diff --git a/.github/workflows/code_review.yml b/.github/workflows/code_review.yml
index a3c7df2b..97d2b305 100644
--- a/.github/workflows/code_review.yml
+++ b/.github/workflows/code_review.yml
@@ -59,7 +59,7 @@ jobs: # from https://github.com/Azure/login/commits/master uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 with: - client-id: ${{ secrets.CD_CLIENT_ID }} + client-id: ${{ secrets.CLIENT_ID }} tenant-id: ${{ secrets.TENANT_ID }} subscription-id: ${{ secrets.SUBSCRIPTION_ID }}
diff --git a/.github/workflows/create_dashboard.yaml b/.github/workflows/create_dashboard.yaml
index b1582182..a6e223a9 100644
--- a/.github/workflows/create_dashboard.yaml
+++ b/.github/workflows/create_dashboard.yaml
@@ -45,7 +45,7 @@ jobs: environment: ${{ matrix.environment }} api-name: ${{ matrix.product }} config: .opex/${{ matrix.product }}/env/${{ matrix.environment }}/config.yaml - client-id: ${{ secrets.CD_CLIENT_ID }} + client-id: ${{ secrets.CLIENT_ID }} tenant-id: ${{ secrets.TENANT_ID }} subscription-id: ${{ secrets.SUBSCRIPTION_ID }} # from https://github.com/pagopa/opex-dashboard-azure-action/pkgs/container/opex-dashboard-azure-action
diff --git a/.github/workflows/deploy_with_github_runner.yml b/.github/workflows/deploy_with_github_runner.yml
index 9dea33d3..74873e9f 100644
--- a/.github/workflows/deploy_with_github_runner.yml
+++ b/.github/workflows/deploy_with_github_runner.yml
@@ -11,6 +11,10 @@ on: required: true description: The environment target of the job type: string + branch: + required: false + default: ${{ github.ref_name }} + type: string env: NAMESPACE: afm
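Review bot: The new `branch` input is the only input in this hunk without a `description`, and since its value is what ends up being deployed (it is forwarded to aks-deploy later in the same file) it should say so, e.g. `description: Git ref to deploy; defaults to the ref the calling workflow runs on`. Nothing constrains the value beyond `type: string`, so callers can point a deploy at any ref; that is presumably intended, but it is worth stating in the description so the environment protection rules are understood as the only gate. The `on:` block continues outside the hunk.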
@@ -22,31 +26,8 @@ permissions: contents: read jobs: - create_runner: - name: Create Runner - runs-on: ubuntu-22.04 - environment: - name: ${{ inputs.environment }} - if: ${{ inputs.target == inputs.environment || inputs.target == 'all' }} - outputs: - runner_name: ${{ steps.create_github_runner.outputs.runner_name }} - steps: - - name: Create GitHub Runner - id: create_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main - with: - client_id: ${{ secrets.CD_CLIENT_ID }} - tenant_id: ${{ secrets.TENANT_ID }} - subscription_id: ${{ secrets.SUBSCRIPTION_ID }} - container_app_environment_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_NAME }} - resource_group_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME }} # RG of the runner - pat_token: ${{ secrets.BOT_TOKEN_GITHUB }} - self_hosted_runner_image_tag: "latest" - deploy: - needs: [ create_runner ] - runs-on: [ self-hosted, "${{ needs.create_runner.outputs.runner_name }}" ] + runs-on: [ self-hosted-job, "${{ inputs.environment }}" ] if: ${{ inputs.target == inputs.environment || inputs.target == 'all' }} name: Deploy on AKS environment: ${{ inputs.environment }}
@@ -54,8 +35,8 @@ jobs: - name: Deploy uses: pagopa/github-actions-template/aks-deploy@main with: - branch: ${{ github.ref_name }} - client_id: ${{ secrets.CD_CLIENT_ID }} + branch: ${{ inputs.branch }} + client_id: ${{ secrets.CLIENT_ID }} subscription_id: ${{ secrets.SUBSCRIPTION_ID }} tenant_id: ${{ secrets.TENANT_ID }} env: ${{ inputs.environment }}
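Review bot: The deploy job now lands on whichever long-lived runner matches the `self-hosted-job` and `${{ inputs.environment }}` labels, whereas the removed `create_runner`/`cleanup_runner` pair gave every deployment a fresh, throw-away runner; the new code does nothing to stop two deploys from sharing that runner at the same time or from inheriting whatever the previous job left in the workspace (kubeconfig, az login state, checked-out sources). Add a per-environment serialisation on the job, `concurrency: { group: deploy-${{ inputs.environment }}, cancel-in-progress: false }`, and confirm the runners behind these labels are registered as ephemeral and are never shared with pull_request-triggered workflows. Whether they are ephemeral cannot be seen from this diff.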
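Review bot: `uses: pagopa/github-actions-template/aks-deploy@main` is a mutable ref for the step that receives the deploy credentials (`client_id`, `tenant_id`, `subscription_id`) and the caller-supplied `branch`, while `azure/login` elsewhere in this diff is pinned to a commit SHA; pin it the same way, `uses: pagopa/github-actions-template/aks-deploy@<commit-sha>`, with the `# from https://github.com/pagopa/github-actions-template` provenance comment the other pinned steps carry. `branch: ${{ inputs.branch }}` is passed through without validation; how aks-deploy consumes it is not visible here, but if it reaches a `run:` step it should be treated as untrusted input. The step's `with:` list continues past the hunk.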
@@ -63,23 +44,5 @@ jobs: cluster_name: ${{ vars.CLUSTER_NAME }} resource_group: ${{ vars.CLUSTER_RESOURCE_GROUP }} app_name: ${{ env.APP_NAME }} - helm_upgrade_options: "--debug" - - cleanup_runner: - name: Cleanup Runner - needs: [ create_runner, deploy ] - if: ${{ success() || failure() && inputs.target == inputs.environment || inputs.target == 'all' }} - runs-on: ubuntu-22.04 - environment: ${{ inputs.environment }} - steps: - - name: Cleanup GitHub Runner - id: cleanup_github_runner - # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-cleanup-action - uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@0ee2f58fd46d10ac7f00bce4304b98db3dbdbe9a - with: - client_id: ${{ secrets.CD_CLIENT_ID }} - tenant_id: ${{ secrets.TENANT_ID }} - subscription_id: ${{ secrets.SUBSCRIPTION_ID }} - resource_group_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME }} - runner_name: ${{ needs.create_runner.outputs.runner_name }} - pat_token: ${{ secrets.BOT_TOKEN_GITHUB }} + helm_upgrade_options: "--debug --set microservice-chart.azure.workloadIdentityClientId=${{vars.WORKLOAD_IDENTITY_ID}}" + timeout: '15m0s'
diff --git a/.github/workflows/integration_test.yml b/.github/workflows/integration_test.yml
index 3d95da21..21d79e55 100644
--- a/.github/workflows/integration_test.yml
+++ b/.github/workflows/integration_test.yml
@@ -47,7 +47,7 @@ jobs: # from https://github.com/Azure/login/commits/master uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 with: - client-id: ${{ secrets.CD_CLIENT_ID }} + client-id: ${{ secrets.CLIENT_ID }} tenant-id: ${{ secrets.TENANT_ID }} subscription-id: ${{ secrets.SUBSCRIPTION_ID }}
diff --git a/.github/workflows/release_deploy.yml b/.github/workflows/release_deploy.yml
index 69f8c3e5..90f266f8 100644
--- a/.github/workflows/release_deploy.yml
+++ b/.github/workflows/release_deploy.yml
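Review bot: The new `helm_upgrade_options` line keeps `--debug` next to the `--set`; helm's `--debug` dumps the rendered manifests and the computed values into the job log, which now lives on a shared self-hosted runner and in GitHub's log retention, so anything sensitive the chart renders ends up there. Once the workload-identity rollout is confirmed, drop it: `helm_upgrade_options: "--set microservice-chart.azure.workloadIdentityClientId=${{ vars.WORKLOAD_IDENTITY_ID }}"`. If `WORKLOAD_IDENTITY_ID` is unset for an environment the expression expands to an empty string and the upgrade goes ahead with an empty client id instead of failing; a step before the deploy such as `run: test -n "${{ vars.WORKLOAD_IDENTITY_ID }}" || { echo "WORKLOAD_IDENTITY_ID is not set"; exit 1; }` would make that fail fast. The `with:` block this hunk closes starts outside the hunk.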
@@ -3,6 +3,8 @@ name: Release And Deploy # Controls when the workflow will run on: pull_request: + branches: + - main types: [ closed ] # Allows you to run this workflow manually from the Actions tab
diff --git a/.gitignore b/.gitignore
index 36d6ea3e..6a14a6a5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,4 @@ target/**/* /afm-utils.iml /helm/charts/ /.identity/.terraform.lock.hcl +**/.terraform/*
diff --git a/.identity/00_data.tf b/.identity/00_data.tf
index 0e58c2c0..d0b76a4e 100644
--- a/.identity/00_data.tf
+++ b/.identity/00_data.tf
@@ -22,6 +22,16 @@ data "azurerm_key_vault" "key_vault" { resource_group_name = "pagopa-${var.env_short}-sec-rg" } +data "azurerm_user_assigned_identity" "workload_identity_clientid" { + name = "afm-workload-identity" + resource_group_name = "pagopa-${var.env_short}-${local.location_short}-${var.env}-aks-rg" +} + +data "azurerm_user_assigned_identity" "identity_cd_01" { + resource_group_name = "${local.product}-identity-rg" + name = "${local.product}-${local.domain}-job-01-github-cd-identity" +} + data "azurerm_key_vault" "domain_key_vault" { name = "pagopa-${var.env_short}-${local.domain}-kv" resource_group_name = "pagopa-${var.env_short}-${local.domain}-sec-rg"
diff --git a/.identity/03_github_environment.tf b/.identity/03_github_environment.tf
index 7472baef..8dd49a8d 100644
--- a/.identity/03_github_environment.tf
+++ b/.identity/03_github_environment.tf
@@ -21,7 +21,7 @@ resource "github_repository_environment" "github_repository_environment" { locals { env_secrets = { - "CD_CLIENT_ID" : data.azurerm_user_assigned_identity.identity_cd.client_id, + "CLIENT_ID" : data.azurerm_user_assigned_identity.identity_cd_01.client_id, "TENANT_ID" : data.azurerm_client_config.current.tenant_id, "SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id, "SUBKEY" : data.azurerm_key_vault_secret.key_vault_integration_test_subkey.value,
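Review bot: Adding `branches: - main` narrows which pull requests start this workflow, but `types: [ closed ]` still fires when a PR targeting main is closed without being merged, so unless a job further down (outside the hunk) guards on `github.event.pull_request.merged == true`, closing an unmerged PR would run "Release And Deploy". Please check that guard exists; if it does not, add `if: github.event.pull_request.merged == true` to the first job. The `on:` block continues past the hunk with the manual trigger.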
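Review bot: The secret renamed to `CLIENT_ID` here holds the client id of `identity_cd_01`, whose Azure name (`...-job-01-github-cd-identity`, from the 00_data.tf hunk) marks it as a deploy identity, yet the same secret is now what `code_review.yml` and `integration_test.yml` log in with; dropping the `CD_` prefix hides that those presumably PR-time workflows authenticate as the deployer. Keep the name descriptive, `"CD_CLIENT_ID" : data.azurerm_user_assigned_identity.identity_cd_01.client_id,`, or better provision a separate least-privilege identity for review/test runs and expose it under its own secret. If the old `data.azurerm_user_assigned_identity.identity_cd` is no longer referenced anywhere it should be removed too, since unused data sources are still read at plan time; it is not visible in this diff. The `locals` block continues past the hunk.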
@@ -36,7 +36,8 @@ locals { "DOMAIN" : local.domain, "NAMESPACE" : local.domain, "COSMOS_URI": "https://${local.prefix}-${var.env_short}-${local.location_short}-${local.domain}-marketplace-cosmos-account.documents.azure.com:443/", - "COSMOS_DATABASE": "db" + "COSMOS_DATABASE": "db", + "WORKLOAD_IDENTITY_ID": data.azurerm_user_assigned_identity.workload_identity_clientid.client_id } repo_secrets = { "SONAR_TOKEN" : data.azurerm_key_vault_secret.key_vault_sonar.value,
diff --git a/.identity/99_main.tf b/.identity/99_main.tf
index c5eb0567..51d3427a 100644
--- a/.identity/99_main.tf
+++ b/.identity/99_main.tf
@@ -4,11 +4,11 @@ terraform { required_providers { azuread = { source = "hashicorp/azuread" - version = "2.30.0" + version = "~> 2.53" } azurerm = { source = "hashicorp/azurerm" - version = "3.45.0" + version = "~> 3.117" } github = { source = "integrations/github"
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
index d89e2a47..4ad1ed7d 100644
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -6,5 +6,5 @@ version: 0.30.0 appVersion: 0.9.10 dependencies: - name: microservice-chart - version: 2.4.0 + version: 7.5.0 repository: "https://pagopa.github.io/aks-microservice-chart-blueprint"
diff --git a/helm/values-dev.yaml b/helm/values-dev.yaml
index 13f229d1..580d8087 100644
--- a/helm/values-dev.yaml
+++ b/helm/values-dev.yaml
@@ -22,6 +22,7 @@ microservice-chart: periodSeconds: 10 deployment: create: true + replicas: 1 serviceMonitor: create: true endpoints:
@@ -42,9 +43,9 @@ microservice-chart: path: /pagopa-afm-utils-service/(.*) servicePort: 8080 serviceAccount: - create: false - annotations: {} - name: "" + name: "afm-workload-identity" + azure: + workloadIdentityClientId: podAnnotations: {} podSecurityContext: seccompProfile:
diff --git a/helm/values-prod.yaml b/helm/values-prod.yaml
index 8e9f757d..d541eb56 100644
--- a/helm/values-prod.yaml
+++ b/helm/values-prod.yaml
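Review bot: Moving `azuread` and `azurerm` from exact pins to `~> 2.53` / `~> 3.117` lets each `terraform init` resolve a different provider build, and the `.gitignore` hunk earlier in this diff shows `/.identity/.terraform.lock.hcl` is excluded from the repo, so the configuration that provisions the deploy identity and GitHub secrets now runs on provider binaries that are neither version- nor hash-pinned. Either go back to exact versions, `version = "2.53.x"` / `version = "3.117.x"` with whatever patch level was actually tested, or stop ignoring `.terraform.lock.hcl` and commit it so the hashes are checked on every run. Which exact versions were tested cannot be read from the diff.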
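Review bot: `workloadIdentityClientId:` is added as a bare key, which YAML reads as null; the real value only arrives when the deploy workflow passes `--set microservice-chart.azure.workloadIdentityClientId=...`, so anyone running `helm template` or `helm upgrade` from these values directly gets a null client id with no hint why. Add a comment on that line, `workloadIdentityClientId:  # injected at deploy time via --set in deploy_with_github_runner.yml`, or omit the key so the `--set` is the single source. The same bare key is introduced in the uat and prod values files. Whether microservice-chart 7.5.0 tolerates a null here, or renders an empty `azure.workload.identity/client-id` annotation, is not visible from the diff.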
@@ -42,9 +42,9 @@ microservice-chart: path: /pagopa-afm-utils-service/(.*) servicePort: 8080 serviceAccount: - create: false - annotations: {} - name: "" + name: "afm-workload-identity" + azure: + workloadIdentityClientId: podAnnotations: {} podSecurityContext: seccompProfile:
diff --git a/helm/values-uat.yaml b/helm/values-uat.yaml
index 99730432..4e77ee0f 100644
--- a/helm/values-uat.yaml
+++ b/helm/values-uat.yaml
@@ -22,6 +22,7 @@ microservice-chart: periodSeconds: 10 deployment: create: true + replicas: 1 serviceMonitor: create: true endpoints:
@@ -42,9 +43,9 @@ microservice-chart: path: /pagopa-afm-utils-service/(.*) servicePort: 8080 serviceAccount: - create: false - annotations: {} - name: "" + name: "afm-workload-identity" + azure: + workloadIdentityClientId: podAnnotations: {} podSecurityContext: seccompProfile:
diff --git a/src/main/java/it/gov/pagopa/afm/utils/task/SchedulerTask.java b/src/main/java/it/gov/pagopa/afm/utils/task/SchedulerTask.java
index 6c9da085..76e280dd 100644
--- a/src/main/java/it/gov/pagopa/afm/utils/task/SchedulerTask.java
+++ b/src/main/java/it/gov/pagopa/afm/utils/task/SchedulerTask.java
@@ -3,7 +3,6 @@ import it.gov.pagopa.afm.utils.service.MarketPlaceClient; import javax.annotation.PostConstruct; -import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler; import org.springframework.scheduling.support.CronTrigger;