pagopa · pasqualespica · May 22, 2025 · May 19, 2025 · May 19, 2025 · May 19, 2025
diff --git a/.github/workflows/code_review.yml b/.github/workflows/code_review.yml
@@ -59,7 +59,7 @@ jobs:
         # from https://github.com/Azure/login/commits/master
         uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
         with:
-          client-id: ${{ secrets.CD_CLIENT_ID }}
+          client-id: ${{ secrets.CLIENT_ID }}
           tenant-id: ${{ secrets.TENANT_ID }}
           subscription-id: ${{ secrets.SUBSCRIPTION_ID }}
 

diff --git a/.github/workflows/create_dashboard.yaml b/.github/workflows/create_dashboard.yaml
@@ -45,7 +45,7 @@ jobs:
           environment: ${{ matrix.environment }}
           api-name: ${{ matrix.product }}
           config: .opex/${{ matrix.product }}/env/${{ matrix.environment }}/config.yaml
-          client-id: ${{ secrets.CD_CLIENT_ID }}
+          client-id: ${{ secrets.CLIENT_ID }}
           tenant-id: ${{ secrets.TENANT_ID }}
           subscription-id: ${{ secrets.SUBSCRIPTION_ID }}
           # from https://github.com/pagopa/opex-dashboard-azure-action/pkgs/container/opex-dashboard-azure-action

diff --git a/.github/workflows/deploy_with_github_runner.yml b/.github/workflows/deploy_with_github_runner.yml
@@ -11,6 +11,10 @@ on:
         required: true
         description: The environment target of the job
         type: string
+      branch:
+        required: false
+        default: ${{ github.ref_name }}
+        type: string
 
 env:
   NAMESPACE: afm
@@ -22,64 +26,23 @@ permissions:
   contents: read
 
 jobs:
-  create_runner:
-    name: Create Runner
-    runs-on: ubuntu-22.04
-    environment:
-      name: ${{ inputs.environment }}
-    if: ${{ inputs.target == inputs.environment || inputs.target == 'all' }}
-    outputs:
-      runner_name: ${{ steps.create_github_runner.outputs.runner_name }}
-    steps:
-      - name: Create GitHub Runner
-        id: create_github_runner
-        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-create-action
-        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-create-action@main
-        with:
-          client_id: ${{ secrets.CD_CLIENT_ID }}
-          tenant_id: ${{ secrets.TENANT_ID }}
-          subscription_id: ${{ secrets.SUBSCRIPTION_ID }}
-          container_app_environment_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_NAME }}
-          resource_group_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME }} # RG of the runner
-          pat_token: ${{ secrets.BOT_TOKEN_GITHUB }}
-          self_hosted_runner_image_tag: "latest"
-
   deploy:
-    needs: [ create_runner ]
-    runs-on: [ self-hosted, "${{ needs.create_runner.outputs.runner_name }}" ]
+    runs-on: [ self-hosted-job, "${{ inputs.environment }}" ]
     if: ${{ inputs.target == inputs.environment || inputs.target == 'all' }}
     name: Deploy on AKS
     environment: ${{ inputs.environment }}
     steps:
       - name: Deploy
         uses: pagopa/github-actions-template/aks-deploy@main
         with:
-          branch: ${{ github.ref_name }}
-          client_id: ${{ secrets.CD_CLIENT_ID }}
+          branch: ${{ inputs.branch }}
+          client_id: ${{ secrets.CLIENT_ID }}
           subscription_id: ${{ secrets.SUBSCRIPTION_ID }}
           tenant_id: ${{ secrets.TENANT_ID }}
           env: ${{ inputs.environment }}
           namespace: ${{ env.NAMESPACE }}
           cluster_name: ${{ vars.CLUSTER_NAME }}
           resource_group: ${{ vars.CLUSTER_RESOURCE_GROUP }}
           app_name: ${{ env.APP_NAME }}
-          helm_upgrade_options: "--debug"
-
-  cleanup_runner:
-    name: Cleanup Runner
-    needs: [ create_runner, deploy ]
-    if: ${{ success() || failure() && inputs.target == inputs.environment || inputs.target == 'all' }}
-    runs-on: ubuntu-22.04
-    environment: ${{ inputs.environment }}
-    steps:
-      - name: Cleanup GitHub Runner
-        id: cleanup_github_runner
-        # from https://github.com/pagopa/eng-github-actions-iac-template/tree/main/azure/github-self-hosted-runner-azure-cleanup-action
-        uses: pagopa/eng-github-actions-iac-template/azure/github-self-hosted-runner-azure-cleanup-action@0ee2f58fd46d10ac7f00bce4304b98db3dbdbe9a
-        with:
-          client_id: ${{ secrets.CD_CLIENT_ID }}
-          tenant_id: ${{ secrets.TENANT_ID }}
-          subscription_id: ${{ secrets.SUBSCRIPTION_ID }}
-          resource_group_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME }}
-          runner_name: ${{ needs.create_runner.outputs.runner_name }}
-          pat_token: ${{ secrets.BOT_TOKEN_GITHUB }}
+          helm_upgrade_options: "--debug --set microservice-chart.azure.workloadIdentityClientId=${{vars.WORKLOAD_IDENTITY_ID}}"
+          timeout: '15m0s'
diff --git a/.github/workflows/integration_test.yml b/.github/workflows/integration_test.yml
@@ -47,7 +47,7 @@ jobs:
         # from https://github.com/Azure/login/commits/master
         uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
         with:
-          client-id: ${{ secrets.CD_CLIENT_ID }}
+          client-id: ${{ secrets.CLIENT_ID }}
           tenant-id: ${{ secrets.TENANT_ID }}
           subscription-id: ${{ secrets.SUBSCRIPTION_ID }}
 

diff --git a/.github/workflows/release_deploy.yml b/.github/workflows/release_deploy.yml
@@ -3,6 +3,8 @@ name: Release And Deploy
 # Controls when the workflow will run
 on:
   pull_request:
+    branches:
+      - main
     types: [ closed ]
 
   # Allows you to run this workflow manually from the Actions tab

diff --git a/.identity/00_data.tf b/.identity/00_data.tf
@@ -22,6 +22,16 @@ data "azurerm_key_vault" "key_vault" {
   resource_group_name = "pagopa-${var.env_short}-sec-rg"
 }
 
+data "azurerm_user_assigned_identity" "workload_identity_clientid" {
+  name                = "afm-workload-identity"
+  resource_group_name = "pagopa-${var.env_short}-${local.location_short}-${var.env}-aks-rg"
+}
+
+data "azurerm_user_assigned_identity" "identity_cd_01" {
+  resource_group_name = "${local.product}-identity-rg"
+  name                = "${local.product}-${local.domain}-job-01-github-cd-identity"
+}
+
 data "azurerm_key_vault" "domain_key_vault" {
   name                = "pagopa-${var.env_short}-${local.domain}-kv"
   resource_group_name = "pagopa-${var.env_short}-${local.domain}-sec-rg"

diff --git a/.identity/03_github_environment.tf b/.identity/03_github_environment.tf
@@ -21,7 +21,7 @@ resource "github_repository_environment" "github_repository_environment" {
 
 locals {
   env_secrets = {
-    "CD_CLIENT_ID" : data.azurerm_user_assigned_identity.identity_cd.client_id,
+    "CLIENT_ID" : data.azurerm_user_assigned_identity.identity_cd_01.client_id,
     "TENANT_ID" : data.azurerm_client_config.current.tenant_id,
     "SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id,
     "SUBKEY" : data.azurerm_key_vault_secret.key_vault_integration_test_subkey.value,
@@ -36,7 +36,8 @@ locals {
     "DOMAIN" : local.domain,
     "NAMESPACE" : local.domain,
     "COSMOS_URI": "https://${local.prefix}-${var.env_short}-${local.location_short}-${local.domain}-marketplace-cosmos-account.documents.azure.com:443/",
-    "COSMOS_DATABASE": "db"
+    "COSMOS_DATABASE": "db",
+    "WORKLOAD_IDENTITY_ID": data.azurerm_user_assigned_identity.workload_identity_clientid.client_id
   }
   repo_secrets = {
     "SONAR_TOKEN" : data.azurerm_key_vault_secret.key_vault_sonar.value,

diff --git a/.identity/99_main.tf b/.identity/99_main.tf
@@ -4,11 +4,11 @@ terraform {
   required_providers {
     azuread = {
       source  = "hashicorp/azuread"
-      version = "2.30.0"
+      version = "~> 2.53"
     }
     azurerm = {
       source  = "hashicorp/azurerm"
-      version = "3.45.0"
+      version = "~> 3.117"
     }
     github = {
       source  = "integrations/github"

diff --git a/helm/Chart.yaml b/helm/Chart.yaml
@@ -2,9 +2,9 @@ apiVersion: v2
 name: pagopa-afm-utils
 description: Utility microservice for pagoPA AFM
 type: application
-version: 0.29.0
-appVersion: 0.9.9
+version: 0.31.0
+appVersion: 0.9.9-2-PIDM-486
 dependencies:
   - name: microservice-chart
-    version: 2.4.0
+    version: 7.5.0
     repository: "https://pagopa.github.io/aks-microservice-chart-blueprint"
diff --git a/helm/values-dev.yaml b/helm/values-dev.yaml
@@ -4,7 +4,7 @@ microservice-chart:
   fullnameOverride: ""
   image:
     repository: ghcr.io/pagopa/pagopa-afm-utils
-    tag: "0.9.9"
+    tag: "0.9.9-2-PIDM-486"
     pullPolicy: Always
   livenessProbe:
     httpGet:
@@ -22,6 +22,7 @@ microservice-chart:
     periodSeconds: 10
   deployment:
     create: true
+    replicas: 1
   serviceMonitor:
     create: true
     endpoints:
@@ -42,9 +43,9 @@ microservice-chart:
     path: /pagopa-afm-utils-service/(.*)
     servicePort: 8080
   serviceAccount:
-    create: false
-    annotations: {}
-    name: ""
+    name: "afm-workload-identity"
+  azure:
+    workloadIdentityClientId: <workload-identity-client-id-set-automatically-by-gha>
   podAnnotations: {}
   podSecurityContext:
     seccompProfile:

diff --git a/helm/values-prod.yaml b/helm/values-prod.yaml
@@ -4,7 +4,7 @@ microservice-chart:
   fullnameOverride: ""
   image:
     repository: ghcr.io/pagopa/pagopa-afm-utils
-    tag: "0.9.9"
+    tag: "0.9.9-2-PIDM-486"
     pullPolicy: Always
   livenessProbe:
     httpGet:
@@ -42,9 +42,9 @@ microservice-chart:
     path: /pagopa-afm-utils-service/(.*)
     servicePort: 8080
   serviceAccount:
-    create: false
-    annotations: {}
-    name: ""
+    name: "afm-workload-identity"
+  azure:
+    workloadIdentityClientId: <workload-identity-client-id-set-automatically-by-gha>
   podAnnotations: {}
   podSecurityContext:
     seccompProfile:

diff --git a/helm/values-uat.yaml b/helm/values-uat.yaml
@@ -4,7 +4,7 @@ microservice-chart:
   fullnameOverride: ""
   image:
     repository: ghcr.io/pagopa/pagopa-afm-utils
-    tag: "0.9.9"
+    tag: "0.9.9-2-PIDM-486"
     pullPolicy: Always
   livenessProbe:
     httpGet:
@@ -22,6 +22,7 @@ microservice-chart:
     periodSeconds: 10
   deployment:
     create: true
+    replicas: 1
   serviceMonitor:
     create: true
     endpoints:
@@ -42,9 +43,9 @@ microservice-chart:
     path: /pagopa-afm-utils-service/(.*)
     servicePort: 8080
   serviceAccount:
-    create: false
-    annotations: {}
-    name: ""
+    name: "afm-workload-identity"
+  azure:
+    workloadIdentityClientId: <workload-identity-client-id-set-automatically-by-gha>
   podAnnotations: {}
   podSecurityContext:
     seccompProfile:

diff --git a/openapi/openapi.json b/openapi/openapi.json
@@ -4,7 +4,7 @@
     "title": "afm-utils",
     "description": "@project.description@",
     "termsOfService": "https://www.pagopa.gov.it/",
-    "version": "0.9.9"
+    "version": "0.9.9-2-PIDM-486"
   },
   "servers": [
     {

diff --git a/pom.xml b/pom.xml
@@ -13,7 +13,7 @@
 
     <groupId>it.gov.pagopa</groupId>
     <artifactId>afm-utils</artifactId>
-    <version>0.9.9</version>
+    <version>0.9.9-2-PIDM-486</version>
     <name>afm-utils</name>
     <description>Utility microservice for pagoPA AFM</description>
     <packaging>jar</packaging>

diff --git a/src/main/java/it/gov/pagopa/afm/utils/task/SchedulerTask.java b/src/main/java/it/gov/pagopa/afm/utils/task/SchedulerTask.java
@@ -3,7 +3,6 @@
 import it.gov.pagopa.afm.utils.service.MarketPlaceClient;
 import javax.annotation.PostConstruct;
 
-import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
 import org.springframework.scheduling.support.CronTrigger;