From 41213d16419748f4c30cdd6148969113615bb8e7 Mon Sep 17 00:00:00 2001 From: Andrea De Rinaldis Date: Mon, 18 Sep 2023 14:56:54 +0200 Subject: [PATCH] [NOD-472] feat: migrating deploy from AZDO to GHA --- .github/workflows/04_release_deploy.yml | 147 +++++++++++++++--------- .identity/00_data.tf | 4 + .identity/02_application_action.tf | 6 + 3 files changed, 105 insertions(+), 52 deletions(-) diff --git a/.github/workflows/04_release_deploy.yml b/.github/workflows/04_release_deploy.yml index e7b2aae..c826ee1 100644 --- a/.github/workflows/04_release_deploy.yml +++ b/.github/workflows/04_release_deploy.yml @@ -1,10 +1,8 @@ -name: Release And Deploy +name: Release And Deploy Azure Function # Controls when the workflow will run on: pull_request: - branches: - - main types: [ closed ] # Allows you to run this workflow manually from the Actions tab @@ -33,22 +31,7 @@ on: beta: required: false type: boolean - description: deploy beta version - default: false - - workflow_call: - inputs: - environment: - required: true - type: string - semver: - required: true - type: string - default: skip - beta: - required: false - type: boolean - description: deploy beta version + description: Deploy function on Azure in beta version default: false permissions: @@ -58,6 +41,8 @@ permissions: id-token: write actions: read +env: + ENV_SHORT: ${{ (contains(github.event.inputs.environment,'dev') && 'd') || (contains(github.event.inputs.environment, 'uat') && 'u') || (contains(github.event.inputs.environment,'prod') && 'p') }} # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: @@ -89,7 +74,6 @@ jobs: run: | echo "environment=${{env.ENVIRNOMENT}}" >> $GITHUB_OUTPUT - release: name: Create a New Release runs-on: ubuntu-latest 
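Review bot: Dropping `branches: [ main ]` from the `pull_request` trigger means this release-and-deploy workflow now fires when a pull request into any branch is closed, and `types: [ closed ]` also fires for PRs that were closed without being merged; unless a guard such as `if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main'` sits on the `setup` job (the rest of the `on:` block and the job headers are outside this hunk), a closed PR against a feature branch can start a release. Consider restoring the filter, `branches: [ main ]`, or adding that job-level condition. Note also that the `pull_request` event carries no `inputs`, so every `inputs.*` / `github.event.inputs.*` reference added elsewhere in this patch is empty on that path.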
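Review bot: The new workflow-level `ENV_SHORT` is computed from `github.event.inputs.environment`, which is only populated for `workflow_dispatch`; on the `pull_request` trigger no `contains()` matches and the `&&`/`||` chain yields its last operand, so `ENV_SHORT` is rendered as the string `false` and the deploy job later targets `pagopa-false-weu-nodo-re-to-datastore-rg`. The `setup` job still publishes `needs.setup.outputs.environment` (the old deploy job consumed it), but a workflow-level `env:` cannot read `needs`; move the short-name mapping into the deploy job's `Set env variables` step, derive it from `needs.setup.outputs.environment`, and fail fast on anything but the three known values, e.g. `case "$ENVIRONMENT" in dev) ENV_SHORT=d;; uat) ENV_SHORT=u;; prod) ENV_SHORT=p;; *) echo "unknown environment"; exit 1;; esac`. Substring `contains()` matching is also looser than an equality check and should be avoided for a value that selects the target resource group.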
@@ -106,47 +90,106 @@ jobs: beta: ${{ inputs.beta }} skip_ci: ${{ inputs.beta }} - image: + build-and-push: needs: [ setup, release ] name: Build and Push Docker Image runs-on: ubuntu-latest if: ${{ inputs.semver != 'skip' }} + environment: ${{ inputs.environment }} steps: - name: Build and Push id: semver - uses: pagopa/github-actions-template/ghcr-build-push@v1.4.1 + uses: pagopa/github-actions-template/ghcr-build-push@v1.5.4 with: + branch: ${{ github.ref_name}} github_token: ${{ secrets.GITHUB_TOKEN }} tag: ${{ needs.release.outputs.version }} - deploy: - name: Deploy AZ Functions - needs: [ setup, release, image ] + deploy_azure_fn: + name: Deploy Azure function + environment: ${{ inputs.environment }} + needs: [ setup, release, build-and-push ] + runs-on: ubuntu-latest if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }} - strategy: - matrix: - environment: [ dev, uat, prod ] - uses: ./.github/workflows/self_hosted.yml - with: - target: ${{ matrix.environment }} - environment: ${{ needs.setup.outputs.environment }} - secrets: inherit - -# notify: -# needs: [ deploy ] -# runs-on: ubuntu-latest -# name: Notify -# if: always() -# steps: -# - name: Report Status -# if: always() -# uses: ravsamhq/notify-slack-action@v2 -# with: -# status: ${{ needs.deploy.result }} -# token: ${{ secrets.GITHUB_TOKEN }} -# notify_when: 'failure,skipped' -# notification_title: '{workflow} has {status_message}' -# message_format: '{emoji} <{workflow_url}|{workflow}> {status_message} in <{repo_url}|{repo}>' -# footer: 'Linked to Repo <{repo_url}|{repo}>' -# env: -# SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v3 + + - name: 'Login via Azure CLI' + uses: azure/login@v1 + with: + client-id: ${{ secrets.CLIENT_ID }} + tenant-id: ${{ secrets.TENANT_ID }} + subscription-id: ${{ secrets.SUBSCRIPTION_ID }} + + - name: Set env variables + run: | + echo 
"RESOURCE_GROUP=pagopa-${{env.ENV_SHORT}}-weu-nodo-re-to-datastore-rg" >> $GITHUB_ENV + echo "APP_NAME=pagopa-${{env.ENV_SHORT}}-weu-nodo-re-fn" >> $GITHUB_ENV + echo "REGISTRY_IMAGE=ghcr.io/pagopa/pagopa-nodo-re-to-datastore:${{needs.release.outputs.version}}" >> $GITHUB_ENV + + + - name: 'Azure CLI script: start staging slot' + uses: azure/CLI@v1 + if: ${{ contains(github.event.inputs.environment, 'prod') }} + with: + inlineScript: | + az functionapp start --name ${{ env.APP_NAME }} --resource-group ${{ env.RESOURCE_GROUP }} --slot staging + + - name: 'Run Azure Functions Container Action: staging slot' + uses: Azure/functions-container-action@v1.2.1 + if: ${{ contains(github.event.inputs.environment, 'prod')}} + with: + app-name: ${{ env.APP_NAME }} + image: ${{ env.REGISTRY_IMAGE }} + slot-name: staging + + - name: 'Deploy Approval' + uses: trstringer/manual-approval@v1 + if: ${{ contains(github.event.inputs.environment, 'prod')}} + with: + secret: ${{ secrets.BOT_TOKEN_GITHUB }} + approvers: pagopa-team-core + minimum-approvals: 1 + issue-title: "Deploying ${{ env.TAG }} to prod from staging" + issue-body: "Please approve or deny the deployment of version ${{ env.TAG }}." 
+ exclude-workflow-initiator-as-approver: false + timeout-minutes: 360 + + - name: 'Run Azure Functions Container Action' + uses: Azure/functions-container-action@v1.2.1 + with: + app-name: ${{ env.APP_NAME }} + image: ${{ env.REGISTRY_IMAGE }} + slot-name: production + + - name: 'Azure CLI script: end staging slot' + uses: azure/CLI@v1 + if: ${{ contains(github.event.inputs.environment, 'prod') }} + with: + inlineScript: | + az functionapp stop --name ${{ env.APP_NAME }} --resource-group ${{ env.RESOURCE_GROUP }} --slot staging + + - name: Azure logout + run: | + az logout + +## notify: +## needs: [ deploy_azure_fn ] +## runs-on: ubuntu-latest +## name: Notify +## if: always() +## steps: +## - name: Report Status +## if: always() +## uses: ravsamhq/notify-slack-action@v2 +## with: +## status: ${{ needs.deploy_azure_fn.result }} +## token: ${{ secrets.GITHUB_TOKEN }} +## notify_when: 'failure,skipped' +## notification_title: '{workflow} has {status_message}' +## message_format: '{emoji} <{workflow_url}|{workflow}> {status_message} in <{repo_url}|{repo}>' +## footer: 'Linked to Repo <{repo_url}|{repo}>' +## env: +## SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.identity/00_data.tf b/.identity/00_data.tf index 8f41a0e..9c92aa9 100644 --- a/.identity/00_data.tf +++ b/.identity/00_data.tf @@ -32,6 +32,10 @@ data "azurerm_key_vault_secret" "key_vault_bot_token" { key_vault_id = data.azurerm_key_vault.key_vault.id } +data "azurerm_resource_group" "nodo_re_rg" { + name = "pagopa-${var.env_short}-${local.location_short}-nodo-re-to-datastore-rg" +} + #data "azurerm_key_vault_secret" "key_vault_cucumber_token" { # name = "cucumber-token" # key_vault_id = data.azurerm_key_vault.key_vault.id diff --git a/.identity/02_application_action.tf b/.identity/02_application_action.tf index 9926884..b519782 100644 --- a/.identity/02_application_action.tf +++ b/.identity/02_application_action.tf 
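Review bot: `${{ env.TAG }}` in the `Deploy Approval` issue title and body is never defined — the `Set env variables` step exports only `RESOURCE_GROUP`, `APP_NAME` and `REGISTRY_IMAGE` — so prod approvers are asked to approve a blank version; use the release output instead, `issue-title: "Deploying ${{ needs.release.outputs.version }} to prod from staging"` and `issue-body: "Please approve or deny the deployment of ${{ env.REGISTRY_IMAGE }}."`. The same gate sets `exclude-workflow-initiator-as-approver: false`, so whoever dispatched the run can approve their own production deployment, and it hands `BOT_TOKEN_GITHUB` to a third-party action pinned only by the mutable `@v1` tag; set the flag to `true` and pin `trstringer/manual-approval` (and `azure/login`, `azure/CLI`, `actions/checkout`) to a full commit SHA, or drop the step and rely on a required-reviewers rule on the `environment:` the job already declares. Finally, `Azure logout` runs only when every previous step succeeded; give it `if: always()` so the OIDC session is also closed when a deploy step fails.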
@@ -41,6 +41,12 @@ resource "null_resource" "github_runner_app_permissions_to_namespace" { } } +resource "azurerm_role_assignment" "environment_function" { + scope = data.azurerm_resource_group.nodo_re_rg.id + role_definition_name = "Contributor" + principal_id = module.github_runner_app.object_id +} + resource "azurerm_role_assignment" "environment_terraform_resource_group_dashboards" { scope = data.azurerm_resource_group.dashboards.id role_definition_name = "Contributor"
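Review bot: The new `environment_function` assignment grants `Contributor` over the entire `nodo-re-to-datastore` resource group to the `module.github_runner_app` identity, while the workflow in this patch only starts/stops the `staging` slot and updates the container image of one function app; at that scope the CI identity can modify or delete every resource in the group, which is more than the deploy needs. Scope the assignment to the function app itself (look it up by name with a `data "azurerm_linux_function_app"` or the Windows equivalent) and use the built-in `Website Contributor` role, or a custom role limited to `Microsoft.Web/sites/*` actions; confirm the narrower role covers what `Azure/functions-container-action` and `az functionapp start|stop` call before switching. If group-wide `Contributor` is genuinely required, add a comment on the resource stating why, so the grant is not silently widened further later.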