refactor repo vars

pagopa · Feb 7, 2024 · 5212488 · 5212488
1 parent 0df7640
commit 5212488
Show file tree

Hide file tree

Showing 8 changed files with 54 additions and 36 deletions.
diff --git a/.github/workflows/call_code_review_infra.yml b/.github/workflows/call_code_review_infra.yml
@@ -16,8 +16,8 @@ on:
         description: List of environment variables to set up, given in env=value format.
 
 env:
-  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-  ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+  ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+  ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
   ARM_USE_OIDC: true
   ARM_USE_AZUREAD: true
   ARM_STORAGE_USE_AZUREAD: true
@@ -32,7 +32,7 @@ jobs:
       id-token: write
       contents: read
     env:
-      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_CI }}
+      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     steps:
@@ -51,9 +51,9 @@ jobs:
       - name: Azure Login
         uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
         with:
-          client-id: ${{ secrets.AZURE_CLIENT_ID_CI }}
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
       - name: Set Terraform Version
         id: set-terraform-version

diff --git a/.github/workflows/call_release_function.yml b/.github/workflows/call_release_function.yml
@@ -40,17 +40,17 @@ jobs:
       - name: Log in to Azure
         uses: azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
         with:
-          client-id: ${{ secrets.AZURE_CLIENT_ID_CD }}
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
       - name: Deploy Function App
         shell: bash
         working-directory: apps/onboarding-functions
         run: |
           mvn -f pom.xml quarkus:deploy \
             -Dquarkus.azure-functions.app-name=${{ format('selc-{0}-onboarding-fn', inputs.short_env) }} \
-            -Dquarkus.azure-functions.subscription-id=${{ secrets.AZURE_SUBSCRIPTION_ID }} \
+            -Dquarkus.azure-functions.subscription-id=${{ vars.AZURE_SUBSCRIPTION_ID }} \
             -Dquarkus.azure-functions.resource-group=${{ format('selc-{0}-onboarding-fn-rg', inputs.short_env) }} \
             -Dquarkus.azure-functions.region=westeurope \
             -Dquarkus.azure-functions.app-service-plan-name=${{ format('selc-{0}-onboarding-fn-plan', inputs.short_env) }} \

diff --git a/.github/workflows/call_release_infra.yml b/.github/workflows/call_release_infra.yml
@@ -16,8 +16,8 @@ on:
         description: List of environment variables to set up, given in env=value format.
 
 env:
-  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-  ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+  ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+  ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
   ARM_USE_OIDC: true
   ARM_USE_AZUREAD: true
   ARM_STORAGE_USE_AZUREAD: true
@@ -61,9 +61,9 @@ jobs:
       - name: Terraform Plan
         uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd
         with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID_CI }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant_id: ${{ vars.AZURE_TENANT_ID }}
+          subscription_id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
           dir: ${{ inputs.dir }}
           azure_environment: ${{ env.TERRAFORM_ENVIRONMENT }}
         env:
@@ -86,7 +86,7 @@ jobs:
       id-token: write
       contents: read
     env:
-      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_CD }}
+      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     steps:
@@ -97,9 +97,9 @@ jobs:
       - name: Azure Login
         uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
         with:
-          client-id: ${{ secrets.AZURE_CLIENT_ID_CD }}
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
       - name: Download Terraform Plan as Artifact
         uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1

diff --git a/.github/workflows/call_release_ms.yml b/.github/workflows/call_release_ms.yml
@@ -10,8 +10,8 @@ on:
 
 env:
   DIR: "./infra/container_apps/onboarding-ms"
-  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-  ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+  ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+  ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
   ARM_USE_OIDC: true
   ARM_USE_AZUREAD: true
   ARM_STORAGE_USE_AZUREAD: true
@@ -102,9 +102,9 @@ jobs:
       - name: Terraform Plan
         uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd
         with:
-          client_id: ${{ secrets.AZURE_CLIENT_ID_CI }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant_id: ${{ vars.AZURE_TENANT_ID }}
+          subscription_id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
           dir: ${{ env.DIR }}
           azure_environment: ${{ inputs.environment }}${{ inputs.pnpg_suffix }}
         env:
@@ -128,7 +128,7 @@ jobs:
       id-token: write
       contents: read
     env:
-      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_CD }}
+      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     steps:
@@ -139,9 +139,9 @@ jobs:
       - name: Azure Login
         uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
         with:
-          client-id: ${{ secrets.AZURE_CLIENT_ID_CD }}
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
 
       - name: Download Terraform Plan as Artifact
         uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1

diff --git a/.github/workflows/release_ms.yml b/.github/workflows/release_ms.yml
@@ -18,7 +18,7 @@ jobs:
   release_dev:
     uses: ./.github/workflows/call_release_ms.yml
     name: '[Dev] OnBoarding ms Release'
-    if: github.ref_name == 'main'
+    if: startsWith(github.ref_name, 'releases/') != true
     secrets: inherit
     with:
       environment: dev

diff --git a/.identity/github_environment_ci.tf b/.identity/github_environment_ci.tf
@@ -38,3 +38,11 @@ resource "github_actions_environment_secret" "env_ci_secrets" {
   secret_name     = each.key
   plaintext_value = each.value
 }
+
+resource "github_actions_environment_variable" "env_ci_variables" {
+  for_each      = local.env_ci_variables
+  repository    = local.github.repository
+  environment   = github_repository_environment.github_repository_environment_ci.environment
+  variable_name = each.key
+  value         = each.value
+}
diff --git a/.identity/github_repo_variables.tf b/.identity/github_repo_variables.tf
@@ -0,0 +1,6 @@
+resource "github_actions_variable" "repo_variables" {
+  for_each      = local.repo_variables
+  repository    = local.github.repository
+  variable_name = each.key
+  value         = each.value
+}
diff --git a/.identity/locals.tf b/.identity/locals.tf
@@ -9,23 +9,27 @@ locals {
     cd_branch_policy_enabled = var.github_repository_environment_cd.protected_branches == true || var.github_repository_environment_cd.custom_branch_policies == true
   }
 
+  repo_variables = {
+    "AZURE_TENANT_ID" = data.azurerm_client_config.current.tenant_id,
+  }
+
   repo_secrets = {
+    "SONAR_TOKEN" = data.azurerm_key_vault_secret.key_vault_sonar.value,
+  }
+
+  env_ci_variables = {
     "AZURE_SUBSCRIPTION_ID" = data.azurerm_client_config.current.subscription_id
-    "AZURE_TENANT_ID"       = data.azurerm_client_config.current.tenant_id,
-    "SONAR_TOKEN"           = data.azurerm_key_vault_secret.key_vault_sonar.value,
   }
 
   env_cd_variables = {
-    "AZURE_ONBOARDING_FN_APP_NAME"       = "${local.project}-onboarding-fn",
-    "AZURE_ONBOARDING_FN_RESOURCE_GROUP" = "${local.project}-onboarding-fn-rg",
-    "AZURE_ONBOARDING_FN_SERVICE_PLAN"   = "${local.project}-onboarding-fn-plan"
+    "AZURE_SUBSCRIPTION_ID" = data.azurerm_client_config.current.subscription_id
   }
 
   env_ci_secrets = {
-    "AZURE_CLIENT_ID_CI" = module.identity_ci.identity_client_id
+    "AZURE_CLIENT_ID" = module.identity_ci.identity_client_id
   }
 
   env_cd_secrets = {
-    "AZURE_CLIENT_ID_CD" = module.identity_cd.identity_client_id
+    "AZURE_CLIENT_ID" = module.identity_cd.identity_client_id
   }
 }