feat: added Azure Function deploy action

.github/workflows/release_deploy.yml

@@ -0,0 +1,210 @@
+name: Release And Deploy
+
+# Controls when the workflow will run
+on:
+  pull_request:
+    branches:
+      - main
+    types: [ closed ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+    inputs:
+      environment:
+        required: true
+        type: choice
+        description: Select the Environment
+        options:
+          - dev
+          - uat
+          - prod
+          - all
+      semver:
+        required: true
+        type: choice
+        description: Select the new Semantic Version
+        options:
+          - major
+          - minor
+          - patch
+          - buildNumber
+          - skip
+        default: skip
+      beta:
+        required: false
+        type: boolean
+        description: deploy beta version
+        default: false
+
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+      semver:
+        required: true
+        type: string
+        default: skip
+      beta:
+        required: false
+        type: boolean
+        description: deploy beta version
+        default: false
+
+permissions:
+  packages: write
+  contents: write
+  issues: write
+  id-token: write
+  actions: read
+
+env:
+  ENV_SHORT: ${{ (contains(github.event.inputs.environment,'dev') && 'd') || (contains(github.event.inputs.environment, 'uat') && 'u') || (contains(github.event.inputs.environment,'prod') && 'p') }}
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  setup:
+    name: Setup
+    runs-on: ubuntu-latest
+    outputs:
+      semver: ${{ steps.get_semver.outputs.semver }}
+      environment: ${{ steps.output.outputs.environment }}
+    steps:
+      - name: Get semver
+        id: get_semver
+        uses: pagopa/github-actions-template/semver-setup@v1.3.0
+
+      - if: ${{ github.event.inputs.environment == null || github.event.inputs.environment == 'dev' }}
+        run: echo "ENVIRNOMENT=dev" >> $GITHUB_ENV
+
+      - if: ${{ github.event.inputs.environment == 'uat' }}
+        run: echo "ENVIRNOMENT=uat" >> $GITHUB_ENV
+
+      - if: ${{ github.event.inputs.environment == 'prod' }}
+        run: echo "ENVIRNOMENT=prod" >> $GITHUB_ENV
+
+      - if: ${{ github.event.inputs.environment == 'all' }}
+        run: echo "ENVIRNOMENT=all" >> $GITHUB_ENV
+
+      - id: output
+        name: Set Output
+        run: |
+          echo "environment=${{env.ENVIRNOMENT}}" >> $GITHUB_OUTPUT
+
+  release:
+    name: Create a New Release
+    runs-on: ubuntu-latest
+    needs: [setup]
+    outputs:
+      version: ${{ steps.release.outputs.version }}
+    steps:
+      - name: Make Release
+        id: release
+        uses: pagopa/github-actions-template/maven-release@main
+        with:
+          semver: ${{ needs.setup.outputs.semver }}
+          github_token: ${{ secrets.BOT_TOKEN_GITHUB }}
+          beta: ${{ inputs.beta }}
+          skip_ci: ${{ inputs.beta }}
+
+  build-and-push:
+    needs: [ setup, release ]
+    name: Build and Push Docker Image
+    runs-on: ubuntu-latest
+    if: ${{ inputs.semver != 'skip' }}
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Build and Push
+        id: semver
+        uses: pagopa/github-actions-template/ghcr-build-push@v1.5.4
+        with:
+          branch: ${{ github.ref_name}}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ needs.release.outputs.version }}
+
+  deploy_azure_fn:
+    name: Deploy Azure function
+    needs: [ setup, release, build-and-push ]
+    runs-on: ubuntu-latest
+    if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
+
+    steps:
+      - name: Set env variables
+        run: |
+          echo "RESOURCE_GROUP=pagopa-${{env.ENV_SHORT}}-weu-shared-rg" >> $GITHUB_ENV
+          echo "APP_NAME=pagopa-${{env.ENV_SHORT}}-weu-shared-authorizer-fn" >> $GITHUB_ENV
+          echo "REGISTRY_IMAGE=ghcr.io/pagopa/pagopa-platform-authorizer:${{needs.release.outputs.version}}" >> $GITHUB_ENV
+
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v3
+
+      - name: 'Login via Azure CLI'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.CLIENT_ID }}
+          tenant-id: ${{ secrets.TENANT_ID }}
+          subscription-id: ${{ secrets.SUBSCRIPTION_ID }}
+
+      - name: 'Azure CLI script: start staging slot'
+        uses: azure/CLI@v1
+        if: ${{ contains(github.event.inputs.environment, 'prod') }}
+        with:
+          inlineScript: |
+            az functionapp start --name ${{ env.APP_NAME }} --resource-group ${{ env.RESOURCE_GROUP }} --slot staging
+
+      - name: 'Run Azure Functions Container Action: staging slot'
+        uses: Azure/functions-container-action@v1.2.1
+        if: ${{ contains(github.event.inputs.environment, 'prod')}}
+        with:
+          app-name: ${{ env.APP_NAME }}
+          image: ${{ env.REGISTRY_IMAGE }}
+          slot-name: staging
+
+      - name: 'Deploy Approval'
+        uses: trstringer/manual-approval@v1
+        if: ${{ contains(github.event.inputs.environment, 'prod')}}
+        with:
+          secret: ${{ secrets.BOT_TOKEN_GITHUB }}
+          approvers: pagopa-team-core
+          minimum-approvals: 1
+          issue-title: "Deploying ${{ env.TAG }} to prod from staging"
+          issue-body: "Please approve or deny the deployment of version ${{ env.TAG }}."
+          exclude-workflow-initiator-as-approver: false
+          timeout-minutes: 360
+
+      - name: 'Run Azure Functions Container Action'
+        uses: Azure/functions-container-action@v1.2.1
+        with:
+          app-name: ${{ env.APP_NAME }}
+          image: ${{ env.REGISTRY_IMAGE }}
+          slot-name: production
+
+      - name: 'Azure CLI script: end staging slot'
+        uses: azure/CLI@v1
+        if: ${{ contains(github.event.inputs.environment, 'prod') }}
+        with:
+          inlineScript: |
+            az functionapp stop --name ${{ env.APP_NAME }} --resource-group ${{ env.RESOURCE_GROUP }} --slot staging
+
+      - name: Azure logout
+        run: |
+          az logout
+
+#  notify:
+#    needs: [ deploy ]
+#    runs-on: ubuntu-latest
+#    name: Notify
+#    if: always()
+#    steps:
+#      - name: Report Status
+#        if: always()
+#        uses: ravsamhq/notify-slack-action@v2
+#        with:
+#          status: ${{ needs.deploy.result }}
+#          token: ${{ secrets.GITHUB_TOKEN }}
+#          notify_when: 'failure,skipped'
+#          notification_title: '{workflow} has {status_message}'
+#          message_format: '{emoji} <{workflow_url}|{workflow}> {status_message} in <{repo_url}|{repo}>'
+#          footer: 'Linked to Repo <{repo_url}|{repo}>'
+#        env:
+#          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

.identity/00_data.tf

@@ -27,6 +27,10 @@ data "azurerm_key_vault" "domain_key_vault" {
   resource_group_name = "pagopa-${var.env_short}-${local.domain}-sec-rg"
 }
 
+data "azurerm_resource_group" "shared_rg" {
+  name  = "pagopa-${var.env_short}-weu-shared-rg"
+}
+
 data "azurerm_resource_group" "apim_resource_group" {
   name = "${local.product}-api-rg"
 }

.identity/02_application_action.tf

@@ -59,6 +59,12 @@ resource "azurerm_role_assignment" "environment_terraform_resource_group_dashboa
   principal_id         = module.github_runner_app.object_id
 }
 
+resource "azurerm_role_assignment" "environment_function" {
+  scope                = data.azurerm_resource_group.shared_rg.id
+  role_definition_name = "Contributor"
+  principal_id         = module.github_runner_app.object_id
+}
+
 resource "azurerm_role_assignment" "environment_key_vault" {
   scope                = data.azurerm_key_vault.key_vault.id
   role_definition_name = "Reader"