From db9113780d9156ab59fde36aeaf4b599d18aaa86 Mon Sep 17 00:00:00 2001
From: Jacopo Carlini <jacopo.carlini@pagopa.it>
Date: Wed, 16 Oct 2024 17:17:24 +0200
Subject: [PATCH 1/2] feat(logging): sampling

---
 .identity/00_data.tf               |  5 ++
 .identity/02_application_action.tf | 90 ------------------------------
 .identity/03_github_environment.tf |  2 +-
 .identity/99_variables.tf          |  1 +
 4 files changed, 7 insertions(+), 91 deletions(-)
 delete mode 100644 .identity/02_application_action.tf

diff --git a/.identity/00_data.tf b/.identity/00_data.tf
index 4079dde..2be2418 100644
--- a/.identity/00_data.tf
+++ b/.identity/00_data.tf
@@ -50,3 +50,8 @@ data "azurerm_key_vault_secret" "flow_sa_connection_string" {
   name         = "flows-sa-${var.env_short}-connection-string"
   key_vault_id = data.azurerm_key_vault.domain_key_vault.id
 }
+
+data "azurerm_user_assigned_identity" "identity_cd_01"{
+  name = "${local.prefix}-${var.env_short}-${local.domain_gps}-01-github-cd-identity"
+  resource_group_name = "${local.prefix}-${var.env_short}-identity-rg"
+}
\ No newline at end of file
diff --git a/.identity/02_application_action.tf b/.identity/02_application_action.tf
deleted file mode 100644
index 26bd8ff..0000000
--- a/.identity/02_application_action.tf
+++ /dev/null
@@ -1,90 +0,0 @@
-module "github_runner_app" {
-  source = "git::https://github.com/pagopa/github-actions-tf-modules.git//app-github-runner-creator?ref=main"
-
-  app_name = local.app_name
-
-  subscription_id = data.azurerm_subscription.current.id
-
-  github_org              = local.github.org
-  github_repository       = local.github.repository
-  github_environment_name = var.env
-
-  container_app_github_runner_env_rg = local.container_app_environment.resource_group
-}
-
-resource "null_resource" "github_runner_app_permissions_to_namespace" {
-  triggers = {
-    aks_id               = data.azurerm_kubernetes_cluster.aks.id
-    service_principal_id = module.github_runner_app.client_id
-    namespace            = local.domain
-    version              = "v2"
-  }
-
-  provisioner "local-exec" {
-    command = <<EOT
-      az role assignment create --role "Azure Kubernetes Service RBAC Admin" \
-      --assignee ${self.triggers.service_principal_id} \
-      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
-
-      az role assignment list --role "Azure Kubernetes Service RBAC Admin"  \
-      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
-    EOT
-  }
-
-  provisioner "local-exec" {
-    when    = destroy
-    command = <<EOT
-      az role assignment delete --role "Azure Kubernetes Service RBAC Admin" \
-      --assignee ${self.triggers.service_principal_id} \
-      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
-    EOT
-  }
-}
-
-resource "azurerm_role_assignment" "environment_terraform_resource_group_dashboards" {
-  scope                = data.azurerm_resource_group.dashboards.id
-  role_definition_name = "Contributor"
-  principal_id         = module.github_runner_app.object_id
-}
-
-resource "azurerm_role_assignment" "environment_function" {
-  scope                = data.azurerm_resource_group.gpd_rg.id
-  role_definition_name = "Contributor"
-  principal_id         = module.github_runner_app.object_id
-}
-
-resource "azurerm_role_assignment" "environment_key_vault" {
-  scope                = data.azurerm_key_vault.key_vault.id
-  role_definition_name = "Reader"
-  principal_id         = module.github_runner_app.object_id
-}
-
-resource "azurerm_role_assignment" "environment_key_vault_domain" {
-  scope                = data.azurerm_key_vault.domain_key_vault.id
-  role_definition_name = "Reader"
-  principal_id         = module.github_runner_app.object_id
-}
-
-resource "azurerm_key_vault_access_policy" "ad_kv_group_policy" {
-  key_vault_id = data.azurerm_key_vault.key_vault.id
-
-  tenant_id = data.azurerm_client_config.current.tenant_id
-  object_id = module.github_runner_app.object_id
-
-  key_permissions         = []
-  secret_permissions      = ["Get", "List"]
-  storage_permissions     = []
-  certificate_permissions = []
-}
-
-resource "azurerm_key_vault_access_policy" "ad_domain_kv_group_policy" {
-  key_vault_id = data.azurerm_key_vault.domain_key_vault.id
-
-  tenant_id = data.azurerm_client_config.current.tenant_id
-  object_id = module.github_runner_app.object_id
-
-  key_permissions         = []
-  secret_permissions      = ["Get", "List"]
-  storage_permissions     = []
-  certificate_permissions = []
-}
diff --git a/.identity/03_github_environment.tf b/.identity/03_github_environment.tf
index 34d3a43..ab3dded 100644
--- a/.identity/03_github_environment.tf
+++ b/.identity/03_github_environment.tf
@@ -21,7 +21,7 @@ resource "github_repository_environment" "github_repository_environment" {
 
 locals {
   env_secrets = {
-    "CLIENT_ID" : module.github_runner_app.application_id,
+    "CLIENT_ID" : data.azurerm_user_assigned_identity.identity_cd_01.client_id,
     "TENANT_ID" : data.azurerm_client_config.current.tenant_id,
     "SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id,
     "API_SUBSCRIPTION_KEY" : data.azurerm_key_vault_secret.key_vault_integration_test_subkey.value,
diff --git a/.identity/99_variables.tf b/.identity/99_variables.tf
index 15d1354..fae659f 100644
--- a/.identity/99_variables.tf
+++ b/.identity/99_variables.tf
@@ -6,6 +6,7 @@ locals {
 
   prefix         = "pagopa"
   domain         = "gps"
+  domain_gps         = "gps"
   location_short = "weu"
   product        = "${var.prefix}-${var.env_short}"
 

From 9b9d935e5cc1f2330e9dfd9ecd470d472fa9e1bd Mon Sep 17 00:00:00 2001
From: Jacopo Carlini <jacopo.carlini@pagopa.it>
Date: Thu, 17 Oct 2024 10:28:47 +0200
Subject: [PATCH 2/2] fix

---
 .github/workflows/deploy.yml       | 58 -------------------
 .identity/02_application_action.tf | 90 ++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+), 58 deletions(-)
 delete mode 100644 .github/workflows/deploy.yml
 create mode 100644 .identity/02_application_action.tf

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
deleted file mode 100644
index 4f4091b..0000000
--- a/.github/workflows/deploy.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-name: Auto Deploy
-
-# Controls when the workflow will run
-on:
-  pull_request:
-    branches:
-      - main
-    types: [ closed ]
-
-
-  # Allows you to run this workflow manually from the Actions tab
-  workflow_dispatch:
-
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
-jobs:
-  build:
-    if: ${{ github.event.pull_request.merged }}
-    name: Call Azure Build Pipeline
-    # The type of runner that the job will run on
-    runs-on: ubuntu-latest
-
-    # Steps represent a sequence of tasks that will be executed as part of the job
-    steps:
-
-      # default skip bump versioning
-      - name: Set as default skip bump versioning
-        run: |
-          echo "SEMVER=skip" >> $GITHUB_ENV
-
-      - name: Set major
-        run: |
-          echo "SEMVER=major" >> $GITHUB_ENV
-        if: ${{ contains(github.event.pull_request.labels.*.name, 'breaking-change') }}
-
-      - name: Set minor
-        run: |
-          echo "SEMVER=minor" >> $GITHUB_ENV
-        if: ${{ contains(github.event.pull_request.labels.*.name, 'enhancement') }}
-
-      - name: Set patch
-        run: |
-          echo "SEMVER=patch" >> $GITHUB_ENV
-        if: ${{ contains(github.event.pull_request.labels.*.name, 'bug') }}
-
-      - name: Set skip
-        run: |
-          echo "SEMVER=skip" >> $GITHUB_ENV
-        if: ${{ contains(github.event.pull_request.labels.*.name, 'ignore-for-release') }}
-
-      - name: Azure Pipelines Action - Jversion
-        uses: jacopocarlini/azure-pipelines@v1.3
-        with:
-          azure-devops-project-url: https://dev.azure.com/pagopaspa/pagoPA-projects
-          azure-pipeline-name: 'pagopa-function-template.deploy'
-          azure-devops-token: ${{ secrets.AZURE_DEVOPS_TOKEN }}
-          azure-template-parameters: '{"ENV": "dev", "SEMVER": "${{env.SEMVER}}", "TEST": "true"}'
-          azure-pipeline-variables: '{"system.debug": "true"}'
-
diff --git a/.identity/02_application_action.tf b/.identity/02_application_action.tf
new file mode 100644
index 0000000..26bd8ff
--- /dev/null
+++ b/.identity/02_application_action.tf
@@ -0,0 +1,90 @@
+module "github_runner_app" {
+  source = "git::https://github.com/pagopa/github-actions-tf-modules.git//app-github-runner-creator?ref=main"
+
+  app_name = local.app_name
+
+  subscription_id = data.azurerm_subscription.current.id
+
+  github_org              = local.github.org
+  github_repository       = local.github.repository
+  github_environment_name = var.env
+
+  container_app_github_runner_env_rg = local.container_app_environment.resource_group
+}
+
+resource "null_resource" "github_runner_app_permissions_to_namespace" {
+  triggers = {
+    aks_id               = data.azurerm_kubernetes_cluster.aks.id
+    service_principal_id = module.github_runner_app.client_id
+    namespace            = local.domain
+    version              = "v2"
+  }
+
+  provisioner "local-exec" {
+    command = <<EOT
+      az role assignment create --role "Azure Kubernetes Service RBAC Admin" \
+      --assignee ${self.triggers.service_principal_id} \
+      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
+
+      az role assignment list --role "Azure Kubernetes Service RBAC Admin"  \
+      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
+    EOT
+  }
+
+  provisioner "local-exec" {
+    when    = destroy
+    command = <<EOT
+      az role assignment delete --role "Azure Kubernetes Service RBAC Admin" \
+      --assignee ${self.triggers.service_principal_id} \
+      --scope ${self.triggers.aks_id}/namespaces/${self.triggers.namespace}
+    EOT
+  }
+}
+
+resource "azurerm_role_assignment" "environment_terraform_resource_group_dashboards" {
+  scope                = data.azurerm_resource_group.dashboards.id
+  role_definition_name = "Contributor"
+  principal_id         = module.github_runner_app.object_id
+}
+
+resource "azurerm_role_assignment" "environment_function" {
+  scope                = data.azurerm_resource_group.gpd_rg.id
+  role_definition_name = "Contributor"
+  principal_id         = module.github_runner_app.object_id
+}
+
+resource "azurerm_role_assignment" "environment_key_vault" {
+  scope                = data.azurerm_key_vault.key_vault.id
+  role_definition_name = "Reader"
+  principal_id         = module.github_runner_app.object_id
+}
+
+resource "azurerm_role_assignment" "environment_key_vault_domain" {
+  scope                = data.azurerm_key_vault.domain_key_vault.id
+  role_definition_name = "Reader"
+  principal_id         = module.github_runner_app.object_id
+}
+
+resource "azurerm_key_vault_access_policy" "ad_kv_group_policy" {
+  key_vault_id = data.azurerm_key_vault.key_vault.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = module.github_runner_app.object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List"]
+  storage_permissions     = []
+  certificate_permissions = []
+}
+
+resource "azurerm_key_vault_access_policy" "ad_domain_kv_group_policy" {
+  key_vault_id = data.azurerm_key_vault.domain_key_vault.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = module.github_runner_app.object_id
+
+  key_permissions         = []
+  secret_permissions      = ["Get", "List"]
+  storage_permissions     = []
+  certificate_permissions = []
+}