switch to gh app auth

Author: Krusty93

.changeset/sparkly-bananas-arrive.md

@@ -0,0 +1,5 @@
+---
+"github_selfhosted_runner_on_container_app_jobs": minor
+---
+
+Switch to GitHub App-based authentication replacing PAT-based. This approach is generally more secure and scalable.

infra/modules/github_selfhosted_runner_on_container_app_jobs/README.md

@@ -8,12 +8,13 @@ This module creates a Container App Job to be used as a GitHub self-hosted runne
 
 - **Container App Job**: Deploys a Container App Job in the specified Azure Container App Environment.
 - **Managed Identity**: Provides System Assigned Managed Identity for secure authentication with Azure resources.
-- **Key Vault Access**: Grant access to the KeyVault instance with GitHub credentials (PAT token)
+- **Key Vault Access**: Grant access to the KeyVault instance with GitHub App credentials (private key, app ID, and installation ID).
 - **Auto GitHub Registration**: Automatically scale and register as self-hosted runner in the target repository.
 
 ## Usage Example
 
 A usage example can be found in the [examples](https://github.com/pagopa-dx/terraform-azurerm-azure-container-app/tree/main/examples/basic) directory.
+
 <!-- markdownlint-disable -->
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
@@ -42,7 +43,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_container_app_environment"></a> [container\_app\_environment](#input\_container\_app\_environment) | Configuration for the Container App Environment. | <pre>object({<br/>    id                          = string<br/>    location                    = string<br/>    replica_timeout_in_seconds  = optional(number, 1800)<br/>    polling_interval_in_seconds = optional(number, 30)<br/>    min_instances               = optional(number, 0)<br/>    max_instances               = optional(number, 30)<br/>    use_labels                  = optional(bool, false)<br/>    override_labels             = optional(list(string), [])<br/>    cpu                         = optional(number, 1.5)<br/>    memory                      = optional(string, "3Gi")<br/>    image                       = optional(string, "ghcr.io/pagopa/github-self-hosted-runner-azure:latest")<br/>    env_vars                    = optional(map(string), {})<br/>    secrets                     = optional(map(string), {})<br/>  })</pre> | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | Values which are used to generate resource names and location short names. They are all mandatory except for domain, which should not be used only in the case of a resource used by multiple domains. | <pre>object({<br/>    prefix          = string<br/>    env_short       = string<br/>    location        = string<br/>    instance_number = string<br/>  })</pre> | n/a | yes |
-| <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | Details of the Key Vault used to store secrets for the Container App Job. | <pre>object({<br/>    name                = string<br/>    resource_group_name = string<br/>    use_rbac            = optional(bool, false)<br/>    secret_name         = optional(string, "github-runner-pat")<br/>  })</pre> | n/a | yes |
+| <a name="input_key_vault"></a> [key\_vault](#input\_key\_vault) | Details of the Key Vault used to store GitHub App credentials. | <pre>object({<br/>    name                        = string<br/>    resource_group_name         = string<br/>    use_rbac                    = optional(bool, false)<br/>    app_key_secret_name         = optional(string, "gh-app-engineering")<br/>    app_id_secret_name          = optional(string, "github-runner-app-id")<br/>    installation_id_secret_name = optional(string, "github-runner-installation-id")<br/>  })</pre> | n/a | yes |
 | <a name="input_repository"></a> [repository](#input\_repository) | Details of the GitHub repository, including the owner and repository name. | <pre>object({<br/>    owner = optional(string, "pagopa")<br/>    name  = string<br/>  })</pre> | n/a | yes |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group where the Container App Job will be deployed. Defaults to null. | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to the resources. | `map(any)` | n/a | yes |

infra/modules/github_selfhosted_runner_on_container_app_jobs/container_app_job.tf

@@ -24,29 +24,45 @@ resource "azurerm_container_app_job" "github_runner" {
         name             = "github-runner-rule"
         custom_rule_type = "github-runner"
 
-        # https://keda.sh/docs/2.17/scalers/github-runner/
+        # https://keda.sh/docs/2.19/scalers/github-runner/
         metadata = merge({
+          githubApiURL              = "https://api.github.com"
           owner                     = var.repository.owner
           runnerScope               = "repo"
           repos                     = var.repository.name
-          targetWorkflowQueueLength = "1"
-          github-runner             = "https://api.github.com"
           enableEtags               = "true"
+          targetWorkflowQueueLength = "1"
+          applicationIDFromEnv      = "GITHUB_APP_ID"
+          installationIDFromEnv     = "GITHUB_APP_INSTALLATION_ID"
         }, var.container_app_environment.use_labels ? { labels = local.labels } : {})
 
         authentication {
-          secret_name       = var.key_vault.secret_name
-          trigger_parameter = "personalAccessToken"
+          secret_name       = var.key_vault.app_key_secret_name
+          trigger_parameter = "appKey"
         }
       }
     }
   }
 
   secret {
-    key_vault_secret_id = "${local.key_vault_uri}secrets/${var.key_vault.secret_name}" # no versioning
+    key_vault_secret_id = "${local.key_vault_uri}secrets/${var.key_vault.app_key_secret_name}" # no versioning
+
+    identity = "System"
+    name     = var.key_vault.app_key_secret_name
+  }
+
+  secret {
+    key_vault_secret_id = "${local.key_vault_uri}secrets/${var.key_vault.app_id_secret_name}" # no versioning
+
+    identity = "System"
+    name     = var.key_vault.app_id_secret_name
+  }
+
+  secret {
+    key_vault_secret_id = "${local.key_vault_uri}secrets/${var.key_vault.installation_id_secret_name}" # no versioning
 
     identity = "System"
-    name     = var.key_vault.secret_name
+    name     = var.key_vault.installation_id_secret_name
   }
 
   template {

infra/modules/github_selfhosted_runner_on_container_app_jobs/examples/basic/README.md

@@ -11,7 +11,7 @@
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_container_app_job_selfhosted_runner"></a> [container\_app\_job\_selfhosted\_runner](#module\_container\_app\_job\_selfhosted\_runner) | pagopa-dx/github-selfhosted-runner-on-container-app-jobs/azurerm | ~> 1.2 |
+| <a name="module_container_app_job_selfhosted_runner"></a> [container\_app\_job\_selfhosted\_runner](#module\_container\_app\_job\_selfhosted\_runner) | pagopa-dx/github-selfhosted-runner-on-container-app-jobs/azurerm | ~> 1.3 |
 
 ## Resources
 

infra/modules/github_selfhosted_runner_on_container_app_jobs/examples/basic/main.tf

@@ -1,6 +1,6 @@
 module "container_app_job_selfhosted_runner" {
   source  = "pagopa-dx/github-selfhosted-runner-on-container-app-jobs/azurerm"
-  version = "~> 1.2"
+  version = "~> 1.3"
 
   environment = local.environment
 

infra/modules/github_selfhosted_runner_on_container_app_jobs/locals.tf

@@ -27,11 +27,13 @@ locals {
   })
 
   runner_secrets = merge(var.container_app_environment.secrets, {
-    GITHUB_PAT = var.key_vault.secret_name
+    GITHUB_APP_KEY             = var.key_vault.app_key_secret_name
+    GITHUB_APP_ID              = var.key_vault.app_id_secret_name
+    GITHUB_APP_INSTALLATION_ID = var.key_vault.installation_id_secret_name
   })
 
   labels = join(",", coalescelist(var.container_app_environment.override_labels, [local.env[var.environment.env_short]]))
 
-  key_vault_id  = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${var.key_vault.resource_group_name}/providers/Microsoft.KeyVault/vaults/${var.key_vault.name}"
+  key_vault_id  = provider::azurerm::normalise_resource_id("/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${var.key_vault.resource_group_name}/providers/Microsoft.KeyVault/vaults/${var.key_vault.name}")
   key_vault_uri = "https://${var.key_vault.name}.vault.azure.net/"
 }

infra/modules/github_selfhosted_runner_on_container_app_jobs/variables.tf

@@ -51,11 +51,13 @@ variable "container_app_environment" {
 
 variable "key_vault" {
   type = object({
-    name                = string
-    resource_group_name = string
-    use_rbac            = optional(bool, false)
-    secret_name         = optional(string, "github-runner-pat")
+    name                        = string
+    resource_group_name         = string
+    use_rbac                    = optional(bool, false)
+    app_key_secret_name         = optional(string, "gh-app-engineering")
+    app_id_secret_name          = optional(string, "github-runner-app-id")
+    installation_id_secret_name = optional(string, "github-runner-installation-id")
   })
 
-  description = "Details of the Key Vault used to store secrets for the Container App Job."
+  description = "Details of the Key Vault used to store GitHub App credentials."
 }