[#IOPLT-950] Add rg permission for CD pipeline and refactor inputs (#1187)

* [#IOPLT-950] Add permission for Resource Group for CD pipeline

* [#IOPLT-950] Refactor CD pipeline with less input values

* [#IOPLT-950] Remove `use_staging_slot` hardcoded parameters dispatch mode

* [#IOPLT-950] Add github runner

* [#IOPLT-950] Refactor infra runner file structure

Author: BurnedMarshal

.github/workflows/deploy-pipelines.yml

@@ -6,30 +6,11 @@ name: Deploy Pipelines - Legacy
 on:
   workflow_dispatch:
     inputs:
-      environment:
-        description: Environment where the artifact will be deployed.
-        type: string
-        required: true
-      resource_group_name:
-        description: Web App resource group name.
-        type: string
-        required: true
-        default: 'io-p-rg-linux'
       app_names:
         description: Web App names.
         type: string
         required: true
         default: "['io-p-app-appbackendli', 'io-p-app-appbackendl1', 'io-p-app-appbackendl2']"
-      health_check_path:
-        description: The health probe path exposed by the Function App.
-        type: string
-        required: false
-        default: '/info'
-      use_staging_slot:
-        description: True if artifact should be deployed to staging slot
-        type: boolean
-        required: false
-        default: true
       use_private_agent:
         description: Use a private agent to deploy the built artifact.
         type: boolean
@@ -38,6 +19,8 @@ on:
 
 env:
   BUNDLE_NAME: bundle
+  resource_group_name: io-p-rg-linux
+  health_check_path: /info
 
 concurrency:
   group: ${{ github.workflow }}-cd
@@ -142,7 +125,7 @@ jobs:
       matrix:
         app_name: ${{ fromJSON(inputs.app_names) }}
     runs-on: ${{ inputs.use_private_agent == true && 'self-hosted' || 'ubuntu-latest' }}
-    environment: ${{ inputs.environment }}-cd
+    environment: prod-cd
     permissions:
       id-token: write
       contents: read
@@ -168,22 +151,10 @@ jobs:
           tenant-id: ${{ env.ARM_TENANT_ID }}
           subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
 
-      - name: Deploy
-        if: ${{ inputs.use_staging_slot == false }}
-        run: |
-          az webapp deploy \
-            --resource-group ${{ inputs.resource_group_name }} \
-            --name ${{ matrix.app_name }} \
-            --src-path  ${{ github.workspace }}/${{ env.BUNDLE_NAME }}.zip \
-            --type zip \
-            --async false \
-            | grep -v "hidden-link:"
-
       - name: Deploy to Staging Slot
-        if: ${{ inputs.use_staging_slot == true }}
         run: |
           az webapp deploy \
-            --resource-group ${{ inputs.resource_group_name }} \
+            --resource-group ${{ env.resource_group_name }} \
             --name ${{ matrix.app_name }} \
             --slot staging \
             --src-path  ${{ github.workspace }}/${{ env.BUNDLE_NAME }}.zip \
@@ -192,19 +163,17 @@ jobs:
             | grep -v "hidden-link:"
 
       - name: Ping Staging Health
-        if: ${{ inputs.use_staging_slot == true }}
         run: |
           curl \
             --retry 5 \
             --retry-max-time 120 \
             --retry-all-errors \
-            -f 'https://${{ matrix.app_name }}-staging.azurewebsites.net${{ inputs.health_check_path }}'
+            -f 'https://${{ matrix.app_name }}-staging.azurewebsites.net${{ env.health_check_path }}'
 
       - name: Swap Staging and Production Slots
-        if: ${{ inputs.use_staging_slot == true }}
         run: |
           az webapp deployment slot swap \
-            -g ${{ inputs.resource_group_name }} \
+            -g ${{ env.resource_group_name }} \
             -n ${{ matrix.app_name }} \
             --slot staging \
             --target-slot production

.gitignore

@@ -51,4 +51,20 @@ local.*
 .eslintcache
 
 # Exclude swagger codegen (needed to generate PN specs)
-swagger-codegen-cli-*.jar
+swagger-codegen-cli-*.jar
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+**/.tfsec/*

.terraform-version

@@ -0,0 +1 @@
+1.11.0

infra/github-runner/prod/.terraform.lock.hcl

@@ -0,0 +1,4 @@
+data "azurerm_container_app_environment" "github-runner-cae" {
+  name                = "${local.prefix}-${local.env_short}-${local.location_short}-github-runner-cae-01"
+  resource_group_name = "${local.prefix}-${local.env_short}-${local.location_short}-github-runner-rg-01"
+}

infra/github-runner/prod/data.tf

@@ -0,0 +1,14 @@
+locals {
+  prefix         = "io"
+  env_short      = "p"
+  location       = "italynorth"
+  location_short = "itn"
+
+  tags = {
+    CostCenter     = "TS000 - Tecnologia e Servizi"
+    CreatedBy      = "Terraform"
+    Environment    = "App IO"
+    ManagementTeam = "IO Platform"
+    Source         = "https://github.com/pagopa/io-backend/blob/main/infra/github-runner/prod"
+  }
+}

infra/github-runner/prod/locals.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 4"
+    }
+  }
+
+  backend "azurerm" {
+    resource_group_name  = "terraform-state-rg"
+    storage_account_name = "iopitntfst001"
+    container_name       = "terraform-state"
+    key                  = "io-backend.github-runner.tfstate"
+  }
+}
+
+provider "azurerm" {
+  features {
+  }
+}

infra/github-runner/prod/main.tf

@@ -0,0 +1,27 @@
+module "dx-github-selfhosted-runner-on-container-app-jobs" {
+  source     = "pagopa/dx-github-selfhosted-runner-on-container-app-jobs/azurerm"
+  version    = "~> 1"
+  repository = { name : "io-backend" }
+
+  environment = {
+    prefix          = local.prefix
+    env_short       = local.env_short
+    location        = local.location
+    instance_number = "01"
+  }
+
+  container_app_environment = {
+    id                         = data.azurerm_container_app_environment.github-runner-cae.id
+    location                   = local.location
+    replica_timeout_in_seconds = 3600
+  }
+
+  resource_group_name = "${local.prefix}-${local.env_short}-rg-linux"
+
+  key_vault = {
+    name                = "${local.prefix}-${local.env_short}-kv-common"
+    resource_group_name = "${local.prefix}-${local.env_short}-rg-common"
+  }
+
+  tags = local.tags
+}

infra/github-runner/prod/runner.tf

@@ -46,6 +46,9 @@ environment_cd_roles = {
     ],
     "dashboards" = [
       "Contributor"
+    ],
+    "io-p-rg-linux" = [
+      "Contributor"
     ]
   }
 }