Merge pull request #16 from pagopa/infra

Infra
pagopa · Jun 30, 2023 · 5c06a06 · 5c06a06
2 parents 35c479a + 7078596
commit 5c06a06
Show file tree

Hide file tree

Showing 31 changed files with 656 additions and 2,389 deletions.
diff --git a/.editorconfig b/.editorconfig
diff --git a/.github/workflows/check_pr.yml b/.github/workflows/check_pr.yml
@@ -38,9 +38,10 @@ jobs:
       - name: Formatting
         id: format
         continue-on-error: true
-        uses: axel-op/googlejavaformat-action@v3
+        uses: findologic/intellij-format-action@main
         with:
-          args: "--set-exit-if-changed"
+          path: .
+          fail-on-changes: false
 
       - uses: actions/[email protected]
         if: steps.format.outcome != 'success'

diff --git a/.github/workflows/deploy_with_github_runner.yml b/.github/workflows/deploy_with_github_runner.yml
@@ -83,3 +83,45 @@ jobs:
           resource_group_name: ${{ vars.CONTAINER_APP_ENVIRONMENT_RESOURCE_GROUP_NAME }}
           runner_name: ${{ needs.create_runner.outputs.runner_name }}
           pat_token: ${{ secrets.BOT_TOKEN_GITHUB }}
+
+  update_openapi:
+    needs: [ deploy ]
+    runs-on: ubuntu-latest
+    name: Update OpenAPI
+    if: ${{ inputs.target == inputs.environment || inputs.target == 'all' }}
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Checkout
+        id: checkout
+        # from https://github.com/actions/checkout/commits/main
+        uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707
+        with:
+          persist-credentials: false
+
+      - name: Setup Terraform
+        # from https://github.com/hashicorp/setup-terraform/commits/main
+        uses: hashicorp/setup-terraform@8feba2b913ea459066180f9cb177f58a881cf146
+        with:
+          terraform_version: "1.3.6"
+
+      - name: Login
+        id: login
+        # from https://github.com/Azure/login/commits/master
+        uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
+        with:
+          client-id: ${{ secrets.CLIENT_ID }}
+          tenant-id: ${{ secrets.TENANT_ID }}
+          subscription-id: ${{ secrets.SUBSCRIPTION_ID }}
+
+
+      - name: Terraform Apply
+        shell: bash
+        run: |
+          cd ./infra
+          export ARM_CLIENT_ID="${{ secrets.CLIENT_ID }}"
+          export ARM_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
+          export ARM_TENANT_ID=$(az account show --query tenantId --output tsv)
+          export ARM_USE_OIDC=true
+          export ARM_ACCESS_KEY=$(az storage account keys list --resource-group io-infra-rg --account-name pagopainfraterraform${{inputs.environment}} --query '[0].value' -o tsv)
+          bash ./terraform.sh init weu-${{ inputs.environment }}
+          bash ./terraform.sh apply weu-${{ inputs.environment }} -auto-approve
diff --git a/.github/workflows/update_code.yml b/.github/workflows/update_code.yml
@@ -30,24 +30,19 @@ jobs:
         with:
           java-version: 11
 
-#      - name: Run Service on Docker
-#        shell: bash
-#        run: |
-#          cd ./docker
-#          chmod +x ./run_docker.sh
-#          ./run_docker.sh local
-#
-#      - name: Update OpenApi/Swagger file
-#        run: |
-#          cd ./openapi
-#          chmod +x ./generate_openapi.sh
-#          ./generate_openapi.sh
+      - name: Update OpenApi/Swagger file
+        run: |
+          cd ./openapi
+          chmod +x ./generate_openapi.sh
+          ./generate_openapi.sh
 
       - name: Formatting
-        uses: axel-op/googlejavaformat-action@v3
+        id: format
+        uses: findologic/intellij-format-action@main
         with:
-          args: "--replace"
-          commit-message: "Google Java format"
+          path: .
+          fail-on-changes: false
+
 
   notify:
     needs: [ update ]

diff --git a/.github/workflows/update_infra.yml b/.github/workflows/update_infra.yml
diff --git a/.gitignore b/.gitignore
@@ -35,3 +35,5 @@ hs_err_pid*
 /helm/charts/*
 
 .identity/.terraform/*
+**/.terraform.lock.hcl
+**/.terraform
diff --git a/.identity/00_data.tf b/.identity/00_data.tf
@@ -1,7 +1,16 @@
+data "azurerm_storage_account" "tf_storage_account"{
+  name                = "pagopainfraterraform${var.env}"
+  resource_group_name = "io-infra-rg"
+}
+
 data "azurerm_resource_group" "dashboards" {
   name = "dashboards"
 }
 
+data "azurerm_resource_group" "apim_resource_group" {
+  name = "${local.product}-api-rg"
+}
+
 data "azurerm_kubernetes_cluster" "aks" {
   name                = local.aks_cluster.name
   resource_group_name = local.aks_cluster.resource_group_name
@@ -18,6 +27,11 @@ data "azurerm_key_vault" "key_vault" {
   resource_group_name = "pagopa-${var.env_short}-sec-rg"
 }
 
+data "azurerm_key_vault" "domain_key_vault" {
+  name                = "pagopa-${var.env_short}-${local.domain}-kv"
+  resource_group_name = "pagopa-${var.env_short}-${local.domain}-sec-rg"
+}
+
 data "azurerm_key_vault_secret" "key_vault_sonar" {
 
   name = "sonar-token"

diff --git a/.identity/02_application_action.tf b/.identity/02_application_action.tf
@@ -47,8 +47,17 @@ resource "azurerm_role_assignment" "environment_terraform_resource_group_dashboa
   principal_id         = module.github_runner_app.object_id
 }
 
+resource "azurerm_role_assignment" "environment_terraform_storage_account" {
+  scope                = data.azurerm_storage_account.tf_storage_account.id
+  role_definition_name = "Contributor"
+  principal_id         = module.github_runner_app.object_id
+}
 
-
+resource "azurerm_role_assignment" "environment_terraform_resource_group_apim" {
+  scope                = data.azurerm_resource_group.apim_resource_group.id
+  role_definition_name = "Contributor"
+  principal_id         = module.github_runner_app.object_id
+}
 
 resource "azuread_application" "action" {
   display_name = "github-${local.github.org}-${local.github.repository}-${var.env}"
@@ -81,3 +90,22 @@ resource "azurerm_key_vault_access_policy" "ad_group_policy" {
   storage_permissions     = []
   certificate_permissions = []
 }
+
+resource "azurerm_role_assignment" "environment_key_vault_domain" {
+  scope                = data.azurerm_key_vault.domain_key_vault.id
+  role_definition_name = "Reader"
+  principal_id         = module.github_runner_app.object_id
+}
+
+
+resource "azurerm_key_vault_access_policy" "ad_kv_domain_group_policy" {
+  key_vault_id = data.azurerm_key_vault.domain_key_vault.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = module.github_runner_app.object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List"]
+  storage_permissions     = []
+  certificate_permissions = []
+}
diff --git a/docker/run_docker.sh b/docker/run_docker.sh
@@ -44,7 +44,7 @@ done
 echo $GH_TOKEN > ./secrets
 
 DOCKER_BUILDKIT=1 docker build -t selfcare-integration --secret id=GH_TOKEN,src=./secrets ../
-docker run -d -p8080:8080 --env-file ./.env selfcare-integration
+docker run -p8080:8080 --env-file ./.env selfcare-integration
 
 
 # waiting the containers

diff --git a/helm/values-dev.yaml b/helm/values-dev.yaml
@@ -90,6 +90,21 @@ microservice-chart:
                 values:
                   - user
   canaryDelivery:
+    create: true
+    ingress:
+      create: true
+      canary:
+        type: header
+        headerName: X-Canary
+        headerValue: canary
+        weightPercent: 0
+    service:
+      create: true
     deployment:
+      create: true
       image:
+        repository: ghcr.io/pagopa/pagopa-api-config-selfcare-integration
         tag: 1.3.5
+        pullPolicy: Always
+      envConfig: {}
+      envSecret: {}
diff --git a/helm/values-prod.yaml b/helm/values-prod.yaml
@@ -90,6 +90,21 @@ microservice-chart:
                 values:
                   - user
   canaryDelivery:
+    create: true
+    ingress:
+      create: true
+      canary:
+        type: header
+        headerName: X-Canary
+        headerValue: canary
+        weightPercent: 0
+    service:
+      create: true
     deployment:
+      create: true
       image:
+        repository: ghcr.io/pagopa/pagopa-api-config-selfcare-integration
         tag: 1.3.5
+        pullPolicy: Always
+      envConfig: {}
+      envSecret: {}
diff --git a/helm/values-uat.yaml b/helm/values-uat.yaml
@@ -90,6 +90,21 @@ microservice-chart:
                 values:
                   - user
   canaryDelivery:
+    create: true
+    ingress:
+      create: true
+      canary:
+        type: header
+        headerName: X-Canary
+        headerValue: canary
+        weightPercent: 0
+    service:
+      create: true
     deployment:
+      create: true
       image:
-        tag: 1.3.5
+        repository: ghcr.io/pagopa/pagopa-api-config-selfcare-integration
+        tag: 1.3.3-5
+        pullPolicy: Always
+      envConfig: {}
+      envSecret: {}
diff --git a/infra/04_apim_api.tf b/infra/04_apim_api.tf
@@ -0,0 +1,52 @@
+locals {
+  display_name = "API Config Selfcare Integration"
+  description  = "Management APIs to configure pagoPA for Selfcare"
+  host         = "api.${var.apim_dns_zone_prefix}.${var.external_domain}"
+  hostname     = var.env == "prod" ? "weuprod.apiconfig.internal.platform.pagopa.it" : "weu${var.env}.apiconfig.internal.${var.env}.platform.pagopa.it"
+}
+
+resource "azurerm_api_management_group" "api_apiconfig_selfcare_integration_group" {
+  name                = local.apim.product_id
+  resource_group_name = local.apim.rg
+  api_management_name = local.apim.name
+  display_name        = local.display_name
+  description         = local.description
+}
+
+resource "azurerm_api_management_api_version_set" "apiconfig_selfcare_integration_api" {
+  name                = format("%s-apiconfig-selfcare-integration-api", var.env_short)
+  resource_group_name = local.apim.rg
+  api_management_name = local.apim.name
+  display_name        = local.display_name
+  versioning_scheme   = "Segment"
+}
+
+module "apim_apiconfig_selfcare_integration_api_v1" {
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//api_management_api?ref=v6.7.0"
+
+  name                  = format("%s-apiconfig-selfcare-integration-api", var.env_short)
+  api_management_name   = local.apim.name
+  resource_group_name   = local.apim.rg
+  product_ids           = [local.apim.product_id]
+  subscription_required = true
+
+  version_set_id = azurerm_api_management_api_version_set.apiconfig_selfcare_integration_api.id
+  api_version    = "v1"
+
+  description  = local.description
+  display_name = local.display_name
+  path         = "apiconfig-selfcare-integration"
+  protocols    = ["https"]
+
+  service_url = null
+
+  content_format = "openapi"
+  content_value  = templatefile("../openapi/openapi.json", {
+    host = local.host
+  })
+
+  xml_content = templatefile("./policy/_base_policy.xml", {
+    hostname = local.hostname
+  })
+}
+
diff --git a/infra/99_locals.tf b/infra/99_locals.tf
@@ -0,0 +1,10 @@
+locals {
+  product = "${var.prefix}-${var.env_short}"
+
+  apim = {
+    name       = "${local.product}-apim"
+    rg         = "${local.product}-api-rg"
+    product_id = "apiconfig-selfcare-integration"
+  }
+}
+
diff --git a/infra/99_main.tf b/infra/99_main.tf
@@ -0,0 +1,28 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.30.0"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = "2.30.0"
+    }
+    azapi = {
+      source  = "Azure/azapi"
+      version = "= 1.3.0"
+    }
+  }
+
+  backend "azurerm" {}
+}
+
+provider "azurerm" {
+  features {}
+}
+
+provider "azapi" {}
+
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}