[PAGOPA-1135] Merge branch 'main' into PAGOPA-1135-sviluppo-migrazion…

…e-api-config-cache # Conflicts: # .github/workflows/deploy_with_github_runner.yml # Dockerfile
pagopa · Aug 24, 2023 · 1c12d48 · 1c12d48
2 parents 1c299fd + 6e83b1c
commit 1c12d48
Show file tree

Hide file tree

Showing 34 changed files with 348 additions and 372 deletions.
diff --git a/.gitignore b/.gitignore
@@ -35,3 +35,5 @@ hs_err_pid*
 
 helm/charts
 helm/Chart.lock
+/.identity/.terraform.lock.hcl
+/docker/secrets
diff --git a/.identity/.terraform.lock.hcl b/.identity/.terraform.lock.hcl
diff --git a/.identity/00_data.tf b/.identity/00_data.tf
@@ -0,0 +1,52 @@
+data "azurerm_storage_account" "tf_storage_account"{
+  name                = "pagopainfraterraform${var.env}"
+  resource_group_name = "io-infra-rg"
+}
+
+data "azurerm_resource_group" "dashboards" {
+  name = "dashboards"
+}
+
+data "azurerm_kubernetes_cluster" "aks" {
+  name                = local.aks_cluster.name
+  resource_group_name = local.aks_cluster.resource_group_name
+}
+
+data "github_organization_teams" "all" {
+  root_teams_only = true
+  summary_only    = true
+}
+
+data "azurerm_key_vault" "key_vault" {
+  name                = "pagopa-${var.env_short}-kv"
+  resource_group_name = "pagopa-${var.env_short}-sec-rg"
+}
+
+data "azurerm_key_vault" "domain_key_vault" {
+  name                = "pagopa-${var.env_short}-${local.domain}-kv"
+  resource_group_name = "pagopa-${var.env_short}-${local.domain}-sec-rg"
+}
+
+data "azurerm_resource_group" "apim_resource_group" {
+  name = "${local.product}-api-rg"
+}
+
+data "azurerm_key_vault_secret" "key_vault_sonar" {
+  name         = "sonar-token"
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "key_vault_bot_token" {
+  name         = "bot-token-github"
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "key_vault_cucumber_token" {
+  name         = "cucumber-token"
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+}
+
+data "azurerm_key_vault_secret" "key_vault_integration_test_subkey" {
+  name         = "integration-test-subkey"
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+}
diff --git a/.identity/00_locals.tf b/.identity/00_locals.tf
diff --git a/.identity/00_main.tf.ci b/.identity/00_main.tf.ci
diff --git a/.identity/00_variables.tf b/.identity/00_variables.tf
diff --git a/.identity/01_data.tf b/.identity/01_data.tf
diff --git a/.identity/02_application_action.tf b/.identity/02_application_action.tf
@@ -1,28 +1,96 @@
-resource "azuread_application" "action" {
-  display_name = "github-${local.github.org}-${local.github.repository}-${var.env}"
+module "github_runner_app" {
+  source = "git::https://github.com/pagopa/github-actions-tf-modules.git//app-github-runner-creator?ref=main"
+
+  app_name = local.app_name
+
+  subscription_id = data.azurerm_subscription.current.id
+
+  github_org              = local.github.org
+  github_repository       = local.github.repository
+  github_environment_name = var.env
+
+  container_app_github_runner_env_rg = local.container_app_environment.resource_group
+}
+
+resource "null_resource" "github_runner_app_permissions_to_namespace" {
+  triggers = {
+    aks_id               = data.azurerm_kubernetes_cluster.aks.id
+    service_principal_id = module.github_runner_app.client_id
+    namespace            = local.domain
+    version              = "v2"
+  }
+
+  provisioner "local-exec" {
+    command = <<EOT
+      az role assignment create --role "Azure Kubernetes Service RBAC Admin" \
+      --assignee ${self.triggers.service_principal_id} \
+      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
+
+      az role assignment list --role "Azure Kubernetes Service RBAC Admin"  \
+      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
+    EOT
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = <<EOT
+      az role assignment delete --role "Azure Kubernetes Service RBAC Admin" \
+      --assignee ${self.triggers.service_principal_id} \
+      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
+    EOT
+  }
 }
 
-resource "azuread_service_principal" "action" {
-  application_id = azuread_application.action.application_id
+resource "azurerm_role_assignment" "environment_terraform_storage_account" {
+  scope                = data.azurerm_storage_account.tf_storage_account.id
+  role_definition_name = "Contributor"
+  principal_id         = module.github_runner_app.object_id
 }
 
-resource "azuread_application_federated_identity_credential" "environment" {
-  application_object_id = azuread_application.action.object_id
-  display_name          = "github-federated"
-  description           = "github-federated"
-  audiences             = ["api://AzureADTokenExchange"]
-  issuer                = "https://token.actions.githubusercontent.com"
-  subject               = "repo:${local.github.org}/${local.github.repository}:environment:${var.env}"
+resource "azurerm_role_assignment" "environment_terraform_resource_group_apim" {
+  scope                = data.azurerm_resource_group.apim_resource_group.id
+  role_definition_name = "Contributor"
+  principal_id         = module.github_runner_app.object_id
 }
 
-output "azure_action_client_id" {
-  value = azuread_service_principal.action.application_id
+resource "azurerm_role_assignment" "environment_terraform_resource_group_dashboards" {
+  scope                = data.azurerm_resource_group.dashboards.id
+  role_definition_name = "Contributor"
+  principal_id         = module.github_runner_app.object_id
 }
 
-output "azure_action_application_id" {
-  value = azuread_service_principal.action.application_id
+resource "azurerm_role_assignment" "environment_key_vault" {
+  scope                = data.azurerm_key_vault.key_vault.id
+  role_definition_name = "Reader"
+  principal_id         = module.github_runner_app.object_id
 }
 
-output "azure_action_object_id" {
-  value = azuread_service_principal.action.object_id
+resource "azurerm_role_assignment" "environment_key_vault_domain" {
+  scope                = data.azurerm_key_vault.domain_key_vault.id
+  role_definition_name = "Reader"
+  principal_id         = module.github_runner_app.object_id
+}
+
+resource "azurerm_key_vault_access_policy" "ad_kv_group_policy" {
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = module.github_runner_app.object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List"]
+  storage_permissions     = []
+  certificate_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "ad_domain_kv_group_policy" {
+  key_vault_id = data.azurerm_key_vault.domain_key_vault.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = module.github_runner_app.object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List"]
+  storage_permissions     = []
+  certificate_permissions = []
 }
diff --git a/.identity/02_application_action_auth.tf b/.identity/02_application_action_auth.tf
diff --git a/.identity/02_application_master.tf b/.identity/02_application_master.tf
diff --git a/.identity/02_application_master_auth.tf b/.identity/02_application_master_auth.tf
diff --git a/.identity/02_application_pullrequest.tf b/.identity/02_application_pullrequest.tf
diff --git a/.identity/02_application_pullrequest_auth.tf b/.identity/02_application_pullrequest_auth.tf