diff --git a/src/github-runner/.terraform.lock.hcl b/src/github-runner/.terraform.lock.hcl
new file mode 100644
index 0000000..f53b428
--- /dev/null
+++ b/src/github-runner/.terraform.lock.hcl
@@ -0,0 +1,41 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.116.0" + constraints = "~> 3.30, ~> 3.74, ~> 3.116.0, <= 3.116.0" + hashes = [ + "h1:BCR3NIorFSvGG3v/+JOiiw3VM4PkChLO4m84wzD9NDo=", + "zh:02b6606aff025fc2a962b3e568e000300abe959adac987183c24dac8eb057f4d", + "zh:2a23a8ce24ff9e885925ffee0c3ea7eadba7a702541d05869275778aa47bdea7", + "zh:57d10746384baeca4d5c56e88872727cdc150f437b8c5e14f0542127f7475e24", + "zh:59e3ebde1a2e1e094c671e179f231ead60684390dbf02d2b1b7fe67a228daa1a", + "zh:5f1f5c7d09efa2ee8ddf21bd9efbbf8286f6e90047556bef305c062fa0ac5880", + "zh:a40646aee3c9907276dab926e6123a8d70b1e56174836d4c59a9992034f88d70", + "zh:c21d40461bc5836cf56ad3d93d2fc47f61138574a55e972ad5ff1cb73bab66dc", + "zh:c56fb91a5ae66153ba0f737a26da1b3d4f88fdef7d41c63e06c5772d93b26953", + "zh:d1e60e85f51d12fc150aeab8e31d3f18f859c32f927f99deb5b74cb1e10087aa", + "zh:ed35e727e7d79e687cd3d148f52b442961ede286e7c5b4da1dcd9f0128009466", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f6d2a4e7c58f44e7d04a4a9c73f35ed452f412c97c85def68c4b52814cbe03ab", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + hashes = [ + "h1:I0Um8UkrMUb81Fxq/dxbr3HLP2cecTH2WMJiwKSrwQY=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + 
"zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed",
+ "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65",
+ "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd",
+ "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5",
+ ]
+}
diff --git a/src/github-runner/00_data.tf b/src/github-runner/00_data.tf
new file mode 100644
index 0000000..69b97fb
--- /dev/null
+++ b/src/github-runner/00_data.tf
@@ -0,0 +1,18 @@
+data "azurerm_resource_group" "rg_common" {
+ name = "${var.prefix}-${var.env_short}-vnet-rg"
+}
+
+data "azurerm_key_vault" "key_vault_common" {
+ name = "${var.prefix}-${var.env_short}-${var.location_short}-kv"
+ resource_group_name = "${var.prefix}-${var.env_short}-sec-rg"
+}
+
+data "azurerm_virtual_network" "vnet_common" {
+ name = var.networking.vnet_common_name
+ resource_group_name = data.azurerm_resource_group.rg_common.name
+}
+
+data "azurerm_log_analytics_workspace" "law_common" {
+ name = var.law_name
+ resource_group_name = "${var.prefix}-${var.env_short}-monitor-rg"
+}
diff --git a/src/github-runner/00_resource_group.tf b/src/github-runner/00_resource_group.tf
new file mode 100644
index 0000000..385acac
--- /dev/null
+++ b/src/github-runner/00_resource_group.tf
@@ -0,0 +1,6 @@
+resource "azurerm_resource_group" "rg_github_runner" {
+ name = "${local.project}-github-runner-rg"
+ location = var.location
+
+ tags = var.tags
+}
diff --git a/src/github-runner/01_github_identity.tf b/src/github-runner/01_github_identity.tf
new file mode 100644
index 0000000..b2ac809
--- /dev/null
+++ b/src/github-runner/01_github_identity.tf
@@ -0,0 +1,103 @@
+data "azurerm_kubernetes_cluster" "aks" {
+ name = "${local.product}-itn-dev-aks"
+ resource_group_name = "${local.product}-itn-dev-aks-rg"
+}
+
+# repos must be lower than 20 items
+locals {
+ repos_01 = [
+ "devops-app-status",
+ ]
+
+ federations_01 = [
+ for repo in local.repos_01 : {
+ repository = repo
+ subject = "github-${var.env}"
+ }
+ ]
+
+ namespace = "test-app-status"
+
+ # to avoid subscription Contributor -> https://github.com/microsoft/azure-container-apps/issues/35
+ environment_cd_roles = {
+ subscription = [
+ "Contributor"
+ ]
+ resource_groups = {
+ "${azurerm_resource_group.rg_github_runner.name}" = [
+ "Key Vault Reader"
+ ],
+ "${data.azurerm_kubernetes_cluster.aks.resource_group_name}" = [
+ "Contributor"
+ ],
+ "${azurerm_resource_group.rg_github_runner.name}" = [
+ "Contributor"
+ ]
+ }
+ }
+}
+
+module "identity_cd_01" {
+ source = "./.terraform/modules/__v3__/github_federated_identity"
+ # pagopa---github--identity
+ prefix = var.prefix
+ env_short = var.env_short
+
+ identity_role = "cd"
+
+ github_federations = local.federations_01
+
+ cd_rbac_roles = {
+ subscription_roles = local.environment_cd_roles.subscription
+ resource_groups = local.environment_cd_roles.resource_groups
+ }
+
+ tags = var.tags
+
+}
+
+resource "azurerm_key_vault_access_policy" "gha_iac_managed_identities" {
+ key_vault_id = data.azurerm_key_vault.key_vault_common.id
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = module.identity_cd_01.identity_principal_id
+
+ secret_permissions = ["Get", "List", "Set", ]
+
+ certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get"]
+ key_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt", "GetRotationPolicy"]
+
+ storage_permissions = []
+}
+
+resource "null_resource" "github_runner_app_permissions_to_namespace_cd_01" {
+ triggers = {
+ aks_id = data.azurerm_kubernetes_cluster.aks.id
+ service_principal_id = 
module.identity_cd_01.identity_client_id + namespace = local.namespace + version = "v2" + } + + provisioner "local-exec" { + command = < +## Requirements + +| Name | Version | +|------|---------| +| [azurerm](#requirement\_azurerm) | <= 3.116.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [\_\_v3\_\_](#module\_\_\_v3\_\_) | git::https://github.com/pagopa/terraform-azurerm-v3.git | v8.50.0 | +| [container\_app\_environment\_runner](#module\_container\_app\_environment\_runner) | ./.terraform/modules/__v3__/container_app_environment_v2 | n/a | +| [container\_app\_job](#module\_container\_app\_job) | ./.terraform/modules/__v3__/container_app_job_gh_runner_v2 | n/a | +| [identity\_cd\_01](#module\_identity\_cd\_01) | ./.terraform/modules/__v3__/github_federated_identity | n/a | +| [subnet\_runner](#module\_subnet\_runner) | ./.terraform/modules/__v3__/subnet | n/a | + +## Resources + +| Name | Type | +|------|------| +| [azurerm_key_vault_access_policy.gha_iac_managed_identities](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource | +| [azurerm_management_lock.lock_cae](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock) | resource | +| [azurerm_resource_group.rg_github_runner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [null_resource.github_runner_app_permissions_to_namespace_cd_01](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | +| [azurerm_key_vault.key_vault_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | +| 
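Review bot: `environment_cd_roles.subscription` still grants `Contributor` at subscription scope even though the comment directly above it says the per-resource-group roles exist "to avoid subscription Contributor"; for a CD identity federated to a single repository (`devops-app-status`) that is far broader than the runner and AKS resource groups it actually touches, so if the comment reflects the intent the entry should become `subscription = []` with the write access carried by the resource-group entries. In the same map `"${azurerm_resource_group.rg_github_runner.name}"` is used twice as a key (`Key Vault Reader` and `Contributor`); Terraform will either reject the duplicate key or keep only one of the two lists, so merge them into a single entry, `"${azurerm_resource_group.rg_github_runner.name}" = ["Key Vault Reader", "Contributor"]`. The access policy on the shared `key_vault_common` additionally gives this identity `Set` on secrets, `Purge` on certificates and `Delete`/`Import`/`Encrypt`/`Decrypt` on keys, which a deploy-time identity rarely needs and which lets a compromised workflow overwrite or purge shared material, so trim it to `Get`/`List` unless a specific pipeline step is known to need the rest. The `data "azurerm_kubernetes_cluster" "aks"` lookup hard-codes `itn-dev` while the rest of this stack is parameterised by `var.env` and `var.location_short`, so it should presumably be derived from those. The `local-exec` command body of `null_resource.github_runner_app_permissions_to_namespace_cd_01` is not visible in this rendering, so its commands could not be reviewed here.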
[azurerm_kubernetes_cluster.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster) | data source |
+| [azurerm_log_analytics_workspace.law_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
+| [azurerm_resource_group.rg_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_virtual_network.vnet_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [env](#input\_env) | n/a | `string` | n/a | yes |
+| [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes |
+| [key\_vault\_common](#input\_key\_vault\_common) | n/a |
object({
name = string
pat_secret_name = string
})
| n/a | yes |
+| [law\_name](#input\_law\_name) | n/a | `string` | `"Log Analytics Workspace name"` | no |
+| [location](#input\_location) | n/a | `string` | `"northeurope"` | no |
+| [location\_short](#input\_location\_short) | n/a | `string` | `"neu"` | no |
+| [networking](#input\_networking) | n/a |
object({
vnet_common_name = string
subnet_cidr_block = string
})
| n/a | yes |
+| [prefix](#input\_prefix) | n/a | `string` | n/a | yes |
+| [tags](#input\_tags) | n/a | `map(any)` |
{
"CreatedBy": "Terraform"
}
| no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [ca\_job\_id](#output\_ca\_job\_id) | Container App job id |
+| [ca\_job\_name](#output\_ca\_job\_name) | Container App job name |
+| [cae\_id](#output\_cae\_id) | Container App Environment id |
+| [cae\_name](#output\_cae\_name) | Container App Environment name |
+| [github\_manage\_identity\_client\_id](#output\_github\_manage\_identity\_client\_id) | Managed identity client ID |
+| [github\_manage\_identity\_name](#output\_github\_manage\_identity\_name) | Managed identity name |
+| [github\_manage\_identity\_principal\_id](#output\_github\_manage\_identity\_principal\_id) | Managed identity principal ID |
+| [subnet\_id](#output\_subnet\_id) | Subnet id |
+| [subnet\_name](#output\_subnet\_name) | Subnet name |
+
diff --git a/src/github-runner/env/neu-dev/backend.ini b/src/github-runner/env/neu-dev/backend.ini
new file mode 100644
index 0000000..a7cc599
--- /dev/null
+++ b/src/github-runner/env/neu-dev/backend.ini
@@ -0,0 +1 @@
+subscription=DevOpsLab
diff --git a/src/github-runner/env/neu-dev/backend.tfvars b/src/github-runner/env/neu-dev/backend.tfvars
new file mode 100644
index 0000000..c701a5c
--- /dev/null
+++ b/src/github-runner/env/neu-dev/backend.tfvars
@@ -0,0 +1,4 @@
+resource_group_name = "terraform-state-rg"
+storage_account_name = "tfinfdevopslab"
+container_name = "terraform-state"
+key = "devopslab-infra-github-runner.tfstate"
diff --git a/src/github-runner/env/neu-dev/terraform.tfvars b/src/github-runner/env/neu-dev/terraform.tfvars
new file mode 100644
index 0000000..64ef369
--- /dev/null
+++ b/src/github-runner/env/neu-dev/terraform.tfvars
@@ -0,0 +1,25 @@
+prefix = "dvopla"
+env_short = "d"
+env = "dev"
+location = "northeurope"
+location_short = "neu"
+
+tags = {
+ CreatedBy = "Terraform"
+ Environment = "DEV"
+ Owner = "DevOps"
+ Source = "https://github.com/pagopa/devopslab-infra"
+ CostCenter = "TS310 - PAGAMENTI & SERVIZI"
+}
+
+key_vault_common = {
+ name = ""
+ pat_secret_name = "github-runner-pat"
+}
+
+networking = {
+ vnet_common_name = "dvopla-d-vnet"
+ subnet_cidr_block = "10.1.148.0/23"
+}
+
+law_name = "dvopla-d-law"
diff --git a/src/github-runner/terraform.sh b/src/github-runner/terraform.sh
new file mode 120000
index 0000000..165ae70
--- /dev/null
+++ b/src/github-runner/terraform.sh
@@ -0,0 +1 @@
+../../scripts/terraform.sh
\ No newline at end of file
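Review bot: `key_vault_common.name` is set to the empty string while `pat_secret_name` names a real secret (`github-runner-pat`); `00_data.tf` in this same change derives the common key vault name from `prefix`/`env_short`/`location_short` instead, so either this field is unused and should be dropped from the `key_vault_common` object, or whatever consumes it (presumably the container-app job module listed in the README) will try to resolve the PAT in a vault called `""`. If it must stay, `name = "dvopla-d-neu-kv"` would at least match what `00_data.tf` computes for this environment. The PAT itself is referenced only by secret name, so nothing about its scope or expiry is visible in this diff; a comment next to it such as `# github-runner-pat: fine-grained PAT limited to self-hosted runner registration, rotated on expiry` would document the expectation for whoever provisions the secret.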