,7 @@ inputs: outputs: artifact-path: description: The path to the created artifact - value: ${{ steps[make-function-app-artifact].outputs.artifact-path }} + value: ${{ steps['make-function-app-artifact'].outputs.artifact-path }} runs: using: "composite" From 555cf3c64c1e558db33d8b06f4cb2fa0868b98ae Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Mon, 8 Apr 2024 16:55:45 +0200 Subject: [PATCH 15/41] added infra for github envs --- .identity/.gitignore | 48 ++++++++++++++++ .identity/.terraform-version | 1 + .identity/.terraform.lock.hcl | 73 ++++++++++++++++++++++++ .identity/01_data.tf | 3 + .identity/99_locals.tf | 18 ++++++ .identity/99_main.tf | 34 +++++++++++ .identity/99_outputs.tf | 14 +++++ .identity/99_variables.tf | 64 +++++++++++++++++++++ .identity/github_environment_web_apps.tf | 35 ++++++++++++ .identity/github_repo_secrets.tf | 6 ++ .identity/identity_web_apps.tf | 18 ++++++ .identity/terraform.sh | 44 ++++++++++++++ 12 files changed, 358 insertions(+) create mode 100644 .identity/.gitignore create mode 100644 .identity/.terraform-version create mode 100644 .identity/.terraform.lock.hcl create mode 100644 .identity/01_data.tf create mode 100644 .identity/99_locals.tf create mode 100644 .identity/99_main.tf create mode 100644 .identity/99_outputs.tf create mode 100644 .identity/99_variables.tf create mode 100644 .identity/github_environment_web_apps.tf create mode 100644 .identity/github_repo_secrets.tf create mode 100644 .identity/identity_web_apps.tf create mode 100755 .identity/terraform.sh diff --git a/.identity/.gitignore b/.identity/.gitignore new file mode 100644 index 00000000..45544ad9 --- /dev/null +++ b/.identity/.gitignore 
@@ -0,0 +1,48 @@ +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log + +# Ignore any .tfvars files that are generated automatically for each Terraform run. Most +# .tfvars files are managed as part of configuration and so should be included in +# version control. +# +# example.tfvars + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Include override files you do wish to add to version control using negated pattern +# +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* + +**/.tfsec/* +**/.ignore/* + +*.DS_Store +*.log +*.h2.db +settings.json +__TMP +.metals/ +*.log +*.h2.db +settings.json +__TMP +.metals/ +__azurite_* +/.idea + +**/modules/**/.terraform.lock.hcl diff --git a/.identity/.terraform-version b/.identity/.terraform-version new file mode 100644 index 00000000..ec70f755 --- /dev/null +++ b/.identity/.terraform-version @@ -0,0 +1 @@ +1.6.6 diff --git a/.identity/.terraform.lock.hcl b/.identity/.terraform.lock.hcl new file mode 100644 index 00000000..3e3655f5 --- /dev/null +++ b/.identity/.terraform.lock.hcl 
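Review bot: The run `*.log`, `*.h2.db`, `settings.json`, `__TMP`, `.metals/` appears twice in the new .gitignore, which is harmless to git but reads as a paste error; drop the second copy. terraform.sh in this same commit sources `./env/$env/backend.ini` and passes `./env/$env/terraform.tfvars`, yet this commit adds neither file and the comment block at the top says tfvars are normally version-controlled — worth confirming whether the `env/` directory is meant to be committed or is intentionally left out.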
@@ -0,0 +1,73 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azuread" { + version = "2.33.0" + constraints = "2.33.0" + hashes = [ + "h1:PDiZA9QpXCkaSuWu6jiCRcjVtKJETqjcOZq4I434zfE=", + "h1:QAQe2+WSqGnHYAVoA+NN4Oeuoqg5sXq3U9Qmj6S1P5M=", + "h1:XIvCW3Nl4bW1bc9f8jyGhft+fQjaed4yy/LFzDAeVJ8=", + "h1:Z28tjly5UfKOE+HL/oALxCPhmCuBwUgZ4uaYt68VR3M=", + "zh:0602d03d7d7e38819f78dc377e64f365427496edf1065bfbb113e3921ab1c34e", + "zh:08843838f4fe146084592472648d4ea7191931eabe042a96c3b3c6eaf8ddfb43", + "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", + "zh:26a0d8a186e3b47ea0b7217a8e420b03fda59b7a680bb3ea52cf7d3e6d965ef3", + "zh:352a1cacaacd39e796de15a52d192ab0e6eb98dd36b5fbf8ebddd37e6dafa4ac", + "zh:3702ad4c534e67e2e07b060bfe5e6edc244c59c911906c8b15b96e7fecb0ff2c", + "zh:93b5248d26bdd44845b2ab051a2168c7edad788ae9836f62ea5fb632fd59d7ea", + "zh:a7b880155f4a67b52a5bfe78de33dc55254ef80006234f00e36aaf6533b1de4a", + "zh:a7cf0829364127c9bca26ec01ea3d66988b43987b2d26a3290487d1fc0da50eb", + "zh:b1f82b0d30af733b36a2f849799e0b1ed6a72888fa32a438c829c4e5cff88e20", + "zh:b6c2b23770852de8f56b549579c2f5a82afd84a9ca0616d53a25d48488f7aaf0", + "zh:d87dfbdfe8ab9d3a2e33f210333d40f211ea7d33bfa671063e6807c6ddd85a52", + ] +} + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.84.0" + constraints = ">= 3.30.0, 3.84.0, <= 3.84.0" + hashes = [ + "h1:1Ucponuagrx5kNeIlcZwG2urqoRXBCTddDKqL265+xM=", + "h1:3KYwbI62e6u2f7ob9Ps8yahnIaNHkE56UsF0130zRzE=", + "h1:aoqNC2sfLKyblgQh0SfQW0BHl3UP1mMAUJLYLGG3PxE=", + "h1:y/NWRLvnJmyJ5lf/AnLFy25jfyJqp6xwwxLxZnvovAs=", + "zh:14a96daf672541dbc27137d9cc0a96a737710597262ecaaa64a328eb1174e5df", + "zh:16d8e794fdd87ed8e64291fe8a617f420d8263f21672033333a020d06f4c9618", + "zh:64e5cd1bb6a81bccffff0d1f77790286ab46179cf12442134c3f3bca722afc1b", + "zh:7010ada67fbae971ac8b7204a30b1317aee7ccac7227afc6ac27277c642996a1", + 
"zh:77c2616ecd29685d2a4dc3ec3e9771e5ecf652e127946767d9b7ef19bbf58a21", + "zh:861922cfae724eacf1bd915efd5dbf6c23e4e762a2bbe60993099648e64aedb5", + "zh:8fb797c98bb08e7342995317810d28c41bb519fbc128adaa170896356b9eaebd", + "zh:982e85a4a9d282e3c8f7d7836037ccc98ff3ef50af246fad2e04684a81d16201", + "zh:a2ef29ff907cf6622e58afa0a27e23a3160ba3d70d531795b4d9a6c42c354630", + "zh:c46ccc4eecb79d096bcb652af0cffe300ec480d80a13a5b302c71b1aac9f9f1c", + "zh:cc6a06bf6d5e811fe8c0d9ad652e143b4e94bd16a03fb8a86f5086f0ae5abfa9", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/integrations/github" { + version = "5.39.0" + constraints = "5.39.0" + hashes = [ + "h1:AMn+8x91H4L0bNXgfGA4mEmjumfd7lslBRNsf+Z3J9Q=", + "h1:B2pPhXlLR5IHfoO6MQ70EgfavVLUlFd8FQw2zxy04RM=", + "h1:EsDsxcxdtvQ6D64PNbkGG6PbAC2l2ECeCryGPw6uKIw=", + "h1:mpO68ifHJruMIuSvOuCa4PQt841arZr50O+uCxjhVak=", + "zh:1bd8eae3b590ca0d765af0d316fe5500b6a55cc75b84997aed38549fef3f3e3e", + "zh:3fb718473bcf42ce48f71ad79f527988b5ad8bc744cbcf2e4ac84f389c17b32a", + "zh:43b6cdd6471478baddf4326f23a68ec5bce5a64aa4792cafa0d87708429e18de", + "zh:54d577bebc29cfb9a8f29c8335fe533b55c1e7bf79d7a7acb1d8dfcc305f2824", + "zh:6aa1b7cb45e7d9e116b3e6c234c92b9cc6598819d0d6b0cb330a707f8e6f007b", + "zh:8824653f311a4993b5ce355bbe5f74d8ed1eed2ed2fd25d6e902831263566b40", + "zh:8b9a256730cf48d3b8a91d86393a4787d119fc9990ab864c6069ec83bbaf0a17", + "zh:9e87d3cc56dfba33c9a8f41b1f39b8624d680c8e5498bbdccccca251825c9529", + "zh:9fa3ac69297416c619e812e79bf634064cc09fdea242088bbf65fb34ffd6db9f", + "zh:c0aa2b2e488eefd7a4739d9b6893b977b5249d7f2ccfa55b64ce529a50b64fd7", + "zh:cbe26313f9d2dcfcbaa91a0c4f064ed6e34c2e2eff05dfe092332f50530fc61b", + "zh:dc2ca63d044304352ac66d969c5acb0dc689a48d4d97ee5d0a28414bc5bc95ee", + "zh:f6351cb0ff7ff17771c415349f0b9828ec54f19f40c6c3a53a8092f2c78c6f65", + "zh:f8c06856928f55475e9ae63958f5f38a45ceee728f9ec0114ffebd5b6b56f44e", + ] +} 
diff --git a/.identity/01_data.tf b/.identity/01_data.tf new file mode 100644 index 00000000..aae4af56 --- /dev/null +++ b/.identity/01_data.tf @@ -0,0 +1,3 @@ +data "github_team" "maintainers" { + slug = "io-communication-backend" +} diff --git a/.identity/99_locals.tf b/.identity/99_locals.tf new file mode 100644 index 00000000..6119420b --- /dev/null +++ b/.identity/99_locals.tf @@ -0,0 +1,18 @@ +locals { + prefix = "${var.prefix}-${var.env_short}" + + resource_group_name = "io-p-service-messages-rg" + functions_app_name = "io-p-messages-sending-func" + + github_federations = tolist([ + { + repository = "io-functions-service-messages" + subject = "prod-cd" + } + ]) + + repo_secrets = { + "AZURE_SUBSCRIPTION_ID" = data.azurerm_client_config.current.subscription_id + "AZURE_TENANT_ID" = data.azurerm_client_config.current.tenant_id + } +} diff --git a/.identity/99_main.tf b/.identity/99_main.tf new file mode 100644 index 00000000..4f778003 --- /dev/null +++ b/.identity/99_main.tf @@ -0,0 +1,34 @@ +terraform { + required_version = ">=1.6.0" + + required_providers { + azuread = { + source = "hashicorp/azuread" + version = "2.33.0" + } + azurerm = { + source = "hashicorp/azurerm" + version = "3.84.0" + } + github = { + source = "integrations/github" + version = "5.39.0" + } + } + + backend "azurerm" {} +} + +provider "azurerm" { + features {} +} + +provider "github" { + owner = var.github.org + write_delay_ms = "200" + read_delay_ms = "200" +} + +data "azurerm_subscription" "current" {} + +data "azurerm_client_config" "current" {} diff --git a/.identity/99_outputs.tf b/.identity/99_outputs.tf new file mode 100644 index 00000000..21265fb7 --- /dev/null +++ b/.identity/99_outputs.tf 
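Review bot: In 99_locals.tf `local.prefix` is built from `var.prefix` and `var.env_short` but nothing in this commit reads it; `resource_group_name` and `functions_app_name` are spelled out as literal `io-p-...` names, so the prefix/env parametrisation stops at the identity module and does not reach these names. Either derive them from `local.prefix` (e.g. `"${local.prefix}-service-messages-rg"`, if that matches the existing resources) or remove the unused local. In 99_main.tf the `github` provider has no `token` argument and so relies on the `GITHUB_TOKEN` environment variable it reads by default, which is fine, but terraform.sh exports `TF_VAR_github_token` for a variable that 99_variables.tf never declares — Terraform ignores undeclared environment variables, so that export is dead and should go.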
@@ -0,0 +1,14 @@ +output "tenant_id" { + value = data.azurerm_client_config.current.tenant_id +} + +output "subscription_id" { + value = data.azurerm_subscription.current.subscription_id +} + +output "web_apps_managed_identities" { + value = { + app_name = module.web_apps_identity_cd.identity_app_name + client_id = module.web_apps_identity_cd.identity_client_id + } +} diff --git a/.identity/99_variables.tf b/.identity/99_variables.tf new file mode 100644 index 00000000..a23aefe2 --- /dev/null +++ b/.identity/99_variables.tf @@ -0,0 +1,64 @@ +variable "tags" { + type = map(any) +} + +variable "prefix" { + type = string + validation { + condition = ( + length(var.prefix) <= 6 + ) + error_message = "Max length is 6 chars." + } +} + +variable "env" { + type = string + description = "Environment" +} + +variable "env_short" { + type = string + validation { + condition = ( + length(var.env_short) <= 1 + ) + error_message = "Max length is 1 chars." + } +} + +variable "domain" { + type = string + description = "The applicative domain" + validation { + condition = ( + length(var.domain) < 6 + ) + error_message = "Max length is 6 chars." + } +} + +variable "github" { + type = object({ + org = string + repository = string + }) + description = "GitHub Organization and repository name" + default = { + org = "pagopa" + repository = "io-functions-service-messages" + } +} + +variable "web_apps_environment_cd_roles" { + type = object({ + subscription = list(string) + resource_groups = map(list(string)) + }) + description = "GitHub Continous Delivery roles for web apps managed identity" +} + +variable "location" { + type = string + default = "westeurope" +} diff --git a/.identity/github_environment_web_apps.tf b/.identity/github_environment_web_apps.tf new file mode 100644 index 00000000..1cfa21d3 --- /dev/null +++ b/.identity/github_environment_web_apps.tf 
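Review bot: The `domain` validation checks `length(var.domain) < 6` while its `error_message` says "Max length is 6 chars.", so a six-character domain is rejected by a message claiming it is allowed; the `prefix` block beside it uses `<= 6`, so `<=` looks like the intent: `length(var.domain) <= 6`. The `env_short` message "Max length is 1 chars." should read "Max length is 1 char.", and "Continous" in the `web_apps_environment_cd_roles` description should be "Continuous". `tags`, `prefix`, `env_short` and `location` carry no `description`; one line each (what the tags are applied to, that `prefix`/`env_short` feed the identity name) would make the per-environment tfvars self-explanatory.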
@@ -0,0 +1,35 @@ +resource "github_repository_environment" "messages_sending" { + environment = local.functions_app_name + repository = var.github.repository + reviewers { + teams = [data.github_team.maintainers.id] + } +} + +resource "github_actions_environment_secret" "web_app_client_id" { + repository = var.github.repository + environment = github_repository_environment.messages_sending.environment + secret_name = "AZURE_CLIENT_ID" + plaintext_value = module.web_apps_identity_cd.identity_client_id +} + +resource "github_actions_environment_variable" "web_app_resouce_group" { + repository = var.github.repository + environment = github_repository_environment.messages_sending.environment + variable_name = "AZURE_WEB_APP_RESOURCE_GROUP" + value = local.resource_group_name +} + +resource "github_actions_environment_variable" "web_app_names" { + repository = var.github.repository + environment = github_repository_environment.messages_sending.environment + variable_name = "AZURE_WEB_APP_NAME" + value = local.functions_app_name +} + +resource "github_actions_environment_variable" "health_check_path" { + repository = var.github.repository + environment = github_repository_environment.messages_sending.environment + variable_name = "HEALTH_CHECK_PATH" + value = "/api/v1/info" +} diff --git a/.identity/github_repo_secrets.tf b/.identity/github_repo_secrets.tf new file mode 100644 index 00000000..3494f189 --- /dev/null +++ b/.identity/github_repo_secrets.tf @@ -0,0 +1,6 @@ +resource "github_actions_secret" "repo_secrets" { + for_each = local.repo_secrets + repository = var.github.repository + secret_name = each.key + plaintext_value = each.value +} \ No newline at end of file diff --git a/.identity/identity_web_apps.tf b/.identity/identity_web_apps.tf new file mode 100644 index 00000000..671835ef --- /dev/null +++ b/.identity/identity_web_apps.tf 
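Review bot: The resource address `github_actions_environment_variable.web_app_resouce_group` misspells "resource"; since the address is the state key, fixing it later needs a `moved` block or `terraform state mv`, so it is cheapest to correct now: `resource "github_actions_environment_variable" "web_app_resource_group"`. `web_app_names` is plural for a single variable — `web_app_name` would match its `variable_name`. A comment above `github_repository_environment.messages_sending` noting that the environment name must equal the `environment:` key of the consuming deploy job would save the next reader from having to cross-check the workflow.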
@@ -0,0 +1,18 @@
+module "web_apps_identity_cd" {
+ source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v7.34.2"
+
+ prefix = var.prefix
+ env_short = var.env_short
+ domain = var.domain
+
+ identity_role = "cd"
+
+ github_federations = local.github_federations
+
+ cd_rbac_roles = {
+ subscription_roles = var.web_apps_environment_cd_roles.subscription
+ resource_groups = var.web_apps_environment_cd_roles.resource_groups
+ }
+
+ tags = var.tags
+}
diff --git a/.identity/terraform.sh b/.identity/terraform.sh
new file mode 100755
index 00000000..982f6a00
--- /dev/null
+++ b/.identity/terraform.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+set -e
+
+action=$1
+env=$2
+IFS=" " read -r -a other <<< "${@:3}"
+
+if [ -z "$action" ]; then
+ echo "Missed action: init, apply, plan"
+ exit 0
+fi
+
+if [ -z "$env" ]; then
+ echo "env should be: dev, uat or prod."
+ exit 0
+fi
+
+# shellcheck source=./env/prod/backend.ini
+source "./env/$env/backend.ini"
+az account set -s "${subscription}"
+
+export TF_VAR_github_token="${GITHUB_TOKEN}"
+
+if echo "init plan apply refresh import output state taint destroy" | grep -w "$action" > /dev/null; then
+ if [ "$action" = "init" ]; then
+ echo "🧭 terraform INIT in env: ${env}"
+
+ terraform "$action" -reconfigure -backend-config="./env/$env/backend.tfvars" "${other[@]}"
+ elif [ "$action" = "output" ] || [ "$action" = "state" ] || [ "$action" = "taint" ]; then
+ echo "🧭 terraform (output|state|taint) launched with action: ${action} in env: ${env}"
+
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ terraform "$action" "${other[@]}"
+ else
+ echo "🧭 terraform launched with action: ${action} in env: ${env} into folder $(pwd)"
+
+ terraform init -reconfigure -backend-config="./env/$env/backend.tfvars"
+ terraform "$action" -var-file="./env/$env/terraform.tfvars" "${other[@]}"
+ fi
+else
+ echo "Action not allowed."
+ exit 1
+fi
From 33d662bbf6586fc52eaa8ff3cfcd46311fa0bbaa Mon Sep 17 00:00:00 2001
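Review bot: A missing `action` or `env` in the terraform.sh hunk prints a usage message and then `exit 0`s, so a caller or CI job that forgets an argument sees success; both usage branches should `exit 1`. `env` is also interpolated straight into `source "./env/$env/backend.ini"` without being checked against the dev/uat/prod set the message names, so any relative path that happens to hold a `backend.ini` is accepted, and `set -e` alone lets an unset `GITHUB_TOKEN` silently expand to an empty provider token. The sketch below fails fast on both; the backend sourcing and terraform dispatch are unchanged.
```shell
set -euo pipefail

action=${1:-}
env=${2:-}
# … unchanged: IFS/other[] parsing …

if [ -z "$action" ]; then
  echo "Missed action: init, apply, plan"
  exit 1
fi

case "$env" in
  dev|uat|prod) ;;
  *)
    echo "env should be: dev, uat or prod."
    exit 1
    ;;
esac
# … unchanged: backend.ini sourcing, az account set, terraform dispatch …
```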
From: Michael Disaro Date: Mon, 8 Apr 2024 17:20:09 +0200 Subject: [PATCH 16/41] fixes cr --- .github/actions/build/action.yml | 8 +----- .github/actions/create-artifact/action.yml | 23 --------------- .github/workflows/deploy-func.yaml | 2 -- .github/workflows/deploy.yaml | 33 ++++++++-------------- .gitignore | 1 - 5 files changed, 13 insertions(+), 54 deletions(-) delete mode 100644 .github/actions/create-artifact/action.yml diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml index 24d919a9..5ebe155f 100644 --- a/.github/actions/build/action.yml +++ b/.github/actions/build/action.yml @@ -1,12 +1,6 @@ name: "Build workspace" description: "This action builds the project." - -inputs: - workspace-name: - description: The name of the workspace to create the artifact for" - required: true - runs: using: "composite" steps: @@ -21,6 +15,6 @@ runs: run: yarn install --frozen-lockfile shell: bash - - name: Build ${{ inputs.workspace-name }} + - name: Build io-functions-service-messages run: yarn build shell: bash diff --git a/.github/actions/create-artifact/action.yml b/.github/actions/create-artifact/action.yml deleted file mode 100644 index ad39fc88..00000000 --- a/.github/actions/create-artifact/action.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: "Make workspace artifact" -description: "This action creates an artifact for the selected workspace." - -inputs: - workspace-name: - description: The name of the workspace to create the artifact for" - required: true - -outputs: - artifact-path: - description: The path to the created artifact - value: ${{ steps['make-function-app-artifact'].outputs.artifact-path }} - -runs: - using: "composite" - steps: - - name: Make the azure function app artifact - id: make-function-app-artifact - run: | - zip -r ${{ inputs.workspace-name }}.zip . - echo "artifact-path=$(realpath ${{ inputs.workspace-name }}.zip)" >> "$GITHUB_OUTPUT" - shell: bash - \ No newline at end of file 
diff --git a/.github/workflows/deploy-func.yaml b/.github/workflows/deploy-func.yaml index a87fee05..20287548 100644 --- a/.github/workflows/deploy-func.yaml +++ b/.github/workflows/deploy-func.yaml @@ -9,6 +9,4 @@ jobs: deploy_workspace_to_azure: name: Deploy uses: ./.github/workflows/deploy.yaml - with: - workspace-name: io-functions-service-messages secrets: inherit \ No newline at end of file diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 6a73f4ac..dee71167 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -1,11 +1,7 @@ -name: Deploy workspace +name: Deploy functions on: - workflow_call: - inputs: - workspace-name: - required: true - type: string + workflow_call: {} jobs: build: @@ -17,21 +13,18 @@ jobs: with: fetch-depth: 3 - - name: Build workspace + - name: Build functions uses: "./.github/actions/build" - with: - workspace-name: ${{ inputs.workspace-name }} - - - name: Make workspace artifact - id: make_artifact - uses: "./.github/actions/create-artifact" - with: - workspace-name: ${{ inputs.workspace-name }} - - name: Upload workspace artifact + - name: Make the azure function app artifact + run: | + zip -r io-functions-service-messages.zip . + echo "artifact-path=$(realpath io-functions-service-messages.zip)" >> "$GITHUB_OUTPUT" + shell: bash + + - name: Upload functions artifact uses: actions/upload-artifact@v3 with: - name: ${{ inputs.workspace-name }} path: ${{ steps.make_artifact.outputs.artifact-path }} deploy: @@ -46,10 +39,8 @@ jobs: contents: read steps: - - name: Download workspace artifact + - name: Download functions artifact uses: actions/download-artifact@v3 - with: - name: ${{ inputs.workspace-name }} - name: Login to Azure uses: azure/login@v1 
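Review bot: The inlined artifact step in the `@@ -17,21 +13,18 @@` hunk of deploy.yaml has no `id:`, yet the upload step right after it still reads `steps.make_artifact.outputs.artifact-path`, which evaluates to empty; the step needs `id: make_artifact`. `zip -r io-functions-service-messages.zip .` also bundles the whole checkout, including the `.git` directory left by actions/checkout, into the package that is deployed; excluding it, `zip -r io-functions-service-messages.zip . -x '.git/*'`, keeps repository history out of the running function app.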
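Review bot: Dropping `name` from the download step in the `@@ -46,10 +39,8 @@` hunk (and from the upload step in the previous hunk) changes where the file lands: if I read actions/download-artifact@v3 correctly, a call with no `name` downloads every artifact into a subdirectory named after it, so `package: io-functions-service-messages.zip` in the following hunk would no longer resolve at the job root. Keeping an explicit, matching `name: io-functions-service-messages` on both the upload and the download step pins the layout the deploy step expects; a single run of the workflow will confirm. The deploy job continues past this hunk.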
@@ -64,7 +55,7 @@ jobs: resource-group-name: ${{ vars.AZURE_WEB_APP_RESOURCE_GROUP }} app-name: ${{ vars.AZURE_WEB_APP_NAME }} slot-name: staging - package: ${{ inputs.workspace-name }}.zip + package: io-functions-service-messages.zip - name: Check staging health run: curl --retry 5 --retry-max-time 120 --retry-all-errors -f 'https://${{ vars.AZURE_WEB_APP_NAME }}-staging.azurewebsites.net${{ vars.HEALTH_CHECK_PATH }}' diff --git a/.gitignore b/.gitignore index 42195918..5a17e2e1 100755 --- a/.gitignore +++ b/.gitignore @@ -31,7 +31,6 @@ dist # Python Environments .env .venv -env/ venv/ ENV/ env.bak/ From 50b23175a6afb702dad9c34ad1dd3707434d530d Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Mon, 8 Apr 2024 17:23:16 +0200 Subject: [PATCH 17/41] added env --- .identity/env/prod/backend.ini | 1 + .identity/env/prod/backend.tfvars | 4 ++++ .identity/env/prod/terraform.tfvars | 24 ++++++++++++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 .identity/env/prod/backend.ini create mode 100644 .identity/env/prod/backend.tfvars create mode 100644 .identity/env/prod/terraform.tfvars diff --git a/.identity/env/prod/backend.ini b/.identity/env/prod/backend.ini new file mode 100644 index 00000000..cf83055f --- /dev/null +++ b/.identity/env/prod/backend.ini @@ -0,0 +1 @@ +subscription=PROD-IO diff --git a/.identity/env/prod/backend.tfvars b/.identity/env/prod/backend.tfvars new file mode 100644 index 00000000..134da021 --- /dev/null +++ b/.identity/env/prod/backend.tfvars @@ -0,0 +1,4 @@ +resource_group_name = "io-infra-rg" +storage_account_name = "ioinfrastterraform" +container_name = "azurermstate" +key = "messages-common.terraform.tfstate" diff --git a/.identity/env/prod/terraform.tfvars b/.identity/env/prod/terraform.tfvars new file mode 100644 index 00000000..83c4e0cd --- /dev/null +++ b/.identity/env/prod/terraform.tfvars 
@@ -0,0 +1,24 @@ +domain = "iocom" +env = "prod" +env_short = "p" +prefix = "io" + +tags = { + CreatedBy = "Terraform" + Environment = "Prod" + Owner = "io" + Source = "https://github.com/pagopa/io-sign" + CostCenter = "TS310 - PAGAMENTI & SERVIZI" +} + +web_apps_environment_cd_roles = { + subscription = [] + resource_groups = { + "io-p-github-runner-rg" = [ + "Contributor", + ], + "io-p-sign-backend-rg" = [ + "Contributor", + ] + } +} From 465d692276872df2e1b46e69ddc0a97b2cf2ff47 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Mon, 8 Apr 2024 17:25:12 +0200 Subject: [PATCH 18/41] fix --- .github/workflows/deploy.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index dee71167..1e011a37 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -17,6 +17,7 @@ jobs: uses: "./.github/actions/build" - name: Make the azure function app artifact + id: make_artifact run: | zip -r io-functions-service-messages.zip . echo "artifact-path=$(realpath io-functions-service-messages.zip)" >> "$GITHUB_OUTPUT" From f2761989d0495207e6c67494cb35d2dda8f9ab66 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Tue, 9 Apr 2024 17:07:24 +0200 Subject: [PATCH 19/41] fix --- .identity/env/prod/terraform.tfvars | 4 ++-- openapi/index.yaml | 15 ++++++++++----- openapi/index_external.yaml | 12 ++++++++---- 3 files changed, 20 insertions(+), 11 deletions(-) diff --git a/.identity/env/prod/terraform.tfvars b/.identity/env/prod/terraform.tfvars index 83c4e0cd..d84fa5f2 100644 --- a/.identity/env/prod/terraform.tfvars +++ b/.identity/env/prod/terraform.tfvars @@ -7,7 +7,7 @@ tags = { CreatedBy = "Terraform" Environment = "Prod" Owner = "io" - Source = "https://github.com/pagopa/io-sign" + Source = "https://github.com/pagopa/io-functions-service-messages" CostCenter = "TS310 - PAGAMENTI & SERVIZI" } 
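Review bot: `web_apps_environment_cd_roles` in the terraform.tfvars hunk grants the CD identity Contributor on `io-p-sign-backend-rg`, and `Source` points at `pagopa/io-sign`, so this block looks copied from another product's configuration. Contributor on a resource group this function app does not live in is a least-privilege problem for a deploy identity; the entry should name this project's group, `io-p-service-messages-rg` as used by the locals in this series, and `Source` should reference this repository.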
@@ -17,7 +17,7 @@ web_apps_environment_cd_roles = { "io-p-github-runner-rg" = [ "Contributor", ], - "io-p-sign-backend-rg" = [ + "io-p-service-messages-rg" = [ "Contributor", ] } diff --git a/openapi/index.yaml b/openapi/index.yaml index 98554728..ae20d7fa 100644 --- a/openapi/index.yaml +++ b/openapi/index.yaml @@ -96,7 +96,8 @@ paths: operationId: listRCConfiguration summary: Get all the remote-content configurations associated to the userId description: >- - Get all the remote-content configurations associated to the userId retrieved from the header + Get all the remote-content configurations associated to the userId + retrieved from the header parameters: - in: header name: x-user-id @@ -128,7 +129,8 @@ paths: operationId: getRCConfiguration summary: Get the remote-content configuration identified by the configurationId description: >- - Get the remote-content configuration using the provided configurationId passed as path param + Get the remote-content configuration using the provided configurationId + passed as path param parameters: - in: path name: configurationId @@ -166,7 +168,8 @@ paths: operationId: updateRCConfiguration summary: Update an existing remote-content configuration description: >- - Update an existing remote-content configuration using the provided payload + Update an existing remote-content configuration using the provided + payload parameters: - in: body name: body @@ -393,7 +396,8 @@ definitions: type: integer format: int32 description: >- - The HTTP status code generated by the origin server for this occurrence of the problem. + The HTTP status code generated by the origin server for this + occurrence of the problem. minimum: 100 maximum: 600 exclusiveMaximum: true 
@@ -408,7 +412,8 @@ definitions: type: string format: uri description: >- - An absolute URI that identifies the specific occurrence of the problem. + An absolute URI that identifies the specific occurrence of the + problem. It may or may not yield further information if dereferenced. FiscalCode: diff --git a/openapi/index_external.yaml b/openapi/index_external.yaml index 906f7da3..1939df9a 100644 --- a/openapi/index_external.yaml +++ b/openapi/index_external.yaml @@ -164,7 +164,8 @@ paths: operationId: getRCConfiguration summary: Get the remote-content configuration identified by the configurationId description: >- - Get the remote-content configuration using the provided configurationId passed as path param + Get the remote-content configuration using the provided configurationId + passed as path param parameters: - in: path name: configurationId @@ -227,7 +228,8 @@ paths: operationId: updateRCConfiguration summary: Update an existing remote-content configuration description: >- - Update an existing remote-content configuration using the provided payload + Update an existing remote-content configuration using the provided + payload parameters: - in: body name: body @@ -440,7 +442,8 @@ definitions: type: integer format: int32 description: >- - The HTTP status code generated by the origin server for this occurrence of the problem. + The HTTP status code generated by the origin server for this + occurrence of the problem. minimum: 100 maximum: 600 exclusiveMaximum: true @@ -455,7 +458,8 @@ definitions: type: string format: uri description: >- - An absolute URI that identifies the specific occurrence of the problem. + An absolute URI that identifies the specific occurrence of the + problem. It may or may not yield further information if dereferenced. FiscalCode: From e2a8334c4a1164579ec18a9a391ec0c91ea91dc3 Mon Sep 17 00:00:00 2001 
From: Michael Disaro Date: Wed, 10 Apr 2024 16:10:52 +0200 Subject: [PATCH 20/41] post review changes --- .github/workflows/deploy-func.yaml | 6 +- .github/workflows/deploy.yaml | 25 ++++--- .../templates/composite_node_yarn.yml} | 0 .gitignore | 50 +++++++++++++ .identity/.gitignore | 48 ------------ .identity/.terraform.lock.hcl | 73 ------------------- .identity/99_locals.tf | 18 ----- .identity/99_variables.tf | 64 ---------------- .identity/env/prod/backend.ini | 1 - .identity/env/prod/backend.tfvars | 4 - .identity/env/prod/terraform.tfvars | 24 ------ .identity/github_environment_web_apps.tf | 35 --------- .identity/identity_web_apps.tf | 18 ----- .identity/terraform.sh | 44 ----------- .../.terraform-version => .terraform-version | 0 .../01_data.tf => infra/identity/data.tf | 0 infra/identity/locals.tf | 42 +++++++++++ .../99_main.tf => infra/identity/main.tf | 13 ++-- .../identity/outputs.tf | 0 infra/repository/data.tf | 9 +++ infra/repository/github_branch_rules.tf | 25 +++++++ infra/repository/github_environment_cd.tf | 18 +++++ infra/repository/github_environment_ci.tf | 18 +++++ .../repository}/github_repo_secrets.tf | 5 +- infra/repository/github_repository.tf | 27 +++++++ infra/repository/identity_web_apps.tf | 18 +++++ infra/repository/locals.tf | 55 ++++++++++++++ infra/repository/main.tf | 34 +++++++++ 28 files changed, 325 insertions(+), 349 deletions(-) rename .github/{actions/build/action.yml => workflows/templates/composite_node_yarn.yml} (100%) delete mode 100644 .identity/.gitignore delete mode 100644 .identity/.terraform.lock.hcl delete mode 100644 .identity/99_locals.tf delete mode 100644 .identity/99_variables.tf delete mode 100644 .identity/env/prod/backend.ini delete mode 100644 .identity/env/prod/backend.tfvars delete mode 100644 .identity/env/prod/terraform.tfvars delete mode 100644 .identity/github_environment_web_apps.tf delete mode 100644 .identity/identity_web_apps.tf delete mode 100755 .identity/terraform.sh rename 
.identity/.terraform-version => .terraform-version (100%) rename .identity/01_data.tf => infra/identity/data.tf (100%) create mode 100644 infra/identity/locals.tf rename .identity/99_main.tf => infra/identity/main.tf (61%) rename .identity/99_outputs.tf => infra/identity/outputs.tf (100%) create mode 100644 infra/repository/data.tf create mode 100644 infra/repository/github_branch_rules.tf create mode 100644 infra/repository/github_environment_cd.tf create mode 100644 infra/repository/github_environment_ci.tf rename {.identity => infra/repository}/github_repo_secrets.tf (57%) create mode 100644 infra/repository/github_repository.tf create mode 100644 infra/repository/identity_web_apps.tf create mode 100644 infra/repository/locals.tf create mode 100644 infra/repository/main.tf diff --git a/.github/workflows/deploy-func.yaml b/.github/workflows/deploy-func.yaml index 20287548..e70f204a 100644 --- a/.github/workflows/deploy-func.yaml +++ b/.github/workflows/deploy-func.yaml @@ -1,12 +1,14 @@ -name: Deploy (io-functions-service-messages) +name: functions-service-messages Release on: push: branches: - "iocom-1221" - workflow_dispatch: {} + workflow_dispatch: jobs: deploy_workspace_to_azure: name: Deploy uses: ./.github/workflows/deploy.yaml + with: + environment: prod secrets: inherit \ No newline at end of file diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 1e011a37..deb120e4 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -1,20 +1,23 @@ -name: Deploy functions - on: - workflow_call: {} + workflow_call: + +inputs: + environment: + type: string + required: true jobs: build: name: Build runs-on: ubuntu-latest steps: - - name: Checkout repo + - name: Checkout uses: actions/checkout@v3 with: - fetch-depth: 3 + fetch-depth: 2 - name: Build functions - uses: "./.github/actions/build" + uses: "./.github/worflows/templates/composite_node_yarn.yml" - name: Make the azure function app artifact id: make_artifact 
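Review bot: The deploy-func.yaml hunk passes `environment: prod` from a workflow whose trigger, in the unchanged context lines, is `push` to the feature branch `"iocom-1221"`, so every push to that branch starts a production deployment and the `prod-cd` environment's protection rules are the only control before the slot swap. Before this leaves the branch the push trigger should move to `main` or be dropped in favour of `workflow_dispatch` alone; at minimum a comment on the trigger, `# TODO: replace iocom-1221 with main before merge`, records that the current value is temporary.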
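Review bot: `inputs:` is declared at the top level of deploy.yaml in the `@@ -1,20 +1,23 @@` hunk, but reusable-workflow inputs are only read from `on.workflow_call.inputs`; as written the key is not part of the workflow schema and `inputs.environment`, consumed as `environment: ${{ inputs.environment }}-cd` in the next hunk, stays empty. The build step's `uses: "./.github/worflows/templates/composite_node_yarn.yml"` has two further problems: the path is misspelled (`worflows`) and a local `uses:` must name a directory containing `action.yml`, not a `.yml` file, so the composite action renamed in this same patch cannot be loaded from there. Move the inputs under `workflow_call` as below and either keep the action at `.github/actions/build/action.yml` or place it as `.github/workflows/templates/composite_node_yarn/action.yml`.
```yaml
on:
  workflow_call:
    inputs:
      environment:
        type: string
        required: true
# … unchanged: build job and checkout step …
      - name: Build functions
        uses: ./.github/workflows/templates/composite_node_yarn  # directory holding action.yml
```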
@@ -29,11 +32,11 @@ jobs: path: ${{ steps.make_artifact.outputs.artifact-path }} deploy: - name: Deploy + name: Deploy Function App if: ${{ !github.event.act }} needs: [build] runs-on: self-hosted - environment: production + environment: ${{ inputs.environment }}-cd permissions: id-token: write @@ -50,7 +53,7 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - name: Deploy to ${{ vars.AZURE_WEB_APP_NAME }} staging slot + - name: Deploy Function App to Staging Slot uses: azure/webapps-deploy@v2 with: resource-group-name: ${{ vars.AZURE_WEB_APP_RESOURCE_GROUP }} @@ -58,8 +61,8 @@ jobs: slot-name: staging package: io-functions-service-messages.zip - - name: Check staging health + - name: Check Staging Health run: curl --retry 5 --retry-max-time 120 --retry-all-errors -f 'https://${{ vars.AZURE_WEB_APP_NAME }}-staging.azurewebsites.net${{ vars.HEALTH_CHECK_PATH }}' - - name: Swap staging slot with production + - name: Swap Staging and Production Slots run: az webapp deployment slot swap -g ${{ vars.AZURE_WEB_APP_RESOURCE_GROUP }} -n ${{ vars.AZURE_WEB_APP_NAME }} --slot staging --target-slot production \ No newline at end of file diff --git a/.github/actions/build/action.yml b/.github/workflows/templates/composite_node_yarn.yml similarity index 100% rename from .github/actions/build/action.yml rename to .github/workflows/templates/composite_node_yarn.yml diff --git a/.gitignore b/.gitignore index 5a17e2e1..f6c244b9 100755 --- a/.gitignore +++ b/.gitignore @@ -32,6 +32,7 @@ dist .env .venv venv/ +env/ ENV/ env.bak/ venv.bak/ 
@@ -62,3 +63,52 @@ helm/charts** helm/charts/* docker-compose.override.yml + +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log + +# Ignore any .tfvars files that are generated automatically for each Terraform run. Most +# .tfvars files are managed as part of configuration and so should be included in +# version control. +# +# example.tfvars + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Include override files you do wish to add to version control using negated pattern +# +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* + +**/.tfsec/* +**/.ignore/* + +*.DS_Store +*.log +*.h2.db +settings.json +__TMP +.metals/ +*.log +*.h2.db +settings.json +__TMP +.metals/ +__azurite_* +/.idea + +**/modules/**/.terraform.lock.hcl diff --git a/.identity/.gitignore b/.identity/.gitignore deleted file mode 100644 index 45544ad9..00000000 --- a/.identity/.gitignore +++ /dev/null 
@@ -1,48 +0,0 @@ -# Local .terraform directories -**/.terraform/* - -# .tfstate files -*.tfstate -*.tfstate.* - -# Crash log files -crash.log - -# Ignore any .tfvars files that are generated automatically for each Terraform run. Most -# .tfvars files are managed as part of configuration and so should be included in -# version control. -# -# example.tfvars - -# Ignore override files as they are usually used to override resources locally and so -# are not checked in -override.tf -override.tf.json -*_override.tf -*_override.tf.json - -# Include override files you do wish to add to version control using negated pattern -# -# !example_override.tf - -# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan -# example: *tfplan* - -**/.tfsec/* -**/.ignore/* - -*.DS_Store -*.log -*.h2.db -settings.json -__TMP -.metals/ -*.log -*.h2.db -settings.json -__TMP -.metals/ -__azurite_* -/.idea - -**/modules/**/.terraform.lock.hcl diff --git a/.identity/.terraform.lock.hcl b/.identity/.terraform.lock.hcl deleted file mode 100644 index 3e3655f5..00000000 --- a/.identity/.terraform.lock.hcl +++ /dev/null 
@@ -1,73 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azuread" { - version = "2.33.0" - constraints = "2.33.0" - hashes = [ - "h1:PDiZA9QpXCkaSuWu6jiCRcjVtKJETqjcOZq4I434zfE=", - "h1:QAQe2+WSqGnHYAVoA+NN4Oeuoqg5sXq3U9Qmj6S1P5M=", - "h1:XIvCW3Nl4bW1bc9f8jyGhft+fQjaed4yy/LFzDAeVJ8=", - "h1:Z28tjly5UfKOE+HL/oALxCPhmCuBwUgZ4uaYt68VR3M=", - "zh:0602d03d7d7e38819f78dc377e64f365427496edf1065bfbb113e3921ab1c34e", - "zh:08843838f4fe146084592472648d4ea7191931eabe042a96c3b3c6eaf8ddfb43", - "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:26a0d8a186e3b47ea0b7217a8e420b03fda59b7a680bb3ea52cf7d3e6d965ef3", - "zh:352a1cacaacd39e796de15a52d192ab0e6eb98dd36b5fbf8ebddd37e6dafa4ac", - "zh:3702ad4c534e67e2e07b060bfe5e6edc244c59c911906c8b15b96e7fecb0ff2c", - "zh:93b5248d26bdd44845b2ab051a2168c7edad788ae9836f62ea5fb632fd59d7ea", - "zh:a7b880155f4a67b52a5bfe78de33dc55254ef80006234f00e36aaf6533b1de4a", - "zh:a7cf0829364127c9bca26ec01ea3d66988b43987b2d26a3290487d1fc0da50eb", - "zh:b1f82b0d30af733b36a2f849799e0b1ed6a72888fa32a438c829c4e5cff88e20", - "zh:b6c2b23770852de8f56b549579c2f5a82afd84a9ca0616d53a25d48488f7aaf0", - "zh:d87dfbdfe8ab9d3a2e33f210333d40f211ea7d33bfa671063e6807c6ddd85a52", - ] -} - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.84.0" - constraints = ">= 3.30.0, 3.84.0, <= 3.84.0" - hashes = [ - "h1:1Ucponuagrx5kNeIlcZwG2urqoRXBCTddDKqL265+xM=", - "h1:3KYwbI62e6u2f7ob9Ps8yahnIaNHkE56UsF0130zRzE=", - "h1:aoqNC2sfLKyblgQh0SfQW0BHl3UP1mMAUJLYLGG3PxE=", - "h1:y/NWRLvnJmyJ5lf/AnLFy25jfyJqp6xwwxLxZnvovAs=", - "zh:14a96daf672541dbc27137d9cc0a96a737710597262ecaaa64a328eb1174e5df", - "zh:16d8e794fdd87ed8e64291fe8a617f420d8263f21672033333a020d06f4c9618", - "zh:64e5cd1bb6a81bccffff0d1f77790286ab46179cf12442134c3f3bca722afc1b", - "zh:7010ada67fbae971ac8b7204a30b1317aee7ccac7227afc6ac27277c642996a1", - 
"zh:77c2616ecd29685d2a4dc3ec3e9771e5ecf652e127946767d9b7ef19bbf58a21", - "zh:861922cfae724eacf1bd915efd5dbf6c23e4e762a2bbe60993099648e64aedb5", - "zh:8fb797c98bb08e7342995317810d28c41bb519fbc128adaa170896356b9eaebd", - "zh:982e85a4a9d282e3c8f7d7836037ccc98ff3ef50af246fad2e04684a81d16201", - "zh:a2ef29ff907cf6622e58afa0a27e23a3160ba3d70d531795b4d9a6c42c354630", - "zh:c46ccc4eecb79d096bcb652af0cffe300ec480d80a13a5b302c71b1aac9f9f1c", - "zh:cc6a06bf6d5e811fe8c0d9ad652e143b4e94bd16a03fb8a86f5086f0ae5abfa9", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/integrations/github" { - version = "5.39.0" - constraints = "5.39.0" - hashes = [ - "h1:AMn+8x91H4L0bNXgfGA4mEmjumfd7lslBRNsf+Z3J9Q=", - "h1:B2pPhXlLR5IHfoO6MQ70EgfavVLUlFd8FQw2zxy04RM=", - "h1:EsDsxcxdtvQ6D64PNbkGG6PbAC2l2ECeCryGPw6uKIw=", - "h1:mpO68ifHJruMIuSvOuCa4PQt841arZr50O+uCxjhVak=", - "zh:1bd8eae3b590ca0d765af0d316fe5500b6a55cc75b84997aed38549fef3f3e3e", - "zh:3fb718473bcf42ce48f71ad79f527988b5ad8bc744cbcf2e4ac84f389c17b32a", - "zh:43b6cdd6471478baddf4326f23a68ec5bce5a64aa4792cafa0d87708429e18de", - "zh:54d577bebc29cfb9a8f29c8335fe533b55c1e7bf79d7a7acb1d8dfcc305f2824", - "zh:6aa1b7cb45e7d9e116b3e6c234c92b9cc6598819d0d6b0cb330a707f8e6f007b", - "zh:8824653f311a4993b5ce355bbe5f74d8ed1eed2ed2fd25d6e902831263566b40", - "zh:8b9a256730cf48d3b8a91d86393a4787d119fc9990ab864c6069ec83bbaf0a17", - "zh:9e87d3cc56dfba33c9a8f41b1f39b8624d680c8e5498bbdccccca251825c9529", - "zh:9fa3ac69297416c619e812e79bf634064cc09fdea242088bbf65fb34ffd6db9f", - "zh:c0aa2b2e488eefd7a4739d9b6893b977b5249d7f2ccfa55b64ce529a50b64fd7", - "zh:cbe26313f9d2dcfcbaa91a0c4f064ed6e34c2e2eff05dfe092332f50530fc61b", - "zh:dc2ca63d044304352ac66d969c5acb0dc689a48d4d97ee5d0a28414bc5bc95ee", - "zh:f6351cb0ff7ff17771c415349f0b9828ec54f19f40c6c3a53a8092f2c78c6f65", - "zh:f8c06856928f55475e9ae63958f5f38a45ceee728f9ec0114ffebd5b6b56f44e", - ] -} 
diff --git a/.identity/99_locals.tf b/.identity/99_locals.tf deleted file mode 100644 index 6119420b..00000000 --- a/.identity/99_locals.tf +++ /dev/null @@ -1,18 +0,0 @@ -locals { - prefix = "${var.prefix}-${var.env_short}" - - resource_group_name = "io-p-service-messages-rg" - functions_app_name = "io-p-messages-sending-func" - - github_federations = tolist([ - { - repository = "io-functions-service-messages" - subject = "prod-cd" - } - ]) - - repo_secrets = { - "AZURE_SUBSCRIPTION_ID" = data.azurerm_client_config.current.subscription_id - "AZURE_TENANT_ID" = data.azurerm_client_config.current.tenant_id - } -} diff --git a/.identity/99_variables.tf b/.identity/99_variables.tf deleted file mode 100644 index a23aefe2..00000000 --- a/.identity/99_variables.tf +++ /dev/null @@ -1,64 +0,0 @@ -variable "tags" { - type = map(any) -} - -variable "prefix" { - type = string - validation { - condition = ( - length(var.prefix) <= 6 - ) - error_message = "Max length is 6 chars." - } -} - -variable "env" { - type = string - description = "Environment" -} - -variable "env_short" { - type = string - validation { - condition = ( - length(var.env_short) <= 1 - ) - error_message = "Max length is 1 chars." - } -} - -variable "domain" { - type = string - description = "The applicative domain" - validation { - condition = ( - length(var.domain) < 6 - ) - error_message = "Max length is 6 chars." - } -} - -variable "github" { - type = object({ - org = string - repository = string - }) - description = "GitHub Organization and repository name" - default = { - org = "pagopa" - repository = "io-functions-service-messages" - } -} - -variable "web_apps_environment_cd_roles" { - type = object({ - subscription = list(string) - resource_groups = map(list(string)) - }) - description = "GitHub Continous Delivery roles for web apps managed identity" -} - -variable "location" { - type = string - default = "westeurope" -} 
diff --git a/.identity/env/prod/backend.ini b/.identity/env/prod/backend.ini deleted file mode 100644 index cf83055f..00000000 --- a/.identity/env/prod/backend.ini +++ /dev/null @@ -1 +0,0 @@ -subscription=PROD-IO diff --git a/.identity/env/prod/backend.tfvars b/.identity/env/prod/backend.tfvars deleted file mode 100644 index 134da021..00000000 --- a/.identity/env/prod/backend.tfvars +++ /dev/null @@ -1,4 +0,0 @@ -resource_group_name = "io-infra-rg" -storage_account_name = "ioinfrastterraform" -container_name = "azurermstate" -key = "messages-common.terraform.tfstate" diff --git a/.identity/env/prod/terraform.tfvars b/.identity/env/prod/terraform.tfvars deleted file mode 100644 index d84fa5f2..00000000 --- a/.identity/env/prod/terraform.tfvars +++ /dev/null @@ -1,24 +0,0 @@ -domain = "iocom" -env = "prod" -env_short = "p" -prefix = "io" - -tags = { - CreatedBy = "Terraform" - Environment = "Prod" - Owner = "io" - Source = "https://github.com/pagopa/io-functions-service-messages" - CostCenter = "TS310 - PAGAMENTI & SERVIZI" -} - -web_apps_environment_cd_roles = { - subscription = [] - resource_groups = { - "io-p-github-runner-rg" = [ - "Contributor", - ], - "io-p-service-messages-rg" = [ - "Contributor", - ] - } -} diff --git a/.identity/github_environment_web_apps.tf b/.identity/github_environment_web_apps.tf deleted file mode 100644 index 1cfa21d3..00000000 --- a/.identity/github_environment_web_apps.tf +++ /dev/null 
@@ -1,35 +0,0 @@ -resource "github_repository_environment" "messages_sending" { - environment = local.functions_app_name - repository = var.github.repository - reviewers { - teams = [data.github_team.maintainers.id] - } -} - -resource "github_actions_environment_secret" "web_app_client_id" { - repository = var.github.repository - environment = github_repository_environment.messages_sending.environment - secret_name = "AZURE_CLIENT_ID" - plaintext_value = module.web_apps_identity_cd.identity_client_id -} - -resource "github_actions_environment_variable" "web_app_resouce_group" { - repository = var.github.repository - environment = github_repository_environment.messages_sending.environment - variable_name = "AZURE_WEB_APP_RESOURCE_GROUP" - value = local.resource_group_name -} - -resource "github_actions_environment_variable" "web_app_names" { - repository = var.github.repository - environment = github_repository_environment.messages_sending.environment - variable_name = "AZURE_WEB_APP_NAME" - value = local.functions_app_name -} - -resource "github_actions_environment_variable" "health_check_path" { - repository = var.github.repository - environment = github_repository_environment.messages_sending.environment - variable_name = "HEALTH_CHECK_PATH" - value = "/api/v1/info" -} diff --git a/.identity/identity_web_apps.tf b/.identity/identity_web_apps.tf deleted file mode 100644 index 671835ef..00000000 --- a/.identity/identity_web_apps.tf +++ /dev/null @@ -1,18 +0,0 @@ -module "web_apps_identity_cd" { - source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v7.34.2" - - prefix = var.prefix - env_short = var.env_short - domain = var.domain - - identity_role = "cd" - - github_federations = local.github_federations - - cd_rbac_roles = { - subscription_roles = var.web_apps_environment_cd_roles.subscription - resource_groups = var.web_apps_environment_cd_roles.resource_groups - } - - tags = var.tags -} 
diff --git a/.identity/terraform.sh b/.identity/terraform.sh deleted file mode 100755 index 982f6a00..00000000 --- a/.identity/terraform.sh +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/bash - -set -e - -action=$1 -env=$2 -IFS=" " read -r -a other <<< "${@:3}" - -if [ -z "$action" ]; then - echo "Missed action: init, apply, plan" - exit 0 -fi - -if [ -z "$env" ]; then - echo "env should be: dev, uat or prod." - exit 0 -fi - -# shellcheck source=./env/prod/backend.ini -source "./env/$env/backend.ini" -az account set -s "${subscription}" - -export TF_VAR_github_token="${GITHUB_TOKEN}" - -if echo "init plan apply refresh import output state taint destroy" | grep -w "$action" > /dev/null; then - if [ "$action" = "init" ]; then - echo "🧭 terraform INIT in env: ${env}" - - terraform "$action" -reconfigure -backend-config="./env/$env/backend.tfvars" "${other[@]}" - elif [ "$action" = "output" ] || [ "$action" = "state" ] || [ "$action" = "taint" ]; then - echo "🧭 terraform (output|state|taint) launched with action: ${action} in env: ${env}" - - terraform init -reconfigure -backend-config="./env/$env/backend.tfvars" - terraform "$action" "${other[@]}" - else - echo "🧭 terraform launched with action: ${action} in env: ${env} into folder $(pwd)" - - terraform init -reconfigure -backend-config="./env/$env/backend.tfvars" - terraform "$action" -var-file="./env/$env/terraform.tfvars" "${other[@]}" - fi -else - echo "Action not allowed." - exit 1 -fi diff --git a/.identity/.terraform-version b/.terraform-version similarity index 100% rename from .identity/.terraform-version rename to .terraform-version diff --git a/.identity/01_data.tf b/infra/identity/data.tf similarity index 100% rename from .identity/01_data.tf rename to infra/identity/data.tf diff --git a/infra/identity/locals.tf b/infra/identity/locals.tf new file mode 100644 index 00000000..e55f327b --- /dev/null +++ b/infra/identity/locals.tf 
@@ -0,0 +1,42 @@ +locals { + prefix = "io" + env_short = "p" + project = "${local.prefix}-${local.env_short}" + domain = "iocom" + repository = "io-functions-services-messages" + + resource_group_name = "${local.project}-service-messages-rg" + functions_app_name = "${local.project}-messages-sending-func" + + github_federations = tolist([ + { + repository = "io-functions-service-messages" + subject = "prod-cd" + } + ]) + + repo_secrets = { + "AZURE_SUBSCRIPTION_ID" = data.azurerm_client_config.current.subscription_id + "AZURE_TENANT_ID" = data.azurerm_client_config.current.tenant_id + } + + web_apps_environment_cd_roles = { + subscription = [] + resource_groups = { + "io-p-github-runner-rg" = [ + "Contributor", + ], + "io-p-service-messages-rg" = [ + "Contributor", + ] + } + } + + tags = { + CreatedBy = "Terraform" + Environment = "Prod" + Owner = "IO" + Source = "https://github.com/pagopa/io-functions-service-messages" + CostCenter = "TS310 - PAGAMENTI & SERVIZI" + } +} diff --git a/.identity/99_main.tf b/infra/identity/main.tf similarity index 61% rename from .identity/99_main.tf rename to infra/identity/main.tf index 4f778003..a86fa49a 100644 --- a/.identity/99_main.tf +++ b/infra/identity/main.tf @@ -8,7 +8,7 @@ terraform { } azurerm = { source = "hashicorp/azurerm" - version = "3.84.0" + version = "<= 3.98" } github = { source = "integrations/github" @@ -16,7 +16,12 @@ terraform { } } - backend "azurerm" {} + backend "azurerm" { + resource_group_name = terraform-state-rg + storage_account_name = tfappprodio + container_name = terraform-state + key = io-functions-service-messages.identity.tfstate + } } provider "azurerm" { @@ -24,9 +29,7 @@ provider "azurerm" { } provider "github" { - owner = var.github.org - write_delay_ms = "200" - read_delay_ms = "200" + owner = "pagopa" } data "azurerm_subscription" "current" {} 
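Review bot: `repository = "io-functions-services-messages"` disagrees with the federation entry `repository = "io-functions-service-messages"` and with the `Source` tag a few lines below; the GitHub OIDC trust is matched on the exact `repo:<owner>/<name>` subject, so a one-letter drift here either breaks the federated login or binds the credential to a differently named repository. Fix the name once, e.g. `repository = "io-functions-service-messages"`, and derive the `github_federations` entry from `local.repository` instead of repeating the literal. Separately, `web_apps_environment_cd_roles` grants the CD identity `Contributor` on `io-p-github-runner-rg` as well as on the function RG; if the deploy only pushes a package and swaps slots, a narrower role such as `Website Contributor` on the function RG alone would be the least-privilege choice — confirm what the runner RG grant is for. In `main.tf` on the same line the new `backend "azurerm"` values (`terraform-state-rg`, `tfappprodio`, …) are bare words rather than quoted strings and will not parse.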
diff --git a/.identity/99_outputs.tf b/infra/identity/outputs.tf similarity index 100% rename from .identity/99_outputs.tf rename to infra/identity/outputs.tf diff --git a/infra/repository/data.tf b/infra/repository/data.tf new file mode 100644 index 00000000..f64bbb44 --- /dev/null +++ b/infra/repository/data.tf @@ -0,0 +1,9 @@ +data "azurerm_user_assigned_identity" "identity_prod_ci" { + name = "${local.project}-github-ci-identity" + resource_group_name = local.identity_resource_group_name +} + +data "azurerm_user_assigned_identity" "identity_prod_cd" { + name = "${local.project}-github-cd-identity" + resource_group_name = local.identity_resource_group_name +} \ No newline at end of file diff --git a/infra/repository/github_branch_rules.tf b/infra/repository/github_branch_rules.tf new file mode 100644 index 00000000..ca44edb8 --- /dev/null +++ b/infra/repository/github_branch_rules.tf @@ -0,0 +1,25 @@ +resource "github_branch_default" "default_main" { + repository = github_repository.this.name + branch = "main" +} + +resource "github_branch_protection" "protection_main" { + repository_id = github_repository.this.name + pattern = "main" + + required_status_checks { + strict = false + contexts = [] + } + + require_conversation_resolution = true + require_signed_commits = false + + required_pull_request_reviews { + dismiss_stale_reviews = false + require_code_owner_reviews = true + required_approving_review_count = 1 + } + + allows_deletions = false +} \ No newline at end of file diff --git a/infra/repository/github_environment_cd.tf b/infra/repository/github_environment_cd.tf new file mode 100644 index 00000000..e98d63da --- /dev/null +++ b/infra/repository/github_environment_cd.tf 
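Review bot: `dismiss_stale_reviews = false` together with `required_status_checks { strict = false contexts = [] }` means a PR approved once can receive further pushes and still merge with no check required to pass, which with `allow_auto_merge = true` set on the repository elsewhere in this commit makes the single approval largely decorative. Set `dismiss_stale_reviews = true`, populate `contexts` with the CI check names and set `strict = true` so the branch must be up to date before merge. `enforce_admins` is not set and so defaults to false, letting admins bypass all of this; for a branch that gates a production deploy consider `enforce_admins = true` and `require_signed_commits = true`.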
@@ -0,0 +1,18 @@ +resource "github_repository_environment" "github_repository_environment_prod_cd" { + environment = "prod-cd" + repository = github_repository.this.name + + deployment_branch_policy { + protected_branches = false + custom_branch_policies = true + } +} + +resource "github_actions_environment_secret" "env_prod_cd_secrets" { + for_each = local.cd.secrets + + repository = github_repository.this.name + environment = github_repository_environment.github_repository_environment_prod_cd.environment + secret_name = each.key + plaintext_value = each.value +} \ No newline at end of file diff --git a/infra/repository/github_environment_ci.tf b/infra/repository/github_environment_ci.tf new file mode 100644 index 00000000..fc08e996 --- /dev/null +++ b/infra/repository/github_environment_ci.tf @@ -0,0 +1,18 @@ +resource "github_repository_environment" "github_repository_environment_prod_ci" { + environment = "prod-ci" + repository = github_repository.this.name + + deployment_branch_policy { + protected_branches = false + custom_branch_policies = true + } +} + +resource "github_actions_environment_secret" "env_prod_ci_secrets" { + for_each = local.ci.secrets + + repository = github_repository.this.name + environment = github_repository_environment.github_repository_environment_prod_ci.environment + secret_name = each.key + plaintext_value = each.value +} \ No newline at end of file diff --git a/.identity/github_repo_secrets.tf b/infra/repository/github_repo_secrets.tf similarity index 57% rename from .identity/github_repo_secrets.tf rename to infra/repository/github_repo_secrets.tf index 3494f189..7e9687b0 100644 --- a/.identity/github_repo_secrets.tf +++ b/infra/repository/github_repo_secrets.tf 
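Review bot: the new `prod-cd` environment has no `reviewers` block and no `wait_timer`, while the `github_repository_environment` this series deletes required approval from the maintainers team, so the manual gate in front of the production deploy is silently dropped. Add it back, e.g. `reviewers { teams = [data.github_team.maintainers.id] }`, with the matching `data "github_team"` block. `deployment_branch_policy { protected_branches = false custom_branch_policies = true }` has no accompanying `github_repository_environment_deployment_policy`; without a branch pattern the environment accepts no deployments, and if that is later relaxed any branch can deploy — add a policy for the default branch only.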
@@ -1,6 +1,7 @@ resource "github_actions_secret" "repo_secrets" { - for_each = local.repo_secrets - repository = var.github.repository + for_each = local.repo_secrets + + repository = github_repository.this.name secret_name = each.key plaintext_value = each.value } \ No newline at end of file diff --git a/infra/repository/github_repository.tf b/infra/repository/github_repository.tf new file mode 100644 index 00000000..0b1aa707 --- /dev/null +++ b/infra/repository/github_repository.tf @@ -0,0 +1,27 @@ +resource "github_repository" "this" { + name = local.repository + description = "Initial repository for DevEx activities." + + visibility = "public" + + allow_auto_merge = true + allow_rebase_merge = false + allow_merge_commit = false + allow_squash_merge = true + squash_merge_commit_title = "PR_TITLE" + squash_merge_commit_message = "BLANK" + + delete_branch_on_merge = true + + has_projects = false + has_wiki = false + has_discussions = false + has_issues = false + has_downloads = false + + topics = ["dx", "typescript"] + + vulnerability_alerts = true + + archive_on_destroy = true +} \ No newline at end of file diff --git a/infra/repository/identity_web_apps.tf b/infra/repository/identity_web_apps.tf new file mode 100644 index 00000000..e78efafd --- /dev/null +++ b/infra/repository/identity_web_apps.tf @@ -0,0 +1,18 @@ +module "web_apps_identity_cd" { + source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v7.34.2" + + prefix = local.prefix + env_short = local.env_short + domain = local.domain + + identity_role = "cd" + + github_federations = local.github_federations + + cd_rbac_roles = { + subscription_roles = locals.web_apps_environment_cd_roles.subscription + resource_groups = locals.web_apps_environment_cd_roles.resource_groups + } + + tags = locals.tags +} diff --git a/infra/repository/locals.tf b/infra/repository/locals.tf new file mode 100644 index 00000000..dd591467 --- /dev/null +++ b/infra/repository/locals.tf 
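Review bot: `locals.web_apps_environment_cd_roles.subscription`, `locals.web_apps_environment_cd_roles.resource_groups` and `locals.tags` are not valid references — the locals block is read as `local.<name>` — so this root module will not plan; change them to `local.…`. The module is fetched from `github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v7.34.2`; for a module that creates a federated identity and Azure role assignments a tag is mutable, so pin `ref=` to the commit SHA the tag resolves to today. This module also creates a CD identity while `data.tf` in the same commit reads a pre-existing `io-p-github-cd-identity`, and the `ARM_CLIENT_ID` environment secret comes from the data source, not from the module output — confirm the workflow is authenticating as the identity whose roles this stack actually manages.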
@@ -0,0 +1,55 @@ +locals { + prefix = "io" + env_short = "p" + project = "${local.prefix}-${local.env_short}" + domain = "iocom" + repository = "io-functions-services-messages" + + identity_resource_group_name = "${local.project}-identity-rg" + resource_group_name = "${local.project}-service-messages-rg" + functions_app_name = "${local.project}-messages-sending-func" + + github_federations = tolist([ + { + repository = "io-functions-service-messages" + subject = "prod-cd" + } + ]) + + repo_secrets = { + "ARM_TENANT_ID" = data.azurerm_client_config.current.tenant_id, + "ARM_SUBSCRIPTION_ID" = data.azurerm_subscription.current.id + } + + ci = { + secrets = { + "ARM_CLIENT_ID" = data.azurerm_user_assigned_identity.identity_prod_ci.client_id + } + } + + cd = { + secrets = { + "ARM_CLIENT_ID" = data.azurerm_user_assigned_identity.identity_prod_cd.client_id + } + } + + web_apps_environment_cd_roles = { + subscription = [] + resource_groups = { + "io-p-github-runner-rg" = [ + "Contributor", + ], + "io-p-service-messages-rg" = [ + "Contributor", + ] + } + } + + tags = { + CreatedBy = "Terraform" + Environment = "Prod" + Owner = "IO" + Source = "https://github.com/pagopa/io-functions-service-messages" + CostCenter = "TS310 - PAGAMENTI & SERVIZI" +} +} diff --git a/infra/repository/main.tf b/infra/repository/main.tf new file mode 100644 index 00000000..5e8a31e2 --- /dev/null +++ b/infra/repository/main.tf 
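Review bot: `"ARM_SUBSCRIPTION_ID" = data.azurerm_subscription.current.id` stores the full ARM resource ID (`/subscriptions/<guid>`), not the subscription GUID that `azure/login`'s `subscription-id` expects; use `data.azurerm_subscription.current.subscription_id`. `repository = "io-functions-services-messages"` again differs from the `github_federations` entry and the `Source` tag (`io-functions-service-messages`), so the `github_repository` resource would be created under one name while the OIDC federation trusts the other — derive both from a single local. The `tags` block also closes with a mis-indented `}`; harmless to Terraform but worth a `terraform fmt`.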
@@ -0,0 +1,34 @@ +terraform { + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = ">= 3.96.0" + } + + github = { + source = "integrations/github" + version = "6.1.0" + } + } + + backend "azurerm" { + resource_group_name = terraform-state-rg + storage_account_name = tfappprodio + container_name = terraform-state + key = io-functions-service-messages.identity.tfstate + } +} + +provider "azurerm" { + features { + } +} + +provider "github" { + owner = "pagopa" +} + +data "azurerm_client_config" "current" {} + +data "azurerm_subscription" "current" {} From 6e7874cac65864415da62b7f38c4815a7909114f Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Wed, 10 Apr 2024 16:14:18 +0200 Subject: [PATCH 21/41] fix --- .github/workflows/deploy.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index deb120e4..db0d91fd 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -1,10 +1,9 @@ on: workflow_call: - -inputs: - environment: - type: string - required: true + inputs: + environment: + type: string + required: true jobs: build: From 7fc13eb5a7cd8977ee2c086914ef046975d30e31 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Wed, 10 Apr 2024 16:28:41 +0200 Subject: [PATCH 22/41] fix version --- .github/workflows/deploy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index db0d91fd..e5ec0ec6 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -16,7 +16,7 @@ jobs: fetch-depth: 2 - name: Build functions - uses: "./.github/worflows/templates/composite_node_yarn.yml" + uses: "./.github/worflows/templates/composite_node_yarn.yml@main" - name: Make the azure function app artifact id: make_artifact From d9e5313e93922c9a7c366460ccecce41ab369691 Mon Sep 17 00:00:00 2001 
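Review bot: `key = io-functions-service-messages.identity.tfstate` is the same state key that `infra/identity/main.tf` uses in this commit, so the two root modules would share one state file and each apply would plan the other stack's resources for destruction; give this stack its own key, e.g. `key = "io-functions-service-messages.repository.tfstate"`. The four backend values are bare words rather than strings and will not parse — quote them. `version = ">= 3.96.0"` has no upper bound, so a provider major upgrade can be pulled in silently; prefer `version = "~> 3.96"`.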
From: Michael Disaro Date: Mon, 15 Apr 2024 15:18:00 +0200 Subject: [PATCH 23/41] fixed infra and workflows code --- .../{templates => }/composite_node_yarn.yml | 0 .github/workflows/deploy-func.yaml | 3 ++ .github/workflows/deploy.yaml | 47 +++++++++++-------- .github/workflows/release.yml | 38 --------------- infra/identity/data.tf | 3 -- infra/identity/locals.tf | 43 ++++------------- infra/identity/main.tf | 33 +++++++------ infra/identity/outputs.tf | 13 +---- infra/repository/data.tf | 5 -- infra/repository/github_environment_ci.tf | 18 ------- infra/repository/github_repository.tf | 4 +- infra/repository/identity_web_apps.tf | 18 ------- infra/repository/locals.tf | 39 +-------------- infra/repository/main.tf | 12 ++--- 14 files changed, 64 insertions(+), 212 deletions(-) rename .github/workflows/{templates => }/composite_node_yarn.yml (100%) delete mode 100644 .github/workflows/release.yml delete mode 100644 infra/identity/data.tf delete mode 100644 infra/repository/github_environment_ci.tf delete mode 100644 infra/repository/identity_web_apps.tf diff --git a/.github/workflows/templates/composite_node_yarn.yml b/.github/workflows/composite_node_yarn.yml similarity index 100% rename from .github/workflows/templates/composite_node_yarn.yml rename to .github/workflows/composite_node_yarn.yml diff --git a/.github/workflows/deploy-func.yaml b/.github/workflows/deploy-func.yaml index e70f204a..d6dd5946 100644 --- a/.github/workflows/deploy-func.yaml +++ b/.github/workflows/deploy-func.yaml @@ -11,4 +11,7 @@ jobs: uses: ./.github/workflows/deploy.yaml with: environment: prod + app_service_name: io-p-messages-sending-func + app_service_resource_group: io-p-service-messages-rg + healtcheck_path: /api/v1/info secrets: inherit \ No newline at end of file diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index e5ec0ec6..5dea9f73 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml 
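Review bot: `environment: prod` does not match the `prod-cd` environment that the Terraform in this series creates and that the identity federation subject is keyed on; if `deploy.yaml` forwards this input into the job's `environment:` (outside the visible hunk), the OIDC token will carry `environment:prod` and the Azure login will be rejected, or will succeed against an unmanaged, unprotected `prod` environment. Use `environment: prod-cd`, or whatever name the federated credential is bound to. The input `healtcheck_path` is misspelled; since it is the reusable workflow's interface, renaming later is a breaking change for callers — fix it now (`healthcheck_path`).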
@@ -4,6 +4,15 @@ on: environment: type: string required: true + app_service_name: + type: string + required: true + app_service_resource_group: + type: string + required: true + healtcheck_path: + type: string + required: true jobs: build: @@ -12,26 +21,24 @@ jobs: steps: - name: Checkout uses: actions/checkout@v3 - with: - fetch-depth: 2 - - name: Build functions - uses: "./.github/worflows/templates/composite_node_yarn.yml@main" + - name: Build app + uses: "./.github/worflows/composite_node_yarn.yml" - - name: Make the azure function app artifact + - name: Make the azure app artifact id: make_artifact run: | - zip -r io-functions-service-messages.zip . - echo "artifact-path=$(realpath io-functions-service-messages.zip)" >> "$GITHUB_OUTPUT" + zip -r app.zip . + echo "artifact-path=$(realpath app.zip)" >> "$GITHUB_OUTPUT" shell: bash - - name: Upload functions artifact + - name: Upload artifact uses: actions/upload-artifact@v3 with: path: ${{ steps.make_artifact.outputs.artifact-path }} deploy: - name: Deploy Function App + name: Deploy App if: ${{ !github.event.act }} needs: [build] runs-on: self-hosted 
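Review bot: `zip -r app.zip .` archives the whole checkout, including `.git/`, and because the preceding `actions/checkout@v3` keeps the default `persist-credentials: true` the job's token is written into `.git/config`; that token, plus the full history, ends up in the uploaded artifact and in the package deployed to the app. Exclude the VCS directory (`zip -r app.zip . -x '.git/*'`) and set `persist-credentials: false` on the checkout, or better zip only the build output directory. `actions/checkout@v3` and `actions/upload-artifact@v3` are referenced by mutable tags; pinning to commit SHAs is the usual hardening for a pipeline that ships a production package. The path `./.github/worflows/composite_node_yarn.yml` is also misspelled and will not resolve.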
@@ -42,26 +49,26 @@ jobs: contents: read steps: - - name: Download functions artifact + - name: Download artifact uses: actions/download-artifact@v3 - name: Login to Azure - uses: azure/login@v1 + uses: azure/login@v2 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ secrets.ARM_CLIENT_ID }} + tenant-id: ${{ secrets.ARM_TENANT_ID }} + subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }} - - name: Deploy Function App to Staging Slot + - name: Deploy App to Staging Slot uses: azure/webapps-deploy@v2 with: - resource-group-name: ${{ vars.AZURE_WEB_APP_RESOURCE_GROUP }} - app-name: ${{ vars.AZURE_WEB_APP_NAME }} + resource-group-name: ${{ inputs.app_service_resource_group }} + app-name: ${{ inputs.app_service_name }} slot-name: staging - package: io-functions-service-messages.zip + package: app.zip - name: Check Staging Health - run: curl --retry 5 --retry-max-time 120 --retry-all-errors -f 'https://${{ vars.AZURE_WEB_APP_NAME }}-staging.azurewebsites.net${{ vars.HEALTH_CHECK_PATH }}' + run: curl --retry 5 --retry-max-time 120 --retry-all-errors -f 'https://${{ inputs.app_service_name }}-staging.azurewebsites.net${{ inputs.healtcheck_path }}' - name: Swap Staging and Production Slots - run: az webapp deployment slot swap -g ${{ vars.AZURE_WEB_APP_RESOURCE_GROUP }} -n ${{ vars.AZURE_WEB_APP_NAME }} --slot staging --target-slot production \ No newline at end of file + run: az webapp deployment slot swap -g ${{ inputs.app_service_resource_group }} -n ${{ inputs.app_service_name }} --slot staging --target-slot production \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index af4ca7e0..00000000 --- a/.github/workflows/release.yml +++ /dev/null 
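Review bot: `${{ inputs.app_service_name }}`, `${{ inputs.app_service_resource_group }}` and `${{ inputs.healtcheck_path }}` are expanded directly into `run:` shell commands; interpolating expressions into a shell step is the standard GitHub Actions injection pattern, and although these inputs currently come from a same-repo caller, the reusable workflow cannot know that. Pass them through `env:` and reference them as quoted shell variables instead, as below. Also `actions/download-artifact@v3` with no `name:` downloads every artifact of the run, and the job runs on `self-hosted` (from the preceding hunk), so the deployable zip lands on a persistent runner — acceptable for a single-tenant runner, but worth a cleanup step after the swap.
```yaml
      - name: Check Staging Health
        env:
          APP_NAME: ${{ inputs.app_service_name }}
          HEALTH_PATH: ${{ inputs.healtcheck_path }}
        run: curl --retry 5 --retry-max-time 120 --retry-all-errors -f "https://${APP_NAME}-staging.azurewebsites.net${HEALTH_PATH}"

      - name: Swap Staging and Production Slots
        env:
          APP_NAME: ${{ inputs.app_service_name }}
          RESOURCE_GROUP: ${{ inputs.app_service_resource_group }}
        run: az webapp deployment slot swap -g "$RESOURCE_GROUP" -n "$APP_NAME" --slot staging --target-slot production
```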
@@ -1,38 +0,0 @@ -name: Release - -on: - release: - types: - - created - -jobs: - docker: - runs-on: ubuntu-latest - steps: - - - name: Checkout - id: checkout - uses: actions/checkout@v2 - with: - persist-credentials: false - - - name: Log in to the Container registry - id: docker_login - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build and push Docker image - id: docker_build_push - uses: docker/build-push-action@v3 - with: - context: . - push: true - tags: | - ghcr.io/${{ github.repository }}:latest - ghcr.io/${{ github.repository }}:${{ github.ref_name }} - labels: | - maintainer=https://pagopa.it - org.opencontainers.image.source=https://github.com/${{ github.repository }} diff --git a/infra/identity/data.tf b/infra/identity/data.tf deleted file mode 100644 index aae4af56..00000000 --- a/infra/identity/data.tf +++ /dev/null @@ -1,3 +0,0 @@ -data "github_team" "maintainers" { - slug = "io-communication-backend" -} diff --git a/infra/identity/locals.tf b/infra/identity/locals.tf index e55f327b..5c2e1a74 100644 --- a/infra/identity/locals.tf +++ b/infra/identity/locals.tf 
@@ -1,42 +1,15 @@ locals { prefix = "io" env_short = "p" - project = "${local.prefix}-${local.env_short}" - domain = "iocom" - repository = "io-functions-services-messages" - - resource_group_name = "${local.project}-service-messages-rg" - functions_app_name = "${local.project}-messages-sending-func" - - github_federations = tolist([ - { - repository = "io-functions-service-messages" - subject = "prod-cd" - } - ]) - - repo_secrets = { - "AZURE_SUBSCRIPTION_ID" = data.azurerm_client_config.current.subscription_id - "AZURE_TENANT_ID" = data.azurerm_client_config.current.tenant_id - } - - web_apps_environment_cd_roles = { - subscription = [] - resource_groups = { - "io-p-github-runner-rg" = [ - "Contributor", - ], - "io-p-service-messages-rg" = [ - "Contributor", - ] - } - } + domain = "functions-services-messages" + repository = "${locals.prefix}-${locals.domain}" tags = { - CreatedBy = "Terraform" - Environment = "Prod" - Owner = "IO" - Source = "https://github.com/pagopa/io-functions-service-messages" - CostCenter = "TS310 - PAGAMENTI & SERVIZI" + CreatedBy = "Terraform" + Environment = "Prod" + Owner = "IO" + Source = "https://github.com/pagopa/io-functions-service-messages/infra/identity" + CostCenter = "TS310 - PAGAMENTI & SERVIZI" + ManagementTeam = "IO Comunicazione" } } diff --git a/infra/identity/main.tf b/infra/identity/main.tf index a86fa49a..17cac11a 100644 --- a/infra/identity/main.tf +++ b/infra/identity/main.tf 
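Review bot: `repository = "${locals.prefix}-${locals.domain}"` uses `locals.` where Terraform requires `local.`, so this module does not plan, and `main.tf` in the same commit reads `local.repo_name` and `local.env`, neither of which is declared here. Rename to `repo_name = "${local.prefix}-${local.domain}"` and add `env = "prod"`. `domain = "functions-services-messages"` yields `io-functions-services-messages`, while the `Source` tag says `io-functions-service-messages`; since this value becomes the `repo:` subject of the federated identity, it must match the real repository name exactly.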
@@ -2,25 +2,17 @@ terraform { required_version = ">=1.6.0" required_providers { - azuread = { - source = "hashicorp/azuread" - version = "2.33.0" - } azurerm = { source = "hashicorp/azurerm" version = "<= 3.98" } - github = { - source = "integrations/github" - version = "5.39.0" - } } backend "azurerm" { - resource_group_name = terraform-state-rg - storage_account_name = tfappprodio - container_name = terraform-state - key = io-functions-service-messages.identity.tfstate + resource_group_name = "terraform-state-rg" + storage_account_name = "tfappprodio" + container_name = "terraform-state" + key = "io-functions-service-messages.identity.tfstate" } } @@ -28,10 +20,17 @@ provider "azurerm" { features {} } -provider "github" { - owner = "pagopa" -} +module "federated_identities" { + source = "github.com/dx//infra/modules/azure_federated_identity_with_github?ref=main" -data "azurerm_subscription" "current" {} + prefix = local.prefix + env_short = local.env_short + env = local.env + continuous_integration = { + enable = false + } + + repositories = [local.repo_name] -data "azurerm_client_config" "current" {} + tags = local.tags +} diff --git a/infra/identity/outputs.tf b/infra/identity/outputs.tf index 21265fb7..b84cfb94 100644 --- a/infra/identity/outputs.tf +++ b/infra/identity/outputs.tf @@ -1,14 +1,5 @@ -output "tenant_id" { - value = data.azurerm_client_config.current.tenant_id -} - -output "subscription_id" { - value = data.azurerm_subscription.current.subscription_id -} - -output "web_apps_managed_identities" { +output "functions_managed_identities" { value = { - app_name = module.web_apps_identity_cd.identity_app_name - client_id = module.web_apps_identity_cd.identity_client_id + app_name = module.federated_identities.federated_cd_identity.name } } diff --git a/infra/repository/data.tf b/infra/repository/data.tf index f64bbb44..bb89988d 100644 --- a/infra/repository/data.tf +++ b/infra/repository/data.tf 
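Review bot: `source = "github.com/dx//infra/modules/azure_federated_identity_with_github?ref=main"` pins a module that creates managed identities and Azure role assignments to a moving branch, so any push to that module's `main` changes what this stack grants at the next apply; pin `ref=` to a release tag or, better, a commit SHA. The path is also missing the organisation (`github.com/pagopa/dx//…`) and will not resolve as written. The module's inputs are not visible here; confirm that the federated credential it creates is subject-restricted (`environment:` or `ref:`), not a bare `repo:` subject, so that an arbitrary branch of the repository cannot assume the CD identity.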
@@ -1,8 +1,3 @@ -data "azurerm_user_assigned_identity" "identity_prod_ci" { - name = "${local.project}-github-ci-identity" - resource_group_name = local.identity_resource_group_name -} - data "azurerm_user_assigned_identity" "identity_prod_cd" { name = "${local.project}-github-cd-identity" resource_group_name = local.identity_resource_group_name diff --git a/infra/repository/github_environment_ci.tf b/infra/repository/github_environment_ci.tf deleted file mode 100644 index fc08e996..00000000 --- a/infra/repository/github_environment_ci.tf +++ /dev/null @@ -1,18 +0,0 @@ -resource "github_repository_environment" "github_repository_environment_prod_ci" { - environment = "prod-ci" - repository = github_repository.this.name - - deployment_branch_policy { - protected_branches = false - custom_branch_policies = true - } -} - -resource "github_actions_environment_secret" "env_prod_ci_secrets" { - for_each = local.ci.secrets - - repository = github_repository.this.name - environment = github_repository_environment.github_repository_environment_prod_ci.environment - secret_name = each.key - plaintext_value = each.value -} \ No newline at end of file diff --git a/infra/repository/github_repository.tf b/infra/repository/github_repository.tf index 0b1aa707..1a3745b8 100644 --- a/infra/repository/github_repository.tf +++ b/infra/repository/github_repository.tf @@ -1,6 +1,6 @@ resource "github_repository" "this" { name = local.repository - description = "Initial repository for DevEx activities." + description = "Manage functions for service messages" visibility = "public" @@ -19,7 +19,7 @@ resource "github_repository" "this" { has_issues = false has_downloads = false - topics = ["dx", "typescript"] + topics = ["service messages", "iocom", "manage functions"] vulnerability_alerts = true diff --git a/infra/repository/identity_web_apps.tf b/infra/repository/identity_web_apps.tf deleted file mode 100644 index e78efafd..00000000 
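Review bot: `topics = ["service messages", "iocom", "manage functions"]` contains spaces, which GitHub rejects for repository topics (lowercase letters, digits and hyphens only), so the apply will fail on this resource; use `topics = ["service-messages", "iocom", "manage-functions"]`. Deleting the `identity_prod_ci` data source and the `prod-ci` environment leaves the repository with no CI identity, which is fine only if no workflow runs `terraform plan` or other Azure reads from pull requests — confirm.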
--- a/infra/repository/identity_web_apps.tf +++ /dev/null @@ -1,18 +0,0 @@ -module "web_apps_identity_cd" { - source = "github.com/pagopa/terraform-azurerm-v3//github_federated_identity?ref=v7.34.2" - - prefix = local.prefix - env_short = local.env_short - domain = local.domain - - identity_role = "cd" - - github_federations = local.github_federations - - cd_rbac_roles = { - subscription_roles = locals.web_apps_environment_cd_roles.subscription - resource_groups = locals.web_apps_environment_cd_roles.resource_groups - } - - tags = locals.tags -} diff --git a/infra/repository/locals.tf b/infra/repository/locals.tf index dd591467..a2b568f2 100644 --- a/infra/repository/locals.tf +++ b/infra/repository/locals.tf 
@@ -2,54 +2,19 @@ locals { prefix = "io" env_short = "p" project = "${local.prefix}-${local.env_short}" - domain = "iocom" - repository = "io-functions-services-messages" + domain = "functions-services-messages" + repository = "${locals.prefix}-${locals.domain}" identity_resource_group_name = "${local.project}-identity-rg" - resource_group_name = "${local.project}-service-messages-rg" - functions_app_name = "${local.project}-messages-sending-func" - - github_federations = tolist([ - { - repository = "io-functions-service-messages" - subject = "prod-cd" - } - ]) repo_secrets = { "ARM_TENANT_ID" = data.azurerm_client_config.current.tenant_id, "ARM_SUBSCRIPTION_ID" = data.azurerm_subscription.current.id } - ci = { - secrets = { - "ARM_CLIENT_ID" = data.azurerm_user_assigned_identity.identity_prod_ci.client_id - } - } - cd = { secrets = { "ARM_CLIENT_ID" = data.azurerm_user_assigned_identity.identity_prod_cd.client_id } } - - web_apps_environment_cd_roles = { - subscription = [] - resource_groups = { - "io-p-github-runner-rg" = [ - "Contributor", - ], - "io-p-service-messages-rg" = [ - "Contributor", - ] - } - } - - tags = { - CreatedBy = "Terraform" - Environment = "Prod" - Owner = "IO" - Source = "https://github.com/pagopa/io-functions-service-messages" - CostCenter = "TS310 - PAGAMENTI & SERVIZI" -} } diff --git a/infra/repository/main.tf b/infra/repository/main.tf index 5e8a31e2..af7def67 100644 --- a/infra/repository/main.tf +++ b/infra/repository/main.tf @@ -13,10 +13,10 @@ terraform { } backend "azurerm" { - resource_group_name = terraform-state-rg - storage_account_name = tfappprodio - container_name = terraform-state - key = io-functions-service-messages.identity.tfstate + resource_group_name = "terraform-state-rg" + storage_account_name = "tfappprodio" + container_name = "terraform-state" + key = "io-functions-service-messages.repository.tfstate" } } 
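Review bot: `"ARM_SUBSCRIPTION_ID" = data.azurerm_subscription.current.id` is the full resource ID (`/subscriptions/<guid>`), not the GUID that `azure/login`'s `subscription-id` expects; use `data.azurerm_subscription.current.subscription_id`, as the identity stack's now-removed output did. `repository = "${locals.prefix}-${locals.domain}"` is an invalid reference (`local.`), and the same commit removes `data "azurerm_client_config" "current"` and `data "azurerm_subscription" "current"` from `main.tf` while they are still read here, so the plan fails on undeclared data sources. Keep the two data blocks (or move them into this file) and fix the reference.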
@@ -28,7 +28,3 @@ provider "azurerm" { provider "github" { owner = "pagopa" } - -data "azurerm_client_config" "current" {} - -data "azurerm_subscription" "current" {} From 61a125fa40db1f1f516c9e79d059ef9fe82962ab Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Mon, 15 Apr 2024 15:31:59 +0200 Subject: [PATCH 24/41] fixed with plans --- infra/identity/.terraform.lock.hcl | 22 ++++++++++++++++++++++ infra/identity/locals.tf | 9 +++++---- infra/identity/main.tf | 6 ++---- infra/repository/locals.tf | 10 +++++----- 4 files changed, 34 insertions(+), 13 deletions(-) create mode 100644 infra/identity/.terraform.lock.hcl diff --git a/infra/identity/.terraform.lock.hcl b/infra/identity/.terraform.lock.hcl new file mode 100644 index 00000000..14e5ed75 --- /dev/null +++ b/infra/identity/.terraform.lock.hcl 
@@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.97.1" + constraints = ">= 3.30.0, >= 3.86.0, <= 3.97.1, <= 3.98.0" + hashes = [ + "h1:LtwGbd4HEb5QCXmdxSvTjPSh8/Gp8eAQMYfiAKaubV4=", + "zh:15171efcc3aa3a37748c502c493cb16ecff603b81ada4499a843574976bac524", + "zh:2ca6c13a4a96f67763ecced0015c7b101ee02d54ea54b28a8df4ae06468071b1", + "zh:2e3c77dbfd8f760132ecef2d6117e939cbea26b96aba5e4d926e7f7f0f7afe72", + "zh:4bc346eece1622be93c73801d8256502b11fd7c2e7f7cea12d048bb9fc9fe900", + "zh:4f1042942ed8d0433680a367527289459d43b0894a51eaba83ac414e80d5187f", + "zh:63e674c31482ae3579ea84daf5b1ba066ce40cb23475f54e17b6b131320a1bec", + "zh:8327148766dcb7a174673729a832c8095d7e137d0e6c7e2a9a01da48b8b73fbe", + "zh:851b3ae417059a80c7813e7f0063298a590a42f056004f2c2558ea14061c207e", + "zh:ac081b48907139c121a422ae9b1f40fc72c6aaaeb05cbdbf848102a6a5f426f4", + "zh:dc1d663df2d95e4ba91070ceb20d3560b6ea5c465d39c57a5979319302643e41", + "zh:ed26457367cbbb94237e935d297cb31b5687f9abf697377da0ee46974480db9b", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/infra/identity/locals.tf b/infra/identity/locals.tf index 5c2e1a74..70ccb367 100644 --- a/infra/identity/locals.tf +++ b/infra/identity/locals.tf @@ -1,8 +1,9 @@ locals { - prefix = "io" - env_short = "p" - domain = "functions-services-messages" - repository = "${locals.prefix}-${locals.domain}" + prefix = "io" + env_short = "p" + env = "prod" + domain = "functions-services-messages" + repo_name = "${local.prefix}-${local.domain}" tags = { CreatedBy = "Terraform" diff --git a/infra/identity/main.tf b/infra/identity/main.tf index 17cac11a..f36ac4d2 100644 --- a/infra/identity/main.tf +++ b/infra/identity/main.tf 
@@ -21,14 +21,12 @@ provider "azurerm" { } module "federated_identities" { - source = "github.com/dx//infra/modules/azure_federated_identity_with_github?ref=main" + source = "github.com/pagopa/dx//infra/modules/azure_federated_identity_with_github?ref=main" prefix = local.prefix env_short = local.env_short env = local.env - continuous_integration = { - enable = false - } + domain = local.domain repositories = [local.repo_name] diff --git a/infra/repository/locals.tf b/infra/repository/locals.tf index a2b568f2..d43b3bde 100644 --- a/infra/repository/locals.tf +++ b/infra/repository/locals.tf @@ -1,9 +1,9 @@ locals { - prefix = "io" - env_short = "p" - project = "${local.prefix}-${local.env_short}" - domain = "functions-services-messages" - repository = "${locals.prefix}-${locals.domain}" + prefix = "io" + env_short = "p" + project = "${local.prefix}-${local.env_short}" + domain = "functions-services-messages" + repo_name = "${locals.prefix}-${locals.domain}" identity_resource_group_name = "${local.project}-identity-rg" From c5fbf219909ce72200efa0ac502df2c79e9b1b70 Mon Sep 17 00:00:00 2001 From: Andrea Grillo Date: Mon, 15 Apr 2024 15:35:36 +0200 Subject: [PATCH 25/41] update ouputs --- infra/identity/.terraform.lock.hcl | 3 +++ infra/identity/outputs.tf | 10 ++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/infra/identity/.terraform.lock.hcl b/infra/identity/.terraform.lock.hcl index 14e5ed75..0336d41e 100644 --- a/infra/identity/.terraform.lock.hcl +++ b/infra/identity/.terraform.lock.hcl 
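Review bot: `repo_name = "${locals.prefix}-${locals.domain}"` in `infra/repository/locals.tf` still uses `locals.` instead of `local.`, so despite the commit title this root module cannot have been planned as-is; change to `"${local.prefix}-${local.domain}"`. In `main.tf` the module source is now `github.com/pagopa/dx//…?ref=main` — the organisation is fixed but it is still a mutable branch for the module that creates the identities and role assignments; pin to a tag or commit SHA. Dropping `continuous_integration = { enable = false }` re-enables the CI identity that the repository stack stopped consuming a commit earlier; make sure that is intended and that it receives only reader-level roles.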
@@ -6,6 +6,9 @@ provider "registry.terraform.io/hashicorp/azurerm" { constraints = ">= 3.30.0, >= 3.86.0, <= 3.97.1, <= 3.98.0" hashes = [ "h1:LtwGbd4HEb5QCXmdxSvTjPSh8/Gp8eAQMYfiAKaubV4=", + "h1:klBuN2uVZF7AVMhskbbgF8pygyhPBxsjedB1GUV79PA=", + "h1:m5wyoRGjbVfJU2YaGZrN1lfGgjpyuwi7Ykw1uHdwlAg=", + "h1:vwYchGsh1TY+/GjUv6CUS6It2opnMYYYVt4GBvCmesY=", "zh:15171efcc3aa3a37748c502c493cb16ecff603b81ada4499a843574976bac524", "zh:2ca6c13a4a96f67763ecced0015c7b101ee02d54ea54b28a8df4ae06468071b1", "zh:2e3c77dbfd8f760132ecef2d6117e939cbea26b96aba5e4d926e7f7f0f7afe72", diff --git a/infra/identity/outputs.tf b/infra/identity/outputs.tf index b84cfb94..09b62db4 100644 --- a/infra/identity/outputs.tf +++ b/infra/identity/outputs.tf @@ -1,5 +1,11 @@ -output "functions_managed_identities" { +output "functions_managed_identity_ci" { value = { - app_name = module.federated_identities.federated_cd_identity.name + app_name = module.federated_identities.federated_ci_identity.name + } +} + +output "functions_managed_identity_cd" { + value = { + app_name = module.federated_identities.federated_cd_identity.name } } From b22f05bf4524ed89d4e8adb24fdb72c933402351 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Mon, 15 Apr 2024 15:53:25 +0200 Subject: [PATCH 26/41] fixed and applied --- .github/workflows/deploy.yaml | 2 +- infra/repository/.terraform.lock.hcl | 50 +++++++++++++++++++++++++ infra/repository/data.tf | 2 +- infra/repository/github_branch_rules.tf | 4 +- infra/repository/github_repository.tf | 4 +- infra/repository/locals.tf | 4 +- infra/repository/main.tf | 4 ++ 7 files changed, 63 insertions(+), 7 deletions(-) create mode 100644 infra/repository/.terraform.lock.hcl diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 5dea9f73..4b772583 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml 
@@ -23,7 +23,7 @@ jobs: uses: actions/checkout@v3 - name: Build app - uses: "./.github/worflows/composite_node_yarn.yml" + uses: "./.github/workflows/composite_node_yarn.yml" - name: Make the azure app artifact id: make_artifact diff --git a/infra/repository/.terraform.lock.hcl b/infra/repository/.terraform.lock.hcl new file mode 100644 index 00000000..fd2fbf71 --- /dev/null +++ b/infra/repository/.terraform.lock.hcl 
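Review bot: `uses: "./.github/workflows/composite_node_yarn.yml"` points at a file, but a local `uses:` must reference a directory containing `action.yml`/`action.yaml`; if `composite_node_yarn.yml` is a composite action it should live at e.g. `.github/actions/composite_node_yarn/action.yml` and be referenced as `uses: ./.github/actions/composite_node_yarn`. The surrounding `actions/checkout@v3` is pinned by tag; for a workflow that ships a production package, pinning third-party actions to commit SHAs is the usual supply-chain hardening.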
@@ -0,0 +1,50 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.99.0" + constraints = ">= 3.96.0" + hashes = [ + "h1:1+d7Ciq/7GN4hY/+VshO2p4uOlUqHH6WpK2Zu4YocqE=", + "h1:b24Yw8/EneYHRV3aPoVexmw0Eo252ur30tN+sPajzXk=", + "h1:dawmYJUMGlL3t1mKDyaLJc08uSxPaUBoCAb/YCbVxPM=", + "h1:yHNaEhlR3kqlItAXFLWlIH2xxu4i7r2XzQnS04f/qBo=", + "zh:20581c1f4c586a37af45ed4c2a86ff4d868cee79139a755bd29750d804cee3ef", + "zh:28b3cc4e5f8bc65a595eab011d5965203a39e92aa9e26df842ffc979305ac823", + "zh:4cb167f8bb82f9065b7b50d012be3045fce3c699b0ea0e257ad1995441227f72", + "zh:6fa5c6fa430921a4e0fe8d44eaf12210fb90afdf3f83cedfde1c691ae36e953c", + "zh:75eff5b0ea9fca46ed5a0425c5e33fbda470e6448917817e80ae898688568665", + "zh:9af0aeaa74bfc764c60eec7d212d31deb70e03e970d22449f11170f75108f9cf", + "zh:b5055767199a2927d41b543a16e905c1e0b209f14a2144c756786194e133b41d", + "zh:c3e30b0eed068a148498ac78a9e013bc2eef0eb3cc3b4484f77421d64a797dc2", + "zh:ce87cd35cef9e5805f921978a91a7a4e139e8cbc7674a94076cb1a20a0c2feb1", + "zh:d87b84f144c865145bd10093ead99b653ea363fd4e7315675727659ca78544d0", + "zh:ee5900a50d69e046aab6581f6d888014b3f8d543e5b17c50761579d3370935f2", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/integrations/github" { + version = "6.1.0" + constraints = "6.1.0" + hashes = [ + "h1:0BC1bA6irof4GXsbOCltW2f18OB/vp3kYhQ598IvOu0=", + "h1:LZeec2qr5cNz6MIVrQArl11E1hRnEdzkS7JUrc/8cus=", + "h1:MWD2GsKJ92kgyegYPGPjQKM0SqFaFbvOibMfDQdJsP0=", + "h1:Z1C0pLLJQF2fit8PKwc1e5Vm64q73RpayCmkDSMihqw=", + "zh:03c2a7d7fa334b5abb1ea4962bb2ffabfff96ec883b1a62445fe724d4a541313", + "zh:144f77865c87843635a3f6a0d52530ab3a6270b04dfa2da744a9fc0003b64900", + "zh:4cfa42e679be22e516b8e0294688d6cfc896c0e1456387fd9d10d09d84e99c6d", + "zh:5ff9e90b7bc9008f5b7fb0d9ef0c7c67eb8fb29439309620de1b0b1810b3e7f9", + 
"zh:7bfe85fcbef2b4b6ff5eff8bc82a590f2471e71297207616014c852e7385921b", + "zh:a105ec4828973821a9618c0e058f5a597de014edf7aa64d97b7f4fc528abbc36", + "zh:a495c5b3bc6ce3d6261e9d1ba7f285e7e463b5f6ad15e533d5b7037ab985530f", + "zh:a4d7e43b7b59f41022e9137115440df46aa9de62a187ae4a35fb9fc388fca4c3", + "zh:a75ab20f5032e2ebcfe288e06d0f4f8eafd8fed569be7ac7c384e55c294ada43", + "zh:cb6e9cde411355ad477a60fecb8ed9b665d8475761949e03aceed57851842385", + "zh:d833d63b5374841e667647fde74d2388d1249a097a633b4bba20ad175b7db681", + "zh:e4e5aab1a6e37fb8220621673384b62a3f2693ca1052487eb4ca38426a40bc8b", + "zh:f06a84ddf6723e880997c0f773b500b3fabcecb1230d9ed2d93943700802c876", + "zh:f9695f2ceddfc243834a10bd91cfb8aa1b0e7cdb9eee14d17d49b4f439440b86", + ] +} diff --git a/infra/repository/data.tf b/infra/repository/data.tf index bb89988d..2220bb12 100644 --- a/infra/repository/data.tf +++ b/infra/repository/data.tf @@ -1,4 +1,4 @@ data "azurerm_user_assigned_identity" "identity_prod_cd" { - name = "${local.project}-github-cd-identity" + name = local.identity_cd_name resource_group_name = local.identity_resource_group_name } \ No newline at end of file diff --git a/infra/repository/github_branch_rules.tf b/infra/repository/github_branch_rules.tf index ca44edb8..e6bfee9c 100644 --- a/infra/repository/github_branch_rules.tf +++ b/infra/repository/github_branch_rules.tf @@ -1,11 +1,11 @@ resource "github_branch_default" "default_main" { repository = github_repository.this.name - branch = "main" + branch = "master" } resource "github_branch_protection" "protection_main" { repository_id = github_repository.this.name - pattern = "main" + pattern = "master" required_status_checks { strict = false diff --git a/infra/repository/github_repository.tf b/infra/repository/github_repository.tf index 1a3745b8..b1eb94d7 100644 --- a/infra/repository/github_repository.tf +++ b/infra/repository/github_repository.tf 
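Review bot: Switching `github_branch_default` and the protection `pattern` to `master` leaves the rest of this series referring to `main` — the `Source` tag added to infra/github-runner/locals.tf later in the series still points at `tree/main/infra/github-runner`, and any workflow `push.branches` filter on `main` would stop matching — so one side of that needs reconciling before this is applied. `github_branch_default` presumably also requires the `master` branch to already exist on the remote, so the rename itself is a manual precondition worth stating in a comment above the resource. The `github_branch_protection` resource continues outside the hunk, so the status-check and review rules it enforces on the renamed branch are not visible here.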
@@ -1,5 +1,5 @@ resource "github_repository" "this" { - name = local.repository + name = local.repo_name description = "Manage functions for service messages" visibility = "public" @@ -19,7 +19,7 @@ resource "github_repository" "this" { has_issues = false has_downloads = false - topics = ["service messages", "iocom", "manage functions"] + topics = ["service-messages", "iocom", "manage-functions"] vulnerability_alerts = true diff --git a/infra/repository/locals.tf b/infra/repository/locals.tf index d43b3bde..dd15b8d1 100644 --- a/infra/repository/locals.tf +++ b/infra/repository/locals.tf @@ -3,7 +3,9 @@ locals { env_short = "p" project = "${local.prefix}-${local.env_short}" domain = "functions-services-messages" - repo_name = "${locals.prefix}-${locals.domain}" + repo_name = "${local.prefix}-${local.domain}" + + identity_cd_name = "${local.project}-${local.domain}-github-cd-identity" identity_resource_group_name = "${local.project}-identity-rg" diff --git a/infra/repository/main.tf b/infra/repository/main.tf index af7def67..b4c5bc38 100644 --- a/infra/repository/main.tf +++ b/infra/repository/main.tf @@ -28,3 +28,7 @@ provider "azurerm" { provider "github" { owner = "pagopa" } + +data "azurerm_client_config" "current" {} + +data "azurerm_subscription" "current" {} From 45426e30fe513ffe80e385929aa0455f4fde2ee0 Mon Sep 17 00:00:00 2001 From: Andrea Grillo Date: Mon, 15 Apr 2024 15:57:27 +0200 Subject: [PATCH 27/41] agents --- .github/workflows/deploy.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 4b772583..43269537 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -17,7 +17,7 @@ on: jobs: build: name: Build - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 steps: - name: Checkout uses: actions/checkout@v3 
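Review bot: The two `data` sources appended to infra/repository/main.tf are not referenced by any file touched in this patch, so as committed they only add two metadata reads against the subscription on every plan; if they are groundwork for a later change, a one-line comment naming the consumer (`# used by <resource> for tenant/subscription ids`) would make that clear, otherwise they can be dropped. Placing them beside the `provider` blocks rather than in data.tf, which this same patch edits for `azurerm_user_assigned_identity`, is a point of style worth aligning so all lookups live in one file.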
@@ -41,7 +41,7 @@ jobs: name: Deploy App if: ${{ !github.event.act }} needs: [build] - runs-on: self-hosted + runs-on: ubuntu-20.04 environment: ${{ inputs.environment }}-cd permissions: From a272dae28564453def3be562d54d1804cc9de518 Mon Sep 17 00:00:00 2001 From: Andrea Grillo Date: Mon, 15 Apr 2024 16:04:05 +0200 Subject: [PATCH 28/41] rename things --- .github/workflows/{composite_node_yarn.yml => action.yml} | 0 .github/workflows/deploy-func.yaml | 4 +++- .github/workflows/deploy.yaml | 7 +++++-- 3 files changed, 8 insertions(+), 3 deletions(-) rename .github/workflows/{composite_node_yarn.yml => action.yml} (100%) diff --git a/.github/workflows/composite_node_yarn.yml b/.github/workflows/action.yml similarity index 100% rename from .github/workflows/composite_node_yarn.yml rename to .github/workflows/action.yml diff --git a/.github/workflows/deploy-func.yaml b/.github/workflows/deploy-func.yaml index d6dd5946..e50207b3 100644 --- a/.github/workflows/deploy-func.yaml +++ b/.github/workflows/deploy-func.yaml @@ -1,11 +1,13 @@ name: functions-service-messages Release on: + workflow_dispatch: + push: branches: - "iocom-1221" - workflow_dispatch: jobs: + deploy_workspace_to_azure: name: Deploy uses: ./.github/workflows/deploy.yaml diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 43269537..c40ebdc1 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -23,7 +23,7 @@ jobs: uses: actions/checkout@v3 - name: Build app - uses: "./.github/workflows/composite_node_yarn.yml" + uses: "./.github/workflows/action.yml" - name: Make the azure app artifact id: make_artifact @@ -43,10 +43,13 @@ jobs: needs: [build] runs-on: ubuntu-20.04 environment: ${{ inputs.environment }}-cd - permissions: id-token: write contents: read + env: + ARM_USE_OIDC: true + ARM_USE_AZUREAD: true + ARM_STORAGE_USE_AZUREAD: true steps: - name: Download artifact From f6c72d6d94ff47141b24c93eec95dae16acc892b Mon Sep 17 00:00:00 2001 
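Review bot: The three `ARM_*` values in the new `env` block are written as YAML booleans; GitHub coerces workflow `env` values to strings, so they arrive as `true`, but quoting them (`ARM_USE_OIDC: "true"`) states the intent and matches how the rest of this file quotes scalars. These are the variables the Terraform azurerm provider reads to authenticate with the job's federated token, which pairs correctly with the `id-token: write` permission above, yet none of the steps visible in this series appear to run Terraform in the deploy job — confirm something in the job actually consumes them rather than carrying unused environment. The `deploy` job's steps continue outside the hunk.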
From: Andrea Grillo Date: Mon, 15 Apr 2024 16:24:51 +0200 Subject: [PATCH 29/41] update paths --- .github/{workflows => actions/node-yarn}/action.yml | 0 .github/workflows/deploy.yaml | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) rename .github/{workflows => actions/node-yarn}/action.yml (100%) diff --git a/.github/workflows/action.yml b/.github/actions/node-yarn/action.yml similarity index 100% rename from .github/workflows/action.yml rename to .github/actions/node-yarn/action.yml diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index c40ebdc1..ea5f3e0e 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -20,10 +20,10 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: Build app - uses: "./.github/workflows/action.yml" + uses: ./.github/actions/node-yarn/action.yml - name: Make the azure app artifact id: make_artifact From 7ef19dcc0ff0694dae65128b0746bc01c4a45429 Mon Sep 17 00:00:00 2001 From: Andrea Grillo Date: Mon, 15 Apr 2024 16:26:04 +0200 Subject: [PATCH 30/41] fix path --- .github/workflows/deploy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index ea5f3e0e..b6a51592 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -23,7 +23,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - name: Build app - uses: ./.github/actions/node-yarn/action.yml + uses: ./.github/actions/node-yarn - name: Make the azure app artifact id: make_artifact From 2455cb3f6fc4f503c1191eda5c5448d51e923635 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Mon, 15 Apr 2024 16:45:37 +0200 Subject: [PATCH 31/41] fixed download name --- .github/workflows/deploy.yaml | 2 ++ 1 file changed, 2 insertions(+) 
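Review bot: Pinning `actions/checkout` to a full commit SHA is the right supply-chain posture, but it is now the only pinned action in this workflow — `azure/login@v2`, `actions/upload-artifact@v3` and `actions/download-artifact@v3` in the other hunks of this series still resolve a mutable tag at run time — so the protection is partial until they get the same treatment. Record the tag the SHA was taken from as a trailing comment so reviewers and dependency tooling can track it: `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # <release tag this SHA resolves to>`. The build job's remaining steps are outside the hunk.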
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index b6a51592..7ff931ed 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -54,6 +54,8 @@ jobs: steps: - name: Download artifact uses: actions/download-artifact@v3 + with: + name: app.zip - name: Login to Azure uses: azure/login@v2 From e0164c7aacea3cfa688bb2b5f9075c0ecf1a03f7 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Mon, 15 Apr 2024 16:52:22 +0200 Subject: [PATCH 32/41] changed artifact path --- .github/workflows/deploy.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 7ff931ed..9195b743 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -55,7 +55,7 @@ jobs: - name: Download artifact uses: actions/download-artifact@v3 with: - name: app.zip + path: ./app.zip - name: Login to Azure uses: azure/login@v2 @@ -70,7 +70,7 @@ jobs: resource-group-name: ${{ inputs.app_service_resource_group }} app-name: ${{ inputs.app_service_name }} slot-name: staging - package: app.zip + package: ./app.zip - name: Check Staging Health run: curl --retry 5 --retry-max-time 120 --retry-all-errors -f 'https://${{ inputs.app_service_name }}-staging.azurewebsites.net${{ inputs.healtcheck_path }}' From 01f2bb9a6a78b460a03736608f7762b6fa8fd973 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Mon, 15 Apr 2024 17:05:10 +0200 Subject: [PATCH 33/41] try fix upload --- .github/workflows/deploy.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 9195b743..f9b985e5 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -35,6 +35,7 @@ jobs: - name: Upload artifact uses: actions/upload-artifact@v3 with: + name: app.zip path: ${{ steps.make_artifact.outputs.artifact-path }} deploy: 
@@ -54,9 +55,7 @@ jobs: steps: - name: Download artifact uses: actions/download-artifact@v3 - with: - path: ./app.zip - + - name: Login to Azure uses: azure/login@v2 with: @@ -70,7 +69,7 @@ jobs: resource-group-name: ${{ inputs.app_service_resource_group }} app-name: ${{ inputs.app_service_name }} slot-name: staging - package: ./app.zip + package: app.zip - name: Check Staging Health run: curl --retry 5 --retry-max-time 120 --retry-all-errors -f 'https://${{ inputs.app_service_name }}-staging.azurewebsites.net${{ inputs.healtcheck_path }}' From 6fd936754f36341e1096eeb350a04c57ded5f8c0 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Mon, 15 Apr 2024 17:11:27 +0200 Subject: [PATCH 34/41] try to fix download name --- .github/workflows/deploy.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index f9b985e5..703bb821 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -55,6 +55,8 @@ jobs: steps: - name: Download artifact uses: actions/download-artifact@v3 + with: + name: app.zip - name: Login to Azure uses: azure/login@v2 From 246ed4162fc52c14e558ed556858ef49af7cbddf Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Mon, 15 Apr 2024 17:20:59 +0200 Subject: [PATCH 35/41] fixed healthcheck path --- Info/function.json | 2 +- Info/index.ts | 2 +- openapi/index.yaml | 12 ------------ openapi/index_internal.yaml.template | 12 ------------ 4 files changed, 2 insertions(+), 26 deletions(-) diff --git a/Info/function.json b/Info/function.json index fafefb7e..34df31b9 100644 --- a/Info/function.json +++ b/Info/function.json @@ -5,7 +5,7 @@ "type": "httpTrigger", "direction": "in", "name": "req", - "route": "ready", + "route": "v1/info", "methods": [ "get" ] diff --git a/Info/index.ts b/Info/index.ts index d288769f..40049b64 100644 --- a/Info/index.ts +++ b/Info/index.ts 
@@ -11,7 +11,7 @@ const app = express(); secureExpressApp(app); // Add express route -app.get("/api/ready", Info(cosmosdbClient)); +app.get("/api/v1/info", Info(cosmosdbClient)); const azureFunctionHandler = createAzureFunctionHandler(app); diff --git a/openapi/index.yaml b/openapi/index.yaml index ae20d7fa..820ab6e7 100644 --- a/openapi/index.yaml +++ b/openapi/index.yaml @@ -16,18 +16,6 @@ schemes: security: - SubscriptionKey: [] paths: - /ping: - get: - operationId: pingOperation - summary: Ping - description: Returns function's package name and version - tags: - - restricted - responses: - '200': - description: Success. - '500': - description: Internal Server error /notify: post: operationId: notify diff --git a/openapi/index_internal.yaml.template b/openapi/index_internal.yaml.template index dad76120..03a2c1d5 100644 --- a/openapi/index_internal.yaml.template +++ b/openapi/index_internal.yaml.template @@ -17,18 +17,6 @@ schemes: security: - SubscriptionKey: [] paths: - /ping: - get: - operationId: pingOperation - summary: Ping - description: Returns function's package name and version - tags: - - restricted - responses: - '200': - description: Success. - '500': - description: Internal Server error /notify: post: operationId: notify From 00d18e57ccc50362ffd27f0d0ad141aa803d7268 Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Mon, 15 Apr 2024 17:31:38 +0200 Subject: [PATCH 36/41] fixed curl option --- .github/workflows/deploy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 703bb821..612aa943 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml 
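Review bot: Deleting `/ping` from openapi/index.yaml (and the identical block in openapi/index_internal.yaml.template) removes the only documented health endpoint, while the replacement route this patch introduces in Info/function.json, `v1/info`, is not added to either spec, so the published API description no longer covers the path the deploy workflow probes. Either add the new operation with the same `200`/`500` responses — whether it is `/info` or `/v1/info` depends on how the host's route prefix composes with the function route, which is not visible here — or note in the spec why the health route is intentionally undocumented. The `paths` mapping continues outside the hunk.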
@@ -74,7 +74,7 @@ jobs: package: app.zip - name: Check Staging Health - run: curl --retry 5 --retry-max-time 120 --retry-all-errors -f 'https://${{ inputs.app_service_name }}-staging.azurewebsites.net${{ inputs.healtcheck_path }}' + run: curl --retry 5 --retry-max-time 120 -f 'https://${{ inputs.app_service_name }}-staging.azurewebsites.net${{ inputs.healtcheck_path }}' - name: Swap Staging and Production Slots run: az webapp deployment slot swap -g ${{ inputs.app_service_resource_group }} -n ${{ inputs.app_service_name }} --slot staging --target-slot production \ No newline at end of file From 51cc5fba842ec5458159a6f081666b243698488a Mon Sep 17 00:00:00 2001 From: Andrea Grillo Date: Mon, 15 Apr 2024 18:46:59 +0200 Subject: [PATCH 37/41] add private runner --- infra/github-runner/.terraform.lock.hcl | 48 +++++++++++++++++++ .../github-runner/container_app_job_runner.tf | 25 ++++++++++ infra/github-runner/data.tf | 9 ++++ infra/github-runner/locals.tf | 25 ++++++++++ infra/github-runner/main.tf | 19 ++++++++ 5 files changed, 126 insertions(+) create mode 100644 infra/github-runner/.terraform.lock.hcl create mode 100644 infra/github-runner/container_app_job_runner.tf create mode 100644 infra/github-runner/data.tf create mode 100644 infra/github-runner/locals.tf create mode 100644 infra/github-runner/main.tf diff --git a/infra/github-runner/.terraform.lock.hcl b/infra/github-runner/.terraform.lock.hcl new file mode 100644 index 00000000..a5748633 --- /dev/null +++ b/infra/github-runner/.terraform.lock.hcl 
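Review bot: Dropping `--retry-all-errors` changes what the health gate tolerates: `--retry` alone retries only transient conditions (timeouts and 5xx such as a 503 from a slot still warming) and does not retry connection refusals or 4xx, so if the staging slot is briefly unreachable rather than slow the step fails on the first attempt and the swap is skipped; if the flag was removed because the runner's curl predates it, `--retry-connrefused` covers the common cold-start case and is available on older releases. Separately, `inputs.app_service_name` and `inputs.healtcheck_path` are interpolated straight into the `run:` shell line; the standard hardening is to pass them through `env:` and reference `"$APP_NAME"` / `"$HEALTHCHECK_PATH"` so a quote character in an input can never reshape the command. The `healtcheck_path` spelling is pre-existing, not introduced here.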
@@ -0,0 +1,48 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/azure/azapi" { + version = "1.12.1" + constraints = "<= 1.12.1" + hashes = [ + "h1:4uNzgEfL4VJ48QYAKM4A/E+HWyx7roO58xmR3R2WNh0=", + "h1:EaQL7pQCRm5iL2zy/dG7rOe2OZ0ZypuyVnpQAiAwJmM=", + "h1:Gv1HwQMV7+3ctMPr1nKmOhEGu+UWb6FlQmrgaHxknJ4=", + "h1:H9n5gOhlN5GT5WIhasUbxIONS/6BfRP9ES1oQop2wxk=", + "zh:1cf52e685ceb04e73e13fbf3f3036bff23a3274a4ceda8693c0612076a588166", + "zh:321b59c2a67c6cb4e5cf0dbe2cc978f5389d781e8b391f9b75bf4d830abd2ffe", + "zh:49046bd8020c3b44c6b5dc67041f181e4fff45e3bc1a9ff0646dd20c21c8ce47", + "zh:5784d0c326ec4825571577bc39b253019bd3b1030c19d67ca3436df2d7ba01c8", + "zh:5ad7e18d26f170c01888d8e65dab7aa475089aac7bf0106526fd57cdd56533bc", + "zh:6695854f4f655673bea85e37444bf0c070b440dba4bc269aa144d0f6b7c1cc5f", + "zh:7f372c897da6b9ad90869a8eb85b37dad4dff2d5d311b3eca1a2e6373e2271ed", + "zh:8afa1a2be1dada4e8be4ab72d9d56f36af1e486c9353d04aabf6e79db7310125", + "zh:90809364619238c45185bff25c7d9c4fde34253561d8183ebbe797456c44bc9c", + "zh:9338d44650c9e68e10a6bc2d69f7beacd5059e6ac681d2e388e80a1652d9c183", + "zh:c94ee6fb1df2c1d35f338107b5e73cdba86c4ecf9dcde95e2ca0132cbbd4bd7c", + "zh:de231d363b1a664c6b5d3af8d3b9cf542d04d4506fb9458ba6c8ebf94e0e32ae", + ] +} + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.97.1" + constraints = ">= 3.50.0, <= 3.97.1, <= 3.98.0" + hashes = [ + "h1:LtwGbd4HEb5QCXmdxSvTjPSh8/Gp8eAQMYfiAKaubV4=", + "h1:klBuN2uVZF7AVMhskbbgF8pygyhPBxsjedB1GUV79PA=", + "h1:m5wyoRGjbVfJU2YaGZrN1lfGgjpyuwi7Ykw1uHdwlAg=", + "h1:vwYchGsh1TY+/GjUv6CUS6It2opnMYYYVt4GBvCmesY=", + "zh:15171efcc3aa3a37748c502c493cb16ecff603b81ada4499a843574976bac524", + "zh:2ca6c13a4a96f67763ecced0015c7b101ee02d54ea54b28a8df4ae06468071b1", + "zh:2e3c77dbfd8f760132ecef2d6117e939cbea26b96aba5e4d926e7f7f0f7afe72", + "zh:4bc346eece1622be93c73801d8256502b11fd7c2e7f7cea12d048bb9fc9fe900", + 
"zh:4f1042942ed8d0433680a367527289459d43b0894a51eaba83ac414e80d5187f", + "zh:63e674c31482ae3579ea84daf5b1ba066ce40cb23475f54e17b6b131320a1bec", + "zh:8327148766dcb7a174673729a832c8095d7e137d0e6c7e2a9a01da48b8b73fbe", + "zh:851b3ae417059a80c7813e7f0063298a590a42f056004f2c2558ea14061c207e", + "zh:ac081b48907139c121a422ae9b1f40fc72c6aaaeb05cbdbf848102a6a5f426f4", + "zh:dc1d663df2d95e4ba91070ceb20d3560b6ea5c465d39c57a5979319302643e41", + "zh:ed26457367cbbb94237e935d297cb31b5687f9abf697377da0ee46974480db9b", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/infra/github-runner/container_app_job_runner.tf b/infra/github-runner/container_app_job_runner.tf new file mode 100644 index 00000000..315c30e0 --- /dev/null +++ b/infra/github-runner/container_app_job_runner.tf @@ -0,0 +1,25 @@ +module "container_app_job" { + source = "github.com/pagopa/terraform-azurerm-v3//container_app_job_gh_runner?ref=v7.76.0" + + location = local.location + prefix = local.prefix + env_short = local.env_short + + key_vault = { + resource_group_name = data.azurerm_key_vault.key_vault_common.resource_group_name + name = data.azurerm_key_vault.key_vault_common.name + secret_name = "github-runner-pat" + } + + environment = { + name = data.azurerm_container_app_environment.container_app_environment_runner.name + resource_group_name = data.azurerm_container_app_environment.container_app_environment_runner.resource_group_name + } + + job = { + name = "service-messages" + repo = "io-functions-service-messages" + } + + tags = local.tags +} diff --git a/infra/github-runner/data.tf b/infra/github-runner/data.tf new file mode 100644 index 00000000..22ce5dc8 --- /dev/null +++ b/infra/github-runner/data.tf 
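Review bot: The module `source` is pinned by the `v7.76.0` tag, which a tag push can silently repoint; for a module that registers a GitHub runner holding a PAT, pinning to the commit the tag resolves to (`?ref=<commit sha>`) is the stronger choice. `key_vault.secret_name = "github-runner-pat"` makes the runner's registration authority a PAT kept in the common vault, so confirm it is scoped to the single repository named in `job.repo` with only the permissions runner registration needs and that its expiry is tracked, since whoever can read that secret can register runners for the repo. A `# rotate: <cadence>; scope: <repo>` comment next to `secret_name` would make that operational expectation visible in the code.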
@@ -0,0 +1,9 @@ +data "azurerm_key_vault" "key_vault_common" { + name = local.key_vault_common.name + resource_group_name = local.key_vault_common.resource_group_name +} + +data "azurerm_container_app_environment" "container_app_environment_runner" { + name = local.container_app_environment.name + resource_group_name = local.container_app_environment.resource_group_name +} diff --git a/infra/github-runner/locals.tf b/infra/github-runner/locals.tf new file mode 100644 index 00000000..aa5247f9 --- /dev/null +++ b/infra/github-runner/locals.tf @@ -0,0 +1,25 @@ +locals { + location = "westeurope" + prefix = "io" + env_short = "p" + project = "${local.prefix}-${local.env_short}" + + key_vault_common = { + name = "${local.project}-kv-common" + resource_group_name = "${local.project}-rg-common" + } + + container_app_environment = { + name = "${local.project}-github-runner-cae" + resource_group_name = "${local.project}-github-runner-rg" + } + + tags = { + CostCenter = "TS310 - PAGAMENTI & SERVIZI" + CreatedBy = "Terraform" + Environment = "Prod" + Owner = "IO" + ManagementTeam = "IO Comunicazione" + Source = "https://github.com/pagopa/io-functions-service-messages/tree/main/infra/github-runner" + } +} diff --git a/infra/github-runner/main.tf b/infra/github-runner/main.tf new file mode 100644 index 00000000..7265c96a --- /dev/null +++ b/infra/github-runner/main.tf @@ -0,0 +1,19 @@ +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "<= 3.98.0" + } + } + + backend "azurerm" { + resource_group_name = "terraform-state-rg" + storage_account_name = "tfappprodio" + container_name = "terraform-state" + key = "io-functions-service-messages.github-runner.tfstate" + } +} + +provider "azurerm" { + features {} +} From 9da8ac4ae9f7c65d24efb25be4ad50aff4ed71bd Mon Sep 17 00:00:00 2001 
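Review bot: The `Source` tag URL hard-codes both the branch (`tree/main`) and the repository name `io-functions-service-messages`, and both are contradicted elsewhere in this series — the repository module in patch 26 makes `master` the default branch, and the later typo fix in container_app_job_runner.tf spells the repo `io-functions-services-messages` — so the tag will point at a non-existent path under at least one of those outcomes. Whichever spelling is canonical, derive it from a single local (`repo_name = "<canonical repo name>"`) and use it in both this tag and `job.repo` so they cannot drift. The `locals` block ends within the hunk.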
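Review bot: `required_providers` in infra/github-runner/main.tf declares only `azurerm`, yet the lock file committed in the same patch records `azure/azapi` at `1.12.1` — presumably a transitive requirement of the runner module — so the root module's provider set is incomplete and `terraform init` is resolving azapi implicitly; declaring it with an explicit constraint keeps that upgrade deliberate. The azurerm constraint `<= 3.98.0` has no lower bound and admits any historical release; pair it with a minimum matching the module's own `>= 3.50.0` recorded in the lock, e.g. `version = ">= 3.50.0, <= 3.98.0"`. The backend block is fine as written.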
From: Andrea Grillo Date: Mon, 15 Apr 2024 18:47:30 +0200 Subject: [PATCH 38/41] switch back to self hosted agent --- .github/workflows/deploy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 612aa943..b110a374 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -42,7 +42,7 @@ jobs: name: Deploy App if: ${{ !github.event.act }} needs: [build] - runs-on: ubuntu-20.04 + runs-on: self-hosted environment: ${{ inputs.environment }}-cd permissions: id-token: write From ac5e01065f9c1e7cfe800cbeab548068678c3bbd Mon Sep 17 00:00:00 2001 From: Andrea Grillo Date: Tue, 16 Apr 2024 10:16:30 +0200 Subject: [PATCH 39/41] fix typos --- infra/github-runner/container_app_job_runner.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra/github-runner/container_app_job_runner.tf b/infra/github-runner/container_app_job_runner.tf index 315c30e0..1724d083 100644 --- a/infra/github-runner/container_app_job_runner.tf +++ b/infra/github-runner/container_app_job_runner.tf @@ -17,8 +17,8 @@ module "container_app_job" { } job = { - name = "service-messages" - repo = "io-functions-service-messages" + name = "f-services-messages" + repo = "io-functions-services-messages" } tags = local.tags From a80e3a0ea39f26d13a6ec8ac7fdcccb0c9f63aaf Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Tue, 16 Apr 2024 10:31:22 +0200 Subject: [PATCH 40/41] updated versions --- .github/actions/node-yarn/action.yml | 2 +- .github/workflows/deploy.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/node-yarn/action.yml b/.github/actions/node-yarn/action.yml index 5ebe155f..8c9ae302 100644 --- a/.github/actions/node-yarn/action.yml +++ b/.github/actions/node-yarn/action.yml 
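Review bot: Returning the deploy job to `runs-on: self-hosted` on a repository this series declares `visibility = "public"` (infra/repository/github_repository.tf) needs an explicit boundary: GitHub advises against self-hosted runners for public repositories because fork-triggered workflows could be scheduled onto them, so the only things keeping this job contained are that its caller is `workflow_dispatch`-only and that the `${{ inputs.environment }}-cd` environment gates it — confirm the environment enforces required reviewers or deployment-branch rules. Prefer a dedicated label over the bare `self-hosted` group (`runs-on: [self-hosted, <runner label>]`) so the job cannot land on an unrelated runner registered to the organisation, and confirm the container-app runner from patch 37 is ephemeral so nothing from this deploy persists into the next job. The `deploy` job's permissions and steps continue outside the hunk.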
@@ -5,7 +5,7 @@ runs: using: "composite" steps: - name: Setup Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version-file: ".node-version" cache: "yarn" diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index b110a374..eb8d97b5 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -33,7 +33,7 @@ jobs: shell: bash - name: Upload artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: app.zip path: ${{ steps.make_artifact.outputs.artifact-path }} @@ -54,7 +54,7 @@ jobs: steps: - name: Download artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: app.zip From 5d6f3700600a7ae12bbab8df2ff33915bf52485b Mon Sep 17 00:00:00 2001 From: Michael Disaro Date: Tue, 16 Apr 2024 11:17:44 +0200 Subject: [PATCH 41/41] removed push trigger --- .github/workflows/deploy-func.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/deploy-func.yaml b/.github/workflows/deploy-func.yaml index e50207b3..b274a0a5 100644 --- a/.github/workflows/deploy-func.yaml +++ b/.github/workflows/deploy-func.yaml @@ -2,10 +2,6 @@ name: functions-service-messages Release on: workflow_dispatch: - push: - branches: - - "iocom-1221" - jobs: deploy_workspace_to_azure: