[EC-62] Migrate pipelines to container app jobs and managed identities (

#811)
pagopa · Jan 5, 2024 · cfa7240 · cfa7240
1 parent 34e27b5
commit cfa7240
Show file tree

Hide file tree

Showing 17 changed files with 157 additions and 306 deletions.
diff --git a/.github/workflows/ioweb_prod_cd.yml b/.github/workflows/ioweb_prod_cd.yml
@@ -2,7 +2,6 @@ name: Continuous Delivery on prod ioweb
 
 on:
   workflow_dispatch:
-  # Trigger the workflow on push on the main branch
   push:
     branches:
       - main
@@ -19,30 +18,11 @@ env:
   AZURE_ENVIRONMENT: prod
 
 jobs:
-  create_runner:
-    name: Create Runner
-    runs-on: ubuntu-22.04
-    environment: prod-runner
-    outputs:
-      runner_name: ${{ steps.create_github_runner.outputs.runner_name }}
-    steps:
-      - name: Create GitHub Runner
-        id: create_github_runner
-        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
-        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
-        with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
-          resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
-          pat_token: ${{ secrets.BOT_TOKEN }}
 
   terraform_preapply_job:
     name: Terraform Pre Apply
-    runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"]
+    runs-on: self-hosted
     environment: prod-ci
-    needs: create_runner
     steps:
       - name: Checkout
         id: checkout
@@ -61,83 +41,44 @@ jobs:
         # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main
         uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd
         with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID_CI }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           dir: ${{ env.DIR }}-common
           azure_environment: prod
 
-      # - name: Terraform pre apply app (weu-beta)
-      #   # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main
-      #   uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd
-      #   with:
-      #     client_id: ${{ secrets.AZURE_CLIENT_ID }}
-      #     tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-      #     subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-      #     dir: ${{ env.DIR }}-app
-      #     azure_environment: weu-beta
-
       - name: Terraform pre apply app (weu-prod01)
         # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main
         uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd
         with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID_CI }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           dir: ${{ env.DIR }}-app
           azure_environment: weu-prod01
 
   terraform_apply_job:
     name: Terraform Apply
-    runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"]
+    runs-on: self-hosted
     environment: prod-cd
-    needs: [create_runner, terraform_preapply_job]
+    needs: [terraform_preapply_job]
     steps:
       - name: Terraform apply common
         # from https://github.com/pagopa/terraform-apply-azure-action/commits/main
         uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab
         with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID_CD }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           dir: ${{ env.DIR }}-common
           azure_environment: prod
 
-      # - name: Terraform apply app (weu-beta)
-      #   # from https://github.com/pagopa/terraform-apply-azure-action/commits/main
-      #   uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab
-      #   with:
-      #     client_id: ${{ secrets.AZURE_CLIENT_ID }}
-      #     tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-      #     subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-      #     dir: ${{ env.DIR }}-app
-      #     azure_environment: weu-beta
-
       - name: Terraform apply app (weu-prod01)
         # from https://github.com/pagopa/terraform-apply-azure-action/commits/main
         uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab
         with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID_CD }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           dir: ${{ env.DIR }}-app
           azure_environment: weu-prod01
-
-  cleanup_runner:
-    name: Cleanup Runner
-    if: always()
-    runs-on: ubuntu-22.04
-    environment: prod-runner
-    needs: [create_runner, terraform_preapply_job, terraform_apply_job]
-    steps:
-      - name: Cleanup GitHub Runner
-        id: cleanup_github_runner
-        # from https://github.com/pagopa/github-self-hosted-runner-azure-cleanup-action/commits/main
-        uses: pagopa/github-self-hosted-runner-azure-cleanup-action@97731a35e6ffc79b66c4dfd2aae5e4fd04e3ebb5
-        with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
-          runner_name: ${{ needs.create_runner.outputs.runner_name }}
-          pat_token: ${{ secrets.BOT_TOKEN }}
diff --git a/.github/workflows/ioweb_prod_ci.yml b/.github/workflows/ioweb_prod_ci.yml
@@ -8,6 +8,7 @@ on:
       - edited
       - synchronize
       - reopened
+      - ready_for_review
     paths:
       - "src/domains/ioweb**"
       - ".github/workflows/ioweb_prod**"
@@ -21,30 +22,11 @@ env:
   AZURE_ENVIRONMENT: prod
 
 jobs:
-  create_runner:
-    name: Create Runner
-    runs-on: ubuntu-22.04
-    environment: prod-runner
-    outputs:
-      runner_name: ${{ steps.create_github_runner.outputs.runner_name }}
-    steps:
-      - name: Create GitHub Runner
-        id: create_github_runner
-        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
-        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
-        with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
-          resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
-          pat_token: ${{ secrets.BOT_TOKEN }}
 
   terraform_plan_job:
     name: Terraform Plan
-    runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"]
+    runs-on: self-hosted
     environment: prod-ci
-    needs: create_runner
     steps:
       - name: Checkout
         id: checkout
@@ -63,47 +45,18 @@ jobs:
         # from https://github.com/pagopa/terraform-plan-azure-action/commits/main
         uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b
         with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID_CI }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           dir: ${{ env.DIR }}-common
           azure_environment: prod
 
-      # - name: Terraform plan app (weu-beta)
-      #   # from https://github.com/pagopa/terraform-plan-azure-action/commits/main
-      #   uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b
-      #   with:
-      #     client_id: ${{ secrets.AZURE_CLIENT_ID }}
-      #     tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-      #     subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-      #     dir: ${{ env.DIR }}-app
-      #     azure_environment: weu-beta
-
       - name: Terraform plan app (weu-prod01)
         # from https://github.com/pagopa/terraform-plan-azure-action/commits/main
         uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b
         with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID_CI }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           dir: ${{ env.DIR }}-app
           azure_environment: weu-prod01
-
-  cleanup_runner:
-    name: Cleanup Runner
-    if: always()
-    runs-on: ubuntu-22.04
-    environment: prod-runner
-    needs: [create_runner, terraform_plan_job]
-    steps:
-      - name: Cleanup GitHub Runner
-        id: cleanup_github_runner
-        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-cleanup-action
-        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@main
-        with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
-          runner_name: ${{ needs.create_runner.outputs.runner_name }}
-          pat_token: ${{ secrets.BOT_TOKEN }}
diff --git a/.github/workflows/ioweb_prod_drift.yml b/.github/workflows/ioweb_prod_drift.yml
@@ -14,30 +14,11 @@ env:
   AZURE_ENVIRONMENT: prod
 
 jobs:
-  create_runner:
-    name: Create Runner
-    runs-on: ubuntu-22.04
-    environment: prod-runner
-    outputs:
-      runner_name: ${{ steps.create_github_runner.outputs.runner_name }}
-    steps:
-      - name: Create GitHub Runner
-        id: create_github_runner
-        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
-        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
-        with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }}
-          resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
-          pat_token: ${{ secrets.BOT_TOKEN }}
 
   terraform_driftdetection_job:
     name: Terraform Drift Detection
-    runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"]
+    runs-on: self-hosted
     environment: prod-ci
-    needs: create_runner
     steps:
       - name: Checkout
         id: checkout
@@ -56,48 +37,18 @@ jobs:
         # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main
         uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c
         with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID_CI }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           dir: ${{ env.DIR }}-common
           azure_environment: prod
 
-      # - name: Terraform drift detection app (weu-beta)
-      #   # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main
-      #   uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c
-      #   with:
-      #     client_id: ${{ secrets.AZURE_CLIENT_ID }}
-      #     tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-      #     subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-      #     dir: ${{ env.DIR }}-app
-      #     azure_environment: weu-beta
-
       - name: Terraform drift detection app (weu-prod01)
         # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main
         uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c
         with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID_CI }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           dir: ${{ env.DIR }}-app
           azure_environment: weu-prod01
-
-  cleanup_runner:
-    name: Cleanup Runner
-    if: always()
-    runs-on: ubuntu-22.04
-    environment: prod-runner
-    needs: [create_runner, terraform_driftdetection_job]
-    steps:
-      - name: Cleanup GitHub Runner
-        id: cleanup_github_runner
-        # from https://github.com/pagopa/github-self-hosted-runner-azure-cleanup-action/commits/main
-        uses: pagopa/github-self-hosted-runner-azure-cleanup-action@97731a35e6ffc79b66c4dfd2aae5e4fd04e3ebb5
-        with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }}
-          runner_name: ${{ needs.create_runner.outputs.runner_name }}
-          pat_token: ${{ secrets.BOT_TOKEN }}
-