Add scheduled workflow to renew TLS certificates (#23)

* Add scheduled workflow to renew TLS certificates

Add a monthly CI job that runs terraform plan (for verification)
targeting module.domain in the network layer for dev, staging, and
prod networks. This prevents ACME-issued certificates from expiring
on stable networks that don't get regular terraform applies.

Supports manual dispatch with optional network name filter.

* Add push trigger on branch for testing terraform plan

* Add plan/apply flow with GitHub issue notifications

* Fix PIPESTATUS to capture terraform exit code through tee

* Address PR review: remove push trigger, unused var, auto-create label

* Change schedule to twice a month (1st and 15th)

* Refactor: use credentials action, tighter targets, always apply

- Update configure-azure-credentials to accept optional network_name
  input, matching the pattern from template-infra's configure-aws-credentials
- Scope terraform targets to individual certificate resources instead
  of the entire domain module to avoid touching DNS infrastructure
- Remove issue creation flow in favor of always applying (set and forget)
- Use the credentials action instead of inlined auth logic

* Fix dead link to main.tf.jinja in set-up-network docs

The file was renamed from main.tf to main.tf.jinja but the doc link
was not updated, causing the markdown link checker to fail.

* Remove dead variable and add concurrency guard

- Remove unused network_name variable in configure-azure-credentials
  "Get Azure client id" step (only account_name is used)
- Add concurrency key per network to prevent overlapping terraform
  applies against the same state

* Move cert renewal logic to bin script, revert docs link fix

- Create bin/renew-tls-certificates script that wraps terraform-init
  and terraform-apply with the certificate-specific targets
- Simplify workflow to call the bin script instead of inline terraform
- Revert set-up-network.md link back to main.tf (installed docs don't
  have the .jinja extension)

* Pass network_name variable to terraform in renew-tls-certificates

The script was missing -var="network_name=..." which caused terraform
to fail with "No value for required variable" since the networks module
has no .tfvars files and relies on the variable being passed explicitly.

* Stop exporting ARM_SUBSCRIPTION_ID as env var

The infra code specifies subscription_id in each provider block, so
the ARM_SUBSCRIPTION_ID env var is unnecessary and can cause issues
with cross-subscription resources (e.g. domain provider referencing
a different subscription than the network). Pass the subscription id
to azure/login via step output instead.

* Set up OIDC federated token for Azure SDK auth

The ACME provider's DNS solver uses the Go Azure SDK's
DefaultAzureCredential, which doesn't understand ARM_* env vars.
Request a GitHub OIDC token and write it to a file so the SDK's
WorkloadIdentityCredential can authenticate for DNS challenges.

* Remove explicit OIDC token setup, rely on Azure CLI credential

azure/login already authenticates the CLI, so DefaultAzureCredential
should pick it up via AzureCLICredential without needing to manually
fetch and store an OIDC token.

* Ignore main.tf link in markdown link checker

infra/networks/main.tf only exists in instantiated repos (it's
main.tf.jinja in the template), so the link checker always fails
on this file reference in set-up-network.md.

* Revert markdownlint config change, move to separate PR

---------

Co-authored-by: Sean Thomas <sean.thomas@navapbc.com>

Author: sean-navapbc

.github/actions/configure-azure-credentials/action.yml

@@ -1,19 +1,26 @@
 name: Configure Azure Credentials
 description: |
-  Configure Azure Credentials for a given application and environment so that
-  the GitHub Actions workflow can access Azure resources.
+  Configure Azure Credentials so that the GitHub Actions workflow can access
+  Azure resources.
 
   This is a wrapper around https://github.com/azure/login that first determines
   the tenant, subscription, and client ids based on the configuration in
   app-config.
 
+  Authenticate using one of the following options:
+  1. Authenticate by network_name
+  2. Authenticate by app_name and environment
+
 inputs:
+  network_name:
+    description: 'Name of network (e.g. dev, staging, prod)'
+    required: false
   app_name:
     description: 'Name of application folder under /infra'
-    required: true
+    required: false
   environment:
     description: 'Name of environment (dev, staging, prod) that resources live in, or "shared" for resources that are shared across environments'
-    required: true
+    required: false
 
 runs:
   using: "composite"
@@ -33,7 +40,7 @@ runs:
     - name: Get account name from network
       id: get-account-name
       run: |
-        network_name="${{ steps.get-network-name.outputs.network_name }}"
+        network_name="${{ inputs.network_name || steps.get-network-name.outputs.network_name }}"
         echo "Get account name for network: ${network_name}"
 
         account_name=$(./bin/account-name-for-network "${network_name}")
@@ -43,10 +50,10 @@ runs:
       shell: bash
 
     - name: Get Azure client id, tenant id, and subscription id
+      id: get-azure-config
       run: |
         echo "::group::Azure account authentication details"
 
-        network_name="${{ steps.get-network-name.outputs.network_name }}"
         account_name="${{ steps.get-account-name.outputs.account_name }}"
 
         terraform -chdir=infra/project-config init > /dev/null
@@ -63,14 +70,20 @@ runs:
 
         echo "::endgroup::"
 
-        echo "Setting env vars ARM_TENANT_ID, ARM_SUBSCRIPTION_ID, and ARM_CLIENT_ID..."
+        # Set ARM_TENANT_ID and ARM_CLIENT_ID as env vars for terraform.
+        # ARM_SUBSCRIPTION_ID is intentionally not set — the infra code
+        # specifies subscription_id in each provider block, and setting
+        # the env var can cause issues with cross-subscription resources.
         echo "ARM_TENANT_ID=$TENANT_ID" >> "$GITHUB_ENV"
-        echo "ARM_SUBSCRIPTION_ID=$account_id" >> "$GITHUB_ENV"
         echo "ARM_CLIENT_ID=$CLIENT_ID" >> "$GITHUB_ENV"
+
+        # Pass subscription id as step output for azure/login only
+        echo "subscription_id=${account_id}" >> "$GITHUB_OUTPUT"
       shell: bash
 
     - uses: azure/login@v2
       with:
         tenant-id: ${{ env.ARM_TENANT_ID }}
-        subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
+        subscription-id: ${{ steps.get-azure-config.outputs.subscription_id }}
         client-id: ${{ env.ARM_CLIENT_ID }}
+

.github/workflows/renew-tls-certificates.yml

@@ -0,0 +1,54 @@
+name: Renew TLS Certificates
+
+on:
+  schedule:
+    # Run twice a month (1st and 15th) at midnight UTC
+    # Gives ample buffer on 90-day Let's Encrypt certs
+    - cron: "0 0 1,15 * *"
+  workflow_dispatch:
+    inputs:
+      network_name:
+        description: "Network to renew certificates for (leave empty for all)"
+        required: false
+        type: string
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  renew-certs:
+    name: Renew certs (${{ matrix.network_name }})
+    runs-on: ubuntu-latest
+    concurrency: renew-tls-certs-${{ matrix.network_name }}
+    strategy:
+      fail-fast: false
+      matrix:
+        network_name: [dev, staging, prod]
+
+    steps:
+      - name: Check if network requested
+        id: check
+        run: |
+          if [[ -n "${{ inputs.network_name }}" && "${{ inputs.network_name }}" != "${{ matrix.network_name }}" ]]; then
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - uses: actions/checkout@v4
+        if: steps.check.outputs.skip != 'true'
+
+      - name: Set up Terraform
+        if: steps.check.outputs.skip != 'true'
+        uses: ./.github/actions/setup-terraform
+
+      - name: Configure Azure credentials
+        if: steps.check.outputs.skip != 'true'
+        uses: ./.github/actions/configure-azure-credentials
+        with:
+          network_name: ${{ matrix.network_name }}
+
+      - name: Renew certificates
+        if: steps.check.outputs.skip != 'true'
+        run: ./bin/renew-tls-certificates "${{ matrix.network_name }}"
+        env:
+          ARM_USE_OIDC: true

bin/renew-tls-certificates

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# -----------------------------------------------------------------------------
+# Renew TLS certificates for the specified network by running terraform apply
+# targeted at the certificate resources in the domain module.
+#
+# Positional parameters:
+# network_name (required) - The network to renew certificates for (e.g. dev, staging, prod)
+# -----------------------------------------------------------------------------
+set -euo pipefail
+
+network_name="$1"
+
+./bin/terraform-init infra/networks "${network_name}"
+./bin/terraform-apply infra/networks "${network_name}" \
+  -var="network_name=${network_name}" \
+  -target='module.domain.acme_registration.reg' \
+  -target='module.domain.acme_certificate.certificate' \
+  -target='module.domain.azurerm_key_vault_certificate.key_vault_certificate' \
+  -auto-approve \
+  -input=false