Remove test-pipe workflow and update GitHub Runner config

Deleted the manual dispatch workflow YAML file and enhanced the GitHub Runner setup. Updated configurations to use specific branches and added managed identity outputs along with resource assignments.
pagopa · Oct 15, 2024 · 4801a05 · 4801a05
1 parent 3f1be66
commit 4801a05
Show file tree

Hide file tree

Showing 8 changed files with 155 additions and 22 deletions.
diff --git a/.github/workflows/test-pipe.yml b/.github/workflows/test-pipe.yml
diff --git a/src/github-runner/.terraform.lock.hcl b/src/github-runner/.terraform.lock.hcl
diff --git a/src/github-runner/01_github_identity.tf b/src/github-runner/01_github_identity.tf
@@ -0,0 +1,103 @@
+data "azurerm_kubernetes_cluster" "aks" {
+  name                = "${local.product}-itn-dev-aks"
+  resource_group_name = "${local.product}-itn-dev-aks-rg"
+}
+
+# repos must be lower than 20 items
+locals {
+  repos_01 = [
+    "devops-app-status",
+  ]
+
+  federations_01 = [
+    for repo in local.repos_01 : {
+      repository = repo
+      subject    = "github-${var.env}"
+    }
+  ]
+
+  namespace = "test-app-status"
+
+  # to avoid subscription Contributor -> https://github.com/microsoft/azure-container-apps/issues/35
+  environment_cd_roles = {
+    subscription = [
+      "Contributor"
+    ]
+    resource_groups = {
+      "${azurerm_resource_group.rg_github_runner.name}" = [
+        "Key Vault Reader"
+      ],
+      "${data.azurerm_kubernetes_cluster.aks.resource_group_name}" = [
+        "Contributor"
+      ],
+      "${azurerm_resource_group.rg_github_runner.name}" = [
+        "Contributor"
+      ]
+    }
+  }
+}
+
+module "identity_cd_01" {
+  source = "./.terraform/modules/__v3__/github_federated_identity"
+  # pagopa-<ENV><DOMAIN>-<COUNTER>-github-<PERMS>-identity
+  prefix    = var.prefix
+  env_short = var.env_short
+
+  identity_role = "cd"
+
+  github_federations = local.federations_01
+
+  cd_rbac_roles = {
+    subscription_roles = local.environment_cd_roles.subscription
+    resource_groups    = local.environment_cd_roles.resource_groups
+  }
+
+  tags = var.tags
+
+}
+
+resource "azurerm_key_vault_access_policy" "gha_iac_managed_identities" {
+  key_vault_id = data.azurerm_key_vault.key_vault_common.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = module.identity_cd_01.identity_principal_id
+
+  secret_permissions = ["Get", "List", "Set", ]
+
+  certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get"]
+  key_permissions         = ["Get", "List", "Update", "Create", "Import", "Delete", "Encrypt", "Decrypt", "GetRotationPolicy"]
+
+  storage_permissions = []
+}
+
+resource "null_resource" "github_runner_app_permissions_to_namespace_cd_01" {
+  triggers = {
+    aks_id               = data.azurerm_kubernetes_cluster.aks.id
+    service_principal_id = module.identity_cd_01.identity_client_id
+    namespace            = local.namespace
+    version              = "v2"
+  }
+
+  provisioner "local-exec" {
+    command = <<EOT
+      az role assignment create --role "Azure Kubernetes Service RBAC Admin" \
+      --assignee ${self.triggers.service_principal_id} \
+      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
+
+      az role assignment list --role "Azure Kubernetes Service RBAC Admin"  \
+      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
+    EOT
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = <<EOT
+      az role assignment delete --role "Azure Kubernetes Service RBAC Admin" \
+      --assignee ${self.triggers.service_principal_id} \
+      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
+    EOT
+  }
+
+  depends_on = [
+    module.identity_cd_01
+  ]
+}
diff --git a/src/github-runner/02_container_app_jobs.tf b/src/github-runner/02_container_app_jobs.tf
@@ -22,10 +22,10 @@ module "container_app_job" {
   environment_name = module.container_app_environment_runner.name
   environment_rg   = module.container_app_environment_runner.resource_group_name
 
-
+  polling_interval_in_seconds = 10
   job = {
     name             = "infra"
-    repo             = "pagopa-infra"
+    repo             = "devops-app-status"
     polling_interval = 20
   }
 

diff --git a/src/github-runner/99_locals.tf b/src/github-runner/99_locals.tf
@@ -1,3 +1,4 @@
 locals {
   project = "${var.prefix}-${var.env_short}"
+  product = "${var.prefix}-${var.env_short}"
 }
diff --git a/src/github-runner/99_main.tf b/src/github-runner/99_main.tf
@@ -13,7 +13,11 @@ provider "azurerm" {
   features {}
 }
 
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
+
 module "__v3__" {
   # https://github.com/pagopa/terraform-azurerm-v3/releases/tag/v8.48.0
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git?ref=v8.48.0"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git?ref=PAYMCLOUD-109-POC-Github-Runner-on-DevOpsLab"
 }
diff --git a/src/github-runner/99_outputs.tf b/src/github-runner/99_outputs.tf
@@ -27,3 +27,18 @@ output "ca_job_name" {
   value       = module.container_app_job.name
   description = "Container App job name"
 }
+
+output "github_manage_identity_client_id" {
+  value       = module.identity_cd_01.identity_client_id
+  description = "Managed identity client ID"
+}
+
+output "github_manage_identity_principal_id" {
+  value       = module.identity_cd_01.identity_principal_id
+  description = "Managed identity principal ID"
+}
+
+output "github_manage_identity_name" {
+  value       = module.identity_cd_01.identity_app_name
+  description = "Managed identity name"
+}
diff --git a/src/github-runner/README.md b/src/github-runner/README.md
@@ -11,20 +11,26 @@
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module___v3__"></a> [\_\_v3\_\_](#module\_\_\_v3\_\_) | git::https://github.com/pagopa/terraform-azurerm-v3.git | v8.48.0 |
+| <a name="module___v3__"></a> [\_\_v3\_\_](#module\_\_\_v3\_\_) | git::https://github.com/pagopa/terraform-azurerm-v3.git | PAYMCLOUD-109-POC-Github-Runner-on-DevOpsLab |
 | <a name="module_container_app_environment_runner"></a> [container\_app\_environment\_runner](#module\_container\_app\_environment\_runner) | ./.terraform/modules/__v3__/container_app_environment_v2 | n/a |
 | <a name="module_container_app_job"></a> [container\_app\_job](#module\_container\_app\_job) | ./.terraform/modules/__v3__/container_app_job_gh_runner_v2 | n/a |
+| <a name="module_identity_cd_01"></a> [identity\_cd\_01](#module\_identity\_cd\_01) | ./.terraform/modules/__v3__/github_federated_identity | n/a |
 | <a name="module_subnet_runner"></a> [subnet\_runner](#module\_subnet\_runner) | ./.terraform/modules/__v3__/subnet | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [azurerm_key_vault_access_policy.gha_iac_managed_identities](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_management_lock.lock_cae](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock) | resource |
 | [azurerm_resource_group.rg_github_runner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [null_resource.github_runner_app_permissions_to_namespace_cd_01](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
 | [azurerm_key_vault.key_vault_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
+| [azurerm_kubernetes_cluster.aks](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster) | data source |
 | [azurerm_log_analytics_workspace.law_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/log_analytics_workspace) | data source |
 | [azurerm_resource_group.rg_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
 | [azurerm_virtual_network.vnet_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
 
 ## Inputs
@@ -49,6 +55,9 @@
 | <a name="output_ca_job_name"></a> [ca\_job\_name](#output\_ca\_job\_name) | Container App job name |
 | <a name="output_cae_id"></a> [cae\_id](#output\_cae\_id) | Container App Environment id |
 | <a name="output_cae_name"></a> [cae\_name](#output\_cae\_name) | Container App Environment name |
+| <a name="output_github_manage_identity_client_id"></a> [github\_manage\_identity\_client\_id](#output\_github\_manage\_identity\_client\_id) | Managed identity client ID |
+| <a name="output_github_manage_identity_name"></a> [github\_manage\_identity\_name](#output\_github\_manage\_identity\_name) | Managed identity name |
+| <a name="output_github_manage_identity_principal_id"></a> [github\_manage\_identity\_principal\_id](#output\_github\_manage\_identity\_principal\_id) | Managed identity principal ID |
 | <a name="output_subnet_id"></a> [subnet\_id](#output\_subnet\_id) | Subnet id |
 | <a name="output_subnet_name"></a> [subnet\_name](#output\_subnet\_name) | Subnet name |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->