From cfa7240de0477f73c88aa99ba53b70e715748532 Mon Sep 17 00:00:00 2001 From: Andrea Grillo Date: Fri, 5 Jan 2024 11:10:08 +0100 Subject: [PATCH] [EC-62] Migrate pipelines to container app jobs and managed identities (#811) --- .github/workflows/ioweb_prod_cd.yml | 73 ++----------------- .github/workflows/ioweb_prod_ci.yml | 55 +------------- .github/workflows/ioweb_prod_drift.yml | 55 +------------- .github/workflows/prod_cd_citizen-auth.yml | 56 +++----------- .github/workflows/prod_ci_citizen-auth.yml | 47 ++---------- .github/workflows/prod_drift_citizen-auth.yml | 47 +----------- .identity/env/prod/terraform.tfvars | 3 +- CODEOWNERS | 4 +- src/core/README.md | 4 + src/core/data.tf | 16 +++- src/core/keyvault_access_policy.tf | 23 ++++++ .../citizen-auth-common/02_key_vault.tf | 23 ++++++ src/domains/citizen-auth-common/06_data.tf | 13 ++++ src/domains/citizen-auth-common/README.md | 4 + src/domains/ioweb-common/02_security.tf | 23 ++++++ src/domains/ioweb-common/07_data.tf | 13 ++++ src/domains/ioweb-common/README.md | 4 + 17 files changed, 157 insertions(+), 306 deletions(-) create mode 100644 src/domains/citizen-auth-common/06_data.tf create mode 100644 src/domains/ioweb-common/07_data.tf diff --git a/.github/workflows/ioweb_prod_cd.yml b/.github/workflows/ioweb_prod_cd.yml index c328598ad..2c89f0938 100644 --- a/.github/workflows/ioweb_prod_cd.yml +++ b/.github/workflows/ioweb_prod_cd.yml @@ -2,7 +2,6 @@ name: Continuous Delivery on prod ioweb on: workflow_dispatch: - # Trigger the workflow on push on the main branch push: branches: - main 
@@ -19,30 +18,11 @@ env: AZURE_ENVIRONMENT: prod jobs: - create_runner: - name: Create Runner - runs-on: ubuntu-22.04 - environment: prod-runner - outputs: - runner_name: ${{ steps.create_github_runner.outputs.runner_name }} - steps: - - name: Create GitHub Runner - id: create_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - pat_token: ${{ secrets.BOT_TOKEN }} terraform_preapply_job: name: Terraform Pre Apply - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-ci - needs: create_runner steps: - name: Checkout id: checkout 
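Review bot: `runs-on: self-hosted` on terraform_preapply_job matches any runner registered with the generic `self-hosted` label, whereas the removed form pinned the job to the runner created for that run; a prod job can therefore be picked up by any other self-hosted runner in the organisation carrying that label, and a shared generic label is also what lets a non-ephemeral runner retain state between unrelated jobs. Pin the job to the label the container-app job registers, `runs-on: [self-hosted, <runner-label>]` (placeholder for the real label), so scheduling is explicit, and consider a `timeout-minutes:` on the job since nothing fails fast any more when the pool is empty. The same line appears in terraform_apply_job below and in ioweb_prod_ci.yml, ioweb_prod_drift.yml, prod_cd_citizen-auth.yml, prod_ci_citizen-auth.yml and prod_drift_citizen-auth.yml. The job body continues outside this hunk.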
@@ -61,27 +41,17 @@ jobs: # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common azure_environment: prod - # - name: Terraform pre apply app (weu-beta) - # # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main - # uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd - # with: - # client_id: ${{ secrets.AZURE_CLIENT_ID }} - # tenant_id: ${{ secrets.AZURE_TENANT_ID }} - # subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # dir: ${{ env.DIR }}-app - # azure_environment: weu-beta - - name: Terraform pre apply app (weu-prod01) # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app 
@@ -89,55 +59,26 @@ jobs: terraform_apply_job: name: Terraform Apply - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-cd - needs: [create_runner, terraform_preapply_job] + needs: [terraform_preapply_job] steps: - name: Terraform apply common # from https://github.com/pagopa/terraform-apply-azure-action/commits/main uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CD }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common azure_environment: prod - # - name: Terraform apply app (weu-beta) - # # from https://github.com/pagopa/terraform-apply-azure-action/commits/main - # uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab - # with: - # client_id: ${{ secrets.AZURE_CLIENT_ID }} - # tenant_id: ${{ secrets.AZURE_TENANT_ID }} - # subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # dir: ${{ env.DIR }}-app - # azure_environment: weu-beta - - name: Terraform apply app (weu-prod01) # from https://github.com/pagopa/terraform-apply-azure-action/commits/main uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CD }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app azure_environment: weu-prod01 - - cleanup_runner: - name: Cleanup Runner - if: always() - runs-on: ubuntu-22.04 - environment: prod-runner - needs: [create_runner, terraform_preapply_job, terraform_apply_job] - steps: - - name: Cleanup GitHub Runner - id: cleanup_github_runner - # from https://github.com/pagopa/github-self-hosted-runner-azure-cleanup-action/commits/main - uses: 
pagopa/github-self-hosted-runner-azure-cleanup-action@97731a35e6ffc79b66c4dfd2aae5e4fd04e3ebb5 - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - runner_name: ${{ needs.create_runner.outputs.runner_name }} - pat_token: ${{ secrets.BOT_TOKEN }} diff --git a/.github/workflows/ioweb_prod_ci.yml b/.github/workflows/ioweb_prod_ci.yml index 04f817872..ba50204bf 100644 --- a/.github/workflows/ioweb_prod_ci.yml +++ b/.github/workflows/ioweb_prod_ci.yml @@ -8,6 +8,7 @@ on: - edited - synchronize - reopened + - ready_for_review paths: - "src/domains/ioweb**" - ".github/workflows/ioweb_prod**" @@ -21,30 +22,11 @@ env: AZURE_ENVIRONMENT: prod jobs: - create_runner: - name: Create Runner - runs-on: ubuntu-22.04 - environment: prod-runner - outputs: - runner_name: ${{ steps.create_github_runner.outputs.runner_name }} - steps: - - name: Create GitHub Runner - id: create_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - pat_token: ${{ secrets.BOT_TOKEN }} terraform_plan_job: name: Terraform Plan - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-ci - needs: create_runner steps: - name: Checkout id: checkout 
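Review bot: `ready_for_review` is added to a `pull_request` trigger whose plan job (next hunk, body extending beyond it) now runs on a `self-hosted` runner under the `prod-ci` environment, so if pull requests from forks are accepted the runner executes code from an untrusted branch with the CI identity's federated credential reachable from it. The trigger itself predates this change, so this may already be covered by repository settings (fork workflow approval, environment deployment-branch rules) — confirm, and if not, either restrict the environment's deployment branches or gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository`. The same trigger change is in prod_ci_citizen-auth.yml.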
@@ -63,47 +45,18 @@ jobs: # from https://github.com/pagopa/terraform-plan-azure-action/commits/main uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common azure_environment: prod - # - name: Terraform plan app (weu-beta) - # # from https://github.com/pagopa/terraform-plan-azure-action/commits/main - # uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b - # with: - # client_id: ${{ secrets.AZURE_CLIENT_ID }} - # tenant_id: ${{ secrets.AZURE_TENANT_ID }} - # subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # dir: ${{ env.DIR }}-app - # azure_environment: weu-beta - - name: Terraform plan app (weu-prod01) # from https://github.com/pagopa/terraform-plan-azure-action/commits/main uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app azure_environment: weu-prod01 - - cleanup_runner: - name: Cleanup Runner - if: always() - runs-on: ubuntu-22.04 - environment: prod-runner - needs: [create_runner, terraform_plan_job] - steps: - - name: Cleanup GitHub Runner - id: cleanup_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-cleanup-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - runner_name: ${{ 
needs.create_runner.outputs.runner_name }} - pat_token: ${{ secrets.BOT_TOKEN }} diff --git a/.github/workflows/ioweb_prod_drift.yml b/.github/workflows/ioweb_prod_drift.yml index 10ce70a4a..1b01f9865 100644 --- a/.github/workflows/ioweb_prod_drift.yml +++ b/.github/workflows/ioweb_prod_drift.yml @@ -14,30 +14,11 @@ env: AZURE_ENVIRONMENT: prod jobs: - create_runner: - name: Create Runner - runs-on: ubuntu-22.04 - environment: prod-runner - outputs: - runner_name: ${{ steps.create_github_runner.outputs.runner_name }} - steps: - - name: Create GitHub Runner - id: create_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - pat_token: ${{ secrets.BOT_TOKEN }} terraform_driftdetection_job: name: Terraform Drift Detection - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-ci - needs: create_runner steps: - name: Checkout id: checkout 
@@ -56,48 +37,18 @@ jobs: # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common azure_environment: prod - # - name: Terraform drift detection app (weu-beta) - # # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main - # uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c - # with: - # client_id: ${{ secrets.AZURE_CLIENT_ID }} - # tenant_id: ${{ secrets.AZURE_TENANT_ID }} - # subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # dir: ${{ env.DIR }}-app - # azure_environment: weu-beta - - name: Terraform drift detection app (weu-prod01) # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app azure_environment: weu-prod01 - - cleanup_runner: - name: Cleanup Runner - if: always() - runs-on: ubuntu-22.04 - environment: prod-runner - needs: [create_runner, terraform_driftdetection_job] - steps: - - name: Cleanup GitHub Runner - id: cleanup_github_runner - # from https://github.com/pagopa/github-self-hosted-runner-azure-cleanup-action/commits/main - uses: pagopa/github-self-hosted-runner-azure-cleanup-action@97731a35e6ffc79b66c4dfd2aae5e4fd04e3ebb5 - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - resource_group_name: ${{ 
secrets.AZURE_RESOURCE_GROUP_NAME }} - runner_name: ${{ needs.create_runner.outputs.runner_name }} - pat_token: ${{ secrets.BOT_TOKEN }} - diff --git a/.github/workflows/prod_cd_citizen-auth.yml b/.github/workflows/prod_cd_citizen-auth.yml index faa03db37..046bd1527 100644 --- a/.github/workflows/prod_cd_citizen-auth.yml +++ b/.github/workflows/prod_cd_citizen-auth.yml @@ -19,30 +19,11 @@ env: AZURE_ENVIRONMENT: prod jobs: - create_runner: - name: Create Runner - runs-on: ubuntu-22.04 - environment: prod-runner - outputs: - runner_name: ${{ steps.create_github_runner.outputs.runner_name }} - steps: - - name: Create GitHub Runner - id: create_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - pat_token: ${{ secrets.BOT_TOKEN }} terraform_preapply_job: name: Terraform Pre Apply - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-ci - needs: create_runner steps: - name: Checkout id: checkout @@ -61,7 +42,7 @@ jobs: # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common 
@@ -71,7 +52,7 @@ jobs: # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app @@ -81,7 +62,7 @@ jobs: # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app @@ -89,15 +70,15 @@ jobs: terraform_apply_job: name: Terraform Apply - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-cd - needs: [create_runner, terraform_preapply_job] + needs: [terraform_preapply_job] steps: - name: Terraform apply common # from https://github.com/pagopa/terraform-apply-azure-action/commits/main uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CD }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common @@ -107,7 +88,7 @@ jobs: # from https://github.com/pagopa/terraform-apply-azure-action/commits/main uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CD }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app 
@@ -117,27 +98,8 @@ jobs: # from https://github.com/pagopa/terraform-apply-azure-action/commits/main uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CD }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app azure_environment: weu-prod01 - - cleanup_runner: - name: Cleanup Runner - if: always() - runs-on: ubuntu-22.04 - environment: prod-runner - needs: [create_runner, terraform_preapply_job, terraform_apply_job] - steps: - - name: Cleanup GitHub Runner - id: cleanup_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-cleanup-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - runner_name: ${{ needs.create_runner.outputs.runner_name }} - pat_token: ${{ secrets.BOT_TOKEN }} diff --git a/.github/workflows/prod_ci_citizen-auth.yml b/.github/workflows/prod_ci_citizen-auth.yml index 6535bc98e..c27d8e23a 100644 --- a/.github/workflows/prod_ci_citizen-auth.yml +++ b/.github/workflows/prod_ci_citizen-auth.yml @@ -8,6 +8,7 @@ on: - edited - synchronize - reopened + - ready_for_review paths: - "src/domains/citizen-auth**" - ".github/workflows/prod**citizen-auth.yml" 
@@ -21,30 +22,11 @@ env: AZURE_ENVIRONMENT: prod jobs: - create_runner: - name: Create Runner - runs-on: ubuntu-22.04 - environment: prod-runner - outputs: - runner_name: ${{ steps.create_github_runner.outputs.runner_name }} - steps: - - name: Create GitHub Runner - id: create_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - pat_token: ${{ secrets.BOT_TOKEN }} terraform_plan_job: name: Terraform Plan - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-ci - needs: create_runner steps: - name: Checkout id: checkout @@ -63,7 +45,7 @@ jobs: # from https://github.com/pagopa/terraform-plan-azure-action/commits/main uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common @@ -73,7 +55,7 @@ jobs: # from https://github.com/pagopa/terraform-plan-azure-action/commits/main uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app 
@@ -83,27 +65,8 @@ jobs: # from https://github.com/pagopa/terraform-plan-azure-action/commits/main uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app azure_environment: weu-prod01 - - cleanup_runner: - name: Cleanup Runner - if: always() - runs-on: ubuntu-22.04 - environment: prod-runner - needs: [create_runner, terraform_plan_job] - steps: - - name: Cleanup GitHub Runner - id: cleanup_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-cleanup-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - runner_name: ${{ needs.create_runner.outputs.runner_name }} - pat_token: ${{ secrets.BOT_TOKEN }} diff --git a/.github/workflows/prod_drift_citizen-auth.yml b/.github/workflows/prod_drift_citizen-auth.yml index 36a172acc..5878a5873 100644 --- a/.github/workflows/prod_drift_citizen-auth.yml +++ b/.github/workflows/prod_drift_citizen-auth.yml 
@@ -14,30 +14,11 @@ env: AZURE_ENVIRONMENT: prod jobs: - create_runner: - name: Create Runner - runs-on: ubuntu-22.04 - environment: prod-runner - outputs: - runner_name: ${{ steps.create_github_runner.outputs.runner_name }} - steps: - - name: Create GitHub Runner - id: create_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - pat_token: ${{ secrets.BOT_TOKEN }} terraform_driftdetection_job: name: Terraform Drift Detection - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-ci - needs: create_runner steps: - name: Checkout id: checkout @@ -56,7 +37,7 @@ jobs: # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common @@ -66,7 +47,7 @@ jobs: # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app 
@@ -76,28 +57,8 @@ jobs: # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app azure_environment: weu-prod01 - - cleanup_runner: - name: Cleanup Runner - if: always() - runs-on: ubuntu-22.04 - environment: prod-runner - needs: [create_runner, terraform_driftdetection_job] - steps: - - name: Cleanup GitHub Runner - id: cleanup_github_runner - # from https://github.com/pagopa/github-self-hosted-runner-azure-cleanup-action/commits/main - uses: pagopa/github-self-hosted-runner-azure-cleanup-action@97731a35e6ffc79b66c4dfd2aae5e4fd04e3ebb5 - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - runner_name: ${{ needs.create_runner.outputs.runner_name }} - pat_token: ${{ secrets.BOT_TOKEN }} - diff --git a/.identity/env/prod/terraform.tfvars b/.identity/env/prod/terraform.tfvars index 1e5e26665..3bd4aaa76 100644 --- a/.identity/env/prod/terraform.tfvars +++ b/.identity/env/prod/terraform.tfvars @@ -13,7 +13,6 @@ github_repository_environment_cd = { protected_branches = true custom_branch_policies = false reviewers_teams = [ - "infrastructure-admins", "io-backend-admin", "io-backend-contributors", ] @@ -29,7 +28,7 @@ ci_github_federations = [ cd_github_federations = [ { repository = "io-infra" - subject = "prod-ci" + subject = "prod-cd" } ] diff --git a/CODEOWNERS b/CODEOWNERS index a16713bb9..36b5de6f2 100644 --- a/CODEOWNERS +++ b/CODEOWNERS 
@@ -1,5 +1,5 @@
 # see https://help.github.com/en/articles/about-code-owners#example-of-a-codeowners-file
-* @pagopa/infrastructure-admins @pagopa/io-backend-admin @pagopa/io-backend-contributors
+* @pagopa/io-backend-admin @pagopa/io-backend-contributors
-/src/domains/sign @pagopa/infrastructure-admins @pagopa/io-backend-admin @pagopa/io-backend-contributors @pagopa/io-sign-maintainers
+/src/domains/sign @pagopa/io-backend-admin @pagopa/io-backend-contributors @pagopa/io-sign-maintainers
diff --git a/src/core/README.md b/src/core/README.md
index 6b53aebe8..108e1464c 100644
--- a/src/core/README.md
+++ b/src/core/README.md
@@ -221,6 +221,8 @@
 | [azurerm_dns_zone.io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone) | resource |
 | [azurerm_dns_zone.io_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone) | resource |
 | [azurerm_dns_zone.ioweb_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone) | resource |
+| [azurerm_key_vault_access_policy.access_policy_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.access_policy_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.adgroup_admin_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
@@ -576,6 +578,8 @@
 | [azurerm_subnet.ioweb_profile_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subnet.services_cms_backoffice_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_user_assigned_identity.managed_identity_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
+| [azurerm_user_assigned_identity.managed_identity_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
 ## Inputs
diff --git a/src/core/data.tf b/src/core/data.tf
index 97ce1b275..0a7840dc1 100644
--- a/src/core/data.tf
+++ b/src/core/data.tf
@@ -298,4 +298,18 @@ data "azurerm_subnet" "services_cms_backoffice_snet" {
 data "azurerm_storage_account" "citizen_auth_common" {
 name = "iopweucitizenauthst"
 resource_group_name = "io-p-citizen-auth-data-rg"
-}
\ No newline at end of file
+}
+
+#
+# MANAGED IDENTITIES
+#
+
+data "azurerm_user_assigned_identity" "managed_identity_io_infra_ci" {
+ name = "${local.project}-infra-github-ci-identity"
+ resource_group_name = "${local.project}-identity-rg"
+}
+
+data "azurerm_user_assigned_identity" "managed_identity_io_infra_cd" {
+ name = "${local.project}-infra-github-cd-identity"
+ resource_group_name = "${local.project}-identity-rg"
+}
diff --git a/src/core/keyvault_access_policy.tf b/src/core/keyvault_access_policy.tf
index 28b3cc4e5..0b349e517 100644
--- a/src/core/keyvault_access_policy.tf
+++ b/src/core/keyvault_access_policy.tf
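Review bot: The two managed-identity data sources build the identity name and resource group from `local.project`, while the identical data sources added in src/domains/citizen-auth-common/06_data.tf build them from `local.product`; unless both locals evaluate to the same prefix in their respective modules, the core stack and the domain stack resolve different identities (or fail at plan time), and the ioweb-common copy, whose hunk is not shown here, presumably follows one of the two. A comment on each data source naming what it is expected to resolve would make a prefix mismatch visible in review, e.g. `# GitHub-federated identity assumed by the prod-ci environment; name presumably provisioned under .identity`.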
@@ -29,6 +29,29 @@ resource "azurerm_key_vault_access_policy" "adgroup_admin_common" {
 certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
 }
+# kv-common managed identities reader policy
+resource "azurerm_key_vault_access_policy" "access_policy_io_infra_ci" {
+ key_vault_id = module.key_vault_common.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_ci.principal_id
+
+ key_permissions = ["Get", "List"]
+ secret_permissions = ["Get", "List"]
+ certificate_permissions = ["Get", "List"]
+}
+
+resource "azurerm_key_vault_access_policy" "access_policy_io_infra_cd" {
+ key_vault_id = module.key_vault_common.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_cd.principal_id
+
+ key_permissions = ["Get", "List"]
+ secret_permissions = ["Get", "List"]
+ certificate_permissions = ["Get", "List"]
+}
+
 data "azuread_group" "adgroup_developers" {
 display_name = format("%s-adgroup-developers", local.project)
 }
diff --git a/src/domains/citizen-auth-common/02_key_vault.tf b/src/domains/citizen-auth-common/02_key_vault.tf
index 8d6e87211..5ff22af41 100644
--- a/src/domains/citizen-auth-common/02_key_vault.tf
+++ b/src/domains/citizen-auth-common/02_key_vault.tf
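Review bot: The CD identity gets the same Get/List-only policy as the CI identity, under a comment that calls it a reader policy, yet that identity is the one the apply jobs run with (AZURE_CLIENT_ID_CD in the workflow hunks); if any secret, key or certificate in kv-common is managed by this Terraform stack, apply will fail on the first write. If apply genuinely never writes to this vault, that is the right least-privilege outcome and deserves to be stated, e.g. `# CD identity is deliberately read-only: apply only reads from kv-common, never creates or updates entries`; otherwise access_policy_io_infra_cd needs exactly the write permissions for the object types Terraform manages, and no more. The same CI/CD policy pair is repeated in src/domains/citizen-auth-common/02_key_vault.tf, where the same question applies.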
@@ -44,6 +44,29 @@ resource "azurerm_key_vault_access_policy" "adgroup_developers" {
 certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
 }
+## io-p-citizen-auth-kv managed identities reader policy ##
+resource "azurerm_key_vault_access_policy" "access_policy_io_infra_ci" {
+ key_vault_id = module.key_vault.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_ci.principal_id
+
+ key_permissions = ["Get", "List"]
+ secret_permissions = ["Get", "List"]
+ certificate_permissions = ["Get", "List"]
+}
+
+resource "azurerm_key_vault_access_policy" "access_policy_io_infra_cd" {
+ key_vault_id = module.key_vault.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_cd.principal_id
+
+ key_permissions = ["Get", "List"]
+ secret_permissions = ["Get", "List"]
+ certificate_permissions = ["Get", "List"]
+}
+
 #
 # azure devops policy
 #
diff --git a/src/domains/citizen-auth-common/06_data.tf b/src/domains/citizen-auth-common/06_data.tf
new file mode 100644
index 000000000..b2fb3a94a
--- /dev/null
+++ b/src/domains/citizen-auth-common/06_data.tf
@@ -0,0 +1,13 @@
+#
+# MANAGED IDENTITIES
+#
+
+data "azurerm_user_assigned_identity" "managed_identity_io_infra_ci" {
+ name = "${local.product}-infra-github-ci-identity"
+ resource_group_name = "${local.product}-identity-rg"
+}
+
+data "azurerm_user_assigned_identity" "managed_identity_io_infra_cd" {
+ name = "${local.product}-infra-github-cd-identity"
+ resource_group_name = "${local.product}-identity-rg"
+}
diff --git a/src/domains/citizen-auth-common/README.md b/src/domains/citizen-auth-common/README.md
index 277e9e64c..0f8b59354 100644
--- a/src/domains/citizen-auth-common/README.md
+++ b/src/domains/citizen-auth-common/README.md
@@ -45,6 +45,8 @@
 | [azurerm_cosmosdb_sql_container.fims_interaction](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_container) | resource |
 | [azurerm_cosmosdb_sql_container.fims_session](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_container) | resource |
 | [azurerm_cosmosdb_sql_container.lollipop_pubkeys](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_container) | resource |
+| [azurerm_key_vault_access_policy.access_policy_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.access_policy_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.azdevops_platform_iac_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
@@ -94,6 +96,8 @@ | [azurerm_subnet.azdoa_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azurerm_user_assigned_identity.managed_identity_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source | +| [azurerm_user_assigned_identity.managed_identity_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source | | [azurerm_virtual_network.vnet_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source | ## Inputs diff --git a/src/domains/ioweb-common/02_security.tf b/src/domains/ioweb-common/02_security.tf index 56cf33476..0c66d6d7e 100644 --- a/src/domains/ioweb-common/02_security.tf +++ b/src/domains/ioweb-common/02_security.tf 
@@ -43,6 +43,29 @@ resource "azurerm_key_vault_access_policy" "adgroup_developers" { certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ] } +## io-p-ioweb-kv managed identities reader policy ## +resource "azurerm_key_vault_access_policy" "access_policy_io_infra_ci" { + key_vault_id = module.key_vault.id + + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_ci.principal_id + + key_permissions = ["Get", "List"] + secret_permissions = ["Get", "List"] + certificate_permissions = ["Get", "List"] +} + +resource "azurerm_key_vault_access_policy" "access_policy_io_infra_cd" { + key_vault_id = module.key_vault.id + + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_cd.principal_id + + key_permissions = ["Get", "List"] + secret_permissions = ["Get", "List"] + certificate_permissions = ["Get", "List"] +} + # Access policy for CD pipeline data "azuread_service_principal" "github_action_iac_cd" { diff --git a/src/domains/ioweb-common/07_data.tf b/src/domains/ioweb-common/07_data.tf new file mode 100644 index 000000000..b2fb3a94a --- /dev/null +++ b/src/domains/ioweb-common/07_data.tf @@ -0,0 +1,13 @@ +# +# MANAGED IDENTITIES +# + +data "azurerm_user_assigned_identity" "managed_identity_io_infra_ci" { + name = "${local.product}-infra-github-ci-identity" + resource_group_name = "${local.product}-identity-rg" +} + +data "azurerm_user_assigned_identity" "managed_identity_io_infra_cd" { + name = "${local.product}-infra-github-cd-identity" + resource_group_name = "${local.product}-identity-rg" +} diff --git a/src/domains/ioweb-common/README.md b/src/domains/ioweb-common/README.md index 1ae4d850c..61167b1ad 100644 --- a/src/domains/ioweb-common/README.md +++ b/src/domains/ioweb-common/README.md 
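Review bot: The new managed-identity policies in src/domains/ioweb-common/02_security.tf are inserted directly above the existing `# Access policy for CD pipeline` / `data "azuread_service_principal" "github_action_iac_cd"` block, which this migration leaves in place, so after the change both the old service principal and the new CD identity appear to hold read access to the vault. If the old policy is kept on purpose for the cut-over, mark it with a removal condition, e.g. `# TODO: remove once CD runs only as managed_identity_io_infra_cd`; otherwise the service-principal policy belongs in this change as a deletion. The old block's body lies outside the hunk, so its actual grant is inferred from the comment only.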
@@ -28,6 +28,8 @@
 | Name | Type |
 |------|------|
 | [azurerm_api_management_api_operation_policy.spid_acs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
+| [azurerm_key_vault_access_policy.access_policy_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.access_policy_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
 | [azurerm_key_vault_access_policy.azdevops_platform_iac_policy_ioweb_kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
@@ -72,6 +74,8 @@ | [azurerm_subnet.ioweb_profile_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source | | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source | +| [azurerm_user_assigned_identity.managed_identity_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source | +| [azurerm_user_assigned_identity.managed_identity_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source | | [azurerm_virtual_network.vnet_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source | ## Inputs