From 73ea4b635d8b61d2872f1b2703bce0d8f117a219 Mon Sep 17 00:00:00 2001 From: Andrea Grillo Date: Fri, 22 Dec 2023 12:36:44 +0100 Subject: [PATCH 01/11] remove custom gh runner from pipelines --- .github/workflows/ioweb_prod_cd.yml | 65 +------------------ .github/workflows/ioweb_prod_ci.yml | 50 +------------- .github/workflows/ioweb_prod_drift.yml | 51 +-------------- .github/workflows/prod_cd_citizen-auth.yml | 44 +------------ .github/workflows/prod_ci_citizen-auth.yml | 40 +----------- .github/workflows/prod_drift_citizen-auth.yml | 41 +----------- 6 files changed, 10 insertions(+), 281 deletions(-) diff --git a/.github/workflows/ioweb_prod_cd.yml b/.github/workflows/ioweb_prod_cd.yml index c328598ad..ec45d8836 100644 --- a/.github/workflows/ioweb_prod_cd.yml +++ b/.github/workflows/ioweb_prod_cd.yml @@ -2,7 +2,6 @@ name: Continuous Delivery on prod ioweb on: workflow_dispatch: - # Trigger the workflow on push on the main branch push: branches: - main 
@@ -19,30 +18,11 @@ env: AZURE_ENVIRONMENT: prod jobs: - create_runner: - name: Create Runner - runs-on: ubuntu-22.04 - environment: prod-runner - outputs: - runner_name: ${{ steps.create_github_runner.outputs.runner_name }} - steps: - - name: Create GitHub Runner - id: create_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - pat_token: ${{ secrets.BOT_TOKEN }} terraform_preapply_job: name: Terraform Pre Apply - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-ci - needs: create_runner steps: - name: Checkout id: checkout @@ -67,16 +47,6 @@ jobs: dir: ${{ env.DIR }}-common azure_environment: prod - # - name: Terraform pre apply app (weu-beta) - # # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main - # uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd - # with: - # client_id: ${{ secrets.AZURE_CLIENT_ID }} - # tenant_id: ${{ secrets.AZURE_TENANT_ID }} - # subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # dir: ${{ env.DIR }}-app - # azure_environment: weu-beta - - name: Terraform pre apply app (weu-prod01) # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd 
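Review bot: The bare `self-hosted` label on `terraform_preapply_job` matches any self-hosted runner registered to the repository or organisation, so a job holding the prod-ci federated identity can land on whichever machine happens to carry that label. The job it replaces ran on a runner created for the run and deleted afterwards (the removed `create_runner` job), which bounded what an earlier run could leave behind; the replacement runner is declared nowhere in this series, so whether it is ephemeral is unknown. I would pin a dedicated label and runner group, `runs-on: [self-hosted, io-prod-iac]`, and register that runner with `--ephemeral` so `.terraform` directories, plugin caches and any cached Azure login do not survive between runs. The job's remaining steps are outside this hunk.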
@@ -89,9 +59,9 @@ jobs: terraform_apply_job: name: Terraform Apply - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-cd - needs: [create_runner, terraform_preapply_job] + needs: [terraform_preapply_job] steps: - name: Terraform apply common # from https://github.com/pagopa/terraform-apply-azure-action/commits/main @@ -103,16 +73,6 @@ jobs: dir: ${{ env.DIR }}-common azure_environment: prod - # - name: Terraform apply app (weu-beta) - # # from https://github.com/pagopa/terraform-apply-azure-action/commits/main - # uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab - # with: - # client_id: ${{ secrets.AZURE_CLIENT_ID }} - # tenant_id: ${{ secrets.AZURE_TENANT_ID }} - # subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # dir: ${{ env.DIR }}-app - # azure_environment: weu-beta - - name: Terraform apply app (weu-prod01) # from https://github.com/pagopa/terraform-apply-azure-action/commits/main uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab @@ -122,22 +82,3 @@ jobs: subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app azure_environment: weu-prod01 - - cleanup_runner: - name: Cleanup Runner - if: always() - runs-on: ubuntu-22.04 - environment: prod-runner - needs: [create_runner, terraform_preapply_job, terraform_apply_job] - steps: - - name: Cleanup GitHub Runner - id: cleanup_github_runner - # from https://github.com/pagopa/github-self-hosted-runner-azure-cleanup-action/commits/main - uses: pagopa/github-self-hosted-runner-azure-cleanup-action@97731a35e6ffc79b66c4dfd2aae5e4fd04e3ebb5 - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - runner_name: ${{ needs.create_runner.outputs.runner_name }} - pat_token: ${{ secrets.BOT_TOKEN }} 
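Review bot: `terraform_apply_job` still has no checkout step of its own — its first step is the `terraform-apply-azure-action` call — so it relies on the working tree that `terraform_preapply_job` prepared. That held when both jobs ran on the single runner created per workflow run; with `runs-on: self-hosted` the two jobs can be scheduled onto different runners, and a persistent runner keeps whatever tree a previous run left, so the apply could execute against an absent or stale checkout instead of `github.sha`. Unless the action clones the repository itself (not visible here), add an explicit first step pinned the way the other actions in this file are, `- uses: actions/checkout@<sha>` with `ref: ${{ github.sha }}`. The apply steps continue past the end of this hunk.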
diff --git a/.github/workflows/ioweb_prod_ci.yml b/.github/workflows/ioweb_prod_ci.yml index 04f817872..f4fbb98d0 100644 --- a/.github/workflows/ioweb_prod_ci.yml +++ b/.github/workflows/ioweb_prod_ci.yml @@ -21,30 +21,11 @@ env: AZURE_ENVIRONMENT: prod jobs: - create_runner: - name: Create Runner - runs-on: ubuntu-22.04 - environment: prod-runner - outputs: - runner_name: ${{ steps.create_github_runner.outputs.runner_name }} - steps: - - name: Create GitHub Runner - id: create_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - pat_token: ${{ secrets.BOT_TOKEN }} terraform_plan_job: name: Terraform Plan - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-ci - needs: create_runner steps: - name: Checkout id: checkout @@ -69,16 +50,6 @@ jobs: dir: ${{ env.DIR }}-common azure_environment: prod - # - name: Terraform plan app (weu-beta) - # # from https://github.com/pagopa/terraform-plan-azure-action/commits/main - # uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b - # with: - # client_id: ${{ secrets.AZURE_CLIENT_ID }} - # tenant_id: ${{ secrets.AZURE_TENANT_ID }} - # subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # dir: ${{ env.DIR }}-app - # azure_environment: weu-beta - - name: Terraform plan app (weu-prod01) # from https://github.com/pagopa/terraform-plan-azure-action/commits/main uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b 
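Review bot: `terraform_plan_job` now runs on a shared, long-lived self-hosted runner while holding the prod-ci environment's federated identity, and this workflow fires on `pull_request` events (its trigger list is visible in the later commit of this series that adds `ready_for_review`). `terraform plan` executes provider and data-source code taken from the PR branch, so a PR author controls code that runs on that runner with the CI token in its environment; the per-run runner confined that to a disposable container, whereas a persistent runner can also carry artifacts into the apply jobs that use the same `self-hosted` label. If the repository accepts pull requests from forks, GitHub's guidance is not to use self-hosted runners for them at all; at minimum give this job its own ephemeral runner group and keep the CI identity read-only. I would record that in the file: `# runner for this job must be ephemeral: plan runs PR-controlled provider code with the prod-ci identity`.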
@@ -88,22 +59,3 @@ jobs: subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app azure_environment: weu-prod01 - - cleanup_runner: - name: Cleanup Runner - if: always() - runs-on: ubuntu-22.04 - environment: prod-runner - needs: [create_runner, terraform_plan_job] - steps: - - name: Cleanup GitHub Runner - id: cleanup_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-cleanup-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - runner_name: ${{ needs.create_runner.outputs.runner_name }} - pat_token: ${{ secrets.BOT_TOKEN }} diff --git a/.github/workflows/ioweb_prod_drift.yml b/.github/workflows/ioweb_prod_drift.yml index 10ce70a4a..d3d0499b6 100644 --- a/.github/workflows/ioweb_prod_drift.yml +++ b/.github/workflows/ioweb_prod_drift.yml 
@@ -14,30 +14,11 @@ env: AZURE_ENVIRONMENT: prod jobs: - create_runner: - name: Create Runner - runs-on: ubuntu-22.04 - environment: prod-runner - outputs: - runner_name: ${{ steps.create_github_runner.outputs.runner_name }} - steps: - - name: Create GitHub Runner - id: create_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - pat_token: ${{ secrets.BOT_TOKEN }} terraform_driftdetection_job: name: Terraform Drift Detection - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-ci - needs: create_runner steps: - name: Checkout id: checkout @@ -62,16 +43,6 @@ jobs: dir: ${{ env.DIR }}-common azure_environment: prod - # - name: Terraform drift detection app (weu-beta) - # # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main - # uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c - # with: - # client_id: ${{ secrets.AZURE_CLIENT_ID }} - # tenant_id: ${{ secrets.AZURE_TENANT_ID }} - # subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - # dir: ${{ env.DIR }}-app - # azure_environment: weu-beta - - name: Terraform drift detection app (weu-prod01) # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c 
@@ -81,23 +52,3 @@ jobs: subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app azure_environment: weu-prod01 - - cleanup_runner: - name: Cleanup Runner - if: always() - runs-on: ubuntu-22.04 - environment: prod-runner - needs: [create_runner, terraform_driftdetection_job] - steps: - - name: Cleanup GitHub Runner - id: cleanup_github_runner - # from https://github.com/pagopa/github-self-hosted-runner-azure-cleanup-action/commits/main - uses: pagopa/github-self-hosted-runner-azure-cleanup-action@97731a35e6ffc79b66c4dfd2aae5e4fd04e3ebb5 - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - runner_name: ${{ needs.create_runner.outputs.runner_name }} - pat_token: ${{ secrets.BOT_TOKEN }} - diff --git a/.github/workflows/prod_cd_citizen-auth.yml b/.github/workflows/prod_cd_citizen-auth.yml index faa03db37..d0b251893 100644 --- a/.github/workflows/prod_cd_citizen-auth.yml +++ b/.github/workflows/prod_cd_citizen-auth.yml 
@@ -19,30 +19,11 @@ env: AZURE_ENVIRONMENT: prod jobs: - create_runner: - name: Create Runner - runs-on: ubuntu-22.04 - environment: prod-runner - outputs: - runner_name: ${{ steps.create_github_runner.outputs.runner_name }} - steps: - - name: Create GitHub Runner - id: create_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - pat_token: ${{ secrets.BOT_TOKEN }} terraform_preapply_job: name: Terraform Pre Apply - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-ci - needs: create_runner steps: - name: Checkout id: checkout @@ -89,9 +70,9 @@ jobs: terraform_apply_job: name: Terraform Apply - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-cd - needs: [create_runner, terraform_preapply_job] + needs: [terraform_preapply_job] steps: - name: Terraform apply common # from https://github.com/pagopa/terraform-apply-azure-action/commits/main 
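Review bot: `terraform_apply_job` opens directly with the `terraform-apply-azure-action` step and has no checkout, so it assumes the working tree prepared by `terraform_preapply_job` is still present; with both jobs on the generic `self-hosted` label they may run on different runners, and a persistent runner keeps the tree of whatever run used it last. Unless the action clones the repository itself (not visible here), add a SHA-pinned `actions/checkout` with `ref: ${{ github.sha }}` as the first apply step, and pin both jobs to a dedicated label such as `runs-on: [self-hosted, io-prod-iac]` so the prod-cd identity cannot be scheduled onto an arbitrary runner. Both jobs' step lists continue beyond this hunk.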
@@ -122,22 +103,3 @@ jobs: subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app azure_environment: weu-prod01 - - cleanup_runner: - name: Cleanup Runner - if: always() - runs-on: ubuntu-22.04 - environment: prod-runner - needs: [create_runner, terraform_preapply_job, terraform_apply_job] - steps: - - name: Cleanup GitHub Runner - id: cleanup_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-cleanup-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - runner_name: ${{ needs.create_runner.outputs.runner_name }} - pat_token: ${{ secrets.BOT_TOKEN }} diff --git a/.github/workflows/prod_ci_citizen-auth.yml b/.github/workflows/prod_ci_citizen-auth.yml index 6535bc98e..685d4087e 100644 --- a/.github/workflows/prod_ci_citizen-auth.yml +++ b/.github/workflows/prod_ci_citizen-auth.yml 
@@ -21,30 +21,11 @@ env: AZURE_ENVIRONMENT: prod jobs: - create_runner: - name: Create Runner - runs-on: ubuntu-22.04 - environment: prod-runner - outputs: - runner_name: ${{ steps.create_github_runner.outputs.runner_name }} - steps: - - name: Create GitHub Runner - id: create_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - pat_token: ${{ secrets.BOT_TOKEN }} terraform_plan_job: name: Terraform Plan - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-ci - needs: create_runner steps: - name: Checkout id: checkout @@ -88,22 +69,3 @@ jobs: subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app azure_environment: weu-prod01 - - cleanup_runner: - name: Cleanup Runner - if: always() - runs-on: ubuntu-22.04 - environment: prod-runner - needs: [create_runner, terraform_plan_job] - steps: - - name: Cleanup GitHub Runner - id: cleanup_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-cleanup-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - runner_name: ${{ needs.create_runner.outputs.runner_name }} - pat_token: ${{ secrets.BOT_TOKEN }} 
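Review bot: With the per-run runner gone, the `prod-ci` environment on `terraform_plan_job` is the only control left between a pull-request push and execution with the CI federated identity on a shared runner, since the `pull_request` trigger of this file (shown in a later commit of this series) fires on every `synchronize`. Check what protection rules `prod-ci` actually carries: with required reviewers every PR push blocks until someone approves, without them the environment only selects the OIDC subject and gates nothing. Whichever is intended, say so on the key, `environment: prod-ci  # selects the OIDC subject trusted by the CI federated credential; no reviewer gate`, so the next reader does not assume the environment is a gate. The job's steps continue past the end of this hunk.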
diff --git a/.github/workflows/prod_drift_citizen-auth.yml b/.github/workflows/prod_drift_citizen-auth.yml index 36a172acc..650bdb2f1 100644 --- a/.github/workflows/prod_drift_citizen-auth.yml +++ b/.github/workflows/prod_drift_citizen-auth.yml @@ -14,30 +14,11 @@ env: AZURE_ENVIRONMENT: prod jobs: - create_runner: - name: Create Runner - runs-on: ubuntu-22.04 - environment: prod-runner - outputs: - runner_name: ${{ steps.create_github_runner.outputs.runner_name }} - steps: - - name: Create GitHub Runner - id: create_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - container_app_environment_name: ${{ secrets.AZURE_CONTAINER_APP_ENVIRONMENT_NAME }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - pat_token: ${{ secrets.BOT_TOKEN }} terraform_driftdetection_job: name: Terraform Drift Detection - runs-on: [self-hosted, "${{ needs.create_runner.outputs.runner_name }}"] + runs-on: self-hosted environment: prod-ci - needs: create_runner steps: - name: Checkout id: checkout 
@@ -81,23 +62,3 @@ jobs: subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app azure_environment: weu-prod01 - - cleanup_runner: - name: Cleanup Runner - if: always() - runs-on: ubuntu-22.04 - environment: prod-runner - needs: [create_runner, terraform_driftdetection_job] - steps: - - name: Cleanup GitHub Runner - id: cleanup_github_runner - # from https://github.com/pagopa/github-self-hosted-runner-azure-cleanup-action/commits/main - uses: pagopa/github-self-hosted-runner-azure-cleanup-action@97731a35e6ffc79b66c4dfd2aae5e4fd04e3ebb5 - with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - resource_group_name: ${{ secrets.AZURE_RESOURCE_GROUP_NAME }} - runner_name: ${{ needs.create_runner.outputs.runner_name }} - pat_token: ${{ secrets.BOT_TOKEN }} - From fd30b6734bbc0e570d9d81b40cb165c48106d6f3 Mon Sep 17 00:00:00 2001 From: Andrea Grillo Date: Fri, 22 Dec 2023 12:48:51 +0100 Subject: [PATCH 02/11] test without environment --- .github/workflows/prod_ci_citizen-auth.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/prod_ci_citizen-auth.yml b/.github/workflows/prod_ci_citizen-auth.yml index 685d4087e..0ed50d20a 100644 --- a/.github/workflows/prod_ci_citizen-auth.yml +++ b/.github/workflows/prod_ci_citizen-auth.yml @@ -25,7 +25,7 @@ jobs: terraform_plan_job: name: Terraform Plan runs-on: self-hosted - environment: prod-ci + # environment: prod-ci steps: - name: Checkout id: checkout From f1cc2486d571cd2a22004c6fd4f105ceb662bea0 Mon Sep 17 00:00:00 2001 From: Andrea Grillo Date: Tue, 2 Jan 2024 17:26:23 +0100 Subject: [PATCH 03/11] ci env --- .github/workflows/prod_ci_citizen-auth.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/prod_ci_citizen-auth.yml b/.github/workflows/prod_ci_citizen-auth.yml index 0ed50d20a..c27d8e23a 100644 
--- a/.github/workflows/prod_ci_citizen-auth.yml +++ b/.github/workflows/prod_ci_citizen-auth.yml @@ -8,6 +8,7 @@ on: - edited - synchronize - reopened + - ready_for_review paths: - "src/domains/citizen-auth**" - ".github/workflows/prod**citizen-auth.yml" @@ -25,7 +26,7 @@ jobs: terraform_plan_job: name: Terraform Plan runs-on: self-hosted - # environment: prod-ci + environment: prod-ci steps: - name: Checkout id: checkout @@ -44,7 +45,7 @@ jobs: # from https://github.com/pagopa/terraform-plan-azure-action/commits/main uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common @@ -54,7 +55,7 @@ jobs: # from https://github.com/pagopa/terraform-plan-azure-action/commits/main uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app @@ -64,7 +65,7 @@ jobs: # from https://github.com/pagopa/terraform-plan-azure-action/commits/main uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app From 8d7141df09c4e19584210a35f48ba08cad193cbb Mon Sep 17 00:00:00 2001 
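Review bot: The coupling between `environment: prod-ci` and `secrets.AZURE_CLIENT_ID_CI` is invisible in the file: the Azure side appears to trust a subject derived from the environment (the tfvars hunk later in this series keys federations by `subject = "prod-ci"` / `"prod-cd"`), so the environment line is what makes the OIDC token acceptable for that client id, which is presumably why the intermediate "test without environment" commit was reverted. Add a comment on the line, `environment: prod-ci  # required: the CI federated credential trusts the environment:prod-ci OIDC subject`, and the matching one on the `prod-cd` apply job in the CD workflow. The new `ready_for_review` type is redundant with `synchronize` unless draft PRs are skipped by an `if: !github.event.pull_request.draft` that is not visible here.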
From: Andrea Grillo Date: Wed, 3 Jan 2024 17:16:51 +0100 Subject: [PATCH 04/11] add ad group permissions --- src/core/keyvault_access_policy.tf | 16 ++++++++++++++++ src/domains/citizen-auth-common/00_azuread.tf | 4 ++++ src/domains/citizen-auth-common/02_key_vault.tf | 12 ++++++++++++ 3 files changed, 32 insertions(+) diff --git a/src/core/keyvault_access_policy.tf b/src/core/keyvault_access_policy.tf index 28b3cc4e5..fc649610e 100644 --- a/src/core/keyvault_access_policy.tf +++ b/src/core/keyvault_access_policy.tf @@ -3,6 +3,10 @@ data "azuread_group" "adgroup_admin" { display_name = format("%s-adgroup-admin", local.project) } +data "azuread_group" "adgroup_directory_readers" { + display_name = "directory-readers" +} + # kv admin policy resource "azurerm_key_vault_access_policy" "adgroup_admin" { key_vault_id = module.key_vault.id @@ -29,6 +33,18 @@ resource "azurerm_key_vault_access_policy" "adgroup_admin_common" { certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ] } +# kv-common reader policy +resource "azurerm_key_vault_access_policy" "adgroup_directory_readers" { + key_vault_id = module.key_vault_common.id + + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azuread_group.adgroup_directory_readers.object_id + + key_permissions = ["Get", "List"] + secret_permissions = ["Get", "List"] + certificate_permissions = ["Get", "List"] +} + data "azuread_group" "adgroup_developers" { display_name = format("%s-adgroup-developers", local.project) } diff --git a/src/domains/citizen-auth-common/00_azuread.tf b/src/domains/citizen-auth-common/00_azuread.tf index bfffd3a8b..e12ec33d6 100644 --- a/src/domains/citizen-auth-common/00_azuread.tf +++ b/src/domains/citizen-auth-common/00_azuread.tf 
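Review bot: `data "azuread_group" "adgroup_directory_readers"` resolves a privileged grant by `display_name = "directory-readers"`, and unlike every other group lookup in this file the name carries no `local.project` prefix. Group display names are not unique in Entra ID: the data source is expected to fail if a second group with that name appears, and any principal allowed to create groups can create one with that name, so the policy's target is whatever object the lookup returns at apply time rather than a fixed principal. Pin the principal with `object_id = "<group object id>"` (or at least add `security_enabled = true`) instead of a bare display name; the later commit in this series moves this to a single managed identity, and the same applies if a group grant survives anywhere. Note also that an access policy is vault-wide, so `secret_permissions = ["Get", "List"]` on `key_vault_common` exposes every secret in it; if the reader needs one secret, an RBAC assignment scoped to that secret is narrower.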
@@ -14,3 +14,7 @@ data "azuread_group" "adgroup_externals" { data "azuread_group" "adgroup_security" { display_name = format("%s-adgroup-security", local.product) } + +data "azuread_group" "adgroup_directory_readers" { + display_name = "directory-readers" +} diff --git a/src/domains/citizen-auth-common/02_key_vault.tf b/src/domains/citizen-auth-common/02_key_vault.tf index 8d6e87211..0358b5b24 100644 --- a/src/domains/citizen-auth-common/02_key_vault.tf +++ b/src/domains/citizen-auth-common/02_key_vault.tf @@ -44,6 +44,18 @@ resource "azurerm_key_vault_access_policy" "adgroup_developers" { certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ] } +## adgroup_directory_readers group policy ## +resource "azurerm_key_vault_access_policy" "adgroup_directory_readers" { + key_vault_id = module.key_vault.id + + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azuread_group.adgroup_directory_readers.object_id + + key_permissions = ["Get", "List"] + secret_permissions = ["Get", "List"] + certificate_permissions = ["Get", "List"] +} + # # azure devops policy # From c71a8b7ce3dbbb5e8c5d03a2a8ef91565412b1da Mon Sep 17 00:00:00 2001 From: Andrea Grillo Date: Wed, 3 Jan 2024 17:24:01 +0100 Subject: [PATCH 05/11] update other pipelines --- .github/workflows/ioweb_prod_cd.yml | 8 ++++---- .github/workflows/ioweb_prod_ci.yml | 5 +++-- .github/workflows/ioweb_prod_drift.yml | 4 ++-- .github/workflows/prod_cd_citizen-auth.yml | 12 ++++++------ .github/workflows/prod_drift_citizen-auth.yml | 6 +++--- 5 files changed, 18 insertions(+), 17 deletions(-) diff --git a/.github/workflows/ioweb_prod_cd.yml b/.github/workflows/ioweb_prod_cd.yml index ec45d8836..2c89f0938 100644 --- a/.github/workflows/ioweb_prod_cd.yml +++ b/.github/workflows/ioweb_prod_cd.yml 
@@ -41,7 +41,7 @@ jobs: # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common @@ -51,7 +51,7 @@ jobs: # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app @@ -67,7 +67,7 @@ jobs: # from https://github.com/pagopa/terraform-apply-azure-action/commits/main uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CD }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common @@ -77,7 +77,7 @@ jobs: # from https://github.com/pagopa/terraform-apply-azure-action/commits/main uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CD }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app diff --git a/.github/workflows/ioweb_prod_ci.yml b/.github/workflows/ioweb_prod_ci.yml index f4fbb98d0..ba50204bf 100644 --- a/.github/workflows/ioweb_prod_ci.yml +++ b/.github/workflows/ioweb_prod_ci.yml @@ -8,6 +8,7 @@ on: - edited - synchronize - reopened + - ready_for_review paths: - "src/domains/ioweb**" - ".github/workflows/ioweb_prod**" 
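Review bot: The `paths` filter on `ioweb_prod_ci.yml` includes the workflow file itself, and for `pull_request` events GitHub runs the workflow definition from the PR's merge commit, so a PR that edits this file chooses its own steps and still receives the `prod-ci` environment and the self-hosted runner (both keys are outside this hunk). That is the usual trade-off of plan-on-PR, but it means the CI identity and the runner must be treated as reachable by anyone who can open a PR that satisfies the environment's rules, which is why the CI/CD client-id split in the other hunks matters. Worth stating on the filter: `# PRs that edit this workflow run the edited version; keep prod-ci limited to read-only plan`.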
@@ -44,7 +45,7 @@ jobs: # from https://github.com/pagopa/terraform-plan-azure-action/commits/main uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common @@ -54,7 +55,7 @@ jobs: # from https://github.com/pagopa/terraform-plan-azure-action/commits/main uses: pagopa/terraform-plan-azure-action@392aca28cbb33f5dc28215dfb72385e136fd813b with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app diff --git a/.github/workflows/ioweb_prod_drift.yml b/.github/workflows/ioweb_prod_drift.yml index d3d0499b6..1b01f9865 100644 --- a/.github/workflows/ioweb_prod_drift.yml +++ b/.github/workflows/ioweb_prod_drift.yml @@ -37,7 +37,7 @@ jobs: # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common @@ -47,7 +47,7 @@ jobs: # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app diff --git a/.github/workflows/prod_cd_citizen-auth.yml b/.github/workflows/prod_cd_citizen-auth.yml index d0b251893..046bd1527 100644 
--- a/.github/workflows/prod_cd_citizen-auth.yml +++ b/.github/workflows/prod_cd_citizen-auth.yml @@ -42,7 +42,7 @@ jobs: # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common @@ -52,7 +52,7 @@ jobs: # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app @@ -62,7 +62,7 @@ jobs: # from https://github.com/pagopa/terraform-preapply-azure-action/commits/main uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app @@ -78,7 +78,7 @@ jobs: # from https://github.com/pagopa/terraform-apply-azure-action/commits/main uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CD }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common 
@@ -88,7 +88,7 @@ jobs: # from https://github.com/pagopa/terraform-apply-azure-action/commits/main uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CD }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app @@ -98,7 +98,7 @@ jobs: # from https://github.com/pagopa/terraform-apply-azure-action/commits/main uses: pagopa/terraform-apply-azure-action@87efc4aa9b093b99ae5fd1915977e29cd80861ab with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CD }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app diff --git a/.github/workflows/prod_drift_citizen-auth.yml b/.github/workflows/prod_drift_citizen-auth.yml index 650bdb2f1..5878a5873 100644 --- a/.github/workflows/prod_drift_citizen-auth.yml +++ b/.github/workflows/prod_drift_citizen-auth.yml @@ -37,7 +37,7 @@ jobs: # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-common @@ -47,7 +47,7 @@ jobs: # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app 
@@ -57,7 +57,7 @@ jobs: # from https://github.com/pagopa/terraform-driftdetection-azure-action/commits/main uses: pagopa/terraform-driftdetection-azure-action@71bd771b3a071c78b36e5e0ecbd666ac39b1113c with: - client_id: ${{ secrets.AZURE_CLIENT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }}-app From b8585f063421d73cb7ea3233bb4063ff7d8711b9 Mon Sep 17 00:00:00 2001 From: Andrea Grillo Date: Wed, 3 Jan 2024 17:36:43 +0100 Subject: [PATCH 06/11] add permissions --- src/domains/ioweb-common/00_azuread.tf | 4 ++++ src/domains/ioweb-common/02_security.tf | 12 ++++++++++++ 2 files changed, 16 insertions(+) diff --git a/src/domains/ioweb-common/00_azuread.tf b/src/domains/ioweb-common/00_azuread.tf index bfffd3a8b..e12ec33d6 100644 --- a/src/domains/ioweb-common/00_azuread.tf +++ b/src/domains/ioweb-common/00_azuread.tf @@ -14,3 +14,7 @@ data "azuread_group" "adgroup_externals" { data "azuread_group" "adgroup_security" { display_name = format("%s-adgroup-security", local.product) } + +data "azuread_group" "adgroup_directory_readers" { + display_name = "directory-readers" +} diff --git a/src/domains/ioweb-common/02_security.tf b/src/domains/ioweb-common/02_security.tf index 56cf33476..fd891b2a3 100644 --- a/src/domains/ioweb-common/02_security.tf +++ b/src/domains/ioweb-common/02_security.tf 
@@ -43,6 +43,18 @@ resource "azurerm_key_vault_access_policy" "adgroup_developers" {
certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
+## adgroup_directory_readers group policy ##
+resource "azurerm_key_vault_access_policy" "adgroup_directory_readers" {
+ key_vault_id = module.key_vault.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azuread_group.adgroup_directory_readers.object_id
+
+ key_permissions = ["Get", "List"]
+ secret_permissions = ["Get", "List"]
+ certificate_permissions = ["Get", "List"]
+}
+
# Access policy for CD pipeline
data "azuread_service_principal" "github_action_iac_cd" {
From 2b6824faf11173ce905d360e014ba10ad6e18318 Mon Sep 17 00:00:00 2001
From: Andrea Grillo
Date: Wed, 3 Jan 2024 17:57:22 +0100
Subject: [PATCH 07/11] fix permission
---
.identity/env/prod/terraform.tfvars | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.identity/env/prod/terraform.tfvars b/.identity/env/prod/terraform.tfvars
index 1e5e26665..11c5d7708 100644
--- a/.identity/env/prod/terraform.tfvars
+++ b/.identity/env/prod/terraform.tfvars
@@ -29,7 +29,7 @@ ci_github_federations = [
cd_github_federations = [
{
repository = "io-infra"
- subject = "prod-ci"
+ subject = "prod-cd"
}
]
From f9c7fdee225a7a99275b0c104fbfeb552266ebe2 Mon Sep 17 00:00:00 2001
From: Andrea Grillo
Date: Thu, 4 Jan 2024 09:43:36 +0100
Subject: [PATCH 08/11] add comments
---
src/domains/citizen-auth-common/02_key_vault.tf | 2 +-
src/domains/ioweb-common/02_security.tf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/domains/citizen-auth-common/02_key_vault.tf b/src/domains/citizen-auth-common/02_key_vault.tf
index 0358b5b24..2e1ed1007 100644
--- a/src/domains/citizen-auth-common/02_key_vault.tf
+++ b/src/domains/citizen-auth-common/02_key_vault.tf
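Review bot: The corrected `subject = "prod-cd"` presumably only matches OIDC tokens issued for a GitHub environment of that name, so the jobs that authenticate with `AZURE_CLIENT_ID_CD` (the apply steps changed in the earlier workflow hunks) must declare `environment: prod-cd`; that setting is not visible anywhere in this series, so it should be confirmed before merge. Before this fix the CD federation accepted the `prod-ci` subject, which would have let a CI-environment run obtain the CD identity, so this is a security fix rather than a cosmetic one and the commit message could say so. A comment on the entry would save the next reader the lookup: `# subject must equal the GitHub environment name used by the CD workflow jobs`.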
@@ -44,7 +44,7 @@ resource "azurerm_key_vault_access_policy" "adgroup_developers" {
certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
-## adgroup_directory_readers group policy ##
+## io-p-citizen-auth-kv adgroup_directory_readers group policy ##
resource "azurerm_key_vault_access_policy" "adgroup_directory_readers" {
key_vault_id = module.key_vault.id
diff --git a/src/domains/ioweb-common/02_security.tf b/src/domains/ioweb-common/02_security.tf
index fd891b2a3..729cc99a9 100644
--- a/src/domains/ioweb-common/02_security.tf
+++ b/src/domains/ioweb-common/02_security.tf
@@ -43,7 +43,7 @@ resource "azurerm_key_vault_access_policy" "adgroup_developers" {
certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
-## adgroup_directory_readers group policy ##
+## io-p-ioweb-kv adgroup_directory_readers group policy ##
resource "azurerm_key_vault_access_policy" "adgroup_directory_readers" {
key_vault_id = module.key_vault.id
From 203d826e486dd4da35c3045c809085e73cc15eef Mon Sep 17 00:00:00 2001
From: Andrea Grillo
Date: Thu, 4 Jan 2024 11:20:27 +0100
Subject: [PATCH 09/11] change permissions to single mi
---
src/core/data.tf | 16 +++++++++++++-
src/core/keyvault_access_policy.tf | 21 ++++++++++++-------
src/domains/citizen-auth-common/00_azuread.tf | 4 ----
.../citizen-auth-common/02_key_vault.tf | 17 ++++++++++++---
src/domains/citizen-auth-common/06_data.tf | 13 ++++++++++++
src/domains/ioweb-common/00_azuread.tf | 4 ----
src/domains/ioweb-common/02_security.tf | 17 ++++++++++++---
src/domains/ioweb-common/07_data.tf | 13 ++++++++++++
8 files changed, 83 insertions(+), 22 deletions(-)
create mode 100644 src/domains/citizen-auth-common/06_data.tf
create mode 100644 src/domains/ioweb-common/07_data.tf
diff --git a/src/core/data.tf b/src/core/data.tf
index 97ce1b275..fd593a91c 100644
--- a/src/core/data.tf
+++ b/src/core/data.tf
@@ -298,4 +298,18 @@ data "azurerm_subnet" "services_cms_backoffice_snet" {
data "azurerm_storage_account" "citizen_auth_common" {
name = "iopweucitizenauthst"
resource_group_name = "io-p-citizen-auth-data-rg"
-}
\ No newline at end of file
+}
+
+#
+# MANAGED IDENTITIES
+#
+
+data "azurerm_user_assigned_identity" "managed_identity_io_infra_ci" {
+ name = "${local.project}-infra-github-ci-identity"
+ resource_group_name = "${local.project}-identity-rg"
+}
+
+data "azurerm_user_assigned_identity" "managed_identity_io_infra_cd" {
+ name = "${local.project}-infra-github-cd-identity"
+ resource_group_name = "${local.project}-identity-rg"
+}
diff --git a/src/core/keyvault_access_policy.tf b/src/core/keyvault_access_policy.tf
index fc649610e..0b349e517 100644
--- a/src/core/keyvault_access_policy.tf
+++ b/src/core/keyvault_access_policy.tf
@@ -3,10 +3,6 @@ data "azuread_group" "adgroup_admin" {
display_name = format("%s-adgroup-admin", local.project)
}
-data "azuread_group" "adgroup_directory_readers" {
- display_name = "directory-readers"
-}
-
# kv admin policy
resource "azurerm_key_vault_access_policy" "adgroup_admin" {
key_vault_id = module.key_vault.id
@@ -33,12 +29,23 @@ resource "azurerm_key_vault_access_policy" "adgroup_admin_common" {
certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
-# kv-common reader policy
-resource "azurerm_key_vault_access_policy" "adgroup_directory_readers" {
+# kv-common managed identities reader policy
+resource "azurerm_key_vault_access_policy" "access_policy_io_infra_ci" {
+ key_vault_id = module.key_vault_common.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_ci.principal_id
+
+ key_permissions = ["Get", "List"]
+ secret_permissions = ["Get", "List"]
+ certificate_permissions = ["Get", "List"]
+}
+
+resource "azurerm_key_vault_access_policy" "access_policy_io_infra_cd" {
key_vault_id = module.key_vault_common.id
tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azuread_group.adgroup_directory_readers.object_id
+ object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_cd.principal_id
key_permissions = ["Get", "List"]
secret_permissions = ["Get", "List"]
diff --git a/src/domains/citizen-auth-common/00_azuread.tf b/src/domains/citizen-auth-common/00_azuread.tf
index e12ec33d6..bfffd3a8b 100644
--- a/src/domains/citizen-auth-common/00_azuread.tf
+++ b/src/domains/citizen-auth-common/00_azuread.tf
@@ -14,7 +14,3 @@ data "azuread_group" "adgroup_externals" {
data "azuread_group" "adgroup_security" {
display_name = format("%s-adgroup-security", local.product)
}
-
-data "azuread_group" "adgroup_directory_readers" {
- display_name = "directory-readers"
-}
diff --git a/src/domains/citizen-auth-common/02_key_vault.tf b/src/domains/citizen-auth-common/02_key_vault.tf
index 2e1ed1007..5ff22af41 100644
--- a/src/domains/citizen-auth-common/02_key_vault.tf
+++ b/src/domains/citizen-auth-common/02_key_vault.tf
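Review bot: `access_policy_io_infra_ci` grants the CI identity the same `secret_permissions = ["Get", "List"]` as the CD identity on the common key vault, although the CI identity is the one the drift-detection and plan workflows authenticate with (`AZURE_CLIENT_ID_CI` in the workflow hunks), which only need `Get` on secrets if the configuration reads secret values through data sources at plan time. If that is the case, a comment saying so would make the grant reviewable; otherwise dropping `Get` from the CI policy would keep a PR-triggered or compromised plan run from reading production secret values. The same pair of blocks is added for the domain vaults in the citizen-auth-common/02_key_vault.tf and ioweb-common/02_security.tf hunks, so the decision should be applied there too. Note that the `adgroup_directory_readers` block is edited in place into `access_policy_io_infra_cd` with a new `object_id`, so Terraform will replace the policy rather than rename it, which is fine here.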
@@ -44,12 +44,23 @@ resource "azurerm_key_vault_access_policy" "adgroup_developers" {
certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
-## io-p-citizen-auth-kv adgroup_directory_readers group policy ##
-resource "azurerm_key_vault_access_policy" "adgroup_directory_readers" {
+## io-p-citizen-auth-kv managed identities reader policy ##
+resource "azurerm_key_vault_access_policy" "access_policy_io_infra_ci" {
key_vault_id = module.key_vault.id
tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azuread_group.adgroup_directory_readers.object_id
+ object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_ci.principal_id
+
+ key_permissions = ["Get", "List"]
+ secret_permissions = ["Get", "List"]
+ certificate_permissions = ["Get", "List"]
+}
+
+resource "azurerm_key_vault_access_policy" "access_policy_io_infra_cd" {
+ key_vault_id = module.key_vault.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_cd.principal_id
key_permissions = ["Get", "List"]
secret_permissions = ["Get", "List"]
diff --git a/src/domains/citizen-auth-common/06_data.tf b/src/domains/citizen-auth-common/06_data.tf
new file mode 100644
index 000000000..b2fb3a94a
--- /dev/null
+++ b/src/domains/citizen-auth-common/06_data.tf
@@ -0,0 +1,13 @@
+#
+# MANAGED IDENTITIES
+#
+
+data "azurerm_user_assigned_identity" "managed_identity_io_infra_ci" {
+ name = "${local.product}-infra-github-ci-identity"
+ resource_group_name = "${local.product}-identity-rg"
+}
+
+data "azurerm_user_assigned_identity" "managed_identity_io_infra_cd" {
+ name = "${local.product}-infra-github-cd-identity"
+ resource_group_name = "${local.product}-identity-rg"
+}
diff --git a/src/domains/ioweb-common/00_azuread.tf b/src/domains/ioweb-common/00_azuread.tf
index e12ec33d6..bfffd3a8b 100644
--- a/src/domains/ioweb-common/00_azuread.tf
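Review bot: The new 06_data.tf looks the identities up with `local.product` (`name = "${local.product}-infra-github-ci-identity"`), while the same two data sources added to src/core/data.tf in this patch use `local.project`; both presumably evaluate to the same prefix, but a mismatch would only surface as a lookup failure at plan time, so it is worth confirming. Because the identities live in one `-identity-rg` and are now referenced from core and both domains, a header comment pointing at the canonical copy would help keep the three lookups in sync, e.g. `# Shared GitHub OIDC identities (CI/CD); same lookup as src/core/data.tf — keep names aligned`. The identical file is added as ioweb-common/07_data.tf in the later hunk, and the same comment applies there.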
+++ b/src/domains/ioweb-common/00_azuread.tf
@@ -14,7 +14,3 @@ data "azuread_group" "adgroup_externals" {
data "azuread_group" "adgroup_security" {
display_name = format("%s-adgroup-security", local.product)
}
-
-data "azuread_group" "adgroup_directory_readers" {
- display_name = "directory-readers"
-}
diff --git a/src/domains/ioweb-common/02_security.tf b/src/domains/ioweb-common/02_security.tf
index 729cc99a9..0c66d6d7e 100644
--- a/src/domains/ioweb-common/02_security.tf
+++ b/src/domains/ioweb-common/02_security.tf
@@ -43,12 +43,23 @@ resource "azurerm_key_vault_access_policy" "adgroup_developers" {
certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
}
-## io-p-ioweb-kv adgroup_directory_readers group policy ##
-resource "azurerm_key_vault_access_policy" "adgroup_directory_readers" {
+## io-p-ioweb-kv managed identities reader policy ##
+resource "azurerm_key_vault_access_policy" "access_policy_io_infra_ci" {
key_vault_id = module.key_vault.id
tenant_id = data.azurerm_client_config.current.tenant_id
- object_id = data.azuread_group.adgroup_directory_readers.object_id
+ object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_ci.principal_id
+
+ key_permissions = ["Get", "List"]
+ secret_permissions = ["Get", "List"]
+ certificate_permissions = ["Get", "List"]
+}
+
+resource "azurerm_key_vault_access_policy" "access_policy_io_infra_cd" {
+ key_vault_id = module.key_vault.id
+
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_user_assigned_identity.managed_identity_io_infra_cd.principal_id
key_permissions = ["Get", "List"]
secret_permissions = ["Get", "List"]
diff --git a/src/domains/ioweb-common/07_data.tf b/src/domains/ioweb-common/07_data.tf
new file mode 100644
index 000000000..b2fb3a94a
--- /dev/null
+++ b/src/domains/ioweb-common/07_data.tf
@@ -0,0 +1,13 @@
+#
+# MANAGED IDENTITIES
+#
+
+data "azurerm_user_assigned_identity" "managed_identity_io_infra_ci" {
+ name = "${local.product}-infra-github-ci-identity"
+ resource_group_name = "${local.product}-identity-rg"
+}
+
+data "azurerm_user_assigned_identity" "managed_identity_io_infra_cd" {
+ name = "${local.product}-infra-github-cd-identity"
+ resource_group_name = "${local.product}-identity-rg"
+}
From a779907504481cb3aa0705048f3df4d9d3505dea Mon Sep 17 00:00:00 2001
From: Andrea Grillo
Date: Thu, 4 Jan 2024 11:35:23 +0100
Subject: [PATCH 10/11] remove old groups
---
.identity/env/prod/terraform.tfvars | 1 -
CODEOWNERS | 4 ++--
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/.identity/env/prod/terraform.tfvars b/.identity/env/prod/terraform.tfvars
index 11c5d7708..3bd4aaa76 100644
--- a/.identity/env/prod/terraform.tfvars
+++ b/.identity/env/prod/terraform.tfvars
@@ -13,7 +13,6 @@ github_repository_environment_cd = {
protected_branches = true
custom_branch_policies = false
reviewers_teams = [
- "infrastructure-admins",
"io-backend-admin",
"io-backend-contributors",
]
diff --git a/CODEOWNERS b/CODEOWNERS
index a16713bb9..36b5de6f2 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,5 +1,5 @@
# see https://help.github.com/en/articles/about-code-owners#example-of-a-codeowners-file
-* @pagopa/infrastructure-admins @pagopa/io-backend-admin @pagopa/io-backend-contributors
+* @pagopa/io-backend-admin @pagopa/io-backend-contributors
-/src/domains/sign @pagopa/infrastructure-admins @pagopa/io-backend-admin @pagopa/io-backend-contributors @pagopa/io-sign-maintainers
+/src/domains/sign @pagopa/io-backend-admin @pagopa/io-backend-contributors @pagopa/io-sign-maintainers
From 399e2ddc89adc0189dc004115b4f60e946ab7dca Mon Sep 17 00:00:00 2001
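Review bot: Removing `"infrastructure-admins"` from `reviewers_teams` of the CD environment leaves `io-backend-admin` and `io-backend-contributors` as the only teams that can approve a production apply, and the CODEOWNERS hunk in the same patch drops the team from code review of every path as well, so no admin-level group remains in either gate. GitHub environment protection presumably accepts an approval from any single listed reviewer, so if `io-backend-contributors` is a broad team one member of it could now approve a prod deployment; that may be intended, but the commit message does not say so. Consider stating the intended approval policy in the message and on the list itself: `# teams whose approval unlocks prod CD deployments; keep at least one admin-level team here`.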
From: Andrea Grillo
Date: Thu, 4 Jan 2024 11:57:24 +0100
Subject: [PATCH 11/11] docs
---
src/core/README.md | 4 ++++
src/core/data.tf | 4 ++--
src/domains/citizen-auth-common/README.md | 4 ++++
src/domains/ioweb-common/README.md | 4 ++++
4 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/core/README.md b/src/core/README.md
index 6b53aebe8..108e1464c 100644
--- a/src/core/README.md
+++ b/src/core/README.md
@@ -221,6 +221,8 @@
| [azurerm_dns_zone.io_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone) | resource |
| [azurerm_dns_zone.io_selfcare_pagopa_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone) | resource |
| [azurerm_dns_zone.ioweb_it](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_zone) | resource |
+| [azurerm_key_vault_access_policy.access_policy_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.access_policy_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.adgroup_admin_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
@@ -576,6 +578,8 @@
| [azurerm_subnet.ioweb_profile_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subnet.services_cms_backoffice_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_user_assigned_identity.managed_identity_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
+| [azurerm_user_assigned_identity.managed_identity_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
## Inputs
diff --git a/src/core/data.tf b/src/core/data.tf
index fd593a91c..0a7840dc1 100644
--- a/src/core/data.tf
+++ b/src/core/data.tf
@@ -305,11 +305,11 @@ data "azurerm_storage_account" "citizen_auth_common" {
#
data "azurerm_user_assigned_identity" "managed_identity_io_infra_ci" {
- name = "${local.project}-infra-github-ci-identity"
+ name = "${local.project}-infra-github-ci-identity"
resource_group_name = "${local.project}-identity-rg"
}
data "azurerm_user_assigned_identity" "managed_identity_io_infra_cd" {
- name = "${local.project}-infra-github-cd-identity"
+ name = "${local.project}-infra-github-cd-identity"
resource_group_name = "${local.project}-identity-rg"
}
diff --git a/src/domains/citizen-auth-common/README.md b/src/domains/citizen-auth-common/README.md
index 277e9e64c..0f8b59354 100644
--- a/src/domains/citizen-auth-common/README.md
+++ b/src/domains/citizen-auth-common/README.md
@@ -45,6 +45,8 @@
| [azurerm_cosmosdb_sql_container.fims_interaction](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_container) | resource |
| [azurerm_cosmosdb_sql_container.fims_session](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_container) | resource |
| [azurerm_cosmosdb_sql_container.lollipop_pubkeys](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_sql_container) | resource |
+| [azurerm_key_vault_access_policy.access_policy_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.access_policy_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.azdevops_platform_iac_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
@@ -94,6 +96,8 @@
| [azurerm_subnet.azdoa_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_user_assigned_identity.managed_identity_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
+| [azurerm_user_assigned_identity.managed_identity_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
| [azurerm_virtual_network.vnet_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
## Inputs
diff --git a/src/domains/ioweb-common/README.md b/src/domains/ioweb-common/README.md
index 1ae4d850c..61167b1ad 100644
--- a/src/domains/ioweb-common/README.md
+++ b/src/domains/ioweb-common/README.md
@@ -28,6 +28,8 @@
| Name | Type |
|------|------|
| [azurerm_api_management_api_operation_policy.spid_acs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
+| [azurerm_key_vault_access_policy.access_policy_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
+| [azurerm_key_vault_access_policy.access_policy_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
| [azurerm_key_vault_access_policy.azdevops_platform_iac_policy_ioweb_kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_access_policy) | resource |
@@ -72,6 +74,8 @@
| [azurerm_subnet.ioweb_profile_snet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subnet.private_endpoints_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subnet) | data source |
| [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
+| [azurerm_user_assigned_identity.managed_identity_io_infra_cd](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
+| [azurerm_user_assigned_identity.managed_identity_io_infra_ci](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/user_assigned_identity) | data source |
| [azurerm_virtual_network.vnet_common](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/virtual_network) | data source |
## Inputs