[CES-598] Added GitHub Runner in azure_core_infra module (#189)

pagopa · Dec 20, 2024 · a39432e · a39432e
1 parent 121bdf8
commit a39432e
Show file tree

Hide file tree

Showing 33 changed files with 512 additions and 14 deletions.
diff --git a/.changeset/giant-owls-sin.md b/.changeset/giant-owls-sin.md
@@ -0,0 +1,5 @@
+---
+"azure_core_infra": patch
+---
+
+Added GitHub Runner and Log Analytics configuration
diff --git a/infra/github-runner/dev/.terraform.lock.hcl b/infra/github-runner/dev/.terraform.lock.hcl
diff --git a/infra/github-runner/dev/README.md b/infra/github-runner/dev/README.md
@@ -0,0 +1,39 @@
+# dev
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | <= 3.117.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | 3.117.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_container_app_job_selfhosted_runner"></a> [container\_app\_job\_selfhosted\_runner](#module\_container\_app\_job\_selfhosted\_runner) | ../../modules/github_selfhosted_runner_on_container_app_jobs | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_container_app_environment.gh_runner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/container_app_environment) | data source |
+| [azurerm_key_vault.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |
+| [azurerm_resource_group.gh_runner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_container_app_job"></a> [container\_app\_job](#output\_container\_app\_job) | n/a |
+<!-- END_TF_DOCS -->
diff --git a/infra/github-runner/dev/data.tf b/infra/github-runner/dev/data.tf
@@ -0,0 +1,13 @@
+data "azurerm_resource_group" "gh_runner" {
+  name = "${local.prefix}-${local.env_short}-${local.location_short}-github-runner-rg-${local.suffix}"
+}
+
+data "azurerm_container_app_environment" "gh_runner" {
+  name                = "${local.prefix}-${local.env_short}-${local.location_short}-github-runner-cae-${local.suffix}"
+  resource_group_name = data.azurerm_resource_group.gh_runner.name
+}
+
+data "azurerm_key_vault" "key_vault" {
+  name                = "${local.prefix}-${local.env_short}-${local.location_short}-common-kv-${local.suffix}"
+  resource_group_name = "${local.prefix}-${local.env_short}-${local.location_short}-common-rg-${local.suffix}"
+}
diff --git a/infra/github-runner/dev/locals.tf b/infra/github-runner/dev/locals.tf
@@ -0,0 +1,16 @@
+locals {
+  prefix         = "dx"
+  suffix         = "01"
+  env_short      = "d"
+  location       = "italynorth"
+  location_short = "itn"
+  repo_name      = "dx"
+
+  tags = {
+    CostCenter  = "TS700 - ENGINEERING"
+    CreatedBy   = "Terraform"
+    Environment = "Dev"
+    Owner       = "DevEx"
+    Source      = "https://github.com/pagopa/dx/blob/main/infra/resources/dev"
+  }
+}
diff --git a/infra/github-runner/dev/main.tf b/infra/github-runner/dev/main.tf
@@ -0,0 +1,50 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "<= 3.117.0"
+    }
+  }
+
+  backend "azurerm" {
+    resource_group_name  = "terraform-state-rg"
+    storage_account_name = "tfdevdx"
+    container_name       = "terraform-state"
+    key                  = "dx.github-runner.dev.tfstate"
+  }
+}
+
+provider "azurerm" {
+  features {
+  }
+}
+
+module "container_app_job_selfhosted_runner" {
+  source = "../../modules/github_selfhosted_runner_on_container_app_jobs"
+
+  environment = {
+    prefix          = local.prefix
+    env_short       = local.env_short
+    location        = local.location
+    instance_number = local.suffix
+  }
+
+  resource_group_name = data.azurerm_resource_group.gh_runner.name
+
+  repository = {
+    name = local.repo_name
+  }
+
+  container_app_environment = {
+    id       = data.azurerm_container_app_environment.gh_runner.id
+    location = local.location
+  }
+
+  key_vault = {
+    name                = data.azurerm_key_vault.key_vault.name
+    resource_group_name = data.azurerm_key_vault.key_vault.resource_group_name
+    use_rbac            = true
+  }
+
+  tags = local.tags
+}
diff --git a/infra/github-runner/dev/outputs.tf b/infra/github-runner/dev/outputs.tf
@@ -0,0 +1,7 @@
+output "container_app_job" {
+  value = {
+    id                  = module.container_app_job_selfhosted_runner.container_app_job.id
+    name                = module.container_app_job_selfhosted_runner.container_app_job.name
+    resource_group_name = module.container_app_job_selfhosted_runner.container_app_job.resource_group_name
+  }
+}
diff --git a/infra/identity/dev/README.md b/infra/identity/dev/README.md
@@ -19,6 +19,8 @@
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_federated_identities"></a> [federated\_identities](#module\_federated\_identities) | ../../modules/azure_federated_identity_with_github | n/a |
+| <a name="module_roles_cd"></a> [roles\_cd](#module\_roles\_cd) | ../../modules/azure_role_assignments | n/a |
+| <a name="module_roles_ci"></a> [roles\_ci](#module\_roles\_ci) | ../../modules/azure_role_assignments | n/a |
 
 ## Resources
 

diff --git a/infra/identity/dev/locals.tf b/infra/identity/dev/locals.tf
@@ -1,10 +1,11 @@
 locals {
 
-  prefix    = "dx"
-  env_short = "d"
-  env       = "dev"
-  location  = "italynorth"
-  project   = "${local.prefix}-${local.env_short}"
+  prefix         = "dx"
+  env_short      = "d"
+  env            = "dev"
+  location       = "italynorth"
+  location_short = "itn"
+  project        = "${local.prefix}-${local.env_short}"
 
   repo_name = "dx"
 

diff --git a/infra/identity/dev/main.tf b/infra/identity/dev/main.tf
@@ -58,3 +58,33 @@ module "federated_identities" {
     azurerm_resource_group.rg_identity
   ]
 }
+
+module "roles_ci" {
+  source       = "../../modules/azure_role_assignments"
+  principal_id = module.federated_identities.federated_ci_identity.id
+
+  key_vault = [
+    {
+      name                = "${local.project}-${local.location_short}-common-kv-01"
+      resource_group_name = "${local.project}-${local.location_short}-common-rg-01"
+      roles = {
+        secrets = "reader"
+      }
+    }
+  ]
+}
+
+module "roles_cd" {
+  source       = "../../modules/azure_role_assignments"
+  principal_id = module.federated_identities.federated_cd_identity.id
+
+  key_vault = [
+    {
+      name                = "${local.project}-${local.location_short}-common-kv-01"
+      resource_group_name = "${local.project}-${local.location_short}-common-rg-01"
+      roles = {
+        secrets = "reader"
+      }
+    }
+  ]
+}
diff --git a/infra/modules/azure_core_infra/README.md b/infra/modules/azure_core_infra/README.md
@@ -42,9 +42,12 @@ module "core" {
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_common_log_analytics"></a> [common\_log\_analytics](#module\_common\_log\_analytics) | ./_modules/log_analytics | n/a |
 | <a name="module_dns"></a> [dns](#module\_dns) | ./_modules/dns | n/a |
+| <a name="module_github_runner"></a> [github\_runner](#module\_github\_runner) | ./_modules/github_runner | n/a |
 | <a name="module_key_vault"></a> [key\_vault](#module\_key\_vault) | ./_modules/key_vault | n/a |
 | <a name="module_naming_convention"></a> [naming\_convention](#module\_naming\_convention) | ../azure_naming_convention | n/a |
+| <a name="module_naming_convention_gh_runner"></a> [naming\_convention\_gh\_runner](#module\_naming\_convention\_gh\_runner) | ../azure_naming_convention | n/a |
 | <a name="module_nat_gateway"></a> [nat\_gateway](#module\_nat\_gateway) | ./_modules/nat_gateway | n/a |
 | <a name="module_network"></a> [network](#module\_network) | ./_modules/networking | n/a |
 | <a name="module_vpn"></a> [vpn](#module\_vpn) | ./_modules/vpn | n/a |
@@ -54,6 +57,7 @@ module "core" {
 | Name | Type |
 |------|------|
 | [azurerm_resource_group.common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.gh_runner](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.test](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
@@ -63,6 +67,7 @@ module "core" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_environment"></a> [environment](#input\_environment) | Values which are used to generate resource names and location short names. They are all mandatory except for domain, which should not be used only in the case of a resource used by multiple domains. | <pre>object({<br/>    prefix          = string<br/>    env_short       = string<br/>    location        = string<br/>    domain          = optional(string)<br/>    app_name        = string<br/>    instance_number = string<br/>  })</pre> | n/a | yes |
+| <a name="input_gh_runner_snet"></a> [gh\_runner\_snet](#input\_gh\_runner\_snet) | GitHub runner subnet cidr | `string` | `"10.0.242.0/23"` | no |
 | <a name="input_nat_enabled"></a> [nat\_enabled](#input\_nat\_enabled) | Flag to enable nat gateway creation | `bool` | `false` | no |
 | <a name="input_pep_subnet_cidr"></a> [pep\_subnet\_cidr](#input\_pep\_subnet\_cidr) | CIDR block for the private endpoint subnet | `string` | `"10.0.2.0/23"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Resources tags | `map(any)` | n/a | yes |
@@ -74,10 +79,12 @@ module "core" {
 
 | Name | Description |
 |------|-------------|
+| <a name="output_common_key_vault"></a> [common\_key\_vault](#output\_common\_key\_vault) | n/a |
 | <a name="output_common_nat_gateways"></a> [common\_nat\_gateways](#output\_common\_nat\_gateways) | n/a |
 | <a name="output_common_pep_snet"></a> [common\_pep\_snet](#output\_common\_pep\_snet) | n/a |
 | <a name="output_common_resource_group_name"></a> [common\_resource\_group\_name](#output\_common\_resource\_group\_name) | n/a |
 | <a name="output_common_vnet"></a> [common\_vnet](#output\_common\_vnet) | n/a |
+| <a name="output_github_runner"></a> [github\_runner](#output\_github\_runner) | n/a |
 | <a name="output_network_resource_group_name"></a> [network\_resource\_group\_name](#output\_network\_resource\_group\_name) | n/a |
 | <a name="output_test_resource_group_name"></a> [test\_resource\_group\_name](#output\_test\_resource\_group\_name) | n/a |
 <!-- END_TF_DOCS -->
diff --git a/infra/modules/azure_core_infra/_modules/github_runner/README.md b/infra/modules/azure_core_infra/_modules/github_runner/README.md
@@ -0,0 +1,41 @@
+# github_runner
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_container_app_environment.cae](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_app_environment) | resource |
+| [azurerm_management_lock.lock_cae](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/management_lock) | resource |
+| [azurerm_subnet.runner_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_location"></a> [location](#input\_location) | Location | `string` | n/a | yes |
+| <a name="input_log_analytics_workspace_id"></a> [log\_analytics\_workspace\_id](#input\_log\_analytics\_workspace\_id) | n/a | `string` | n/a | yes |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix for resource names | `string` | n/a | yes |
+| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Resource group name | `string` | n/a | yes |
+| <a name="input_subnet_cidr"></a> [subnet\_cidr](#input\_subnet\_cidr) | n/a | `string` | `"10.0.242.0/23"` | no |
+| <a name="input_suffix"></a> [suffix](#input\_suffix) | Suffix for resource names | `string` | `"01"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Resources tags | `map(any)` | n/a | yes |
+| <a name="input_virtual_network"></a> [virtual\_network](#input\_virtual\_network) | Virtual network where to attach private dns zones | <pre>object({<br/>    id                  = string<br/>    name                = string<br/>    resource_group_name = string<br/>  })</pre> | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cae_id"></a> [cae\_id](#output\_cae\_id) | Container App Environment id |
+| <a name="output_cae_name"></a> [cae\_name](#output\_cae\_name) | Container App Environment name |
+| <a name="output_subnet_id"></a> [subnet\_id](#output\_subnet\_id) | Subnet id |
+| <a name="output_subnet_name"></a> [subnet\_name](#output\_subnet\_name) | Subnet name |
+<!-- END_TF_DOCS -->
diff --git a/infra/modules/azure_core_infra/_modules/github_runner/container_app_environment.tf b/infra/modules/azure_core_infra/_modules/github_runner/container_app_environment.tf
@@ -0,0 +1,20 @@
+resource "azurerm_container_app_environment" "cae" {
+  name                = "${var.prefix}-cae-${var.suffix}"
+  location            = var.location
+  resource_group_name = var.resource_group_name
+
+  log_analytics_workspace_id = var.log_analytics_workspace_id
+
+  infrastructure_subnet_id       = azurerm_subnet.runner_snet.id
+  zone_redundancy_enabled        = false
+  internal_load_balancer_enabled = false
+
+  tags = var.tags
+}
+
+resource "azurerm_management_lock" "lock_cae" {
+  lock_level = "CanNotDelete"
+  name       = "${var.prefix}-cae-${var.suffix}"
+  notes      = "This Container App Environment cannot be deleted"
+  scope      = azurerm_container_app_environment.cae.id
+}
diff --git a/infra/modules/azure_core_infra/_modules/github_runner/outputs.tf b/infra/modules/azure_core_infra/_modules/github_runner/outputs.tf
@@ -0,0 +1,19 @@
+output "subnet_name" {
+  value       = azurerm_subnet.runner_snet.name
+  description = "Subnet name"
+}
+
+output "subnet_id" {
+  value       = azurerm_subnet.runner_snet.id
+  description = "Subnet id"
+}
+
+output "cae_id" {
+  value       = azurerm_container_app_environment.cae.id
+  description = "Container App Environment id"
+}
+
+output "cae_name" {
+  value       = azurerm_container_app_environment.cae.name
+  description = "Container App Environment name"
+}
diff --git a/infra/modules/azure_core_infra/_modules/github_runner/subnet.tf b/infra/modules/azure_core_infra/_modules/github_runner/subnet.tf
@@ -0,0 +1,6 @@
+resource "azurerm_subnet" "runner_snet" {
+  name                 = "${var.prefix}-snet-${var.suffix}"
+  virtual_network_name = var.virtual_network.name
+  resource_group_name  = var.virtual_network.resource_group_name
+  address_prefixes     = [var.subnet_cidr]
+}