diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
deleted file mode 100644
index b476dbd..0000000
--- a/.github/workflows/deploy.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-name: Auto Deploy
-
-# Controls when the workflow will run
-on:
- pull_request:
- branches:
- - main
- types: [ closed ]
-
-
- # Allows you to run this workflow manually from the Actions tab
- workflow_dispatch:
-
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
-jobs:
- build:
- if: ${{ github.event.pull_request.merged }}
- name: Call Azure Build Pipeline
- # The type of runner that the job will run on
- runs-on: ubuntu-latest
-
- # Steps represent a sequence of tasks that will be executed as part of the job
- steps:
-
- # default skip bump versioning
- - name: Set as default skip bump versioning
- run: |
- echo "SEMVER=skip" >> $GITHUB_ENV
-
- - name: Set major
- run: |
- echo "SEMVER=major" >> $GITHUB_ENV
- if: ${{ contains(github.event.pull_request.labels.*.name, 'breaking-change') }}
-
- - name: Set minor
- run: |
- echo "SEMVER=minor" >> $GITHUB_ENV
- if: ${{ contains(github.event.pull_request.labels.*.name, 'enhancement') }}
-
- - name: Set patch
- run: |
- echo "SEMVER=patch" >> $GITHUB_ENV
- if: ${{ contains(github.event.pull_request.labels.*.name, 'bug') }}
-
- - name: Set skip
- run: |
- echo "SEMVER=skip" >> $GITHUB_ENV
- if: ${{ contains(github.event.pull_request.labels.*.name, 'ignore-for-release') }}
-
- - name: Azure Pipelines Action - Jversion
- uses: jacopocarlini/azure-pipelines@v1.3
- with:
- azure-devops-project-url: https://dev.azure.com/pagopaspa/pagoPA-projects
- azure-pipeline-name: 'pagopa-platform-authorizer.deploy'
- azure-devops-token: ${{ secrets.AZURE_DEVOPS_TOKEN }}
- azure-template-parameters: '{"ENV": "dev", "SEMVER": "${{env.SEMVER}}", "TEST": "true"}'
- azure-pipeline-variables: '{"system.debug": "true"}'
- 
diff --git a/.github/workflows/release_deploy.yml b/.github/workflows/release_deploy.yml
new file mode 100644
index 0000000..949bc1a
--- /dev/null
+++ b/.github/workflows/release_deploy.yml
@@ -0,0 +1,210 @@
+name: Release And Deploy
+
+# Controls when the workflow will run
+on:
+ pull_request:
+ branches:
+ - main
+ types: [ closed ]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+ inputs:
+ environment:
+ required: true
+ type: choice
+ description: Select the Environment
+ options:
+ - dev
+ - uat
+ - prod
+ - all
+ semver:
+ required: true
+ type: choice
+ description: Select the new Semantic Version
+ options:
+ - major
+ - minor
+ - patch
+ - buildNumber
+ - skip
+ default: skip
+ beta:
+ required: false
+ type: boolean
+ description: deploy beta version
+ default: false
+
+ workflow_call:
+ inputs:
+ environment:
+ required: true
+ type: string
+ semver:
+ required: true
+ type: string
+ default: skip
+ beta:
+ required: false
+ type: boolean
+ description: deploy beta version
+ default: false
+
+permissions:
+ packages: write
+ contents: write
+ issues: write
+ id-token: write
+ actions: read
+
+env:
+ ENV_SHORT: ${{ (contains(github.event.inputs.environment,'dev') && 'd') || (contains(github.event.inputs.environment, 'uat') && 'u') || (contains(github.event.inputs.environment,'prod') && 'p') }}
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ setup:
+ name: Setup
+ runs-on: ubuntu-latest
+ outputs:
+ semver: ${{ steps.get_semver.outputs.semver }}
+ environment: ${{ steps.output.outputs.environment }}
+ steps:
+ - name: Get semver
+ id: get_semver
+ uses: pagopa/github-actions-template/semver-setup@v1.3.0
+
+ - if: ${{ github.event.inputs.environment == null || github.event.inputs.environment == 'dev' }}
+ run: echo "ENVIRNOMENT=dev" >> $GITHUB_ENV
+
+ - if: ${{ github.event.inputs.environment == 'uat' }}
+ run: echo "ENVIRNOMENT=uat" >> $GITHUB_ENV
+
+ - if: ${{ github.event.inputs.environment == 'prod' }}
+ run: echo "ENVIRNOMENT=prod" >> $GITHUB_ENV
+
+ - if: ${{ github.event.inputs.environment == 'all' }}
+ run: echo "ENVIRNOMENT=all" >>
$GITHUB_ENV
+
+ - id: output
+ name: Set Output
+ run: |
+ echo "environment=${{env.ENVIRNOMENT}}" >> $GITHUB_OUTPUT
+
+ release:
+ name: Create a New Release
+ runs-on: ubuntu-latest
+ needs: [setup]
+ outputs:
+ version: ${{ steps.release.outputs.version }}
+ steps:
+ - name: Make Release
+ id: release
+ uses: pagopa/github-actions-template/maven-release@main
+ with:
+ semver: ${{ needs.setup.outputs.semver }}
+ github_token: ${{ secrets.BOT_TOKEN_GITHUB }}
+ beta: ${{ inputs.beta }}
+ skip_ci: ${{ inputs.beta }}
+
+ build-and-push:
+ needs: [ setup, release ]
+ name: Build and Push Docker Image
+ runs-on: ubuntu-latest
+ if: ${{ inputs.semver != 'skip' }}
+ environment: ${{ inputs.environment }}
+ steps:
+ - name: Build and Push
+ id: semver
+ uses: pagopa/github-actions-template/ghcr-build-push@v1.5.4
+ with:
+ branch: ${{ github.ref_name}}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ tag: ${{ needs.release.outputs.version }}
+
+ deploy_azure_fn:
+ name: Deploy Azure function
+ needs: [ setup, release, build-and-push ]
+ runs-on: ubuntu-latest
+ if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
+
+ steps:
+ - name: Set env variables
+ run: |
+ echo "RESOURCE_GROUP=pagopa-${{env.ENV_SHORT}}-weu-shared-rg" >> $GITHUB_ENV
+ echo "APP_NAME=pagopa-${{env.ENV_SHORT}}-weu-shared-authorizer-fn" >> $GITHUB_ENV
+ echo "REGISTRY_IMAGE=ghcr.io/pagopa/pagopa-platform-authorizer:${{needs.release.outputs.version}}" >> $GITHUB_ENV
+
+ - name: 'Checkout GitHub Action'
+ uses: actions/checkout@v3
+
+ - name: 'Login via Azure CLI'
+ uses: azure/login@v1
+ with:
+ client-id: ${{ secrets.CLIENT_ID }}
+ tenant-id: ${{ secrets.TENANT_ID }}
+ subscription-id: ${{ secrets.SUBSCRIPTION_ID }}
+
+ - name: 'Azure CLI script: start staging slot'
+ uses: azure/CLI@v1
+ if: ${{ contains(github.event.inputs.environment, 'prod') }}
+ with:
+ inlineScript: |
+ az functionapp start --name ${{ env.APP_NAME }} --resource-group ${{
env.RESOURCE_GROUP }} --slot staging
+
+ - name: 'Run Azure Functions Container Action: staging slot'
+ uses: Azure/functions-container-action@v1.2.1
+ if: ${{ contains(github.event.inputs.environment, 'prod')}}
+ with:
+ app-name: ${{ env.APP_NAME }}
+ image: ${{ env.REGISTRY_IMAGE }}
+ slot-name: staging
+
+ - name: 'Deploy Approval'
+ uses: trstringer/manual-approval@v1
+ if: ${{ contains(github.event.inputs.environment, 'prod')}}
+ with:
+ secret: ${{ secrets.BOT_TOKEN_GITHUB }}
+ approvers: pagopa-team-core
+ minimum-approvals: 1
+ issue-title: "Deploying ${{ env.TAG }} to prod from staging"
+ issue-body: "Please approve or deny the deployment of version ${{ env.TAG }}."
+ exclude-workflow-initiator-as-approver: false
+ timeout-minutes: 360
+
+ - name: 'Run Azure Functions Container Action'
+ uses: Azure/functions-container-action@v1.2.1
+ with:
+ app-name: ${{ env.APP_NAME }}
+ image: ${{ env.REGISTRY_IMAGE }}
+ slot-name: production
+
+ - name: 'Azure CLI script: end staging slot'
+ uses: azure/CLI@v1
+ if: ${{ contains(github.event.inputs.environment, 'prod') }}
+ with:
+ inlineScript: |
+ az functionapp stop --name ${{ env.APP_NAME }} --resource-group ${{ env.RESOURCE_GROUP }} --slot staging
+
+ - name: Azure logout
+ run: |
+ az logout
+
+# notify:
+# needs: [ deploy ]
+# runs-on: ubuntu-latest
+# name: Notify
+# if: always()
+# steps:
+# - name: Report Status
+# if: always()
+# uses: ravsamhq/notify-slack-action@v2
+# with:
+# status: ${{ needs.deploy.result }}
+# token: ${{ secrets.GITHUB_TOKEN }}
+# notify_when: 'failure,skipped'
+# notification_title: '{workflow} has {status_message}'
+# message_format: '{emoji} <{workflow_url}|{workflow}> {status_message} in <{repo_url}|{repo}>'
+# footer: 'Linked to Repo <{repo_url}|{repo}>'
+# env:
+# SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.identity/00_data.tf b/.identity/00_data.tf
index bbb772f..a85f720 100644
--- a/.identity/00_data.tf
+++ b/.identity/00_data.tf
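Review bot: `ENV_SHORT` in the workflow-level `env:` block is computed only from `github.event.inputs.environment`, so on the `pull_request` trigger (and under `workflow_call`, unless the calling run itself carried such an input) the chained `contains(...) && ...` expression appears to evaluate to `false`, and `deploy_azure_fn` then targets `pagopa-false-weu-shared-rg` / `pagopa-false-weu-shared-authorizer-fn`, while the `setup` job defaults the same missing input to `dev`. Appending a fallback, `... || (contains(github.event.inputs.environment,'prod') && 'p') || 'd' }}`, or deriving the short name from `needs.setup.outputs.environment` inside the deploy job, keeps the two consistent. In the `Deploy Approval` step, `env.TAG` is never set anywhere in this file, so the approval issue title and body will render as `Deploying  to prod from staging`; use `${{ needs.release.outputs.version }}` there, as the `REGISTRY_IMAGE` line already does. The same step sets `exclude-workflow-initiator-as-approver: false`, which lets the person who triggered the prod deploy approve it themselves; `exclude-workflow-initiator-as-approver: true` makes the production gate require a second person.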
@@ -27,6 +27,10 @@ data "azurerm_key_vault" "domain_key_vault" {
 resource_group_name = "pagopa-${var.env_short}-${local.domain}-sec-rg"
 }
 
+data "azurerm_resource_group" "shared_rg" {
+ name = "pagopa-${var.env_short}-weu-shared-rg"
+}
+
 data "azurerm_resource_group" "apim_resource_group" {
 name = "${local.product}-api-rg"
 }
diff --git a/.identity/02_application_action.tf b/.identity/02_application_action.tf
index ebcff97..deca70c 100644
--- a/.identity/02_application_action.tf
+++ b/.identity/02_application_action.tf
@@ -59,6 +59,12 @@ resource "azurerm_role_assignment" "environment_terraform_resource_group_dashboa
 principal_id = module.github_runner_app.object_id
 }
 
+resource "azurerm_role_assignment" "environment_function" {
+ scope = data.azurerm_resource_group.shared_rg.id
+ role_definition_name = "Contributor"
+ principal_id = module.github_runner_app.object_id
+}
+
 resource "azurerm_role_assignment" "environment_key_vault" {
 scope = data.azurerm_key_vault.key_vault.id
 role_definition_name = "Reader"
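Review bot: `environment_function` grants the built-in `Contributor` role over the entire shared resource group (`data.azurerm_resource_group.shared_rg.id`) to `module.github_runner_app.object_id`, which is considerably wider than what the new deploy workflow does with that identity (start/stop one function app's staging slot and deploy a container image to it). Contributor at resource-group scope lets any run executing under the runner's federated credential create, modify or delete every resource in that group, so a faulty or compromised workflow run has the same reach. Narrowing `scope` to the function app's own resource id (for example via an `azurerm_linux_function_app` data lookup) and/or using a more specific built-in role such as `Website Contributor` keeps the grant aligned with the deploy steps. If the broad scope is genuinely needed, a comment on the resource recording why, e.g. `# Contributor on the shared RG is required because <reason>`, would document the decision for the next reviewer.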