diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml deleted file mode 100644 index 7fe85df..0000000 --- a/.github/workflows/deploy.yml +++ /dev/null @@ -1,58 +0,0 @@ -name: Auto Deploy - -# Controls when the workflow will run -on: - pull_request: - branches: - - main - types: [ closed ] - - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - build: - if: ${{ github.event.pull_request.merged }} - name: Call Azure Build Pipeline - # The type of runner that the job will run on - runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - - # default skip bump versioning - - name: Set as default skip bump versioning - run: | - echo "SEMVER=skip" >> $GITHUB_ENV - - - name: Set major - run: | - echo "SEMVER=major" >> $GITHUB_ENV - if: ${{ contains(github.event.pull_request.labels.*.name, 'breaking-change') }} - - - name: Set minor - run: | - echo "SEMVER=minor" >> $GITHUB_ENV - if: ${{ contains(github.event.pull_request.labels.*.name, 'enhancement') }} - - - name: Set patch - run: | - echo "SEMVER=patch" >> $GITHUB_ENV - if: ${{ contains(github.event.pull_request.labels.*.name, 'bug') }} - - - name: Set skip - run: | - echo "SEMVER=skip" >> $GITHUB_ENV - if: ${{ contains(github.event.pull_request.labels.*.name, 'ignore-for-release') }} - - - name: Azure Pipelines Action - Jversion - uses: jacopocarlini/azure-pipelines@b9721743a54e862597395b4a70727cfdc03028fb # v1.3 - with: - azure-devops-project-url: https://dev.azure.com/pagopaspa/pagoPA-projects - azure-pipeline-name: 'pagopa-function-template.deploy' - azure-devops-token: ${{ secrets.AZURE_DEVOPS_TOKEN }} - azure-template-parameters: '{"ENV": "dev", "SEMVER": "${{env.SEMVER}}", "TEST": "true"}' - azure-pipeline-variables: '{"system.debug": "true"}' - 
diff --git a/.github/workflows/release_deploy.yml b/.github/workflows/release_deploy.yml new file mode 100644 index 0000000..2f9497a --- /dev/null +++ b/.github/workflows/release_deploy.yml 
@@ -0,0 +1,230 @@ +name: Release And Deploy Azure Function + +# Controls when the workflow will run +on: + pull_request: + types: [ closed ] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + inputs: + environment: + required: true + type: choice + description: Select the Environment + options: + - dev + - uat + - prod + - all + beta: + required: false + type: boolean + description: deploy beta function version on Azure + default: false + skip_release: + required: false + type: boolean + description: skip the release. Only deploy + default: false + +permissions: + packages: write + contents: write + issues: write + id-token: write + actions: read + +env: + REGISTRY: 'ghcr.io' + NAMESPACE: 'pagopa' + IMAGE: 'pagopa-gpd-reporting-analysis' + + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + setup: + name: Setup + runs-on: ubuntu-latest + outputs: + semver: ${{ steps.get_semver.outputs.semver }} + environment: ${{ steps.get_env.outputs.environment }} + steps: + - name: pull request rejected + if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged != true + run: | + echo "❌ PR was closed without a merge" + exit 1 + + # Set Semvar + - run: echo "SEMVER=patch" >> $GITHUB_ENV + + - if: ${{ (github.event.pull_request.merged && contains(github.event.pull_request.labels.*.name, 'breaking-change ')) }} + run: echo "SEMVER=major" >> $GITHUB_ENV + + - if: ${{ inputs.environment == 'uat' }} + run: echo "SEMVER=minor" >> $GITHUB_ENV + + - if: ${{ inputs.environment == 'prod' }} + run: echo "SEMVER=skip" >> $GITHUB_ENV + + - if: ${{ github.ref_name != 'main' }} + run: echo "SEMVER=buildNumber" >> $GITHUB_ENV + + - if: ${{ inputs.skip_release }} + run: echo "SEMVER=skip" >> $GITHUB_ENV + + - id: get_semver + name: Set Output + run: echo "semver=${{env.SEMVER}}" >> $GITHUB_OUTPUT + + # Set Environment + - run: echo "ENVIRNOMENT=${{ 
inputs.environment}}" >> $GITHUB_ENV + + - if: ${{ inputs.environment == null }} + run: echo "ENVIRNOMENT=dev" >> $GITHUB_ENV + + - id: get_env + name: Set Output + run: echo "environment=${{env.ENVIRNOMENT}}" >> $GITHUB_OUTPUT + + release: + name: Create a New Release + runs-on: ubuntu-latest + needs: [ setup ] + outputs: + version: ${{ steps.release.outputs.version }} + steps: + - name: Make Release + id: release + uses: pagopa/github-actions-template/maven-release@v1.5.4 + with: + semver: ${{ needs.setup.outputs.semver }} + github_token: ${{ secrets.BOT_TOKEN_GITHUB }} + beta: ${{ inputs.beta }} + skip_ci: false + + build-and-push: + needs: [ setup, release ] + name: Build and Push Docker Image + runs-on: ubuntu-latest + if: ${{ inputs.semver != 'skip' }} + environment: ${{ inputs.environment }} + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ needs.release.outputs.version }} + + - name: Update WSDL Location + run: sh upd_wsdl_location.sh ${{ vars.NODO_HOST }} + + - name: Login to GitHub Container Registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Docker meta + id: meta + uses: docker/metadata-action@v4.3.0 + with: + images: ghcr.io/${{ github.repository }} + tags: | + latest + ${{ needs.release.outputs.version }} + type=ref,event=branch + type=sha + + - name: Build and push + uses: docker/build-push-action@v3 + with: + context: . 
+ push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + build-args: ${{ inputs.build_args }} + + deploy_azure_fn: + name: Deploy Azure function + environment: ${{ inputs.environment }} + needs: [ setup, release, build-and-push ] + runs-on: ubuntu-latest + if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }} + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v3 + + - name: 'Login via Azure CLI' + uses: azure/login@v1 + with: + client-id: ${{ secrets.CLIENT_ID }} + tenant-id: ${{ secrets.TENANT_ID }} + subscription-id: ${{ secrets.SUBSCRIPTION_ID }} + + - name: 'Azure CLI script: start staging slot' + uses: azure/CLI@v1 + if: ${{ contains(github.event.inputs.environment, 'prod') }} + env: + ENV_SHORT: ${{ (contains(github.event.inputs.environment,'prod') && 'p') }} + with: + inlineScript: | + az functionapp start --name pagopa-${{ env.ENV_SHORT }}-weu-fn-gpd-analysis --resource-group pagopa-${{ env.ENV_SHORT }}-weu-gps-gpd-rg --slot staging + + - name: 'Run Azure Functions Container Action DEV|UAT: deploy on production slot' + uses: Azure/functions-container-action@v1.2.1 + if: ${{ contains(github.event.inputs.environment, 'dev') || contains(github.event.inputs.environment, 'uat') }} + env: + ENV_SHORT: ${{ (contains(github.event.inputs.environment,'dev') && 'd') || (contains(github.event.inputs.environment, 'uat') && 'u') }} + TAG: ${{needs.release.outputs.version}} + with: + app-name: "pagopa-${{ env.ENV_SHORT }}-weu-fn-gpd-analysis" + image: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }} + slot-name: production + + - name: 'Run Azure Functions Container Action PROD: deploy on staging slot' + uses: Azure/functions-container-action@v1.2.1 + if: ${{ contains(github.event.inputs.environment, 'prod') }} + env: + ENV_SHORT: ${{ (contains(github.event.inputs.environment,'prod') && 'p') }} + TAG: ${{needs.release.outputs.version}} + with: + 
app-name: "pagopa-${{ env.ENV_SHORT }}-weu-fn-gpd-analysis" + image: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }} + slot-name: staging + + - name: 'PROD Deploy Approval' + uses: trstringer/manual-approval@v1 + if: ${{ contains(github.event.inputs.environment, 'prod') }} + with: + secret: ${{ secrets.BOT_TOKEN_GITHUB }} + approvers: pagopa-team-core + minimum-approvals: 1 + issue-title: "Deploying ${{ env.TAG }} to prod from staging" + issue-body: "Please approve or deny the deployment of version ${{ env.TAG }}." + exclude-workflow-initiator-as-approver: false + timeout-minutes: 360 + + - name: 'Run Azure Functions Container Action PROD: deploy on production slot' + uses: Azure/functions-container-action@v1.2.1 + if: ${{ contains(github.event.inputs.environment, 'prod') }} + env: + ENV_SHORT: ${{ (contains(github.event.inputs.environment,'prod') && 'p') }} + TAG: ${{needs.release.outputs.version}} + with: + app-name: "pagopa-${{ env.ENV_SHORT }}-weu-fn-gpd-analysis" + image: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }} + slot-name: production + + - name: 'Azure CLI script: stop staging slot' + uses: azure/CLI@v1 + if: ${{ contains(github.event.inputs.environment, 'prod') }} + env: + ENV_SHORT: ${{ (contains(github.event.inputs.environment,'prod') && 'p') }} + with: + inlineScript: | + az functionapp stop --name pagopa-${{ env.ENV_SHORT }}-weu-fn-gpd-analysis --resource-group pagopa-${{ env.ENV_SHORT }}-weu-gps-gpd-rg --slot staging + + - name: Azure logout + run: | + az logout diff --git a/.identity/00_data.tf b/.identity/00_data.tf index 06c0ac9..836e357 100644 --- a/.identity/00_data.tf +++ b/.identity/00_data.tf 
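Review bot: The prod gate at `PROD Deploy Approval` sets `exclude-workflow-initiator-as-approver: false`, so whoever dispatched the run with `environment: prod` can approve their own deployment and the step is not a second pair of eyes unless the `prod` GitHub environment enforces required reviewers on its own (not visible here); set it to `true`. The job conditions also reference contexts this workflow never defines: `build-and-push` gates on `inputs.semver`, which is not a declared input and is therefore always null, so `skip_release` never skips the image build, and both `build-and-push` and `deploy_azure_fn` use `environment: ${{ inputs.environment }}` rather than the `needs.setup.outputs.environment` the setup job computes, so on the `pull_request` trigger they run with no environment and hence without environment-scoped secrets such as `CLIENT_ID`. The major-bump check `contains(github.event.pull_request.labels.*.name, 'breaking-change ')` has a trailing space in the label name and can never match. Pinning regressed as well: the deleted workflow pinned its third-party action to a commit SHA, whereas every action here (`trstringer/manual-approval@v1`, `docker/build-push-action@v3`, `Azure/functions-container-action@v1.2.1`, …) floats on a mutable tag. The deploy steps keyed on `github.event.inputs.environment` have the same empty-on-PR gap, which is presumably intended if only manual dispatch should deploy, but it should be stated in a comment on the trigger.
```yaml
  build-and-push:
    # … unchanged: needs, name, runs-on …
    if: ${{ needs.setup.outputs.semver != 'skip' }}
    environment: ${{ needs.setup.outputs.environment }}
    # … unchanged: steps …

  deploy_azure_fn:
    name: Deploy Azure function
    environment: ${{ needs.setup.outputs.environment }}
    # … unchanged: needs, runs-on, if, login and deploy steps …
      - name: 'PROD Deploy Approval'
        # … unchanged: uses, if …
        with:
          # … unchanged: secret, approvers, minimum-approvals, issue-title, issue-body …
          exclude-workflow-initiator-as-approver: true
```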
@@ -45,4 +45,10 @@ data "azurerm_key_vault_secret" "key_vault_integration_test_subkey" {
 data "azurerm_key_vault_secret" "flow_sa_connection_string" {
 name = "flows-sa-${var.env_short}-connection-string"
 key_vault_id = data.azurerm_key_vault.domain_key_vault.id
+}
+
+
+data "azurerm_user_assigned_identity" "identity_cd_01"{
+ name = "${local.prefix}-${var.env_short}-${local.domain}-01-github-cd-identity"
+ resource_group_name = "${local.prefix}-${var.env_short}-identity-rg"
 }
\ No newline at end of file
diff --git a/.identity/03_github_environment.tf b/.identity/03_github_environment.tf
index 3f98eeb..f4e2d1a 100644
--- a/.identity/03_github_environment.tf
+++ b/.identity/03_github_environment.tf
@@ -21,7 +21,7 @@ resource "github_repository_environment" "github_repository_environment" {
 locals {
 env_secrets = {
- #"CLIENT_ID" : module.github_runner_app.application_id,
+ "CLIENT_ID" : data.azurerm_user_assigned_identity.identity_cd_01.client_id,
 "TENANT_ID" : data.azurerm_client_config.current.tenant_id,
 "SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id,
 "API_SUBSCRIPTION_KEY" : data.azurerm_key_vault_secret.key_vault_integration_test_subkey.value,
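Review bot: `data "azurerm_user_assigned_identity" "identity_cd_01"{` is missing the space before the brace that `terraform fmt` enforces, and the file still ends without a trailing newline (`\ No newline at end of file`), so the next edit will show a spurious change on the closing `}`; write `data "azurerm_user_assigned_identity" "identity_cd_01" {` and add the newline. Looking the identity up by name only hands its client id to the workflow for OIDC login; nothing in this diff adds a federated identity credential on it, so confirm one exists whose subject matches this repository and the GitHub environments the deploy jobs declare (`repo:<org>/<repo>:environment:<env>`), otherwise `azure/login` will fail at token exchange.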