From 8582e8c95a445f7a977698d5996f23cc4a541572 Mon Sep 17 00:00:00 2001
From: christian-calabrese <christian.calabrese@pagopa.it>
Date: Tue, 7 Jan 2025 16:55:21 +0100
Subject: [PATCH] Github runner labels can be overridden (#200)

---
 .changeset/wicked-eels-cross.md                   |  5 +++++
 .github/workflows/function_app_deploy.yaml        | 15 ++++++++++++++-
 .github/workflows/infra_apply.yaml                | 10 +++++++++-
 .github/workflows/infra_plan.yaml                 | 10 +++++++++-
 .../README.md                                     |  2 +-
 .../container_app_job.tf                          |  4 ++--
 .../locals.tf                                     |  2 ++
 .../variables.tf                                  |  1 +
 8 files changed, 43 insertions(+), 6 deletions(-)
 create mode 100644 .changeset/wicked-eels-cross.md

diff --git a/.changeset/wicked-eels-cross.md b/.changeset/wicked-eels-cross.md
new file mode 100644
index 000000000..c043db610
--- /dev/null
+++ b/.changeset/wicked-eels-cross.md
@@ -0,0 +1,5 @@
+---
+"github_selfhosted_runner_on_container_app_jobs": patch
+---
+
+Allow override of gh runner labels to support multi env multi subscription cases
diff --git a/.github/workflows/function_app_deploy.yaml b/.github/workflows/function_app_deploy.yaml
index 830385c1a..aa0fd19f9 100644
--- a/.github/workflows/function_app_deploy.yaml
+++ b/.github/workflows/function_app_deploy.yaml
@@ -31,6 +31,16 @@ on:
         type: boolean
         required: false
         default: true
+      use_labels:
+        description: Use labels to start the right environment's GitHub runner. If use_labels is true, also use_private_agent must be set to true
+        type: boolean
+        required: false
+        default: false
+      override_labels:
+        description: Needed for special cases where the environment alone is not sufficient as a distinguishing label
+        type: string
+        required: false
+        default: ''
 
 concurrency:
   group: ${{ github.workflow }}-cd
@@ -101,7 +111,10 @@ jobs:
     name: Deploy
     if: ${{ !github.event.act }}
     needs: [build]
-    runs-on: ${{ inputs.use_private_agent == true && 'self-hosted' || 'ubuntu-latest' }}
+    # Use inputs.override_labels if set; otherwise, fall back to inputs.environment. 
+    # When inputs.use_labels and inputs.use_private_agent are true, apply the selected labels. 
+    # Default to 'self-hosted' if inputs.use_private_agent is true, or 'ubuntu-latest' otherwise.
+    runs-on: ${{ inputs.use_labels && inputs.use_private_agent && (inputs.override_labels != '' && inputs.override_labels || inputs.environment) || inputs.use_private_agent && 'self-hosted' || 'ubuntu-latest' }}
     environment: ${{ inputs.environment }}-cd
     permissions:
       id-token: write
diff --git a/.github/workflows/infra_apply.yaml b/.github/workflows/infra_apply.yaml
index dbb379fe0..47af19554 100644
--- a/.github/workflows/infra_apply.yaml
+++ b/.github/workflows/infra_apply.yaml
@@ -28,6 +28,11 @@ on:
         type: boolean
         required: false
         default: false
+      override_labels:
+        description: Needed for special cases where the environment alone is not sufficient as a distinguishing label
+        type: string
+        required: false
+        default: ''
 
 env:
   ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
@@ -44,7 +49,10 @@ jobs:
 
   tf_plan:
     name: 'Terraform Plan'
-    runs-on: ${{ inputs.use_labels && inputs.use_private_agent && inputs.environment || inputs.use_private_agent && 'self-hosted' || 'ubuntu-latest' }}
+    # Use inputs.override_labels if set; otherwise, fall back to inputs.environment. 
+    # When inputs.use_labels and inputs.use_private_agent are true, apply the selected labels. 
+    # Default to 'self-hosted' if inputs.use_private_agent is true, or 'ubuntu-latest' otherwise.
+    runs-on: ${{ inputs.use_labels && inputs.use_private_agent && (inputs.override_labels != '' && inputs.override_labels || inputs.environment) || inputs.use_private_agent && 'self-hosted' || 'ubuntu-latest' }}
     environment: ${{ inputs.override_github_environment == '' && inputs.environment || inputs.override_github_environment}}-ci
     permissions:
       id-token: write
diff --git a/.github/workflows/infra_plan.yaml b/.github/workflows/infra_plan.yaml
index 8d2388c46..6a603f614 100644
--- a/.github/workflows/infra_plan.yaml
+++ b/.github/workflows/infra_plan.yaml
@@ -28,6 +28,11 @@ on:
         type: boolean
         required: false
         default: false
+      override_labels:
+        description: Needed for special cases where the environment alone is not sufficient as a distinguishing label
+        type: string
+        required: false
+        default: ''
 
 env:
   ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
@@ -39,7 +44,10 @@ env:
 jobs:
   tf_plan:
     name: 'Terraform Plan'
-    runs-on: ${{ inputs.use_labels && inputs.use_private_agent && inputs.environment || inputs.use_private_agent && 'self-hosted' || 'ubuntu-latest' }}
+    # Use inputs.override_labels if set; otherwise, fall back to inputs.environment. 
+    # When inputs.use_labels and inputs.use_private_agent are true, apply the selected labels. 
+    # Default to 'self-hosted' if inputs.use_private_agent is true, or 'ubuntu-latest' otherwise.
+    runs-on: ${{ inputs.use_labels && inputs.use_private_agent && (inputs.override_labels != '' && inputs.override_labels || inputs.environment) || inputs.use_private_agent && 'self-hosted' || 'ubuntu-latest' }}
     environment: ${{ inputs.override_github_environment == '' && inputs.environment || inputs.override_github_environment}}-ci
     concurrency:
       group: ${{ github.workflow }}-${{ inputs.environment }}-ci
diff --git a/infra/modules/github_selfhosted_runner_on_container_app_jobs/README.md b/infra/modules/github_selfhosted_runner_on_container_app_jobs/README.md
index 9eddedb15..25b470ff1 100644
--- a/infra/modules/github_selfhosted_runner_on_container_app_jobs/README.md
+++ b/infra/modules/github_selfhosted_runner_on_container_app_jobs/README.md
@@ -27,7 +27,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_container_app_environment"></a> [container\_app\_environment](#input\_container\_app\_environment) | Name and resource group of the Container App Environment to use as host | <pre>object({<br/>    id                          = string<br/>    location                    = string<br/>    polling_interval_in_seconds = optional(number, 30)<br/>    min_instances               = optional(number, 0)<br/>    max_instances               = optional(number, 30)<br/>    use_labels                  = optional(bool, false)<br/>    cpu                         = optional(number, 0.5)<br/>    memory                      = optional(string, "1Gi")<br/>  })</pre> | n/a | yes |
+| <a name="input_container_app_environment"></a> [container\_app\_environment](#input\_container\_app\_environment) | Name and resource group of the Container App Environment to use as host | <pre>object({<br/>    id                          = string<br/>    location                    = string<br/>    polling_interval_in_seconds = optional(number, 30)<br/>    min_instances               = optional(number, 0)<br/>    max_instances               = optional(number, 30)<br/>    use_labels                  = optional(bool, false)<br/>    override_labels             = optional(list(string), [])<br/>    cpu                         = optional(number, 0.5)<br/>    memory                      = optional(string, "1Gi")<br/>  })</pre> | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | Values which are used to generate resource names and location short names. They are all mandatory except for domain, which should not be used only in the case of a resource used by multiple domains. | <pre>object({<br/>    prefix          = string<br/>    env_short       = string<br/>    location        = string<br/>    instance_number = string<br/>  })</pre> | n/a | yes |
 | <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | Details of the KeyVault holding secrets for this job | <pre>object({<br/>    name                = string<br/>    resource_group_name = string<br/>    use_rbac            = optional(bool, false)<br/>    secret_name         = optional(string, "github-runner-pat")<br/>  })</pre> | n/a | yes |
 | <a name="input_repository"></a> [repository](#input\_repository) | n/a | <pre>object({<br/>    owner = optional(string, "pagopa")<br/>    name  = string<br/>  })</pre> | n/a | yes |
diff --git a/infra/modules/github_selfhosted_runner_on_container_app_jobs/container_app_job.tf b/infra/modules/github_selfhosted_runner_on_container_app_jobs/container_app_job.tf
index ac0633dfc..67392f5e1 100644
--- a/infra/modules/github_selfhosted_runner_on_container_app_jobs/container_app_job.tf
+++ b/infra/modules/github_selfhosted_runner_on_container_app_jobs/container_app_job.tf
@@ -31,7 +31,7 @@ resource "azurerm_container_app_job" "github_runner" {
           repos                     = var.repository.name
           targetWorkflowQueueLength = "1"
           github-runner             = "https://api.github.com"
-        }, var.container_app_environment.use_labels ? { labels = [local.env[var.environment.env_short]] } : {})
+        }, var.container_app_environment.use_labels ? { labels = local.labels } : {})
 
         authentication {
           secret_name       = var.key_vault.secret_name
@@ -59,7 +59,7 @@ resource "azurerm_container_app_job" "github_runner" {
         for_each = var.container_app_environment.use_labels ? [1] : []
         content {
           name  = "LABELS"
-          value = [local.env[var.environment.env_short]]
+          value = local.labels
         }
       }
 
diff --git a/infra/modules/github_selfhosted_runner_on_container_app_jobs/locals.tf b/infra/modules/github_selfhosted_runner_on_container_app_jobs/locals.tf
index 1fc27ebd1..3adc73af3 100644
--- a/infra/modules/github_selfhosted_runner_on_container_app_jobs/locals.tf
+++ b/infra/modules/github_selfhosted_runner_on_container_app_jobs/locals.tf
@@ -9,4 +9,6 @@ locals {
     job_name            = "${module.naming_convention.prefix}-caj-${module.naming_convention.suffix}"
     resource_group_name = var.resource_group_name == null ? "${module.naming_convention.prefix}-github-runner-rg-01" : var.resource_group_name
   }
+
+  labels = join(",", coalescelist(var.container_app_environment.override_labels, [local.env[var.environment.env_short]]))
 }
diff --git a/infra/modules/github_selfhosted_runner_on_container_app_jobs/variables.tf b/infra/modules/github_selfhosted_runner_on_container_app_jobs/variables.tf
index 9e9a32078..b37e61c98 100644
--- a/infra/modules/github_selfhosted_runner_on_container_app_jobs/variables.tf
+++ b/infra/modules/github_selfhosted_runner_on_container_app_jobs/variables.tf
@@ -35,6 +35,7 @@ variable "container_app_environment" {
     min_instances               = optional(number, 0)
     max_instances               = optional(number, 30)
     use_labels                  = optional(bool, false)
+    override_labels             = optional(list(string), [])
     cpu                         = optional(number, 0.5)
     memory                      = optional(string, "1Gi")
   })