From 521248864ef4560b18ded40d7d69031879d986e8 Mon Sep 17 00:00:00 2001 From: manuraf Date: Wed, 7 Feb 2024 11:31:07 +0100 Subject: [PATCH] refactor repo vars --- .github/workflows/call_code_review_infra.yml | 12 ++++++------ .github/workflows/call_release_function.yml | 8 ++++---- .github/workflows/call_release_infra.yml | 18 +++++++++--------- .github/workflows/call_release_ms.yml | 18 +++++++++--------- .github/workflows/release_ms.yml | 2 +- .identity/github_environment_ci.tf | 8 ++++++++ .identity/github_repo_variables.tf | 6 ++++++ .identity/locals.tf | 18 +++++++++++------- 8 files changed, 54 insertions(+), 36 deletions(-) create mode 100644 .identity/github_repo_variables.tf diff --git a/.github/workflows/call_code_review_infra.yml b/.github/workflows/call_code_review_infra.yml index 5cf1c44b2..3a46dd2a5 100644 --- a/.github/workflows/call_code_review_infra.yml +++ b/.github/workflows/call_code_review_infra.yml @@ -16,8 +16,8 @@ on: description: List of environment variables to set up, given in env=value format. env: - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} ARM_USE_OIDC: true ARM_USE_AZUREAD: true ARM_STORAGE_USE_AZUREAD: true @@ -32,7 +32,7 @@ jobs: id-token: write contents: read env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_CI }} + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: @@ -51,9 +51,9 @@ jobs: - name: Azure Login uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID_CI }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} - name: Set Terraform Version id: set-terraform-version 
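Review bot: Nothing in the workflow records that `vars.AZURE_SUBSCRIPTION_ID` and `vars.AZURE_TENANT_ID` are deliberately non-secret: repository and environment variables are readable by anyone with read access to the repository and are no longer redacted from job logs, which is a reasonable trade-off for identifiers but will read as a regression to the next reviewer. Add a comment above the top-level `env:` block, e.g. `# Tenant/subscription IDs are identifiers, not credentials: kept as vars (unmasked, readable); only the client id stays a secret.` The same move appears in the `env:` hunks of call_release_infra.yml and call_release_ms.yml and in the login steps of all four workflows, so one comment per file is enough.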
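Review bot: With both environments now publishing their client id under the single name `AZURE_CLIENT_ID` (see the locals.tf hunk in this patch), the job's `environment:` key — above this hunk — is the only thing that decides whether this plan job signs in as the CI or the CD identity; before, the distinct `_CI`/`_CD` names presumably made a job bound to the wrong environment fail at login instead of running with the other identity's permissions. Confirm every job in this file, in call_release_infra.yml (hunks @@ -61, @@ -86, @@ -97) and in call_release_ms.yml (hunks @@ -102, @@ -128, @@ -139) declares the intended environment, and make the dependency visible next to the secret: `# resolves to the CI or CD identity through this job's environment: key`. The Azure Login step in the following hunk relies on the same resolution.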
diff --git a/.github/workflows/call_release_function.yml b/.github/workflows/call_release_function.yml index 07c26a303..4c54b6ee3 100644 --- a/.github/workflows/call_release_function.yml +++ b/.github/workflows/call_release_function.yml @@ -40,9 +40,9 @@ jobs: - name: Log in to Azure uses: azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 with: - client-id: ${{ secrets.AZURE_CLIENT_ID_CD }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} - name: Deploy Function App shell: bash @@ -50,7 +50,7 @@ jobs: run: | mvn -f pom.xml quarkus:deploy \ -Dquarkus.azure-functions.app-name=${{ format('selc-{0}-onboarding-fn', inputs.short_env) }} \ - -Dquarkus.azure-functions.subscription-id=${{ secrets.AZURE_SUBSCRIPTION_ID }} \ + -Dquarkus.azure-functions.subscription-id=${{ vars.AZURE_SUBSCRIPTION_ID }} \ -Dquarkus.azure-functions.resource-group=${{ format('selc-{0}-onboarding-fn-rg', inputs.short_env) }} \ -Dquarkus.azure-functions.region=westeurope \ -Dquarkus.azure-functions.app-service-plan-name=${{ format('selc-{0}-onboarding-fn-plan', inputs.short_env) }} \ diff --git a/.github/workflows/call_release_infra.yml b/.github/workflows/call_release_infra.yml index a73c07174..a6db9fa20 100644 --- a/.github/workflows/call_release_infra.yml +++ b/.github/workflows/call_release_infra.yml @@ -16,8 +16,8 @@ on: description: List of environment variables to set up, given in env=value format. env: - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} ARM_USE_OIDC: true ARM_USE_AZUREAD: true ARM_STORAGE_USE_AZUREAD: true 
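Review bot: The `run:` script of the Deploy Function App step interpolates `${{ vars.AZURE_SUBSCRIPTION_ID }}` and the `format(...)` results directly into shell text; these values are admin-controlled, but the usual hardening is to hand them to the step through `env:` so the shell never parses expression output. For example, add `AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}` under a step-level `env:` and write `-Dquarkus.azure-functions.subscription-id="$AZURE_SUBSCRIPTION_ID" \` in the script. The step header (`shell: bash` and any `env:`) sits above this hunk and the rest of the mvn invocation continues below it.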
@@ -61,9 +61,9 @@ jobs: - name: Terraform Plan uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd with: - client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + tenant_id: ${{ vars.AZURE_TENANT_ID }} + subscription_id: ${{ vars.AZURE_SUBSCRIPTION_ID }} dir: ${{ inputs.dir }} azure_environment: ${{ env.TERRAFORM_ENVIRONMENT }} env: @@ -86,7 +86,7 @@ jobs: id-token: write contents: read env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_CD }} + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: @@ -97,9 +97,9 @@ jobs: - name: Azure Login uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID_CD }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} - name: Download Terraform Plan as Artifact uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 diff --git a/.github/workflows/call_release_ms.yml b/.github/workflows/call_release_ms.yml index 652c7560b..51780a509 100644 --- a/.github/workflows/call_release_ms.yml +++ b/.github/workflows/call_release_ms.yml @@ -10,8 +10,8 @@ on: env: DIR: "./infra/container_apps/onboarding-ms" - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }} ARM_USE_OIDC: true ARM_USE_AZUREAD: true ARM_STORAGE_USE_AZUREAD: true 
@@ -102,9 +102,9 @@ jobs: - name: Terraform Plan uses: pagopa/terraform-preapply-azure-action@54ded8cda3437c3f6a9f46baf69cb321ce82f5cd with: - client_id: ${{ secrets.AZURE_CLIENT_ID_CI }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + tenant_id: ${{ vars.AZURE_TENANT_ID }} + subscription_id: ${{ vars.AZURE_SUBSCRIPTION_ID }} dir: ${{ env.DIR }} azure_environment: ${{ inputs.environment }}${{ inputs.pnpg_suffix }} env: @@ -128,7 +128,7 @@ jobs: id-token: write contents: read env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_CD }} + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: @@ -139,9 +139,9 @@ jobs: - name: Azure Login uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID_CD }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} - name: Download Terraform Plan as Artifact uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 diff --git a/.github/workflows/release_ms.yml b/.github/workflows/release_ms.yml index a62ea9a20..7f8927c79 100644 --- a/.github/workflows/release_ms.yml +++ b/.github/workflows/release_ms.yml @@ -18,7 +18,7 @@ jobs: release_dev: uses: ./.github/workflows/call_release_ms.yml name: '[Dev] OnBoarding ms Release' - if: github.ref_name == 'main' + if: startsWith(github.ref_name, 'releases/') != true secrets: inherit with: environment: dev diff --git a/.identity/github_environment_ci.tf b/.identity/github_environment_ci.tf index 078c78d88..daade256e 100644 --- a/.identity/github_environment_ci.tf +++ b/.identity/github_environment_ci.tf 
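Review bot: `if: startsWith(github.ref_name, 'releases/') != true` widens the dev release from `main` only to every ref that is not a release branch, so which branches or tags now deploy to dev depends entirely on the workflow's `on:` triggers above this hunk; since `secrets: inherit` forwards the CD identity, the dev environment's deployment branch policy (`cd_branch_policy_enabled` in locals.tf) is what bounds this. State the intent in a comment, e.g. `# any ref that is not a releases/* branch deploys to dev`, so the broadening reads as deliberate rather than accidental. Stylistically, comparing to `true` is the long form of negation; the idiomatic spelling needs the expression wrapper because a leading `!` is a YAML tag: `if: ${{ !startsWith(github.ref_name, 'releases/') }}`.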
@@ -38,3 +38,11 @@ resource "github_actions_environment_secret" "env_ci_secrets" {
 secret_name = each.key
 plaintext_value = each.value
 }
+
+resource "github_actions_environment_variable" "env_ci_variables" {
+ for_each = local.env_ci_variables
+ repository = local.github.repository
+ environment = github_repository_environment.github_repository_environment_ci.environment
+ variable_name = each.key
+ value = each.value
+}
diff --git a/.identity/github_repo_variables.tf b/.identity/github_repo_variables.tf
new file mode 100644
index 000000000..d68fb08e4
--- /dev/null
+++ b/.identity/github_repo_variables.tf
@@ -0,0 +1,6 @@
+resource "github_actions_variable" "repo_variables" {
+ for_each = local.repo_variables
+ repository = local.github.repository
+ variable_name = each.key
+ value = each.value
+}
\ No newline at end of file
diff --git a/.identity/locals.tf b/.identity/locals.tf
index 493f1cf5f..996a11241 100644
--- a/.identity/locals.tf
+++ b/.identity/locals.tf
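Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), so `terraform fmt` will rewrite it and the first unrelated change under `.identity/` will carry a noise diff; add the newline after the closing `}`. Beyond that the resource reads cleanly; a short header comment such as `# Repository-level (non-secret) Actions variables shared by every environment` would tell a reader why the tenant id lives here while the subscription id is provisioned per environment.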
@@ -9,23 +9,27 @@ locals { cd_branch_policy_enabled = var.github_repository_environment_cd.protected_branches == true || var.github_repository_environment_cd.custom_branch_policies == true } + repo_variables = { + "AZURE_TENANT_ID" = data.azurerm_client_config.current.tenant_id, + } + repo_secrets = { + "SONAR_TOKEN" = data.azurerm_key_vault_secret.key_vault_sonar.value, + } + + env_ci_variables = { "AZURE_SUBSCRIPTION_ID" = data.azurerm_client_config.current.subscription_id - "AZURE_TENANT_ID" = data.azurerm_client_config.current.tenant_id, - "SONAR_TOKEN" = data.azurerm_key_vault_secret.key_vault_sonar.value, } env_cd_variables = { - "AZURE_ONBOARDING_FN_APP_NAME" = "${local.project}-onboarding-fn", - "AZURE_ONBOARDING_FN_RESOURCE_GROUP" = "${local.project}-onboarding-fn-rg", - "AZURE_ONBOARDING_FN_SERVICE_PLAN" = "${local.project}-onboarding-fn-plan" + "AZURE_SUBSCRIPTION_ID" = data.azurerm_client_config.current.subscription_id } env_ci_secrets = { - "AZURE_CLIENT_ID_CI" = module.identity_ci.identity_client_id + "AZURE_CLIENT_ID" = module.identity_ci.identity_client_id } env_cd_secrets = { - "AZURE_CLIENT_ID_CD" = module.identity_cd.identity_client_id + "AZURE_CLIENT_ID" = module.identity_cd.identity_client_id } }
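Review bot: `repo_secrets` appears as an added line in this hunk, yet no `github_actions_secret` resource consuming `local.repo_secrets` is part of this patch; if the key is genuinely new and the resource that previously provisioned `SONAR_TOKEN` iterated a different local, the token silently stops being managed. Confirm the consumer exists outside the diff, or add it next to github_repo_variables.tf. Separately, `AZURE_SUBSCRIPTION_ID` is now duplicated in `env_ci_variables` and `env_cd_variables` with the same `data.azurerm_client_config.current.subscription_id`, while `AZURE_TENANT_ID` from the same data source sits at repository level; a comment such as `# subscription id stays per environment so CI and CD can diverge later` would explain the asymmetry, or the value could join `repo_variables`. The dropped `AZURE_ONBOARDING_FN_*` variables match the `format(...)` names now built in call_release_function.yml; any other consumer of those variables lies outside this diff. The enclosing `locals` block starts above the hunk.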